Risk Management is the Core Competency of Securities Companies （Translation）

* By Lu Ya, Deputy Chairman of the Risk Management Committee of the Securities Association of China

*This article is from Volume 12 of 2020 China Securities and “Commemorate the 30th Anniversary of Chinese Capital Market” Special Edition, originally in Chinese, translated by Tianyuan "Robert" Zhang.

The year 2020 marks the 30th anniversary of the establishment of the Chinese capital market. As one of the most important participants, securities companies have experienced the entire process of capital market development. The sound growth of the market is inseparable from the steady operation of them, and in turn is inseparable from their risk management function. It can be said that the risk management has acted as the defensive escort for the industry. During the period, it has gone through a process of birth, evolution, and maturation.?Risk management is the core competency for securities companies and will continue to create intangible value. Since our capital market will open further to outside world and domestic innovation, businesses of securities companies will grow in the breadth and depth, and their risk management teams will occupy a increasingly significant position in the industry.

?I.History

The risk management of securities companies has gone through three stages of development: the rise of the securities industry in the early 1990s to 2004, 2005 to 2012, and 2013 to present. The regulatory framework is the primary driver of proper risk management, rules and regulations of self-regulatory organizations assisted, and the large market fluctuation raised firms’ awareness of the risk and compelled them to improve risk management capabilities.

1. The first stage, the risk management’s inception from the early 1990s to 2004. Urged by the regulator, securities companies started to preliminarily control risk specialized by lines of business (LoB). The ex-post inspection of the internal auditor was the main force for risk control in the brokerage business.

From the 1980s to the early 1990s, with the emergence of stock issuance and securities exchange, the retail offices of securities companies and other financial institutions sprouted from Shenzhen and Shanghai, and then spread to Beijing, coastal provinces, and the capital of the inland provinces. The companies were under the joint jurisdiction of the People’s Bank of China (PBOC), the local branches of PBOC, and local treasury departments.

During this period, securities companies mainly focused on brokerage business, while their stock proprietary investment in the secondary market and the IPO underwriting business gradually expanded. They generally did not have a specialized risk management department. The risk was mainly operational, and was managed locally by business lines focusing on internal control. The audit department assumed the responsibility of ex-post risk control to a certain extent, providing management improvement suggestion to decision makers through internal inspections and audits. Unfortunately, it is only after the rise and fall of market that the companies improved their risk control for their clients and for proprietary business, which can only be thought of as an awakening after pain.

The main risk of securities brokerage business was the misappropriation of client funds. Since the trading settlement funds for clients and securities companies were commingled, the retail offices generally had the authority to access both funds in their trading IT system. Operational risks were widely spread, such as malicious overdraft by clients, unsolicited margin financing by retail offices, fraudulent misappropriation of client funds by the firms and employees. When the market plummeted, large losses resulting from these risks were exposed. Therefore, the main theme of managing risk for this stage was to control the client overdraft risk by iteratively updating IT system. Measures on the Management of Client Transaction Settlement Funds was formally implemented in 2002 by China Securities Regulatory Commission (hereinafter referred to as the "CSRC") to clarify that client transaction settlement funds must be deposited to a third party, providing a risk mitigation mechanism for the entire industry.

Information technology risks such as the failure of the software and hardware, and the improper authorization are more controlled by the ability and awareness of the information technology department of each firm.

The investment banking business focuses on deal contracting. In December 1999, the CSRC issued the Notice on the Establishment of a Securities Issuance Internal Verification Team, requiring securities companies to establish an internal verification organization to conduct internal audits and decide on investment banking deals. Since then, the quality control relatively independent of the front-office personnel came into existence.

There were almost no such terms as "investment decision", "risk measurement" and "monitoring" in the proprietary stock investment. After three major market downfalls from 1992 to 1995, the CSRC issued the Securities Companies’ Proprietary Business Management Measures in 1996, specifying the risk management of this business from areas including organizational structure, control measures, and monitoring indicators. Only after the introduction of this regulatory system, the concept of "risk indicators" started to exist for securities companies.

