CAIA L2 - 5.5 - Risk Measurement, Risk Management, and Risk Systems Flashcards
Contrast
Risk management
vs
Risk measurement
5.5 - Risk Measurement, Risk Management, and Risk Systems
Risk management
involves making decisions in the process of managing and controlling the risk for the firm related to exposure to uncertainty.
To effectively manage risk, risk measurement must be accurate.
Risk measurement
is the process of gathering, analyzing, and reporting data with appropriate risk models to measure the firm’s risk exposure at all investment levels.
Risk management begins with a proper reporting measurement process.
Describe
5 components
of risk measurement
With the
5 common interrogative terms
What – Where – When – Who – How
(12 types, 3 levels, 5 frequency, , how=models)
What? Identify Dimensions of Risk Within Risk Measurement
* What data is required for collection?
* qualitative risks = quantitative risks (has to meet both)
* due diligence in ongoing investment resembles initial DD
* 12 types of risk for a hedge fund
Where? Risk Measurement at the Investment or Position Level
* Where data is collected?
* industry best practices separate valuation activities in the back office from the investment manager
* 3 levels of pricing matrix
Level 1 assets - most liquid = most confidence on valuation
Level 2 assets - observable data with less frequency
Level 3 assets - illiquid and are based on valuation models of low degrees of confidence
When? Frequency of Data Collection Affects Risk Measurement
* When is the data collected (daily, monthly, quarterly, or annually)?
* Exception reports are generated for senior managers only when risk measures fall outside of predetermined parameters.
How? Relationship Between Risk Aggregation and Systems Development
* How will data for all risk exposures be collected?
* Static measures (excess leverage and prohibited investments) => used for exception reporting.
* Dynamic measures (more uncertainty with future elements) => identifying future risks and changes in risk exposures due to changing asset values and risk budgets. Dynamic risk exposures => mitigated with hedging activities.
* Monte Carlo simulation models (nonlinear risk exposures for alternative)
* Stress testing and scenario analysis
* Spreadsheet-based models (cheaper but raises risks like fraud, data collection, accuracy, cybersecurity, conflict of interest)
* externally provided system
* qualitative risk systems
Who? Risk reporting
* Who are the risk measures collected and reported to?
* Risk reporting provides access to data to individuals and departments responsible for risk management.
List
Data Parameters Collected
and
Reporting Metrics
for each data frequency:
* Daily
* Weekly
* Monthly
* Quarterly
* Annually
Daily
* Prices, returns, positions, volume, benchmark
* Values, risks, performance, exceptions
(Gathering daily data to compute rolling time periods is useful in early detection of risks that are trending)
Weekly
* Aggregate daily data, no additional data needed
* Changes in risk exposures, gross long, gross short and netted exposures
Monthly
* Qualitative risks, position, and manager changes
* Position and manager turnover, exposures, cash flow, qualitative risks (operations, legal, regulatory, and compliance), and illiquidity
(The monthly reports are then used to identify investments or managers that require more in-depth monitoring and are included on a watch list)
Best practices in risk measurement include developing a system for monthly reporting to compute risk statistics that are required quarterly
Quarterly
* Quarterly valuations of Level 3 assets and manager calls
* Summary of manager calls and Level 3 asset valuations
Annually
* Site visits, audits of Level 3 assets, and update references
* Summary report of valuations, performance, manager attribution (+external), and Level 3 positions
(Annual reviews = on-site visit every six months: 1st focusing on business operations 2nd focusing on investment due diligence)
List
12 Examples
of Dimensions of
Risk Reporting
12 types of risks for a hedge fund investment
12 types of risks for a hedge fund investment
- Strategy risks are unique for different types of alternative investment strategies.
- Liquidity risks should be reported for each specific strategy. Liquidity risk is greater for Level 3 types of assets that are unlisted, private, and have no publicly available benchmarks. Liquidity risk is less for transparent investments with an active daily market and public investible benchmarks.
- Concentration risk decreases as the number of investments and diversification increase. The concentration risk report section typically compares long and short position values as a percentage of the total portfolio. In addition, the top 5 to 10 positions are also highlighted.
- Geography-related risk is included in the report, and it distinguishes developed countries with strong rule of law regulatory systems from emerging markets that are riskier due to the less-developed regulatory and financial systems.
- Leverage risk is included in the report, identifying the type and expected amount of leverage that will be used by the investment manager. Leverage risk may reduce returns on a risk-adjusted basis. In addition, default and counterparty risks increase with increased leverage. In a financial crisis, forced selling is a major risk when leverage is employed.
- Transparency in reporting reduces risk if all risks are identified and understood.
- Valuation risk is greater for Type 3 investments that are illiquid and private, such as alternative assets.
- Key person risk is the concern that key talent may leave the fund or the investment management firm. Several ways to mitigate key person risk include
  * not relying on one individual for knowledge, relationships, or investment decisions;
  * purchasing key person insurance;
  * creating extraordinary redemption rights linked to the departure of a key person; and
  * creating a diversified portfolio with other possible alternative investments that can replace current investments.
- Business operations risk involves annual reporting and reviewing all extraordinary risks related to the operations of the investment manager’s business. These risks are identified and monitored during interim periods using key word searches on media outlets.
