The Simple Rules of Risk
Revisiting the Art of Financial Risk Management

Erik Banks

JOHN WILEY & SONS, LTD



The Simple Rules of Risk


Wiley Finance Series
An Introduction to Capital Markets: Products, Strategies, Participants
Andrew Chisholm
Swaps and Other Instruments
Richard Flavell
Securities Operational Management
Michael Simmons
Monte Carlo Methods in Finance
Peter J¨ackel
Modeling and Measuring Operational Risk: A Quantitative Approach
Marcelo Cruz
Structured Products: A Complete Toolkit to Face Changing Financial Markets
Roberto Knop
Government Bond Markets in the Euro Zone
Analistas Financieros Internacionales
Building and Using Dynamic Interest Rate Models
Ken Kortanek and Vladimir Medvedev
Structured Equity Derivatives: The Definitive Guide to Exotic Options and Structured Notes

Harry Kat
Advanced Modelling in Finance
Mary Jackson and Mike Staunton
Operational Risk: Measurement and Modelling
Jack King
Advanced Credit Risk Analysis: Financial Approaches and Mathematical Models to Assess, Price and
Manage Credit Risk
Didier Cossin and Hugues Pirotte
Dictionary of Financial Engineering
John F. Marshall
Pricing Financial Derivatives: The Finite Difference Method
Domingo A. Tavella and Curt Randall
Interest Rate Modelling
Jessica James and Nick Webber
Handbook of Hybrid Instruments: Convertible Bonds, Preferred Shares, Lyons, ELKS, DECS and Other
Mandatory Convertible Notes
Izzy Nelken (ed.)
Options on Foreign Exchange, Revised Edition
David F. DeRosa
The Handbook of Equity Derivatives, Revised Edition
Jack Francis, William Toy and J. Gregg Whittaker
Volatility and Correlation in the Pricing of Equity, FX and Interest-Rate Options
Riccardo Rebonato
Risk Management and Analysis vol. 1: Measuring and Modelling Financial Risk
Carol Alexander (ed.)
Risk Management and Analysis vol. 2: New Markets and Products
Carol Alexander (ed.)
Credit Derivatives: A Guide to Instruments and Applications
Janet Tavakoli
Interest-Rate Option Models: Understanding, Analysing and Using Models for Exotic Interest-Rate

Options (second edition)
Riccardo Rebonato


The Simple Rules of Risk
Revisiting the Art of Financial Risk Management

Erik Banks

JOHN WILEY & SONS, LTD


Copyright 2002

John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester,
West Sussex PO19 8SQ, England
Telephone (+44) 1243 779777

Email (for orders and customer service enquiries):
Visit our Home Page on www.wileyeurope.com or www.wiley.com
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical, photocopying, recording,
scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988
or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham
Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher.
Requests to the Publisher should be addressed to the Permissions Department, John Wiley &
Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed
to , or faxed to (+44) 1243 770571.
This publication is designed to provide accurate and authoritative information in regard to the
subject matter covered. It is sold on the understanding that the Publisher is not engaged in

rendering professional services. If professional advice or other expert assistance is required, the
services of a competent professional should be sought.
Other Wiley Editorial Offices
John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA
Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA
Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany
John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809
John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1

Library of Congress Cataloging-in-Publication Data
Banks, Erik.
The simple rules of risk : revisiting the art of financial risk management / Erik Banks.
p. cm. — (Wiley finance series)
Includes bibliographical references and index.
ISBN 0-470-84774-3 (alk. paper)
1. Financial futures. 2. Risk management. I. Title. II. Series.
HG6024.3 .B36 2002
2002071302
658.15 5—dc21
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 0-470-84774-3
Typeset in 10/12pt Times by TechBooks, New Delhi, India
Printed and bound in Great Britain by Antony Rowe Ltd, Chippenham, Wiltshire
This book is printed on acid-free paper responsibly manufactured from sustainable forestry,
in which at least two trees are planted for each one used for paper production.


