DECISION

ON ISSUING REGULATION ON GUIDING THE ESTABLISHMENT AND OPERATION OF RISK MANAGEMENT SYSTEM FOR FUND MANAGEMENT COMPANY AND SELF-MANAGING SEPARATE SECURITIES INVESTMENT COMPANY

CHAIRMAN OF STATE SECURITIES COMMISSION OF VIETNAM

Pursuant to the Securities Law dated 29 June 2006;

Pursuant to the Law amending and supplementing a number of articles of Securities Law dated 24 November 2010;

Pursuant to Decree No. 58/2012/ND-CP dated 20 July 2012 of the Government detailing and guiding the implementation of some articles of the Securities Law and the Law amending and supplementing some articles of Securities Law;

Pursuant to Decision No.112/2009/QD-TTg dated 11 September 2009 of the Prime Minister defining the functions, duties, powers and organizational structure of the State Securities Commission of Vietnam directly under the Ministry of Finance;

Pursuant to Circular No. 212/2012/TT-BTC dated 05 December 2012 of the Minister of Finance guiding the establishment, organization and operation of fund management company;

...

...

...

Considering the recommendation of Director of management Department of fund management Companies and securities investment Funds

DECIDES:

Article 1. Issued with this Decision is the Regulation on guiding the establishment and operation of risk management system for fund management company and self-managing separate securities investment company.      

Article 2. This Decision takes effect from the signing date.

Article 3. Chief of Office, Director of management Department of fund management Companies, securities investment Funds, fund management Companies, self-managing separate securities investment companies and the relevant parties are liable to execute this Decision.

CHAIRMAN




Vu Bang

...

...

...

GUIDING THE ESTABLISHMENT AND OPERATION OF RISK MANAGEMENT SYSTEM FOR FUND MANAGEMENT COMPANY AND SELF-MANAGING SEPARATE SECURITIES INVESTMENT COMPANY
(Issued with Decision No. 428/QD-UBCK dated 11 July 2013 of the Chairman of State Securities Commission of Vietnam)

Chapter 1.

GENERAL PROVISIONS

Article 1. Scope of regulation and subjects of application

1. This Regulation guides the establishment and operation of risk management system in operation of fund management companies and self-managing separate securities investment companies (hereafter referred to as company) established and operating in Vietnam.

2. The Board of Directors, Member Board or owner of fund management companies or Board of Directors of self-managing separate securities investment companies and other relevant organizations and individuals are responsible for building the system, issue procedures, organize and supervise the risk management under the guidelines in this Regulation.

Article 2. Explanation of terms

In this Regulation, the following terms are construed as follows:

1. Board of Executives consists of Director (General Director), Deputy Directors (Deputy General Directors).

...

...

...

3Entrusting customer means the funds, individuals and organizations entrusting their capital and assets to the fund management companies for management in accordance with regulations of law on securities.

4. Personal documents consist of information provision Form specified in Annex 1 issued with this Regulation, valid copy of ID card, Passport or other legal personal identification.

5. Risk are events which uncentainly occur during business activities causing loss of revenue, profits, capital, the material and other material and non-material damage or not achieving business target of the companies or target of entrusting customers.

6. Operation risks mean risk occurring due to technical errors, system errors and operational procedures, human errors during operation or due to short of  business capital incurred from expenditures and losses from investment or other objective causes.

7. Prestige risk means the risk the company must face in case of loss of prestige, trust and credit of investors and customers even in case of objective causes.

8. Liquidity risk means when the companies or entrusting customers cannot sell or convert the assets in the portfolio into cash with rational value due to liquidity shortage.

9. Payment risk means when the partners cannot make their payment on schedule or cannot transfer their assets on schedule as committed.

10. Market risk means risk occurred due to volatility of market value of assets and financial tools.

11. Compliance risk means the risk to be faced by the company in case the company or its employees breach or do not comply with regulations of law specified in the charter of company or fund charter, internal rules, operational procedures and regulations including regulations on occupational ethics.

...

...

...

13. General risk value is the agggregated result of risk values for company or portfolio of entrusting customers. The risk aggregation must ensure all risks are fully calculated without duplication. In a simple linear model, the general risk value is equal to the total constituted risk values.

14. Risk appetite is the types of risk and risk levels which the company or entrusting customers are willing to accept to achieve investment targets. The risk appetite is shown both in quality and quantity, including the constituted risk appetite and general risk.

15. Risk limit is a maximum risk accepted by the company or entrusting customer. The risk limit can be allocated as per each type of risk for the whole company, each department, transaction, work position and entrusting customer.

16. Risk threshold is the value level established by the company for warning when the risk value approaches the risk limit. The risk threshold can be shown as per the absolute value (currency unit) or relative value (the percentage compared with risk limit).

17. Risk concentration state is a state concentrating mainly on one or a number of key risks whose losses can seriously affect the company.

18. Risk acceptance ability is the ability using the owner’s equity, expectation profits and financial resources available to offset at any time all key risks and underlying losses accepted by the company.

19. Available capital is the owner’s equity which can be converted into cash within ninety (90) days. The available capital shows the ability to be ready for offsetting losses whose risks can cause to the company.

20. Fund means the investment fund or securities investment company entrusting its capital to the fund management company for management, in which the term of member fund refers to the separate securities investment company.

21. Fund representative Board is the representative Board of securities investment fund and Board of Directors of the securities investment company entrusting its capital to the fund management company for management.

...

...

...

1. The risk management shall comply with the provisions in Clause 11, Article 24 of Circular No. 212/2012/TT-BTC dated 05 December 2012 of the Minister of Finance (Circular No. 212/2012/TT-BTC).

2. The fund management companies and self-managing separate securities investment companies shall carry out their risk management for their business activities under the guidelines in Chapter II of this Regulation.

3. Depending on the scale of operation, type and entrusting customer, the fund management companies shall carry out their risk management for the portfolio of entrusting customers as guided in Chapter III of this Regulation.

4. Annually, the strategies, policies and procedures for risk management of the company must be re-assess, adjust and supplement in accordance with the operational scope, scale and conditions of the company and market background.

5. Level, scale, scope and type of risk must be within the limit established and approved by the companies and entrusting customers. The decisions on risk management must be clear, rational and consistent with strategies, targets and financial capacity of the companies and risk acceptance level of the entrusting customers.

Article 4. Risk management system and risk management personnel

1. The companies must establish their synchronous, effective and comprehensive risk management system including the following components:

a) Organizational structure of risk management

The companies should set up their separate organizational structure of risk management, including components and personnel for activities of risk management, integrated and operated pararelly in the organizational and operational structure of the companies.

...

...

...

- For work of risk management in business activities of the companies: The Board of Executives, Board of Directors and Member Board or owner shall decide the organizational structure system of risk management; approve and issue strategies and policies on risk management. The Board of Executives is responsible for inspecting, supervising and implementing risk management under the approved strategies and policies;

- For the risk management of the entrusted portfolio, including investment funds: The fund representative Board and the entrusting customers shall decide or authorize the fund management company to decide the strategies and policies on risk management. The fund management companies shall inspect, supervise and implement the risk management for the entrustment list, including investment funds.

b) Strategies and policies on risk management

The companies need to issue strategies and policies on risk management in order for the staff to know and apply consistently in their whole companies.

- The risk management strategies including the general risk management strategies and constituted risk management strategies in accordance with the guidelines in Article 9 of this Regulation;

- The risk management policies, including the risk management procedures shall comply with the guidelines in Article 11 of this Regulation.

- The strategies and policies on risk management must ensure the consistency with the organizational structure of risk management, scale and scope of operation, investment fields and types of investment asset of the companies. The strategies and policies on risk management are made in writing and kept at the head office of the companies and shall be provided for the State Securities Commission of Vietnam upon written requirement.

2. The members of Board of Directors and Member Board or owner in charge of risk management; members of Board of Executives in charge of risk management; head and operational employee of risk management department (if any) should have certificate appropriate with risk management or qualifications meeting requirements for risk management in accordance with internal rules the companies.

3. Within seven (07) working days, from the day of establishment or change or supplementation of staff of risk management, the companies must provide the State Securities Commission of Vietnam with the list under the form specified in Annex 02 issued with this Regulation enclosed with personal record of staff.

...

...

...

