NIN 94/12 - Joint Release of IOSCO/BIS Derivatives Papers [NIN - Rescinded]

The British Columbia Securities Commission is publishing two papers, one issued by the Technical Committee of the International Organization of Securities Commissions ("IOSCO") and the other issued by the Basle Committee on Banking Supervision ("BIS"). These papers provide guidance to securities regulators and bank supervisors on sound risk management of derivative activities. The papers set out the views shared by both IOSCO and BIS on the importance of sound risk management for prudential operation of banks and securities firms as well as for promoting stability in the financial system generally. The Commission encourages industry participants to review and consider the guidelines set out in the attached papers.

DATED at Vancouver, British Columbia, on September 21, 1994.

"Douglas M. Hyndman"
Chair

Attachments


OPERATIONAL AND FINANCIAL RISK MANAGEMENT CONTROL MECHANISMS FOR OVER-THE-COUNTER DERIVATIVES ACTIVITIES OF REGULATED SECURITIES FIRMS

INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS

July 1994

Issued by the Technical Committee of the International Organization of Securities Commissions ("IOSCO")

FOREWORD

In this paper, the Technical Committee of IOSCO sets out a framework of management control mechanisms for regulators of securities firms doing over-the-counter (OTC) derivatives business.¹

^{1This paper was prepared by Working Party No. 3 of the Technical Committee of IOSCO. The members of the Working Party are set out in Appendix C.}

The purpose of this paper is to provide guidance to securities regulators as to those management control mechanisms which (as appropriate in the context of each regulator's particular regulatory jurisdiction and approach) they should seek to promote or encourage for use by regulated securities intermediaries. The paper contains a flexible, non-exclusive approach to management controls intended to cooperatively reinforce regulators' promotion of prudential practices while permitting those practices to continue to evolve.

This paper is being issued at the same time as a similar paper on management controls for derivatives being published by the Basle Committee on Banking Supervision. While the two papers differ in detail, the two Committees share the common objective of promoting sound risk management controls and the papers reflect that securities firms' and banks' derivatives activities give rise to similar risks and risk management concerns.

The papers confirm that both Committees attach great importance to prudential risk management on the part of financial institutions. The Committees expect to continue to consult as market and supervisory practices develop.

PART I BACKGROUND

OTC Derivatives and Risk

1. Derivatives are financial instruments whose values are derived from, and reflect changes in, the prices of the underlying products. They are designed to facilitate the transfer and isolation of risk and may be used for both risk transference and investment purposes. As such, they play a valuable role for users of the marketplace. However, they also may increase risk. In view of the rapid growth of OTC derivatives business, numerous international groups and regulatory agencies have studied the risks arising from over-the-counter ("OTC") derivatives trading.²

^2See Appendix A to this paper for a list of studies of OTC derivatives trading and related documents generated by international groups and regulatory agencies.

These risks include:

Credit risk - the risk that a counterparty will fail to perform an obligation owed to the firm;

Market risk - the risk that movements in prices or values will result in loss for the firm;

Liquidity risk - the risk that a lack of counterparties will leave a firm unable to liquidate or offset a position (or unable to do so at or near the previous market price);

Settlement risk - the risk that a firm will not receive funds or instruments from its counterparty at the expected time;

Operations risk - the risk that a firm will suffer loss as a result of human error or deficiencies in systems or controls;

Legal risk - the risk that a firm will suffer loss as a result of contracts being unenforceable or inadequately documented.

2. Such risks are not unique to OTC derivatives transactions, but are of special concern due to the volume, scope, and variety of OTC transactions, the degree of interrelatedness of participants, the opaqueness and uncertain liquidity of OTC "markets", and the complexity of and potential leverage in such instruments. Although it is possible to unbundle the risks of complex instruments into simpler elements, evolving portfolio and pricing technologies are permitting the engineering of increasingly complex financial instruments which have risk profiles that are more difficult to analyze than simpler, one-dimensional financial products. The financial risks of such complex instruments must be carefully assessed as a weakness at one market participant can have ramifications elsewhere in the system.

Importance of Management Controls

3. It is now generally acknowledged by financial services regulators, financial services providers and corporate users alike, that a key component of a robust framework for the management of the risks attaching to OTC derivatives business is a strong structure of risk management controls within firms active in this business.

4. The Technical Committee recognizes that market forces can provide significant incentives for firms to develop effective operational and financial risk control mechanisms. In order to safeguard their own position, firms may well terminate or restrict activities with market participants as to which there may be doubts as to the adequacy of their management controls. Moreover, a firm's own commercial interests are likely to ensure that it checks that a counterparty (a) has the power to enter into a proposed transaction, (b) is represented by an officer with actual or ostensible authority, (c) is creditworthy, and (d) has access to appropriate payment systems.

5. Nonetheless, market forces may also lead firms to ignore or under-estimate risks, including those arising from known control deficiencies, where commercial pressures create an impetus towards entering into certain transactions, including innovative transactions. Furthermore, even the beneficial effects of market forces on controls are achieved by an evolutionary process and so may not address regulatory concerns sufficiently quickly or generally. The Technical Committee believes that the achievement of adequate operational and financial risk control mechanisms cannot be left solely to the influence of market forces.

6. The Technical Committee accordingly is publishing this paper by way of guidance to securities regulators (including self-regulators), intermediaries, and examiners of intermediaries as to the kinds of controls and operational practices that need to be considered in the development of a strong risk management structure. Although not directed at end-users, this guidance will nonetheless provide a reference point concerning procedures and controls that also may be relevant to effective risk management by end-users. Given the ease with which derivatives cross borders, and the degree to which OTC derivatives business is transnational, the Technical Committee considers that the articulation of this guidance on a transnational basis is particularly appropriate.

7. In developing this guidance in the context of OTC derivatives business, the Technical Committee recognizes that much of the guidance is likely to be of general application to the effective management by a firm of all of its risks. As a consequence, risk management control mechanisms for OTC derivatives should be integrated within a firm's overall risk management framework.

8. The Technical Committee also recognizes that strong management controls are only one element of the management of financial exposures. In particular, they are not a substitute for adequate capital.

9. Part II of this paper identifies a number of specific management control mechanisms. These are non-exclusive. The control structure that should be established, and the practices that should apply, in the case of any particular institution must be appropriate to that institution relative to the scale, the risk profile and the complexity of its OTC derivatives activities. Accordingly, additional or different controls may be of importance in particular situations. The mechanisms are intended to form a framework within which regulators, self-regulators and firms may design, subject to national consultation or otherwise, more specific risk management practices and procedures as necessary and appropriate to address regulatory or managerial needs in a specific context.