Contents


Acknowledgements
Biography

xv
xvii

1 Introduction
1.1 Risk and risk management
1.2 Qualitative and quantitative approaches to risk management
1.3 Financial losses and failures of the risk process
1.3.1 Showa Shell Seikyu
1.3.2 Procter and Gamble
1.3.3 Metallgesellschaft
1.3.4 Orange County
1.3.5 Barings
1.3.6 Sumitomo Corporation
1.3.7 Long Term Capital Management (LTCM)
1.3.8 Enron
1.3.9 Allfirst
1.4 Diagnosing risk process problems
1.4.1 Flaws in governance
1.4.2 Flaws in identification and measurement
1.4.3 Flaws in reporting and monitoring
1.4.4 Flaws in management
1.4.5 Flaws in infrastructure
1.5 Strengthening risk practices
1.6 The simple rules of risk
1.6.1 The cardinal rules


1
1
2
6
8
9
10
10
11
12
13
14
15
16
16
17
17
18
19
20
21
22

2 Philosophy of Risk
2.1 Risk-taking should be aligned with other corporate priorities, directives
and initiatives
2.2 Risk should be viewed on an enterprise-wide basis in order to
understand how it impacts the entire organization

25

25
27


vi

Contents

2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11

2.12
2.13

2.14
2.15

2.16
2.17

Deciding to become an active risk taker without implementing a robust
risk process is likely to lead to financial losses
Actively assuming risk requires support from key stakeholders and

commitment of necessary financial resources
Risk generates profits, and can therefore benefit a firm — it must,
however, be managed properly
Risk is a finite resource that is driven by capital
Risk capacity is not free and proper compensation must be obtained;
the process should be disciplined and applied without exception
More risk should be taken when it makes sense to do so — but only
if the reasons are well established and the returns appropriate
A robust risk/return framework should be used to evaluate the
performance of risk-taking activities
Risk-taking should be confined to areas in which a firm has technical
expertise and a competitive advantage
“Worst case scenarios” happen with considerable frequency in an era
of volatility and event risk. the lessons of history — financial cycles
and crises — provide useful risk information
Understanding the dynamics of different risk classes can help define
an approach to risk
Senior management should know the strengths, weaknesses,
motivations, expertise and risk behavior of its business leaders
and risk takers
Healthy skepticism — though not cynicism — can be useful in
considering risks
Though risk activities of financial and non-financial companies are
based on similar principles, they often feature important differences
that must be thoroughly understood
Creating a risk capability and presence should be regarded as a
long-term endeavor
Once a risk philosophy is defined, it should be communicated clearly
and followed with discipline


3 Risk Governance
3.1 Risk classes need to be clearly defined and delineated
3.2 Clear expression of firm-wide risk appetite is essential
3.3 The risk governance structure should assign responsibility for risk to
senior officials from various parts of the organization; these officials
must ultimately be accountable to the board of directors
3.4 Accountability for risk must run from the top to the bottom of an
organization; senior management must not claim to be unaware of risk,
or be in a position where they are unaware of risk
3.5 Human judgment is remarkably valuable; years of “crisis experience”
can be far more valuable than recommendations generated by models
3.6 Independence of the risk function must be undoubted
3.7 Other key control functions must remain equally independent of the
business

27
28
28
29
30
30
31
31

31
32

33
33


34
34
35

37
39
39

40

41
41
42
43


3.8
3.9
3.10
3.11
3.12
3.13

3.14
3.15
3.16
3.17

3.18


3.19

3.20
3.21
3.22

3.23
3.24
3.25
3.26
3.27
3.28
3.29

3.30
3.31

3.32

Contents

vii

The risk process must be dynamic in order to be truly effective
Disciplined application of the risk process is a necessity
An ineffective control process is a source of risk that must be addressed
Risk takers must have clear reporting lines and accountabilities
Compensation policies for risk takers must be rational
Trading managers and investment bankers should be the front line of
risk management — accountable, in a measurable way, for assuming

