Quyết định 428/QD-UBCK

DECISION

ON ISSUING REGULATION ON GUIDING THE ESTABLISHMENT AND OPERATION OF RISK MANAGEMENT SYSTEM FOR FUND MANAGEMENT COMPANY AND SELF-MANAGING SEPARATE SECURITIES INVESTMENT COMPANY

CHAIRMAN OF STATE SECURITIES COMMISSION OF VIETNAM

Pursuant to the Securities Law dated 29 June 2006;

Pursuant to the Law amending and supplementing a number of articles of Securities Law dated 24 November 2010;

Pursuant to Decree No. 58/2012/ND-CP dated 20 July 2012 of the Government detailing and guiding the implementation of some articles of the Securities Law and the Law amending and supplementing some articles of Securities Law;

Pursuant to Decision No.112/2009/QD-TTg dated 11 September 2009 of the Prime Minister defining the functions, duties, powers and organizational structure of the State Securities Commission of Vietnam directly under the Ministry of Finance;

Pursuant to Circular No. 212/2012/TT-BTC dated 05 December 2012 of the Minister of Finance guiding the establishment, organization and operation of fund management company;

Pursuant to Circular No. 227/2012/TT-BTC dated 27 December 2012 of the Minister of Finance guiding the establishment, operation and management of securities investment company;

Considering the recommendation of Director of management Department of fund management Companies and securities investment Funds

DECIDES:

Article 1. Issued with this Decision is the Regulation on guiding the establishment and operation of risk management system for fund management company and self-managing separate securities investment company.      

Article 2. This Decision takes effect from the signing date.

Article 3. Chief of Office, Director of management Department of fund management Companies, securities investment Funds, fund management Companies, self-managing separate securities investment companies and the relevant parties are liable to execute this Decision.

REGULATION

GUIDING THE ESTABLISHMENT AND OPERATION OF RISK MANAGEMENT SYSTEM FOR FUND MANAGEMENT COMPANY AND SELF-MANAGING SEPARATE SECURITIES INVESTMENT COMPANY
(Issued with Decision No. 428/QD-UBCK dated 11 July 2013 of the Chairman of State Securities Commission of Vietnam)

Chapter 1.

GENERAL PROVISIONS

Article 1. Scope of regulation and subjects of application

1. This Regulation guides the establishment and operation of risk management system in operation of fund management companies and self-managing separate securities investment companies (hereafter referred to as company) established and operating in Vietnam.

2. The Board of Directors, Member Board or owner of fund management companies or Board of Directors of self-managing separate securities investment companies and other relevant organizations and individuals are responsible for building the system, issue procedures, organize and supervise the risk management under the guidelines in this Regulation.

Article 2. Explanation of terms

In this Regulation, the following terms are construed as follows:

1. Board of Executives consists of Director (General Director), Deputy Directors (Deputy General Directors).

2. Valid copy is a copy certified in accordance with regulations of law.

3Entrusting customer means the funds, individuals and organizations entrusting their capital and assets to the fund management companies for management in accordance with regulations of law on securities.

4. Personal documents consist of information provision Form specified in Annex 1 issued with this Regulation, valid copy of ID card, Passport or other legal personal identification.

5. Risk are events which uncentainly occur during business activities causing loss of revenue, profits, capital, the material and other material and non-material damage or not achieving business target of the companies or target of entrusting customers.

6. Operation risks mean risk occurring due to technical errors, system errors and operational procedures, human errors during operation or due to short of  business capital incurred from expenditures and losses from investment or other objective causes.

7. Prestige risk means the risk the company must face in case of loss of prestige, trust and credit of investors and customers even in case of objective causes.

8. Liquidity risk means when the companies or entrusting customers cannot sell or convert the assets in the portfolio into cash with rational value due to liquidity shortage.

9. Payment risk means when the partners cannot make their payment on schedule or cannot transfer their assets on schedule as committed.

10. Market risk means risk occurred due to volatility of market value of assets and financial tools.

11. Compliance risk means the risk to be faced by the company in case the company or its employees breach or do not comply with regulations of law specified in the charter of company or fund charter, internal rules, operational procedures and regulations including regulations on occupational ethics.

12. Risk value is the risk corresponding to the loss degree likely to occur upon risk arising determined at a certain time and by a specific method. The risk value can be calculated for each risk, for the whole company, each department, operation or work position.

13. General risk value is the agggregated result of risk values for company or portfolio of entrusting customers. The risk aggregation must ensure all risks are fully calculated without duplication. In a simple linear model, the general risk value is equal to the total constituted risk values.

14. Risk appetite is the types of risk and risk levels which the company or entrusting customers are willing to accept to achieve investment targets. The risk appetite is shown both in quality and quantity, including the constituted risk appetite and general risk.

15. Risk limit is a maximum risk accepted by the company or entrusting customer. The risk limit can be allocated as per each type of risk for the whole company, each department, transaction, work position and entrusting customer.

16. Risk threshold is the value level established by the company for warning when the risk value approaches the risk limit. The risk threshold can be shown as per the absolute value (currency unit) or relative value (the percentage compared with risk limit).

17. Risk concentration state is a state concentrating mainly on one or a number of key risks whose losses can seriously affect the company.

18. Risk acceptance ability is the ability using the owner’s equity, expectation profits and financial resources available to offset at any time all key risks and underlying losses accepted by the company.

19. Available capital is the owner’s equity which can be converted into cash within ninety (90) days. The available capital shows the ability to be ready for offsetting losses whose risks can cause to the company.

20. Fund means the investment fund or securities investment company entrusting its capital to the fund management company for management, in which the term of member fund refers to the separate securities investment company.

21. Fund representative Board is the representative Board of securities investment fund and Board of Directors of the securities investment company entrusting its capital to the fund management company for management.

Article 3. Principles of building of risk management system

1. The risk management shall comply with the provisions in Clause 11, Article 24 of Circular No. 212/2012/TT-BTC dated 05 December 2012 of the Minister of Finance (Circular No. 212/2012/TT-BTC).

2. The fund management companies and self-managing separate securities investment companies shall carry out their risk management for their business activities under the guidelines in Chapter II of this Regulation.

3. Depending on the scale of operation, type and entrusting customer, the fund management companies shall carry out their risk management for the portfolio of entrusting customers as guided in Chapter III of this Regulation.

4. Annually, the strategies, policies and procedures for risk management of the company must be re-assess, adjust and supplement in accordance with the operational scope, scale and conditions of the company and market background.

5. Level, scale, scope and type of risk must be within the limit established and approved by the companies and entrusting customers. The decisions on risk management must be clear, rational and consistent with strategies, targets and financial capacity of the companies and risk acceptance level of the entrusting customers.

Article 4. Risk management system and risk management personnel

1. The companies must establish their synchronous, effective and comprehensive risk management system including the following components:

a) Organizational structure of risk management

The companies should set up their separate organizational structure of risk management, including components and personnel for activities of risk management, integrated and operated pararelly in the organizational and operational structure of the companies.

- Organizational structure of risk management must be consistent with the model, scale, operational scope and financial capacity of the companies; consistent with the scope, investment field, investment target and risk acceptance level of entrusting customers. The responsibility for coordination, monitoring, explanation and report on risk, processing plan approval and implementation is detailed to each work position and operational department, Board of Executives, Board of Directors and Member Board or owner in the whole organizational structure system of risk management.