10. Therefore, this document takes the form of guidance rather than normative standards. This reflects the view that:

- the structures, size and resources, and the business volume, diversity and complexity, of firms active in OTC derivatives business differ sufficiently that generically specified controls would not be adequately tailored to the environment in which they are likely to operate;

- a prescriptive approach may inadvertently not address significant risk at some firms or cause other firms to waste resources on operating controls which they do not need;

- a prescriptive approach may inadvertently hinder the market development of sophisticated control practices, which are constantly evolving;

- a prescriptive approach may not take adequate account of juridical differences or differences in the allocation of regulatory authority among national regulators;

- a non-prescriptive approach enables regulators to encourage individualized solutions to the desired objectives of management control mechanisms and to balance customer and systemic protection with the need to avoid impeding commercial activity; and

- a non-prescriptive approach, which establishes internationally agreed operational and financial risk management control objectives, may, if widely and publicly adopted by regulators and prominent firms, raise the consciousness of and otherwise influence non-regulated intermediaries and other market participants, as well as unregulated commercial end-users.

11. Although this paper takes the form of guidance, the Technical Committee attaches great importance to the achievement in practice of sound risk management controls. Individual regulators, therefore, need to explore the various means whereby they can promote high standards and the ways in which they can be given confidence that such high standards are in place and are being applied in practice.

12. The Technical Committee recognizes that there are a number of different possible regulatory approaches to the achievement by firms of satisfactory operational and financial control mechanisms. A number of options are briefly discussed in Appendix B. Often, it will be appropriate to use a combination of approaches. Given variations in national regulatory styles and responsibilities, the Technical Committee does not envisage a common regulatory approach to achieving the objectives of the mechanisms. However, the Technical Committee, collectively, does believe that the mechanisms are important elements of an appropriate risk management framework.

13. In developing this guidance, the Technical Committee has been working in parallel with the Basle Committee on Banking Supervision, which also has been developing risk management guidelines for derivatives. The two Committees, while considering it appropriate to examine their own needs in the first instance, have kept informal contact on their respective projects. There are some differences of perspective deriving from differences in the overall supervisory context of banks and non-banks, and some traditional differences of supervisory style and technique. However, it is apparent that both bank and securities supervisors believe that strong management controls are an essential element of managing OTC derivatives risk.

PART II RISK MANAGEMENT CONTROL MECHANISMS

1. Framework of Risk Management

The framework of risk management policies and procedures and management controls overseen by the board of directors or equivalent management body of the firm should specifically cover derivatives activity, clearly establish responsibility for its implementation, and provide for accurate, informative and timely reporting to management. This framework should be communicated to all concerned and should be reviewed as business and market circumstances change.

The firm's board of directors or other equivalent body should establish and communicate risk management policies and procedures for OTC derivatives activities that are integrated with the firm's overall management policies. Such policies and procedures should address the measurement of market risk and credit risk including aggregate exposures against risk tolerance objectives (position limits or capital at risk); acceptability criteria for counterparties, strategies and products (hedging, covered writing, risk management, position taking and related legal risks); risk monitoring procedures and exception reporting criteria; personnel policies (including expertise, training and compensation policies); the separation of trading and risk management functions; and the establishment of management controls and checks over accounts, traders, operational staff and systems.

The framework should provide for two-way communication between the board and persons responsible for implementing board policies.

Delineation of derivatives authority should be without prejudice to ultimate board supervisory responsibility.

2. Independent Market Risk Management

Management controls should provide for independent market risk management at the firm to develop and monitor the application of risk limit policies, to review and approve pricing models and valuation systems (including mark-to-market mechanisms) for use by front and back office staff, to re-assess such systems from time to time as appropriate, to monitor for significant variances in the volatilities, and to carry out stress simulations.

Controls should address stress scenarios, confidence levels, credit assumptions and market risk measurement methodologies, separation of back office, accounting and compliance functions from trading, risk policies and integration of accounting systems. Stress tests should test the consequences of severe price moves and changes in market behavior, including changes in correlations and other risk assumptions.

3. Independent Credit Risk Management

Management controls should provide for independent credit risk management at the firm to consider credit exposure measurement standards, set and monitor credit limits, and to review leverage, concentration and risk reduction arrangements.

Appetite for risk, quality of credits, level of concentration, reliance on credit enhancements, measurement methodologies and separation of sales supervision from exposure supervision should be subject to controls. Controls also should address the risk of failure to deliver or of termination provisions, as appropriate.

4. In-House Expertise and Resources

In view of the speed of evolution and complexity of derivatives products, firms should devote adequate resources to all aspects of risk management controls, including back office systems and accounting and supervision. Firms also should make every effort to ensure that knowledge at all levels of the firm, and of traders and risk managers is adequate in terms of market developments for the appropriate assessment and management of risks.

5. Risk Reduction Techniques

Firms should as appropriate use risk reduction techniques such as master agreements, netting arrangements, collateralization of transactions and third party credit enhancements, including letters of credit and guarantees. Firms also should consider risk reduction techniques to address operations risk, including contingency planning.

Controls should address credit enhancements in terms of exposure and explore the use of master agreements to reduce documentation risk and to increase the potential to assign and/or otherwise unwind transactions. Legal capacity of counterparties to transact and legality of netting arrangements should be evaluated.

6. Valuations and Exposures

Firms on both an entity and a group basis should have the capability to make accurate risk valuations daily, using an acceptable pricing methodology to mark-to-market and to identify concentrations. Potential exposures to credit and market risk should also be calculated using appropriate methodologies. Exposures may be aggregated provided netting arrangements are acceptable and enforceable.

Arrangements should be made to value dynamic portfolios sufficiently frequently to address exposures taking into account legal netting arrangements. Outputs of simulations should be tested against actual results and adjusted accordingly.

7. Systems

Firms' accounting, risk management and information systems should ensure adequate and timely documenting, processing, confirming, approving as appropriate, and reconciling of trades and valuation systems used by front and back offices; assessing of risk on a global (firm-wide) basis; accurate and timely reporting to management; and external reporting by management. Internal or external independent systems reviews should be used to verify that such systems are operating as designed.

The complexity and dynamic nature of derivatives trading activity and portfolios require that accurate and timely information is always available. Systems must be kept constantly under review to be certain that they permit tracking and reporting financial performance and effectuating management policies. Significant deficiencies in the design or operation of the systems that could adversely affect the entity's ability to record, process, summarize, and report financial data should be reported upon. This is not intended to define the scope of external financial audits.

8. Liquidity, Funding Arrangements and Financial Performance

Firms need to monitor on a continuing basis financial performance, including profit and loss, funding requirements and sources and cash flows.

Risk management personnel need to take account of revenues and the adequacy of funding arrangements in designing and implementing risk management strategies. Liquidity planning should attempt to anticipate changes in cash flow or funding requirements and should accommodate the possible need to rebalance portfolios, augment collateral, and permit the management of defaults.

APPENDIX A OTC DERIVATIVES STUDIES AND RELATED DOCUMENTS

Risk Management Guidelines for Derivatives, Basle Committee on Bank Supervision (July, 1994).

Detailed Questions About Derivatives, American Institute of Certified Public Accountants (June 15, 1994).

Financial Derivatives. Actions Needed to Protect the Financial System, United States General Accounting Office (May 1994).

Questions and Answers for OCC Bulletin BC-277: Risk Management of Financial Derivatives, U.S. Office of the Comptroller of the Currency (OCC), (May 10, 1994).