RISK MANAGEMENT FOR ACTIVITIES OF COMPANIES

Article 5. Responsibility of Board of Directors, Member Board or owner

1. The Board of Directors, Member Board or owner must establish and control the whole risk management system at their companies as follows:

a) Decide the organizational structure of risk management of their companies, including the constituted departments, organizations and personnel for risk management; duties, responsibilities and relationship in risk management of such departments, components and personnel.

b) Approve, issue and adjust strategies and policies on risk management of their companies;

c) Inspect, supervise and assess the compleness, effectiveness and effect of risk management system

2. The Board of Executives, Board of Directors and Member Board or owner must take all responsibilities before the general meeting of shareholders and Member Board for risk management.

3. Depending on operational scale, the Board of Executives, Board of Directors and Member Board or owner shall assign a member in charge of risk management or establish a risk management sub-Board. The structure, condition and criteria for personnel of such risk management sub-Board shall comply with the internal rules of the companies.

4. The members in charge of risk management or the risk management sub-Board (if any) must:

...

...

...

b) Inspect and assess the compliance with the risk management procedures of operational departments and staff; annually coordinate with the risk management department (if any), the internal auditing department (if any) and the internal control department to review and assess the completeness, effectiveness and effect of risk management system; report the operation and operational effectiveness of risk management done in the year to the Board of Executives, Board of Directors and Member Board or owner; recommend corrective plan of shortcomings and restrictions to improve the risk management system.

c) Analyse and give warning of underlying risks and risk precautions.

d) Give advice to the Board of Executives, Board of Directors and Member Board or owner in issuing strategies and policies on risk management.

5. In case of establishment of risk management sub-board, the Board of Executives, Board of Directors and Member Board or owner need to issue the operation rule of such sub-Board , including regulations on its rights and duties, meeting organization (regular and irregular), conditions, form of meeting, voting and adoption of sub-Board’s decision; minutes and sub-Board’s decision; mechanism of coordination and cooperation, share and security of information between the risk management sub-Board with other operational departments in their companies.

Article 6. Responsibility of Board of Executives

1. The Board of Executives shall take responsibility before the Board of Directors, the Member Board or the owner for the implementation of risk management, particularly as follows:

a) Prepare draft of strategies and policies on risk management to be submitted to the Board of Directors, the Member Board or the owner for approval and issue;

b) Implement strategies and policies on risk management after they have been approved and issued by the Board of Directors, the Member Board or the owner,

c) Supervise to ensure the implementation of risk management in accordance with the strategies and policies on risk management; the full compliance with regulations and procedures for risk management; personnel assignment in line with requirement and financial resources for risk management; regular updating and dissemination of knowledge and experience of risk management to the staff of companies.

...

...

...

2. The Board of Executives shall assign one of its member to be in charge of risk management.

3. Depending on the operational scale, the Board of Executives can establish a risk management department or requires the internal control department to implement duties specified in Clause 4 of this Article. The personnel structure, conditions and criteria for personnel of the risk management  department shall follow the internal rule of the company.

4. The risk management department:

a) Studies, develop and prepare draft of strategies and policies on risk management for the Board of executives to submit it to the Board of Directors, the Member Board or the owner for approval and issue; builds internal models for risk management;

b) Aggregates information and supervise the operational department in implementation of risk management to ensure the underlying risks in activities of each operational department and of the whole company shall not exceed the risk appetite and risk limit; supervise the management of risk appetite and compliance with risk limit; directly implement the management of operation risk, prestige risk and compliance risk;

c) Defines, identifies, determines the quantity and tests the risk stress; controls underlying risks; allocates the risk management resources; implement and supervise the compliance with risk management policies and risk management procedures, daily risk settlement to ensure the compliance with risk management policies; receives, monitors and aggregate reports on risks and risk settlement from operational departments on market risk, payment risk; coordinates work of risk management between departments in the company;

d) On a monthly basis, makes report to the Board of Executives on issues related to risk management and risk limits exceeded and settlement solutions taken; makes the biannual report to the Board of Executives on operational effectiveness of risk management system of the company.

Article 7. Responsibility of the internal audit department and internal control department

1. The internal audit department must participate in risk management as stipulated under Point b and c, Clause 3, Article 9 of Circular No. 212/2012/TT-BTC.

...

...

...

3. The internal control department shall directly (in case of no risk management department established) or coordinate with the risk management department to help the Board of Executives to ensure the risk management must comply with the approved policies and procedures for risk management and other regulations of law.

Article 8. Responsibility of operational departments

1. The operational departments shall:

a) Comply with the policies and procedure for risk management in all of their activities.

b) Aggregate information, analyse it and recommend the strategies of constituted risk management; coordinate the study of building of strategies and policies on risk management, recommend the underlying risk appetite and risk limit in their activities; formulate risk concepts, techniques of identification, determines the quantity (value) and establishment of limit of each constituted risk;

c) Control and supervise the risks occurring in operation at their department; report the risks to the Board of Executives through the risk management department (if any), recommend and carry out the risk settlement plan.

2. The heads of operational departments must directly implement or assign one or a number of experienced employees of their departments to be in charge of (full-time or part-time) of implementation of risk management in such departments; supervise and control transantions and operations of their departments in order to identify, prevent and manage the risks as per internal rules and operational procedures for risk management to ensure the consistency with the approved policies and risk appetite of the company.

Article 9. Strategy of risk management

1. The strategy of risk management is an overall risk management plan of the company drafted by the Board of Executives and approved by the Board of Directors, the Member Board or the owner. The strategy of risk management is then concretized by the risk management policies, including the risk management procedures daily performed.

...

...

...

a) Mục tiêu quản trị rủi ro Targets of risk management;

b) Definition and classification of risk groups and constituted risk groups;

c) Basic principles of risk management;

d) Risk appetite and risk limit under the guidelines specified in Article 10 of this Regulation;

dd) Mechanism of organization of risk management includes the personnel organization, responsibilities and obligations of departments and personnel related to the risk management, the decentralized approval mechanisms of risk appetite, risk limit and risk settlement mechanisms.

e) Method of assessment and quantity of risk (as per standard model, internal model or both) and the principles of completion of such methods.

f) Method of risk settlement; fully and in detail defining the preventive solutions, mode of settlement; mechanisms of information aggregation, report and supervision of risk management activities.

3. The risk management strategies must be re-assessed periodically, at least once a year to ensure the consistency with business plan of the company and the actual context of the market.

4. The risk management strategies need include the contents to early detect and fully control the key risks to be submitted to the competent level of the company.

...

...

...

1. The companies need to define the risk appetite in the form of statement of risk appetite. The form of statement of risk appetite is carried out under the guidelines in Annex No.03 issued with this Regulation. The risk appetite of the company need to meet the following conditions:

a) Demonstrating the company's philosophy of risk, consistent with the principles, vision, core values, business strategy, objectives and business development of the company;

b) Demonstrating the willingness to accept the certain levels of risk to achieve the operational target of the company, particularly clearly identifying the acceptable types of risk and clearly identifying the acceptable risk value (if possibly quantified)

c) Fully covering the operations of the company, in the short term, average term and long term; consistently with the actual capacity of supervision and management of risk of the company, including the personnel, experience and technical infrastructure for risk management;

2. The risk appetite is established with the risk limit. The risk limit Form complies with the guidelines in Annex 04 issued with this Regulation. The risk limit can be quantified or defined by the qualitative method. Depending on the operational scale and needs of the company, the risk limit can be allocated to each business operational department, each type of product, length of term and concentration degree of a hold position…

3. To ensure no excess of risk limit, the Board of Executive must establish the risk thresholds which are lower than the approved risk value. In case of excess of thresholds, the operational department must notify immediately to the risk management department and the Board of Executives to have a settlement plan in a timely manner. The monitoring, supervision, report, explanation, approval and implementation of solution to risk settlement comply with the risk management procedures of the company.

Article 11. Risk management policies and risk management procedures

1. The risk management policies need to be developed in writing to ensure any individual and department in company can access, grasp and know well their duties in risk management of their company.

2. The risk management policies must be consistent with the risk management strategies and specific conditions of the company, including the business strategies and plans, organizational structure, professional levels of risk management, services and customers of the company. The risk management policies consist of the following contents:

...

...

