November 15, 2007
Many of the graphics provided by the consultant in this report do not work in HTML, and in some cases they actually distort the document. It is highly recommended that the PDF version provided here be used for both viewing and printing.
The French-language version of this document is posted as provided by the contractor, and may contain graphs and charts that have not been translated from the English.
The Department of Finance and Bank of Canada recently updated their frameworks and processes regarding financial risk management of the government’s debt and liquid assets including foreign exchange reserves, and have therefore requested this review to assess current status.
This report finds that, given the current complexity of portfolios, policies and tasks, the majority of risk frameworks and processes within Finance and the Bank are appropriate. Many of the recommendations presented in this report therefore fall in two categories:
Four specific recommendations for immediate change are:
The Department of Finance ("Finance") and Bank of Canada ("Bank") recently updated their frameworks and processes regarding risk management of the government’s debt and liquid assets including foreign exchange reserves. An external evaluation has therefore been requested to examine the current status of the risk management environment at Finance and the Bank.
Officials from Finance and the Bank have requested that the evaluation:
The most important source of information used in creating this report was:
Additional information was obtained from:
Given that Canada is among the very few countries that seek to fully hedge elements of its market risk exposure, and given that a government has different objectives and duties than a private sector institution, there are not many published reports, articles or books directly and specifically targeted to this particular investigation. However, there are some sources of information regarding industry best practices in general (for both private institutions and central banks) that were consulted in preparing this report, including:
Following industry practice, the view and consideration of "risk" in this report has been focused along several traditional dimensions:
This report is organized along a discussion of Risk Classes, with consideration and reference to the other views of risk undertaken within the risk classes. In many organizations the potentially most damaging risks come from Operational Risk. In this report we will therefore deal with Operational Risk last and in most detail, once matters related to Market Risk and Credit Risk have been discussed. Specific recommendations are presented after all the analysis and discussion, at the very end of this document.
The assets and liabilities being managed by Finance and the Bank are ultimately the property of the Government of Canada ("Government"). Finance is the Government’s ministry charged with such management. However, given that the Bank carries out many related operational activities as agent, it makes sense for the Bank to also have operational responsibility for much of the risk management function.
The "risk function" includes a wide range of activities and people in essentially all parts of Finance and the Bank and thus when the term "risk function" is used in this report it is intended to imply the widest possible meaning. For example, some risk issues arise and can be addressed in the "front office", which is traditionally described as the location where securities trading occurs (i.e., within the Bank’s Financial Markets Department) and in the "back-office" (i.e., within the Bank’s Financial Services Department). Other personnel at Finance and the Bank involved in funds management, as well as all the systems, infrastructure and support personnel, also have their roles to play in risk management. The core focus of what is traditionally termed "risk management" occurs within the "middle office", which in this instance is the Financial Risk Office ("FRO") within the Bank.
"Market Risk" includes risks stemming from the movement in market price factors, including interest rates and exchange rates, and from the functioning of financial markets, including the risk of illiquidity in certain markets and instruments.
The Receiver General account does not face much market risk because the securities in the portfolio have extremely short maturity (typically deposits maturing overnight or within a few days) and thus their values are impacted very little by movements in market price factors such as interest rates. This portfolio’s extremely short maturity also implies very little liquidity risk – securities normally mature so quickly that the desire to liquidate before maturity has not been a significant issue to date. Market risk issues in the Receiver General account are therefore minimal.
There is some degree of market risk, from both a price volatility and liquidity standpoint, in the Government’s Exchange Fund Account ("EFA" –which is the main repository for the Government’s official international reserves) and will therefore be discussed in detail here. Before discussing, however, it is worth first noting that the Canadian Government has what is now an almost unique EFA market risk policy compared to the rest of the world.
Canada, broadly, seeks to "fully hedge" its exposure to exchange rate movements, so that as values of various currencies fluctuate the net value of the assets/liabilities in the EFA remains essentially constant (i.e., constant within some small band of net exposure). This is contrasted with the practice in many countries, including the United States, of leaving itself exposed to exchange rate movements. Countries such as Great Britain and Portugal lie somewhere in the middle, hedging some but not all of their exchange rate exposure. Up until the summer of 2007 New Zealand fully hedged, but has recently moved away from having this as a requirement and now New Zealand has scope to leave itself partly exposed to exchange rate movements.