- For work of risk management in business activities of the companies: The Board of Executives, Board of Directors and Member Board or owner shall decide the organizational structure system of risk management; approve and issue strategies and policies on risk management. The Board of Executives is responsible for inspecting, supervising and implementing risk management under the approved strategies and policies;

- For the risk management of the entrusted portfolio, including investment funds: The fund representative Board and the entrusting customers shall decide or authorize the fund management company to decide the strategies and policies on risk management. The fund management companies shall inspect, supervise and implement the risk management for the entrustment list, including investment funds.

b) Strategies and policies on risk management

The companies need to issue strategies and policies on risk management in order for the staff to know and apply consistently in their whole companies.

- The risk management strategies including the general risk management strategies and constituted risk management strategies in accordance with the guidelines in Article 9 of this Regulation;

- The risk management policies, including the risk management procedures shall comply with the guidelines in Article 11 of this Regulation.

- The strategies and policies on risk management must ensure the consistency with the organizational structure of risk management, scale and scope of operation, investment fields and types of investment asset of the companies. The strategies and policies on risk management are made in writing and kept at the head office of the companies and shall be provided for the State Securities Commission of Vietnam upon written requirement.

2. The members of Board of Directors and Member Board or owner in charge of risk management; members of Board of Executives in charge of risk management; head and operational employee of risk management department (if any) should have certificate appropriate with risk management or qualifications meeting requirements for risk management in accordance with internal rules the companies.

3. Within seven (07) working days, from the day of establishment or change or supplementation of staff of risk management, the companies must provide the State Securities Commission of Vietnam with the list under the form specified in Annex 02 issued with this Regulation enclosed with personal record of staff.

Chapter 2.

RISK MANAGEMENT FOR ACTIVITIES OF COMPANIES

Article 5. Responsibility of Board of Directors, Member Board or owner

1. The Board of Directors, Member Board or owner must establish and control the whole risk management system at their companies as follows:

a) Decide the organizational structure of risk management of their companies, including the constituted departments, organizations and personnel for risk management; duties, responsibilities and relationship in risk management of such departments, components and personnel.

b) Approve, issue and adjust strategies and policies on risk management of their companies;

c) Inspect, supervise and assess the compleness, effectiveness and effect of risk management system

2. The Board of Executives, Board of Directors and Member Board or owner must take all responsibilities before the general meeting of shareholders and Member Board for risk management.

3. Depending on operational scale, the Board of Executives, Board of Directors and Member Board or owner shall assign a member in charge of risk management or establish a risk management sub-Board. The structure, condition and criteria for personnel of such risk management sub-Board shall comply with the internal rules of the companies.

4. The members in charge of risk management or the risk management sub-Board (if any) must:

a) Make review and assessment before the Board of Executives, Board of Directors and Member Board or owner approve and decide issues related to the organizational structure of risk management; strategies and policies on risk management which the Board of Executives have drafted.

b) Inspect and assess the compliance with the risk management procedures of operational departments and staff; annually coordinate with the risk management department (if any), the internal auditing department (if any) and the internal control department to review and assess the completeness, effectiveness and effect of risk management system; report the operation and operational effectiveness of risk management done in the year to the Board of Executives, Board of Directors and Member Board or owner; recommend corrective plan of shortcomings and restrictions to improve the risk management system.

c) Analyse and give warning of underlying risks and risk precautions.

d) Give advice to the Board of Executives, Board of Directors and Member Board or owner in issuing strategies and policies on risk management.

5. In case of establishment of risk management sub-board, the Board of Executives, Board of Directors and Member Board or owner need to issue the operation rule of such sub-Board , including regulations on its rights and duties, meeting organization (regular and irregular), conditions, form of meeting, voting and adoption of sub-Board’s decision; minutes and sub-Board’s decision; mechanism of coordination and cooperation, share and security of information between the risk management sub-Board with other operational departments in their companies.

Article 6. Responsibility of Board of Executives

1. The Board of Executives shall take responsibility before the Board of Directors, the Member Board or the owner for the implementation of risk management, particularly as follows:

a) Prepare draft of strategies and policies on risk management to be submitted to the Board of Directors, the Member Board or the owner for approval and issue;

b) Implement strategies and policies on risk management after they have been approved and issued by the Board of Directors, the Member Board or the owner,

c) Supervise to ensure the implementation of risk management in accordance with the strategies and policies on risk management; the full compliance with regulations and procedures for risk management; personnel assignment in line with requirement and financial resources for risk management; regular updating and dissemination of knowledge and experience of risk management to the staff of companies.

d) Make quarterly report to the Board of Directors, the Member Board or the owner on risk management; assess the consistency, effectiveness and effect of risk management system, completeness of policies, regulations and procedures for risk management.

2. The Board of Executives shall assign one of its member to be in charge of risk management.

3. Depending on the operational scale, the Board of Executives can establish a risk management department or requires the internal control department to implement duties specified in Clause 4 of this Article. The personnel structure, conditions and criteria for personnel of the risk management  department shall follow the internal rule of the company.

4. The risk management department:

a) Studies, develop and prepare draft of strategies and policies on risk management for the Board of executives to submit it to the Board of Directors, the Member Board or the owner for approval and issue; builds internal models for risk management;

b) Aggregates information and supervise the operational department in implementation of risk management to ensure the underlying risks in activities of each operational department and of the whole company shall not exceed the risk appetite and risk limit; supervise the management of risk appetite and compliance with risk limit; directly implement the management of operation risk, prestige risk and compliance risk;

c) Defines, identifies, determines the quantity and tests the risk stress; controls underlying risks; allocates the risk management resources; implement and supervise the compliance with risk management policies and risk management procedures, daily risk settlement to ensure the compliance with risk management policies; receives, monitors and aggregate reports on risks and risk settlement from operational departments on market risk, payment risk; coordinates work of risk management between departments in the company;

d) On a monthly basis, makes report to the Board of Executives on issues related to risk management and risk limits exceeded and settlement solutions taken; makes the biannual report to the Board of Executives on operational effectiveness of risk management system of the company.

Article 7. Responsibility of the internal audit department and internal control department

1. The internal audit department must participate in risk management as stipulated under Point b and c, Clause 3, Article 9 of Circular No. 212/2012/TT-BTC.

2. The internal control department must participate in risk management as stipulated under Point c, Clause 1, Article 10 of Circular No. 212/2012/TT-BTC.

3. The internal control department shall directly (in case of no risk management department established) or coordinate with the risk management department to help the Board of Executives to ensure the risk management must comply with the approved policies and procedures for risk management and other regulations of law.

Article 8. Responsibility of operational departments

1. The operational departments shall:

a) Comply with the policies and procedure for risk management in all of their activities.

b) Aggregate information, analyse it and recommend the strategies of constituted risk management; coordinate the study of building of strategies and policies on risk management, recommend the underlying risk appetite and risk limit in their activities; formulate risk concepts, techniques of identification, determines the quantity (value) and establishment of limit of each constituted risk;

c) Control and supervise the risks occurring in operation at their department; report the risks to the Board of Executives through the risk management department (if any), recommend and carry out the risk settlement plan.

2. The heads of operational departments must directly implement or assign one or a number of experienced employees of their departments to be in charge of (full-time or part-time) of implementation of risk management in such departments; supervise and control transantions and operations of their departments in order to identify, prevent and manage the risks as per internal rules and operational procedures for risk management to ensure the consistency with the approved policies and risk appetite of the company.

