Risk management and control

In 2007, UBS suffered significant losses as a result of positions in instruments related to US residential mortgage markets. This experience does not invalidate UBS's risk management and risk control principles – the high level precepts remain valid – but it has demonstrated that the policies, measures and processes that implement the principles can be strengthened in some ways. UBS is taking steps to ensure that the lessons learned in 2007 are embedded in its risk management and control frameworks and in the structure and processes of its risk control organization.

Risk management and control principles

Taking, managing and controlling risk is core to UBS's business. The aim is not, therefore, to eliminate all risks but to achieve an appropriate balance between risk and return. UBS's approach to risk management and control is based on five principles:

– business management throughout the firm is accountable for all the risks assumed or incurred by their business operations and is responsible for the continuous and active management of risk exposures to ensure that risk and return are balanced;

– an independent control process is an integral part of the firm's structure – its goal is to provide an objective check on risk-taking activities and to support senior management in achieving appropriate alignment of the interests of all stakeholders including shareholders, clients and employees;

– comprehensive, transparent and objective risk disclosure to senior management, the Board of Directors (BoD), shareholders, regulators, rating agencies and other stakeholders is an essential component of the risk control process;

– earnings protection is based on limiting the scope for adverse variations in earnings and exposure to stress events – controls are applied at the level of individual exposures and portfolios in each business and to risk in aggregate, across all businesses and major risk types, relative to the firm's risk capacity (the level of risk UBS is capable of absorbing, based on its anticipated earnings power); and

– protection of UBS's reputation ultimately depends on the effective management and control of the risks incurred in the course of business.

The principles are the foundation upon which the more detailed risk management and control frameworks are built. These frameworks comprise both qualitative elements, including policies and authorities, and quantitative components including limits. They are continually adapted and enhanced as UBS's business and the market environment evolve.

The pace of innovation in financial markets makes this challenging, and never more so than when markets undergo major dislocations as they did in 2007. Many parts of UBS's risk management and control frameworks were resilient in the face of these stressful conditions, but, in a limited area of the Investment Bank, some aspects of risk management assessments and the market risk control framework proved inadequate to identify certain risk concentrations and therefore to prevent losses in the extreme market conditions of the second half of 2007.

Risk management and control responsibilities

The BoD has a strategic and supervisory function. It is responsible for the firm's fundamental approach to risk, for approving the risk principles and for determining risk capacity and risk appetite.

The Chairman's Office acts as the Risk Council of the BoD. In this capacity, it oversees the risk profile of the firm on behalf of the BoD and oversees implementation by the Group Executive Board (GEB) of the risk management and control principles.

The GEB, together with its Risk Sub-Committee, is responsible for implementing the risk principles, including approval of core risk policies, and for managing the risk profile of UBS as a whole.

The Group Chief Risk Officer (Group CRO) has overall responsibility for the development, implementation and enforcement of UBS's risk principles. The role is supported by the Group Chief Credit Officer (Group CCO), the Group Head of Market Risk and the Group Head of Operational Risk. Together they establish risk control frameworks, formulate risk policies and determine methodologies for measurement and assessment of risk. They are responsible for monitoring UBS's risks and its risk / return profile, and have the authority to mandate risk reductions in the light of market conditions and UBS's financial resources.

The Group Chief Financial Officer (Group CFO) is responsible for transparency in the financial performance of UBS and its business groups, including high-quality and timely reporting and disclosure in line with regulatory requirements, corporate governance standards and global best practice. The Group CFO is responsible for implementation of the risk principles in the areas of capital management, liquidity, funding and tax.

The Group General Counsel is responsible for implementing the risk principles in the areas of legal and compliance.

The Chief Executive Officer (CEO) of each business group has overall responsibility for the business group and its management, and is accountable for its results and risks.

Within the business groups, business management is responsible for ensuring that risks are identified and managed. The risk control functions are responsible for the implementation of independent control processes. They are empowered to enforce the risk principles and frameworks and corrective measures mandated by the Group CRO, the risk function heads and senior management.

All employees, but in particular those involved in risk decisions, must make UBS's reputation an overriding concern. Responsibility for UBS's reputation cannot be delegated or syndicated.

The risk control process

There are five key elements in the independent risk control process:

– risk policies to implement the risk principles, reflecting UBS's risk capacity and risk appetite, and consistent with evolving business requirements and international best practice. UBS's risk policies are principle-based, specifying minimum requirements, high-level controls and standards, and broad authorities and responsibilities – they are never a substitute for the exercise of sound business judgment but, rather, guide and determine actions and decisions;

– risk identification through continuous monitoring of portfolios, assessment of risks in new businesses and complex or unusual transactions, and ongoing review of the risk profile in the light of market developments and external events;

– risk measurement using methodologies and models which are independently verified and approved;

– risk control by monitoring and enforcing compliance with risk principles, policies and limits, and with regulatory requirements; and

– transparent risk reporting to stakeholders, and to management at all levels, on all relevant aspects of the approved risk control framework, including limits.