It is beyond the scope of this report to analyze the pros/cons and effects of, or make recommendations regarding, Canada’s hedging policy. However, it is worth noting that the "fully hedged" policy does have implications for risk management, and worth commenting in particular on how market conditions impact achievement of the policy. In this regard it is interesting to note that, even during the market turmoil of summer 2007, in Canada the EFA assets/liabilities remained closely matched on a currency and duration gap basis; Value at Risk numbers did rise, but that was more due to an increase in general market volatility and changes in correlations than to specific issues in the portfolio. The significance of this is discussed more fully below.
The first step in addressing market price-risk is to identify the array of market factors, Z, which could potentially impact the market value of one’s portfolio. Candidate factors include interest rates, exchange rates, etc., which may themselves be driven by underlying elements such as monetary and fiscal policies and economic performance of Canada and other countries, wars, natural disasters, and so forth.
Next, one attempts to measure market risk by asking questions such as: "if underlying factor z changed by a certain amount, thereby causing market prices to change by x%, how much would the value of my portfolio change?" and "what is the amount I might expect to lose in the x% worst-case scenario in the next y days, given my exposure to the z factors?"
Third, one attempts to construct hedges and otherwise manage the assets and liabilities in the portfolio in such a manner as to achieve the desired level of risk exposure. Measures such as Value at Risk (VaR) are useful guides in this regard, as are the results of historical "prescribed scenario" simulation, so-called "greek" sensitivities, currency and duration gaps, and other statistical measures.
Such market risk measures are and should be calculated and reported at regular frequent intervals (e.g., daily) to those responsible for risk monitoring (e.g., leadership within the middle office). Summary reports of such risk measures are and should also be presented to governing bodies (e.g., risk committees) at appropriate intervals (e.g., monthly) with special interim reports issued when appropriate including when "risk tolerance limits" are breached. Of course, the effectiveness of such risk statistics in providing appropriate trigger warnings and risk management targets are based in part on the limits set by the oversight committees. Risk limits should be set at appropriate levels to provide meaningful warnings; i.e., not so high that dangerous events or exposures slip under the wire, but not so low that alarms are triggered for unimportant risks.
The Financial Risk Office ("FRO") at the Bank, which performs the "middle office" function for the Bank and Finance, currently:
These procedures are in keeping with sound risk management best practices and should be continued.
There are two areas for improvement, however:
It should be noted that the EFA portfolio managed by the Bank of Canada (and portfolios managed by other central banks interviewed for this report) do not generally contain instruments with highly non-linear payoffs, such as financial options or complex swaps, because these instruments are not currently considered necessary to manage the risks they face. This makes the Government different from many private-sector institutions, such as hedge funds and global commercial and investment banks, which do tend to hold a variety of complex and exotic financial instruments.
Since the EFA portfolio is less complex, FRO can afford to use less complex valuation and risk measurement models and procedures than are employed by some private sector banks and hedge funds. However, if this changes in the future (e.g., option contracts or complex swaps enter the portfolio) then the government would face increased "Model Risk", at which point more advanced risk measurement models and methods may need to be employed.
It should also be noted that all the market securities currently traded by the EFA’s portfolio managers are simple enough that they can be captured and valued in the Bank’s risk software. If at some future time securities are traded that are too complex to be included in the automated risk measures, then the government would face an additional risk (sometimes called "Spreadsheet Risk") of these more complex securities being dealt with in separate spreadsheets, or other specialized systems, and not being appropriately handled in the general IT systems and calculations.
Given the foregoing:
Another class of market risk to consider is Liquidity Risk; i.e., the risk that certain assets cannot be liquidated (sold/repoed) in a timely fashion without suffering an unacceptably large discount or market impact.