Article 9. Strategy of risk management

1. The strategy of risk management is an overall risk management plan of the company drafted by the Board of Executives and approved by the Board of Directors, the Member Board or the owner. The strategy of risk management is then concretized by the risk management policies, including the risk management procedures daily performed.

2. The general risk management strategies and constituted risk management strategies include:

a) Mục tiêu quản trị rủi ro Targets of risk management;

b) Definition and classification of risk groups and constituted risk groups;

c) Basic principles of risk management;

d) Risk appetite and risk limit under the guidelines specified in Article 10 of this Regulation;

dd) Mechanism of organization of risk management includes the personnel organization, responsibilities and obligations of departments and personnel related to the risk management, the decentralized approval mechanisms of risk appetite, risk limit and risk settlement mechanisms.

e) Method of assessment and quantity of risk (as per standard model, internal model or both) and the principles of completion of such methods.

f) Method of risk settlement; fully and in detail defining the preventive solutions, mode of settlement; mechanisms of information aggregation, report and supervision of risk management activities.

3. The risk management strategies must be re-assessed periodically, at least once a year to ensure the consistency with business plan of the company and the actual context of the market.

4. The risk management strategies need include the contents to early detect and fully control the key risks to be submitted to the competent level of the company.

Article 10. Risk appetite

1. The companies need to define the risk appetite in the form of statement of risk appetite. The form of statement of risk appetite is carried out under the guidelines in Annex No.03 issued with this Regulation. The risk appetite of the company need to meet the following conditions:

a) Demonstrating the company's philosophy of risk, consistent with the principles, vision, core values, business strategy, objectives and business development of the company;

b) Demonstrating the willingness to accept the certain levels of risk to achieve the operational target of the company, particularly clearly identifying the acceptable types of risk and clearly identifying the acceptable risk value (if possibly quantified)

c) Fully covering the operations of the company, in the short term, average term and long term; consistently with the actual capacity of supervision and management of risk of the company, including the personnel, experience and technical infrastructure for risk management;

2. The risk appetite is established with the risk limit. The risk limit Form complies with the guidelines in Annex 04 issued with this Regulation. The risk limit can be quantified or defined by the qualitative method. Depending on the operational scale and needs of the company, the risk limit can be allocated to each business operational department, each type of product, length of term and concentration degree of a hold position…

3. To ensure no excess of risk limit, the Board of Executive must establish the risk thresholds which are lower than the approved risk value. In case of excess of thresholds, the operational department must notify immediately to the risk management department and the Board of Executives to have a settlement plan in a timely manner. The monitoring, supervision, report, explanation, approval and implementation of solution to risk settlement comply with the risk management procedures of the company.

Article 11. Risk management policies and risk management procedures

1. The risk management policies need to be developed in writing to ensure any individual and department in company can access, grasp and know well their duties in risk management of their company.

2. The risk management policies must be consistent with the risk management strategies and specific conditions of the company, including the business strategies and plans, organizational structure, professional levels of risk management, services and customers of the company. The risk management policies consist of the following contents:

a) The definition and classification of types of risk to ensure the full inclusion of underlying types of risk in operation of the company.  These types of risk are defined as per the risk management procedures guided in Annex 05 issued with this Regulation.

b) The risk appetite is allocated as per types of risk, management structure of risk appetite (procedures for monitoring, identification, assessment, explanation, consultation, report, approval and settlement), monitoring mechanisms of risk appetite (control of implementation of management of risk appetite, reporting form, reporting frequency, subjects reporting and receiving report), mechanisms of review and adjustment of risk appetite (review frequency, individuals and departments involved in review…).

c) The limit of each type of risk, procedures for establishment of risk limit, mechanism of management of risk limit (role, responsibility of individuals and departments related to the recommendation, establishment and adjustment of risk limits);

d) The method of general assessment and quantification of general risks and each constituted type of risk, standard model, internal model or combination of both as guided in Annex 05 issued with this Regulation;

dd) The structure of general risk management and constituted risk, including personnel departments involved in risk management; responsibility and obligations of each individual, department ensure that all risks shall be undertaken by individuals and departments, fully identified, strictly assessed and monitored, reported, consulted from relevant parties and explained to the competent level for timely approval, settled under the approved plan and in orders and procedures specified in the risk management procedure.

e) The risk management procedure consists of internal regulations in order to identify, determine the quantity (analyze and quantify if possible, test the risk stress and test back the chosen model), monitor, supervise (reporting regulation, risk reporting frequency, risk stress testing frequency), control, reduce, prevent and deal with the underlying risks.

f) The risk management procedure needs to be regularly reviewed, updated, adjusted in a timely manner to ensure high efficiency.

3. Depending on the operational scale and needs of the company, the risk management procedure can be developed for the whole company, for each constituted risk, operation, department or work position. The risk management procedure is guided in detailed in Annex 05 issued with this Regulation.

Chapter 3.

RISK MANAGEMENT FOR FUNDS AND PORTFOLIOS

Article 12. Mechanism of risk management

1. Except for cases specified in Clause 2 of this Article, the fund management companies shall develop the risk management strategies and policies for funds and portfolio of entrusting customers as guided in Article 13 of this Regulation and proactively implement the risk management procedure under the risk management strategies and policies in order to achieve the investment target within the scope, limit and field of investment specifiedin the fund charter, the investment management contract and other regulations of law.

2. The member fund representative Board and the entrusting customers in management of portfolio can decide by themselves the risk management strategies and policies for their member funds and portfolio. In this case, the fund representative Board can appoint a member in charge of the risk management of its fund or establish a risk management Board. The fund management company is responsible for implementation of risk management procedure under the approved risk management strategies and policies.

3. The employees operating funds and department managing assets for funds and portfolio of entrusting customers are responsible for monitoring, identifying, determining quantity and reporting to the risk management department (if any) and the Board of Executives on the underlying risks in the portfolio of funds and customers under the approved risk management procedure. In case of excess of risk thresholds, the company shall carry out the settlement plan to adjust these risks lower than such threshold. In case of excess of risk limits, the company is responsible for consulting the fund representative Board and the entrusting customers (if  the company has no right to decide) on dealing with arising risks and implement the settlement of risks under the approved risk management procedure.

Article 13. Risk management strategies and policies

1. The companies must develop the risk management strategies and policies in accordance with the investment targets, portfolio and types of fund, scope of investment, fund charter, management contract and risk acceptance level of the entrusting customers. The risk management strategies and policies must be regularly updated at least once a year to ensure the consistency with the actual conditions of market and asset list of funds and customers.

2. The risk management strategy, risk appetite, risk management policy for funds and portfolio of entrusting customers shall comply with the guidelines specified in Article 9, 10 and 11 of this Regulation.

Chapter 4.

INFORMATION REPORT AND STORAGE

Article 14. Report to the State Securities Commission of Vietnam

1. Every six (06) months, the companies must report to the State Securities Commission of Vietnam on their risk management activities, the funds and portfolio managed by their companies, enclosed with the biannual financial statement and annual financial statement reviewed and controlled by an acceptable auditing organization. The report must consist of the following main contents:

a) Information on management and operation of the company;

b) Thông tin về hệ thống quản trị rủi ro Information on risk management system;

c) Quantity reporting indicators;

d) Other attached documents.

2. The reporting form to be sent to the State Securities Commission of Vietnam is guided in Annex 06 issued with this Regulation.

3. The report and the attached documents are made into an original set with an electronic file to be sent to the State Securities Commission of Vietnam.

Article 15. Information storage

1. All documents related to the risk management, including the risk management strategies, procedures and policies, reports, minutes and resolutions of the Board of Directors, the member Board or the owners, the risk management sub-Board, the risk management department, decisions of the General Directors and other documents on risk management must be fully stored and provided for the State Securities Commission of Vietnam upon written requirement.

2. The time for document storage guided in Clause 1 of this Article is ten (10) years as stipulated in Clause 4, Article 40 of Circular No. 212/2012/TT-BTC.

Chapter 5.

IMPLEMENTATION ORGANIZATION

Article 16. Implementation organization

1. The fund management companies must complete the organizational structure and develop the risk management system in accordance with their companies, the funds and the portfolios under their management; issue the risk management strategies, policies and procedures and make report to the State Securities Commission of Vietnam before 31 March 2014.

2. The amendment and supplementation of this Regulation shall be decided by the Chairman of the State Securities Commission of Vietnam./.

ANNEX 01

FORM OF INFORMATION PROVISION FORM
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom – Happiness
---------------

INFORMATION PROVISION FORM

1. Full name:                                                                 Male/Female

Alias (if any):

2. Date of birth:

3. Place of birth:

4. ID Card Number (or Passport or other personal identification papers):

5. Nationality

6. Place of permanent residence registration:

7 Current residence:

8. Contact address (regular):

9. Tel, fax, email:

10. Educational background:

11. Qualification:

12. Occupation:

£ State official £ State officer            £ Other

13. Process of study and professional training:

Specify name of school, city and country where the school is located; name of learning course, time and name of diploma (specify diploma(s), training program related to criteria and conditions of title selected or appointed).

14. Working process (details of past occupation, position, job title and working result of each position/commendation, award and discipline if any).

15. Estimated job title in fund management company:

16. Current job title in other organizations:

17. Personal information of declarant:

I undertake that the above information is true and correct and shall take full responsibility for its contents

ANNEX 02

FORM OF LIST OF RISK MANAGEMENT STAFF
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom – Happiness
---------------

...., date... month... year ...

LIST OF STAFF OF RISK MANAGEMENT DEPARTMENT

To: State Securities Commission of Vietnam

We are:

- Company ... (official full name in capital letter)

- Establishment and operation Permit No.:…….issued on……….by the State Securities Commission of Vietnam

- Charter capital:

- Address of main office:

- Tel: .... Fax:...

We would like to announce the list of risk management staff as follows:

We undertake that the above information is true and correct and shall take full responsibility for its contents

ANNEX 03

FORM OF RISK APPETITE STATEMENT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

RISK APPETITE STATEMENT

The company can state its risk appetite in different forms. Below are the two examples of form of risk statement

Form 1

Company….is willing to accept the risk (high/average/low…) to achieve the targets (concretizing targets here). The maximum risk level which the whole company can tolerate is….(X currency unit/X% of owner’s equity, charter capital, available capital…). The company wishes and is willing to accept the risk level as…(Y currency unit/Y% of owner’s equity, charter capital, available capital…Y is usually smaller than X). When the risk level faced by company exceeds …( Z currency unit/Z% of owner’s equity, charter capital, available capital…), the company must consider the appropriate response measures to reduce such risk level

The company can make specific statements for types of risk such as reaching AAA credit rating, or make short-term statements (quarter/year) and long-term targets (3 years, 5 years…)

Form 2

The company can also use the form of risk appetite statement, including the desired levels and is willing to accept the risk of the company for each type of risk. For example:

It is possibly to additionally explain about acceptance level of each type of risk and the relation with the company’s strategies and targets.

ANNEX 04

FORM OF RISK LIMIT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

The form of risk limit defines the risk limit and risk warning threshold for each risk. Depending on the company’s operational scale and need, the risk limit can be quantified and allocated to each operational department, job title, product, term, level of concentration of a position held…The departments/organizations and individuals must absolutely follow the assigned risk limit, not performing any activity which makes the risk value they face greater than the risk limit. When the risk value is greater than the risk warning threshold, take timely remedial measures as directe in order to ensure such value does not exceed the permissible threshold.

ANNEX 05

 (Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

The general risk management procedure can consist of steps of identification, assessment, handling, monitoring of risk, stress testing and back testing. These steps of risk management form a repeated, flexible procedure and regularly reported, updated and completed to ensure the formulation of appropriate and effective risk management procedure.

Step 1. Risk identification

1. The identification of risks depends on the ground of company’strategies and policies on risk management business operation. The main types of risk faced by the companies are market risk, payment risk, operation risk and liquidity risk. The companies may face the concentrated risk, legal risk or others.

The basic types of risk are introduced in Annex 07 issued with this Regulation.

2. The company can use methods such as questionnaire, scenario analysis, incident investigation, assessment seminar, study of business procedures and factors affecting such procedures….to identify risks.

The relevant staff need to declare and register risks under the Form guided in Annex 08 issued with this Regulation. The Board of Executives needs to approve such risks (if rational) before conducting the next management steps.

3. After each risk has been identified, the Board of Executives needs to allocate its risk limit in accordance with the policy and risk appetite of the company and assign officer in charge (referred to as risk management officer). The member of in charge of risk management of the Board of Executives shall take care of the general risks.

4. The result of risk identification can be described as per the risk Form with information about name, risk limit, relevant parties of risk, method of risk assessment, risk monitoring and handling in the next steps. The risk Form is guided in Annex 09 issued with this Regulation.

Step 2. Risk assessment

1. The companies need to formulate and use appropriate method of assessment for risks they must face. There are two methods: qualitative method and quantitative method. Each method consists of different technical models.

2. The quantitative models, also called as model of risk value identification are used with priority to quantify risks. Such models can calculate and estimate risk values such as values of market risk, payment risk, operation risk, liquidity risk and other risks.

These risk values can be calculated in cash or percentage over capital or available capital.

3. The qualitative models are used to assess the risks which are unlikely or so difficult to quantify. For quantified risks, the qualitative model is also used as a supplemented one to provide more information for more accurate risk assessment.

4. The general result of risk assessment can be aggregated under the Form of result of risk assessment specified in Annex 10 issued with this Regulation. This Form of result allows the identification of priority level of each risk in company’s activities.

The detailed quantitative result for each risk is used with similar risk limits to plan the monitoring and handling of each risk accordingly.

5. The Board of Executives needs to calculate the general risk values for the whole company, paying attention to the correlation between risks upon calculation of general risk value.

6. The companies can use a number of quantitative models as follows to calculate the risk values and the available capital.

a) The standard models specified in Circular No. 226/2010/TT-BTC dated 31/12/2010 and Circular No. 165/2012/TT-BTC dated 09/10/2012 of the Ministry of Finance.

b) The separate models of the companies must be approved by the State Securities Commission of Vietnam. The Annex 11 issued with this Regulation shall preliminarily introduce one quantitative model (VaR) actually used.

Step 3. Risk handling

1. After assessing risks, the companies need to apply appropriate procedures specified in writing to deal with risks encountered in accordance with the company’s policy and risk appetite.

2. General steps to choose and implement measures of risk handling:

a) Identification of applicable measures.

b) Assessment of advantages and disadvantages of each measure.

c) Selection and development of handling plan with responsibility for its implementation, progress, forecasting result, planning and resources review and assessment procedures.

d) Handling of risk under the selected plan. This procedure can be repeated and completed until the risk value is within an acceptable limit as per the company’s risk appetite.

3. Basic measures of risk handling include:

a) Risk avoidance: Not doing any activity which can cause risk under handling. This method can lead to the narrowing of company’s operational scale and profits.

b) Risk reduction: Applying measures to reduce the impacts of risk on the company, reduce the potential risks or both.

c) Risk sharing: Transferring all or a part of risk to other subjects as regulation on risk in contract and purchasing insurance (if corresponding services) for business activities.

d) Risk acceptance: There is no measure to change the probability and impact of risk. The company must ensure adequate capital to cover losses from such risks.

Step 4. Risk monitoring/report

1. The companies need to monitor risks according to the priority from the result of risk assessment to have appropriate handling plan.

2. The level and frequency of risk monitoring must be corresponding to the importance of risk and effect of handling measures adopted by the company for risk management.

a) Periodically or at least weekly, the risk management officer needs to make risk reports he/she is in charge of to the Leadership in charge of risk management. The risk management officer needs to compare the risk value and level of calculated risk concentration with the allocated limits. Where the calculated value exceeds the warning thresholds or permissible limits, the risk management officer must explain and recommend the handling measures to the Leadership in charge of risk management.

b) Every week, the member in charge of risk management of the Board of Executives shall make the company’s general risk report, compare the risk value and level of calculated risk concentration with the approved limits. Where the calculated value exceeds the approved limits, the risk management officer must report to the Board of Executives, the Board of Directors, the member Board or the owner and explain the causes with the handling plan

3. The companies need to specify in writing the risk reporting procedure to ensure all shortcomings are detected through the reported risk monitoring process for completion of risk management policies and procedures.

Step 5. Stress testing

The stress testing is the assessment of potential losses likely happening to the company or the portfolio of entrusting customers upon unusual market volatility in presumptive situation.

1. The stress testing is an important component, a useful supplementary tool for calculating the risk values in the risk management.

The methods of risk value identification usually estimate the risk values in normal business conditions, thus the handling measures of risks are based on such estimates are not appropriate in particularly difficult conditions such as financial crisis or other disaster conditions.

The stress testing can help the companies to forecast their losses in particularly difficult conditions to have timely response plans and resources as needed.

2. The stress testing requires detailed study of characteristics of risk factors, both in terms of individual and general aspects and thorough understanding of relation between such risk factors.

3. There are 03 common methods of stress testing:

a) Method of historical scenario recreates the economic environments with particularly difficult conditions in the past to simulate great losses which the company may face in the future.

b) Method presumptive scenario can fully provide on the principle many aspects to simulate losses but such aspects are only theoretical and not practically proven.

c) Algorithmic method can systematically identify a set of changes of risk factors which can generate losses in particularly difficult conditions.

Each of the above method can have different technical models. The companies can choose appropriate method and technical models.

Step 6. Back testing

The back testing is a technique to test the accuracy of quantitative risk model based on the comparison between the historical data and the general risk value calculated by the models at the same point of time. The quantitative risk models, for example the VaR model are usually very complex, using multiple mathematical assumptions and statistics, with many different parameters.

One of the techniques of back testing for VaR model, for example is to compare the VaR value calculated for one day with the observed loss value in the next day. Then, the difference between these two values must be consistent with the reliability of VaR model. Moreover, such difference must be independent in the sense that the model must adapt quickly to the changes of market conditions, thus the differences of today and tomorrow must be independent from each other. The companies can develop the techniques of back testing with the approaches consistent with their own conditions.

The back testing is a part of validation and risk management to ensure the risk management is increasing completed and consistent with the companies’ conditions market context. The summary of re-assessment is described in Annex 12 issued with this Regulation.

ANNEX 06

FORM OF RISK MANAGEMENT REPORT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

RISK MANAGEMENT REPORT

Year/Half year: …..

To: State Securities Commission of Vietnam

Legal representative of company

Full name:                                 Tel:                               Email:

Leadership in charge of risk management:

Full name:                                 Tel:                               Email:

I. Information about the company’s management and operation

II. Information about risk management system

III. Quantitative reporting indicators

1. Total overdue receivables, including renewed overdue receivables (opening and closing period).

2.Total short-term investment value after risk adjustment (opening and closing period, see Note 04).

3. Profits annually distributed from the establishment year to the current year.

4. Time-weighted return ((TWR and twr, see Note 05), net asset value (NAV) of each portfolio, open-end fund under active management.

5. Money-weighted return (MWR and mwr, see Note 06), net asset value (NAV) of each closed-end fund, member fund, securities investment company under active management.

6. Standard deviation or tracking error (TE), net asset value (NAV) of funds under active management.

IV. Attached documents

1. Strategies and policies of risk management, risk appetite and risk management procedure of the company as stipulated in Article 9, 10 and 11 of this Regulation.

2. Internal rules and brief description in section I, II.

3. Other relevant documents (if any).

Our company undertakes that the above report is correct and complete and shall take full responsibility before law for its accuracy and completeness.

Note:

1. Only send documents with changes compared with the previous reporting period and indicate no change of such documents.

2. In biannual reports, the s of senior personnel change and average growth of revenue in the last three (03) years are understood that in the last two years and the first six months of the current year.

3. Some examples of risk management certificate: Financial Risk Manager – FRM issued by GARP, Professional Risk Manager – PRM issued by PRMIA or other appropriate certificates as required by the company

4. Short-term investment value after risk adjustment in which, MV_i is market value (rational value) of the short-term investment assets i; Rsk_i is the total underlying risk values in investment item i, including the market risk value, payment risk value and concentrated risk of such investment item. The establishment of risk values are calculated as per Circular No. 226/2010/TT-BTC dated 31/12/2010 and Circular No. 165/2012/TT-BTC dated 09/10/2012 of the Minister of Finance. Note that for investment assets as bonds, banking deposit certificates with term, Repo/Reverse Repo contracts and receivables, both market risk and payment risk must be calculated.

5. TWR is the Time-Weighted Return.

TWR_{kỳ báo cáo}= (1 + R₁) × (1 + R₂) × … × (1 + R_n) – 1

in which R_i is the rate of return at the times of defining value of net assets of fund, times of receipt/payment to entrusting customers. Use the rate of return with the log return by the formula:

twr = ln(1 + TWR) = log_e(1 + TWR)

Then: twr_{kỳ báo cáo} = twr₁ + twr₂ + … + twr_n

6. MWR is the Money-Weighted Return. Use the modified Dietz method to define MWR, then calculate the rate of return with the log return by the formula:

mwr = ln(1 + MWR) = log_e(1 + MWR)

ANNEX 07

INTRODUCTION OF BASIC RISKS
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

I. Market risk

1. General introduction

a) The concept of market risk is specified in Clause 10, Article 2 of this Regulation. This is the type of risk regularly faced by the companies, especially in operations of investment fund management and portfolio management.

b) The market risk arises due to the change of price in the market with unfavorable trend under the impact of objective causes of market such as volatility in international market, volatility of market indicators, change of macro policies, interest volatility, bond interest, exchange rate…or due to activities in the market, for example business and financial result of an issuer likely leading to the reduction in shares of such issuer, or the sale of a large volume of securities of a shareholder in condition of local liquidity loss resulted in price reduction of such type of securities…The market risk can be divided into groups of risk such as interest risk, currency risk, securities price risk…

c) The companies need to follow the principles: The operational staff only carries out the investment transactions when clearly understand the financial products and define, assess, supervise and control the risk management related to such sanctions.

d) The companies need to pay attention to all of the market risks from the transactions and investment significantly affecting the companies.