OTC Derivatives Oversight, Statement of the Securities and Exchange Commission, the Commodity Futures Trading Commission, and the Securities and Investments Board (March 15, 1994).

Guidelines for Operations Practices, The International Swaps and Derivatives Association, Inc. (March 1994).

Over-the-Counter Derivatives in Ontario, Ontario Securities Commission Staff Report, 17 OSCB 371 (January 28, 1994).

Memo to the Officer in Charge of Supervision at each Federal Reserve Bank, re Examining Risk Management and Internal Controls for Trading Activities of Banking Organizations, Division of Banking Supervision and Regulation, Board of Governors of the Federal Reserve System (December 20, 1993).

Off-Balance-Sheet Activities of German Banks, Deutsche Bundesbank Monthly Report (October 1993).

OTC Derivative Markets and Their Regulation, The Report of the Commodity Futures Trading Commission (October 1993).

Risk Management of Financial Derivatives, Banking Circular No. 277, U.S. Office of the Comptroller of the Currency, Administrator of National Banks (October 27, 1993).

Derivatives: Practices and Principles, Report prepared by the Global Derivatives Study Group of the Group of Thirty, Washington, D.C. (July 1993).

Draft Report on Over-the-Counter Derivatives Markets, Australian Securities Commission (July 1993).

Securities Exchange Act Release No. 32256, 58 FR 27486 (May 10, 1993)(U.S. Securities and Exchange Commission concept release on capital treatment of OTC derivatives).

Derivatives. Report of an Internal Working Group, Bank of England (April 1993).

Internal Control-Integrated Framework, Committee of Sponsoring Organizations (COSO)(Treadway Committee) (September 1992).

Report of the Committee on Interbank Netting Schemes of the Central Banks of the Group of Ten Countries, Bank for International Settlements, Basle (November 1990).

APPENDIX B THE ROLE OF REGULATORS

Individual national regulators will need to determine how best to cause firms subject to their regulatory jurisdiction to develop control policies and procedures to meet the performance objectives set forth in this paper. Regulators may wish to consult further with appropriate industry groups for this purpose With respect to regulated entities, a number of approaches to identifying appropriate management control mechanisms and ensuring that they are effectuated in practice are identified and briefly discussed below.

A. Adopt performance or design standards.

Where they have appropriate jurisdiction, regulators could promulgate regulations setting performance or design standards. Regulators could mandate that firms engaging in OTC business have in place a system of operational and financial risk management controls which addresses the issues and meets the objectives specified in Part II above. Regulators could require report by self-audit or third-party audit of material inadequacies or deficiencies in such controls on a periodic basis (e.g. a condition that could inhibit the completion of transactions or result in a failure of an accounting or risk -management system). See E. below.

The appropriate level of detail required to be specified in a system is a matter for discussion. Regardless of the specificity of the policies adopted, the need for management to articulate its system and policies should have a beneficial effect. In particular, such a review should cause management to focus on potential risks and benefits of derivatives as a component of financial and funding activities in general.

Regulators could also consider devising new regulations specifically tailored to OTC derivatives activity. For example, regulators could enact rules expressly requiring regulated firms to supervise their OTC derivatives traders and risk managers and to obtain and maintain timely specified documentation and records of derivatives transactions (e.g., similar to underwriting logs, deal sheets, confirmations, etc.) or to follow other specific risk reduction methodologies (e.g., use master agreements, and document credit analyses).

B. Interpret existing rules to subsume management control requirements for OTC business.

Many regulators currently measure compliance with certain supervisory or other prudential requirements by evaluating management control mechanisms of firms. For example, many jurisdictions interpret their supervisory requirements for regulated entities to apply to accounts, systems, and personnel and to reach up the chain of command to the person with the ultimate authority to hire or fire. Under this reading, certain members of the board of directors may be cited for supervisory failures relative to firm operational controls. Effective management controls generally are considered essential to meeting such supervision requirements.

Other types of requirements could also be met through the implementation of management controls. For example, certain fiduciary requirements in some jurisdictions preclude an intermediary from acting in conflict with the interests of its customers. Further, most regulators impose various recordkeeping requirements on regulatees and/or require minimum capital levels and reporting of shortfalls immediately. This necessitates systems to produce the desired reports. These rules are not particularized to OTC risks and, in some cases, would have to be extended by interpretation to cover such risks.

Some jurisdictions also regard corporate board members and certain types of end-user management (e.g., pension funds) as fiduciaries and impose duties of care and financial responsibility or prudence that may need to be addressed through adequate management and operational controls.

C. Collect information an risks and risk management controls and policies.

Rules also could be adopted which authorize regulators to collect specified information on risks related to OTC derivatives activity undertaken in affiliates of regulated entities and on risk management policies of the regulated firms. Such rules have the beneficial effect of requiring risk analyses to be undertaken within firms by officers responsible for financial reports.

In jurisdictions which require consolidated supervision, guidance could be issued as to how to achieve group controls.

D. Require assessment of counterparties.

Regulators could mandate that regulated intermediaries inquire before entering into transactions with potential counterparties as to certain specified management controls (e.g., marking-to-market and documentation).

Regulators also could consider making inquiries into the existence of management controls (or representations as to their existence) relevant to so--called "suitability," "know your customer," "authority" or "access" determinations made by persons marketing OTC derivatives.

E. Require management assessments and regulatory examinations or auditor's reports on controls - either by internal independent audit staffs or third-party auditors.

Regulators could periodically examine firms' practices and comment on controls in place or could issue rules or guidance compliance with which is established through routine audits conducted by regulators or relevant self--regulating organisations ("SROs").

Regulators also could require management of regulated firms periodically to assess and to document their implementation of the firm's risk management policies, and require the submission of reports on those policies (by independent internal audit staffs, or independent third parties) to regulators.

The discipline of self-assessment and independent auditing and reporting to regulators could be expected to heighten the attention of all levels of management and the board of directors as to the importance of such controls.

A number of models for reporting to regulators by auditors and reporting accountants already exist. In addition to routine reporting arising from audits or specific regulatory assignments, regulators may wish to consider requiring ad hoc reporting by auditors of matters which become known to them in the course of their work.³

³See, e.g., E.C. Post-BCCI Directive; GAAS Guide, at 7.37, quoting Statement of Auditing Standards - 60 (Communication of internal Control Structure Related Matters Noted in an Audit); and Bulletin B., Mexican GAAS.

F. Require Self-Regulatory Organization oversight by reference to industry standards.

In addition to (or as an alternative to) rulemaking aimed directly at market participants, regulators may consider requiring industry SROs to adopt rules directing their members to employ specific management control mechanisms.

Regulators also may wish to encourage SROs to implement procedures for SRO or other third-party review of individual firms' management controls. Separately, SROs may seek to develop innovative means of ensuring their members meet management control objectives.

G. Require pre-clearance of systems and controls as part of fitness determinations.

Controls could be reviewed as part of fitness determinations and qualifications to engage in specific types of business.