...

b) The risk appetite is allocated as per types of risk, management structure of risk appetite (procedures for monitoring, identification, assessment, explanation, consultation, report, approval and settlement), monitoring mechanisms of risk appetite (control of implementation of management of risk appetite, reporting form, reporting frequency, subjects reporting and receiving report), mechanisms of review and adjustment of risk appetite (review frequency, individuals and departments involved in review…).

c) The limit of each type of risk, procedures for establishment of risk limit, mechanism of management of risk limit (role, responsibility of individuals and departments related to the recommendation, establishment and adjustment of risk limits);

d) The method of general assessment and quantification of general risks and each constituted type of risk, standard model, internal model or combination of both as guided in Annex 05 issued with this Regulation;

dd) The structure of general risk management and constituted risk, including personnel departments involved in risk management; responsibility and obligations of each individual, department ensure that all risks shall be undertaken by individuals and departments, fully identified, strictly assessed and monitored, reported, consulted from relevant parties and explained to the competent level for timely approval, settled under the approved plan and in orders and procedures specified in the risk management procedure.

e) The risk management procedure consists of internal regulations in order to identify, determine the quantity (analyze and quantify if possible, test the risk stress and test back the chosen model), monitor, supervise (reporting regulation, risk reporting frequency, risk stress testing frequency), control, reduce, prevent and deal with the underlying risks.

f) The risk management procedure needs to be regularly reviewed, updated, adjusted in a timely manner to ensure high efficiency.

3. Depending on the operational scale and needs of the company, the risk management procedure can be developed for the whole company, for each constituted risk, operation, department or work position. The risk management procedure is guided in detailed in Annex 05 issued with this Regulation.

Chapter 3.

RISK MANAGEMENT FOR FUNDS AND PORTFOLIOS

...

...

...

1. Except for cases specified in Clause 2 of this Article, the fund management companies shall develop the risk management strategies and policies for funds and portfolio of entrusting customers as guided in Article 13 of this Regulation and proactively implement the risk management procedure under the risk management strategies and policies in order to achieve the investment target within the scope, limit and field of investment specifiedin the fund charter, the investment management contract and other regulations of law.

2. The member fund representative Board and the entrusting customers in management of portfolio can decide by themselves the risk management strategies and policies for their member funds and portfolio. In this case, the fund representative Board can appoint a member in charge of the risk management of its fund or establish a risk management Board. The fund management company is responsible for implementation of risk management procedure under the approved risk management strategies and policies.

3. The employees operating funds and department managing assets for funds and portfolio of entrusting customers are responsible for monitoring, identifying, determining quantity and reporting to the risk management department (if any) and the Board of Executives on the underlying risks in the portfolio of funds and customers under the approved risk management procedure. In case of excess of risk thresholds, the company shall carry out the settlement plan to adjust these risks lower than such threshold. In case of excess of risk limits, the company is responsible for consulting the fund representative Board and the entrusting customers (if  the company has no right to decide) on dealing with arising risks and implement the settlement of risks under the approved risk management procedure.

Article 13. Risk management strategies and policies

1. The companies must develop the risk management strategies and policies in accordance with the investment targets, portfolio and types of fund, scope of investment, fund charter, management contract and risk acceptance level of the entrusting customers. The risk management strategies and policies must be regularly updated at least once a year to ensure the consistency with the actual conditions of market and asset list of funds and customers.

2. The risk management strategy, risk appetite, risk management policy for funds and portfolio of entrusting customers shall comply with the guidelines specified in Article 9, 10 and 11 of this Regulation.

Chapter 4.

INFORMATION REPORT AND STORAGE

Article 14. Report to the State Securities Commission of Vietnam

...

...

...

a) Information on management and operation of the company;

b) Thông tin về hệ thống quản trị rủi ro Information on risk management system;

c) Quantity reporting indicators;

d) Other attached documents.

2. The reporting form to be sent to the State Securities Commission of Vietnam is guided in Annex 06 issued with this Regulation.

3. The report and the attached documents are made into an original set with an electronic file to be sent to the State Securities Commission of Vietnam.

Article 15. Information storage

1. All documents related to the risk management, including the risk management strategies, procedures and policies, reports, minutes and resolutions of the Board of Directors, the member Board or the owners, the risk management sub-Board, the risk management department, decisions of the General Directors and other documents on risk management must be fully stored and provided for the State Securities Commission of Vietnam upon written requirement.

2. The time for document storage guided in Clause 1 of this Article is ten (10) years as stipulated in Clause 4, Article 40 of Circular No. 212/2012/TT-BTC.

...

...

...

IMPLEMENTATION ORGANIZATION

Article 16. Implementation organization

1. The fund management companies must complete the organizational structure and develop the risk management system in accordance with their companies, the funds and the portfolios under their management; issue the risk management strategies, policies and procedures and make report to the State Securities Commission of Vietnam before 31 March 2014.

2. The amendment and supplementation of this Regulation shall be decided by the Chairman of the State Securities Commission of Vietnam./.

ANNEX 01

FORM OF INFORMATION PROVISION FORM
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom – Happiness
---------------

Passport photo (4x6)

...

...

...

….., date … month …. year …

INFORMATION PROVISION FORM

1. Full name:                                                                 Male/Female

Alias (if any):

2. Date of birth:

3. Place of birth:

...

...

...

5. Nationality

6. Place of permanent residence registration:

7 Current residence:

8. Contact address (regular):

9. Tel, fax, email:

10. Educational background:

11. Qualification:

12. Occupation:

£ State official £ State officer            £ Other

...

...

...

Specify name of school, city and country where the school is located; name of learning course, time and name of diploma (specify diploma(s), training program related to criteria and conditions of title selected or appointed).

Time

Place of training/city

Training specialty

Study program

Name of diploma

...

...

...

14. Working process (details of past occupation, position, job title and working result of each position/commendation, award and discipline if any).

Time

Working place

Job title/Position

Responsibility

Job title

...

...

...

15. Estimated job title in fund management company:

16. Current job title in other organizations:

17. Personal information of declarant:

Full name

Year of birth

ID Number

Permanent address

...

...

...

Job title

Spouse

Father

...

...

...

Mother

...

...

...

Sibling:

...

...

...

I undertake that the above information is true and correct and shall take full responsibility for its contents

Certification of declarant’s signature

Declarant
(Signature and full name)

ANNEX 02

FORM OF LIST OF RISK MANAGEMENT STAFF
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom – Happiness
---------------

...

...

...

LIST OF STAFF OF RISK MANAGEMENT DEPARTMENT

To: State Securities Commission of Vietnam

We are:

- Company ... (official full name in capital letter)

- Establishment and operation Permit No.:…….issued on……….by the State Securities Commission of Vietnam

- Charter capital:

- Address of main office:

- Tel: .... Fax:...

We would like to announce the list of risk management staff as follows:

...

...

...

Full name

ID/Passport No.

Qualifications/type of international certificate of risk management (if any)

Job title/Description of work1 or operational department2

I

Members in charge/risk management sub-Board directly under the Board of Directors, the Member Board or the owner

1

...

...

...

....

II

...

...

...

1

..

...

...

...

III

Risk management department

1

2

...

...

...

..

IV

Staff implementing the supervision and risk management at operational departments

...

...

...

2

...

...

...

We undertake that the above information is true and correct and shall take full responsibility for its contents

Documents attached:
- Form of information provision (full list)

Legal representative
(Signature, seal and full name)

...

...

...

FORM OF RISK APPETITE STATEMENT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

COMPANY ….
--------

...., date... month... year ...

RISK APPETITE STATEMENT

The company can state its risk appetite in different forms. Below are the two examples of form of risk statement

Form 1

Company….is willing to accept the risk (high/average/low…) to achieve the targets (concretizing targets here). The maximum risk level which the whole company can tolerate is….(X currency unit/X% of owner’s equity, charter capital, available capital…). The company wishes and is willing to accept the risk level as…(Y currency unit/Y% of owner’s equity, charter capital, available capital…Y is usually smaller than X). When the risk level faced by company exceeds …( Z currency unit/Z% of owner’s equity, charter capital, available capital…), the company must consider the appropriate response measures to reduce such risk level

...

...

...

Form 2

The company can also use the form of risk appetite statement, including the desired levels and is willing to accept the risk of the company for each type of risk. For example:

Contents of risk

Risk acceptance levels

Low

Average

High

...

...

...

2

3

4

5

Risk of unstable income/revenue/profit

...

...

...

Risk of capacity to maintain financial/capital safety

Prestige risk

...