Measuring liquidity risk is a challenge, as is defining a clear limit or set of limits for such risk (e.g., one would need definitions for "timely fashion" and for "unacceptably large" in the preceding paragraph). Although the Bank has work underway in this area, at the moment the Bank (and indeed many institutions) does not currently measure such risk directly (e.g., it does not produce a statistic that directly estimates how much the value of its portfolio would drop if it tried to sell all the assets within one day, or that states how long it would take to sell all its assets under the constraint that it could not sell so fast as to swamp the other side of the market). Rather, the Bank monitors how much of its portfolio is in each class of instrument and with each counterparty and time to maturity and then infers the implications for liquidity, and also conducts stress tests within their "days of liquidity framework" in an effort to assess the ability of the portfolio to meet financial commitments as they fall due. In addition, there are some hard limits in place to preserve liquidity; e.g., a limit on the minimum holdings of U.S. Treasuries.
This approach to liquidity risk has been sufficient thus far, and the stress tests in particular are a helpful and appropriate development. Furthermore, the Bank is currently working on new and improved methods for measuring, reporting and managing liquidity risk:
As the term is used in this report, "Credit Risk" includes the risk that the counterparty in a financial instrument will not meet their obligations to pay and/or that the value of the instrument will change as a result of the counterparty’s perceived default risk changing. One might also include certain legal risks in this category, since such risks may impact the counterparty’s payment or not of financial obligations and/or the ability to access collateral in the event of failure to pay.
The Bank and Finance seek to manage credit risk in several ways. In the EFA portfolio the Government buys the most senior obligations issued by highly rated counterparties, which is in many cases other sovereigns and government agencies. Such counterparties have a small probability of default relative to many potential counterparties. Furthermore, securities issued by such counterparties are less subject to the price effects of a "credit crunch", such as that which gripped financial markets during the summer of 2007. In other words, as observed during the summer of 2007, when credit gets extremely tight and prices for a wide range of commercial instruments fall (yields rise), values of instruments issued by very highly rated sovereigns do not tend to be impacted as much and indeed in some cases may rise. This is one reason that the Government’s own portfolios were much less impacted by recent credit conditions than were the portfolio of many private investors who typically hold a much wider range of securities from a credit perspective.
The Government does enter into long-term swap agreements with less safe commercial counterparties (e.g., highly-rated banks which, although still very credit-worthy, are nevertheless usually considered less safe than sovereigns such as the US Treasury). However, these swaps are collateralized and thus even this risk is mitigated to a large degree.
In the Receiver General ("RG") account credit risk is small, but not as small as the market risk the RG account faces, and therefore warrants discussion.
Some portion of the RG funds placed during the morning auction are backed by collateral, while the afternoon auction is not collateral-backed. Still, the counterparties involved are highly rated and diverse. Such diversity helps to reduce Concentration Risk (i.e., the risk of having "too many eggs in one basket", which includes the risk of having too much with one counterparty and the risk that several counterparties might move together). It is important to continue monitoring and managing Concentration Risk as part of the Credit Risk function.
It has been suggested in a recent external review commissioned by Finance, that the Government could increase expected profit from its portfolio management activities (particularly in the RG account) if it expanded the suite of permitted counterparties and relaxed the collateral requirement. This is not surprising to the extent that relaxing collateral requirements and relaxing counterparty creditworthiness requirements (if that is what happens when the suite of counterparties is expanded) entails taking on greater risk, and thus probably earning greater expected return. Perhaps such a move out the risk-return curve (increasing both risk and expected return) is desirable, but perhaps not. It is beyond the scope of this report to analyze the pros/cons and effects of, or make recommendations regarding, this topic (although such an investigation could be interesting). However, from a risk management perspective it is worth noting that changing policies regarding counterparties and/or collateral would have important risk management implications and thus should be studied carefully before any changes are made.
In both the EFA and RG account, it is important to set and periodically refactor appropriate specific credit risk limits (e.g., counterparty limits, etc.) and to ensure that CreditVaR and other calculations are being performed appropriately and reported in the most effective manner possible. For example, it’s important to monitor and use appropriate stress tests for the credit risk models and decisions – the Bank in particular has some good research and foundational work so far in this regard; continued vigilance is important.
"Operational Risk" includes all types of risk not covered by market or credit risk. Given the particular operations of Finance and the Bank, and the portfolios they manage, this includes risks such as:
This is one area of risk management where, even in the very best organizations, improvements can almost always be made.
