I. Management

Risk Standard 1: Acknowledgment of fiduciary responsibility
Fiduciary responsibilities should be defined in writing and acknowledged in writing by
the parties responsible.

To avoid misunderstandings, written documents should specify fiduciary assignments made or received. The Primary and Manager
Fiduciaries should document the assignment of fiduciary responsibility before the allocation or receipt of assets. Documents should specify and acknowledge in writing the capacity of individuals or organizations to
enter into agreements on behalf of the Primary Fiduciary and articulate the nature and limits of each party's status as agent or principal for specific activities. Documents should specify that the Manager Fiduciary
has accepted a fiduciary assignment from a Primary Fiduciary and should cover individuals as well as firms.
While the Primary Fiduciary may select a Manager to invest its funds, it cannot delegate the
responsibilities and liabilities attached to being the Primary Fiduciary. The possibility of lawsuits claiming that a party did not adequately perform its fiduciary responsibilities is a strong motivation to
articulate and document fiduciary assignments as well as to monitor compliance carefully.
There are three principal types of accounts with regard to fiduciary responsibility. Each should be defined clearly.
- Directed accounts, for example: "Invest only in S&P 500 stocks and vote with management."
- Discretionary accounts, for example: "Invest in assets of your choice and vote as you wish."
- Mixed accounts, for example: "Invest in common stocks and own 200 names. We will retain voting rights."
For directed accounts, the Primary Fiduciary retains all responsibility for the investment decision, choice of asset class, choice
of investment instrument and all associated rights. For discretionary accounts, the Primary Fiduciary delegates broad fiduciary rights. This should be documented to reduce misunderstandings as to the Manager's
investment latitude, a common area of dispute when investments go awry. For mixed accounts, the Primary Fiduciary delegates only a portion of its fiduciary duties (the selection of stocks).
Each time the
Primary Fiduciary hires a new Manager, or changes the investment guidelines or directives to an existing Manager, both the Primary and Manager Fiduciary should redefine and re-document their fiduciary
responsibilities.

Risk Standard 2: Approved written policies, definitions, guidelines and investment documentation
The Primary and Manager Fiduciaries should
approve formal written policies which reflect their overall risk management objectives. The Primary and Manager Fiduciaries also should approve investment guidelines, management agreements and all other contracts
that govern investments. Technical terms should be defined. All policies, definitions, guidelines and investment documentation should be reviewed and updated as appropriate and more often if significant market
events or changes in strategy occur.

Written policies should encompass the investment philosophy and risk appetites of the Primary and Manager Fiduciaries. Typically,
these require the creation of more detailed documents and standards for the individual Manager, portfolio or asset class which include examples specific to the user. For example, a plan sponsor's internal guidelines
should provide examples that relate to the management of a pension fund. A Manager's guidelines should provide examples that relate to its specific instruments, portfolio and particular strategy.
Approved
written standards applied consistently and appropriately have several advantages over reliance on culture or apprenticeships:
- Written standards are less prone to intentional or unintentional omission
- Written standards allow those new to an organization to study the risk management policies of the organization, rather than to learn by trial and error
- Written definitions accompanied by pertinent examples reduce the likelihood of incomplete communications, ambiguities or misinterpretations
Poorly specified guidelines can lead to problems. Guidelines that explicitly allow "hedging," but not
"speculation," may or may not permit proxy hedging. An example of a proxy hedge is the use of Swiss francs to hedge the currency risk in a German equity investment. Some may consider this a hedge, based on
the assumption that the two currencies will move closely together. Others may consider this speculation because there is no guarantee that the Deutschemark and Swiss franc will move together.
Other problems
can result from poorly defined permitted investment definitions. A portfolio may satisfy the literal restriction "only government securities are permitted," but violate the intent of the restriction if it
contains agency notes whose coupon payment is linked to the return of the stock market. Alternatively, two portfolios which meet the guideline requirement that they "maintain an average maturity of five
years" may have significant differences in yield curve exposure if one portfolio consists of five-year instruments and the other of a combination of 3-month Treasury bills and 30-year bonds.
Common terms
that require definition include risk, hedging, speculation, derivative, complex, leverage, benchmark, average maturity, government security and high quality. Descriptors such as material, relevant and significant
should also be defined.
In many capital markets, documentation has been developed to limit credit and other exposures. For example, master counterparty agreements for derivatives transactions reduce credit
exposure by allowing the netting of payments in the case of default. The current trend to include foreign exchange forwards and options contracts under master swap agreements further reduces counterparty exposure.
The Primary and Manager Fiduciaries should update their policies periodically to reflect changing circumstances, new instruments or other relevant changes. Meaningful changes in an institutional investor's
or investment manager's business, strategy, goals, risk appetite, capital requirements, markets or products should trigger formal reviews. Amendments to policies and guidelines should reaffirm what remains and what
is changed in the previous document to avoid conflicts between the two versions.