...

...

Level of credit rating

…

...

...

...

It is possibly to additionally explain about acceptance level of each type of risk and the relation with the company’s strategies and targets.

ANNEX 04

FORM OF RISK LIMIT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

The form of risk limit defines the risk limit and risk warning threshold for each risk. Depending on the company’s operational scale and need, the risk limit can be quantified and allocated to each operational department, job title, product, term, level of concentration of a position held…The departments/organizations and individuals must absolutely follow the assigned risk limit, not performing any activity which makes the risk value they face greater than the risk limit. When the risk value is greater than the risk warning threshold, take timely remedial measures as directe in order to ensure such value does not exceed the permissible threshold.

...

...

...

Department/individual taking risk.

Risk limit

Risk warning threshold

General risk

All company or portfolio of funds and entrusting customers

Operational departments…

...

...

...

Job title or staff …

Market risk

All company or portfolio of funds and entrusting customers

...

...

...

Operational departments…

Job title or staff …

Payment risk

All company or portfolio of funds and entrusting customers

...

...

...

Operational departments…

Job title or staff …

...

...

...

All company or portfolio of funds and entrusting customers

Operational department…

Job title or staff ……

...

...

...

Liquidity risk

All company or portfolio of funds and entrusting customers

Operational departments…

...

...

...

Job title or staff …

Other risks
(complete list)

All company or portfolio of funds and entrusting customers

Operational departments…

...

...

...

Job title or staff …

Chairman of the Board of Directors, the Member Board or the owner
Signature and full name

…, date ... month… year …
General Director
Signature and seal

...

...

...

 (Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

The general risk management procedure can consist of steps of identification, assessment, handling, monitoring of risk, stress testing and back testing. These steps of risk management form a repeated, flexible procedure and regularly reported, updated and completed to ensure the formulation of appropriate and effective risk management procedure.

Step 1. Risk identification

1. The identification of risks depends on the ground of company’strategies and policies on risk management business operation. The main types of risk faced by the companies are market risk, payment risk, operation risk and liquidity risk. The companies may face the concentrated risk, legal risk or others.

The basic types of risk are introduced in Annex 07 issued with this Regulation.

2. The company can use methods such as questionnaire, scenario analysis, incident investigation, assessment seminar, study of business procedures and factors affecting such procedures….to identify risks.

The relevant staff need to declare and register risks under the Form guided in Annex 08 issued with this Regulation. The Board of Executives needs to approve such risks (if rational) before conducting the next management steps.

...

...

...

4. The result of risk identification can be described as per the risk Form with information about name, risk limit, relevant parties of risk, method of risk assessment, risk monitoring and handling in the next steps. The risk Form is guided in Annex 09 issued with this Regulation.

Step 2. Risk assessment

1. The companies need to formulate and use appropriate method of assessment for risks they must face. There are two methods: qualitative method and quantitative method. Each method consists of different technical models.

2. The quantitative models, also called as model of risk value identification are used with priority to quantify risks. Such models can calculate and estimate risk values such as values of market risk, payment risk, operation risk, liquidity risk and other risks.

These risk values can be calculated in cash or percentage over capital or available capital.

3. The qualitative models are used to assess the risks which are unlikely or so difficult to quantify. For quantified risks, the qualitative model is also used as a supplemented one to provide more information for more accurate risk assessment.

4. The general result of risk assessment can be aggregated under the Form of result of risk assessment specified in Annex 10 issued with this Regulation. This Form of result allows the identification of priority level of each risk in company’s activities.

The detailed quantitative result for each risk is used with similar risk limits to plan the monitoring and handling of each risk accordingly.

5. The Board of Executives needs to calculate the general risk values for the whole company, paying attention to the correlation between risks upon calculation of general risk value.

...

...

...

a) The standard models specified in Circular No. 226/2010/TT-BTC dated 31/12/2010 and Circular No. 165/2012/TT-BTC dated 09/10/2012 of the Ministry of Finance.

b) The separate models of the companies must be approved by the State Securities Commission of Vietnam. The Annex 11 issued with this Regulation shall preliminarily introduce one quantitative model (VaR) actually used.

Step 3. Risk handling

1. After assessing risks, the companies need to apply appropriate procedures specified in writing to deal with risks encountered in accordance with the company’s policy and risk appetite.

2. General steps to choose and implement measures of risk handling:

a) Identification of applicable measures.

b) Assessment of advantages and disadvantages of each measure.

c) Selection and development of handling plan with responsibility for its implementation, progress, forecasting result, planning and resources review and assessment procedures.

d) Handling of risk under the selected plan. This procedure can be repeated and completed until the risk value is within an acceptable limit as per the company’s risk appetite.

...

...

...

a) Risk avoidance: Not doing any activity which can cause risk under handling. This method can lead to the narrowing of company’s operational scale and profits.

b) Risk reduction: Applying measures to reduce the impacts of risk on the company, reduce the potential risks or both.

c) Risk sharing: Transferring all or a part of risk to other subjects as regulation on risk in contract and purchasing insurance (if corresponding services) for business activities.

d) Risk acceptance: There is no measure to change the probability and impact of risk. The company must ensure adequate capital to cover losses from such risks.

Step 4. Risk monitoring/report

1. The companies need to monitor risks according to the priority from the result of risk assessment to have appropriate handling plan.

2. The level and frequency of risk monitoring must be corresponding to the importance of risk and effect of handling measures adopted by the company for risk management.

a) Periodically or at least weekly, the risk management officer needs to make risk reports he/she is in charge of to the Leadership in charge of risk management. The risk management officer needs to compare the risk value and level of calculated risk concentration with the allocated limits. Where the calculated value exceeds the warning thresholds or permissible limits, the risk management officer must explain and recommend the handling measures to the Leadership in charge of risk management.

b) Every week, the member in charge of risk management of the Board of Executives shall make the company’s general risk report, compare the risk value and level of calculated risk concentration with the approved limits. Where the calculated value exceeds the approved limits, the risk management officer must report to the Board of Executives, the Board of Directors, the member Board or the owner and explain the causes with the handling plan

...

...

...

Step 5. Stress testing

The stress testing is the assessment of potential losses likely happening to the company or the portfolio of entrusting customers upon unusual market volatility in presumptive situation.

1. The stress testing is an important component, a useful supplementary tool for calculating the risk values in the risk management.

The methods of risk value identification usually estimate the risk values in normal business conditions, thus the handling measures of risks are based on such estimates are not appropriate in particularly difficult conditions such as financial crisis or other disaster conditions.

The stress testing can help the companies to forecast their losses in particularly difficult conditions to have timely response plans and resources as needed.

2. The stress testing requires detailed study of characteristics of risk factors, both in terms of individual and general aspects and thorough understanding of relation between such risk factors.

3. There are 03 common methods of stress testing:

a) Method of historical scenario recreates the economic environments with particularly difficult conditions in the past to simulate great losses which the company may face in the future.

b) Method presumptive scenario can fully provide on the principle many aspects to simulate losses but such aspects are only theoretical and not practically proven.

...

...

...

Each of the above method can have different technical models. The companies can choose appropriate method and technical models.

Step 6. Back testing

The back testing is a technique to test the accuracy of quantitative risk model based on the comparison between the historical data and the general risk value calculated by the models at the same point of time. The quantitative risk models, for example the VaR model are usually very complex, using multiple mathematical assumptions and statistics, with many different parameters.

One of the techniques of back testing for VaR model, for example is to compare the VaR value calculated for one day with the observed loss value in the next day. Then, the difference between these two values must be consistent with the reliability of VaR model. Moreover, such difference must be independent in the sense that the model must adapt quickly to the changes of market conditions, thus the differences of today and tomorrow must be independent from each other. The companies can develop the techniques of back testing with the approaches consistent with their own conditions.

The back testing is a part of validation and risk management to ensure the risk management is increasing completed and consistent with the companies’ conditions market context. The summary of re-assessment is described in Annex 12 issued with this Regulation.

ANNEX 06

FORM OF RISK MANAGEMENT REPORT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

COMPANY …..
--------

...

...

...

No.: ……..(of official letter)
Subject: Risk management report

…….., date …. month …. year ….

RISK MANAGEMENT REPORT

Year/Half year: …..

To: State Securities Commission of Vietnam

Legal representative of company

Full name:                                 Tel:                               Email:

Leadership in charge of risk management:

...