One area of operational risk involves the use of IT systems and other infrastructure by those involved in risk-related activities. Here it is important to ensure that disasters which may render existing buildings or equipment unusable are accounted for and that IT systems are secure and well functioning. To this end the Bank has had the ability to run risk operations from a different building than the main Bank office. The alternate location is regularly tested under simulated and actual situations (e.g., it was used successfully during the Ontario power failure in 2003) and has been recently upgraded to provide real-time mirroring of the main trade capture/risk monitoring system. Finance does not have a disaster recovery plan as advanced as the Bank, but Finance may not need one given that Finance is less involved than the Bank in the daily hands-on front-, middle- and back-office functions. However, this should be monitored and upgraded as appropriate.
From interviewing members of the Bank’s risk-related IT team, it appears that the team is confident in the security of their IT systems and processes, and confident that current systems can handle the workload and type of work required. For example, any changes to the IT systems go through multiple rounds of analysis/testing and layers of approval, which serves to help reduce the chance of error or misbehavior.
The current software package used for much of the risk function permits a degree of Straight-Through Processing (STP) and draws on a single general database, thereby helping to minimize the potential for human-intervention errors or for incorrect duplication of data information. However, here again continued vigilance can pay dividends even for what currently appears to be a well functioning set of systems, processes and teams.
One significant area of risk that many firms face (not just Finance and the Bank) involves the potentially negative impact of various human factors.
Employee turnover or absenteeism is one such risk. Employees can choose to move to other jobs, suffer unexpected illnesses or accidents, or experience other events that keep them away from work and thus create holes in the ability of organizations to perform certain tasks in a timely and competent fashion. It is therefore important to have clear plans for covering short-term gaps in the team and for longer-term employee succession.
The Bank appears to have such plans and supporting artifacts (e.g., user manuals, task documentation, etc.) in place. For example, information provided suggests that appropriate cross-training programs are in place at the Bank. The Bank also has written documentation that describes important tasks to be performed so that a person could step into a new position and have some ability to know what needs to be done and how to do it. Furthermore, there appears to be appropriate succession planning within the Bank. This suggests that the current level of plans and artifacts may be appropriate at the Bank. However, this is another area where continued vigilance is warranted for the future.
Finance also has some degree of job coverage/succession plans and artifacts, but at a lower level of completeness than the Bank. This is partly because Finance has a relatively small staff involved in risk-related activities. A downside of its relatively small team is that Finance can on occasion face challenges backfilling for missing personnel. The Finance Department also appears to have fewer artifacts in place that document in detail risk duties. It may be appropriate for Finance to have a lower level of preparedness than the Bank given that the Bank, not the Finance Department, is primarily engaged in the day-to-day operational execution of risk management tasks. However, best-practices suggest that some increase in transition planning and supporting artifacts would be advisable for Finance in the future.
Another area to consider is the risk associated with the significant level of skill required to perform many of the key risk-related tasks broadly defined, across many areas within the Bank and Finance. This includes not only the duties of the front office and Financial Risk Office, but also risk-related duties performed by a wide range of other individuals and teams in Finance and the Bank, from planning to infrastructure, auditing and oversight, to name but a few.
Staff interviewed from Finance and the Bank generally seem to feel that the personnel involved possess the training and skills appropriate for the current level of complexity in the portfolios and risk tasks; this does indeed seem to be the case based on the personal interviews and conversations undertaken in preparing this report. However, given the rapid pace at which the risk industry, risk technology and risk best practices are progressing, it is prudent to ensure that risk-related personnel continue to receive appropriate training so that they can remain appropriately skilled as time progresses, and to increase training and required skill levels as the portfolios and/or tasks become more complex.
It is important to maintain an ability to detect and hopefully prevent any form of human misbehavior especially where billions of dollars are potentially involved. This includes intentional misbehavior, such as fraud, as well as unintentional misbehavior including errors or omissions.