H. Limit OTC dealer activity to regulated intermediaries.

In order to encourage appropriate use of management policies related to market, credit and other risks, regulators could require OTC dealing activity to be undertaken solely by regulated intermediaries, thus causing existing supervisory rules to pertain to all derivatives dealers.

This approach is complicated by the fact that in most jurisdictions the intermediaries engaged in OTC business are subject to various regulatory regimes. For example, such activities could be conducted in a bank, a securities firm, a commodities intermediary firm, a pension fund or collective investment vehicle, or by a merchant or trader. To the extent activity is undertaken in an entity engaging in "dealing" (that is, "two-way" market making) activities that are not regulated two questions arise: which regulator and which institutional model should be followed. This also raises questions about regulatory convergence between differently regulated institutions. Some jurisdictions consider it unlikely that this is a viable alternative.

I. Nonregulated Market Participants

While regulators cannot impose management control requirements directly over nonregulated entities, regulators may be able to influence the acceptance of best practice.

Nonregulated firms do have significant economic incentives adequately to supervise employees and effectively to manage their derivatives risk. Regulators nevertheless could promote best practice by all potential counterparties by encouraging regulated intermediaries to use contractual or documentation practices that address certain of their customers' management control mechanisms such as marking-to-market or specified documentation.

APPENDIX C IOSCO WORKING PARTY NO. 3

PARTICIPANTS

Australia Peter Clarke Australian Securities Commission

Canada Rozanne Reszel Canadian Investor Protection Fund

France Didier Davydoff Commission des
François Champarnaud Opérations de Bourse
Emmanuel Carrère Commission Bancaire

Germany Dr. Joachim Henke Bundesministerium der Finanzen
Werner Gehring Deutsche Bundesbank
Dr. Uwe Neumann Bundesaufsichtsamt fur das Kreditwesen

Hong Kong Siva Singham Securities and Futures Commission

Italy Dr. M. Antonietta Scopelliti Commissione Nazionale per la
Carlo Biancheri Società e la Borsa

Japan Toru Shikibu Ministry of Finance
Kenta Ichikawa

Mexico Miguel Cano Comision Nacional de Valores

Netherlands Cor-Jan Dasselaar Securities Board of the Netherlands

Spain Ester Martinez Cuesta Comision Nacional del
R. Martinez-Pardo del Valle Mercado de Valores

Sweden Lennart Torstensson Financial Supervisory
Hans Boberg Authority

Switzerland Daniel Zuberbühler Swiss Federal Banking Commission
Urs Brügger Swiss Admission Board

United Kingdom Martin Vile, Chairman Securities and Investments Board
Jane Coakley
Peter Andrews
Tony Smith

U.S.A. Michael Macchiaroli Securities and Exchange Commission
Harry Melamed

Andrea Corcoran Commodity Futures Trading
Jane Kang Commission


RISK MANAGEMENT GUIDELINES FOR DERIVATIVES

Basle Committee on Banking Supervision

July 1994

Risk management guidelines for derivatives

Preface

1. As part of its on-going efforts to address international bank supervisory issues, the Basle Committee on Banking Supervision¹

^{1 The Basle Committee on Banking Supervision is a Committee of banking supervisory authorities which was established by the central-bank Governors of the Group of Ten countries in 1975. It consists of senior representatives of bank supervisory authorities and central banks from Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, Netherlands, Sweden, Switzerland, United Kingdom and the United States. It usually meets at the Bank for International Settlements in Basle.}

is currently engaged in several activities to strengthen the prudential supervision of banks' derivatives operations. One of these activities has been a reassessment of the key elements of sound management of the risks involved in derivatives. In 1986, the Committee issued a document entitled "The management of banks' off balance sheet exposures: a supervisory perspective", and it has continued to consider the issues raised in that document. As a result, the Committee is now issuing the attached paper providing guidance on sound risk management of derivatives activities for use by supervisory authorities and banking organisations. In developing these guidelines, the Committee has drawn upon those established in member countries of the Committee and upon recommendations made by the financial industry.

2. The Basle Committee is distributing these guidelines to supervisors worldwide with the expectation that they will facilitate the further development of a prudent supervisory approach to the risk management of derivatives. Supervisors may wish to circulate the guidelines to the institutions under their jurisdiction, either in their entirety or as modified to take into account local conditions. The Committee wishes to emphasise that sound internal risk management is essential to the prudent operations of banks and that supervisory tools, such as capital requirements, are not by themselves sufficient. Sound internal risk management is also essential to promoting stability in the financial system as a whole.

3. Neither derivatives, nor the individual risks inherent in them are, by themselves, new. Institutions have been active for some time in forwards, swaps, and options and have routinely addressed credit, market, liquidity, operational and legal risks in their more traditional activities. However, the growing complexity, diversity and volume of derivatives products, facilitated by rapid advances in technology and communications pose increasing challenges to managing these risks. Sound risk management practices are an important element in meeting these challenges.

4. The guidelines bring together practices currently used by major international banks in a single framework. While no bank may follow the framework precisely, it could provide guidance to all banks. The applicability of the guidelines depends on the size and complexity of an institution's derivatives activities.

5. Supervisors should find the guidelines useful in reassessing their own existing supervisory methods and procedures for monitoring how banks control risks in derivatives. The exact approach chosen by individual supervisors to supervise derivatives activities depends upon a host of factors, including their own legal authority, use of on-site and off-site supervisory techniques and the degree to which external auditors are also used in a supervisory function.

6. One outstanding feature of financial markets is the increasing use of sophisticated models by major institutions as their principal means of measuring and managing risk. As a consequence, supervisory agencies will need to assure that they (and external auditors) have staff with sufficient mathematical knowledge to understand the issues and that the reliability of models can be independently verified by external experts.

I. Introduction and basic principles

1. Derivatives instruments have become increasingly important to the overall risk profile and profitability of banking organisations throughout the world. Broadly defined, a derivatives instrument is a financial contract whose value depends on the values of one or more underlying assets or indexes. Derivatives transactions include a wide assortment of financial contracts, including forwards, futures, swaps and options. In addition, other traded instruments incorporate derivatives characteristics, such as those with imbedded options. While some derivatives instruments may have very complex structures, all of them can be divided into the basic building blocks of options, forward contracts or some combination thereof. The use of these basic building blocks in structuring derivatives instruments allows the transfer of various financial risks to parties who are more willing, or better suited, to take or manage them.

2. Derivatives contracts are entered into throughout the world on organised exchanges and through over-the-counter (OTC) arrangements. Exchange-traded contracts are typically standardised as to maturity, contract size and delivery terms. OTC contracts are custom-tailored to an institution's needs and often specify commodities, instruments and/or maturities that are not offered on any exchange. This document addresses banks' activities in both OTC and exchange-traded instruments.

