RISK MANAGEMENT IN FINANCIAL INSTITUTIONS
ASSIGNMENT
Section A:
Critically evaluate the Risk Management Failures during the JP Morgan ‘London Whale’
scandal of 2012.
Word count: 1949
Section B:
Critically Analyse the Risks an Established Financial Institution Faces in Accepting
Cryptocurrency Deposits from Customers, and the Risks Faced from Investing in
Cryptocurrency Assets.
Word count: 951
Section A - Critically evaluate the Risk Management Failures during the JP Morgan ‘London
Whale’ scandal of 2012.
Introduction
One of the largest trading scandals in recent history was JP Morgan's 'London Whale' incident in
2012. It entailed several breakdowns in risk management that added up to $6.2 billion in losses
for the bank. The CFI Team (2022) argues that in order to effectively manage risk, organisations
should make an effort to exert as much proactive influence over future events as feasible.
Therefore, the probability and severity of a risk can be reduced through effective risk
management. The three lines of defence concept will be utilised throughout this essay, which will
also outline the primary forces that led to the crisis.
Key facts about the scandal
The Chief Investment Office (CIO) of JP Morgan conducted several intricate and dangerous deals
in credit derivatives that led to the "London Whale" incident. The incidents were brought about
by an effort to lower risk ahead of new laws intended to raise capital requirements for big banks
like JPMorgan (Basel Committee on Banking Supervision, 2010). The CIO, which looked after the
bank's extra funds and investments, had amassed a sizable position in credit derivatives with the
intention of making money for the bank., Bruno Iksil, the head of the CIO's trading desk, had
amassed a sizable position in Credit Default Swaps (CDS). These trades became known as the
"London Whale" trades due to the scale and complexity (PSI 2013; JPMorgan 2013; CFTC 2013).
The traders for the CIO had amassed a sizable position in corporate bonds at first, which they
then hedged using credit default swaps. However, the hedges themselves grew to be so
substantial and intricate that they took over the portfolio. Additionally, the traders' use of
incorrect valuation tools to determine the worth of their holdings resulted in substantial losses
when the contracts were ultimately unwound.
As expected by JPMorgan's management, changing one's mind on a trading position rarely comes
without a price. These were initially assessed to be worth roughly $400 million by CIO traders in
this case, which was a significant loss for a division that had been successful during its brief
existence (PSI 2013).
Until the London Whale incident, JPMorgan had a stellar reputation in the industry as a capable
risk manager (PSI, 2013), and its risk management systems and procedures were advanced. The
CIO's risk management division failed to recognise risks related to the portfolio as losses rose and
placed undue reliance on Value-at-Risk (VaR) models. The bank's upper management and board
of directors were originally shielded from news of the losses because they had an incomplete
understanding of the risks involved in the deals. Despite the CIO traders' insistence, the bank's
standard VaR model overstated the risks they were taking with the SCP because it failed to
account for the "relationships" between its components. A new VaR model that purportedly
better simulated the risks was fervently pushed for approval by CIO traders and management
(JPMorgan 2013; PSI 2013). The VaR estimate was decreased by the new model, however, it was
later shown that this reduction was inaccurate. However, by the time of that finding, the CIO had
already engaged in significant risk-taking through the whale transactions, which were flying under
the bank's risk management radar because they were below their division's VaR restrictions (PSI
2013). In an effort to conceal the severity of the risks until they could be reduced, the CIO traders
and management team initiated a practise known as "marking to market" in which the portfolio
was priced higher than it actually was.
By the time the full extent of the risks involved in the failed plan was revealed in May 2012, the
expected losses had reached roughly US$6 billion (PSI 2013). The bank and its regulators began
investigating the risk management failures that enabled the development of both the complex
and ultimately disastrous strategy and the spectacular failure of ostensibly top-notch risk
management and model development processes after the usual firing of the guilty parties and
the resignation of key managers.
The internal task force investigating the circumstances behind the losses concluded that the
bank's CIO, in particular, had demonstrated weaknesses in risk management, which the CEO had
previously noticed (JP Morgan 2013).
First Line of Defence
The first line of defence, according to Antonius Alijoyo (2018), is part of the business function that
handles day-to-day tasks, particularly those that are performed by employees who work on the
organization's front lines. For the JP Morgan ‘London Whale’ case, this relates to the Chief
Investment Office (CIO), which overspent funds and investments for the bank. The trading desk is
in charge of executing the complicated deals. The traders were rewarded mainly on short-term
gains rather than long-term risk management, and they utilised incorrect valuation methods to