...

...

I. Information about the company’s management and operation

No.

List

Description

1.

Board of Directors, member Board and Supervisory Board

Information about structure of Board of Directors, member Board; working process, number of years of experience in enterprise management and operation in the field of securities of each member of Board of Directors, member Board;

...

...

...

The list of members of the Board of Directors, the Member Board; job title or duties in the Board of Directors/ Member Board; management and operation experience at securities business organizations (number of years holding position as member of Board of Directors/ Member Board/Board of Executives); result of implementation (achievement/violation) at such organizations.

Listing criteria and conditions

Information about change of senior personnel in the last three (03) years in Board of Directors, member Board, Board of Executives and Heads of Departments

The average rate of change in the last three (03) years of a number of personnel changed in the year (reporting period)/number of personnel at the beginning of year (opening reporting period)

Information about internal operational rule of Board of Directors, member Board, supervisory Board and Board of internal operation and control, internal audit and other necessary rules for operation of the company.

Listing the issued documents (number, date/month/year) with brief description of content of documents (internal rules and operational procedures including asset allocation procedure, portfolio management procedure, fund management procedure…)

...

...

...

Detailing the implementation time, number of participants over the total participants; contents with required opinion and percentage of voting to adopt each content.

The findings in the reporting period of the internal control and internal audit department and competent management organs related to:

- Violation of regulations of law and regulations in the company charter; violation of regulations of enterprise law on manager’s obligations, failure to properly, completely and promptly exercise duties and responsibility, beyond authority in company management, control and operation; violation of regulations on management and use of seal;

- Allowing company to implement the operations and supplying products which the law has not permitted or guided.

Listing and specifying the companies’ way of handling and settlement, remedy and recommendations.

- Not publicizing relevant interests or permitting the implementation of contracts and transactions without approval from the Board of Directors, member Board or general meeting of shareholders.

...

...

...

Internal audit

Structure of internal audit

List of employees of internal audit department/or department performing function of internal audit; job title or duties; number of years working at securities business organizations, auditing/accounting organizations or state organs in the field of securities; result of implementation (achievement/violation) at such organizations.

Internal audit procedure

Attached

...

...

...

Listing and specifying the companies’ way of handling and settlement, remedy and recommendations.

3.

Internal control

Internal control structure

List of employees of internal audit department/or department performing function of internal audit; job title or duties; number of years working at securities business organizations, auditing/accounting/law organizations or state organs in the field of securities; result of implementation (achievement/violation) at such organizations.

Internal control procedure

...

...

...

Personal transations (number, value) between company staff with the funds and customers under the company’s management.

Listing

Findings in reporting period related to the internal control and internal controller

Listing and specifying the companies’ way of handling and settlement, remedy and recommendations.

4.

Structure of shareholders/capital contributors

...

...

...

Information about structure of shareholders/capital contributors

List of shareholders/capital contributor; ownership percentage; field of business of shareholders/capital contributor as capital contributing organizations/professional experience of shareholders/capital contributor as individuals

Findings in reporting period of the internal control department, internal audit department and competent management organs related to:

- Violation regarding cross-ownership relationship, contributed capital, exceeding limit of ownership and implementation of unapproved transaction under the provisions of the charter, or regulations of law

- Violation of management of shareholder book, rights, obligations and responsibility for shareholders/ capital contributors; organization of general meeting of shareholders (order, procedures for organization, minutes, resolution…)

Listing and specifying the companies’ way of handling and settlement, remedy and recommendations.

5.

...

...

...

List of disputes; overlapping of function, duty in decision making between the Board of Directors, the member Board, the Board of Executives and other departments

Listing and specifying the companies’ way of handling and settlement, remedy and recommendations.

6.

Board of Executives and management and operation

...

...

...

Description of specific duties and experience in management, operation and securities operations of each member

Listing the members of Board of Executives, duties, type of certificate of practice, experience in the field of securities (number of years of experience working at positions of securities business operation: brokerage, analysis, consultation, investment, asset management), result of implementation (achievement/violation) at such organizations.

Organizational structure of company;

Description of duties and personnel of each department.

Listing of departments, employees, type of certificate of practice (if any), job title.

The findings in reporting period of the internal control department and competent management organs related to:

- The Board of Executives, fund operator, head of departments and staff of company failed to fulfil their responsibilities and fully comply with regulations of law on enterprises and securities (including regulations of enterprise law on manager’strategies and policies on risk management obligations), operational procedures, rules and regulations in the company charter.

...

...

...

Listing and specifying the companies’ way of handling and settlement, remedy and recommendations.

7.

Operational and business activities

Supplied products (open-end fund, closed-end fund, real estate fund, exchange-traded fund and  exchange-portfolio fund

Listing the number of funds, type of fund, investment targets, number of investment management contract, number and type of entrusting customer (value of mobilized capital/net assets under management of each organization and individual).

...

...

...

Listing the investment items in subsidiary companies, joint-venture companies other long-term financial investment, details of business line and total investment value.

The findings in reporting period of the internal control department, internal audit department and competent management organs related to:

- Violation of regulations of law on company’s financial management such as capital borrowing for financial investment; capital lending, allocation of company’s capital to the relevant persons and other organizations and individuals in any form; improper investment in real estate

- Employees of company violate or have signs of violation of regulations of securities law on limit of interest conflict.

- Violation of regulations on information announcement.

- Violation of laws on rate of investment; type of investment assets; investment exceeding authority… and other regulations on establishment and management of closed-end fund, member fund, securities investment companies, open-end fund, real estate fund, exchange-portfolio fund…

- Violation of regulations on portfolio management operation and depository of entrusting customers’ assets.

- Regulations on securities investment consultation operation

...

...

...

The average growth rate of revenue in the last three (03) years.

Percentage (%)

II. Information about risk management system

No.

List

Result

1.

...

...

...

Members in charge of risk management and other members of risk management sub-Board (if any):

Name, position and detailed information on type of risk management certificate (see Note 03), number of years of experience in the field of risk management including working time, job title, responsibility, implementation result (achievement/violation if any)

Times of policy and strategy assessment and approval and risk management in the period

First time: Date…/month…/year …

Second time: Date…/month…/year …

….

...

...

...

Board of Executives

Name and position of member in charge of risk management; experience of risk management of member in charge of risk management

Name, position, detailed information on type of risk management certificate(see Note 03), experience in the field of risk management (number of working years, job position), responsibility, implementation result (achievement/violation if any)

Times of policy and strategy assessment and approval and risk management in the period

First time: Date…/month…/year …

Second time: Date…/month…/year …

...

...

...

Strategies and policies of risk management

Strategies and policies of risk management in company

Attached

Risk appetite of company and risk limit

Attached

...

...

...

Attached

Times of policy and strategy assessment and approval and risk management in the period

First time: Date…/month…/year …

Second time: Date…/month…/year ..

4.

Information technology infrastructure for risk management

...

...

...

Brief description (name of software, manufacturer, types of risk likely managed/controlled…)

5.

Risk management organization/personnel

Organizational structure and personnel of risk management department (if any)

List, names, functions, duties related to the risk management, type of risk management certificate (if any), number of experience years in risk management including working time, job title, responsibility implementation, result (achievement/violation if any)

...

...

...

List, names, main functions and duties and part-time functions and duties related to the risk management, type of risk management certificate (if any), number of experience years in risk management including working time, job title, responsibility implementation, result (achievement/violation if any).

The ratio of part-time/full-time risk management officers over the total officers of each department and the whole company.

Tỷ lệ Ratio

The findings in reporting period of internal control department, internal audit department and competent management organ related to implementation of risk management which is not good and inconsistent with the company’s actual investment and business.

Listing and specifying the companies’ way of handling and settlement, remedy and recommendations.

6.

...

...

...

Information on dissemination, training and report on risk management at company in the reporting period.

Listing the time of implementation, performer, content and attached documents

Report to the State Securities Commission of Vietnam on risk management

Listing the reporting time /content of report

7.

Risk management for entrusting customers’ portfolio

...

...

...

Coordinating with the entrusting customers in development of strategies, policies and procedures for risk management for portfolios under the company’s management

Sending the strategy, policy and procedure for risk management to fund/portfolio; Listing the time of meeting/discussion/update of information with entrusting customers

Times of review and updating of risk management policies and procedures.

First time: Date…/month…/year …

Second time: Date…/month…/year ..