There have been well publicized examples of individuals in certain private sector institutions feeling pressure to downplay risk concerns in search of higher trading profits, or even attempting to circumvent the risk management process and/or engage in unethical business behavior to personally profit from engaging in speculative trading activity or even outright fraud. This risk seems to be less at Finance and the Bank than one might assume in some private sector financial institutions in part because personnel involved in the securities trading function at the Bank are not compensated based on profits generated and thus face less temptation or pressure to hide trades or engage in other intentional misbehavior.
The risk of unintentional misbehavior can be lessened by the use of automated systems and processes to the extent that this reduces the risk of key-entry errors and other mistakes. Here too the Bank seems to have something of an advantage given its IT systems and comparatively simple trading strategies.
Continued oversight, audits, robust security measures, and a general culture of responsibility and risk sensitivity all have important roles to play in reducing risk. Finance and the Bank both seem to have measures in place to help mitigate such risk, but here again continued vigilance is essential.
|Image file not available
Please refer to PDF version
Industry best practices dictate that "transparency", "independence" and "diligence" are three keys to effective risk management, and all come into play in the fourth step of risk management – "monitoring". Figure 1, on the previous page, depicts the risk organizational structure employed by the Bank and Finance.
The most senior managers at the top of organizations (as well as other appropriate key stakeholders) need to be able to see into the workings of their organizations transparently so that risk processes and practices can be overseen and risk problems discovered and mitigated in a timely fashion and appropriate policies instituted. To promote transparency, senior oversight bodies receive regular risk reports and are ideally active and informed.
Similarly, those engaged hands-on in the risk function within an organization need the independence to identify, measure and manage risk, and report results and issues up the line, without fear of persuasion or pressure to deviate from their duties (this point is discussed in detail below).
To help promote independence, private sector firms often give the middle office risk management team considerable autonomy, including separate lines of reporting and their own separate budget, and undertake other measures to help ensure that the risk group does not feel pressure from other parts of the organization, or indeed have the potential themselves, to sway from sound risk management practices.
The goal of "independence" is achieved well within the framework created by Finance and the Bank, especially in terms of the primary "middle office" function served by FRO. For one, FRO is not only separate from Finance, it is also given considerable autonomy from other parts of the Bank. Overall, the situation in Canada is broadly comparable to other leading central banks/governments, and also to standard industry best practices, regarding independence. In central banks/finance departments in the USA, Great Britain, Portugal and New Zealand the "middle office" enjoys significant autonomy. In some cases the middle office, through a string of managers and committees, ultimately reports up to the same senior manger responsible for front office trading or for back office audit or accounting functions. However, in all cases this reporting line preserves significant risk autonomy.
Best-practice in private sector organizations is for the risk function to report entirely separately from the front or back office, often up to a "chief risk officer" who is in some cases a vice-chair of the board of directors, enjoying significant independence from even the CEO. This sometimes creates a degree of friction between the front and middle office (and since the middle office is usually much smaller than the front office also potentially some reduction in flexibility for re-assigning resources and tasks). However, such friction is often healthy, in part because it can serve to highlight and give awareness to risk issues and can even potentially identify practices that can be modified to help the front office without detracting from the risk function. Thus:
Another way to foster independence and provide added assurance in oversight, and also gain access to a ready and ongoing source of information concerning ongoing developments in risk management best practices and issues, is for the Bank and Finance to add an "outside" advisor to its oversight committee(s). For example, it would be advisable to consider adding an outside member to the Risk Committee. The Risk Committee may be a good choice of committee on which to add an outsider because the Risk Committee is advisory in nature and not directly responsible for approving policies. Thus, the outside advisor would not infringe on any of the decision-making responsibility or power of Finance or the Bank, but could still provide significant value to the risk management process.
Choice of an appropriate outside advisor would be key. The individual should have appropriate expertise in risk management and not have any perceived or actual conflicts of interest or duty especially since confidential information would be discussed. This last requirement likely rules out many potential candidates from the private business sector (e.g., a risk manager from a commercial bank), unless that person was retired and no longer involved with financial management or with the banks including as a consultant. However, candidates from other sectors may prove promising.
Other ways to gain this outside expertise and view would be to commission frequent reports and reviews such as this one, bring in consultants on a more regular basis to perhaps advise on smaller ad hoc issues, etc.; such an approach would likely yield lower, although still positive, returns in terms of value-add, but might also be less of a challenge than appointing an outsider to the Risk Committee.