Risk Standard 3: Independent risk oversight, checks and balances, written procedures and controls
Oversight of compliance with risk policies
should be independent of line investment activity and conducted according to up-to-date, written policies and procedures. Front, middle, and back office activities should be separate wherever possible and sufficient
checks and balances and appropriate controls should exist. When separation is not possible due to limited staff, alternative checks, balances and controls should be established.

Unauthorized trading by individuals can go undetected for months or years if audits or other oversight are insufficient or because
other checks and balances are not in place. Traders and portfolio managers who oversee themselves or perform their own portfolio valuations can make mistakes or intentionally understate risk, hide losses or
overstate their own performance (and perhaps compensation due). These potential conflicts of interest make it crucial to ensure independent oversight for all major activities and separation of the front office (e.g.
portfolio management, manager selection, trading, investment research), the middle office (performance and risk measurement, compliance, legal, risk oversight, controllers) and the back office (accounting,
administration, operations).
For example, position reports should be monitored by individuals outside the trading group who do not report directly or indirectly to the head of trading. The position reports
should verify that investments are as reported by managers, that ownership is properly documented, cash balances reconciled and exceptions reported and acted upon (Risk Standard 9).
Where possible, an
independent internal group or individual should perform oversight. Small institutional investors or Managers without a separate risk oversight function should use random audits and develop other internal checks and
balances to make the best use of limited resources. The Primary Fiduciary should supervise its Managers closely in these circumstances. Auditors or independent third parties may also be used. Functions checked
independently should include such items as:
- Oversight of investment activity (Risk Standards 17 and 18)
- Limits, monitoring, exception reports and action plans relating to exception reports (Risk Standards 8 and 9)
- Valuations and pricing methodologies (Risk Standards 10 and 19)
- Stress tests and back tests (Risk Standards 14 and 15)
The Primary and Manager Fiduciaries should verify that Managers conduct independent risk oversight of their employees and
activities. Further, the individual or unit of an institutional investor that selects external managers should not be charged solely with overseeing them.
Each organization should prepare a written plan that
contains cost and time estimates of the systems, personnel, training and data necessary for risk oversight (Risk Standard 6).

Risk Standard 4: Clearly defined organizational structure and key roles
Organizational structure and reporting lines should be defined clearly and
distributed to all parties. Key personnel and their roles in all front, middle and back office areas should be identified. Changes in key personnel should be communicated immediately to all relevant parties.

To avoid confusion or misunderstandings, the Primary Fiduciary, Managers and subcontractors (such as custodians) should delineate
clearly responsibility and accountability for all functions, including risk measurement, risk management and oversight. Organizational and functional charts that address both line responsibility and oversight
responsibility should be compared to reveal areas where there may be a conflict of interest, inadequate checks and balances, lack of assigned responsibility or unofficial authority (Risk Standards 1 and 3).
Functional charts should specify who is authorized to do what, and who is not. For example, a functional chart should specify the individuals authorized to trade and those authorized to clear trades and might
explicitly forbid traders to clear trades. An organizational chart should specify the reporting lines for internal audit and other checks and balances to ensure oversight exists for each function and is independent
of the area overseen.
Functional charts should be used also to identify all individuals who are vital to the functioning of an organization. For an institutional investor, the loss of a sole Manager with
particular investment or risk management skills might force the sudden, and perhaps unskilled, liquidation of that portfolio. Senior managers are not the only key personnel in an organization. For example, chaos
might follow the abrupt resignation of the only person responsible for maintenance and troubleshooting of software or systems. Risk policies should include specific provisions for immediate notification of the loss
or change in any key personnel. The Fiduciary and its subcontractors should document their succession plans for key personnel and train backups.