Daily implementation of risk management

...

...

...

8.

Compliance monitoring

Times of inspection, review and assessment of efficiency of risk management of the internal control department and internal audit department.

First time: Date…/month…/year …

Second time: Date…/month…/year ..

The findings of the internal control department and internal audit department related to:

...

...

...

- Violation in risk management for company’s business activities (violation of policy, risk appetite, risk limit, risk management procedure..)

- Violation in risk management for funds and portfolios of entrusting customers (violation of policy, risk appetite, risk limit, risk management procedure..),

Number of times, listing

III. Quantitative reporting indicators

1. Total overdue receivables, including renewed overdue receivables (opening and closing period).

2.Total short-term investment value after risk adjustment (opening and closing period, see Note 04).

3. Profits annually distributed from the establishment year to the current year.

4. Time-weighted return ((TWR and twr, see Note 05), net asset value (NAV) of each portfolio, open-end fund under active management.

5. Money-weighted return (MWR and mwr, see Note 06), net asset value (NAV) of each closed-end fund, member fund, securities investment company under active management.

...

...

...

IV. Attached documents

1. Strategies and policies of risk management, risk appetite and risk management procedure of the company as stipulated in Article 9, 10 and 11 of this Regulation.

2. Internal rules and brief description in section I, II.

3. Other relevant documents (if any).

Our company undertakes that the above report is correct and complete and shall take full responsibility before law for its accuracy and completeness.

Note:

1. Only send documents with changes compared with the previous reporting period and indicate no change of such documents.

2. In biannual reports, the s of senior personnel change and average growth of revenue in the last three (03) years are understood that in the last two years and the first six months of the current year.

3. Some examples of risk management certificate: Financial Risk Manager – FRM issued by GARP, Professional Risk Manager – PRM issued by PRMIA or other appropriate certificates as required by the company

...

...

...

5. TWR is the Time-Weighted Return.

TWR_{kỳ báo cáo}= (1 + R₁) × (1 + R₂) × … × (1 + R_n) – 1

in which R_i is the rate of return at the times of defining value of net assets of fund, times of receipt/payment to entrusting customers. Use the rate of return with the log return by the formula:

twr = ln(1 + TWR) = log_e(1 + TWR)

Then: twr_{kỳ báo cáo} = twr₁ + twr₂ + … + twr_n

6. MWR is the Money-Weighted Return. Use the modified Dietz method to define MWR, then calculate the rate of return with the log return by the formula:

mwr = ln(1 + MWR) = log_e(1 + MWR)

...

...

...

(Signature and seal)

ANNEX 07

INTRODUCTION OF BASIC RISKS
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

I. Market risk

1. General introduction

a) The concept of market risk is specified in Clause 10, Article 2 of this Regulation. This is the type of risk regularly faced by the companies, especially in operations of investment fund management and portfolio management.

b) The market risk arises due to the change of price in the market with unfavorable trend under the impact of objective causes of market such as volatility in international market, volatility of market indicators, change of macro policies, interest volatility, bond interest, exchange rate…or due to activities in the market, for example business and financial result of an issuer likely leading to the reduction in shares of such issuer, or the sale of a large volume of securities of a shareholder in condition of local liquidity loss resulted in price reduction of such type of securities…The market risk can be divided into groups of risk such as interest risk, currency risk, securities price risk…

c) The companies need to follow the principles: The operational staff only carries out the investment transactions when clearly understand the financial products and define, assess, supervise and control the risk management related to such sanctions.

...

...

...

2. Policy on market risk management

a) The market risk is managed through separate policy on market risk management. This policy must define the scale (value) and risk level like occurring in each market state (as guided under Point c below), with the timely and appropriate response plan on the basis of balancing between the investment targets and market risk (risk acceptance level).

To develop a complete policy on market risk management, the following factors must be paid attention to: economic and market conditions; financial capacity; portfolio and investment structure of companies and entrusting customers. Such information must be continuously and regularly monitored.

b) The companies must have method for assessing and identifying the value in line with each market risk classification such as interest risk, currency risk, securities price risk (liquidity risk is also associated with the risk market but separated and managed separately in this Regulation). The identification of market risk value should be done in combination with the process of daily risk management of the companies. The scale (value) of market risk can be identified in the form of relative and absolute value. The absolute value is converted as per currency unit to show the underlying / volatility of portfolio and company. The relative value is calculated based on the standard indicator showing the profit volatility compared with expectation/average value of profits of portfolio and company.

The establishment of scale (value) of market risk must be done continuously and by various methods in accordance with the different presumptive situations as follows:

- With the presumption of normal market operation, one of the model identifying the market risk value regularly used as a VaR model which is introduced in Annex 1. This method is also combined with other statistical techniques such as EWMA (Exponentially Weighted Moving Average), GARCH (Generalized AutoRegressive Conditional Heteroscedasticity), EVT (Extreme Value Theory), PCA (Principal Component Analysis)… to give more reliable results.

- With the presumption of volatile market, the companies can apply model of stress testing to define the underlying market risk in unexpected and unusual situations of market or the whole economy in the country and abroad which can cause great loss to finance, personnel, material facility and information system…

c) The models and quantitative methods of risk management mentioned above must be regularly reviewed and re-assessed and tested in order to update and adjust parameters in the model to be consistent with reality.

The companies can use the Risk-Adjusted Performance Measure, RAPM to assess and compare the operation of individuals and asset management departments effectively and rationally. A number of examples of risk-adjusted performance such as Sharpe ratio, Jensen’s Alpha coefficient and Treynor ratio.

...

...

...

- Procedure for market risk management: needs to be established fully and comprehensively with the contents such as nature of market risk, grounds for risk identification, appropriate detailed structure of risk limit, information management system for control and supervision and report on market risk…

- The risk management system need to define levels of volatility of market; scale and underlying severity of loss corresponding to each level; possibility of risk occurrence and resilience. The parameters to identify the risk scale must be daily tested and adjusted to ensure the consistency with the portfolio structure and volatility of factors generating the market risk.

- The risk management procedure and system are managed and implemented by the risk management department and relevant departments (investment, analysis…).

3. Handling of market risk

The control and handling of market risk are of great importance and complexity. The design of a policy to reduce the market risk usually accompanies with the design of investment policy. A number of methods can be used to reduce the market risk are:

a) Selective hedging: This method usually choose a number of unwanted market risks for reduction by using the hedging tools, usually long and medium term.

b) Temporary hedging: This method is usually used in case of occurrence of short-term market incidents.

c) Capital adequacy assurance to cover the market losses possibly occurring (for the company’s market risks).

d) Compliance with regulations of law, the company’s policies and procedure for risk management

...

...

...

II. Payment risk

1. General introdcution

a) The concept of payment risk is specified in Clause 9, Article 2 of this Regulation.

b) The payment risk is the risk arising when the partner does not want or is not able to follow its commitments in contract resulted in certain financial losses. The payment risk can arise from transactions in and out of the balance sheet or upon implementation of financial tools such as derivative securities or partner’s failure to make timely payment of contributed capital for share purchase or transfer of securities delinquently as committed…The payment risk usually occurs separately or with accompanied market risk and relevant risks. Thus, the management of payment risk needs to be done uniformly and is the constituent of common risk management policies.

2. Payment risk management policy

a) The payment risk management policy includes the limit of total payment risk, total of maximum receivables and loans, payment risk thresholds; responsibility and obligations of relevant departments (transaction departments and departments approving, maintaining and managing the receivables; decision authority for payment limits; standard of payment risk acceptance and acceptable securities collateral.

- The payment risk acceptance level must be consistent with the risk acceptance level and business targets of each company, taking into account the company’s business cycle in the operational fields, business nature, portfolios and relevant risks of market segments.

- The credit risk management structure is established in accordance with the company’s model and nature to ensure the convenience for supervision, management and implementation of risk management. There must be procedures for control and supervision of payment risk levels, especially the separation between the department forming credit (investment/business department) and department monitoring and managing the payment risk.

- Supervision and control of payment risk are done through the credit financing procedure, risk reduction, supervision and re-assessment of receivables, classification of credit, customer/partner, provision appropriation, management and control of arising risks.

...

...

...

The receivables at risk are often managed as per each partner with close relationship with the two remaining components, for example the probability of default from partner, history of debt repayment of such partner and debt recovery rate from partner…

The probability of default from partner is often calculated by the credit rating coefficient of such partner. This coefficient can be provided by third parties or calculated by the company itself as per its own model.