“good” risks
Once management has confidence in its risk process, it should let
business managers conduct business and monitor the results
Appropriate limits should exist to control risks
Risk policies should be used to define and control all risk activities
A new product process should exist to evaluate the nuances and
complexities of new instruments, markets and transactions; the same
should apply to capital commitments
The nature and structure of risk policies, metrics and reporting
should be reviewed regularly to account for changing dimensions of
business
An effective disciplinary system is crucial; if limits/policies are
breached, quick disciplinary action must be taken — if decisive action
is not taken, the risk governance process loses credibility
The risk organization must carry stature, experience and authority in
order to command respect
The knowledge that an experienced group of professionals is scrutinizing
risk is a very powerful risk management tool
Hiring the best risk experts available, with a broad range of credit,
market, legal and quantitative experience, is a worthwhile investment
in the firm’s future
Ensuring the risk function possesses the right mix of skills and
experience strengthens the management process
Risk takers, risk managers and other control professionals should
rotate regularly to remain “fresh” in their experience and perspectives
Risk expertise must be disseminated throughout the organization
Preserving an institutional memory of risk issues is important for future
management of risk within a company
General risk education should be mandatory throughout the firm
Educational efforts should focus on concepts that are part of the daily

operating environment
Risk specialists should question and probe until they are satisfied with
the answers — they should not be afraid to query and challenge
“business experts,” even when it seems difficult to do so
Risk management spans many fronts — allies in audit, finance, legal
and operations can help in the process
A constructive relationship with business units can be more productive
than an adversarial one; but a constructive relationship does not mean
approving all business deals and risks
Risk decisions should be made quickly and firmly; overruling the
decisions of risk subordinates should be kept to an absolute minimum

43
43
44
44
45

46
46
47
47

48

49

49
50
50


51
51
52
52
53
53
54

54
55

55
56


viii

Contents

3.33 Consistency is vital throughout the risk control organization; this
eliminates the possibility of “internal arbitrage” across regions
and businesses
3.34 Risk officers should be involved in every aspect of the firm that has a
risk dimension to ensure that the proper perspective is always
represented
3.35 A risk crisis management program, with clear authorities,
responsibilities and expectations, should be designed for quick
implementation
3.36 Sensitivity to regulatory requirements is important

3.37 The governance process must provide senior managers with an ability
to view and manage risk on a regulatory/legal entity basis
3.38 Regular internal audits of the risk process should be performed
4 Risk Identification
4.1 Proper identification of risk can only occur after a thorough
understanding of a product, transaction, market or process has been
gained
4.2 All dimensions of risk must be identified; risks that might be less
apparent at the time of analysis should not be ignored, as they can
become more prominent as market conditions change
4.3 The identification process should serve as the base for the quantification
process; risks that are identified should be quantified, and ultimately
limited, in some manner
4.4 The identification process should follow a logical progression —
beginning with the most common or essential, and moving on to the
more complex or esoteric
4.5 In the search for more complex dimensions of risk, care must be taken
not to overlook the most obvious risks
4.6 Risk identification should be an ongoing process that continually
re-examines all dimensions of exposure
4.7 Risk officers should work with traders, product experts and finance
personnel to analyze products and identify risks
4.8 Risk specialists must focus on details because the discipline is complex;
but reviewing broader “macro” issues is also an important part of the
risk process
4.9 Cooperation between different control units can lead to identification
of risks that “cross boundaries”
4.10 All sources of settlement risk must be identified
4.11 Hedges may not always function as intended; potential “problem
hedges” should be identified in advance

4.12 Risk arising from convergence/divergence trades must be identified
4.13 Models used to price and manage risks may contain risks of their own
4.14 Risk exposures created through changes in the structure and timing of
cash flows must be identified
4.15 New products and markets can contain special risks that have not been
encountered before; these risks should be thoroughly understood

56

57

57
58
58
59
61

61

62

62

63
64
64
65

65
66

66
67
67
68
68
69


Contents

4.16 Local markets may possess very unique risks and due care must be
taken to understand them
4.17 “Risk-free” strategies with above average returns are rarely risk-free;
pockets of “hidden” or structural risk may exist
4.18 If the identification process reveals that a large number of firms are
extending credit to a counterparty, caution should be exercised
4.19 The existence of “credit cliffs” can result in the creation of
sub-investment grade credit exposures, and should be identified
in advance
4.20 Market risk concentrations must be properly identified
4.21 Understanding and identifying the links between liquidity, leverage,
funding and exposure is vital
4.22 During times of market stress, market and credit risks can become
linked; advance identification of these linkages can help avoid
problems
4.23 Risk outside a specialist’s domain that is discovered during
the identification stage should be forwarded to a unit with direct
responsibility
4.24 Identifying the source of the next “large loss” can provide guidance
on the nature/quality of controls needed to protect against such a loss