Risk Standard 5: Consistent application of risk policies
The Primary Fiduciary's risk policies should apply both to internal and external managers
and should be consistent across similar asset classes and strategies.

Because internal managers can pose the same risks as their external peers, culture and proximity are unreliable restraints.
Therefore, all Managers should be subject to consistent investment management agreements, written objectives and guidelines (Risk Standard 2). Note that these may vary by asset class or strategy, but policies and
performance evaluation should be consistent across the same peer group universe.
Each time the Primary Fiduciary establishes a new portfolio or moves a portfolio, it should provide a copy of its current risk
policies to the Manager. A separate document should describe how the risk policies apply to that Manager. If a Manager runs several portfolios for a given client, separate policies should govern each.

Risk Standard 6: Adequate education, systems and resources, back-up and disaster recovery plans
The Primary and Manager Fiduciaries should ensure
that adequate education, systems and resources are available to implement and administer their risk policies. They should also establish and test back-up procedures and disaster recovery plans.

Successful implementation of these Risk Standards requires a knowledgeable and responsible fiduciary and well-trained and capable
professionals in the front, middle and back office (including adequate systems for position-keeping, processing, settlement, compliance monitoring and reporting). Sufficient funds must be allocated for necessary
resources in the systems, personnel and risk oversight areas. All relevant employees (both new and existing) should receive copies of the risk policies and should confirm in writing that they have read and
understood them. Employees should promptly receive copies of updates or changes and should sign re-confirmations at least annually.
Back-up and recovery plans are crucial, as physical disasters such as the
World Trade Center bombing, the Chicago flood, California earthquakes and hurricanes in the Southeastern U.S. made clear. Financial interruptions such as market trading halts or technological disasters such as
systems, communications and power failures or software viruses also have proven the need for back-up and disaster recovery plans.
A disaster plan should include access to duplicate records of investment
inventory, legal title to positions, master counterparty agreements, authorities and scheduled cash inflows and payments. It should prepare the organization to resume operations offsite in a reasonable amount of
time if the primary location shuts down and should include access to contingency financing in case of a liquidity crisis.
Back-up and disaster recovery plans are necessary for the Primary and Manager
Fiduciaries, custodians and other subcontractors. Each should conduct trial runs to test the adequacy of its plans as well as the plans of those on whom they rely, whether these are to be implemented by trained
internal staff or outsourced to a specialty firm.

Risk Standard 7: Identification and understanding of key risks
Risks should be analyzed to determine relevancy. This entails understanding strategies
and their vulnerabilities, as well as assumptions built into an instrument, system, process, model or strategy. Key risks should be reviewed periodically as well as when significant events occur.

Risk comes in many forms including market (e.g. price deterioration), credit (default), legal (a contract deemed invalid),
operational (systems failure), suitability (sale of inappropriate instruments to a municipal cash pool), asset/liability (mismatch), personnel (loss of a key person), internal liquidity (unexpectedly large demand
for cash that forces a fire-sale), market liquidity (wide bid/ask spreads) and dozens of others. The Primary and Manager Fiduciaries should determine which risks are relevant to a given portfolio, strategy or
instrument by asking such questions as:
- What events, even if unlikely, could cause a large change in market value or risk?
- How likely are such events to occur?
- What risks offset each other? By how much?
- How likely is it that these risks will offset each other as expected?
- What could go wrong and result in losing more money than is acceptable or increasing risk too much?
- What assumptions are built into a model or strategy? Do they make sense?
- How reliable are the models on which your risk analysis is based?
- How different are the results from other available models?
Identification of relevant risks prevents draining scarce resources on monitoring risks that are not relevant (foreign currency risk
in a domestic portfolio) or are extremely improbable (obliteration of a well-established market such as the U.S. equity market). Analyses should distinguish between prohibited risks (currency risk in a domestic bond
portfolio), required risks for a strategy or instrument (beta in an equity portfolio), desired risks (credit exposure of a particular name or yield curve risk in a bond portfolio) and those that are subject to
established limits (concentration risk).
In order to facilitate the understanding and identification of relevant risks, the Primary and Manager Fiduciaries should clarify what type of risk disclosures they
expect from all Managers, subcontractors, counterparties and broker-dealers.
Institutional investors and Managers should re-analyze their risks on a scheduled basis and whenever significant change occurs.
Key risks may vary over time due to changes in portfolio composition as well as paradigm changes in markets and economies. For example, the impact of the Mexican peso's collapse on other Latin American markets and
even some markets in Asia forced investors to recognize the risk of temporary linkage between falling markets. Parliament's decision that the municipalities of Hammersmith and Fulham were not authorized to enter
into certain over-the-counter transactions triggered a review of trade authorization risk throughout the derivatives markets. Other significant changes in portfolio behavior, market practice or models should trigger
a re-examination of the key risks in a portfolio.
When hiring or reviewing a Manager, investors should consider both the individual Manager's risks and how those risks fit within the context of the
investor's aggregate portfolio of Managers. Exposures to instruments, strategies and individual Managers should be analyzed to ensure they are within limits. A new Manager that trades actively, for example, might
increase total trading activity within the aggregate portfolio to a level that the investor or its custodian cannot adequately monitor. On the other hand, a Manager who takes a contrarian, fundamental approach to
buying U.S. value stocks may diversify the risk from several managers who trade on momentum.