Another operational risk consideration is the purview of the risk function – what types of risk are those involved in risk management empowered to assess and manage. Here there are two issues.
First is the issue of holistic Enterprise Risk. Finance and the Bank have determined that the EFA and RG account should be managed separately. However, in some cases the same counterparties are involved from at least a credit perspective. For example, EFA may hold a swap with a certain commercial bank and also have funds on deposit with that same bank through its other portfolios including the RG account. The Government’s total credit risk exposure to that counterparty is therefore the sum of all portfolio exposures. It may therefore be beneficial to measure the total exposure to each counterparty (considering collateral and netting) at least at some level. Of course the cost of computing such a combined exposure may outweigh the benefits, especially given collateralization in the EFA swaps, but at least this issue should be considered.
A second issue involves Crown Corporations. The Government is ultimately responsible for the Crowns, and is even planning to move to a regime wherein the Government raises funds on behalf of many of the Crowns. If one or more of the Crowns became insolvent, the Government would likely be called upon to backstop the situation. Crowns are outside the scope of this report so no comments will be made regarding specific Crown Corporations or their individual risk practices. However, from Finance’s risk-management perspective, it is important for all parties to understand the degree of robustness desired in Crown risk-oversight and to ensure that Finance has the information, power and processes required to deliver this degree of robustness.
Since a risk-management failure at the Crowns could negatively impact the Government as the Crowns’ backer of last resort, a case could be made for a significant degree of robust oversight in which Finance diligently monitors the Crowns and has the ability to see transparently into their organizations from a risk management perspective, and even recommend or perhaps enforce risk standards. An issue is whether Finance has sufficient information and power to perform such robust risk oversight adequately (the question of whether Government policy is, or should be, to require a high or low level of robustness is outside the scope of this report).
Finance and the Bank currently receive a form of risk report from the Crowns, but only receive this information quarterly and the report only contains the most basic type of credit risk information (counterparty exposures) and no information on market risk or operational risk. Best practices suggest that this is not sufficient information to conduct robust risk oversight. To increase robustness, Finance would need to increase the quantity, quality and frequency of the information it receives from Crowns regarding credit, market and operational risk, and engage in more frequent and active risk oversight of the Crowns. This might include Finance approving high-level risk policies for the Crowns and frequently monitoring their risk positions and processes, but the Crowns still handling all day-to-day operational management of their own portfolios.
If it is not possible (or desirable) for Finance to receive the quantity, quality and frequency of information, and have the power it requires, to conduct robust risk oversight, then it should be clearly recognized and communicated to all parties that Finance’s oversight of the Crowns from a risk perspective is not going to be robust so that the expectations of all parties regarding who has what responsibilities is clear. The degree of oversight robustness that Finance is expected to deliver should be commensurate with the level of information and power it receives.
Finally, it is worth noting that there is no obvious reason that the Bank should be involved in risk oversight of Crowns since the Crowns, not the Bank, are responsible for day-to-day operational management of the Crowns’ portfolios (unlike the EFA and RG account, which the Bank does manage operationally and thus it makes sense for the Bank to also be involved in risk-management of these portfolios). Finance could of course engage the Bank to assist in risk-monitoring the Crowns, but Finance could also engage some other agency (such as OSFI) or some outside party to assist, or Finance could do it alone. This would be a policy choice outside the scope of this report, as would the degree of robustness expected from Finance’s oversight of the Crowns. Within the scope of this report, however:
The Department of Finance and Bank of Canada recently updated their frameworks and processes regarding risk management of the Government’s debt and liquid assets including foreign exchange reserves. Upon review it appears that, given the current complexity of portfolios, policies and tasks, the majority of risk frameworks and processes within these organizations are appropriate considering industry best practices and those employed by other comparable international institutions. Many of the suggestions contained this report therefore fall into two categories: elements that should not be changed; and elements to be monitored for possible future change as circumstances, time, risk and the profession evolve. There are only four suggestions for elements to be changed immediately. Specific recommendations are offered below.
One important message of this report is to not change structures, processes and procedures that are working well as identified in this report. For example: