
Risk Management in Banks

This document discusses risk management in banks. It defines risk as the probability of an unexpected outcome occurring that results in a loss. Effective risk management involves identifying, measuring, monitoring, and controlling risks. It is important for banks to have a clearly defined risk philosophy and risk appetite to guide risk-taking activities while staying within regulatory boundaries. A strong risk management architecture with board oversight and clear policies is necessary to properly manage the various risks banks face like credit, market, and operational risk.
Copyright
© Attribution Non-Commercial (BY-NC)

Risk Management in Banks

Any activity involves risk, touching all spheres of life, whether personal or business;
likewise, any business situation involves risk. To sustain its operations, a business has to
earn profit/revenue and thus has to be involved in activities whose outcomes may be
predictable or unpredictable. There may be an adverse outcome, affecting its revenue,
profit and capital. However, the dictum “no risk, no gain” holds good here. It is also aptly
said that “risks do not disappear, they give users a choice: which to retain and which to
shed”.

4.2 Definition of Risk

The word risk is derived from the Italian word ‘risicare’, meaning ‘to dare’.

There is no universally acceptable definition of risk. Prof John Geiger has defined it as
“an expression of the danger that the effective future outcome will deviate from the
expected or planned outcome in a negative way”.

The Basel committee has defined risk as
“the probability of the unexpected happening - the probability of suffering a loss”.

The four letters comprising RISK are:

R - Rare (unexpected)
I - Incident (outcome)
S - Selection (identification)
K - Knocking (measuring, monitoring, controlling)

RISK therefore has to be looked at from four different fundamental aspects:
• Identification
• Measurement
• Monitoring
• Control (including risk audit)

4.3 Risk Vs Uncertainty

In common parlance, risk and uncertainty are used interchangeably. However, risk is to
be viewed differently from mere uncertainty about the occurrence of any event in the
future, since risk involves an opportunity. In other words, risk perception involves studying
‘which event’ is likely to happen, as opposed to uncertainty, where the focus is on ‘what
could take place’.

4.4 Types of Risks

The risk profile of an organization can be viewed from the following angles:
A) Business risks
- Capital
- Credit
- Market
- Liquidity
- Business
- Operational
- Group

B) Control risks
- Internal controls
- Organization
- Management
- Compliance

Both these types of risks are, however, linked to the three omnibus risk categories listed below:
• Credit risk
• Market risk
• Organizational risks

4.5 Risk Management

The standard definition of management is that it is the process of accomplishing preset
objectives; similarly, risk management aims at fulfilling the same preset objectives. This
means that an organization, whether it is a profit-seeking or a non-profit one, must
have in place clearly laid out parameters to contain, if not totally eliminate, the adverse
financial effects of its activities. Hence the process of identification, measurement,
monitoring and control of its activities becomes paramount under risk management.

The organization can concentrate on the following issues:

• Creating an enabling environment across the enterprise to ensure a uniform
understanding of the risk areas
• Fixing a boundary within which the organization will move in the matter
of risk prone areas
• The functional authorities must limit themselves to the defined risk
boundary while achieving corporate objectives.
• The risk return equation must be such that while there is no risk aversion,
the decision making process compensates for risk in any activity
• The resources of the enterprise, like the accounting capital (the amount put in
by the shareholders), regulatory capital (the amount stipulated by any regulatory
authority for maintaining a capital base) or economic capital, must be consistent with
the organization's risk level
• There should be a balance between the organization's risk philosophy and its
risk appetite.

4.6 Importance of Risk Management

Whether in business or otherwise, risk management is not a new phenomenon. It has
been there over the ages in some form or the other, though the various forms were not called
market risk, credit risk or operational risk as they are today. But the importance of risk
management has grown in recent times. The international regulatory authority, the Bank for
International Settlements at Basel, Switzerland, has been working on a well structured risk
management system.

The concern over risk management arose from the following developments:
• In February 1995, the Barings bank episode shook the markets and brought
about the downfall of the oldest merchant bank in the UK. Inadequate regulation and
the poor systems and practices of the bank were responsible for the disaster. All
components of risk management (market risk, credit risk and operational risk)
were thrown overboard.
• Shortly thereafter, in July 1997, there was the Asian financial crisis, brought about
again by the poor risk management systems in banks coupled with perfunctory
supervision by regulatory authorities. Such practices could have severely damaged
the monetary systems of the various countries involved and had international
ramifications.