UBS has control processes around the establishment of new businesses or significant changes to existing businesses, and the execution of complex or unusual transactions. These processes involve the business, and potentially all the control functions – risk control, legal, compliance, treasury, finance, tax and logistics, as necessary. The objective is to ensure that all critical elements are addressed across disciplines. A key aspect is whether transactions can be booked in a way that will permit appropriate ongoing risk management, measurement, control and reporting. These processes are being strengthened to reflect the lessons learned in 2007.

More generally, UBS is seeking ways to further integrate its credit and market risk structure in the Investment Bank to provide a more holistic view within and across asset classes.

Risk categories

Business risks are the risks associated with a chosen business strategy – it is business management's responsibility to respond to fundamental changes in the economic environment and the competitive landscape. Business risks are not subject to independent risk control but are factored into the firm's planning and budgeting process and the assessment of UBS's risk capacity and overall risk exposure.

The primary and operational risks inherent in business activities are subject to independent risk control.

Primary risks are:

– credit risk – the risk of loss resulting from the failure of a client or counterparty to meet its contractual obligations. It arises on traditional banking products, such as loans and commitments, and on derivatives and similar transactions. A form of credit risk also arises on securities and other obligations in tradable form. Their fair values are affected by changing expectations about the probability of failure to meet obligations as well as actual failures. Where these instruments are held in connection with a trading activity, UBS controls the risk as market risk;

– market risk – the risk of loss resulting from changes in market variables of two broad types: general market risk factors and idiosyncratic components. General market risk factors include interest rates, exchange rates, equity market indices, commodity prices and general credit spreads. Idiosyncratic components are specific to individual names and affect the values of their securities and other obligations in tradable form, and derivatives referenced to those names. Investment positions may also be affected by market risk factors but they are often not liquid and are generally intended or required to be held beyond a normal trading horizon. For these reasons they are subject to a different control framework; and

– liquidity and funding risk – the risk that UBS might be unable to meet its payment obligations when due, or to borrow funds in the market on an unsecured or secured basis at an acceptable price to fund actual or proposed commitments.

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external causes, whether deliberate, accidental or natural. Operational risks must be monitored, and are controlled and mitigated to the extent possible and desirable.

Quantitative controls

In principle, for risks that are quantifiable, UBS measures potential loss at three levels – expected loss, statistical loss and stress loss.

Expected loss is the loss that is expected to arise on average over time in connection with an activity. It is an inherent cost of such activity, and must be factored into business plans. For financial instruments carried at fair value, expected loss is reflected in valuations and deducted directly from revenues.

Statistical loss measures, such as Value at Risk ("VaR"), estimate the amount by which actual loss in a portfolio can exceed expected loss over a specified time horizon, measured to a specified level of confidence (probability).

Stress loss is the loss that could arise from extreme events, typically beyond the confidence level of the statistical loss estimate, and is normally a scenario-based measure.

Concentration controls complement portfolio risk measures. Controls are generally applied where UBS identifies that positions in different financial instruments or different portfolios are affected by changes in the same risk factor or group of correlated factors and there is the potential for significant loss in the event of extreme but plausible adverse developments. UBS's concentration controls include credit limits for individual clients, counterparties and counterparty groups, ceilings on exposure to all but the best-rated countries, limits on potential loss from changes in general market risk factors, and thresholds on single name exposures in the trading portfolio.

The primary day-to-day quantitative controls are intended to govern normal periodic adverse results and prevent severe losses as a result of stress events. The identification of stress events and scenarios to which UBS is vulnerable and an assessment of their potential impact – in particular the danger of aggregated losses from a single event through concentrated exposures – is a critical component of the risk control process. Risk measures and controls rely on a combination of past experience, available external data, and judgments about likely future developments. Each new stress event is in some way unique, and thus no risk measure can provide complete protection against every possible scenario. Equally, each stress event offers new insights into ways of enhancing risk measures and controls, whether specific to an individual portfolio or risk type or, as is the case with the experience of 2007, a more generic extension from a particular experience, applying the lessons learned more broadly.

"Earnings-at-risk" and "Capital-at-risk"

To complement the day-to-day operating controls, UBS has developed two concepts – "Earnings-at-risk" and "Capital-at-risk" – to assess aggregate risk exposure across risk types and businesses against its financial resources. These measures assess UBS's ability to absorb the potential loss inherent in its business in the current economic cycle, across all business lines, and from all major sources, including primary risks, operational risks and business risks.

Earnings-at-risk focuses on UBS's ability to absorb losses from current earnings, while capital-at-risk considers more extreme losses and their potential to lead to a breach of minimum regulatory capital requirements or, ultimately, to insolvency. Capital-at-risk is an input to the capital management process.

Earnings-at-risk has been an integral part of the risk control process since 2004 and is monitored by the GEB and Chairman's Office as part of the regular quarterly risk reporting cycle. The concept reflects UBS's long-held view that the first and primary resource to absorb losses is a firm's earnings stream. Earnings-at-risk has three elements – risk capacity, risk exposure and risk appetite.