4.25 If an unexpected loss occurs, the identification process may not be
working correctly and should be reviewed
5 Risk Quantification and Analysis
5.1 Risks discovered in the identification stages should be decomposed into
quantifiable terms; this allows exposures to be constrained and
monitored
5.2 Though certain risks can be difficult to quantify, basic attempts at
measurement are important in order to obtain an indication of riskiness
5.3 Models are based on assumptions that may, or may not, be realistic;
assumptions, and the impact they can have on valuation, must be well
understood
5.4 Models should not be used to the point of “blind faith” — they are only
ancillary tools intended to supplement the risk process
5.5 It is important to know which risks are marked-to-model and why
5.6 The effects of volatility on risk exposures should be quantified
5.7 The impact of correlation between assets, and between assets and
counterparties, should be quantified
5.8 The valuation of large positions should be regarded with skepticism;
proof, through periodic, random liquidation exercises, can help
provide an assessment of fair value
5.9 Use of traditional risk quantification techniques may underestimate
potential market risk losses if a portfolio or business is very illiquid
5.10 Scenario analysis can be useful in quantifying how risk profiles change
with fluctuating variables
5.11 Quantifying the effect of “disaster” scenarios on risk portfolios is useful,
but managing to such scenarios is not an advisable practice

ix

69

70
70

71
71
72

72

73
73
74
77

77
78

78
79
80
80
81

82
82
83
83


x


Contents

5.12 “Safe” assets and exposures can become risky in a crisis — quantifying
the downside of such exposures is useful
5.13 Credit and market risk linkages should be quantified when possible
5.14 Leverage can magnify credit, market, funding and liquidity risks and
must be factored into any quantification exercise
5.15 Relying on a mark-to-market calculation as an estimate of replacement
cost at the time of default might result in an understatement
5.16 Quantifying credit exposures on a net basis should only be done when
a firm has appropriate counterparty documentation and is operating in
a jurisdiction where netting is legally recognized
5.17 The efficacy of risk analytics should be demonstrated through regular
quantitative testing
5.18 Independent verification of the analytics used to quantify risks should
be undertaken
6 Risk Monitoring and Reporting
6.1 If risk cannot be monitored it cannot be managed
6.2 Top risks should be monitored continuously
6.3 The use of a “risk watchlist” report, which alerts participants
to potential concerns or problem areas, can be a valuable
management tool
6.4 Standard risk reports should be supplemented by special reports
that provide an indication of illiquidity, mismarks and other
problems
6.5 It is more useful to have timely reporting of 90% of a firm’s risk
exposure than delayed reporting of 100%
6.6 Information should not come from multiple sources — a single,
independent source should be used as the kernel for all reports,

and should be audited for accuracy on a regular basis
6.7 The ability to relate profit and loss to risk, in detail, is paramount
6.8 Profits must be reviewed with the same rigor as losses as they may be
indicative of large, or unknown, risks
6.9 Some risk positions generate losses instantaneously while others bleed
profits over time; P&L decomposition can help identify losses in both
cases
6.10 Reporting should focus on the essential — simple reports that convey
the right information are often the most effective tool
6.11 Management reporting should generally commence with broad
summaries of key risks for board directors and senior executives,
and increase in detail as it moves down the management chain
6.12 Senior managers in the risk governance structure must receive
and review risk information on a regular basis
6.13 Ready access to detailed risk information is critical
6.14 Reporting should be flexible enough to provide all relevant views of
risk information
6.15 Regulatory reports are generally not sufficient to manage a complex
business