By analyzing these two incidents we can come to the following conclusions:

• Risks do increase over time in a business, especially in a globalised
environment.
• A mere quantitative approach to risk perception, arising out of trading
volumes, earnings levels etc., does not reveal the inherent drawbacks in the
organization.
• Increasing competition, the removal of barriers to entry to new business
units by many countries, and higher order expectations by stakeholders lead to
assumption of risk without adequate support and safeguards.
• Businesses are tempted to bring in new types of products, spreading to
uncharted areas for short term gains.
• The traditional focus of business has been ‘transaction oriented’, which has
also proven disastrous. There is a need for them to take a ‘risk perception’ approach
enterprise wide for the long term sustainability of operations.
• The technological revolution, while introducing countless benefits, has also
created many new risks for an organization, like technology fraud, loss due to wrong
monitoring of technology etc., which can be tackled only through compact risk
management systems.
• The external operating environment in the 21st century is noticeably
different. It is not possible to manage tomorrow's events with yesterday's systems
and procedures and today's human skill sets. Hence risk management has to address
such issues on a continuing basis and install safeguards from time to time with the
tool of risk management.
• Regulatory authorities have begun to insist that organizations install a ‘risk
return discipline’. This is possible only when a structured risk management
environment operates in the organization.
• Forward looking assessment by an organization in operational matters is
best aided by a properly articulated risk management system.
• Stakeholders in business are now demanding that their long term interest be
protected in a changing environment. They expect organizations to install
appropriate systems to handle a worst case situation. Here lies the task of a risk
management system: providing returns and enjoying confidence.
• The three pillar principle of the Basel committee is served if an
organization has in place a risk management system.

Risk management is thus a functional necessity and adds to the strength and efficiency of an
organization on an ongoing basis.

4.7 Risk Philosophy Vs Risk Appetite

Ideally, a risk management system in any organization must codify its risk philosophy and
risk appetite in each functional area of its business. For example, in a bank or financial
institution, this should specifically cover market risk, credit risk and operations risk. Risk
philosophy involves developing and maintaining a healthy portfolio within the boundary
set by the legal and regulatory framework. Risk appetite, on the other hand, is governed by
the objective of maximizing earnings within the contours of risk perception.

While coming up with a risk philosophy and a risk appetite, therefore, it is necessary to
highlight the following aspects:
• They should have an enterprise wide dimension, for example, the
implications of focusing on any particular business segment or other segments of
the organization.
• Calculated risk taking should be encouraged rather than risk aversion. New
and emerging business opportunities involving slightly more risks may be
entertained with necessary safety belts.
• The legal and regulatory framework must be properly incorporated into
plans of the business segments, with an eye, however, on maximizing earnings.
• ‘Adverse selection’ just to prop up earnings must go hand in hand to ensure
that the organization has strength and vitality.

4.8 Risk Management Architecture

The efficacy of any risk management system depends on its architecture. This comprises the
following essential elements:
• A clearly defined and structured organizational set up to manage
enterprise wide risks.
• Commitment at the highest level of those who set the policy framework
and oversee implementation within that organization, that is, the board of directors
and senior management.
• Codification of risk management policies, articulated in such a way that
it serves the organizational risk appetite within the contours of risk perception.
• Implementing strategy of the direction through specific risk management
processes so as to effectively identify, measure, monitor and control risks.
• Manpower development initiatives to improve the skill sets of people in
the organization.
• Periodical evaluation.
• Risk audit.

4.9 Risk Organizational Set Up

In a planned organizational set up, it is necessary to keep the risk taking and risk control
functions separate. However, while creating a balanced organizational structure, it must be
borne in mind that the primary goal is not to avoid risks that are inherent in a particular
business but rather to steer them consciously and actively to ensure that the income
generated is adequate to the assumption of risks.

In risk management, the organization's set up must have the following elements:
• There must be clarity in the job roles of the officials.
• Inter departmental relationships must be conducive to organizational
effectiveness.
• There must be flexibility in terms of inter connectivity of the functions of
various officials.
• Control linkages and rationale.

Thus an appropriate risk management structure is paramount in the organization's interest.

The RBI has inter alia stated that a sound organizational structure is necessary for the
successful implementation of risk management initiatives in an organization (RBI
Guidance Note issued in October 2002).

In limited companies, the board of directors is the highest policy making body and has the
overall responsibility for managing and controlling business risks. This role is played by the
partners in partnerships and by the board of governors in a cooperative organization.