value their holdings, which encouraged them to take on excessive risk (PSI 2013). They also
neglected to adequately hedge their holdings and identify the risks connected to the portfolio,
which resulted in large losses.
Second Line of Defence
Bruce (2019) asserts that the second line of defence is in charge of directing organizational-level
risk management efforts. This entails establishing guidelines and standards for risk management,
advising and assisting the front line of defence, and carrying out impartial risk assessments. The
risk management department of the bank served as the second line of defence in the 'London
Whale' incident. They did not properly monitor and evaluate the risks connected to the CIO's
trades.
Additionally, there was a breakdown in communication between the risk management team in
New York and the traders in London (PSI 2013). In particular, it lacked sufficient knowledge of the
sophisticated credit derivatives employed by the CIO and placed undue reliance on VaR models,
which failed to account for the risk involved in the complicated deals.
Third Line of Defence
The third line of defence is the internal audit. Its responsibility is to offer unbiased assurance on
how well the risk management and control methods are working. Internal auditors in the JP
Morgan ‘London Whale‘ case, however, failed to spot the risk management system's flaws and
failed to provide top management and the board of directors enough assurance (PSI 2013). In
March 2012, as losses were rapidly increasing, the company's Internal Auditing (IA) division
completed its final audit of the CIO before the scandal broke. It was already too late by that point.
If the OCC’s regulatory inspections and internal audits had been adequately dealt with in
retrospect, it is possible that the losses could have been reduced, if not entirely avoided.
Additionally, the business units and risk management function were not entirely separate from
the internal audit department. This made it more difficult for them to offer unbiased evaluations
of the trade's risk.
Other aspects
The London JP Morgan "Whale scandal" included contributions from strangers as well. Strangers,
according to Turner (1976), are members of the general public who could act unexpectedly in the
case of a catastrophe. It's possible that strangers aren't always a direct cause of instances like
these, but they can contribute to the noise that diverts participants' attention and prevents the
early discovery of possible issues. Turner's description would seem to fit hedge funds as an
outside party in the London Whale case; however, one company in particular, JP Morgan
Investment Bank (JPMIB), was not an actual "stranger" but did contribute to some of the
intricacies.
The CIO division and JPMIB both engaged in the active trading of credit derivatives. The CIO was
expected to utilise the same pricing and valuation inputs as the Investment Bank once clearance
to trade credit derivatives had been granted. Nevertheless, there was no proof that the CIO had
coordinated their price data or sources with JPMIB; instead, they appeared to have relied on
independent procedures since they thought their trading tactics were distinct from those of
JPMIB (PSI 2013).
The Incubation Period
Turner (1976) believed that the incubation phase was crucial to examine when studying
catastrophes since it is what is done in advance of the disaster that ultimately defines its scope.
It is at this point that the "failures of foresight" that eventually result in crisis happen.
In the instance of the London whale, all of the issues were self-inflicted and unrelated to any
outside forces. 2011 was a highly successful year for CIO, with rising earnings and a steadily
expanding but managed portfolio of assets worth around $57 billion (JPMorgan 2013). The bank's
top management made the decision to lower its total risk-weighted assets (RWAs) at the end of
2011 in order to boost regulatory capital in advance of Basel III (Basel Committee on Banking
Supervision, 2010), the anticipated new requirements. Like for other companies, it was strongly
recommended to the CIOs that they reduce their RWAs, and as a result, their risks and regulatory
capital (JPMorgan 2013).
Selling down all or a portion of the portfolio or purchasing assets that "hedge", or balance the
risk of the portfolio's remaining securities are the two basic ways to reduce market risks in trading.
To counteract the "short risks" in the SCP at the time, the CIO traders chose the second strategy
and went on a major selling frenzy of protection (JPMorgan 2013). The traders had to choose
between three competing priorities: reduce RWAs by lowering the SCP's VaR, minimise losses
while doing so, and minimise prospective losses as a result of corporate defaults while doing so.
This decision was not made lightly because the dangers were evident. When Eastman Kodak
defaulted in January 2012 and suffered a loss of US$40 million, it became clear that there were
dangers associated with dismantling the SCP (PSI 2013).
Due to their perception that the market was acting erratically in February and March 2012, CIO
traders marked away from the mid. By the end of March, there had been an overall disparity
between losses estimated using mid-price levels and prices utilised by dealers of between US$600
million and US$800 million (PSI 2013). Criminal charges were brought against CIO traders and