3. Derivatives are used by banking organisations both as risk management tools and as a source of revenue. From a risk management perspective, they allow financial institutions and other participants to identify, isolate and manage separately the market risks in financial instruments and commodities. When used prudently, derivatives can offer managers efficient and effective methods for reducing certain risks through hedging. Derivatives may also be used to reduce financing costs and to increase the yield of certain assets. For a growing number of banking organisations, derivatives activities are becoming a direct source of revenue through "market-making" functions, position taking and risk arbitrage:

- "market-making" functions involve entering into derivatives transactions with customers and with other market-makers while maintaining a generally balanced portfolio with the expectation of earning fees generated by a bid/offer spread;

- position-taking, on the other hand, represents efforts to profit by accepting the risk that stems from taking outright positions in anticipation of price movements;

- arbitrageurs also attempt to take advantage of price movements, but focus their efforts on trying to profit from small discrepancies in price among similar instruments in different markets.

4. Participants in the derivatives markets are generally grouped into two categories based primarily on their motivations for entering into derivatives contracts. End-users typically enter into derivatives transactions to achieve specified objectives related to hedging, financing or position taking on the normal course of their business operations. A wide variety of business enterprises are end-users. They include, but are not limited to, a broad range of financial institutions such as banks, securities firms and insurance companies; institutional investors such as pension funds, mutual funds and specialised investment partnerships; and corporations, local and state governments, government agencies and international agencies.

5. Intermediaries, which are sometimes referred to as "dealers", cater to the needs of end-users by "making markets" in OTC derivatives instruments. In doing so, they expect to generate income from transaction fees, bid/offer spreads and their own trading positions. Important intermediaries, or derivative dealers, include major banks and securities firms around the world. As intermediaries, banks have traditionally offered foreign exchange and interest rate risk management products to their customers and generally view derivatives products as a financial risk management service.

6. The basic risks associated with derivatives transactions are not new to banking organisations. In general, these risks are credit risk, market risk, liquidity risk, operations risk and legal risk. Because they facilitate the specific identification and management of these risks, derivatives have the potential to enhance the safety and soundness of financial institutions and to produce a more efficient allocation of financial risks. However, since derivatives also repackage these basic risks in combinations that can be quite complex, they can also threaten the safety and soundness of institutions if they are not clearly understood and properly managed.

7. Recognising the importance of sound risk management to the effective use of derivatives instruments, the following guidance is intended to highlight the key elements and basic principles of sound management practice for both dealers and end-users of derivatives instruments. These basic principles include:

1. Appropriate oversight by boards of directors and senior management,

2. Adequate risk management process that integrates prudent risk limits, sound measurement procedures and information system, continuous risk monitoring and frequent management reporting; and,

3. Comprehensive internal controls and audit procedures.

II. Oversight of the risk management process

1. As is standard practice for most banking activities, an institution should maintain written policies and procedures that clearly outline its risk management guidance for derivatives activities. At a minimum these policies should identify the risk tolerances of the board of directors and should clearly delineate lines of authority and responsibility for managing the risk of these activities. Individuals involved in derivatives activities should be fully aware of all policies and procedures that relate to their specific duties.

Board of directors

2. The board of directors should approve all significant policies relating to the management of risks throughout the institution. These policies, which should include those related to derivatives activities, should be consistent with the organisation's broader business strategies, capital strength, management expertise and overall willingness to take risk. Accordingly, the board should be informed regularly of the risk exposure of the institution and should regularly re-evaluate significant risk management policies and procedures with special emphasis placed on those defining the institution's risk tolerance regarding these activities. The board of directors should also conduct and encourage discussions between its members and senior management, as well as between senior management and others in the institution, regarding the institution's risk management process and risk exposure.

Senior management

3. Senior management should be responsible for ensuring that there are adequate policies and procedures for conducting derivatives operations on both a long-range and day--to-day basis. This responsibility includes ensuring that there are clear delineations of lines of responsibility for managing risk, adequate systems for measuring risk, appropriately structured limits on risk taking, effective internal controls and a comprehensive risk-reporting process.

4. Before engaging in derivatives activities, management should ensure that all appropriate approvals are obtained and that adequate operational procedures and risk control system are in place. Proposals to undertake derivatives activities should include, as applicable:

- a description of the relevant financial products, markets and business strategies;

- the resources required to establish sound and effective risk management systems and to attract and retain professionals with specific expertise in derivatives transactions;

- an analysis of the reasonableness of the proposed activities in relation to the institution's overall financial condition and capital levels;

- an analysis of the risks that may arise from the activities;

- the procedures the bank will use to measure, monitor and control risks;

- the relevant accounting guidelines;

- the relevant tax treatment; and

- an analysis of any legal restrictions and whether the activities are permissible.

5. After the institution's initial entry into derivatives activities has been properly approved, any significant changes in such activities or any new derivatives activities should be approved by the board of directors or by an appropriate level of senior management, as designated by the board of directors.

6. Senior management should regularly evaluate the procedures in place to manage risk to ensure that those procedures are appropriate and sound. Senior management should also foster and participate in active discussions with the board, with staff of risk management functions and with traders regarding procedures for measuring and managing risk. Management must also ensure that derivatives activities are allocated sufficient resources and staff to manage and control risks.

7. As a matter of general policy, compensation policies - especially in the risk management, control and senior management functions - should be structured in a way that is sufficiently independent of the performance of trading activities, thereby avoiding the potential incentives for excessive risk taking that can occur if, for example, salaries are tied too closely to the profitability of derivatives.

Independent risk management functions

8. To the extent warranted by the bank's activities, the process of measuring, monitoring and controlling risk consistent with the established policies and procedures should be managed independently of individuals conducting derivatives activities, up through senior levels of the institution. An independent system for reporting exposures to both senior-level management and to the board of directors is an important element of this process.

9. The personnel staffing independent risk management functions should have a complete understanding of the risks associated with all of the bank's derivatives activities. Accordingly, compensation policies for these individuals should be adequate to attract and retain personnel qualified to assess these risks.

III. The risk management process

1. The primary components of a sound risk management process are the following: a comprehensive risk measurement approach; a detailed structure of limits, guidelines and other parameters used to govern risk taking; and a strong management information system for controlling, monitoring and reporting risks. These components are fundamental to both derivatives and non-derivatives activities alike. Moreover, the underlying risks associated with these activities, such as credit, market, liquidity, operations and legal risk, are not new to banking, although their measurement and management can be more complex. Accordingly, the process of risk management for derivatives activities should be integrated into the institution's overall risk management system to the fullest extent possible using a conceptual framework common to the institution's other activities. Such a common framework enables the institution to manage its risk exposure more effectively, especially since the various individual risks involved in derivatives activities can, at times, be interconnected and can often transcend specific markets.

2. As is the case with all risk-bearing activities, the risk exposures an institution assumes in its derivatives activities should be fully supported by an adequate capital position. The institution should ensure that its capital position is sufficiently strong to support all derivatives risks on a fully consolidated basis and that adequate capital is maintained in all group entities engaged in these activities,

Risk measurement

3. An institution's system for measuring the various risks of derivatives activities should be both comprehensive and accurate. Risk should be measured and aggregated across trading and non-trading activities on an institution-wide basis to the fullest extent possible.

