Risk Management and Control Guidance for Securities Firms and their Supervisors

RISK MANAGEMENT AND CONTROL GUIDANCEFORSECURITIES FIRMS AND THEIR SUPERVISORSA Report by the Technical Committeeof theInternational Organization of Securities CommissionsMay 1998 TABLE OF CONTENTSI.Introduction.................................................................................. 1II.The Role of Risk Management and Controls............................ 4III. Firm and Supervisory Considerations ...................................... 8IV. Elements of a Risk Management and Control System........... 13Appendix ASignificant Risk Management and Control Papers................ 19Appendix BRisk Management and Control Self-Assessment Grid .......... 27 -1-I. IntroductionThis paper provides guidance about controls to securities firms and their supervisors. Theprimary concern of the paper is guidance relating to risk management and control policies andprocedures and internal control systems. The objective of this paper is to promote domestic andinternational risk management and control structure awareness for firms and regulators. Thepaper’s recommendations are intended to be flexible and non-exclusive, allowing eachjurisdiction and firm to implement appropriate policies and procedures. In addition,implementation of the papers’ recommendations should be appropriate for the size, complexityand nature of a firms’ business and the markets in which it operates. The paper is based on thepremise that, although risk management and controls are an integral part of a well run securitiesfirm and the industry as a whole, they are not a substitute for adequate capital requirements.While much has been published on controls from a firm’s perspective, this paper addressescontrols from a supervisory perspective.The term “controls” as used in this paper refers to basic internal accounting controls and riskmanagement policies and procedures. Basic internal accounting controls refer to systems whichare designed to provide reasonable assurance that transactions are properly recorded and verified including appropriate segregation of duties. Risk management and control systems refer tosystems to manage market risk, credit risk, legal risk, operational risk, and liquidity risk.1The nature and scope of risk management and controls by necessity must fit the organization theyare going to protect which means they can not be dictated in much detail from without, but mustbe designed from within to meet the needs of the organizational structure as well as a firm’sbusiness practices and appetite for risk. Irrespective of design and implementation, controls canprovide only reasonable assurance with respect to fulfilling a firm’s control objectives.The twelve “Elements of a Risk Management and Control System” discussed in Section IVconstitute the control guidance for firms and supervisors. They are intended to be benchmarkswhich can be used by firms and supervisors in each jurisdiction to measure the adequacy of theircontrol systems. The elements are grouped under five categories which are considered to becritical elements of any control system:The Control Environment1. Firms need to establish a mechanism to ensure that they have internal accountingcontrols and risk management controls. Supervisors need to establish a mechanismto ensure that the entities they regulate have internal accounting controls and risk1These controls refer to the structure of the control environment, the nature and scope of risk management andinternal controls, implementation, verification, and reporting taken as a whole. It is a framework by whichmanagement of a firm can independently monitor and verify the activities of its revenue producing and supportoperations. -2-management controls. The supervisory mechanism need not prescribe specific anddetailed controls, but rather provide general guidance to firms.2. Firms and supervisors need to determine that controls are set and monitored at thesenior management level at a firm; responsibility for monitoring controls is clearlydefined; and senior management promotes a culture of controls at all levels within afirm.Nature and Scope of Controls3. Firm guidance and guidance from supervisors should cover both internalaccounting controls and risk management and controls.4. Internal accounting controls for firms should include books and recordsrequirements and segregation of duties controls that are designed to safeguardassets of the entity and to safeguard customer property.5. Risk management and controls for firms should include controls for overall firmand individual trading desk limits, market risk, credit risk, legal risk, operationalrisk, and liquidity risk.Implementation6. Firm guidance