The debt recovery rate is a very significant factor of loss distribution of payment risk. This rate changes as per the priority, guarantee level, economical cycle and bankruptcy law in the host country. This rate is difficult to estimate, has great difference and is affected by the business cycle.

On the basis of loss distribution, the company can estimate the risk value using the quantitative models such as VaR model, stress testing and other statistical calculation models.

3. Risk handling

The company must ensure the payment risk is appropritately dispersed. The payment risk management procedure must have risk limit associated with each partner so that such risks do not threaten the company’s healthy financial condition. A number of methods of payment risk handling are:

a) Using the clearing agreements, including bilateral clearing and centralized clearing (multilateral) to reduce debt risk;

b) Requiring partner to deposit/mortgage assets;

c) Limiting debt for partner especially the one with low credit.

...

...

...

dd) Requiring the guarantee of a third party in case of loss.

e) Using the relevant derivative products (if any in market) such as CDS (Credit Default Swaps), CLN (Credit-Linked Notes), TRS (Total Return Swaps), Credit Options, CDO (Collateralized Debt Obligations).

III. Operation risk

1. General introduction

a) The concept of operation risk is specified in Clause 6, Article 2 of this Regulation.

b) The operation risks arise during operation and service supply at the company. The causes may be the limit of internal procedure and human factors during implementation, incompatibility of system, other objective causes or losses in business resulted in shortage of business capital and losses for the company.

The operation risk consists of: (i) risk of information technology system (IT risk). The causes are the incompatibility of system or technical errors incidents resulted in the failed or interrupted transactions. The IT risk needs to be identified for all dangers and losses appearing in IT system such as intranet, internet, external connection port, hardwares, softwares, applications or human factors. The IT security risks also should be concerned to ensure the security and integrity of system; (ii) Security risk in the operational areas, system security, electricity, fire and explosion safety and other risks that can occur (iii) Risks due to inconsistent implementation of procedures with the company’s internal regulations and operational structure resulted in the inaccuracy in establishing the risk management system.

2. Policies on operation risk management:

a) Formulation of liquidity risk list including the frequency and severity of each risk.

...

...

...

The risk level related to the IT system directly related to the operation and services provided for customers needs to be quantified and analyzed regularly. Where the specific risks are not quantified, such risks must be identified through steps of knowing about their underlying effect and possible reverse outcomes. The risk management is the first priority, then followed by the cost-benefit analysis and implementation of decisions to reduce risks.

c) Review, updating and assessing risks. When developing and designing IT system, the risk management system integrated into this system should be taken into account in order to reduce costs and raise the effectiveness of risk management procedure. The inspection, monitoring and network security measures should be carried out regularly. The company should pay attention to the security of data, system and customers’ information.

d) Formulation of result of operation risk assessment.

3. Risk handling

For each type of risk identified and analyzed, there must be measures to reduce them and plan for management and handling in line with the requirement and risk tolerance level. This management must include the active assessment of loss and damage in case the risk factors become true. The costs of risk management should be calculated, balanced to be consistent with the benefits and efficiency from the risk management.

A number of methods can be used to reduce the operation risk, including:

a) Operation risk not as purely financial risk. Depending on the specific characteristics, the company should have appropriate risk management plan.

b) The company must ensure all members must strictly comply with policies and strategies of risk management in particular and other regulations in general to limit the arising errors and reduce losses from operation risk.

c) The company must develop a provision plan for emergency situations and can use the model of stress testing to ensure the continuity of business activities. This provision plan must prepare necessary resources including but not limited to personnel, finance and information system ready for difficult conditions such as natural disasters…;

...

...

...

- All internal activities and procedures for operational processing, including IT system and other supporting systems;

- Operations possibly at risk and ways of handling and reduction of such risks.

- Needs of an early warning system to allow company’s effective intervention and prevention of risk.

dd) For outsourcing activities (if any), the company must ensure its partners absolutely follow the company’s relevant policies and procedures. The company must not provide services and sell products on the internet without necessary control measures and network security assurance.

IV. Liquidity risk

1. General introduction

a) The concept of liquidity risk is specified in Clause 8, Article 3 of this Regulation.

b) The liquidity risk arises when the company or its customers meet difficulties in cash flow and face the insolvency resulted in early asset disposal with transfer of losses in books to losses in fact due to the failure to dispose their assets at the current market price or to maintain the cash flow in line with their investment and business targets. The reasons may be due to the depth, breadth of market. For example the disposal of a type of securities with large volume can affect or lead to the lower price in the market.

The liquidity risk can be regarded as a part of market risk.

...

...

...

c) Short-term liquidity includes the daily needs of cash with general business conditions. When studying the long-term liquidity, it is required to consider the possibility of occurrence of unusual bad business conditions and the value of assets cannot be implemented with current market price.

2. Policies on liquidity risk management:

- In the policies on liquidity risk management, the company must define the actual cash flow and value of liquidity risk during the time of asset holding and investment. The value of liquidity risk is defined on the basis of sensitivity analysis and price volatility of the portfolio at any time during the holding period.

To identify the price volatility in each point of time of the holding period of time, the company can use the extrapolation method. The company also needs fully understand and know about market and is able to identify the value of market risk level. All main market risks whose value must be identified and aggregated on the basis and possible widest scope.

- A number of calculating tools of liquidity risk can be, including:

a) Liquidity rates from financial statements.

b) VaR (Value at Risk) introduced in Annex 08 of this Regulation.

c) LaR (Liquidity at Risk) operated similarly to VaR to define the cash flow related to the assets and obligations to pay debt in and out of the accounting balance sheet. The LaR models are under development and completion.

d) Assessment done on the basis of difference in cash in and out, term, exchange rate and derivative products…

...

...

...

3. Risk handling

A number of methods can be used to handle and reduce the liquidity risk, including:

a) The company should make plan to ensure the liquidity, including:

- Continuously monitoring debts and analyzing the company’s solvency.

- Identifying the current financing possibilities, negotiation of loan commitments and financing possibilities within corporation and company.

- Regularly reviewing and inspecting the above financial capacity/cash flow in both general conditions and special conditions.

- Identifying limit norms for some markets or products or diversity of investment products to ensure the limit of deficit of cash flow and capacity of additional capital mobilization to cover the temporary shortage of business capital;

d) The company needs to implement activities in order to control the cash flow, particularly:

- The difference between the cash flow in and out of assets and debts.

...

...

...

- Monitoring of assets with high liquidity and potential cost quantification and financial loss to be accepted upon required rapid sale of assets.

- The cost of financing and identification of other financial tools with corresponding costs.

c) Establishment of centralized and dispersed limits for both assets and debts in the balance sheet, limit of difference of cash flow in and out, financial leverage rate…Regular review and adjustment of such limits to ensure the company’s compliance without exceeding such limits.

d) Stress testing for bad cases possibly occurring. The past scenarios when the company suffered great losses due to bad liquidity can be followed or other presumptive scenarios.

dd) Having appropriate management plan, especially in the frozen market conditions.

e) Use of deposit and collateral with appropriate liquidity.

f) Maintaining the available capital to cover the loss of liquidity possibly occurring.

V. Other risks

Besides the main risks mentioned above, the company can face the following risks. Each type of risk has different methods to identify, assess, monitor and handle. In many cases, these risks can be integrated with each other or other types of risk faced by the company. The company must develop the management policies and procedures consistently with such risks.

...

...

...

The legal risks occur when a contract can not be implemented due to legal reasons. The legal risks also happen when the company fail to comply with legals regulations and operational rules and procedures… for example risks occur when the company supplies the fund and portfolio management services to customers or caries out its investment not in accordance with portfolio structure approved by the customers or the asset transaction of the Fund or the portfolio management operation is not suitable…The violation of regulation of law may be intentionally or unintentionally or other objective reasons (for example violation of regulation on investment restriction the cause of which is the market volatility and out of the company’s control or intentional violation of regulations of law on investment limit and structure or failure to separate the company’s assets with those of its customers.