4. While the use of a single prescribed risk measurement approach for management purposes may not be essential, the institution's procedures should enable management to assess exposures on a consolidated basis. Risk measures and the risk measurement process should be sufficiently robust to reflect accurately the multiple types of risks facing the institution. Risk measurement standards should be understood by relevant personnel at all levels of the institution - from individual traders to the board of directors - and should provide a common framework for limiting and monitoring risk taking activities.

5. With regard to dealer operations, the process of marking derivatives positions to market is fundamental to measuring and reporting exposures accurately and on a timely basis. An institution active in dealing foreign exchange, derivatives and other traded instruments should have the ability to monitor credit exposures, trading positions and market movements at least daily. Some institutions should also have the capacity, or at least the goal, of monitoring their more actively traded products on a real-time basis.

6. Analysing stress situations, including combinations of market events that could affect the banking organisation, is also an important aspect of risk measurement. Sound risk measurement practices include identifying possible events or changes in market behaviour that could have unfavourable effects on the institution and assessing the ability of the institution to withstand them. These analyses should consider not only the likelihood of adverse events, reflecting their probability, but also "worst case" scenarios. Ideally, such worst case analysis should be conducted on an institution-wide basis by taking into account the effect of unusual changes in prices or volatilities, market illiquidity or the default of a large counterparty across both the derivatives and cash trading portfolios and the loan and funding portfolios.

7. Such stress tests should not be limited to quantitative exercises that compute potential losses or gains. They should also include more qualitative analyses of the actions management might take under particular scenarios. Contingency plans outlining operating procedures and lines of communication, both formal and informal, are important products of such qualitative analyses.

Limiting risks

8. A sound system of integrated institution-wide limits and risk taking guidelines is an essential component of the risk management process. Such a system should set boundaries for organisational risk-taking and should also ensure that positions that exceed certain predetermined levels receive prompt management attention. The limit system should be consistent with the effectiveness of the organisation's overall risk management process and with the adequacy of its capital position. An appropriate limit system should permit management to control exposures, to initiate discussion about opportunities and risks and to monitor actual risk taking against predetermined tolerances, as determined by the board of directors and senior management.

9. Global limits should be set for each major type of risk involved in an institution's derivatives activities. These limits should be consistent with the institution's overall risk measurement approach and should be integrated to the fullest extent possible with institution--wide limits on those risks as they arise in all other activities of the institution. Where appropriate, the limit system should provide the capability to allocate limits down to individual business units.

10. If limits are exceeded, such occurrences should be made known to senior management and approved only by authorised personnel. These positions should also prompt discussions about the consolidated risk taking activities of the institution or the unit conducting the derivatives activities. The seriousness of limit exceptions depends in large part upon management's approach toward setting limits and on the actual size of individual and organisational limits relative to the institution's capacity to take risk. An institution with relatively conservative limits may encounter more exceptions to those limits than an institution with less restrictive limits.

Reporting

11. An accurate, informative and timely management information system is essential to the prudent operation of derivatives activities. Accordingly, the quality of the management information system is an important factor in the overall effectiveness of the risk management process. The risk management function should monitor and report its measures of risks to appropriate levels of senior management and to the board of directors. In dealer operations, exposures and profit and loss statements should be reported at least daily to managers who supervise but do not, themselves, conduct those activities. More frequent reports should be made as market conditions dictate. Reports to other levels of senior management and the board may occur less frequently, but the frequency of reporting should provide these individuals with adequate information to judge the changing nature of the institution's risk profile.

12. Management information systems should translate the measured risk for derivatives activities from a technical and quantitative format to one that can be easily read and understood by senior managers and directors, who may not have specialised and technical knowledge of derivatives products. Risk exposures arising from various derivatives products should be reported to senior managers and directors using a common conceptual framework for measuring and limiting risks.

Management evaluation and review

13. Management should ensure that the various components of the institution's risk management process are regularly reviewed and evaluated. This review should take into account changes in the activities of the institution and in the market environment, since the changes may have created exposures that require additional attention. Any material changes to the risk management system should also be reviewed.

14. The risk management functions should regularly assess the methodologies, models and assumptions used to measure risk and to limit exposures. Proper documentation of these elements of the risk measurement system is essential for conducting meaningful reviews. The review of limit structures should compare limits to actual exposures and should also consider whether existing measures of exposure and limits are appropriate in view of the institution's past performance and current capital position.

15. The frequency and extent to which an institution should re-evaluate its risk measurement methodologies and models depends, in part, on the specific risk exposures created by their derivatives activities, on the pace and nature of market changes and on the pace of innovation with respect to measuring and managing risks. At a minimum, an institution with significant derivatives activities should review the underlying methodologies of its models at least annually - and more often as market conditions dictate - to ensure they are appropriate and consistent. Such internal evaluations may, in many cases, be supplemented by reviews by external auditors or other qualified outside parties, such as consultants who have expertise with highly technical models and risk management techniques. Assumptions should be evaluated on a continual basis.

16. The institution should also have an effective process to evaluate and review the risks involved in products that are either new to it, or new to the marketplace and of potential interest to the institution. It should also introduce new products in a manner that adequately limits potential losses and permits the testing of internal systems. An institution should not become involved in a product at significant levels until senior management and all relevant personnel (including those in risk management, internal control, legal, accounting and auditing) understand the product and are able to integrate the product into the institution's risk measurement and control systems.

IV. Internal controls and audits

1. Policies and related procedures for the operation of derivatives activities should be an extension of the institution's overall structure of internal controls and should be fully integrated into routine work-flows. A sound system of internal controls should promote effective and efficient operations; reliable financial and regulatory reporting; and compliance with relevant laws, regulations and policies of the institution. In determining whether internal controls meet those objectives, the institution should consider the overall control environment of the organisation; the process for identifying, analysing and managing risk; the adequacy of management information systems; and adherence to control activities such as approvals, confirmations and reconciliations. Reconciliation control is particularly important where there are differences in the valuation methodologies or systems used by the front and back offices.

2. An important step in the process of reviewing internal controls is the frequency, scope and findings of independent internal and external auditors and the ability of those auditors to review the institution's derivatives activities. Internal auditors should audit and test the risk management process and internal controls on a periodic basis, with the frequency based on a careful risk assessment. The depth and frequency of internal audits should be increased if weaknesses and significant issues are discovered, or if significant changes have been made to product lines, modelling methodologies, the risk oversight process, internal controls or the overall risk profile of the institution. To facilitate the development of adequate controls, internal auditors should be brought into the product development process at the earliest possible stage.

3. Internal auditors are expected to evaluate the independence and overall effectiveness of the institution's risk management functions. In this regard, they should thoroughly evaluate the effectiveness of internal controls relevant to measuring, reporting and limiting risks. Internal auditors should evaluate compliance with risk limits and the reliability and timeliness of information reported to the institution's senior management and board of directors.