84
84
85
85

86
86
87
89
89

89

90

90
91

91
92
93

93
94

94
94
95
95
96


Contents

6.16 Regulatory reporting requirements are likely to increase over time and
should be borne in mind when designing reporting mechanisms
6.17 More, rather than less, disclosure of credit and market risks to external
parties is preferable; it adds transparency and comfort
6.18 Reporting should not be aimed at very limited audiences or be done
“for show”
6.19 Use of “flash reporting” can provide an early indication of P&L and risk

performance
6.20 Monitoring processes should be implemented to verify the nature of
collateral and counterparties
6.21 Public credit ratings can be useful for “third party” confirmation and
monitoring, but should not be regarded as a substitute for proprietary
internal ratings
6.22 Financial markets contain a great deal of credit information — monitoring
the stock prices and credit spreads of counterparties can be helpful,
especially on the downside
7 Risk Management
7.1 Risk managers should be visible and available
7.2 Risk officers and risk takers should discuss risk issues on a regular
basis
7.3 Risk managers should be in regular contact with market participants —
the market has a great deal of information that can be used in daily
management of risk
7.4 Risk managers should strive to be “value added” by searching for
beneficial risk solutions whenever possible
7.5 Risk decisions should be documented clearly in order to avoid errors
and misinterpretation; good documentation establishes a proper audit
trail
7.6 When a potential risk problem is discovered, immediate
action must be taken; problems must not be permitted to grow out of
control
7.7 Risk decisions should not be driven by competitive pressures
7.8 If other institutions do not want to accept a risk-bearing deal, there
may be a reason for it — it is important to determine whether it should
be a factor in approving or declining the risk
7.9 Prudent risk reserve mechanisms should be established for
concentrated, complex, illiquid or marked-to-model risks

7.10 Credit reserve mechanisms should be implemented in order
to encourage active management of credit risks
7.11 Failure to price the cost of credit risk will ultimately lead to
a misbalanced credit portfolio and credit losses
7.12 A risk is not hedged or sold until it is actually hedged or sold; just
because it is “theoretically” possible to hedge or sell a risk does not
mean that it can be done
7.13 Active management of asset and funding liquidity is vital in order to
avoid potential losses

xi

96
96
97
98
98

99

99
101
101
101

102
102

103


103
104

104
105
105
106

106
107


xii

Contents

7.14 Since liquidity has a tendency to disappear quickly, conservative
liquidation assumptions should be used when managing risks
7.15 An investment account must not be regarded as a trading account for
illiquid positions
7.16 Large deals mean large — and possibly illiquid or unhedgeable —
risks; they must be managed carefully and command an appropriate
premium
7.17 Concentrated risks can be very damaging and must be managed
actively
7.18 Risk takers should be limited to taking risk in specific markets and
instruments
7.19 Risk-bearing positions must be booked/housed in officially sanctioned
trading systems
7.20 Using financial incentives and penalties to influence risk-taking behavior

is an effective management tool
7.21 Aggressive risk-taking behavior, which may ultimately create risk
problems, should be managed closely
7.22 Risk mitigation should not be mistaken for risk migration
7.23 Risk mitigation/migration tools should be used wherever possible
7.24 Attempting to predict what will happen in the future is hazardous —
the risk function should be realistic in assessing the time horizon of
deals, structures and credits
7.25 Understanding why a client is entering into a complex risk trade is
important; if suitability emerges as an issue, it should be made known
to legal officers
7.26 Strong client sales practices can help mitigate risks
7.27 Executing a risk-bearing deal to accommodate a client or build a client
relationship does not justify the assumption of bad risk
7.28 Where possible and feasible — and without compromising
confidentiality — counterparty information should be shared
with others seeking to extend credit
7.29 Collateral taken in support of an exposure should relate directly to
counterparty credit quality, the size of the risk exposure and relevant
concentration/liquidity parameters
7.30 Legal and operational staff should be familiar with triggers and clauses
that can be influenced by credit, market and liquidity events
7.31 Legal documentation that protects multiple products/eventualities can
help control risk exposures
7.32 A legal documentation backlog may ultimately lead to
operational/legal errors and losses — authorizations, guarantees,
confirmations and master agreements should always be as current as
possible
7.33 Establishing documentary targets and thresholds can help limit
operational and legal risks; incomplete documentation should be