The CSRC issued the Guidelines for the Internal Control of Securities Companies in January 2001 and the Guidelines for the Governance of Securities Companies in 2003. The former listed detailed internal control measures for various major business lines, and both guidelines put forwards basic requirements on the companies’ internal control and governance.

2. The second stage, from 2005 to 2012. The combination of the top-level design of the securities regulatory authority and the guidance issued by industry self-regulatory organizations has led the risk management of securities companies to transition from simple risk control by LoBs to a system focusing on the risk tolerance?

The securities regulatory agencies pushed the fundamental improvement of the industry risk management through top-level design, while industry self-regulatory organizations help the industry establish a targeted risk management structure in terms of specific business risks and specific risk management tools. During this period, securities companies generally established independent departments to manage risk in a targeted manner according to the types of risks. Some securities firms have established market risk limits such as stop loss, exposure, and VaR. The monitoring, measurement and assessment capability of market and credit risk was indeed enhanced.

(1)?Comprehensive Governance improved the industry’s governance structure and internal control, extended the scope of risk management, and improves the ability to manage compliance and operational risks

Beginning in August 2004, in accordance with the direction of the State Council, the CSRC began to adopt a series of measures to implement Comprehensive Governance on securities companies, which was declared completed in August 2007. Scheme of Comprehensive Governance of Securities Companies was officially released in July 2005, which established the overall goal of Comprehensive Governance, the triangular approach including risk management, standing supervision, and industry development. The scheme specified that before the end of 2007, securities companies shall: 1)closely observe a mandatory public disclosure requirement;2) submit true, accurate, and complete regulatory reports; 3) keep clients’ assets safe and complete, ensure that firms’ business risks effectively insulated from society’s risks, and implement a third-party custody mechanism for?client transaction settlement funds; 4)comprehensively establish compliance culture, and standardize business operation; 5)enhance internal control and risk management capabilities, basically resolve legacy issues, carry out market-oriented innovations in an orderly manner, significantly improve profit model, and ensure that the overall financial condition is robust and that no material hidden danger for the industry.

After the Comprehensive Governance, problems involving illegal wealth management, and the misappropriation of margin funds and bonds have drastically reduced. Through consolidation, liquidation, write-off, and divestiture, off-book operations have also drastically reduced, and the risks of the industry have been effectively and substantially mitigated.

The operational risk of the securities brokerage business was further controlled through various institutional arrangements purposed under regulatory requirements such as third-party custody and vertical branch management.

(2) Through risk control indicators, supervision and other regulatory rules, the risk tolerance of securities companies and risk control measures for major businesses have been established

The issuance of the "Measures for the Management of Risk Control Indicators for Securities Companies" in July 2006 opened the door to firmwide risk management. The implementation of the measure has extraordinary guiding significance, as it clarifies the risk control indicator system with capital management at the core, and the calculation rules of the indicators and the threshold of the indicators became the risk tolerance level in the regulatory sense. The regulations on the Supervision and Administration of Securities Companies issued in July 2008 specifies the risk control mechanism of each major business. The Regulations on Classified Supervision of Securities Companies issued in May 2009 classifies companies by the management capabilities of securities companies in terms of liquidity risk, compliance risk, market risk, credit risk, IT risk, and operational risk, etc., corresponding to companies’ capital adequacy, corporate governance, compliance management, dynamic risk monitoring, IT security, consumer rights protection, and information disclosure. It is by this evaluation that regulators guide them to improve their risk management capabilities.

(3) Business innovation drives the industry to explore credit risk management methods and tools, and enrich the risk management system

One aspect of Comprehensive Governance was to clean up the asset management business, which was eventually completed. In 2006, the CSRC authorize Innovative Pilot Securities Companies to carry on asset management business on trial, and successively liberalized the management product approvals of several companies, and began to experiment with investment decisions, risk measurement, and monitoring involved.