- Legal, regulatory, and compliance risks should be monitored daily using key word searches, and extraordinary events should be reported through exception reporting as needed and reviewed and reported on an annual basis.
- Other risks include the reporting of all other extraordinary or unique firm-specific risks related to the investments or investment manager, including acquisitions, succession plans, capacity limitations, and conflicts of interest.
- Emerging risks (ESG, AI…) include reporting potential risks related to environmental, social, and governance (ESG), in addition to artificial intelligence and big data risks.
Complete
Both
quantitative and qualitative risk categories
should be considered ____ or ____
(period)
Both
quantitative and qualitative risk categories
should be considered monthly or quarterly
List
5 specific
qualitative categories
in the
due diligence tracking matrix
Due Diligence Tracking Matrix
is designed to track qualitative risk measures for external managers or investments.
- Manager descriptive information - includes key dates related to initial investing, initial approval, regulatory dates, on-site review dates, operation review dates, recent background checks, and details on the underlying investment strategy.
- Key qualitative information related to managers includes performance versus investment mandates, liquidity, key employee turnover, changes in offices and ownership, regulatory registration changes, and changes in assets under management (AUM) with respect to firm capacity.
- Other manager information may be included in reports regarding investment mandate violations, regulatory audits, or pending litigations.
- Watch list is created for managers with performance concerns or under consideration for redemption of investments. The watch list ensures that performance will be tracked for targeted managers until the concern no longer exists and they are then removed from the list.
- Activities log is sometimes added as an appendix to the due diligence tracking matrix to record specific information related to investment and business operations gained during site visits. The chief compliance officer is sometimes required to review and certify qualitative risk measures used for each investment manager.
List
4 cybersecurity prevention actions
for advisors
(SEC)
- (Vast majority of advisers) conducted periodic risk assessments of critical systems to identify cybersecurity threats and consequences of cyber risk.
- (Almost half of the surveyed advisors) conducted penetration tests and vulnerability scans.
- (Almost all advisors) had processes in place for regular system maintenance that included installation of software patches to address cyber concerns.
- (Large majority of advisors) maintained cybersecurity organizational charts that identified cybersecurity responsibilities for employees and departments.
List
3 key concerns
in cybersecurity
identified by SEC
- Vague Policies and procedures - Policies and procedures were not reasonably tailored, as they were too vague or general and did not detail implementation procedures.
- Lax Firm adherence - Firm adherence to policies and procedures was lax, and the policies and procedures were not enforced or reflected in practice.
- System maintenance was inadequate, using outdated operating systems that no longer supported security patches. The inadequate systems were unable to remedy penetration and vulnerability tests in a timely manner.
List
The Directive on Security of
Network and Information Systems (NIS)
(EU)
The NIS directive requires entities that provide essential services, such as banking institutions and financial market infrastructures, to monitor and manage exposure risks, including
- identifying critical systems that contain confidential and sensitive data,
- performing penetration tests and cybersecurity risk assessments,
- training employees on awareness and prevention, and
- creating an incident response plan.
List
Three Models of
Risk Management Structure
Define which is preferred
1. CEO or President = RM (Risk Manager)
2. COO or CFO = RM
3. CIO = RM. Preferred!!
* Pro: Lowers the risk that risk management is given low priority.
* Con: RM less aware of investment positions.
List the 12 Types of risk for a Hedge Fund
- Strategy
- Liquidity
- Concentration
- Geography-related
- Leverage
- Transparency
- Valuation
- Key person
- Business operations
- Legal, regulatory, and compliance
- Other
- Emerging
Describe the different Data Frequency collection parameters
Data Frequency / Data Parameters Collected / Reporting Metrics
Daily
* Prices, returns, positions, volume, benchmark
* Values, risks, performance, exceptions
(Gathering daily data to compute rolling time periods is useful in early detection of risks that are trending)
Daily information is gathered for level 1 assets.
Only moving averages are typically reported daily.
Weekly
* Aggregate daily data, no additional data needed
* Changes in risk exposures, gross long, gross short and netted exposures
Monthly
* Qualitative risks, position, and manager changes
* Position and manager turnover, exposures, cash flow, qualitative risks (operations, legal, regulatory, and compliance), and illiquidity
(The monthly reports are then used to identify investments or managers that require more in-depth monitoring and are included on a watch list)
Quarterly
* Quarterly valuations of Level 3 assets and manager calls
* Summary of manager calls and Level 3 asset valuations
Annually
* Site visits, audits of Level 3 assets, and update references
* Summary report of valuations, performance, manager attribution (+external), and Level 3 positions
(Annual reviews = on-site visit every six months: 1st focusing on business operations 2nd focusing on investment due diligence)
Provide the SEC list of best practices for risk managers to emulate
- Maintain a complete inventory of data, information, and vendors.
- Detail cybersecurity-related instructions.
- Maintain prescriptive processes for testing data integrity and vulnerabilities.
- Establish and enforce controls to access data and systems.
- Provide mandatory employee training.
- Engage senior management.
Provide the cybersecurity regulators in Hong Kong, Singapore, Japan
Hong Kong: Hong Kong Monetary Authority and Securities and Futures Commission
Japan:
- The Basic Act on Cybersecurity
- the Act on the Protection of Personal Information
- the Act on the Prohibition of Unauthorized Computer Access
Singapore: The Cybersecurity Act