prioritized by creditworthiness and risk exposure

108
109

109
109
110
110
111
111
112
112

113

114
114
115

115

116
116
117

117

118



Contents

8 Risk Infrastructure
8.1 Data is the fundamental component of any risk process — bad data
leads to bad information and bad risk decisions
8.2 A single source of trade data should be used whenever possible to
ensure consistency; when this is not possible, data processes must be
properly reconciled and audited
8.3 Technology should be made as flexible as possible in order to
accommodate the changing business environment
8.4 Risk requirements should be a central part of any business technology
blueprint
8.5 Technology changes that impact risk management, finance, legal,
regulatory reporting and operations should always be considered
jointly
8.6 Minimum standards related to risk technology, analytics and reporting
should be applied to all risk-taking business
8.7 A risk control system is not a risk management system; the two are
different and both are necessary
8.8 The technology platform that generates valuations and risk
information must be under the scrutiny/control of technological
auditors/risk managers
8.9 Changes in risk measures, processes or technology by the trading
or risk management functions must be thoroughly developed, tested,
reviewed and documented before being implemented
8.10 Use of short-term, temporary infrastructure solutions is acceptable, but
these should be replaced by robust solutions as soon as possible
8.11 When automated infrastructure solutions are not available, the best
manual solutions, with checks and balances, should be implemented

8.12 “Off-the-shelf” technology solutions that provide 80% or 90% of the
capability a firm is seeking can be an ideal solution
8.13 Infrastructure contingency plans should take account of all risk
requirements

xiii

121
121

122
123
123

124
124
125

126

126
127
127
128
128

9 Summary

131


Selected References

133

Index

135



Acknowledgements
I would like to express my gratitude to various individuals for their help in making The Simple
Rules of Risk a reality.
My sincere thanks go to Samantha Whittaker, publishing editor at John Wiley and Sons,
for her considerable efforts in supporting and guiding the project. As always, Sam has been
a valuable partner and supporter. Thanks are also due to Carole Millett, editorial assistant at
Wiley, for helping coordinate the mechanics of the project.
Professionally, I have had the good fortune of working for some of the best risk managers
in the financial industry — I owe my gratitude to those who taught me, over a 15-year period,
about the intricacies of the risk discipline. Specifically, I would like to thank William Lyman,
Daniel Napoli, Steve Schulman and Richard Dunn for their efforts over the years. Each taught
me a great deal about risk — including the importance of using common sense, prudence,
judgment and experience when making risk decisions — and each guided me with enthusiasm.
I am grateful for their friendship, support and instruction.
Patience, support and encouragement on the home front are vital in any writing project — as
always, my wife Milena provided all three, and so deserves the biggest thanks of all!



Biography

Erik Banks has held senior risk management positions at several global financial institutions.
In 2001 Mr. Banks joined XL Capital’s weather/energy risk management subsidiary, Element
Re, as Partner and Chief Risk Officer. Prior to that he spent 13 years at Merrill Lynch, where
he was Managing Director of Corporate Risk Management, responsible for the firm’s risk
infrastructure; before that he spent 8 years abroad, managing Merrill’s credit and market risk
teams in London, Hong Kong and Tokyo. Prior to joining Merrill Lynch in 1988 he was a credit
officer at Citibank and Manufacturers Hanover in New York. Mr. Banks is author of seven
other books on risk, emerging markets, derivatives, merchant banking and electronic finance;
he is also editor and co-author of a book on weather risk management, and is working on
various new financial texts.