The margin trading and securities lending business launched on a pilot basis in 2006 is an industry innovation in the history of China's securities industry. The margin trading business is not only the first time that a securities company carried out the business of taking the credit risk of the counterparty to obtain income, but also enabled the securities company to embark on the road of debt management, and thus truly become a financial institution. The launch of the "Two Financials"(acronyms in Chinese referring to margin trading and securities lending) directly challenged the credit risk management capabilities of the companies. In August 2006, CSRC issued the Internal Control Guidelines for the Margin Trading and Securities Lending Business of Securities Companies, which regulates its borrower approval and credit extension, mark-to-market collateral evaluation, and default collection. “Two Financials” pilot securities firms have established a set of process to management counterparty rating, credit extension, monitoring, and disposal.

The Securities Association of China(SAC) issued the Guidelines for Managing OTC Trading Risk for Financial Derivatives of Securities Companies in March 2013, which stipulated principles for the risk management structure of so-mentioned business and specific control measures, intended to establish risk indicators valuation model, and monitoring system corresponding to derivatives in the industry. The pilot securities companies in the OTC derivatives business began to apply advanced measurement models and monitoring indicators in terms of credit and market risk.

(4) Stress testing has been widely used as a supplement to risk assessment

In March 2011, the SAC in collaboration with industry experts issued the Guidelines for the Stress Tests of Securities Companies. Stress testing has been carried out by multiple contexts in large securities firms, and is considered an effective supplement to risk assessment; all securities firms in the industry now conduct annual comprehensive stress tests by the mandates of the guidelines, which have provided some guidance for annual business planning and budgeting.

3.??The third stage, from 2013 to present. The promulgation of the enterprise risk management norms marks that the risk management of securities companies has entered the ERP stage

2012-2015 is a period when regulator pushed the innovation and development of the industry. June and August of 2015, the industry experienced unprecedented market volatility. In 2014, industry self-regulatory organizations were the mainstay of promoting securities companies to establish an enterprise risk management system.

(1) Regulations on Enterprise Risk Management of Securities Companies guides the leap forward of risk management quality

In February 2014, CSRC forwarded the Regulations for Enterprise Risk Management of Securities Companies issued by SAC. The regulation laid out the management principles of the firm from six areas: risk management rules, organizational structure, human resource, risk indicators, IT system, and emergency response. For the first time, securities companies are required to appoint a chief risks officer, and headquarter shall vertically manage companies’ subsidiaries and their subsidiaries managed directly by the parent.

By the end of 2019, securities companies had established a multi-level risk management structure with clear division of responsibilities. It had designated or created special departments to perform risk management responsibilities, which carried out comprehensive risk management under the leadership of the chief risk officer. To various extent, each securities company had created risk institution, risk preferences and risk indictors, established risk IT system compatible with its own business complexity, and started to explore data governance. In terms of subsidiary management, more than 90% of securities companies have implemented risk limits for their subsidiaries, T+1 reporting of major risk events, integrated monitoring of all subsidiaries, and vertical management of risk for overseas subsidiaries.

(2) Industry self-regulatory organization guides the industry to establish management mechanisms for important types of risks

In February 2014, the SAC issued the Guidelines for the Management of Liquidity Risk of Securities Companies. Before 2014, the liquidity risk management of securities companies mainly focused on the balance sheet and the parent company. By the end of 2019, a multi-level indicator monitoring system had been built, and different management methods were adopted for managing short, medium, and long-term liquidity risk, which further enhanced the granularity of the management. In 2019, the liquidity risk management of off-balance sheet entities was strengthened, and the top securities companies that have developed more rapidly as financial holding group preliminarily formed a framework for groupwide liquidity risk management.