Preventive measures: Establishing a legal department or hiring the legal consultation services for company to to ensure the contracts signed with its partners may be done. Controlling the activities of internal control department to ensure no violation of laws upon supply of services to the entrusting customers…

2. Transaction risks with relevant persons (insider trading risk)

Interest conflicts from the transactions with parent companies, the parties related to the persons practicing the fund management, the board of executives, company staff and partners having contractual relation with the company under the agreement on portfolio management services or with relevant persons banned from doing transactions under current regulations of law shall cause the insider trading risks).

3. Personnel risk

The personnel risks occur when there is a shortage of senior personnel or personnel having certificate of fund management practice resulted in difficulties or failure to maintain activities or risk from staff who do not follow internal rules (code of conducts about personal investment, regulation on access to internal information and information security, regulation on information allocation…) and rules of occupational ethics.

ANNEX 08

FORM OF RISK REGISTRATION
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

...

...

...

Department:

Information on risk

Risk description

Preventive action/risk handling

ID

Time of risk identification

Risk identified by

bởi Risk managed by

Risk description

...

...

...

Frequency assessment

Impact assessment

Priority assessment

Prevention/risk handling

Action origin

Action date

1

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

…, date ... month … year …
General Director
(Signature and seal)

ANNEX 09

FORM OF RISK
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

Risk details

Code of risk type

Unique code of risk type under the company’s classification

Code of risk subtype

Unique code of risk subtype

...

...

...

Proposal date

Risk description

Brief description of risk

Employee in charge

Employee in charge such risk

Risk assessment

Possibility of risk occurrence

...

...

...

Impact of risk

Description and assessment upon risk occurrence and approach used to identify such impact (financial analysis, forecasting analysis…)

Priority level

Description and assessment of priority level for identified risk

Risk handling

Risk prevention

Brief description of necessary activities to prevent such risks.

Risk handling

Brief description of necessary activities to reduce impacts upon risk occurrence

...

...

...

The parts of risk assessment and risk handling closely related to the risk management procedure

The attached documents (if any): List documents attached to this risk table.

…, date ... month … year …
General Director
(Signature and seal)

ANNEX 10

FORM OF RESULT OF RISK ASSESSMENT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

...

...

...

Impact

Very low

 Low

Average

 Major

Serious

Frequency

...

...

...

Average low risk

Average high risk

Serious risk

Serious risk

Serious risk

Remarkable possibility of occurrence

Average low risk

Average high risk

Average high risk

...

...

...

Serious risk

With possibility of occurrence

Low risk

Average low risk

Average high risk

Serious risk

Serious risk

Low possibility of occurrence

Low risk

...

...

...

Average low risk

Average high risk

Serious risk

Rare occurrence

Low risk

Low risk

Average low risk

Average low risk

Average high risk

...

...

...

- For example of risk frequency: The lowest frequency can be less than 01 time/1 decade, then 01 time/1 decade, 01 time in several years/1 year/month…to the highest frequency with several times/1 week.

- For example of impact level: Maybe from the lowest effect level with loss of less than 1% of portfolio value to the higher effect levels with loss of 3%, 5%, 10% of portfolio value. The loss level from 15% or more for example could be corresponding to the very serious effect.

…, date ... month … year …
General Director
(Signature and seal)

ANNEX 11

BRIEF INTRODUCTION VaR MODEL
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

I. Introduction

...

...

...

The VaR (Value-at-Risk) model is a method of identifying the maximum risk value (based on historical data or simulative data) possibly occurring with a certain probability in definite period of time for the companies or portfolio of entrusting customers in case of no abnormal market volatility.

The VaR is a model of risk quantification in cash often used to assess the risk of a portfolio. The result of such quantitive model, also called as VaR method is understood as the greatest forecast loss the company may undergo in a normal market condition, in a definite period of time with a certain probability.

2. For example

At the present time, the company has calculated the VaR of a portfolio to be 10 billion dong within 07 days with the probability of 99%. This is understood that with the probability of 99%, the loss of portfolio which the company may undergo in 07 subsequent days shall not exceed 10 billion dong. In other words, there is still 1% of possibility (also known as the reliability of 1%), the company may undergo a loss of over 10 billion dong.

Some notes in the above example:

- The value of 10 billion dong above is only an estimate value.

- 10 billion dong is not a greatest loss in all cases the company must undergo from the portfolio because there is still 01% of possibility of loss of over 10 billion dong.

- The probability and reliability are their complement or the total of these two quantities is 100%.

3. Advantages and disadvantages of VaR

...

...

...

VaR does not provide information on losses faced by the companies in particularly difficult conditions. Thus, the companies should carry out the stress testing in such conditions as a supplement for VaR.

II. Some basic VaR models

1. Analytical models

Assuming that the yield (R) during the study period (h day, as 07 days in the above example) complies with the standard distribution with the average value m and standard deviation s², or

R ~ N(m, s²)

If the market value of the present portfolio is S, the VaR in h day with the reliability a is defined by

VaR_h,a = -x_aS

In which x_a is the “lower percentile” of distribution N(m, s²), or the value the probability of R < x_µ  is µ. Generally, µ is relatively small (0 <µ< 0.1) and x_µ is also displayed in the form

x_µ = Z_µs + m

...

...

...

The analytical model has the advantage of being simple, easy to understand and perform. In case of shortage of past data, such distributions shall not be developed.

This VaR model is appropriate for low risk level and simplelevel. When the transaction positions in the portfolio become more complex or the relationship between the positions is non-linear, we need better VaR models.

2. Monte Carlo simulative model

This model can deal with a lot of disadvantages of the analytical model¸especially for the complex portfolios such as derivative portfolios. In general, the Monte Carlo simulative model is more reliable than the analytical model.

The Monte Carlo simulative model firstly defines the variables and parameters can affect the yield and next uses the simulative techniques (using the strength of calculation of computer programs) to create a lot of simulative results, each simulative result is associated with one value of company’s profit/loss. These simulative results shall create a distribution of profit/loss and VaR shall be calculated from such distribution.

The Monte Carlo model has a lot of advantages such as it can review a lot of risk acts in the market, deal with non-linear risks and complex financial tools no depending much from the past data. The Monte Carlo model used to have a disadvantage of too much calculation, but nowadays with the development of information technology, such disadvantage is increasingly negligible.

3. Past simulation model

This model is different from the above models on the characteristics that we do not assume anything about distribution of yield. Such data shall demonstrate which distribution is the most appropriate and VaR shall be calculated on such actual basis of distribution.

A variation of past simulative model is that the data which are close to present can be attributed to the larger number than the remote data, this model is called past-weighted simulation or weight average simulation.

...

...

...

One of the advantages of the past simulative model is that it is completely dependent from the past so it can not be done without data or with reliable data. The number of record of past data also affects the reliability of estimate value VaR.

ANNEC 12

BRIEF REASSESSMENT OF RISK MANAGEMENT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

The risk management play a very important role in the companies’ development. They have to re-assess their risk management particularly the risk management strategies, risk appetite, risk management policies and procedures to ensure the consistency with the companies’ reality and market conditions.

1.Parties related to the reassessment procedure.

The reassessment procedure is the same as the procedure for strategy and policy development and risk management procedure implemented by the Board of Executives and approved by the Board of Directors, the Member Board or the owner. The Board of Executives may assign the risk management department or establish an assessment group to carry out the reassessment which must ensure the standardization, quality and effectiveness. In this process, the group developing strategies, policies and procedures for risk management (development group) must be also involved and closely coordinate.

The relevant parties have their clear roles and responsibilities, the development group prepares all required documents and answers all questions of the reassessment group, provide data used to build the model if required. The reassessment group carries out the reassessment procedure including all stages of model management, uses appropriate methods and makes reassessment reports. The Board of Executives reviews the reassessment reports and documents, assigns the updating of relevant strategies, policies and procedures and submits them to the Board of Directors, the Member Board for approval.

2  Contents of reassessment

...

...

...

The risk appetite and risk limit have been stated and identified properly? It is necessary to change the method and update any parameter?

The risk management policies and procedures have any problem? The models of risk assessment need  any updating, adjustment or inspection? List all problems and give handling recommendations.

3. Reassessment documents

Such documents must include at least: Policies of reassessment framework, reassessment method, reassessment forms and reports and other relevant documents.

1 Specify responsibility and obligation related to risk management (risk in operation of company/risk in operation of fund (specify name of fund)/risk in management of portfolio of customers), including: (i) development and approval for risk management policies, risk appetite; (ii) risk supervision; (iii) receipt of risk report/approval.

2 Specify name of operational department