4. The internal auditors' assessment of the adequacy of internal controls involves a process of understanding, documenting, evaluating and testing an institution's internal control system. This assessment should include product or business line reviews which, in turn, should start with an assessment of the line's organisational structure. Especially for dealer operations, the auditors should check for adequate separation of duties (particularly between market-making personnel and functions of internal control and risk management), adequate oversight by a knowledgeable manager without day-to-day responsibilities in the dealer operation and the presence of separate reporting lines for risk management and internal control personnel on one side and for market-making personnel on the other. Product-by-product reviews of management structure should supplement the overall assessment of the organisational structure of the institution's derivatives business.

5. The institution should establish internal controls for key activities. For example, for transaction recording and processing, the institution should have written policies and procedures for recording trades, assess the trading area's adherence to policy and analyse the transaction processing cycle, including settlement, to ensure the integrity and accuracy of its records and management reports. The institution should review the revaluation process in order to assess the adequacy of written policies and procedures for revaluing positions and for creating any associated revaluation reserves. The institution should review compliance with revaluation policies and procedures, the frequency of revaluation and the independence and quality of the sources of revaluation prices, especially of instruments originated and traded in illiquid markets. All significant internal controls associated with the management of market risk, such as position versus limit reports and approval policies and procedures for limit exceptions, should also be reviewed. The institution should also review the credit approval process to ensure that the risks of specific products are adequately captured and that credit approval procedures are followed for all transactions. In this connection, institutions should recognise their combined credit exposure to a given counterparty that arise from transactions conducted throughout the bank.

V. Sound risk management practices for each type of risk

1. The following sections present sound practices for the specific components of an institution's risk management process in the context of each of the risks involved in derivatives activities.

Credit risk (including settlement risk)

2. Broadly defined, credit risk is the risk that a counterparty will fail to perform on an obligation to the institution. The institution should evaluate both settlement and pre-settlement credit risk at the customer level across all products. On settlement day, the exposure to counterparty default may equal the full value of any cash flows or securities the institution is to receive. Prior to settlement, credit risk is measured as the sum of the replacement cost of the position, plus an estimate of the institution's potential future exposure from the instrument as a result of market changes. Replacement cost should be determined using current market prices or generally accepted approaches for estimating the present value of future payments required under each contract, given current market conditions.

3. Potential credit risk exposure is measured more subjectively than current exposure and is primarily a function of the time remaining to maturity and the expected volatility of the price, rate or index underlying the contract. Dealers and large derivatives participants should assess potential exposure through simulation analysis or other sophisticated techniques, which, when properly designed and implemented can produce estimates of potential exposure that incorporate both portfolio-specific characteristics and current market conditions. Smaller end-users may measure this exposure by using "add-ons" based on more general characteristics. In either case, the assumptions underlying the institution's risk measure should be reasonable and if the institution measures exposures using a portfolio approach, it should do so in a prudent manner.

4. An institution may use master netting agreements and various credit enhancements, such as collateral or third-party guarantees, to reduce its counterparty credit risk. In such cases, an institution's credit exposures should reflect these risk-reducing features only to the extent that the agreements and recourse provisions are legally enforceable in all relevant jurisdictions. This legal enforceability should extend to any insolvency proceedings of the counterparty. The institution should be able to demonstrate that it has exercised due diligence in evaluating the enforceability of these contracts and that individual transactions have been executed in a manner that provides adequate protection to the institution.

5. Credit limits that consider both settlement and pre-settlement exposures should be established for all counterparties with whom the institution conducts business. As a matter of general policy, business with a counterparty should not commence until a credit line has been approved. The structure of the credit-approval process may differ among institutions, reflecting the organisational and geographic structure of each institution. Nevertheless, in all cases, it is important that credit limits be determined by personnel who are independent of the derivatives function, that these personnel use standards consistent with those used for other activities and that counterparty credit lines are consistent with the organisation's policies and consolidated exposures.

6. If credit limits are exceeded, exceptions should be resolved according to the institution's policies and procedures. In addition, the institution's reports should adequately provide traders and credit officers with relevant, accurate and timely information about the credit exposures and approved credit lines.

7. Similar to bank loans, OTC derivatives products can have credit exposures existing for an extended period. Given these potentially long-term exposures and the complexity associated with some derivatives instruments, an institution should consider the overall financial strength of its counterparties and their ability to perform on their obligations.

Market risk

8. Market risk is the risk to an institution's financial condition resulting from adverse movements in the level or volatility of market prices. The market risks created - or hedged - -by a future or swap are familiar, although not necessarily straightforward to manage. They are exposures to changes in the price of the underlying cash instrument and to changes in interest rates. By contrast, the value of an option is also affected by other factors, including the volatility of the price of the underlying instrument and the passage of time. In addition, all trading activities are affected by market liquidity and by local or world political and economic events.

9. Market risk is increasingly measured by market participants using a value-at-risk approach, which measures the potential gain or loss in a position, portfolio or institution that is associated with a price movement of a given probability over a specified time horizon. The institution should revalue all trading portfolios and calculate its exposures at least daily. Although an institution may use risk measures other than value-at-risk, the measure used should be sufficiently accurate and rigorous, and the institution should ensure that it is adequately incorporated into its risk management process.

10. An institution should compare its estimated market risk exposures with actual behaviour. In particular, the output of any market risk models that require simulations or forecasts of future prices should be compared with actual results. If the projected and actual results differ materially, the assumptions used to derive the projections should be carefully reviewed or the models should be modified, as appropriate.

11. The institution should establish limits for market risk that relate to its risk measures and that are consistent with maximum exposures authorised by its senior management and board of directors. These limits should be allocated to business units and individual decision makers and be clearly understood by all relevant parties. Exceptions to limits should be detected and adequately addressed by management. In practice, some limit systems may include additional elements such as stop-loss limits and guidelines that may play an important role in controlling risks.

12. An institution whose derivatives activities are limited in volume and confined to end-user activities may need less sophisticated risk measurement systems than those required by a dealer. Senior management at such an institution should ensure that all significant risks arising from its derivatives transactions can be quantified, monitored and controlled. At a minimum, risk management systems should evaluate the possible impact on the institution's earnings and capital which may result from adverse changes in interest rates and other market conditions that are relevant to risk exposure and the effectiveness of derivatives transactions in the institution's overall risk management.

Liquidity risk

13. An institution faces two types of liquidity risk in its derivatives activities: one related to specific products or markets and the other related to the general funding of the institution's derivatives activities. The former is the risk that an institution may not be able to, or cannot easily, unwind or offset a particular position at or near the previous market price because of inadequate market depth or because of disruptions in the marketplace. Funding liquidity risk is the risk that the institution will be unable to meet its payment obligations on settlement dates or in the event of margin calls. Because neither type of liquidity risk is necessarily unique to derivatives activities, management should evaluate these risks in the broader context of the institution's overall liquidity. When establishing limits, the institution should be aware of the size, depth and liquidity of the particular market and establish guidelines accordingly.