management as a result of this underreporting of losses (DOJ 2013).
Operational Risk Management
The Basel Committee of the Bank for International Settlements came to a conclusion in 2004 on
the idea to link the management of operational risk with the standards already outlined for
market and credit risks (BIS 2004). These suggestions are meant to tighten operational controls
at foreign banks and make sure that they have reserved enough capital to handle significant
losses, like those at JPMorgan. According to the definition provided by the Basel Committee,
operational risk is the probability of incurring a loss due to the failure of internal procedures, staff,
or systems, or as a result of adverse external conditions. This concept covers legal risk but
excludes reputational or strategic risk (BIS, 2004).
'Operational deficiencies' were mentioned by JP Morgan (2013) and CFTC (2013) as a component
of the organisational errors that caused the losses, however, operational risk was not included as
a significant factor. According to the division's organisation charts, the CIO did not have its own
ORM function, even though operational risk management (ORM) was mentioned in passing as a
discipline that was involved in the effort to prevent the losses (PSI 2013).
Conclusion
The 2012 JP Morgan 'London Whale' scandal served as a harsh reminder of the value of
competent risk management in averting significant financial losses. Multiple risk management
lapses, such as insufficient risk controls, poor communication, insufficient monitoring, and
unsuitable incentives, contributed to the scandal. From my analysis, the three lines of defence all
had their shortcomings, although the first line has the most responsibility, in particular Bruno
Iksil, the head of the CIO trading desk. He failed to address the long-term risks, in favour of shortterm profits, which escalated into huge losses for the firm.
Section B – Critically Analyse the Risks an Established Financial Institution Faces in Accepting
Cryptocurrency Deposits from Customers, and the Risks Faced from Investing in Cryptocurrency
Assets.
Introduction
Privately produced digital representations of value with monetary attributes and encryption (a
method of documentation that verifies business dealings without the need for a third party) such
as distributed ledger technology (DLT) generally known as crypto assets, have become a threat to
the monetary and financial institutions. Cryptocurrencies (like Bitcoin) and stablecoins (like USD
Tether) make up the bulk of the quickly growing crypto asset field.
Proponents of crypto assets claim that they will free people from the authority of governments
and financial institutions while also resolving the age-old challenges facing the world's monetary
and financial systems: how to facilitate fast, cheap, and private money transfers; expand access
to banking services; and protect users' privacy. The aftermath of the Global Financial Crisis of
2008 (GFC) led to a decrease in people's trust in government regulation and financial institutions.
At the same time, advancements in digital technology (such as cloud computing and blockchain)
as well as the growth of digital payment systems and related infrastructure (such as pre-paid
cards, electronic wallets, or web-based services) all contributed to the increase in popularity of
crypto assets. Increasing internet shopping and contactless payment during the Covid–19
epidemic also contributed to their increasing use.
Since June 2019, when Facebook (now Meta) and its partners revealed intentions to develop a
payments system based on a global stablecoin (Libra, then renamed Diem), the interest of central
banks in Central Bank Digital Currencies (CBDCs) has soared (Pistor 2021 & Prasad 2021). CBDCs
are digital equivalents of sovereign currencies such as the Sand Dollar or the e-Naira. These CBDCs
can assist improve financial inclusion, solve problems raised by crypto assets, and help assure
consumer protection, financial stability, and monetary sovereignty (Powell 2019).
Several cryptocurrencies and exchanges went down in May 2022, which led to a significant drop
in the value of cryptocurrencies overall by November 2022 (Levy and Sigalos, 2022). There were
speculative bubbles based on what were thought to be high-yielding, low-risk assets, and ordinary
investors suffered significant losses (Cornelli et al., 2023)—all hallmarks of the Global Financial
Crisis. As a result of the crypto world's still modest size and limited interoperability between
individual crypto assets, financial upheaval continued on a far smaller scale. At the same time, it
strengthened the idea that crypto assets are intrinsically unviable due to a lack of sovereign
support and severe regulation, dampening faith in the promises of crypto ecosystems.
Bitcoin and other cryptocurrencies have the potential to reduce transaction fees and speed up
settlement times, but they also present substantial dangers to traditional financial institutions like
banks. This essay will provide an in-depth analysis of the potential risks that banks face when they
accept cryptocurrency deposits from consumers and when they invest in cryptocurrency assets.
More importantly, it will explain why strong risk management frameworks are necessary and how
to implement them.
Potential Risks involved for Banks
Risks in accepting cryptocurrency deposits