2. Policy on market risk management

a) The market risk is managed through separate policy on market risk management. This policy must define the scale (value) and risk level like occurring in each market state (as guided under Point c below), with the timely and appropriate response plan on the basis of balancing between the investment targets and market risk (risk acceptance level).

To develop a complete policy on market risk management, the following factors must be paid attention to: economic and market conditions; financial capacity; portfolio and investment structure of companies and entrusting customers. Such information must be continuously and regularly monitored.

b) The companies must have method for assessing and identifying the value in line with each market risk classification such as interest risk, currency risk, securities price risk (liquidity risk is also associated with the risk market but separated and managed separately in this Regulation). The identification of market risk value should be done in combination with the process of daily risk management of the companies. The scale (value) of market risk can be identified in the form of relative and absolute value. The absolute value is converted as per currency unit to show the underlying / volatility of portfolio and company. The relative value is calculated based on the standard indicator showing the profit volatility compared with expectation/average value of profits of portfolio and company.

The establishment of scale (value) of market risk must be done continuously and by various methods in accordance with the different presumptive situations as follows:

- With the presumption of normal market operation, one of the model identifying the market risk value regularly used as a VaR model which is introduced in Annex 1. This method is also combined with other statistical techniques such as EWMA (Exponentially Weighted Moving Average), GARCH (Generalized AutoRegressive Conditional Heteroscedasticity), EVT (Extreme Value Theory), PCA (Principal Component Analysis)… to give more reliable results.

- With the presumption of volatile market, the companies can apply model of stress testing to define the underlying market risk in unexpected and unusual situations of market or the whole economy in the country and abroad which can cause great loss to finance, personnel, material facility and information system…

c) The models and quantitative methods of risk management mentioned above must be regularly reviewed and re-assessed and tested in order to update and adjust parameters in the model to be consistent with reality.

The companies can use the Risk-Adjusted Performance Measure, RAPM to assess and compare the operation of individuals and asset management departments effectively and rationally. A number of examples of risk-adjusted performance such as Sharpe ratio, Jensen’s Alpha coefficient and Treynor ratio.

d) The policy on market risk management must reflect the company’s overall risk management strategies and policies to ensure the implementation phase is controlled steps and operational procedures related to market risk. All activities and decisions must be reported and only done after the approval for implementation from the competent leadership level. The policies must be implemented uniformly with close coordination between departments in the company and must fully include the contents as in the overall risk management policies, including the regulation on mode of identification of risk value, risk limit, risk threshold; mode and contents of report to the competent leadership level; mode and risk handling tools and scale of use of risk handling tools; powers, responsibilities and obligations of relevant departments and management board…Particularly as follows:

- Procedure for market risk management: needs to be established fully and comprehensively with the contents such as nature of market risk, grounds for risk identification, appropriate detailed structure of risk limit, information management system for control and supervision and report on market risk…

- The risk management system need to define levels of volatility of market; scale and underlying severity of loss corresponding to each level; possibility of risk occurrence and resilience. The parameters to identify the risk scale must be daily tested and adjusted to ensure the consistency with the portfolio structure and volatility of factors generating the market risk.

- The risk management procedure and system are managed and implemented by the risk management department and relevant departments (investment, analysis…).

3. Handling of market risk

The control and handling of market risk are of great importance and complexity. The design of a policy to reduce the market risk usually accompanies with the design of investment policy. A number of methods can be used to reduce the market risk are:

a) Selective hedging: This method usually choose a number of unwanted market risks for reduction by using the hedging tools, usually long and medium term.

b) Temporary hedging: This method is usually used in case of occurrence of short-term market incidents.

c) Capital adequacy assurance to cover the market losses possibly occurring (for the company’s market risks).

d) Compliance with regulations of law, the company’s policies and procedure for risk management

dd) Tools used for prevention and management of market risks: types of derivative securities, bonds, currency market tools, portfolio diversity…

II. Payment risk

1. General introdcution

a) The concept of payment risk is specified in Clause 9, Article 2 of this Regulation.

b) The payment risk is the risk arising when the partner does not want or is not able to follow its commitments in contract resulted in certain financial losses. The payment risk can arise from transactions in and out of the balance sheet or upon implementation of financial tools such as derivative securities or partner’s failure to make timely payment of contributed capital for share purchase or transfer of securities delinquently as committed…The payment risk usually occurs separately or with accompanied market risk and relevant risks. Thus, the management of payment risk needs to be done uniformly and is the constituent of common risk management policies.

2. Payment risk management policy

a) The payment risk management policy includes the limit of total payment risk, total of maximum receivables and loans, payment risk thresholds; responsibility and obligations of relevant departments (transaction departments and departments approving, maintaining and managing the receivables; decision authority for payment limits; standard of payment risk acceptance and acceptable securities collateral.

- The payment risk acceptance level must be consistent with the risk acceptance level and business targets of each company, taking into account the company’s business cycle in the operational fields, business nature, portfolios and relevant risks of market segments.

- The credit risk management structure is established in accordance with the company’s model and nature to ensure the convenience for supervision, management and implementation of risk management. There must be procedures for control and supervision of payment risk levels, especially the separation between the department forming credit (investment/business department) and department monitoring and managing the payment risk.

- Supervision and control of payment risk are done through the credit financing procedure, risk reduction, supervision and re-assessment of receivables, classification of credit, customer/partner, provision appropriation, management and control of arising risks.

- Method of identification of payment risk: depending on nature of each type of asset, receivable and debt to have appropriate way of identification on the basis of relationship between such assets and receivables and other relevant factors. The basic components of model of payment risk assessment and quantification include the value of receivables at risk and probability of nonpayment from partners and debt recovery rate from partner. These components are aggregated to identify the loss distribution of assets. This distribution is often asymmetrical, with small probability for large losses.

The receivables at risk are often managed as per each partner with close relationship with the two remaining components, for example the probability of default from partner, history of debt repayment of such partner and debt recovery rate from partner…

The probability of default from partner is often calculated by the credit rating coefficient of such partner. This coefficient can be provided by third parties or calculated by the company itself as per its own model.

The debt recovery rate is a very significant factor of loss distribution of payment risk. This rate changes as per the priority, guarantee level, economical cycle and bankruptcy law in the host country. This rate is difficult to estimate, has great difference and is affected by the business cycle.

On the basis of loss distribution, the company can estimate the risk value using the quantitative models such as VaR model, stress testing and other statistical calculation models.

3. Risk handling

The company must ensure the payment risk is appropritately dispersed. The payment risk management procedure must have risk limit associated with each partner so that such risks do not threaten the company’s healthy financial condition. A number of methods of payment risk handling are:

a) Using the clearing agreements, including bilateral clearing and centralized clearing (multilateral) to reduce debt risk;

b) Requiring partner to deposit/mortgage assets;

c) Limiting debt for partner especially the one with low credit.

d) Using the right to terminate transations with partner upon the worsened payment risk reality.

dd) Requiring the guarantee of a third party in case of loss.

e) Using the relevant derivative products (if any in market) such as CDS (Credit Default Swaps), CLN (Credit-Linked Notes), TRS (Total Return Swaps), Credit Options, CDO (Collateralized Debt Obligations).