1
Introduction
1.1 RISK AND RISK MANAGEMENT
Risk, which can impact all areas of personal and corporate activity, can be defined as the uncertainty surrounding the outcome of a future event. In order to manage and control risks — to
reduce or contain possible losses caused by uncertain future events — firms should strive to
use all available tools and approaches. By doing so they minimize the chance that unacceptable losses will occur. Firms active in risk-taking businesses should seek to draw on both
quantitative and qualitative approaches to help them manage their exposures. Quantitative risk
management, which relies on mathematical models and techniques to identify, quantify and
manage exposures, is one major approach to risk control; qualitative risk management, which
focuses primarily on experience, judgment and common sense, represents a second major approach. Certain firms favor quantitative approaches over qualitative processes, while others
prefer a qualitative focus; in some cases firms rely on both methods. Indeed, the “combined”
approach may well be the best one, as the truly effective risk process draws on the strengths of
quantitative and qualitative techniques to overcome individual shortcomings and weaknesses
that characterize each discipline. As we shall note later in this chapter, qualitative approaches
to risk management are periodically ignored in favor of purely quantitative techniques. The
prudent firm must never forget that judgment, experience and common sense can be powerful tools in helping create a strong risk process. In this text we seek to demonstrate that
the creation and application of qualitative methods of risk management — combined with

relevant quantitative processes — can help a firm develop the strongest possible framework
for managing the risks surrounding core business. Risk takers and risk managers must never
forget that experience and judgment are powerful tools in the ongoing management of all
risks.
Before embarking on a detailed discussion of risk rules we frame our discussion by reviewing
quantitative and qualitative approaches to risk management, failures in the risk control process
and diagnosis of control flaws. An understanding of these topics provides some insight into
how many of the simple rules of risk discussed in the balance of the text are actually developed.
To prepare, we digress briefly and review the scope of the risks considered in this book.
Risk management is the process of managing uncertainty that arises in the normal course of
activities, including those related to business ventures. Business risks can assume many forms.
From a financial perspective, these may include credit risk, or the risk that a counterparty will
fail to perform as expected on a contractual obligation, leading to a loss; market risk, or the risk
that movements in an underlying asset or index will create a loss; and liquidity risk, or the risk
that assets cannot be liquidated or funding sources cannot be accessed without creating a loss.
Each of these broad categories can be divided further. For instance, credit risk can be separated
into default risk, settlement risk, sovereign risk, and so on. Market risk can be segregated
into directional risk, volatility risk, basis risk, curve risk and correlation risk, among other
categories. Other types of business risks can, of course, impact a firm, including operational
risk, or the risk of loss due to flaws or failures in control processes, and legal risk, or the risk


2

The Simple Rules of Risk

of loss due to errors in, or lack of, legal documentation; these can be decomposed into detailed
subcategories. Various other types of risks can impact a company, including tax risk, strategic
risk, business risk, reputational risk, and so on; in addition, non-financial operating risks, such
as catastrophic property and casualty risk, business interruption risk and director liability risk,

can create exposures and losses. While all of these are important, they are beyond the scope
of this book and we will not consider them further. Figure 1.1 summarizes major types of
business risks. A brief glossary of risk is highlighted in Table 1.1.
Each category of risk — regardless of its underlying characteristics — exposes a firm to the
possibility of loss. The risk management discipline focuses on minimizing the possibility of
loss, and limiting those that occur to “acceptable” levels. Though the term “acceptable” varies
from firm to firm, we define it as a loss that is not significant enough to threaten the financial
viability of an institution. Active management of risk, using all available approaches, is central
to eliminating unacceptable losses.

1.2 QUALITATIVE AND QUANTITATIVE APPROACHES
TO RISK MANAGEMENT
The management of financial business risks — particularly credit, market and liquidity risks —
tends to evolve over time, as markets, products, skills and resources change. For instance,
before the development and implementation of financial mathematics in the early 1970s, risk
management was based largely on experience and judgment. The absence of sophisticated
mathematical tools to help evaluate and analyze risks — apart from measures such as bond
duration (developed in 1938), the Markowitz mean–variance framework (1952) and Sharpe’s
Capital Asset Pricing Model (1963) — meant that financial and corporate risk managers relied
very heavily on common sense, experience and prudence in order to operate safely. Experienced
line managers and financial controllers were responsible for decomposing risks thought to
impact operations and developing rudimentary methods for managing exposures (e.g. broad
risk limits constraining notional deal size); they often drew on experience from previous losses
to help them identify and constrain potential “problem areas.” There was little in the way of
computing power to assist in the process — the technology focus was on mainframe-driven
databases oriented primarily toward customer-related functions rather than financial analysis —
and reporting of risk exposures was often manual. Given the preponderance of the “human
element” — experience, judgment and common sense, supported by some basic numerical support — we might consider this a “qualitative” approach to risk management. While this method
may not have prevented all financial losses, it was adequate given the environment of the time.
Markets in the mid-20th century were not as volatile as they have become over the past few