In July 2019, the SAC issued the Guidelines for the Management of Credit Risks of Securities Companies, which regulates the credit risk management of financing, bond investment, and derivatives trading businesses. Under the 2017 CSRC Document No. 89 and the Guidelines of the SAC, securities companies improve its credit risk management in terms of risk policies, internal credit rating applications, and stress testing. Specifically, internal rating was implemented for financing businesses, bond trading, credit risk measurement, etc.; top securities firms have extended the credit risk limit system including scale and concentration level based on the complexity of business to subsidiaries; periodically conduct ad-hoc stress tests for credit risks, the results of which are applied to risk exposure adjustments, asset liquidity enhancement, and collateral management.

(3) Regulators and self-regulatory organizations have introduced risk management systems for weak risk management businesses, enabling the industry to further consolidate risk management capabilities

In March 2015, the SAC issued the Guidelines for the Risk Management of the Stock-Pledge Repo Business of Securities Companies, which specifies higher risk management requirements for the stock pledge business. In 2017, the CSRC issued Circular 89 in accordance with Circular 302 of the “One Bank and Three Committees”, which laid out more detail standard of the market, credit, and operational risk of bond trading by securities companies’ proprietary and asset management businesses. In March 2018, the CSRC issued Guidelines for the Internal Controls of the Investment Banking Business of Securities Companies, which put forward detailed requirements for the quality control, internal verification, and follow-up management of all investment banking businesses.

II.Prospects for the risk management of securities companies

We believe that after the previous three development stages, the risk management of securities companies will mainly exhibit the following characteristics in the future.

1.?Consolidated Supervision will lead the industry's enterprise risk management to a higher level

In April 2017, the CSRC initiated the preliminary pilot program for the Consolidated Supervision of the securities industry. After two rounds of assessments, the CSRC believed that the six pilot securities companies had essentially established enterprise risk management that can effectively cover various risks, business lines, and subsidiaries, and thus they had basically met the conditions to be supervised by the CSRC based on consolidated entity. Therefore, the CSRC decided to accept these 6 securities companies as the first batch of pilot companies under the Consolidated Supervision.

The Categorized Regulation of Securities Companies revised in 2020 will add consolidated supervision as a positive item, which will lead the trend of the industry. First, securities companies will pay more attention to ERP. Second, the implementation of vertical risk management or integrated risk management of subsidiaries will be widespread. Third, securities companies will increase investment in IT systems and personnel to improve infrastructure. Fourth, risk management will be further embedded in the entire business process, especially credit risk management, which will be extended to all on-balance-sheet and off-balance-sheet credit risk businesses, focusing on individual and portfolio, pre-investment and post-investment full-process management, so as to effectively managing risks and maintain minimum risk standard.

2.?Industry innovation will continue to promote risk management

From the speech of the chairman of the CSRC Yi Huiman at the Lujiazui Financial Forum or the report on the expanded study meeting of the Party Committee and the Party Committee Theory Center Group of the Securities Regulatory Commission on October 30, 2020, it can be seen that institutional innovation is the significant component of the further reformation of the capital market in the future. Important quotes are such: "Focus on increasing the proportion of direct financing and accelerating the improvement of the multi-level capital market system", "Putting support for technological innovation in a more prominent position and accelerating the establishment of a high-quality innovative capital center", "utilizing registration and delisting reforms as handler, drive the institutional innovation of issuance and underwriting, trading, continuous supervision, and investor protection, and comprehensively strengthen the infrastructure of the capital market." In this context, securities companies’ investment banking, brokerage, proprietary investment, and asset management businesses will emerge innovative varieties or businesses. In response, regulator will change the requirements for businesses themselves as well as the corresponding risk management. To properly control and manage the risk of these innovative businesses, securities companies may undergo changes in various aspects such as organizational structure of risk management, measurement methods, and monitoring techniques, etc.