III. Operation risk

1. General introduction

a) The concept of operation risk is specified in Clause 6, Article 2 of this Regulation.

b) The operation risks arise during operation and service supply at the company. The causes may be the limit of internal procedure and human factors during implementation, incompatibility of system, other objective causes or losses in business resulted in shortage of business capital and losses for the company.

The operation risk consists of: (i) risk of information technology system (IT risk). The causes are the incompatibility of system or technical errors incidents resulted in the failed or interrupted transactions. The IT risk needs to be identified for all dangers and losses appearing in IT system such as intranet, internet, external connection port, hardwares, softwares, applications or human factors. The IT security risks also should be concerned to ensure the security and integrity of system; (ii) Security risk in the operational areas, system security, electricity, fire and explosion safety and other risks that can occur (iii) Risks due to inconsistent implementation of procedures with the company’s internal regulations and operational structure resulted in the inaccuracy in establishing the risk management system.

2. Policies on operation risk management:

a) Formulation of liquidity risk list including the frequency and severity of each risk.

b) Scorecard of operation risk including the types of risk, degree of interdependence of the types of risk, change and complexity, frequency and severity of risks and net operation risk (after deduction from insurance, contract…).The company needs to implement the stress testing to identify the scale of operation risk to have appropriate handling plan in particularly difficult situations.

The risk level related to the IT system directly related to the operation and services provided for customers needs to be quantified and analyzed regularly. Where the specific risks are not quantified, such risks must be identified through steps of knowing about their underlying effect and possible reverse outcomes. The risk management is the first priority, then followed by the cost-benefit analysis and implementation of decisions to reduce risks.

c) Review, updating and assessing risks. When developing and designing IT system, the risk management system integrated into this system should be taken into account in order to reduce costs and raise the effectiveness of risk management procedure. The inspection, monitoring and network security measures should be carried out regularly. The company should pay attention to the security of data, system and customers’ information.

d) Formulation of result of operation risk assessment.

3. Risk handling

For each type of risk identified and analyzed, there must be measures to reduce them and plan for management and handling in line with the requirement and risk tolerance level. This management must include the active assessment of loss and damage in case the risk factors become true. The costs of risk management should be calculated, balanced to be consistent with the benefits and efficiency from the risk management.

A number of methods can be used to reduce the operation risk, including:

a) Operation risk not as purely financial risk. Depending on the specific characteristics, the company should have appropriate risk management plan.

b) The company must ensure all members must strictly comply with policies and strategies of risk management in particular and other regulations in general to limit the arising errors and reduce losses from operation risk.

c) The company must develop a provision plan for emergency situations and can use the model of stress testing to ensure the continuity of business activities. This provision plan must prepare necessary resources including but not limited to personnel, finance and information system ready for difficult conditions such as natural disasters…;

d) The company needs to ensure the operation risk management system has a detailed and clear implementation procedure which is strictly followed, taking into account:

- All internal activities and procedures for operational processing, including IT system and other supporting systems;

- Operations possibly at risk and ways of handling and reduction of such risks.

- Needs of an early warning system to allow company’s effective intervention and prevention of risk.

dd) For outsourcing activities (if any), the company must ensure its partners absolutely follow the company’s relevant policies and procedures. The company must not provide services and sell products on the internet without necessary control measures and network security assurance.

IV. Liquidity risk

1. General introduction

a) The concept of liquidity risk is specified in Clause 8, Article 3 of this Regulation.

b) The liquidity risk arises when the company or its customers meet difficulties in cash flow and face the insolvency resulted in early asset disposal with transfer of losses in books to losses in fact due to the failure to dispose their assets at the current market price or to maintain the cash flow in line with their investment and business targets. The reasons may be due to the depth, breadth of market. For example the disposal of a type of securities with large volume can affect or lead to the lower price in the market.

The liquidity risk can be regarded as a part of market risk.

b) The company needs to manage the liquidity both in long term and short term and conduct the stress testing in particularly difficult situations.

c) Short-term liquidity includes the daily needs of cash with general business conditions. When studying the long-term liquidity, it is required to consider the possibility of occurrence of unusual bad business conditions and the value of assets cannot be implemented with current market price.

2. Policies on liquidity risk management:

- In the policies on liquidity risk management, the company must define the actual cash flow and value of liquidity risk during the time of asset holding and investment. The value of liquidity risk is defined on the basis of sensitivity analysis and price volatility of the portfolio at any time during the holding period.

To identify the price volatility in each point of time of the holding period of time, the company can use the extrapolation method. The company also needs fully understand and know about market and is able to identify the value of market risk level. All main market risks whose value must be identified and aggregated on the basis and possible widest scope.

- A number of calculating tools of liquidity risk can be, including:

a) Liquidity rates from financial statements.

b) VaR (Value at Risk) introduced in Annex 08 of this Regulation.

c) LaR (Liquidity at Risk) operated similarly to VaR to define the cash flow related to the assets and obligations to pay debt in and out of the accounting balance sheet. The LaR models are under development and completion.

d) Assessment done on the basis of difference in cash in and out, term, exchange rate and derivative products…

dd) Method of stress inspection.

3. Risk handling

A number of methods can be used to handle and reduce the liquidity risk, including:

a) The company should make plan to ensure the liquidity, including:

- Continuously monitoring debts and analyzing the company’s solvency.

- Identifying the current financing possibilities, negotiation of loan commitments and financing possibilities within corporation and company.

- Regularly reviewing and inspecting the above financial capacity/cash flow in both general conditions and special conditions.

- Identifying limit norms for some markets or products or diversity of investment products to ensure the limit of deficit of cash flow and capacity of additional capital mobilization to cover the temporary shortage of business capital;

d) The company needs to implement activities in order to control the cash flow, particularly:

- The difference between the cash flow in and out of assets and debts.

- The overall liquidity needs in short and medium term including buffer necessary for liquidity reduction.

- Monitoring of assets with high liquidity and potential cost quantification and financial loss to be accepted upon required rapid sale of assets.

- The cost of financing and identification of other financial tools with corresponding costs.

c) Establishment of centralized and dispersed limits for both assets and debts in the balance sheet, limit of difference of cash flow in and out, financial leverage rate…Regular review and adjustment of such limits to ensure the company’s compliance without exceeding such limits.

d) Stress testing for bad cases possibly occurring. The past scenarios when the company suffered great losses due to bad liquidity can be followed or other presumptive scenarios.

dd) Having appropriate management plan, especially in the frozen market conditions.

e) Use of deposit and collateral with appropriate liquidity.

f) Maintaining the available capital to cover the loss of liquidity possibly occurring.

V. Other risks

Besides the main risks mentioned above, the company can face the following risks. Each type of risk has different methods to identify, assess, monitor and handle. In many cases, these risks can be integrated with each other or other types of risk faced by the company. The company must develop the management policies and procedures consistently with such risks.

1. Legal risk

The legal risks occur when a contract can not be implemented due to legal reasons. The legal risks also happen when the company fail to comply with legals regulations and operational rules and procedures… for example risks occur when the company supplies the fund and portfolio management services to customers or caries out its investment not in accordance with portfolio structure approved by the customers or the asset transaction of the Fund or the portfolio management operation is not suitable…The violation of regulation of law may be intentionally or unintentionally or other objective reasons (for example violation of regulation on investment restriction the cause of which is the market volatility and out of the company’s control or intentional violation of regulations of law on investment limit and structure or failure to separate the company’s assets with those of its customers.