The board’s specific roles in risk management include:

• Evolving policies based on risk perception for the enterprise as a whole.
• Setting up risk and tolerance limits covering major risk areas for the
organization, for e.g. liquidity risk limit, interest rate limit, foreign exchange rate
limit etc., especially in case of sensitive segments.
• Measuring, monitoring and controlling risk areas periodically with feedback
from other operating commitments.

The board is the final authority in an organization, having the overall responsibility for
growth and profitability. Therefore, to ensure compact supervision over the risk
management function, a risk management committee (RMC) is usually nominated by
board members.

The RMC functions as a board level subcommittee. Its functions comprise:

• Devising operating risk policy and strategy for the entire organization.
• Initiating measures as may be necessary from time to time to contain risk
exposures within the limits fixed by the board.
• Coordinating with other internal executive committees: asset liability
management committee (ALCO), investment committee, operational risk
management committee etc. Such committees are in general responsible for
implementing the directions of the RMC.

The next rungs of the risk management set up are:

1. Credit risk management committee (CRMC), comprising heads of the credit
department, investment department, and chief economist, if there is one. The
CRMC may be headed either by the CEO or by his immediate subordinate.
2. Market risk management committee, asset liability management committee,
comprising heads of treasury, foreign exchange investment along with the chief
economist, if there is one.
3. Operational risk management committee, comprising heads of production (in
case of manufacturing or allied operations), various product service divisions,
personnel resources management, internal inspection/audit and publicity or public
relations etc. The committee may also be headed by the CEO or his immediate
subordinate.

The functions of each of these committees may be:

• Responsibility for the implementation of directions from the board on
strategic issues.
• Monitoring relative risk sectors (for e.g. credit, market operations etc.) on an
enterprise wide basis within limits set by the board.
• Making recommendations to the board through the RMC on new thrust
areas or modification of existing areas having a direct impact on the operations of
the organization in terms of earnings, capital and other areas of concern. Hence the
identification, measuring, monitoring and control angles of the risk segment are to
be examined and reported to the board/RMC regularly.

Since there are several types of risk involved, separate departments have to be set up to
handle each one of them. These include:

• Credit risk department
• Market risk department
• Operational risk department

The composition of each department depends on the size and complexity of the organization, its
risk philosophy, risk appetite and its magnitude of operations. Functionally, however, each
department should do the following things:

• Measure, control and manage each risk area across the enterprise.
• Ensure compliance with the board's/RMC's directives on risk.
• Lay down operating instructions with a properly articulated management
information system (MIS) and evaluation procedure to correct deficiencies when
they arise.
• Undertake portfolio studies of the external and internal environment and
take steps within the framework of the organization's operating guidelines.
• Provide support services to the RMC.

The organization structure for risk management may vary between institutions for the
following reasons:
• Differences in the size and complexity of operations
• Varying management cultures and organizational ethos
• Different risk philosophy and risk appetite

4.10 Omnibus Risk Management Organization Chart

BOARD OF DIRECTORS

RISK MANAGEMENT COMMITTEE

CREDIT RISK
Credit risk management dept consisting of:
- Identification cell
- Measurement cell
- Monitoring cell
- Control cell

MARKET RISK
Marketing risk management cell consisting of:
- Identification cell
- Measurement cell
- Monitoring cell
- Control cell

OPERATIONAL RISK
Operational risk management cell consisting of:
- Identification cell
- Measurement cell
- Monitoring cell
- Control cell

4.11 Principles In Risk Management

Any activity or group of activities needs to be done according to clear principles or
fundamental truths. In risk management, the following set of principles dominates an
organization's operating environment:

• Close involvement at the top level, not only at the policy stage but also
during the entire process of implementation and regular monitoring.
• The risk element in various segments within an organization varies
depending on the type of activities they are involved in. For e.g., in a bank, the credit
risk of loans to priority sectors may be perceived as being of high frequency but low
value. On the other hand, the operational risk involved in large deposit accounts
may be seen as low frequency but high value.
• The severity and magnitude of various types of risks in an organization must
be clearly documented.
• There should be clear lines of responsibility and demarcation of duties of
people managing the organization.
• Staff accounting must be clearly spelt out so that various risk segments are
handled by various officers with full understanding and dedication.
• After identification of risk areas, it is absolutely essential that these are
measured, monitored and controlled as per the needs and operating environment of
the organization.
• All the risk segments should operate in an integrated manner on an
enterprise wide basis.
• Risk tolerance limits for various categories must be in place, and exception
reporting must be provided for when such limits are exceeded due to exceptional
circumstances.