3.?Risk management will further involve artificial intelligence

On the one hand, the penetration of technology in various businesses will trigger innovations in corresponding risk management methods. On the other hand, the application of information technology as a quantitative means in risk management will also be more extensive and in-depth. Informatization has broken the boundaries of traditional business operations, making the front, middle and back offices indistinguishable in time and space. With the continuous improvement of artificial intelligence and big data infrastructure, machines will learn from the existing experience of humans in opportunity discovery, customer service, and risk identification; and hence, it will comprehensively consider all factors and quickly made optimal decision adaptive to conditions of the time, all of which are done at the depth and breadth that humans cannot achieve. In this way, artificial intelligence will inevitably integrate risk management into the entire life cycle of business development.

III.Conclusion and Moral

After 30 years of development, the risk management of securities companies has evolved from internal control and decentralized risk control to today's enterprise risk management. Although there is room for further improvement in terms of IT systems and technicalities, it can be said that the basic framework has been constructed. In this process, regulator was the key, and industry association guided the process.

1.?Securities companies should take risk culture seriously, incorporating it into the industry culture

For a long time, the risk management of securities companies has relied too much on the guidance of regulator and self-regulatory organization, and their internal incentive is weak. The only way to comply with the essence of enterprise management is to manage risk considering individualized business character and risk tolerance on the company’s own initiative while satisfy external requirements. To improve risk awareness, it is necessary to clarify the company’s attitude towards risk and risk management from the perspectives of ideology, strategy, and business philosophy, and integrate them into the work of employees at all levels through the direction, exemplification of the main leaders as well as advocacy training and KPIs.

2.?The risk management of securities companies must be forward-looking

Securities companies themselves are important participants in the capital market. Whether as an intermediary for financing and trading, or as a provider of investment subjects, funding securities and market liquidity, they need to bear certain risks when making profits. One of the basic tasks of risk management is to analyze and judge the macro situation, primary and secondary market trends, and even the fundamentals of individuals such as market financing entities and counterparties. Only after forward-looking assessment and analysis can we adjust risk management strategy and policy in a targeted manner, make targeted risk control arrangements, and avoid "surprises" as much as possible.

3.?Risk management is essentially the management of risk preference

The market environment is constantly changing in the operation of businesses, so the risks are constantly changing accordingly. It is also a common phenomenon that securities companies suffer losses due to market risks and credit risks arising from market fluctuations. The key is whether these losses are expected in advance or within the tolerance of the firm. If a company’s risk appetite is not clear, the firm does not know the total amount of risk it can bear. Therefore, we must first clearly specify the risk appetite for a certain period of time. Under this premise, considering the market environment and other quantified tolerable risk bottom lines, the company's board of directors should actively participate in this specification process of risk appetite.

?

References:

[1] Wang Lu. There is a clear timetable for the comprehensive management of securities firms [N]. Shanghai Securities News, 2006-1-11.

[2] Hou Jiening. Governance came to a successful conclusion The securities industry has entered a new era [N]. Securities Daily, 2007-9-3.

[3] Zhou Chong, Shang Fulin. The comprehensive management of securities companies ended successfully [N]. Shanghai Securities News, 2007-9-3.

[4] Lu Ya, Yang Minghai, Zhuang Yaming, Li Guangqing, Xu Meng. Investigation report on the current situation of liquidity risk management of securities companies [A]. China Securities Industry Association. Innovation and Development: 2014 Proceedings of China's Securities Industry [C]. Beijing: China Financial and Economic Publishing House, 2015.729-739.

[5] China Report Network. Analysis of the development history and regulatory system of China's securities industry in 2018 [R]. Beijing: 2018.

[6] China Securities Industry Association. China Securities Industry Development Report [M]. China Financial and Economic Publishing House, 2020.166-187.

[7] Xun Tactics of the Stock Market. Bulls and bears never sleep-market characteristics analysis framework (Xun Yugen, Zheng Zixun) [DB]. 2020-9-3.

?

About the author: Lu Ya, master, senior accountant. She is currently a member of the Executive Committee of China Securities Co., Ltd., the chief risk officer, the administrative head of the company's risk management department, and the deputy chairman of the Risk Management Committee of the Securities Industry Association of China.