14. In developing guidelines for controlling liquidity risks, an institution should consider the possibility that it could lose access to one or more markets, either because of concerns about the institution's own creditworthiness, the creditworthiness of a major counterparty or because of generally stressful market conditions. At such times, the institution may have less flexibility in managing its market, credit and liquidity risk exposures. An institution that makes markets in over-the-counter derivatives or that dynamically hedges^{Dynamic hedging refers generally to the continuous process of buying or selling instruments to offset open exposures as market conditions change (e.g. an option writer selling an underlying asset as its price falls).} its positions requires constant access to financial markets and that need may increase in times of market stress. The institution's liquidity plan should reflect the institution's ability to turn to alternative markets, such as futures or cash markets, or to provide sufficient collateral or other credit enhancements in order to continue trading under a broad range of scenarios.

15. An institution that participates in over-the-counter derivatives markets should assess the potential liquidity risks associated with the early termination of derivatives contracts. Many forms of standardised contracts for derivatives transactions allow counterparties to request collateral or to terminate their contracts early if the institution experiences an adverse credit event or a deterioration in its financial condition. In addition, under conditions of market stress, customers may ask for the early termination of some contracts within the context of the dealer's market making activities. In such situations, an institution that owes money on derivatives transactions may be required to deliver collateral or settle a contract early and possibly at a time when the institution may face other funding and liquidity pressures. Early terminations may also open up additional, unintended, market positions. Management and directors should be aware of these potential liquidity risks and should address them in the institution's liquidity plan and in the broader context of the institution's liquidity management process.

Operations risk

16. Operations risk is the risk that deficiencies in information systems or internal controls will result in unexpected loss. This risk is associated with human error, system failures and inadequate procedures and controls. This risk can be exacerbated in the case of certain derivatives because of the complex nature of their payment structures and calculation of their values.

17. The board of directors and senior management should ensure the proper dedication of resources (financial and personnel) to support operations and systems development and maintenance. The operations unit for derivatives activities, consistent with other trading and investment activities, should report to an independent unit and should be managed independently of the business unit. The sophistication of the systems support and operational capacity should be commensurate with the size and complexity of the derivatives business activity.

18. Systems support and operational capacity should be adequate to accommodate the types of derivatives activities in which the institution engages. This includes the ability to efficiently process and settle the volumes transacted through the business unit, to provide support for the complexity of the transactions booked and to provide accurate and timely input. Support systems and the systems developed to interface with the official databases should generate accurate information sufficient to allow business unit management and senior management to monitor risk exposures in a timely manner.

19. Systems needs for derivatives activities should be evaluated during the strategic planning process. Current and projected volumes should be considered together with the nature of the derivatives activity and the user's expectations. Consistent with other systems plans, a written contingency plan for derivatives products should be in place.

20. With the complexity of derivatives products and the size and rapidity of transactions, it is essential that operational units be able to capture all relevant details of transactions, identify errors and process payments or move assets quickly and accurately. This requires a staff of sufficient size, knowledge and experience to support the volume and type of transactions generated by the business unit. Management should develop appropriate hiring practices and compensation plans to recruit and retain high calibre staff.

21. Systems design and needs may vary according to the size and complexity of the derivatives business. However, each system should provide for accurate and timely processing and allow for proper risk exposure monitoring. Operational systems should be tailored to each institution's needs. Limited end-users of derivatives may not require the same degree of automation needed by more active trading institutions. All operational systems and units should adequately provide for basic processing, settlement and control of derivatives transactions.

22. The more sophisticated the institution's activity, the more need there is to establish automated systems to accommodate the complexity and volume of the deals transacted, to report position data accurately and to facilitate efficient reconciliation.

23. Segregation of operational duties, exposure reporting and risk monitoring from the business unit is critical to proper internal control. Proper internal control should be provided over the entry of transactions into the database, transaction numbering, date and time notation and the confirmation and settlement processes. Operational controls should also be in place to resolve disputes over contract specifications. In this regard, an institution must ensure that trades are confirmed as quickly as possible. The institution should monitor the consistency between the terms of a transaction as they were agreed upon and the terms as they were subsequently confirmed.

24. The operations department, or another unit or entity independent of the business unit, should be responsible for ensuring proper reconciliation of front and back office databases on a regular basis. This includes the verification of position data, profit and loss figures and transaction-by-transaction details.

25. The institution should ensure that the methods it uses to value its derivatives positions are appropriate and that the assumptions underlying those methods are reasonable. The pricing procedures and models the institution chooses should be consistently applied and well-documented. Models and supporting statistical analyses should be validated prior to use and as market conditions warrant.

26. Management of the institution should ensure that a mechanism exists whereby derivatives contract documentation is confirmed, maintained and safeguarded. An institution should establish a process through which documentation exceptions are monitored and resolved and appropriately reviewed by senior management and legal counsel. The institution should also have approved policies that specify documentation requirements for derivatives activities and formal procedures for saving and safeguarding important documents that are consistent with legal requirements and internal policies.

27. Although operations risks are difficult to quantify, they can often be evaluated by examining a series of "worst-case" or "what if' scenarios, such as a power loss, a doubling of transaction volume or a mistake found in the pricing software for collateral management. They can also be assessed through periodic reviews of procedures, documentation requirements, data processing systems, contingency plans and other operational practices. Such reviews may help to reduce the likelihood of errors and breakdowns in controls, improve the control of risk and the effectiveness of the limit system and prevent unsound marketing practices and the premature adoption of new products or lines of business. Considering the heavy reliance of derivatives activities on computerised systems, an institution must have plans that take into account potential problems with its normal processing procedures.

Legal risk

28. Legal risk is the risk that contracts are not legally enforceable or documented correctly. Legal risks should be limited and managed through policies developed by the institution's legal counsel (typically in consultation with officers in the risk management process) that have been approved by the institution's senior management and board of directors. At a minimum, there should be guidelines and processes in place to ensure the enforceability of counterparty agreements.

29. Prior to engaging in derivatives transactions, an institution should reasonably satisfy itself that its counterparties have the legal and necessary regulatory authority to engage in those transactions, In addition to determining the authority of a counterparty to enter into a derivatives transaction, an institution should also reasonably satisfy itself that the terms of any contract governing its derivatives activities with a counterparty are legally sound.

30. An institution should adequately evaluate the enforceability of its agreements before individual transactions are consummated. Participants in the derivatives markets have experienced significant losses because they were unable to recover losses from a defaulting counterparty when a court held the counterparty had acted outside of its authority in entering into such transactions. An institution should ensure that its counterparties have the power and authority to enter into derivatives transactions and that the counterparties' obligations arising from them are enforceable. Similarly, an institution should also ensure that its rights with respect to any margin or collateral received from a counterparty are enforceable and exercisable.

31. The advantages of netting arrangements can include a reduction in credit and liquidity risks, the potential to do more business with existing counterparties within existing credit lines and a reduced need for collateral to support counterparty obligations. The institution should ascertain that its netting agreements are adequately documented and that they have been executed properly. Only when a netting arrangement is legally enforceable in all relevant jurisdictions should an institution monitor its credit and liquidity risks on a net basis.

32. The institution should have knowledge of relevant tax laws and interpretations governing the use of derivatives instruments. Knowledge of these laws is necessary not only for the institution's marketing activities but also for its own use of these products.

Basle, July 1994