Risk capacity is the level of risk UBS considers itself capable of absorbing, based on its earnings power, without damage to its dividend paying ability, its strategic plans and, ultimately, its reputation and ongoing business viability. It is based on a combination of budgeted / forecast and historical revenues and costs, adjusted for performance-related compensation, and dividends and related taxes.

Risk exposure is an estimate of potential loss based on current and prospective risk limits and risk positions across major risk categories – primary risks, operational risk and business risk. It is assessed against a severe but plausible constellation of events over a one-year time horizon to a 95% confidence level – in effect to assess the impact of a "once in 20 years" event. The measure builds on the statistical loss measures used in the day-to-day operating controls as far as possible, extending their time horizons where necessary, with adjustments and supplements determined by management to reflect known coverage gaps, measurement weaknesses and potential events. The results are combined to reflect potential correlations between the various risk categories under the severe scenarios envisaged.

A comparison of risk exposure with risk capacity serves as a basis for determining the appropriateness of current or proposed risk limits, and UBS's ability to pay a cash dividend out of its current year earnings. It is also one of the tools available to management to guide decisions on adjustments to the risk profile.

Risk appetite is established by the BoD, who set an upper bound on aggregate risk exposure in the form of a "risk exposure ceiling". It is appropriate that risk exposure should be less than risk capacity, but in the difficult market conditions that confronted UBS in 2007, this relationship has not held: calculated risk exposure has increased and risk capacity has fallen beyond the levels predicted. For 2007 as a whole, UBS recorded a net loss, showing that the risk inherent in some positions had resulted in total risk exposure greater than UBS's risk capacity.

The pattern of UBS's losses was unexpected – a limited area experiencing extreme writedowns while other areas maintained strong or even record performance. In these circumstances, there was less flexibility to adjust performance-related compensation than had previously been assumed. This, and the actual losses experienced, reduced measured risk capacity.

On the other hand, risk exposure increased. Major market and credit risk limits for parts of the Investment Bank not connected to US residential mortgage markets were adjusted in recognition of the reduced risk capacity but the reduction was more than offset by other factors: the standard market risk measures reported higher exposure as volatility increased, and because it had become apparent that some of these measures did not fully capture certain market risks, a much larger exposure estimate was used for these positions.

Measured risk exposure is neither an expected case nor a worst case and it can be significantly affected by many external factors. Based on UBS's assessment of the various dimensions of its portfolio of risks, and their potential evolution – particularly in light of its US residential mortgage-related exposures – management will continue to reduce the firm's risk exposure to achieve an appropriate level relative to its risk capacity, but liquidity has been and remains quite poor in the markets for positions on which UBS has suffered major losses.

As with any model, Earnings-at-risk is heavily dependent on the many assumptions (including the chosen confidence level) and estimates that are necessarily entailed in determining the inputs and generating the output, not least because risk exposure includes a combination of statistical and more judgmental elements. Measured risk exposure must be understood in this context. Risk capacity and risk exposure are, furthermore, dynamic measures, affected significantly by the external environment which will impact, for example, correlations between risk categories, the liquidity of UBS's positions, the potential to reduce or hedge them at reasonable prices, and UBS's funding costs. In the current difficult market conditions, there is a high degree of uncertainty in the statistical estimation of risk exposure and a material element is now contributed by supplementary measures. Observable data has been supplemented by judgmental elements for residential and commercial real estate, corporate and consumer credit and US municipal and student loan markets, and for potential defaults by monoline insurers. These estimates are subjective, not derived from statistical models but determined through extensive consultation between risk control professionals.

Capital-at-risk builds off the Earnings-at-risk concept but assesses the potential for losses to exceed earnings capacity and erode capital. For Capital-at-risk, the analysis of risk exposure is essentially the same as for Earnings-at-risk but measured at two higher confidence levels – the first in relation to UBS's minimum regulatory capital requirement, and the second in terms of solvency.

The Capital-at-risk measure of aggregate risk exposure is an important consideration in the assessment of capital adequacy.

Like Earnings-at-risk, Capital-at-risk relies on the day-to-day risk control measures and will potentially underestimate aggregate exposure if these measures do not fully capture the risks. As the underlying systems are enhanced – a process which is already in hand – the measures of aggregate risk exposure will also improve, and in the meantime supplementary estimates will continue to be incorporated. Furthermore, as a result of the events of 2007, UBS has gained a better understanding of the dynamics of the risk capacity and exposure measures and of the interplay between different measures of capacity – in particular the relationship between risk management, treasury management and capital management measures.

Qualitative controls

Although measurement of risk is clearly important, quantification does not always tell the whole story, and not all risks are quantifiable. Due diligence, sound judgment, common sense and an appreciation of a wide range of potential outcomes – including a willingness to challenge assumptions – are key components of a strong risk culture for both risk management and risk control. UBS's risk measures did not adequately identify risks in the US residential mortgage markets in 2007, and qualitative assessments equally did not fully appreciate the range of potential outcomes and the deep tail risk in the portfolio. UBS will learn from this experience and will strive to strengthen its risk culture accordingly.