
REAL-TIME RISK MANAGEMENT FOR CENTRAL BANKS USING OPEN SOURCE SOFTWARE

A proposed paper for the Bangko Sentral ng Pilipinas (BSP) conference entitled:
Contemporary Changes to Monetary Policy

Abstract

An effective way to evaluate risk is to track risk parameters in real time.
“Real-time risk management” is a term we shall coin to refer to risk
management software systems that could give a snapshot of risk at any particular
time. Real-time views of risk are most efficiently captured via highly efficient
software systems. Central banks should start looking at Open Source Software
(OSS) to address their risk management needs if they are to keep pace with
technological breakthroughs in Information Technology (IT) and Computer
Science. These breakthroughs could be used to the central banks’ advantage.
The Bangko Sentral ng Pilipinas (BSP) can and should be an example of a
modern central bank that is able to use modern open technology in risk
management. If there is one task in a central bank where open source software
can be of great use, it is in risk management. Basel II and Basel III provide a
framework and a set of parameters that measure risk. These risks should be
measured in real time. In other words, the snapshot of risk should be able to
show up-to-date (to the minute or hour) risk measurements. OSS and open
technology platforms provide an answer to measuring risk in real time.

Carlo F. Florendo
Business Development Manager
Astra Japan Corp.
Tama-shi, Tokyo, Japan
carlo@astra.ph

Contents

1 Introduction
2 A Few Observations
3 A Modern Risk Management Operations Center for the BSP
4 Opensource Software for BSP Risk Management
4.1 The Best Operating System for Risk Management
4.2 Enterprise Database System
5 A Proposed System
6 Conclusion

1 Introduction

It is probably high time for the banking regulation world to look outside
the box and consider state-of-the-art software technologies to enable
real-time risk management, not to replace but to augment traditional risk
management processes. Our observation suggests that contemporary risk
management consists mostly of regression analysis or some of its exotic
variants, event studies, or analytic formulas derived from principles of
stochastic calculus. Some of the literature has gone as far as to suggest the
use of wavelets[1] (Saquido, 2007) to predict expected returns or the use of
Markov models[2] (Ahrens, 1999) to determine whether or not a recession shall
take place. These works definitely contribute to the wide body of knowledge in
finance but there is one single problem with all of these:

Every single one of these methods uses historical data that is applied to a
probably obsolete risk modeling technique.

Historical data is useful for modeling but hardly could be useful to day-to-
day assessment of a bank’s health. We shall not posit whether it is useful
to analyse a bank’s health on a day to day basis but it is certainly more
useful for a central bank such as the BSP to know the day’s state of a bank
or financial institution under its regulatory domain rather than to know how
it performed a month ago. The bank might have already folded up a week
ago. The Markov models, wavelets, and even the popular Capital Asset
Pricing Model (CAPM) are backwards-looking. These methods assume that
securities that have been previously risky will still be risky in the future. The
notion is actually mistaken and the methodology for such risk measurement
models is embedded in the Basel II and III frameworks.

To achieve real-time information for use in risk management operations, the
central bank must use technology that enables it to capture banks’ data in
real time. This means that the better indicator of a bank’s risk is the
measure of risk it has at the present time or at least in the recent past rather
than in the remote past. If historical performance is not a guarantee of
future performance, then it makes sense to confine history to recent history,
or “real-time” history.

[1] As a mathematical tool, wavelets are used in time-frequency signal
processing. They could extract information from many different kinds of
discrete data. Saquido (2007) attempts to use wavelets to analyze security
returns, treating returns as discrete signals.
[2] Markov Models are used to analyze dependent random events (i.e. events that
have a probability of occurring depending on what happened most recently).

Our argument begs the question: Before making a decision, will a regulator
give weight to a bank’s one century of stability or to its current state
today that suggests it may crash tomorrow?

The answer was given by (the collapse of) the 160-year-old Lehman
Brothers in September 2008.

2 A Few Observations

Up to now, Philippine banks have not fully implemented Basel II,
which is still useful but already outdated. Working drafts of Basel
III already exist and once Basel III is complete, banks will have to
take years to implement it again. When the next crisis comes, Basel III
will most likely be outdated. Yet Basel III seems to have been a knee-jerk
reaction to the US subprime crisis that started in 2007.

What the banking industry and regulators can utilize, not just learn, from
the technology sector[3] is that this sector is always at the state-of-the-art.
The technology world is so efficient in implementing new research and
development discoveries that obsolescence happens every six months. In the
software world, the fastest and most up-to-date software comes from the
Opensource world.

What the banks need is not massive investments in electronic and com-
puting infrastructure but investments in software and computer scientists –
computer scientists who know how to program and have the fundamental
knowledge in the formulation and implementation (i.e. programming the
actual software) of efficient risk management algorithms.

The technology world makes use of the most recent products that are the
result of up-to-date research and development. That’s the reason why
obsolescence happens every six months. Computers become more efficient all the
time: either the processor is faster or the fixed memory (i.e. hard disk) and
volatile memory (i.e. Random Access Memory or RAM) have larger capacity.
With faster processors and larger storage spaces, the market releases
computer software with more features all the time. This has been true since
the invention of the Personal Computer in 1981 but especially true starting
16 years ago, when Intel Corporation invented the Pentium processor at the
same time that the word Internet became a household word in 1996.

[3] In this paper, we shall confine this sector to technologies in the IT,
electronic, and electronic communication world.

The purpose of risk management is to avert problems, to know when they
are about to come, to forecast possible recessions, and to alert stakeholders
to take action when these problems arise. However, when these risk management
tools give their results, it is already too late and regulators, investors, and
credit raters already have the benefit of hindsight.

For crises with massive global impact such as the US mortgage crisis of 2007,
the scores given by credit rating companies to products of banks and other
financial institutions begin to lose meaning.

The Philippine banking system at large was not affected by the recent
global crises not because the banks were completely wise in their investments
but due to the conservative regulatory policies of the BSP. However, being
conservative in stance is compatible with deploying modern software.

The central bank could deploy a high performance database system that can
accept tens of thousands of data writes per second. The Opensource systems
that can be deployed for such a function are: PostgreSQL, MySQL, or SQLite.
In this way, banks can upload data in real time to these database systems (via
some web-based application).

The central bank could develop a web service that can be implemented by
banks no matter what type of software the banks use. The web service could
be accessible via the HTTP protocol. The HTTP protocol is the single most
widely used protocol on the Internet for the delivery of web services.

The security of this web service could be ensured with the use of the Secure
Sockets Layer (SSL) encryption protocols. The SSL standard is the virtually
unbreakable encryption protocol most widely used on the Internet today.
The presence of SSL is most obviously shown when website addresses start with
the https protocol designation. SSL is used by banks, governments, and
corporations.

The advantage of all these is that:

1. The BSP does not need to collate data submitted every day since the
program itself is the aggregator of the data.
2. The banks do not need to collate nor summarize data every day since
data collection and report generation is done real-time.

Thus, the BSP can save resources by focusing on risk managing rather than
collating.

3 A Modern Risk Management Operations Center for the BSP

A quick survey of the world’s most demanding organizations suggests
that, when it comes to high-performance calculation and high volume
data processing, open source software systems are one of the top
choices. The pace with which software technology and computer science
applications develop is faster than any technology in the world. For any
institution to be modern, it has to keep pace with, or at the very least use,
modern software technology.

The most efficient software risk managers understandably may not have an
extensive software background and thus may not be familiar with the many
available software tools and systems that could help them in their jobs. For
example, how shall a risk manager determine whether the 100 banks under
his wings comply with Basel II requirements for a particular item in the main
Basel pillars? A computer scientist can answer that question with an actual
computer program.

Take for example the Credit Conversion Factor (CCF) in Basel II.[4] The
CCF converts the amount of a free credit line and other off-balance-sheet
transactions, with the exception of derivatives, to an EAD (exposure at
default) amount. This function provides the basis for calculating the total
EAD.[5]

[4] We take this as an example because of its easy implementation into a
computer program.
[5] SAP, “http://help.sap.com/saphelp_banking70/helpdata/en/61/be74de95ab4b4189e2363c984be732/content.htm”

The actual program to calculate CCF may look like this:

#define TRUE 1
#define FALSE 0

/* This function determines whether a commitment is for automatic cancellation */
extern int for_automatic_cancellation(int commitment_type_id, int commitment_id);

/* This function gets the current credit rating of a given borrower */
extern int get_current_credit_rating(int borrower_id);

/* This function gets the required credit rating for a given borrower
   to remain credit worthy */
extern int get_credit_worthy_rating(int borrower_id);

/* This function gets the maturity of a commitment */
extern int get_maturity(int commitment_type_id, int commitment_id);

/* This function transforms an identifier into an equivalent real number */
extern float XFORM_TO_FLOAT(int id);

/* This function gets the Credit Conversion Factor specified in
   Section 13 of Basel II

   Parameters:
     borrower_id: the borrower identifier
     commitment_type_id: the type of commitment identifier
     commitment_id: the commitment identifier
   Returns: The borrower's credit conversion factor based on the
   commitment */
double get_CCF(int borrower_id, int commitment_type_id, int commitment_id)
{
    float current_credit_rating;
    float required_credit_rating;
    int is_borrower_credit_worthy;
    double CCF = 0.0; /* credit conversion factor */

    current_credit_rating =
        XFORM_TO_FLOAT(get_current_credit_rating(borrower_id));
    required_credit_rating =
        XFORM_TO_FLOAT(get_credit_worthy_rating(borrower_id));

    is_borrower_credit_worthy = FALSE;
    if (current_credit_rating >= required_credit_rating)
        is_borrower_credit_worthy = TRUE;

    /* The three cases are mutually exclusive, so they form a single
       if / else if / else chain; otherwise the maturity test would
       overwrite the 0.0 assigned to a cancellable commitment. */
    if ((for_automatic_cancellation(commitment_type_id, commitment_id) == TRUE)
        || (is_borrower_credit_worthy == FALSE))
        CCF = 0.0;
    else if (get_maturity(commitment_type_id, commitment_id) <= 1)
        CCF = 0.20;
    else
        CCF = 0.50;

    return CCF;
}

This program could be further modified such that the CCF can be entered into the BSP
risk management system database automatically. Thus, a risk manager will always have
an up-to-date view of a bank’s creditworthiness. There will be no need for him to spend
so much time in data collation.

4 Opensource Software for BSP Risk Management

Opensource software is a viable solution for use in central bank risk management.
In its most basic sense, Opensource software is the type of software where the
software license specifies that the code is freely available for anyone to modify
without restrictions and that those who modify it must make these modifications
available to anyone who requests them. The operative phrase here is “free to modify”,
not necessarily free from cost. The single largest mistaken notion on Opensource
software is that one does not need to pay anything to use it. This is true most of
the time but it is not always the case. There are many variants of Opensource
software licenses but the fundamental characteristic, “free to modify”, is always
present.

4.1 The Best Operating System for Risk Management

The most stable and mature modern operating systems in the world are variants of the
UNIX Operating System (OS). The world’s most widely used implementation of UNIX
is the Linux Operating System or simply Linux. UNIX and Linux can be used
interchangeably since the latter is an implementation or a variant of the former.

The Federal Reserve uses Linux and even recommends it.[6]

With a Linux Operating System, the risk for virus infection for the entire system is almost
zero. The reason is that UNIX, on which Linux is based, was designed with security very
much in its core. UNIX was designed for high performance, stability and security for use
in research institutions. The US Department of Defense (DoD), which had and still has
research and development departments for advanced defense and encryption technology, was
one of the early users of UNIX. The DoD uses Linux and various Opensource systems to
keep its systems modern and state-of-the-art.[7] The US National Security Agency (NSA),
the cryptologic intelligence agency under the DoD, signified its discontinuation of
support for Windows XP. It currently supports Linux.[8]

[6] SR 04-17, Board of Governors of the Federal Reserve System, Division of Banking
Supervision and Regulation, December 6, 2004. The Annex to the SR 04-17 indicates that
“The use of free and Opensource software is increasing in the mainstream information
technology (IT) and financial services communities...”

The New York Stock Exchange, the world’s largest stock market, uses Linux for its trading
platform.[9] If the BSP uses UNIX in its risk management software systems, the system
can run for several years without the need to shut down the machines and servers that
run the systems. In Linux, the systems can be updated (i.e. the installation of security
patches or optimization upgrades) without shutting down or rebooting the machines. In
this case, downtimes can be minimized and the risk management system can be accessed
at any time. It is practical however to shut down machines once in a while for hardware
maintenance and cleaning. Other than for these reasons, the machines do not need to be
shut down.

4.2 Enterprise Database System

The most widely used Opensource enterprise database systems are MySQL and
PostgreSQL. These two database systems support multi-user configurations and are designed
for accessibility via computer networks. The author has implemented programs using these
database systems for various Enterprise Resource Planning (ERP) software.[10] Another
lightweight and high speed database system is SQLite. The author also has experience
with SQLite databases that could perform update operations over two (2) million
records in a fraction of a second.

If the BSP in the future shall consider deploying a risk management operations center that
captures real-time data, MySQL or PostgreSQL running under Linux can provide a very
stable system that can store millions of data writes (from banks)

[7] Open Technology Development (Roadmap Plan), Advanced Systems and Concepts,
Herz JC et al, US Department of Defense, April 2006
[8] National Security Agency,
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
[9] PC World, How Linux mastered Wall Street, August 16, 2011
[10] ERP software automate the accounting, finance, manufacturing and purchasing
operations of an organization in one piece of software.

5 A Proposed System

Here is the structure of the proposed web service for BSP risk management
operations using ideas suggested in this paper:

1. The BSP shall publish a webservice that shall implement functions of this type:

submit_data(bank_id, parameter_name, parameter_value);
submit_data(bank_id, parameter_set, parameter_value_array);

The first function supports the submission of one parameter to the BSP risk
management system while the second one supports the submission of multiple
parameters to the system.
The actual call via HTTP could be:

http://www.bsp.gov.ph/banking/risk-management?bank_id=x&parameter_name=y&parameter_value=z
http://www.bsp.gov.ph/banking/risk-management?bank_id=x&parameter_set=y&parameter_value_array=z

2. The banks shall call the preceding functions via HTTP to submit any value that
the regulators require.
3. The BSP shall select an Opensource enterprise database system (e.g. PostgreSQL
or MySQL) to accept the data submissions.
4. The BSP shall host the database (and its corresponding interface system via a web
application) on a Linux platform.
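
The server side of the single-parameter submit_data call from the list above, as an added example that is not code from the paper or from the BSP: it validates every field of the request and stores the value with a bound-parameter INSERT. The allow-lists, table layout and the SubmissionError name are assumptions, SQLite stands in for the PostgreSQL or MySQL store, and the example requires the https scheme (TLS, the successor to SSL) where the sample URLs show http://.

```python
import math
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed allow-lists (assumptions): registered banks and accepted parameters.
KNOWN_BANKS = {"1001", "1002"}
KNOWN_PARAMETERS = {"ccf", "ead"}
FIELDS = {"bank_id", "parameter_name", "parameter_value"}


class SubmissionError(ValueError):
    """A submit_data call that failed validation."""


def open_store():
    """In-memory SQLite stand-in for the PostgreSQL/MySQL store."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE submissions (bank_id TEXT NOT NULL,"
        " parameter_name TEXT NOT NULL, parameter_value REAL NOT NULL,"
        " received_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)"
    )
    return db


def parse_submission(url):
    """Validate one single-parameter call; return (bank_id, name, value)."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # plain http would expose the figures in transit
        raise SubmissionError("submissions must use https")
    query = parse_qs(parts.query, keep_blank_values=True)
    # Reject missing, extra or repeated fields instead of guessing which to use.
    if set(query) != FIELDS or any(len(v) != 1 for v in query.values()):
        raise SubmissionError("expected exactly one value for each field")
    bank_id = query["bank_id"][0]
    name = query["parameter_name"][0]
    if bank_id not in KNOWN_BANKS:
        raise SubmissionError("unknown bank_id")
    if name not in KNOWN_PARAMETERS:
        raise SubmissionError("unknown parameter_name")
    try:
        value = float(query["parameter_value"][0])
    except ValueError:
        raise SubmissionError("parameter_value is not a number") from None
    if not math.isfinite(value):  # float() also accepts "nan" and "inf"
        raise SubmissionError("parameter_value must be finite")
    return bank_id, name, value


def submit_data(db, url):
    """Store a validated submission with bound parameters, not string-built SQL."""
    bank_id, name, value = parse_submission(url)
    with db:  # commit on success, roll back on error
        db.execute(
            "INSERT INTO submissions (bank_id, parameter_name, parameter_value)"
            " VALUES (?, ?, ?)",
            (bank_id, name, value),
        )
    return bank_id, name, value
```

Identifying the caller by bank_id alone does not authenticate it; this example assumes the submitting bank is authenticated before the request reaches submit_data.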

6 Conclusion

Perhaps a multidisciplinary approach to the BSP’s risk management needs to be
considered. A first step at this multi-disciplinary approach could be the inclusion
of computer scientists in the implementation of software risk management systems.
Computer scientists, who are designers and writers of software, are trained to look at
problems, whatever the problems are, from an optimization point of view that can be
translated into a usable computer program. That’s one reason why the best individuals
who write computer programs are the computer scientists themselves, who write for
different problem domains including the banking and risk management domains.

To enable the BSP to accurately know of the health of the banking system, the use of
modern computer technology and Opensource software could be a new way of doing risk
management never done before by the BSP. The BSP is already seen as effective in its
conservative stance in banking regulations. Using real-time risk management shall enable
the BSP to have an accurate and up-to-date view of the banking system’s health.

References

1. Ahrens, Ralf “Predicting Recessions with Interest Rate Spreads: A Multicountry
Regime-Switching Analysis”, Center for Financial Studies, Taunusanlage 6, D-60329
Frankfurt am Main, Germany (http://www.ifk-cfs.de)
2. Andersen, Torben G.; Vega, Clara; Bollerslev, Tim; Diebold, Francis X. “Real-Time
Price Discovery in Stock, Bond and Foreign Exchange Markets”, NBER Working
Paper No. W11312.
Available at SSRN: http://ssrn.com/abstract=720403, May 2005
3. Aquino, Rodolfo Q. “A Variance Equality Test of the ICAPM on Philippine Stocks:
Post Asian Financial Crisis Period”, Applied Economics, vol. 38, issue 3, pp.
353-362, 2006
4. Bernanke, Ben and Kuttner, Kenneth N. “What Explains the Stock Market’s Reac-
tion to Federal Reserve Policy?”, The Journal of Finance 60 (3), 2005
5. Blanchard, Olivier “Introduction to Macroeconomics”, 4th ed., 2006
6. Chollete, Loran “The Propagation of Financial Extremes: An Application to Sub-
prime Market Spillovers”, Norwegian School of Economics and Business Adminis-
tration (NHH), and Norwegian Central Bank, December 15, 2007
7. Chulia-Soler, Helena; Martens, Martin; van Dijk, Dic “The Effects of Federal
Funds Target Rate Changes on S&P100 Stock Returns, Volatilities and Correla-
tions”, ERIM Report Series Reference No. ERS-2007-066-F&A, Available at SSRN:
http://ssrn.com/abstract=1098992, June 15, 2007
8. Engelmann, Bernd and Rauhmeier Robert (Editors), “The Basel II Risk Parame-
ters; Estimation, Validation, and Stress Testing”, Springer Germany, 2006
9. Gerding, Erik F., “The Outsourcing of Financial Regulation to Risk Models and the
Global Financial Crisis: Code, Crash, and Open Source” Washington Law Review,
Forthcoming,
Available at SSRN: http://ssrn.com/abstract=1273467, March 01, 2009
10. Saquido, Amado “Wavelet Analysis and the Test of the CAPM in the Philippines”,
Ph.D. Dissertation, University of the Philippines, College of Business Administra-
tion, Diliman, Quezon City, 2007
11. Swire, Peter P., “A Model for When Disclosure Helps Security: What is Different
About Computer and Network Security?”, Journal on Telecommunications and High
Technology Law, Vol. 2, 2004. Available at SSRN: http://ssrn.com/abstract=531782