4.12 Risk Management Policies

Mere codification of risk principles is not enough. They need to be implemented through a
defined course of action. Therefore an organization requires policies on managing all types
of risks. These have to be drawn up keeping in mind the following elements:
• The risk management process should give appropriate weightage to the
nature of each risk, considering the organization's nature of business and availability
of skill sets, information systems etc.
• The methodology and models of risk evaluation must be built into the
system.
• Action points for correcting deficiencies beyond tolerance levels must be
provided for in the policy.
• Risk policy documents need not be uniform for all types of risks, and in fact
it may not be practical.
• An appropriate MIS is a must for the smooth and successful operation of
risk management activities in an organization.
• The organisation structure must be so designed as to fit its risk philosophy
and risk appetite.
• A back testing process where the quality and accuracy of the actual risk
measurement is compared with the results.
• There should be periodical reviews, preferably on a semiannual basis, of the
risk mitigating tools for each risk segment.
• There should be skilling and re-skilling and even deskilling in some cases.
• There should be a contingent planning system to handle crisis situations that
elude planned safety nets.

4.13 The Risk Management Process

The word process connotes a continuing activity or function towards a particular result.
The process is in fact the last of the four wings in the entire risk management edifice, the
other three being organizational structure, principles and policies.

Internationally, the risk management process has four components:

• Risk identification
• Risk measurement
• Risk monitoring
• Risk control

4.13.1 Risk Identification

In order to achieve a common understanding of the characteristics of each risk
segment at all levels in an organization, it is necessary to spell out the danger signals. This
helps decision makers to get the best from various activity points of the organization,
allowing them to take calculated risks and not be risk averse. While identifying the risks,
the following points have to be kept in mind:
• All types of risks must be identified and their likely effect in the short run be
understood.
• The magnitude of each risk segment may vary from organization to
organization.
• The geographical area covered by an organization may determine the
coverage of its risk contents.
• One clear way of identifying risk in an organisation is to scan both balance
sheet items and off balance sheet items and find the risk elements.

4.13.2 Risk Measurement

Measurement means weighing the contents, value, intensity and magnitude of any object
against a yardstick. In risk measurement it is necessary to establish clear ways of evaluating
various risk categories in an organization, without which identification of risk would not
serve any purpose.

Using quantitative techniques in a qualitative framework will facilitate the following
objectives:
• Finding out and understanding the exact degree of risk elements in each
category in the operational environment.
• Directing the efforts of the organization to mitigate the risks according to
the vulnerability of a particular risk.
• Taking appropriate initiatives in planning the organization's future thrust
areas and line of business and capital allocation. The systems and techniques used
to measure risk depend on the nature and complexity of a risk factor.

Since an error free risk measurement takes care of the organization's stake and
sustainability, on a case to case basis depending on size and complexity, statistical qualitative
models may be used with the following precautions:

4.13.3 Risk Monitoring

Keeping close track of risk identification and measurement activities in the light of the risk
principles and policies is a core function in a risk management system. Risk monitoring
activity should ensure that:

• Each operating segment has clear lines of authority and responsibility.
• Wherever the organization's principles and policies are breached, they should
be analyzed and reported to the appropriate authorities to aid in policy making.
• In the course of risk monitoring, if it appears that it is in the organization's
interests to modify existing policies and procedures, steps to change them should
be considered.
• There is an action plan to deal with major threat areas facing the
organization in the future.
• The activities of both the business and reporting wings are monitored,
striking a balance at all points of time.
• Tracking of risk mitigations is both upward and downward.

4.13.4 Risk Control

There must be an appropriate mechanism to regulate or guide the operations of the risk
management system in the entire organization through a set of control devices. This can
be achieved through a host of management processes such as:

• Assessing risk profile techniques regularly to examine how far they are
effective in mitigating risk factors in the organization.
• Analyzing the internal and external audit feedback from the risk angle and
using it to activate control mechanisms.
• Segregating risk areas of major concern from other relatively insignificant
areas and exercising more control over them.
• Putting in place a well drawn out risk focused audit system to provide inputs
on restraint for operating personnel so that they do not take needless risks for short
term interests.
• The risk control mechanism provides top management the opportunity to review
staff skilling aspects in the organization.