Volatility: The value of cryptocurrencies can see large swings in a short amount of time. If
a bank takes cryptocurrency deposits and the value of those deposits suddenly declines,
the bank might suffer severe losses.

Regulatory ambiguity: Cryptocurrency laws are patchy at best, and many nations still lack
definitive standards for how banks should handle cryptocurrency holdings. As a result,
these establishments may face legal and regulatory repercussions.

Security risks: Cryptocurrencies are susceptible to cyberattacks and fraud, which might
result in the theft of funds or private information. Without proper safety precautions, a
bank runs the risk of suffering both financial and public relations damages.

Liquidity risks: Banks may have trouble successfully managing deposits and withdrawals if
cryptocurrencies do not have the same degree of liquidity as fiat currency.
Other risks that financial institutions may face in investing in cryptocurrency assets include:

Lack of transparency: In contrast to more conventional financial markets, the
cryptocurrency market is not very open to the public. To make informed cryptocurrency
investments, banks may have trouble collecting the necessary information.

Volatility: Banks should exercise caution when investing in cryptocurrencies due to their
extreme volatility. The difficulty in accurately valuing their cryptocurrency holdings
increases the risk of suffering substantial financial losses.

Operational risks: It takes a high level of skill and understanding to invest in cryptocurrency
assets. Banks and other financial institutions may lack the knowledge and experience to
properly handle such.

Insurance: Unlike deposits in regular banks, funds held in digital wallets are not protected
by the FDIC.