Risk Standard 8: Setting risk limits
Risk limits should be set for the aggregate portfolio and all individual portfolios. These may include limits
on asset classes, individual instruments and specific types of risk.

The Primary and Manager Fiduciaries should establish limits at the instrument, aggregate and individual portfolio level for all
relevant risks (Risk Standard 7). Examples of such limits include credit and market risks, net exposure (the combination of long and short positions), tracking error relative to a benchmark (for the individual and
the aggregate portfolio), duration risk relative to a benchmark (for a bond portfolio), industry concentration (for an equity or corporate bond portfolio) or the percentage of a portfolio that is "non-readily
priced," illiquid or dependent upon theoretical models (Risk Standard 10).
Often, risk limits are expressed in notional terms. For example, "10% of the dollar value of a U.S. bond portfolio may be
invested in international bonds." Other limits are expressed through measures of risk such as duration, tracking error or value-at-risk (e.g. "10% of the value at risk can be invested in bonds") (Risk
Standard 12). Risk limits should be meaningful in the context of the current portfolio and market environment and not solely based on history.
Risk limits, of course, may at times reduce expected returns. The
Fiduciary should examine this risk/return tradeoff.

Risk Standard 9: Routine reporting, exception reporting and escalation procedures
The Primary and Manager Fiduciaries should specify what
positions, risks and other information must be reported and to whom. This policy also should define what constitutes required reporting or an exception to guidelines, to whom the exception should be reported, what
action must be taken for different levels of violation and what procedures must be followed for ongoing or increased violations.

After identifying relevant risks (Risk Standard 7), the Primary and Manager Fiduciaries should specify what positions, risks and
other information should be reported, how often and to whom.
An important lesson from the past is that extraordinary performance can lull investors into a false sense of security. Many U.S. bond investors
realized the risk implicit in bull market securities after the bond market crashed in 1994; many emerging markets investors awoke to the event risk in some markets after the Mexican peso crashed in late 1994.
Similarly, firms and investors questioned the extraordinary performance of rogue traders only after it was too late. It is important to be as suspicious of unexpected outperformance as of underperformance. Both
may indicate mispriced, unintended or misunderstood risks.
Key to effective risk control is an early warning system for problems and violations. It is crucial to rely on established reports and procedures,
rather than culture or single individuals to sound the alarm. Both the Primary and Manager Fiduciaries should decide in advance which risk policies, guidelines or limits, if violated, require exception reports, who
is responsible for monitoring and reporting exceptions and to whom they must be reported. Exception policies should also include what corrective actions, if any, should take place and within what time-frame, who
will monitor the corrective actions and who is authorized to make exceptions to the exception policy.
A typical escalation procedure requires progressively more senior staff to be notified of exceptions which
go unaddressed or exceptions which increase.
Oversight of the exception reporting and response process should be performed by individuals independent of those who are directly responsible for monitoring and
reporting exceptions. If that is impossible, adequate checks and balances should be established (Risk Standard 3). The Primary and Manager Fiduciaries should ensure that all Managers are subject to consistent
reporting, exception reporting and escalation procedure requirements (Risk Standard 5).