decades. The collapse of the Bretton Woods Agreement in 1972, which had been implemented
in the mid-1940s to create a system of fixed exchange rates, together with oil shocks in the
early and late 1970s, which fuelled inflation and more active monetary policy initiatives, meant
an increase in asset volatility. Currencies, interest rates and commodities began fluctuating by
much greater amounts. Deregulation in the global financial and commodity markets during
the late 1970s, 1980s and 1990s — including elimination of fixed brokerage commissions,
removal of interest rate ceilings, passage of legislation allowing greater personal investment
freedoms, erosion of the restrictions between commercial and investment banking, lowering
of trade and capital barriers, and so on — translated into greater movement of capital across
borders, markets and asset classes. The end result was, and continues to be, an increase in
volatility — and a corresponding rise in financial risks.


Introduction

Overall Business Risk Classes

Market
Risk

Credit
Risk

Liquidity
Risk

Legal
Risk

Operational

Risk

Directional
Risk

Default
Risk

Asset
Risk

Documentation
Risk

Confirmation
Risk

Volatility
Risk

Settlement
Risk

Funding
Risk

Suitability
Risk

Control

Risk

Curve
Risk

Sovereign
Risk

Other
Risks

Other
Risks

Fraud
Risk

Basis
Risk

Model
Risk

Infrastructure
Risk

Spread
Risk

Other

Risks

Other
Risks

Model
Risk

Time Decay
Risk

Correlation
Risk

Concentration
Risk

Other
Risks

Figure 1.1 Financial business risk classes

3


4

The Simple Rules of Risk

Table 1.1 A brief glossary of risk a

Term

Definition

Market Risk

Risk of loss due to unfavorable movement in an underlying reference asset, index
or market

Basis Risk

Risk of loss due to unfavorable movement between target instrument and hedge
instrument

Concentration Risk

Risk of loss due to unfavorable movement in, or performance of, a concentrated
risk position

Correlation Risk

Risk of loss due to changing magnitude/relationship of correlations between
assets

Curve Risk

Risk of loss due to unfavorable movement in the shape of the reference curve

Directional Risk


Risk of loss due to unfavorable movement in the direction of the underlying
reference asset, index or market

Model Risk

Risk of loss due to errors in the financial mathematics or assumptions underlying
a model used for market risk management/valuation purposes

Spread Risk

Risk of loss due to unfavorable movement of a spread between two assets

Volatility Risk

Risk of loss due to unfavorable movement in volatility

Credit Risk

Risk of loss due to failure by a counterparty to perform on a contractual obligation

Default Risk

Risk of loss due to counterparty default

Model Risk

Risk of loss due to errors in the financial mathematics or assumptions underlying
a model used for credit risk management/valuation purposes

Settlement Risk


Risk of loss due to failure by a counterparty to settle trade/cash flow

Sovereign Risk

Risk of loss due to sovereign action

Liquidity Risk

Risk of loss due to inability to liquidate assets or obtain funding

Asset Risk

Risk of loss due to inability to liquidate assets, risk positions or collateral

Funding Risk

Risk of loss due to inability to secure new funding or rollover existing funding

Legal Risk

Risk of loss due to legal events

Documentation Risk

Risk of loss due to errors in, or lack of, documentation

Suitability Risk

Risk of loss due to client suitability issues


Operational Risk

Risk of loss due to errors in processes and controls

Confirmation Risk

Risk of loss due to unconfirmed transactions

Control Risk

Risk of loss due to human error or lack of control over cash, securities and other
assets

Fraud Risk

Risk of loss due to internal/external fraud

Infrastructure Risk

Risk of loss due to failure of internal/external infrastructure

a Risks can apply across a broad spectrum of asset classes, including currencies, equities, interest rates, commodities,
credits, and so on.