Government Backing: A cryptocurrency's value is not backed by the word of any
government or central bank, unlike the US dollar or other fiat currencies.
Conclusion and Recommendation
Accepting client deposits in cryptocurrencies and investing in cryptocurrency assets might expose
banks to potentially high levels of risk. Cryptocurrencies have a lot of potential upsides, but the
hazards should be carefully considered first. Many considerations must be taken into account by
financial institutions when dealing with cryptocurrency transactions, including price volatility,
regulatory uncertainty, security risks, liquidity hazards, lack of transparency, cybersecurity risks,
and operational risks.
It is of grave importance that banks develop effective risk management frameworks bearing in
mind the unique characteristics of cryptocurrencies. They should stay up-to-date with regulatory
developments and market trends. Investing in the necessary expertise, technology and security
measures should also be a priority for banks delving into the cryptocurrency space.
Although dealing in cryptocurrencies has multiple risks, it presents the potential to transform the
financial industry, banks must therefore be prepared to adapt to this new reality. It is
recommended that banks approach cryptocurrencies cautiously and invest in the necessary
resources to effectively manage the risks involved, while also exploring the potential benefits
(SEC, 2023). This will enable banks to position themselves properly and advance with the
emerging trends.
References
Antonius Alijoyo (2018) Three Lines of Defense. ERMA | Enterprise Risk Management
Academy. [Online] [Accessed on 25th April 2023] https://www2.ermacademy.org/publication/risk-management-article/three-linesdefense/#:~:text=This%20approach%20is%20often%20referred.
Basel Committee on Banking Supervision (2010) Basel Committee on Banking Supervision
Basel III: A global regulatory framework for more resilient banks and banking systems. Basel,
Switzerland: Bank for International Settlements Communications.
https://www.bis.org/publ/bcbs189_dec2010.pdf
BIS (2004) Basel II: International Convergence of Capital Measurement and Capital Standards:
a Revised Framework. Bis.org. [Online] https://www.bis.org/publ/bcbs107.htm.
Bruce, S. (2019) Internal audit: three lines of defence model explained. icas.com. [Online]
https://www.icas.com/professional-resources/audit-and-assurance/internal-audit/internal-auditthree-lines-of-defence-model-explained.
CFI Team (2022) Risk Management. Corporate Finance Institute. [Online]
https://corporatefinanceinstitute.com/resources/risk-management/risk-management/.
CFTC (2013) ORDER INSTITUTING PROCEEDINGS PURSUANT TO SECTIONS 6(c) and
6(d) OF THE COMMODITY EXCHANGE ACT, MAKING FINDINGS AND IMPOSING
REMEDIAL SANCTIONS. US Commodity Futures Trading Commission.
https://www.cftc.gov/sites/default/files/idc/groups/public/@lrenforcementactions/documents/leg
alpleading/enfjpmorganorder101613.pdf
Cornelli, G., Doerr, S., Frost, J. and Gambacorta, L. (2023) BIS Bulletin No 69 Crypto shocks
and retail losses. https://www.bis.org/publ/bisbull69.pdf
DOJ (2013) Justice Department Announces Charges Filed Against Two Derivatives Traders in
Connection with Multi-Billion Dollar Trading Loss at JPMorgan Chase & Company.
www.justice.gov. [Online] [Accessed on 26th April 2023]
https://www.justice.gov/opa/pr/justice-department-announces-charges-filed-against-twoderivatives-traders-connection-multi.
JP Morgan (2013) Report of JPMorgan Chase & Co. Management Task Force Regarding 2012
CIO Losses. Yale School of Management. United States: JP Morgan Chase & Co, p. 57.
https://ypfsresourcelibrary.blob.core.windows.net/fcic/YPFS/JPMorgan%20Management%20Ta
sk%20Force%20Regarding%202012%20CIO%20Losses%201-16-13.pdf
Levy, A. and Sigalos, M. (2022) Crypto peaked a year ago — investors have lost more than $2
trillion since. CNBC. [Online] [Accessed on 27th April 2023]
https://www.cnbc.com/2022/11/11/crypto-peaked-in-nov-2021-investors-lost-more-than-2trillion-since.html?qsearchterm=crypto%20peaked.
Pistor, K. (2021) How Not to Launch a Digital Currency | by Katharina Pistor. Project
Syndicate. [Online] [Accessed on 27th April 2023] https://www.projectsyndicate.org/commentary/facebook-libra-diem-failure-lessons-for-digital-currencies-bykatharina-pistor-2021-05.
Powell, J. (2019) MONETARY POLICY AND THE STATE OF THE ECONOMY HEARING
BEFORE THE COMMITTEE ON FINANCIAL SERVICES U.S. HOUSE OF
REPRESENTATIVES ONE HUNDRED SIXTEENTH CONGRESS FIRST SESSION.
https://www.govinfo.gov/content/pkg/CHRG-116hhrg39738/pdf/CHRG-116hhrg39738.pdf
Prasad, E. S. (2021) The Future of Money — Eswar S. Prasad. www.hup.harvard.edu.
Cambridge: Harvard University Press, pp. 168–175.
https://www.hup.harvard.edu/catalog.php?isbn=9780674258440
PSI (2013) JPMORGAN CHASE WHALE TRADES: A CASE HISTORY OF DERIVATIVES
RISKS AND ABUSES HEARING BEFORE THE PERMANENT SUBCOMMITTEE ON
INVESTIGATIONS OF THE COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS UNITED STATES SENATE ONE HUNDRED THIRTEENTH
CONGRESS FIRST SESSION VOLUME 1 OF 2. https://www.govinfo.gov/content/pkg/CHRG113shrg80222/pdf/CHRG-113shrg80222.pdf
SEC, U. S. (2023) Exercise Caution with Crypto Asset Securities: Investor Alert | Investor.gov.
www.investor.gov. [Online] [Accessed on 28th April 2023]
https://www.investor.gov/introduction-investing/general-resources/news-alerts/alertsbulletins/investor-bulletins/crypto-asset-securities.
Turner, B. A. (1976) ‘The Organizational and Interorganizational Development of Disasters.’
Administrative Science Quarterly, 21(3) pp. 378–397. DOI: 10.2307/2391850