Reading 1: The Building Blocks of Risk Management

Uploaded by adventurine

After completing this reading, you should be able to:

Explain the concept of risk and compare risk management with risk-taking.

Evaluate, compare, and apply tools and procedures used to measure and manage risk, including quantitative measures, qualitative risk assessment techniques, and enterprise risk management.

Distinguish between expected loss and unexpected loss and provide examples of each.

Interpret the relationship between risk and reward, and explain how conflicts of interest can impact risk management.

Describe and differentiate between the key classes of risks, explain how each type of risk can arise, and assess the potential impact of each type of risk on an organization.

Explain how risk factors can interact with each other and describe challenges in aggregating risk exposures.

Risk and Its Management

Risk refers to the potential variability of returns around an expected return from a portfolio or an expected outcome. The financial risk that arises from uncertainty can be managed and mitigated. Modern risk management refers to the ability, in many instances, to price risks and to provide adequate compensation for the risk taken in business activities.

The building blocks of risk management include:

1. The classic risk management process

2. Identifying knowns and the unknowns

3. Expected loss, unexpected loss, and the tail loss

4. Risk factor breakdown

5. Structural change from tail risk to a systemic crisis

© 2014-2023 AnalystPrep.
6. Human agency and conflicts of interest

7. Typology of risks and risk interactions

8. Risk aggregation

9. Balancing Risk and Reward

10. Enterprise risk management

1. Types of Risk and Their Interactions

Risks can be grouped according to the business environment in which they arise. Grouping matters because it lets an institution account for each specific risk when managing it, and each type of risk needs different skills to manage.

A typical typology of risks should always be flexible to accommodate new forms of risks that are ever-emerging (such as cyber risks). The following diagram gives the typical modern typology of corporate risks:

Market Risk

This is the risk associated with the potential reduction in the value of a portfolio or security due to changes in financial market prices and rates. Price risk can be decomposed into a general market risk component (the risk that the market as a whole will fall in value) and a specific market risk component (idiosyncratic component), unique to the particular financial transaction under consideration. In trading activities, a risk arises from open (unhedged) positions and imperfect correlations between market positions intended to offset one another.

Market risk can be further classified into the following categories:

Interest Rate Risk – It arises from fluctuations in the market interest rates, which may cause a decline in the value of interest-rate-sensitive portfolios. For example, the bond market is affected by interest rates in the market. Curve risk can arise in portfolios in which long and short positions of different maturities are effectively hedged against a parallel shift in yields, but not against a change in the shape of the yield curve. If the rates of the positions are imperfectly correlated, basis risk may arise in offsetting positions having the same maturity.

Equity Price Risk – This is the risk associated with volatility in stock prices. The market risk component is the sensitivity of the equity or a portfolio to a change in the level of a market index. This risk cannot be eliminated by diversification. The idiosyncratic or specific risk is the component of volatility determined by firm-specific characteristics like its management, production line, etc. This can be eliminated by diversification.

Foreign Exchange Risk – Due to operations that involve foreign currencies, imperfectly hedged positions in certain currencies may arise, which may cause exposure to exchange rates. Major factors influencing foreign exchange risk are imperfect correlations in currency prices and fluctuating international interest rates.

Credit Risk

The risk associated with a counterparty not fulfilling its contractual obligations is the credit risk. For example, the default on a credit card loan is the scenario in which credit risk materializes for a credit card company.

Credit risk can be further classified into:

Bankruptcy Risk – The risk associated with a borrower's inability to clear his debt leading to a takeover of his collateralized assets.

Downgrade Risk – The risk that there might be a decline in the borrower's credit ratings because of a drop in his creditworthiness.

Credit risk is a matter of concern only when the position is an asset and not a liability. If the position is an asset, then a default by the counterparty may cause a loss of the position's total or partial value. The value that is likely to be recovered is called recovery value, while the amount that is expected to be lost is called loss given default.

At the portfolio level, the issues to be addressed are the following:

The creditworthiness of the obligor: Based on this, an appropriate interest rate or spread should be charged to compensate for the risk undertaken.

Concentration risk: The extent of diversification of the obligor should be a concern.

The state of the economy: When the economy is booming, the frequency of defaults is comparatively lower than when there is a recession.

Liquidity Risk

It comprises funding liquidity risk and market liquidity risk.

Funding liquidity risk is the risk that a firm will not be able to settle its obligations immediately when they are due. It relates to raising funds to roll over debt and to meet margin calls and collateral requirements. Funding liquidity risk can be managed by holding highly liquid assets like cash.

Trading liquidity risk (also called market liquidity risk) is the risk associated with the inability of a firm to execute transactions at the prevailing market price. It may reduce the institution's ability to hedge market risk, and also its capacity to liquidate assets when necessary.

Operational Risk

It refers to the risk that arises from operational weaknesses like management failure, faulty

controls, and inadequate systems. Human factor risk is one of the essential operational risks, and it

results from human errors like entering wrong parameter values and using wrong controls, among

others. Technology risk arises from a computer system's failure.

Business Risk

It arises from the uncertainties in demands, the cost of production, and the cost of delivery of

products. Business risk is managed by framing appropriate marketing policies, inventory policies,

choices of products, channels, suppliers, etc. Business risk is affected by the quality of a firm's

strategy and its reputation too.

Strategic Risk

It is the risk associated with significant investments for which the uncertainty of success and profitability is high. It is related to the strategic change in the company's policies to make it more competitive in the marketplace.

Reputation Risk

It comprises two beliefs: first, that an enterprise can settle its obligations to counterparties and creditors, and second, that it follows ethical practices. Trust and fair dealing are two essential things that drive businesses. For example, reputation is of crucial importance in the financial industry.

Interactions of Risk Types

Risks can flow from one type to another. For instance, during hard business times, the risk can flow from the credit risk to liquidity risk and then to market risk. This kind of flow was seen in the 2007-2009 financial crisis.

Another example is where operational risk (in the form of poor trading activity by the traders) flows to market risk by creating unfavorable market positions. Moreover, this can go on to become a reputation risk for the company concerned.

2. The Risk Management Process

Given below is the flow chart of the risk management process:

Risk management includes identifying the type and level of risk that is appropriate for the firm to assume, analyzing and measuring the risk, and assessing the possible outcomes of each risk. The final stage is the management of the risks.

Methods of Risk Management

1. Avoiding the risk: some risks can be managed by avoiding them. For instance, closing down the business unit or changing the business strategy.

2. Retaining or keeping the risk: if the company can accommodate the risk, it can be retained by methods such as insurance of the risk.

3. Mitigation of the risk: this method involves an attempt to decrease the exposure, frequency, and severity of the risk. A good example is the improvement of a firm's infrastructure and putting collateral on credit exposure.

4. Transfer risk: this method applies to risks that can be transferred to a third party. An example is in derivative products where a company pays a premium to a party to accept a certain level of risk.

3. Known and Unknown Risks

According to Donald Rumsfeld (1921), risk managers should not concentrate on known risks only but

also the unknown risks. He also classified the risks, as seen in the diagram below.

Unknown risks can be very significant and essential, even though their measurement may be difficult or outright impossible. However, unknown risks can be managed using the usual forms of risk management.

Rumsfeld's classification implies that risk managers should focus not only on measurable risks but also on unknown risks. They should strive to unravel the "unknown unknowns," which include threats that remain hidden.

4. Expected, Unexpected, and Tail Loss

The Expected Loss

The expected loss can be defined as the mean loss an investor (position taker) might expect to experience from a portfolio. The expected risks are those that may be large in size, are predictable, and could be avoided with the risk management process.

Theoretically, portfolios usually bear a loss that is near to the average loss, which can be statistically measured with some degrees of freedom.

Expected loss can be calculated from the underlying risk factors. Such factors include:

The probability of occurrence of a risk event

The size (severity) of the loss

The exposure to risk

Let us take an example of credit risk to the bank. Denote the probability of default by PD, bank's exposure at default by EAD, and severity of loss given default by LGD. So, the EL is given by:

EL = EAD × LGD × PD

So, how does the bank's manager make sure that they make a profit? The bank management should come up with the price that covers the expected loss. It is important to note that the computation of expected loss is based on assumptions.

The Unexpected Loss

The unexpected loss is the level at which the losses in a portfolio differ from the average loss. Unexpected risks are due to unanticipated variability in the losses.

For instance, in a credit portfolio, an unexpected loss can be caused by a difference in the number and severity of the loans. That is, a large number of small loans are diversified, and hence we can estimate the expected loss. However, if the EL continuously changes due to macroeconomic factors, it leads to unexpected loss.

In some cases, some portfolios (such as credit) can show extreme loss variance over some interval

of time. In this case, the expected loss (EL) is calculated by averaging the loss from the long-run good

years and the short-run bad years. However, in bad years, the losses can rise to an unexpected level

and even to extreme levels. Consequently, the banks are forced to increase the risk capital and

include an expected loss in pricing their products to guard themselves against huge unexpected

losses, which can cause insolvency and defaults.

Value-at-Risk (VaR)

VaR is a statistical measure that defines a particular level of loss in terms of its chances of

occurrence, i.e., the confidence level of the analysis. In other words, VaR utilizes loss distribution

relative to a portfolio or a position to approximate losses at a given level of confidence.

For example, suppose a position in an option has a one-day VaR of $1 million at the 99% confidence

level. In that case, the risk analysis will show that there is only a 1 percent probability of a loss that

is greater than $1 million on any given trading day.

The VaR measure works under normal market conditions and only over a short period, such as one trading day. Potentially, it is a poor and misleading measure of risk in abnormal markets, over more extended periods, or for illiquid portfolios. VaR also depends upon the control environment. Trading controls can be circumvented. This usually happens when back-office staff, business line managers, and even risk managers do not have a proper understanding of the critical significance of routine tasks, such as an independent check on volatility estimates, for the integrity of key risk measures.

Expected Shortfall

Despite the significant role VaR plays in risk management, it stops short of telling us the amount or magnitude of the actual loss in the tail. What it tells us is the maximum value we stand to lose for a given confidence level. This drawback can be overcome by a measure known as an expected shortfall.

Expected shortfall (ES) is the expected loss given that the portfolio return already lies below the

pre-specified worst-case quantile return, e.g., below the 5th percentile return. Put differently, the

expected shortfall is the mean percent loss among the returns found below the q-quantile. It helps

answer the question: If we experience a catastrophic event, what is the expected loss in our

financial position?

The expected shortfall (ES) provides an estimate of the tail loss by averaging the VaRs for increasing confidence levels in the tail. It is also called the expected tail loss (ETL) or the conditional VaR.
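The difference between VaR and expected shortfall can be seen on a small data set. The following is an added example, not part of the original reading: it computes historical-simulation VaR and ES for two constructed 100-day loss samples (in $ thousands) that share the same 95% VaR but have very different tails. The function names, the sample values and the choice of the historical-simulation estimator are assumptions made for illustration.

```python
"""Historical-simulation VaR and expected shortfall on constructed data."""


def _tail_size(n_obs, confidence):
    """Number of observations that fall in the (1 - confidence) tail."""
    k = round((1.0 - confidence) * n_obs)
    if not 1 <= k < n_obs:
        # Too few observations to say anything about this tail.
        raise ValueError(
            f"{n_obs} observations cannot support a {confidence:.2%} tail"
        )
    return k


def value_at_risk(losses, confidence):
    """Largest loss outside the tail: the loss is exceeded on at most
    (1 - confidence) of the observed days."""
    ordered = sorted(losses, reverse=True)      # worst loss first
    k = _tail_size(len(ordered), confidence)
    return ordered[k]


def expected_shortfall(losses, confidence):
    """Mean loss on the days that fall inside the tail (beyond VaR)."""
    ordered = sorted(losses, reverse=True)
    k = _tail_size(len(ordered), confidence)
    return sum(ordered[:k]) / k


# Constructed sample: 95 ordinary days with losses of 0, 10, ..., 940.
ORDINARY_DAYS = list(range(0, 950, 10))

# Two constructed portfolios that differ only in their five worst days.
PORTFOLIO_A = ORDINARY_DAYS + [1000, 1100, 1200, 1300, 1400]
PORTFOLIO_B = ORDINARY_DAYS + [1000, 2000, 5000, 9000, 15000]


def compare(confidence):
    """Return {name: (VaR, ES)} for both constructed portfolios."""
    return {
        name: (value_at_risk(p, confidence), expected_shortfall(p, confidence))
        for name, p in (("A", PORTFOLIO_A), ("B", PORTFOLIO_B))
    }


if __name__ == "__main__":
    for level in (0.95, 0.99):
        for name, (var, es) in compare(level).items():
            print(f"portfolio {name} at {level:.0%}: VaR={var}  ES={es:.0f}")
```

At the 95% level both portfolios report the same VaR, so VaR alone cannot separate them; ES is more than five times larger for portfolio B because it averages the losses inside the tail.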

5. Breakdown and Interactions of Risk Factors

The risk managers must subdivide the risk into discrete risk factors so that each factor and the interactions between these factors can be studied. An excellent example is the credit risk, which we have studied earlier, where credit risk was divided into the probability of default (PD), bank's exposure at default (EAD), and severity of loss given default (LGD).

However, there is an obvious challenge of how granular risk should be, given the loss of data. Dividing the data into very small sub-factors is impractical since it is time-consuming and tiresome. Secondly, analytical resources might be limited. Moreover, the data might be limited in terms of quantity, quality, or descriptive ability.

The solution to this challenge is the emergence of machine learning. Machine learning and substantial cloud-based computational power can help in isolating risk granules into smaller details.

6. Structural Change from Tail Risk to Systemic Crisis

Tail risks are those that rarely occur. They can be explained as the extreme version of unexpected loss that is hard to find in the given data. They are usually revealed in time series data of long periods. The tail risk can be detected using statistical methods such as the Extreme Value Theory (EVT).

When the structure of a financial system changes, the risks increase. That is, events associated with large losses may increase as well as risk factor levels. Unless the structural problem is fixed or proper risk management is adopted, new losses relative to a risk type might occur, which changes the amount of tail risk, expected and unexpected losses.

7. Human Agency and Conflicts of Interest

Financial systems are run by intelligent human beings who can adapt to change in a personal and cunning manner. That is, those who are more experienced in risk management can play up their game by hiding their risk analysis from other participants for their gain.

Having said this, many financial firms have employed three ways to control human agency and

conflicts of interest:

i. Firms create business models that can identify and manage risk.

ii. Employing risk managers that are qualified in risk management and day-to-day oversight.

iii. Periodic independent oversight and assurance (e.g., internal audit)

These defense mechanisms do not always work due to industry innovations, which sometimes leave loopholes in the risk management sector. Moreover, sometimes traders and the industry leadership willingly alter the credibility of the risk management systems. That is why grasping the role of human agency, self-interest, and conflicts of interest is one of the cornerstones of risk management.

8. Risk Aggregation

The risk manager should be able to identify the riskiest businesses and determine the aggregate risks of a firm. For instance, market risks are easily quantified and controlled by comparing the notional amount in each asset held. This, most of the time, is impractical since different stocks and industries have different volatilities.

Since the mushrooming of derivative markets in the 1970s, measurement of market risk became relatively achievable. This is because the value and the risk of the derivatives depend on the price of the underlying portfolio.

Derivative traders developed risk measures referred to as the Greeks. They include delta and theta. Greeks are still used to date, but they cannot be added up, rendering them limited at the enterprise level.

Another measure of risk is VaR. VaR was a useful aggregation method up to the year before the crisis, but it involves too many assumptions. VaR is marred by shortcomings but remains essential to risk managers.

The disadvantages of these aggregate risk measurements have motivated managers to come up with total risk measures to replace the traditional measures, but these, most of the time, fail to include critical dimensions of the risk and must be supplemented with other methods. In conclusion, understanding how risks are aggregated, and the drawbacks and advantages that come with each method, is an essential risk management building block.

9. Risk and Reward Equilibrium

Normally, the assumption of higher systematic risk is associated with higher returns from portfolios. However, the demanded returns from risky assets may not be apparent unless the asset's market is efficient and transparent. For example, bond prices alone may not reveal the return demanded for taking additional risks. This can be the case because of liquidity and tax effects. A key objective of risk management is to make transparent potential risks for the firm and identify activities that may be detrimental to the firm in the long term.

For instance, a bank can include both the expected and unexpected costs by using the following formula for risk-adjusted return on capital (RAROC):

RAROC = Reward / Risk

Note that the reward can be the after-tax risk-adjusted expected return, and the risk is described as the economic capital, so that:

RAROC = After-Tax Risk-Adjusted Expected Return / Economic Capital

If the RAROC is higher than the cost of equity capital, then the portfolio is valuable to the investor. The cost of equity capital is the minimum return on equity capital required by the shareholders to compensate for the risk.

Apart from the banking industry, RAROC is applied across different industries and institutions, with

the formula varying accordingly (but its purpose remains constant).

Uses of RAROC

1. Investment Analysis: RAROC formula is used to anticipate the likely returns from future investments.

2. Comparing businesses: RAROC can be used to compare different units of a company that needs varying amounts of economic capital.

3. Pricing strategies: A company can re-determine the pricing strategy of its products so the risk-adjusted returns.

4. Risk management cost (benefit analysis): A firm can use RAROC to compare the cost of risk management to the benefit of the firm.
10. Enterprise Risk Management (ERM)

Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings as a whole. ERM overcomes the challenge of "siloed" risk management, where each unit of an institution manages its own risk independently.

Since the financial crisis of 2007-2009, risk cannot be represented by a single number but rather:

i. Risk is multi-dimensional. That is, it should be approached from all angles and using diverse methods.

ii. Risk demands specialized judgment that is seconded by statistical science application.

iii. Risk develops across all risk types, and thus one may miss the point by analyzing one risk at a time.

More clearly, firms need to adopt a 360-degree view of risk by using different tools and appropriate levels of curiosity. Thus, ERM is not only about aggregating the risk across the risk types and business lines but also about adopting a comprehensive risk management process while taking into consideration the strategic decisions of a business. A simplified ERM is shown below:
Question

Which of the following is NOT included in the expected loss formula?

A. Probability of default

B. Loss given default

C. Unexpected loss

D. Exposure at default

Solution

The correct answer is C.

EL = EAD × LGD × PD

Unexpected loss is the level at which the losses in a portfolio differ from the average loss as calculated by the expected loss.
Reading 2: How Do Firms Manage Financial Risk?

After completing this reading, you should be able to:

Compare different strategies a firm can use to manage its risk exposures and explain

situations in which a firm would want to use each strategy.

Explain the relationship between risk appetite and a firm’s risk management decisions.

Evaluate some advantages and disadvantages of hedging risk exposures and explain

challenges that can arise when implementing a hedging strategy.

Apply appropriate methods to hedge operational and financial risks, including pricing,

foreign currency, and interest rate risk.

Assess the impact of risk management tools and instruments, including risk limits and

derivatives.

Financial institutions are required to manage financial risks. However, it is an uphill task given that risk management should go hand in hand with the firm’s owners’ objectives, the reason for the risk management strategy, the type of risks, the risks to be retained, and the types of instruments available.

Modern risk management follows an iterative road map which involves five key areas:

Identification of the Risk Appetite

This involves taking note of the corporate objectives and risks, and deciding whether to manage risk and, if risks are managed, which types of risk.

Risk Appetite

Risk appetite refers to the types of risk the firm is willing to accommodate. It should, however, be differentiated from the risk capacity, which is the highest level of risk that a firm can handle. Another term is the risk profile, which is the current level of risk to which the firm is exposed.

The practical risk appetite is stated in two ways:

1. A statement that gives the preparedness of a firm to accommodate risks in wanting to achieve its goals. This is usually an internal document which the board must approve.

2. The tools through which the risk appetite is tied to the daily risk management operations of the firm. These include the risk policy of the firm, business lines’ risk statements, and risk limits.

Many financial institutions have developed risk appetite as an essential factor. From the above diagram, the risk appetite of a firm should be below the risk capacity and above the risk profile of the firm. The dotted lines represent the upper and lower levels at which the risk must be reported.

Risk Mapping

The assessment of magnitudes of risks is required after a general policy structure pertaining to risk management has been set up by the board of directors. First, the concerned officials from the firm should identify the risks affecting their divisions, record all the assets and liabilities that have exposure to the risks, and list orders falling in the horizon set for hedging activities. Once the business risk, market risk, credit risk, and risks associated with operations are identified, the management should look into appropriate instruments to hedge the risks. For example, a firm with foreign exchange rate exposure may list all the assets and liabilities having exposure to the exchange rate on the horizon of hedging policy. It should also list sales and expenses that are exposed to the exchange rate. After this, it can find the appropriate financial instrument to hedge these risks.

Risk Management Strategies

After understanding the firm’s risk appetite and mapping risks, a risk manager can decide the best way to address the risk while prioritizing the most severe and urgent risks. Moreover, the risk manager must take into consideration the cost and the benefits of each risk management strategy. Risk management strategies include:

Avoiding the risk: some risks can be managed by avoiding them. For instance, closing down

the business unit or changing the business strategy.

Retaining the risk: some risks can be accommodated by the company, through insurance.

Mitigating the risk: this method attempts to decrease the exposure, frequency, and

severity of the risk. A good example is the improvement of a firm’s infrastructure and

putting collateral on credit exposure.

Transferring the risk: involves transferring some portion of the risk to a third party. Such methods include insurance and the application of derivatives.

The type of strategy is decided by the senior management, the board, and the firm's risk manager. The strategy should enable the firm to operate efficiently within the risk appetite.

Now let us turn our attention to the transfer of risks. The tools of risk transfer (hedging) include forwards, futures, options, and swaps.

Forwards: A forward is an agreement where a given amount of asset is exchanged at a predetermined price in the future.

Futures: A future is a financial agreement that obligates the parties involved to transact an asset at a predetermined future date and price. The buyer must buy, or the seller must sell the underlying asset at the predetermined price, irrespective of the current market price at the expiration date.

Options: These are derivative instruments that give an investor the right, but not the obligation, to buy or sell a predetermined asset on a specified future date. Examples of the options include call option, put option, exotic option, and swaption.

Swap: This is an over-the-counter (OTC) agreement to swap the cash value or the cash flows associated with a business transaction at (until) the maturity of the deal. For example, an interest rate swap involves paying a fixed interest rate on an agreed notional cash amount for a specified period while the other party agrees to pay a variable interest rate.

The type of transfer tool used depends on the desired goals of the firm. For instance, options might be more flexible than forward contracts. The choice also depends on the trading mechanism of the risk transfer instrument. For example, firms may decide to use either exchange-traded or over-the-counter (OTC) instruments to hedge their risks. Exchange-traded instruments are standardized products with maturities and strikes set in advance, while over-the-counter derivatives are traded by investment banks, among others, and can be tailored to the firm’s needs. For example, the size of the contract, strike, and maturity can all be customized. However, the credit risk is higher for OTC contracts as compared to exchange-traded instruments. In addition, a firm should take into account the liquidity and transaction costs related to the instrument that it wants to use for hedging.

Advantages of Hedging Risk Exposure

Hedging can reduce the cost of capital, reduce cash flow volatility, check liquidity crunch, and improve the debt capacity of a firm. Firms with tight financial constraints might always want to minimize cash flow volatilities to capitalize on growth opportunities. If there are synergistic effects of hedging on the firm’s operation, then it should actively hedge to reduce volatilities that may adversely affect its business. For example, if a firm’s core business is to manufacture using some crop as an input, then it may use futures on the crop to hedge the price of that crop. In so doing, the firm may go about managing its core business rather than worrying about the price fluctuations in the crop.

Disadvantages of Hedging Risk Exposure

Hedging can only lead to stable earnings for a limited period. Moreover, hedging is costly (for

example, an option requires premiums). Hedging might not be appropriate in a diversified portfolio

because risk might be diversified away.

Challenges of Implementing Hedging Strategy

A firm's risk management team may miscomprehend the type of risk to which it is exposed, incorrectly measure or map the risk, fail to detect variation in market structure, or may have rogue traders among its own.

Moreover, hedging might involve complex derivatives or strategies which can be compromised by

certain events such as interest rate movements.

Poor communication concerning the risk management strategy can lead to dire consequences.

Therefore, a hedging program should be well communicated.

Operationalization of Risk Appetite

As mentioned earlier, the risk management roadmap is iterative. To operationalize the risk appetite,

the risk manager evaluates the risk policies, sets the risk limit, and rightsizes the risk management

team.

A firm can choose to hedge against volatilities related to its operations. For example, a firm may hedge the cost of an input material required for a firm’s operations. Since this type of hedging can help reduce the risks associated with the firm’s inputs, a firm can concentrate on its core business. It has an impact on the prices of final products and also the scale of products being sold. Hedging currency exposures to reduce risks of losses in exports constitutes an example of hedging risks related to operations. A tomato ketchup company may choose to hedge its exposure to tomato prices so that it may concentrate on the quality and marketing of its ketchup rather than worrying about the losses it may incur if the prices of tomatoes were to increase.

Hedging risks related to financial positions can be performed by hedging interest rate risks, interest

rate swaps, among others. If the marketplace is assumed to be perfect, then there is no need for

such hedging because this will not alter the financial health of a firm. However, if hedging is

attempted, it would be even for both parties in the hedge, as both will have equal information about

the markets. If the market is assumed to be inefficient, then there can be benefits from hedging to

one party in the transaction. The benefits may be an increase in debt capacity and tax advantage,

economies of scale, or having comparatively better information than individual investors. Firms

should essentially hedge their operations, and if they hedge their financial positions, they should be

transparent about their policies. So, accepting some form of risk, hedging other risks, and

management of costs of hedging to benefit the firm constitute the activities underlying risk

management.

Rightsizing Risk Management

When the firm has a clear picture of its objectives in risky areas, it needs to see that the risk management team can come up with and execute the approach. That is, risk management should fit its purpose.

Rightsizing of the risk management team ensures that if a firm uses complex risk management

instruments, the firm is independent of risk management providers such as investment banks.

Rightsizing also involves ensuring that the risk management function has an elaborate accounting treatment, which can be as a cost center or a profit center. Moreover, the firm should also decide whether to proportionally redistribute the cost of risk management to the areas that risk management serves, depending on the risk culture and appetite of the firm.

Risk Limits

Rightsizing risk management may also involve setting up a system of risk limits. A good example is stress, sensitivity, and scenario analysis limits. Scenario analysis limits are linked to determining how bad the situation would be in a hypothesized worst-case scenario. The stress test concentrates on unique stresses, while the sensitivity test looks at the sensitivity of the portfolio to changes in variables. However, stress, sensitivity, and scenario analysis limits are sophisticated and require excellent expertise, and in the case of scenario analysis, it is challenging to be sure that all bases are covered.

Value-at-Risk (VaR) limits give an aggregate statistical figure as a limit, but management can easily misinterpret it. Moreover, it does not indicate the extent of an unfavorable condition in a stressed market.

The Greek limits express the risk positions of options using Greeks such as delta, gamma, and theta. However, their calculation may be compromised where proper management and independence are lacking.

Risk concentration limits can also be used. Recall that the risk concentrations include product and

geographical risk concentrations. To set these limits, a risk manager ought to have expertise in

dealing with correlations because capturing correlation risk in a stressed market is a bit challenging.

Risk-specific limits involve setting limits for specific risk types, such as liquidity ratios for liquidity risk. However, these limits are difficult to aggregate and require expert knowledge.

Maturity (gap) limits state the limits on the transactions maturing in each period. These limits aim to decrease the risk associated with large transactions in a given time frame. However, they do not speak clearly to price risk. Other limits include stop-loss limits and notional limits.

Risk Management Implementation

Risk management involves choosing the right instruments, coming up with the day-to-day decisions,

and establishing oversight authority. Consider risk hedging, for instance.

Access to all relevant information, data, and statistical tools is required to frame a hedging strategy. The risk management team should know the background of the statistical tools being employed to create hedges. The nature of the strategy, i.e., static or dynamic, is an important decision. Static strategies are more of a hedge-and-forget approach, where a hedge is placed to match the underlying exposure almost exactly. This hedge remains in place until the exposure ends. Dynamic strategies require more managerial effort and involve a sequence of trades that are used to offset the exposure as nearly as possible. Moreover, dynamic strategies may result in higher transaction costs and require close monitoring of positions. Proper implementation and communication are the key requirements for the success of any hedging strategy.

The horizon for the hedging position and the accounting considerations related to the hedge often have important implications for the way the strategy is planned. Accounting rules require that marked-to-market profit or loss be duly recorded if the position in a derivative and the underlying asset are not perfectly matched with regard to dates and quantities. Tax laws vary among countries, and there are differences in tax laws for different derivatives.

Question

Which of the following best describes the risk capacity?

A. The amount of risk the firm is willing to accommodate

B. The total amount of risk that a firm can accommodate without becoming insolvent

C. The current level of risk to which the firm is exposed

D. None of the above

Solution

The correct answer is B.

Recall that risk capacity is the highest level of risk that a firm can handle. This implies that it is the highest amount of risk a firm can handle without becoming insolvent.

Option A is incorrect because it describes the risk appetite.

Option C is incorrect because it describes the risk profile of a firm.

Reading 3: The Governance of Risk Management

After completing this reading, you should be able to:

Explain changes in regulations and corporate risk governance that occurred as a result of

the 2007-2009 financial crisis.

Describe best practices for the governance of a firm’s risk management processes.

Explain the risk management roles and responsibilities of a firm’s board of directors.

Evaluate the relationship between a firm’s risk appetite and its business strategy, including

the role of incentives.

Illustrate the interdependence of functional units within a firm as it relates to risk

management.

Assess the role and responsibilities of a firm’s audit committee.

Corporate governance can be defined as the way firms are run. That is, corporate governance sets out the roles and responsibilities of a company's shareholders, board of directors, and senior management. The relationship between corporate governance and risk has become fundamental since the 2007-2009 financial crisis. The critical questions to be answered in the following text are about the relationship between corporate governance practices and risk management practices, the organization of risk management authority through committees, and the transmission of risk limits to lower levels so that they can be observed in daily business decisions.

Lack of transparency, lack of correct and sufficient information about economic risks, and a breakdown in the transmission of relevant information to the board of directors are some of the leading causes of corporate failures in nonfinancial as well as financial sectors in 2001-03 and 2007-09. The subprime crisis was caused by the relegation of risk management activities in the boom years. The risk associated with structured financial products was almost ignored, and this resulted in failed institutions and a global financial crisis.

The post-crisis discussion of corporate governance includes some key issues, especially in the banking industry. These include the composition of the board, the risk appetite, compensation, and stakeholder priority.

Risk Appetite

Regulators have forced banks to come up with a formal, board-approved risk appetite that reflects the firm's willingness to accommodate risk without the risk of becoming insolvent. This can be extended to enterprise risk limits while engaging the board.

Boards have been tasked with the responsibility of capping excessive compensation. The payment structure should include a risk-taking adjustment that captures long-term risks. A good example is where some banks have limited bonus compensation schemes and introduced delayed bonus structures.

Board Composition

The financial crisis led to a discussion on the independence, engagement, and financial industry skills of firms' boards. However, statistical analysis of the failed banks does not show any correlation between the prowess of a bank and the predominance of either insiders or outsiders.

Stakeholder Priority

Analysis of the 2007-2009 financial crisis led to the realization that little attention was paid to controlling tail risks and worst-case scenarios. This has led to discussions on the stakeholders of a bank and their impact on corporate governance.

Board Risk Oversight

After the crisis, the importance of boards being proactive in risk oversight became a significant issue. Consequently, boards have been educated on risk and given a more direct relationship with the risk management structure, such as empowering the CRO to report to the board directly.

Compensation

To determine risk behavior, the board takes control over compensation schemes. Boards should assess the impact of pay structures on risk-taking and also examine whether risk-adjustment mechanisms cater for all key long-term risks. Several banks have already started practicing this, for example, by limiting the spread of bonuses in compensation schemes, deferring bonus payments, and adding clawback provisions.

The Infrastructure of Risk Governance

A clear understanding of business strategies and associated risks and returns is necessary for risk governance. The risks associated with business activities should be made transparent to the stakeholders. Appropriate risk appetite should be set for the firm, and the board should oversee the managerial operations and strategy formulation process. Risk management should be involved in business planning, and risks associated with every target should be adequately assessed to see if they fit into the firm's risk appetite. The choices in risk management are as follows:

Scrapping activities to avoid the risk

Reducing risk exposure by hedging/buying insurance

Risk mitigation, for example, reduction of operational risks by control measures

Accepting risks to generate values for the shareholders.

Risk management strategies should be directed to impact economic performance rather than

accounting performance. Policies, directives, and infrastructure related to risk management should

be appropriately placed in a firm. The seriousness of a firm about its risk management process can

be gauged by assessing the career path in the risk management division of the firm, the incentives

awarded to the risk managers, the existence of ethics within the firm, and the authority to whom the

risk managers report.

The Board and the Corporate Governance

The primary responsibility of the board of directors is:

To steer the firm according to the interests of the shareholders. Other stakeholders like

the debt holders must also be kept in mind while making strategies at the corporate level.

The assumption of particular risks to attain projected returns should be weighed against the sustainability of the profits from such activities. Agency risks, i.e., the conflict of interests between the management and the stakeholders, should be avoided at all costs. For example, managers may turn to short-term profit-making while assuming long-term risks, to make some bonuses. Corporate governance roles should be independent of the roles of the executive, i.e., the board and the CEO should act independently of each other. Chief risk officers have been tasked in many corporations with integrating corporate governance and risk management activities.

The board should ensure that staff are rewarded according to their risk-adjusted performance. This checks fraud related to financial manipulation and stock price boosting.

The board should check the quality and reliability of information about risks, and it should be able to assess and interpret the data. This ensures that all the risk management-related operations are aligned to value creation for shareholders.

The board should be educated on risk management and should be able to determine the appropriate risk appetite for the firm. There should also be an assessment of risk metrics over a specified time horizon that the board may set. Some technical sophistication is required to build clear strategies and directives concerning crucial risk disciplines. A risk committee of the board should be qualified enough to handle these technicalities. It should also be separated from the audit committee because of the differences in skills and responsibilities.

The Transition of Corporate Governance to Best-Practice Risk Management

As stated earlier, the 2007-2009 financial crisis reflected weaknesses in the risk management and oversight of financial institutions. Consequently, post-crisis regulation has emphasized risk governance with the aim of checking financial risks.

Risk governance is about coming up with an organizational structure that provides a precise road map for defining and implementing authoritative risk management. Moreover, it touches on transparency and the establishment of channels of communication through which the organization, stakeholders, and regulators engage.

For instance, the board of directors is responsible for shaping risk management and has authority over it. The board of directors is to analyze the major risks and rewards in the firm's chosen business strategy.

In other words, the risk governance must ensure that it has put a sound risk management system in

place to enable it to expand its strategic objectives within the limits of the risk appetite.

The Risk Appetite Statement (RAS)

A statement of risk appetite is one of the critical components of corporate governance. The RAS contains the precise aggregated amount and types of risk a firm is willing to accommodate or avoid to achieve its business objectives.

Clear articulation of the risk appetite for a firm helps in maintaining the equilibrium between risk and return, cultivating a positive attitude towards tail and event risks, and attaining the desired credit rating.

The RAS should contain risk appetite and risk tolerance measures, which set the maximum amount of risk taken at the business level as well as at the enterprise level. Moreover, it should describe the relationship between the risk appetite, the risk capacity, the risk profile, and the risk tolerance.

Risk tolerance is the number of acceptable results relative to business objectives (dotted line on the

diagram above). Risk tolerance is a tactical measure of risk, while risk appetite is the aggregate

measure of risk. Note that the risk appetite is below the risk capacity of a firm. A firm operating

within the risk tolerance can attain the risk-adjusted return objectives relative to the amount of risk.

Implementation of the Board-Level Risk Governance

In the banking industry, the board of directors charges committees, such as the risk management committee, among others, with ratifying policies and directives for activities related to risk management. The committees frame policies related to division-level risk metrics in relation to the overall risk appetite set by the board. They also look after the effective implementation of these policies.

Role of Audit Committee of the Board

The audit committee's responsibility is:

To look into the accuracy of financial and regulatory reporting of the firm and the quality

of processes that underlie such activities.

It also ensures that a bank complies with standards in regulatory, risk management, legal,

and compliance activities.

The audit committee verifies the activities of the firm to see if the reports reflect the same.

The members should ideally be nonexecutives to keep the audit committee clear from executive influence. The audit committee should interact with the management productively and should keep all channels of communication open.

The Role of the Risk Advisory Director

There may be a few nonexecutives on the board of directors who may not have the necessary expertise to understand the technicalities behind the risk management activities of a sophisticated firm. In this case, executives may dominate the nonexecutives, and this may lead to corporate scandals. Training programs and support systems may be put in place to aid such nonexecutives.

Another method is to have a specialist in risk management as a risk advisory director on the board.

The risk advisory director's functions are:

The risk advisory director would oversee risk management policies, reports, and risks related to the overall business.

Mitigation of risks like credit risk, market risk, etc. The risk advisory director should be familiar with financial statements and accounting principles.

The risk advisory director should oversee financial reporting and the dealings between the firm and its associates, including issues like intercompany pricing, transactions, etc.

The risk advisory director should look into the requirements from regulatory agencies and should lay down appropriate directives for the firm to comply with the requirements.

Participation in audit committee meetings, outlining risk profiles of strategic business segments, sharing insights into corporate governance and risk management policies, and overseeing the conduct of business.

The Role of the Risk Management Committee

The risk management committee in a bank independently reviews different forms of risks like liquidity risk, market risk, etc., and the policies related to them. The responsibility of approving individual credits also usually rests with the risk management committee. It monitors securities portfolios and significant trends in the market as well as breakdowns in the industry, liquidity crunch, etc. It reports to the board about matters related to risk levels and credits, and it also provides opportunities for direct interaction with the external auditor, management committees, etc.

The Role of the Compensation Committee

The compensation committee's responsibility is to determine the compensation of top executives. Since the CEO could convince the board to pay the executives at the expense of shareholders, compensation committees were put in place to check such occurrences. In the previous decade, compensation based on short-term profits, without much concern about long-term risks, has sealed the fate of many institutions.

Since then, compensation based on risk-adjusted performance has gained recognition. Such

compensation helps in aligning business activities with long-term economic profitability.

Various caps have also been put in place on the bonuses of executives across the world to prevent a reckless risk-taking attitude of eyeing the upside while bearing no responsibility for the downside of the risky activity. Stock-based compensation may encourage risk-taking as the upsides are not capped while the downsides are. To make employees concerned about the firm's financial health, they may be made the firm's creditors by providing compensation in the form of bonds. For example, UBS has adopted such a strategy.

The Risk Appetite and the Business Strategy

Many firms wish to examine how the regular activities of the firm run within the confines of the risk appetite and limits defined by the board and executive committees. The process of examining the firm's risk appetite includes:

Risk approval by the board risk committee: The board risk committee approves the risk appetite statement on an annual basis.

The firm's senior management (such as the CEO and CRO) is tasked by the board with implementing the risk appetite framework.

With the approval of the board, senior management comes up with the limiting parameters for the financial risk (for example, credit risk) and nonfinancial risk (for instance, operational risk) taken on by the firm. At this point, subcommittees can be set up to deal with each risk type independently.

After setting the risk limits, the senior risk committee reports the outcome to the board risk committee, accompanied by recommendations on the total risk acceptable, which are again subject to the board risk committee's consideration and approval.

The Role of the Chief Risk Officer (CRO)

The CRO is a member of the risk committee whose responsibilities are:

Designing the risk management program of the firm;

Risk policies, analysis dimensions, and methodologies;

Risk management infrastructure and governance in the firm;

Monitoring the firm's risk limits set by the senior risk management; and

In many financial institutions such as banks, the CRO is an intermediary between the board and the management. The CRO keeps the board informed on the firm's risk tolerance and the condition of the risk management infrastructure and informs the management on the state of the risk management.

The Role of Incentive

As realized in the global crisis, the executive compensation schemes at many financial institutions motivated short-run risk-taking, leading management to ignore long-term risks. That is, bankers were rewarded based on short-run profits. Consequently, it led to the formation of the compensation committee to cap executive compensation. This prevents a scenario where the CEO can convince the board members to compensate themselves at the expense of other shareholders.

Compensation is part of the risk culture of a firm. Thus, it should be set in accordance with the long-term interests of the shareholders and other stakeholders and the risk-adjusted return on capital.

For instance, the central bank governors and the finance ministers of the G-20 countries met in September 2009 to discuss the framework for financial stability, one element of which is reforms on compensation. The reforms included:

Scrapping of the multi-annual guaranteed bonuses;

Controlling the amount of variable compensation given to the employees with respect to

total net revenues;

Promoting transparency through disclosure;

Recognizing the interdependence of the compensation committee to ensure that they work with respect to both performance and risk; and

The inclusion of executive downside exposure by deferring an appropriate share of compensation, implementing share-based incentives, and introducing a clawback mechanism where bonuses are reimbursed if longer-term losses are incurred after the bonuses are paid.

The Interdependence of Organizational Units in Risk Governance

Primary responsibility is put on the firm's staff to implement risk management across all areas of the firm. The executives and the business line managers should work collaboratively to manage, monitor, and report the various types of risk being undertaken. The figure below illustrates the risk management flows, divided by the various management functions.

The Role of the Audit Function

The audit function is responsible for an independent assessment of the framework and

implementation of risk management. It reports to the board about the strategies of business

managers and executives, and whether these strategies are in line with the board's expectations.

Regulatory guidelines require audit groups to monitor the adequacy and reliability of documentation,

the effectiveness of the risk management process, etc. For example, suppose the market risk is

under consideration. In that case, auditors are required to assess the process by which derivative

pricing models are examined, changes in measures for quantifying risks, and the scope of risks

captured by the models in use. The integrity and independence of position data should also be

examined.

There should be an evaluation of the design and conceptual soundness of risk metrics and measures, and stress testing methodologies. The risk management information system, including the process of coding and implementing models, should also be checked and evaluated. This would include examining controls over market position data capture and over the process of parameter estimation. The audit function reviews the design of the financial rates database, which is used to generate parameters for VaR models, and things like risk management system upgrades, the adequacy of application controls in the risk management information system, etc. Documentation related to compliance should be examined, and the audit function should independently assess VaR reliability.

The guidelines for the audit function are provided in the International Professional Practices Framework (IPPF). The audit should, essentially, be independent of operational risk management. This ensures that the assessment done by the audit function is reliable.

Conclusion

It is not possible to control the financial health of a firm without an excellent risk management

function and appropriate risk metric. Historically, many corporate failures have been associated with

the relegation of risks, which would turn fatal later. An important example of this is the subprime

crisis in the United States. Therefore, a clear risk management policy should guide the strategies of

the firm, and an appropriate risk appetite should limit the exposures of the firm. Such directives

make it easy for the executives down the business line to understand their role in the risk

management activity.

The risk committees should participate in framing risk management methodologies, and they should

have appropriate knowledge of all the risks as well as their metrics so that they can clearly

understand the risk reports. A careful delegation of authorities and responsibilities to each risk

management mechanism should ensure that all the gaps are filled, and all the activities are

complementary to each other. After taking risk into account, risk measures like VaR, economic

capital, etc. can be used to set risk limits, and also be used to determine the profitability of various

business lines.

Risk infrastructure can be used as a tool in the analysis and pricing of various deals. It can also be

used to formulate incentive compensation schemes so that business decisions and strategies are

aligned with risk management decisions.

Question

Which of the following statements best describes the role of the board in risk

management?

A. Issuing guidelines on how to manage risks

B. Developing the risk appetite statement and objectives the managers should strive to

meet within the risk management framework.

C. Regularly reviewing decisions made by managers regarding risk exposures

D. Choosing the risk exposures to hedge, the risks to mitigate, and those to avoid

altogether

Solution

The correct answer is B.

The board sits above the managers in the hierarchy of management in most for-profit organizations. The board assembles and develops a comprehensive risk appetite statement, specifying the risks the company should assume and those to avoid, including the preferred methods of risk mitigation. The managers consult the risk appetite statement when choosing the projects to undertake.

Reading 47: Measures of Financial Risk

After completing this reading, you should be able to:

Describe the mean-variance framework and an efficient frontier.

Compare the normal distribution with the typical distribution of returns of risky financial

assets such as equities.

Define the VaR measure of risk, describe assumptions about return distributions and

holding period, and explain the limitations of VaR.

Explain and calculate Expected Shortfall (ES), and compare and contrast VaR and ES.

Define the properties of a coherent risk measure and explain the meaning of each

property.

Explain why VaR is not a coherent risk measure.

The Mean-Variance Framework

The mean-variance framework uses the expected mean and standard deviation to measure the financial risk of portfolios. Under this framework, it is necessary to assume that returns follow a specified distribution, usually the normal distribution.

The normal distribution is particularly common because it concentrates most of the data around the mean return. 66.7% of returns occur within plus or minus one standard deviation of the mean. A whopping 95% of the returns occur within plus or minus two standard deviations of the mean.

Investors are generally concerned with downside risk and are therefore interested in probabilities

that lie to the left of the expected mean.

Note the expected return does not imply the anticipated return but rather the average returns. On

the other hand, the risk is measured using the standard deviation of returns.

Example: Calculating Expected Return and Standard Deviation

The expected returns for an asset with corresponding probabilities are given below:

Return (%) Probability


10% 0.25
−20% 0.09
15% 0.40
7% 0.06
30% 0.20

Calculate the expected return and standard deviation of the asset return.

Solution

To calculate the expected return, we weight the expected return by the corresponding probability. That is:

$$\bar{R} = \sum_{i=1}^{n} p_i R_i$$

So for this case,

$$\bar{R} = (0.10 \times 0.25) + (-0.20 \times 0.09) + (0.15 \times 0.40) + (0.07 \times 0.06) + (0.30 \times 0.20) = 0.1312 = 13.12\%$$

Recall that the variance for a variable X is given by:

$$\text{Var}(X) = E(X^2) - [E(X)]^2$$

Then the variance of the return R is given by:

$$\text{Var}(R) = E(R^2) - [E(R)]^2$$

The standard deviation is equal to the square root of the variance:

$$\sigma_R = \sqrt{E(R^2) - [E(R)]^2}$$

Therefore,

$$E(R^2) = (0.10^2 \times 0.25) + ((-0.20)^2 \times 0.09) + (0.15^2 \times 0.40) + (0.07^2 \times 0.06) + (0.30^2 \times 0.20) = 0.033394$$

$$\Rightarrow \sigma_R = \sqrt{0.033394 - [0.1312]^2} = 0.1272 = 12.72\%$$

Combinations of Investments

Consider two investments with respective means $\mu_1$ and $\mu_2$. Assume that an investor wishes to invest in both investments with a proportion of $w_1$ in the first investment and $w_2$ in the second investment. It is safe to state that $w_2 = 1 - w_1$.

The portfolio expected return is equivalent to the weighted returns from the individual investments. That is:

$$\mu_p = w_1\mu_1 + w_2\mu_2$$

The variance of the portfolio expected return is given by:

$$\sigma_P^2 = w_1^2\sigma_1^2 + w_2^2\sigma_2^2 + 2\rho w_1 w_2 \sigma_1 \sigma_2$$

Where:

$\sigma_1$: Standard deviation of the first investment

$\sigma_2$: Standard deviation of the second investment

$\rho$: Correlation between the first and the second investment

Therefore, the standard deviation of the portfolio is given by:

$$\sigma_P = \sqrt{w_1^2\sigma_1^2 + w_2^2\sigma_2^2 + 2\rho w_1 w_2 \sigma_1 \sigma_2}$$

Note that the variance of the portfolio can be written as:

$$\sigma_P^2 = w_1^2\sigma_1^2 + w_2^2\sigma_2^2 + 2 w_1 w_2 \text{Cov}(R_1, R_2)$$

This is true from the fact that:

$$\text{Corr}(R_1, R_2) = \rho = \frac{\text{Cov}(R_1, R_2)}{\sigma_1 \sigma_2} \Rightarrow \text{Cov}(R_1, R_2) = \rho \sigma_1 \sigma_2$$

Example: Calculating the Expected Return and the Standard Deviation of a Portfolio

An investor invests in two assets X and Y, with an expected return of 10% and 15%. T he investor

6
© 2014-2023 AnalystPrep.
invests 45% of his funds in asset X and the rest in asset Y. T he correlation coefficient is 0.45. Given

that the standard deviation of asset X is 15% and Y is 30%, what are the expected return and standard

deviations of the portfolio?

Solution

The portfolio expected return is given by:

$$\mu_p = w_X\mu_X + w_Y\mu_Y = 0.10 \times 0.45 + 0.15 \times 0.55 = 0.1275 = 12.75\%$$

The portfolio standard deviation is given by:

$$\sigma_P = \sqrt{w_1^2\sigma_1^2 + w_2^2\sigma_2^2 + 2\rho w_1 w_2\sigma_1\sigma_2}$$

$$= \sqrt{0.45^2 \times 0.15^2 + 0.55^2 \times 0.3^2 + 2 \times 0.45 \times 0.45 \times 0.55 \times 0.15 \times 0.3}$$

$$= \sqrt{0.041805} = 0.2045 = 20.45\%$$

Calculating the portfolio expected return and standard deviation can be extended to a portfolio with n investments. The portfolio expected return for n returns is given by:

$$\mu_p = \sum_{i=1}^{n} w_i\mu_i$$

Where $\mu_i$ and $w_i$ are the mean return and weight of the ith investment.

And then the standard deviation of the portfolio is given by:

$$\sigma_P = \sqrt{\sum_{i=1}^{n}\sum_{j=1}^{n} \rho_{ij} w_i w_j \sigma_i\sigma_j}$$

where $\rho_{ij}$ is the correlation coefficient between investments i and j. The other variables are as defined above.

Efficient Frontier

The efficient frontier represents the set of optimal portfolios that offers the highest expected return for a defined level of risk or the lowest risk for a given level of expected return. This concept can be represented on a graph by plotting the expected return (Y-axis) against the standard deviation (X-axis).

For every point on the efficient frontier, at least one portfolio can be constructed from all available investments with the expected risk and return corresponding to that point. Portfolios that do not lie on the efficient frontier are suboptimal: those that lie below the line do not provide enough return for the level of risk. Those that lie on the right of the line have a higher level of risk for the defined rate of return.

Note that the efficient frontier above considers only the risky assets. Now, consider when we introduce a risk-free investment with a return of $R_F$. It can be shown that the efficient frontier is a straight line. That is, there is a linear relationship between the expected return and the standard deviation of return.

Denote the risk-free return by $R_F$ (with a standard deviation of 0). Also, let the market portfolio return be $R_M$, and its standard deviation, $\sigma_M$. Let the proportion of funds in a risky portfolio be $\beta$ and that in risk-free assets be $1 - \beta$. Now, in the formula

$$\mu_p = w_1\mu_1 + w_2\mu_2$$

we have $w_1 = 1 - \beta$, $w_2 = \beta$, $\mu_1 = R_F$, $\mu_2 = R_M$, so that the return from the portfolio is given by

$$\mu_p = R_F(1 - \beta) + \beta R_M \Rightarrow \beta = \frac{\mu_p - R_F}{R_M - R_F}$$

Also, the standard deviation of a portfolio with two components is given by

$$\sigma = \sqrt{w_1^2\sigma_F^2 + w_2^2\sigma_M^2 + 2\rho w_1 w_2\sigma_F\sigma_M}$$

But $\sigma_F = 0$

$$\Rightarrow \sigma = \sqrt{0 + w_2^2\sigma_M^2 + 0} = w_2\sigma_M = \beta\sigma_M$$

Therefore,

$$\sigma = \sigma_M\left(\frac{\mu_P - R_F}{R_M - R_F}\right) \Rightarrow \sigma = \mu_p\left(\frac{\sigma_M}{R_M - R_F}\right) - \frac{\sigma_M R_F}{R_M - R_F}$$

The efficient frontier involving a risk-free asset also shows that the investor should invest in risky assets (in this case, M) by borrowing and lending at a risk-free rate $r_F$. For instance, we assume that an investor borrows at the rate $r_F$ so that now we are considering the efficient frontier beyond M. If this is the case, then $\beta > 1$, the proportion of the amount borrowed will be $\beta - 1$, and the total amount available is $\beta$ multiplied by the available funds. If we then invest in risky asset M, the expected return will be:

$$\beta r_M - (\beta - 1)R_F = (1 - \beta)r_F + \beta r_M$$

The standard deviation can be shown to be $\beta\sigma_M$, which is similar to the arguments for the points below point M.

Therefore, it is safe to say risk-averse investors will invest in points on line FM and close to F, and those investors that are risk-seeking will invest on points close to M or even points beyond M on line FM.

Normal Distribution

Normal distribution, also called Gaussian distribution, is a widely used continuous distribution with two parameters: mean denoted by μ and the standard deviation denoted by σ. The density function of the normal distribution is given by

$$f(x) = \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-\frac{(x-\mu)^2}{2\sigma^2}}$$

The shape of the standard curve is as shown below.

Note that, similar to other probability distributions, the probability that a value lies between a and b is equivalent to the area under the curve between a and b. This can be thought of as the cumulative distribution up to point b less the cumulative distribution up to point a.

Standard Normal Distribution

A standard normal distribution has a mean of 0 and a standard deviation of 1. In other words, μ=0 and σ=1. As such, the normal distribution density function reduces to:

$$f(x) = \frac{1}{\sqrt{2\pi}}\, e^{-\frac{x^2}{2}}$$

The normal tables give a cumulative distribution of the standard normal distribution. A normal distribution with the mean μ and the standard deviation σ can be transformed into z-scores, which give the cumulative probability up to a value x for the standard normal. The z-score is defined by:

$$z = \frac{x - \mu}{\sigma}$$

Where z∼N(0,1).

For example, consider a normal distribution with a mean of 4 and a standard deviation of 5. What is the probability that a value X is less than 7? Using standard normal transformation,

$$\Pr(X < 7) = \Pr\left(\frac{X - \mu}{\sigma} < \frac{7 - 4}{5} = 0.6\right) = \Pr(z < 0.6) = \Phi(0.6) = 1 - 0.2743 = 0.7257$$

Note that the standard normal table is usually provided in the exam.

In this case, the table provided is of negative z-values. As such, if we want to read the probability of

P (z < 0.6) then we will be forced to use 1 − P (z < −0.6) since the table gives probabilities for

negative z-values yet, we want the probability for a positive z-value.

A normal distribution is usually assumed to apply to financial data because financial analysts are

mostly concerned with the mean and standard deviation. However, financial variables have fatter tails

than the normal distribution. A large number of portfolio returns also tend to have fatter tails than

normal distribution. For instance, the means created can have fatter tails. Consider the diagram

below.

As discussed earlier in this chapter, we have seen that assuming a normal distribution for financial

variables (by use of mean and standard deviation) may underestimate the probability of the adverse

events.

Standard deviation can be a perfect measure of risk, but it does not capture the tails of the

probability distribution.

VaR is a risk measure that is concerned with the occurrence of adverse events and their corresponding probability. VaR is built from two parameters: the time horizon and the confidence level. Therefore, we can say that VaR is the loss that we do not anticipate to be exceeded over a given time period at a specified confidence level.

For example, consider a time horizon of 30 days and a confidence level of 98%. A 98% VaR of USD 5 million implies that we are 98% confident that over the next 30 days, the loss will be less than USD 5 million. Similarly, we can say that we are 2% confident that over the next 30 days, the loss will be greater than USD 5 million.

Consider the following loss distribution density function curve:

Consider the following examples:

Example 1: Computing the VaR for Normally Distributed Investment Returns

The investment return over a period of time has a normal loss distribution with a mean of -200 and a variance of 300. What is 99% VaR of the loss distribution?

Solution

Denote the VaR level by t, then we need:

$$P(X < t) = 0.99$$

(Note we can also use P(X > t) = 0.01)

Standardizing the normal distribution with a given mean and standard deviation, we have:

$$P\left(z < \frac{t - (-200)}{300}\right) = 0.99 \Rightarrow \Phi\left(\frac{t + 200}{300}\right) = 0.99 \Rightarrow \frac{t + 200}{300} = \Phi^{-1}(0.99)$$

Now, $\Phi^{-1}(0.99)$ is the inverse of the standard normal cumulative probability. To do this using a standard table, look for 0.99 (or the closest value) in the table and read the corresponding vertical and horizontal values and add them. In other words, we are reversing the reading of the standard normal table.

In our case, consider the following table:

And thus:

$$\Phi^{-1}(0.99) = 2.33$$

$$\therefore \frac{t + 200}{300} = 2.33 \Rightarrow t = 499$$

The VaR level is 499 at a 99% confidence level.

Example 2: Calculating the VaR for a Discrete Loss Distribution

The loss distribution of an investment is as shown below:

| Amount of Loss | Probability |
|---|---|
| USD 10 Million | 75% |
| USD 13 Million | 22% |
| USD 17 Million | 3% |

What is the value of the 99% VaR?

Solution

To find the 99% VaR, we need to find the cumulative probability distribution and locate 99%:

| Amount of Loss | Probability | Cumulative Probability Range |
|---|---|---|
| USD 10 Million | 75% | 0 to 75% |
| USD 13 Million | 22% | 75% to 97% |
| USD 17 Million | 3% | 97% to 100% |

Therefore, with a confidence level of 99%, the VaR value is USD 17 million because 99% falls in the range of 97% to 100% (the last range).

Note that if we reduce our confidence level to 95%, VaR will change to USD 13 million because 95% falls in the 75% to 97% cumulative probability range.

However, if the confidence level is 97%, then we could have two VaR values: USD 13 million and USD 17 million. This will be ambiguous, and so the best estimate is the average of the values, which is USD 15 million.

Limitations of VaR

I. It does not describe the worst possible loss. Indeed, as seen from the example above, we would expect the USD 13 million loss mark to be breached 5 times out of a hundred for a 95% confidence level.

II. VaR does not describe the losses in the left tail. It indicates the probability of a value occurring but stops short of describing the distribution of losses in the left tail.

III. Two arbitrary parameters are used in its calculation: the confidence level and the holding period. The confidence level indicates the probability of obtaining a value greater than or equal to VaR. The holding period is the time span during which we expect the loss to be incurred, say, a week, month, day, or year. VaR increases at an increasing rate as the confidence level increases. VaR also increases with increases in the holding period.

IV. VaR estimates are subject to both model risk and implementation risk. Model risks arise from incorrect assumptions, while implementation risk is the risk of errors from the implementation process.

Expected Shortfall (ES)

Note that the VaR does not describe the worst possible loss. For instance, if 99% VaR is USD 10 million, we know that we are 1% certain that the loss will exceed USD 10 million. From the VaR level, we cannot say whether the loss is greater than USD 20 million or USD 50 million. Therefore, VaR sets a risk measure equal to a certain percentile of the loss distribution and does not consider the possible losses beyond the VaR level.

Expected shortfall (ES) is a risk measure that considers the expected losses beyond the VaR level. In other words, ES is the expected loss conditional on the loss being greater than the VaR level.

Exam tip: Expected shortfall is also called conditional value at risk (CVaR), average value at risk (AVaR), or expected tail loss (ETL). Think about this as the average loss beyond the VaR.

When the losses are normally distributed with the mean μ and standard deviation σ, then the ES is given by:

$$ES = \mu + \sigma\left(\frac{e^{-\frac{U^2}{2}}}{(1 - X)\sqrt{2\pi}}\right)$$

Where:

X = The confidence level.

U = The point in the standard normal distribution that has a probability of X% of being exceeded.

Example: Calculating Expected Shortfall

The investment return over a period of time has a normal loss distribution with a mean of -200 and a standard deviation of 300. What is the 99% expected shortfall of the loss distribution?

Solution

We know that:

$$ES = \mu + \sigma\left(\frac{e^{-\frac{U^2}{2}}}{(1 - X)\sqrt{2\pi}}\right)$$

Now, U = 2.33

$$ES = -200 + 300\left(\frac{e^{-\frac{(2.33)^2}{2}}}{(1 - 0.99)\sqrt{2\pi}}\right) = 592.79$$

ES should always be greater than the VaR level because the ES gives us the average of the values that are in the tail exceeding VaR.

Example: Calculating the ES for a discrete loss distribution

The loss distribution of an investment is as shown below:

| Amount of Loss | Probability |
|---|---|
| USD 20 Million | 2% |
| USD 17 Million | 8% |
| USD 13 Million | 12% |
| USD 10 Million | 78% |

What is the 95% expected shortfall (ES)?

Solution

At a 95% confidence level, we need to answer the question, "given that we are at 5% of the loss distribution, what is the value of the expected loss?". Now looking at the probability column, it is clear that the 5% tail distribution consists of a 2% probability that the loss is USD 20 million and 3% that the loss is USD 17 million. Conditioned that we are dealing with the tail distribution, there is a 2/5 chance that the loss is USD 20 million and a 3/5 chance that the loss is USD 17 million. Therefore, the expected shortfall is given by:

$$\frac{2}{5} \times 20 + \frac{3}{5} \times 17 = 18.20$$

Again, note that the 97% VaR is USD 10 million, which is less than ES.

Properties of a Coherent Risk Measure

A risk measure summarizes the entire distribution of dollar returns X by one number, ρ(X). There are four desirable properties every risk measure should possess. These are:

I. Monotonicity: If $X_1 \le X_2$, then $\rho(X_1) \ge \rho(X_2)$

Interpretation: If a portfolio has systematically lower values than another, it must have a greater risk in each state of the world. In other words, if a portfolio gives less desirable results than others, then it must be riskier.

II. Subadditivity: $\rho(X_1 + X_2) \le \rho(X_1) + \rho(X_2)$

Interpretation: When two portfolios are combined, their total risk should be less than (or equal to) the sum of their risks. Merging of portfolios ought to reduce risk. This property captures the implications of diversification. If two portfolios are perfectly correlated, then the overall risk is the sum of their risks when considered separately. However, if the two portfolios are not perfectly correlated, their overall risk should decrease due to diversification benefits.

III. Homogeneity: $\rho(kX) = k\rho(X)$

Interpretation: Increasing the size of a portfolio by a factor k should result in a proportionate scale in its risk measure. For instance, if we increase the portfolio size by a quarter, then the risk should be increased by a quarter.

IV. Translation invariance: $\rho(X + h) = \rho(X) - h$

Interpretation: Adding cash h to a portfolio should reduce its risk by h. Like X, h is measured in dollars. This property reflects that more cash acts as a "loss absorber" and can be taken as a replacement for capital.

If a risk measure satisfies all four properties, then it is a coherent risk measure. Expected shortfall is a coherent risk measure, but VaR is not.

Why VaR is Not a Coherent Risk Measure

Value at risk is not a coherent risk measure because it fails the subadditivity test. Here's an illustration:

Suppose we want to calculate the VaR of a portfolio at 95% confidence over the next year of two zero-coupon bonds (A and B) scheduled to mature in one year. In this instance, we'll assume that:

The current yield on each of the two bonds is 0.

The bonds have different issuers.

Each bond has a probability of 4% of defaulting over the next year.

The event of default in either bond is independent of the other.

The recovery rate upon default is 30%.

Given these conditions, the 95% VaR for holding either of the bonds is 0 because the probability of default is less than 5%. Now, what is the probability 'P' that at least one bond defaults?

$$P = 0.04 \times 0.96 + 0.96 \times 0.04 + 0.04 \times 0.04 = 7.84\%$$

The probability of at least one default is 7.84%, which exceeds 5%.

So, if we held a portfolio that consisted of 50% A and 50% B, then the 95% VaR = 0.7 × 0.5 + 0 × 0.5 = 35%

This violates the subadditivity principle, and VaR is, therefore, not a coherent risk measure.
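The two-bond illustration above, together with the earlier discrete VaR and ES examples, can be checked numerically. The following Python sketch is an added example, not part of the original reading; the function names are hypothetical, losses are expressed as a fraction of face value, and the VaR routine applies the reading's convention of averaging the two candidate values when the confidence level falls exactly on a cumulative-probability boundary.

```python
from itertools import product


def var_discrete(dist, conf, tol=1e-9):
    """VaR of a discrete loss distribution given as [(loss, probability), ...].

    Walk the cumulative distribution from the smallest loss upward and return
    the loss whose cumulative range contains `conf`. If `conf` sits exactly on
    a boundary, average the two neighbouring losses (the reading's rule).
    """
    items = sorted(dist)
    cum = 0.0
    for i, (loss, prob) in enumerate(items):
        cum += prob
        if abs(cum - conf) <= tol and i + 1 < len(items):
            return (loss + items[i + 1][0]) / 2
        if cum > conf:
            return loss
    return items[-1][0]


def es_discrete(dist, conf):
    """Expected shortfall: probability-weighted average loss over the worst
    (1 - conf) of the distribution, taking mass from the largest loss down."""
    tail = 1.0 - conf
    remaining, total = tail, 0.0
    for loss, prob in sorted(dist, reverse=True):
        take = min(prob, remaining)
        total += take * loss
        remaining -= take
        if remaining <= 1e-12:
            break
    return total / tail


def combine(dist_a, dist_b, w_a, w_b):
    """Loss distribution of the portfolio w_a*A + w_b*B for independent A, B."""
    out = {}
    for (loss_a, p_a), (loss_b, p_b) in product(dist_a, dist_b):
        loss = round(w_a * loss_a + w_b * loss_b, 10)
        out[loss] = out.get(loss, 0.0) + p_a * p_b
    return sorted(out.items())


def subadditivity_gap(measure, dist_a, dist_b, w_a, w_b, conf):
    """measure(portfolio) minus the weighted sum of stand-alone measures.
    A positive gap means the measure violates subadditivity for this case."""
    portfolio = measure(combine(dist_a, dist_b, w_a, w_b), conf)
    standalone = w_a * measure(dist_a, conf) + w_b * measure(dist_b, conf)
    return portfolio - standalone


# Each bond: 4% default probability, 30% recovery, so the loss is 0.7 on default.
BOND = [(0.0, 0.96), (0.7, 0.04)]

if __name__ == "__main__":
    print("VaR gap:", subadditivity_gap(var_discrete, BOND, BOND, 0.5, 0.5, 0.95))
    print("ES gap: ", subadditivity_gap(es_discrete, BOND, BOND, 0.5, 0.5, 0.95))
```

The VaR gap is positive (0.35 against a stand-alone total of 0), while the ES gap is negative, which is the behaviour the coherence discussion describes.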

Practice Question

Ann Conway, FRM, has spent the last several months trying to develop a new risk measure to appraise a set of defaultable zero-coupon bonds owned by her employer. Prior to its use, her supervisor has asked her to demonstrate that it is a coherent risk measure. The results are listed below:

Given:

x and y are state-contingent payoffs of two different bond portfolios.

P(x) and P(y) are risk measures for portfolio x and portfolio y.

k and l are arbitrary constants, with k > 0.

Which of the following equations shows that Conway's risk measure is not coherent?

A. P(kx) = kP(x)

B. P(x) + P(y) ≥ P(x+y)

C. P(x) ≤ P(y) if x ≤ y

D. P(x+l) = P(x) − l

The correct answer is C.

Option C, as represented above, shows that the risk measure does not satisfy the monotonicity property. Monotonicity requires that P(x) ≥ P(y) if x ≤ y. (If a portfolio has systematically lower values than another, in each state of the world, it must have a greater risk.)

Option A demonstrates that the measure satisfies the homogeneity property.

Option B demonstrates that the measure satisfies the subadditivity property.

Option D demonstrates that the measure satisfies the translation invariance property.

Reading 48: Calculating and Applying VaR

After completing this reading, you should be able to:

Explain and give examples of linear and nonlinear derivatives.

Describe and calculate VaR for linear derivatives.

Describe and explain the historical simulation approach for computing VaR and ES.

Describe the delta-normal approach for calculating VaR for nonlinear derivatives.

Describe the limitations of the delta-normal method.

Explain structured Monte Carlo and stress testing methods for computing VaR, and identify

strengths and weaknesses of each approach.

Describe the implications of correlation breakdown for scenario analysis.

Describe the worst-case scenario (WCS) analysis and compare WCS to VaR.

Linear and Nonlinear Portfolios

A linear portfolio linearly depends on the changes in the values of its corresponding variables (risk factors). For instance, consider a portfolio consisting of 100 shares, each valued at USD 100. The change in portfolio value (ΔP) is attributed to the change in the share price, which can be denoted by ΔS, and therefore the change in portfolio value is given by:

$$\Delta P = 100\Delta S$$

The value of the portfolio is USD 10,000 (=100×100). Now, if we introduce the effect of the interest rate, the change in the value of the portfolio will be given by:

$$\Delta P = 100\Delta r$$

Generally, consider a portfolio consisting of long and short positions in stocks. The change in a linear portfolio is given by:

$$\Delta P = \sum_i n_i \Delta S_i$$

Where:

$n_i$ = Number of shares of stock i in the portfolio.

$S_i$ = The price of stock i.

Intuitively, the amount invested in stock i is $n_i S_i$, and the price change is $\Delta S_i$.

Now, if we multiply the above equation by $\frac{S_i}{S_i}$, we have:

$$\Delta P = \sum_i n_i \Delta S_i \times \frac{S_i}{S_i} = \sum_i n_i S_i \frac{\Delta S_i}{S_i}$$

Let $q_i = n_i S_i$ and $\Delta r_i = \frac{\Delta S_i}{S_i}$, then

$$\Delta P = \sum_i q_i \Delta r_i$$

Note that $q_i$ is the amount invested in stock i, and $\Delta r_i = \frac{\Delta S_i}{S_i}$ is the return on stock i.

Therefore, we can say the portfolio change is a linear function of the change in stock prices or the change in stock returns.

Nonlinear portfolios contain complex securities that are not linear. For instance, consider a portfolio made of call options. The payoff from the call option is nonlinear because the payoff is zero if the stock price is less than the strike price at maturity and S − K if the stock price is higher than the strike price K.

Note, however, that a forward contract is an example of a derivative whose value is a linear function of the asset because even if the contracts do give a payoff, the holder is obligated to buy the asset at a future time T at agreed price K. As such, in case the asset provides no income, then the forward contract's value is given by:

$$S - PV(K)$$

Where S is the current asset price, and PV(K) denotes the present value of the future price K.

The figure below shows the relationship between the value of a forward contract and the underlying asset.

From the figure above, it is correct to say that a person who agrees to buy an asset at a future time is actually in a position to own the asset today but pay for it at a future time. Now, the value of owning the asset today is S, and the present value of what will be paid for the asset at the future time is PV(K). This proves the formula above for the value of the forward contract.

VaR for Linear Derivatives

In general terms, the VaR of a linear derivative can be expressed as:

$$VaR_{\text{linear derivative}} = \Delta \times VaR_{\text{underlying factor}}$$

Where Δ represents the sensitivity of the derivative's price to the price of the underlying asset. It is usually expressed as a percentage.

Example: VaR for Linear Derivatives

Suppose the permitted lot size of S&P 500 futures contracts is 300 and multiples thereof, what is the VaR of an S&P 500 futures contract?

$$VaR_{\text{S\&P 500 futures contract}} = 300 \times VaR_{\text{S\&P 500 index}}$$

Calculating VaR and Expected Shortfall Using Historical Simulation

Historical simulation is used to calculate one-day VaR and ES. However, for longer periods T it is assumed that,

$$VaR(T, X) = \sqrt{T} \times VaR(1, X)$$

$$ES(T, X) = \sqrt{T} \times ES(1, X)$$

VaR(T, X) = Value at risk for a time horizon of T days and confidence level X.

ES(T, X) = Expected shortfall for a time horizon of T days and confidence level X.

The above estimates assume that the portfolios' changes are normally distributed with a mean of zero and independent of each other.

The historical simulation procedure involves the following steps:

i. Identifying market variables or risk factors - The first step involves identifying market variables (risk factors) on which the portfolio value depends. Examples of such variables include commodity prices, equity prices, and volatilities.

ii. Collecting data on the behavior of risk factors - Once risk factors have been identified, the data on the behavior of these risk factors in the past is collected. In this section, it is presumed to be the immediate past.

iii. Creating scenarios - After past data has been collected, scenarios are built by assuming that each risk factor's change over the next day corresponds to a change observed during one of the past days.

Risk factors are broadly classified into:

i. Those whose past percentage change is used to define the future percentage change, for example, stock prices and exchange rates.

ii. Those whose past actual change is used to define an actual change in the future, for example, interest rates and credit spreads.

Example: Illustration of Historical Simulation

A portfolio is assumed to depend on many risk factors. For clarity, let us assume three risk factors (exchange rates, interest rates, and stock price) observed over the past 300 days (longer periods, such as 500 days, are usually considered). The most recent 301 days of historical data is as follows:

| Day | Stock Price (USD) | Exchange rates (USD/CAD) | Interest rate (%) | Portfolio Value (USD millions) |
|---|---|---|---|---|
| 0 | 30 | 1.3901 | 3.51 | 60.0 |
| 1 | 34 | 1.4000 | 2.64 | 62.5 |
| 2 | 40 | 1.3921 | 2.52 | 61.25 |
| .. | .. | .. | .. | .. |
| 298 | 42 | 1.3876 | 2.40 | 65.0 |
| 299 | 40 | 1.3910 | 2.45 | 60.25 |
| 300 | 60 | 1.4021 | 2.50 | 71.25 |

Assuming that today is the 300th day, we need to know what will happen between today and tomorrow (301st day). To achieve this, we use the above data to create 300 scenarios (that is why we have 301-day historical data).

In the first scenario, we will assume that the risk factors behave in a similar manner between days 300 and 301 as they did between days 0 and 1. For instance, in the first scenario, the stock price increased by 13% $(= \frac{34}{30} - 1)$, and therefore the stock price on day 301 is USD 68 $[= (\frac{34}{30} - 1) \times 60]$. The exchange rate increased by 0.7% $(= \frac{1.400}{1.3901} - 1)$, and thus, we expect the exchange rate for the 301st day to be 1.4121 $(= 1.4021[\frac{1.400}{1.3901} - 1])$. The interest rate decreased by 0.87% (2.64%-3.51%), and thus the 301st interest rate is 1.63% (2.50%-0.87%).

The calculation of the values of the second and subsequent scenarios' risk factors is similar to the first scenario calculation. For the second scenario, assume that the risk factors behave in a similar manner as they did between days 1 and 2. This will create the following table.

| Scenario | Stock Price (USD) | Exchange rates (USD/CAD) | Interest rate (%) | Portfolio Value (USD millions) | Loss |
|---|---|---|---|---|---|
| 1 | 68 | 1.4121 | 3.37 | 70.25 | 1.0 |
| 2 | 71 | 1.3922 | 2.38 | 72.15 | 0.9 |
| .. | .. | .. | .. | .. | .. |
| 299 | 57.14 | 1.3910 | 2.55 | 71.25 | 0 |
| 300 | 90 | 1.4021 | 2.55 | 73.25 | 2.0 |

The risk factor values for the scenario table are directly calculated from the historical data table. The scenario portfolio values are generated based on the risk factors. We assume that the current portfolio value is USD 71.25 million (300th day's value). After generating the portfolio values, we calculate the losses while attaching a negative to create a loss distribution.

Assume that the first scenario's portfolio value is 70.25, 72.15 for the second scenario, and so on. Therefore, the loss for the first scenario is 1.00 (=71.25-70.25), and for the second scenario is 0.9 (71.25-72.15), and so on.

In order to calculate the VaR and the expected shortfall, we ought to arrange the scenario losses from the largest to the smallest. Assume that in our example, we wish to calculate one-day VaR and ES at a 99% confidence level. The sorted losses are as follows:

| Scenario | Loss |
|---|---|
| 200 | 3.9 |
| 10 | 3.0 |
| 25 | 2.5 |
| 100 | 2.0 |
| ... | ... |

In this case, VaR is equivalent to the third-worst loss since the third-worst loss is the first percentile point of the distribution, i.e., $\frac{3}{300} = 0.01$. Therefore, VaR = 2.5 million.

By definition, the expected shortfall is calculated as the average of the losses that are worse than the VaR. In this case,

$$ES = \frac{1}{2}(3.9 + 3.0) = 3.45 \text{ million}$$

Example: Calculating VaR Using the Historical Simulation Method

The following are hypothetical ten worst returns for an asset B from 120 days of data for 6 months. Find the 1-day 5% VaR and the ES for B.

-3.45%, -14.12%, -15.72%, -10.92%, -5.50%, -3.56%, -6.90%, -2.50%, -5.30%, -4.31%.

Solution

First, we rearrange starting with the worst day, to the least bad day, as shown below:

-15.72%, -14.12%, -10.92%, -6.90%, -5.50%, -5.30%, -4.31%, -3.56%, -3.45%, -2.50%.

The VaR corresponds to the (5% × 120) = 6th worst day = -5.30%. However, recall that VaR need not be represented as a negative.

This implies that there is a 95% probability of getting at most a 5.3% loss.

The expected shortfall (ES) is calculated as the average of the losses that are worse than the VaR. In this case,

$$ES = \frac{15.72\% + 14.12\% + 10.92\% + 6.90\% + 5.50\%}{5} = 10.63\%$$
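The historical simulation procedure and both worked examples above can be reproduced in a few lines. The Python sketch below is an added example, not code from the original reading; the function names are hypothetical and the sample rows are the first three days and day 300 of the illustration's data table. A "pct" factor scales today's value by the historical ratio (60 × 34/30 = 68 for the stock), while an "abs" factor adds the historical difference to today's value.

```python
def build_scenarios(history, today, kinds):
    """Create one scenario per pair of consecutive historical days.

    history: list of {factor: value} dicts, oldest day first
    today:   {factor: value} on the most recent day
    kinds:   {factor: "pct" | "abs"}; "pct" factors reuse the past percentage
             change (stock prices, exchange rates), "abs" factors reuse the
             past actual change (interest rates, credit spreads)
    """
    scenarios = []
    for prev, nxt in zip(history, history[1:]):
        scenario = {}
        for name, kind in kinds.items():
            if kind == "pct":
                scenario[name] = today[name] * nxt[name] / prev[name]
            elif kind == "abs":
                scenario[name] = today[name] + (nxt[name] - prev[name])
            else:
                raise ValueError(f"unknown factor kind: {kind}")
        scenarios.append(scenario)
    return scenarios


def hist_var_es(losses, conf, n_obs=None):
    """VaR and ES from scenario losses (positive number = loss).

    n_obs is the total number of scenarios when only the worst few losses are
    supplied, as in the ten-worst-returns example. VaR is the k-th worst loss
    with k = (1 - conf) * n_obs; ES averages the k - 1 losses worse than VaR.
    """
    n = n_obs if n_obs is not None else len(losses)
    k = round((1 - conf) * n)
    if k < 2 or k > len(losses):
        raise ValueError("need between 2 and len(losses) tail observations")
    worst = sorted(losses, reverse=True)
    var = worst[k - 1]
    es = sum(worst[: k - 1]) / (k - 1)
    return var, es


# Sample rows taken from the illustration's historical data table.
HISTORY = [
    {"stock": 30, "fx": 1.3901, "rate": 3.51},  # day 0
    {"stock": 34, "fx": 1.4000, "rate": 2.64},  # day 1
    {"stock": 40, "fx": 1.3921, "rate": 2.52},  # day 2
]
TODAY = {"stock": 60, "fx": 1.4021, "rate": 2.50}  # day 300
KINDS = {"stock": "pct", "fx": "pct", "rate": "abs"}

# Ten worst daily returns of asset B out of 120 days, written as losses in %.
TEN_WORST = [3.45, 14.12, 15.72, 10.92, 5.50, 3.56, 6.90, 2.50, 5.30, 4.31]

if __name__ == "__main__":
    for number, scenario in enumerate(build_scenarios(HISTORY, TODAY, KINDS), 1):
        print(number, {k: round(v, 4) for k, v in scenario.items()})
    print(hist_var_es(TEN_WORST, 0.95, n_obs=120))
```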

Valuing portfolios

Before we look at the delta-normal model, we will briefly look at the full revaluation approach. Under this approach, the VaR of a portfolio is established by fully repricing the portfolio under a set of scenarios over a period of time.

However, a full revaluation of a portfolio for many scenarios is a time-consuming activity. One approach to address this challenge is to use Greek letters. The Greek letters are the hedging parameters used by analysts to quantify and manage risks.

One of the crucial Greek letters, delta (δ), is defined as:

$$\delta = \frac{\Delta P}{\Delta S}$$

Where ΔS is a small change in a risk factor such as the stock price and ΔP is the corresponding change in the portfolio value. Therefore, delta can be defined as the change of the portfolio value with respect to the change in the risk factor.

For instance, consider stock price as a risk factor. If the delta of a portfolio with respect to the stock price is USD 100, it implies that the portfolio value changes by USD 100 if the stock price changes by 1 USD.

From the delta formula, we express the change in the portfolio value as:

$$\Delta P = \delta\Delta S$$

Generally, if we have multiple risk factors, we find each risk factor's effect and sum it up. That is, if we have i risk factors, then the change in the portfolio would be:

$$\Delta P = \sum_i \delta_i \Delta S_i$$

However, the delta concept gives relatively accurate estimates in linear portfolios as compared to nonlinear portfolios.

The accuracy for nonlinear portfolios can be enhanced by including another Greek letter, gamma (γ), so that the delta-gamma formula is given by:

$$\Delta P = \delta\Delta S + \frac{1}{2}\gamma(\Delta S)^2$$

In case of multiple risk factors, the above equation changes to:

$$\Delta P = \sum_i \delta_i \Delta S_i + \frac{1}{2}\sum_i \gamma_i(\Delta S_i)^2$$

The Delta-normal Model

The delta-normal model is based on the equation (as seen earlier):

$$\Delta P = \sum_i \delta_i \Delta S_i$$

Note that this equation gives an exact value in a linear portfolio and an approximate value in nonlinear portfolios.

Also, recall that we have two types of risk factors:

1. Those whose past percentage change is used to define the future percentage change.

2. Those whose past actual change is used to define an actual change in the future.

To accommodate both types of risk factors, the equation above is written as:

$$\Delta P = \sum_i a_i x_i$$

For risk factors where percentage changes are used, $a_i = \frac{\Delta S_i}{S_i}$ and $x_i = \delta_i S_i$.

And for the risk factors where actual changes are considered, $a_i = \Delta S_i$ and $x_i = \delta_i$.

From the resulting equations, the mean and the standard deviation of the change in portfolio value can be calculated as:

$$\mu_P = \sum_{i=1}^{n} a_i\mu_i$$

$$\sigma_P^2 = \sum_{i=1}^{n}\sum_{j=1}^{n} a_i a_j \rho_{ij}\sigma_i\sigma_j$$

Where:

$\mu_i$ and $\sigma_i$ are the mean and standard deviation of $x_i$, respectively.

$\rho_{ij}$ is the coefficient of correlation between $x_i$ and $x_j$.

The formula for the standard deviation can be written as:

$$\sigma_P^2 = \sum_i a_i^2\sigma_i^2 + 2\sum_{i>j} a_i a_j \rho_{ij}\sigma_i\sigma_j$$

Assuming that the portfolio changes are normally distributed, we can comfortably compute VaR and ES. Remember that VaR and ES are given by:

$$VaR = \mu_P + \sigma_P U$$

$$ES = \mu_P + \sigma_P\left(\frac{e^{-\frac{U^2}{2}}}{(1 - X)\sqrt{2\pi}}\right)$$

Where:

X = Confidence level

U = Point on the normal distribution where X is exceeded

For instance, if X=95% then $U = \Phi^{-1}(0.05) = -1.645$.

At this point, you might guess where the name "delta-normal" comes from: the model uses deltas of the risk factors and assumes that the portfolio changes are normally distributed.

A typical assumption is that the mean change in the risk factor is zero. This assumption is sometimes not reasonable but is useful when dealing with short time periods. This is because the mean is less than the standard deviation for short periods when dealing with portfolio value changes. As such, VaR and ES are given by:

$$VaR = \sigma_P U$$

$$ES = \sigma_P\left(\frac{e^{-\frac{U^2}{2}}}{(1 - X)\sqrt{2\pi}}\right)$$

Example: Calculating Expected Shortfall and VaR Using Delta-normal Model

The investment return over a period of time has a normal loss distribution with a mean of -100 and a variance of 400.

Using the delta-normal model, calculate the 99% Expected Shortfall and the 99% VaR of the loss distribution.

Solution

$$ES = \sigma_p\left(\frac{e^{-\frac{U^2}{2}}}{(1 - X)\sqrt{2\pi}}\right) = 20\left(\frac{e^{-\frac{2.33^2}{2}}}{(1 - 0.99)\sqrt{2\pi}}\right) = 52.85$$

Where X is the confidence level and U is the point on the normal distribution where X is exceeded.

The 99% VaR is given by:

$$VaR = \sigma_p U = 20 \times (-2.33) = -46.6$$

Limitations of Delta-normal Model

The method has several disadvantages, chief among them being that:

It is computationally easy but quite inaccurate compared to other VaR measurement methods. Put more precisely, it may underestimate the occurrence of extreme losses because it relies on the normal distribution.

This method is accurate for small moves of the underlying, but quite inaccurate for large moves. As we can see from the following graph, the slope of the green line is entirely different from the slope of the blue line:

For large changes in a nonlinear derivative, we must use the delta + gamma approximation, or full revaluation, as discussed earlier.

Using Monte Carlo Simulation to Calculate VaR and ES

The Monte Carlo approach is similar to that of the historical simulation. It is noteworthy, though, that the Monte Carlo simulation produces scenarios by randomly selecting samples from the distribution assumed for the risk factors instead of using historical data. Monte Carlo simulations work for both linear and nonlinear portfolios.

If, for instance, we assume that risk factor changes have a multivariate normal distribution (as in delta-normal), the Monte Carlo procedure is as follows:

Step 1: Calculate the value of the portfolio today using the current values of the risk factors.

Step 2: Sample once from the multivariate normal probability distribution of Δx_i. Sampling should be consistent with the assumed standard deviations and correlations, which are usually approximated from historical data.

Step 3: Using the sample values of Δx_i, determine the values of the risk factors at the end of the period being considered (such as one day).

Step 4: Revalue the portfolio using these new risk factor values.

Step 5: Subtract the revalued portfolio value from the current portfolio value to determine the loss.

Step 6: Repeat steps 2 to 5 multiple times to come up with a probability distribution for the loss.

For instance, if a total of 500 trials are conducted in a Monte Carlo simulation, then 99% VaR for the period under consideration will be the fifth-worst loss. Therefore, the expected shortfall will be the average of the four losses worse than VaR.
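The six steps above, as an added example that is not part of the original notes: 500 Monte Carlo trials on a constructed two-factor portfolio (a call option position plus a stock position; every parameter is an assumption), with the 99% VaR read off as the fifth-worst loss and ES as the average of the four worse losses. The same scenarios are also valued with the linear (delta) approximation so the two loss figures can be compared.

```python
import math
import random

# Constructed portfolio (all values are assumptions for illustration):
# 1,000 six-month at-the-money calls on stock 1 plus 400 shares of stock 2.
S1, STRIKE, RATE, VOL1, EXPIRY = 100.0, 100.0, 0.02, 0.20, 0.5
S2, VOL2 = 50.0, 0.30
N_CALLS, N_SHARES = 1000, 400
RHO = 0.4              # assumed correlation between the two daily returns
TRADING_DAYS = 252


def norm_cdf(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def bsm_call(spot):
    """Black-Scholes-Merton value and delta of the call on stock 1."""
    d1 = (math.log(spot / STRIKE) + (RATE + 0.5 * VOL1 ** 2) * EXPIRY) / (
        VOL1 * math.sqrt(EXPIRY))
    d2 = d1 - VOL1 * math.sqrt(EXPIRY)
    value = spot * norm_cdf(d1) - STRIKE * math.exp(-RATE * EXPIRY) * norm_cdf(d2)
    return value, norm_cdf(d1)


def portfolio_value(s1, s2):
    return N_CALLS * bsm_call(s1)[0] + N_SHARES * s2


def simulate_losses(trials=500, seed=7):
    """Return (full-revaluation losses, delta-approximation losses)."""
    rng = random.Random(seed)
    sd1 = VOL1 / math.sqrt(TRADING_DAYS)      # one-day standard deviations
    sd2 = VOL2 / math.sqrt(TRADING_DAYS)
    value_today = portfolio_value(S1, S2)     # Step 1
    delta = bsm_call(S1)[1]
    full, linear = [], []
    for _ in range(trials):                   # Step 6
        # Step 2: correlated normal draws (2x2 Cholesky factor written out).
        z1, z2 = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)
        dx1 = sd1 * z1
        dx2 = sd2 * (RHO * z1 + math.sqrt(1.0 - RHO ** 2) * z2)
        # Step 3: risk factor values at the end of the day.
        s1, s2 = S1 * (1.0 + dx1), S2 * (1.0 + dx2)
        # Steps 4-5: revalue and take the loss (one day of time decay ignored).
        full.append(value_today - portfolio_value(s1, s2))
        # Linear approximation of the same scenario, for comparison.
        linear.append(-(N_CALLS * delta * (s1 - S1) + N_SHARES * (s2 - S2)))
    return full, linear


def var_es(losses, confidence=0.99):
    """VaR = k-th worst loss, ES = average of the k-1 losses worse than VaR."""
    ordered = sorted(losses, reverse=True)
    k = round((1.0 - confidence) * len(ordered))
    if k < 2:
        raise ValueError("too few trials to have losses beyond VaR")
    return ordered[k - 1], sum(ordered[:k - 1]) / (k - 1)


def scale_to_horizon(one_day_measure, days):
    """Square-root-of-time scaling of a one-day VaR or ES."""
    return math.sqrt(days) * one_day_measure


if __name__ == "__main__":
    full, linear = simulate_losses()
    var_full, es_full = var_es(full)
    var_lin, es_lin = var_es(linear)
    print(f"Full revaluation: VaR {var_full:,.0f}  ES {es_full:,.0f}")
    print(f"Delta (linear):   VaR {var_lin:,.0f}  ES {es_lin:,.0f}")
    print(f"10-day VaR (full): {scale_to_horizon(var_full, 10):,.0f}")
```

Because the long call is convex in the stock price, the linear loss is at least as large as the full-revaluation loss in every scenario, so the linear VaR cannot come out below the full-revaluation VaR.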

Like other approaches, Monte Carlo simulation computes one-day VaR, and therefore, the following

equations apply when we want to compute T-day time horizon VaR and ES:

$$\text{VaR}(T, X) = \sqrt{T} \times \text{VaR}(1, X)$$

$$\text{ES}(T, X) = \sqrt{T} \times \text{ES}(1, X)$$

Monte Carlo simulation is slow because it is computationally intensive. This can be explained by the fact that portfolios considered are usually huge, and evaluating each one of them in each trial is quite time-consuming. To address this challenge, the delta-gamma approach can be used (as discussed earlier) to determine the change in the portfolio value. This is called partial simulation.

The delta-normal model assumes a normal distribution for the risk factors. Monte Carlo simulation, however, can use any distribution for the risk factors, provided that the correlation between the risk factors can be defined.

Estimating the Parameter Values

To execute the Monte Carlo simulation or delta-normal model, an approximation of the standard

deviations and correlations of either percentage or actual changes of the risk factors is necessary.

The approximation of these parameters is made using recent historical data. More weights can be applied to more recent data using models such as GARCH(1,1), which we will see in the following chapter.

In the case of stressed VaR and ES, standard deviations and correlations should be estimated from a past period that would be considered stressful to the current portfolio.

Correlation Breakdown

During stressed market conditions, standard deviations as well as correlations increase. This phenomenon was witnessed during the 2007-2008 financial crisis, where default rates of mortgages increased all over the US.

Therefore, correlations in a high volatility period are quite different from those of normal market conditions. This phenomenon is referred to as a correlation breakdown. As such, when calculating VaR or ES, risk managers might need to determine what will happen in extreme market conditions.

Worst-case Scenario Analysis

Worst-case scenario analysis focuses on extreme losses at the tail end of a distribution. First, firms assume that an unfavorable event is certain to occur. They then attempt to establish its possible worst outcomes.

WCS analysis dissects the tail further to establish the range of worst-case losses that could be

incurred. For example, within the lowest 5% of returns, we can construct a "secondary" distribution

that specifies the 1% WCS return.

WCS analysis complements the VaR, and here is how. Recall that the VaR specifies the minimum loss for a given percentage, but it stops short of establishing the severity of losses in the tail. WCS analysis goes a step further to describe the distribution of extreme losses more precisely.
Practice Questions

Question 1

A risk manager wishes to calculate the VaR for a Nikkei futures contract using the historical simulation approach. The current price of the contract is 955, and the multiplier is 250. For the last 300 days, the following return data has been recorded:

-7.8%, -7.0%, -6.2%, -5.2%, -4.6%, -3.2%, -2.0%, …, 3.8%, 4.2%, 4.8%, 5.1%, 6.3%, 6.8%,

7.0%

What is the VaR of the position at 99% using the historical simulation methodology?

A. $12,415

B. $16,713

C. $18,623

D. $14,803

The correct answer is D.

The 99% return among 300 observations would be the third-worst observation among the returns ((1 − 0.99) × 300 = 3).

Among the returns given above, the third-worst return is −6.2%. As such,

VaR (99%) = 6.2% × 955 × 250 = 14,802.50

A is incorrect. This answer incorrectly uses the fourth-worst observation as the 99% return among 300 observations.

B is incorrect. This answer incorrectly uses the second-worst observation as the 99% return among 300 observations.

C is incorrect. This answer incorrectly uses the worst observation as the 99% return among 300 observations.

Question 2

Bank X and Bank Y are two competing investment banks that are calculating the 1-day

99% VaR for an at-the-money call on a non-dividend-paying stock with the following

information:

Current stock price: USD 100

Estimated annual stock return volatility: 20%

Current Black-Scholes-Merton option value: USD 4.80

Option delta: 0.7

To compute VaR, Bank X uses the linear approximation method, while Bank Y uses a

Monte Carlo simulation method for full revaluation. Which bank will estimate a higher

value for the 1-day 99% VaR?

A. Bank X.

B. Bank Y.

C. Both will have the same VaR estimate.

D. Insufficient information to determine.

The correct answer is A.

The option’s return function is convex with respect to the value of the underlying. Therefore, the linear approximation method will always underestimate the true value of the option for any potential change in price. As such, the VaR will always be higher under the linear approximation method than a full revaluation conducted by Monte Carlo simulation analysis. The difference is the bias resulting from the linear approximation, and this bias increases in size with the change in the option price and with the holding period.

As a quick summary, linear approximation underestimates the true price of the option (see the graph below), and as such, overestimates the value-at-risk.
Reading 50: External and Internal Credit Ratings

After completing this reading, you should be able to:

Describe external rating scales, the rating process, and the link between ratings and

default.

Describe the impact of time horizon, economic cycle, industry, and geography on external

ratings.

Define and use the hazard rate to calculate the unconditional default probability of a credit

asset.

Define recovery rate and calculate the expected loss from a loan.

Explain and compare the through-the-cycle and point-in-time internal ratings approaches.

Describe alternative methods to credit ratings produced by rating agencies.

Compare external and internal ratings approaches.

Describe and interpret a ratings transition matrix and explain its uses.

Describe the relationships between changes in credit ratings and changes in stock prices,

bond prices, and credit default swap spreads.

Explain historical failures and potential challenges to the use of credit ratings in making

investment decisions.

A Description of External Rating Scales and the Rating Process

An external rating scale is a scale used as an ordinal measure of risk. The highest grade on the scale represents the least risky investments, but as we move down the scale, the amount of risk gradually increases (safety decreases).

An issue-specific credit rating conveys information about a specific instrument, such as a zero-coupon bond issued by a corporate entity. An issuer-specific credit rating, on the other hand, conveys information about the entity behind an issue. The latter usually incorporates a lot more information about the issuer.

Here are S&P’s and Moody’s credit rating scores for long-term obligations:

The successive move down the scale represents an increase in risk. In the case of Moody’s ratings, Baa and above are said to be investment-grade while those below this level are said to be non-investment-grade.

In the case of S&P’s, ratings BBB and above are investment-grade. All the others are non-investment-grade.

The Rating Process

The process leading up to the issuance of a credit rating follows certain steps. These are:

I. A qualitative analysis of the company, including assessments of the quality of management

and competitive aspects

II. A quantitative analysis of financials such as ratio analysis

III. A meeting with the firm’s management

IV. A meeting of the rating agency committee assigned to rating the firm

V. A notification is sent to the rated firm detailing the assigned rating

VI. A fee is paid to the rating agency.

VII. The rated firm has a window to appeal the assigned rating or offer new information

VIII. The assigned rating is published

Outlooks and Watchlists

Apart from the ratings themselves, the rating agencies also provide outlooks, which show the changes likely to be experienced over the medium term.

A positive outlook indicates that a rating is likely to be raised.

A negative outlook indicates that a rating is likely to be lowered.

A stable outlook shows that the rating is stationary.

A developing outlook is an evolving one in which we can’t tell the direction of the change.

When a rating is placed on a watchlist, it shows that a very small short-term change is expected.

Rating Stability

Rating stability is necessary since ratings are mainly used by bond traders. If the ratings were to change frequently, bond traders would be required to trade more frequently and, in that case, would be likely to incur a lot of transaction costs.

Rating stability is also important because ratings are used in financial contracts, and if the ratings vary for different bonds, it would be difficult to administer the underlying contracts.

The Impact of Time Horizon, Economic Cycle, Industry, and Geography on External Ratings

Time Horizon

The probability of default given any rating at the beginning of a cycle increases with the time horizon. Non-investment-grade bonds are the worst hit. Their default probabilities can dramatically increase within a short time.

Economic Cycle

Since ratings are generally produced with an eye on a long-term period, they must take into account

any economic/industrial cycle on the horizon. Rating agencies make efforts to incorporate the

effects associated with an economic cycle in their ratings. Although this practice is generally valid, it

can lead to underestimation or overestimation of default if the predicted economic cycle doesn’t play

out exactly as expected. Put precisely, the probability of default can be underestimated if an

economic recession occurs, or overestimated if an economic boom occurs. In addition, the default

rate of lower-grade bonds is correlated with the economic cycle, while the default rate of high-grade

bonds is fairly stable.

Industry and Geographic Consistency

Two firms in different industries – say, banking and manufacturing – could have the same rating, but the probability of default may be higher for one of the firms than for the other. What does that mean? The implication here is that for a given rating category, default rates can vary from industry to industry. However, there’s little evidence to support the notion that geographic location has a similar effect.
Hazard Rate

Consider a firm defaulting in a very short time, that is, δt.

The task is to answer the question, “What is the conditional probability of a firm defaulting between time t and time t + δt, given that there is no default before time t?”

We can denote this by hδt, where h is the hazard rate, that is, the rate at which defaults are happening at time t.

Unconditional default probabilities can be calculated using the hazard rates.

Suppose that $\bar{h}$ is the average hazard rate between time 0 and time t.

Then, the unconditional probability of default between time 0 and t is

$$1 - \exp(-\bar{h}t)$$

and the survival probability to time t is therefore given by

$$\exp(-\bar{h}t)$$

and the unconditional probability of default between time $t_1$ and $t_2$ is given by the expression

$$\exp(-\bar{h}_1 t_1) - \exp(-\bar{h}_2 t_2)$$

where $\bar{h}_1$ and $\bar{h}_2$ are the average hazard rates between time 0 and times $t_1$ and $t_2$, respectively.

Example: Calculating Default Probabilities Given Hazard Rates

Suppose you have been given a constant hazard rate of 0.05.

Calculate:

a. The probability of default by the end of 2 years.

b. The unconditional probability of defaulting during the 3rd year.

c. The conditional probability of defaulting in the 3rd year, given that the firm has survived until the end of the second year.

Solution

a. The probability of default by the end of the 2nd year is given by:

$$1 - \exp(-ht) = 1 - \exp(-0.05 \times 2) = 0.09516$$

b. The unconditional probability of default during the 3rd year is given by:

$$\exp(-0.05 \times 2) - \exp(-0.05 \times 3) = 0.04413$$

c. The conditional probability of defaulting in the 3rd year, given that the firm has survived until the end of the second year, is given by:

$$\frac{\text{Unconditional probability of a default occurring during the third year}}{\text{Probability of surviving to the end of the second year}} = \frac{0.04413}{1 - 0.09516} = 0.04877$$

Recovery Rates

In the event that a firm goes bankrupt or defaults, it may pay part of the amount of the total loan to the lender. This amount that is repaid, expressed as a percentage, is known as the recovery rate.

Since the loan is not fully repaid, we can calculate the expected loss from the loan over a given period of time as:

Expected Loss = Probability of Default × Loss Given Default


EL = PD × LGD

But since LGD = 1 − Recovery Rate, the expected loss from a loan is also calculated as

EL = PD × (1 − Recovery Rate)

For example, if the recovery rate is 70%, then LGD = 100% − 70% = 30%. Suppose the debt instrument has a notional value of $100 million and that there is a 1% probability of default. Then the expected loss on the loan is $0.3 million.

Comparing the Through-the-Cycle and Point-in-Time Internal Ratings Approaches

Point-in-Time Internal Ratings

Point-in-time ratings, also called at-the-point internal ratings, evaluate the current situation of a customer by taking into account both cyclical and permanent effects. As such, they are known to react promptly to changes in the customer’s current financial situation.

Point-in-time ratings try to assess the customer’s quantitative financial data (e.g. balance sheet information), qualitative factors (e.g. quality of management), and information about the state of the economic cycle. Using statistical procedures such as scoring models, all that information is transformed into rating categories.

Point-in-time ratings are only valid for the short term or medium term, and that’s largely because they take into account cyclic information. They are usually valid for a period not exceeding one year.

Through-the-Cycle Internal Ratings

Through-the-cycle (ttc) internal ratings try to evaluate the permanent component of default risk. Unlike point-in-time ratings, they are said to be nearly independent of cyclical changes in the creditworthiness of the borrower. They are not affected by credit cycles, i.e. they are through-the-cycle. As a result, they are less volatile than at-the-point ratings and are valid for a much longer period (exceeding one year).

Advantages of ttc ratings include:

I. They are much more stable over time compared to at-the-point ratings

II. Because of their low volatility, ttc ratings help financial institutions to better manage customers. Too many rating changes necessitate changes in the way a bank handles a customer, including the products the bank is ready to offer.

One of the disadvantages of ttc ratings over at-the-point ratings is that they can at times be too conservative if the stress scenarios used to develop the rating are frequently materially different from the firm’s current condition. If the firm’s current condition is worse than the stress scenarios simulated, then the ratings may be too optimistic. In fact, ttc ratings have very low default prediction in the short term.

Alternative Methods to Credit Ratings Produced by Rating Agencies

Apart from the commonly known rating agencies, that is, Moody’s, S&P, and Fitch, there are organizations such as KMV and Kamakura that use models to come up with default probabilities and then use these probabilities to provide important information to clients.

Factors considered include:

The amount of debt the firm has in its capital structure.

The market value of the firm’s equity.

The volatility of the firm’s equity.

In the underlying model, a company defaults if the value of its debt exceeds the value of its assets.

Suppose v is the value of the assets and d is the value of the debt. The firm defaults when v < d.

The value of the equity, at a future point in time, is:

Equity = max(v − d, 0)

This implies that equity in a company is a call option on the assets of the firm with a strike price equal to the face value of the debt. The firm defaults if the option is not exercised.

The estimates provided by KMV and Kamakura are point-in-time estimates which are only valid for the short/medium term.

Comparing External and Internal Ratings Approaches

External ratings are produced by independent rating agencies and aim at revealing the financial stability of both lenders and borrowers. For example, Moody’s periodically releases ratings for big banks around the globe. Such ratings are important because banks usually rely on customer deposits and money raised through the issuance of various assets such as bonds to sustain lending. The funds raised this way create a pool of money that is then loaned to borrowers in smaller chunks. Thus, depositors and bond owners use such ratings to assess the riskiness of giving their money to the bank.

Sometimes, however, banks also need their own ratings so as to undertake an independent assessment of the creditworthiness of a specific borrower – either an individual or a corporate. That’s where internal credit ratings come in.

In modern times, internal credit ratings are usually developed based on the techniques used to develop external credit ratings. Such methodology consists of identifying the most meaningful financial ratios and risk factors. These ratios and factors are then assigned weights such that the final rating estimate is close to what a rating agency analyst would come up with. The same indicators are used, albeit with a few adjustments depending on whether the borrower is an individual or a corporate.

One way of carrying out an internal rating is by use of a statistical technique known as Altman’s Z-score. The following ratios need to be provided when using this technique:

i. $X_1$: Working capital to total assets

ii. $X_2$: Retained earnings to total assets

iii. $X_3$: Earnings before interest and taxes to total assets

iv. $X_4$: Market value of equity to book value of total liabilities

v. $X_5$: Sales to total assets

Using discriminant analysis, the Z-score is given by:

$$Z = 1.2X_1 + 1.4X_2 + 3.3X_3 + 0.6X_4 + 0.999X_5$$

A Z-score above 3 means that the firm is not likely to default and when the Z-score is below 3, then

the firm is likely to default.

Nowadays, machine learning algorithms use more than five input variables as compared to Altman’s

Z-score. Also, the functions used in machine learning algorithms can be non-linear.

Some of the factors that have contributed to the increased sophistication of modern internal credit

ratings are:

I. The ever-growing use of external credit rating agency language in financial markets

II. Enforcement of capital requirements such as Basel II

Banks should also ensure that they back-test their procedures for calculating internal ratings. Back-testing requires at least ten years of data. If the default statistics show that firms with higher ratings have performed better than those with low ratings, a bank can then have some confidence in its rating methodology.

Internal ratings have two main uses:

I. Assessing the creditworthiness of a customer during the loan application process

II. To determine the value of inputs used in the modeling of capital required as per the existing

regulations, e.g. Basel II

For these reasons, internal ratings have to be calibrated. This involves establishing a link between the internal rating scale and tables displaying the cumulative probabilities of default. The timeline of such tables must capture all maturities, from, say, 1 year to 30 years. Sometimes, it may be necessary to build different transition matrices that are specific to the asset classes owned by the bank.

Ratings Transition Matrices and Their Uses

A rating transition matrix gives the probability of a firm ending up in a certain rating category at some point in the future, given a specific starting point. The matrix, which is basically a table, uses historical data to show exactly how bonds that begin, say, a 5-year period with an Aa rating, change their rating status from one year to the next. Most matrices show one-year transition probabilities.

Transition matrices demonstrate that the higher the credit rating, the lower the probability of default.

The table below presents an example of a rating transition matrix according to S&P’s rating categories:

One-year transition matrix

Initial   Rating at year end
rating    AAA       AA        A         BBB       BB        B         CCC       Default
AAA       90.81%    8.33%     0.68%     0.06%     0.12%     0.00%     0.00%     0.00%
AA        0.70%     90.65%    7.79%     0.64%     0.06%     0.14%     0.02%     0.00%
A         0.09%     2.27%     91.05%    5.52%     0.74%     0.26%     0.01%     0.06%
BBB       0.02%     0.33%     5.95%     86.93%    5.30%     1.17%     0.12%     0.18%
BB        0.03%     0.14%     0.67%     7.73%     80.53%    8.84%     1.00%     1.06%
B         0.00%     0.11%     0.24%     0.43%     6.48%     83.46%    4.07%     5.20%
CCC       0.22%     0.00%     0.22%     1.30%     2.38%     11.24%    64.86%    19.79%

Exam tips:

Each row corresponds to an initial rating

Each column corresponds to a rating at the end of 1 year. For example, a bond initially rated

BB has an 8.84% chance of moving to a B rating by the end of the year.

The sum of the probabilities of all possible destinations, given an initial rating, is equal to 1 (100%).

You will need to recall the rules of probability from mathematics to come up with n-year

transition probabilities, where n>1.

Credit ratings are more stable over a one-year horizon. Stability decreases with longer

horizons.

The Impact of Rating Changes on Bond Prices, Stock Prices and Credit Default Swap Spreads

Bonds

There’s overwhelming evidence that a rating downgrade triggers a decrease in bond prices. In fact, bond prices sometimes decrease just because there’s a strong possibility of a downgrade. Anxious investors tend to sell bonds whose credit quality is declining.

A rating upgrade triggers an increase in bond prices, although there’s relatively less market evidence

to support this conclusion.

Therefore, the underperformance of bonds whose credit quality has been downgraded is more statistically significant compared to the over-performance of bonds recently upgraded.

Stocks

There’s moderate evidence to support the view that a rating downgrade will lead to a stock price decrease. A ratings upgrade, on the other hand, is somewhat likely to trigger an increase in stock prices.

In practice, the relationship between changes in rating and stock prices can be quite complex and

will usually be heavily impacted by the reason behind the changes. Furthermore, downgrades tend to

have more impact on the stock price compared to upgrades.

Credit Default Swap Spreads

The impact of rating changes on credit default swap spreads has been examined based on outlooks, watchlists, and rating changes. It has been concluded that according to watchlists, reviews for downgrades contain significant information, but this is not the case for downgrades and negative outlooks. On the other hand, positive rating events proved to be much less significant.

In general terms, credit default swap changes seem to anticipate rating changes. The research findings show that credit spread changes provide vital information in estimating the probability of negative credit rating changes.

Historical Failures and Potential Challenges to the Use of Credit Ratings in Making Investment Decisions

During the run-up to the 2007-2008 crisis, rating agencies became much more involved in the rating

of structured products created from portfolios of subprime mortgages.

Rating of structured products relied much more on the model in use. The three common models used were those of S&P, Fitch, and Moody's. S&P and Fitch based their ratings on the probability that the structured product would give a loss. On the other hand, Moody's based its ratings on expected loss as a percentage of the principal. However, the inputs to their models, i.e. the correlations between the defaults on different mortgages, seemed too optimistic. Furthermore, they developed their ratings of structured products from other structured products.

Creators of structured products came to understand the models used by rating agencies, and hence they could create the structured products in a manner that would achieve the ratings they desired. In cases where the desired ratings were not achieved, these structured products could be adjusted until the desired ratings were achieved. Creators of structured products could also pay rating agencies to give structured products higher ratings. Even though the rating companies knew about the decline of lending standards and rising fraud and that their independence was being interfered with, they did not pay attention to this since they found working on structured products to be more profitable.

What followed is that most of the structured products created from mortgages defaulted during the 2007-2008 crisis period. This ruined the reputation of the rating agencies. Currently, rating agencies are subject to more oversight than during the pre-crisis period. Furthermore, bank supervisors no longer use rating agencies to determine regulatory capital.
Questions

Question 1

You have been given the following one-year transition matrix:

Rating    Rating to
from      A       B       CCC     Default
A         80%     10%     10%     0%
B         5%      85%     5%      5%
CCC       0%      10%     70%     20%

Determine the probability that a B-rated firm will default over a two-year period.

A. 5%

B. 4.25%

C. 1%

D. 10.25%

The correct answer is D.

Required probability = Sum of probabilities of all possible paths that could lead to a rating of D (default) after two years.

In other words, in how many ways can a B-rated firm default over a two-year period? The following are the possible paths:

Path                   Probability
B → default            0.05
B → B → default        0.85 × 0.05 = 0.0425
B → CCC → default      0.05 × 0.20 = 0.01
Total                  0.1025
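The path-by-path sum above is one entry of the squared transition matrix. The following added example (not part of the original notes) generalizes it to n-year transition probabilities by matrix multiplication, using the question's matrix with an absorbing Default row appended as an assumption, and reports cumulative, marginal and conditional default probabilities year by year.

```python
RATINGS = ["A", "B", "CCC", "Default"]

# One-year matrix from Question 1. The last row is an added assumption:
# default is treated as absorbing (a defaulted firm stays in default).
ONE_YEAR = [
    [0.80, 0.10, 0.10, 0.00],
    [0.05, 0.85, 0.05, 0.05],
    [0.00, 0.10, 0.70, 0.20],
    [0.00, 0.00, 0.00, 1.00],
]


def validate(matrix, tol=1e-9):
    """Check that the matrix is square and every row is a distribution."""
    n = len(matrix)
    for row in matrix:
        if len(row) != n:
            raise ValueError("transition matrix must be square")
        if any(p < 0 for p in row) or abs(sum(row) - 1.0) > tol:
            raise ValueError("each row must be non-negative and sum to 1")


def multiply(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def n_year_matrix(matrix, years):
    """n-year transition matrix = one-year matrix raised to the n-th power."""
    if years < 1:
        raise ValueError("years must be at least 1")
    validate(matrix)
    result = matrix
    for _ in range(years - 1):
        result = multiply(result, matrix)
    return result


def default_profile(matrix, ratings, start, years):
    """Per year: (year, cumulative PD, PD during the year, PD given survival)."""
    i, d = ratings.index(start), ratings.index("Default")
    profile, previous = [], 0.0
    for year in range(1, years + 1):
        cumulative = n_year_matrix(matrix, year)[i][d]
        marginal = cumulative - previous          # unconditional, this year
        survival = 1.0 - previous                 # survived to start of year
        conditional = marginal / survival if survival > 0 else float("nan")
        profile.append((year, cumulative, marginal, conditional))
        previous = cumulative
    return profile


if __name__ == "__main__":
    for year, cum, marg, cond in default_profile(ONE_YEAR, RATINGS, "B", 5):
        print(f"year {year}: cumulative {cum:.4%}  "
              f"during year {marg:.4%}  given survival {cond:.4%}")
```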

Question 2

ABC Co., currently rated BBB, has an outstanding bond trading in the market. Suppose the company is upgraded to A. What will be the most likely effect on the bond’s price?

A. Positive and stronger than the negative effect triggered by a bond downgrade

B. Negative and stronger than the positive effect triggered by a bond downgrade

C. Positive and weaker than the negative effect triggered by a bond downgrade

D. Positive and as strong as the negative effect triggered by a bond downgrade

The correct answer is C.

Rating downgrades tend to have more impact on the stock price compared to upgrades. This can be explained by the fact that firms tend to release good news a lot more often than bad news, and thus the expectations among investors are generally positive. Negative news is usually unexpected and unanticipated, triggering a stronger downward effect.
Reading 53: Operational Risk

After completing this reading, you should be able to:

Describe the different categories of operational risk and explain how each type of risk can

arise.

Compare the basic indicator approach, the standardized approach, and the advanced

measurement approach for calculating operational risk regulatory capital.

Describe the standardized measurement approach and explain the reasons for its

introduction by the Basel committee.

Explain how a loss distribution is derived from an appropriate loss frequency distribution

and loss severity distribution using Monte Carlo simulations.

Describe the common data issues that can introduce inaccuracies and biases in the

estimation of loss frequency and severity distributions.

Describe how to use scenario analysis in instances when data is scarce.

Describe how to identify causal relationships and how to use Risk and Control Self-

Assessment (RCSA) and Key Risk Indicators (KRIs) to measure and manage operational

risks.

Describe the allocation of operational risk capital to business units.

Explain how to use the power-law to measure operational risk.

Explain the risks of moral hazard and adverse selection when using insurance to mitigate

operational risks.

According to the Basel Committee, operational risk is “the risk of direct and indirect loss resulting

from inadequate or failed internal processes, people, and systems or from external events.”

The International Association of Insurance Supervisors describes operational risk as the risk of adverse change in the value of the capital resource as a result of operational occurrences such as inadequacy or failure of internal systems, personnel, procedures, and controls, as well as external events.

Operational risk emanates from internal functions or processes, systems, infrastructural flaws,

human factors, and outside events. It includes legal risk but leaves out reputational and strategic risks

in part because they can be difficult to measure quantitatively.

This chapter primarily discusses the methods of computing the regulatory and economic capital for operational risk and how firms can reduce the likelihood of adverse occurrences and their severity.

The Basel Committee’s Seven Categories of Operational Risk

1. Internal fraud: Internal fraud encompasses acts committed internally that diverge from a firm’s interests. These include forgery, bribes, tax non-compliance, mismanagement of assets, and theft.

2. External fraud: External fraud encompasses acts committed by third parties. Commonly encountered practices include theft, cheque fraud, hacking, and unauthorized access to information.

3. Clients, products, and business practices: This category has much to do with intentional and unintentional practices that fail to meet a professional obligation to clients. This includes issues such as fiduciary breaches, improper trading, misuse of confidential client data, and money laundering.

4. Employment practices and work safety: These are acts that go against laws put in place to safeguard the health, safety, and general well-being of both employees and customers. Issues covered include unethical termination, discrimination, and the coerced use of defective protective material.

5. Damage to physical assets: These are losses incurred due to either natural phenomena like earthquakes or human-made events like terrorism and vandalism.

6. Business disruption and system failures: This includes supply-chain disruptions and system failures like power outages, software crashes, and hardware malfunctions.

7. Execution, delivery, and process management: This describes the failure to execute transactions and manage processes correctly. Issues such as data entry errors and unfinished legal documents can cause unprecedented losses.

Large Operational Risks

The three large operational risks faced by financial institutions include cyber risk, compliance risks, and rogue trader risk.

Cyber Risk

The banking industry has developed technologically. This development is evident through online banking, mobile banking, credit and debit cards, and many other advanced banking technologies. Technological advancement is beneficial to both the banks and their clients, but it can also be an opportunity for cybercriminals. Cybercriminals can be individual hackers, organized crime, nation-states, or insiders.

A cyber-attack can lead to the destruction of data; theft of money, intellectual property, and personal and financial data; embezzlement; and many other effects. Therefore, financial institutions have developed defense mechanisms such as account controls and cryptography. However, financial institutions should be aware that they remain vulnerable to attacks in the future; thus, they should have a plan that can be executed on short notice when an attack occurs.

Compliance Risks

Compliance risks occur when an institution incurs fines due to knowingly or unknowingly ignoring the industry’s set of rules and regulations, internal policies, or best practices. Some examples of compliance risks include money laundering, financing terrorism activities, and helping clients to evade taxes.

Compliance risks lead not only to hefty fines but also to reputational damage. Therefore, financial institutions should put in place structures to ensure that the applicable laws and regulations are adhered to. For example, some banks have developed a system where suspicious activities are detected as early as possible.

Rogue Trader Risk

Rogue trader risk occurs when an employee engages in unauthorized activities that consequently lead to large losses for the institution. For instance, an employee can trade in highly risky assets while hiding losses from the relevant authorities.

To protect itself from rogue trader risk, a bank should make the front office and back office independent of each other. The front office is responsible for trading, and the back office is responsible for record-keeping and the verification of transactions.

Moreover, the treatment of the rogue trader upon discovery matters. Typically, if unauthorized trading occurs and leads to losses, the trader will most likely be disciplined (such as lawful prosecution). On the other hand, if the trader makes a profit from unauthorized trading, this violation should not be ignored, because ignoring it breeds a culture of risk ignorance, which can lead to adverse financial consequences.

Comparing the Three Approaches for Calculating Regulatory Capital

The Basel Committee on Banking Supervision develops global regulations, which are implemented by the bank supervisors in each country. Basel II, which was drafted in 1999, revised the methods of computing the credit risk capital. The Basel II regulation also includes approaches to determine the operational risk capital.

The Basel Committee recommends three approaches that could be adopted by firms to build a capital buffer that can protect against operational risk losses. These are:

I. Basic indicator approach

II. Standardized approach

III. Advanced measurement approach (AMA)

Basic Indicator Approach

Under the basic indicator approach, the amount of capital required to protect against operational risk losses is set equal to 15% of the average annual gross income over the previous three years. Gross income is defined as:

$$\text{Gross income} = \text{Interest earned} - \text{Interest paid} + \text{Noninterest income}$$

Standardized Approach

Determining the total capital required under the standardized approach is similar to the basic indicator approach, but a bank’s activities are classified into eight distinct business lines, with each line having a beta factor. The average gross income for each business line is then multiplied by the line’s beta factor. After that, the capital results from all eight business lines are summed. In other words, the percentage applied to gross income varies across business lines.

Below are the eight business lines and their beta factors:

| Business Line | Beta Factor |
|---|---|
| Corporate Finance | 18% |
| Retail Banking | 12% |
| Trading and Sales | 18% |
| Commercial Banking | 15% |
| Agency Services | 15% |
| Retail Brokerage | 12% |
| Asset Management | 12% |
| Payment and Settlement | 18% |

To use the standardized approach, a bank has to satisfy several requirements. The bank must:

I. Have an operational risk management function tasked with the identification, assessment, monitoring, and control of operational risk.

II. Consistently keep records of losses incurred in each business line.

III. Regularly report operational risk losses incurred in all business lines.

IV. Install an operational risk management system that’s well documented.

V. Regularly subject its operational risk management processes to independent reviews by both internal and external auditors.

Advanced Measurement Approach (AMA)

The AMA approach is much more complicated than the other approaches. Under this method, banks are required to treat operational risk like credit risk and set the capital equal to the 99.9th percentile of the loss distribution less the expected operational loss, as shown by the figure below.

Moreover, under the AMA approach, banks are required to take into consideration every combination of the seven categories of operational risk and the eight business lines mentioned in the standardized approach. This gives a total of 7 × 8 = 56 potential sources of operational risk. The bank must then estimate the 99.9th percentile of the one-year loss for each combination and then aggregate the results to determine the total capital requirement.

To use the AMA method, a bank has to satisfy all the requirements under the standardized approach, but the bank must also:

I. Be able to estimate unexpected losses, guided by the use of both external and internal data.

II. Have a system capable of allocating economic capital for operational risk across all business lines in a way that creates incentives for these business lines to manage operational risk better.

Currently, the Basel Committee has replaced the three approaches with a new standardized measurement approach (SMA). Although the Basel Committee has abandoned the AMA approach, some aspects of it are still being used by some banks to determine economic capital.

The AMA approach opened the eyes of risk managers to operational risk. However, bank regulators found flaws in the AMA approach in that there is a considerable level of variation in the calculations done by different banks. In other words, if different banks are provided with the same data, there is a high chance that each will come up with different capital requirements under the AMA.

Standardized Measurement Approach (SMA)

The Basel Committee announced in March 2016 that it would replace all three approaches for determining operational risk capital with a new approach called the standardized measurement approach (SMA).

The SMA approach first defines a quantity termed the Business Indicator (BI). BI is similar to gross income, but it is structured to reflect the size of a bank. For instance, trading losses and operating expenses are treated separately so that they lead to an increase in BI.

The BI Component for a bank is computed from the BI employing a piecewise linear relationship. The loss component is calculated as:

$$7X + 7Y + 5Z$$

Where X, Y, and Z are the approximations of the average losses from operational risk over the past ten years, defined as:

X – all losses

Y – losses greater than EUR 10 million

Z – losses greater than EUR 100 million

The computations are structured so that the loss component and the BI component are equal for a given bank. The Basel Committee provides the formula used to calculate the required capital from the loss and BI components.

Determination of Operational Risk Loss Distribution

Computations of the economic capital require the distributions for various categories of operational risk losses and the aggregated results. The operational risk distribution is determined by the average loss frequency and loss severity.

Average Loss Frequency

The term “average loss frequency” is defined as the average number of times that large losses occur in a given year. The loss frequency distribution shows just how the losses are distributed over one year, specifying the mean and variance.

If the average number of losses in a given year is λ, then the probability of n losses in a given year is given by the Poisson distribution, defined as

$$\Pr(n) = \frac{e^{-\lambda}\lambda^{n}}{n!}$$

Example: Calculating the Probability of Loss

The average number of losses of a given bank is 6. What is the probability that there are precisely 15 losses in a year?

Solution

From the question, λ = 6. Therefore,

$$\Pr(15) = \frac{e^{-6}\,6^{15}}{15!} \approx 0.001$$

Loss Severity

Loss severity is defined as a probability distribution of the size of each loss. The mean and variance of the loss severity are modeled using the lognormal distribution. That is, suppose the standard deviation of the loss size is σ, and the mean is μ, then the mean of the logarithm of the loss size is given by:

$$\ln\left(\frac{\mu}{\sqrt{1+w}}\right)$$

The variance of the logarithm of the loss size is given by:

$$\ln(1+w)$$

Where:

$$w = \left(\frac{\sigma}{\mu}\right)^{2}$$

Example: Calculating the Logarithm of Mean and Variance Loss Severity

The estimated mean and standard deviation of the loss size are 50 and 20, respectively. What are the mean and standard deviation of the logarithm of the loss size?

Solution

We start by calculating w:

$$w = \left(\frac{20}{50}\right)^{2} = 0.16$$

So the mean of the logarithm of the loss size is given by:

$$\ln\left(\frac{\mu}{\sqrt{1+w}}\right) = \ln\left(\frac{50}{\sqrt{1.16}}\right) = 3.8378$$

The variance of the logarithm of the loss size is given by:

$$\ln(1+w) = \ln(1.16) = 0.1484$$

Monte Carlo Simulation for Operational Risk

After estimating λ, μ, and σ, Monte Carlo simulation can be utilized to determine the probability distribution of the loss as illustrated below:

The necessary steps of the Monte Carlo simulation are as follows:

I. Sampling is done from the Poisson distribution to determine the number of loss events (= n) in a year. For instance, we can sample the percentile of the Poisson distribution as a random number between 0 and 1.

II. Sample n times from the lognormal distribution of the loss size for each of the n loss occurrences.

III. Sum the n loss sizes to determine the total loss.

IV. Repeat the process (steps I to III) many times.

Example: Demonstration of the Monte Carlo Simulation

Step 1: Sampling is done from the Poisson distribution

Assume the average loss frequency is six, and the number sampled in step I is 0.29. Then 0.29 corresponds to three loss events in a year because, using the formula

$$\Pr(n) = \frac{e^{-\lambda}\lambda^{n}}{n!}$$

we have

$$\Pr(0) + \Pr(1) + \Pr(2) = 0.284 \quad \text{and} \quad \Pr(0) + \Pr(1) + \Pr(2) + \Pr(3) = 0.4660$$

Therefore, 0.29 lies between the two cumulative probabilities.

Also, assume that the loss size has a mean of 60 and a standard deviation of 5, using the formulas $\ln\left(\frac{\mu}{\sqrt{1+w}}\right)$ and $\ln(1+w)$.

Step 2: Sample n times from the lognormal distribution

In step II we will sample three times from the lognormal distribution using the mean

$$\ln\left(\frac{60}{\sqrt{1+\left(\frac{5}{60}\right)^{2}}}\right) = 4.0909$$

and standard deviation

$$\ln\left(1+\left(\frac{5}{60}\right)^{2}\right) = 0.0069$$

Now, assume the sampled numbers are 4.12, 4.70, and 5.5. Note that the lognormal distribution gives the logarithm of the loss size. Therefore, we need to exponentiate the sampled numbers to get the actual losses. As such, the three losses are $e^{4.12} = 61.56$, $e^{4.70} = 109.95$ and $e^{5.5} = 244.69$.

Step 3: Sum the n loss sizes to determine the total loss

This gives a total loss of 416.20 (61.56 + 109.95 + 244.69) in this trial.

Step 4: Repeat the process (steps I to III) many times

Step 4 requires that the same process be repeated many times to generate the probability distribution for the total loss, from which the desired percentile can be computed.
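The four steps above, as an added Python example that is not part of the original notes: it uses the example's λ = 6 and a loss size with mean 60 and standard deviation 5, draws the Poisson count by inverting a uniform percentile as in step I, and reads off the 99.9th percentile less the expected loss. Function names, the trial count and the seed are assumptions; the standard deviation of the log loss is taken as the square root of ln(1 + w), which the notes give as the variance.

```python
import math
import random


def lognormal_params(mean, std):
    """Mean and standard deviation of ln(loss), from the mean/std of the loss size."""
    w = (std / mean) ** 2
    mu_log = math.log(mean / math.sqrt(1.0 + w))
    var_log = math.log(1.0 + w)            # variance of ln(loss)
    return mu_log, math.sqrt(var_log)


def poisson_from_percentile(u, lam):
    """Step I: smallest n whose cumulative Poisson probability reaches u."""
    n = 0
    p = math.exp(-lam)                     # Pr(0)
    cdf = p
    # p > 0 guards against a percentile so close to 1 that rounding
    # would otherwise keep the loop running forever.
    while cdf < u and p > 0.0:
        n += 1
        p *= lam / n                       # Pr(n) = Pr(n-1) * lam / n
        cdf += p
    return n


def simulate_annual_losses(lam, mean, std, trials=20000, seed=0):
    """Steps I-IV: return the sorted simulated total loss for each trial year."""
    rng = random.Random(seed)              # fixed seed (assumption) for repeatability
    mu_log, sigma_log = lognormal_params(mean, std)
    totals = []
    for _ in range(trials):
        n = poisson_from_percentile(rng.random(), lam)            # step I
        losses = (rng.lognormvariate(mu_log, sigma_log)           # step II
                  for _ in range(n))
        totals.append(sum(losses))                                # step III
    totals.sort()
    return totals


def percentile(sorted_values, q):
    """Empirical q-quantile (0 < q < 1) by the nearest-rank method."""
    k = max(0, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[min(k, len(sorted_values) - 1)]


def operational_risk_capital(totals, q=0.999):
    """Capital = q-th percentile of the annual loss less the expected loss."""
    expected = sum(totals) / len(totals)
    return percentile(totals, q) - expected, expected


if __name__ == "__main__":
    totals = simulate_annual_losses(lam=6.0, mean=60.0, std=5.0)
    capital, expected = operational_risk_capital(totals)
    print(f"expected annual loss : {expected:.1f}")
    print(f"99.9th percentile    : {percentile(totals, 0.999):.1f}")
    print(f"capital (unexpected) : {capital:.1f}")
```

With only 20,000 trials the 99.9th percentile rests on about twenty observations, so the capital figure moves noticeably from seed to seed; more trials tighten it.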

Estimation Procedures for Loss Frequency and Loss Severity

The estimation of the loss frequency and loss severity involves the use of data and subjective judgment. Loss frequency is estimated from the bank’s data or subjectively estimated by operational risk professionals after considering the controls in place.

In the case that the loss severity cannot be approximated from the bank’s data, the losses incurred by other financial institutions may be used as a guide. The methods by which banks share information have been laid out. Moreover, there exist data vendor services (such as Factiva), which are useful for supplying data on publicly reported losses incurred by other banks.

Common Data Issues in the Estimation of Loss Frequency and Severity Distributions

I. Inadequate historical records: The data available for operational risk losses, including loss frequency and loss amounts, is grossly inadequate, especially when compared to credit risk data. This inadequacy creates problems when trying to model the loss distribution of expected losses.

II. Inflation: When modeling the loss distribution using both external and internal data, an adjustment must be made for inflation. The purchasing power of money keeps on changing so that a $10,000 loss recorded today would not have the same effect as a similar loss recorded, say, ten years ago.

III. Firm-specific adjustments: No two firms are the same in terms of size, financial structure, and operational risk management. As such, when using external data, it is essential to make adjustments to the data in cognizance of the different characteristics of the source and your bank. A simple proportional adjustment can either underestimate or overestimate the potential loss.

The generally accepted scale adjustment for firm size is as follows:

$$\text{Estimated Loss for Bank A} = \text{Observed Loss for Bank B} \times \left(\frac{\text{Bank A Revenue}}{\text{Bank B Revenue}}\right)^{0.23}$$

Example: Calculating the Estimated Loss based on its Size

Suppose that Bank A has revenues of USD 20 billion and incurs a loss of USD 500 million. Another bank, Bank B, has revenues of USD 30 billion and experiences a loss of USD 300 million. What is the estimated loss for Bank A?

Solution

$$\text{Estimated Loss for Bank A} = \text{Observed Loss for Bank B} \times \left(\frac{\text{Bank A Revenue}}{\text{Bank B Revenue}}\right)^{0.23} = 300 \times \left(\frac{20}{30}\right)^{0.23} = \text{USD } 273.29 \text{ million}$$

Scenario Analysis in Instances when Data is Scarce

Scenario analysis aims to estimate how a firm would fare in a range of scenarios, some of which have not occurred in the past. It’s particularly essential when modeling low-frequency high-severity losses, which are essential to determine the extreme tails of the loss distribution.

The objective of the scenario analysis is to list events and create a scenario for each one. Scenarios considered come from:

The firm’s own experience;

The experience of other firms;

Market analysts and consultants; or

The risk management unit in liaison with senior management.

For each scenario, loss frequency and loss severity are approximated. Monte Carlo simulations are used to determine a probability distribution for total loss across diverse types of losses. The loss frequency estimates should capture the existing controls at the financial institution and the type of business.

Estimation of the probability of rare events is challenging. One method is to state several categories and ask operational risk experts to put each loss into a category. For instance, one category might be a scenario that happens once every 1,000 years on average, which is equivalent to λ = 0.001. The bank could also use a scenario happening once every 100 years on average, which is equivalent to λ = 0.01, and so on.

Operational risk experts estimate the loss severity, but rather than in the form of the mean and standard deviation, it is more suitable to estimate the 1st percentile to 99th percentile range of the loss distribution. These estimated percentiles can be fitted with the lognormal distribution. That is, if the 1st and 99th percentiles of the loss are 50 and 100 respectively, then 3.91 (ln(50)) and 4.61 (ln(100)) are the 1st and 99th percentiles of the logarithm of the loss, respectively.
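One way to carry out the percentile fit described above, as an added Python example rather than code from the original notes: it solves for the mean and standard deviation of the log loss from the experts' 1st and 99th percentiles (50 and 100 here) and converts a "once every N years" category into λ. Function names are assumptions.

```python
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # standard normal, used for percentile z-scores


def fit_lognormal_from_percentiles(x_lo, x_hi, p_lo=0.01, p_hi=0.99):
    """Return (mu_log, sigma_log) of ln(loss) matching two expert percentiles.

    ln(loss) is normal, so ln(x_p) = mu_log + sigma_log * z_p at each percentile;
    two percentiles give two equations in the two unknowns.
    """
    if not (0.0 < p_lo < p_hi < 1.0):
        raise ValueError("percentile levels must satisfy 0 < p_lo < p_hi < 1")
    if not (0.0 < x_lo < x_hi):
        raise ValueError("loss percentiles must satisfy 0 < x_lo < x_hi")
    z_lo = _STD_NORMAL.inv_cdf(p_lo)
    z_hi = _STD_NORMAL.inv_cdf(p_hi)
    sigma_log = (math.log(x_hi) - math.log(x_lo)) / (z_hi - z_lo)
    mu_log = math.log(x_lo) - sigma_log * z_lo
    return mu_log, sigma_log


def loss_moments(mu_log, sigma_log):
    """Mean and standard deviation of the loss size implied by the fit."""
    mean = math.exp(mu_log + 0.5 * sigma_log ** 2)
    std = mean * math.sqrt(math.exp(sigma_log ** 2) - 1.0)
    return mean, std


def loss_percentile(mu_log, sigma_log, p):
    """Loss size at percentile p under the fitted lognormal."""
    return math.exp(mu_log + sigma_log * _STD_NORMAL.inv_cdf(p))


def expected_annual_loss(years_between_events, mu_log, sigma_log):
    """lambda = 1 / (average years between events), times the mean loss size."""
    lam = 1.0 / years_between_events
    return lam * loss_moments(mu_log, sigma_log)[0]


if __name__ == "__main__":
    mu_log, sigma_log = fit_lognormal_from_percentiles(50.0, 100.0)
    mean, std = loss_moments(mu_log, sigma_log)
    print(f"mu_log={mu_log:.4f} sigma_log={sigma_log:.4f}")
    print(f"implied mean={mean:.2f} std={std:.2f}")
    print(f"expected annual loss, 1-in-100-year scenario: "
          f"{expected_annual_loss(100, mu_log, sigma_log):.3f}")
```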

The concluding point in scenario analysis is that it takes into consideration the losses that have never been incurred by a financial institution but can occur in the future. Managerial judgment is used to analyze the loss frequency and loss severity, which can give hints on how such loss events may appear, which in turn assists firms in setting up plans to respond to loss events or reduce the likelihood of their happening.

Allocation of Operational Risk Capital to Business Units

Typically, economic capital is allocated to business units, after which the return on capital is computed. The same principles used for credit risk are used in the allocation of operational risk capital. The provision of operational risk capital to business units acts as an incentive to the business unit manager to reduce the operational risk because if the manager reduces the loss frequency and severity, less operational capital will be allocated. Consequently, the profit from the business unit will improve.

In a nutshell, the allocation of operational risk capital should sensitize the manager to the benefits of reducing operational risk. Operational risk reduction does not necessarily reach an optimal point because there exists operational risk in a firm that cannot be avoided. Therefore, cost-benefit analysis is carried out when operational risk is reduced by increasing the operational cost.

Use of the Power Law to Measure Operational Risk

The power law states that, if v is the value of a random variable and x is a high value of v, then it is true that:

$$\Pr(v > x) = Kx^{-\alpha}$$

Where K and α are the parameters.

The power law holds for some probability distributions, and it describes the fatness of the right tail of the probability distribution of v. K is a scale factor, and α depends on the fatness of the right tail of the distribution. That is, the fatness of the right tail increases with a decrease in α.

According to the mathematician G. V. Gnedenko, the power for many distributions increases as x tends to infinity. Practically, the power law is usually taken to be true for the values of x at the top 5% of the distribution. Some of the variables for which the power law holds are the magnitude of earthquakes, the trading volume of stocks, the income of individuals, and the sizes of corporations.

Generally, the power law holds for the probability distributions of random variables resulting from aggregating numerous independent random variables. Adding up the independent variables, we usually get a normal distribution, and fat tails arise when the distribution is a result of many multiplicative effects.

According to Fontnouvelle (2003), the power law holds for operational risk losses, which turns out to be crucial.

Example: Measuring Operational Risk Using the Power Law

A risk manager has established that there is a 95% probability that losses over the next year will not exceed $50 million. Given that the power law parameter is 0.7, calculate the probability of the loss exceeding (a) 20 million, (b) 70 million, and (c) 100 million.

Solution

According to the power law,

$$\Pr(v > x) = Kx^{-\alpha}$$

This implies from the question that

$$0.05 = K \times 50^{-0.7} \Rightarrow K = 0.7731$$

Thus,

$$\Pr(v > x) = 0.7731\,x^{-0.7}$$

Now,

when x = 20:

$$\Pr(v > 20) = 0.7731\,(20)^{-0.7} = 0.09495$$

when x = 70:

$$\Pr(v > 70) = 0.7731\,(70)^{-0.7} = 0.03951$$

when x = 100:

$$\Pr(v > 100) = 0.7731\,(100)^{-0.7} = 0.03071$$

Managing Operational Risk

It is crucial to measure operational risk and to compute the required amount of operational risk capital. However, it is also imperative to reduce the likelihood of significant losses and their severity in case an event occurs. Often, financial institutions learn from each other. That is, if significant losses are incurred in one financial institution, risk managers of other financial institutions will try to study what happened so that they can make the necessary plans to avoid a similar event.

Some of the methods of reducing operational risk include reducing the causes of losses, risk and control self-assessment, identifying key risk indicators (KRIs), and employee education.

Causal Relationship

Causal relationships describe the search for a correlation between firm actions and operational risk losses. It is an attempt to identify firm-specific practices that can be linked to both past and future operational risk losses. For example, if the use of new computer software coincides with losses, it is only wise to investigate the matter in a bid to establish whether the two events are linked in any way.

Once a causal relationship has been identified, the firm should then decide whether or not to act on it. This should be done by conducting a cost-benefit analysis of such a move.

Risk and Control Self Assessment (RCSA)

Risk and control self-assessment (RCSA) involves asking departmental heads and managers to single out the operational risks in their jurisdiction. The underlying argument is that unit managers are the focal point of the flow of information and correspondence within a unit. As such, they are the persons best placed to understand the risks pertinent to their operations.

Some of the RCSA approaches include:

I. Analyzing the historical incidences with line managers

II. Requesting line managers to complete a risk questionnaire

III. Carrying out interviews with line managers and their staff

IV. Utilizing the suggestion boxes and intranet reporting portals

V. Executing brainstorming in a workshop environment

VI. Analyzing the reports from third parties such as auditors and regulators

RCSA should be done periodically, such as yearly. The problem with this approach is that managers may not divulge information freely if they feel they are culpable or the risk is out of control. Also, a manager’s perception of risk and its potential rewards may not conform to the firm-wide assessment. For these reasons, there is a need for independent review.

Key Risk Indicators (KRIs)

Key risk indicators seek to identify firm-specific conditions that could expose the firm to operational risk. KRIs are meant to provide firms with a system capable of predicting losses, giving the firm ample time to make the necessary adjustments. Examples of KRIs include:

Staff turnover

Number of vacant positions

Number of failed transactions over a specified time period

Percentage of employees that take up the maximum leave days on offer

The hope is that key risk indicators can identify potential problems and allow remedial action to be taken before losses are incurred.

Education

It is essential to educate the employees on the prohibited business practices and breeding risk culture where such unacceptable practices might be executed. Moreover, the legal branch of a financial institution educates the employees to be cautious when writing emails and answering phone calls. Essentially, employees should be mindful that their emails and recorded calls could become public knowledge.

Moral Hazard and Adverse Selection when Using Insurance to Mitigate Operational Risks

Earlier in the reading, we saw that a bank using the AMA approach could reduce its capital charge, subject to extensive investment in operational risk management. One of the ways through which a bank can achieve this is by taking an insurance cover. That way, the firm is eligible for compensation if it suffers a loss emanating from a covered risk.

For all its advantages, taking an insurance policy comes with two problems:

1. Moral Hazard: Moral hazard describes the observation that an insured firm is likely to act differently in the presence of an insurance cover. In particular, traders might increasingly take high-risk positions in the knowledge that they are well protected from heavy losses. Without such an insurance policy, the traders would be a bit more cautious and restricted in their trading behavior.

In a bid to tame the moral hazard problem, insurers use a range of tactics. These may include deductibles, coinsurance, and policy limits. Stiff penalties may also be imposed in case there is indisputable evidence of reckless, unrestricted behavior.

A firm can intentionally keep insurance cover private. This ensures that its traders do not take unduly high-risk positions.

2. Adverse Selection: Adverse selection describes a situation where the risk seller has more information than the buyer about a product, putting the buyer at a disadvantage. For example, a company providing life assurance may unknowingly attract heavy smokers, or even individuals suffering from terminal illnesses. If this happens, the company effectively takes on many high-risk persons but very few low-risk individuals. This may result in a claim experience that’s worse than initially anticipated.

In trading, firms with poor internal controls are more likely to take up insurance policies compared to firms with robust risk management frameworks. To combat adverse selection, an insurer has to go to great lengths toward understanding a firm’s internal risk controls. The premium payable can then be adjusted to reflect the risk of the policy.

Question

Question 1

Melissa Roberts, FRM, has observed 12 losses in her portfolio over the last four years. She believes the frequency of losses follows a Poisson distribution with a parameter λ. The probability that she will observe a total of 4 losses over the next year is closest to:

A. 17%

B. 16%

C. 20%

D. 0.53%

The correct answer is A.

We need to find the parameter λ, which from the question is

$$\lambda = \frac{12 \text{ losses}}{4 \text{ years}} = 3 \text{ losses per year}$$

The probability of n losses in a given year is given by the Poisson distribution, defined as

$$\Pr(n) = \frac{e^{-\lambda}\lambda^{n}}{n!}$$

$$\Pr(n = 4) = \frac{e^{-3}\,3^{4}}{4!} = 0.168$$

Question 2

According to the Basel Committee, a bank has to satisfy certain qualitative standards to be allowed to use the advanced measurement approach when computing the economic capital required. Which of the following options is NOT one of the standards?

A. The bank must have a system capable of allocating economic capital for operational risk across all business lines in a way that creates incentives for these business lines to manage operational risk better.

B. Internal and external auditors must regularly and independently review all operational risk management processes. The review must include the policy development process and independent scrutiny of the risk management function.

C. The bank’s operational risk measurement system should only make use of internally generated data to avoid the bias associated with external data.

D. The bank must have an operational risk management function tasked with identification, assessment, monitoring, and control of operational risk.

The correct answer is C.

The Basel Committee does not rule out the use of external data by banks. In fact, the committee recommends the use of a combination of both external and internal data to estimate the unexpected loss. External data may not conform to a particular firm, but firms are allowed to scale the data to fit their profiles. In some cases, internal data may be either insufficient or entirely unavailable, forcing the firm to look elsewhere.

Reading 54: Stress Testing

After completing this reading, you should be able to:

Describe the rationale for the use of stress testing as a risk management tool.

Explain key considerations and challenges related to stress testing, including choice of scenarios, regulatory specifications, model building, and reverse stress testing.

Describe the relationship between stress testing and other risk measures, particularly in enterprise-wide stress testing.

Describe stressed VaR and stressed ES, including their advantages and disadvantages, and compare the process of determining stressed VaR and ES to that of traditional VaR and ES.

Describe the responsibilities of the board of directors, senior management, and the internal audit function in stress testing governance.

Describe the role of policies and procedures, validation, and independent review in stress testing governance.

Describe the Basel stress testing principles for banks regarding the implementation of stress testing.

Stress testing is a risk management tool that involves analyzing the impacts of extreme scenarios that are unlikely but feasible. The main question for financial institutions is whether they have adequate capital and liquid assets to survive stressful times. Stress testing is done for regulatory purposes or for internal risk management by financial institutions. Stress testing can be combined with risk measures such as the Value-at-Risk (VaR) and the Expected Shortfall (ES) to give a detailed picture of the risks facing a financial institution.

This chapter deals with the internally generated stress testing scenarios, regulatory requirements of stress testing, governance issues of stress testing, and the Basel stress testing principles.

Rationale for the Use of Stress Testing as a Risk Management Tool

Stress testing serves to warn a firm’s management of potential adverse events arising from the firm’s risk exposure and goes further to give estimates of the amount of capital needed to absorb losses that may result from such events.

Stress tests help to avoid any form of complacency that may creep in after an extended period of stability and profitability. They serve to remind management that losses could still occur, and adequate plans have to be put in place in readiness for every eventuality. This way, a firm is able to avoid issues like underpricing of products, something that could prove financially fatal.

Stress testing is a key risk management tool during periods of expansion when a firm introduces new products into the market. There may be very limited loss data, or none at all, for such products, and hypothetical stress testing helps to come up with reliable loss estimates.

Under pillar 1 of Basel II, stress testing is a requirement of all banks using the Internal Models Approach (IMA) to model market risk and the internal ratings-based approach to model credit risk. These banks have to employ stress testing to determine the level of capital they are required to have.

Stress testing supplements other risk management tools, helping banks to mitigate risks through measures such as hedging and insurance. By itself, stress testing cannot address all risk management weaknesses, nor can it provide a one-stop solution.

Comparison between Stress Testing and the VaR and ES

Recall that VaR and ES are estimated from a loss distribution. VaR enables a financial institution to conclude with X% likelihood that the losses will not exceed the VaR level during time T. ES, on the other hand, enables the financial institution to conclude that if the losses do exceed the VaR level during time T, the expected loss will be the ES amount.

VaR and ES are backward-looking. That is, they assume that the future and the past are the same. This is actually one disadvantage of VaR and ES. On the other hand, stress testing is forward-looking. It asks the question, “what if?”.

While stress testing largely does not involve probabilities, VaR and ES models are founded on probability theory. For example, a 99.9% VaR can be viewed as a 1-in-1,000 event.

The backward-looking ES and VaR consider a wide range of scenarios that are potentially good or bad for the organization. However, stress testing considers a relatively small number of scenarios that are all bad for the organization.

For market risk specifically, VaR/ES analysis often uses a short time horizon, such as a day, while stress testing considers relatively long periods, such as a decade.

The primary objective of stress testing is to capture the enterprise view of the risks impacting a financial institution. The scenarios used in stress testing are often defined based on macroeconomic variables such as unemployment rates and GDP growth rates. The effect of these variables should be considered in all parts of an institution, taking into account the interactions between diverse areas of the institution.

Stressed VaR and Stressed ES

Conventional VaR and ES are calculated from data spanning one to five years, where the daily variation of the risk factors during this period is used to compute the potential future movements. However, in the case of stressed VaR and stressed ES, the data is obtained from specifically stressed periods (a 12-month stressed period on current portfolios according to Basel rules). In other words, stressed VaR and stressed ES generate conditional distributions and conditional risk measures. As such, they are conditioned on a recurrence of a given stressed period and thus can be taken as historical stress testing.

Though stressed VaR/ES and stress testing might be similar in objective, they are different. Typically the time horizon for stressed VaR/ES is short (one to ten days), while stress testing considers relatively longer periods.

For instance, assume that a stressed period is the year 2007. The stressed VaR would conclude that if there was a repeat of 2007, then there is an X% likelihood that losses over a period of T days will not surpass the stressed VaR level. On the other hand, stressed ES would conclude that if the losses over T days do exceed the stressed VaR level, then the expected loss is the stressed ES.

However, stress testing would ask the question, “If the following year (2008) is the same as 2007, will the financial institution survive?” Alternatively, what if the conditions of the next year are twice as adverse as those of 2007: will the financial institution survive? Therefore, stress testing does not consider the occurrence of the worst days of 2008 but rather the impact of the whole year.

There is also a difference between conventional VaR and stressed VaR. Conventional VaR can be back-tested while stressed VaR cannot. That is, if we can compute one-day VaR with 95% confidence, we can go back and determine how effectively it would have worked in the past. We are not able to back-test the stressed VaR output and its results because it only considers the adverse conditions, which are generally infrequent.
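The following added example (not part of the original reading) computes historical-simulation VaR and ES for the same current portfolio from a recent window and from a stressed window, then counts back-test exceptions on later days. All exposures and factor returns are constructed, and the tail convention (VaR is the k-th worst loss, ES is the mean of the k worst losses) is an assumption chosen for illustration.

```python
"""Historical-simulation VaR/ES: conventional window vs stressed window."""

# Current portfolio exposures in USD (constructed for illustration).
EXPOSURE = {"equity": 1_000_000, "bond": 500_000}

# Daily risk-factor returns in basis points as (equity, bond) pairs.
# All three windows below are constructed sample data.
RECENT_WINDOW = [
    (30, -5), (-40, 10), (15, 0), (-20, 5), (50, -10),
    (-60, 15), (10, 5), (25, -5), (-35, 0), (5, 5),
    (-10, -5), (45, 0), (-80, 20), (20, -10), (-15, 5),
    (35, 5), (-50, 10), (60, -15), (-25, 0), (0, 0),
]
# In the stressed window moves are larger and equities and bonds fall together.
STRESSED_WINDOW = [
    (-150, -30), (80, 10), (-220, -40), (-90, 20), (120, -10),
    (-300, -60), (40, 0), (-180, -20), (200, 30), (-60, -10),
    (-250, -50), (90, -20), (-130, 10), (150, 20), (-400, -80),
    (60, 10), (-110, -30), (170, 0), (-210, -40), (-70, 10),
]
# Ordinary days that follow the recent window, used only for back-testing.
FOLLOWING_DAYS = [
    (10, 0), (-30, 5), (20, -5), (-70, 10), (5, 0),
    (-15, 0), (40, -10), (-45, 5), (25, 5), (-5, 0),
]


def daily_losses(window, exposure=EXPOSURE):
    """Revalue today's portfolio under each historical day (positive = loss)."""
    return [
        -(exposure["equity"] * eq_bp + exposure["bond"] * bond_bp) / 10_000
        for eq_bp, bond_bp in window
    ]


def var_es(losses, confidence):
    """Return (VaR, ES) from a list of scenario losses.

    Assumed convention: the tail holds the k = round(n * (1 - confidence))
    worst scenarios (at least one); VaR is the smallest loss in that tail
    and ES is the average of the whole tail, so ES >= VaR.
    """
    if not losses:
        raise ValueError("need at least one scenario")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    k = max(1, round(len(losses) * (1 - confidence)))
    tail = sorted(losses, reverse=True)[:k]
    return tail[-1], sum(tail) / k


def compare(confidence=0.90):
    """Conventional vs stressed measures for the same current portfolio."""
    return {
        "conventional": var_es(daily_losses(RECENT_WINDOW), confidence),
        "stressed": var_es(daily_losses(STRESSED_WINDOW), confidence),
    }


def count_exceptions(losses, var_level):
    """Back-test: number of days on which the realised loss exceeded VaR."""
    return sum(1 for loss in losses if loss > var_level)


if __name__ == "__main__":
    measures = compare(0.90)
    for name, (var, es) in measures.items():
        print(f"{name:>12}: 90% VaR = {var:,.0f}  ES = {es:,.0f}")
    later = daily_losses(FOLLOWING_DAYS)
    for name, (var, _) in measures.items():
        print(f"{name:>12}: exceptions on following days = "
              f"{count_exceptions(later, var)}")
```

On ordinary days the stressed VaR level is never breached, so an exception count says nothing about whether it is well calibrated, which is the back-testing limitation described above.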

Types of Scenarios in Stress Testing

The basis of choosing a stress testing scenario is the selection of a time horizon. The time horizon should be long enough to accommodate the full analysis of the impacts of scenarios. Long time horizons are required in some situations. One-day to one-week scenarios can be considered, but three-month to two-year scenarios are typically preferred.

The regulators recommend some scenarios, but in this section, we will discuss internally chosen scenarios. They include using historical scenarios, stressing key variables, and developing ad hoc scenarios that capture the current conditions of the business.

Historical Scenarios

Historical scenarios are generated from historical data, on the assumption that all relevant variables will behave in the same manner as in the past. For instance, variables such as interest rates and credit rate spreads are known to repeat past changes. As such, actual changes in the stressed period will be assumed to repeat themselves, while proportional variations will be assumed for others. A good example of a historical scenario is the 2007-2008 US housing recession, which affected a lot of financial institutions.

In some cases, a moderately adverse scenario is made worse by multiplying variations of all risk factors by a certain amount. For instance, we could multiply what happened in the loss-making one-month period and increase the frequency of movement of all relevant risk movements by ten. As a result, the scenario becomes more severe to financial institutions. However, this approach assumes linear relationships between the movements in risk factors, which is not always the case due to correlations between the risk factors.

Other historical scenarios are based on one-day or one-week occurrences of all market risk factors.

Such events include terrorist attacks (such as 9/11 terrorist attacks) and one-day massive movement

of interest rates (such as on April 10, 1992, when ten-year bond yields changed by 8.7 standard

deviations).

Stressing Key Variables

A scenario could be built by assuming that a significant change occurs in one or more key variables.

Such changes include:

A 2% decline in the GDP

A 25% decrease in equity prices

A 100% increase in all volatilities

A 4% increase in the unemployment rate

A 200-basis point increase in all interest rates

Some other significant variations could occur in factors such as money exchange rates, prices of

commodities, and default rates.

In the case of market risk, small changes are measured using the Greek letters (such as delta and gamma). The Greek letters cannot be used in stress testing because the changes are usually large. Moreover, Greeks are used to measure risk from a unit market variable over a short period of time, while stress testing incorporates the interaction of the different market variables over a long period of time.

Ad Hoc Stress Tests

The stress testing scenarios we have been discussing above are performed regularly, after which the results are used to test the stability of the financial structure of a financial institution in case of extreme conditions. However, financial institutions also need to develop ad hoc scenarios that capture the current economic conditions, the specific exposures facing the firm, and an updated analysis of potential future extreme events. The firms either generate new scenarios or modify the existing scenarios based on previous data.

An example of an event that will prompt the firms to develop an ad hoc scenario is the change in the

government policy on an important aspect that impacts the financial institutions or change in Basel

regulation that requires increment of the capital within short periods of time.

The boards, senior management, and economic experts use their knowledge of markets, global politics, and current global instabilities to come up with adverse scenarios. The senior management carries out a brainstorming event, after which they recommend necessary actions to avoid unabsorbable risks.

Using the Stress Testing Results

In stress testing, it is vital to involve the senior management for it to be taken seriously and thus used for decision making. The stress-testing results are not only used to satisfy the “what if” question; the Board and management should also analyze the results and decide whether a certain class of risk mitigation is necessary. Stress testing makes sure that the senior management and the Board do not base their decision-making only on what is most likely to happen, but also consider other alternatives less likely to happen that could have a dramatic result on the firm.

Model Building

It is possible to see how the majority of the relevant risk factors behave in a stressed period while building a scenario, after which the impact of the scenario on the firm is analyzed in an almost direct manner. However, scenarios generated by stressing key variables and ad hoc scenarios capture the variations of only a few key risk factors or economic variables. Therefore, in order to complete the scenarios, it is necessary to build a model to determine how the “left out” variables are expected to behave in a stressed market condition. The variables stated in the context of the stress testing are termed core variables, while the remaining variables are termed peripheral variables.

One method is performing analysis, such as regression analysis, to relate the peripheral variables to

the core variables. Note that the variables are based on the stressed economic conditions. Using the

data of the past stressed periods is most efficient in determining appropriate relationships.

For example, in the case of credit risk losses, data from the rating agencies, such as default rates, can be linked to an economic variable such as GDP growth rate. Afterward, general default rates expected in various stressed periods are determined. The results can be modified (scaled up or down) to determine the default rate for different loans or financial institutions. Note that the same analysis can be done to the recovery rates to determine loss rates.

The Knock-On Effects

Apart from the immediate impacts of a scenario, there are also knock-on effects that reflect how

financial institutions respond to extreme scenarios. In its response, a financial institution can make

decisions that can further worsen already extreme conditions.

For instance, during the 2005-2006 US housing price bubble, banks were concerned with the credit

quality of other banks and were not ready to engage in interbank lending, which made funding costs

for banks rise.

Reverse Stress Testing

Recall that stress testing involves generating scenarios and then analyzing their effects. Reverse

stress testing, as the name suggests, takes the opposite direction by trying to identify combinations

of circumstances that might lead financial institutions to fail.

By using historical scenarios, a financial institution identifies past extreme conditions. Then, the bank determines the level at which the scenario has to be worse than the historical observation to cause the financial institution to fail. For instance, a financial institution might conclude that twice the 2005-2006 US housing bubble will cause the financial institution to fail. However, this kind of reverse stress testing is an approximation. Typically, a financial institution will use complicated models that take into consideration correlations between different variables to make the market conditions more stressed.

Finding an appropriate combination of risk factors that lead the financial institution to fail is a

challenging feat. However, an effective method is to identify some of the critical factors such as

GDP growth rate, unemployment rates, and interest rate variations, then build a model that relates all

other appropriate variables to these key variables. After that, possible factor combinations that can

lead to failure are searched iteratively.
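As an added illustration of the model-building and reverse stress testing steps described above (not part of the original reading), the sketch below regresses a peripheral variable (default rate) on a core variable (GDP growth) using stressed-period observations, then searches iteratively for the multiple of a historical GDP shock at which the bank's capital ratio falls below its minimum. Every figure, the single-factor linear model, and the failure criterion are constructed assumptions.

```python
"""Reverse stress test: regress default rate on GDP growth, then search
iteratively for the scenario severity at which the bank fails."""

# Constructed stressed-period observations: (GDP growth %, default rate %).
STRESSED_OBS = [(-4.0, 6.0), (-2.0, 4.0), (0.0, 2.0), (2.0, 1.0)]

# Hypothetical bank, figures in USD millions (all constructed).
LOAN_EXPOSURE = 1_000.0
LOSS_GIVEN_DEFAULT = 0.5        # 1 - recovery rate
CAPITAL = 80.0
RISK_WEIGHTED_ASSETS = 800.0
MIN_CAPITAL_RATIO = 0.045       # assumed failure threshold
HISTORICAL_GDP_SHOCK = -3.0     # GDP growth (%) in the historical scenario


def fit_line(observations):
    """Ordinary least squares for y = intercept + slope * x."""
    n = len(observations)
    if n < 2:
        raise ValueError("need at least two observations")
    mean_x = sum(x for x, _ in observations) / n
    mean_y = sum(y for _, y in observations) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in observations)
    if sxx == 0:
        raise ValueError("core variable does not vary")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in observations)
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def capital_ratio(multiplier, model):
    """Capital ratio after a shock `multiplier` times the historical one."""
    intercept, slope = model
    gdp_growth = HISTORICAL_GDP_SHOCK * multiplier        # core variable
    default_pct = intercept + slope * gdp_growth          # peripheral variable
    default_rate = min(100.0, max(0.0, default_pct)) / 100.0
    loss = LOAN_EXPOSURE * default_rate * LOSS_GIVEN_DEFAULT
    return (CAPITAL - loss) / RISK_WEIGHTED_ASSETS


def breaking_multiplier(model, low=0.0, high=20.0, tolerance=1e-6):
    """Bisection search for the smallest multiplier that breaches the minimum.

    Relies on losses growing monotonically with severity. Returns None when
    even the most severe multiplier searched does not cause failure.
    """
    if capital_ratio(low, model) < MIN_CAPITAL_RATIO:
        return low                      # already failing with no shock
    if capital_ratio(high, model) >= MIN_CAPITAL_RATIO:
        return None
    while high - low > tolerance:
        mid = (low + high) / 2
        if capital_ratio(mid, model) < MIN_CAPITAL_RATIO:
            high = mid                  # fails here: look for a milder shock
        else:
            low = mid                   # survives: needs a harsher shock
    return high


if __name__ == "__main__":
    model = fit_line(STRESSED_OBS)
    print("default % = %.2f + %.2f * GDP growth %%" % model)
    for m in (1.0, 2.0, 3.0):
        print(f"{m:.0f}x historical shock -> capital ratio "
              f"{capital_ratio(m, model):.2%}")
    print(f"bank fails at about {breaking_multiplier(model):.2f}x "
          "the historical shock")
```

With these constructed inputs the bank survives twice the historical shock but fails at three times, and the search narrows the breaking point to roughly 2.5 times.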

Regulatory Stress Testing

US, UK, and EU regulators require banks and insurance companies to perform specified stress tests. In the United States, the Federal Reserve performs stress tests of all the banks whose consolidated assets are over USD 50 billion. This type of stress test is termed the Comprehensive Capital Analysis and Review (CCAR). Under CCAR, the banks are required to consider four scenarios:

I. Baseline Scenario

II. Adverse Scenario

III. Severely Adverse Scenario

IV. An internal Scenario

The baseline scenario is based on the average projections from the surveys of the economic predictors but does not represent the projection of the Federal Reserve.

The adverse and the severely adverse scenarios describe hypothetical sets of events which are structured to test the strength of banking organizations and their resilience. Each of the above scenarios consists of 28 variables (such as the unemployment rate, stock market prices, and interest rates) which capture domestic and international economic activity, accompanied by the Board's explanation of the overall economic conditions and variations in the scenarios from the past year.

Banks are required to submit a capital plan, justification of the models used, and the outcomes of their stress testing. If a bank fails the stress test due to insufficient capital, the bank is required to raise more capital while restricting dividend payments until the capital has been raised.

Banks with consolidated assets between USD 10 million and USD 50 million are under the Dodd-Frank Act Stress Test (DFAST). The scenarios in the DFAST are similar to those in the CCAR. However, in the DFAST, banks are not required to produce a capital plan.

Therefore, through stress tests, regulators can consistently evaluate the banks to determine their ability to withstand extreme economic conditions. However, they recommend that banks develop their own scenarios.

Responsibilities of the Board of Directors, Senior Management and the Internal Audit Function in Stress Testing Activities

For effective operation of stress testing, the Board of directors and senior management should have

distinct responsibilities. What’s more, there should be some shared responsibilities, although a few

roles can be set aside exclusively for one of the two groups.

Responsibilities of the Board of Directors

1. The buck stops with the Board: The Board of directors is “ultimately” responsible for a firm’s stress tests. Even if board members do not immerse themselves in the technical details of stress tests, they should ensure that they stay sufficiently knowledgeable about stress-testing procedures and interpretation of results.

2. Continuous involvement: Board members should regularly receive summary information on stress tests, including results from every scenario. Members should then evaluate these results to ensure they take into account the firm’s risk appetite and overall strategy.

3. Continuous review: Board members should regularly review stress testing reports with a view to not just critiquing key assumptions but also supplementing the information with their views that better reflect the overall goals of the firm.

4. Integrating stress testing results in decision making: The Board should make key decisions on investment, capital, and liquidity based on stress test results along with other information. While doing this, the Board should proceed with a certain level of caution in cognizance of the fact that stress tests are subject to assumptions and a host of limitations.

5. Formulating stress-testing guidelines: It’s the responsibility of the Board to come up with guidelines on stress testing, such as the risk tolerance level (risk appetite).

Responsibilities of Senior Management

1. Implementation oversight: Senior management has the mandate to ensure that stress testing guidelines authorized by the Board are implemented to the letter. This involves establishing policies and procedures that help to implement the Board’s guidelines.

2. Regularly reporting to the Board: Senior management should keep the Board up-to-date on all matters to do with stress testing, including test designs, emerging issues, and compliance with stress-testing policies.

3. Coordinating and integrating stress testing across the firm: Members of senior management are responsible for propagating widespread knowledge on stress tests across the firm, making sure that all departments understand its importance.

4. Identifying grey areas: Senior management should seek to identify inconsistencies, contradictions, and possible gaps in stress tests to make improvements to the whole process.

5. Ensuring stress tests have a sufficient range: In consultations with the Board of directors, senior management has to ensure that stress testing activities are sufficiently severe to gauge the firm’s preparation for all possible scenarios, including low-frequency high-impact events.

6. Using stress tests to assess the effectiveness of risk mitigation strategies: Stress tests should help the management to assess just how effective risk mitigation strategies are. If such strategies are effective, significantly severe events will not cause significant financial strain. If the tests predict significant financial turmoil, it could be that the hedging strategies adopted are ineffective.

7. Updating stress tests to reflect emerging risks: As time goes on, an institution will gradually gain exposure to new risks, either as a result of market-wide trends or its investment activities. It is the responsibility of senior management to develop new stress-testing techniques that reflect the institution’s new risk profile.

Role of the Internal Audit

Internal audit should:

Independently evaluate the performance, integrity, and reliability of stress-testing

activities;

Ensure that stress tests across the organization are conducted in a sound manner and

remain relevant in terms of the scenarios tested;

Assess the skills and expertise of the staff involved in stress-testing activities;

Check that approved changes to stress-testing policies and procedures are implemented

and appropriately documented;

Evaluate the independent review and validation exercises.

To accomplish all the above, internal audit staff must be well qualified. They should be well-grounded in stress-testing techniques and have the technical expertise to differentiate between excellent and inappropriate practices.

The Role of Policies and Procedures, Validation, and Independent Review in Stress Testing Governance

Policies and Procedures

A financial institution should set out clearly stated and understandable policies and procedures governing stress testing, which must be adhered to. The policies and procedures ensure that the stress testing of the various parts of a financial institution converges to the same point.

The policies and procedures should be able to:

Explain the purpose of stress testing;

Describe the procedures of stress testing;

State the frequency at which the stress testing can be done;

Describe the roles and responsibilities of the parties involved in stress testing;

Provide an explanation of the procedures to be followed while choosing the scenarios;

Describe how the independent reviews of the stress testing will be done;

Give clear documentation on stress testing to third parties (e.g., regulators, external

auditors, and rating agencies);

Explain how the results of the stress testing will be used and by whom;

Be amended as the stress testing practices change and as market conditions change;

Accommodate tracking of the stress test results as they change through time; and

Document the activities of models and the software acquired from the vendors or other

third parties.

Validation and Independent Review Governance

Stress testing governance covers the independent review procedures, which are expected to be unbiased and provide assurance to the board that stress testing is carried out while following the firm’s policies and procedures. Financial institutions use diverse models that are subject to independent review to make sure that they serve the intended purpose.

Validation and independent review should involve the following:

Ensuring that validation and independent review are conducted on an ongoing basis;

Ensuring that subjective or qualitative aspects of a stress test are also validated and

reviewed, even if they cannot be tested in quantitative terms;

Acknowledging limitations in stress testing;

Ensuring that stress-testing standards are upheld;

Acknowledging data weaknesses or limitations, if any;

Ensuring that there is sufficient independence in both validation and review of stress tests;

Ensuring that third-party models used in stress-testing activities are validated and reviewed

to determine if they are fit for the purpose at hand;

Ensuring that stress test results are implemented rigorously, and verifying that any departure from the recommended actions is backed up by solid reasons.

Basel Stress-Testing Principles

The Basel Committee emphasizes that stress testing is a crucial aspect by requiring that market risk calculations based on internal VaR and Expected Shortfall (ES) models be accompanied by “rigorous and comprehensive” stress testing. Moreover, banks that use the internal ratings-based approach of Basel II to calculate credit risk capital should perform a stress test to evaluate the strength of their assumptions.

Influenced by the 2007-2008 financial crisis, the Basel Committee published the principles of stress-testing for banks and their corresponding supervisors. The overarching emphasis of the Basel Committee was the importance of stress testing in determining the amount of capital that will cushion banks against losses due to large shocks.

Therefore, the Basel Committee recognized the importance of stress testing in:

Giving a forward-looking perspective on the evaluation of risk;

Overcoming the demerits of models and historical data;

Facilitating the development of risk mitigation, or any other plans to reduce risks in

different stressed conditions;

Assisting internal and external communications;

Supporting the capital and liquidity planning procedures; and

Notifying and setting of risk tolerance.

When the Basel committee considered the stress tests done before 2007-2008, they concluded that:

It is crucial to involve the Board and the senior management in stress testing. The Board and the senior management should be involved in stress testing aspects such as choosing scenarios, setting stress testing objectives, analysis of the stress testing results, determining the potential actions, and strategic decision making. During the crisis, banks that had senior management interested in developing a stress test, which eventually affected their decision-making, performed fairly well.

The approaches to stress testing did not give room for the aggregation of different exposures in different parts of a bank. That is, experts from different parts of the bank did not cooperate to produce an enterprise-wide risk view.

The scenarios chosen in the stress tests were too moderate and were based on a short period of time. The possible correlations between different risk types, products, and markets were ignored. As such, the stress tests relied on the historical scenarios and left out risks from new products and positions taken by the banks.

Some of the risks were not considered comprehensively in the chosen scenarios. For example, counterparty credit risk, risks related to structured products, and products awaiting securitization were only partially considered. Moreover, the effect of the stressed scenario on liquidity was underrated.

Basel Committee Stress Testing Principles

According to the Basel Committee on Banking Supervision’s “Stress Testing Principles” published in

December 2017:

1. Stress testing frameworks should incorporate an effective governance structure.

The stress testing frameworks should involve a governance structure that is clear, documented, and comprehensive. The roles and responsibilities of senior management, oversight bodies, and those concerned with stress testing operations should be clearly stated.

The stress testing framework should incorporate a collaboration of all required stakeholders and the appropriate communication to stakeholders of the stress testing methodologies, assumptions, scenarios, and results.

2. Stress testing frameworks should have clearly articulated and formally adopted objectives.

The stress testing frameworks should satisfy the objectives that are documented and approved by the Board of an organization or any other senior governance body. The objectives should be able to meet the requirements and expectations of the framework of the bank and its general governance structure. The staff mandated to carry out stress testing should know the stress testing framework’s objectives.

3. Stress testing frameworks should capture material and relevant risks and apply sufficiently severe stresses.

Stress testing should reflect the material and relevant risk determined by a robust risk

identification process and key variables within each scenario that is internally consistent. A

narrative should be developed explaining a scenario that captures risks, and those risks that

are excluded by the scenario should be described clearly and well documented.

4. Stress testing should be utilized as a risk management tool and to convey business decisions.

Stress testing is typically a forward-looking risk management tool that potentially helps a bank in identifying and monitoring risk. Therefore, stress testing plays a role in the formulation and implementation of strategic and policy objectives. When using stress testing results, banks and authorities should comprehend crucial assumptions and limitations such as the relevance of the scenario, model risks, and risk coverage. Lastly, stress testing as a risk management tool should be done regularly in accordance with a well-developed schedule (except ad hoc stress tests). The frequency of a stress test depends on:

The objective of the stress testing framework;

The size and complexity of the financial institution; and

Changes in the macroeconomic environment.

5. Resources and organizational structures should be adequate to meet the objectives of the stress testing framework.

Stress testing frameworks should have adequate organizational structures that meet the objectives of the stress test. The governance processes should ensure that the resources for stress testing are adequate, such that these resources have relevant skill sets to implement the framework.

6. Stress tests should be supported by accurate and sufficiently granular data and robust IT systems.

Stress tests identify risks and produce reliable results if the data used is accurate and complete, and available at an adequately granular level and on time. Banks and authorities should establish a sound data infrastructure which is capable of retrieving, processing, and reporting the information used in stress tests. The data infrastructure should be able to provide adequate quality information to satisfy the objectives of the stress testing framework. Moreover, structures should be put in place to cover any material information deficiencies.

7. Models and methodologies to assess the impacts of scenarios and sensitivities should be fit for purpose.

The models and methodologies utilized in stress testing should serve the intended purpose. Therefore,

There should be an adequate definition of coverage, segmentation, and granularity of the data and the types of risks based on the objectives of the stress test framework. This is all done at the modeling stage;

The complexity of the models should be relevant to both the objectives of the stress testing and target portfolios being assessed using the models; and

The models and the methodologies in a stress test should be adequately justified and documented.

The model building should be a collaborative task between the different experts. As such, the model builders engage with stakeholders to gain knowledge on the type of risks being modeled and understand the business goals, business catalysts, risk factors, and other business information relevant to the objectives of the stress testing framework.

8. Stress testing models, results, and frameworks should be subject to challenge and regular review.

Periodic review and challenge of stress testing for the financial institutions and the

authorities is important in improving the reliability of the stress testing results,

understanding of results’ limitations, identifying the areas that need improvement and

ensuring that the results are utilized in accordance with the objectives of the stress testing

framework.

9. Stress testing practices and findings should be communicated within and across jurisdictions.

Communicating the stress testing results to appropriate internal and external stakeholders

provides essential perspectives on risks that would be unavailable to an individual institution

or authority. Furthermore, disclosure of the stress test results by banks or authorities

improves the market discipline and motivates the resilience of the banking sector towards

identified stress.

Banks and authorities who choose to disclose stress testing results should ensure that the method of delivery makes the results understandable while including the limitations and assumptions on which the stress test is based. Clear conveyance of stress test results prevents inappropriate conclusions on the resilience of the banks with different results.

Question 1

Hardik and Simriti compare and contrast stress testing with economic capital and value at

risk measures. Which of the following statements regarding differences between the two

types of risk measures is most accurate?

A. Stress tests tend to calculate losses from the perspective of the market, while EC/VaR

methods compute losses based on an accounting point of view

B. While stress tests focus on unconditional scenarios, EC/VaR methods focus on

conditional scenarios

C. While stress tests examine a long period, typically spanning several years, EC models

focus on losses at a given point in time, say, the loss in value at the end of year t.

D. Stress tests tend to use cardinal probabilities while EC/VaR methods use ordinal

arrangements

The correct answer is C.

Option A is inaccurate: Stress tests tend to calculate losses from the perspective of accounting, while EC/VaR methods compute losses based on a market point of view.

Option B is inaccurate: While stress tests focus on conditional scenarios, EC/VaR methods focus on unconditional scenarios.

Option D is also inaccurate: Stress tests do not focus on probabilities. Instead, they focus on ordinal arrangements like “severe,” “more severe,” and “extremely severe.” EC/VaR methods, on the other hand, focus on cardinal probabilities. For instance, a 95% VaR loss could be interpreted as 5-in-100 events.

Question 2

One of the approaches used to incorporate stress testing in VaR involves the use of

stressed inputs. Which of the following statements most accurately represents a genuine

disadvantage of relying on risk metrics that incorporate stressed inputs?

A. The metrics are usually more conservative (less aggressive)

B. The metrics are usually less conservative (more aggressive)

C. The capital set aside, as informed by the risk metrics, is likely to be insufficient

D. The risk metrics primarily depend on portfolio composition and are not responsive to

emerging risks or current market conditions.

The correct answer is D.

The most common disadvantage of using stressed risk metrics is that they do not respond

to current issues in the market. As such, significant shocks in the market can “catch the

firm unaware” and result in extensive financial turmoil.

Question 3

Sarah Wayne, FRM, works at Capital Bank, based in the U.S. The bank owns a portfolio of

corporate bonds and also has significant equity stakes in several medium-size companies

across the United States. She was recently requested to head a risk management

department subcommittee tasked with stress testing. The aim is to establish how well

prepared the bank is for destabilizing events. Which of the following scenario analysis

options would be the best for the purpose at hand?

A. Hypothetical scenario analysis

B. Historical scenario analysis

C. Forward-looking hypothetical scenario analysis and historical scenario analysis

D. Cannot tell based on the given information

The correct answer is C.

Scenario analyses should be dynamic and forward-looking. This implies that historical

scenario analysis and forward-looking hypothetical scenario analysis should be combined.

Pure historical scenarios can give valuable insights into impact but can underestimate the

confluence of events that are yet to occur. What’s more, historical scenario analyses are

backward-looking and hence neglect recent developments (risk exposures) and current

vulnerabilities of an institution. As such, scenario design should take into account both

specific and systematic changes in the present and near future.

Question 4

Senior management should be responsible for which of the following tasks?

I. Ensuring that stress testing policies and procedures are followed to the letter

II. Assessing the skills and expertise of the staff involved in stress-testing activities

III. Evaluating the independent review and validation exercises

IV. Making key decisions on investment, capital, and liquidity based on stress test

results along with any other information available.

V. Propagating widespread knowledge on stress tests across the firm, and making

sure that all departments understand its importance

A. I, II, and IV

B. I and V

C. III and IV

D. V only

The correct answer is B.

Roles II and III belong to internal audit. Role IV belongs to the board of directors.
