Risk Management Policy
General Provisions
This Risk Management Policy (the Policy) reflects the vision and goals of the corporate Internal Control and Risk Management System of Global POP Liquidity Solutions Limited (hereinafter – the Company). The primary goal of the Policy is to define the Internal Control and Risk Management System and to establish a single approach to the implementation of its processes.
The Company's Internal Control and Risk Management System comprises the organizational tools, methods and procedures implemented by the Company to ensure a systematic and consistent approach to internal control and risk management.
Risk management is the process of identifying events that can affect the Company's business and of managing and controlling the resulting risks; it extends to all operations of the Company.
Internal control is a process that aims to provide reasonable assurance that risks are responded to in an effective, timely and coordinated manner at each level of management, that applicable laws are complied with, and that reporting is reliable. The goal of the internal control processes is to support risk management within the organization and the achievement of the targets set by the Company.
The Company's Internal Control and Risk Management System aims to maintain a sound balance between growth in the Company's value, its profitability and other operational efficiency criteria on the one hand, and the risks facing the business on the other, within the risk appetite approved by management.
Goals and Tasks
Goals and tasks of the Internal Control and Risk Management System are presented in the table below (each Goal is followed by its Tasks):

Goal: Ensure reasonable assurance of the achievement of strategic goals
Tasks:
Identify, analyse and evaluate the events that affect the achievement of strategic goals;
Define the overall level of the Company risks, permissible risk boundaries, and the risk limits assumed by the Company;
Ensure preventive measures to minimize the likelihood of a negative impact of risks on goals;
Strategic planning based on risks; and
Monitor risk control activities.

Goal: Preserve assets and maintain business performance
Tasks:
Identify, evaluate and manage business process risks, specifically those relevant to asset protection;
Provide risk information when making management decisions;
Develop the Risk Register;
Develop and manage the KRI system; and
Prevent fraud.

Goal: Ensure compliance with laws and regulations
Tasks (Internal Control):
Reliability, completeness and accuracy of financial reporting;
Operating efficiency and target achievement;
Security of assets; and
Company compliance with applicable laws, regulations and contract terms.

Goal: Company external communication
Tasks:
Control procedures for disclosing material information about the Company operations to external users by:
Ensuring accuracy of the disclosed information at all stages of its collection and processing; and
Complying with the Company information disclosure regulations.
Principles of This Policy
Continuity: continuous functioning of the Internal Control and Risk Management System;
Integration: the Internal Control and Risk Management System extends to all areas of the organization’s operations and all types of related risks;
Priority: the company prioritizes requisite measures against risks critical to the company operations;
Segregation of duties: the quality of the control functions performed by each person is checked by other participants in internal control, so that no one person both performs and verifies the same control;
Functionality: responsibility for risk management in different areas of the organization’s operations is distributed in line with employees’ functional responsibilities within the company;
Cooperation: internal control is based on cooperation between all Internal Control participants and divisions of the company;
Endorsement and approval: the company is committed to establishing an approval procedure for all business transactions;
Standardized methodology: the processes of the Internal Control and Risk Management System are based on standardized approaches and standards for all structural divisions of the Company; and
Timeliness of communications: information regarding identified risks or control failures is provided on a timely basis to the persons authorized to make the relevant management decisions.
Internal Control and Risk Management Methods
The Company shall apply the following set of methods and approaches to internal control and risk management:
Appropriate segregation of duties is achieved by separating certain responsibilities among employees at the relevant job level and through IT interface procedures. Segregation of duties between the Company's structural divisions at each management level (vertically) and within each management level (horizontally) is regulated by internal regulatory documents, workflow schedules and the interface procedures of the structural divisions.
The authorization system defines the boundaries within which employees fulfil their duties and includes internal documents that:
set forth the persons who are authorized to sign primary documents;
describe workflow schedules for the approval of documents by management; and
establish access controls (user accounts, passwords and access rights) so that only designated persons can access assets, documents and the information held in the relevant information systems.
Documents and the system accounting records generated in the information systems are the basic evidence for the Company's documentary audit. All business transactions are executed as primary documents, which are entered in the accounting records only if they use the standard forms for primary documentation or the forms developed by the Company and incorporated into its internal regulatory documents.
Physical methods of controlling and safeguarding assets, documents and information system data are aimed at restricting unauthorized access to the Company's property. The Company's internal documents define the persons who are responsible for the protection and transfer of assets, and such persons sign written agreements as required by law.
In compliance with applicable legal requirements, the Company takes stock of its assets and liabilities, following the procedure set forth in the respective internal regulations.
Risk management is an integral part of all organizational processes: it is not separated from the organization's core business areas and processes, it is included in managers' responsibilities, and it forms part of strategic planning and of all management projects and processes.
Risk management is part of the decision-making process: it helps decision makers to make a conscious choice, prioritize actions and identify the most effective actions out of the available options.
Risk management facilitates continuous improvement of the organization: the Company should develop and implement strategies for improving risk management alongside all other aspects of the organization.
The Company aims to create a risk-oriented corporate culture in which each employee understands the risks and opportunities faced by the Company's business and how those risks are prioritized. Each employee is also actively involved in risk identification and assessment, and in selecting effective methods for responding to risks.
Senior managers ensure prioritization of risk management tasks and dissemination of risk management knowledge and skills across the Company, promote training on the basics of risk management and the “risk-based” corporate management culture.
Employees are familiar with the risk management processes and procedures, their role within the risk management process, and the level of their authority and responsibility.
Risk Management Levels
Risk management in the Company is structured by level, and risk-related decisions can be made at each level. There are three management levels:
Shareholder/CEO;
The Risk Management Committee; and
AML / Compliance.
Each level of the Risk Management System has a decision threshold (a threshold risk value). If a risk exceeds the threshold of a level, the decision is passed to the next level, as follows:
decisions exceeding the AML / Compliance threshold are passed to the Risk Management Committee; and
decisions exceeding the Risk Management Committee threshold are passed to the Shareholder/CEO.
Roles and Responsibilities of the Internal Control and Risk Management System Participants
The allocation of roles and responsibilities between the participants of the Internal Control and Risk Management System is presented in the table below (each Participant is followed by its Functions and responsibility):

Participant: CEO
Functions and responsibility:
Defines the risk management strategy of the Company;
Approves corporate standards (the Policy and its changes) in the field of internal control and risk management;
Approves the Company's risk appetite at the corporate level; and
Makes decisions on the performance of the Internal Control and Risk Management System.

Participant: Risk Committee
Functions and responsibility:
Exercises control over the creation and functioning of the Company's Internal Control and Risk Management System, and establishes and controls compliance with the requirements for the System's organization;
Develops corporate standards (the Policy) in the field of internal control and risk management;
Defines the Company's risk management strategy;
Defines the Company's risk appetite at the corporate level;
Approves the prioritized Risk Register at CEO level;
Approves activity plans for critical risk management;
Approves budgets for risk management activities;
Ensures achievement of the Internal Control and Risk Management System's key performance indicators by introducing financial incentives;
Approves internal regulations for internal control and risk management;
Resolves disputes;
Monitors the efficiency of risk management;
Exercises control over the functioning of the Internal Control and Risk Management System and prepares resolutions for the CEO on its efficacy;
Identifies material drawbacks in internal control and risk management procedures and initiates the process for their elimination;
Develops recommendations for the CEO on improving the Internal Control and Risk Management System and the Company's procedure for reporting and information disclosure;
Approves risk appetite levels in the form of limits and other restrictions on permissible risks, and the scales used for risk assessment;
Prioritizes the Company's risks;
Defines and aligns the Company's prioritized Risk Register;
Approves KRIs for critical risks;
Develops activity plans for critical risk management;
Controls implementation of the Company's activity plans for critical risk management;
Approves key performance indicators of the Internal Control and Risk Management System;
Makes risk management decisions at Risk Committee level;
Analyses risk management reports; and
Approves annual reports to the CEO on implementation of the Company's risk management activities.

Participant: AML / Compliance officer
Functions and responsibility:
Organizes and manages internal control and risk management processes;
Coordinates the activity of, and provides information support to, the Risk Committee;
Develops risk management methodologies and procedures in line with best global practice;
Collects, processes and analyses risk identification information generated by the Company's structural divisions, analyses internal documentation, and conducts interviews;
Participates in the expert risk assessment;
Develops and updates the Company Risk Register;
Organizes risk prioritization;
Defines risk appetite levels in the form of limits and other restrictions on permissible risks, and the scales used for risk assessment;
Consolidates activity plans for critical risk management;
Monitors the dynamics of critical risks and the implementation of risk management activity plans;
Develops KRIs together with the structural divisions and monitors KRI values;
Trains and consults the Company's management and employees on the methodology behind risk management processes;
Establishes development areas and improvement plans for the Company's Internal Control and Risk Management System;
Prepares information about risks as required;
Develops and reviews, as necessary, the risk management reporting system;
Develops internal control methodologies and procedures in line with best global practice;
Provides systematic support to the Company's structural divisions in achieving their control procedures;
Audits and evaluates the adequacy of control procedures, and develops and implements new control procedures to address identified drawbacks;
Develops and reviews, as necessary, the internal control reporting system;
Provides systematic support to the Company's managers on internal control reporting; and
Prepares reports for the CEO on the implementation of activities related to the Company's internal control system.

Participant: Director
Functions and responsibility:
Monitors compliance with the provisions of this Policy;
Identifies risks in his or her structural division or initiated project;
Participates in the expert risk assessment;
Monitors the development and execution of the risk management activity plan within his or her division;
Performs day-to-day control over accepted risks, observance of limits, KRI values and execution of risk management activities;
Provides information about risks and activities to the Risk Committee on a timely basis; and
Captures and provides information on realized risks to the Risk Manager.

Participant: Company employees
Functions and responsibility:
Perform duties in the field of internal control and risk management as set out in their job descriptions;
Participate in risk assessment upon the request of the Compliance and Risk Management Function; and
Immediately inform their manager about any mistakes or drawbacks, actual or potential, that have resulted in actual losses or could result in losses for the Company.
Key Internal Control Processes
Analysis of Business Processes
Analysis of the Company business processes is conducted under the guidance of the Compliance and Risk Management Function in order to define the key control points and control means and evaluate their adequacy. Business process analysis is based on process flows that reflect the sequence of functions performed within a business process, and the connection between events and functions within a business process.
Assessment of the Current Control Procedures
Based on the results of the analysis of business processes, the Compliance and Risk Management Function conducts assessments of the existing control procedures and identifies missing control procedures. Assessment of the performance of control procedures is carried out to ensure a reasonable assurance of achieving the corresponding goals of the business process in question.
A list is prepared of missing control procedures and control procedures that require improvement or revision in order to prevent potential risks in the future.
Development of Control Procedures
Control procedures are developed by the function that is the business process owner and the Compliance and Risk Management Function. Control procedures are developed by establishing a set of measures aimed at reducing the likelihood of risk occurrence and the impact of their negative consequences.
Monitoring
Monitoring of the Internal Control and Risk Management System is a mechanism for the systematic review of the status, changes, and performance of the Company control procedures in order to timely identify negative tendencies, perform analysis based on observations, and prepare data for management to make internal control decisions.
Monitoring is carried out by the Compliance and Risk Management Function. The main method used for monitoring the performance of control procedures is monitoring against deadlines, i.e. defining control points for the development, alignment, approval and implementation of control procedures.
Goal Setting
Risk management is based on a system of precise, clear and measurable strategic and operational goals of the Company formulated by the CEO. General goals are set at the strategic level; management sets more specific tactical targets and tasks at lower levels. When risks are identified, threats to the achievement of these formalized goals and tasks are analysed.
Risk Identification
Risk identification is the process of identifying the underlying risk factors that affect the Company's operational indicators. The risk identification process is organized by the Compliance and Risk Management Function with the involvement of employees from the Company's structural divisions. Final responsibility for risk identification rests with the process owners.
Risk identification includes:
Identification of all risk types and factors that affect the achievement of the Company's strategic goals, the functioning of its business processes, and the performance indicators of the Company's structural divisions and projects. Both realized and potential risks should be identified;
Development of the Company Risk Register;
Risk assessment covering the key characteristics of the identified risks, and assessment of the likelihood, potential loss and maximum loss of each risk;
Rating of risks by level of significance;
Defining KRI values for the most critical and most significant risks; and
Description of the methods used for the control and management of identified risks.
The Risk Register contains the following data for each risk:
Risk Id;
Risk Type;
Risk Description;
Potential Outcome;
Treatment Plan;
Risk Score;
Likelihood Score;
Risk Rating;
Risk Status;
Assessment Frequency;
Risk Owner; and
Last Review Date.
The Risk Register is updated periodically (monthly, quarterly or yearly) as necessary, depending on the type of risk and as agreed with the structural divisions, and is the basis for the prioritized Risk Register.
The Risk Register records, for each risk, the risk management methods selected for it. A Risk Register can be developed for core business areas, business processes, individual divisions and projects, and describes the risks that directly affect that object.
The Company's prioritized Risk Register is developed monthly. It is reviewed by the Risk Committee and approved by the CEO.
Identification and Analysis of Risks. Mitigation Measures.
Due to the rapid pace of change in information technology, no list of risks can be exhaustive. The intention of this document is to describe a broad, representative set of risks as a basis for general guidance on risk management and mitigation. The specific risks the Company faces by engaging in financial dealer activities can be grouped according to the risk categories discussed in other risk management documents and, in this sense, the risks are not new. Categorising risks in this manner helps to identify systematically the risks in a financial dealer organisation. The following subsections present examples of specific risks and problems a financial dealer may face in its activities, grouped into risk categories.
While the basic types of risk are not new, the specific ways in which some of the risks arise, as well as the magnitude of their impact on the organisation, may be new for the business and for supervisors. Many of the risks and problems described apply to the financial dealer business in general; however, the degree to which a particular risk applies is likely to differ across financial dealer activities.
At this stage, Operational Risk, Market Risk, Counterparty Credit Risk and Liquidity Risk appear to be the most important risk categories for financial dealer activities (license A, B, C), especially for international businesses. The next subsections discuss specific manifestations of these types of risk; some specific problems cut across risk categories. For example, a breach of security that allows unauthorised access to customer information can be classified as operational risk, but such an event also exposes the organisation to legal and reputational risk. Even though these different types of risk may result from a single problem, appropriate risk management may require several remedies to address each of them.
Operational Risk
Operational risk is the risk of loss resulting from the actions of people, inadequate or failed internal processes and systems, or from external events. Operational risk can also arise from customer misuse. This is a particular risk in securities activities because of the complex and rapidly evolving nature of some financial or securities strategies. Operational risk also includes legal risk. Legal risk is the risk that a security or financial contract will not be legally enforceable. A number of factors contribute to legal risk, including the following:
The legal capacity and authority of a counterparty to enter into a securities or financial contract;
The securities or financial contract documentation being deficient or unenforceable; and
The securities or financial transaction not complying with regulatory requirements.
The Company ensures that the controls in place to manage operational risk are commensurate with the scale and complexity of the financial activity being undertaken. Before entering into a securities transaction, the Company ensures that processes and procedures are in place that demonstrate the following:
That its systems can support, and its operational capacity can accommodate, the types of financial or securities transactions that the Company is authorized to engage in;
That all relevant details of securities or financial transactions are documented;
That there are sufficient staff with the expertise to support the volume and types of complex securities transactions that the Company may enter into;
That staff who are involved in making decisions regarding the use of securities products such as derivatives receive ongoing education; and
That the methods for valuing positions are appropriate and the assumptions underlying those methods are reasonable.
Market risk
Market risk is the risk of losses in positions arising from movements in market variables like prices and volatility. Market risk can be influenced by many factors, including movements in interest rates, credit spreads, equity prices, exchange rates or commodity prices. There is no unique classification as each classification may refer to different aspects of market risk. Nevertheless, the most common types of market risks are:
Equity risk, the risk that stock or stock indices (e.g. Euro Stoxx 50, etc.) prices or their implied volatility will change.
Interest rate risk, the risk that interest rates (e.g. Libor, Euribor, etc.) or their implied volatility will change.
Currency risk, the risk that foreign exchange rates (e.g. EUR/USD, EUR/GBP, etc.) or their implied volatility will change.
Commodity risk, the risk that commodity prices (e.g. corn, crude oil) or their implied volatility will change.
Margining risk results from uncertain future cash outflows due to margin calls covering adverse value changes of a given position.
Shape risk is a type of basis risk when hedging a load profile with standard hedging products having a lower granularity.
Holding period risk is the risk that a firm's sales quote, which gives a potential retail client a certain time to sign the offer for a commodity, turns out to be a financial disadvantage for the offering firm because the wholesale market price has changed in the meantime. The risk is usually reduced by a risk premium added to the wholesale price of the commodity by the offering firm.
Basis risk in finance is the risk associated with imperfect hedging due to the variables or characteristics that affect the difference between the futures contract and the underlying "cash" position. It arises because of the difference between the price of the asset to be hedged and the price of the asset serving as the hedge before expiration.
Risk of derivative transactions that involve the use of leverage, as these transactions can increase market risk by magnifying losses.
To mitigate market risk, the Company monitors its market risk and leverage.
Securities transactions can expose the Company to market risk from a range of sources, and the amount of exposure can greatly exceed the initial investment. Market risk can be increased by the significant leverage effect of certain securities. For example, a minor fluctuation in the value of the underlying interest can cause large fluctuations in the value of a derivative, so the value of a derivative with a leverage effect can be highly volatile. The financial dealer should ensure that any securities transactions that involve the use of leverage are understood, and closely monitored and managed, in order to avoid undue risk. Limits should be established for the amount of leverage that the financial dealer may obtain through securities transactions, consistent with the maximum exposures authorized by the financial dealer's risk management framework. When establishing limits on the use of leverage, the financial dealer should take into account the Company's overall exposure from all of the leveraged investment strategies it has entered into. Setting limits allows the financial dealer to assess the maximum financial loss in the most extreme market conditions. These limits should be clearly understood by all parties who are authorized to enter into derivative transactions on behalf of the Company. Management should carefully consider the use of leverage when using derivatives, since losses can be greater than the money put into these instruments.
Counterparty Credit Risk
Counterparty credit risk is the risk of loss due to a counterparty's unwillingness or inability to meet its contractual obligations under a contract. When a financial dealer enters into a non-centrally cleared OTC transaction, it takes on the risk that its counterparty will default, causing the loss of the market exposure or hedge provided by the transaction and potentially the loss of any unrealized gain on open contracts. Prudent management of counterparty credit risk helps to minimize the loss in the event of a counterparty default.
To mitigate counterparty credit risk, the Company performs credit assessments of its counterparties.
Counterparty credit risk is managed through appropriate measurement of exposures, ongoing monitoring, timely evaluation of counterparties, and sound operating procedures. Before entering into a non-centrally cleared OTC securities contract, the financial dealer should conduct a comprehensive credit assessment of each proposed counterparty. Credit limits should be established for each counterparty, taking into account factors such as the counterparty's creditworthiness and whether collateral arrangements will be in place.
There are also some other risks that may affect the Company. All these risks are assessed and managed to the extent necessary by implementation of effective controlling and mitigation measures.
Security Risk
Security risk arises with respect to the controls over access to the financial dealer's critical accounting and risk management systems, the information it exchanges with other parties and, in the case of assets, the measures the Company uses to deter and detect counterfeiting. Controlling access to the financial dealer's systems has become increasingly complex because of expanded computer capabilities, the geographical dispersal of access points and the use of various communication paths, including public networks such as the Internet. It is important to note that, with assets, a breach of security could result in fraudulently created liabilities. Unauthorised access could lead to direct losses, added liabilities to customers or other problems.
A variety of specific access and authentication problems may occur. For example, inadequate controls could result in a successful attack by hackers operating via the Internet, who could access, retrieve and use confidential customer information. In the absence of adequate controls, an outside third party could access the financial dealer's computer systems and introduce malicious software into them.
In addition to external attacks on systems, the financial dealer business is exposed to operational risk with respect to employee fraud: employees could surreptitiously acquire authentication data in order to access customer accounts. Inadvertent errors by employees may also compromise the financial dealer's systems.
Of direct concern to supervisory authorities is the risk of criminals counterfeiting assets, which is heightened if financial dealer businesses fail to incorporate adequate measures to detect and deter counterfeiting. A financial dealer faces operational risk from counterfeiting, as it may be liable for the amount of the falsified balance. In addition, there may be costs associated with repairing a compromised system.
Systems Design, Implementation, and Maintenance
A financial dealer faces risk when the systems it chooses are not well designed or implemented. For example, the business is exposed to the risk of interruption or slow-down of its existing systems if the system it chooses is not compatible with user requirements.
Many financial businesses are likely to rely on outside service providers and external experts to implement, operate and support portions of their activities. Such reliance may be desirable because it allows a business to outsource aspects of its activities that it cannot provide economically itself. However, outsourcing exposes a business to operational risk. Service providers may not have the requisite expertise to deliver the services the financial dealer expects, or may fail to update their technology in a timely manner. A service provider's operations could be interrupted by system breakdowns or financial difficulties, jeopardising the financial dealer's ability to deliver its products or services.
The rapid pace of change that characterises information technology presents businesses with the risk of systems obsolescence. For example, computer software that facilitates customers' use of financial products will require updating, but the channels for distributing software updates pose risks where criminal or malicious individuals could intercept and modify the software unless updates are integrity-protected (for example, digitally signed and verified before installation). In addition, rapid technological change can mean that staff fail to fully understand the nature of new technology employed by the business, which could result in operational problems with new or updated systems.
Customer Misuse of Products and Services
As with traditional financial services, customer misuse, both intentional and inadvertent, is another source of operational risk. The risk is heightened where a financial dealer's business does not adequately educate its customers about security precautions. Additionally, in the absence of adequate measures to verify transactions, customers may be able to repudiate transactions they previously authorised, inflicting financial losses on the organisation. Customers transmitting personal information (e.g. authentication data, bank account numbers) over non-secure electronic channels could allow criminals to gain access to their accounts, and the financial dealer business may then incur financial losses from transactions customers did not authorise. Money laundering may be another source of concern.
Reputational Risk
Reputational risk is the risk of significant negative public opinion that results in a critical loss of funding or customers. It may involve actions that create a lasting negative public image of the financial dealer's overall business operations, such that the business's ability to establish and maintain customer relationships is significantly impaired. This risk may also arise if actions by the business cause a major loss of public confidence in the business's ability to perform functions critical to its continued operation. Reputational risk can arise in response to actions the Company itself takes or in response to actions of third parties. Increased reputational risk is often a direct corollary of heightened risk exposure or problems in other risk categories, particularly operational risk.
Reputational risk may arise when systems or products do not work as expected and cause widespread negative public reaction. A significant breach of security, whether as a result of external or internal attacks on the Company's systems, can undermine public confidence in the business. Reputational risk may also arise where customers experience problems with a service but have not been given adequate information about product use and problem resolution procedures.
Mistakes, malfeasance and fraud by third parties may also expose the Company to reputational risk. Reputational risk can arise from significant problems with communication networks that impair customers' access to their funds or account information, particularly if there is no alternative means of account access. Substantial losses caused by the mistakes of another institution offering the same or similar financial products or services may cause the Company's customers to view its products or services with suspicion, even if the Company itself did not face the same problems. Reputational risk may also arise from targeted attacks on a business; for example, an attacker who penetrates a company's website may alter it to spread inaccurate information about the company or its products. Reputational risk may be significant not only for the Company but also for the financial dealer sector as a whole.
Cross-Border Issues
Financial dealer activities are based on technology that by its very nature is designed to extend the geographic reach of businesses and customers. Such market expansion can extend beyond national borders, highlighting certain risks. Financial dealer businesses may face different legal and regulatory requirements when they deal with customers across national borders. There may be uncertainty about the legal requirements that apply to financial dealer services in some countries. In addition, there may be jurisdictional ambiguities with respect to the responsibilities of different national authorities. Such considerations may expose financial dealer businesses to legal risk associated with non-compliance with various national laws and regulations, including consumer protection laws, record-keeping and reporting requirements, privacy rules, and anti-money laundering laws.
Operational risk could arise for a financial dealer business dealing with a service provider located in another country, which for that reason may be more difficult to monitor. Companies may also face other risks as they provide financial dealer activities as cross-border services. Financial dealer businesses dealing with foreign-based service providers or with foreign participants in financial dealer activities are subject to country risk to the extent that foreign parties become unable to fulfil their obligations due to economic, social or political factors. A business offering services via open networks like the Internet may be exposed to credit risk, in that applications for credit from customers in other countries may be more difficult to evaluate with procedures based upon a more familiar customer base. A business accepting foreign currencies in payment for services may be subject to market risk because of movements in foreign exchange rates.
Risk Management
For an increasing number of financial businesses there may be a strategic reason for engaging in financial dealer activities. Greater use of financial dealer services may further increase the efficiency of business finance, benefiting consumers and merchants. At the same time, as the preceding discussion indicates, there are risks for businesses engaging in financial dealer activities. Risks must be balanced against benefits; companies must be able to manage and control risks and absorb any related losses if necessary. Risks from financial dealer activities should also be evaluated in the context of the other risks the company faces. Even though financial dealer activities may currently represent a relatively small portion of the overall activities of the business, supervisors may still require senior management's assurance that critical systems are not threatened by the risk exposures the Company takes.
The rapid pace of technological innovation is likely to change the nature and scope of the risks companies face in financial dealer business. Supervisors expect businesses to have processes that enable management to respond to current risks and adjust to new risks. A risk management process that includes the three basic elements of assessing risks, controlling risk exposure and monitoring risks will help organisations and supervisors attain these goals. Businesses may employ such a process when committing to new financial dealer activities and as they evaluate existing commitments to these activities. It is essential that companies have a comprehensive risk management process in place that is subject to appropriate oversight by senior management. As new risks in financial dealer activities are identified and assessed, the CEO and director must be kept informed of these changes. Before any new activity is commenced, a comprehensive review should be conducted so that senior management can ensure that the risk management process is adequate to assess, control and monitor any risks arising from the proposed new activity.
Assessing Risks
Assessing risks is an ongoing process which typically involves three steps. Firstly, the Company should engage in a rigorous analytic process to identify risks and, where possible, to quantify them. Where risks cannot be quantified, management should still identify how potential risks can arise and the steps it has taken to limit them. Company management should form a reasonable and defensible judgement of the magnitude of any risk with respect to both the impact it could have on the business (including the maximum potential impact) and the probability that such an event will occur. Secondly, senior management should determine the business's risk tolerance, based on an assessment of the losses the business can afford to sustain in the event that a given problem materialises. Finally, management can compare its risk tolerance with its assessment of the magnitude of a risk to ascertain whether the risk exposure fits within the tolerance limits.
Managing and Controlling Risks
Having assessed its risks and its risk tolerance, Company management should take steps to manage and control those risks. This phase of the risk management process includes activities such as implementing security policies and measures, co-ordinating internal communication, evaluating and upgrading products and services, implementing measures to ensure that outsourced risks are controlled and managed, providing disclosures and customer education, and developing contingency plans. Senior management should ensure that staff responsible for enforcing risk limits have authority independent from the business unit undertaking the financial dealer activity. Financial dealer businesses increase their ability to control and manage the various inherent risks by setting out policies and procedures in written documentation made available to all relevant staff.
Security Policies and Measures
Security is the combination of systems, applications and internal controls used to safeguard the integrity, authenticity and confidentiality of data and operating processes. Proper security relies on the development and implementation of adequate security policies and security measures for processes within the organisation and for communication between the business and external parties. Security policies and measures can limit the risk of external and internal attacks on financial dealer systems, as well as the reputational risk arising from security breaches.
The information security policy states management's intentions to support information security and provides an explanation of the business's security organisation. It also establishes guidelines that define the Company's security risk tolerance. The policy may define responsibilities for designing, implementing and enforcing information security measures, and it may establish procedures to evaluate policy compliance, enforce disciplinary measures, and report security violations. Security measures are combinations of hardware and software tools, and personnel management, that contribute to building secure systems and operations. Senior management should regard security as a comprehensive process that is only as strong as its weakest link. The Company can choose from a variety of security measures to prevent or mitigate external and internal attacks and misuse of assets. Such measures include, for example, encryption, passwords, firewalls, virus controls, and employee screening. Encryption is the use of cryptographic algorithms to transform clear text data into ciphertext to prevent unauthorised observation. Passwords, passphrases, personal identification numbers, hardware-based tokens, and biometrics are techniques for controlling access and identifying users.
Firewalls are combinations of hardware and software that screen and limit external access to internal systems connected to open networks such as the Internet. Firewalls may also separate segments of internal networks using Internet technology (intranets). Firewall technology, if properly designed and implemented, can be an effective means of controlling access and safeguarding data confidentiality and integrity. Because this technology is complex to design and can be costly, its strength and capabilities should be proportionate to the sensitivity of the information being protected. A well-planned design should include enterprise-wide security requirements, clear procedures for operation, separation of duties, and selection of trusted personnel who are responsible for the configuration and operation of the firewall. Although firewalls screen incoming traffic, they do not necessarily protect against virus-infected programs downloaded from the Internet. As a consequence, management should develop prevention and detection controls to reduce the chance of virus attack and data destruction, particularly for remote services. Programmes to mitigate the risk of a virus infection may include network controls, end-user policies, user training, and virus detection software.
Not all security threats are external. The financial dealer systems should also be safeguarded, to the extent possible, against unauthorised activities by current and former employees. As with existing business activities, background checks for new employees, temporary employees, and consultants, as well as internal controls and separation of duties are important precautions to protect system security.
For financial dealer activities, additional security measures may help deter attacks and misuse, including counterfeiting and money laundering. Such measures could include on-line interaction with the issuer or a central operator; monitoring and tracing individual transactions; maintenance of cumulative records in a central database; the use of tamper-resistant devices incorporated into stored-value cards and merchant hardware; and the use of value limits and expiration dates on stored-value cards.
Internal Communication
Aspects of operational, reputational, legal and other risks can be managed and controlled if senior management communicates to key staff how the provision of financial dealer services is intended to support the overall goals of the business. At the same time, technical staff should clearly communicate to senior management how systems are designed to work, as well as the strengths and weaknesses of systems. Such procedures can reduce operational risks of poor system designs, including incompatibility of different systems within organisation; data integrity problems; reputational risk associated with customer dissatisfaction that systems did not work as expected; and credit and liquidity risk. To ensure adequate internal communication, all policies and procedures should be provided in writing. In addition, senior management should adopt a corporate policy of ongoing education and upgrading of skills and knowledge, consistent with the pace of technological innovation in order to limit operational risks arising from lack of staff and management expertise. Training may include technical course work, as well as time for staff to keep abreast of important market developments.
Evaluating and Upgrading
Evaluating products and services before they are introduced on a widespread basis can also help limit operational and reputational risks. Testing validates that equipment and systems function properly and produce desired results. Pilot programs or prototypes can be helpful in developing new applications. The risk of system slowdowns or disruptions can also be reduced by policies to review the capabilities of existing hardware and software regularly.
Outsourcing
One of the growing trends in the industry is for businesses to focus strategically on core competencies and rely on external parties specialising in activities outside the company's expertise. While these arrangements may offer benefits such as cost reduction and economies of scale, outsourcing does not relieve the Company of ultimate responsibility for controlling the risks that affect its operations. Consequently, businesses should adopt policies to limit the risks arising from reliance on outside service providers. For example, company management should monitor the operational and financial performance of its service providers; ensure that contractual relations between the parties, as well as the expectations and obligations of each party, are clearly understood and are defined in written, enforceable contracts; and maintain a contingency arrangement to change service providers promptly if necessary.
Security of the business's sensitive information is critically important. Outsourcing arrangements may require the Company to share sensitive data with service providers. Management should evaluate the ability of a service provider to maintain the same level of security as if the activities were conducted in-house, by reviewing the service provider's policies and procedures for protecting sensitive data. Additionally, supervisors may wish to have the right to independently assess, when necessary, the competence and the operational and financial performance of the service providers.
Disclosures and Customer Education
Disclosures and customer education may help the Company limit legal and reputational risk. Disclosures and programmes to educate customers that address how to use new products and services, the fees charged for services and products, and problem and error resolution procedures can help businesses comply with customer protection and privacy laws and regulations. Disclosures and explanations about the nature of the Company's relationship to linked websites may help reduce the legal risk to the Company arising from problems with services or products on the linked sites.
Contingency Planning
The company can limit the risk of disruptions in internal processes or in service or product delivery by developing contingency plans that establish its course of action in the event of a disruption in its provision of financial dealer services. The plan may address data recovery, alternative data-processing capabilities, emergency staffing and customer service support. Backup systems should be tested periodically to ensure their continued effectiveness. Businesses should ensure that their contingency operations are as secure as their normal production operations.
An important aspect of financial dealer business is the reliance on external entities including hardware vendors, software providers, Internet service providers, and telecommunications companies. Business management may insist that such service providers have backup capabilities. In addition, management may consider compensating actions it can take in the event that service providers become impaired. Such plans could include short-term contracting with other providers and a policy describing how the business will address customer losses associated with service disruption. The Company should also consider the advisability of reserving the right to change service providers promptly if necessary. Contingency planning may also help limit reputational risk arising from the business's own actions or from problems experienced by another institution offering the same or similar financial dealer products or services. For instance, financial dealer businesses may wish to establish procedures to address customer problems during system disruptions.
Monitoring Risks
Ongoing monitoring is an important aspect of any risk management process. For financial dealer activities, monitoring is particularly important both because the nature of activities is likely to change rapidly as innovations occur, and because of the reliance of some products on the use of open networks such as the Internet. Two important elements of monitoring are system testing and auditing.
System Testing and Surveillance
Testing of system operations can help detect unusual activity patterns and avert major system problems, disruptions and attacks. Penetration testing focuses upon the identification, isolation and confirmation of flaws in the design and implementation of security mechanisms through controlled attempts to penetrate a system outside the normal procedures. Surveillance is a form of monitoring in which software and audit applications are used to track activity. In contrast to penetration testing, surveillance focuses on monitoring routine operations, investigating anomalies and making ongoing judgements regarding the effectiveness of security by testing adherence to security policies.
Auditing
Auditing (internal and external) provides an important independent control mechanism for detecting deficiencies and minimising risks in the provision of financial dealer services. The role of an auditor is to ensure that appropriate standards, policies, and procedures are developed, and that the business consistently adheres to them. Audit personnel must have sufficient specialised expertise to perform an accurate review. An internal auditor should be separate and independent from employees making risk management decisions. To augment an internal audit, management may seek qualified external auditors such as computer security consultants or other professionals with relevant expertise in order to provide an independent assessment of the financial dealer activity.
Management of Cross-Border Risks
Cross-border risks may be more complex than the risks companies face within their home country. Hence, companies and supervisors may need to devote added attention to assessing, controlling and monitoring the operational, reputational, legal and other risks arising from cross-border financial dealer activities.
Businesses that choose to provide services to customers in different national markets will need to understand the different national legal requirements and develop an appreciation for national differences in customer expectations and knowledge of products and services. In addition, senior management should ensure that existing systems for credit extension and liquidity management take into account potential difficulties arising from cross-border activities. A business may need to assess country risk and develop contingency plans that take into account service disruptions due to problems in the economic or political climate abroad. A business may also face difficulties in enforcing the fulfilment of a foreign service provider's obligations. In the case of companies relying on service providers located abroad, national supervisors may want to assess the accessibility of information from, and consider the activities of, cross-border service providers on a case-by-case basis.
National supervisors can play an important role by identifying and discussing jurisdictional ambiguities. They can also continue efforts to develop measures to detect unsafe and illegal practices. Finally, national supervisors can continue and strengthen cooperative efforts to share information about product and service innovations as well as industry practices.
Settlement Risk
An institution's actual exposure (the amount at risk) when settling a foreign exchange trade equals the full amount of the currency purchased, and lasts from the time a payment instruction for the currency sold can no longer be cancelled unilaterally until the time the currency purchased is received with finality.
Although settling a trade involves numerous steps, from a settlement risk perspective the status of a trade, from the time it is executed until the time it is settled, can be classified into five broad categories:
Status
Description
Revocable
The institution's payment order for the sold currency either has not been issued or may be unilaterally cancelled without the consent of the institution's counterparty or any other intermediary. The institution faces no current settlement exposure for this trade.
Irrevocable
The institution's payment order for the sold currency can no longer be cancelled unilaterally, either because it has been finally processed by the relevant payment system or because of some other reason (e.g. internal procedures, correspondent banking arrangements, local payment system rules, laws, etc.) making cancellation dependent upon the consent of the counterparty or another intermediary; final receipt of the bought currency is not yet due. In this case, the bought amount is clearly at risk.
Uncertain
The institution's payment instruction for the sold currency can no longer be cancelled unilaterally; receipt of the bought currency is due, but the institution does not yet know whether it has received these funds with finality. In normal circumstances, the institution expects to have received the funds on time. However, since it is possible that the bought currency was not received when due (e.g. owing to an error or to a technical or financial failure of the counterparty or some other intermediary), the bought amount might, in fact, still be at risk.
Fail
The institution has established that it has not received the bought currency from its counterparty. In this case the bought amount is overdue and remains clearly at risk.
Settled
The institution knows that it has received the bought currency with finality. From a settlement risk perspective, the trade is considered settled and the bought amount is no longer at risk.
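The five statuses above, together with the duration and minimum/maximum exposure measures discussed under Managing Settlement Risk below, can be expressed as a small classification routine. The following Python is an added illustration and is not part of this Policy or of the Company's own systems. The trade fields, the sample trades, the observation time and the counterparty limits are constructed; the amounts are assumed to be already converted into a single reporting currency; and the minimum/maximum convention (the minimum counts Irrevocable and Fail trades, the maximum also counts Uncertain trades) is an assumption of the example rather than something the Policy specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The five trade statuses from the settlement-risk table; three of them carry exposure.
REVOCABLE, IRREVOCABLE, UNCERTAIN, FAIL, SETTLED = (
    "Revocable", "Irrevocable", "Uncertain", "Fail", "Settled")
AT_RISK = {IRREVOCABLE, UNCERTAIN, FAIL}


@dataclass
class FxTrade:
    """One FX trade seen from the buying institution's side (constructed field set)."""
    trade_id: str
    counterparty: str
    bought_ccy: str
    bought_amount: float                  # assumed already converted to a reporting currency
    cancel_deadline: datetime             # last moment the sold-currency payment order can be cancelled unilaterally
    receipt_due: datetime                 # when final receipt of the bought currency is due
    receipt_confirmed: Optional[datetime] = None   # when receipt with finality was identified
    fail_confirmed: Optional[datetime] = None      # when non-receipt was established


def status_at(trade: FxTrade, now: datetime) -> str:
    """Classify a trade at time `now` using the five statuses of the table."""
    if trade.receipt_confirmed is not None and now >= trade.receipt_confirmed:
        return SETTLED       # identified final receipt ends the exposure, even after an earlier fail
    if trade.fail_confirmed is not None and now >= trade.fail_confirmed:
        return FAIL          # non-receipt established: bought amount overdue and at risk
    if now < trade.cancel_deadline:
        return REVOCABLE     # order can still be cancelled: no current exposure
    if now < trade.receipt_due:
        return IRREVOCABLE   # order irrevocable, receipt not yet due: clearly at risk
    return UNCERTAIN         # receipt due but not yet identified: might still be at risk


def exposure_by_counterparty(trades: List[FxTrade], now: datetime) -> Dict[str, Tuple[float, float]]:
    """Return {counterparty: (minimum, maximum)} exposure in reporting-currency units.

    Assumed convention: the minimum counts trades that are certainly at risk
    (Irrevocable, Fail); the maximum also counts Uncertain trades.
    """
    out: Dict[str, Tuple[float, float]] = {}
    for t in trades:
        s = status_at(t, now)
        lo, hi = out.get(t.counterparty, (0.0, 0.0))
        if s in (IRREVOCABLE, FAIL):
            lo += t.bought_amount
        if s in AT_RISK:
            hi += t.bought_amount
        out[t.counterparty] = (lo, hi)
    return out


def limit_breaches(trades: List[FxTrade], now: datetime, limits: Dict[str, float]) -> List[str]:
    """Counterparties whose maximum exposure exceeds their settlement limit (no limit means zero)."""
    exposures = exposure_by_counterparty(trades, now)
    return sorted(cp for cp, (_, hi) in exposures.items() if hi > limits.get(cp, 0.0))


def exposure_duration(trade: FxTrade) -> Optional[timedelta]:
    """How long the bought amount was at risk for a settled trade; None while unsettled."""
    if trade.receipt_confirmed is None:
        return None
    return max(trade.receipt_confirmed - trade.cancel_deadline, timedelta(0))


# Constructed sample data: five trades, one per status, observed at 2024-01-03 10:00.
NOW = datetime(2024, 1, 3, 10, 0)
SAMPLE_TRADES = [
    FxTrade("T1", "BankA", "EUR", 5_000_000, datetime(2024, 1, 3, 14, 0), datetime(2024, 1, 3, 17, 0)),
    FxTrade("T2", "BankA", "JPY", 3_000_000, datetime(2024, 1, 3, 8, 0), datetime(2024, 1, 3, 16, 0)),
    FxTrade("T3", "BankB", "GBP", 2_000_000, datetime(2024, 1, 2, 20, 0), datetime(2024, 1, 3, 9, 0)),
    FxTrade("T4", "BankB", "USD", 1_000_000, datetime(2024, 1, 2, 12, 0), datetime(2024, 1, 2, 18, 0),
            fail_confirmed=datetime(2024, 1, 3, 9, 30)),
    FxTrade("T5", "BankC", "CHF", 4_000_000, datetime(2024, 1, 2, 12, 0), datetime(2024, 1, 2, 18, 0),
            receipt_confirmed=datetime(2024, 1, 2, 19, 0)),
]
SAMPLE_LIMITS = {"BankA": 4_000_000, "BankB": 2_500_000, "BankC": 10_000_000}

if __name__ == "__main__":
    for t in SAMPLE_TRADES:
        print(f"{t.trade_id} {t.counterparty}: {status_at(t, NOW)}")
    for cp, (lo, hi) in exposure_by_counterparty(SAMPLE_TRADES, NOW).items():
        print(f"{cp}: min {lo:,.0f} max {hi:,.0f}")
    print("limit breaches:", limit_breaches(SAMPLE_TRADES, NOW, SAMPLE_LIMITS))
```

Two design points follow directly from the table: a trade is classified by comparing the observation time with the cancellation deadline and the due time, so the unilateral cancellation deadline for each currency must be known exactly (the point made under Duration of FX settlement exposure), and identified final receipt is checked first so that a late receipt after a Fail correctly ends the exposure. In the sample, BankB breaches its limit only on the maximum measure, which is why both minimum and maximum exposure are reported.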
Managing Settlement Risk
The Company will ensure that the senior management team receives appropriate training and will maintain and monitor the key points below:
The nature of settlement risk:
Institution should understand the nature and effect of settlement risk
Institution should treat FX settlement exposures as being equivalent to other credit exposures.
Senior management responsibilities:
Senior management should ensure that they fully understand the FX settlement risks incurred by the institution
Senior management should formulate a policy on settlement risk and review it regularly
Institution should have clear procedures for measuring and managing exposure
Adequate training should be provided to all staff responsible for the various aspects of FX settlement risk
Senior management should exercise appropriate oversight of settlement exposures
Settlement risk should be integrated into other risk management.
Duration of FX settlement exposure:
Institution should know and apply methods for measuring the duration of settlement exposure
Institution needs to be certain when the unilateral cancellation deadline is for each currency
Measurement of FX settlement exposures:
Recognised methods should be used to measure both minimum and maximum risk
Measurement of settlement risk should constitute part of the general risk assessment and management
Setting and using limits:
A normal limit should be set for exposures to each counterparty
Methods should be devised to determine a limit for exposures to each counterparty.
Procedures for managing fails and other problems:
Institution should have procedures for quickly identifying fails and taking appropriate action
Institution needs to strike a balanced approach in its reactions to fails.
Contingency planning:
Institution should undertake contingency planning and stress testing
Contingency plans should be established to include a broad spectrum of stress events
Contingency planning for FX settlement problems should be coordinated with planning for other problems
Contingency plans should be tested periodically.
Improving the management of FX settlement exposures:
Financial dealer institutions should develop recognised methods for management of FX risks
The duration or size of the settlement exposures relating to FX deals should be reduced
The Company should negotiate better cancellation cut-off times with correspondents
Methods for identifying receipts should be improved
Internal processing should be improved
Collateral arrangements should be managed properly.
Netting agreements should be legally sound.
Use of bilateral netting:
The advantages of establishing bilateral netting towards counterparties should be assessed
Sound methods should be developed for measuring the effect of netting on settlement risk
The legal basis for payment netting arrangements should be sound.
Alternative arrangements for FX settlement risk reduction:
Institutions should assess the advantages of adopting new risk-reducing arrangements, in particular direct or indirect participation in settlement arrangements
Institutions should assess the effect of such participation on all risk factors in their operations.
Company responsibilities to its counterparties:
Company needs to be aware that its own behaviour affects the settlement risk faced by its counterparties
Institution should take account of its counterparties in order to preclude settlement problems.
The role of supervisors:
Supervisors should make sure that institutions measure, monitor and manage FX settlement risk appropriately and use risk management methods
Supervisors should share information about FX settlement risk problems.
Development of Risk Management Activities
Development of activity plans for critical risk management aims to reduce losses and/or risk likelihood. The activities should be based on the economic feasibility principle – the cost of implemented activities should not exceed the expected loss from risk occurrence. Activity plans are developed by the Risk Owners and should contain a clear definition of tasks, responsible persons and due dates.
When developing critical risk management activities, risk interdependencies should be taken into account. The Compliance and Risk Management Function consolidates the developed activity plans, analyses the impact of each proposed activity on other risks and organizes cooperation between Risk Owners in order to optimize activity plans.
Monitoring of Risk Management
Monitoring of risk management involves control of the risk level. Monitoring helps to track the dynamics of changes in the risk characteristics and whether the desired result from the implementation of the various risk management measures has been achieved. Monitoring is performed by the Compliance and Risk Management Function by collecting information on critical risk dynamics and on the execution of the plan of risk management activities received from the Risk Owners, and also by tracking the values of the KRIs developed during the risk identification and assessment process.
Implemented activities can be adjusted or additional activities developed based on the monitoring results. The risk management performance evaluation is carried out based on:
Analysis of changes in the dynamics of the risk assessment;
Analysis of the integrity and completeness of the risk mitigation measures; and
Changes in the dynamics of the KRIs.
In order to allocate responsibility for achieving target KRIs, they can be set as Key Performance Indicators for managers.
Reporting Under the Internal Control and Risk Management
Presentations for the CEO, Committee, etc. are the presentation materials (in MS PowerPoint) including key information on risks and the status of the risk management process, current and future risk management tasks, and the Company's internal control system.
Internal control and risk management reporting documents ensure solving of risk management tasks, focus on a meaningful and transparent exchange of risk information, and provide information to decision makers. Internal control and risk management regulatory documents are based on, aligned with and do not contradict the provisions of this Policy.