Preventive measures: Establishing a legal department or hiring the legal consultation services for company to to ensure the contracts signed with its partners may be done. Controlling the activities of internal control department to ensure no violation of laws upon supply of services to the entrusting customers…

2. Transaction risks with relevant persons (insider trading risk)

Interest conflicts from the transactions with parent companies, the parties related to the persons practicing the fund management, the board of executives, company staff and partners having contractual relation with the company under the agreement on portfolio management services or with relevant persons banned from doing transactions under current regulations of law shall cause the insider trading risks).

3. Personnel risk

The personnel risks occur when there is a shortage of senior personnel or personnel having certificate of fund management practice resulted in difficulties or failure to maintain activities or risk from staff who do not follow internal rules (code of conducts about personal investment, regulation on access to internal information and information security, regulation on information allocation…) and rules of occupational ethics.

ANNEX 08

FORM OF RISK REGISTRATION
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

ANNEX 09

FORM OF RISK
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

Note:

The parts of risk assessment and risk handling closely related to the risk management procedure

The attached documents (if any): List documents attached to this risk table.

ANNEX 10

FORM OF RESULT OF RISK ASSESSMENT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

Note:

- For example of risk frequency: The lowest frequency can be less than 01 time/1 decade, then 01 time/1 decade, 01 time in several years/1 year/month…to the highest frequency with several times/1 week.

- For example of impact level: Maybe from the lowest effect level with loss of less than 1% of portfolio value to the higher effect levels with loss of 3%, 5%, 10% of portfolio value. The loss level from 15% or more for example could be corresponding to the very serious effect.

ANNEX 11

BRIEF INTRODUCTION VaR MODEL
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

I. Introduction

1. Concept

The VaR (Value-at-Risk) model is a method of identifying the maximum risk value (based on historical data or simulative data) possibly occurring with a certain probability in definite period of time for the companies or portfolio of entrusting customers in case of no abnormal market volatility.

The VaR is a model of risk quantification in cash often used to assess the risk of a portfolio. The result of such quantitive model, also called as VaR method is understood as the greatest forecast loss the company may undergo in a normal market condition, in a definite period of time with a certain probability.

2. For example

At the present time, the company has calculated the VaR of a portfolio to be 10 billion dong within 07 days with the probability of 99%. This is understood that with the probability of 99%, the loss of portfolio which the company may undergo in 07 subsequent days shall not exceed 10 billion dong. In other words, there is still 1% of possibility (also known as the reliability of 1%), the company may undergo a loss of over 10 billion dong.

Some notes in the above example:

- The value of 10 billion dong above is only an estimate value.

- 10 billion dong is not a greatest loss in all cases the company must undergo from the portfolio because there is still 01% of possibility of loss of over 10 billion dong.

- The probability and reliability are their complement or the total of these two quantities is 100%.

3. Advantages and disadvantages of VaR

The strong point of VaR is to show a measure of risk value in cash and is a simple and useful method to help the companies quantify their risks in normal conditions.

VaR does not provide information on losses faced by the companies in particularly difficult conditions. Thus, the companies should carry out the stress testing in such conditions as a supplement for VaR.

II. Some basic VaR models

1. Analytical models

Assuming that the yield (R) during the study period (h day, as 07 days in the above example) complies with the standard distribution with the average value m and standard deviation s², or

R ~ N(m, s²)

If the market value of the present portfolio is S, the VaR in h day with the reliability a is defined by

VaR_h,a = -x_aS

In which x_a is the “lower percentile” of distribution N(m, s²), or the value the probability of R <>x_µ  is µ. Generally, µ is relatively small (0 µ< 0.1)="" and="">x_µ is also displayed in the form

x_µ = Z_µs + m

with Z_µ is the “lower percentile” of distribution N(0, 1) standardized from N(m, s²).

The analytical model has the advantage of being simple, easy to understand and perform. In case of shortage of past data, such distributions shall not be developed.

This VaR model is appropriate for low risk level and simplelevel. When the transaction positions in the portfolio become more complex or the relationship between the positions is non-linear, we need better VaR models.

2. Monte Carlo simulative model

This model can deal with a lot of disadvantages of the analytical model¸especially for the complex portfolios such as derivative portfolios. In general, the Monte Carlo simulative model is more reliable than the analytical model.

The Monte Carlo simulative model firstly defines the variables and parameters can affect the yield and next uses the simulative techniques (using the strength of calculation of computer programs) to create a lot of simulative results, each simulative result is associated with one value of company’s profit/loss. These simulative results shall create a distribution of profit/loss and VaR shall be calculated from such distribution.

The Monte Carlo model has a lot of advantages such as it can review a lot of risk acts in the market, deal with non-linear risks and complex financial tools no depending much from the past data. The Monte Carlo model used to have a disadvantage of too much calculation, but nowadays with the development of information technology, such disadvantage is increasingly negligible.

3. Past simulation model

This model is different from the above models on the characteristics that we do not assume anything about distribution of yield. Such data shall demonstrate which distribution is the most appropriate and VaR shall be calculated on such actual basis of distribution.

A variation of past simulative model is that the data which are close to present can be attributed to the larger number than the remote data, this model is called past-weighted simulation or weight average simulation.

The past simulative model has advantages of being very visual, simple and understandable. The special loss data in the past can still be included in this model. This model is relatively easy for implementation and can use data available from various sources and can deal with a lot of different distribution forms of the yield…

One of the advantages of the past simulative model is that it is completely dependent from the past so it can not be done without data or with reliable data. The number of record of past data also affects the reliability of estimate value VaR.

ANNEC 12

BRIEF REASSESSMENT OF RISK MANAGEMENT
(Issued with Regulation on guiding the establishment and operation of risk management system to the fund management companies and the self-managing separate securities investment companies)

The risk management play a very important role in the companies’ development. They have to re-assess their risk management particularly the risk management strategies, risk appetite, risk management policies and procedures to ensure the consistency with the companies’ reality and market conditions.

1.Parties related to the reassessment procedure.

The reassessment procedure is the same as the procedure for strategy and policy development and risk management procedure implemented by the Board of Executives and approved by the Board of Directors, the Member Board or the owner. The Board of Executives may assign the risk management department or establish an assessment group to carry out the reassessment which must ensure the standardization, quality and effectiveness. In this process, the group developing strategies, policies and procedures for risk management (development group) must be also involved and closely coordinate.

The relevant parties have their clear roles and responsibilities, the development group prepares all required documents and answers all questions of the reassessment group, provide data used to build the model if required. The reassessment group carries out the reassessment procedure including all stages of model management, uses appropriate methods and makes reassessment reports. The Board of Executives reviews the reassessment reports and documents, assigns the updating of relevant strategies, policies and procedures and submits them to the Board of Directors, the Member Board for approval.

2  Contents of reassessment

The risk management strategies are consistent with the companies’ reality and present conditions? List the inconsistent points and give recommendations.

The risk appetite and risk limit have been stated and identified properly? It is necessary to change the method and update any parameter?

The risk management policies and procedures have any problem? The models of risk assessment need  any updating, adjustment or inspection? List all problems and give handling recommendations.

3. Reassessment documents

Such documents must include at least: Policies of reassessment framework, reassessment method, reassessment forms and reports and other relevant documents.