It is evident, therefore, that the risk management process, through all four of its wings
(identification, measurement, monitoring and control), facilitates an organization's
sustainability and growth.

4.14 Types Of Risks

The risks that an organization faces can be of two categories:

A. Business risks
B. Control risks

A. Business risk includes all risk factors, whether it affects a business directly or indirectly.

Business risks can be divided into the following:

1. Capital risk

The size of the owner’s stake in the organization determines the strength of its operation.
The composition of its capital – tier I (capital + reserves) and tier II (bonds, hybrid
instruments etc) depends on its resource mobilization capacity. If an organization can
access capital from only limited sources like directors rather than from the public then this
may act as a constraint on capital. In contemporary financial management capital has a
number of components. These include:

• Accounting capital
• Regulatory capital
• Economic capital

According to the Basel committee, capital base is one of the three pillars of risk assessment
(the other two being supervisory role and market discipline).

2. Credit risk

The main components of credit risk are:

• Credit growth in the organization and composition of the credit portfolio in
terms of sectors, centers and size of borrowing activities so as to assess the extent
of credit concentration
• Credit quality in terms of standard, substandard, doubtful and loss making
assets
• Extent of the provisions made towards poor quality credits
• Volume of off balance sheet exposures having a bearing on the credit
portfolio

3. Market risk

The components of this risk type are:

• Composition of the investment portfolio
• Quality of the investment portfolio
• Interest rate volatility and sensitivity
• Where in business and the foreign exchange aspect is also vital
• Equity/commodity risk

4. Earnings risk

This covers a host of items such as:

• Budget and profit planning function in the organization
• Analysis of income/expenses
• Earning quality and stability

5. Liquidity risk

Covers areas such as:

• Composition
• Liquidity profile

6. Business strategy and environment risk

Covers the following areas:

• External environment and macro-economic factors
• Strategy with regard to market share, geographical spread, compatibility of
strategy with in house experience and expertise.
• Business profile analysis using SWOT
• Strategic business initiatives on the institution and streamlining of business
development
• Experience and skills of key personnel in the organization
• Adequacy and compatibility of IT systems and business needs.

7. Operational risk

This really is an omnibus type of risk as it covers the entire range of activities in an
organization. The main components of operational risk are:

• People risk: the capabilities, competence and motives of the people in the
organization
• Technology risk: system failure, system security
• Legal risk: documentation for transaction
• Operating environment: abrupt non macroeconomic changes in the
organization.

8. Group risk factors

These include:
• Capital concentration of the parent/group, gearing of capital, return on
capital investment
• Operating and financial performance of the subsidiaries, share of business
and competition faced by subsidiaries
• Contagious problems overlooked by the parent organization
• Risks arising from connected lending and intra-group exposures, risk from
joint ventures etc.
• Compliance by subsidiaries with regulatory guidelines in the area of
operations.

B. CONTROL RISKS

In the entire risk management process, control of activities finds a prominent place. A
control mechanism is a must for any transitions well being. Control risks can be divided
into two:

1. Internal control risks

• Lack of a clear line of responsibility and authority
• Poor systems for monitoring and reporting suspicious transactions
• No regular surveillance of the control mechanism by the top management.

2. Organisational risks

• Vague and overlapping organisational structure with unclear legal
implications
• Absence of a structured assessment mechanism to leverage external and
internal relationships
• Absence of a cordial industrial relationship
• Lack of an adequate support system to evaluate major customer
relationships

3. Management risk

• Composition, cohesiveness, competence and leadership attributes of the
board of directors
• Non assessment of the effectiveness of control functions of senior management
• Absence of a clear succession planning mechanism
• Undefined responsibility and accountability
• Whether it follows contemporary corporate governance practice, especially
with regard to strategy formulation

4. Risk from the compliance angle

• Necessary emphasis not accorded to compliance with guidelines laid down
by the regulatory authorities
• Deviations not reported to the competent authorities when they arise
• Non adherence to a Monitorable Action Plan (MAP), if any, prescribed by a
competent authority

It is evident that these risks are interlinked. For example, the credit risk of a bank may arise
from operational risk, where the default is the result of fraudulent activity by the bank's
staff/others or lack of care on their part. Ultimately it is reflected in the organization’s
earnings (for example, losses due to credit risk, market risk and operational risk) and
capital.

As omnibus categories, credit risk, market risk and operational risk cover all items of
business risk and control risks. This is precisely why, internationally, risk analysis is done
on these three types only.
