Friday, March 7, 2008

Risk Management Systems Examination by SEC

Internal Controls/Risk Management Exams
An SEC internal controls examination begins with an overview of a firm's risk management system. We look at organizational structure and the process by which managers identify, assess, monitor and control all risks within the broker-dealer. These exams are conducted in conjunction with a review of the firm's compliance with the SEC financial responsibility rules, including capital rules. If a firm is not vigilant in a particular area and lacks controls, it will very likely have related deficiencies and violations in the area.

During our examinations, we are not looking for one particular set of policies and procedures. There is no single blueprint for risk management - it must be customized, reflecting the particular business operations of each firm. The design and implementation of a firm's risk management system must take into account such factors as - size and geographic dispersion, types of business activities, products offered and customers of the firm, operations and technology, legal and regulatory issues, market conditions, and other relevant factors. Moreover, risk management must be viewed as constantly evolving - as the environment changes, or as better practices come to light - firms should change their risk management systems accordingly to maintain the highest level of appropriate internal controls.

Our internal controls examinations include reviews of the following areas:

Senior management, to look for establishment of overall policies and active involvement in the process of risk management and the oversight of risk parameters and controls

Adequacy of resources and systems used for risk management, and compensation incentives that may adversely impact independence

Internal audit, to ensure that comprehensive and independent assessments get to management and that deficiencies are addressed in a timely manner

Market risk in trading activities and firm inventory, including VAR (value at risk), economic models, scenario analyses, stress testing, and back testing; we follow trades from the trading desk through the entire risk management system

Funding, liquidity and credit risks, including counterparty credit risk across all products and businesses, credit limits, pricing models, guarantees, collateral, margin, and settlement and legal risks

Operational risks, including segregation of duties, checks and balances, protection of customer funds and securities, operating systems, management information systems, management reporting, front and back office operations, security, contingency planning and disaster recovery

And finally, we look to see that new products and activities are assimilated into the risk management system in a timely and appropriate manner.

What are some weaknesses we have seen in internal controls systems at firms?

Inattention by senior management

Allowing senior trading personnel to oversee risk management - the inherent conflict between profit and risk control

Failure to adhere to the firm's risk limits

Understaffed and inexperienced audit staff

What are examples of sound practices?

Having the board of directors involved in risk management policy and oversight

Independent and experienced high-level risk managers

Periodic (daily) reconciliations of information data systems

Having an independent and centralized credit department to establish and monitor credit limits for counterparties across all businesses.

In conducting these reviews, our examiners are looking for areas where the firm's controls are weak or inadequate. We will conduct more thorough reviews in those areas and often find deficiencies and violations of laws and rules. Internal controls and effective risk management are particularly important when firms are more aggressively pursuing innovative ways to increase revenues and enhance profits. Under such conditions, we should all be more vigilant.

Therefore, the objective of this first type of comprehensive examination is to assess and improve where necessary the structure and operation of a firm's risk management processes and systems.

From the speech by Mary Ann Gadziala
Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities & Exchange Commission
on February 26, 2003

http://www.sec.gov/news/speech/spch022603mag.htm

The speech also explains how compliance is examined.

Nasdaq risk management system
http://www.nasdaqtrader.com/content/ProductsServices/Trading/ACTWorkstation/risk_factsheet.pdf
