BANK RISK PRACTICES
STUDY TEXT

Philip Te
Published 2022
Version 1.0
eISBN 978-967-26625-5-6

Published by:
ASIAN INSTITUTE OF CHARTERED BANKERS 197701004872 (35880-P)
Levels 11 & 12, Bangunan AICB
10, Jalan Dato’ Onn
50480 Kuala Lumpur, Malaysia
www.aicb.org.my

COPYRIGHT NOTICE:
© 2022 Asian Institute of Chartered Bankers

All rights reserved. No part of this work or this publication may be reproduced, stored in a
retrieval system of any nature, distributed, or transmitted in whole or in part in any form or by
any means, including electronic, mechanical, photocopying, recording or otherwise without the
prior permission of the copyright owner.

To request permission, contact [email protected].

IMPORTANT NOTICES AND DISCLAIMERS


This study text is published by Asian Institute of Chartered Bankers (AICB) and is intended solely
for the use and reference for the Chartered Banker programme. This study text is not intended
for commercial use or distribution. AICB cannot accept responsibility for any error or omission or
any liabilities arising or resulting from the use or misuse of the study text. AICB and ABS reserve
the right to amend the study text.

This study text is intended for the preparation to attempt the Bank Risk Practices examination:

• The content of this study text is current and valid at the time of publication, and the candidates
are responsible for ensuring that they are aware of any subsequent additions, amendments,
changes and/or updates to the content from time to time; and
• AICB does not guarantee or give any warranty that candidates using this study text will achieve
any specific level of performance or outcome.

The sources of the images and illustrations herein have been cited accordingly. Should there be
any error or omission, the rightful owners may contact [email protected].
ACKNOWLEDGEMENTS

The Asian Institute of Chartered Bankers (AICB) wishes to thank the following for their valuable
insights in the development of this study text:

1. The Bank Risk Industry Curriculum Committee (ICC) members


2. The Reviewers

| Name | Designation | Organisation |
|---|---|---|
| Mr Laurence Ong Wooi Keat, CB | Chief Risk Officer | MBSB Bank |
| Mr Mark Roberts | Head of Educational Partnerships | Chartered Banker Institute, UK |
| Mr Ng Kah Sitt, CFA | Risk & Credit Division | China Construction Bank Corporation Labuan Branch |
| Mr Wong Kok Leong | Examination Committee | Asian Institute of Chartered Bankers |

3. The Bank Risk examiners

Special thanks to all other individuals, who in one way or another, have contributed towards
developing this study text.

INTRODUCTION

Asian Institute of Chartered Bankers


The Asian Institute of Chartered Bankers (AICB) is the professional body for the banking and
financial services industry. We are committed to raising the competency standards of the
banking profession by staying industry relevant and embracing innovations in the development
and delivery of our qualifications and learning.

This study text was originally planned to be an updated version of the two-volume study texts on
Bank Risk Management published by Oxford University Press and the Asian Institute of Chartered
Bankers (AICB) – a work that has been the basis for the Bank Risk Management (BRM) qualification
offered by AICB.

However, developments over the last few years in bank risk management, the effect
of Covid-19 on various risks (from operational, credit and market risk perspectives), the
continued rise of FinTech in capturing market share from banks, the adoption of cryptocurrencies
and other forms of digital currencies by more mainstream players, and the current geopolitical
risks we are facing prompted us to launch an almost entirely new study text that covers these new
developments and significantly improves on the content of the original BRM study texts.

Jamie Dimon, CEO of JPMorgan, in his 2022 letter to the shareholders, described how banks face
enormous threats from virtually all angles:

“Banks already compete against a large and powerful shadow banking system. And they
are facing extensive competition from Silicon Valley, both in the form of FinTech’s and Big
Tech companies (Amazon, Apple, Facebook, Google and now Walmart), that is here to
stay. As the importance of cloud, artificial intelligence (AI), and digital platforms grows,
this competition will become even more formidable. As a result, banks are playing an
increasingly smaller role in the financial system”

There are two types of risk management books available in the market.

The first type is a highly technical textbook on risk models that delves deep into the mathematics
of risk management and the intricacies of risk management modelling. The second type is a highly
qualitative textbook on risk management that focuses on general principles of risk management
without discussing the quantitative aspects of risk management.

Risk management has become so specialised that the practice of risk management has become
siloed. One of the problems identified in the 2008 Global Financial Crisis is that the complexity of
banking operations led risk management professionals to specialise; and this specialisation led
to a situation where very few in the organisation, including risk management professionals,
had an integrated perspective on the risks that banks are taking.

On the other hand, purely focusing on the qualitative aspects of risk management is also not
realistic. Risk management has become more quantitative over the years. Bank regulatory capital
standards are designed to include quantitative models. A close reading of Basel III would show
that there are hundreds of calculus equations there. This means that a modern practitioner of risk
management in a banking context cannot escape the need to study the quantitative aspects of
risk management.

This study text aims to bridge the gap and meet the need for an intermediate-level text that
focuses on the principles of risk management, including risk management models. Risk models will
be discussed (as they cannot be avoided), but the focus will not be on the technicalities but on
how to use these models in practice.

CONTENTS

ACKNOWLEDGEMENTS i

INTRODUCTION ii

1. AN OVERVIEW OF RISK MANAGEMENT IN BANKING 1-1


1.1 RISK MANAGEMENT PRINCIPLES 1-1
1.1.1 Definition of Risk Management 1-2
1.1.2 Objectives of Risk Management 1-3
1.1.3 Principles of Risk Management 1-9

1.2 RISK MANAGEMENT FRAMEWORK 1-14


1.2.1 Definition of Risk Management Framework 1-14
1.2.2 The Uses of a Risk Management Framework In Banking 1-14
1.2.3 How Organisations Cultures Underpin a Sound Risk
Management Framework in Terms of Its Decision-Making Policy 1-15

1.3 ENTERPRISE RISK MANAGEMENT (ERM) 1-35


1.3.1 The ERM Framework 1-36
1.3.2 The ERM Board of Directors and Senior Management 1-37
1.3.3 The ERM Process 1-37
1.3.4 Benefits of ERM 1-39

1.4 STRATEGIC RISK MANAGEMENT 1-42


1.4.1 Strategic Risk 1-42
1.4.2 The Scope of Strategic Risk Management 1-43
1.4.3 The Future of Banking 1-53

SUMMARY 1-55
END OF CHAPTER PRACTICE QUESTIONS 1-56
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 1-57

2. REGULATIONS AND TREATMENT OF RISK 2-1


2.1 IMPORTANCE AND OBJECTIVES OF REGULATIONS FOR BANKS 2-1
2.1.1 The Malaysian Banking Industry and Its Critical Role to the Economy 2-2
2.1.2 The Nature of Banking 2-4

2.2 THE PURPOSE OF BANKING SUPERVISION AND OTHER SIGNIFICANT
CENTRAL BANKS 2-11
2.2.1 Objective of Banking Supervision 2-13
2.2.2 Approaches to Banking Supervision 2-14
2.2.3 The Risk-Based Supervisory Approach 2-16
2.2.4 Supervisory Tools and Techniques 2-18
2.3 TYPES AND SOURCES OF MALAYSIAN BANKING REGULATIONS 2-18
2.3.1 Types of Banking Regulations 2-19
2.3.2 Sources of Banking Regulations 2-21
2.3.3 Prudential Regulations and Requirement Standards 2-29

2.4 INTRODUCTION TO RISK-BASED CAPITAL FRAMEWORK 2-38


2.4.1 The Basel Committee on Banking Supervision (BCBS) 2-39
2.4.2 The Basel Accords 2-41

2.5 BASEL I: THE 1988 BASEL CAPITAL ACCORD 2-41


2.5.1 About Basel I 2-42
2.5.2 Basel I Ratio 2-43
2.5.3 Why Focus on Capital? 2-44
2.5.4 The Risk-Weighted Assets 2-46
2.5.5 The 1996 Market Risk Amendments 2-48

2.6 BASEL II: THE THREE PILLARS 2-49


2.6.1 Pillar 1 – Minimum Capital Requirements 2-50
2.6.2 Pillar 2 – Supervisory Review 2-55
2.6.3 Pillar 3 – Market Discipline 2-58

2.7 BASEL III: THE REQUIREMENTS AND BASEL III EXTENDED 2-60
2.7.1 2008 Global Financial Crisis and Basel II 2-60
2.7.2 Basel III Reforms 2-64
2.7.3 Basel III – Capital Reforms 2-65
2.7.4 Basel III – Liquidity Reforms 2-70

2.8 ACCOUNTING RULES FOR BANKS 2-72


2.8.1 Provisioning Under IAS 39 and Procyclicality 2-72
2.8.2 Accounting Perspective Vs Regulatory Perspective 2-72
2.8.3 IFRS9 Expected Loss Model 2-73

SUMMARY 2-75
END OF CHAPTER PRACTICE QUESTIONS 2-76
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 2-77

3. KEY COMPONENTS OF RISK MANAGEMENT IN BANKING 3-1


3.1 OVERVIEW OF THE RISK MANAGEMENT PROCESS 3-1
3.1.1 Qualities of a Sound Risk Management Process 3-2
3.1.2 Risk Management Activities 3-3
3.2 TYPES OF RISK 3-5
3.2.1 Credit Risk 3-5
3.2.2 Interest Rate Risk 3-6
3.2.3 Exchange Rate Risk 3-6
3.2.4 Market Risk 3-7
3.2.5 Liquidity Risk 3-7
3.2.6 Regulatory Risk 3-8
3.2.7 Operational Risk 3-8
3.2.8 Model Risk 3-9
3.2.9 Country Risk 3-9
3.2.10 Business Risk 3-9
3.2.11 Counterparty Risk 3-10
3.2.12 Conduct Risk 3-10
3.2.13 Reputational Risk 3-10

3.3 COMMUNICATION AND CONSULTATION 3-10


3.4 ESTABLISHING CONTEXT 3-11
3.4.1 The External Context 3-12
3.4.2 The Internal Context 3-12
3.4.3 The Risk Management Process Context 3-13
3.4.4 The Risk Criteria 3-13

3.5 RISK ASSESSMENT 3-14


3.5.1 Risk Identification 3-14
3.5.2 Risk Analysis 3-15
3.5.3 Risk Evaluation 3-16

3.6 RISK TREATMENT 3-16


3.6.1 The Risk Treatment Process 3-16
3.6.2 The Risk Treatment Options 3-18

3.7 RISK MONITORING, METRICS AND REPORTING 3-20

SUMMARY 3-21
END OF CHAPTER PRACTICE QUESTIONS 3-22
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 3-23

4. RISK MODELS 4-1
4.1 MATHEMATICAL AND STATISTICAL CONCEPTS IN RISK MEASUREMENT 4-1
4.1.1 Expected Value 4-1
4.1.2 The Concept of Mean Reversion and the Law of Large Numbers 4-5
4.1.3 Average 4-6
4.1.4 Variance and Standard Deviation 4-10
4.1.5 Random Variables 4-13
4.1.6 Random Processes 4-14
4.1.7 Statistical Distributions 4-16

4.2 MODELS 4-28


4.2.1 Model Risk 4-29
4.2.2 Model Validation 4-31
4.2.3 Purpose of Risk Models in the Risk Management Process 4-32
4.2.4 The Potential Shortcomings 4-34
4.2.5 Model Back-Testing 4-36

SUMMARY 4-37
END OF CHAPTER PRACTICE QUESTIONS 4-38
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 4-39

5. CREDIT RISK MANAGEMENT 5-1


5.1 SOURCES OF CREDIT RISK 5-1
5.1.1 Credit Risk From Loan and Advances 5-2
5.1.2 Credit Risk From Investment Securities 5-2
5.1.3 Credit Risk From Off-Balance Sheet Exposures 5-2
5.1.4 Credit Risk From Derivatives 5-3

5.2 TYPOLOGY OF STANDALONE CREDIT RISK 5-3


5.2.1 Retail Credit Risk 5-3
5.2.2 Sovereign Credit Risk 5-4
5.2.3 Corporate Credit Risk 5-5
5.2.4 Counterparty Credit Risk (CCR) 5-9

5.3 OVERVIEW OF PORTFOLIO CREDIT RISK 5-9


5.3.1 Sources of Portfolio Credit Risk 5-14
5.3.2 Credit Concentration Risk Management 5-21

5.4 FUNDAMENTAL ANALYSIS OF CREDIT RISK 5-24


5.5 PROBABILITY OF DEFAULT MODELS 5-30
5.5.1 Actuarial Approaches 5-37
5.5.2 Structural Approaches 5-43
5.5.3 Market-Based Approach 5-59

5.6 LOSS GIVEN DEFAULT MODELS 5-62


5.6.1 Factors Affecting Recovery Rates 5-63
5.6.2 Recovery Rates Modelling 5-66
5.7 EXPOSURE AT DEFAULT 5-67
5.7.1 Credit Exposure From Loans Or Bonds 5-68
5.7.2 Credit Exposure From Guarantees and Commitments 5-70
5.7.3 Credit Exposure From Derivatives 5-70

5.8 EXPECTED CREDIT LOSS (ECL) – REGULATORY AND ACCOUNTING PRACTICES 5-73
5.8.1 Overview of MFRS9/IFRS9 and the Need For This
New Accounting Standard 5-79
5.8.2 The Relationship of Accounting Standard With Risk Management 5-83

5.9 PORTFOLIO CREDIT RISK MODELS 5-86


5.9.1 History of Credit Portfolio Risk Theory 5-87
5.9.2 Portfolio Credit Risk Models 5-88

5.10 CREDIT RISK MITIGATION TECHNIQUES 5-88


5.10.1 Collateralised Transactions 5-89
5.10.2 Netting Agreements 5-89
5.10.3 Credit Risk Transfer Mechanism 5-91
5.10.4 Securitisation 5-92

SUMMARY 5-93
END OF CHAPTER PRACTICE QUESTIONS 5-94
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 5-95

6. OPERATIONAL RISK 6-1
6.1 PRELUDE TO OPERATIONAL RISK 6-1
6.1.1 Operational Risk – The Residual Definition 6-2
6.1.2 Operational Risk – The Causal Definition 6-2

6.2 PRINCIPLES FOR THE SOUND MANAGEMENT OF OPERATIONAL RISK 6-7


6.2.1 Fundamental Principles of Operational Risk Management 6-9
6.2.2 Governance 6-9
6.2.3 Risk Management Environment 6-11
6.2.4 Role of Disclosure 6-14

6.3 OPERATIONAL RISK MEASUREMENT 6-14


6.3.1 Challenges in Operational Risk Measurements 6-14
6.3.2 Approaches Used in Operational Risk Models 6-15
6.3.3 The Loss Distribution Approach (LDA) 6-16

6.4 INTERNAL OPERATIONAL RISK LOSS DATA 6-18


6.4.1 Incident Reporting 6-18
6.4.2 The 8 X 7 Matrix 6-19
6.4.3 Basic Statistical Analysis 6-20
6.5 EXTERNAL OPERATIONAL RISK LOSS DATA 6-21
6.6 BUSINESS RESILIENCE & CONTINUITY (HOLISTIC FOCUS) AND
DISASTER RECOVERY PLAN (DRP) 6-22
6.7 BOUNDARY RISK (MARKET & CREDIT) 6-26
6.8 CONDUCT RISK 6-28
6.9 NEW PRODUCTS DEVELOPMENT (NPD) AND BUSINESS ACTIVITIES
AND OUTSOURCING ACTIVITIES 6-30
6.9.1 New Products, Business Activities and Third-Party Risk 6-31
6.9.2 Third Party Risk in Financial Services 6-33

6.10 RISK CONTROL AND SELF-ASSESSMENT (RCSA) 6-34


6.11 RISK AND PERFORMANCE INDICATORS 6-35
6.12 OTHER TOOLS IN OPERATIONAL RISK ASSESSMENT 6-38
6.13 SHARIAH COMPLIANCE RISK 6-42

SUMMARY 6-44
END OF CHAPTER PRACTICE QUESTIONS 6-45
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 6-47

7. TECHNOLOGY, CYBER RISK, AND EMERGING RISK 7-1


7.1 DEFINITION OF IT, CYBER OR DIGITAL RISK 7-1
7.2 CURRENT IT, CYBER OR DIGITAL THREATS 7-4
7.3 DATA SECURITY & PRIVACY RISK 7-9
7.4 THE REGULATIONS AS PRESCRIBED UNDER RISK MANAGEMENT IN
TECHNOLOGY (RMIT) BY BNM 7-17
7.5 CRYPTOCURRENCY/BLOCKCHAIN 7-33
7.6 FINTECH & RISK ARISING & MANAGEMENT 7-37
7.7 ARTIFICIAL INTELLIGENCE/MACHINE LEARNING/ROBOTICS
PROCESS AUTOMATION (RPA) 7-45
7.8 API BANKING 7-46
7.9 CLIMATE RISK 7-47

SUMMARY 7-49
END OF CHAPTER PRACTICE QUESTIONS 7-50
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 7-51

8. TRADED/MARKET RISK 8-1


8.1 DEFINITION OF MARKET RISK 8-1
8.1.1 Trading Book Vs Banking Book – Review Changes in Line
With the Accounting Standards Changes 8-2
8.1.2 Daily Valuation 8-3
8.2 TYPES OF MARKET RISKS 8-4
8.2.1 Foreign Exchange Risk 8-4
8.2.2 Interest Rate Risk 8-6
8.2.3 Equity Price Risk 8-9
8.2.4 Commodity Price Risk 8-10
8.2.5 Market Risk Associated with Option Position 8-11

8.3 MARKET RISK MEASUREMENT 8-12


8.3.1 Market Risk Measurement and Assessment Perspectives 8-13
8.3.2 Market Risk Management Process 8-13
8.3.3 Market Risk Measurement and Assessment Tools 8-14

8.4 BANK TRADING: ROLES AND STRATEGIES 8-15


8.4.1 Bank Trading Positions 8-15
8.4.2 Bank Trading Strategies 8-18

8.5 PRE-VALUE-AT-RISK (VAR) MARKET RISK MEASUREMENT TOOLS 8-28


8.5.1 Full Notional Approach 8-28
8.5.2 Sensitivity Approach 8-30
8.5.3 Market-Value Approach 8-31

8.6 VALUE-AT-RISK (VAR) 8-34


8.6.1 History of VAR 8-34
8.6.2 Definition of VAR 8-35
8.6.3 Basic VAR Calculation Methodology 8-36
8.6.4 Back Testing 8-40
8.6.5 Validation 8-40

8.7 VAR CALCULATION METHODOLOGIES 8-41


8.7.1 Historical Simulation Approach 8-41
8.7.2 Parametric Approach 8-49
8.7.3 Monte Carlo Simulation Approach 8-52

8.8 EXPECTED SHORTFALL 8-53


8.8.1 Criticisms Against VAR 8-53

8.9 CREDIT VALUE ADJUSTMENT (CVA) 8-56


8.10 SETTLEMENT AND PRE-SETTLEMENT RISK 8-62
8.11 NETTING CLOSE OUT AND INTERNATIONAL SWAPS AND
DERIVATIVES ASSOCIATION (ISDA)/CREDIT SUPPORT ANNEX (CSA) 8-62

SUMMARY 8-66
END OF CHAPTER PRACTICE QUESTIONS 8-67
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 8-69
9. NON-TRADED MARKET RISK/LIQUIDITY RISK 9-1
9.1 DEFINITION OF NON-TRADED MARKET RISK/LIQUIDITY RISK 9-1
9.1.1 Definition of Liquidity Risk 9-2

9.2 OVERVIEW OF ASSET AND LIABILITY MANAGEMENT (ALM) 9-2


9.2.1 Key Asset and Liability Management (ALM) Activities 9-4
9.2.2 Stabilise Net Interest Income 9-4
9.2.3 Ensure Liquidity 9-7
9.2.4 Maintain Adequate Capital 9-8

9.3 INTEREST RATE RISK MANAGEMENT 9-9


9.4 ELEMENTS OF SOUND INTEREST RATE RISK MANAGEMENT PRACTICES 9-16
9.4.1 Appropriate Board and Senior Management Oversight 9-16
9.4.2 Adequate Risk Management Policies and Procedures 9-17
9.4.3 Risk Measurement, Monitoring, and Control Functions 9-19
9.4.4 Internal Control and Internal Audit 9-22

9.5 INTEREST RATE RISK MEASUREMENT TOOLS 9-23


9.5.1 Gap Analysis 9-23
9.5.2 Earnings-At-Risk (EAR) 9-32
9.5.3 Duration Gap 9-32
9.5.4 Simulation Approaches 9-33

9.6 LIQUIDITY RISK MONITORING TOOLS 9-34


9.6.1 Contractual Maturity Mismatch 9-35
9.6.2 Concentration of Funding 9-39
9.6.3 Available Unencumbered Assets 9-41
9.6.4 Liquidity Coverage Ratio (LCR) For Each Significant Currency 9-42
9.6.5 Market-Related Monitoring Tools 9-42
9.6.6 Net Stable Funding Ratio (NSFR) 9-46

9.7 LIQUIDITY STRESS TESTING/THE INTERNAL LIQUIDITY ADEQUACY
ASSESSMENT PROCESS (ILAAP) 9-46
9.8 SCENARIO ANALYSIS 9-50
9.9 CONTINGENCY FUNDING 9-53
9.10 USING DERIVATIVES TO MANAGE ASSET AND LIABILITY MANAGEMENT (ALM) 9-59
9.11 LIBOR CHALLENGES 9-67

SUMMARY 9-70
END OF CHAPTER PRACTICE QUESTIONS 9-71
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 9-73
10. CAPITAL MANAGEMENT 10-1
10.1 INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP) 10-1
10.2 ROLE OF CAPITAL 10-9
10.3 TYPES OF CAPITAL 10-10
10.4 SOUND CAPITAL MANAGEMENT AND ASSESSMENT 10-15
10.5 STRESS TESTING 10-23
10.5.1 Introduction to Stress Testing 10-23
10.5.2 Applications of Stress Testing 10-24
10.5.3 Approaches to Stress Testing 10-24
10.5.4 Principles of Sound Stress Testing 10-25

10.6 RISK ADJUSTED RETURN ON CAPITAL (RAROC) AND CAPITAL ALLOCATION 10-30

SUMMARY 10-37
END OF CHAPTER PRACTICE QUESTIONS 10-38
ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS 10-39

REFERENCES iv
CHAPTER 1
AN OVERVIEW OF RISK MANAGEMENT IN BANKING

1. AN OVERVIEW OF RISK MANAGEMENT IN BANKING

Learning Outcomes

At the end of the chapter, you will be able to:

• Explain the scope of risk management in banking.

Key Topics

In this chapter, you will be able to read about:

• Risk management principles


• Risk management framework
• Enterprise risk management
• Strategic risk management

Assessment Criteria

During the exam, you will be expected to:

• Demonstrate the objectives of risk management in the banking context.


• Demonstrate how the components of a sound risk management framework are
applied in practice.

1.1 RISK MANAGEMENT PRINCIPLES

The primary business of banking involves taking short-term deposits and lending them
out to borrowers. This exposes the bank to different risks (asset and liability management
(ALM) and credit risk in this case). Risk-taking is central to the business of banking.
Poor understanding of risk and poor risk management may lead to huge losses and
threaten the bank’s survival.

Despite the pervasiveness of risks in banking activities, the focus on managing risks
independently and distinctly is a relatively new phenomenon. In the past, risks were
simply accepted as a consequence of doing business. There was relatively little or
modest structured formal effort and framework to understand and manage risks
actively.

Now, as the business environment rapidly evolved and became more globalised,
banks responded by introducing innovative products. This made the banking
business model more complex and volatile. The banking failures in the 1970s and
1980s have heightened concerns that the risks of doing business must be actively
understood and managed. The lessons learned from these failures gradually
elevated risk management to a critical and formal function and activity, so
that it became an equally important core banking business activity.

1.1.1 Definition of Risk Management

ISO 31000 defines risk management as:

“Coordinated activities to direct and control an organisation with regard to risk….”

The definition reveals some important features of risk management, namely:

i. Coordinated – Risk management is a coordinated effort from all units in
the bank. This means that everyone in the organisation has a responsibility
to oversee and play a part in managing risk in the organisation. Risk
management should not be performed or presented as a single function
in banking. The process should be embedded in all its operational and
business activities as below:

[Figure 1.1: Three Lines of Defence Model. First Line: business line/front office.
Second Line: risk management function. Third Line: internal audit.]

The Three Lines of Defence model is one of the most cited organisational
models in risk management. It highlights the role of each function with
respect to risk management. The front office or business line, being the first
department that is in direct contact with business activities which generate
risk has the primary responsibility for managing risks. The second line of
defence is the risk management function. They act as an independent
challenge to the first line of defence by developing policies and procedures
with respect to risk management. Their role is to ensure those policies
and procedures are adhered to at all times. The third line of defence, the
internal audit, independently validates the design and effectiveness of the
role played by both the first line and second line of defence with respect to
risk management.

ii. Activities – Risk management is a structured and formal process. It entails
executing different activities such as communication, consultation,
establishing the context, and identifying, analysing, evaluating, treating,
monitoring, and reviewing risk.
iii. Direct and control – The main aim of risk management is to direct and
control the risks banks face. Its function does not aim only to eliminate risk. It
is important to note that, in risk management, processes and procedures
are in place to ensure banks are able to continue to operate and meet the
expectations of their internal and external stakeholders despite those risks.

1.1.2 Objectives of Risk Management

Risk management plays a central and integral role in the banking business
model. Given the important role that banks play in the economy, it is thus
essential to understand the main objectives of risk management. Objectives
can relate to a variety of aspects, such as financial, health and safety, and
environmental goals. They can be applied at different levels, including strategic,
organisation-wide, project, product, and process levels. The objectives of risk
management in banking are as follows:

• To increase the likelihood of achieving business objectives


• To encourage proactive management of risk
• Compliance with the laws and regulations
• Lower cost of funds
• Efficient allocation of capital and resources
• Enhance competitive advantage

Increase the likelihood of achieving business objectives


In traditional finance, the typical business objective of corporations or other
types of business entities is to maximise shareholder value by increasing
profitability and boosting shareholder wealth over the long run. The critical
role that a bank plays heightens the public interest and its involvement in the
banking business. In doing this, banks must satisfy multiple stakeholders,
which include:

Stakeholders to Banks

Depositors
• Depositors are one of the most important stakeholders of a bank.
• The deposit base usually forms the bulk of a typical bank’s sources of
funds.
• Loss of trust and confidence of depositors could lead to bank failures.
• Prudent management of trust and confidence of the depositing clients is
one of the bank’s main operating objectives.

Customers
• Customers refer to the community.
• The importance to the community makes it important for banks to
consider their customers in their business strategy.
• Given the competitive landscape in the global financial industry, banks
that fail to deliver customers’ expectations will face loss of business,
market share and ultimately, profitability.

Regulators
• Regulators frequently act as lenders of last resort.
• Regulators exercise oversight of regulated banking entities.
• Failure by banks to comply with regulatory requirements may affect their
ability to continue operating.
• Banks must incorporate the regulatory concerns in designing and
executing their respective business objectives.

Employees
• Employees are considered assets to the banks.
• Banks rely on their employees to execute the business objectives.
• The interest of employees should be considered in forming banking
business objectives.

General Public (the public)
• Banks play an important role as financial intermediaries, essentially
providing liquidity to the financial system by taking cash from
depositors and transforming it into productive long-term assets in
the form of loans that are expected to generate long-term benefit for the
economy.
• During the 2008 Global Financial Crisis, many governments worldwide
extended sizeable financial assistance to failing banks to prevent them
from collapsing. This financial assistance is often called a bailout. In
most cases, the financial assistance given or lent came from taxes paid
by the public.
• Given the burden on the public by a bank bailout, the interest of the
public must be considered in the bank’s business objectives.

Figure 1.2: Stakeholders to banks and their importance

Risk introduces uncertainty to the attainment of the bank’s business
objectives. Risk management aims to increase the likelihood of banks
attaining their business objectives by designing and executing strategies
to manage the risks that cause uncertainty about the organisation’s ability
to achieve its stated business objectives. Risk management provides the
framework and process that allow banks to mitigate the effect of those risks
on their business objectives.

Encourage proactive management of risks


The absence of risk management frequently results in the bank taking
risks passively and reactively. The lack of a formal process to assess and
mitigate risks makes banks more vulnerable to unwanted risk exposures
and frequently impairs their ability to respond to the risks quickly and
cost-effectively.

Risk management provides a systematic and structured framework and process
to assess and mitigate risks. The systematic and structured framework
encourages management to proactively assess and mitigate the risk
exposures that banks face. This allows banks to anticipate emerging
risks and equips them with the necessary tools to respond to the risks
promptly.

Compliance with laws and regulations


The banking industry is one of the most heavily regulated industries in most
jurisdictions. Special laws and regulations, designed to ensure the safety and
soundness of banks’ operations, apply to banks. Failure to comply with
the regulations may have adverse consequences for the bank, ranging from
monetary and non-monetary penalties or sanctions to being
forced to cease to exist.

Risk management plays an important role in ensuring that banks comply
with the relevant laws and regulations. Strong risk management practices
strengthen processes and controls that ensure compliance with relevant
laws and regulations. Regulation also plays an important role in risk
management. Since the 2008 Global Financial Crisis, regulators have increasingly
emphasised strengthening banks’ risk management practices. Failures
in risk management practices are consciously being met with substantial
fines that monetarily affect the banking business and significantly damage
the bank’s reputation.

Boxed Article–1

US Bank legal bills exceed $100 billion

On 28 August 2013, Bloomberg released a report claiming that the six
biggest US banks had accumulated more than $100 billion worth of legal
costs or $51 million a day since the financial crisis. This amount is reported
to be worth more than all dividends paid out to shareholders in the past
five years. The costs may continue to rise as regulators, prosecutors and
investors file new claims against these banks, which initially saw a 40%
increase in litigation and legal costs since January 2012.

This scenario exemplifies how risk management adds value to banks.
Sound risk management practices often entail establishing processes
and controls to minimise the chance of non-compliance with regulations.
(Griffin & Campbell, 2013)

Note: This article shows an example of risk management adding value
to banks. Sound risk management practices often entail establishing
processes and controls that will minimise the chance of non-compliance
with regulations.

Lower cost of funds


Banks fund their assets through a combination of liability and equity funding
sources. Liability sources of funding typically come from depositors and
borrowings with other banks and creditors. Equity sources of funding are
typically sourced from shareholders.

A bank’s cost of funds from both liability and equity funding sources is
positively related to depositors’ and investors’ perception of the bank’s risk
profile. This is consistent with the standard finance theory that the higher the
risk, the higher the return. Conversely, the lower the risk, the lower the
return.

The higher the perception of the bank’s risk profile, the higher will be the cost
of its funds. This is because investors, lenders and depositors will demand
higher returns to compensate them for taking higher risks. Conversely, the
lower the perception of the bank’s risk profile, the lower will be the cost of its
funds. Investors, lenders, and depositors may be willing to demand a lower
return due to the bank’s lower risk profile.

Risk management provides value by lowering a bank’s cost of funds. Strong
risk management practices allow for efficient and effective management
of “surprises” in achieving a bank’s business objectives. Lowering these
“surprises” or uncertainties would lower the bank’s overall risk profile.
Depositors, investors, and creditors of the bank would view the bank’s strong
risk management practices favourably. This favourable view may translate
to a lower perception of risk and, therefore, a lower cost of funds sourced from
investors and depositors. The reverse is also true for banks with weak risk
management practices. Depositors, investors, and creditors will penalise banks
with weak risk management practices by demanding higher returns on their
investment to compensate for the higher risk. This, therefore, will increase a
bank’s cost of funds.

Credit rating agencies assess banks’ risk management practices and use this
assessment as a factor in arriving at banks’ credit ratings.
Rating agencies assess the quality of a bank’s risk management approach
and practices and its appropriateness to the organisation’s risk profile. The
stronger the risk management practices of a bank, the more stable its credit
rating will be. The more stable the credit rating, the lower the expected cost of
funds (other things remaining constant).

Efficient allocation of capital and resources


Risk management provides a structured framework and process to assess
the risk implications of each business undertaking. This assessment can then
be used to allocate scarce resources to businesses that generate higher
returns commensurate with the level of risk taken. These are referred to as
risk-adjusted returns.

In contrast, banks may be tempted to focus on maximising accounting
earnings, for example, net income, without a sound risk management
framework. This focus on maximising accounting earnings overlooks the risk
implications of a business undertaking. Risk-adjusted return or performance
measures the return on a transaction or business activity after considering
the risk associated with the latter. This allows management to have a fair
perspective on how best to allocate scarce capital.

Risk management provides relevant and timely information that management
may use when deciding which business activity or business line will receive
more capital and strategic focus.


Illustrative Example–1

Role of risk management in providing relevant and timely information


Bank XYZ engages in the following business lines:

Business lines    Net income     Asset invested

1                 $10,000,000    $5,000,000
2                 $2,000,000     $5,000,000
3                 $1,000,000     $3,000,000
4                 $500,000       $3,000,000

If Bank XYZ’s business objective is to maximise accounting earnings, it appears
that Business Line 1 is the most attractive option. It provides the highest accounting
return per $1 of asset invested. Bank XYZ may channel all or most of its scarce
capital resources to Business Line 1.

Business lines    Net income     Asset invested    Return of investment
                                                   (Accounting)

1                 $10,000,000    $5,000,000        200%
2                 $2,000,000     $5,000,000        40%
3                 $1,000,000     $3,000,000        33%
4                 $500,000       $3,000,000        17%

The problem with maximising accounting returns as the overriding objective is that
it ignores risk in the capital allocation decision. Risk management provides
information to management on the level of risk taken for each business line. This
level of risk is then taken into consideration when calculating the return and
allocating capital. The table below shows how the decision and allocation will
change if the level of risk is considered.

Business    Net income     Return of investment    Volatility (or Other    Return (per 1
lines                      (Accounting)            Risk Measure)           unit of Risk)

1           $10,000,000    200%                    500%                    40%
2           $2,000,000     40%                     100%                    40%
3           $1,000,000     33%                     20%                     165%
4           $500,000       17%                     10%                     170%

Enhance competitive advantage


Risk management has evolved from being a compliance function to one that is
now increasingly viewed as a function that delivers a competitive advantage
to the banks. Strong risk management practices have proven to be a source
of competitive advantage, as evidenced by those banks with superior risk
management practices that have performed well, even during the Global
Financial Crisis. On account of their strong risk management practices, many
banks are given more flexibility to pursue business opportunities that may not
be available for those with weaker risk management practices.

1.1.3 Principles of Risk Management

Ray Dalio, the founder of one of the largest and most successful hedge funds
in the world, discussed the importance of having clarity of principles:

“By having good principles and having them clearly articulated
and regularly connected to one’s actions so that one’s actions are
consistent with them, one will operate effectively.”

What are the principles of risk management? Risk management principles
enumerate fundamental characteristics of effective risk management. These
foundational principles serve as bases for designing a risk management
framework. A risk management framework is a set of components that
provide the foundations and organisational arrangements for designing,
implementing, monitoring, reviewing and continually improving risk
management throughout the organisation (ISO 31000, 2018).

In other words, risk management principles are necessary as these are the
foundational concepts that are essential in the design and execution of risk
management initiatives. As stipulated in ISO 31000 (2018), there are eleven (11)
principles of risk management:

Principles of risk management:

Principle 1 - Creates and protects value
Principle 2 - An integral part of all organisational processes
Principle 3 - Part of decision making
Principle 4 - Explicitly addresses uncertainty
Principle 5 - Systematic, structured and timely
Principle 6 - Based on best available information
Principle 7 - Tailored
Principle 8 - Takes human and cultural factors into account
Principle 9 - Transparent and inclusive
Principle 10 - Dynamic, iterative and responsive to change
Principle 11 - Facilitates continual improvement of the organisation

Figure 1.3: The 11 principles of risk management


Principle 1: Risk management creates and protects value


Risk management creates and protects value by increasing the likelihood of
achieving the organisation’s objectives. It also creates and protects value as
it improves the bank’s governance and control processes, compliance with
regulations, and effectiveness and efficiency in allocating scarce capital and
resources.

One of the common themes of risk management failures is the lack of a
coherent structure with respect to the application of risk management to
daily business activities. Risk management is not only a “compliance” matter,
but it can also be regarded as a tool to create and protect value. Excessive
focus on the bottom line leads many to believe that one has to make
mutually exclusive choices between sound risk management practice and
commercially successful business strategy. Organisations that perceive risk
management as a box-ticking exercise instead of an activity that generates and
preserves value tend to reduce risk management effectiveness substantially.

Principle 2: Risk management is an integral part of all organisational processes

Risk management is not a standalone activity that is separate from the main
activities and processes of the organisation. Aside from ensuring profitability
and delivering shareholder value, risk management should form part of the
management responsibilities. Risk management is everyone’s responsibility.
The risks that banks face are so complicated and diverse that making them the
responsibility of one department within the organisation will render risk
management ineffective.

Further, if risk management is siloed from the different underlying
business activities of the organisation, it will also not be effective. In real
life, risks rarely occur in silos. In other words, risks are
multidisciplinary. For example, a market risk event can be caused by, or can
lead to, a liquidity, credit, or operational risk event.

Principle 3: Risk management is part of decision making


To be effective, risk management should be part of the decision-making
process. Risk management should help decision-makers make informed
choices, prioritise actions and distinguish among alternative courses of
action.

One of the important roles of risk management is to provide inputs that
decision-makers should consider when making any commercial decision.
These inputs include:

• A complete picture of the risks that the bank is taking from an integrated
perspective, particularly on what can go wrong
• An accurate and comprehensive perspective of the risk implications of
existing or new business undertakings
• Conditions that allow decision-makers to imagine the distribution of
potential outcomes creatively
• Structure to provide discipline in pricing in risk in any commercial
undertaking
• Information that will help decision-makers assess whether there is an adequate
level and quality of capital to support the bank’s risks.

Principle 4: Risk management explicitly addresses uncertainty


Risk management does not view risk in a deterministic manner. Risk
management should explicitly consider uncertainty, the nature of uncertainty
and how that uncertainty can be addressed. Risk management should
explicitly address uncertainty, particularly the uncertainty that matters. In
many instances, the focus of risk management is misplaced. The focus is on
areas where the appropriate solution is to strengthen controls (for example,
known risks where the impact is low should be addressed by instituting the
appropriate internal control).

One recent instance when risk management principles were not applied
appropriately is the extreme (and sometimes, almost blind) reliance on a
risk management tool (for example, value-at-risk as a market risk measure).
Some bank decision-makers put blind faith in this single number without
understanding its limitations. As a result, risks built up over time to an
unsustainable level that led to the 2008 Financial Crisis.

Principle 5: Risk management is systematic, structured, and timely


Risk management is a systematic, structured, and timely process that
contributes to efficient, consistent, comparable, and reliable results. It is
a rigorous process that encourages everyone in an organisation to assess
uncertainty in a structured and systematic manner and design mitigation
strategies methodically. While risk management should not be rigid, it has to
be a structured and systematic process to ensure that risks are appropriately
and consistently dealt with.

The complexity and diversity of risk management issues, including the
regulatory considerations where certain minimum standards must be
complied with, require a risk management process that is formal and
structured. Recent advances in behavioural finance demonstrate that our
brains suffer from behavioural and cognitive biases, making us approach
day-to-day problems irrationally. One of the ways to combat this is to have a
formal risk management process that is systematic, structured, and timely.


Principle 6: Risk management is based on the best available information


While risk management aims to assess and manage risk in a forward-looking
manner, it has to rely on the best available information as of a specified
predetermined date. Below are some examples of information sources that
can be used as inputs to the risk management process:

• Historical data
• Past experience
• Stakeholder feedback
• Observation
• Forecasts
• Expert judgement.

Risk management explicitly deals with uncertainty, and risk management
decisions should be based on the best available information on the day a
decision is made. There is always a trade-off between the reliability and the
relevance of risk management information. On one hand, risk managers
would want to have the most accurate and reliable source of information to
make key risk decisions. On the other hand, risk managers need to make timely
decisions. At times, a trade-off is needed between the relevance and reliability
of risk information. Risk information is any information which can influence
decision-making. Some organisations tend to accept only certain
types of information as legitimate risk information. Such a limitation
could increase the chance of something important being missed, which is why
it is necessary to understand the varieties of information available
to ensure total consideration before selection.

The art of risk management practice is to strike an appropriate balance,
so that the risk management information is as accurate
as possible without sacrificing the timeliness the information needs to make a
difference in the risk management decision-making process.

Principle 7: Risk management is tailored


Risk management is not a one-size-fits-all exercise. Each bank has unique
circumstances that must be considered in designing the organisation’s risk
management framework and process. Risk management should be aligned
with the organisation’s external and internal context and risk profile. While
banks need to comply with the minimum risk management standards
as prescribed by the Basel Committee on Banking Supervision or by the
national supervisory authority, risk management should be tailored to the
specific circumstances of the bank, recognising limitations on infrastructure,
knowledge, and capabilities.


Principle 8: Risk management takes human and cultural factors into account

The effectiveness of risk management processes, no matter how sophisticated
the designs are, still depends on the commitment and capabilities of everyone
in the organisation. Risk management considers the capabilities, perceptions,
and intentions of external and internal people that can facilitate or hinder the
achievement of the organisation’s objectives. The most effective risk management
is not the one that looks sophisticated and complex but the one that has strong
organisational buy-in. This strengthens the reach and effectiveness of risk
management practices and initiatives instituted within the organisation.

Principle 9: Risk management is transparent and inclusive


Risk management should not be an isolated activity. Everyone in an
organisation should be involved. Risk management is relevant and up to date
if stakeholders and decision-makers at all levels are involved in an appropriate
and timely manner. Risk management should incorporate the perspective
of everyone in the organisation. This is related to the principle we discussed
in an earlier section, that risk in practice is multidisciplinary. Therefore,
it is important to consider the perspective, expertise, and experience in the
organisation.

Further, in practice, the risks that banks face are complex and broad, which
means that to be truly effective, risk management should reach as many
people as possible within the organisation, from bank staff to executives to
senior management.

Principle 10: Risk management is dynamic, iterative, and responsive to change

Risk management should continually evolve and recognise the dynamic
environment in which a bank operates. As external and internal events occur,
context and knowledge change, and monitoring and review of risks take place. New
risks emerge. Some risks evolve. Some risks change. Some disappear. Risk
management should be able to capture and calibrate its responses to the
changing nature of uncertainty. Risk management is not a fixed process.
There is no ideal state for risk management. This is because banks continually
face changes due to developments both inside and, mostly, outside
the organisation.

Principle 11: Risk management facilitates continual improvement of the organisation

Organisations should develop and implement strategies to improve
their risk management maturity alongside all other aspects of the organisation.
The outcome that risk management intends to achieve is to facilitate the
improvement of the rest of the bank.


1.2 RISK MANAGEMENT FRAMEWORK

The purpose of the risk management framework is to assist an organisation
in integrating risk management into significant activities and functions. The
effectiveness of risk management will depend on its integration into the organisation’s
governance, including decision-making. This requires support from stakeholders,
particularly top management. Framework development encompasses integrating,
designing, implementing, evaluating, and improving risk management across the
organisation.

In developing a risk management framework, a bank should evaluate its existing
risk management practices and processes, evaluate gaps, and address those gaps
within the framework. Accordingly, the components of this framework and how they
work together should be customised to the organisation’s needs.

1.2.1 Definition of Risk Management Framework

The effectiveness of risk management depends on the effectiveness of the
risk management framework. A risk management framework is a set of
components that provide the foundations and organisational arrangements
for designing, implementing, monitoring, reviewing and continually improving
risk management throughout the organisation.

Foundations of the risk management framework include policy, objectives,
mandate, and commitment to manage risk. Organisational arrangements
include plans, relationships, accountabilities, resources, processes, and
activities. For risk management to be effective, the risk management
framework should be embedded within the bank’s overall strategic and
operational policies and procedures.

1.2.2 The Uses of a Risk Management Framework In Banking

The risk management framework assists in managing risks effectively through
applying the risk management process at varying levels and within specific
contexts of the organisation.

The framework ensures that information about risk derived from the risk
management process is adequately reported and used as a basis for
decision-making and accountability at all relevant organisational levels.
The framework assists in integrating risk management into the overall
management system.


1.2.3 How Organisational Cultures Underpin a Sound Risk Management
Framework in Terms of Its Decision-Making Policy

Banks will often have a process in place to identify and monitor risks. But
they fall short in implementing practices to manage those risks as part of
the overall strategic plan. Reasons for this shortcoming include lacking
a dedicated internal risk management department and qualified risk
management professionals in the existing talent pool. Figure 1.4 shows the
common elements of a sound risk management framework in a bank:

Effective risk governance

Risk appetite

Risk culture

Risk management policy

Risk organisation

Figure 1.4: Elements of risk management framework

Effective risk governance


The 2008 Global Financial Crisis exposed several governance weaknesses
that resulted in the banks’ failure to understand the risks they were taking. The
Financial Stability Board (FSB) enumerated the weaknesses in risk governance
highlighted in the 2008 Global Financial Crisis. FSB is an international body that
monitors and makes recommendations about the global financial system
and promotes international stability. FSB coordinates national financial
authorities and international standard-setting bodies to develop strong
regulatory, supervisory, and other financial sector policies. The weaknesses
are:

• Many directors had little financial industry experience and limited
understanding of the rapidly increasing complexity of the financial
institutions they governed.
• Many boards did not pay sufficient attention to risk management or set up
effective structures, such as a dedicated risk committee.
• Many risk committees were often staffed by directors short on both
experience and independence from management.
• The information provided to the board was voluminous and not easily
understood.
• Many banks lacked a formal process to independently assess the propriety
of their risk governance frameworks.
• A culture of excessive risk-taking and leverage was allowed to permeate in
the weakly-governed banks.

The International Risk Governance Council (IRGC) defines governance
as the actions, processes, traditions, and institutions by which authority
is exercised, and decisions are taken and implemented. Risk governance
applies the principles of good governance to the identification, assessment,
management, and communication of risks. IRGC is a non-profit and
independent organisation involved in helping improve the understanding
and governance of systemic risks that impact human health and safety,
the environment, the economy, and society at large. Risk governance is
concerned with:

• The roles of the Board of Directors (BOD) in setting risk strategy, an effective
risk management framework and oversight of senior management actions;
• The role of senior management in ensuring that day-to-day management
of business activities is consistent with the risk appetite, strategy and
policies approved by the BOD;
• The risk management process and internal control functions are working
soundly;
• The effects of incentives and organisational culture on risk-taking
behaviours and perceptions of risk in the institution;
• The availability of comprehensive and integrated systems to support
the enterprise-wide or consolidated view of risks for both the individual
financial institution and for the group; and
• The capacity of institutions to respond swiftly to changes in the operating
environment and development in the institution’s business strategies.

A risk governance framework is a framework through which the BOD and
management establish the organisation’s strategy; articulate and monitor
adherence to risk appetite and risk limits; and identify, measure, and manage
risks. The framework comprises three main functions:

• Board of Directors (BOD)
• Risk management function
• Independent assessment of risk governance

Figure 1.5: Different functions in the risk management framework


The key roles of these different functions within the risk governance framework
are as below:

Summary of Key Roles in the Risk Governance Framework

Board of Directors (BOD)
• The BOD is responsible for ensuring that the organisation has the
appropriate risk governance framework given its business model, complexity,
and size embedded in its risk culture.

Risk management function
• The Chief Risk Officer (CRO) and the risk management function are
responsible for the organisation’s risk management across the entire entity,
ensuring that its profile remains within the risk appetite statement as
approved by the BOD.
• The risk management function is responsible for identifying, measuring,
monitoring, and recommending strategies to control or mitigate risks and
reporting on risk exposures on an aggregated and disaggregated basis.

Independent assessment of the risk governance framework
• The independent assessment of the organisation’s risk governance framework
plays a critical role in maintaining its internal controls, risk management
and risk governance.
• It helps the organisation accomplish its objectives by bringing a
disciplined approach to evaluate and improve risk management, control and
governance processes. This may involve internal parties (such as internal
audit) or external parties (such as third-party reviewers, e.g., audit firms
and consultants).

Figure 1.6: Key roles in the risk governance framework

The Financial Stability Board (FSB), in its February 2013 thematic review of risk
governance practices of banks, came up with the following recommendations:

• Set requirements on the independence and composition of the board,
including requirements on the relevant types of skills the board collectively
should have (e.g., risk management, financial industry expertise) and the
expected time commitments.
• Hold the board accountable for its oversight of the bank’s risk governance.
• Ensure that the level and types of risk information provided to the board
enable effective discharge of the BOD's responsibilities. The board should
satisfy themselves that the information they receive from management
and the control functions is comprehensive, accurate, complete, and
timely to enable effective decision-making on the organisation’s strategy,
risk profile and emerging risks. This includes establishing communication
procedures between the risk committee and the board and across other
board committees, most importantly, the audit and finance committees.
• Set requirements to elevate the CRO’s stature, authority, and independence
in the organisation. This includes requiring the risk committee to review
the performance and objectives of the CRO; ensuring that the CRO has
unfettered access to the BOD and risk committee, including a direct
reporting line to the board and/or risk committee; and expecting the CRO
to meet periodically with the directors without the executive directors and
management present.
• The CRO should directly report to the Chief Executive Officer (CEO) and have a
distinct role from other executive functions and business lines, for example,
no “dual-hatting”.
• The CRO should be involved in activities and decisions (from a risk
perspective) that may affect the organisation’s prospective risk profile, for
example, strategic business plans, new products, mergers and acquisitions,
and the internal capital adequacy assessment process (ICAAP).
• Require the board (or audit committee) to obtain an independent
assessment of the design and effectiveness of the risk governance
framework on an annual basis.

Prior to that, in October 2011, the FSB agreed to conduct a thematic peer
review on risk governance to assess progress toward enhancing practices
at national authorities and firms (banks and broker-dealers). For purposes of
this review, risk governance collectively refers to the role and responsibilities
of the BOD, the firm-wide CRO and risk management function, and the
independent assessment of the risk governance framework (Financial
Stability Board, 2013).


BOD
Approves and oversees the firm’s risk appetite framework including: the risk
appetite statement (RAS), risk limits by business units consistent with the
RAS, and policies and processes to implement the risk management framework.

Risk Committee
Reviews and recommends the risk strategy, oversees implementation of the
risk management framework.

Audit Committee
Oversees the review of the independent assessment of the risk governance
framework.

Internal Audit
Assesses and opines on the adequacy of internal controls, risk appetite and
risk governance.

CEO
Develops and recommends overall business strategy, risk strategy, risk
appetite framework and RAS.

CEO
Oversees risk management.

Risk Management Function
• Develops risk metrics to reflect RAS
• Monitors and reports on risk metrics
• Escalates breaches of risk metrics
• Conducts stress tests

CEO
Coordinates, monitors and reports on firm-wide and business line earnings,
capital requirements, and budget.

Business Units
• Receive and operationalise risk limits
• Establish processes to manage risks (e.g., monitoring and escalation of
breaches of risk limits)
• Adhere to and report on risk metrics

Discuss business and risk strategies, capital requirements and budget

Figure 1.7: An example of a risk governance framework [1]

[1] “Board” in the diagram means “Board of Directors (BOD)”.


Boxed Article–2

Principles of Risk Governance (Bank Negara Malaysia, 2013)

1. BOD Practices
• The BOD must ensure that the financial institution’s corporate objectives
are supported by a sound risk strategy and an effective risk management
framework appropriate to the nature, scale, and complexity of its
activities.
• The BOD must provide effective oversight of senior management’s actions
to ensure consistency with the risk strategy and policies approved by the
BOD, including the risk appetite framework.

2. Senior Management Oversight
• Senior management is responsible for ensuring that day-to-day
management of the financial institution’s activities is consistent with the
risk strategy, including the risk appetite and policies approved by the
board (or "BOD").

3. Risk management and internal controls
• The risk management framework must enable the continuous
identification, measurement, and continuous monitoring of all relevant
and material risks on a group- and firm-wide basis, supported by robust
management information systems that facilitate the timely and reliable
reporting of risks and the integration of information across the institution.
The sophistication of the financial institution’s risk management
framework must keep pace with any changes in the institution’s risk
profile (including its business growth and complexity) and the external
risk environment.
• Risk management must be well-integrated throughout the organisation
and embedded into the culture and business operations of the institution.
• Financial institutions must establish an independent senior risk executive
role (CRO or its equivalent) with distinct responsibility for the risk
management function and the institution’s risk management framework
across the entire organisation. The executive must have sufficient stature,
authority, and seniority to participate meaningfully in and influence
decisions that affect the financial institution’s exposures to risk.
• Financial institutions must establish and maintain an effective risk
management function with sufficient authority, stature, independence,
resources, and access to the BOD.
• Effective implementation of the risk management framework must be
reinforced with an effective compliance function and subjected to an
independent internal audit review.
• Financial institutions must have appropriate mechanisms for
communicating risks across the organisation and reporting risk
developments to the BOD and senior management.


4. Remuneration
• Executive remuneration must be aligned with prudent risk-taking and
appropriately adjusted for risks. The BOD must actively oversee the
financial institution’s remuneration structure and its implementation
and monitor and review the remuneration structure to ensure that it
operates as intended.

5. Complex and opaque corporate structures
• The BOD and senior management must understand the institution’s
operational and organisational structure and risks and be satisfied
that it is not overly complex or opaque such that it hampers effective risk
management by the financial institution.
• Where a financial institution operates through special-purpose structures,
its BOD and senior management must understand the purpose, structure,
and unique risks of these operations. Appropriate measures must be
undertaken to mitigate the risks identified.

6. Role of subsidiary and parent entities with respect to risk governance
• The BOD and senior management of subsidiary financial institutions
will be held responsible for effective risk management processes at the
subsidiary level and must have appropriate influence in the design and
implementation of risk management in the subsidiary. Conversely, the
BOD and management of a parent financial institution with local and
overseas operations are responsible for the group’s risk management
and must exercise oversight over its subsidiaries with appropriate
processes to monitor the subsidiaries’ compliance with the group’s risk
management practices.

Risk appetite
Risk appetite is the aggregate level and types of risk a financial institution is
willing to assume within its risk capacity to achieve its strategic objectives
and business plan (Financial Stability Board, 2013). Risk appetite is a key and
integral component of a bank’s risk management framework. In November
2013, the FSB released the final version of the Principles for an Effective Risk
Appetite Framework. The document sets out key elements for an effective risk
appetite framework, effective risk appetite statement, risk limits and defining
the roles and responsibilities of the BOD and senior management. It presents
high-level principles to allow banks to develop an effective risk appetite
framework.

The risk appetite framework is the overall approach, including policies,
processes, controls, and systems through which risk appetite is established,
communicated, and monitored. An effective risk appetite framework should:


• Establish a process for communicating the risk appetite framework
across and within the financial institution and sharing non-confidential
information to external stakeholders.
• Be driven by top-down board leadership and bottom-up management
involvement at all levels and embedded and understood across the
financial institution.
• Facilitate embedding risk appetite into the financial institution’s risk culture.
• Evaluate opportunities for appropriate risk-taking and act as a defence
against excessive risk-taking.
• Allow for the risk appetite statement to be used as a tool to promote robust
discussions on risk and as a basis upon which the board, risk management
and internal audit functions can effectively and credibly debate and
challenge management recommendations and decisions.
• Be adaptable to changing business and market conditions so that,
subject to approval by senior management and the board as appropriate,
opportunities that require an increase in the limit of a business line or legal
entity could be met while remaining within the agreed institution-wide risk
appetite.
• Cover activities, operations, and systems of the financial institution that
fall within its risk landscape but are outside its direct control, including
subsidiaries and third-party outsourcing providers.

The risk appetite framework generally has three main components:

• Risk appetite statement (RAS)
• Risk limits
• Roles and responsibilities

Figure 1.7: Elements of the risk appetite framework

i. Risk appetite statement (RAS) – A risk appetite statement (RAS) is an
articulation in written form of the aggregate level and types of risk that a
financial institution is willing to accept or avoid in achieving its business
objectives. The RAS includes:

▶ Quantitative measures of loss or negative outcomes expressed relative
to earnings, capital, risk measures, liquidity, and other relevant measures
as appropriate, for example, volatility; and
▶ Qualitative statements.


The RAS should address risks that are more difficult to quantify, such as
reputation and conduct risks, money laundering and unethical practices. The
statement should be directly linked to the financial institution’s strategy,
address its material risks under normal and stressed market and
macroeconomic conditions, and set clear boundaries and expectations
by establishing quantitative limits and qualitative statements. Key
characteristics of an effective RAS are:

▶ Include key background information and assumptions that inform the
financial institution’s strategic and business plans when approved.
▶ Be linked to the institution’s short- and long-term strategic, capital, and
financial plans and compensation programmes.
▶ Establish the amount of risk that the financial institution is prepared to
accept in pursuit of its strategic objectives and business plan, taking
into account the interests of its customers and the fiduciary duty to
shareholders and capital and other regulatory requirements.
▶ Determine for each material risk the maximum level of risk that the
financial institution is willing to operate within, based on its overall risk
appetite, risk capacity and risk profile.
▶ Include quantitative measures that can be translated into risk limits
applicable to business lines and relevant legal entities and at the group
level, which in turn can be aggregated and disaggregated to enable
measurement of the risk profile against the risk appetite and risk
capacity.
▶ Include qualitative measures that clearly articulate the motivations for
taking on or avoiding certain types of risks, including for reputational
and other conduct risks across retail and wholesale markets, and
establish some form of boundaries or indicators to enable monitoring
of these risks.
▶ Ensure that the strategy and risk limits of each business line and relevant
legal entity are aligned with the institution-wide risk appetite statement.
▶ Be forward-looking and, where applicable, subject to scenario and
stress testing to ensure that the financial institution understands what
events might push the organisation outside its risk appetite and/or risk
capacity.

ii. Risk limits – Risk limits are quantitative measures based on forward-
looking assumptions that allocate the financial institution’s aggregate risk
appetite statement to business lines, legal entities as relevant, specific risk
categories, concentrations and other levels as deemed appropriate. Some
of the considerations in setting risk limits are as follows:

▶ Risk limits should be set at a level to constrain risk-taking within risk
appetite, taking into account the interests of customers and shareholders
and capital and other regulatory requirements if a risk limit is breached,
and the likelihood that each material risk is realised.
▶ Risk limits should be established for business lines and relevant legal
entities and generally expressed relative to earnings, capital, liquidity,
and other relevant measures such as growth and liquidity.
▶ Risk limits should include material concentrations at the institution-
or group-wide, business line and legal entity levels. Examples of the
breakdown of material risk concentrations are by counterparty, industry,
country/region, collateral type and product.
▶ Risk limits should not be strictly based on comparison to peers or default
to regulatory limits.
▶ Risk limits should not be overly complicated, ambiguous, or subjective.
▶ Risk limits should be monitored regularly.

iii. Roles and responsibilities – In setting the risk appetite framework, all
personnel at the relevant organisational levels are encouraged to take
part. This includes the Board of Directors (BOD), Chief Executive Officer
(CEO), Chief Risk Officer, Chief Financial Officer, business line leaders and
legal entity-level management, and the internal audit team.

Roles and Responsibilities in Setting the Risk Appetite Framework

Board of Directors (BOD) – The BOD is primarily responsible for approving
the bank’s risk appetite framework. It is also responsible for holding senior
management accountable for the integrity of the risk appetite framework. The
BOD should conduct a periodic high-level review of actual versus approved
limits. Any breaches should be dealt with accordingly.

Chief Executive Officer – The Chief Executive Officer (CEO) is responsible
for establishing the risk appetite for the bank. He/she is also responsible
for translating the risk appetite into risk limits for business lines and
legal entities. Together with the rest of the senior management team, the CEO
is accountable for the integrity of the risk appetite framework and ensures
that the risk appetite framework is implemented throughout the organisation.

Chief Risk Officer – The Chief Risk Officer (CRO) provides relevant inputs to
the CEO in developing the organisation’s risk appetite. He/she is responsible
for actively monitoring the organisation’s risk profile relative to its risk
appetite, strategy, business and capital plans, risk capacity and
compensation programme. The CRO is responsible for independently monitoring
the business line and legal entity risk limits against the bank’s aggregate
risk profile to ensure that it is aligned with the bank’s risk appetite.
He/she is also responsible for establishing a process for reporting on risk
and assessing the alignment of risk appetite and risk profile with the
organisation’s culture.

Chief Financial Officer – The Chief Financial Officer (CFO) provides relevant
inputs to the CEO in developing the bank’s risk appetite, particularly in
integrating risk appetite into the organisation’s compensation and
decision-making processes. The CFO works with the CRO and CEO to ensure that
breaches in risk limits and material risk exposures that could endanger the
organisation’s financial condition are reported on time.

Business line leaders and legal entity-level management – Business line
leaders and legal entity-level management cascade the risk appetite statement
and risk limits into their activities. They should establish and ensure
adherence to approved risk limits. They are also responsible for implementing
controls to monitor and report risk limits adherence effectively.

Internal audit – Internal audit is responsible for independently assessing
the integrity, design, and effectiveness of the organisation’s risk appetite
framework.

Figure 1.9: Roles and responsibility in risk appetite setting

Risk culture
The Institute of International Finance (IIF) defines risk culture broadly as “the
norms and traditions of the behaviour of individuals and of groups in an
organisation that determine the way they identify, understand, discuss and
act on the risks the organisation confronts and the risk it takes.” This definition
implies that risk culture influences decisions at all levels in the organisation.
The Institute of Risk Management (IRM) defines risk culture as “the values,
beliefs, knowledge and understanding about risk shared by a group of people
with a common purpose, particularly the employees of an organisation or
teams or groups within an organisation”.

Many considered the lack of a sound risk culture one of the root causes of
the Global Financial Crisis. Many banks encouraged excessive risk-taking
behaviours that have impacted the banks in various ways, from damaging
their reputation to incurring huge legal fines and exposing their banks to the
threat of collapse. Some banks continued to build up risk before the onset of
the 2008 Financial Crisis without considering the implications of a potential
blow-up.

The Financial Stability Board (FSB) issued a consultative document entitled
Guidance on Supervisory Interaction with Financial Institutions on Risk Culture
to help understand and assess an institution’s risk culture and whether it
supports appropriate behaviours and judgements within a risk governance
framework. There are four (4) elements of sound risk culture:

Elements of sound risk culture – Key points

1. Tone from the top
• The BOD and senior management are the starting point for setting a bank’s
risk culture and promoting appropriate risk-taking behaviours. The behaviours
must reflect the values being espoused.
• It is a necessary but not sufficient condition for promoting sound risk
management.
• Non-executive directors can play an important role in bringing experience
from other industries where behaviours and practices generally require a
sound risk culture. Examples of these industries are healthcare, power, and
nuclear energy. These non-executive directors may offer a fresh perspective
on the bank’s risk culture.
• The BOD and senior management should clearly:
a. Articulate the underlying values that support the desired risk culture
and behaviours;
b. Recognise, promote, and reward behaviour that reflects the stated risk
culture and its core values; and
c. Systematically monitor and assess the actual culture.

2. Accountability
• The BOD and senior management should establish a policy of risk ownership
where employees are held accountable for their actions and are aware of the
consequences of not adhering to the desired behaviours toward risk.
• There should be a clear delineation of responsibilities concerning
monitoring, identification, management, and mitigation of risk.
• Employees at all levels should understand the core values of the bank’s
risk culture and its approach to risk, be capable of performing their
prescribed roles, and be aware that they are held accountable for their
actions in relation to the bank’s risk-taking behaviour.

3. Effective communication and challenges
• A sound risk culture promotes an environment of effective communication and
challenge in which decision-making processes promote a range of views, test
current practices, and stimulate a positive, critical attitude among
employees and an environment of open and constructive engagement.
• A sound risk culture must encourage transparency and open dialogue to
promote identifying and escalating risk issues.

4. Incentives
• Financial and non-financial incentives should support the core values and
risk culture at all levels of the financial institution.
• Performance and talent management should encourage and reinforce the
maintenance of an institution’s desired risk management behaviour.
• Remuneration systems should reward servicing the greater, long-term
interest of the bank and its clients.
• Risk management and compliance considerations should have a strong role in
driving compensation, promotion, hiring and performance evaluation.

Figure 1.8: The four elements of a sound risk culture


Boxed Article–3

Nuclear safety culture (Institute of Nuclear Power Operations, 2004)


Nuclear safety culture is the core values and behaviours resulting from
a collective commitment by leaders and individuals to emphasise safety
over competing goals to protect people and the environment. Below are
the principles of sound nuclear safety culture:

1. Everyone is personally responsible for nuclear safety.
2. Leaders demonstrate commitment to safety.
3. Trust permeates the organisation.
4. Decision-making reflects safety first.
5. Nuclear technology is recognised as special and unique.
6. A questioning attitude is cultivated.
7. Organisational learning is embraced.
8. Nuclear safety undergoes constant examination.

Risk management policy


A risk management policy statement is an organisation’s overall intentions
and direction concerning risk management. The risk management policy
should clearly state the organisation’s objectives for and commitment to
risk management. ISO 31000 discusses the following issues that must be
addressed in the risk management policy:

• The organisation’s rationale for managing risk
• Links between the organisation’s objectives and policies and the risk
management policy
• Accountabilities and responsibilities for managing risk
• How conflicts of interest are dealt with
• Commitment to make the necessary resources available to assist those
accountable and responsible for managing risk
• How risk management performance will be measured and reported
• Commitment to review and improve the risk management policy
and framework periodically and respond to an event or change in
circumstances.

Risk management organisation


While a unit is mandated to carry out the risk management function,
risk management is the organisation’s responsibility. Everyone has a risk
management role to play. The International Finance Corporation (IFC) manual
on Standards on Risk Governance for Financial Institutions enumerates the
different roles of those within the bank directly or indirectly involved in risk
management. It proposes a vertical structure descending from the BOD to the
board risk committee, the chief executive officer and the chief risk officer, the
risk management committee and through to the dedicated risk management function.

[Figure: vertical hierarchy, listed from top to bottom; the side labels on the
figure read “Information reporting” and “Oversight”]
• Board of Directors
• BoD RM Committee
• Executive Management Risk Committee
• Management Risk Committee (e.g., ALCO, Credit Committee, OR Committee, etc.)
• Lines of Business Risk Committees
• Business Units – Risk Origination

Figure 1.9: Vertical risk management organisational structure by IFC


Their roles and responsibilities are as follows:

Roles – Responsibilities

1. Board of Directors (BOD)
• Sets policy, strategy and objectives and oversees the executive function.
• Sets the risk appetite and ensures that it is reflected in the business
strategy and cascaded throughout the organisation.
• Establishes and oversees effective risk governance and organisational
structure.

2. Board Risk Committee
• The Board Risk Committee is a dedicated board-level committee mandated by
the BOD to perform a more focused risk oversight function. It is responsible
for:
a. Making recommendations on risk appetite;
b. Reviewing the bank’s risk profile periodically;
c. Reviewing strategic decisions from a risk perspective;
d. Reviewing the risk management and internal controls framework relative
to the bank’s risk profile periodically;
e. Approving risk policies, limits, and delegations;
f. Considering key risk issues brought up by management or requesting
information about risk issues; and
g. Reviewing and recommending for BOD approval key policy statements
required by the regulators.
• The board risk committee guides the process of risk appetite setting and
ensures that risk issues are given sufficient weight in deliberations by the
BOD.
• The committee ensures that reporting is adequate to inform board decisions
properly, and the decisions are properly communicated and understood at the
executive level.
• The committee ensures that key users of risk information are given a
complete picture and adequate interpretation of the bank’s risk profile.


3. Chief Risk Officer (CRO)
• The CRO has broad and exclusive responsibility for all risk issues. The CRO
performs the most critical executive function related to risk management.
• The CRO should have direct access to the board risk committee to present
both information and risk issues.
• The CRO should be a member of the bank’s executive/management board,
reporting to either the CEO or the BOD.
• The CRO should adequately communicate their risk assessment to the BOD and
facilitate sound board-level risk decisions.
• The CRO should have sufficient technical expertise to understand the
intricacies of the bank’s risk exposures.

4. Risk management function
• The risk management function is an independent function reporting directly
to the CRO with a comprehensive mandate covering all risk types and business
lines.
• It is a dedicated function with the primary responsibility, together with
the different business lines, for assessment and control of market, credit,
liquidity, and operational risk. Further functional specialisation is also
done to create units for risk methodology, model, reporting, policy, and
technology.
• The responsibilities of the risk management function are:
a. Collects and analyses information for risk assessment;
b. Researches and implements external or internally developed risk
measurement methodologies, including rating systems;
c. Estimates risk levels with its available methodologies;
d. Estimates economic capital;
e. Prepares proposals and analyses to assist the risk committee in
developing risk policies and setting risk limits;

f. Monitors risk pricing, rate setting, provisioning, and hedging
activities;
g. Contributes to measuring profitability by developing, testing, or
approving risk-adjusted return measures and methodologies;
h. Approves risk-taking activities of significant impact within the
established framework of risk limits;
i. Makes recommendations to various committees regarding approvals of new
products that fall outside the established framework of risk limits;
j. Supports the board risk committee with routine reports and other
information and analysis;
k. Monitors compliance with limits and policies and reports on all
exposures regularly;
l. Participates in identifying and managing problem exposures, including
problem loans;
m. Educates all departments, risk-related committees, and management bodies
about risk;
n. Communicates risks to senior management and all relevant departments;
o. Contributes risk analysis required in strategy setting and determining
risk appetite; and
p. Organises regular meetings to discuss reports and issues related to
exposures, risks, profits and losses, past and planned activities.

5. Business units – risk origination: “three lines of defence” model
• Banks often rely on a “three lines of defence” model in structuring their
risk governance organisational structure. This model recognises that everyone
in an organisation has a responsibility to play a risk management role.
• The three lines of defence model puts risk ownership across the three
levels in the bank: the business lines, risk management function and internal
audit.

Figure 1.10: Roles and responsibilities within a risk management organisational structure


Boxed Article–4

Board Risk Committee – Risk Governance Structure HSBC (HSBC Annual Report, 2012)

Below is HSBC’s risk governance structure. Note the various board-level committees
responsible for risk or risk-related matters.

Governance Structure for the Management of Risk

Authority: Board
Membership: Executive and Non-Executive Directors
Responsibilities:
• Approves risk appetite, strategy and performance targets for the group.
• Approves appointment of senior risk officers.
• Delegates authority for risk management.
• Encourages a strong risk governance culture which shapes the group’s
attitude to risk.

Authority: Global Risk Committee (GRC)
Membership: Independent Non-Executive Directors
Responsibilities:
• Advises the Board on:
a. Risk appetite and alignment with strategy
b. Alignment of remuneration with risk appetite (through advice to the
group remuneration committee)
c. Risks associated with proposed strategic acquisitions and disposals
• Reviews the effectiveness of the group’s systems of risk management and
internal controls (other than over financial reporting).
• Oversees the maintenance and development of a supportive culture concerning
the management of risk.


Authority: Financial System Vulnerabilities Committee
Membership: Executive Directors and Co-opted Non-Director Members
Responsibilities:
• Oversees controls and procedures designed to identify areas of exposure to
financial crime or system abuse.
• Oversees matters relating to anti-money laundering, sanctions, terrorist
financing and proliferation financing.
• Reviews policies and procedures to ensure continuing obligations to
regulatory and law enforcement agencies are met.

Authority: Risk Management Meeting of the GMB
Membership:
• Group Chief Risk Officer
• Group Chief Legal Officer
• Group Chief Executive
• Group Finance Director
• All other Group Managing Directors
Responsibilities:
• Formulates high-level global risk policy.
• Exercises delegated risk management authority.
• Oversees implementation of risk appetite and controls.
• Monitors all categories of risk and determines appropriate mitigating
action.
• Promotes a supportive Group culture in relation to risk management.

Authority: Subsidiary board committees responsible for risk-related matters
and global business risk committees
Membership: Independent non-executive Directors and/or other independent
members, as appropriate
Responsibilities:
• Provides certification to the GRC or intermediate-risk committee on
risk-related matters and internal controls (other than over financial
reporting) of relevant subsidiaries or businesses, as appropriate.


Boxed Article–5 presents a sample risk management structure, the OCC Risk
Governance Structure.

Boxed Article–5

OCC Risk Governance Structure (Polk, 2014).


In January 2014, the Office of the Comptroller of the Currency (OCC), USA, developed a set
of heightened expectations to strengthen risk governance practices of the largest national
banks. Below is a visual picture from the international law firm Davis Polk, summarising
the key risk governance structure as proposed by the OCC.

[Figure: OCC risk governance structure, as summarised by Davis Polk. The labels
and notes recoverable from the figure are listed below.]

Board of Directors (with Risk Committee and Audit Committee)
• Board must have 2 independent directors.
• Board or the board’s risk committee oversees IRM.
• Audit committee oversees IA.
• IRM and IA must have unfettered access to the board or a committee thereof,
independent from FLU management and, when necessary, the CEO.

Senior Management (CEO, Chief Risk Executives (CRE), Chief Audit Executives (CAE))
• CEO oversees CRE on a day-to-day basis.
• CEO or the board’s audit committee may oversee CAE on a day-to-day basis.
• CRE is the head of IRM.
• CAE is the head of IA.

Three Lines of Defense (First Line Units (FLUs), Independent Risk Management
(IRM), Internal Audit (IA)) and External Experts
• No FLU executive oversees IRM or IA.
• FLUs must adhere to all applicable policies, procedures and processes
established by IRM.
• Three lines of defense may seek assistance from, but may not delegate their
risk governance responsibilities to, external experts.

1.3 ENTERPRISE RISK MANAGEMENT (ERM)

Enterprise risk management (ERM), as defined by the Committee of Sponsoring
Organisations of the Treadway Commission (COSO), is:

“A process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise designed
to identify potential events that may affect the entity, and manage risk to
be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.”

This definition captures the concept and objectives of enterprise risk management,
and it would help if this definition were studied carefully to understand better what
ERM is trying to achieve.


1.3.1 The ERM Framework

The COSO ERM Framework is composed of the following key components:

• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information & communication
• Monitoring
• Roles and responsibilities

Figure 1.13: The COSO ERM framework components.

i. The internal environment comprises the tone of an organisation, influencing
the risk consciousness of its people, and is the basis for all the other
components of enterprise risk management, providing discipline and
structure. The internal environment includes:

▶ Setting risk management philosophy
▶ Oversight by the Board of directors
▶ Integrity and ethics standards
▶ The competence of the bank’s personnel; and
▶ The way management assigns authority and responsibility.

ii. Objective setting involves setting objectives at the strategic level,
establishing a basis for operations, reporting, and compliance objectives,
and ensuring that these align with the bank’s risk appetite, which drives the
bank’s risk tolerance.
iii. Event identification involves setting up processes that will allow
management to identify potential events that could either positively or
negatively impact the bank, including the various internal and external
factors that can give rise to these opportunities or adverse events.
iv. Risk assessment provides a framework to assess how events could impact
the achievement of the bank’s objectives. These events are assessed in
two dimensions: likelihood and impact (both positive and negative) using
a combination of quantitative and qualitative techniques.
v. Risk response lists the different steps that management can take to reduce
the residual risk to a level within the bank’s risk appetite. This response can
range from avoiding risk, reducing risk, sharing risk, or just simply accepting
risk.
vi. Control activities are the policies and procedures that help ensure
that management’s decision to respond to risk is carried out.


vii. Information and communication are key to ensuring that the right internal
environment supports the bank’s risk management environment. It
involves management providing specific and directed communication to
the entire organisation.
viii. Monitoring involves the regular assessment of the presence and functioning
of the components.
ix. Roles and responsibilities involve the clear definition of the responsibilities
and ownership of specific areas in enterprise risk management.

1.3.2 The ERM Board of Directors and Senior Management

The Board of Directors (BOD) is responsible for the overall oversight of the
bank’s ERM framework and programme. The BOD exercises its oversight
function in the bank’s ERM framework through the following:

i. Governance – The BOD must ensure that ERM is closely integrated
with strategy and performance. The traditional role of the BOD is to set
and approve the firm’s overall strategy and hold senior management
accountable in terms of performance on behalf of the shareholders. The
BOD must ensure that risk is considered in both the strategy-setting
process and in driving and measuring performance.
ii. Policy – Risk policies are written expectations and governing principles on
each key risk management area, guiding senior management to develop
a more detailed methodology and procedures for implementation.
iii. Performance – To increase ERM effectiveness, risk management should
be integrated into how the bank measures, evaluates and rewards
performance. Rather than view risk as a separate activity, risk should be
linked and integrated with performance. This means that ERM should
inform performance setting and measurement.

1.3.3 The ERM Process

The ERM process includes a structured risk identification and assessment
process. It begins with the risk identification and assessment process,
followed by risk planning and response, then implementation and control
mitigations, and finally monitoring and reporting. It is a continuous process
with no pre-defined start and end.


Monitoring – Risk monitoring involves actively reviewing whether risk profiles
are rigorously investigated, particularly material exposures to losses. This
also involves setting triggers in place for a more comprehensive review.

Reporting – Risk reporting involves producing reports for internal
stakeholders (BOD, risk committee and senior management) and external
stakeholders (regulators and investors). This process involves making sure
that the reports are comprehensive, accurate, consistent and actionable.
Reporting is also expected to be timely and can be produced both under normal
and stressed conditions.

Control – Risk control involves setting up an environment and infrastructure
for internal control. The bank’s ERM framework should be subject to external
and internal audits to ensure that the ERM is performing as intended. Risk
mitigation involves taking steps to reduce adverse impact from risk
exposures. It may involve transferring risks or executing risk-reducing
actions to an acceptable level.

Figure 1.14: The ERM risk identification and assessment process

Risk identification involves defining risks and grouping them into categories.
Identifying risks is essential because recognition and classification help
determine the importance of the respective risks in the organisation’s overall
risk management practice. Another important objective of risk identification
is to understand and prioritise. Risk assessment involves two (2) different activities: how risks are quantified and how these risks are aggregated organisationally. The aggregation is an important step to ensure that those in charge of risk governance are able to view risk from a big-picture, comprehensive perspective. Failure to provide an integrated view of risk would result in sub-optimal risk decisions.

Risk assessment and risk appetite setting


There is a certain level of interdependency between this stage (risk assessment) and risk appetite setting. Risk appetite is the amount and type of risk that an organisation is willing to pursue or retain. The difference between the quantified outcome in the risk assessment and the risk appetite could be a positive or negative gap. If the gap is positive, the organisation should take the necessary steps to address the gap, either by reducing the risk it takes or by accepting higher risks through an increased risk appetite. If the gap is negative, the organisation should decide whether the gap is at an appropriate level.


In identifying the bank’s risk appetite, banks must consider the following
questions:

• What risks should the bank avoid entirely? For example, financing
companies or industries that violate the bank’s environmental and social
responsibility standards.
• For risks that the bank is willing to take, how much risk are we taking? For
example, given the volatility in oil prices, how much credit exposure are we
willing to take for the energy sector?
• Does our risk appetite appropriately match our risk management infrastructure? For example, for a bank with the ambition to be a leading technology player through digitisation, an important question that must be answered is: does the bank have the technological capabilities and control infrastructure to achieve this ambition?
• What is the right balance between restricting the risk appetite and
achieving the commercial ambition of the organisation?

For risk appetite to be effective, risk measures should be agreed upon in advance. Quantifying risk, therefore, is important before risk appetite can be
defined. For example, if a risk appetite is stated as a function of the bank’s
earnings, the risk measures to be used should quantify the impact of risks
on the bank’s earnings. In other words, there should be internal consistency
between the risk measures and risk appetite. Risk appetite should be set in
terms of the risk measures used, and risk measures should be quantified in
terms of risk appetite set.

1.3.4 Benefits of ERM

To succeed today, businesses are slowly beginning to expose themselves to higher degrees of risk. As a result, these organisations are devoting more
resources to monitoring and managing these risks. Aligning risk management
and internal control activities is pivotal for bolstering overall business.

This is where enterprise risk management comes into play. ERM is a scalable
approach to traditional risk management that combines risk information from
across an organisation. This data is then used to help businesses meet their
objectives, drive growth and bolster performance. With ERM, risk culture also becomes more prevalent as organisations embrace it. The difference is largely a matter of siloed versus broad views: traditional risk management is focused on individual departments, while ERM takes the organisation as a whole into consideration.


Some of the highly regarded benefits of ERM are as follows:

i. Increase the range of opportunities – ERM broadens the bank’s view of opportunities, in both their positive and negative aspects, so that management can rationally assess and evaluate existing and new opportunities.
ii. Expedite risk identification and management from an enterprise perspective
– Over the years, risk management within the bank has become very
specialised. This specialisation brings some advantages like mastery of the
specific risk and efficiency in the management of that specific risk. However,
it also brings dangers to the bank. This creates a silo effect where no one
looks at the overall picture of risks from the entire firm standpoint. ERM helps
ease this silo effect and ensure that identified risk is managed from an
enterprise perspective.
iii. Increase positive outcomes and advantages and reduce negative surprises
– While risk management is usually associated with actions that involve
reduction or avoidance of risks, ERM can also provide opportunities that
could result in positive outcomes and greater profitability for banks. Risk
management can be a source of competitive advantage. We saw that happen in the 2008 Financial Crisis. Stronger banks with superior risk management capabilities (for example, JP Morgan) could take advantage and pursue opportunities to purchase assets and banks at attractive valuations when other banks were constrained from making further investments.

ERM allows the bank to anticipate negative surprises. ERM provides a forum
for different parties to act as an independent challenge to each other and
identify potentially overlooked risks. This is especially relevant in a stressed
environment, where correlations among different risk factors tend to be
more amplified than during more stable times. Relying on specialist risk
departments organised according to functions (market, credit, operational)
will deprive the bank of a macro perspective on how these different risk
factors could impact the bank.

iv. Reduce performance variability – Risk is defined as the degree of unpredictability in terms of expected performance outcome. Risk is the deviation away from the expected outcome. The higher the unpredictability, the higher the risk. One benefit of ERM is that, because risk management feeds into the strategy setting and the performance setting, one of the important discussions would be what actions or strategic refinements the bank may take to optimise performance results and make them more predictable (for example, by thinking about hedging strategies to reduce variability to an acceptable level). ERM allows banks to anticipate the impact of a potential adverse event and reduce the range of negative outcomes (for example, by optimising provisioning subject to acceptable regulatory and accounting parameters).


v. Improve resource deployment – Enterprise risk management provides discipline in allocating scarce capital resources. ERM provides management
discipline to allocate scarce resources to businesses that not only generate
the highest return but the highest return per unit of risk taken. This ensures
that resources are deployed to business areas that jointly evaluate both the
risk and reward of a particular business undertaking.

Boxed Article–6

The Danske Bank ERM Approach (Danske Bank Group, 2020)


To support Danske Bank’s vision of being recognised as the most trusted financial
partner, the Group uses an enterprise risk management (ERM) approach to set
common standards for consistent risk management across all risk types.

In order to support our business strategy and risk objective, the ERM approach
details how we structure risk governance and risk responsibilities to ensure
appropriate oversight and accountability. Furthermore, it sets out the Group’s risk
culture foundation and specifies its risk taxonomy and risk appetite approach. The
ERM approach is supported by the underlying risk policies as defined by the Board
of Directors (BOD) and detailed in directives set forth by the Executive Board.

Risk culture - we recognise the importance of having a strong risk culture in everyday
work to ensure that we create value for customers and live up to our responsibility
as one of the largest financial institutions in the Nordic region. Building and
maintaining a common risk culture across the Group involve ensuring a high level
of risk awareness. This work is underpinned by the Group’s core values and helps
align behaviour with the risk appetite. Managing risks is the responsibility of all
employees in the Group as part of their day-to-day work routines.

Our approach to remuneration reinforces our risk culture. The key performance
agreements of all Executive Board members include risk/compliance indicators.
Building and maintaining the right set of risk skills and expertise also help
strengthen the risk culture. We develop and maintain risk skills through tailored risk
and compliance training to ensure that risk management expertise is embedded
in daily work routines. Executive Board members participate in compulsory training
courses like all other employees.

The Group’s risk taxonomy is a common set of Group risk categories and definitions
intended to ensure adequate risk identification and ownership across the Group.
For each identified risk category, roles and responsibilities are defined to ensure
continued monitoring and risk assessment. The risk categories cover both financial
and non-financial risks. The taxonomy is adjusted regularly to ensure that the risk
categories reflect the Group’s main risks.

[Figure: the Group’s risk taxonomy, with categories grouped under two headings. Categories legible in the figure include credit risk; market risk; liquidity, funding and capital risk; pension and insurance risk; model risk; operational risk; behavioural and conduct risk; business disruption; financial crime; and legal risk.]


1.4 STRATEGIC RISK MANAGEMENT

The business environment in which banks operate is changing so rapidly that some believe banking as a business will thrive, but banks will not. As Brett King (2018), one of the well-respected banking futurists, said:

“Bank 4.0 will be about banking everywhere but never at a bank.”

Never before has the business model of banks been under such serious strategic threat and disruption as it is today. It is, therefore, important for banks to consider strategic risks in the overall risk management framework.

1.4.1 Strategic Risk

The Hong Kong Monetary Authority (2007) defines strategic risk as:

“The risk of current or prospective impact on an Authorised Institution (AI)’s² earnings, capital, reputation or standing arising from
changes in the environment the AI operates in and from adverse
strategic decisions, improper implementation of decisions, or lack of
responsiveness to industry, economic or technological changes...”

It is a function of:

• The compatibility of an AI’s strategic goals;
• The strategies developed to achieve those goals;
• The resources deployed to meet those goals; and
• The quality of implementation.

The resources needed to implement an AI’s strategies are both tangible and intangible. They include capital and funding, communication channels,
staffing and operating systems, delivery networks, and organisational
resources and capabilities.

In banking, there are three dimensions to strategic risk, namely:

• The strategic position risk – which ponders whether the bank is going in the
right direction.
• The strategic execution risk – does the bank have the right talent, capabilities, and infrastructure to execute the chosen strategy?
• The strategic consequence risk – what are the unintended consequences
of the chosen strategy?

2 Authorised Institution (AI) under Hong Kong Monetary Authority (HKMA) regulation is an institution authorised under the Banking
Ordinance to carry on the business of taking deposits. The equivalent in Malaysian Banking context is Approved and Registered
Intermediaries.


Boxed Article–7

The Wells Fargo cross-selling scandal


Before the scandal, Wells Fargo had a reputation for sound management. In fact, during the 2008 Financial Crisis, Wells Fargo was seen as one of the few banks that had come through unscathed and untarnished. What happened then?

Like many banks, Wells Fargo believed in the virtues of cross-selling. Cross-selling means offering multiple products to a bank’s customer. The underlying theory of cross-selling is that it is profitable and creates a synergy and a virtuous circle that makes the bank more competitive to clients and sells more products to its customers.

In 2013, it was reported that some Wells Fargo employees in Southern California were engaging in aggressive tactics to meet their daily cross-selling targets, such as opening new accounts and issuing debit or credit cards without the consent of its customers.

Some observers blamed the bank’s aggressive daily cross-selling target, which put undue pressure on employees and incentivised unethical behaviours.

In the independent investigation commissioned by the Board of Directors, it was found that the practice of publishing performance scorecards created “pressure on employees to sell unwanted or unneeded products to customers”. Employees “feared being penalised” for failing to meet goals.

Note: Read more on the scandal at https://corpgov.law.harvard.edu/2019/02/06/the-wells-fargo-cross-selling-scandal-2/. (Tayan, B. (2019). The Wells Fargo cross-selling scandal. 6 February. Harvard Law School Forum on Corporate Governance.)

1.4.2 The Scope of Strategic Risk Management

Strategic risk management is defined as the systems, processes, and infrastructure to devise and implement a systematic approach to manage
strategic risk. This involves addressing current challenges and having the
framework to manage the inherent uncertainty of the future. It comprises the
following elements:


[Figure: four elements arranged around “Strategic risk management”: strategic planning; alignment & change management; implementation and monitoring; performance evaluation and feedback]

Figure 1.11: Scope of strategic risk management

Strategic planning
Strategic planning determines the bank’s overall direction, priorities, and
focus. This involves setting medium to long term priorities in line with the
overall strategic goal of the bank. Strategic planning involves translating
those priorities into actionable strategies to achieve these strategic goals and
objectives. While strategic planning has been used in the banking industry for
many years, the process has been heavily criticised. However, after the 2008
Financial Crisis and with technology players challenging incumbent banking
business models, strategic planning is getting renewed attention. Strategic
planning has the following steps to implement:

• Step 1 – Set strategic goals and objectives
• Step 2 – Develop strategies
• Step 3 – Integrate strategies into a strategic plan

i. Step 1 – Set strategic goals and objectives. Strategic goals reflect the bank’s ambition in relation to growth and return, efficiency, and competitive advantage. Strategic objectives are more specific and measurable, with time-assigned targets that are derived from strategic goals. Strategic goals and objectives should be set in line with the corporate mission, values, culture, and risk tolerance.

Figure 1.16 shows an example of a strategic goal from Barclays PLC. Barclays
is a British multinational universal bank headquartered in London, England,
UK.


Our Purpose
Creating opportunities to rise
We are a company of opportunity makers, working together to help
people rise – customers, clients, colleagues and society

Our Values
Our values underpin our business and govern
everything we do

• Respect – We respect and value those we work with and the contribution they make
• Integrity – We act fairly, ethically and openly in all we do
• Service – We put our customers and clients at the centre of what we do
• Excellence – We use our energy, skills and resources to deliver the best sustainable result
• Stewardship – We’re passionate about leaving things better than we found them

Our Group strategy


To build on our strength as transatlantic consumer and wholesale bank,
anchored in our two home markets of the UK and US, with global reach

Measuring success
Our performance measurement approach reflects the way in which
management monitors the performance of the Group, allows for a holistic
assessment and sets out our progress towards the strategic goals of the
organisation

Figure 1.12: Barclays PLC’s strategic goals


Figure 1.13 is an example of Barclays PLC strategic objective.

Company

Achieving our targets is consistent with our aim of generating long-term sustainable returns for the shareholders:
• Group return on tangible equity* >9% in 2019, >10% in 2020
• CET1 ratio at c.13%
• Group costs guidance of £13.6-£13.9bn in 2019†.
Targeting cost: income ratio below 60% over time
* Excluding litigation and conduct, and based on CET1 ratio of c.13%
† Excluding litigation and conduct

A Commitment to Driving Value

Medium-term1 Financial Targets

ROE / ROTE: >13% / >14%
Efficiency Ratio: ~60%
CET 1 Ratio: 13-13.5%

New business growth positions Goldman Sachs to generate mid-teens or higher returns over longer-term

Figure 1.13: Barclays PLC’s strategic objectives


ii. Step 2 – Develop strategies: Accordingly, banks should have a process to evaluate their strategic position and develop appropriate strategies in
achieving their organisation’s strategic goals and objectives. Typically, this
process would involve:

▶ Understanding the general banking, business, and economic environment that a bank operates in.
▶ Assessing the bank’s strengths and weaknesses in terms of competitive
position, market standing and financial performance, organisation
and risk management structures, systems, and infrastructure to meet
current and unplanned business needs, managerial capacity, resources
availability, and constraints.
▶ Analysing the bank’s strategic position and possible strategies that can
be considered.

Strategies should be designed to address three different strategic horizons or challenges of a bank. A helpful framework is the “three-box” approach devised by Govindarajan (2016). Box 1 comprises strategies that are devised to allow the bank to compete successfully for the present. This involves sharpening the bank’s strategic capabilities and ability to deliver on its traditional core strengths. Strategy is about making choices. It is as much about choosing what to do as it is about what not to do. Box 2, on the other hand, is about selectively forgetting past successes and having the strategic discipline on what opportunities not to pursue. Finally, Box 3 is about creating the future. This does not mean that banks are expected to predict the future. Banks are expected not to predict but to imagine the future, formulate hypotheses on how the future will look and test those hypotheses.

Box 1: Competing for the present
Box 2: Selectively forgetting the past
Box 3: Creating the future

Figure 1.14: The “three-box approach” in leading innovation by Dr Vijay Govindarajan


Boxed Article–8

Big European banks face call to end funding for firms building coal-fired plants (Twidale, Cruise, and Jessop, 2019).

LONDON (Reuters) - Some of Europe’s biggest banks are being challenged by environmental groups to sever all lending to utilities which they say are still developing new coal-fired power plants.

Last year, a United Nations report said almost all coal-fired power plants
would need to close by the middle of this century to curb a rise in global
temperatures to 1.5 degrees Celsius, in line with the level scientists say is
needed to stave off the worst effects of climate change.

“Some banks have pledged not directly to finance new coal plants, but
they are providing general finance to companies which are building
new plants,” Katrin Ganswindt of German environmental pressure group
Urgewald told Reuters.

Urgewald and BankTrack, an NGO focused on banks and their financial activities, said an analysis of the 10 most active European lenders to
companies that are still planning or developing new coal plants indicated
total debt funding had risen to $56 billion between 2017 and the end of
September 2019.

This compared with a calculation of $48 billion for the period 2014 to 2016,
the pressure groups said in a report provided to Reuters on Thursday.

The ten (10) banks were Barclays, BNP Paribas, Credit Agricole, Credit
Suisse, Deutsche Bank, HSBC, ING, Nordea, Standard Chartered and
UniCredit.

(GRAPHIC: Lending by European banks to utilities building coal-fired power plants)


Most of those named said the report did not reflect their efforts to stop
funding coal plant development or commit to lowering carbon emissions.
Credit Suisse declined to comment.

Britain’s Barclays said it no longer provides project finance to any new coal-
fired power plants or expansions of existing ones and disagreed with some
of the data:

“The report misrepresents and does not differentiate cases where Barclays
finances a subsidiary investing in renewable energy, when its parent
company may have other subsidiaries involved in coal, which have no
relationship with Barclays.”

BANK ACTION
Since Paris,³ many European banks have adopted cutting lending policies to
firms that rely on coal for a high percentage of their revenues or pledging to
end funding for new mines.

3 This refers to the Paris Agreement on Climate Change signed on 12 December 2015.


Last week UniCredit said it would halt all lending for thermal coal financing
by 2023, while BNP Paribas said this month it would stop financing the
thermal coal sector in the European Union by 2030 and by 2040 worldwide.

Deutsche Bank said that since 2016 it no longer finances “directly or indirectly
the construction of new coal-fired power plants or new mining projects to
produce steam coal”.

Some banks have increased their funding of renewable energy projects and
stepped-up engagement with clients to encourage a faster shift away from
coal production and consumption.

“In a majority of cases, we know the use of funds and can do our due diligence
to make sure the financing is compatible with our policies, which include no
direct financing for new coal-fired power plants,” Standard Chartered said.

Urgewald and BankTrack said their analysis was based on financial databases and public disclosures of loans obtained by 258 coal power
producers and the underwriting of bonds issued by them, although for some
syndicated loans and bond commitments, the analysis had estimated each
bank’s share.

Dutch bank ING said it did not “recognise the figures mentioned by Urgewald
and the conclusions drawn from them”.

“ING supports new clients in the utility sector only when their reliance on coal
is 10% or less, and they have a strategy to reduce their coal percentage to
close to zero by 2025,” it added.

iii. Step 3 – Integrate strategies into a strategic plan: In formulating the strategic plan, banks should also have a process to devise and approve the strategic plan. A strategic plan is a comprehensive plan formulated by the bank that sets out the strategies to be implemented by the bank, the mode of implementation of these strategies and the expected outcome. A strategic plan should provide information such as the bank’s philosophy regarding its business, growth targets, the extent of its financial risk-taking and other relevant factors affecting its growth and development. The strategic plan should cover different aspects of strategy such as:

▶ Corporate strategy – related to overall purpose and vision and how the
strategic intent is expected to be realised.
▶ Business strategy – related to how the bank will attain a competitive
advantage in the environment in which it operates.
▶ Operational strategy – strategies to support the implementation of the
bank’s corporate and business strategies.


Figure 1.15 is an example of Goldman Sachs’s “Clear Strategic Direction” presented to their stakeholders on the Goldman Sachs Investor Day on 22
December 2020. Goldman Sachs is an American multinational investment
bank and financial services company headquartered in New York City. It
offers services in investment management, securities, asset management,
prime brokerage, and securities underwriting.

Clear Strategic Direction

• Grow and Strengthen Existing Businesses – Higher Wallet Share
• Diversify our Products and Services – More Durable Earnings
• Operate More Efficiently – Higher Margins and Returns

Figure 1.15: Goldman Sachs’ corporate strategy

Figure 1.16 is an example of Goldman Sachs’s “Business Strategy”.

Grow and Strengthen Existing Businesses (Higher Wallet Share)
▶ Expand our global footprint: Investment Banking, Global Markets, Ultra High Net Worth
▶ Increase financing activities
▶ Grow asset management

Diversify Our Products and Services (More Durable Earnings)
▶ Build Transaction Banking
▶ Grow third party Alternatives
▶ Scale digital Consumer Banking, High Net Worth and Mass Affluent

Operate More Efficiently (Higher Margins and Returns)
▶ Increase organisational and process efficiency
▶ Remix to lower cost deposit funding
▶ Optimise capital footprint

Figure 1.16: Goldman Sachs’ Business Strategy


Figure 1.17 is the “Operational Strategy” of Goldman Sachs.

• Client-Centric Organisational Structure – Delivering One Goldman Sachs
• Longer Term Operating Focus – Multi-year financial planning process
• Investing for Growth – Improving existing businesses and building new businesses
• Enhanced Accountability – Transparency and performance targets

Figure 1.17: Goldman Sachs’ Operational Strategy

Alignment and change management


Banks should ensure sufficient resources are allocated to achieve the strategic
goals and objectives. Resources include financial and non-financial resources.
The right talent, infrastructure and risk management systems should be in
place to ensure that the bank can execute its strategic objectives.

In recent years, it has been common for banks to trumpet their desire to capitalise on the digital revolution in banking. However, often, there is a clear misalignment between the stated strategic objectives and the organisational capacity to deliver on these objectives. Banks should establish a resource development roadmap to cater for digital business growth. This includes training and hiring of new talent with the skill sets to enable the bank to execute its strategic objectives. Pivoting to a new strategy may require banks to implement changes. A change could meet potential resistance. The bank should establish a change management programme to ensure a smooth transition.

Implementation and monitoring


For the strategy to succeed, adequate resources should be allocated. Banks
should also ensure that strategies are executed in accordance with the
mandate set out by the BOD. The lack of capital and funding could threaten
the ability of the bank to execute its strategies and disrupt the bank’s day-to-
day operations. Therefore, capital and funding planning is a key element of the
strategic planning process. Banks should conduct stress tests to identify any
possible events or changes that could adversely affect their ability to execute
their strategies. Part of implementation is ensuring that systems and controls are appropriate and that the risk management structure is adequate to support and manage the possible risks when implementing the strategies. This would ensure that a high-level report on strategic risk profile and any material risk with strategic implications are deliberated at Management and BOD level.


Performance evaluation and feedback


Performance should be directly linked to the BOD’s strategic objectives. The
budget determines values. Banks should set both financial and non-financial
targets that are directly linked to the banks’ stated strategic goals and
objectives.

1.4.3 The Future of Banking

In assessing strategic risks for the bank, it is important to consider the external environment in which the bank operates. Increasingly, both the banks’ customers and regulators accept that while banking activities are essential, banks are not. This carving of banking activities out of banking organisations poses a severe, existential strategic threat to banks.

Increasingly, technology players have been grabbing substantial banking-related businesses away from traditional banks. For example, Alipay and WeChat have been winning transactional banking-related revenues away from traditional banks. The decoupling of banking activities and banks may happen sooner rather than later, and this is the biggest strategic risk that banks face.

In the highly influential book “Bank 4.0: Banking Everywhere, Never at a Bank”,
banking futurist King (2018) outlined the four-stage evolution of the banking
industry:

Bank 1.0: Traditional Banking (1472-1980)
Bank 2.0: Self-Service Banking (1980-2007)
Bank 3.0: Mobile Banking (2007-2017)
Bank 4.0: (2017-onwards)

Figure 1.18: Bank evolution (1472 - now)

In his book, King (2018) narrated that:

• Bank 1.0 is traditional banking, where branches (branch banking) are the primary access point for banking services.
• Bank 2.0 is the emergence of self-service banking, allowing customers to access banking services outside banking hours (for example, ATMs, credit cards).
• Bank 3.0 is the emergence of banking when and where you need it. This was enabled by the technology available in smartphones. Mobile banking enables anywhere and anytime banking. Bank 3.0 is about moving out of the physical premises of banking into digital.
• Bank 4.0 is about embedded banking, where banking services are
decoupled or bifurcated from banks and delivered in real-time through
technology. In Bank 4.0, there is no requirement for any physical contact
and allows frictionless engagement with the customer. This is about the
phasing out of banking products and instead focusing on the “utility” of
banking services. Banking becomes invisible and embedded in the world
around us and delivered through technology.

This concept explores the radical transformation that is already taking place in banking and follows it to its logical conclusion.


SUMMARY

• Risk management is defined as coordinated activities to direct and control an organisation with regard to risk.
• Risk management framework is a set of components that provide the foundations and
organisational arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organisation.
• Enterprise risk management is a process, effected by the entity’s board of directors,
management, and other personnel, applied in strategy setting and across the enterprise
designed to identify potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding the achievement of
the entity’s objectives.
• The ERM framework is composed of the following key components: internal environment,
objective setting, event identification, risk assessment, risk response, control activities,
information, and communication, monitoring, and roles & responsibilities.
• Strategic risk is the risk of current or prospective impact on earnings, capital, reputation
or standing arising from changes in the environment in which the bank operates
and from adverse strategic decisions, improper implementation of decisions or lack of
responsiveness to industry, economic or technological changes.


END OF CHAPTER PRACTICE QUESTIONS

1. Which of the following best describes the fundamental characteristics of effective risk
management?
A. Risk management principles
B. Risk management framework
C. Risk management policy
D. Risk management infrastructure

2. This describes the emergence of banking when and where you need it using technology
enabled by mobile phones.
A. Bank 1.0
B. Bank 2.0
C. Bank 3.0
D. Bank 4.0

3. This comprises the organisation’s tone, influencing the risk consciousness of its people and is
the basis for all the components of enterprise risk management.
A. Internal environment
B. Objective setting
C. Event identification
D. Risk assessment

4. Read the statements below and select the best answer:

Statement 1: Risk appetite statement should be in written format and written from an
integrated bank perspective

Statement 2: Risk appetite statement should focus only on quantitative measures of loss
or negative outcome

A. Both statements are true.
B. Both statements are false.
C. Statement 1 is true. Statement 2 is false.
D. Statement 1 is false. Statement 2 is true.

5. Which of the following is not among the benefits of enterprise risk management?
A. Increase the range of opportunities
B. Identify and manage from an enterprise risk perspective
C. Increase the range of positive outcomes and reduce the range of negative outcomes
D. Eliminate performance variability


6. Which of the following is not true about the three lines of defence system?
A. The three lines of defence may delegate their risk governance responsibilities to external
experts.
B. Front line units are primarily responsible for risk management
C. Internal audit belongs to the third line of defence
D. Risk management should have unfettered access to the board

7. Which of the following is a dedicated board-level committee mandated to perform a more
focused risk oversight function?
A. Board of Directors
B. Audit Committee
C. Board Risk Committee
D. Risk Management Department

8. Who sets the risk appetite and ensures that it is reflected in the business strategy and cascaded
throughout the organisation?
A. Board of Directors
B. Board Risk Committee
C. Chief Risk Officer
D. Chief Executive Officer

9. Which of the following issues should not be addressed in the bank’s risk management policy?
A. The rationale for managing risk
B. The link between the organisation’s objectives and policies and the risk management
policy
C. Accountabilities and responsibilities for managing risk
D. Detailed procedures to implement the risk management initiatives

10. Which of the following is the correct order in the risk management process?
A. Monitoring and reporting -> Identification and assessment -> mitigating and control
B. Identification and assessment -> mitigating and control -> monitoring and reporting
C. Mitigating and control -> Identification and assessment -> monitoring and reporting
D. Identification and assessment -> monitoring and reporting -> mitigating and control

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. A 2. C 3. A 4. C 5. D 6. A 7. C 8. A 9. D 10. B



CHAPTER 2
REGULATIONS AND TREATMENT OF RISK

2. REGULATIONS AND TREATMENT OF RISK

Learning Outcomes

At the end of the chapter, you will be able to:

• Analyse the influence of regulation on bank risk management.

Key Topics

In this chapter, you will be able to read about:

• Importance and objectives of regulations for banks
• The purpose of banking supervision and other significant central banks
• Types and sources of Malaysian banking regulations
• Introduction to the risk-based capital framework under Basel I
• The three pillars for Basel II
• Introduction to Basel III requirements and Basel III extended.

Assessment Criteria

During the exam, you will be expected to:

• Understand how regulations impact the bank.
• Explain the objectives and features of Basel I, II, III (extended).

2.1 IMPORTANCE AND OBJECTIVES OF REGULATIONS FOR BANKS

The year 2020 brought with it the deepest recession in the global economy since the
Great Depression. It began with global nations gearing up to contain the spread of
the coronavirus pandemic by principally imposing the enforcement of movement
restrictions, the closing of borders and the shutdown of international travel. This
unprecedented situation severely curtailed overall global economic activities and
caused the world economy to experience a sharp contraction. The pandemic
also triggered unparalleled global policy responses, including larger fiscal stimuli,
accommodative monetary policies, and quantitative easing measures. Being
a highly open economy, Malaysia’s GDP was adversely affected due to broad-based
weaknesses in exports, production, and domestic demand, arising from the
negative external spillovers and the introduction of stringent domestic containment
measures to combat Covid-19. The weaker domestic economic activities also led to
a deterioration in labour market conditions and income losses, impacting consumer
spending. (D’Cruz, 2021)


Banking regulation is the formulation and issuance by authorised agencies of
specific rules under governing law for the conduct and structure in banking. In further
refining the definition of banking regulation, it is important to distinguish between
what is and what is not legally binding and clarify the terms in which regulations are
transposed into national legislation.

While the economic impact of COVID-19 may have some similarities to the 2007–2009
Financial Crisis, the implications for financial firms’ performance are likely to
be different. With the regulatory measures announced by Bank Negara Malaysia
(BNM) and statements issued by the Malaysian Accounting Standards Board (MASB)
and International Financial Reporting Standards (IFRS) in response to the recent
development of COVID-19, Deloitte explores its impact on Financial Institutions in
Malaysia in terms of loan growth, earnings, provision, and liquidity. (Deloitte, 2020)

Impact of Covid-19 for banks

COVID-19 Timeline and BNM Measures Related to IFRS 9

General timeline:
• 25 Jan: Official first case identified in Malaysia
• 16 Mar: Prime Minister announced Movement Control Order (MCO)
• 24 Mar: Bank Negara Malaysia announced measures for COVID-19
• 25 Mar: Prime Minister announced first MCO extension (from 1-14 Apr)
• 25 Mar: European Banking Authority (EBA) statement on the application of the
  prudential framework regarding Default, Forbearance and IFRS 9
• 27 Mar: IFRS & MASB released statement
• 10 Apr: Prime Minister announced second MCO extension (15-28 Apr)

MCO periods:
• 1st MCO period: 18-31 Mar
• 2nd MCO period: 1 Apr to 14 Apr
• 3rd MCO period: 15 Apr to 28 Apr

BNM's additional measures for COVID-19 related to IFRS 9:
1. • Moratorium period excluded in determination of period in arrears for the
     purpose of regulatory and accounting classifications
   • Loans/Financing that are granted moratorium solely based on this measure
     are not to be flagged as R&R in CCRIS
   • The R&R loans need not be classified as credit impaired in CCRIS
2. Liberalised lending/financing limits (no direct impact to MFRS 9)
3. Drawdown and financial reporting (no direct impact to MFRS 9)
4. MFRS 9 and financial reporting requirement
   • FIs required to incorporate impact of COVID-19 into forward looking
     information for ECL calculation
   • Payment arrears during moratorium period should not automatically result
     in a stage transfer

Figure 2.1: Impact of Covid-19

2.1.1 The Malaysian Banking Industry and Its Critical Role to the Economy

Malaysia’s financial services industry has traditionally been a key driver of its
economic development and is the foundation of the Financial Sector Blueprint
(FSB). FSB is a 10-year master plan implemented by Bank Negara Malaysia
(BNM) for managing Malaysia’s transition towards becoming a high-value-added,
high-income economy. BNM is currently developing the next blueprint
for the financial sector, which it aims to publish in 2022 (Blueprint 3.0). The
Blueprint 3.0 will set out the critical development and regulatory priorities for
the next five years (2022–2026) and focus on enabling technology and data-driven
innovation, enhancing the competitiveness of the financial sector,
expanding access and responsible usage of financial solutions, and ensuring
financial intermediation remains effective to support future economic needs.
(Bank Negara Malaysia, 2020).

The number of licensed banking institutions in Malaysia currently stands at 56,
comprising 32 domestic banking institutions and 24 foreign-owned banking
institutions. There are also 16 Islamic banks, 11 of which are domestically owned,
and 11 investment banks, all domestically owned. (Bank Negara Malaysia, n.d.)

Institution                              Asset size (million ringgit)
Malayan Banking Berhad                   872,213*
CIMB Bank Berhad                         516,075*
Public Bank Berhad                       450,310*
RHB Bank Berhad                          263,038*
Maybank Islamic Berhad                   259,219*
Hong Leong Bank Berhad                   221,278
AmBank (M) Berhad                        169,203
United Overseas Bank Malaysia Berhad     126,146*
OCBC Bank Malaysia Berhad                93,922*
HSBC Bank Malaysia Berhad                87,082*

Note: Data sourced from 2020 annual reports or financial statements
(unless otherwise stated)
*As of 30 September 2020

Figure 2.2: Top 10 banks in Malaysia by asset size (ringgit) as of the end of 2020

In line with the FSB, the regulatory and supervisory framework of Malaysia
in respect of the banking and finance sector was consolidated under the
Financial Services Act 2013 (FSA) and the Islamic Financial Services Act 2013
(IFSA) (collectively, the Acts). These two Acts came into force on 30 June
2013, simultaneously consolidating and repealing the Banking and Financial
Institutions Act 1989 (BAFIA), the Islamic Banking Act 1983, the Insurance Act
1996, the Payment Systems Act 2003 and the Exchange Control Act 1953. These
Acts aim to provide a regulatory framework for both the conventional and
shariah-compliant sectors and endow BNM with greater powers to counter
future risks to stability in the financial sector, increase consumer protection
and promote competition in the financial services sector. The Acts also
contain provisions that preserve every guideline, direction, circular or notice
previously issued under any repealed legislation in relation to any provision
of the Acts before they came into force.

Malaysia has also established its mid-shore jurisdiction on the island
of Labuan, off the coast of Borneo, which was declared an international
offshore financial centre in October 1990 to complement Kuala Lumpur’s
domestic financial market activities. Labuan is regulated and administered
by the Labuan Financial Services Authority (the Labuan FSA) pursuant to the
Labuan Financial Services Authority Act 1996 (the Labuan FSA Act). In 2008,
the jurisdiction was renamed the Labuan International Business and Financial
Centre (the Labuan IBFC), and an entity called Labuan IBFC Incorporated was
established as the jurisdiction’s marketing arm. The Labuan FSA and
the Labuan IBFC work together to promote Labuan IBFC’s reputation as the
premier mid-shore international business and financial centre in Asia. Entities
operating in the Labuan IBFC are subject to federal laws that are specific to
the Labuan IBFC. Labuan banks are subject to the Labuan Financial Services
and Securities Act 2010 (LFSSA), and Labuan Islamic banks are regulated
under the Labuan Islamic Financial Services and Securities Act 2010 (LIFSSA).

Based on these regulatory reforms in Malaysia, it is obvious that the banking
industry is one of the most heavily regulated industries worldwide. The
question now is – what makes banks so unique? And why are banks heavily
regulated?

2.1.2 The Nature of Banking

Two views exist regarding the nature of the banking business. The dominant
view defines banks as financial intermediaries, institutions in the business
of transferring money from savers to borrowers. An alternative view advances
that banks finance borrowers via money creation. Both views imply the
importance of regulating banks. Among the factors leading to this are the
following:

• The fragile nature of the banking business
• Contagion or systemic risk
• Adverse consequences to the economy
• Financial safety nets

i. The fragile nature of the banking business – Banks are viewed to be
inherently fragile due to the structural mismatches in their balance sheet.
The existence of these structural mismatches can primarily be traced to
the purpose why banks exist (i.e., for financial intermediation). As financial
intermediaries, banks play an important role by connecting savers and
borrowers. Savers need a safe place to temporarily invest their money
and receive compensation for renting the money in the form of interest.
Borrowers, on the other hand, need the money to finance their business or
investment ventures.

The source of instability or fragility of banks can be traced to the different
maturity preference of savers or depositors (who prefer funds to be
immediately available when needed) and that of the borrowers (who
prefer to borrow funds for a longer tenor to finance their business or project).
Banks take shorter term customers’ deposits to take advantage of the
interest rate term structure (lower short term interest rates and higher
longer term interest rates) and capture the spread between the longer
tenor and the shorter tenor. This structural mismatch in the bank’s balance
sheet makes an individual bank susceptible to potential failure if risk is not
managed soundly.

A bank run occurs when savers or depositors demand contractual
repayment of their funds simultaneously, and the bank does not have enough
liquid assets to fulfil its contractual obligations to repay these savers or
depositors. Bank runs have occurred throughout history including during
the Great Depression and the 2008-09 Financial Crisis. The peculiarity
of the banking industry is that a bank could fail whether it is insolvent or
not. The mere perception of a bank’s insolvency can cause the bank to
fail. As Irvine Sprague, former Chairman of the Federal Deposit Insurance
Corporation, once said, “Bank confidence is a fragile reed, and rumours
damage a troubled bank, true or not.”

ii. Contagion or systemic risk – Even if individual banks are inherently fragile,
it does not sufficiently explain why banks are heavily regulated. To many
laypeople operating outside the industry, it is hard to understand why
a single bank failure is viewed as different from the failure of any other
business.

If a car company fails, it may be a cause of celebration for the remaining
players in the industry as it may mean more market share. A case in point
is the failure of Enron Corporation (then the 7th largest company in the
world) which did not cause the same damage as when Lehman Brothers
(not even among the Top 50 largest banks in the world) filed for bankruptcy
less than a decade later. This is because the banking industry is more
susceptible to contagion or ripple effects than other industries. Gerald
Corrigan, former President of New York Federal Reserve, said:

“More than anything else, it is the systemic risk phenomenon
associated with banking and financial institutions that make them
different from gas stations and furniture stores. It is this factor –
more than any other – that constitutes the fundamental rationale
for the safety net arrangements….”


This contagion effect is more prominently seen in the banking industry.
This means that the failure of one bank to fulfil its obligation to another
bank may trigger that bank to default on its obligation to other members
of the banking system. The series of successive losses can occur quickly
and spread throughout the other members of the banking system. This
domino effect is also known as systemic risk. This happens because banks:

▶ Simultaneously borrow and lend to each other.
▶ Maintain deposits with each other.
▶ Use a common payment and clearing system.

Despite this, its failure triggered such a massive wave of losses and failures
that unprecedented actions had to be taken to save the entire industry from a
meltdown. This shows that what matters is not size alone but the degree of
interconnectedness of a banking institution with other banks in the system.

iii. Adverse consequences to the economy – More than a decade after the
Global Financial Crisis, one of the most hotly debated issues is why were
banks bailed out? Why not let the entire industry suffer a meltdown? The
decision to bail out the banking industry during the global financial crisis
has been much criticised. Why did the government bail banks out? It turns
out that the banks are interconnected with each other. They are the nerve
centre of the entire financial system and the economy.

The disruption in the bank’s credit lending activities may threaten the
ability of companies outside the banking industry to continue to survive.
This is because many companies rely on bank financing to sustain their
working capital requirements and capital expenditure. The freezing of this
important credit lending activity could have severe repercussions in the
economy as households and businesses could stop spending or investing,
which would have further negative consequences to the overall economy.

The failure of the banking system has severe consequences for the
broader economy in general. An influential study by Harvard professors
Carmen Reinhart and Kenneth Rogoff found that banking crises
have a deep and lasting impact on:

▶ Asset prices – Asset price declines are deep and prolonged. Real
housing prices decline by an average of 35%. The decline in
housing prices lasts for as long as six years. Equity prices collapse by
an average of 55% over three and a half years.
▶ Economic output – Economic output falls by an average of 9% over
roughly two years on average. The decline in output is generally more
severe for emerging markets than for developed markets. Sudden reversals of
available foreign credit drive the severe contraction in emerging market
output.


▶ Employment – Unemployment rises by an average of 7% over the down
phase of the cycle, which lasts for an average of four years.
▶ Government debt – The real value of government debt explodes by an
average of 86%. Despite the common misconception that this is driven by
bank bailouts, the increase in debt is due to the collapse in
tax revenues collected by the government as output contracts
and to the expansionary fiscal policies adopted by governments to boost
economic activity.

iv. Financial safety nets – Given the negative consequences of banking
failure to the economy, there are cushions or interventions to contain the
impact of banking failure on the broader economy. These cushions or
interventions are also known as financial safety nets. These financial safety
nets have direct costs to the government and taxpayers. Therefore, one of
the objectives of banking regulation is to make sure that these financial
safety nets achieve their intended purpose, to minimise the chance of their
being depleted, and to keep taxpayers from ultimately bearing the cost
of bank failure.

The Basel Committee on Banking Supervision enumerated three important
financial safety nets:

1. Prudential regulation and supervision
2. Lender of last resort
3. Deposit insurance

Figure 2.3: Types of financial safety nets

Due to the importance of the banking system in the overall economy
and potential risk that the government may need to step in to contain a
financial crisis as a result of bank failures, bank supervisors are mandated
to impose minimum standards and implement prudential regulation to
ensure that banks are operated in a safe and sound manner.

In addition, in times of banking crisis, banks may face temporary liquidity
problems due to bank runs or asset losses. Banks may not be willing to
lend money to each other. Further, selling assets at a time when there is
a crisis may result in sub-optimal results as banks will sell these assets at
fire-sale prices and may further exacerbate the crisis as more banks sell
existing assets, causing a downward spiral loop of declining asset prices
(resulting in more losses for banks holding those assets). In this scenario,
the central bank could play an important role in stabilising the financial
system by acting as a lender of last resort.


As the lender of last resort, the central bank will provide liquidity to banks
in times of crisis. It may do so through the provision of emergency loans of
high-powered money to temporarily illiquid banks. High-powered money
refers to bank reserves and currencies held by the central bank. Central
banks also contain public fears and panics through announcements of their
commitment to provide liquidity to temporarily illiquid banks. This moral
suasion is one of the important powers of a central bank.

There are several prudential concerns with respect to the central bank
acting as a lender of last resort. One key unintended consequence is
that it may create perverse incentives for banks to take undue risks due
to having an alternative liquidity avenue in case these banks encounter
liquidity problems.

To counter this, central banks typically apply an effective lender of last
resort framework to make sure that moral hazard is minimised. One of the
most commonly used frameworks to implement a central bank’s lender
of last resort role is the classical Thornton-Bagehot’s Model of Last Resort.
Below are the principal features of the framework:

Willingness to lend freely    The lender of last resort should provide liquidity
and to the public             to the banking system as a whole and not to
                              specific banking institutions.

Sound institutions            The liquidity should be extended only to
                              temporary illiquid institutions. Insolvent
                              institutions should be allowed to fail.

Penalty                       The liquidity extended should carry high penalty
                              rates to encourage quick repayment of the
                              loans once the crisis ends.

Collateralised                The lender of last resort should require high
                              quality collateral. This is to ensure that the
                              central bank’s losses are minimised in the
                              event of default.

Figure 2.4: Bagehot’s rule


The final financial safety net is deposit insurance. Deposit insurance is
defined as “a system established to protect depositors against the loss
of their insured deposits if a bank cannot meet their obligations to the
depositors”. The main objective of the deposit insurance system is to
protect depositors and contribute to financial stability. Note that deposit
insurance is expected to contribute to financial stability and is not intended
to be the only solution for systemic bank failures. The deposit insurance
system should not be the only financial safety net to bear the cost of
systemic banking failure.

Deposit insurance can either be explicit or implicit. Explicit deposit
insurance has legislated deposit guarantees. These laws provide for the
basic features of the deposit insurance system such as coverage amount,
the establishment of the insurance fund, type of instruments covered, and
method for calculating depositor claims. Implicit deposit insurance has no
specific legislated rules with respect to the eligibility and level of protection
in case of bank failure. There is only an expectation that some form of
government protection will be provided in the event of a bank failure.

Explicit deposit insurance has been the preferred choice compared to
implicit deposit insurance. Deposit insurance can help enhance public
confidence in the banking system and, in the process, provide an orderly
mechanism for bank failure. It also spreads the costs of bank failure
among different banks.

The Basel Committee on Banking Supervision (BCBS) and the International
Association of Deposit Insurers laid out the parameters for effective deposit
insurance systems. Below are some of the key highlights:


Characteristics and their descriptions:

Public policy objective:
The main policy objective of deposit insurance is to protect those who are
not able to make an informed risk assessment of the bank (for example,
retail depositors) and those who need the protection the most.

Other secondary objectives of deposit insurance are:

• Provide a mechanism for banks to fund the cost of failures.
• Promote competition by lowering competitive barriers, as one
  advantage of the bigger players in the industry is the perception that
  “too big to fail” institutions would have “implicit” deposit insurance from
  the government.
• Facilitate the transition from a blanket deposit guarantee to limited
  coverage.

Mitigate moral hazard:
Moral hazard refers to the incentive for excess risk-taking by banks or those
receiving the benefit of deposit insurance protection. This also arises from
expectations that banks will not be allowed to fail.

To mitigate the moral hazard, the deposit insurance should:

• Place limits on the insurance coverage.
• Exclude certain depositors from the scheme.
• Implement risk-adjusted premium (i.e., higher risk banks to pay the
  higher premium for the scheme).

Membership and coverage:
Membership in deposit insurance should be compulsory for all deposit-taking
institutions. This is because if deposit insurance is voluntary, weaker
banks would be the ones that opt to be part of this scheme while
the stronger banks would opt out. This is why deposit insurance should be
made compulsory for all banks.

Adverse selection is the tendency for higher-risk banks to opt for deposit
insurance and lower-risk banks to opt out of the deposit insurance
scheme. This happens when membership in the deposit insurance scheme
is voluntary.

The level of coverage should be limited but credible.

Funding:
The direct cost of funding the deposit insurance should come from the
banks. Funding mechanisms can either be ex-post or ex-ante.

Ex-ante funding requires the accumulation and maintenance of a
fund before a failure occurs. Members principally fund this through
contributions, insurance premiums, etc. This reduces reliance on public
funds during a banking crisis.

Ex-post funding is only collected from member banks when a bank fails.

Figure 2.5: Characteristics of the deposit insurance system


The rapid growth of the Islamic financial services industry led to the
establishment of Islamic deposit insurance systems for the protection
of Islamic deposits in accordance with Islamic principles and rules. The
Shariah-compliant design is based on a guarantee with a fee or “kafalah
bil ujr”. This system was endorsed by the Shariah Advisory Council of Bank
Negara Malaysia. The deposit insurance for Islamic deposits is at the same
level as conventional deposits (MYR 250,000).

2.2 THE PURPOSE OF BANKING SUPERVISION AND OTHER SIGNIFICANT CENTRAL BANKS

In an environment of rapid changes where new risks continue to emerge due to the
integration in global financial markets, it is paramount that the nation’s financial
system is well preserved to support its growth. Thus, to avoid banking failures that
may have adverse consequences on economic activities, it is important to maintain
a stable financial system. This can be achieved with an effective regulatory framework
and sustainable supervision of the safety and soundness of the financial institutions.

Banking supervision refers to monitoring banks’ financial performance and
operations to ensure that they operate safely and soundly and follow the rules
and regulations. Bank supervision is conducted by governmental regulators and
is carried out to prevent bank failures. A central bank is a financial institution that
is privileged to control the production and distribution of money and credit for a
nation or a group of nations. In modern economies, the central bank is usually
responsible for the formulation of monetary policy and the regulation of member
banks. Typically, a central bank is required to undertake the following functions:

• Authority to issue currencies – The primary goal of central banks is to provide their
countries’ currencies with price stability by controlling inflation. A central bank
also acts as the regulatory authority of a country’s monetary policy and is the sole
provider and printer of notes and coins in circulation.
• Control of commercial banks – All commercial banks are under the obligation to
prepare and submit a report of their undertaking to the central banks after a given
period of time. In this capacity, central banks typically take part in the regulation
of commercial banks, where they may enforce a variety of rules governing such
things as cash reserve ratios, interest rates, investment portfolios, equity capital,
and entry into the banking industry.
• Banker, fiscal agent, and adviser to the government – As banker to the government,
the central bank keeps the deposits of the central and state governments and
makes payments on behalf of the governments. It is the custodian of government
money and wealth. As a fiscal agent, the central bank manages the country’s public
debt by making short-term loans to the government for a period not exceeding 90
days. It also floats loans, pays interest on the debt, and finally repays the debt on
behalf of the government. The central bank also advises the government on such
economic and money matters as controlling inflation or deflation, devaluation or
revaluation of the currency, deficit financing, and balance of payments.
• Controller of credit – The control of credit is realised through the use of the monetary
policy. The central bank controls the credit creation power of commercial banks
to curb inflationary and deflationary pressures in the economy. Through setting
of policy interest rates, the central bank can determine the supply of credit in
the economy. By hiking interest rates, the central bank is effectively constraining
credit. The converse is also true. The central bank can also issue regulations that
would expand or constrain credit availability (for example, by increasing the
countercyclical buffer, central banks reduce the available capital that banks
may lend, or by imposing higher credit risk concentration limits to a particular
sector, they may constrain banks from supplying credit).
• Custodian of bank reserves of commercial banks – Bank reserves are the cash
minimums that financial institutions must have on hand in order to meet central
bank requirements. This is real paper money that must be kept by the bank in a
vault on-site or held in its account at the central bank. Cash reserves requirements
are intended to ensure that every bank can meet any large and unexpected
demand for withdrawals. The law requires that commercial banks keep reserves
to a particular percentage with the central bank. On this basis, the central bank
transfers money from one bank to another to facilitate the clearing of cheques. A
central bank is, therefore, a bank to commercial banks.
• Lender of last resort – As lender of last resort, the central bank would offer loans
to banks or other eligible institutions that are experiencing financial difficulty or
are considered highly risky or near collapse. In Malaysia, Bank Negara Malaysia
(BNM) acts as the lender of last resort to institutions that do not have any other
means of borrowing, and whose failure to obtain credit would dramatically affect
the economy. In some countries, their commercial banks normally borrow from
discount houses⁴. Commonly, commercial banks would seek funds from the
central bank during times of financial problems by borrowing at the market rate
instead of the bank rates given by discount houses.
• Implement unconventional monetary policy – A non-standard monetary policy
or unconventional monetary policy is a tool used by a central bank or other
monetary authority that falls out of line with traditional measures. Non-standard
monetary policies came to prominence during the 2008 financial crisis when the
primary means of traditional monetary policy, which is the adjustment of interest
rates, was not enough. Non-standard monetary policies include quantitative
easing, forward guidance, and collateral adjustments. During the 2008 financial
crisis, global economies were looking to pull their countries out of recessions by
implementing expansionary monetary policies. However, because the recession
was so bad, standard expansionary monetary policies were not enough. Due
to this, to complement the traditional monetary policies, central banks had to
implement non-standard measures to pull their economies out of financial
distress.
• Ensure stability of the financial system – Central banks play a crucial role in
ensuring economic and financial stability. They conduct monetary policy to
achieve low and stable inflation. In the wake of the global financial crisis, central
banks have expanded their toolkits to deal with risks to financial stability and
to manage volatile exchange rates. In response to the COVID-19 pandemic,
central banks used an array of conventional and unconventional tools to ease
monetary policy, support liquidity in key financial markets and maintain the flow
of credit. Central banks need clear policy frameworks to achieve their objectives.
Operational processes tailored to each country’s circumstances enhance the
effectiveness of the central banks’ policies.

⁴ A discount house in the financial world is a firm that specialises in trading, discounting, and negotiating bills of exchange or
promissory notes. Its transactions are generally performed on a large scale and also include government
bonds and Treasury bills. Also known as bill brokers, discount houses primarily operated in the United Kingdom, playing a key
role in the financial system there until the mid-1990s. By 2000, British discount houses had largely ceased to exist as separate
financial institutions, though some still remain in India and other nations.

Boxed Article–1

The Banking Supervision Role in Malaysia (Bank Negara Malaysia)


In Malaysia, the banking supervision roles lie within the supervision functions in
Bank Negara Malaysia (BNM). Supervision with BNM aims to develop, enhance,
and implement a sustainable, progressive, and robust risk-based supervision
framework on respective financial institutions under their purview to ensure the
safety and soundness of these institutions in the adoption of best practices,
sound governance and proper risk management. The responsibilities of the
respective Supervision Departments are as follows:

• Financial Conglomerates Supervision – Supervision of domestic financial
conglomerates.
• Banking Supervision – Supervision of foreign banks, stand-alone investment
banks and all Islamic banks, including Islamic banking subsidiaries of
domestic banks.
• Insurance and Takaful Supervision – Supervision of insurance companies,
reinsurance companies, takaful operators, retakaful operators as well as
international takaful operators.

2.2.1 Objective of Banking Supervision

Prudential regulation and supervisory framework have a critical role to play
in ensuring financial stability. Bank Negara Malaysia (n.d.) defined financial
stability as:

“A condition where the processes of financial intermediation function
smoothly and there is confidence in the performance of key financial
institutions and markets”.

There are two components under the regulatory and supervisory framework:

• Bank regulation refers to the set of written rules that define acceptable
behaviour and conduct for banks.
• Banking supervision is the process of monitoring performance and
compliance with these regulations.

While there are many objectives regarding banking supervision, the primary
objective of banking supervision is to promote the safety and soundness of
banks. Contrary to popular belief, banking supervision does not aim to prevent
bank failures. Instead, the aim is to reduce the probability and impact of bank
failures through effective banking supervision.

2.2.2 Approaches to Banking Supervision

There are two main approaches to banking supervision:

[Figure 2.6: The approaches to banking supervision – rules-based approach to supervision; risk-based approach to supervision]

• Rules-based approach to supervision – Rules-based approach to
supervision refers to monitoring or enforcing compliance with banking
regulations. Under the previous approach, the objective of supervision is
to make sure that banks comply with specific rules and regulations. Under
this approach, the supervisors’ role is to interpret the rules as stated in the
regulations and law, and there is no room for judgment or interpretation.
The underlying theory is that if the banks comply with the prudential regulatory
standards, there is a high likelihood that banks are supervised safely and
soundly.

A rules-based system provides certainty on what the banks must do to
comply. However, there is uncertainty on whether the regulatory outcome
is achieved, as regulations may not have been able to catch up with
business developments, or there may be unintended consequences in
complying with these regulations.

Boxed Article–2

The CAMELS rating system (Corporate Finance Institute, n.d.)

What is the CAMELS Rating System?
The CAMELS Rating System was developed in the United States as a supervisory rating system
to assess a bank’s overall condition. CAMELS is an acronym that represents the six factors that
are considered for the rating. Unlike other regulatory ratios or ratings, the CAMELS rating is not
released to the public. It is only used by top management to understand and regulate possible
risks.

Supervisory authorities use scores on a scale of 1 to 5 to rate each bank. The strength of the
CAMELS lies in its ability to identify financial institutions that will survive and those that will fail.
The concept was initially adopted in 1979 by the Federal Financial Institutions Examination
Council (FFIEC) under the Uniform Financial Institutions Rating System (UFIRS). CAMELS was later
modified to add a sixth component – sensitivity – to the acronym.

What does CAMELS stand for?
The components of CAMELS are:

• (C)apital adequacy
• (A)ssets
• (M)anagement capability
• (E)arnings
• (L)iquidity
• (S)ensitivity

How does the CAMELS Rating System Work?
For each category, a score is given from one to five. One is the best score and indicates strong
performance and risk management practices within the institution. On the other hand, five is
the poorest rating. It indicates a high probability of bank failure and the need for immediate
action to ratify the situation. If an institution’s current financial condition falls between 1 and 5, it
is called a composite rating.

• A scale of 1 implies that a bank exhibits a robust performance, is sound, and complies with
risk management practices.
• A scale of 2 means that an institution is financially sound with moderate weaknesses
present.
• A scale of 3 suggests that the institution shows a supervisory concern in several dimensions.
• A scale of 4 indicates that an institution has unsound practices, thus is unsafe due to serious
financial problems.
• A rating of 5 shows that an institution is fundamentally unsound with inadequate risk
management practices.

A higher number rating will impede a bank’s ability to expand through investment, mergers,
or adding more branches. Also, an institution with a poor rating will be required to pay more in
insurance premiums.

As banks become more sophisticated and complex, there is an increasing
shift away from a rules-based approach to banking supervision to a more
principle or risk-based approach.

• Risk-based approach to supervision – Risk-based approach to supervision
focuses on regulatory or supervisory outcomes rather than compliance.
Risk-based supervision forces bank supervisors to be more forward-looking
and to apply significant judgment to assess whether regulatory
outcomes are achieved. Therefore, the risk-based approach empowers
supervisors to use their discretion and go beyond the interpretation of
rules and regulations.

The risk-based approach focuses on the most important risks that a bank
faces. This is a radical shift from a compliance paradigm to a forward-looking
consideration and prioritisation of the most important risks that a bank
faces.

The Basel Committee on Banking Supervision (BCBS) recommends risk-based
supervision to:

“Target supervisory resources where they can be utilised to the best
effect, focusing on outcomes as well as processes, moving beyond
passive compliance with rules”.

2.2.3 The Risk-Based Supervisory Approach

The risk-based supervisory approach involves the following elements:

[Figure 2.7: The risk-based supervisory approach – forward-looking assessment of risk profile of banks; assess and address risks from banks and banking system; framework for early intervention; plans to resolve non-viable banks]

i. Forward-looking assessment of risk profile of banks – In a risk-based
banking supervision approach, supervisors should have the methodology
and process in place to assess the nature, impact and scope of risks
that banks and the banking system are exposed to and the risk profile
of different banks, which would allow the supervisors to form a forward-looking
view of each bank’s risk profile and how it affects the safety and
soundness of individual banks and the banking system as a whole.

The risk profile should be analysed with the following inputs:

▶ Group structure;
▶ Internal control;
▶ Resolvability⁵ of banks; and
▶ Comparative information of banks.

In making this assessment, the banking supervisor considers the
macroeconomic and cross-sectoral environment affecting the bank’s risk
profile.

ii. Assess and address risks from banks and banking system – The supervisor
then identifies, monitors, and addresses the build-up of risks, trends, and
concentrations within and across the banking system as a whole. The
supervisor should address proactively any serious threat to financial
stability.
iii. Framework for early intervention – The supervisor should assess banks’
resolvability, especially with respect to their risk profile and systemic
importance.

The supervisor may require banks to adopt specific measures such as:

▶ Changes to business strategies.
▶ Changes to managerial, operational and ownership structure.
▶ Changes to internal procedures.

iv. Plans to resolve non-viable banks – The supervisor should have a framework
or process for handling banks in times of stress, such as decisions requiring
or undertaking recovery or resolution actions on time. Recovery actions
pertain to alternative approaches that can be implemented quickly after
the occurrence of adverse stress events. Resolution actions are post-recovery
actions that minimise the impact of losses or damages to the
financial system from the failure of the bank.

⁵ Resolvability of banks is becoming a central feature of post-2008 financial crisis banking regulation, where regulators focus on
ensuring that individual banks can be liquidated in an orderly manner with minimal impact on the entire financial system. This
ensures that the central bank or the government will not be expected to bail out failing and non-viable financial institutions.

2.2.4 Supervisory Tools and Techniques

The banking supervisor applies a mix of on-site and off-site supervision to
evaluate the bank’s risk profile.

i. On-site supervision – On-site supervision is used as a tool to provide
independent verification that adequate policies and procedures exist
at banks, determine that the information provided by banks is reliable,
obtain additional information on the bank and its related companies which
is needed for the assessment of the condition of the bank, and monitor the
bank’s follow-up on supervisory concerns.
ii. Off-site supervision – Recognising the limited resources of banking
supervisors, on-site supervision is supplemented by off-site supervision.
Off-site supervision is a tool to regularly review and analyse the financial
conditions of banks, follow up on matters requiring further attention,
identify and evaluate developing risks and help identify the priorities,
scope of further off-site and on-site work, etc.

Below are some of the tools used by the supervisors to assess the safety and
soundness of banks:

• Financial statement analysis
• Business model analysis
• Horizontal peer reviews
• Review of the outcome of stress tests undertaken by the bank
• Analysis of the corporate governance, including risk management and
internal control systems.

2.3 TYPES AND SOURCES OF MALAYSIAN BANKING REGULATIONS

Regulations are defined as written rules or directives setting minimum expectations
on behaviour or conduct of business. Such regulations include a high-level overview
of the governance and supervision of banks, including legislation, regulatory bodies
and the role of international standards, licensing, the rules on liquidity, foreign
investment requirements, liquidation regimes and recent trends in the regulation of
banks.

2.3.1 Types of Banking Regulations

Banking regulations can be divided into four (4) main types as below:

• Competition – Competition regulations address issues of non-competitive
behaviour among banks. The objective is to foster competition
among banks to ensure that they provide consumers with
banking services and products at reasonable prices.

There is a complex relationship between competition and
financial stability. Some studies show that competition
is favourable to bank stability. Other studies, however,
conclude that competition may endanger the stability of banks. This
is because banks should have sufficiently large capital
and diversified exposures to withstand potential shocks in
the business environment. Hence, there may be conflicting
objectives.

Examples:
▶ Separation of commercial and investment banking,
e.g., the Glass-Steagall Act during the 1930s Great
Depression
▶ Antitrust regulations in banks
▶ Banking entry restrictions
▶ Licensing criteria
▶ Branching restrictions

• Safety and soundness – Regulations seek to promote a safe and sound banking
system and are not intended to dictate how banks should
be managed. Rather, they prescribe minimum standards on
the management of the bank.

Examples:
▶ Minimum capital and liquidity standards
▶ Guideline and limits on large credit exposures
▶ Corporate governance requirements
▶ Regular reporting and disclosure standards
▶ Internal control standards
▶ Accounting standards
▶ Anti-money laundering standards

• Consumer protection – Regulations also seek to protect consumers from
irresponsible and unfair banking business practices. They also
aim to protect banks from potential legal liabilities and
ensure public confidence in the bank.

Regulations aim to promote high ethical and professional
standards in the banking sector.

Examples:
▶ Consumer disclosures
▶ Bank confidentiality requirements
▶ The US Truth in Lending Act

• Monetary policy – Regulations are designed to implement the monetary policy
objectives of a country’s central bank. The central bank can
control monetary supply and implement its monetary policy
objectives through regulations on reserve requirements and
deposit rates.

Examples:
▶ Reserve requirements
▶ Deposit rates regulations

Figure 2.8: Types of banking regulations

The coronavirus pandemic that hit the globe in 2020 drove banking
regulators and policymakers to enact new or modify existing
laws and policies rapidly, and to implement regulations to enable commerce to
continue securely amid social distancing measures. Although the pandemic
greatly impacted the regulatory landscape and many new regulations for
the current year stemmed from that event, legislation unrelated to the
pandemic was also enacted. Below are some of the key global regulations,
laws, and standards that will impact financial institutions and the banking
industry:

• Cybersecurity
• Anti-money laundering and terrorist financing
• Payment systems
• Electronic signature
• Data privacy and data protection
• Open banking

2.3.2 Sources of Banking Regulations

The sources of banking regulations are threefold, as below:

• Banking legislation
▶ Domestic/national law
▶ International law
• Enforcement actions
• Standards/Guidelines
▶ Local standards
▶ International standards

Figure 2.10: Sources of banking regulation

Banking legislation
Banking legislation aims to enable the banks to meet the objectives of a
central bank. It is vested with comprehensive legal powers to regulate and
supervise the financial system. Within the domestic and national spectrum of
banking legislation in Malaysia, these pieces of legislation include:

i. Central Bank of Malaysia Act 2009 – An Act to provide for the continued
existence of the Central Bank of Malaysia and the administration, objects,
functions, and powers of the bank for consequential or incidental matters.

ii. Financial Services Act 2013 – An Act to provide for the regulation and
supervision of financial institutions, payment systems, and other relevant
entities and oversee the money market and foreign exchange market to
promote financial stability and related consequential or incidental matters.

iii. Islamic Financial Services Act 2013 – An Act to provide for the regulation
and supervision of Islamic financial institutions, payment systems and
other relevant entities and the oversight of the Islamic money market
and Islamic foreign exchange market to promote financial stability and
compliance with Shariah and for related, consequential, or incidental
matters.

iv. Insurance Act 1996 – An Act to provide new laws for the licensing and
regulation of the insurance business, insurance broking business, adjusting
business, financial advisory business, and other related purposes. This Act
has been repealed, except that Sections 147(4), 147(5), 150, 151, 144 and 224
continue to remain in full force and effect (see section 275 of FSA 2013 – Act
758).

v. Development Financial Institutions Act 2002 (Act 618) – The DFIA, which came
into force on 15 February 2002, focuses on promoting the development of
effective and efficient development financial institutions (DFIs) to ensure
that the roles, objectives, and activities of the DFIs are consistent with the
Government policies and that the mandated roles are effectively and
efficiently implemented. DFIA also emphasises efficient management and
effective corporate governance and provides a comprehensive supervision
mechanism and mechanism to strengthen the financial position of DFIs
through the specification of prudential requirements.

vi. Money Services Business Act 2011 – The Money Services Business Act 2011
(MSBA) came into force on 1 December 2011 and provides for the licensing,
regulation, and supervision of the money services business industry, which
comprises money changing, remittance and wholesale currency business
and other related matters.
The MSBA was enacted to modernise and elevate the status of the money-
changing and remittance business into a more dynamic, competitive, and
professional industry while strengthening safeguards against the threats
of money laundering, terrorist financing and other illegal activities.
The central bank has the power to regulate the industry through the
issuance of regulations, guidelines, circulars, standards, and notices. Apart
from the power to compound and prosecute any person who contravenes
the MSBA, the bank is also empowered with other enforcement powers, to
issue a directive to a licensee or money services agent if it is contravening
or has contravened the MSBA or is carrying on money services business in
a manner detrimental to the interest of customers and public generally.
The bank may also take administrative action or institute civil actions
against any person who has contravened the MSBA.

vii. Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful
Activities Act 2001 (Act 613) – The AMLATFPUAA provides for the offence of
money laundering, the measures to be taken for the prevention of money
laundering and terrorism financing offences, investigation powers and
the forfeiture of property involved in or derived from money laundering
and terrorism financing offences, as well as terrorist property, proceeds
of unlawful activity and instrumentalities of an offence (this pertains to
the property of concern in the commission of an AMLA offense/violation).
The First Schedule of the AMLATFPUAA contains a list of the reporting
institutions under the AMLATFPUAA, for example, financial institutions and
designated non-financial businesses and professions required to perform
certain obligations designed to prevent money laundering and terrorism
financing offences. The Second Schedule of the AMLATFPUAA lists serious
offences from various legislation, which, if committed, are likely to result in
a person benefitting or deriving proceeds from the offence.

The AMLATFPUAA promotes a collaborative and multi-agency approach
by setting out the powers and functions of:

▶ The competent authority, which is responsible for overseeing the
performance of obligations by the reporting institutions, facilitating
the enforcement of the AMLATFPUAA and co-operating with the foreign
financial intelligence units;
▶ Enforcement agencies, which are responsible for investigating the offences
under the AMLATFPUAA; and
▶ Supervisory and regulatory authorities, which are responsible for facilitating
the implementation of the AMLATFPUAA.

The Minister of Finance has appointed BNM as the competent authority
under the AMLATFPUAA. The Financial Intelligence and Enforcement
Department of BNM is responsible for performing BNM’s functions as the
competent authority under the AMLATFPUAA.

viii. Currency Act 2020 – An Act to provide for the management of currency
of Malaysia, regulation of currency processing business, and currency
processing activities, and for related matters.

In addition to the domestic and national legislation of Malaysia as above,
there are very few international regulations or agreements involving
banking regulation. There are, however, treaties that contain provisions
that impact banking regulations indirectly. An example of this would be the
Financial Sector Assessment Programme (FSAP).

The Financial Sector Assessment Programme (FSAP), established in 1999, is a
comprehensive and in-depth analysis of a country’s financial sector. FSAP
assessments are a joint responsibility of the International Monetary Fund
(IMF) and World Bank. FSAPs in advanced economies are conducted by the IMF
with a focus on assessing the resilience of the financial sector, the quality
of the regulatory and supervisory framework, and the capacity to manage
and resolve financial crises. In developing and emerging market economies,
FSAPs are conducted jointly with the World Bank.

When a country joins the IMF, it agrees to subject its economic and financial
policies to the international community’s scrutiny. The IMF’s regular monitoring
of economies and associated provision of policy advice is referred to as
surveillance. The objective of surveillance is to identify a weakness that is
causing or could lead to financial instability.

Country surveillance is an ongoing process that culminates in regular
comprehensive consultations with individual member countries. These are
the “Article IV consultations” as required under Article IV of the IMF’s Articles
of Agreement.

Standards/Guidelines
Standards are a level of quality or attainment, while guidelines are
non-specific rules or principles that provide direction to action or behaviour. In
banking, standards and guidelines (also known as “soft laws”) are used to
facilitate banks in their business interaction and enable them to comply with
relevant laws and regulations in conducting their businesses.

In Malaysia, there are several agencies or bodies in charge of developing the
standards and guidelines for banking, such as Bank Negara Malaysia (BNM),
the Malaysian Accounting Standards Board (MASB) and the Malaysia Deposit
Insurance Corporation (MDIC), also known as PIDM.

The standards and guidelines published on the BNM website cover the
following banking business areas:

• Banking & Islamic banking
• Insurance & takaful
• Development financial institutions
• Money services business
• Intermediaries
• Digital currencies
• Payment systems
• Designated non-financial businesses and professions (DNFBPs) & non-
bank financial institutions (NBFIs)

All these are issued in the form of a policy document, exposure draft,
regulation, notification, and discussion paper.

MASB published the Malaysian Financial Reporting Standards (MFRS), which
serve as a basis for financial reporting in Malaysia and have been fully
converged with the International Financial Reporting Standards (IFRS) from 1
January 2012. Ongoing improvements in these standards have contributed to
a greater alignment between financial reporting and prudential frameworks.
Notwithstanding these positive developments, the increasingly more
principle-based financial reporting standards and the substantial degree of
judgment required under the financial reporting standards can continue to
result in divergent outcomes between the objectives of financial reporting
and prudential regulation, which is primarily concerned with promoting
financial stability.

MDIC, a government agency established under the Malaysia Deposit
Insurance Corporation Act, was set up in 2005 to administer the Deposit
Insurance System (DIS) and protect the depositors. Beginning 31 December
2010, MDIC’s role was expanded to administer the Takaful and Insurance
Benefits Protection System (TIPS) to protect owners of takaful certificates and
insurance policies.

Within the international spectrum, below are ten (10) of the international
bodies involved in issuing international standards relevant for banks:

Standards/Guidelines Description

The Basel Committee on Banking Supervision
(BCBS) is the primary global standard setter for the
prudential regulation of banks and provides a
regular forum for banking supervisory matters.
Its 45 members comprise central banks and
bank supervisors from 28 jurisdictions.

Its mandate is to strengthen banks’ regulation,
supervision, and practices worldwide to
enhance financial stability.

Despite this, the BCBS has no formal
supranational authority, and its decisions
have no legal force. It relies on member
commitments to achieve its mandate.

BCBS formulates supervisory standards and
guidelines to promote global financial stability.
However, these standards and guidelines have
no legal force. They are developed and issued
upon agreement of members, with the expectation that
individual national supervisors will implement
these standards and guidelines.

• Standards – BCBS sets minimum standards
for prudential regulation and
supervision of banks. The
standards constitute minimum
requirements, and members
may decide to go beyond them.
While not legally binding, BCBS
expects these standards to be
incorporated into the respective
local legal frameworks within
the pre-defined timeline
decided by the Committee.
• Guidelines – Guidelines elaborate the
standards and supplement
the standards for their
implementation.
• Sound practices – Sound practices describe
actual observed practices
with the goal of common
understanding and improving
supervisory banking practices.

IFRS means the International Financial
Reporting Standards, which are the accounting
standards issued by the IFRS Foundation
and the International Accounting Standards
Board. Accounting standards are a set of
principles that banks follow when they prepare
and publish their financial statements. This
provides a standardised way of describing the
bank’s financial condition and performance.

IFRS Foundation is an organisation established
to develop a single set of high quality,
understandable, enforceable, and globally
accepted accounting standards (IFRS
standards) and promote and facilitate the
adoption of the standards.

IFRS standards are set by the International
Accounting Standards Board (IASB), which
is the standard-setting body of the IFRS
foundation.

Financial Stability Board (FSB) is an
international body that monitors and makes
recommendations about the global financial
system. It promotes international stability by
coordinating national financial authorities and
international standard-setting bodies to develop strong
regulatory, supervisory and other financial
sector policies.

Financial Action Task Force (FATF) is an
inter-governmental body established in 1989
to set standards and promote effective
implementation of legal, regulatory and
operational measures for combating money
laundering, terrorist financing and other related
threats to the integrity of the international
financial system.

The FATF has developed a series of
recommendations recognised as the
international standard for combating money
laundering and the financing of terrorism and
proliferation of weapons of mass destruction.

The Committee on the Global Financial
System is a committee of major advanced
and emerging economy central banks that
undertakes systematic short-term monitoring
of the global financial system, longer-term
analysis of the functioning of the financial
markets and the articulation of policy
recommendations aimed at improving market
functioning and promoting stability.

The Committee on Payments and Market
Infrastructure (CPMI) promotes safety and
efficiency of payment, clearing, settlement
and related arrangements to support financial
stability and the wider economy. CPMI is
a global standard-setter in these areas. It
monitors and analyses developments in these
arrangements.

The European Securities and Markets Authority
(ESMA) is an independent EU authority that aims
to strengthen financial markets’ functioning in
Europe and promote investor protection and
cooperation among supervisors. It is in charge
of the implementation of EMIR and MiFID
regulations.

European Market Infrastructure Regulation
(EMIR) lays down rules on over-the-counter (OTC)
derivatives, central counterparties, and trade
repositories.

Markets in Financial Instruments Directive
(MiFID) is EU legislation regulating firms that
provide services to clients linked to financial
instruments.

The International Swaps and Derivatives
Association (ISDA) is an organisation
mandated to make OTC derivatives markets
safe and efficient and facilitate effective risk
management for users of derivative products.
ISDA was established in 1985 and had over 800
member institutions in 64 countries.

Joint Forum was established in 1996 under
the Basel Committee on Banking Supervision,
the International Organisation of Securities
Commissions (IOSCO) and the International
Association of Insurance Supervisors (IAIS)
to deal with issues common to the banking,
securities, and insurance sectors, including
the regulation of financial conglomerates.

Figure 2.9: The international bodies issuing the international
standards/guidelines for banks


Enforcement actions
The banking supervisor has the authority to take formal enforcement actions
against any person who fails to comply with regulatory standards and other
requirements issued pursuant to the laws it administers. Enforcement
actions imposed by the supervisor, including criminal, civil and administrative
actions, have an important role in providing credible deterrence against
non-compliance and ensuring public confidence in the financial system’s integrity.

2.3.3 Prudential Regulations and Requirement Standards

The prudential regulatory framework emphasises high-level principles
of sound financial and business practices and the responsibility of the
board and senior management of financial institutions to manage risks in
line with individual business strategies and in a manner appropriate to the
circumstances and exposures of the institution. This approach ensures a
regulatory framework that is more robust against the vagaries of changing
market conditions while providing financial institutions with sufficient flexibility
to operate in a manner that is consistent with the institution’s strategic
objectives, business models, size, and risk profile.

Prescriptive rules and requirements are preserved in specific areas necessary
to maintain stability in the financial system and avoid materially distorting
competitive effects. These include minimum capital adequacy requirements,
prudential limits on excessive risk-taking, specific guidance on minimum
standards of sound management (e.g., for less developed sectors or new
financial activities) and regulatory requirements to address present and
emerging risks (e.g., imposed under conditions of distress).

The prudential framework is regularly reviewed and updated to adapt to
changing market realities and considers developments in international
standards and guidance issued by the Basel Committee on Banking
Supervision (BCBS), the International Association of Insurance Supervisors
and the Islamic Financial Services Board.

Figure 2.10 shows the Core Principles for Effective Banking Supervision, the de
facto minimum standard for sound prudential regulation and supervision
of banks and banking systems. Originally issued by BCBS in 1997, countries
use them as a benchmark for assessing their supervisory systems’ quality
and identifying future work to achieve a baseline level of sound supervisory
practices. The International Monetary Fund (IMF) and the World Bank also
use the core principles in the context of the Financial Sector Assessment
Programme (FSAP) to assess the effectiveness of countries’ banking
supervisory systems and practices. (Basel Committee on Banking Supervision,
2012)


The core principles    What is this about?    Why is this important?    Where to find it?

Corporate governance

What is this about?
Corporate governance regulations aim to ensure that the responsibilities
of a bank’s Board of Directors and Senior Management with respect to
corporate governance are established. This is to ensure that there is
effective control over the bank’s entire business.

These cover:
√ Strategic direction
√ Group and organisational structure
√ Control environment
√ Responsibilities of the Board of Directors and Senior Management
√ Compensation

Why is this important?
Sound corporate governance underpins effective risk management and
public confidence in individual banks and the banking system.

Where to find it?
• Principles for corporate governance, October 2010
• Compensation principles and standards assessment methodology, January 2010

Risk management process

What is this about?
Banks should have a comprehensive risk management process to identify,
measure, evaluate, monitor, report and control or mitigate all material
risks on a timely basis and assess the adequacy of their capital and
liquidity in relation to their risk profile and market and macroeconomic
conditions.

This requires banks to develop and review contingency arrangements.

Why is this important?
Banks should have a structured risk management process to manage the
broad spectrum of risks they face.

Given the special nature of a bank’s risk profile, banks should also be
prepared to handle and manage contingencies and develop credible and
robust recovery plans.

Where to find it?
• Principles for enhancing corporate governance, October 2010
• Enhancements to Basel II framework, July 2009
• Principles for sound stress testing practices and supervision, May 2009


Capital adequacy

What is this about?
Banks should maintain an adequate level of capital to absorb losses.

The prescribed capital requirements should reflect the risk profile and
systemic importance of banks.

This means that higher risk exposure would attract higher capital charges
(i.e., risk-based).

Capital requirements for internationally active banks should not be lower
than those prescribed by the Basel Capital Accord.

Why is this important?
In order to continue to exist as a going concern, banks should maintain
an adequate level of capital to absorb losses.

Banks must be able to calculate capital consistently and comply with the
threshold.

Failure to comply with the threshold would subject the bank to
supervisory action.

Where to find it?
• Revisions to Basel II market risk framework, February 2011
• Minimum requirements to ensure loss absorbency at the point of
  non-viability, January 2011
• Capitalisation of bank exposures to central counterparties, July 2012
• Sound Practices for Back testing Counterparty Credit Risk Models,
  December 2010
• Guidance for national authorities operating the countercyclical capital
  buffer, December 2010
• Basel III, December 2010
• Guidelines for computing capital for incremental risk in the trading
  book, July 2009
• Enhancements to the Basel II framework, July 2009
• Range of practices and issues in economic capital framework, March 2009
• Basel II, June 2006
• Basel I, July 1988


Credit risk

What is this about?
Banks are required to have prudent policies and processes in identifying,
measuring, evaluating, monitoring, reporting, and controlling or mitigating
credit risk exposure across all the credit lifecycle: credit underwriting,
credit evaluation and ongoing management of the bank’s loan and investment
portfolio.

Why is this important?
For many banks, credit is their single largest exposure. Credit risk
exists in the bank’s loans, investments, and trading activities.

Various studies have demonstrated that one of the most common reasons
for bank failure is unacceptable credit underwriting and risk management
standards and practices.

Given this, banks must have a sound credit risk management process in
place.

Where to find it?
• Sound practices for back testing counterparty credit risk models,
  December 2010
• FSB report on principles for reducing reliance on CRA ratings, October 2010
• Enhancements to the Basel II framework, July 2009
• Sound credit risk assessment and valuation for loans, June 2006
• Principles for the management of credit risk, September 2000

Problem assets, provision, and reserves

What is this about?
This requires banks to have adequate policies and procedures for early
detection, identification, and management of problem assets. This also
requires banks to properly value assets through the maintenance of
adequate provisions and reserves.

Problem assets are assets that are or have the prospect of becoming
non-performing (i.e., interest or principal in default for more than a
threshold number of days – for example, 90 days).

Why is this important?
In the business of granting credit, it is unavoidable to see some
problem assets in the portfolio.

The objective of regulations regarding problem assets is to ensure that
an appropriate process is in place. This is to ensure that problem assets
are detected and identified early (through early warning signals
indicating or predicting deterioration).

Further, since most loans and credit instruments are measured at
historical cost, banks are required to make sure that adequate
provisioning is in place to reflect expected loss arising from potential
non-performance of problem assets.

Where to find it?
• Sound credit risk assessment and valuation for loans, June 2006
• Principles for the management of credit risk, September 2000


Concentration risk and large exposure limits

What is this about?
Banks’ supervisors set a prudential limit to restrict banks’ exposures to
single counterparties or groups of related parties.

This requires banks to have adequate policies and processes to manage
concentration risk in a timely manner.

Why is this important?
Time and again, history teaches us that too much concentration on one
party could cause significant damage or even the demise of a bank.

Further, excessive reliance on one source of funding or one customer type
could threaten the ability of the bank to continue to operate as a going
concern.

This is why prudential standards are in place to ensure that
concentration risk is appropriately mitigated or managed.

Where to find it?
• Joint forum cross-sectoral review of group-wide identification and
  management of risk concentrations, April 2008
• Sound credit risk assessment and valuation for loans, June 2006
• Principles for managing credit risk, September 2000
• Measuring and controlling large credit exposures, January 1991

Transactions with related parties

What is this about?
Related parties are parties that the bank exerts control over or that
exert control over the bank (for example, subsidiaries, affiliates).

These require banks to have processes and procedures in place to make
sure that transactions with related parties.

Why is this important?
Transactions with related parties are prone to abuses such as conflict of
interest. It is, therefore, important to have controls or mitigants in
place to make sure that transactions with related parties are done in an
arm’s length manner.

Where to find it?
• Principles for managing credit risk, September 2000


Country and transfer risk

What is this about?
Country risk is the risk of exposure to loss caused by events in a foreign
country. This is broader than sovereign risk because it involves all forms
of exposure in lending or investing with individuals, corporates, banks,
or the government.

Transfer risk is the risk that the borrower will not be able to convert
local currency into foreign exchange and so will be unable to make debt
service payments in foreign currency. This normally arises from foreign
exchange restrictions imposed by the government.

Why is this important?
Banks interested in international banking activities are exposed to risks
beyond normal risks associated with activities in the domicile country.

For example, in banks that are active in lending internationally, one
unique exposure is exposure to capital controls that will affect the
repayment of the amount lent to a borrower in that country. Note that the
borrower may be willing and able to fulfil their obligations in this case,
but capital controls would prohibit them from doing so.

Where to find it?
• Management of banks’ international lending, March 1982

Market risk

What is this about?
This requires banks to have an appropriate market risk management process
to provide a comprehensive bank-wide perspective on the market risk
exposure it faces, including exposures for which market value is
uncertain.

Why is this important?
The bank’s market risk-taking activities (trading and investment) have
become a substantial revenue source and risk exposure for many banks.

Capital held against this risk exposure should be sufficient to ensure
that unexpected losses and valuation adjustments are made for exposures
where fair value is hard to obtain.

Where to find it?
• Revisions to the Basel II market risk framework, February 2011
• Interpretative issues with respect to the revisions to the market risk
  framework, February 2011
• Guidelines for computing capital for incremental risk in the trading
  book, July 2009
• Supervisory guidance for assessing banks’ financial instrument fair
  value practices, April 2009
• Amendment to the capital accord to incorporate market risks, January 2005


Interest rate risk in the banking book

What is this about?
This requires the bank to have adequate systems to identify, measure,
evaluate, monitor, report and control or mitigate interest rate risk in
the banking book on a timely basis. These systems take into account the
bank’s risk appetite, risk profile and market and macroeconomic
conditions.

Why is this important?
Despite being one of the major risks banks face, this risk is not covered
by the minimum capital requirements (Pillar I) under the Basel Capital
Framework.

This standard guides minimum standards in setting interest-rate
strategies and in establishing an interest-rate risk management framework.

Where to find it?
• Principles for management and supervision of interest rate risk, July 2004

Liquidity risk

What is this about?
This requires banks to comply with the minimum standards prescribed by
supervisors regarding liquidity and have a sound liquidity risk management
strategy in place.

Why is this important?
Before the 2008 financial crisis, much of the regulatory focus was on
requiring banks to maintain adequate capital.

One of the lessons learned from the global financial crisis is that
having adequate capital is necessary but not a sufficient condition for
survival.

Many banks failed or encountered significant difficulties despite having
an adequate level of capital due to short-term liquidity issues.

Where to find it?
• Basel III: International framework for liquidity risk measurement,
  standards and monitoring, December 2010
• Principles for sound liquidity risk management and supervision,
  September 2008


Operational risk

What is this about?
Operational risk is one of the three major risks covered by Pillar I of
the Basel Capital Framework.

This requires banks to maintain an appropriate operational risk
management framework and process that will allow banks to address major
aspects of operational risk on a bank-wide basis.

This also requires banks to have comprehensive and appropriate disaster
recovery and business continuity plans that will allow the bank to
continue to operate as a going concern and minimise losses in the event of
a severe disruption in operations.

Banks must also have an appropriate information technology risk
management process and established policies and processes to address
outsourcing risks.

Why is this important?
Operational risk is one of the hardest risks to manage because of its
pervasive nature and is hard to quantify.

This is why the regulatory approach tends to be more multidisciplinary
and incorporates different tools and techniques to manage operational
risk.

Where to find it?
• Principles for sound management for operational risk, June 2011
• Recognising the risk-mitigating impact of insurance in operational risk
  modelling, October 2010
• High-level principles for business continuity, August 2006
• Joint forum outsourcing in financial services, February 2005


Internal control and audit

What is this about?
Banks need to have adequate internal control frameworks to establish a
properly controlled operating environment for business conduct.

These controls include:
√ Clear arrangements for delegating authority and responsibility
√ Segregation of functions
√ Reconciliation of the processes
√ Safeguarding assets
√ Independent internal audit and compliance functions to attest to the
  effectiveness and efficiency of these controls.

Why is this important?
The operations of many banks are too broad and too complex. This makes it
hard to anticipate and manage every single risk they face. This is why it
is important to have an effective and efficient internal control
environment in place.

Internal audit is an important pillar in the risk management
infrastructure of banks (being the third level of defence).

Where to find it?
• Internal audit function in banks, June 2012
• Enhancements to Basel II framework, July 2009
• Compliance and compliance function in banks, April 2005
• Framework for internal control systems in a bank, September 1998

Financial reporting and external audit

What is this about?
Banks are required to prepare financial statements in accordance with
international accounting standards. An independent external auditor should
audit the annual financial statements.

Why is this important?
Financial statements are an important source of information for the
public in assessing banks’ financial condition and performance.

This is why these financial statements must be prepared in accordance
with internationally accepted accounting principles and independently
verified in accordance with internationally accepted auditing standards.

Where to find it?
• Supervisory guidance for assessing banks’ financial instruments fair
  value practices, April 2009
• External audit quality and banking supervision, December 2008
• The relationship between banking supervisors and banks’ external
  auditors, January 2002


Disclosure and transparency

What is this about?
Banks are required to disclose to the public their financial condition and
performance periodically, adhering to standards of comparability,
relevance, reliability, and timeliness of information disclosed.

Disclosure should be done on a consolidated or, when appropriate,
stand-alone basis.

Why is this important?
Market discipline (Pillar III) is an important pillar of the overall Basel
capital framework. This is why banks must make periodic disclosures to the
public to help assess the banks’ financial performance and condition.

Where to find it?
• Pillar 3 disclosure requirements for remuneration, July 2011
• Enhancements to Basel II framework, July 2009
• Basel II: International measurement of capital measurement and capital
  standards, June 2006
• Enhancing bank transparency, September 1998

Abuse of financial services

What is this about?
Banks need to have adequate policies and processes to establish a
properly controlled operating environment for the conduct of businesses.
This includes strict customer due diligence (CDD) rules to promote high
ethical and professional standards in the financial sector and prevent the
banks from being used, intentionally or unintentionally, for criminal
activities.

Why is this important?
Having adequate policies and processes is important as this would allow
banks to prevent and detect criminal activities and report such suspected
activities to the relevant authorities. Managing such abuse is important
for the overall safety, soundness and reputation of banks and banking
systems.

Where to find it?
• Sound management of risks related to money laundering and financing
  terrorism, June 2017.
• supervision, September 2008
• Core principles for the effectiveness of banking supervision,
  September 2012.

Figure 2.10: The core principles to the prudential regulations and requirements

2.4 INTRODUCTION TO RISK-BASED CAPITAL FRAMEWORK

Risk-Based Capital (RBC) is a method of measuring the minimum amount of
capital appropriate for a reporting entity to support its overall business operations
considering its size and risk profile. RBC limits the amount of risk a company can
take. It requires a company with a higher amount of risk to hold a higher amount
of capital. Capital provides a cushion to a company against insolvency. (National
Association of Insurance Commissioners, 2020)


RBC requirements exist to protect financial firms, their investors, their clients, and the
economy as a whole. These requirements ensure that each financial institution has
enough capital on hand to sustain operating losses while maintaining a safe and
efficient market. (Chen, 2020)

2.4.1 The Basel Committee on Banking Supervision (BCBS)

Before BCBS, no international body or forum was imposing minimum prudential
and supervisory standards for banks. Regulation and supervision were left to
the discretion of the respective local regulators. In the aftermath of
serious disturbances in international currency and banking markets (notably
the failure of Bankhaus Herstatt in West Germany), the Basel Committee was
established at the end of 1974 by the central bank Governors of the Group of
Ten (G10) countries. G10 comprises eleven (11) industrial countries, including
Belgium, Canada, France, Germany, Italy, Japan, the Netherlands, Sweden,
Switzerland, the United Kingdom, and the United States. Their role is to consult
and co-operate on economic, monetary, and financial matters.

The Basel Committee, headquartered at the Bank for International Settlements
(BIS) in Basel, aims to:

• Enhance financial stability by improving the quality of banking supervision
  worldwide; and
• Serve as a forum for regular cooperation between its member countries on
  banking supervisory matters.

The Basel Committee’s first meeting took place in February 1975, and meetings
have been held regularly three or four times a year since.

Since its inception, the Basel Committee has expanded its membership
from the G10 to 45 institutions from 28 jurisdictions. Starting with the Basel
Concordat, first issued in 1975 and revised several times since, the Basel
Committee has established a series of international standards for bank
regulation, most notably its landmark publications of the accords on capital
adequacy, commonly known as Basel I, Basel II and, most recently, Basel III.


Boxed Article–3

The Bank Herstatt Crisis


The collapse of the Bretton Woods system led many countries to adopt a floating exchange
rate system. The floating exchange rate system means that the currency’s value fluctuates
depending on market supply and demand. Large foreign exchange losses were reported
by various banks such as the Union Bank of Switzerland, Franklin National Bank, etc.

What is the Bretton Woods International Monetary System?


The Bretton Woods International Monetary System was the prevailing international
monetary system at the end of World War II, where currencies are pegged to the US dollar,
and the US dollar is directly pegged or convertible to gold.

The Herstatt crisis


In 1974, a relatively unknown bank in Cologne, Germany, Bankhaus I.D. Herstatt, had a high
concentration of activities in the area of foreign trade payments. Because of the large
foreign exchange losses incurred by different banks due to the collapse of the Bretton
Woods System, in March 1974, Germany’s Federal Banking Supervisory Office conducted a
special audit on the bank. Herstatt’s open foreign exchange position was DM 2 billion, three
times as large as its capital. The regulator deemed Herstatt insolvent, given that assets of
DM 1.1 billion were significantly less than liabilities of DM 2.2 billion. To protect the depositors,
the regulator decided to close the bank and withdraw its banking license by the close of
business day on 26 June 1974.

The problem was that, at the close of the business day in Germany, it was still morning in New
York, and Herstatt’s counterparties from these banks had delivered one leg of the foreign
exchange transaction (the receive leg), not knowing that Bank Herstatt had been closed by
regulators. The bank’s liquidators refused to do the other leg of the foreign exchange
transaction (the payment leg). This triggered a wave of credit losses and uncertainty from
different banks due to the unsettled trade with Herstatt.

The Herstatt risk


Herstatt risk is a popular risk management jargon used to describe settlement risk.
Settlement risk arises when payments are not exchanged simultaneously, and one of the
parties fails to fulfil their obligations.

Conclusion
The failure of Bank Herstatt brought an international dimension to managing the banking
crisis. It heightened the need to coordinate bank regulatory and supervisory efforts on an
international level.


2.4.2 The Basel Accords

The Basel Accords refer to the banking supervision regulations set by the
Basel Committee on Banking Supervision (BCBS). They were developed over
several years between 1980 and 2011, undergoing several modifications over
the years.

The Basel Accords were formed to create an international regulatory framework
for managing credit risk and market risk. Their key function is to ensure that
banks hold enough cash reserves to meet their financial obligations and
survive in financial and economic distress. They also aim to strengthen
corporate governance, risk management, and transparency.

The regulations are considered to be the most comprehensive set of
regulations governing the international banking system. The Basel Accords
can be broken down into Basel I, Basel II, and Basel III.

[Diagram of the three accords and their pillars:
Basel I: Minimum capital requirements for Credit and Market Risk
Basel II: Pillar 1 – Minimum capital requirements; Pillar 2 – Supervisory
review process; Pillar 3 – Disclosure and market discipline
Basel III: Pillar 1 – Enhanced capital and liquidity requirement; Pillar 2 –
Enhanced supervisory review and evaluation process (SREP); Pillar 3 –
Enhance risk disclosure and market discipline
Other labels in the diagram: Eligible Capital; Capital Ratio Requirements; Capital]

Figure 2.11: The Basel Framework

2.5 BASEL I: THE 1988 BASEL CAPITAL ACCORD

Basel I, also known as the Basel Capital Accord, was formed in 1988. It was created
in response to the growing number of international banks and the increasing
integration and interdependence of financial markets. Regulators in several
countries were concerned that international banks were not carrying enough cash
reserves. Since international financial markets were deeply integrated at that time,
the failure of one large bank could cause a crisis in multiple countries.


2.5.1 About Basel I

In the 1980s, many Latin American countries defaulted on their foreign debt
obligations. In 1970, the debt level was just USD 29 billion, but by the end of
1982, the debt levels increased by more than tenfold to USD 327 billion.

[Bar chart: The Latin American Countries Bank Debt Levels, in USD (Billion).
1970: USD 29 billion; 1978: USD 159 billion; 1982: USD 327 billion]

Figure 2.12: The Latin American countries bank-debt levels from 1970 – 1982

Many US commercial banks were exposed to these Latin American economies.
By 1982, the nine largest US money-centre banks held Latin American debt,
amounting to 176% of their capital. The capital ratios of major international
banks were deteriorating at a time of growing international risks. This led
the Basel Committee to focus its work on minimum standards of capital
adequacy.

In 1988, the BCBS issued the International Convergence of Capital
Measurement and Capital Standards, commonly referred to as the 1988 Basel
Capital Accord (Basel I). This is the first international framework on capital
adequacy.

The two main objectives of Basel I are:

• Strengthen the soundness and stability of the international banking system
• Establish a level playing field among international banks

The 1988 Basel Capital Accord aims to establish a minimum level of capital for
internationally active banks relative to their respective risk-weighted assets
or off-balance sheet exposures. This addresses the competitive inequality that
arises when national capital requirements apply different approaches and
standards in calculating capital.


2.5.2 Basel I Ratio

Basel I ratio is called the Cooke ratio, named after Peter Cooke, the former
Chairman of BCBS. The Cooke ratio is a way of calculating how much capital a
bank has in relation to its risky assets. In theory, it indicates how well protected
the bank is against risk. The Cooke ratio was once used to calculate a legal
minimum figure for banks but was replaced in 2006 with a fairer calculation
method.

The Cooke Ratio has two main components, namely the total capital and the
risk-weighted assets. The aim is to take account of the inherent risk that
much of the money in a banking system exists only as numbers on paper
rather than as actual cash. The total capital covers the cash the bank holds plus
physical assets such as buildings. The risk-weighted assets consist of any
money lent to borrowers, which the bank is not guaranteed to get back as
borrowers may default. In theory, the higher the ratio of capital to risk assets,
the lower the chance of a bank being threatened by lower-than-expected
repayment levels from borrowers.

$$\text{Basel I Capital Ratio} = \frac{\text{Total capital}}{\text{Risk-weighted assets}} \geq 8\%$$

Figure 2.13: Basel I capital ratio calculation

Basel I called for a minimum ratio of capital to risk-weighted assets of 8%
to be implemented by the end of 1992. The focus of Basel I was on credit risk.
Risk arising from other sources, such as market risk, is left to the discretion
of the respective country’s national supervisor.


2.5.3 Why Focus on Capital?

[Diagram of how losses flow through the bank’s funding:
Capital (retained earnings, additional paid in capital, common equity): must be
sufficient to cover actual/expected loss; otherwise the bank will default on
its debt obligation.
Provision / Losses: actual loss/provision for loss to be recorded by the banks
(credit loss comes directly out of retained earnings).
Debt]

Figure 2.14: From loss to capital

Banks hold assets such as loans and receivables in their books. Deterioration
in the credit quality of a bank’s balance sheet will result in write-downs and
credit losses. These credit losses are charged against profit and loss (P&L).
These write-downs and credit losses impact the bank’s retained earnings,
representing cumulative earnings retained in the bank’s capital.

As long as losses do not exceed the bank’s capital, the bank will continue
to exist as a going concern. This is because the bank has no contractual
obligation to pay its equity holders. If losses exceed the bank’s capital, losses
will accrue to the debtholders. The bank has a contractual obligation to pay
its financial obligations to its debtholders.

Debtholders have legal recourse to force the bank to file for bankruptcy and
cease to exist as a going concern. This is why capital is considered a buffer
that will allow the bank to withstand losses in a stress scenario.


For regulatory capital purposes, capital is stratified into two types:

Core Capital or Tier 1 Capital

Core Capital or Tier 1 Capital is composed of:

i. Basic equity capital – includes the permanent shareholders’ equity (i.e.,
the issued and fully paid ordinary shares/common stock and perpetual
non-cumulative shares).
ii. Disclosed reserves (retained earnings) – created or increased by
appropriations of retained earnings or other surpluses such as share
premiums, retained profit, general reserves, and legal reserves.

Supplementary Capital or Tier 2 Capital

Supplementary Capital or Tier 2 Capital is a secondary source of capital for
banks composed of:

i. Undisclosed reserves/hidden reserves – the unpublished reserves that could
be freely and immediately used to meet unforeseen future losses.
ii. Revaluation reserves – reserves generated due to the positive revaluation
of fixed assets and equity investments relative to their historical
acquisition cost.
iii. General provisions/general loan-loss reserves – reserves held against
unidentified losses that are freely available to meet losses which
subsequently materialise.
iv. Hybrid debt capital instruments – instruments that combine the
characteristics of equity capital and debt.
v. Subordinated term debt – unsecured long-term debt instruments that rank
lower than a secured debt obligation of banks but higher than equity.
Subordinated term debt will be limited to a maximum of 50% of Tier 1.

Figure 2.15: Tier 1 vs Tier 2 capital


2.5.4 The Risk-Weighted Assets

The Cooke ratio calculation works on a risk-weighted basis. This means the
risky assets figure is not simply a total of the assets. Instead, each asset
is placed into one of five categories, and the total assets in that category
are multiplied by a specific percentage. For example, loans to the national
government in the bank’s own country are considered so safe that the
category total is multiplied by 0%, meaning those assets are effectively
ignored. Riskier loans fall into the 10%, 20%, 50%, and 100% categories, meaning
some or all of the asset’s value is included in the overall total. In Basel I, riskier
assets are assigned higher risk weights.

| Risk weights | The assets |
|---|---|
| 0% | Cash |
| 0% | Claims on central governments and central banks in national currency |
| 0% | Claims on OECD central governments and central banks |
| 10% | Claims on domestic public-sector entities (at national discretion) |
| 20% | Claims on multilateral development banks |
| 20% | Claims on banks incorporated in the OECD* |
| 20% | Claims on banks incorporated outside OECD with the maturity of less than one year |
| 50% | Loans secured by a mortgage on residential property |
| 100% | Claims on private sector |
| 100% | Claims on banks incorporated outside OECD with the maturity of greater than one year |
| 100% | Claims on central governments outside OECD |
| 100% | Fixed Assets |
| 100% | Real Estate and Other Investments |

*Note: OECD countries are full members of the Organisation for Economic
Cooperation and Development.

Figure 2.16: Risk-weighted assets category and percentage


Illustrative Example–1

Computing for Basel I Capital Ratio

Below is a simplified balance sheet of Bank XYZ:

| | MYR | | MYR |
|---|---|---|---|
| Cash | 100,000,000 | Deposits | 470,000,000 |
| Real estate loans (unsecured) | 50,000,000 | Common shares | 30,000,000 |
| Loans from Company X | 200,000,000 | | |
| Real estate loans (secured)* | 150,000,000 | | |
| Total assets | 500,000,000 | Total liabilities and equities | 500,000,000 |

a. Calculate the Basel I capital ratio for Bank XYZ.
b. Determine if Bank XYZ is within the minimum capital requirements
under Basel I.

Solution:

$$\text{Basel I Capital Ratio} = \frac{\text{Total capital}}{\text{Risk-weighted assets}} \geq 8\%$$

a. Calculate the Basel I capital ratio for Bank XYZ

Step 1 – Calculate the risk-weighted assets

| | MYR | Risk weights | Risk-weighted assets (MYR) |
|---|---|---|---|
| Cash | 100,000,000 | 0% | 0 |
| Real estate loans (unsecured) | 50,000,000 | 100% | 50,000,000 |
| Loans from Company X | 200,000,000 | 100% | 200,000,000 |
| Real estate loans (secured)* | 150,000,000 | 50% | 75,000,000 |
| Risk-weighted assets | | | 325,000,000 |

*Note: Real estate loans (secured) means loans secured by a residential mortgage with reference to Basel IV


Risk-weighted assets = MYR 325,000,000.00

Step 2 – Calculate the total capital

Total capital = MYR 30,000,000.00

Step 3 – Calculate the Basel I ratio

$$\text{Basel I ratio} = \frac{30{,}000{,}000}{325{,}000{,}000} = 9.23\%$$

b. Determine if Bank XYZ is within the minimum capital requirements
under Basel I.

The Basel I ratio is 9.23%. This is well above the minimum Basel I capital
requirement of 8%.

2.5.5 The 1996 Market Risk Amendments

One of the criticisms against Basel I is that it covers only the bank’s credit
risk exposure. In the 1990s, many banks had substantial exposures to market
risks. In 1995, Barings Bank, the oldest bank in Britain, collapsed due to the
speculative activities of a single British trader based in Singapore. Trading
losses peaked when a wrong bet on Japanese equities led the bank to recognise
$1.3 billion in losses. The capital and reserves of this 233-year-old institution
were wiped out.

In January 1996, the Basel Committee issued an amendment to the 1988
Basel Capital Accord. This was done to incorporate within the Basel I capital
requirements the market risks arising from the banks’ open positions in
foreign exchange, traded debt securities, equities, commodities, and options.

Banks have two alternative methodologies for measuring market risks:
the standardised method and the internal model approach. The
standardised method of measuring risk involves a rule-based “black box”
approach to measure interest rate risk, equity position risk, foreign exchange
risk and commodity risk. The standardised methodology uses a building
block approach in which the specific risk and the general market risk arising
from debt and equity positions are calculated separately.

The internal model approach, on the other hand, allows banks to use risk
measures derived from their internal risk management models subject to
the fulfilment of certain conditions and upon the explicit approval of the
bank’s supervisory authority. For purposes of calculating regulatory capital
requirement for market risk, banks are required to calculate daily value-at-
risk (VAR) at the 99th percentile, a one-tailed confidence interval with a ten-
day holding period.


The amendment also introduced another type of capital which is the Tier
3 Capital. At the discretion of the applicable national authority, banks may
employ a third tier of capital (Tier 3) consisting of short-term subordinated
debt for the sole purpose of meeting a proportion of the capital requirements
for market risk. This means that the bank may not use Tier 3 Capital to satisfy
credit or counterparty risk requirements under the Basel I Accord. Tier 3 Capital
will be limited to 250% of a bank’s Tier 1 Capital required to support market
risks. The total of Tier 2 and Tier 3 Capital shall not exceed the bank’s total Tier
1 Capital. To illustrate numerically, if US$100 is the Tier 1 capital available for
market risk, then the maximum Tier 3 Capital (including any Tier 2 elements
substituted for Tier 3) can be 250% x US$100 = US$250. The total capital
available then is US$350, of which US$100 is Tier 1. Thus, the minimum Tier 1
Capital needed for market risk ends up being about 28.5% (US$100/US$350).

2.6 BASEL II: THE THREE PILLARS

One of the criticisms against Basel I is that it covers only credit risk. In the years
after Basel I was introduced, banks’ risk exposures evolved beyond credit risk.
For example, one of the high-profile bank failures during the 1990s was the collapse
of Barings Bank due to the actions of a rogue trader. The underlying cause of
the collapse was not credit risk but a combination of market risk and operational
risk. In June 2004, the Basel Committee released the Revised Capital Framework.
This revised capital framework was designed to improve the way regulatory
capital requirements reflect underlying risks and address the financial and risk
management innovation that occurred in the years following Basel I. Basel II is the
second set of international banking regulations defined by BCBS. It is an extension
of the regulations for minimum capital requirements as defined under Basel I. The
Basel II framework operates under three pillars.


• Pillar 1: Minimum capital requirements
• Pillar 2: Supervisory review process
• Pillar 3: Market discipline

Figure 2.17: The three pillars of Basel II.

2.6.1 Pillar 1 – Minimum Capital Requirements

Pillar 1 of Basel II sets out the revised minimum capital requirements for banks.
Basel II retains the 8% minimum capital requirements for banks but has now
expanded the mechanism of risk-weighting the bank’s assets following the
Basel II ratio as below:

$$\text{Basel II Ratio} = \frac{\text{Total capital}}{\text{Market Risk} + \text{Credit Risk} + \text{Operational Risk}} \geq 8\%$$

Figure 2.18: The Basel II capital adequacy ratio

Basel II specifies minimum capital calculations for three (3) types of risks:

i. Market risk – Market risk is defined as the risk of losses in on- and
off-balance-sheet positions arising from movements in market prices. The
following market risks are covered in the Basel II framework:

▶ General and specific risk pertaining to interest rate risk and equity risk in
the trading book
▶ Foreign exchange risk and commodity risk throughout the bank

ii. Operational risk – Operational risk is not explicitly covered in Basel I.
Operational risk is formally defined in Basel II as the risk of loss resulting
from inadequate or failed processes, people, and systems or external
events.


iii. Credit risk – Basel II introduced significant changes to the minimum capital
requirements of Basel I. Basel II provides capital incentives for banks to
move to more sophisticated credit risk management approaches.

The market risk measurement methodology


There are two common methods used to measure market risk:

i. The standardised approach – Uses a building block approach through the
measurement framework proposed by Basel II. The standardised approach
covers the following categories of market risk:

▶ Interest rate risk
▶ Equity position risk
▶ Foreign exchange risk
▶ Commodities risk
▶ Options risk

This methodology is designed for less sophisticated banks that may not
have the resources to develop their internal risk models.

ii. The internal model approach – Allows banks to use their in-house models
to calculate market risk. The bank’s supervisory authority must explicitly
approve the use of these models for regulatory purposes. The supervisory
authority will only give its approval if:

▶ It is satisfied that the bank’s risk management system is conceptually
sound and is implemented with integrity.
▶ The bank has sufficient staff skilled in the use of sophisticated models in
the trading, risk control, audit, and back-office areas.
▶ The bank’s models have a proven track record of reasonable accuracy
in measuring risk.
▶ The bank regularly conducts stress tests.

The operational risk measurement approach

Basel II outlined three measurement approaches for operational risk, as
indicated in Figure 2.19:

• Basic indicator approach
• Standardised approach
• Advanced measurement approaches

Figure 2.19: The operational risk measurement approach


i. The basic indicator approach – Basic Indicator Approach (BIA) is the
simplest method and uses the average over the previous three years of a
fixed percentage of the bank’s positive annual gross income as a basis for
setting capital.

Internationally active banks and banks with significant operational risk
exposures are expected to use a more sophisticated approach than the
basic indicator approach.

ii. The standardised approach – In the standardised approach, banks’
activities are divided into eight business lines:

▶ Corporate finance
▶ Trading and sales
▶ Retail banking
▶ Commercial banking
▶ Payment & settlement
▶ Agency services
▶ Asset management
▶ Retail brokerage

Capital charges for each business line are based on a percentage (beta) of
that business line’s gross income. The percentage (beta) was set according
to the perceived riskiness of the business line. Under this approach, the bank
must set aside capital equal to 15% (Alpha) on the average gross income.

| Business lines | Beta factors |
|---|---|
| Corporate finance (β1) | 18% |
| Trading and sales (β2) | 18% |
| Retail banking (β3) | 12% |
| Commercial banking (β4) | 15% |
| Payment and settlements (β5) | 18% |
| Agency services (β6) | 15% |
| Asset management (β7) | 12% |
| Retail brokerage (β8) | 12% |

Figure 2.20: The beta factors for operational risk


The total capital charge is the three-year average of the charges across
business lines each year.

iii. The Advanced Measurement Approach (AMA) – The most complex method
of calculating operational risk regulatory capital.

Under AMA, the regulatory capital requirement will be based on the risk
measure generated by the bank’s internal risk measurement system. The
use of AMA is subject to supervisory approval.

A bank will not be allowed to revert to or choose a simpler approach once
approved for a more advanced approach without prior supervisory approval.
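
The basic indicator and standardised calculations described above, worked through as an added example (not taken from the study text). The gross income figures are constructed, in MYR millions, and the function names are hypothetical. The example applies the 15% alpha as the fixed percentage of the basic indicator approach, and its treatment of loss-making years (excluded from the basic indicator average, floored at zero per year under the standardised approach) follows the Basel II framework text and goes beyond what this page states.

```python
from decimal import Decimal

# Fixed percentage (alpha) applied to gross income under the basic indicator approach.
ALPHA = Decimal("0.15")

# Beta factors per business line, as listed in Figure 2.20.
BETA = {
    "corporate_finance": Decimal("0.18"),
    "trading_and_sales": Decimal("0.18"),
    "retail_banking": Decimal("0.12"),
    "commercial_banking": Decimal("0.15"),
    "payment_and_settlement": Decimal("0.18"),
    "agency_services": Decimal("0.15"),
    "asset_management": Decimal("0.12"),
    "retail_brokerage": Decimal("0.12"),
}

# Constructed sample: gross income by business line for three years (MYR millions).
# Year 2 contains a large trading loss, which makes the bank-wide total negative.
SAMPLE_YEARS = [
    {"retail_banking": 400, "commercial_banking": 300,
     "trading_and_sales": 100, "payment_and_settlement": 50},
    {"retail_banking": 420, "commercial_banking": 310,
     "trading_and_sales": -900, "payment_and_settlement": 55},
    {"retail_banking": 450, "commercial_banking": 330,
     "trading_and_sales": 120, "payment_and_settlement": 60},
]


def yearly_totals(years):
    """Bank-wide gross income per year (the input to the basic indicator approach)."""
    return [sum(year.values()) for year in years]


def basic_indicator_charge(gross_income_by_year):
    """ALPHA times the average of *positive* annual gross income over three years.

    Assumption from the Basel II framework: a year with zero or negative gross
    income is dropped from both the numerator and the denominator.
    """
    if len(gross_income_by_year) != 3:
        raise ValueError("expected gross income for exactly three years")
    positive = [Decimal(gi) for gi in gross_income_by_year if gi > 0]
    if not positive:
        return Decimal(0)
    return ALPHA * sum(positive, Decimal(0)) / len(positive)


def standardised_year_charge(income_by_line):
    """Sum of beta x gross income across business lines for one year.

    Assumption from the Basel II framework: a loss in one line may offset the
    charges of other lines, but a negative yearly total is replaced by zero.
    """
    unknown = set(income_by_line) - set(BETA)
    if unknown:
        raise ValueError(f"unknown business line(s): {sorted(unknown)}")
    total = sum((BETA[line] * Decimal(gi) for line, gi in income_by_line.items()),
                Decimal(0))
    return max(total, Decimal(0))


def standardised_charge(years):
    """Three-year average of the yearly charges; the divisor stays at three."""
    if len(years) != 3:
        raise ValueError("expected business-line income for exactly three years")
    return sum((standardised_year_charge(y) for y in years), Decimal(0)) / 3


if __name__ == "__main__":
    totals = yearly_totals(SAMPLE_YEARS)
    print("Gross income per year:", totals)
    print("Basic indicator charge:", basic_indicator_charge(totals))
    for number, year in enumerate(SAMPLE_YEARS, start=1):
        print(f"Standardised charge, year {number}:", standardised_year_charge(year))
    print("Standardised charge (3-year average):", standardised_charge(SAMPLE_YEARS))
```

The loss-making year is handled differently by the two approaches: the basic indicator approach averages over the two profitable years only, while the standardised approach keeps the year in the average with a charge of zero.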

The credit risk measurement approach


Basel II provides capital incentives for banks to move to more sophisticated
credit risk measurement approaches as below:

• Standardised approach
• Internal ratings-based approach: Foundation, Advanced

Figure 2.21: The credit risk measurement approach

i. Standardised approach – The standardised approach for credit risk under
Basel II is similar to Basel I. Basel II focuses on the credit rating assessment
of External Credit Assessment Institutions (ECAIs) to define the required risk
weights. Higher-rated individual claims have lower risk weights compared
to lower-rated claims.

Further, under the standardised approach, credit risk exposures are divided
into the following exposure types:

▶ Sovereign

| Corporate credit ratings | Risk weights |
|---|---|
| AAA to AA- | 0% |
| A+ to A- | 20% |
| BBB+ to BBB- | 50% |
| BB+ to B- | 100% |
| Below B- | 150% |
| Unrated | 100% |

Figure 2.22: Credit risk weight for sovereigns


▶ Public sector entities, banks, and securities firms

| Corporate Credit Ratings | Risk weights* (Option 1: Rating Below Sovereign) | Risk weights* (Option 2: External Credit Assessment Institutions Rating-Based) |
|---|---|---|
| AAA to AA- | 20% | 20% |
| A+ to A- | 50% | 50% |
| BBB+ to BBB- | 100% | 50% |
| BB+ to B- | 100% | 100% |
| Below B- | 150% | 150% |
| Unrated | 100% | 50% |

Note: * The choice of Option 1 or Option 2 is largely dependent on the options
provided by the National Supervisors.

Figure 2.23: Credit risk weight for public sector entities, banks, and securities firms

▶ Corporates

| Corporate Credit Ratings | Risk Weights |
|---|---|
| AAA to AA- | 20% |
| A+ to A- | 50% |
| BBB+ to BB- | 100% |
| Below BB- | 150% |
| Unrated | 100% |

Figure 2.24: Risk weights for corporates

ii. Internal ratings-based (IRB) approach – IRB allows banks to rely on
their internal estimates of risk components in determining the capital
requirement for a given exposure. This approach requires prior supervisory
approval.

Under the IRB approach, banks must categorise banking book exposures
into broad classes of assets with different underlying risk characteristics.
These classes of assets are corporate, sovereign, bank, retail and equity.


Under the foundation IRB approach, banks model only the probability of
default. Under the advanced IRB approach, banks will model their own loss
given default (LGD) and exposure-at-default (EAD) levels. LGD is the absolute
amount of money lost if a borrower defaults, while EAD is the amount a bank
is exposed to at the time of the same default.

Under the Basel III package finalised in December 2017, banks can no longer
use the advanced IRB approach for exposures to financial institutions or
corporates with consolidated annual revenues of more than €500 million.

2.6.2 Pillar 2 – Supervisory Review

Pillar 2 of the Basel II Framework describes the mandatory processes for both
the banks and the supervisory authority (regulators). The aim is to establish a
link between a bank’s risk profile, risk management infrastructure, and capital.
Pillar 2 goes beyond the minimum capital requirements of Pillar 1 and ensures
that risks that are not addressed in Pillar 1 will be addressed in Pillar 2.

The Pillar 2 requirements are determined by the Internal Capital Adequacy
Assessment Process (ICAAP) and Supervisory Review Evaluation Process
(SREP) with the intent to:

• Assess capital adequacy in relation to the bank’s risk profile.
• Ensure that banks have adequate capital to support all the risks in their
business.
• Encourage banks to develop and use better risk management techniques
in monitoring and managing risks.

• Internal capital adequacy assessment process (ICAAP)
• Dialogue/Discussion
• Supervisory review evaluation process (SREP)

Figure 2.25: Major components of Pillar 2

Internal capital adequacy assessment process (ICAAP)


Banks are required to implement a process for assessing their capital adequacy
in relation to their risk profile and a strategy on capital management. This
process is referred to as the Internal Capital Adequacy Assessment Process
(ICAAP).


ICAAP serves as the guideline for setting capital targets commensurate with
the bank’s risk profile and control environment. Below are five main features
of a rigorous internal capital adequacy assessment process:

• Board and senior management oversight
• Sound capital assessment
• Comprehensive assessment of risk
• Monitoring and reporting
• Internal control review

Figure 2.26: The five main features of ICAAP

i. Board and senior management oversight – The bank’s Board of Directors
(BOD) is responsible for setting the bank’s tolerance for risks. It should also
ensure that management:

▶ Establishes a framework for assessing the various risks;
▶ Develops a system to relate risk to the bank’s capital level; and
▶ Establishes a method for monitoring compliance with internal policies.

Bank management is responsible for having a good understanding of
the nature and level of risk taken by the bank and how this risk relates to
adequate capital levels. It is also responsible for ensuring that the formality
and sophistication of the risk management processes are appropriate in
light of the risk profile and business plan.

ii. Sound capital assessment – The bank should have the following elements
of sound capital assessment:

▶ Policies and procedures designed to ensure that the bank identifies,
measures, and reports all material risks.
▶ A process that relates capital to the level of risk.
▶ A process that states capital adequacy goals with respect to risk, taking
into account the bank’s strategic focus and business plan.
▶ A process of internal control reviews and audits to ensure the integrity
of the overall management process.

iii. Comprehensive assessment of risk – All material risks faced by the bank
should be assessed in the capital assessment process. The following broad
risks should be covered in the assessment:

▶ Credit risk
▶ Market risk
▶ Operational risk


▶ Interest-rate risk in the banking book
▶ Liquidity risk
▶ Other related risks

iv. Monitoring and reporting – The bank should establish an adequate system
for monitoring and reporting risk exposures and assessing how the bank’s
changing risk profile affects the need for capital.
v. Internal control review – The internal control structure is an essential
component of the capital assessment process. The bank should conduct
a periodic review of its risk management process to ensure its integrity,
accuracy, and reasonableness. The following areas should be part of the
review:

▶ Appropriateness of the bank’s capital assessment process.
▶ Identification of large exposures and risk concentrations.
▶ Accuracy and completeness of data inputs into the bank’s assessment
process.
▶ Reasonableness and validity of scenarios used in the capital assessment
process.
▶ Stress testing and analysis of assumptions and inputs.

Supervisory review and evaluation process (SREP)


The supervisory review process is intended to ensure that banks have
adequate capital to support all the risks in their business and encourage
banks to develop and use better risk management techniques to monitor
and manage their risks. The supervisory review process may focus on the
following key areas:

• Review of adequacy of risk assessment
• Assessment of capital adequacy
• Assessment of the control environment
• Supervisory review of compliance with minimum standards
• Supervisory response

Figure 2.27: Key areas in the supervisory review process


i. Review of adequacy of risk assessment – Bank supervisors should assess
the degree to which the internal targets and processes incorporate the full
range of material risks faced by the bank; the adequacy of risk measures
used in assessing internal capital adequacy; and the extent to which these
risk measures are used operationally in setting limits, evaluating business
line performance, and evaluating and controlling risks.
ii. Assessment of capital adequacy – Supervisors should review the business
process to determine that:

▶ Target levels of capital chosen are comprehensive and relevant to the
current operating environment.
▶ Target levels are properly monitored and reviewed by senior management.
▶ Composition of capital is appropriate for the nature and scale of the
bank’s business.

iii. Assessment of the control environment – Supervisors should consider the
quality of the bank’s management information reporting and systems, how
business risks and activities are aggregated, and management’s record in
responding to emerging or changing risks.
iv. Supervisory review of compliance with minimum standards – Supervisors
should ensure that banks meet the minimum requirements in capital, risk
management standards and even disclosures.
v. Supervisory response – Supervisors should take appropriate action if they
are not satisfied with the results of the bank’s risk assessment and capital
actions. These actions may include:

▶ Intensifying the monitoring of the bank
▶ Restricting the payment of dividends
▶ Requiring the bank to prepare and implement a satisfactory capital
adequacy restoration plan
▶ Requiring the bank to raise additional capital immediately

2.6.3 Pillar 3 – Market Discipline

Pillar 3 of the Basel II Framework aims to encourage market discipline by
developing a set of disclosure requirements, allowing market participants
to assess key pieces of information on the bank’s capital, risk exposures, risk
assessment process, and the capital adequacy of the institution. Pillar 3
requires firms to publicly disclose their risks, capital adequacy, and
management policies to promote market discipline.


Key information: Scope of application

Qualitative disclosures:
• Name of the top corporate entity in the group.
• Outline of differences in the basis of consolidation for accounting and
regulatory purposes.
• Restrictions on transfer of funds or regulatory capital within the group.

Quantitative disclosures:
• The aggregate amount of surplus capital of insurance subsidiaries.
• The aggregate amount of capital deficiencies in all subsidiaries not
included in the consolidation.
• The aggregate amounts of the firm’s total interests in insurance entities.

Key information: Capital

Qualitative disclosures:
• Summary information on the terms and conditions of the main features of all
capital instruments.

Quantitative disclosures:
• The amount of Tier 1 Capital with separate disclosure of:
i. Paid-up share capital/common stock
ii. Reserves
iii. Minority interests in the equity of subsidiaries
iv. Innovative instruments (innovative Tier 1 instruments are non-traditional
capital instruments. An example of this would be the CoCo bonds or contingent
convertibles. These are debt instruments that get converted into common
equity if certain regulatory ratios are breached).
v. Other capital instruments (this is a residual term for all other capital
instruments that could be eligible for Tier 1 classification but cannot be
classified under any of the categories above).
vi. Surplus capital from insurance companies
vii. Regulatory calculation differences deducted from Tier 1 capital (these
are adjustments between accounting numbers and what is acceptable for Tier 1
capital purposes under the regulatory capital regime – an example would be,
if accounting permits the recognition of fair value changes in Tier 1 capital,
this should not be incorporated in regulatory capital calculation).
viii. Other amounts deducted from Tier 1 capital, including goodwill and
investments
• The total amount of Tier 2 and Tier 3 Capital.
• Other deductions from the capital.
• The total eligible capital.


Key information: Capital adequacy

Qualitative disclosures:
• Summary discussion of the bank’s approach to assessing the adequacy of its
capital to support current and future activities.

Quantitative disclosures:
• Capital requirements for credit risk
• Capital requirements for equity exposures
• Capital requirements for market risk
• Capital requirements for operational risk
• Total and Tier 1 Capital Ratio

Figure 2.28: Key information for disclosure in Pillar 3

Risk exposure and assessment


Banks must disclose all material risks to which they are exposed and the techniques
that they use to identify, measure, monitor, and control those risks. The
following key banking risks are considered in the detailed disclosure:

• Credit risk
• Market risk
• Interest rate risk and equity risk in the banking book
• Operational risk

2.7 BASEL III: THE REQUIREMENTS AND BASEL III EXTENDED

The 2008 Global Financial Crisis highlighted many weaknesses in the banking
sector, which were not adequately addressed by the Basel II capital framework.
These weaknesses included excessive leverage, inadequate and low-quality
capital, and insufficient liquidity buffers. These weaknesses were further amplified
by a procyclical de-leveraging process and the interconnectedness of systemically
important financial institutions. Basel III was designed to address the lessons learned
from the 2008 Global Financial Crisis. Basel III does not replace the Basel II capital
framework. Instead, it supplements Basel II by addressing its weaknesses.

2.7.1 2008 Global Financial Crisis and Basel II

The 2008 Financial Crisis highlighted several weaknesses in the Basel II
regime from the bank-level perspective (micro-level) and the system-wide
perspective (macro-level).


Factors leading to the 2008 Financial Crisis Weaknesses

Bank-level weaknesses
• Inadequate and low-quality capital
• Insufficient liquidity buffers
• Excessive leverage

System-wide weaknesses
• Procyclicality
• Interconnectedness of systemically important financial
institutions

Figure 2.29: Factors leading to the 2008 Financial Crisis Weaknesses

i. Inadequate and low-quality capital – The global banking system entered
the crisis with an insufficient level of high-quality capital. As a result, many
banks were forced to rebuild their common equity capital bases while
the crisis unfolded, when it was expensive and difficult to do so. Another issue
highlighted is that many innovative instruments were considered capital
under Basel II but were not effective during the financial crisis. Capital
is considered to be effective if it is loss-absorbing. Loss-absorbing capital
serves as an effective buffer to absorb both expected and unexpected
losses even during the crisis. This means that banks must not be obligated
to replace this capital when it is less optimal.
ii. Insufficient liquidity buffers – In the years running up to the crisis, liquidity
did not receive adequate attention as debates about bank regulation
were focused on capital adequacy. While a strong capital position was
necessary for banking sector stability, the 2008 Global Financial Crisis
showed that it was not sufficient on its own. Before the crisis, liquidity was
abundant, and the cost of funding was low. During the crisis, funding suddenly
dried up and remained in short supply for a very long period. One of the
lessons learned in the crisis was that illiquidity could last for a long period
of time.
iii. Excessive leverage – Excessive leverage in the banking system played
a crucial role in creating vulnerabilities that increased the depth and
severity of the crisis. According to the Turner Report, from 2003 onwards,
there were significant increases in the balance sheet leverage of many
commercial and investment banks driven by dramatic increases in gross
assets and derivative positions. The Turner Report (or more formally known
as the Turner Review: A Regulatory Response to the Global Banking Crisis)
is a landmark report issued by the FSA that sets out what went wrong in the
2008 crisis, changes in the banking regulation and supervisory approaches,
wider issues, and recommendations for reform. This became the catalyst
for many of the regulatory reforms that we now have.


Further, the Financial Crisis Inquiry Commission reported that, as of 2007,
the five major investment banks were operating with extraordinarily high
leverage. By one measure, their leverage ratios were as high as 40:1,
meaning that for every USD 40 in assets, there was only USD 1 to cover the losses.
This implied that a drop in asset value of less than 3% could wipe out the
firm’s entire value. Leading up to the crisis, many banks reported strong
Basel II Tier 1 risk-based ratios and “gamed”⁶ the Basel II risk-based capital
requirements while still building high levels of both on- and off-balance-sheet
leverage.

iv. Procyclicality – Procyclicality refers to the mutually reinforcing mechanisms
through which the financial system can amplify business fluctuations and
possibly cause or amplify financial instability. It refers to the tendency of
financial variables to fluctuate around a trend during the economic cycle.
One of the unintended consequences of Basel II is encouraging behaviour
that amplifies the effects of business cycle fluctuations. During economic
expansions, risk measurement models signal lower risk. The regulatory
capital required, therefore, is lower. This encourages banks to take more
risks during these favourable economic conditions. Banks do not raise
capital when it is cheaper and more optimal to do so.

During economic contractions, risk measurement models signal higher risk.
The regulatory capital required is higher. This forces banks to raise more
capital when it is more expensive to do so. Further, banks are restricted
from taking more risks, which will further amplify the economic contraction.
These reinforcing mechanisms are disruptive and apparent during a
downturn. For instance, institutions incur losses and capital buffers decline,
which will force them to raise funding in an unfavourable environment. This
will also result in tightening credit extension and selling of assets, which will
weaken economic activity. There are two types of procyclicality:

6 “game” means “took advantage of”.


Procyclicality of capital – When conditions are good, financial institutions
are profitable and their strong capital base allows them to take larger risk
positions. This triggers additional demand for assets and leads to a further
increase in their prices. On the other hand, when conditions are unfavourable,
financial institutions take losses and their capital base deteriorates. This
triggers selling-off of assets and leads to a further decrease in their prices.

Procyclicality of leverage – Procyclicality of leverage occurs when the
financial institutions’ balance sheets expand and contract with the economic
cycle.

Figure 2.30: Types of procyclicality

Under these are the different mechanisms that are at work:

▶ Risk measurement models – Risk measurement models are procyclical,
especially when constructed with short data series. Risk management
practices hardwired to valuations strongly amplify fluctuations and
leverage and lead to fire sales and a one-sided market.
▶ Short term money markets – When liquidity is perceived to be abundant,
there is a strong incentive to lengthen maturity and hold strongly
leveraged positions.
▶ Risk appetite – Valuation gains may encourage further risk-taking, while
valuation losses may trigger sharp pullbacks.

v. Interconnectedness of systemically important financial institutions
– Excessive interconnectedness among systemically important banks
transmitted shocks across the financial system and economy. The collapse
of Lehman Brothers in 2008 sent a shockwave across financial institutions
on the global level.


[Figure: Lehman Brothers (over 7,000 legal entities in more than 40 countries)
at the centre, linked to corporate issuers, mortgage banks, insurance
companies, other banks/dealers, money market funds, hedge funds, and sovereign
and municipal debt issuers through exposures including whole residential and
mortgage loans, debt and equity securities, commercial paper, OTC derivatives,
MBS/CMBS, market making, firm finance, prime brokerage, custody, credit and
interest rate derivatives, trade finance, primary dealer activity and
secondary trading.]

Figure 2.31: Interconnectedness of Lehman’s obligations7

The global financial crisis provided lessons on the costs to the economy
due to the absence of effective powers/regulatory tools for dealing with
the failure of systemically important financial institutions.

2.7.2 Basel III Reforms

For the periods 2009-2010, BCBS introduced comprehensive reform measures
that would address the lessons of the 2008 Global Financial Crisis. These
reform measures focus on strengthening global capital and liquidity rules
to promote a more resilient banking sector. These measures are collectively
referred to as “Basel III”. The requirements of Basel III are expected to be fully
implemented by 2019.

These reforms aim to address bank-level and system-wide weaknesses
identified in the 2008 Financial Crisis. These reforms address the following key
areas:

• Raising the quality of capital to ensure banks can absorb losses on both a
going concern and a gone concern basis.
• Increasing the risk coverage of the capital framework.

7 As of 26 May 2009


• Raising the level of the minimum capital requirements.
• Introducing an internationally harmonised leverage ratio to serve as a
backstop to the risk-based capital measure and to contain the build-up of
excessive leverage in the system.
• Raising standards for the supervisory review process (Pillar 2) and public
disclosures (Pillar 3).
• Introducing minimum global liquidity standards.
• Promoting the build-up of capital buffers in good times that can be drawn
down in periods of stress.

2.7.3 Basel III – Capital Reforms

Basel III capital reforms focus on strengthening both the quality and level of
capital. Basel III increased the required amount of capital and, at the same
time, limited the use of capital that is not fully loss-absorbing. There are two
main purposes of capital:

i. Going concern capital – Going concern capital absorbs losses without
banks being under excessive pressure to contain liquidity. Going concern
capital allows the bank to continue as a going concern and enhances the
ability of a bank to stay solvent. The objective of Tier 1 Capital is to allow
the entity to survive and continue as a going concern. Hence, only capital
that allows the bank to stay solvent and continue as a going concern can
be considered Tier 1 Capital. The predominant form of Tier 1 Capital must
be common shares and retained earnings. Included in the definition of
Common Equity Tier 1 (CET1) Capital are:

▶ Common shares
▶ Share premium
▶ Retained earnings
▶ Accumulated comprehensive income
▶ Minority interest
▶ Regulatory adjustments

Other than common equity shares, certain innovative capital structures
can be considered additional Tier 1 Capital. Additional Tier 1 Capital is an
alternative Tier 1 Capital with no maturity date. Additional Tier 1 Capital is
typically a hybrid debt instrument with a principal loss absorption feature.
The principal loss absorption feature generally allows the bank to convert
the instrument into common shares at a pre-specified trigger point, or
contains a write-down mechanism that allocates losses to the instrument at a
specified trigger point.


ii. Gone concern capital – Gone concern capital aims to protect senior
creditors, depositors and the taxpayers in a bank failure. Tier 2 Capital,
which is ranked junior compared to senior creditors and depositors but
more senior than common equity holders, is considered a gone concern
capital. BCBS concluded that high-quality capital means higher loss-
absorbing capital to allow banks to withstand periods of stress better.

Quantity of Capital
There is no change in the level of the total capital required to support a bank’s
risk-weighted assets. Similar to Basel II, the minimum total capital required is
also 8%.

Common Tier 1: 4.5%

Tier 1 Capital: 6.0%

Total Capital: 8.0%

Figure 2.32: Minimum capital requirements

There are, however, some changes in the level of high-quality capital
required:

• Common Tier 1 Capital requirement increased from 2% of risk-weighted
assets to 4.5%.
• Tier 1 Capital requirement increased from 4% of risk-weighted assets to 6%.
• Tier 2 Capital is a supplementary capital and is typically recognised as a
liability in the bank balance sheet.

Capital conservation buffer
Basel III introduced a framework to promote conservation of capital and
the build-up of adequate buffers above the minimum capital requirement
that can be drawn upon in periods of stress. The objective is to encourage
banks to hold capital buffers above the regulatory minimum. At the onset
of the 2008 Global Financial Crisis, many banks continued to make large
distributions of capital through dividend payments, share buybacks, and
generous compensation payments even though the financial condition and
outlook for the banking sector were deteriorating.

Much of this activity was driven by a collective action problem where reductions
in distributions were perceived as sending a signal of weakness. These actions
made individual banks less resilient as they did not do enough to rebuild their
capital buffers, particularly during good times. The capital conservation buffer
aims to increase the banking sector’s resilience during the downturn and
provide the mechanism for rebuilding capital during the economic recovery.
This buffer aims to avoid breaches of minimum capital requirements and to have
banks hold capital buffers above the regulatory minimum outside periods of stress.

When the buffers have been drawn down, banks may consider reducing the
discretionary distribution of earnings or raising new capital from the private
sector. Unlike the minimum capital requirements, failure to meet the capital
conservation buffer requirement will not result in constraints to the bank’s
operation. Rather, it will result in restrictions in distributions. Hence, this should
not be viewed as establishing a new capital requirement. Items subject to
distribution restrictions include:

• Dividends
• Share buybacks
• Discretionary payments on other Tier 1 capital instruments
• Discretionary bonus payments to staff

A capital conservation buffer of 2.5% of the risk-weighted assets should be
established above the minimum regulatory requirement. This buffer should
be fully composed of Basel Common Equity Tier 1 (CET1) equity.


Boxed Article–4

New Bankruptcy Documents Reveal Outsize Pay at Lehman Before Collapse
(Lattman, 2012)

It is no secret that Richard S. Fuld Jr., the former chief executive of Lehman Brothers, and his
fellow officers earned hundreds of millions of dollars in the years leading up to the bank’s
collapse. But new documents from the Lehman bankruptcy case reveal the extraordinary
compensation bestowed on dozens of the bank’s employees in the years leading up
to its demise in September 2008. Wall Street critics blame the outsize salaries of bank
employees as a core reason for the global financial crisis, arguing that the promise of
large pay packages led to excessive risk-taking. While the compensation for a handful
of Lehman executives like Mr Fuld had previously been known, the documents reveal the
compensation for the 50 highest-paid employees.

Robert Millard, the head of Lehman’s proprietary trading operations — the group that
traded the bank’s own money — was in line to make $51.3 million in 2007, making him the
highest-paid employee on a list of the top-50 paid employees that year. The list shows
that he was paid $44.5 million in 2006 and $3.8 million in 2005. Mr Millard now runs Realm
Partners, a hedge fund in New York. The $51.3 million paid to Mr Millard approximates the
pay package received by Mr Fuld that year, which, depending on how it was calculated,
was worth $40 million to $51.6 million. No. 2 on the employee list was Marvin Schwartz, the
low-profile, legendary money manager at Lehman’s Neuberger Berman unit. He was paid
$31.2 million in 2007, $27 million the year before and $14.8 million in 2005. Mr Schwartz is
still at Neuberger, which spun out of Lehman and is now an independent, privately held
company.

The bronze medal for Lehman employee pay in 2007 was Jonathan Hoffman, who is
listed as trading “global rates,” which is trading in government bonds and more complex
instruments including derivatives tied to interest rates. It is unclear where Mr Hoffman
works today.

The bankruptcy documents also include a presentation to the board’s compensation
committee in January 2008 and the compensation review process for the firm’s equity
research personnel. It is unclear how much of this compensation was paid in Lehman
stock, which soon became worthless.

Author’s note: at the height of the 2008 financial crisis, the issue of compensation was
highlighted. For some investment banks, compensation expense is one of the largest
expenses. In times of crisis when banks should conserve capital, this discretionary
distribution of earnings should be set aside as buffer.


Countercyclical buffer
Losses in the banking sector can be extremely large when a downturn is
preceded by excess credit growth. These losses can destabilise the banking
sector and spark a vicious cycle. Problems in the financial system can
contribute to a downturn in the real economy that feeds back to the banking
sector. These problems led Basel III to introduce reforms to build up additional
capital defences in periods where the risks of system-wide stresses are
growing markedly. The countercyclical buffer aims to ensure that the banking
sector capital requirements account for the macro-financial environment in
which banks operate.

The countercyclical buffer is a macro-prudential measure that aims to
protect the banking sector from periods of excess credit growth associated
with the build-up of systemic risk. This buffer does not address the resilience
of individual banks during periods of stress, as this was already covered by
the minimum capital requirements and the capital conservation buffer. It will
be deployed by bank supervisors when excess aggregate credit growth is
judged to be associated with a build-up of system-wide risk to ensure the
banking system has a buffer of capital to protect it against future potential
losses. The objective is to control the supply and demand of credit to
moderate the excessive build-up of credit. Banking supervisors will monitor
credit growth and other indicators that may signal a build-up of system-
wide risk and assess whether credit growth is excessive and leads to the
build-up of system-wide risk. The relevant national supervisors may impose
a countercyclical buffer of between 0% and 2.5% of risk-weighted assets during
the period of excess credit growth.

                          Basel II    Basel III
Countercyclical Buffer    None        0% to 2.5%

Figure 2.33: The countercyclical buffer

Leverage ratio
One of the underlying features of the 2008 Global Financial Crisis was the
build-up of excessive leverage in the banking system. In some cases, banks
built up excessive leverage while still showing a strong risk-based capital
ratio. During the most severe part of the crisis, the banking sector was forced
by the market to reduce leverage in a manner that amplified the downward
pressure on asset prices. Basel III introduced a non-risk-based leverage ratio
as an additional
regulatory prudential tool to complement the minimum capital adequacy
requirements to prevent an excessive build-up of leverage. The leverage
ratio will backstop the risk-based capital requirement and help to contain a
system-wide build-up of leverage.


Basel III Leverage Ratio = Tier 1 Capital / Total Exposure ≥ 3%

Figure 2.34: The Basel III leverage ratio

The objectives of the leverage ratio requirement are:

• Constrain the leverage in the banking sector.
• Introduce additional safeguards against model risk and measurement
error by supplementing the risk-based measure with a simple, transparent,
independent measure of risk.

2.7.4 Basel III – Liquidity Reforms

One of the most important lessons from the 2008 Global Financial Crisis is that
while strong capital requirements are necessary for banking sector stability,
strong liquidity is also equally important. During the early liquidity phase of
the financial crisis, many banks still experienced difficulties despite having
adequate capital levels. The crisis emphasised the importance of liquidity
to the proper functioning of the banking system. Basel III introduced two
minimum standards for liquidity, namely the liquidity coverage ratio and net
stable funding ratio. These two minimum standards have been developed to
achieve two separate but complementary objectives:

• Promote short term resilience of a bank’s liquidity profile by ensuring it has
sufficient high-quality liquid resources to survive an acute stress scenario
for one month (Liquidity Coverage Ratio).
• Promote longer-term resilience by creating additional incentives for a
bank to fund its activities with more stable funding sources (Net Stable
Funding Ratio).

The liquidity coverage ratio is intended to promote resilience to potential
liquidity disruptions over a 30-day horizon. It will help ensure that banks have
sufficient unencumbered, high-quality liquid assets to offset the net cash
outflows they could encounter under an acute short-term stress scenario.

[Figure: a cushion of high quality liquid assets set against a 30-day
liquidity stress scenario]

Figure 2.35: HQLA vs Acute Stress Cash Flow


The scenario is built upon circumstances experienced in the global financial
crisis in 2007 and entails both institution-specific and systemic shocks. High
quality liquid assets should be unencumbered and liquid in markets during a
time of stress.

Liquidity Coverage Ratio = Stock of High Quality Liquid Assets / Net Cash Outflows Over the Next 30 Days ≥ 100%

Figure 2.36: Liquidity coverage ratio

Net stable funding ratio requires a minimum amount of stable funding sources
for a bank relative to the liquidity profiles of the assets and the potential for
contingent liquidity needs arising from off-balance sheet commitments
over a one-year horizon. The ratio aims to limit over-reliance on short-term
wholesale funding during times of buoyant market liquidity and encourage
better assessment of liquidity risk across all on- and off-balance sheet items.
It covers the entire balance sheet and provides incentives for banks to use
stable sources of funding.

Net Stable Funding Ratio = Available Amount of Stable Funding / Amount of Required Stable Funding > 100%

Figure 2.37: Net stable funding ratio

Stable funding is the portion of those types and amount of equity and liability
financing expected to be reliable sources of funds over a one-year horizon
under conditions of extended stress. The amount of required stable funding is
the amount of funding that the bank needs to fund its assets and off-balance
sheet commitments.

[Figure: required stable funding (a function of the liquidity characteristics
of assets/activities) set against the available amount of stable funding]

Figure 2.38: Required stable funding vs the available amount of stable funding
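
The thresholds in sections 2.7.3 and 2.7.4 can be checked together, as in this added Python example, which is not part of the study text. The balance-sheet figures are constructed, `Bank` and `assess` are hypothetical names, and the buffer test is simplified (an assumption) to comparing the CET1 ratio with 4.5% + 2.5% + the countercyclical rate.

```python
from dataclasses import dataclass

# Thresholds as stated in the text, expressed as fractions.
MIN_CET1, MIN_TIER1, MIN_TOTAL = 0.045, 0.06, 0.08  # share of risk-weighted assets
CONSERVATION_BUFFER = 0.025   # CET1 held above the minimum
MAX_COUNTERCYCLICAL = 0.025   # upper end of the range a national supervisor may set
MIN_LEVERAGE = 0.03           # Tier 1 capital / total exposure
MIN_LCR = 1.0                 # HQLA / net cash outflows over the next 30 days


@dataclass(frozen=True)
class Bank:
    """Constructed figures for illustration, all in the same currency unit."""
    name: str
    cet1: float
    additional_tier1: float
    tier2: float
    risk_weighted_assets: float
    total_exposure: float            # not risk-weighted
    hqla: float
    net_outflows_30d: float
    available_stable_funding: float
    required_stable_funding: float


def assess(bank, countercyclical=0.0):
    """Return the six ratios, the minimums breached, and whether the
    distribution restrictions tied to the capital buffers apply."""
    if not 0.0 <= countercyclical <= MAX_COUNTERCYCLICAL:
        raise ValueError("countercyclical buffer must be between 0% and 2.5%")
    denominators = (bank.risk_weighted_assets, bank.total_exposure,
                    bank.net_outflows_30d, bank.required_stable_funding)
    if min(denominators) <= 0:
        raise ValueError("ratio denominators must be positive")

    tier1 = bank.cet1 + bank.additional_tier1
    total = tier1 + bank.tier2
    rwa = bank.risk_weighted_assets
    ratios = {
        "cet1": bank.cet1 / rwa,
        "tier1": tier1 / rwa,
        "total": total / rwa,
        "leverage": tier1 / bank.total_exposure,
        "lcr": bank.hqla / bank.net_outflows_30d,
        "nsfr": bank.available_stable_funding / bank.required_stable_funding,
    }

    floors = (("cet1", MIN_CET1), ("tier1", MIN_TIER1), ("total", MIN_TOTAL),
              ("leverage", MIN_LEVERAGE), ("lcr", MIN_LCR))
    breaches = [key for key, floor in floors if ratios[key] < floor]
    # Figure 2.37 writes the NSFR test as "> 100%", so equality does not pass.
    if ratios["nsfr"] <= 1.0:
        breaches.append("nsfr")

    # Simplification (assumption of this example): the buffers are tested by
    # comparing the CET1 ratio with minimum + conservation + countercyclical.
    # Falling short restricts distributions; it is not a breach of a minimum.
    buffer_target = MIN_CET1 + CONSERVATION_BUFFER + countercyclical
    restricted = ratios["cet1"] < buffer_target

    return {"ratios": ratios, "breaches": breaches,
            "buffer_target": buffer_target,
            "distributions_restricted": restricted}


# Constructed bank 1: low risk weights give a 10% Tier 1 risk-based ratio,
# but assets are 40 times Tier 1 capital, so the leverage ratio is 2.5%.
LEVERED = Bank("levered", cet1=25, additional_tier1=0, tier2=5,
               risk_weighted_assets=250, total_exposure=1000,
               hqla=120, net_outflows_30d=100,
               available_stable_funding=110, required_stable_funding=100)

# Constructed bank 2: meets every capital minimum but holds too little HQLA,
# and its CET1 ratio of 7.5% clears the buffers only while the
# countercyclical rate is low.
THIN_BUFFER = Bank("thin buffer", cet1=75, additional_tier1=10, tier2=20,
                   risk_weighted_assets=1000, total_exposure=2000,
                   hqla=90, net_outflows_30d=100,
                   available_stable_funding=120, required_stable_funding=100)

if __name__ == "__main__":
    for bank, ccyb in ((LEVERED, 0.0), (THIN_BUFFER, 0.0), (THIN_BUFFER, 0.01)):
        result = assess(bank, countercyclical=ccyb)
        shown = {k: f"{v:.1%}" for k, v in result["ratios"].items()}
        print(bank.name, f"(countercyclical {ccyb:.1%})", shown,
              "breaches:", result["breaches"] or "none",
              "| distributions restricted:", result["distributions_restricted"])
```

The first bank shows why the leverage ratio acts as a backstop: every risk-based ratio passes while the non-risk-based measure fails.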


2.8 ACCOUNTING RULES FOR BANKS

The Financial Stability Forum (FSF), in recommending reforms based on the lessons
learned from the Global Financial Crisis, noted the need to improve the accounting
standards on the valuation of financial instruments, reduce the complexity
in the accounting standards for financial instruments and reduce procyclicality by
strengthening the provision standards. In response, the International Accounting
Standards Board (IASB) replaced the previous accounting standard (IAS 39) with IFRS
9, addressing the lessons identified from the global financial crisis.

2.8.1 Provisioning Under IAS 39 and Procyclicality

IAS 39 follows an incurred loss model. This means that provisioning is only
recognised when there is objective evidence of impairment. During economic
expansion, the incurred loss model results in provisioning that tends to be low.
These lower provisions may incentivise taking more risk as there is a signal
that default risk is viewed to be low. Provisions are lower because asset prices
(collateral) are rising. As a result, banks will set aside less capital during good
times. During economic downturns, provisioning under IAS 39 tends to be
high. Provisions increase exponentially during periods of credit contraction
when there is more objective evidence of impairment. Provisions increase
during a period in the credit cycle where earnings are lower. Provisions also
increase for collateralised lending activities during this period as asset prices
(collateral) tend to be lower. Thus, banks are forced to raise more capital
at a time when it is not optimal to do so. This behaviour created by the
incurred loss model is what is referred to as accounting procyclicality. This
is why the FSF recommended alternative models for loan losses that permit
their recognition earlier in the cycle, thereby reducing procyclicality in loan
provisioning.

2.8.2 Accounting Perspective Vs Regulatory Perspective

There is a difference between the accounting and regulatory perspectives
in terms of provisioning. The objective of accounting is to present financial
statements fairly at a given period of time. This is why the accounting standards
have adopted the concept of the incurred loss model under IAS 39 as it
satisfies the accounting principle of matching (i.e., properly match revenues
and expenses, recognise expense only when incurred) where provisioning
is only recognised when there is objective evidence of impairment, and the
balance sheet amount of loan is reduced when impairment is triggered. The
objective of prudential regulations, however, is to promote the safety and
soundness of banks. Therefore, under the regulatory approach, provisions
are set aside to cover expected losses and capital to cover unexpected
losses. Loan losses are covered by provisioning. Hence, under the regulatory
approach, provisioning is more forward-looking than the IAS 39 impairment
provisioning.

2.8.3 IFRS 9 Expected Loss Model

IFRS 9 significantly overhauls the impairment model under IAS 39 from
an incurred loss model to an expected credit loss model. IFRS 9 adopts a three-
stage approach in measuring impairment loss.

i. Stage 1 – Performing
At the origination of credit exposure, the bank recognises an expected
credit loss equivalent to a 12-month expected loss.

ii. Stage 2 – Underperforming
If there is a significant increase in credit risk, the credit exposure migrates to
Stage 2. Under Stage 2, the bank is required to recognise lifetime expected
credit loss. The assessment of whether there is a significant increase in credit
risk is made at each financial reporting period. There is no single criterion
for assessing whether the credit risk of an exposure has significantly increased;
the assessment is based on multi-factor considerations such as borrower rating,
macroeconomic conditions, and transition probabilities. However, there is
a presumption that if the credit is 30 days past due, there is a significant
increase in credit risk. Below are some of the indications of an increase in
credit risk:

▶ Change in internal price indicators of credit risk (for example, credit
spread).
▶ Change in terms of existing instrument vs newly originated (for example,
more stringent covenants, increase in collateral required or guarantees).
▶ External indicators of credit risk (implied credit spread from bond prices,
credit default swap prices).
▶ Actual or expected change in external credit rating.
▶ Actual or expected change in internal credit rating.
▶ Existing or forecast adverse changes in business, financial or economic
conditions that could affect the borrower’s ability to meet its obligations.
▶ Significant change in the operating results of the borrower (declining
revenues, working capital deficiencies, decreasing asset quality,
leverage, etc.).
▶ Significant increase in credit risk on other financial instruments of the
same borrower.
▶ Change in the regulatory, economic, or technological environment.

▶ Change in the value of collateral, quality of guarantees or credit
enhancement that reduces the incentive for the borrower to make
contractual payments (for example, collateral on housing loan).
▶ Significant changes, including reductions in financial support from a
parent entity or other affiliate, or an actual or expected significant change
in credit enhancement (for example, the parent decides not to provide
a guaranty).
▶ Expected change in loan documentation (expected breach of contract
that may lead to covenant waivers, interest payment holidays, interest
rate step-ups).
▶ Significant change in expected performance and behaviour of borrower
including change in the payment status of borrowers in the group.
▶ Change in entity’s credit management approach.
▶ Past due information.

Whether an increase is significant depends on the original credit risk (i.e.,
it is assessed relative to the credit risk at the time of origination).

iii. Stage 3 – Non-performing loans
If there is objective evidence of impairment, the bank will write off the
principal, and for purposes of recognising interest income, the amount of
interest is based on the net written amount.


SUMMARY

• The crucial role that the banking industry plays in the overall economy coupled with
the fragile nature of the banking industry makes it important that financial safety nets
are applied to minimise the chance of failure in the financial system.

• There are three important financial safety nets – prudential regulation and supervision,
lender of last resort and deposit insurance.

• The main objective of banking supervision is to ensure financial stability where financial
intermediation (critical role of banks) functions smoothly and there is confidence in
the performance of key financial institutions and markets.

• Banking regulations are categorised into four main types – competition, safety and
soundness, consumer protection and monetary policy. Banking regulations can also
be further categorised into those that are formally legislated (banking legislation) and
those that are standards/guidelines.

• The Basel Committee on Banking Supervision (BCBS) recommends minimum standards
of banking supervision worldwide and serves as a forum for regular cooperation
between member countries on banking supervisory matters.

• There is recent focus on maintaining risk-based capital where an appropriate level of
high-quality capital is maintained to support the risk that the bank is taking.

• Basel III is the most recent form of risk-based capital minimum standards where the
quality and quantity of capital that needs to be maintained by banks are enhanced
and where minimum liquidity standards are imposed.


END OF CHAPTER PRACTICE QUESTIONS

1. If there is a significant increase in credit risk, but there is no objective evidence of
impairment, to which stage should the exposure go?
A. Stage 1
B. Stage 2
C. Stage 3
D. Stage 4

2. Which of the following is not true about Basel III?
A. Basel III is a significant overhaul in the banking regulatory framework where the quality
and quantity of capital have been enhanced and increased
B. Basel III adopts the same three-pillar approach as Basel II
C. Basel III focuses solely on ensuring that banks have adequate capital to support their
risk-taking operations
D. Basel III includes minimum liquidity standards, which is not covered under Basel II
minimum capital requirements

3. The objective of the liquidity coverage ratio is to promote ______ resilience and focuses
on the ______ side of the balance sheet.
A. shorter-term, asset
B. shorter-term, liability
C. longer-term, asset
D. longer-term, liability

4. Which of the following is the minimum Tier 1 ratio under Basel III?
A. 4%
B. 4.5%
C. 6%
D. 8%

5. Which of the following is not among the risks that are covered under Pillar I of Basel III?
A. Interest rate risk in the trading book
B. Interest rate risk in the banking book
C. Operational risk
D. Credit risk

6. These are hidden reserves that could freely and immediately be used to meet unforeseen
future losses.
A. Undisclosed reserves
B. Revaluation reserves
C. General provisions
D. Loan loss provisions


7. This refers to the bank supervisory approach where there is close and active monitoring
or enforcement of compliance with bank regulations.
A. Principles-based approach
B. Risk-based approach
C. Supervisory-based approach
D. Rule-based approach

8. The total capital charge for operational risk under the standardised approach is based
on:
A. A three-year average of the gross income
B. A three-year average of the sum of the charges across business lines
C. A five-year average of the gross income
D. A five-year average of the sum of the charges across business lines

9. Which of the following is considered as gone concern capital?
A. Retained earnings
B. Additional tier 1 capital
C. Subordinated debt
D. Common equity

10. Which of the following is a necessary condition for the lender of last resort rule to be
effective?
A. The central bank should provide liquidity to specific banking institutions and not to the
system as a whole
B. Liquidity should carry low penalty rates to encourage participation in the lender of last
resort scheme
C. The lender of last resort should not require any collateral so the bank can freely
mobilise the funds and ease market uncertainties
D. The liquidity should be extended only to temporarily illiquid institutions, as insolvent
institutions should be allowed to fail.

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. B 2. C 3. A 4. C 5. B 6. A 7. D 8. B 9. C 10. D

CHAPTER 3
KEY COMPONENTS OF RISK
MANAGEMENT IN BANKING
3-1 KEY COMPONENTS OF RISK MANAGEMENT IN BANKING

3. KEY COMPONENTS OF RISK MANAGEMENT IN BANKING

Learning Outcomes

At the end of the chapter, you will be able to:

• Explain the risk management process in banking.

Key Topics

In this chapter, you will be able to read about:

• Overview of the risk management process
• Types of risk
• Communication and consultation
• Risk identification
• Risk assessment
• Risk treatment
• Risk monitoring, metrics, and reporting

Assessment Criteria

During the exam, you will be expected to:

• Examine the components of the risk management process.
• Outline how risks are classified.
• Explain how risk treatment options are used to manage risk.

3.1 OVERVIEW OF THE RISK MANAGEMENT PROCESS

ISO 31000 (2018) defines “risk management process” as:

“A systematic application of management policies, procedures and practices
to the activities of communicating, consulting, establishing the context and
identifying, analysing, evaluating, treating, monitoring and reviewing risk.”

Risk management helps organisations identify potential risks, analyse them, and
take corrective actions to eliminate or reduce the magnitude of the risk. Some
potential risks in banking include IT security threats and data-related risks.


There are five key steps involved in an ideal risk management process. See Figure 3.1.

Communicating and consulting → Establishing the context → Risk assessment →
Risk treatment → Risk monitoring and review

Figure 3.1: The risk management process

3.1.1 Qualities of a Sound Risk Management Process

In banking, risks are inherent in all its products, activities, processes and
systems, and the effective management of risk is a fundamental element of
the bank’s risk management process. Banks commonly rely on three lines of
defence, namely the:

• Business unit management8
• An independent corporate operational risk management function (CORF);
and
• Independent assurance.9

Depending on the bank’s nature, size and complexity, and the risk profile of a
bank’s activities, the degree of formality of how these three lines of defence
are implemented will vary, and a sound risk management process will
reflect the effectiveness of the board of directors and senior management in
administering their portfolio of products, activities, processes, and systems.

[8] The term “business unit” is meant broadly to include all associated support, corporate, and/or shared service functions, for
example: Finance, Compliance, Legal, Human Resources, Operations and Technology, etc. Risk Management and Internal Audit
are not included unless otherwise specifically indicated.
[9] Independent assurance includes verification and validation: verification of the ORMF is done on a periodic basis and is typically
conducted by the bank’s internal and/or external audit but may involve other suitably qualified independent third parties from
external sources. Verification activities test the effectiveness of the overall ORMF, consistent with policies approved by the
board of directors, and also test validation processes to ensure they are independent and implemented in a manner consistent
with established bank policies. Validation ensures that the quantification systems used by the bank are sufficiently robust and
provide assurance of the integrity of inputs, assumptions, methodologies, processes, and outputs. Validation is critical for a
well-functioning ORMF.

BANK RISK PRACTICES


3-3 KEY COMPONENTS OF RISK MANAGEMENT IN BANKING

Below are the qualities of a sound risk management process:

• An integral part of management.
• Embedded in the organisational culture and practice.
• Tailored to the organisation’s business process.

Figure 3.2: Qualities of a sound risk management process.

i. The process should be an integral part of management – For the
risk management process to be effective, it should form part of the
management decision-making process. A risk management process
that is divorced and separated from the management decision-making
process will have limited ability to influence the likelihood that the banks
will be able to achieve their risk management objectives.
ii. The process should be embedded in the organisational culture and
practices – Given the complexity of banks, the risk management process
can only be effective if it is deeply embedded in all the underlying business
activities of these institutions. Regardless of its sophisticated design, the
risk management process will not be effective unless it forms part of its
culture and practices. Risk culture involves an organisation’s collective
behaviours and attitudes toward risks. The Financial Stability Board (FSB)
emphasises the important role that risk culture plays in influencing the
actions and decisions taken by individuals within the institution and in
shaping an institution’s attitude toward its stakeholders.
iii. The process should be tailored to the organisation’s business processes
– No risk management process template can be imposed on any bank.
The process should fit the unique circumstances of the individual bank.
However, the process should meet the minimum standards required by
regulations and international standards.

3.1.2 Risk Management Activities

The first step in implementing a risk management process is to uncover,
recognise, and describe the risks that could have an adverse effect on the
business. Risk identification often proves to be a positive experience that the
whole team can take part in and learn from. It is important to take the opinions
of team members into account in any risk management framework. This helps to identify
the possible risks to a project from each team member’s point of view. It is
also vital to put together a work breakdown structure to see all the necessary
tasks in the project and where risks might emerge.

Once the risks have been identified, the next step is to dig a little deeper and
conduct an in-depth analysis of the risk. This includes finding answers to
critical questions such as how likely these risks are to occur. It is essential
to develop an understanding of the nature of the risk and its potential to
affect project goals and objectives. Factors such as potential financial loss
to the business, the severity of impact and time lost play a part in accurately
analysing each risk.

Next is prioritising the risk. This is one of the most critical steps in the risk
management process. This stage involves ranking each risk by factoring in
its likelihood of happening and its potential effect on the project. It provides
a holistic view of the project at hand and pinpoints where the team’s focus
should lie and identifies workable solutions for each risk. By incorporating this
step in the risk management framework, project delays and interruptions can
be avoided.

The next activity is treating risk. This is also referred to as risk response
planning. This stage involves assessing the highest ranked risks and setting
out a plan for treating or modifying these risks in order to achieve acceptable
risk levels. Teams must create risk mitigation strategies, preventive plans, and
contingency plans in this step.

The final activity is monitoring and reviewing the risk. Clear communication among
the team and various organisation stakeholders is an essential element in
monitoring potential threats. It involves closely monitoring and following up
on both the risks and the overall plan, which helps to monitor and track new
and existing risks continuously. The entire risk management process and
the risk management activities must be constantly reviewed and updated
accordingly.

[Cycle: Identify risk → Analyse risk → Prioritise risk → Treat risk → Monitor/review risk]

Figure 3.3: Risk management activities


3.2 TYPES OF RISK

Due to the large size of some banks, overexposure to risk can cause bank failure and
impact millions of people. Major risks for banks include credit, operational, market,
and liquidity risks. Other types of risk to banks are as follows:

1. Credit risk
   • Transactional credit risk
   • Portfolio credit risk
2. Interest rate risk
   • Traded interest rate risk
   • Structural interest rate risk
3. Exchange rate risk
   • Transaction risk
   • Translation risk or revaluation risk
4. Market risk
   • General market risk
   • Specific market risk
5. Liquidity risk
   • Asset-based liquidity risk
   • Liability or funding based liquidity risk
6. Regulatory risk
7. Operational risk
   • Process risk
   • People risk
   • System risk
   • External event risk
8. Model risk
9. Country risk
10. Business risk
11. Counterparty risk
12. Conduct risk
13. Reputational risk

Figure 3.4: Types of risk in banking

3.2.1 Credit Risk

Credit risk is defined as the potential that a borrower or counterparty will fail
to meet its obligations in accordance with agreed terms. There are two levels
of credit risk, namely transactional credit risk and portfolio credit risk.

Transactional credit risk refers to a credit risk exposure generated on a
transactional level. It is primarily determined by the borrower or counterparty’s
ability and willingness to pay its obligations as they come due. Transactional
credit risk can be further subdivided according to three different types of
exposures:

i. Retail credit risk – The risk of loss due to a consumer’s default on a
consumer credit product arising from the bank’s retail business. The Basel
Committee on Banking Supervision (BCBS) defines retail credit exposures
as homogenous portfolios consisting of a large number of small, low-value
loans with a consumer or small business focus, where the incremental risk of any single
exposure is small.


ii. Corporate credit risk – The risk of loss due to a default of an institutional/
corporate client. Corporate credit risk is usually the largest risk faced by
traditional commercial banks.
iii. Sovereign risk – The risk of loss due to a default of a government on its
financial obligations.

Portfolio credit risk refers to the credit risk exposure of the bank on an
aggregated level. Portfolio credit risk considers the impact of consolidating
individual transactional credit risk exposure on a consolidated bank basis.
This includes taking into account the positive diversification effect of taking
individual exposures on a portfolio level. An important source of portfolio
credit risk is concentration risk. Concentration risk is an exposure with the
potential to produce losses substantial enough to threaten the financial
condition of a banking institution. Concentration risk arises from excessive
exposures to a single counterparty or group of connected counterparties,
a specific instrument, and a specific market segment.

3.2.2 Interest Rate Risk

Interest rate risk is the exposure of the bank’s earnings and financial condition
to adverse movements in interest rates. Interest rate risk is commonly
associated with positions in fixed income securities. There are two types of
interest rate risks:

i. Traded interest rate risk (interest rate risk associated with the bank’s trading
book) – This interest rate risk is associated with financial instruments
traded in the trading book.
ii. Structural interest rate risk (interest rate risk associated with the bank’s
balance sheet) – This interest rate risk arises from financial instruments in
the bank’s banking book.

3.2.3 Exchange Rate Risk

Exchange rate risk, also known as “foreign exchange risk”, is the exposure of
the bank’s earnings and financial condition to adverse movements in foreign
exchange rates. Sources of foreign exchange risk include:

i. Traded foreign exchange risk – This arises from the bank’s market-
making and proprietary trading activities that generate foreign exchange
exposures, e.g., servicing a client’s foreign exchange hedging requirements.
Traded foreign exchange risk normally resides in the bank’s trading book.
ii. Structural foreign exchange risk – This arises from the structural
foreign exchange position imbalance between the bank’s assets and
liabilities. Structural mismatches arise from differences in the currency
denomination of the bank’s assets and liabilities, and from accounting
differences (e.g., investments in foreign currency denominated assets
are translated using historical exchange rates, but financial assets and
liabilities are translated using the closing exchange rates).

There are two types of foreign exchange risk:

i. Transaction risk – This arises from the impact of exchange rates on
foreign currency denominated receivables and payables. It arises from
the difference between the price at which the receivables are collected or
paid, and the price recognised in the bank’s financial statements.
ii. Translation risk or revaluation risk – The risk of changes in the reported
domestic accounting results of foreign operations or transactions due to
changes in foreign exchange rates.

3.2.4 Market Risk

Market risk is defined as the risk of losses in on- and off-balance sheet
positions arising from movements in market prices. Market risk here refers to
market risk that exists in the trading book.

There are two different components of market risk:

i. General market risk – The risk arising from movements in the general
level of market rates and prices. General market risk is also referred to as
systematic market risk. In modern portfolio theory, general market risks
are risks that cannot be diversified away. Events such as a global financial
crisis and recessions are some examples of systematic risks.
ii. Specific market risk (also known as unsystematic market risk) – The risk
arising from adverse movements in market prices that are tied directly to
the performance of a particular security. In modern portfolio theory, specific
market risks are risks that can be eliminated by adequate diversification.

3.2.5 Liquidity Risk

Liquidity risk is the risk arising from the bank’s inability to fund increases in
assets and meet obligations as they come due. There are two main sources
of liquidity risk:

i. Asset-based liquidity risk – One of the ways a bank can fund growth in its
assets or pay its obligations as they come due is to sell its existing assets.
Assets that can easily be converted into cash are generally considered
higher quality (in liquidity terms) than those that are not. This ensures
that the bank can fund increases in assets and pay its obligations without
incurring unacceptable losses. Another important source of asset-based
liquidity risk is off-balance-sheet commitments. Banks frequently
allow a client to borrow funds over a commitment period on demand. This
is referred to as a loan commitment transaction. When the client draws
on its loan commitment, the bank must immediately fund the obligation,
creating a demand for liquidity.
ii. Liability or funding-based liquidity risk – The bank’s liquidity profile is also
largely determined by the quality of its sources of funding, that is, the liability
side of the bank’s balance sheet. When liability holders demand cash by
withdrawing their deposits (or lending), banks need to borrow additional
funds or sell assets to meet the withdrawals. Banks use cash to satisfy the
demands of the liability holders. In times of liquidity stress, volatile sources
of funds (liabilities) would force banks to replace these liabilities in order
to continue to operate as a going concern. In such a situation, replacing
these sources of funds will force banks to accept unacceptable increases
in funding costs. On the other hand, having access to stable sources of funds will give
banks the flexibility not to replace/raise funding in times when it will not be
optimal to do so.

3.2.6 Regulatory Risk

Regulatory risk is defined as the risk of having the license to operate as a bank
being withdrawn by the bank supervisor or the bank supervisor taking prompt
and corrective action through the imposition of conditions or restrictions that
could negatively impact the performance or the economic value of the bank.

3.2.7 Operational Risk

Basel II defines operational risk as the risk of loss resulting from inadequate
or failed internal processes, people and systems, or external events. This
definition includes legal risk but excludes strategic and reputational risk.
There are four main causes of operational risk:

i. Process risk – The risk from faulty overall design and application of internal
business processes.
ii. People risk – The risk that employees do not follow the organisation’s
procedures, practice and/or rules or deviate from expected behaviour.
iii. Systems risk – The risk of failure arising from deficiencies in the bank’s
infrastructure and information technology systems.
iv. External events risk – The risk associated with events outside the bank’s
control.

While operational risk is classified under financial risk in this book, it has
financial and non-financial dimensions. Keyman or key person risk is the risk
of loss arising from losing one or more important members of the bank.
Because of this key person’s knowledge or skills, it will not be easy to replace
this individual immediately. This is an example of operational risk with a
non-financial dimension. Rogue trading or the unauthorised execution of trades by
an authorised trader is an example of an operational risk that has a financial
consequence to the bank.

3.2.8 Model Risk

Banks rely heavily on models for assessing and quantifying risks. A model
refers to a quantitative method, system or approach that applies statistical,
economic, financial, or mathematical theories, techniques, and assumptions
to process input data into quantitative estimates. Models provide a formal
structure for banks to assess, analyse and quantify risks by simplifying the
often complex, dynamic, and interrelated nature of risk exposures to enable
efficient and effective decision-making. Banks often heavily rely on these
simplifications.

Model risk is defined as the risk of loss, incorrect business decisions, financial
reporting errors or reputational damage arising from possible errors and
misapplication of models’ inputs. Model risk received considerable
attention during the height of the 2008 Global Financial Crisis. Many banks
relied on faulty model assumptions in measuring their risk exposures from
complex derivatives. Using the models’ results to formally quantify the risk exposures
led to faulty decisions, leaving many banks stuck with highly illiquid assets.

3.2.9 Country Risk

Country risk is the risk of loss due to events in a particular country that are, to
some extent, under the control of the government. Country risk covers a wider
range of risks than sovereign credit risk. One example of risk within the scope
of country risk is transfer risk. Transfer risk refers to the borrower’s inability
to fulfil its obligations because of government actions, such as restrictions
imposed on the ability of private-sector borrowers to source foreign exchange
to repay their foreign exchange obligations.

3.2.10 Business Risk

The Basel Committee defines business risk as the risk that volumes may
decline, or margins may shrink with no opportunities to offset the revenue
declines with reduced costs. For example, in an economic downturn or
recession, customers may sharply reduce their financing activities. This could
reduce revenue earning opportunities for the bank. Cutting costs may not be
sufficient to offset this reduction in revenue.


3.2.11 Counterparty Risk

Counterparty risk is the risk that a counterparty to a financial contract, such
as derivatives, will default before the contract’s expiration and fail to meet
its obligations under the contract. While counterparty credit risk is classified
under credit risk, a large element determining a bank’s counterparty credit
risk exposure is closely linked to market risk.

3.2.12 Conduct Risk

Conduct risk is the risk of a bank’s activities having a detrimental impact on
customers or negatively impacting market stability. Examples of conduct risk
are mis-selling of financial products and services, market manipulation, and
insider trading.

3.2.13 Reputational Risk

Reputational risk is the risk that may arise from negative publicity regarding an
institution’s business practices. Whether true or not, such publicity can
cause a decline in customer base, costly litigations, or revenue reductions. In
a 2013 Global Survey conducted by Deloitte on more than 300 companies
worldwide, reputational risk was ranked as the biggest risk concern by the
respondents. Reputation is rated as the highest impact risk area for most
individual sectors. The occurrence of a reputational risk event is usually a
result of risk management failure. Reputational risk is the consequence of risk
management failure.

While this text presents individual risks separately, in practice, these risks are
interrelated and correlated. For example, an operational risk error resulting in
systems loss may result in reputational risk with depositors losing confidence
in the reliability of the bank. This may result in asset and liability management
(ALM) or liquidity risk as more depositors withdraw their funds from the bank.

3.3 COMMUNICATION AND CONSULTATION

Communication and consultation are a continuous and iterative dialogue between
the bank and its stakeholders regarding risk management. Communication is a two-
way process that involves sharing information about the risk management process.
It is a process that the bank conducts to provide, share, or obtain information and
engage in dialogues with its stakeholders regarding risk management.


[Figure: Bank and Stakeholders, linked by Communication and Consultation]

Figure 3.5: Risk management process - Step 1

Consultation is a two-way process of informed communication between the
organisation and its stakeholders on an issue before deciding or determining a
direction on that issue. Communication and consultation ensure that the interests
of different stakeholders are understood and considered. This process is important
as stakeholders make judgements on risk based on their perceptions of the risk.
The different perceptions of risk can significantly impact the decisions and choices
made by the bank. Communication and consultation with different stakeholders
also help bring different expertise together to analyse risks and design risk treatment
strategies. Communication and consultation should be done continuously for all
phases of risk management. This helps ensure the adequacy and appropriateness
of each phase of the risk management activities.

3.4 ESTABLISHING CONTEXT

Establishing the context is an important prerequisite before the bank can perform the
risk assessment adequately and effectively. In other words, it allows the organisation
to consider the internal and external factors that must be considered in the risk
assessment phase, establish the scope of the risk management process, and define
the risk criteria for analysing and assessing risks.

[Figure: Establishing context, comprising the external context, the internal context, the risk management process, and the risk criteria]

Figure 3.6: Risk management process - Step 2


3.4.1 The External Context

External context is the external environment in which the organisation seeks
to achieve its objectives. Establishing the external context helps ensure
that external stakeholders’ objectives and concerns are considered when
developing the risk criteria. The external context includes:

• Cultural, social, political, legal, regulatory, financial, technological,
economic, natural, and competitive environment.
• Key drivers and trends having impacts on the organisation’s objectives.
• Relationships with, and perceptions and values of, external stakeholders.

The risks the bank faces are, to a certain extent, influenced by external
events. The bank should identify and examine these events to ensure that
the risk management process adequately and appropriately captures these
external factors. An example, which is of utmost relevance to ASEAN banks, is
the planned regional integration. If it pushes through as planned, the ASEAN
Economic Community (AEC) will be an external factor that could affect the risk
management decisions of many banks. To this end, banks must be prepared
to seize the opportunities and manage this event’s risks. Technological
development is another example of an external factor with potential effects on the banking
industry. For example, crowdfunding, the raising of funds from many people
via the internet, and social media can potentially disrupt commercial and
investment banking business. Another important technological development
is the emergence and rising popularity of digital currencies, such as bitcoin.
Banks should, therefore, consider all crucial external developments or events
in the risk management process.

3.4.2 The Internal Context

Internal context is the internal environment in which the organisation seeks
to achieve its objectives. Internal context is anything within the organisation
that can influence how an organisation undertakes risk. The internal context
can include:

• Governance, organisational structure, roles, and responsibilities.
• Policies, objectives, and the strategies that are in place to achieve them.
• The capabilities of the bank, understood in terms of resources and knowledge.
• Information systems, information flows and decision-making process —
both formal and informal.
• Relationships with, and perceptions and values of, internal stakeholders.
• Organisation’s culture.
• Standards, guidelines, and models adopted by the organisation.
• Form and extent of contractual relationships.


Establishing internal context is important as it helps ensure that the risk
management parameters are appropriate given the unique circumstances
of the bank. There is no one-size-fits-all risk management infrastructure
for the organisation. For risk management to be properly embedded in the
risk culture and processes, the organisation’s unique circumstances and
capacity must be considered.

3.4.3 The Risk Management Process Context


The risk management process context includes the objectives, strategies, scopes, and parameters of
the organisation’s activities, or those parts of the organisation where the risk
management process is being applied. Establishing the risk management
process context involves defining the objectives, strategies, scope, and
parameters of the bank’s activities, particularly concerning the risk
management process. Establishing the risk management process context
typically involves:

• Defining the goals and objectives of risk management activities.
• Defining responsibilities for and within the risk management process.
• Defining the scope as well as the depth and breadth of the risk management
activities to be carried out.
• Defining the activity, process, function, project, product, service or asset in
time and location.
• Defining the relationships between a particular project, process or activity
and other projects, processes, or activities of the organisation.
• Defining the risk assessment methodologies.
• Defining the way performance and effectiveness is evaluated in managing
risk.
• Identifying and specifying the decisions that must be made.
• Identifying, scoping, or framing the studies needed, their extent and
objectives, and the resources required for such studies.

3.4.4 The Risk Criteria

Risk criteria refer to the terms of reference against which the significance of
risk is evaluated. They allow a bank to clearly define the level of risk that the
institution is willing to accept. The risk criteria are used as a framework for the
organisation to assess the significance of its risks. This will enable the bank to
decide whether a certain risk level is acceptable, tolerable, or unacceptable.

Defining the risk criteria and the conditions, which will make risks acceptable,
tolerable, or unacceptable, will be a critical input for the bank to assess
whether taking on the risk exposure is acceptable or not. The following should
be considered when defining the risk criteria:


• Nature and types of causes and consequences that can occur, and how
they will be measured.
• How likelihood is defined.
• The timeframes of likelihoods and/or consequences.
• How the level of risk is determined.
• Views of stakeholders.
• The level at which risk becomes acceptable or tolerable.
• Whether combinations of multiple risks should be taken into account and,
if so, how, and which combinations should be considered.

3.5 RISK ASSESSMENT

Risk assessment is the identification of hazards that could negatively impact a
bank’s ability to conduct business. It encompasses the following activities:

• Risk identification
• Risk analysis
• Risk evaluation

Figure 3.7: Risk management process - Step 3

3.5.1 Risk Identification

Risk identification is the process of finding, recognising, and describing risks. It
involves the identification of the following:

i. Risk sources – A risk source is an element that alone or in combination has
the intrinsic potential to give rise to risk (ISO 31000). For example, credit risk
is one type of risk. A risk source is the bank’s lending activities, which can
give rise to credit risk.
ii. Risk events and their causes – A risk event is the occurrence or change of a particular
set of circumstances. The event can be one or more occurrences and can
have several causes. It can also consist of something not happening. An
event without consequences can also be referred to as a “near-miss”,
“incident”, “near hit”, or “close call”. For example, a risk
event could be a borrower’s default or a counterparty’s creditworthiness
deterioration with respect to credit risk.
iii. Consequences – Risk consequence is the outcome of an event affecting
objectives. The event can lead to a range of consequences, which can be
certain or uncertain and can positively or negatively impact the objectives.
For example, one risk consequence of a counterparty’s creditworthiness
deterioration is the potential adverse impact on the bank’s earnings or
capital.

The objective of risk identification is to generate a comprehensive list of risks
based on specific events that might create, enhance, prevent, degrade,
accelerate, or delay the achievement of objectives. A comprehensive risk
identification process is critical as any risk that is not identified at this stage
may not be included in the risk analysis stage. All significant causes and
consequences must be considered. Risk identification should also include
examining the knock-on effects of consequences. These knock-on effects
may include many risk events and consequences that happen quickly in a
series.

3.5.2 Risk Analysis

Risk analysis is the process of comprehending the nature of risk and
determining the level of risk. It involves developing an understanding of
the risk. Risk analysis provides the basis for risk evaluation and decisions
about how risks should be treated and the most appropriate risk treatment
strategies and methods. It also involves quantifying the magnitude of risk or
combination of risks, expressed in terms of the combination of consequences
and their likelihood.

Risk analysis involves consideration of the:

• Causes and sources of risk.
• Positive and negative consequences of risk.
• The likelihood that those consequences can occur.
• Factors that affect the consequences and likelihood.

Risk analysis should also consider the interdependence of different risks and
their sources. It can be done in a qualitative, quantitative or a combination of
qualitative and quantitative approaches. Consequences and their likelihood
can be determined by:

• Modelling the possible outcomes of an event or set of events.
• Extrapolating from experimental studies or available data.


3.5.3 Risk Evaluation

Risk evaluation is the process of comparing the results of risk analysis with risk
criteria to determine whether the risk and/or its magnitude are acceptable or
tolerable.

The purpose of risk evaluation is to assist in making decisions, based on the
outcomes of the risk analysis, about which risks need treatment and the
priority for risk treatment implementation. It involves comparing the level of
risk quantified during the risk analysis process with established risk criteria.
The decision reached under the risk evaluation process should consider the
following:

• Risk appetite and tolerance of the organisation
• Risk criteria
• Legal regulations and other requirements

3.6 RISK TREATMENT


Risk treatment involves selecting one or more options for handling, controlling or
mitigating risks and implementing those options. It entails a cyclical process of
assessing the risk treatment and deciding whether the residual risks (also referred to
as retained risks) are tolerable or not. Residual risk is the risk remaining after a risk
treatment. If the residual risks are not tolerable, the bank may generate a new risk
treatment.
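
The sequence described in sections 3.5 and 3.6 (analyse the level of risk, evaluate it against the risk criteria, then treat and re-measure residual risk until it is tolerable) is sketched below. This is an added example, not part of the study text: the 1 to 5 rating scales, the score bands, the sample register and the treatment options with their costs are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed risk criteria (section 3.4.4): likelihood and consequence are rated
# on 1-5 scales and the level of risk is their product. Bands are assumptions.
ACCEPTABLE_MAX = 5    # level 1-5  -> acceptable
TOLERABLE_MAX = 12    # level 6-12 -> tolerable; above 12 -> unacceptable


@dataclass
class Treatment:
    name: str
    annual_cost: float              # must be positive
    likelihood_reduction: int = 0   # points taken off the likelihood rating
    consequence_reduction: int = 0  # points taken off the consequence rating


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int
    consequence: int
    applied: list = field(default_factory=list)

    def inherent(self):
        """Level of risk before any treatment."""
        return self.likelihood * self.consequence

    def level(self, trial=()):
        """Residual level after applied treatments plus any trial ones."""
        lik, con = self.likelihood, self.consequence
        for t in [*self.applied, *trial]:
            lik = max(1, lik - t.likelihood_reduction)
            con = max(1, con - t.consequence_reduction)
        return lik * con


def rate(level):
    """Risk evaluation: compare a level of risk with the risk criteria."""
    if level <= ACCEPTABLE_MAX:
        return "acceptable"
    return "tolerable" if level <= TOLERABLE_MAX else "unacceptable"


def prioritise(register):
    """Rank risks from highest to lowest current level."""
    return sorted(register, key=lambda r: r.level(), reverse=True)


def treat(risk, options):
    """Cycle through Figure 3.8 until the residual risk is no longer unacceptable."""
    remaining, log = list(options), []
    while rate(risk.level()) == "unacceptable" and remaining:
        before = risk.level()
        # Step 1: assess options by risk reduction per unit of cost.
        best = max(remaining,
                   key=lambda t: (before - risk.level([t])) / t.annual_cost)
        if risk.level([best]) >= before:
            break  # nothing left reduces the risk; escalate instead
        remaining.remove(best)
        risk.applied.append(best)                     # Steps 2-3: plan, apply
        residual = risk.level()                       # Step 4: measure residual
        log.append((best.name, residual, rate(residual)))
    return log                                        # Step 5 is the loop itself


def build_register():
    """Constructed sample register using risk types from section 3.2."""
    return [
        Risk("Core banking system outage", "Operational / systems", 4, 5),
        Risk("Rogue trading", "Operational / people", 2, 5),
        Risk("Retail borrower default", "Credit / transactional", 4, 2),
        Risk("Loan documentation error", "Operational / process", 2, 2),
    ]


# Constructed treatment options for the outage risk.
OUTAGE_OPTIONS = [
    Treatment("Standby data centre failover", 400_000, consequence_reduction=2),
    Treatment("Patch and change-control programme", 100_000, likelihood_reduction=1),
    Treatment("Second telecom carrier", 150_000, likelihood_reduction=1),
]

if __name__ == "__main__":
    register = prioritise(build_register())
    for r in register:
        print(f"{r.level():>2}  {rate(r.level()):<12}  {r.name}")
    for step in treat(register[0], OUTAGE_OPTIONS):
        print("treated:", step)
```

The risk criteria live in two constants, so changing the bank's assumed tolerance changes which risks enter the treatment loop without touching the analysis.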

3.6.1 The Risk Treatment Process

Step 1: Assessing a risk treatment (identify and evaluate risk treatment options)
Step 2: Planning risk treatment (prepare a risk treatment schedule and action plan)
Step 3: Monitoring effectiveness for that treatment
Step 4: Measuring residual risk (deciding whether residual risk levels are tolerable)
Step 5: Feedback actions (if residual risk is not tolerable, generate a new risk treatment; go back to Step 1 and repeat the process)

Figure 3.8: The risk treatment process


i. Risk treatment assessment – An organisation should select the best option
at its disposal. That involves balancing the costs of implementing each
option against the benefits derived from it regarding legal, regulatory, and
other requirements such as social responsibility. In general, the cost of
managing risks needs to be balanced with the benefits obtained. When
making such cost versus benefit judgments, the context should be taken
into account. It is important to consider all direct and indirect costs and
benefits, whether tangible or intangible, and measure them in financial or
other terms.
ii. Risk treatment plan – Treatment should involve, at the operational level,
preparing and implementing a related plan. It shows how the treatment
options selected will be implemented and integrated with the management
and budgetary processes. Specifically, the information provided in a
treatment plan should include:

▶ The reasons for selecting the treatment options, including expected
benefits;
▶ Who is accountable for approving the plan, and who is responsible for
implementing it;
▶ The actions proposed;
▶ Resource requirements, including contingencies;
▶ Performance measures and constraints;
▶ Reporting and monitoring requirements;
▶ Timing and schedule.

Lastly, responsibilities related to the treatment phase should be assigned,
specifying who is accountable for managing risks (or categories of risk),
implementing treatment strategies, and maintaining risk controls. For this,
the board should ensure that management considers and implements
appropriate risk responses: responsibility for treatment is usually assigned
to the management level (directors-general, heads of divisions, project
managers) and assigned to staff, where appropriate. Management should
also identify and note in the “risk register” those actions selected as
treatment and show how such risk responses improve the organisation’s
performance. Risk owners are designated, according to their respective roles in
the project or process, to set risk treatment plans, although at this
stage responsibilities vary according to the kind of risk (either corporate or
operational). For example, senior managers are responsible for corporate
risks, their mitigation strategies and action plans. Responsibility for
operational risk rests with the divisional levels to which the programme is
assigned.

iii. Risk treatment monitoring – In designing response actions, the controls
must be proportional to the risks. Risk analysis assists such a process
by identifying those risks requiring attention by the management. Risk
control actions will be prioritised in terms of their potential to benefit the
organisation. The effectiveness of internal control is determined by how
much the risk will be either eliminated or reduced by the control measures
proposed. The latter need to be measured in terms of the potential economic
effect if no action is taken versus the cost of the action(s) proposed, and
this invariably requires more detailed information and assumptions than are
readily available. Every response action has a related cost, and the
treatment must offer value for money in relation to the risk controlled by it.
In this regard, options in addressing risk (“risk treatment”) can be further
analysed into four different types of related/associated controls:

▶ Preventative controls – These are designed to limit undesirable
outcomes. The more important it is to avoid an undesirable outcome, the
more appropriate it is to implement preventative controls. Most
controls implemented in organisations tend to belong to this category.
▶ Corrective controls – These are designed to correct undesirable
outcomes that have occurred and provide a way to achieve some
recovery against loss or damage. Contingency planning is an important
element of corrective control.
▶ Directive controls – These are designed to ensure that a particular
outcome is achieved and are particularly important when it is crucial to
avoid an undesirable event, typically one related to health and safety or
security.
▶ Detective controls – These are designed to identify occasions when
undesirable outcomes have occurred. Their effect is, by definition, “after
the event,” so they are only appropriate when the resulting loss or
damage can be accepted.

iv. Residual risk measurement – If a residual risk persists even after treatment,
a decision should be taken about whether to retain this risk or repeat the
risk treatment process. For residual risks deemed high, information should
be collected about the cost of implementing further mitigation strategies.

3.6.2 The Risk Treatment Options

Risk treatment varies widely. Some of the common risk treatment options,
which are not mutually exclusive, are as follows:

i. Avoid risk – One of the risk treatment options is to avoid the risk by
deciding not to pursue or continue with the activity that generates the
risk. In a highly innovative and globalised business environment, banks
are often presented with numerous business opportunities. However, the
organisation may find it prudent to forego those opportunities where the
risks outweigh the potential benefits.

ii. Take or increase risk – Another risk treatment option is to take or increase
risk to pursue a business opportunity. This option can only be taken if the
bank is confident that it has the ability, expertise, and willingness to tolerate
and manage the residual risk arising from the business opportunity that
generates the specific risk.
iii. Remove the risk source – An alternative risk treatment option is to remove
the risk source. An example of this is a risk treatment option called risk
transfer—a strategy that involves the contractual shifting of risk from one
party to another. While this approach effectively removes this type of risk
from the bank, other types of risks may arise. An example is the purchase
of insurance. It may remove the risk from the insured events, but it exposes
the organisation to counterparty credit risk, for example, the risk that the
insurance provider will not be able to fulfil its commitments or obligations
under the contract.
iv. A popular risk transfer mechanism is the use of derivative contracts.
Derivatives are financial instruments whose value depends on the
performance of one or more underlying variables. Derivative contracts
allow the efficient transfer of risk from one party to another.
v. Change likelihood – Another risk treatment option is to reduce the chance
of a risk event happening. The likelihood of a risk event occurring can
be reduced if more rigorous controls are in place. Preventive controls are
designed to keep risk events from occurring. They decrease the likelihood
of a particular risk event happening. Other examples of risk treatment
options are standardisation of business processes and automation of
manual processes to minimise risks due to human errors.
vi. Change consequences – Aside from reducing the likelihood of a risk event
happening, another approach is to reduce the consequence if the risk
event occurs. An example of this risk treatment option is the requirement
for the borrower to post securities or cash as collateral. If the risk event
occurs, the bank (creditor) may sell the securities or use the cash collateral
to minimise the impact of losses arising from the risk event (in this case, a
credit risk event).
vii. Share the risk – Risk sharing is a risk treatment option where the
consequence of risk is distributed among several participants.
viii. Risk retention – Banks may also decide to retain risk using informed
decision-making. Similar to the take or increase risk option, the decision
should be made after considering the bank’s ability and willingness to
retain the specific risk. The decision is made after carefully considering the
results of the risk analysis and the pre-set risk criteria.

The selection of the most appropriate risk treatment strategy involves
balancing the costs and efforts of implementing the strategy against the
benefits derived. When selecting the risk treatment options, the bank should
consider the stakeholder values and perceptions and the most appropriate
way to communicate with them. A risk treatment plan should also be produced
to ensure that individual risk treatments are prioritised in implementation.
The risk treatment plan should be integrated with the bank’s management
processes and discussed with the appropriate stakeholders.

3.7 RISK MONITORING, METRICS AND REPORTING

Risk monitoring is the process of checking, supervising, critically observing or
determining the status of the risk to enable change from the required or expected
performance level. On the other hand, risk review is the process of determining
the suitability, adequacy, and effectiveness of the risk management process. Risk
monitoring and review involve a regular process of checking. It should be a planned
part of the risk management process. The responsibilities for risk monitoring and
reviewing should be clearly defined.

Risk reporting is an important part of the risk monitoring and review process. It
involves documenting and communicating the results of the bank’s risk assessment
and treatment measures to both the internal and external stakeholders. Risk
reporting aims to inform the stakeholders on how the organisation manages its risk
exposures. It plays a critical role in ensuring that the different stakeholders impose
market discipline on the organisation, particularly concerning how it assesses and
manages risks.

Some of the main objectives of the monitoring and reviewing processes are:

• Ensure the controls are effective and efficient in both design and operation.
• Obtain further information to improve risk assessment.
• Analyse and learn lessons from events, changes, trends, successes, and failures.
• Detect changes in the external and internal context.
• Identify emerging risks.

SUMMARY

• Risk management process is a systematic application of management policies,
procedures, and practices to the activities of communicating, consulting, establishing
the context and identifying, analysing, evaluating, treating, monitoring, and reviewing
risk.

• These activities involve the identification, analysis, prioritisation, treatment and
monitoring/reviewing of risks.

• Risks can be classified into credit, interest rate, exchange rate, market, liquidity,
regulatory, operational, model, country, business, counterparty, conduct and
reputational risk.

• Communication and consultation are a continuous and iterative dialogue between
the bank and its stakeholders regarding risk management.

• Establishing the context is an important prerequisite before the bank can perform
the risk assessment adequately and effectively. It involves considering internal and
external factors, establishing the scope of risk management and defining the risk
criteria for analysing and assessing risks.

• Risk assessment is the identification of hazards that could negatively impact a bank’s
ability to conduct business and involves identification, analysis, and evaluation of risks.

• Risk treatment involves selecting one or more options for modifying risks and
implementing those options.

• Risk monitoring and review involve a regular process of checking to observe whether
the risk management process is performing as intended.

END OF CHAPTER PRACTICE QUESTIONS

1. The bank must focus on its core sectoral expertise when lending to clients. However,
excessive focus on one sector could be risky from the bank’s perspective also. Which of
the following best describes the risk?
A. Individual risk
B. Transactional risk
C. Concentration risk
D. Market risk

2. Bank XYZ is not comfortable with Project Xeno as it is a greenfield project. For that, Bank
XYZ would require a guarantee from the project’s sponsor – a well-known company with
a solid track record and is creditworthy. This is an example of -
A. Change the likelihood
B. Change the consequence
C. Remove the risk source
D. Avoid risk

3. Bank ABC has an existing fixed-rate loan to transform into a floating rate to minimise fair
value risk. For this, Bank ABC entered a fixed-to-float interest rate swap. This risk treatment
strategy is an example of:
A. Change the likelihood
B. Change the consequence
C. Remove the risk source
D. Avoid risk

4. Requiring collateral is a risk treatment strategy that results in:
A. Change the likelihood
B. Change the consequence
C. Remove the risk source
D. Avoid risk

5. This is the risk of the bank’s activities having a negative impact on customers or negatively
impacting market stability.
A. Conduct risk
B. Reputational risk
C. Business risk
D. Market risk

6. Which of the following is not among the objectives of risk monitoring?
A. A regular process of checking and supervising
B. Critically observing the status of level
C. Determine the status of risk to enable change from the required or expected
performance level
D. Determine the suitability, adequacy, and effectiveness of the risk management
process

7. This refers to documentation and communication of the results of the bank’s risk
assessment and treatment measures.
A. Risk assessment
B. Risk reporting
C. Risk review
D. Risk monitoring

8. Statement 1: Operational risk is a risk arising from people, process, system or external
events. Statement 2: Operational risk is a risk that is only non-financial and thus, must be
classified as non-financial risk.
A. Statement 1 is correct. Statement 2 is incorrect.
B. Statement 1 is incorrect. Statement 2 is correct.
C. Both statements are correct.
D. Both statements are incorrect.

9. Which of the following should be considered in risk identification?
A. Sources
B. Consequences
C. Likelihood
D. All of the above

10. Elon Musk resigning as CEO of Tesla with respect to the market risk of owning Tesla is an
example of:
A. General market risk
B. Credit risk
C. Benchmark risk
D. Specific market risk

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. C 2. A 3. C 4. B 5. B 6. D 7. B 8. A 9. D 10. D

CHAPTER 4
RISK MODELS

4. RISK MODELS

Learning Outcomes

At the end of the chapter, you will be able to:

• Examine the use of models in risk management.

Key Topics

In this chapter, you will be able to read about:

• Mathematical and statistical concepts in risk measurement
• Models

Assessment Criteria

During the exam, you will be expected to:

• Understand the purpose of the mathematical and statistical concepts used in risk
models.
• Identify the purpose of risk models in the risk management process and their
potential shortcomings.

4.1 MATHEMATICAL AND STATISTICAL CONCEPTS IN RISK MEASUREMENT

When Basel I was first published, the document came out with only eight pages
and few equations (for example, how to calculate capital adequacy ratio and
risk-weighted assets), which required only minimal arithmetic skills. In 2013, when Basel
III was published, it contained 78 calculus equations (more than 100 by now with the
finalisation of certain revisions to the market risk framework) and dozens of statistical
methodologies for the market, credit, operational, and liquidity risk. It is, therefore,
important for risk managers to have a big-picture perspective on the mathematical
and statistical foundations of risk measurement.

4.1.1 Expected Value

Expected value refers to the probability-weighted outcome of any random
variable. It is calculated by multiplying each potential outcome’s probability
by its cash inflow (outflow) and adding up the results.

Illustrative Example–1

Expected value calculation

Bank ABC is evaluating a potential investment with a 95% chance of
getting US$10 million and a 5% chance of getting US$0 when the borrower defaults.
Calculate the expected value of the investment.

Solution:

95% x US$10,000,000.00 = US$9,500,000.00

5% x US$0.00 = US$0.00

Expected value = US$9,500,000.00

This expected value thinking has been so pervasive in finance and risk
management that it is always taken as given. This approach is so important
that it is the primary engine of many risk management models used today,
such as expected credit loss accounting (IFRS 9) and provisioning, loan
pricing, mark-to-market, derivatives valuation, equity valuation, option
pricing, recovery rate modelling, simulation, etc. Surprisingly, this thinking can
be traced back to the 17th century when the mathematics of probability was
formalised by Blaise Pascal and Pierre de Fermat. Believe it or not, the origin
of risk management thinking came from a simple gambling experiment, the
problem of points, that puzzled intellectuals of those times.
(Fermat to Pascal, 1654)

Illustrative Example–2

Problem of points
Player 1 and Player 2 contributed 500,000 each to a prize pot.

Total prize = US$1,000,000

Player 1 and Player 2 agreed that the first player who wins in four rounds would
collect the entire US$1,000,000

Problem: How can we divide this prize money fairly when one player quits the
game, and no winner has yet been declared based on the rules (first to win in
four rounds)?

For example:

           Round 1   Round 2   Round 3   Round 4
Player 1   Win       Win       Win       Lose
Player 2   Lose      Lose      Lose      Win

How to divide the stakes fairly between Player 1 and Player 2?

Solution 1: Luca Pacioli Solution – The accounting solution

Luca Pacioli, the father of accounting/bookkeeping, invented the double-entry
bookkeeping system of debit and credit.

His solution is simple: divide the prize in proportion to the number of rounds
won by each player.

Applying his solution, the response is straightforward:

i. Player 1 won in 3 out of 4 rounds = 3/4 x US$1,000,000.00 = US$750,000.00
ii. Player 2 won in 1 out of 4 rounds = 1/4 x US$1,000,000.00 = US$250,000.00

Let’s take a step backwards and reflect on the mental model that
underlies this solution:

The proportion used tells us something about our philosophy
of fairness.

The philosophy applied is based on past winnings (for example, Player 1 won 3
out of 4 times; therefore, Player 1 deserves ¾ of the total prize).

The solution seems to make sense at first glance. However, there is a big
dilemma in the Luca Pacioli criterion. What if this scenario happens?

           Round 1
Player 1   Win
Player 2   Lose

Applying the Luca Pacioli criterion of allocating the prize based on past winnings,
Player 1 should get 1/1 or 100% of the prize! This then brings an interesting dilemma
– why would Player 1 push through with the game if, supposing only one round has
been played, he or she can only lose by continuing?

Solution 2: Pascal/Fermat Solution

This started the revolution in our understanding of risk. This solution shifted the
focus of thinking away from past performance to thinking about the future
outcome. This is a revolutionary change in risk management thinking.

According to Fermat/Pascal, one should not look at past winnings. Instead, look
at the future.

There are two questions that should be answered:

i. How many more theoretical future rounds are needed for there to be a
declared winner?
ii. What are the outcomes under those theoretical rounds?

Take the case below and see the answers to the two questions above.

           Round 1   Round 2   Round 3   Round 4
Player 1   Win       Win       Win       Lose
Player 2   Lose      Lose      Lose      Win

How many more theoretical rounds? Three more future rounds (Rounds 5, 6, and 7)

• Player 1 needs to win in 1 more future round.
• Player 2 needs to win in 3 more future rounds.

By the future third round, a winner should be declared regardless of the outcome.
Why is this so?

If Player 2 does not win all of the next three rounds, it means Player 1 has won at
least one round. If Player 1 has not won any round by the future third round
(Round 7), Player 2 has won 3 rounds.

What are the outcomes under rounds 5, 6, and 7?

Scenario   Round 5   Round 6   Round 7
1          Win       Win       Win
2          Win       Win       Lose
3          Win       Lose      Win
4          Win       Lose      Lose
5          Lose      Lose      Lose
6          Lose      Lose      Win
7          Lose      Win       Lose
8          Lose      Win       Win

From Player 1’s perspective, who only needs to win in one round, he or she
will win in 7 out of the 8 future scenarios above.

Therefore, Player 1 should get:

7/8 x USD 1,000,000 = USD 875,000.

From Player 2’s perspective, who needs to win in 3 rounds, he or she will win in
only 1 out of the 8 future scenarios above.

Therefore, Player 2 should get:

1/8 x USD 1,000,000 = USD 125,000.

This is a significant shift from Luca Pacioli’s way of thinking. Here, we looked
at future outcomes and applied probabilities (instead of simple historical
ratio and proportion) in assessing the fair way to allocate payoffs.

This is the intellectual origin of expected value. Expected value is pervasive
in approaching risk management problems (mark-to-market, project
finance analysis, expected credit loss modelling, option pricing theory, etc.).
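The two solutions to the problem of points can be compared side by side in code. The following is an added example, not part of the original study text: it reproduces the US$750,000/US$250,000 and US$875,000/US$125,000 splits and goes beyond the text by handling any score and any per-round win probability. The function names and the parameter `p` are assumptions introduced for illustration; the text's own example corresponds to a fair 50/50 round.

```python
"""Problem of points: Pacioli's split versus the Pascal/Fermat split (added example)."""
from fractions import Fraction
from functools import lru_cache
from itertools import product

HALF = Fraction(1, 2)  # assumption: every round is a fair 50/50 contest


def pacioli_split(wins_p1, wins_p2, pot):
    """Backward-looking rule: share the pot in proportion to rounds already won."""
    played = wins_p1 + wins_p2
    if played == 0:
        raise ValueError("no rounds played, so the proportion is undefined")
    return Fraction(wins_p1, played) * pot, Fraction(wins_p2, played) * pot


@lru_cache(maxsize=None)
def p1_win_probability(need_p1, need_p2, p=HALF):
    """Forward-looking rule: chance that Player 1 collects need_p1 more wins
    before Player 2 collects need_p2 more wins."""
    if need_p1 == 0:
        return Fraction(1)   # Player 1 has already reached the target
    if need_p2 == 0:
        return Fraction(0)   # Player 2 has already reached the target
    return (p * p1_win_probability(need_p1 - 1, need_p2, p)
            + (1 - p) * p1_win_probability(need_p1, need_p2 - 1, p))


def p1_win_probability_by_scenarios(need_p1, need_p2, p=HALF):
    """Same answer obtained the way the text does it: list every scenario of
    the (need_p1 + need_p2 - 1) theoretical future rounds and weight each one."""
    rounds = need_p1 + need_p2 - 1
    total = Fraction(0)
    for scenario in product(("Win", "Lose"), repeat=rounds):  # from Player 1's side
        wins = scenario.count("Win")
        if wins >= need_p1:
            total += p ** wins * (1 - p) ** (rounds - wins)
    return total


def pascal_fermat_split(target, wins_p1, wins_p2, pot, p=HALF):
    """Divide the pot by each player's probability of winning from here on."""
    need_p1, need_p2 = target - wins_p1, target - wins_p2
    if need_p1 <= 0 or need_p2 <= 0:
        raise ValueError("the game already has a winner")
    prob = p1_win_probability(need_p1, need_p2, p)
    return prob * pot, (1 - prob) * pot


if __name__ == "__main__":
    pot = 1_000_000
    # The case in the text: first to four wins, score 3-1 after Round 4.
    print("Pacioli        3-1:", [float(x) for x in pacioli_split(3, 1, pot)])
    print("Pascal/Fermat  3-1:", [float(x) for x in pascal_fermat_split(4, 3, 1, pot)])
    # The dilemma case: only one round played, score 1-0.
    print("Pacioli        1-0:", [float(x) for x in pacioli_split(1, 0, pot)])
    print("Pascal/Fermat  1-0:", [float(x) for x in pascal_fermat_split(4, 1, 0, pot)])
```

With a 1-0 score the backward-looking rule hands Player 1 the whole pot, while the forward-looking rule gives 21/32 of it, which removes the incentive to quit after one lucky round.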

4.1.2 The Concept of Mean Reversion and the Law of Large Numbers

Standard deviation or volatility can be simply visualised as the distance
(deviation) away from a stable value (i.e., mean or average). Unlike in
other risk measures, the standard deviation is compared against a stable
benchmark value. Therefore, it is important to understand the nature of this
long-run stable value.

Figure 4.1: The dice experiment

The dice experiment is a testing model used to test probability and statistics.
In that experiment, each individual will roll the dice and anticipate that the
outcome can be any number between 1 and 6. It is hard to predict the individual
outcome of a single roll of the dice. However, something interesting happens as
we roll the dice many times (for example, 1000 times). As seen in the three
scenarios below, as the individual rolls the dice more, the outcome tends to
be predictable and stable, stabilising at around 3.5 on average.

No. of Rolls   Scenario 1 Average   Scenario 2 Average   Scenario 3 Average
1              4                    5                    4
2              3.5                  5                    4.5
5              4                    4                    4
10             2.7                  3.7                  4.4
20             3.4                  3.55                 3.8
50             3.28                 3.46                 3.62
100            3.38                 3.51                 3.51
200            3.49                 3.43                 3.465
500            3.482                3.354                3.498
1000           3.553                3.471                3.461

Figure 4.2: The simulation outcome of the dice experiment

In short, the dice experiment is predictable in the long run, and the result is
the average. This is also what is known as the law of large numbers. This states that
the long-term value of a random variable can be estimated as the average.
In finance and risk management, this phenomenon is also known as mean
reversion. Everything will go back to the average, and risk can be quantified as
the deviation from the long-run average outcome. Risk models that are used
in practice rely heavily on the use of this mean reversion concept. The use of
standard deviation as a measure of risk is one example of such application.
Another application is the Basel Committee on Banking Supervision (BCBS)
requirement to maintain a longer data set for using internal models for internal
capital calculation purposes for the market, credit, and operational risk. The
law of large numbers indicates that the sample historical data should be long
enough to rely on the mean or average as the stable reference value.
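The dice experiment can be rerun in code to see how quickly the average settles and why a longer data set gives a more reliable mean. The following is an added example, not part of the original study text: it records the running average at the same roll counts as Figure 4.2 and compares the spread of the average across many scenarios with the standard result that this spread shrinks in proportion to one over the square root of the number of rolls. The function names, the seeds and the choice of 200 scenarios are assumptions made for illustration.

```python
"""Law of large numbers with a fair die (added example; seeds are arbitrary)."""
import math
import random
import statistics

FACES = (1, 2, 3, 4, 5, 6)
CHECKPOINTS = (1, 2, 5, 10, 20, 50, 100, 200, 500, 1000)  # roll counts in Figure 4.2
LONG_RUN_MEAN = sum(FACES) / len(FACES)                    # 3.5
SINGLE_ROLL_STD = math.sqrt(
    sum((face - LONG_RUN_MEAN) ** 2 for face in FACES) / len(FACES)
)                                                          # about 1.708


def running_averages(seed, checkpoints=CHECKPOINTS):
    """Roll one die repeatedly and record the average so far at each checkpoint."""
    rng = random.Random(seed)
    wanted = set(checkpoints)
    total, averages = 0, {}
    for n in range(1, max(checkpoints) + 1):
        total += rng.choice(FACES)
        if n in wanted:
            averages[n] = total / n
    return averages


def standard_error(n_rolls):
    """Theoretical spread of the average of n_rolls rolls around 3.5."""
    return SINGLE_ROLL_STD / math.sqrt(n_rolls)


def spread_of_average(n_rolls, scenarios=200, seed=0):
    """Observed spread: standard deviation of the average across many scenarios."""
    rng = random.Random(seed)
    averages = [
        sum(rng.choice(FACES) for _ in range(n_rolls)) / n_rolls
        for _ in range(scenarios)
    ]
    return statistics.stdev(averages)


if __name__ == "__main__":
    runs = [running_averages(seed) for seed in (1, 2, 3)]  # three scenarios
    print("rolls  scen.1  scen.2  scen.3")
    for n in CHECKPOINTS:
        print(f"{n:5d}  " + "  ".join(f"{run[n]:6.3f}" for run in runs))
    print("\nrolls  observed spread  theoretical spread")
    for n in (10, 100, 1000):
        print(f"{n:5d}  {spread_of_average(n):15.4f}  {standard_error(n):18.4f}")
```

Going from 10 to 1000 rolls cuts the spread of the average by a factor of ten, which is the quantitative reason a short history is a weak basis for a stable reference value.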

4.1.3 Average

Average is one of the most important concepts in finance and risk
management. Average is also known as the measure of central value or
tendency. This measure answers the question, “what is the likely value of the
dataset?” There are three main measures of central tendency, and each has
different applications. See Figure 4.3.

Types of average and their descriptions:

Mean – Mean is calculated as the sum of all individual measures divided
by the total number of observations. For example:

Observations              Total of each observation
1                         100
2                         150
3                         200
4                         300
5                         150
Sum of all observations   900

Mean = Sum of the observations / Number of observations
     = 900 / 5
     = 180

Median – Median is the value of the observation at the middle of the dataset. In
calculating the median, it is important to rank the dataset from lowest
to highest or vice-versa. The median is the midpoint of the dataset.

Using the dataset above, the observations are ranked from lowest to
highest.

Rank (Lowest to Highest)   Observations
1                          100
2                          150
3 (median)                 150
4                          200
5                          300

Mode – Mode is the most frequently observed value in the dataset. Using the
dataset above, the most frequently observed value is 150 (observed
twice in the dataset).

Figure 4.3: Types of average

Illustrative Example–3

Calculating the mean returns

Below are the individual returns of Stock XYZ:

Day 1   5%
Day 2   6%
Day 3   7%
Day 4   8%
Day 5   9%

Calculate the mean returns:

Step 1 – Calculate the sum of the individual outcomes

5% + 6% + 7% + 8% + 9% = 35%

Step 2 – Divide by the number of observations

35% / 5 = 7%

The use of mean as a measure of central tendency is relevant if the distribution is symmetric
(i.e., there are no outliers or extreme values). If the dataset contains extreme values, the mean
would not be representative of central tendency.

Illustrative Example–4

Warren Buffett and the Problem of Mean

In a room, there are four individuals. The net worth of each individual is US$1,000,000. A
surprise guest, Warren Buffett, entered the room. His net worth is US$70 billion.

The mean net worth of the five people in the room is US$14 billion: (US$1m + US$1m +
US$1m + US$1m + US$70 billion) / 5.

It is clear in this illustration that the mean is not the appropriate measure of central
tendency as the likely net worth of the five individuals is not US$14 billion. The results were
skewed by the presence of our extraordinarily wealthy fifth guest, Warren Buffett.

To resolve this problem, a better measure of central tendency or location is the median.
Median is the middle observation when data is sorted from smallest to largest.

Illustrative Example–5

Calculating the median returns

Below are the individual returns of Stock XYZ:

Day 1   5%
Day 2   6%
Day 3   7%
Day 4   8%
Day 5   9%

Calculate the median returns:

Step 1 – Rank the returns from smallest to highest.
Step 2 – Get the middle observation.
Note: for an even number of observations, the median is the average of the two
middle observations.
Answer: 7%

In the Illustrative Example above, the median and the mean are the same
because the returns are symmetric. However, if there are extreme values
(outliers), the median presents a superior measure of central tendency.

Illustrative Example–6

Warren Buffett and the Power of Median

In a room, there are four individuals. The net worth of each individual is
US$1,000,000. A surprise guest, Warren Buffett, entered the room. His net
worth is US$70 billion.

The median net worth of the five people in the room is:

Person 1   USD 1 million
Person 2   USD 1 million
Person 3   USD 1 million
Person 4   USD 1 million
Person 5   USD 70 billion

The use of the median helps mitigate the impact of the outlier. Here, the
median net worth of the five individuals is at USD 1 million (which makes
sense given that four out of five have a net worth of US$1 million).

Mode is another measure of central tendency, which is the most frequently
occurring value. In the Warren Buffett illustration above, the mode net worth
is US$1 million. Mode is applied in relatively few instances. One application of
mode is if we are interested in identifying or predicting what value may come
next. For example, Department XYZ appears to be the department where
fraud most frequently occurs. Hence, it is common to expect that the next
fraud case would probably happen in Department XYZ.

4.1.4 Variance and Standard Deviation

Variance and standard deviation are common measures of dispersion.
Measures of dispersion or variability indicate how spread out a distribution is.
These measures are important as they indicate how unpredictable the outcome
is for a given distribution. These measures include the range as well. Range is the
simplest dispersion and variability measure. It is calculated by getting the
difference between the highest value and the lowest value.

Illustrative Example–7

Calculating the Range

Below are the individual returns of Stock XYZ:

Daily Returns
Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 9%

Solution:
Range = Maximum value - minimum value
= 9% - 5%
= 4%

This means that the difference between the maximum and minimum
value is 4%. The higher the range, the higher the spread or variability
within the dataset and the more dispersed the outcome.

Below is the return to Stock DEF:

Daily Returns
Day 1 5%
Day 2 6%
Day 3 9%
Day 4 9%
Day 5 9%

Here the range is:

Range = Maximum value - minimum value
= 9% - 5%
= 4%

While the range of the returns for both Stock XYZ and Stock DEF is the same,
it is clear that Stock DEF has the more unpredictable profile.

Stock XYZ grows in predictable increments versus Stock DEF. Stock DEF, on
the other hand, grows in a less than linear fashion.

A better alternative to using a range is the use of variance as a measure of
variability. Variance is calculated as the average of the squared deviations
of each random variable from the mean. To simplify this, variance can be
visualised as a measure quantifying the distance away from mean or other
measures of central tendency (with mean being the most commonly used
measure of central tendency).

The Illustrative Example below shows how variance is calculated. From the
calculation, variance is nothing more than the average degree to which each
data point differs from the mean (or other measures of central tendency). This
means that the greater the range of numbers within a data set, the greater
the variance number will be, and therefore, it is expected to be difficult to
predict the outcome in a data set.

Illustrative Example–8

The advantage of Variance vs Range

        Stock XYZ   Stock ABC
Day 1   5%          5%
Day 2   6%          6%
Day 3   7%          9%
Day 4   8%          9%
Day 5   9%          9%

In the earlier section on the range, we noted that one of the problems in using range is that it
looks at two data points only – the maximum and minimum value in the observation. The
ranges of Stock XYZ and Stock ABC are both 4%. Using our intuitive hunch, it appears that
Stock ABC is more unpredictable than Stock XYZ.

How do we quantitatively confirm our hunch? By calculating the variance of both Stock
XYZ and Stock ABC and comparing the two.

Based on the table above, the variance of Stock XYZ is 0.025%. The variance of Stock ABC
can be calculated as follows:

        Stock ABC   Average   Deviation   Squared Deviation
Day 1   5%          8%        -3%         0.09%
Day 2   6%          8%        -2%         0.04%
Day 3   9%          8%        1%          0.01%
Day 4   9%          8%        1%          0.01%
Day 5   9%          8%        1%          0.01%

Sum of squared deviation = 0.16%
Divided by the number of observations minus 1 = 0.16% / 4 = 0.04%

Stock XYZ variance = 0.025%
Stock ABC variance = 0.04%

We can see from the outcome of the variance analysis that the range is not giving us a
complete picture. Stock ABC has a higher spread or variability than Stock XYZ.

Variance gives us a picture of how far the random variables are from each
other, but it does not tell us how far each random variable is away from the
most likely outcome (or the measure of central tendency). Standard deviation
measures how far each variable is from the mean or average. It is calculated
simply as the square root of the variance.

Illustrative Example–9

Calculating the Standard Deviation

Below are the returns of Stock XYZ:

Daily Returns
Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 9%

Solution:

Calculate the square root of the variance

The square root of the variance is √variance = √(0.025%) = 1.58%

Standard deviation provides important information on how far away each
random variable is from the mean. This means that each random variable
is an average of 1.58% away from the mean. In risk management, we refer
to standard deviation as volatility. It is one of the most pervasive measures
of risk. Let us stop to think about it and reflect on the big-picture meaning of
standard deviation as a measure of risk. Standard deviation calculates how
far each observation is away from the mean. Mean is a measure of central
tendency and indicates the most likely value of a data set. Therefore, standard
deviation indicates the distance between each random variable against a
predictable value. The larger the spread or the distance or the deviation is,
the harder it is to rely on the mean as the basis for forecasting risk.

4.1.5 Random Variables

The concept of random variables is important to understand in the context of
what we are trying to achieve in risk measurement: to come up with estimates
of future outcomes in terms of likelihood and impact. These future outcomes
are random. The concept of randomness indicates something that did
not systematically occur as planned. It occurs as a result of chance or
uncertainty. Random variables assign a numerical value to each possible
random outcome. There are two types of random variables, namely
discrete random variables and continuous random variables.

i. Discrete random variables – These random variables assume only exact
values or values with a limited number of outcomes associated with each
realisation. Examples of discrete random variables are:

▶ Outcomes of a dice experiment (1,2,3,4,5,6)
▶ Number of clients defaulting in a certain industry for a certain credit
rating category
▶ Frequency of incidents of fraud in a year

ii. Continuous random variables – These are random variables that could
have an infinite number of possible values. Examples
of continuous random variables are:

▶ Market price (100.1, 105, 110, 111.75, 111.88)
▶ Probability of Borrower XYZ defaulting in 1 year. While it is true that
probability has bounded outcomes (between 0% and 100%), the outcome
is not finite. It can be 8.01%, 8.02%, or 8.0225%. This is still within the 0% to
100% boundary, but the outcome is not finite and cannot be counted.
▶ Impact of incidents of fraud in a year (USD 100,000; USD 105,000; … USD
1,000,000 … USD 1,000,000,000)

It is important to distinguish between discrete and continuous random
variables as different probability distributions are used depending on the
type of random variables. For example, normal distribution simulates future
prices and returns (since market prices are continuous random variables).
In simulating the frequency of operational loss events, Poisson distribution is
used, which describes probability outcomes for discrete random variables.

4.1.6 Random Processes

A random process, also known as a stochastic process, is a process that
evolves randomly; “stochastic” is the term used to describe such a process.
Variables such as market prices can be described as random
in an efficient market. It is important to have assumptions on how random
processes work to understand future scenarios for random variables.

In 1900, Louis Bachelier, a relatively unknown French mathematician, wrote
his doctoral dissertation titled “Théorie de la Spéculation”. The dissertation
became one of the landmark documents in quantitative finance and risk
management. The central thesis of this important academic work is that
the asset’s current price is the best predictor of the future price. This means,
in accordance with the efficient market hypothesis, price should capture
all available information, and therefore, there’s no need for anything else
except to use the current price as a reference point. Regardless, there is still
some reservation about this hypothesis. Bachelier used the Brownian motion to
analyse fluctuations in prices. Brownian motion is a model used to describe
how a random variable may evolve. Brownian motion is used to refer to
mathematical models that describe random movements. In the Brownian
motion, we use initial price as the basis to predict future values.

Figure 4.4: Brownian’s motion in a nutshell (diagram: Brownian Motion is made up of Drift and Random Walk).

The return of any asset class can be decomposed into two parts, namely
the drift and random walk. The drift is the long-term average return of the
asset. Previously, in 4.1.3, it was stated that the long-run returns would revert
to the mean return. However, in the short run, there are noises. These noises
are driven by two main factors: volatility or standard deviation and a random
part.

Figure 4.5: Asset return using Brownian’s motion

The equation above shows that if volatility is zero, the random part (epsilon)
does not influence the overall return, and the drift will primarily drive return. On
the other hand, the more volatile the underlying asset is, the more influential
the random part (second part) of the equation is, and therefore, noises or
random walks influence the return of the underlying asset instead of the drift.
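
The decomposition described above can be simulated as follows. This is an added Python example, not taken from the study text; it assumes the common discrete form return = drift × Δt + volatility × √Δt × ε with ε drawn from a standard normal distribution, and the drift, volatilities, step size and starting price of 100 are constructed values.

```python
import math
import random


def simulate_returns(drift, volatility, steps, dt=1 / 252, seed=42):
    """Return a list of (drift_part, random_part) tuples, one per time step.

    Assumed discrete form (the equation itself is not printed in the text):
        return = drift * dt + volatility * sqrt(dt) * epsilon
    where epsilon is a standard normal draw.
    """
    if steps <= 0 or dt <= 0 or volatility < 0:
        raise ValueError("steps and dt must be positive, volatility non-negative")
    rng = random.Random(seed)  # fixed seed: every volatility sees the same shocks
    parts = []
    for _ in range(steps):
        epsilon = rng.gauss(0.0, 1.0)
        parts.append((drift * dt, volatility * math.sqrt(dt) * epsilon))
    return parts


def price_path(initial_price, parts):
    """Roll the initial price forward using each step's total return."""
    path = [initial_price]
    for drift_part, random_part in parts:
        path.append(path[-1] * (1.0 + drift_part + random_part))
    return path


def random_share(parts):
    """Share of the total absolute movement that comes from the random part."""
    drift_total = sum(abs(d) for d, _ in parts)
    random_total = sum(abs(r) for _, r in parts)
    total = drift_total + random_total
    return 0.0 if total == 0 else random_total / total


def compare_volatilities(drift=0.08, volatilities=(0.0, 0.05, 0.40), steps=252):
    """Constructed scenario: same drift and shocks, three volatility levels."""
    results = {}
    for vol in volatilities:
        parts = simulate_returns(drift, vol, steps)
        results[vol] = {
            "final_price": price_path(100.0, parts)[-1],
            "random_share": random_share(parts),
        }
    return results


if __name__ == "__main__":
    for vol, row in compare_volatilities().items():
        print(f"volatility={vol:.0%}  final price={row['final_price']:.2f}  "
              f"random share of movement={row['random_share']:.1%}")
```

With zero volatility the path is pure drift; as volatility rises, the random part accounts for a growing share of the movement.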

4.1.7 Statistical Distributions

Statistical distribution refers to measures of shape, also known as measures
of symmetry. Measures of symmetry and shape describe the pattern of data
within a dataset. There are two patterns to be understood in the dataset.

Question 1:
“Does the data indicate symmetric outcomes (i.e. equal chance of positive or
negative outcomes)?” If not, “Is the data skewed towards positive or negative
outcomes?”

Question 2:
“Does the data contain extreme values or outliers more than what a
symmetric (normal) distribution predicts?”

To answer these questions, it is important to understand what is meant by
“normal distribution”. A normal distribution is one of the most commonly used
statistical distributions in risk management. It is known to govern many natural
phenomena (such as the famous height illustrations in university textbooks
on statistics) or financial phenomena (such as stock market returns over a
long time). One striking feature of a normal distribution curve is its bell
shape. Therefore, normal distribution is more popularly referred to as the
“bell shape curve”.

Figure 4.6: A normal distribution curve (horizontal axis from -3 to 3)

The bell shape feature tells us a few things about the normal distribution:

i. The weight of the distribution is concentrated at the centre of the bell
curve – That centre is the mean or the average. To test this, see below that
if the average of all the observations in the normal distribution were taken,
it would come to zero. This is why the mean is an appropriate measure of
central tendency if the data is normally distributed.

Figure 4.6: The mean in a normal distribution curve (the mean, as the central tendency, is marked at 0 on an axis from -3 to 3)

ii. The observations are symmetric around the mean – Visually, the left
side of the distribution (below the mean) mirrors exactly the right side of
the distribution (above the mean). This implies equal chances of seeing
observations below the mean (left side) and above the mean (right side).

Figure 4.7: The symmetry around the mean (normal distribution curve with the mean marked at the centre of an axis from -3 to 3)

iii. Extreme values (below or above the mean) are not likely to occur – Extreme
values are represented by the tail of the normal distribution curve. As
shown in the graph below, more extreme values on both ends of the curve
(-3 and +3) are expected to occur infrequently (observations on outliers
are expected to be very minimal).

Figure 4.8: The extreme values in a normal distribution curve (normal distribution curve with the mean marked at the centre of an axis from -3 to 3)

A normal distribution would exhibit symmetry around the mean. However, in
many instances, the data may exhibit preference or skew for one side of the
distribution versus the other.

Figure 4.9: The concept of skewness (panels: Negative Skew, Positive Skew)

A dataset exhibits negative skew if the tail of the distribution is longer on the
left than on the right (i.e., the left side is longer than the right side). This implies
more data on the left tail than what is expected in a symmetric distribution
like the normal distribution. This means that the distribution is skewed to the
left. An example of a negative skew dataset is the operational risk loss data
set. Due to operational errors, banks may experience some luck and realise
gains instead of losses (or recoveries are higher than operational losses
incurred). But this is very unlikely, as operational loss events are expected
to result in losses more often than gains, and therefore, the loss dataset is
skewed to the left.

A dataset exhibits positive skew if the tail of the distribution is longer on the
right than on the left. This implies more data on the right tail than what is
expected in a normal distribution. This means that the distribution is skewed
to the right. An example of a positive skew data set is market prices. For many
asset classes, prices can never go below zero (not true for some; for example,
in 2020, oil prices traded below zero). However, there is a chance that prices
will go significantly higher. This makes some price data sets skewed to the
right (positively skewed). Skew is not to be calculated by hand. A function in
EXCEL called =SKEW helps to calculate the SKEW. However, interpreting the skew
is to be done offline. Below is a simple guideline to interpret the outcome of
the skew calculation:

Skew below -1.0: highly skewed
Skew between -1.0 and -0.5: moderately skewed
Skew between -0.5 and +0.5: symmetrical
Skew between +0.5 and +1.0: moderately skewed
Skew above +1.0: highly skewed

Figure 4.10: Visualising the outcome of skew

The skewness of a normal distribution is zero. Any symmetric data should
have a skew of zero.

Illustrative Example–10

Calculating the skew of the dataset

Note: In this exam, you are not expected to calculate skew by hand. A
function in EXCEL called =SKEW helps to calculate the SKEW.

Case 1:
Below are the individual returns of Stock XYZ:

Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 9%

Solution:
Skew = 0.00

Interpretation: The skew of the above data set is 0.00. This means that the
distribution is symmetrical and follows a normal distribution.

Case 2:
Below are the stock returns of Stock HIJ:

Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 -9%

Solution:
Skew = -2.10

Interpretation: As the skew is more negative than -1.0, it is clear that this
data set is negatively skewed (outlier exists and leans toward the left side
of the distribution).

Case 3:
Below are the stock returns of Stock KLM:

Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 90%

Solution:
Skew = +2.23

Interpretation: As the skew is greater than +1.0, it is clear that this data
set is positively skewed (outlier exists, and extreme values are above the
average).

In a normal distribution, extreme values (both on the left and right side of the
distribution) are expected to happen infrequently relative to what a normal
distribution predicts. Kurtosis is a statistical measure that indicates the
weight of the tail. The heavier the tail is (the higher the kurtosis), the higher
the probability of seeing extremely large and extremely small values. Kurtosis
is usually compared against the kurtosis of a normal distribution. A normal
distribution has a kurtosis of three. The difference between the kurtosis of an
observed data set and the kurtosis of three of a normal distribution is known
as excess kurtosis. A normal distribution exhibits a mesokurtic distribution with
excess kurtosis of zero. Below is an example of what a mesokurtic distribution
looks like:

Figure 4.11: A mesokurtic distribution

A positive excess kurtosis means that the dataset has a heavier tail than a
normal distribution, and therefore, more extreme values are expected than
what the normal distribution predicts. This distribution is also known as
leptokurtic. Below is an example of what a leptokurtic distribution looks like:

Figure 4.12: A leptokurtic distribution

A couple of observations on the leptokurtic distribution:

• The distribution is “taller” than a normal distribution (peaking at the centre)
• Tail is heavier

A negative excess kurtosis means that the dataset has a lighter tail than a
normal distribution, and therefore, fewer extreme values are expected than
what the normal distribution predicts. This distribution is also known as
platykurtic.

Figure 4.13: A platykurtic distribution

Illustrative Example–11

Calculating the excess kurtosis of the dataset

Note: In this exam, you are not expected to calculate excess kurtosis by
hand. A function in EXCEL called =KURT is available to calculate excess
kurtosis.

Case 1:
Below are the individual returns of Stock XYZ:

Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 9%

Solution:
Excess Kurtosis = -1.20

Interpretation: The excess kurtosis of the above dataset is -1.20. It means
that the distribution is platykurtic, and we expect less extreme values than
what the normal distribution predicts.

Case 2:
Below are the stock returns of Stock HIJ:

Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 -9%

Solution:
Excess kurtosis = 4.50

Interpretation: As excess kurtosis is a positive amount, we expect the
distribution to exhibit leptokurtic characteristics.

Case 3:
Below are the stock returns of Stock KLM:

Day 1 5%
Day 2 6%
Day 3 7%
Day 4 8%
Day 5 90%

Solution:
Excess kurtosis = 4.98
Interpretation: Note that it doesn’t matter whether it’s a positive or negative
extreme value (unlike in skewness). The fact that there is an outlier makes
this distribution a leptokurtic distribution.
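
The skew and excess kurtosis figures in Illustrative Examples 10 and 11 can be reproduced without a spreadsheet. This is an added Python example, not part of the study text; it assumes the sample formulas documented for Excel's =SKEW and =KURT, and the function names are hypothetical.

```python
import math

# Daily returns in percent, taken from Illustrative Examples 10 and 11.
# Skew and kurtosis do not depend on the unit, so percent values are fine.
RETURNS = {
    "XYZ": [5, 6, 7, 8, 9],
    "HIJ": [5, 6, 7, 8, -9],
    "KLM": [5, 6, 7, 8, 90],
}


def _standardised(values, minimum):
    """Return (n, z-scores) using the sample standard deviation (n - 1)."""
    n = len(values)
    if n < minimum:
        raise ValueError(f"need at least {minimum} observations")
    mean = sum(values) / n
    variance = sum((x - mean) ** 2 for x in values) / (n - 1)
    if variance == 0:
        raise ValueError("all observations are identical")
    std = math.sqrt(variance)
    return n, [(x - mean) / std for x in values]


def skew(values):
    """Sample skewness (assumed to match Excel's =SKEW)."""
    n, z = _standardised(values, 3)
    return n / ((n - 1) * (n - 2)) * sum(v ** 3 for v in z)


def excess_kurtosis(values):
    """Sample excess kurtosis (assumed to match Excel's =KURT)."""
    n, z = _standardised(values, 4)
    scale = n * (n + 1) / ((n - 1) * (n - 2) * (n - 3))
    correction = 3 * (n - 1) ** 2 / ((n - 2) * (n - 3))
    return scale * sum(v ** 4 for v in z) - correction


def describe_skew(value):
    """Apply the guideline bands of Figure 4.10 (-1.0, -0.5, +0.5, +1.0)."""
    if abs(value) <= 0.5:
        return "symmetrical"
    side = "negatively" if value < 0 else "positively"
    strength = "highly" if abs(value) > 1.0 else "moderately"
    return f"{strength} {side} skewed"


def describe_tail(value, tolerance=1e-9):
    """Name the tail shape from the sign of the excess kurtosis."""
    if value > tolerance:
        return "leptokurtic"
    if value < -tolerance:
        return "platykurtic"
    return "mesokurtic"


def summarise(returns=RETURNS):
    """Return {stock: (skew, skew label, excess kurtosis, tail label)}."""
    summary = {}
    for name, values in returns.items():
        s, k = skew(values), excess_kurtosis(values)
        summary[name] = (round(s, 2), describe_skew(s), round(k, 2), describe_tail(k))
    return summary


if __name__ == "__main__":
    for name, row in summarise().items():
        print(name, row)
```

Both statistics are undefined for very small samples (fewer than three observations for skew, four for excess kurtosis) or when every observation is identical, which is why the helper raises an error in those cases.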

Correlation measures the strength and direction of the relationship between
two variables. A correlation coefficient is a number between -100% and 100% that
provides a picture of the statistical relationship between the two variables.
There are two types of correlation relationship:

i. Positive correlation – This means that the two variables being analysed tend
to move together. This means that if variable one increases,
variable two also increases. The closer the positive correlation is to 100%
(perfectly correlated), the stronger the relationship is.
ii. Negative correlation – This means that the two variables being analysed tend
to move inversely against each other. This means that if variable one
increases, variable two is expected to decrease. The closer the negative
correlation is to -100% (negatively correlated), the stronger the negative
correlation is.

Illustrative Example–12

Measures of association
Below are the quarterly stock returns of Exxon Mobil (energy company)
and quarterly Crude Oil (WTI Index) returns (from September 2015 to March
2020):

| | Exxon Mobil | Crude Oil |
|---|---|---|
| 9/30/2015 | -11% | -24% |
| 12/31/2015 | 5% | -18% |
| 3/31/2016 | 7% | 4% |
| 6/30/2016 | 12% | 26% |
| 9/30/2016 | -7% | 0% |
| 12/30/2016 | 3% | 11% |
| 3/31/2017 | -9% | -6% |
| 6/30/2017 | -2% | -9% |
| 9/29/2017 | 2% | 12% |
| 12/29/2017 | 2% | 17% |
| 3/30/2018 | -11% | 7% |
| 6/29/2018 | 11% | 14% |
| 9/28/2018 | 3% | -1% |
| 12/31/2018 | -20% | -38% |
| 3/29/2019 | 18% | 32% |
| 6/28/2019 | -5% | -3% |
| 9/30/2019 | -8% | -8% |
| 12/31/2019 | -1% | 13% |
| 3/31/2020 | -46% | -66% |

Intuitively, the price returns of an oil company would have a strong
relationship with crude oil returns.

[Chart: Exxon Mobil vs Crude Oil; vertical axis from -80% to 40%; series: Exxon Mobil, Crude Oil]

Looking at the scatterplot diagram above, it can be seen that Exxon Mobil
and crude oil move together (i.e., stock price returns are negative for Exxon
Mobil if crude oil prices decline; stock price returns are positive for Exxon
Mobil if crude oil price returns increase).

To formalise this, we use a statistical metric called correlation. Using the
Excel CORREL function, we calculated correlation at 88% (a high positive
correlation).
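
The 88% figure can be recomputed from the table in Illustrative Example 12. This is an added Python example, not part of the study text; it assumes CORREL is the Pearson correlation coefficient, and the leave-one-out check goes beyond the text to show how much a single extreme quarter drives the result. The function names are hypothetical.

```python
import math

# Quarterly returns in percent from Illustrative Example 12:
# (quarter end, Exxon Mobil, Crude Oil).
QUARTERLY_RETURNS = [
    ("9/30/2015", -11, -24), ("12/31/2015", 5, -18),
    ("3/31/2016", 7, 4), ("6/30/2016", 12, 26),
    ("9/30/2016", -7, 0), ("12/30/2016", 3, 11),
    ("3/31/2017", -9, -6), ("6/30/2017", -2, -9),
    ("9/29/2017", 2, 12), ("12/29/2017", 2, 17),
    ("3/30/2018", -11, 7), ("6/29/2018", 11, 14),
    ("9/28/2018", 3, -1), ("12/31/2018", -20, -38),
    ("3/29/2019", 18, 32), ("6/28/2019", -5, -3),
    ("9/30/2019", -8, -8), ("12/31/2019", -1, 13),
    ("3/31/2020", -46, -66),
]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long series."""
    if len(xs) != len(ys):
        raise ValueError("series must have the same length")
    n = len(xs)
    if n < 2:
        raise ValueError("need at least two observations")
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        raise ValueError("correlation is undefined for a constant series")
    return cov / math.sqrt(var_x * var_y)


def correlation(rows):
    """Correlation between the two return columns of the table."""
    return pearson([r[1] for r in rows], [r[2] for r in rows])


def leave_one_out(rows):
    """Recompute the correlation with each quarter removed in turn.

    Returns (quarter, correlation without it) pairs, ordered so that the
    quarter whose removal changes the result the most comes first.
    """
    full = correlation(rows)
    results = []
    for i, row in enumerate(rows):
        reduced = rows[:i] + rows[i + 1:]
        results.append((row[0], correlation(reduced)))
    results.sort(key=lambda item: abs(item[1] - full), reverse=True)
    return results


if __name__ == "__main__":
    print(f"full sample: {correlation(QUARTERLY_RETURNS):.0%}")
    quarter, value = leave_one_out(QUARTERLY_RETURNS)[0]
    print(f"most influential quarter: {quarter} (correlation without it: {value:.0%})")
```

Dropping the March 2020 quarter alone lowers the coefficient from 88% to about 77%, so a large part of the measured relationship comes from one extreme observation.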

Boxed Article 1 presents a correlation matrix between Petronas Chemicals and
other macro variables using weekly returns from February 2020 to May 2020.

Boxed Article 1

Correlation Matrix

Some insights implied from the correlation matrix above:

i. Petronas Chemicals returns have the strongest statistical relationship
(91%) with the Malaysia Stock Exchange Index (expected given that Petronas
Chemicals is a Malaysian company), and the relationship is positive.
This means that Petronas Chemicals returns are expected to increase if
the Malaysia stock exchange increases.
ii. Petronas Chemicals has a strong negative correlation with the Malaysia
CDS (-83%). This means that stock prices increase if the Malaysia CDS
decreases (sovereign becomes safer from a credit risk perspective).
This is logical given Petronas Chemicals is domiciled in Malaysia.

4.2 MODELS

Risk measurement is an important part of the risk management process and in
understanding the nature of risk and determining the level of risk exposure of
the bank. Risk measurement provides a basis for risk evaluation and decisions
on how risks should be treated and managed. Risk management deals with the
study of risk or the effect of uncertainty on attaining the banking organisation’s
business objectives. An important aspect of risk management is the quantification
or measurement of risk. Risk measurement is a prerequisite to sound risk
management.

Risk measurement is key to understanding risk. However, risk measurement is
far from being an exact science. This was shown by the effect of the 2008 Global
Financial Crisis on the global banking industry. Risk models that had been accepted
as a foolproof representation of risks had broken down in the worst financial crisis
since the Great Depression. Just when many had become exuberant about their
ability to quantify risks, many of these models failed at the time when they were
needed the most. The failure of these models, however, does not mean that they do
not have any value. They are still useful representations of economic reality. It is
important to be aware of the limitations of risk models and treat these models as
what they are: approximations of economic realities. The Office of the Comptroller
of the Currency (OCC) of the Federal Reserve defines models as:

“Quantitative method, system or approach that applies statistical, economic,
financial or mathematical theories, techniques and assumptions to process
input data into quantitative estimates.”

4.2.1 Model Risk

Model risk is the potential for adverse consequences from decisions based
on incorrect or misused model outputs and reports. It can result in financial
loss, poor business and strategic decision making, and damage the bank’s
reputation.

i. Financial loss.

Boxed Article–2

Value at risk model masked JP Morgan US$2 billion loss (Whittall, 2012)
Dimon revealed the Chief Investment Office’s VaR had almost doubled
from an average of US$67m for the first quarter to US$129m after scrapping
the Chief Investment Officer (CIO) new model and revising the figures
appropriately. JP Morgan has decided to revert to the methodology the
CIO used to calculate VaR in 2011.

“In the first quarter, we implemented a new VaR model, which we now
deemed inadequate, and went back to the old one that we used for the
past several years, which we deemed to be more adequate,” Dimon
explained on a conference call with analysts.

The revelations vividly illustrate the potential for banks’ internal risk
models to produce vastly different results that can have real economic
impacts. The case may well bring into focus once more how bank VaR
models can hinder as well as aid risk management.

Dimon laid the blame for the CIO losses squarely at the feet of the trading
strategy aimed at reducing the CIO’s synthetic credit portfolio hedge,
which he said was “flawed, complex, poorly reviewed, poorly executed
and poorly monitored.”

However, there seems little doubt that the new VaR model masked the
losses racking up in the CIO by artificially depressing the potential risks
the bank was exposed to.

The CIO’s average VaR for the first quarter was US$67m under the new
VaR model. This was broadly in line with the average CIO VaR for 2011 of
US$60m, calculated under the old model.

ii. Poor business and strategic decision making

Boxed Article–3

Recipe for Disaster – The Formula that Killed Wall Street (Salmon, 2009)
For five years, Li’s formula, known as a Gaussian copula function, looked
like an unambiguously positive breakthrough, a piece of financial
technology that allowed hugely complex risks to be modelled with
more ease and accuracy than ever before. With his brilliant spark of
mathematical legerdemain, Li made it possible for traders to sell
vast quantities of new securities, expanding financial markets to
unimaginable levels.

Everybody adopted his method, from bond investors and Wall Street
banks to ratings agencies and regulators. And it became so deeply
entrenched—and was making people so much money—those warnings
about its limitations were ignored.

Then the model fell apart. Cracks started appearing early on when
financial markets began behaving in ways that users of Li’s formula had
not expected. The cracks became full-fledged canyons in 2008—when
ruptures in the financial system’s foundation swallowed up trillions of
dollars and put the survival of the global banking system in serious peril.

Li’s Gaussian copula formula will go down in history as instrumental
in causing the unfathomable losses that brought the world financial
system to its knees.

iii. Damage to bank’s reputation

Boxed Article–4

SEC Charges AXA Rosenberg for Concealing Error in Model (U.S.
Securities and Exchange Commission, 2011)

Today, the Securities and Exchange Commission charged three AXA
Rosenberg entities with securities fraud for concealing a significant error
in the computer code of the quantitative investment model that they use
to manage client assets. The error caused $217 million in investor losses.

AXA Rosenberg Group LLC (ARG), AXA Rosenberg Investment Management
LLC (ARIM), and Barr Rosenberg Research Centre LLC (BRRC) have agreed
to settle the SEC’s charges by paying $217 million to harmed clients plus a
$25 million penalty and hiring an independent consultant with expertise
in quantitative investment techniques who will review disclosures and
enhance the role of compliance personnel.

The SEC found that the error introduced into the model in April 2007 was
eventually fixed for all portfolios. However, knowledge of the error was
kept from ARG’s Global CEO until November 2009. ARG then conducted an
internal investigation and disclosed the error to SEC examination staff in
late March 2010 after being informed of an impending SEC examination of
ARIM and BRRC. ARG disclosed the error to clients on April 15.

The SEC’s order further found that ARG, BRRC, and ARIM made material
misrepresentations and omissions about the error to ARIM’s clients. The
firms failed to disclose the error and its impact on client performance,
attributed the model’s underperformance to market volatility rather than
the error, and misrepresented its ability to control risks. BRRC did not have
reasonable compliance procedures to ensure that the model would
assess certain risk factors as intended. The coding process for the model
represented a serious compliance risk for BRRC and its clients because
accurate coding is required for the model to function properly and in the
manner represented to clients.

4.2.2 Model Validation

Model validation is the set of processes and activities intended to verify that
models perform as expected, in line with their design objectives and business
uses. The key components of model validation are as below:

Figure 4.14: Elements of model validation (Conceptual soundness, Ongoing monitoring, Outcomes analysis)

i. Conceptual soundness – This involves assessing the quality of the model
design and construction, which comprises the following activities:

▶ Review of documentation and empirical evidence supporting the
methods used and variables selected for the model.
▶ Ensure that the models used are backed by solid research and empirical
evidence.
▶ Review soundness of theoretical construction, key assumptions, data
and specific mathematical calculations.
▶ Assess the stability of the model in response to small changes in inputs.
If the model exhibits large sensitivity for small input changes, this
should be a red flag. Sensitivity analysis outcomes should fall within the
expected range of outcomes.
▶ The use of common sense and logic should be applied in testing the
reasonability of the output from the models.

ii. Ongoing monitoring – This ensures that the model is appropriately
implemented and used and is performing as intended. Ongoing monitoring
is also relevant to evaluate whether changes in the business environment
necessitate recalibration or replacement of the bank’s existing risk models.
Ongoing monitoring involves process verification and benchmarking.
Process verification checks that all model components are functioning as
intended. Benchmarking involves comparing a given model’s inputs and
outputs to estimates from alternative internal or external data or models.
iii. Outcome analysis – This involves the comparison of model outputs to
actual outcomes. Back-testing is one of the common ways to perform
outcomes analysis. Back-testing involves comparing actual outcomes with
model forecasts during a sample period not used in model development
and at an observation frequency that matches the forecast horizon or
performance.

4.2.3 Purpose of Risk Models in the Risk Management Process

Banks rely on quantitative models in most aspects of risk management
and decision-making. Models are simplified representations of reality and
relationships among characteristics, values, and quality. Model refers to a
quantitative method, system or approach that applies statistical, economic,
financial, or mathematical theories, techniques, and assumptions to process
input data into quantitative estimates. These quantitative estimates are
used in almost every aspect of risk management, such as:

Figure 4.15: Purpose of models (diagram: Models at the centre, surrounded by Risk evaluation, Valuing positions, Capital adequacy, Accounting, Risk appetite, Risk control and Stress testing)

i. Risk evaluation – Risk models are used to evaluate whether to take the risk
or not (for example, in credit underwriting). For example, in the area of credit
risk, the risk evaluation is the calculation of transaction return economics
on whether the credit margin charged to the borrower is in line with the
risk/return priorities of the bank (for example, a multiple of expected credit
loss).
ii. Quantifying and valuing positions – Banks take substantial market risk
positions in proprietary investments and client servicing activities. This
requires exposures to be valued periodically and monitored by the risk
management department.
iii. Capital adequacy – Basel III risk-based capital framework requires banks
to have the ability to calculate the economic capital it needs to hold
given its risk appetite and given the level of risks it is taking. Therefore, risk
models are central to the overall internal capital adequacy assessment
process. Without these risk models, it will be hard to formalise and quantify
the risks that banks are taking. Banks’ Pillar III disclosure requires extensive
disclosure of the types of risk management models and approaches banks
use.
iv. Accounting – For the bank’s market and credit risk positions, risk models
are used to quantify the level of exposure and the amount of income or
loss that must be recognised as a result of taking certain risk exposures.
For example, under IFRS 9, banks must measure expected credit loss (ECL)
from its credit risk generating position. This requires the use of risk models.
Banks are also required to disclose financial risk management objectives
and strategies, which requires some linkage with the banks’ risk models.
v. Risk appetite – Risk models are required inputs for banks to define their
risk appetite. For example, the banks’ economic capital setting requires
extensive risk models from different parts of risks (i.e., to quantify the
theoretical capital that the bank needs to hold for taking market, credit,
and operational risk).
vi. Risk control – Risk models are used to set and monitor limits. Risk models
are used to alert or identify emerging risks.
vii. Stress testing – Risk models are used to understand the ability of banks to
survive in a severe, adverse environment. Special tools also identify the risk
that risk models do not perform in the specific type of environment
where they are needed the most.

4.2.4 The Potential Shortcomings

Models have three components, namely the input component, processing
component and the reporting component. The input component delivers
assumptions and data to a model. The processing component transforms
inputs into quantitative estimates. The reporting component translates these
estimates into useful business information. The potential shortcomings to
these three components would result in model risk. Model risk occurs primarily
due to the following reasons:

i. Fundamental errors that may result in inaccurate outputs:

▶ Wrong application of theory
▶ Choice of sample design
▶ Selection of inputs and estimation
▶ Implementation in information systems

Errors can occur in any of the steps in the generic process. Banks may
use the theory of mean reversion and efficient markets to justify normal
distribution in quantifying market risk exposures (for example, in an illiquid
market). This may present a significant model risk for the bank, particularly
because it fails to consider the unique circumstances of financial assets.
Many financial assets, particularly illiquid assets, exhibit negatively skewed
properties. Further, illiquid assets may have insufficient market data, which
can justify using the theory of mean reversion.

A recent real-life example of how model risk arises from erroneous
implementation in information systems is what had transpired in the JP
Morgan “London Whale Trading Scandal” in 2012. Spreadsheet errors arose
because the bank implemented a new risk model under the new Basel
market risk requirements. The use of a temporary spreadsheet led to errors
which misstated important risk exposures.

The use of estimates and approximations is commonly done in practice.
This is particularly relevant for complex risk positions. Banking organisations
sometimes use simplifying assumptions in coming up with an estimate of
complex risk exposure. These simplifications may compromise the integrity
and reliability of the model outputs.

ii. Incorrect use of models – Even a fundamentally sound model may still result
in losses from the model as it may not be appropriate to use it in a specific
context. For example, the use of historical simulation may be appropriate
in many instances. However, using a historical-based approach, Models
are simplified approximations of reality. Many banking organisations and
their regulators place undue reliance on models to accurately represent
their full risk exposures.
For instance, many banks relied on probabilistic risk models that quantify
exposures at a very high confidence level (for example, 99%). Many
believed that using models (such as value-at-risk) which estimate losses
at a very high confidence level would be equivalent to saying that these
risks will not occur or are highly unlikely to occur.

This proved to be a dangerous assumption. As Nassim Taleb, the
famous author and former options trader, once said, the objective of risk
management is survival. This means that the institution will either survive
or fail. One of the key limitations of a probabilistic model is that no matter
how high the confidence level, if the unlikely event occurs, it may threaten
the ability of the organisation to continue to survive.

The use of the probabilistic model conflicts with the deterministic objective
to survive. This key limitation should be understood by management to
avoid giving a false level of confidence that a rare event will not occur.
Management should be aware of the limitations and uncertainties in the
model. It should identify changes in the environment that may render the
use of current risk models irrelevant.


4.2.5 Model Back-Testing

Back-testing is a model validation technique that involves the comparison
of actual outcomes with model forecasts during a sample time period. The
objective of the outcome analysis is to assess whether the outcomes fall
outside predetermined ranges or confidence intervals. When outcomes fall
outside these predetermined ranges, this will trigger investigation as to the
significance of the deviation and the frequency. The objective of back-testing
is to assess:

• Whether the differences arose from omission of material risk factors from
the models
• Error in model specification or assumptions
• Whether the deviation is systematic or random and is consistent with the
model performance expectation.
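
As an added illustration (not code from the study text), the sketch below back-tests a hypothetical 99% one-day value-at-risk forecast against a constructed profit-and-loss series. It goes slightly beyond the text by using a binomial tail probability as the predetermined range and by counting back-to-back exceptions as a simple sign of systematic rather than random deviation; the function names, the 5% significance threshold and all figures are assumptions made for the example.

```python
"""Back-test of a 99% one-day VaR forecast on constructed data (added example)."""
import math


def binomial_tail(n, k, p):
    """Return P(X >= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def constructed_pnl(days, loss_days, normal_pnl=0.1, loss=-1.5):
    """Build a constructed daily P&L series: a small gain on every day
    except the days listed in loss_days, which carry a large loss."""
    return [loss if d in loss_days else normal_pnl for d in range(days)]


def backtest(pnl, var_forecasts, confidence=0.99, significance=0.05):
    """Compare actual outcomes with model forecasts over a sample period.

    pnl           -- actual daily profit or loss (losses are negative)
    var_forecasts -- the model's VaR for the same days (positive numbers)
    An "exception" is a day on which the actual loss exceeded the forecast.
    """
    if not pnl or len(pnl) != len(var_forecasts):
        raise ValueError("pnl and var_forecasts must be non-empty and equal in length")

    exceptions = [
        day for day, (actual, var) in enumerate(zip(pnl, var_forecasts))
        if actual < -var
    ]
    n = len(pnl)
    p_exceed = 1 - confidence

    # Frequency check: how likely is it to see at least this many exceptions
    # if the model really does capture losses at the stated confidence level?
    p_value = binomial_tail(n, len(exceptions), p_exceed)

    # Systematic-versus-random check: exceptions on consecutive days suggest
    # the model is missing a risk factor or reacting too slowly.
    adjacent_pairs = sum(1 for a, b in zip(exceptions, exceptions[1:]) if b - a == 1)

    return {
        "exceptions": len(exceptions),
        "expected": n * p_exceed,
        "p_value": p_value,
        "reject_model": p_value < significance,
        "adjacent_pairs": adjacent_pairs,
    }


if __name__ == "__main__":
    days = 250                      # roughly one trading year (assumption)
    var = [1.0] * days              # constant VaR forecast, constructed

    # Model A: two isolated exceptions, in line with the 2.5 expected.
    model_a = backtest(constructed_pnl(days, {40, 180}), var)
    # Model B: nine exceptions, eight of them on consecutive days.
    model_b = backtest(constructed_pnl(days, set(range(100, 108)) | {200}), var)

    for name, result in (("A", model_a), ("B", model_b)):
        print(name, result)
```

Model A stays within the expected range, so no investigation is triggered; Model B breaches it and its exceptions cluster, which points to a systematic deviation.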


SUMMARY

• Quantitative risk models are based on probabilistic models that rely heavily on
statistical approaches. This starts with the concept of understanding a base case
value. Risk is defined as any deviation from the expected value.

• The first level of statistical analysis is a discussion of a central measure of
value (concept of average); the second level of statistical analysis involves the
assessment of deviation from the central value (standard deviation, volatility); the
next level of analysis involves assessing the directional skew of data (positively or
negatively skewed); and the final level of analysis is the assessment of the existence
or dominance of outliers in the data.

• Normal distribution is one of the most commonly used statistical distributions in risk
management. However, normal distribution has some important assumptions on
the data – outliers are infrequent, average is an appropriate measure of central
value and data is symmetric. Alternative statistical distributions should be used in
situations where the use of normal distribution is inappropriate.

• Models are representations of reality and must not be taken at face value. Effort
should be undertaken to make sure that models are performing as intended
through a process called model validation.

• Back-testing involves the comparison of forecasted results (i.e., forecasted by
models) against actual results to test the reliability of the models used and how they
are performing in practice.


END OF CHAPTER PRACTICE QUESTIONS

1. Data 1: Probability of Default, Data 2: 1 = Default and 0 = Default
A. Data 1 is discrete. Data 2 is continuous
B. Data 1 is continuous. Data 2 is discrete
C. Both Data 1 and Data 2 are discrete
D. Both Data 1 and Data 2 are continuous

2. Which of the following is the best measure of central tendency if extreme outliers are in
the data set?
A. Mean
B. Median
C. Mode
D. All of the Above

3. There are more losses in the dataset than gains. This is an example of:
A. Positive kurtosis
B. Negative kurtosis
C. Positive skew
D. Negative skew

4. Variable A and Variable B have almost -100% correlation. Which of the following is an
incorrect way to interpret the results?
A. Variable A and B have a significantly weak relationship because of the negative sign
B. Variable A and B have a strong relationship
C. As Variable A increases, variable B is expected to decrease.
D. As Variable A decreases, Variable B is expected to increase

5. Financial market returns are expected to exhibit which of the following?
A. Positive kurtosis
B. Negative kurtosis
C. Both A and B
D. None of the Above

6. Correlation is a measure of ______.
A. Central tendency
B. Tendency
C. Shape
D. Association


7. Negative excess kurtosis means that the dataset has ______ tail than the normal distribution
and therefore extreme values are ______ expected than what normal distribution predicts.
A. Lighter, less
B. Lighter, more
C. Heavier, less
D. Heavier, more

8. Wrong spreadsheet linking in the case of the London Whale trading scandal that resulted
in massive understatement of risk exposure and wrong hedges is an example of:
A. Input error
B. Processing error
C. Output error
D. Reporting error

9. This involves assessing the quality of the model design.
A. Conceptual soundness
B. Ongoing monitoring
C. Outcomes analysis
D. Model validation

10. In the Brownian motion, the return of a financial asset can be decomposed into two, the
stable part and the random part. The random part is driven by:
A. Drift
B. Epsilon
C. Volatility
D. Both B and C

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. B 2. B 3. D 4. A 5. A 6. D 7. A 8. B 9. A 10. D

CHAPTER 5
CREDIT RISK MANAGEMENT

5. CREDIT RISK MANAGEMENT

Learning Outcomes

At the end of the chapter, you will be able to:

• Explain the use of models to estimate the probability of default, recovery rates and
credit risk exposure for different types of transactions in credit risk management.

Key Topics

In this chapter, you will be able to read about:

• Sources of credit risk
• Typology of standalone credit risk
• Overview of portfolio credit risk
• Probability of default models
• Loss given default models
• Exposure at default
• Expected credit loss (ECL) – MFRS9
• Portfolio credit risk models
• Credit risk mitigation techniques

Assessment Criteria

During the exam, you will be expected to:

• Outline the managing of credit risk exposure profile by applying the different credit
risk mitigation techniques.
• Understand credit risk measurement in the portfolio context.
• Explain how default models are used.

5.1 SOURCES OF CREDIT RISK

Credit risk in the banking organisation arises from the bank’s lending activities. It
would be simplistic to assume that this only arises from the lending department.
Credit risk arises from different banking activities. Credit risk arises from:

• Loans and advances
• Investment securities
• Off-balance sheet activities
• Derivatives


5.1.1 Credit Risk From Loan and Advances

For most banks (especially commercial banks), loans and advances represent
the largest source of credit risk. Different banks have different specialisations or
strengths as credit institutions. Commercial and industrial loans are loans that
are provided to the bank’s corporate client base. These loans are generally
used to either finance the short-term working capital requirements of these
companies and other short-term funding needs or finance the longer-term
capital needs of companies including for maintenance and growth capital
expenditures, new ventures, and permanent increases in working capital
required. These loans can either be secured or unsecured. Secured loans are
loans that are backed by the assets of the borrower. If the borrower defaults,
the bank would have rights or claim on these assets. Unsecured loans are
loans that only provide a general claim to the assets of the borrower in the
event of default.

5.1.2 Credit Risk From Investment Securities

Banks, as part of their investment portfolio, hold investment securities that
can be bought or sold in the market. Securities are held for many reasons
– for liquidity purposes (an example of this would be short-term treasury
bills which are near cash equivalents and considered as high-quality liquid
assets) or for longer term strategic purposes – either to earn from the interest
accrual from the security or to earn from capital appreciation.

Investment securities, while usually managed from a market risk
perspective, are also subject to credit risk. The issuer of the securities may
default. However, the risk mitigating feature of investment securities is that they
can be actively traded and therefore, it would be easier to cut losses in the
event of potential credit events.

5.1.3 Credit Risk From Off-Balance Sheet Exposures

Credit risk also arises from off-balance sheet activities that banks engage
in. What are off-balance sheet activities that generate credit exposure? These
are commitments that banks make that are not yet contractual obligations
but could potentially result in credit exposure upon the occurrence of credit
events. Examples of off-balance sheet activities that generate credit risk are
as follows:

• Loan commitments – these are contractual commitments for banks to lend
up to a predefined amount at a stated interest rate. Loan commitments
tend to be drawn down during difficult credit conditions (i.e., market
conditions where funding dries up and corporate clients have limited
access to funding other than tapping their existing loan commitments with
banks).
• Commercial letters of credit – these are contingent guarantees sold by the
bank to underwrite the trade or commercial performance of the purchaser
of the guarantee.
• Standby letters of credit – these are guarantees issued to cover contingencies
that are potentially more severe and less predictable than contingencies
covered under trade-related or commercial letters of credit.

5.1.4 Credit Risk From Derivatives

Derivatives are financial instruments whose value depends on the performance
of the underlying variable. Entering into derivatives entails contingent credit
risk, as one of the counterparties to the contract may default at some point in
time.

5.2 TYPOLOGY OF STANDALONE CREDIT RISK

Standalone credit risk is the generation of credit risks which typically starts at the
individual or transactional level. Individual or transactional credit risk exposures are
typically classified into retail, sovereign, corporate, and counterparty credit risk.

5.2.1 Retail Credit Risk

A risk is classified as a retail credit risk exposure if it meets the following criteria:

• Orientation criterion
• Product criterion
• Granularity criterion
• Value criterion

Orientation criterion means the exposure should be to an individual person or
persons or to a small business. Product criterion means the exposure should
take the form of revolving credits or lines of credit, personal term loans and
leases, or small business facilities and commitments. Securities such as bonds
and equities are excluded from the retail category. Granularity criterion means
the retail credit portfolio should be sufficiently diversified such that no aggregate
exposure to one counterparty exceeds 0.2% of the total regulatory portfolio or
the regulatory retail portfolio. These are credit exposures that are considered
as retail for regulatory capital purposes and that attract a lower capital charge
compared to other types of credit exposures. Value criterion means individual
exposures should be of low value. The maximum exposure to one counterparty
cannot exceed a certain absolute threshold.


5.2.2 Sovereign Credit Risk

Sovereign credit risk refers to the bank’s exposure to debt obligations issued
by sovereigns or other quasi-sovereigns. Otherwise known as a
government-linked company (GLC), a quasi-sovereign entity is a company with full
or partial government ownership or control, a special charter, or a public
policy mandate from the national, regional, or local government. By nature,
these companies usually have strategically important roles, enjoy dominant
market positions and are prominent issuers of debt within their respective
markets. There are currently seven GLCs in Malaysia; among those are the
Employee Provident Fund (EPF), Khazanah Nasional Berhad, Kumpulan
Wang Amanah Pencen (KWAP), Lembaga Tabung Angkatan Tentera (LTAT),
Lembaga Tabung Haji (LTH), Menteri Kewangan Diperbadankan (MKD), and
Permodalan Nasional Berhad (PNB).

Boxed Article–1

Malaysia: Risk Assessment (Economist Intelligence, 2021)

In June 2021, The Economist Intelligence Unit credit rating agency, registered
in accordance with The Credit Rating Agencies (Amendment, etc.) (EU Exit)
Regulations 2019, S1 2019/266, issued Malaysia’s sovereign rating pursuant to
those regulations.

Malaysia: risk assessment

            Sovereign risk   Currency risk   Banking sector risk   Political risk   Economic structure   Country risk
June 2021   BB               BBB             BBB                   BB               BBB                  BBB

Fung Siu (lead analyst); Tom Rafferty (analyst). Published 04 June 2021, 2100 GMT.

Sovereign risk
Malaysia’s sovereign risk is rated at BB. A “third wave” of Covid-19 infections
will put a brake on the economic rebound, but activity will then pick up as
the vaccine rollout continues. The fiscal deficit stood at 6.2% of GDP in 2020.
Risks are mitigated by a benign short-term repayment schedule and an
anticipated widening of the current-account surplus in 2021.

Currency risk
Currency risk is rated at BBB. Bank Negara Malaysia (BNM, the central
bank) remains on standby to intervene in the event of excess volatility and
has the firepower to do so (international reserves fully cover the country’s
gross external financing requirement).


Banking sector risk
Banking sector risk is BBB-rated. Despite a recent uptick in inflation,
macroeconomic and credit risks are manageable. Capital buffers are
sound. As debt moratoriums related to targeted repayment assistance
are phased out later this year, non-performing loans will rise.

Malaysia: sovereign, currency and banking sector risk scores
[Chart not reproduced. Series: Sovereign, Currency, Banking sector.]

Political risk
The Economist Intelligence Unit believes that a snap election will be held
later in 2021. The need to go to the polls early owes more to the wafer-
thin majority held by the incumbent Perikatan Nasional coalition than to
ebbing political support because of the Covid-19 crisis.

Economic structure risk
Exports of goods and services will continue to account for a large
proportion of GDP, highlighting Malaysia’s heavy dependence on external
trade and its consequent vulnerability to fluctuations in global energy and
electronics prices. Persistently high levels of public debt will also weigh on
the score.

5.2.3 Corporate Credit Risk

Corporate credit risk refers to a bank’s credit risk exposure to corporations,
partnerships, and proprietorships. It relates to the risk of loss due to default on
corporate credit products and migration of corporate credit ratings.


Boxed Article–2

The coronavirus (COVID-19) pandemic: Assessing the impact on corporate credit risk
(Choi, Y.Y, Levine, G., and Malone, S. W., 2020)

News of the coronavirus began to appear in global media in late December, but it wasn’t
until mid-January—when reports emerged that the virus was no longer contained within
China and had spread to the rest of Asia—that financial markets began to react. Fortune
500 companies such as Samsung and Apple suspended some Chinese production and
issued profit warnings, immediately affecting their stock value. The decline in stock prices
has since spread to most public companies across all major economies. The CreditEdge
public-firm EDF™ (Expected Default Frequency) model takes a company’s stock price
as an input to its credit-risk metrics. The EDF is the CreditEdge trademarked name for
probability of default (PD), and we will use the acronyms EDF and PD interchangeably
throughout. Since around January 20, 2020, EDF is rising in many countries in response
to stock price declines when the coronavirus pandemic began to spread internationally.

One key finding of the research held by Moody’s Analytics is that while the rise in EDFs
is broad and troubling, it is not equally deep. The extent of the rise in default risk varies
significantly by industry and country, as well as the country’s exposure to the COVID-19
pandemic shock and how risky the corporate sector was before the pandemic.

To place the current situation in context, Figure 1 shows the median EDF for all publicly
listed firms, back to 1998. Recent data (as of March 12, after the Dow Jones fell 10%) show
a median EDF of 0.74%. This is materially higher than the end-2019 figure of 0.48% but
remains low when compared to past crises. Indeed, the research does not have to look
too far into the past to find a period of similar credit stress; in early 2016, in the wake of the
oil price bust, the median EDF was slightly higher (0.76%) than it was as of March 12, 2020.

Figure 1. Median EDF, all firms
[Chart not reproduced. X-axis ticks run from 199812 to 201912.]

Looking at the “S-Curve” of total infection counts in a set of nine countries (see Figure
2), the graph shows log of total official cases plotted against the number of days since
a country’s first infection. For China, the data begins on December 31, 2019, with 27 cases
recorded at that time, so that’s why its curve starts at a higher point on the y-axis.

Data are taken from the European Centre for Disease Prevention and Control as of
March 18. The reason it’s called the S-curve is that there are three stages apparent in
the progression from initial infection to disease control. First, there is seemingly tepid
growth in cases. Second, there is an explosion of official cases due to a combination of
better testing and unchecked spread of the virus. Third, a few countries have used severe
measures to get new cases under control, and cumulative case counts level off.

So why is COVID-19 so costly? The main reason is that the longer a country takes to
respond, the starker a choice it faces between damage to human health and damage
to the economy. As reported by the New York Times, South Korea stands out due to its
demonstrated ability to contain the coronavirus without a total lockdown, in contrast to
the ultimately successful, but heavier-handed approach adopted by China. Its ability to
do this, however, was enabled by a combination of swift intervention, early testing, and
the practice of contact tracing, isolation, and surveillance for infected individuals and
those with whom they may have come into contact. For countries such as the United
States and affected nations in Western Europe, failure to respond rapidly with widespread
testing allowed infections to propagate exponentially, thus obscuring the true scale of the
problem until a partial economic lockdown became inevitable.

Figure 2. The S-curve of total infections: Initial detection lag, testing and unrestrained growth, and slowing growth*

Days since first reported infection

The set of countries that have most successfully managed to “flatten the curve” of
new infections includes China, South Korea, Singapore, Hong Kong, and Taiwan. These
countries have focused on achieving virus suppression, as opposed to simply mitigating
the spread of infections. The distinction between mitigation and suppression strategies
was set out clearly in a widely cited working paper by Neil Ferguson and co-authors at
Imperial College London. They write:


“(a) mitigation, … focuses on slowing but not necessarily stopping epidemic spread
– reducing peak healthcare demand while protecting those most at risk of severe
disease from infection, and (b) suppression, … aims to reverse epidemic growth,
reducing case numbers to low levels and maintaining that situation indefinitely.”
(p. 1, ibid)

In their paper, they present model results indicating that in the United States, the United
Kingdom, and many other countries, suppression is the strongly preferred policy option,
and will require some combination of social distancing of the entire population, home
isolation of cases, and household quarantine of family members of infected individuals,
as well as potentially other measures such as school and university closures. At the time
of writing, many countries in North America and Western Europe appear to have adopted
measures generally consistent with the suppression strategy outlined in the Imperial
College paper. The primary challenge with the suppression approach, as noted by that
study’s authors, is that it or something equally effective would need to be maintained to
prevent a ramp-up of infections until a vaccine becomes available, which could involve
a timeline of 18 months or more. Absent testing and treatment or other innovations that
lower the health impact of COVID-19 during that window, the economic cost of such
prolonged, reduced economic activity would be potentially without precedent for many
countries.

Pivoting back to credit risk, look at how far EDFs have risen in relative terms for the countries
in Figure 2 since the day of their first recorded infections. To do this, the EDF, or default
probability is plotted at the 75th percentile of each country’s distribution relative to the
same figure on the day of the first infection for that country. The result is the J-shaped
curve shown in Figure 3. Italy’s credit risk rose faster and earlier in relative terms than any
other country shown during the course of its experience with COVID-19. This is consistent
with its failure to contain the spread of the virus initially, which overwhelmed the hospital
infrastructure and necessitated an economic lockdown.

[Figure 3: chart not reproduced. X-axis: Trading Days Since First Recorded Infection. Series: China, United States, South Korea, Japan, Italy, France, Spain, Germany, United Kingdom.]

*Data as of March 19, 2020, showing CreditEdge data up to March 19, 2020. Day 1 for China begins on 1, 2020

China is interesting; its credit risk metric is the least affected of all
countries shown. This likely reflects its ability to contain infections, which
was facilitated by the quick ramping up of hospital bed capacity in Wuhan
and ability to contain the spread of the virus nationally through strict, early
lockdown measures.

5.2.4 Counterparty Credit Risk (CCR)

This is the risk that a counterparty to a transaction could default or deteriorate
in creditworthiness before the final settlement of a transaction’s cash flows.
An economic loss would occur if the transactions or portfolio of transactions
with the counterparty has a positive economic value at the time of default.
Unlike a firm’s exposure to credit risk through a loan, where the exposure to
credit risk is unilateral and only the lending bank faces the risk of loss, CCR
creates a bilateral risk of loss: the market value of the transaction can be
positive or negative to either counterparty to the transaction. The market
value is uncertain and can vary over time with the movement of underlying
market factors.

5.3 OVERVIEW OF PORTFOLIO CREDIT RISK

Traditionally, credit risk is assessed and analysed at an individual transactional
level. In the traditional credit granting process, for example, credit was extended
after considering the merits from a transactional standpoint. Emphasis was placed
on “picking the superior credits” or extending credit to “selected top industries” or
to “selected markets”. The collapse of large corporate borrowers, such as Enron,
WorldCom, Parmalat, and Tyco, has shown the limits of the strategy of “picking
superior credits”. Exposures to a large single borrower may be a risky strategy,
particularly when the exposures have accumulated to a level that may threaten the
bank’s safety and soundness.

Boxed Article–3

Faith in Parmalat (Kiran, n.d)


Parmalat is a huge dairy product company of Italy, the eighth largest industrial
group of the country. Its main factory is in Collecchio near Parma, northern Italy.
The company is conspicuous by its presence in 30 countries, employs more than
36,000 staff and had a turnover of 7.6 billion Euros or about 15 trillion lira (its old
currency) in 2002. The company came into disrepute in early Dec 2003 when a
document purporting to certify that Bank of America held about four billion Euros
for Parmalat’s offshore unit Bonlat was declared false by the said Banker.

This obviously created a quake of sorts in Italy and when the Company board
picked up the balance sheet for scrutiny, they found a big hole, as the assets side
had vaporised. This case seems to be one of the latest additions to thorough list
of notable account in scams. A 4-billion euro or US$5 billion alleged accounting
scandal by Parmalat deepened when the Italian food group’s founder and three
former finance directors were targeted in a criminal probe. As the prosecutors
and the investigating agencies are trying to unravel a complex web of financial
transactions perpetrated by top executives of Parmalat, which is being called as
Europe’s Enron, a rescue management team is weighing up the best option for
bankruptcy protection.

Facts of the case:

This case exploded into one of Europe’s worst corporate scandals in early
Dec. 2003 when a document of the firm showing 3.95 billion Euros held by a
Cayman Island unit, Bonlat Financing Corporation, had been declared false by
the Bank of America. The prosecutors registered a fraud case in Dec. 2003 and
named in their report Parmalat’s founder Mr. Calisto Tanzi, who is reported to
have resigned recently as chairman and CEO of Italy’s biggest food group. The
available facts indicate involvement of former Chief Financial Officers Messrs
Fausto Tonna, Alberto Ferrari and Luciano Del Soldato, all of whom held the post
during 2003. The last two admitted providing false information, when questioned
by the authorities, but said that the plan was hatched by both Mr. Tanzi and Mr.
Tonna.


The size of this fraud is estimated to snowball to a figure as big as 10 billion euros,
thus dwarfing a 1-billion-euro accounting scandal at Dutch retailer Ahold and
comparing well with the scam induced collapse of energy giant Enron. In that
this may emerge to be one of Europe’s biggest accounting scandals so far.
Parmalat’s newly appointed chairman and CEO, Mr. Enrico Bondi is reported to have
met Industry Minister, Mr. Antonio Marzano on 23-12-2003, who is required to name
an administrator for Parmalat.

It is reported that the Prime Minister, Mr. Silvio Berlusconi’s cabinet could approve a
decree dealing with the Parmalat crisis and shield Mr. Bondi and his team from
any legal action while they attempt a turnaround, similar to U.S. chapter 11. The
Italian police have already taken documents from Parmalat’s main auditor Deloitte
& Touche.

Parmalat owes Italian dairy farmers about 120 million Euros (US$149 million) and has
not paid for milk supplies for the last 6 months (August 2003) as per farmers group
Confagricoltura. US Banks are also believed to have given big loans to Parmalat.
As per Standard and Poor, the “on and off-balance sheet exposures of Bank of
America to the Parmalat Group are significant but manageable” given the Bank’s
huge resources.

Keeping the revelations of the company’s exposure so far, it appears that the
default amount can go up to 7 billion Euros of bonds as the group failed to find the
cash to repay a 150-million-euro debt issue on time in early December 2003. That
was despite showing 4.2 billion euro of liquidity on its books.

Parmalat and Role of Banks:

As per emerging signs, Parmalat’s financial deceptions may have been going on
at least for the last four years. Investigators are likely to examine the role of at least
Citigroup Inc and Merrill Lynch & Co., while Parmalat investors are still not clear of a
transaction called “black hole” arranged by Citi Group Inc. which was in place since
1999 but not known to most. Another transaction from that year has also surfaced.
Through a financial product called a “credit-linked note”, Parmalat in effect bet on
its own creditworthiness. The transaction, arranged by Merrill Lynch & Co., highlights
the way in which financial engineering can give a misleading picture of corporate
health to outsiders.

While the amount involved in the deal US$39 million or euro 30.6 million at current
exchange rates, according to a preliminary term sheet of August 2, 1999 – is relatively
insignificant compared with the US$4.8 billion of cash the company is missing, the
transaction points to a potentially bigger problem, the assets and investments
on Parmalat’s balance sheet may be much less than they appear. Friends and
neighbours are never tired of reeling off the homely features of his life: to bed at
10.30 P.M. at the office by 7.00 A.M., on the job six days a week, mass every Sunday.
The employees and others who have flown with him on his Bombardier corporate jet
marvel; the boss was always cutting the salami himself and serving it to his Guests.
“He is 50, low key, he could have been one of his factory workers” says Gabriella Rossi,
75, who attends the same church as the Tanzi family.


Mr. Tanzi was an innovator, an early adopter. In mid-60’s when he was hardly 25,
he baffled his friends by revealing his plans to them to bring to Italy a new Swedish
technology for packing milk in cardboard cartons, which then looked unbelievable.
But he did it. The process, known as ultra-high temperature pasteurisation, turned
the company into a global giant. For years, Mr. Tanzi ducked the limelight. But as
Parmalat flourished, it became the engine of growth for that area. Today, some
5000 food production units and distribution companies in the area depend on
Parmalat for their livelihoods.

Slowly but steadily, with that wealth, Mr. Tanzi cultivated ties with Italy’s great and
good, especially in the Catholic Church. In 1967, he financed the opening of a
drug-rehabilitation centre run by the local priests. In 1970’s he helped open a home
for single mothers and for abandoned children and threw open his house to the
homeless on Fridays for free milk and cookies. The Parmalat chopper was used
so frequently to ferry about Vatican officials in the 1970s and 1980s that Italians
nicknamed it “God’s helicopter”. Further, in 1998, when monsignor Grisenti needed
urgent medical treatment in Mayo clinic in Minnesota, “Mr. Tanzi lent him the
corporate jet”. “Mr. Tanzi is a man of great human and Christian sentiments”, Mr.
Grisenti says.

The only people who are not crying for Mr. Tanzi but cursing him are dairy farmers
group of Confagricoltura as they blame him and Parmalat for not paying them for
milk supplies since August 2003. The company owes Italian farmers more than $
120 million. Mr. Tanzi has been named in the present scam and is reported to have
left the country for a short while to rest, but has promised to speak to everyone,
including prosecutors as soon as he returns. It seems the Parma people have been
hurt a lot by the downfall of Parmalat chief. They are not prepared to believe or buy
the scam theory which Tanzi might not have known about, much less been involved in.
In fact, Parma people even now are not prepared to forget that Mr. Tanzi was and still
is patron of art, sports, church, and charity; and often flying in “God’s helicopters”.

Parmalat’s Chairman Arrested:

Parmalat’s Chairman Mr. Tanzi was arrested and put into jail during the last days
of December 2003 for misappropriating millions of euros, in what can be called
one of history’s most brazen corporate frauds. Government and the judiciary
believe that Calisto Tanzi was instrumental in getting the company’s accounts falsified
since the early 1990s, thus pushing the eighth-largest industrial group company of Italy
into insolvency, which as per prosecutors may be as big as $12.5 – 16.2 billion.

Mr. Tanzi is reported to have confessed to investigators to have funnelled
around Euros 500 million from Parmalat into other group companies, including
Parmalatour, a family-owned tourism company, as per one of his defence lawyers.
As per judicial sources, he also admitted to falsifying accounts. Investigators feel
that the scam amount may exceed Euros 10 billion. Parmalat’s missing billions have
drawn comparisons with the collapse into bankruptcy of US energy trading giant Enron
two years ago, and raised questions about the effectiveness of regulators, banks,
auditors, company Board, audit committees and the rating agencies.


Thus, the US Securities & Exchange Commission (SEC) is filing a suit against
Parmalat seeking sizeable fines and accusing the group of misleading the
bond investors in “one of the largest and most brazen corporate financial
frauds in history”. It is also investigating the role of Bank of America and some
other banks to ascertain whether they were negligent or reckless, including
collusion in selling Parmalat’s bonds. Mr. Lawrence West, associate director,
enforcement at SEC, is reported to have observed “we need to understand if
the Bank of America and other Banks acted in a way that was negligent or
reckless or otherwise”.

Among 20 people under investigation in the case are the Chairman and a
partner of the auditing firm Grant Thornton SpA, accused by the prosecutors
of helping Parmalat organise a web of offshore companies that concealed the
firm’s losses. Parmalat’s balance sheet as of September 2003 shows debts
of 6 billion euros; but as per Milan’s prosecutors the debt might add up to
$30 billion. As per the government-appointed administrator, it is premature to
speculate about the size of the debts.

On January 1, 2004, Italian police are reported to have arrested senior finance,
accounting and legal executives associated with the group, and warrants were
issued by the Magistrate against the Head of Parmalat Venezuela. Meanwhile,
the US Security Inspectors arrived in Italy and the Magistrate summoned
Sanpaolo IMI bank President Rainer Masera for questioning. This is one of the
biggest banking groups of Italy.

“Selecting top industries” as a centrepiece credit risk strategy proved to be
risky as well. During the industrial boom, many banks tend to build excessive
credit risk exposures to booming industries. Industry trends, technological
developments, macroeconomic or sectoral shifts could sometimes quickly
reverse the fortunes of these industries and put the banks at risk.

Continental Illinois National Bank and Trust Company (CINB) was one of the
most notable cases of bank failures in the 1980s, and is still one of the largest
bank failures in history. Many refer to Continental Illinois as the original and
the first ‘too-big-to-fail’ institution. In the 1980s, CINB embarked on a lending
strategy to focus on a sector—the energy sector—an area in which the bank
felt it possessed strong expertise. CINB invested its lending resources in
this sector. In fact, CINB was one of the few banks that had energy sector
engineering experts on its lending team. CINB also aggressively purchased
speculative loans from the Oklahoma-based Penn Square Bank, which had
extended billions of dollars’ worth of loans to speculative activities in the oil
and gas exploration industry. In the 1980s, when oil prices dropped, many
energy companies started to default on their loans. Penn Square Bank, the
smaller bank which specialised in oil and gas exploration loans, filed for
bankruptcy. As a result, CINB faced liquidity problems which eventually led to
one of the costliest failures in banking history.

A credit strategy that focuses on ‘selected markets’ where the bank has
expertise and knowledge is clearly a sound strategy. However, there are
instances when banks display excessive optimism on certain growth markets
or countries—leading to a build-up of excessive credit risk exposures in
those markets. An example would be the build-up of credit risk exposures in
emerging markets—where many banks held bullish sentiments throughout
the 1980s and 1990s. At the height of the emerging markets turmoil during
the 1980s and 1990s, the exposures posed threats to the banks’ safety and
soundness.

While it is important to assess and manage credit risk on a standalone level,
for example, on a per transaction level, it is also vital to assess credit risk on
a consolidated portfolio level. Good credit decisions on a transactional level
may turn out to be a poor credit portfolio when taken as a whole. In the same
way, poor credit decisions on a transaction level may be mitigated if the
banking institution has a well-constructed and diversified credit portfolio.

5.3.1 Sources of Portfolio Credit Risk

Portfolio credit risk analyses credit risk from the consolidated level, for example,
from the level of the institution. Portfolio credit risk considers the impact of
diversification and correlation of individual loans among each other from the
portfolio’s consolidated level.

[Figure 5.1: Sources of portfolio credit risk: standalone credit risk, concentration risk, correlation]


Standalone credit risk
Standalone credit risk is the credit standing of individual, specific borrowers.
The bank’s credit portfolio is composed of individual credit exposures to
specific borrowers. A well-constructed credit portfolio should first start with
good credit decisions on an individual transactional level. This means that
individual transactions should be assessed on a name-by-name basis. Good
credit decisions result in lower standalone credit risk for the bank. Poor credit
decisions result in higher credit risk.

Correlation
Good credit decisions on a standalone level are a necessary step in
constructing a robust and sound credit portfolio. However, this is rarely
sufficient. Additionally, banks should consider how the individual credit risk
exposures behave when aggregated on a portfolio level. One of the important
sources of risk in a credit portfolio is the correlation of individual loans among
each other. Correlation measures the interdependence of the standalone
credit risks. Examples of highly correlated industries are agricultural, oil and
gas, and alternative energy.

i. Agricultural products industry and food processing industry – The
processed food industry is highly correlated to the agricultural products
industry, given that agricultural food prices are a major portion of the input
costs of the processed food industry. Constraints on the supply side would
impact the bottom line of the processed food industry.

Likewise, adverse shocks on the demand side of processed food consumers
could affect the bottom line of agricultural products industry. The processed
food industry is a major customer of the agricultural products industry.

On the other hand, credit exposures that are negatively correlated tend to
respond differently to risk factors. Credit risk exposures that are negatively
correlated tend to provide diversification benefit to the portfolio.

ii. Oil and gas industry and plastics – The oil and gas industry and plastics
industry are another example of highly-correlated industries.

A major component of the cost structure of the plastics industry is the
price of oil and gas. Plastics are made from liquid petroleum gases, natural
gas liquids (NGL) and natural gas. Liquid petroleum gases (LPG) are
by-products of petroleum refining. Based on the Energy Information Agency’s
estimate, in 2010 about 191 million barrels of LPG and NGL were used to make
plastics products—about 2.7% of the total U.S. petroleum consumption.

iii. Alternative energy industry and agricultural products industry – Another
group of industries that appear unrelated but are correlated are the
agricultural products industry and alternative energy industry.


In recent years, the search for alternative sources of energy has led to the
birth of the biofuel industry. This industry is a new one and is expected to
be a significant player in the alternative energy landscape. The biofuel industry
produces fuel from living organisms such as agricultural crops. Ethanol is
made from crops such as corn and sugar cane.

The agricultural products industry now serves not only the market for food
production but for energy production as well.

Boxed Article–4

Biofuel Demand in the U.S. Driving Higher Food Prices (Goldenberg, 2011)

The report, produced by Purdue University economists for the Farm
Foundation policy organisation, said the U.S. government support for
ethanol, including subsidies, had fuelled strong demand for corn over
the last five years.

“In 2005, we were using about 16 million acres (6.4 million hectares)
to supply all of the ethanol in the United States and Chinese soybean
imports,” Wallace Tyner, one of the authors, said. It took 18.6 million
hectares (46.5 million acres) last year, just to satisfy that demand.

The US Department of Agriculture reported that U.S. ethanol refiners
were for the first time consuming more corn than livestock and poultry
farmers. It took 27% of last year’s corn crop to meet the demand for corn
ethanol. Only about 10% went to make ethanol in 2005, Tyner said.

The Centre for Agricultural and Rural Development at Iowa State
University has estimated that 40% of the U.S. corn crop now goes to
make ethanol. But Tyner said the cobs and husks of corn used to make
ethanol would go on to be used for animal feed.

But the report focused strongly on a U.S. government mandate for
ethanol production and $6 billion (£3.7 billion) in annual subsidies
for ethanol refineries. Others have also been putting the corn ethanol
industry in the spotlight. In an interview with the Financial Times, General
Mills, which produces Cheerios cereal, Haagen-Dazs ice-cream and
other major brands, also blamed ethanol subsidies for driving up food
prices. Ken Powell, the company’s chief executive, said the price of corn
and oats was up by 30 to 40% over last year.

“We’re driving up food prices unnecessarily,” Ken Powell said in the
interview. “If corn prices go up, wheat goes up. It’s all linked.”


Concentration risk
One of the causes of bank failure in history (for example, the case of
Continental Illinois) is concentration of exposure. Concentration risk is a risk
that can threaten the survival of the bank. Concentration to a risk exposure
can potentially give rise to “new” risk exposure due to unforeseen progression
or evolution of risk exposure or risk combinations. Concentration risk is the
risk that may arise within or across different risk categories throughout the
bank with the potential to produce losses large enough to threaten the
bank’s health or ability to maintain its core operations, and material changes
in the bank’s risk profile. Concentration risk arises from the bank’s assets,
liabilities, off-balance sheet items or through the execution or processing of
transactions. Concentration risk, while not covered under Pillar 1 (Minimum
Capital Requirement), is covered under Pillar 2 of the Internal Capital Adequacy
Assessment Process (ICAAP).

Concentration risk also refers to the risk that any single exposure or group
of exposures could potentially result in losses that are substantial enough
to threaten the financial condition of a banking organisation. Concentration
risk occurs when a bank’s portfolio contains an elevated level of direct or
indirect credits to a single counterparty, group of connected counterparties,
particular industry or economic sector, geographic region, individual foreign
country, or a group of countries whose economies are strongly interrelated,
type of credit facility, and type of collateral.

Concentrations can also occur in credits with the same maturity. Credit risk is
the failure of the borrower or counterparty to meet its obligations as they come
due. Many times, credit risk is associated with the borrower or counterparty’s
inability to pay its financial obligation—interest and debt—as it becomes
due. This inability to pay is formally recognised in a judicial process called
bankruptcy. However, there is a wide range of events before bankruptcy
happens. These are also known as credit events. Credit events according
to the International Swaps and Derivatives Association (ISDA) include
administrative errors, technical default, default resolution (restructuring),
and bankruptcy (insolvency). The definition of each is as follows:

i. Administrative errors – This refers to the failure of a borrower or counterparty
to pay its financial obligations under the loan agreement in a timely
manner due to an administrative error or mistake. Compared to other
events involving credit risk, this failure to pay is not due to the borrower
or counterparty’s inability to do so. This type of failure to pay is frequently
remedied during the grace period as agreed upon by the parties. In such
cases, the borrower is given a grace period—typically within five business
days after the due date—to make payment. While failure to pay due to an
administrative error is usually not linked to the borrower or counterparty’s
inability to meet its financial obligations, this sometimes indicates
weaknesses in the managerial processes of the borrower or counterparty.

Boxed Article–5

Delinquent Debt Service due to Administrative Error (Moody’s Investor
Services, 2015)

On 17 March 2014, the Town of Southeast, New York was delinquent in the
payment of interest and principal on its bonds. According to the town
management, the town was notified by the Depository Trust Company
(DTC) after 4pm on 17 March that a debt service payment had not yet
been received. Upon realising the error, the town attempted to make
the payment before the end of the day but could not complete the wire
transfer until the next morning. Moody’s, a major credit rating agency,
believes that the payment delay was due to an administrative error, not
an impairment of the town’s ability to pay. However, the delayed debt
service payment reveals a weakness in managerial processes that may
threaten the town’s credit rating.

ii. Technical default – This refers to the failure of the borrower or counterparty
to meet its obligations under the agreement other than failure to make
payments. It includes violations or non-performance of the borrower or
counterparty of the loan covenant. Loan covenants are clauses in the loan
agreement that require the borrower to adhere to certain conditions about
its conduct and financial situation. Loan covenants are designed to satisfy
the lender that the borrower will be able to fulfil its financial obligations,
and that the lender will not be disadvantaged against the borrower’s other
creditors in the event that the borrower can no longer fulfil its obligations.
Loan covenants can be either affirmative or negative. Affirmative
covenants are clauses which require the borrower to perform certain
actions. Negative covenants are clauses which require the borrower not
to take certain actions that could undermine its ability to repay the loan.


Affirmative covenants
• Commitment to deliver financial statements to the lender in a timely manner.
• Promise to pay taxes.
• Obtain insurance on the borrower’s property against fire, theft, and other risks.
• Compliance with laws and regulations.
• Maintenance of certain financial ratios, such as, maximum level of
  indebtedness to net worth.

Negative covenants
• Prohibition to incur additional indebtedness in excess of a certain level or amount.
• Not to pledge the borrower’s assets to other creditors.
• Not to declare dividends or other distributions.
• Prohibition to become a guarantor for the obligations of another person or
  organisation.
• Not to sell assets in excess of a certain percentage of the total assets except
  for inventories.
• Not to make a capital expenditure in excess of a certain level for a predefined
  period of time.

Figure 5.2: Affirmative and negative covenants

Violation of debt covenants typically allows the lender to demand the full
repayment of principal and interest even before the agreed maturity date
of the loan. Should the lender decide not to require early repayment of
principal and interest, the lender may require the borrower to take remedial
actions to cure the violations or amend certain provisions of the loan in the
lender’s favour, for example, increase the interest rate.

iii. Default resolution (Restructuring) – Restructuring is an agreement
between a lender and borrower to modify the terms of the loan agreement
to avoid foreclosure or bankruptcy. It is also sometimes referred to as loan
workouts. Common examples of restructuring are:

▶ Reduction in the interest payable.
▶ Reduction in the amount of principal payable at maturity or at scheduled
principal repayment dates.
▶ Postponement or deferral for the payment of interest or principal.
▶ Change in the ranking of the priority of payment of any obligation,
for example, a debt-for-equity swap agreement—a restructuring
agreement where the lender agrees to cancel the debt in exchange
for an ownership stake in the borrower’s company. Equity holders rank
lower in terms of priority of payments compared to debt holders.
▶ Change in the currency or composition of any payment of interest or
principal.

iv. Bankruptcy (insolvency) – Insolvency is a condition where the borrower no
longer has the capacity to pay its obligations as they come due (cash flow
insolvency) or when the borrower’s assets are less than its liabilities
(balance sheet insolvency). Bankruptcy refers to the
formal legal proceeding for borrowers who are already insolvent. While in
practice the terms insolvency and bankruptcy are used interchangeably,
there is a difference between the two. Insolvency may threaten the
borrower’s ability to continue as a going concern and may eventually lead to
bankruptcy. However, insolvency may not be a permanent condition if
the borrower or lender is able to resolve the state of insolvency, which
then allows the borrower to continue to operate as a going concern. On
the other hand, a borrower who is in the bankruptcy stage ceases to
operate as a going concern and is in the liquidation stage. It is,
therefore, a more permanent condition. Borrowers in the bankruptcy stage
are necessarily insolvent. However, insolvent borrowers are not necessarily
in the bankruptcy stage.

Boxed Article–6

Lehman Files for Bankruptcy (Lioudis, 2021)

Lehman Brothers filed for bankruptcy on September 15, 2008. Hundreds
of employees, mostly dressed in business suits, left the bank’s offices one
by one with boxes in their hands. It was a sombre reminder that nothing
is forever—even in the richness of the financial and investment world.
At the time of its collapse, Lehman was the fourth-largest investment
bank in the United States with 25,000 employees worldwide. It had
$639 billion in assets and $613 billion in liabilities. The bank became a
symbol of the excesses of the 2007-08 Financial Crisis, engulfed by the
subprime meltdown that swept through financial markets and cost an
estimated $10 trillion in lost economic output.

Bankruptcy can be broadly classified as either voluntary or involuntary.
Voluntary bankruptcy is when the borrower initiates the bankruptcy
proceeding to protect itself from creditors and to ensure an equitable
settlement of its obligations.


Boxed Article–7

NMI Involuntary Bankruptcy (Wolf, 2020)

National Medical Imaging was in the business of leasing radiology
machines. The leases were bundled and sold as investment packages
serviced by Lyon Financial Services, a unit of US Bancorp. When the
company’s business started to suffer from the economic downturn and
new regulations, NMI approached the bank for a restructuring of the
loan terms.

NMI stopped the payments after US Bancorp refused NMI’s request for
restructuring. US Bancorp responded by filing an involuntary bankruptcy
against NMI.

5.3.2 Credit Concentration Risk Management

There are two types of concentration risk, namely intra-risk concentration
and inter-risk concentration. Intra-risk concentration is the risk
concentration that arises from interactions between risk exposures within a
single risk category. Inter-risk concentration is the risk concentration that
may arise from different risk exposures across different risk categories. The
interaction between risk exposures may stem from a common underlying risk
driver or from interacting risk drivers. Banks should have a concise and practical
definition of credit concentration. BCBS, for regulatory purposes, defines a large
exposure as the sum of all exposure values of a bank to a counterparty or to a
group of connected parties that is equal to or above 10% of the bank’s eligible
capital base. From a credit risk perspective, exposure from lending activities is
measured using the notional amounts committed or using economic capital
measures. Credit risk exposure from financial market activities is measured
using mark-to-market and counterparty-based measures. In practice, banks
manage credit risk concentrations by imposing internal limits on single
borrowers, industry or sector, geographic region or country, securitised
exposure, product type and counterparty.

i. Single borrowers – These are single name concentrations to a borrower
and their connected entities. Exposures are measured by name using
notional amounts or mark-to-market values.
ii. Industry/sector – These are borrowers that offer similar products or
services that are grouped together. Banks could also establish limits on
certain credit transactions per industry.
iii. Geographic region/country exposures – Banks may establish limits per
country and take respective credit ratings into consideration.


iv. Counterparty limits – Trading counterparties may be grouped by industry,
country, or group. Counterparty transactions are generally covered by
secured or collateralisation arrangements (for example, through the
credit support annex in ISDA). Therefore, counterparty exposures may be
reported on a gross or net of collateral basis. Notional may not be the only
important measure of credit risk exposure for counterparties. Exposure to
a counterparty is supplemented by potential future exposure models.
v. Product type – Credit risk exposures may be classified according to
product type. For example, consumer loan exposures may be classified
according to borrower type (prime, subprime) or loan-to-value coverage
or debt servicing requirements to income ratio. Real estate loans may be
classified according to type of collateral (residential, commercial, etc.).
vi. Securitised type – Credit risk exposures may be classified according to
tranche and notional amount.

Limits on concentrations should be defined in relation to the bank’s capital, total
assets, or its overall risk level.
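
The 10% large-exposure test and the internal concentration limits described above, worked through as an added example that is not part of the study text. Counterparty names, amounts, connections, the eligible capital figure and the 15% sector limit are constructed assumptions; exposure values are taken as already measured.

```python
from collections import defaultdict

# From the text: a large exposure is >= 10% of the bank's eligible capital base.
LARGE_EXPOSURE_THRESHOLD = 0.10


def connected_groups(names, connections):
    """Merge counterparties into groups of connected parties (union-find)."""
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving keeps lookups short
            n = parent[n]
        return n

    for a, b in connections:
        ra, rb = find(a), find(b)
        if ra != rb:
            # Deterministic root: the alphabetically smallest name in the group.
            parent[max(ra, rb)] = min(ra, rb)

    groups = defaultdict(set)
    for n in names:
        groups[find(n)].add(n)
    return dict(groups)


def large_exposures(exposures, connections, eligible_capital):
    """Sum exposures per connected group and report those at or above 10%."""
    names = {e["counterparty"] for e in exposures}
    names |= {n for pair in connections for n in pair}
    groups = connected_groups(names, connections)
    root_of = {m: root for root, members in groups.items() for m in members}

    totals = defaultdict(float)
    for e in exposures:
        totals[root_of[e["counterparty"]]] += e["amount"]

    report = []
    for root, total in totals.items():
        ratio = total / eligible_capital
        if ratio >= LARGE_EXPOSURE_THRESHOLD:
            report.append({
                "group": sorted(groups[root]),
                "total": total,
                "ratio": round(ratio, 4),
            })
    return sorted(report, key=lambda r: -r["total"])


def limit_breaches(exposures, dimension, limits, eligible_capital):
    """Compare exposure per sector/country/product with internal limits
    expressed as a fraction of eligible capital (limits are assumptions)."""
    totals = defaultdict(float)
    for e in exposures:
        totals[e[dimension]] += e["amount"]
    return {
        key: round(total / eligible_capital, 4)
        for key, total in totals.items()
        if key in limits and total / eligible_capital > limits[key]
    }


# Constructed sample portfolio (amounts in millions).
ELIGIBLE_CAPITAL = 1000
EXPOSURES = [
    {"counterparty": "Alpha Oil Holdings", "amount": 60, "sector": "oil_gas"},
    {"counterparty": "Alpha Oil Drilling", "amount": 30, "sector": "oil_gas"},
    {"counterparty": "Alpha Shipping", "amount": 25, "sector": "shipping"},
    {"counterparty": "Beta Foods", "amount": 90, "sector": "food_processing"},
    {"counterparty": "Gamma Plastics", "amount": 80, "sector": "plastics"},
    {"counterparty": "Delta Energy", "amount": 70, "sector": "oil_gas"},
]
# Constructed ownership links: the three Alpha entities form one connected group.
CONNECTIONS = [
    ("Alpha Oil Holdings", "Alpha Oil Drilling"),
    ("Alpha Oil Drilling", "Alpha Shipping"),
]
# Hypothetical internal sector limits as a share of eligible capital.
SECTOR_LIMITS = {"oil_gas": 0.15, "shipping": 0.10, "plastics": 0.10}

if __name__ == "__main__":
    for row in large_exposures(EXPOSURES, CONNECTIONS, ELIGIBLE_CAPITAL):
        print("Large exposure:", row)
    print("Sector breaches:",
          limit_breaches(EXPOSURES, "sector", SECTOR_LIMITS, ELIGIBLE_CAPITAL))
```

No single Alpha entity reaches 10% on its own; the group only crosses the threshold once connected parties are aggregated, which is why exposures are measured by name together with connected entities.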

Concentration risk mitigation
In mitigating concentration risk, the following strategies are commonly used:

i. Credit underwriting – Modify underwriting standards to increase exposure
to higher quality exposures and reduce exposure to higher risk exposures.
This can be done through explicit decisions to exit higher risk lending
relationships, or through a less drastic measure such as instituting differentiated
pricing to encourage lower risk exposures (through lower credit spread)
and discourage higher risk exposures (through higher credit spread, more
stringent credit terms).

Boxed Article–8

Malaysia’s CIMB commits to phase out coal financing by 2040
(Reuters, 2020)

CIMB announced it will exit coal financing by 2040 – the first banking
group in Malaysia and Southeast Asia to do so. The new ‘Coal Sector
Guide’ will prohibit asset-level or general corporate financing for new
thermal coal mines and coal-fired power plants, as well as expansions,
except when there are existing commitments.

CIMB also said that it has strengthened its sustainable financing policy
requiring clients in the ‘High Sustainability Risk Factor’ such as palm
oil, forestry, and oil and gas, to meet environmental and sustainability
standards at the point of acquiring financing.


ii. Portfolio diversification strategy – To mitigate credit concentration risk,
management may focus on actively applying a portfolio diversification
strategy to look for credit exposures that would have an offsetting benefit
to existing credit exposures. For example, a significant drop in the price of
oil may affect oil producers negatively but this may benefit some sectors
such as the shipping industry. The bank may also increase exposure to
defensive exposures that have shown strength and stability to withstand
the vicissitudes and cyclical swings of the economy. Another example is to
shift credit exposure to names that could potentially disrupt existing credit
exposure. For example, shifting from names that are most exposed
to climate change risk (both physical and transition risk) to exposures that
are poised to benefit from climate-related risk.

Boxed Article–9

Amid investor scrutiny, Norway’s banks future-proof against climate
risk (Sarfraz and Wass, 2019)

A total of six Norwegian banks — DNB, SpareBank 1 SR-Bank ASA,
SpareBank 1 SMN, SpareBank 1 Østlandet, Fana Sparebank and KLP
Banken AS — have signed up to the UN Principles for Responsible
Banking, which aim to encourage banks to bring their strategies in line
with global warming targets. The banks have been scaling down their
lending to oil and gas companies, a move that was driven in part by the
oil price downturn in 2014 to 2015.

DNB has reduced its oil-related exposure by 40% since 2015. It has also
shortened the duration of its corporate loans to three to five years on
average, said Kaj-Martin Georgsen, head of corporate responsibility at
DNB, in an interview. Furthermore, the bank is more critical in assessing
the oil and gas companies it supports, expecting them to have a
“resilient strategy to meet the low-carbon future,” he said.

Norwegian banks have also started to tap the green bond market. In
the first nine months of 2019, DNB arranged sustainable bond volumes
totalling €3.3 billion. In September, Sparebank 1 SMN issued its first green
bond designed to encourage sustainable fishing practices. SpareBank 1
SR-Bank followed with its first green bond in October.

iii. Risk limits – To reduce concentration risk, banks may alter exposure limits
or credit risk benchmarks. For example, by adjusting limits on outstanding
amounts or by tightening credit constraints on certain credit risk exposures.
iv. Risk transfer – Banks can enter risk transfer mechanisms by purchasing
insurance or guarantees or by selling down credit risk exposures through
outright loan sale or through sale of loan participations on a non-recourse
basis.
v. Derivatives – Banks can also manage credit risk exposure by entering into credit
derivatives, where they can buy protection on an underlying individual or
sectoral credit risk exposure.
vi. Capital – Banks may also mitigate credit concentration risk by holding
more capital to cover for concentration risk.

5.4 FUNDAMENTAL ANALYSIS OF CREDIT RISK

Financial statements (balance sheet, income statement, cash flow statement and
statement of changes in equity) provide information on the ability of the borrower
to repay their obligations as they come due. This provides important information to
forecast the likelihood of the borrower to repay their obligations.

Fundamental analysis involves adjusting financial statements, calculating financial
statement ratios that could affect default risk (liquidity, solvency and operating)
and translating this analysis into useful analytics to estimate default risk.

[Figure 5.3: Fundamental analysis. Adjusted financial statements (balance sheet, income statement, cash flow statement); ratios (liquidity ratios, solvency ratios, operating ratios); forecasting default risk]

Adjusted financial statements
The financial statements should be adjusted to uncover information that will be
useful in estimating the borrower’s ability to repay its obligations. This involves
including information from the footnotes or disclosures in the financial statements.

Balance sheets
The ability of the borrower to repay its obligations depends on its ability to
generate cash to repay those obligations. The objective in adjusting the balance sheet
is to properly reflect the condition of the borrower with respect to paying its
obligations as they come due.


Balance Sheet

Assets
• Fair value of assets. Investments or securities that are measured at
  historical or amortized cost in the balance sheet should be adjusted to the
  best estimate of fair value. This is to give some comfort on how much cash
  the borrower will be able to raise to repay their obligations.
• Impairment of assets. Assets that are not recognised at fair value should be
  tested for impairment. An overvaluation of assets would affect the assessment
  of whether the borrower has the ability to repay their obligations.

Liability and Equity
• Debt maturity schedule. The borrower’s debt maturity schedule (debt profile)
  should be thoroughly scrutinised and analysed to understand the vulnerability
  of the borrower with respect to a specific repayment date. This means that the
  concentration of repayment dates should be analysed to assess whether there
  are potential future vulnerabilities in terms of the borrower’s ability to repay.
  This is important to identify emerging or existing liquidity issues that could
  affect the ability of the borrower to pay their obligations. The debt maturity
  profile is frequently compared to the borrower’s asset profile to determine the
  residual risk that the borrower may not be able to repay its obligations as
  they come due.
• Contingent liabilities. There may be obligations that the borrower may be
  exposed to but may not be reflected as an obligation in the balance sheet
  because the potential obligation is not yet probable. This could affect the
  borrower’s ability to repay their obligations and must, therefore, be
  considered as a liability.
• Off-balance sheet obligations. These are obligations by the borrower that are
  not recognised in the balance sheet as a liability. An example would be
  guarantees of debt of a subsidiary or an affiliate. This could affect potential
  obligations of the borrower and must, therefore, be included as part of the
  obligations.
• Deferred tax liabilities. There are certain obligations that the borrower is no
  longer obliged to repay if it is under a liquidation scenario. This is why this
  should be eliminated as part of long-term liability.

Figure 5.4: Balance sheet


Income statement
The income statement reports the profitability of the borrower. The profitability of the
borrower can be classified into operating income and non-operating income. The
credit risk analyst should be able to identify which items of income can be considered
one-time or non-recurring in nature. This is important as there are many actions that
management can take to recognise income upfront (for example, selling profitable
investments to report one-time gains) that the user of the financial statement may
view as recurring but are one-time in nature. The analysis may be distorted when
one-time and non-recurring income (or losses) are used in financial statement ratios
that convey information on the ability of the borrower to generate sufficient income
to meet their interest payment obligations.

Cash flow statement


The borrower generates (or expends) cash from the following key activities:

Operating activities Investing activities Financing activities

Figure 5.5: Cash flow statement - Three sources of cash

Cash flows from operating activities are cash inflows and outflows from the company’s
core operating activities. Cash flows generated or expended from operating activities
are considered more recurring in nature. Therefore, the credit risk analyst should
make sure that cash flows that are not operational in nature are excluded from
the analysis. Cash flows from investing activities are cash inflows and outflows generated
from the company’s investing activities. Examples of cash flows generated from
investing activities are interest, dividend income or capital gains from the
company’s investment securities. Examples of cash flows expended on investing
activities are capital expenditures or the purchase of equipment. Cash flows from financing
activities are cash inflows and outflows from the company’s equity and liability
financing activities. An example of a cash outflow from financing activities is the interest
expense the company pays on its debt obligations. An example of a cash inflow
from financing activities is funds raised from the company’s equity and liability
financing activities.

Ratios
There are three areas of focus with respect to credit risk analysis using financial
statement ratios: liquidity, solvency, and operating ratios. These ratios are compared
against standards of safety (for example, by comparing against peer companies
in the industry) or are compared over time to identify deterioration in each of these
three key pillars.


Liquidity ratios
Liquidity ratios measure the ability of the borrower to repay their obligations on a
short-term basis. This means comparing the borrower’s short-term assets and
liabilities. Working capital is short-term assets less short-term liabilities.

Short Term Assets            Short Term Liabilities
• Cash                       • Trade Payables
• Short-Term Investments     • Short-Term Debt
• Receivables                • Accrued Liabilities
• Prepaid Expenses
• Inventories

Figure 5.6. Working capital

There are two types of liquidity ratio: the liquidity balance sheet measures and the
liquidity cash flow measures. The liquidity balance sheet measures gauge the ability
of cash or near-cash assets (cash equivalents and receivables) to meet current
liabilities. For example:

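$$\text{Current Ratio} = \frac{\text{Current Assets}}{\text{Current Liabilities}}$$

$$\text{Quick Ratio} = \frac{\text{Cash} + \text{Short-Term Investments} + \text{Receivables}}{\text{Current Liabilities}}$$

$$\text{Cash Ratio} = \frac{\text{Cash} + \text{Short-Term Investments}}{\text{Current Liabilities}}$$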

Figure 5.7: Liquidity ratios


The liquidity cash flow measures gauge the ability of the company to generate
sufficient cash flows to repay their short-term and long-term obligations. For example:

$$\text{Cash Flow Ratio} = \frac{\text{Cash Flow from Operations}}{\text{Current Liabilities}}$$

This ratio measures the ability of the company to generate cash flow from
operations to repay their current liabilities.

$$\text{Defensive Interval} = \frac{\text{Cash} + \text{Short-Term Investments} + \text{Receivables}}{\text{Capital Expenditures}} \times 365$$

This ratio measures the amount of liquid assets that are available to meet
capital expenditures without further borrowing. Specifically, this ratio provides
the number of days the borrower can survive with no borrowing using its liquid
resources.

$$\text{Cash Flow to Capital Expenditures} = \frac{\text{Cash Flow from Operations}}{\text{Capital Expenditures}}$$

This ratio indicates how much of the capital expenditures can be covered by the
cash flow generated from the company’s operations.

Figure 5.8: Liquidity cash flow measures

Solvency ratios
These ratios measure the ability of the borrower to repay their obligations on
a longer-term basis. There are two types of solvency ratio: the solvency balance
sheet measures and the solvency cash flow measures. The solvency balance sheet
measures gauge the ability of the borrower to repay their obligations
on a longer-term basis. For example:

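$$\text{Debt to Total Assets} = \frac{\text{Total Debt}}{\text{Total Assets}}$$

$$\text{Debt to Equity} = \frac{\text{Total Debt}}{\text{Total Equity}}$$

$$\text{Long-Term Debt Ratio} = \frac{\text{Long-Term Debt}}{\text{Long-Term Debt} + \text{Total Equity}}$$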

Figure 5.9: Solvency ratios


The solvency cash flow measures gauge the ability of the company to generate sufficient
cash flows or income to repay their obligations. For example:

$$\text{Interest Coverage} = \frac{\text{Operating Income}}{\text{Net Interest Expense}}$$

This ratio measures the ability of the company to generate operating income
over its net interest expense. This measures the number of times earnings cover
the net interest expense.

$$\text{Interest Coverage (Cash Basis)} = \frac{\text{Cash Flow from Operations}}{\text{Net Interest Expense}}$$

This ratio is similar to the interest coverage measure but instead of looking at
earnings we use cash as basis to determine the coverage.

$$\text{Fixed Charge Coverage} = \frac{\text{Operating Income} + \text{Fixed Charge}}{\text{Fixed Charge}}$$

Fixed charges are financial obligations the borrower needs to repay (for example,
interest and principal payment). This ratio measures the number of times total
debt service is covered.

$$\text{Fixed Charge Coverage (Cash Basis)} = \frac{\text{Cash Flow from Operations} + \text{Fixed Charge}}{\text{Fixed Charge}}$$

Compared to the traditional fixed charge coverage ratio, this ratio looks at a
cash flow measure rather than an accrual measure to determine fixed charge
coverage.

$$\text{CFO to Debt} = \frac{\text{Cash Flow from Operations}}{\text{Total Debt}}$$

This ratio measures cash flow relative to total debt.

Figure 5.10: Solvency cash flow measures

Operating ratios
In many cases, a borrower encounters financial distress when the ability of the
company to generate cash flows is impaired as operations deteriorate. It is, therefore,
important for the credit risk analyst to monitor a company’s profitability and watch
out for signs of deterioration. This is because poor operating profitability is a red flag
indicator of potential default risk.

Forecasting default risk


Default risk can be forecasted using either external ratings probability of default data
(using the credit transition matrix as discussed in the previous section) or internal
loss data experience.


5.5 PROBABILITY OF DEFAULT MODELS

The probability of default is the likelihood of a borrower or counterparty failing to
meet its financial obligations over a period of time. The probability of default is one
of the most important inputs in the credit risk measurement framework. Models to
estimate the probability of default are some of the most developed in the area of
credit risk measurement and are broadly categorised into three approaches, which
are the actuarial approach, structural approach, and market-based approach.

Credit ratings transition matrix


Credit rating agencies regularly publish credit migration or transition matrices. A
credit rating transition matrix summarises changes in credit ratings over a period
of time. It provides information on past changes in the credit quality of borrowers.
The credit rating transition matrix presents historical rating migration frequencies
for borrowers belonging to a particular credit rating grade and is based on a yearly
study on rating histories of rated companies. The study is conducted on a grouping
basis called static pools where borrowers are grouped by a rating category at the
beginning of each year. An example of a one-year credit rating transition matrix is
set out below.

Ratings   Aaa       Aa        A         Baa       Ba        B         Caa-C     Defaults
Aaa       88.647%   7.447%    0.637%    0.000%    0.015%    0.002%    0.000%    0.000%
Aa        1.080%    87.190%   6.881%    0.254%    0.055%    0.017%    0.000%    0.008%
A         0.064%    2.724%    87.559%   4.927%    0.493%    0.090%    0.022%    0.020%
Baa       0.045%    0.193%    4.887%    84.345%   4.309%    0.774%    0.232%    0.169%
Ba        0.008%    0.055%    0.383%    5.703%    75.649%   7.736%    0.574%    1.097%
B         0.012%    0.041%    0.157%    0.351%    5.566%    73.440%   5.589%    4.484%
Caa-C     0.000%    0.028%    0.028%    0.168%    0.627%    9.689%    59.186%   16.597%

Figure 5.11: Credit ratings transition matrix

Each row of a credit rating transition matrix indicates the present state of the borrower.
The columns represent the future credit rating state of the borrower. The number
in the corresponding cell represents the historical rating transition frequency in
percent. These rating transition frequencies can be used to estimate the
probability of a borrower moving from a present state (using the row as reference)
to another credit rating state (using the column as reference).


Illustrative Example–1

Determining Migration Frequencies

The migration frequencies can be determined using the following estimate:

$$P_{i \to j} = \frac{\text{Number of firms migrated from } i \text{ to } j \text{ in one year}}{\text{Number of firms in rating category } i}$$

This means that if there are 100 firms rated as A and three of these firms were
upgraded to AA in one year, then the probability that A will be upgraded to AA is 3%.

$$P_{A \to AA} = \frac{3}{100} = 3\%$$

Similarly, if there are 100 firms rated as A and five of these firms were downgraded to
Baa in one year, then the probability that A will be downgraded to Baa is 5%.

$$P_{A \to Baa} = \frac{5}{100} = 5\%$$

The Illustrative Example below illustrates how migration frequencies are determined
and used in practice.

Illustrative Example–2

Migration Frequencies
Company ABC is currently rated as A. Using the example of the one-year credit
transition matrix in Figure 5.11, determine the historical probability that Company ABC
will be rated Aaa, Aa, A, Baa, Ba, B, Caa-C or defaults within one year.

Below are the transition frequencies from A to the different credit rating categories:

FROM   TO        Transition Frequencies
A      Aaa       0.064%
A      Aa        2.724%
A      A         87.559%
A      Baa       4.927%
A      Ba        0.493%
A      B         0.090%
A      Caa-C     0.022%
A      Default   0.020%

The transition frequencies above provide important insights on the future state of a
borrower currently rated as A.

Firstly, the chance that a borrower rated A will be upgraded to a higher rating using
a one-year horizon is not high (2.724% chance of being upgraded to Aa and an even
smaller chance of 0.064% of being upgraded to Aaa).

Secondly, the probability that a borrower rated A maintains its rating over a
one-year horizon is the highest at 87.559%.


Thirdly, the chance that a borrower rated A will be downgraded by one notch
(below A) over a one-year horizon is low at 4.927%. The chances that the
borrower will be downgraded by more than one notch will be much lower.

Finally, the risk that a borrower rated A will default is quite small at 0.02%.

FROM   TO        Transition Frequencies   Movement
A      Aaa       0.064%                   Upgrade
A      Aa        2.724%                   Upgrade
A      A         87.559%
A      Baa       4.927%                   Downgrade
A      Ba        0.493%                   Downgrade
A      B         0.090%                   Downgrade
A      Caa-C     0.022%                   Downgrade
A      Default   0.020%                   Downgrade

The probability that a borrower’s rating will be upgraded or downgraded during
a one-year horizon can also be easily determined using the credit transition
matrix by summing up the different transition frequencies.

Probability (Upgrade) = P(Aaa) + P(Aa)
= 0.064% + 2.724%
= 2.788%

Probability (Downgrade) = P(Baa) + P(Ba) + P(B) + P(Caa to C) + P(D)
= 4.927% + 0.493% + 0.090% + 0.022% + 0.020%
= 5.552%

As illustrated above, the probability of default over a one-year horizon can be easily
determined using the credit transition matrix. Based on the figure below, default
rates are low for borrowers rated investment grade (0% for AAA to 0.169% for Baa)
and significantly higher for borrowers rated below investment grade (between
1.097% for Ba and 16.597% for Caa-C).


FROM    TO        Default Rates
Aaa     Default   0.000%
Aa      Default   0.008%
A       Default   0.02%
Baa     Default   0.169%
Ba      Default   1.097%
B       Default   4.484%
Caa-C   Default   16.597%

Figure 5.12: Transition from current rating to default

The credit transition matrix shows the probability of moving from one rating to another,
depending on the rating at the beginning of the period. This movement is also known
as credit migration. Migration is a discrete process where a credit rating changes
from one period to the next. In order to appreciate the credit transition matrix, it is
important to understand a default from the actuarial point of view. Based on
Illustrative Examples 1 and 2 above, the borrower may start with an initial A credit
rating. There are two possible scenarios at the end of the first year (Year 1): either
the borrower rated “A” will survive or end in default. The default rate can easily be
extracted using the credit transition matrix.

[Diagram: a borrower rated A at the beginning either survives to the end of Year 1 (Survival Rate = 1 - Default Rate) or defaults (Default Rate).]

Figure 5.13: Two scenarios - default or survival

Given that the one-year default rate in the transition matrix is 0.02%, the probability
that A will survive in one year is 99.98% (computed as 100% less 0.02%). The calculation
of one-year default and survival rate is straightforward. The calculation of the
default probability for the second year is more difficult to extract. This is because if
the borrower survives in the first year, there are then multiple migration paths after
the first year.


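[Diagram: from the beginning rating, the borrower either survives or defaults in Year 1; a borrower that survives is upgraded, keeps the same rating, is downgraded or defaults in Year 2.]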

Figure 5.14: Two-year rating path

Based on the above, the following may occur:

• The borrower may be upgraded to a higher rating (e.g., from A to Aaa or Aa).
• The borrower will retain the same rating.
• The borrower may be downgraded to a lower rating (e.g., from A to Baa, Ba, B,
Caa to C).
• The borrower may default.

The probability of default for the second year (Year 2) can be determined by
calculating the migration probability rates that the beginning credit rating will move
under different paths.

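[Diagram: a borrower with a beginning credit rating of A either defaults in Year 1 (Default Rate (Y1)) or survives into one of the ratings Aaa, Aa, A, Baa, Ba, B or Caa-C at the end of Year 1; from each of those ratings it either survives or defaults in Year 2 (Default Rate (Y2)).]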

Figure 5.15: Two-year default rate


The credit transition matrix in the table below shows how the one-year probability of
default for Year 2 is calculated.

Ratings   Aaa       Aa        A         Baa       Ba        B         Caa-C     Defaults
Aaa       88.647%   7.447%    0.637%    0.000%    0.015%    0.002%    0.000%    0.000%
Aa        1.080%    87.190%   6.881%    0.254%    0.055%    0.017%    0.000%    0.008%
A         0.064%    2.724%    87.559%   4.927%    0.493%    0.090%    0.022%    0.020%
Baa       0.045%    0.193%    4.887%    84.345%   4.309%    0.774%    0.232%    0.169%
Ba        0.008%    0.055%    0.383%    5.703%    75.649%   7.736%    0.574%    1.097%
B         0.012%    0.041%    0.157%    0.351%    5.566%    73.440%   5.589%    4.484%
Caa-C     0.000%    0.028%    0.028%    0.168%    0.627%    9.689%    59.186%   16.597%

Figure 5.16: Credit transition matrix

The Probability of Default for Year 2

Path                           Year 1 transition            Year 2 default                   Product
From A to Aaa to Default       From A to Aaa: 0.064%        From Aaa to Default: 0.000%      0.064% × 0.000% = 0.00000%
From A to Aa to Default        From A to Aa: 2.724%         From Aa to Default: 0.008%       2.724% × 0.008% = 0.00022%
From A to A to Default         From A to A: 87.559%         From A to Default: 0.020%        87.559% × 0.02% = 0.01751%
From A to Baa to Default       From A to Baa: 4.927%        From Baa to Default: 0.169%      4.927% × 0.169% = 0.00833%
From A to Ba to Default        From A to Ba: 0.493%         From Ba to Default: 1.097%       0.493% × 1.097% = 0.00541%
From A to B to Default         From A to B: 0.09%           From B to Default: 4.484%        0.09% × 4.484% = 0.004036%
From A to Caa-C to Default     From A to Caa-C: 0.022%      From Caa-C to Default: 16.597%   0.022% × 16.597% = 0.00365%

Probability of default rate for Year 2: 0.03915%

Figure 5.17: PD calculation for year 2
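
The path-by-path calculation in Figure 5.17, generalised to any starting rating, as an added example that is not part of the study text. The matrix values are copied from Figure 5.16; the function names are illustrative, and the two-year cumulative figure assumes it equals the Year 1 default rate plus the Year 2 result.

```python
"""Year 2 default probability from a one-year rating transition matrix."""

RATINGS = ["Aaa", "Aa", "A", "Baa", "Ba", "B", "Caa-C"]

# One-year transition frequencies in percent, copied from Figure 5.16.
# The first seven entries follow RATINGS; the last entry is the default column.
# Rows are used as published and are not rescaled to sum to 100%.
TRANSITIONS = {
    "Aaa":   [88.647, 7.447, 0.637, 0.000, 0.015, 0.002, 0.000, 0.000],
    "Aa":    [1.080, 87.190, 6.881, 0.254, 0.055, 0.017, 0.000, 0.008],
    "A":     [0.064, 2.724, 87.559, 4.927, 0.493, 0.090, 0.022, 0.020],
    "Baa":   [0.045, 0.193, 4.887, 84.345, 4.309, 0.774, 0.232, 0.169],
    "Ba":    [0.008, 0.055, 0.383, 5.703, 75.649, 7.736, 0.574, 1.097],
    "B":     [0.012, 0.041, 0.157, 0.351, 5.566, 73.440, 5.589, 4.484],
    "Caa-C": [0.000, 0.028, 0.028, 0.168, 0.627, 9.689, 59.186, 16.597],
}


def _row(rating):
    """Return the matrix row for a rating, rejecting unknown grades."""
    if rating not in TRANSITIONS:
        raise KeyError(f"unknown rating: {rating!r}")
    return TRANSITIONS[rating]


def one_year_pd(rating):
    """Year 1 default rate in percent (the default column of the row)."""
    return _row(rating)[-1]


def upgrade_downgrade(rating):
    """Return (upgrade %, downgrade %) over one year.

    As in Illustrative Example 2, the downgrade figure includes default.
    """
    row = _row(rating)
    idx = RATINGS.index(rating)
    return sum(row[:idx]), sum(row[idx + 1:])


def year2_paths(rating):
    """List every path rating -> intermediate -> default.

    Each entry is (intermediate, move %, default %, product %), where the
    product of two percentages is divided by 100 to stay in percent.
    """
    row = _row(rating)
    paths = []
    for j, intermediate in enumerate(RATINGS):
        p_move = row[j]
        p_default = one_year_pd(intermediate)
        paths.append((intermediate, p_move, p_default, p_move * p_default / 100.0))
    return paths


def year2_pd(rating):
    """Probability (percent) of surviving Year 1 and defaulting in Year 2."""
    return sum(product for _, _, _, product in year2_paths(rating))


def two_year_cumulative_pd(rating):
    """Assumed cumulative two-year default rate: Year 1 plus Year 2."""
    return one_year_pd(rating) + year2_pd(rating)


if __name__ == "__main__":
    for mid, p_move, p_def, product in year2_paths("A"):
        print(f"A -> {mid:<5} -> Default: {p_move:7.3f}% x {p_def:6.3f}% = {product:.5f}%")
    print(f"Year 2 PD for A:          {year2_pd('A'):.5f}%")
    print(f"Two-year cumulative (A):  {two_year_cumulative_pd('A'):.5f}%")
```

Running the same functions for Aaa shows that a grade with a 0.000% Year 1 default rate still carries a non-zero Year 2 default probability, because it can migrate to a lower grade first.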


Average cumulative default rate per credit ratings


Credit rating agencies also regularly publish average default rates per credit
rating using historical data. The average default rate per credit rating shows the
cumulative default rate over a certain period or year. An example of the average
corporate default rates matrix for each credit rating from Year 1 to Year 5 is set out below.

Ratings   Year 1    Year 2    Year 3    Year 4    Year 5
Aaa       0.000%    0.000%    0.190%    0.077%    0.163%
Aa        0.000%    0.181%    0.286%    0.446%    0.704%
A         0.263%    0.237%    0.500%    0.808%    1.116%
Baa       0.507%    0.850%    1.561%    2.335%    3.142%
Ba        1.483%    3.200%    5.315%    7.490%    9.587%
B         4.617%    8.786%    13.494%   17.720%   21.425%
Caa-C     20.617%   22.460%   29.029%   33.916%   37.638%

Figure 5.18: Average cumulative default rating

In order to understand how the probability of default or default rate is calculated
from the average corporate default rates matrix, it is important to understand the
following terms:

i. Default intensity or hazard rate – The hazard rate is a term borrowed from the
insurance industry. It is the probability that a borrower defaults at a certain time,
having survived without default between now and that point in time.
ii. Cumulative default rate – Measures the frequency of default at any time between
the starting date and Year T. For example, the 5-year cumulative default rate is
the frequency of default from Year 0 up to Year 5.
iii. Marginal default rate – The frequency of default during year T. For example, the
marginal default rate for Year 5 is the one-year probability of default from Year 4
to Year 5.

[Timeline: a 1Y marginal default rate applies to each of Year 1, Year 2, ... Year T.]

Figure 5.19: Marginal default rate vs. Cumulative default rate


Illustrative Example–3

Marginal Default Rate

Bank XYZ has the following existing exposure with a borrower rated Baa.

Rating   Year 1    Year 2    Year 3    Year 4    Year 5
Baa      0.507%    0.850%    1.561%    2.335%    3.142%

Using the excerpt above on the average cumulative default rate for Baa from
Year 1 to Year 5, calculate the following:

a. The probability that borrower rated Baa will default on the third year.
b. The probability that borrower rated Baa will survive at the end of the second
year.

Solution:

a. The probability that borrower rated Baa will default on the third year.
Probability of default on the 3rd year = PD (3rd year) – PD (2nd year)
= 1.561% – 0.850%
= 0.711%

b. The probability that the borrower rated Baa will survive at the end of the
second year.
Survival probability on the 2nd year = 100% – PD (2nd year)
= 100% – 0.850%
= 99.150%
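
The arithmetic of Illustrative Example 3 extended to every year of the series, as an added example that is not part of the study text. Function and field names are illustrative; the conditional default rate is an assumption about how to express the default intensity definition in yearly steps (the marginal rate divided by the survival rate at the end of the prior year), and the decreasing series in the demo is constructed.

```python
"""Marginal, survival and conditional default rates from cumulative rates."""


def default_term_structure(cumulative_pct):
    """Build a per-year table from cumulative default rates in percent.

    cumulative_pct[0] is the Year 1 cumulative rate, cumulative_pct[1] the
    Year 2 rate, and so on. Each returned row holds:
      year        - 1-based year number
      cumulative  - cumulative default rate up to the end of the year
      marginal    - default rate during the year (cumulative difference)
      survival    - 100% less the cumulative rate at the end of the year
      conditional - default rate during the year given survival to its
                    start (assumed discrete form of the hazard rate);
                    None when nothing survived to the start of the year
    """
    rows = []
    previous = 0.0
    for year, cumulative in enumerate(cumulative_pct, start=1):
        if not 0.0 <= cumulative <= 100.0:
            raise ValueError(f"Year {year}: rate {cumulative} is outside 0-100%")
        # A cumulative rate counts all defaults so far, so it cannot fall.
        if cumulative < previous:
            raise ValueError(
                f"Year {year}: cumulative rate {cumulative}% is below "
                f"the prior year's {previous}%"
            )
        marginal = cumulative - previous
        survived_to_start = 100.0 - previous
        conditional = (
            100.0 * marginal / survived_to_start if survived_to_start > 0 else None
        )
        rows.append({
            "year": year,
            "cumulative": cumulative,
            "marginal": marginal,
            "survival": 100.0 - cumulative,
            "conditional": conditional,
        })
        previous = cumulative
    return rows


# Baa row used in Illustrative Example 3 (percent, Year 1 to Year 5).
BAA_CUMULATIVE = [0.507, 0.850, 1.561, 2.335, 3.142]

if __name__ == "__main__":
    for row in default_term_structure(BAA_CUMULATIVE):
        print(
            f"Year {row['year']}: cumulative {row['cumulative']:.3f}%  "
            f"marginal {row['marginal']:.3f}%  survival {row['survival']:.3f}%  "
            f"conditional {row['conditional']:.4f}%"
        )
    # Constructed series that falls in Year 2; the function rejects it.
    try:
        default_term_structure([0.300, 0.250, 0.500])
    except ValueError as exc:
        print("rejected:", exc)
```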

5.5.1 Actuarial Approaches

The actuarial approach to the estimation of a probability of default involves
the use of historical data on the default rates of borrowers to predict the
expected probability of default for customers or clients having similar credit
risk characteristics. Models belonging to this approach use statistical data
of the default rates of borrowers to quantify the expected probability of
default. This estimation of probability of default can be further classified into
two approaches, namely the external ratings-based approach and the internal
scorecard approach.


External ratings-based approach

The external ratings-based approach to the estimation of a probability of
default involves the use of the empirical default rates of credit rating agencies
for each credit rating scale. As can be seen in Figure 5.11, the probability of
default of a particular borrower is estimated by matching its borrower credit
rating assessment to the historical default rate experience for each credit
rating grade.

Credit rating agencies independently assess the creditworthiness of
organisations and there are three major leading credit rating agencies in the
world: Moody’s Investors Service (Moody’s), Standard & Poor’s (S&P), and
Fitch Ratings. Moody’s Investors Service is a leading global provider of credit
ratings. Moody’s covers more than 115 countries, 11,000 corporate issuers, 21,000
public finance issuers and 76,000 structured finance obligations. Standard
& Poor’s, on the other hand, is one of the world’s leading providers of
independent credit risk research. In 2013, S&P rated US$6.6 trillion worth of
new debt. S&P has over 25 offices around the world and more than 1,400
analysts, managers, and economists. Finally, Fitch Ratings is a global leader
in credit ratings and research with a presence in over 30 countries. Fitch Ratings
introduced the AAA to D ratings scale in 1924.

Credit rating agencies express their opinion on the creditworthiness of an
organisation through credit ratings. Credit ratings are forward-looking
assessments of the creditworthiness of an organisation. These credit ratings
are expressed using alpha or alphanumeric rating scales.

Moody’s

Aaa   Obligations are judged to be of the highest quality, minimal credit risk.

Aa    Obligations are judged to be of high quality, subject to very low credit risk.

A     Obligations are considered upper medium grade and are subject to low credit risk.

Baa   Obligations are subject to moderate credit risk. They are considered medium-grade and may possess certain speculative characteristics.

Ba    Obligations are judged to have speculative elements that are subject to substantial credit risk.

B     Obligations are considered speculative and subject to high credit risk.

Caa   Obligations are judged to be of poor standing and are subject to very high credit risk.

Ca    Obligations are highly speculative and are likely in, or very near default, with some prospect of recovery of principal and interest.

C     Obligations are the lowest rated class of bonds and are typically in default, with little prospect for recovery of principal or interest.

Figure 5.20: Moody’s ratings definition


S&P

AAA The highest rating assigned by S&P. The obligor’s capacity to meet its financial
commitment on the obligation is extremely strong.

AA Differs from the highest rating only to a small degree. The obligor’s capacity to meet
its financial commitment on the obligation is very strong.

A More susceptible to the adverse effects of changes in circumstances and economic
conditions than obligations in higher rated categories. However, the obligor’s capacity
to meet its obligations is still strong.

BBB Exhibits adequate protection parameters. However, adverse economic conditions or
changing circumstances are more likely to lead to a weakened capacity of the obligor
to meet its financial commitment on the obligation.

BB Less vulnerable than other speculative issues. However, it faces major ongoing
uncertainties or exposure to adverse business, financial or economic conditions which
could lead to the obligor’s inadequate capacity to meet its financial commitment on
the obligation.

B More vulnerable to non-payment than BB but the obligor currently has the capacity
to meet its financial commitment on the obligation. Adverse business, financial or
economic conditions will likely impair the obligor’s capacity or willingness to meet its
financial commitment on the obligation.

CCC Currently vulnerable to non-payment, and is dependent on favourable business,
financial, and economic conditions for the obligor to meet its financial commitment
on the obligation. In the event of adverse business, financial or economic conditions,
the obligor is not likely to have the capacity to meet its financial commitment on the
obligation.

CC Currently highly vulnerable to non-payment.

C Currently highly vulnerable to non-payment. Obligations that have payment
arrearages allowed by the terms of the documents, or obligations of an issuer that
is the subject of a bankruptcy petition or similar action which have not experienced
a payment default. This rating may also be assigned to subordinated debt, preferred
stock or other obligations on which cash payments have been suspended in
accordance with the instrument’s terms or when preferred stock is the subject of a
distressed exchange offer, whereby some or all of the issue is either repurchased for
an amount of cash or replaced by other instruments having a total value that is less
than par.

D Obligation is in payment default. Payments not made on the due date unless such
payments will be made within five business days, irrespective of any grace period.

Figure 5.21: S&P rating definition


Fitch Ratings

Credit ratings are opinions based on established criteria and methodologies that Fitch is
continuously evaluating and updating. Credit ratings are forward-looking and include
analysts’ view of future performance. Credit ratings do not directly address any risk other
than credit risk. Credit ratings are opinions on relative ranking of vulnerability to default.

AAA Highest credit quality. Lowest expectation of default risk. Assigned only in cases of
exceptionally strong capacity for payment of financial commitments. This capacity is
highly unlikely to be adversely affected by foreseeable events.

AA Very high credit quality. Expectations of very low default risk. Indicates a very strong
capacity for payment of financial commitments. Not significantly vulnerable to
foreseeable events.

A High credit quality. Expectations of low default risk. The capacity for payment of
financial commitments is considered strong. This capacity may, nevertheless, be
more vulnerable to adverse business or economic conditions than is the case for
higher ratings.

BBB Good credit quality. Expectations of default risk are currently low. The capacity for
payment of financial commitments is considered adequate but adverse business or
economic conditions are more likely to impair this capacity.

BB Speculative. Elevated vulnerability to default risk, particularly in the event of adverse
changes in business or economic conditions over time; however, business or financial
flexibility exists, which supports the servicing of financial commitments.

B Highly speculative. Material default risk is present, but a limited margin of safety
remains. Financial commitments are currently being met; however, capacity
for continued payment is vulnerable to deterioration in business and economic
environment.

CCC Substantial credit risk. Default is a real possibility.

CC Very high levels of credit risk. Default of some kind appears probable.

C Exceptionally high levels of credit risk. Default is imminent or inevitable, or the issuer
is in standstill.

D Issuer has entered into bankruptcy filings, administration, receivership, liquidation or
other formal winding-up procedure, or which has otherwise ceased business.

Figure 5.22: Fitch ratings definition


Ratings             Moody’s   S&P     Fitch Ratings
Investment Grade    Aaa       AAA     AAA
                    Aa1       AA+     AA+
                    Aa2       AA      AA
                    Aa3       AA-     AA-
                    A1        A+      A+
                    A2        A       A
                    A3        A-      A-
                    Baa1      BBB+    BBB+
                    Baa2      BBB     BBB
                    Baa3      BBB-    BBB-
Speculative Grade   Ba1       BB+     BB+
                    Ba2       BB      BB
                    Ba3       BB-     BB-
                    B1        B+      B+
                    B2        B       B
                    B3        B-      B-
                    Caa1      CCC+    CCC+
                    Caa2      CCC     CCC
                    Caa3      CCC-    CCC-
                    Ca        CC      CC
                    C         C       C
                              D       D

Figure 5.23: Major rating agencies comparison

Internal scorecard approach

The internal scorecard approach is similar to the external rating models
approach except that banking organisations will use their own internal credit
default experience and apply statistical and econometric techniques to
estimate the probability of default. The Altman Z-score is one of the most
popular statistical models in credit risk measurement. The Altman Z-score
is based on the pioneering work of Professor Edward Altman who conducted
a study in 1968 among publicly listed non-financial companies to identify
which accounting ratios are important in detecting financial distress.


These values are combined and weighted to produce a credit risk score that
discriminates between firms that will fail and firms that will survive. The table
below (Figure 5.24) shows the five financial ratios that are determined to be
most predictive of bankruptcy:

Financial ratios

X1 Working capital to total assets

X2 Retained earnings to total assets

X3 Earnings before interest and taxes to total assets

X4 Market value of equity to book value of liabilities

X5 Sales to total assets

Figure 5.24: Altman’s Z-score financial ratios

From the above financial ratios, a credit risk score is then calculated as below:

$$\text{Original Z-score} = 1.2X_1 + 1.4X_2 + 3.3X_3 + 0.6X_4 + 1.0X_5$$

Figure 5.25: Original Altman Z-score formula

The calculated Z-score is used as a basis for the approval or rejection of
loan applications. If the Z-score has a value of less than 1.8, the borrower has
a high chance of defaulting. This could be the basis for rejecting the loan
application.


Illustrative Example–4

Altman Z-score
Bank ABC is currently deciding whether to grant a loan to Company XAS, a
publicly listed company. Below are some of the accounting data extracted from
the company’s financial statements:

A Company’s Financial Statements

Working Capital 10,000,000.00

Retained Earnings 300,000,000.00

Total Assets 1,000,000,000.00

Earnings Before Interest and Taxes 15,000,000.00

Market Value of Equity 200,000,000.00

Book Value of Liabilities 700,000,000.00

Sales 500,000,000.00

Determine whether Bank ABC should grant a loan to Company XAS based on the
Altman Z-score.

Solution:
Step 1: Calculate the accounting ratios

X1 Working Capital to Total Assets 1.00%

X2 Retained Earnings to Total Assets 30.00%

X3 EBIT to Total Assets 1.50%

X4 Market Value of Equity to Book Value of Liabilities 28.57%

X5 Sales to Total Assets 50.00%

Step 2: Altman Z-score

The Altman Z-score is calculated using the following formula:

Z-score = (1.2 × 1%) + (1.4 × 30%) + (3.3 × 1.50%) + (0.6 × 28.57%) + (1.0 × 50%)
= 1.15

5.5.2 Structural Approaches

Structural approaches use publicly available information on an entity’s
liabilities, historical and current market value of its equity and volatility of the
borrower’s assets in estimating the probability of default. The most popular
structural approach in estimating the probability of default is the Merton
Model (1974). The Merton Model uses the option pricing theory to estimate the
probability of default.

Introduction to options
Options are contracts giving one party the right but not the obligation to buy
(or sell) an underlying asset at a fixed price. This fixed price is also called an
exercise or strike price. The party with the right to buy (or sell) is also called the
holder of the option. The other party with the obligation to sell (or buy) is called
the writer of the option. The asset that is bought or sold is also known as the
underlying. In order to understand the basics of the option pricing theory, the
risk management student should have a firm grasp of the jargon of
options. Illustrative Example 5 provides the basic terms of an option contract.

Illustrative Example–5

Basic Terms of an Option Contract

Bank ABC bought an option to buy 100,000 shares of JVC Corporation at USD
100 per share exercisable after 1 year. The option price is USD 800,000.

Terms and their descriptions:

Option Holder – Option holder is the party with the right to buy (or sell) an
underlying asset.

Option Writer or Seller – Option writer or seller is the party with the obligation to sell
(or buy) an underlying asset.

Underlying – Underlying is the financial or non-financial variable from
which the option derives its value.
In the case of the example above, the underlying is the JVC Corporation shares.

Notional Amount – The notional amount is the quantity of the underlying to
which the option contract applies.
In the case of the example above, the notional is the 100,000 shares.

Expiration Date – The expiration date is the maturity date. It is the date when
the right to buy (or sell) expires.
In the case of the example above, the expiration date is after one year.

Exercise Price or Strike Price – Exercise price or strike price is the stated price for which an
asset may be bought by the holder (if call option) or sold by
the holder (if put option).
In the case of the example above, the exercise price is USD 100 per share.

There are two main types of options, call option and put option. Call option
is a contract giving the holder the right but not the obligation to buy an
underlying at a future date and at a fixed exercise price. The holder of the call
option has a bullish view on the underlying. Put option is a contract giving the
holder the right but not the obligation to sell an underlying at a future date
and at a fixed exercise price. The holder of the put option has a bearish view
on the underlying.

Illustrative Example–6

Option Contracts in Ancient Times


Option contracts are said to be one of the oldest instruments in history.
Below are some of the excerpts from ancient manuscripts which contain
option features.

Exhibit 1: Code of Hammurabi (1795 to 1750 B.C.)


“If anyone owe a debt for a loan, and a storm prostrates the grain, or the
harvest fail, or the grain does not grow for lack of water; in that year he
need not give his creditor any grain, he washes his debt tablet in water
and pays no rent for the year.”

Exhibit 2: Politics by Aristotle


“Thales, so the story goes, because of his poverty was taunted with the
uselessness of philosophy; but from his knowledge of astronomy he had
observed while it was still winter, there was going to be a large crop of
olives, so he raised a small sum of money and paid round deposits for the
whole of the olive presses in Miletus and Chios, which he hired at a low rent
as nobody was running him up; and when the season arrived, there was a
sudden demand for a number of presses at the same time.”

Hint: Think from the perspective of the option holder! The nature of the option
contract depends on when the option holder will gain from the contract
(i.e., will the option holder gain from rising or falling underlying prices?).

There are two perspectives in an option contract, long and short. A party can
have a long perspective or a short perspective in either call option or put
option. A long perspective refers to the buyer of an option contract. The option
holder is in a long position. The long position has a right in all cases—a right
to buy (call option) and a right to sell (put option). To be long in a call option
contract means that the party has bought a right to buy (i.e., a call option). To
be long in a put option contract means that the party has bought a right to
sell (i.e., a put option). In exchange for the right to buy or sell, the long position
pays an option premium to the short position. A short perspective refers to
the seller of an option contract. The option seller or writer is in a short position.

The short position has an obligation in all cases—an obligation to sell (call
option) and an obligation to buy (put option). To be short in a call option
contract means that the party has sold a right to buy (i.e., a call option). To be
short in a put option contract means that the party has sold a right to sell (i.e.,
a put option). The short position receives a consideration in the form of option
premium from the option holder.

The basic payoffs of option contracts


There are four basic option payoffs, the long call position, short call position,
long put position, and short put position.

i. Long call position – In a long call position, the option holder has the right
but not the obligation to buy an asset at a pre-determined exercise price
at expiry. The call option holder in the long call position will exercise its right
to buy if the underlying price at expiry moves above the exercise or strike
level. This is the region where the payoff for the call option holder is positive,
or the position is said to be in-the-money.

On the other hand, if the underlying price at expiry is below the exercise or
strike level, the call option holder will not exercise its right to buy and may
just allow the option to expire as worthless. This is the region where the
payoff for the call option holder is zero or the position is said to be out-of-
the-money.

[Pay-off diagram: payoff plotted against the underlying price at expiry, with the strike marked]

Figure 5.26: Call option pay-off diagram

Based on the payoff diagram above, it can be noted that the option holder
in a long call option position exhibits a bullish view on the underlying price
as the call option will only expire in-the-money if the underlying price moves
up above the strike level. The payoff of a long call position is the higher of
the difference between the underlying price and strike price or zero (i.e., the
payoff of a long call position can never be below zero as the option holder
has the right to allow the option to expire as worthless if it results in a negative
payoff to the option holder).

Call long = Max (Underlying Price – Strike, 0)

Figure 5.27: Call option pay-off formula

The highest possible payoff from a long call option strategy is unlimited.
This is because theoretically there is no limit as to where the underlying
price can end up on expiry date. The long call option position benefits from
the upward movement of the underlying, which is theoretically unlimited.
The lowest possible payoff from a long call option strategy is zero. This is
because the option holder has the right but not the obligation to buy the
underlying at the strike price. If the strategy will result in a negative payoff,
the option holder may just allow the call option to expire as worthless.

ii. Short call position – In a short call option position, the seller or writer of
the call option has the obligation to sell the underlying asset at a pre-
determined exercise or strike price. The payoff of the seller or writer of the
short call position depends on the actions of the long call position. This
is because the seller of the call option always has the obligation to sell
the underlying asset if required to do so by the long call position. The
option holder in the long call position will only exercise its right to buy the
underlying if it is optimal for the holder to do so (i.e., if the payoff is positive).
Otherwise, the option holder in the long call position will simply allow the
option to expire. If the underlying asset rises above the strike or exercise
level, the option holder of the long call position will exercise its right to buy
the underlying asset at the strike price. This results in a positive payoff for
the option holder of the long call position. The option seller in a short call
position has no choice but to sell the underlying asset at a lower strike
price compared to its market value. This results in a negative payoff for the
option seller.

On the other hand, if the underlying asset falls below the strike or exercise
level, the option holder of the long call position will not exercise its right to
buy the underlying asset at the strike price. This results in a zero payoff for
the option holder of the long call position. The option seller in a short call
position will suffer no negative payoff under this scenario.

[Pay-off diagram: payoff plotted against the underlying price at expiry, with the strike marked]

Figure 5.28: Short call option pay-off diagram

The option seller in a short call option position receives an option premium
from the option holder in exchange for the right. The payoff of a short
call position is the lower of the difference between the strike price and
underlying price or zero (i.e., the payoff of a short call position can never be
above zero as the option holder has the right to allow the option to expire
as worthless if it results in a negative payoff to the option holder).

Call short = Min (Strike Price – Underlying Price, 0)

Figure 5.29: Short call option formula

The highest possible payoff from a short call option strategy is zero. This is
because the option holder has the right but not the obligation to buy the
underlying at the strike price. If the strategy will result in a negative payoff,
the option holder may just allow the call option to expire as worthless. The
lowest possible payoff from a short call option strategy is unlimited. This
is because theoretically, there is no limit as to where the underlying price
can end up on expiry date. The exposure of the option seller in a call option
contract is theoretically unlimited.

iii. Long-put position – In a long-put position, the option holder has the right
but not the obligation to sell an asset at a pre-determined exercise price
at expiry. The put option holder in the long-put position will exercise its right
to sell if the underlying price at expiry moves below the exercise or strike
level. This is the region where the payoff for the put option holder is positive
or the position is said to be in-the-money.

On the other hand, if the underlying price at expiry is above the exercise or
strike level, the put option holder will not exercise its right to sell and may
just allow the option to expire as worthless. This is the region where the
payoff for the put option holder is zero or the position is said to be out-of-
the-money.

[Pay-off diagram: payoff plotted against the underlying price at expiry, with the strike marked]

Figure 5.30: Long-put option pay-off diagram

Based on the payoff diagram above, it can be noted that the option holder
in a long-put option position exhibits a bearish view on the underlying
price as the put option will only expire in-the-money if the underlying price
moves down below the strike level. The payoff of a long-put position is the
higher of the difference between the strike price and the underlying price
or zero (i.e., the payoff of a long-put position can never be below zero as
the option holder has the right to allow the option to expire as worthless if it
results in a negative payoff to the option holder).

Put long = Max (Strike Price – Underlying Price, 0)

Figure 5.31: Long-put pay-off formula

The highest possible payoff from a long-put option strategy is the strike
price. This is because the highest payoff occurs when the underlying price
falls to zero. For most financial assets (e.g., equities), the underlying price
can never go below zero. Unlike in a long call option strategy where the
highest possible payoff is unlimited, the highest possible payoff for the
long-put option strategy can already be determined at the start (i.e., equal
to the predetermined strike price).

The lowest possible payoff from a long-put option strategy is zero. This is
because the option holder has the right but not the obligation to sell the
underlying at the strike price. If the strategy will result in a negative payoff,
the option holder may just allow the put option to expire as worthless.

iv. Short put position – In a short put option position, the seller or writer of
the put option has the obligation to buy the underlying asset at a pre-
determined exercise or strike price. The payoff of the seller or writer of the
short put position depends on the actions of the long-put position. This is
because the seller of the put option always has the obligation to buy the
underlying asset if required to do so by the long-put position.

The option holder in the long-put position will only exercise its right to sell
the underlying if it is optimal for the holder to do so (i.e., if the payoff is
positive). Otherwise, the option holder in the long-put position will simply
allow the option to expire as worthless. If the underlying asset falls below the
strike or exercise level, the long-put position will exercise its right to sell the
underlying asset at the strike price. This results in a positive payoff for the
long-put position. The option seller in a short put position has no choice
but to buy the underlying asset at a higher strike price compared to its
market value. This results in a negative payoff for the option seller.

On the other hand, if the underlying asset rises above the strike or exercise
level, the long-put position will not exercise its right to sell the underlying
asset at the strike price. This results in a zero payoff for the long-put position.
The option seller in a short put position will suffer no negative payoff under
this scenario.

[Pay-off diagram: payoff plotted against the underlying price at expiry, with the strike marked]

Figure 5.32: Short put option

The option seller in a short put option position receives an option premium
from the option holder in exchange for the right. The payoff of a short put
position is the lower of the difference between the underlying price and
the strike price or zero (i.e., the payoff of a short put position can never be
above zero as the option holder has the right to allow the option to expire as
worthless if it results in a negative payoff to the option holder).

Put short = Min (Underlying Price – Strike Price, 0)


Figure 5.33: Short put equation

The highest possible payoff from a short put option strategy is zero. This is
because the option holder has the right but not the obligation to sell the
underlying at the strike price. If the strategy will result in a negative payoff,
the option holder may just allow the put option to expire as worthless. The
lowest possible payoff from a short put option strategy is a loss equal to the strike price.
This is because the lowest possible value of the underlying price is zero. This
means that the maximum exposure of the option writer in a short put strategy
is equal to the strike price.

Merton Model 1974


The Merton Model (1974) uses the insights gained from option pricing theory to
estimate the probability of default. In order to understand the Merton Model,
it is important to appreciate the simplified capital structure of any borrower
and the assumption on the default process.

The capital structure of any borrower can be simplistically represented as
equal to the sum of the market value of its liabilities and equity. This is true
because the borrower’s assets are financed by liabilities and equity.

[Diagram: the market value of assets shown as equal to the market value of liabilities plus the market value of equity]

Figure 5.34: Balance sheet structure

Under the Merton Model, a default occurs when the market value of the
borrower’s assets falls below the book or face value of its liabilities. This level
is the default point.

[Chart: market value of assets plotted against the liability level, which marks the default point]

Figure 5.35: Default point

The wider the distance between the market value of the borrower’s assets
and the book value of its liability, the lower the risk that the borrower will
default. Conversely, the narrower the distance between the market value of
the borrower’s assets and the book value of its liability, the higher the risk that
the borrower will default.

The Merton Model uses the option pricing framework in order to calculate the
probability of default. To do this, the model analyses the perspective of both
the equity holders and debt holders from an option payoff standpoint.

From the perspective of the equity holder as a long call option position, the
equity holder or the shareholder is the owner of the residual value of the firm
after paying off all its legal obligations. The equity holder gets all the positive
benefit from owning the firm after satisfying all its contractual obligations. If
the firm is unable to satisfy these contractual obligations, the equity holder
will lose all its initial investment but will not be contractually liable for the
contractual obligations beyond what was invested in the firm.

Given this profile, the Merton Model argues that the rights of equity holders
or shareholders are akin to the rights of the buyers of call options (i.e., long
call position). Equity holders or shareholders enjoy the positive residual
payoff if the market value of the firm’s assets rises beyond the book value of
its liabilities. On the other hand, equity holders or shareholders will suffer no
losses (apart from what was initially invested) if the market value of the firm’s
assets moves below the book value of its liabilities.

[Pay-off diagram: payoff plotted against the market value of assets, with the book value of liabilities marked]

Figure 5.36: Merton Model - Shareholder perspective

From the perspective of the debt holder as a short put option position,
the debt holder enjoys superior rights over the equity holder in terms
of the ranking of the priority of rights in the event of the failure of the firm
(borrower). This is because the firm has a contractual obligation to repay the
amount owed to the creditor. Failure to do so would expose the borrower to
insolvency.

This is the reason why the contractual obligations of debt holders must be
satisfied first before the borrower can repay its obligations to equity holders.
Failure of the borrower to repay its obligations would result in the debt holder
having the right to claim the entity’s assets. If the market value of the firm’s
assets is lower than the book value of the firm’s liabilities, the debt holder
will get all the remaining recovery value of the firm’s assets. The higher the
recovery value of the firm’s assets, the lower the loss of the debt holder. The
lower the recovery value, the higher the loss of the debt holder.

On the other hand, if the market value of the firm’s assets is higher than the book
value of its liabilities, the debt holder will receive the full value of the principal
lent to the firm. After the borrower is able to satisfy its contractual obligations
to the debt holder, the equity holder participates in the remaining market
value of the borrower’s assets. The debt holder no longer participates in
any positive upside after receiving repayment for the principal lent.

Given this profile, the Merton Model argues that the rights of the debt holders
are akin to that of the sellers of put options (short put position) on the firm’s
assets.

[Pay-off diagram: payoff plotted against the market value of assets, with the book value of liabilities marked]

Figure 5.37: Merton Model - Debtholder perspective

In a short put position, the seller of the put option suffers negative payoff if the
underlying asset falls in value below the strike level. This is because the buyer
of the put option exercises its right if the underlying price falls below the strike
level. Similarly, if the market value of the firm’s assets falls below the book
value of its liabilities, the debt holders will get the recovery value of the firm’s
assets. The lower the market values of these assets, the lower the recovery
of the debt holders will be, and therefore, the higher the losses they will incur.

The seller of the put option recognises zero payoff if the underlying asset
price rises above the strike price. This is because the buyer of the put option
will not exercise its right to sell the underlying asset if its value is above
the strike price. Similarly, if the market value of the firm’s assets is above
the book value of its liabilities, this means that the firm or the borrower will
be able to repay all its contractual obligations (i.e., the book value of debt).
The debt holders will then receive repayment equal to the face value or the
principal lent. Debt holders will not be able to participate in any positive
performance above the book value of the firm’s liabilities.

The Merton Model presents an approach to the valuation of corporate
liabilities. It modifies the specifications of the famous Black-Scholes or Black-
Scholes Merton model by applying the option pricing theory to the valuation
of corporate liabilities. This can be done because debts can now be valued
as a short put option on the firm’s assets while equity can be valued as a long
call option position on the firm’s assets.

[Pay-off diagrams, two panels, each plotting payoff against the market value of assets with the book value of liabilities marked: DEBT as a short put position and EQUITY as a long call position]

Figure 5.38: Merton Model - Debt and equity perspective

Illustrative Example–8

Merton Model
Bank ABC wants to estimate the probability that Company BDF will default over a one-year
horizon using the Merton Model. Bank ABC gathered the following data about Company
BDF:

Value of assets = USD 100 million
Book value of liability at maturity = USD 70 million
Interest rate = 5%
Volatility of assets = 20%
Time of maturity = 1

Solution:
Step 1: Calculate d1
Recall that:

Step 2: Calculate d2
Recall that:

Step 3: Calculate the probability of default


Recall that the main argument of the Merton Model is that the rights of equity holders are
akin to that of the buyer of a call option (long call position) and the rights of debt holders
are akin to that of the seller of a put option (short put position).

Alternative 1: Probability of default from the equity holder perspective


Recall the following payoff of a long call position. If the underlying price is above the
strike price, the option holder will exercise the call option. The option is in-the-money. On
the other hand, if the underlying price is below the strike price, the option holder will not
exercise the call option. The option is out-of-the-money.

[Pay-off diagram: payoff plotted against the market value of assets, with the book value of liabilities marked and the region of default to its left]

Default occurs when the market value of assets falls below the book value of liabilities
(refer to left portion of the diagram).

N(d2) is the probability that the call option will end up in-the-money. This is also the
probability that the market value of the borrower’s assets will be above the book value
of its liabilities. N(d2), therefore, represents the probability that the borrower will survive
during a one-year horizon.

N(d2) or the probability of survival is 97.34%. This means that over a one-year horizon the
probability that the borrower will survive is 97.34%.

Therefore, 1 – N(d2) is the probability that the call option will end up out-of-the-money.
This is also the probability that the market value of the borrower’s assets will be below the
book value of its liabilities. 1 – N(d2), therefore, represents the probability that the borrower
will default over a one-year horizon.

1 – N(d2) = 1 – 97.34% = 2.66%

1 – N(d2) is equal to 2.66%. This means that over a one-year horizon, the probability that
the borrower will default is 2.66%.

Alternative 2: Probability of default (debtholder’s perspective)


Recall the following payoff of a short put position. If the underlying price is below the strike
price, the option holder will exercise the put option. This means that the party in a short
put option position will suffer losses. On the other hand, if the underlying price is above
the strike price, the option holder will not exercise the put option. The option is out-of-the-
money.

[Pay-off diagram: payoff plotted against the market value of assets, with the book value of liabilities marked and the region of default to its left]

Default occurs when market value of assets falls below the book value of liabilities (refer
to left portion of the diagram).

N(–d2) is the probability that the put option will end up in-the-money. This is also the
probability that the market value of the borrower’s assets will be above the book value
of its liabilities. N(–d2), therefore, represents the probability that the borrower will survive
during a one-year horizon.

1 minus N(–d2) is the probability that the put option will end up out-of-the-money. This is
also the probability that the market value of the borrower’s assets will be below the book
value of its liabilities. 1 – N(–d2), therefore, represents the probability that the borrower will
default during a one-year horizon.

The probability of default, using the short put option argument, is also 2.66%.
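
The calculation in Illustrative Example 8, reproduced as an added example (not part of the study text). It assumes the standard Black-Scholes-Merton definitions of d1 and d2, which are not printed on this page, and the function and variable names are hypothetical. It also values equity as the long call and debt as risk-free debt less the short put, and shows the probability of default rising as the asset value approaches the default point.

```python
"""Merton (1974) probability of default for Illustrative Example 8 (added example)."""
from math import erf, exp, log, sqrt


def norm_cdf(x: float) -> float:
    """Standard normal cumulative distribution function N(x)."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def merton(assets: float, debt: float, rate: float, vol: float, horizon: float) -> dict:
    """Treat equity as a long call on the firm's assets, struck at the debt's face value.

    Assumption: d1 and d2 follow the standard Black-Scholes-Merton definitions.
    """
    if min(assets, debt, vol, horizon) <= 0:
        raise ValueError("assets, debt, volatility and horizon must be positive")
    sd = vol * sqrt(horizon)
    d1 = (log(assets / debt) + (rate + 0.5 * vol ** 2) * horizon) / sd
    d2 = d1 - sd
    pv_debt = debt * exp(-rate * horizon)  # face value discounted at the risk-free rate
    equity = assets * norm_cdf(d1) - pv_debt * norm_cdf(d2)   # long call on the assets
    put = pv_debt * norm_cdf(-d2) - assets * norm_cdf(-d1)    # put written by the debt holder
    return {
        "d1": d1,
        "d2": d2,
        "survival": norm_cdf(d2),  # N(d2): assets end above the book value of liabilities
        "pd": norm_cdf(-d2),       # 1 - N(d2) = N(-d2): assets end below it
        "equity": equity,
        "debt": pv_debt - put,     # risk-free debt less the short put
    }


def pd_by_asset_value(asset_values, debt, rate, vol, horizon):
    """Probability of default for each asset value, holding the other inputs fixed."""
    return [merton(v, debt, rate, vol, horizon)["pd"] for v in asset_values]


# Inputs from Illustrative Example 8 (amounts in USD million).
EXAMPLE_8 = merton(assets=100.0, debt=70.0, rate=0.05, vol=0.20, horizon=1.0)

if __name__ == "__main__":
    print(f"d1 = {EXAMPLE_8['d1']:.4f}, d2 = {EXAMPLE_8['d2']:.4f}")
    print(f"N(d2), probability of survival = {EXAMPLE_8['survival']:.2%}")
    print(f"1 - N(d2), probability of default = {EXAMPLE_8['pd']:.2%}")
    print(f"equity = {EXAMPLE_8['equity']:.2f}, debt = {EXAMPLE_8['debt']:.2f}")
    # Constructed asset values: narrowing the distance to the default point of 70.
    for v, p in zip((100, 90, 80, 70), pd_by_asset_value((100, 90, 80, 70), 70.0, 0.05, 0.20, 1.0)):
        print(f"assets = {v}: PD = {p:.2%}")
```

Equity and debt valued this way add back to the market value of assets, which is the balance sheet identity the model starts from.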

5.5.3 Market-Based Approach

Market-based approaches to the estimation of a probability of default use
traded prices of financial instruments to imply default rates. This is the reason
why these default rates are also called market implied default probabilities.
Market-based approaches use traded bond or loan prices to imply the
probability of default. Recall that bond price is simply the present value of
the expected cash flow of the bond using an appropriate discount rate. The
discount rate is composed of two elements, the risk-free element and credit
spread.

Y = Rf + Credit Spread

Figure 5.39: Yield formula

Risk-free interest rate is the interest rate return required assuming that the
interest and principal will be repaid with certainty (i.e., free from default or
credit risk). It is therefore the minimum interest rate to be demanded by
investors when investing in bonds or other fixed income securities. In most
cases, the risk-free rate is the interest rate of local currency denominated
government securities. For example, the risk-free rates for securities that
are issued in US dollars are the US treasury yield for the applicable tenor. For
issues that are not risk-free, investors would demand a higher return in the
form of a spread over the risk-free rate. This spread is also known as credit
spread. The credit spread is seen as the compensation for the investor taking
on the credit risk.

Illustrative Example–9

Credit Spread
Below is an example of the different rates/yields given on different maturity
dates:

Tenor       US Treasury     Company XYZ
            Rates/Yields    Rates/Yields

1 year      0.25%           0.35%
2 years     0.30%           0.45%
3 years     0.75%           0.95%
5 years     1.30%           1.70%
7 years     1.80%           2.30%
10 years    2.20%           2.75%

Company XYZ is a US-based company. The rates in the column Company
XYZ Rates/Yields represent rates/yields for Company XYZ borrowings
for each applicable tenor. Calculate the credit spread of Company XYZ
issuances for each tenor.

Solution:
Recall that the yield or rates of any issuance can be broken down into two
components: the risk-free rate and the credit spread.

Y = Rf + Credit Spread

Risk-free rates are the rates of sovereign issuances for each tenor (in
this case, this is the interest rate for securities issued by the United States
Treasury). This is the minimum rate of return required for securities at no
default risk.

Credit spread is the additional spread required by investors for
securities with default risk (e.g., securities issued by entities other than
the government). The credit spread can be viewed as an additional
compensation demanded by the investor for taking default risk. The higher
the default risk, the higher the credit spread. The lower the default risk, the
lower the credit spread.

Credit Spread = Y – Rf

Tenor       US Treasury     Company XYZ     Credit
            Rates/Yields    Rates/Yields    Spread

1 year      0.25%           0.35%           +0.10%
2 years     0.30%           0.45%           +0.15%
3 years     0.75%           0.95%           +0.20%
5 years     1.30%           1.70%           +0.40%
7 years     1.80%           2.30%           +0.50%
10 years    2.20%           2.75%           +0.55%

The credit spread is a function of the market’s perception of the borrower’s
credit risk. The higher the credit risk, the higher the credit spread
demanded by investors.

It can also be observed that credit spread tends to be higher as the tenor
or maturity of the exposure increases.

Credit spread can be viewed as a form of compensation for the credit risk
taken. In any lending activity, a major portion of the risk faced by the banking
organisation is the possibility that losses will be incurred by the bank if the
borrower defaults on its obligation. This loss can be quantified by the expected
credit loss model:

Expected Loss (EL) = Probability of Default (PD) x Loss Given Default (LGD) x
Exposure at Default (EAD)

LGD = 1-Recovery

Figure 5.40: Expected credit loss formula

At the very least, the bank should be compensated by an amount equal to
the risk-free rate (minimum benchmark return assuming there is no default
risk) and the expected credit loss arising from taking the borrower’s credit
risk. If the earnings are not sufficient to recover these expected losses, then
the bank loses money from this transaction. Below is an example of how
expected loss and yield are related:

Illustrative Example–10

Expected Loss and Yield


Assuming a principal of 100, calculate the minimum yield required to be
earned from this transaction if the probability of default is 1% and recovery
rate is 0%. The risk-free rate is 2%.
Solution:
Step 1: Calculate the expected loss

The expected loss is equal to:

EL = PD × LGD × Exposure
   = 1% × (1 – 0%) × 100
   = 1

Step 2: Convert the expected loss as a percentage of the exposure

Expected Loss in Percentage = EL / Exposure
                            = 1 / 100
                            = 1%

Step 3: Calculate the yield required

Minimum Yield Required = Risk Free Rate + Credit Spread
                       = 2% + 1%
                       = 3%

From the analysis above on how credit spread was calculated, the probability
of default can now be indirectly derived using the following arguments:

Probability of default arguments, each followed by its credit spread formula:

Credit spread is simply the expected loss from the transaction divided by the
overall exposure.

    Credit Spread = Expected Loss / Exposure

Expected loss is equal to the probability of default multiplied by the loss given
default (i.e., 100% minus recovery rate) and exposure.

    Credit Spread = (PD × (1 – RR) × Exposure) / Exposure

Credit spread can be reduced to:

    Credit Spread = PD × (1 – RR)

Probability of default can be indirectly derived as:

    PD = Credit Spread / (1 – RR)

Figure 5.41: Credit spread formula

The probability of default can be estimated more precisely by comparing the
price of the risky bond with its theoretical risk-free price. The theoretical risk-
free price of the bond is the price of the bond if the default or credit risk was
removed. It is higher than the actual price of the risky bond. The difference
between the price of the risky bond and its theoretical risk-free price can
be attributed to credit risk. This difference is then compared against the
theoretical risk-free price to determine the probability of default.

PD = Price Difference Between Risk-Free and Risky Bond / Theoretical Risk-Free Price

Figure 5.42: PD implied from bonds
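
The two market-based estimates applied to the yields of Illustrative Example 9, as an added example (not part of the study text). The spread method follows Figure 5.41 and the price method follows Figure 5.42. The zero-coupon bond with annual compounding, the recovery rate argument and all function names are assumptions made for the illustration.

```python
"""Market-implied default probabilities from the Illustrative Example 9 yields (added example)."""

# (tenor in years, US Treasury yield, Company XYZ yield), in percent, from the page's table.
CURVE_PCT = [(1, 0.25, 0.35), (2, 0.30, 0.45), (3, 0.75, 0.95),
             (5, 1.30, 1.70), (7, 1.80, 2.30), (10, 2.20, 2.75)]


def pd_from_spread(spread: float, recovery_rate: float) -> float:
    """PD = Credit Spread / (1 - RR), the rearranged form in Figure 5.41."""
    if not 0.0 <= recovery_rate < 1.0:
        raise ValueError("recovery rate must be in [0, 1)")
    if spread < 0.0:
        raise ValueError("risky yield is below the risk-free rate")
    return spread / (1.0 - recovery_rate)


def minimum_yield(risk_free: float, pd: float, recovery_rate: float) -> float:
    """Risk-free rate plus expected loss as a percentage of exposure (Example 10)."""
    return risk_free + pd * (1.0 - recovery_rate)


def zero_coupon_price(yield_: float, tenor: int, face: float = 100.0) -> float:
    """Assumption: a zero-coupon bond discounted with annual compounding."""
    return face / (1.0 + yield_) ** tenor


def pd_from_prices(risk_free: float, risky_yield: float, tenor: int) -> float:
    """Figure 5.42: price difference divided by the theoretical risk-free price.

    For a zero-coupon bond this is a cumulative figure over the whole tenor,
    whereas the spread-based figure is per year.
    """
    rf_price = zero_coupon_price(risk_free, tenor)
    risky_price = zero_coupon_price(risky_yield, tenor)
    return (rf_price - risky_price) / rf_price


def implied_pd_table(recovery_rate: float = 0.0) -> list:
    """One row per tenor with the spread and both implied probabilities."""
    rows = []
    for tenor, rf_pct, y_pct in CURVE_PCT:
        rf, y = rf_pct / 100.0, y_pct / 100.0
        spread = y - rf
        rows.append({
            "tenor": tenor,
            "spread": spread,
            "pd_spread": pd_from_spread(spread, recovery_rate),
            "pd_price": pd_from_prices(rf, y, tenor),
        })
    return rows


if __name__ == "__main__":
    for row in implied_pd_table(recovery_rate=0.0):
        print(f"{row['tenor']:>2}y  spread={row['spread']:.2%}  "
              f"PD(spread)={row['pd_spread']:.3%}  PD(price)={row['pd_price']:.3%}")
    print(f"minimum yield, Example 10: {minimum_yield(0.02, 0.01, 0.0):.2%}")
```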

5.6 LOSS GIVEN DEFAULT MODELS

Loss given default (LGD), the loss severity on defaulted obligations, is a critical
component of risk management, pricing, and portfolio models of credit. This is among
the three primary determinants of credit risk, the other two being the probability
of default (PD) and exposure at default (EAD). LGD is equivalent to 100% minus the
recovery rate, or dollar recovery as a proportion of par, or EAD assuming all debt
becomes due at default. Recovery rate is an important factor in the calculation of
expected credit losses. It measures the severity of loss upon the emergence from a
default. S&P defines recovery rate as:

“The value of securities at the point of emergence from default.”

Credit rating agencies provide numerical recovery rate ratings on some facilities
or issues. These ratings are based on expected recovery in the event of payment at
default.

| S&P Recovery Rating | Description of Recovery | Recovery Range |
|---|---|---|
| 1+ | Highest expectation, full recovery | 100% |
| 1 | Very high recovery | 90-100% |
| 2 | Substantial recovery | 70-90% |
| 3 | Meaningful recovery | 50-70% |
| 4 | Average recovery | 30-50% |
| 5 | Modest recovery | 10-30% |
| 6 | Negligible recovery | 0-10% |

Figure 5.43. Recovery rates per rating

5.6.1 Factors Affecting Recovery Rates

Recovery rates are estimated either on a discounted or nominal basis.
Nominal recovery rates are the actual recovery rates after the emergence
from a default. They compare the amount expected to be received at the end
of a restructuring or bankruptcy to the exposure at default. Exposure
at default, for recovery rating calculation purposes, is the principal and
accrued interest at the point of default.

$$\text{Nominal Recovery Rate (RR)} = \frac{\text{Nominal Value at the End of Restructuring or Bankruptcy}}{\text{Exposure at Default}}$$

Figure 5.44: Recovery rates formula

Discounted recovery rates refer to estimates of recovery rates based on the
discounted cash flows recovered after the emergence from default. Because
discounted recovery rates consider the time value of money, they tend
to be lower than nominal recovery rates. Modelling recovery rates has received
far less attention than other modelling factors of credit risk such as probability
of default and exposure at default. This is because recovery rates are harder
to model given that they depend on many factors that are hard to quantify.

[Diagram: four factors feeding into recovery rates: seniority of obligations, state of
the economy, borrower characteristics, and type of default resolution.]

Figure 5.45: Factors affecting recovery rates

Seniority of obligations
The more senior the obligation is, the higher the recovery rate is, holding
other things constant. Senior secured obligations are obligations that rank
first in terms of priority of payments of principal and interest and are backed
by collateral. In the event of a bankruptcy, senior secured creditors receive
the proceeds from the sale of the collateral. If the proceeds from the sale
of collateral are not sufficient, senior secured creditors will receive priority
payment over other unsecured obligations. Senior unsecured obligations
rank higher in terms of priority payments than subordinated obligations. They
are, however, not backed by any collateral.

Senior subordinated obligations are obligations that are ranked lower than all
senior obligations and receive payments only after the obligations to senior
creditors are paid. Senior subordinated obligations, however, rank higher
than other subordinated obligations.

[Diagram: debt obligations ranked by seniority, with recovery rate increasing towards
the top: Senior Secured Obligations, Senior Unsecured Obligations, Senior Subordinated
Obligations, Other Subordinated Obligations.]

Figure 5.46: Seniority ranking - Debt obligations


State of the economy
The state of the economy will also affect recovery rates. Recovery rates tend to
be higher during economic expansions and lower during economic recessions.
Recovery rates tend to be higher during an economic expansion due to the
availability of a wider range of potential buyers of the defaulting borrower’s
assets who may be keen to pursue acquisitions of assets for expansions. The
general liquidity in the economy during economic expansions tends to result
in asset prices that are higher than during an economic recession. This
increases the proceeds from the sale of the defaulting borrower’s assets.

During an economic recession, however, recovery rates tend to be lower as
potential buyers may be more conservative in terms of pursuing expansion
opportunities. There are fewer potential buyers, which may lead to a decrease
in recovery rates. During a recession, the lack of liquidity may result in asset
prices that are lower than during an economic expansion. This decreases
the proceeds from the sale of the defaulting borrower’s assets. In the study
by S&P on recovery rates in three recessionary periods in the US (1990−1991,
2000−2001 and 2008−2009), one of the key findings is that instruments
generally recover less during the recessionary periods. Recovery rates were
slightly lower during 1990−1991 and 2008−2009 and below average during the
2000−2001 recessionary period.

Borrower characteristics
Characteristics of the borrower (e.g., type of industry) will also affect the
recovery rates. Recovery rates tend to be higher when assets of the defaulting
borrower are tangible. On the other hand, recovery rates tend to be lower when
assets of the defaulting borrower are intangible. Recovery rate is observed
to be the lowest for the environment, telecommunications, technology, and
defence industries. Recovery rate is highest for the utility industry.

Type of default resolution
The type of default resolution can also dictate the amount of recovery.
There are two main types of defaults, which are bankruptcy and distressed
exchanges. Bankruptcy refers to the type of default which involves a formal
legal procedure to liquidate an organisation’s assets in order to satisfy
its obligations to creditors. Distressed exchanges refer to attempts by the
organisation to avoid bankruptcy by renegotiating the credit terms with the
creditors. Common examples of distressed exchanges are:

• Exchange of debt claims to obligations with lower priority claims (e.g.,
debt-for-equity swap)
• Reduction of interest rate
• Extension of tenor or repayment dates
• Reduction of the face value of the original claim


Many creditors agree to distressed exchanges because of the view that
recovery rates would be higher than if the borrower undergoes the legal
process of bankruptcy. Based on the study by S&P of US recovery
rates from 2008 to 2012, bond defaults that underwent distressed exchanges
reported higher average discounted recovery rates (43.20%) than those that
went through bankruptcy (29.20%). In a similar study
by Moody’s of corporate defaults, it was noted that defaults that occurred
through distressed exchanges experienced recovery of 69%. This was
significantly higher than the recovery rate of companies that underwent
bankruptcy, which was only 49%.

5.6.2 Recovery Rates Modelling

Estimating recovery rates is one of the most challenging aspects of credit risk
modelling. The resulting recovery rates are used to quantify an important
input in credit risk modelling: the loss given default (LGD). Recovery rates
are more instrument-specific than the probability of default. Modelling of
recovery rates has received far less attention compared to probability of
default models. Recovery rates, as an input in many credit risk measurement
models, can be viewed as endogenous or exogenous.

Recovery rates as endogenous variables
Recovery rates can be viewed as endogenous variables in a credit risk model.
This assumes that recovery rates are internal variables that are functionally
related to other inputs in the credit risk model (e.g., probability of default).
In the Merton Model, recovery rates are variables linked to the value of the
borrower’s assets and its volatility. Recovery rates are the market values of
the firm’s assets as a percentage of the book values of its total liabilities.

In the Merton Model, recovery rates vary inversely with the probability of
default. As the market value of the firm’s assets increases, the recovery
value increases and the probability that the borrower will default decreases.
Conversely, as the market value of the firm’s assets decreases, recovery value
decreases and the probability of default increases.

Recovery rates as exogenous variables
Recovery rates can be viewed as an exogenous variable in a credit risk
model. This means that the recovery rate is modelled independently without
considering the other inputs of the credit risk model such as the probability
of default.


The most common approach in modelling recovery rates as an exogenous
variable is the beta distribution approach. The beta distribution approach
models the recovery rate as a random variable between 0% and 100%. The main
attraction of the beta distribution approach is that it is simple to apply in
practice as it only needs two parameters: the alpha and the beta. The alpha
and the beta can easily be calculated using the mean and the standard
deviation of recovery rates. The mean and standard deviation of recovery
rates can be obtained from recovery rate studies conducted by credit rating
agencies. Moody’s uses a mean recovery rate of 50% and a standard deviation
of 26% for its Loss Given Default Assessment methodology.
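
The beta distribution approach described above, as an added Python example that is not part of the original study text: it derives alpha and beta from the 50% mean and 26% standard deviation quoted in the text using the method of moments, then samples recovery rates to obtain an LGD distribution. The method-of-moments fit, the number of draws, the seed and the function names are assumptions of this example.

```python
import random


def beta_parameters(mean, std_dev):
    """Method-of-moments alpha and beta for a recovery rate on [0, 1]."""
    variance = std_dev ** 2
    if not 0.0 < mean < 1.0:
        raise ValueError("mean recovery rate must lie strictly between 0 and 1")
    if variance <= 0.0 or variance >= mean * (1.0 - mean):
        raise ValueError("standard deviation is not attainable by a beta distribution")
    common = mean * (1.0 - mean) / variance - 1.0
    return mean * common, (1.0 - mean) * common


def beta_moments(alpha, beta):
    """Mean and standard deviation implied by alpha and beta (round-trip check)."""
    total = alpha + beta
    mean = alpha / total
    variance = alpha * beta / (total ** 2 * (total + 1.0))
    return mean, variance ** 0.5


def simulate_lgd(alpha, beta, n_draws, seed):
    """Draw recovery rates from Beta(alpha, beta) and convert them to LGD = 1 - RR."""
    rng = random.Random(seed)
    return [1.0 - rng.betavariate(alpha, beta) for _ in range(n_draws)]


def percentile(values, q):
    """Empirical q-quantile (0 <= q <= 1) of a list of numbers."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def lgd_summary(mean_rr, std_rr, n_draws=20000, seed=7):
    """Fit the beta distribution and summarise the simulated LGD distribution."""
    alpha, beta = beta_parameters(mean_rr, std_rr)
    lgds = simulate_lgd(alpha, beta, n_draws, seed)
    return {
        "alpha": alpha,
        "beta": beta,
        "mean_lgd": sum(lgds) / len(lgds),
        "lgd_95": percentile(lgds, 0.95),  # LGD exceeded in only 5% of draws
    }


if __name__ == "__main__":
    # Mean 50% and standard deviation 26% are the figures quoted in the text.
    for name, value in lgd_summary(0.50, 0.26).items():
        print(f"{name}: {value:.4f}")
```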

5.7 EXPOSURE AT DEFAULT

Exposure at default (EAD) is the estimate of the amount outstanding in the event that
the borrower defaults. The amount outstanding should include the drawn amounts
plus likely future drawdowns of yet undrawn lines. The EAD for loans and advances to
customers is normally expressed in terms of notional amount, reflecting the values
carried on the bank’s balance sheet. The EAD for financial market transactions is
expressed in terms of mark-to-market net of margin.

Credit exposures from loans or bonds represent the simplest and most straightforward
type of exposure at default. The EAD for loans or bonds is either the principal amount
plus accrued interest, or the market value or replacement cost of the loan or bond. It
is common to simply assume that, for many loans and bonds, the EAD is equal to the
principal amount plus accrued interest.

Determining the exposure at default for other contracts, such as derivative
transactions, is less straightforward. Derivatives are contracts whose values depend
on the performance of underlying variables. The future payoff profile of a derivative
transaction is not known at the start of the contract. It evolves, depending on the
performance of the underlying variable. In fact, for some derivatives that generate
two-way credit exposures, such as swaps and forwards, it is difficult to determine at
the onset who is the exposed counterparty.

In a traditional lending exposure, the lending bank is the sole exposed party.
Many derivative transactions create two-way or bilateral credit risk exposures.
If the market value of the derivative transaction is
positive for the bank, the bank is the exposed party as the counterparty may have
an incentive to default on the transaction. On the other hand, if the market value of
the derivative transaction is negative for the bank, the counterparty is the exposed
party, and the bank may have an incentive to default on the transaction.

The credit risk exposure from a derivative transaction is based on the
mark-to-market value of the transaction on the date of default. There are diverging
practices on how this credit risk exposure is calculated on trade date. Some banks
apply a standardised approach where a constant multiplier is used to estimate the
credit exposure. More sophisticated banks simulate the mark-to-market of a particular
derivative exposure and calculate the worst-case exposure assuming a high
confidence level.

Exposure at default (EAD) is the amount of loss that the bank/creditor will incur
assuming zero recovery. It is the absolute amount of credit risk during the life of the
credit instrument. EAD is an important element in the modelling of expected credit
loss. The expected credit loss in percentage (i.e., probability of default × loss given
default) is applied to EAD to get the absolute value of the expected credit loss.

There are two types of credit risk exposures, namely the current exposure and
potential exposure. Current exposure is the value of the asset or exposure at the
current time. Current exposure should always be positive. Potential exposure
represents the positive value of the credit exposure at some future date.

5.7.1 Credit Exposure From Loans Or Bonds

Credit exposure from loans or bonds represents the simplest and most
straightforward type of exposure at default. The exposure-at-default (EAD)
for loans or bonds is either the principal amount plus accrued interest, or
the market value or replacement cost of the loan or bond. It is common
to simply assume that the EAD is equal to the principal amount plus
accrued interest for many loans and bonds. To visualise the EAD
for a simple loan, it is useful to use diagrams
called exposure profiles. Exposure profiles provide a simple way to visualise
credit risk exposure on specific dates.

For purposes of illustration, assume that the bank has an outstanding
five-year bullet loan receivable at 5% interest (payable annually). A bullet
loan means that a fixed principal is repaid one-time at the maturity of the
loan (in this case, after five years). The table below sets out the cash flow
profile of the five-year bullet loan.

| Year | Interest | Principal | Total |
|---|---|---|---|
| 1 | $5 | | $5 |
| 2 | $5 | | $5 |
| 3 | $5 | | $5 |
| 4 | $5 | | $5 |
| 5 | $5 | $100 | $105 |

Figure 5.47: Bond cash flow - Principal + interest


[Chart: credit exposure of the bullet loan (y-axis, $- to $120.00) against time in
years (x-axis, 0 to 5); data labels read $105.00, $100.00 and $-.]

Figure 5.48: Credit exposure profile - Bullet

On interest payment dates (payable annually), the exposure of the bank increases
to the principal plus accrued interest. On non-interest
payment dates, exposure declines to the principal. At maturity,
exposure-at-default drops dramatically to zero.

Another common loan structure is the amortising loan. In an amortising loan,
principal is repaid at multiple pre-agreed scheduled dates. Interest is paid
based on the outstanding principal.
The table below sets out an example of a five-year equally amortising loan.

[Chart: credit exposure of the amortising loan (y-axis, $- to $120.00) against time in
years (x-axis, 0 to 5); data labels read $105.00, $100.00, $84.00, $80.00, $63.00,
$60.00, $42.00, $40.00, $20.00 and $-.]

Figure 5.49: Credit exposure profile - Amortising

Note that the exposure profile of an amortising loan is different from the
exposure profile of a bullet loan. The exposure profile of an amortising loan
shows a gradual reduction in the exposure on every principal repayment date.
Exposure increases on each interest payment date by the amount of the accrued
interest. However, the interest is not based on the original principal but on the
outstanding principal for the applicable period. At maturity, the exposure of
the banking organisation is zero.
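
The bullet and amortising exposure profiles described above, rebuilt in Python as an added example that is not part of the original study text. It follows the text's convention that exposure equals principal plus accrued interest on a payment date and outstanding principal otherwise; the function and field names are hypothetical.

```python
def loan_exposure_profile(principal, annual_rate, years, amortising=False):
    """Return one row per year with the exposure just before and just after
    the annual payment.

    Bullet loan: interest only each year, full principal at maturity.
    Amortising loan: equal principal instalments, interest on the outstanding balance.
    """
    outstanding = principal
    instalment = principal / years if amortising else 0.0
    rows = []
    for year in range(1, years + 1):
        interest = outstanding * annual_rate
        if amortising:
            repayment = instalment
        else:
            repayment = principal if year == years else 0.0
        exposure_before = outstanding + interest  # principal plus accrued interest
        outstanding -= repayment                  # exposure once the payment is made
        rows.append({
            "year": year,
            "interest": round(interest, 2),
            "principal_repaid": round(repayment, 2),
            "exposure_before_payment": round(exposure_before, 2),
            "exposure_after_payment": round(outstanding, 2),
        })
    return rows


def peak_exposure(rows):
    """Largest exposure reached over the life of the loan."""
    return max(row["exposure_before_payment"] for row in rows)


if __name__ == "__main__":
    # The five-year, 5%, $100 loan used in the text.
    for label, flag in (("Bullet", False), ("Amortising", True)):
        print(label)
        for row in loan_exposure_profile(100.0, 0.05, 5, amortising=flag):
            print(f"  year {row['year']}: before payment "
                  f"${row['exposure_before_payment']:.2f}, "
                  f"after payment ${row['exposure_after_payment']:.2f}")
```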


5.7.2 Credit Exposure From Guarantees and Commitments

Guarantees are off-balance sheet contracts where the bank has agreed to
assume the obligations of a third party in the event of default. The exposure
at default (EAD) is the notional amount as the guaranteed obligation will be
triggered if the guaranteed party defaults. Commitments are off-balance
sheet contracts where the bank agrees to lend money to the borrower for
a fixed period of time. Commitments generate future exposure when the
borrower decides to draw on the commitment to meet funding needs.
Commitments can either be revocable or irrevocable. In an irrevocable
commitment, the obligation to make future lending is unconditional and
binding on the part of the bank. In a revocable commitment, the bank has the
option to terminate the commitment should the borrower’s credit deteriorate.
The challenge in modelling exposure-at-default in loan commitments is that
the EAD increases with the increase in probability of default. This is because
in many instances, borrowers will draw on the loan commitment if their credit
deteriorates.

5.7.3 Credit Exposure From Derivatives

Derivatives are contracts whose value depends on the performance of an
underlying variable. The future payoff profile of derivative transactions is not
known at the start of the contract. It evolves depending on the performance
of the underlying variable. In fact, for some derivatives that generate
two-way credit exposure such as swaps and forwards, it is hard to determine at
the onset who the exposed counterparty is. Derivatives generate two different
types of exposures: pre-settlement risk and settlement risk.

Pre-settlement risk is the risk that the counterparty defaults prior to the
maturity of the transaction. If a transaction is terminated prior to maturity, the
exposure of the party is the cost to replace this transaction. Settlement risk is
the risk that the counterparty defaults at the final settlement of the transaction.
The exposure in settlement risk is the gross exposure of the transaction. Thus,
it is larger compared to the pre-settlement risk exposure. However, compared
to pre-settlement risk exposure, the settlement risk exposure lasts only for a
very short period of time and is usually due to timing differences.

In a traditional lending exposure, only the lending bank is the exposed
party. Many derivative transactions create a two-way or bilateral credit
risk exposure. If the market value of the derivative transaction is positive for
the bank, the bank is the exposed party as the counterparty may have an
incentive to default on the transaction.

On the other hand, if the market value of the derivative transaction is negative
for the bank, the counterparty is the exposed party, and the bank may have an
incentive to default on the transaction. The two-way exposure generated
by some derivative transactions makes it important to distinguish between
two types of risk exposures arising from derivatives.

Types of Risk Exposure Arising from Derivatives

Wrong-way Risk

Description: Wrong-way risk occurs when the exposure to a counterparty is
adversely correlated with the credit quality of the counterparty. This means that
the exposure increases with the deterioration of the credit quality of the
counterparty.

Example: Company XYZ, a Malaysia-based company, entered into a forward
transaction with Bank ABC where it sells US$10,000,000 at an exchange rate of 3.4
(local currency value: MYR34,000,000).

If MYR weakens against the US$ (US$ strengthens) to 3.5, Company XYZ is still
required to pay US$10,000,000 but will receive only MYR34,000,000 from Bank ABC.
Had Company XYZ not entered into this transaction, it would have been able to sell
US$10,000,000 at a more favourable rate for MYR35,000,000. This means that the
hedge has a negative mark-to-market (MTM) value for Company XYZ and a positive
mark-to-market value for Bank ABC.

Recall that Company XYZ is a Malaysia-based company. A weakening of MYR
(domestic currency) may be an indication of a weakness in the domestic economy.
This means that Company XYZ’s creditworthiness may have deteriorated as well.

Bank ABC, therefore, is exposed to the correlation between the increase in
exposure (positive mark-to-market value) and deteriorating creditworthiness of
the counterparty.

Right-way Risk

Description: Right-way risk, on the other hand, occurs when the exposure to a
counterparty decreases with the deterioration of the credit quality of the
counterparty.

Example: Company DEF, a Malaysia-based company, entered into a forward
transaction with Bank ABC where it buys US$10,000,000 at an exchange rate of 3.4
(local currency value of MYR34,000,000).

If MYR weakens against the US$ (US$ strengthens) to 3.5, Company DEF will receive
US$10,000,000 from Bank ABC but will pay only MYR34,000,000 to Bank ABC. The
value of US$10,000,000 in local currency terms is now at MYR35,000,000. This means
that Company DEF has no incentive to default.

Bank ABC will have a positive MTM exposure to Company DEF in this transaction
only if MYR strengthens against US$.

If MYR strengthens against US$, this may indicate a generally positive development
of the local economy. This means that, holding other things constant, Company DEF,
a Malaysia-based company, may be facing improving credit prospects.

In this transaction, the exposure of Bank ABC is negatively correlated to the credit
quality of Company DEF.

Figure 5.50: Types of risk exposure arising from derivatives

Derivative exposure can be defined in different ways depending on how it will
be used in practice. Below is a summary of the different ways derivatives are
defined in practice.


Terms and definitions

Current Exposure
• Current exposure is the market value of the derivative transaction within a
netting agreement set with a counterparty. This is the amount that would be lost
upon the default of the counterparty assuming no recovery on the value of those
transactions upon default.
• It gives a picture of a bank’s counterparty credit risk exposure at any given time.

Jump-to-default Exposure
• Jump-to-default exposure is the change in the value of counterparty transactions
upon default.
• It allows banks to assess the risk of a sudden, unanticipated default before the
market can adjust.

Expected Exposure
• Expected exposure is the average exposure to a counterparty at a date in the
future.
• It allows banks to measure exposures at a common time in the future.

Expected Positive Exposure
• Expected positive exposure is the weighted average of expected exposures over
time.
• This measure only considers positive exposure and ignores instances when
exposures are negative.

Peak Exposure
• Peak exposure is a high percentile of the distribution of exposures (typically 95
or 99 per cent) at any particular future date before the maturity date of the longest
transaction.
• It provides an estimate of the maximum potential exposure at a specified future
date or over a given time horizon with a high level of confidence.

Figure 5.51: Different definitions of derivatives
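
The simulation approach and the exposure definitions above, applied to the US$10,000,000 forward at 3.4 from the wrong-way risk example, as an added Python example that is not part of the original study text. The driftless lognormal rate model, the 8% volatility, the quarterly date grid, the path count and seed, and the treatment of exposure as max(MTM, 0) without discounting are all assumptions of this example.

```python
import math
import random


def simulate_fx_paths(spot, annual_vol, dates, n_paths, seed):
    """Driftless lognormal USD/MYR paths observed at the given dates (in years)."""
    rng = random.Random(seed)
    paths = []
    for _ in range(n_paths):
        rate, previous, path = spot, 0.0, []
        for t in dates:
            dt = t - previous
            shock = rng.gauss(0.0, 1.0)
            rate *= math.exp(-0.5 * annual_vol ** 2 * dt
                             + annual_vol * math.sqrt(dt) * shock)
            path.append(rate)
            previous = t
        paths.append(path)
    return paths


def forward_mtm_to_bank(rate, strike, notional_usd):
    """MTM in MYR for Bank ABC, which buys USD at the strike from Company XYZ.

    The bank gains when USD/MYR rises above the strike (MYR weakens).
    """
    return notional_usd * (rate - strike)


def exposure_measures(spot, strike, notional_usd, annual_vol, dates,
                      n_paths=20000, seed=11, confidence=0.95):
    """Current, expected, expected positive and peak exposure for one forward."""
    paths = simulate_fx_paths(spot, annual_vol, dates, n_paths, seed)
    current = max(forward_mtm_to_bank(spot, strike, notional_usd), 0.0)
    expected, peak = [], []
    for i in range(len(dates)):
        # Only positive MTM is an exposure: a negative MTM means the bank owes money.
        exposures = sorted(
            max(forward_mtm_to_bank(path[i], strike, notional_usd), 0.0)
            for path in paths
        )
        expected.append(sum(exposures) / n_paths)
        peak.append(exposures[min(n_paths - 1, int(confidence * n_paths))])
    # Expected positive exposure: time-weighted average of the expected exposures.
    steps = [t - s for s, t in zip([0.0] + list(dates[:-1]), dates)]
    epe = sum(w * e for w, e in zip(steps, expected)) / sum(steps)
    return {
        "current_exposure": current,
        "expected_exposure": expected,
        "expected_positive_exposure": epe,
        "peak_exposure": peak,
    }


if __name__ == "__main__":
    dates = [0.25, 0.5, 0.75, 1.0]
    result = exposure_measures(3.4, 3.4, 10_000_000, 0.08, dates)
    print(f"Current exposure: MYR {result['current_exposure']:,.0f}")
    for t, ee, pk in zip(dates, result["expected_exposure"], result["peak_exposure"]):
        print(f"t={t:.2f}y  expected MYR {ee:,.0f}  peak (95%) MYR {pk:,.0f}")
    print(f"Expected positive exposure: MYR {result['expected_positive_exposure']:,.0f}")
```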

5.8 EXPECTED CREDIT LOSS (ECL) – REGULATORY AND ACCOUNTING PRACTICES

Expected Credit Loss (ECL) is the probability-weighted estimate of credit losses
(i.e., the present value of all cash shortfalls) over the expected life of a financial
instrument. The concept is particularly important in the context of IFRS 9 Financial
Instruments. A cash shortfall is the difference between the cash flows that are due
to an entity in accordance with the contract (scheduled or contractual cashflows)
and the cash flows that the entity expects to receive (actual expected cashflows).
Because expected credit losses consider the amount and timing of payments, a
credit loss arises even if the entity expects to be paid in full but later than when
contractually due.

In the IFRS 9 context, the ECL approach applies to all instruments held at amortised
cost as well as to all instruments held at fair value through other comprehensive
income. ECL can be measured either at an individual exposure level or a collective
portfolio level (grouped exposures based on shared credit risk characteristics).
According to the IFRS 9 standard, the measurement of expected credit losses of a
financial instrument should reflect:

• An unbiased and probability-weighted amount of potential loss that is determined
by evaluating a range of possible outcomes;
• The time value of money; and
• Reasonable and supportable information that is available without undue cost or
effort at the reporting date about past events, current conditions, and forecasts of
future economic conditions.

Under the new impairment approach introduced by IFRS 9, it is no longer necessary
for a credit event to have occurred before credit losses are recognised (as with the
previous incurred loss accounting approach). Instead, an entity always accounts for
expected credit losses, and also changes in those expected credit losses. The amount
of expected credit losses is updated at each reporting date to reflect changes in
credit risk since initial recognition and, consequently, more timely information is
provided about expected credit losses.

The formula for calculating the expected loss (EL) is:

$$EL = PD \times LGD \times EAD$$

where EL is the Expected Loss, PD is the Probability of Default, LGD is the Loss Given
Default and EAD is the Exposure at Default.

Figure 5.52: EL formula


Illustrative Example – 11

Computing Expected Credit Loss


Bank XYZ has an outstanding loan commitment of MYR2,000,000 of
which MYR1,500,000 is currently outstanding. It is expected that 75% of
the remaining commitment would have been drawn down. It was also
assessed that the default rate is 1% over the next year. Recovery rate in
case of default is expected to be only 60% of the exposure at default.

Calculate the expected credit loss over a one-year horizon.

Solution:
Step 1: Calculate the exposure at default

Outstanding loan: MYR 1,500,000.00
Add: Expected drawdown on default (MYR 500,000 x 75%): 375,000.00
Exposure at default: MYR 1,875,000.00

Step 2: Determine the probability of default

Probability of default: 1%

Step 3: Calculate the loss given default

Loss given default = 100% - Recovery rate
= 100% - 60%
= 40%

$$EL = PD \times LGD \times EAD$$

$$7{,}500 = 1\% \times 40\% \times 1{,}875{,}000$$
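
The calculation in Illustrative Example 11, together with the cash-shortfall definition of ECL given earlier in this section, as an added Python example that is not part of the original study text. The loan cash flows, scenario probabilities and 5% discount rate in the second part are constructed sample values, and the function names are hypothetical; the "paid late" scenario shows a credit loss arising even though the full amount is eventually received.

```python
def exposure_at_default(limit, drawn, expected_drawdown_rate):
    """Drawn balance plus the expected drawdown of the undrawn commitment."""
    return drawn + (limit - drawn) * expected_drawdown_rate


def expected_loss(pd, recovery_rate, ead):
    """EL = PD x LGD x EAD, with LGD = 100% - recovery rate."""
    return pd * (1.0 - recovery_rate) * ead


def present_value(cash_flows, rate):
    """Discount (year, amount) cash flows at an annual rate."""
    return sum(amount / (1.0 + rate) ** year for year, amount in cash_flows)


def cash_shortfall(contractual, expected, rate):
    """Present value of contractual cash flows minus that of expected cash flows."""
    return present_value(contractual, rate) - present_value(expected, rate)


def probability_weighted_ecl(contractual, scenarios, rate):
    """Probability-weighted present value of cash shortfalls across scenarios."""
    total_probability = sum(probability for probability, _ in scenarios)
    if abs(total_probability - 1.0) > 1e-9:
        raise ValueError("scenario probabilities must sum to 1")
    return sum(probability * cash_shortfall(contractual, expected, rate)
               for probability, expected in scenarios)


# Constructed sample: two-year loan of 100 at 5%, discounted at 5%.
DISCOUNT_RATE = 0.05
CONTRACTUAL = [(1, 5.0), (2, 105.0)]
PAID_LATE = [(1, 5.0), (3, 105.0)]   # paid in full, but one year late
DEFAULTED = [(1, 5.0), (3, 63.0)]    # 60% of the final payment recovered, late
SCENARIOS = [(0.90, CONTRACTUAL), (0.07, PAID_LATE), (0.03, DEFAULTED)]


if __name__ == "__main__":
    # Illustrative Example 11 from the text.
    ead = exposure_at_default(2_000_000, 1_500_000, 0.75)
    print(f"EAD: MYR {ead:,.2f}")
    print(f"EL:  MYR {expected_loss(0.01, 0.60, ead):,.2f}")
    # Cash-shortfall view with the constructed scenarios.
    late = cash_shortfall(CONTRACTUAL, PAID_LATE, DISCOUNT_RATE)
    print(f"Shortfall when paid in full but late: {late:.4f}")
    ecl = probability_weighted_ecl(CONTRACTUAL, SCENARIOS, DISCOUNT_RATE)
    print(f"Probability-weighted ECL: {ecl:.4f}")
```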

Banking organisations are expected to incorporate the expected loss in pricing
loans. The pricing of loans is a key element in the credit risk management
process. It ensures that the bank is adequately compensated for taking the
risks associated with its lending activities. This means that the bank should
earn sufficient income to cover not only the costs to fund the loans and other
overhead costs but also the expected credit loss.


Banks are also required to set aside credit reserves if the revenue is not
sufficient to cover for expected credit loss. The process of setting aside a
portion of its earnings to cover for expected credit losses is known as loan
loss provisioning. These loan loss provisions appear as operating expense in
the bank’s income statement. These loan provisions generate credit reserves
that the bank can draw upon.

Type of Loan Provisioning and Description

General loan provisioning
This provision is applied to the loan portfolio as a whole. The provisions are
established for losses that are known to exist but cannot be directly addressed or
attributed to any individual loans.

Banking organisations are typically required to set aside a percentage of their total
loan portfolios as general loan provisions.

Specific loan provisioning
This is a provision established against a loss that is directly attributable to a
specific loan. The provision is assigned based on the loan classification under an
approved loan grading system.

Loan grading is a system of classifying a loan by assigning scores or grades based
on the characteristics of the individual loan.

The following is an example of a loan classification system adopted from the U.S.
Federal Reserve classification system:

• Standard loans: These loans are performing and have sound credit fundamentals.
• Specially mentioned loans: These loans are still performing but have potential
weaknesses that may weaken the loan and the bank’s asset quality.
• Substandard loans: These loans have weaknesses where the borrower’s payment
capacity is already not assured.
• Doubtful loans: These loans are substandard loans with full collection already
highly questionable and improbable.
• Loss loans: These loans are uncollectible.

Figure 5.53: Type of loan provisioning


Boxed Article–11

Loan Loss Provisioning Practices in Asia


In the aftermath of the 1997 Asian financial crisis, many jurisdictions in Asia
adopted stronger standards particularly in establishing reserves in the
loan portfolio. Many of the moves converge with internationally accepted
accounting regimes (e.g., IAS 39) or improvements to loan grading or
provisioning schemes.

Malaysia
Bank Negara Malaysia increased its reserve requirements for various
prudential loan grades. Up to March 1998, no specific reserve level was
required for loans graded substandard, while stipulating 50% for doubtful
loans and 100% for loss loans. In March 1998, a 20% requirement for
substandard loans—net of collateral—was introduced and general reserve
levels were increased to 1.5% of total loans.

Philippines
The Philippines adopted the IAS 39 in 2005 including the loan impairment
framework. For banks, however, the Bangko Sentral ng Pilipinas (BSP)
requires that the general reserve levels be maintained in accordance with
the IAS 39 or BSP guidelines, whichever is higher. The BSP requirements
include a general provision for loans without heightened credit risk
characteristics at 1% and 5% for loans which were previously restructured.
Specific reserves are determined based on the particular loan’s assigned
grade.

Singapore
Singapore adopted the IAS 39 in 2005. The Monetary Authority of Singapore
assigns a transitional arrangement of general provisions of 1% of loans net
of collateral values.

Thailand
In 1998, Thailand significantly increased the minimum loan loss reserves
required for various supervisory loan grades. In 2006 and 2007, the Bank of
Thailand further tightened loan provisioning standards for all loans graded
substandard or below.

Indonesia
The definition for prudential loan classification scheme with five grades
was adopted in December 1998 and a tighter definition for each grade
was instituted in 2005. General loan loss reserves should not be less than
1% net of collateral.

Source: Bank for International Settlements Working Paper No. 375


Unexpected loss refers to credit losses above the expected levels. These
losses may occur at any time, but the timing, frequency and severity of
losses are difficult to estimate. Provisioning is expected to cover only for the
expected value of losses from the loan portfolio. There are instances when the
unexpected losses can go beyond what the bank expects. In these instances,
the bank is expected to hold a buffer that would protect the entity against
losses beyond the expected levels. This buffer is in the form of bank capital.
Sufficient capital is necessary to cover the risks of peak losses.

It would be convenient to assume that banks hold capital to cover all
unexpected losses by assuming the worst-case scenario. The worst-case
scenario is when the banks lose their entire assets or loan portfolios in a
given year. Holding enough buffer or capital to cover such losses may be
neither economically efficient nor economically feasible. This is the reason
why, in practice, a statistical or probabilistic approach is frequently used to
determine the amount of capital as provision for unexpected losses.

Some banks quantify the amount of capital required for unexpected
losses by estimating the amount of loss which will be exceeded with a small,
pre-defined probability. The probability is determined by assessing the
probability of bank insolvency arising from credit losses that the bank is willing
to accept. This small, pre-defined probability can therefore be considered as the
probability of bank insolvency. Setting this probability depends on the bank’s
risk appetite framework and, on a broader level, the bank insolvencies that
bank supervisors are willing to accept.

Unexpected loss is the worst-case loss (or peak loss) for a given time horizon
and assuming a given confidence level.

[Chart: loss rate (y-axis) against time and frequency (x-axes), with the expected loss
(EL) level marked by a dashed line and unexpected loss (UL) above it.]

Figure 5.54: Unexpected loss

There are instances when the losses occur beyond the dashed line, i.e.,
expected loss. These may occur from time to time, but the timing and amount
of loss are difficult to estimate. The losses above the dashed line represent the
unexpected credit losses.


Figure 5.55: Capital setting for credit risk (frequency plotted against
potential losses, marking expected loss (EL), unexpected loss (UL),
value-at-risk (VaR) and a tail region labelled “100% minus Confidence Level”).

The curve shows that losses below the expected loss dashed line are expected
to occur more frequently. Unexpected losses (losses beyond the expected
loss dashed line) are expected to occur with less frequency. Buffers are set
aside to cover for both expected and unexpected credit losses. This can
be quantified using different techniques, but the most popular quantitative
technique is the value-at-risk (VaR) model. This covers the unexpected loss
determined at a certain confidence level.

Loan reserves or provisioning is used to cover expected credit losses. Capital,
on the other hand, is used to cover for unexpected credit losses. The shaded
region—100% minus Confidence Level—represents potential losses that are not
covered by the bank’s capital. This region is the small risk of bank insolvency
that the bank is willing to take. This “small-probability” risk is usually set by the
banking regulator.
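
An added illustration of the capital-setting logic above, not taken from the study text: it builds the exact loss distribution for a constructed portfolio and splits it into provision (EL), capital (UL up to the VaR) and the uncovered tail. The portfolio figures, the independence of borrowers and all function names are assumptions of the example.

```python
from math import comb


def loss_distribution(n_loans, pd, lgd, ead):
    """Exact loss distribution for n identical loans.

    Returns a list of (portfolio loss, probability), sorted by loss.
    Assumption of this example: borrowers default independently, so the
    number of defaults is binomial. Real portfolios are correlated.
    """
    loss_per_default = lgd * ead
    return [
        (k * loss_per_default,
         comb(n_loans, k) * pd ** k * (1 - pd) ** (n_loans - k))
        for k in range(n_loans + 1)
    ]


def expected_loss(dist):
    """Probability-weighted average loss: what provisioning covers."""
    return sum(loss * prob for loss, prob in dist)


def value_at_risk(dist, confidence):
    """Smallest loss level that is not exceeded with probability >= confidence."""
    cumulative = 0.0
    for loss, prob in dist:
        cumulative += prob
        if cumulative >= confidence:
            return loss
    return dist[-1][0]


def capital_plan(dist, confidence):
    """Split the loss distribution the way Figure 5.55 does."""
    el = expected_loss(dist)
    var = value_at_risk(dist, confidence)
    # Losses beyond the VaR fall in the "100% minus confidence level" region.
    uncovered = sum(prob for loss, prob in dist if loss > var)
    return {
        "provision_el": el,               # covered by loan loss provisions
        "var": var,                       # loss at the chosen confidence level
        "capital_ul": var - el,           # unexpected loss, covered by capital
        "uncovered_probability": uncovered,
    }


if __name__ == "__main__":
    # Constructed portfolio: 100 loans of 1,000,000 each, PD 2%, LGD 50%.
    portfolio = loss_distribution(n_loans=100, pd=0.02, lgd=0.5, ead=1_000_000)
    for confidence in (0.99, 0.999):
        plan = capital_plan(portfolio, confidence)
        print(f"confidence {confidence:.1%}")
        for name, value in plan.items():
            print(f"  {name}: {value:,.6f}")
```

Raising the confidence level moves the VaR further into the tail, so more capital is held and the accepted probability of insolvency shrinks.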

5.8.1 Overview of MFRS9/IFRS9 and the Need For This New Accounting
Standard

Credit loss is incurred by the banking organisation from its lending activities.
Credit loss affects a bank’s profitability. The losses can fluctuate over time.
During economic booms, credit losses are generally low, and generally higher
during economic recessions. Expected credit loss is the average level of credit
losses that the bank can reasonably experience over a specified risk horizon.
The loss should be viewed as the cost of doing business. It forms part of the
cost component of the business of lending.

One of the issues raised during the 2008 Financial Crisis is the problem of
provisioning for loan losses. Under the accounting standards prior to the
financial crisis, banks used an incurred loss model. This means that provisioning
was only recognised when there was objective evidence of impairment. One of
the key findings is that provisioning was “too little, too late”.


During economic expansion, incurred credit loss under the previous accounting
standards tends to be too late and too low. Provisions decline during periods
when surges in loan origination might indicate an increasing level of credit risk.
Provisions during times when earnings are higher (i.e., good years when default
risk is low) tend to be insufficient. Provisions are lower when asset prices (for
example, collateral) are rising. Therefore, banks set aside less capital during
good times when it would be the optimal time to do so.

Figure 5.56: Procyclicality of Provisioning – Provisioning During Economic Expansions
(cycle: 1. Low actual default; 2. Low provisioning; 3. Lower capital set aside;
4. More loan origination)

The problem occurs during economic downturns, and provisions increase
exponentially during periods of credit contraction. Provisions during this time are
higher when earnings are lower. This will force banks to raise more capital
during economic downturns when capital tends to be more expensive.

Figure 5.57: Procyclicality of Provisioning – Provisioning During Economic Recessions
(cycle diagram with the labels: 2. Low provisioning; 3. Lower capital set aside;
4. More loan origination; 5. Low actual default)


Loan provisioning procyclicality is defined as building up risk during periods
of instability when it would be more cost effective and optimal to raise and
conserve capital (but less incentive to do so given low provisioning) and the
corresponding excessive avoidance of risk during periods of volatility due to
high provisioning.

Accounting Perspective: IAS 39 follows an incurred loss model. This means
that provisioning is only recognised when there is objective evidence of
impairment. The balance sheet amount of the loan is reduced through a loan
loss reserve if impairment conditions are triggered.

Regulatory Perspective: Under the regulatory approach, provisions are set
aside to cover expected losses and capital to cover unexpected losses. Loan
losses are covered by provisioning. Basel II encourages the development of
forward-looking provisioning methodologies.

Figure 5.58: Accounting vs. Regulatory Under IAS 39

The Financial Stability Forum (FSF) recommends that accounting standards
should consider alternative models for loan losses that would permit the
recognition of loan losses earlier in the cycle to reduce the procyclicality in
loan provisioning.

Expected Credit Loss Model


At inception, the credit exposure goes under the Stage 1 bucket, where twelve (12)
month expected loss is recognised if PD has not increased significantly. Interest
income is recognised on a gross basis (i.e., loans receivable gross of any
allowance for impairment multiplied by the yield).


STAGING

• Stage 1: Performing. Measurement of ECL: 12 Months Expected Loss (12-Month
  Expected Loss if PD has not increased significantly since inception).
  Interest Revenue: Gross Basis.
• Stage 2: Underperforming (entered on a significant increase in credit risk).
  Measurement of ECL: Lifetime Expected Loss (Lifetime Expected Loss if PD has
  increased significantly). Interest Revenue: Gross Basis.
• Stage 3: Non-Performing Loans (entered on objective evidence of
  impairment/default). Measurement of ECL: Lifetime Expected Loss (Lifetime
  Expected Loss + recognise net revenue). Interest Revenue: Net Basis.

Figure 5.59: Expected Credit Loss Model Under IFRS 9

Assessment is performed at each reporting period by considering the change
in the risk of default occurring over the remaining life of the instrument relative
to the initial recognition. If PD has increased significantly, the bank should
recognise the lifetime expected credit loss.

Figure 5.60: From 12 Month ECL to Lifetime ECL

12-month expected credit loss is the portion of lifetime ECLs that represent the
ECLs that result from default events on a financial instrument that are possible
within the 12 months after the reporting date. This overstates the allowance for
each financial instrument on date of initial recognition/origination. However,
this is matched against the time horizon used under the internal ratings-based
approach under Basel III. Lifetime expected credit loss results from
all possible default events over the expected life of a financial instrument. IFRS
9 requires further modelling for Stage 2 and Stage 3.


5.8.2 The Relationship of Accounting Standard With Risk Management

The expected credit loss model is defined as:

PD × LGD × EAD = ECL

Figure 5.61: Expected Credit Loss Components

Probability of default is a point-in-time likelihood that a counterparty will
default over up to 12 months from reporting date (Stage 1) or over the lifetime
of the credit exposure (Stage 2) and incorporating the impact of forward-
looking economic assumptions that would have an effect on credit risk (IR,
unemployment rate, GDP).

LGD is the loss that is expected to be incurred on default incorporating
the impact of forward-looking assumptions to incorporate the difference
between contractual cash flows and expected cash flows. In practice, this is
based on history of recovery rates.

EAD is the expected balance sheet exposure at the time of default, taking into
account the expected change in exposure over the lifetime of the exposure. This
incorporates the impact of drawdowns of committed facilities, repayments
of principal and interest, amortisation, and prepayments, together with the
impact of forward-looking economic assumptions.

Basel III vs. IFRS 9 – Probability of Default

Basel II/III: The definition of default includes a backstop of 90+ days past
due (180+ days past due for some exposures)
IFRS 9: Rebuttable presumption of default if exposure is 90 days + past due

Basel II/III: Through the Cycle
IFRS 9: Point In Time

Basel II/III: PDs are calibrated over 12 months
IFRS 9: 12-month ECL (Stage 1); Lifetime ECL (Stage 2 and Stage 3); both with
forward looking component

Basel II/III: Regulatory Floor
IFRS 9: Based on unbiased estimate

Figure 5.62 Basel II/III vs. IFRS 9 Probability of Default


Point In Time vs. Through the Cycle


Point in time reflects an assessment of a borrower’s current condition and/
or most likely future condition over the course of the chosen time horizon,
whereas, through the cycle models the average default rate performance
over an economic cycle.

Figure 5.63: Point in time vs through cycle PD (portfolio PD plotted by year,
comparing point in time PD with through the cycle PD)

Loss given default

Basel II/III: Downturn LGD
IFRS 9: LGD should reflect current conditions and reliable and supportable
forecast

Basel II/III: Discount based on cost of capital
IFRS 9: Discount based on effective interest rate

Basel II/III: Subject to regulatory floors (10% for retail exposures secured by
residential properties)
IFRS 9: No floors

Basel II/III: All collection costs included
IFRS 9: Only direct costs included

Basel II/III: Period of discounting from recovery to default
IFRS 9: Period of discounting from recovery to balance sheet date

Significant increase in credit risk


What constitutes a significant increase in credit risk? Different banks
have different approaches to determining expected credit loss. There is a
rebuttable presumption that if the loan is 30-days past due, this constitutes
significant deterioration in credit risk. Some banks use changes in lifetime
probability of default as the basis to determine whether there is a significant
increase in credit risk. Some banks can use multiple factors such as changes
in borrower rating, macroeconomic conditions, and transition probabilities.

Other factors can be considered such as change in watch list, migration
probabilities in terms of notches, market price information (for example,
sharp increase in credit default swap levels), rating downgrade or change in
internal credit scores. Below are some examples of indicators that point to
an increase in credit risk:

• Change in internal price indicators of credit risk (for example, credit spread)
• Change in terms of existing instrument vs. newly originated (for example,
more stringent covenants, increase in collateral required or guarantees)
• External indicators of credit risk (implied credit spread from bond prices,
credit default swap prices)
• Actual or expected change in external credit rating
• Actual or expected change in internal credit rating
• Existing or forecast adverse changes in business, financial or economic
conditions that could affect the borrower’s ability to meet its obligations
• Significant change in the operating results of the borrower (declining
revenues, working capital deficiencies, decreasing asset quality, leverage,
etc.)
• Significant increase in credit risk on other financial instruments of the same
borrower
• Change in regulatory, economic, or technological environment
• Change in the value of collateral, quality of guarantees or credit
enhancement which reduces incentive for borrower to make contractual
payments (for example, collateral on housing loan)
• Significant change such as reductions in financial support from a parent
entity or other affiliates or actual or expected significant change in
credit enhancement (for example, parent entity decides not to provide
guarantee)
• Expected change in loan documentation (expected breach of contract
that may lead to covenant waivers, interest payment holidays, interest
rate step-ups)
• Significant change in expected performance and behaviour of borrower
including change in payment status of borrowers in the group
• Change in entity’s credit management approach
• Past due information
• Change in lifetime risk of default guided by scores and rating
• Change in 12-month probability of default
• Change in ratings or credit scores for retail exposures and ratings for
corporate exposures


What constitutes a significant increase depends on the credit risk at inception
(i.e., credit risk at initial origination). One important item to consider is the
phenomenon known as the non-linearity of probability of defaults. Probability
of default is the likelihood over a specified period, usually one year, that a
borrower will not be able to make scheduled repayments. It can be applied to
a variety of different risk management or credit analysis scenarios. Also called
the default probability, it depends, not only on the borrower’s characteristics
but also on the economic environment. Creditors typically want a higher
interest rate to compensate for bearing higher default risk. Financial metrics—
such as cash flows relative to debt, revenues or operating margin trends, and
the use of leverage—are common considerations when evaluating the risk. A
company’s ability to execute a business plan and a borrower’s willingness to
pay are sometimes factored into the analysis as well.
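
The staging and measurement rules of this section, as an added example that is not part of the study text: it assigns a stage from days past due and the change in lifetime PD, then measures the allowance and the interest revenue basis. The sample loan, the doubling threshold for lifetime PD, year-end default timing and the use of EAD as the gross carrying amount are assumptions of the example.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Exposure:
    ead: float                         # exposure at default; also used as gross carrying amount (assumption)
    lgd: float                         # loss given default, as a fraction of EAD
    annual_pd: List[float]             # point-in-time PD per remaining year, conditional on survival
    eir: float                         # effective interest rate, used for discounting and revenue
    days_past_due: int
    lifetime_pd_at_origination: float  # lifetime PD estimated at initial recognition
    credit_impaired: bool = False      # objective evidence of impairment


def lifetime_pd(annual_pd):
    """Cumulative PD over the remaining life, built from yearly conditional PDs."""
    survival = 1.0
    for pd in annual_pd:
        survival *= 1 - pd
    return 1 - survival


def assign_stage(exp, sicr_ratio=2.0):
    """Stage 1, 2 or 3. sicr_ratio is a hypothetical bank-specific threshold."""
    if exp.credit_impaired or exp.days_past_due >= 90:
        return 3  # rebuttable presumption of default at 90 days past due
    if exp.days_past_due >= 30:
        return 2  # rebuttable presumption of significant increase in credit risk
    if lifetime_pd(exp.annual_pd) >= sicr_ratio * exp.lifetime_pd_at_origination:
        return 2  # lifetime PD has risen significantly since origination
    return 1


def twelve_month_ecl(exp):
    """PD x LGD x EAD for default in the next 12 months, discounted at the EIR."""
    return exp.annual_pd[0] * exp.lgd * exp.ead / (1 + exp.eir)


def lifetime_ecl(exp):
    """Sum of discounted PD x LGD x EAD over every remaining year."""
    survival, total = 1.0, 0.0
    for year, pd in enumerate(exp.annual_pd, start=1):
        # Probability of surviving to the start of the year, then defaulting in it.
        total += survival * pd * exp.lgd * exp.ead / (1 + exp.eir) ** year
        survival *= 1 - pd
    return total


def measure(exp):
    """Allowance and interest revenue for one exposure under the three stages."""
    stage = assign_stage(exp)
    if stage == 1:
        allowance = twelve_month_ecl(exp)
    elif stage == 2:
        allowance = lifetime_ecl(exp)
    else:
        allowance = exp.lgd * exp.ead  # default has occurred, so PD is 100%
    # Stages 1 and 2 earn interest on the gross amount, Stage 3 on the net amount.
    base = exp.ead - allowance if stage == 3 else exp.ead
    return {"stage": stage, "allowance": allowance, "interest_revenue": exp.eir * base}


if __name__ == "__main__":
    # Constructed sample loan: 1,000,000 outstanding, three years remaining.
    loan = Exposure(ead=1_000_000, lgd=0.4, annual_pd=[0.02, 0.02, 0.02],
                    eir=0.05, days_past_due=0, lifetime_pd_at_origination=0.06)
    cases = {
        "performing": loan,
        "45 days past due": replace(loan, days_past_due=45),
        "PD deteriorated": replace(loan, annual_pd=[0.05, 0.05, 0.05]),
        "120 days past due": replace(loan, days_past_due=120),
    }
    for label, exposure in cases.items():
        result = measure(exposure)
        print(f"{label}: stage {result['stage']}, "
              f"allowance {result['allowance']:,.2f}, "
              f"interest revenue {result['interest_revenue']:,.2f}")
```

The jump in allowance between the first two cases is the move from 12-month ECL to lifetime ECL that Figure 5.60 depicts.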

5.9 PORTFOLIO CREDIT RISK MODELS

Credit portfolio risk management is the management of credit risk at the
portfolio level. It aims to arrive at the optimal risk/return credit portfolio mix
subject to the banks’ credit risk appetite and strategy. One of the primary
reasons that call for a portfolio approach to credit risk measurement and
management is the need to systematically address concentration risk. Credit
portfolio risk management allows banks to:

• Assess the quality of the banks’ loan portfolio as a whole
• Measure the regulatory and economic capital required for the loan portfolio as a
whole
• Identify and measure the bank’s exposure at the portfolio level and ensure that
the exposure is consistent with the bank’s credit risk appetite
• Inform key decision-makers whether a new loan asset will add or subtract to the
risk of the existing loan portfolio
• Measure the risk that a new loan will bring to the portfolio as a whole
• Price new loans and ensure that adequate return is being made given the risk
profile and the capital required for the new loan
• Assess whether the value of the loan will be stable through time up to maturity
• Identify problem areas in the credit portfolio that would need more attention
• Identify, assess, analyse, and measure concentration risks that exist in the bank’s
portfolio
• Assess the appropriateness of different credit risk mitigation techniques given the
bank’s existing credit portfolio risk profile


5.9.1 History of Credit Portfolio Risk Theory

Recent advances in finance theory and computational techniques
have shifted the banks’ capability from standalone credit risk analysis
to a portfolio-driven credit analysis. Portfolio analysis of credit risk was
influenced by the modern portfolio theory in the 1950s and the 1960s. The
modern portfolio theory (Nobel Laureate Harry Markowitz, William Sharpe,
and John Lintner) became the foundation of modern credit risk analysis.
The empirical findings of Professor Edward Altman and the theoretical
works of Nobel Laureate Robert Merton led to the development of modern
tools on credit risk measurement.

In 1952, Nobel Laureate Harry Markowitz published his seminal paper on
modern portfolio theory entitled “Portfolio Selection”. Below are the salient
points of Markowitz’s Portfolio Theory:

• Investors select their investment portfolio using two basic parameters:
expected return and risk.
• Expected return is measured by the average rate of return. Average
rate of return is measured using the mean of the returns.
• Risk is measured by the variability of returns around the average rate
of return. The higher the variability of returns, the higher the risk of the
portfolio. Risk is measured using a statistical measure called standard
deviation.
• Investors select assets based on each asset’s contribution to the
portfolio’s overall return and risk.

Based on the conclusions of Markowitz, investors should not evaluate returns
or risks of the asset on its standalone basis but in terms of its interactions
with the other assets in the portfolio. Investors can reduce the risks specific
to any individual asset at virtually no cost through diversification. Traditional
finance theory posits that the higher the risk, the higher the return and the
lower the risk, the lower the return. Markowitz concluded that if assets are
selected carefully, investors could still earn higher return for the same level of
risk. The objective of the investors is to improve the selection of assets until
investors arrive at the efficient frontier. The efficient frontier contains all
portfolios of assets such that there are no other assets that, for a given level
of risk, generate a higher expected return. This means that once the portfolio
contains only assets that are in the efficient frontier, the higher return can
only be achieved by taking higher risk and lower risk can only be achieved by
sacrificing returns.


5.9.2 Portfolio Credit Risk Models

Portfolio credit risk models enable banks to better quantify, aggregate and
manage risk across geographical and product lines. The Basel Committee
on Banking Supervision issued the document “Credit Risk Modelling:
Current Practices and Applications”, which provides some broad conceptual
approaches to credit risk modelling. BCBS enumerated the benefits of portfolio
credit risk models as below:

• Portfolio credit risk models provide a framework for banks to better assess
risk exposures in a timely manner especially those exposures that cut
across geographical locations and product lines.
• Portfolio credit risk models encourage centralisation of data on global
exposures and analysis of marginal and absolute contributions to risk.
• Portfolio credit risk models provide important estimates of credit risk,
which reflect individual portfolio composition and give a better reflection
of concentration risk.
• Portfolio credit risk models may provide an incentive to improve systems
and data collection efforts.
• Portfolio credit risk models give a more informed and integrated setting of
limits and reserves.
• Portfolio credit risk models may provide a more consistent basis for
economic capital allocation for credit risk.
• Portfolio credit risk models allow a more accurate and performance-based
pricing which may contribute to a more transparent decision-making
process.

5.10 CREDIT RISK MITIGATION TECHNIQUES

Banks apply different techniques in order to reduce, mitigate or transfer their credit
risk exposures. These techniques are also known as credit risk mitigation techniques.
This section provides an overview of some of the common credit risk mitigation
techniques used by banking organisations to manage their credit risk exposure.
These credit risk mitigation techniques may reduce or transfer credit risk. However,
they may increase other types of residual risks such as operational, legal, liquidity and
market risk. These residual risks should be properly managed and controlled by
the banking organisations. For the following credit risk mitigation techniques to be
allowed as a capital relief under Basel II, the banking organisation should ensure
that the documentation of these credit risk mitigants is legally enforceable in the
relevant jurisdictions.


5.10.1 Collateralised Transactions

Collateralised transactions refer to transactions where the bank’s current or
potential credit risk exposures are hedged fully or partially by collateral posted
by the borrower or counterparty or by a third party on behalf of the borrower/
counterparty. Collateral is an asset pledged or transferred as a security for
repayment of a loan. Examples of collateral that can be used to secure the
repayment of the loan are:

• Cash
• Gold
• Debt and equity securities
• Real property
• Other investments

Basel II recognises collateralised transactions as acceptable credit risk
mitigants for purposes of reducing the capital required to support a credit
risk exposure subject to the following conditions:

• Banking organisations should have the legal right to liquidate or take
possession of the collateral, in a timely manner, in the event of default,
insolvency or bankruptcy of the borrower or counterparty.
• The credit quality of the borrower and the value of the collateral must not
have a material positive correlation.
• Banks should have clear and robust procedures for the timely liquidation
of collateral.

This is to ensure that banks can liquidate the collateral in a timely and prompt
manner.

5.10.2 Netting Agreements

Netting agreements are agreements that allow banks to offset the value of
multiple positions. They allow the aggregation of the different values into a single
value. This in effect allows banks to offset assets (e.g., loans) and liabilities (e.g.,
deposits) with the same counterparty. Netting agreements, in effect, allow
the bank to treat the assets as exposure and the liability as the collateral
offsetting the exposure. For netting agreements to be effective credit risk
mitigants, the bank should have a legally enforceable right to net offsetting
exposures with the same counterparty.


Illustrative Example 12

Impact of Netting
Bank ABC has the following outstanding exposures with Counterparty BCG.
Determine the exposure of Bank ABC assuming:

• There is no existing netting agreement,
• There is an existing netting agreement.

Receivable from BCG USD 100 million

Payable to BCG USD 50 million

Solution:

Scenario 1: No netting agreement


If there is no netting agreement and Counterparty BCG defaults, Bank
ABC’s receivable from BCG will be part of the general asset recovery pool
of BCG. This is because in some jurisdictions, the liquidator/bankruptcy
trustee may cherry pick positive transactions and disclaim negative
transactions. Bank ABC is thus obliged to fulfil its obligations to pay USD 50
million to the bankruptcy court. The net exposure of Bank ABC, therefore, is
USD 150 million.

Scenario 2: Netting agreement exists


If there is a netting agreement with Counterparty BCG, Bank ABC is
allowed to legally offset its exposure to Counterparty BCG. With a netting
agreement, the exposure of Bank ABC is only USD 50 million (= USD 100
million – USD 50 million).

At times, banking organisations may enter into a bilateral deposit netting
agreement. An example of a deposit netting agreement is the British Bankers’
Association International Deposit Netting Agreement. This agreement allows
banks to bilaterally net interbank loans and deposits. In the event of default,
individual interbank loans and deposits are replaced with a single net figure.
This effectively reduces counterparty credit risk.

The ISDA Master Agreement is one of the most commonly used netting
agreements particularly for over-the-counter derivative transactions. ISDA
Master Agreement allows close-out netting. Close-out netting refers to
the process of aggregating positive and negative values into a single net
payable or receivable value. This reduces the credit risk exposure for the non-
defaulting party.


5.10.3 Credit Risk Transfer Mechanism

Credit risk transfer mechanisms are transactions that allow banks to transfer
credit risk from one party to another. Credit risk transfer mechanisms allow
spreading of credit risk to a wide range of market participants who are willing
to bear this risk. Examples of credit risk transfer mechanisms are guarantees
and credit derivatives.

Guarantees are contracts where one party (guarantor) pledges to fulfil the
obligations of another party in the event of default. Guarantees, therefore,
allow the transfer of credit risk from the borrower to the party providing
guarantee or the guarantor. This provides an additional layer of protection for
the bank in the event that the borrower fails to fulfil its obligations under the
contract.

Credit derivatives are financial instruments whose value depends on the
performance of an underlying credit variable. Credit derivatives allow one
party to transfer the credit risk of an underlying debt obligation to another
party who is willing to accept the credit risk. Credit default swaps (CDS) are
the most common and popular credit derivatives in the market. Credit default
swaps are bilateral agreements where one party (protection buyer) transfers
the credit risk on an underlying reference credit or obligation to another party
(protection seller).

The protection buyer pays a regular credit default swap (CDS) premium to
the protection seller in exchange for the contractual commitment by the
protection seller to compensate the protection buyer in the event of default
by the reference entity. Credit default swaps transfer the credit risk from the
protection buyer to the protection seller. Banks use credit default swaps as
protection buyers in order to transfer their credit risk exposure on the reference
entity. However, it should be noted that by entering into a credit default
swap, the banking organisation transfers its credit risk exposure
from the reference entity to the protection seller. The bank, however, does not
eliminate the credit risk exposure, as the bank is now exposed to the
creditworthiness of the protection seller.

This is the reason why it is important for the protection seller to be of higher
creditworthiness compared to the reference entity. This is a particularly
important issue. In the 2008 global financial crisis, many banks who hedged
themselves using different credit risk mitigation techniques found themselves
in a difficult situation when major counterparties who act as protection sellers
were facing difficulties and challenges. For example, Lehman Brothers, which
acted as protection seller on many reference entities, filed for bankruptcy
even while many of the reference entities continued to operate as
going concerns.


5.10.4 Securitisation

Securitisation involves pooling of the bank’s assets and transforming
these assets into securities that will redistribute the risk of collateral among
different classes of investors. In a generic securitisation structure, the
originator bank transfers assets on its balance sheet to a special purpose
vehicle (SPV). This SPV issues multiple tranches or classes of securities
representing different slices of payment streams from the pooled assets. The
SPV is organised for a specific purpose, the activities of which are limited to
those appropriate to accomplish its purpose. SPVs are structured to be isolated
from the credit risk of the originator or the seller of exposures. Securitisation
allows banks to achieve the following:

• Monetise assets in the balance sheet and obtain additional funding
(discussed in Module 1, under liquidity risk).
• Offload risks such as credit risk from the bank’s balance sheet and transfer
these risks to other parties who are willing to bear these risks.

Banking organisations use securitisation to transfer the credit risk of the
assets from their balance sheet to other financial institutions or investors. In a
generic securitisation structure, the originator bank transfers assets on its
balance sheet to a special purpose vehicle (SPV). These assets can range
from the retail loans receivable (i.e., auto loans, home equity loans, credit
card receivables, student loans) to the commercial loans receivable that
banking organisations extend to their clients.

These assets are then transferred to a SPV. The bank effectively transfers all
the risks and rewards of ownership to the SPV. The SPV then issues securities
which are backed by its assets. These securities are backed by the cash flows
of the portfolio of assets under the SPV. The securities can be divided into
three classes—senior tranche, mezzanine tranche and junior tranche. These
securities are sold to investors.

By engaging in securitisation transactions, banks remove the credit risks
associated with the holding of the assets in the bank’s balance sheet as
investors now bear these risks. In order to be an effective credit risk mitigant,
the risks and rewards of ownership, including significant credit risks, should
be transferred to a third party (i.e., the SPV). The bank (as transferor) should
not maintain effective or indirect control over the transferred portfolio of
assets. These assets should be legally isolated from the transferor and its
creditors even in the event of bankruptcy. The investors of the asset-backed
securities should not have any legal claim or recourse to the transferring
bank. Instead, their rights are limited to the portfolio of assets transferred to
the SPV.


SUMMARY

• Due to the bank’s lending activities, credit risk is likely the single largest exposure for
commercial banks. While it exists primarily in the bank’s lending activities, credit risk
also arises from other sources such as from its financial markets and other off balance
sheet activities.

• Credit risk can be analysed in three different dimensions: exposure at default (EAD),
probability of default and loss given default.

• Probability of default is measured using three different approaches: actuarial
approaches (use of historical loss rates), structural approaches (use of Merton model
and balance sheet relationships) and market-based approaches (use of market price
data to imply probability of default).

• Exposure at default is simply the principal amount lent plus accrued interest for loans.
However, for other transactions – for instance, derivative transactions, exposure at
default is measured using probabilistic approaches and can be described in different
ways.

• IFRS 9 adopts a more credit risk management aligned framework when measuring
credit losses as it shifted away from incurred loss approach to expected credit loss
approach.

• There are different credit risk mitigation techniques that an institution can adopt,
and this involves lowering one or more of the risk inputs (probability of default,
exposure at default or loss given default). Through the use of collateral, guarantees,
netting agreements, credit risk transfer mechanisms and engaging in securitisation
mechanisms, the bank can lower its credit risk exposures.


END OF CHAPTER PRACTICE QUESTIONS

1. Which of the following models in measuring probability of default is based on the
pioneering works of Dr. Robert Merton?
A. Actuarial approach
B. Market implied approach
C. Structural approach
D. Reduced form approach

For Questions 2 to 4, use the following information:

Country A: Baa1

Country B: Baa2

Country C: B3

Country D: Aa2

Country E: A3

2. How many of the investments are grade rated?
A. 2
B. 3
C. 4
D. 5

3. Which country is the most highly rated?
A. Country A
B. Country B
C. Country D
D. Country E

4. Which country has the lowest credit rating?
A. Country A
B. Country B
C. Country C
D. Country D

5. Which of the following best describes the payoff of a holder of a put option?
A. S-X
B. X-S
C. Max (S-X, 0)
D. Max (X-S, 0)


6. In using the beta distribution approach in estimating recovery rates, which of the following
data is needed?
A. Mean recovery rate
B. Standard deviation of recovery rate
C. Either a or b
D. Both a and b

7. Right-way risk occurs when:
A. Exposure to counterparty decreases with the deterioration of the credit of the
counterparty
B. Exposure to counterparty increases with the deterioration of the credit of the
counterparty
C. Exposure to counterparty decreases with the improvement of the credit of the
counterparty
D. None of the above

8. This measures the risk of a sudden, unanticipated default before the market can adjust
A. Current exposure
B. Jump to default exposure
C. Peak exposure
D. Expected exposure

9. This is the first to apply the theory of Merton in measuring probability of default
A. Creditmetrics
B. KMV Model
C. CreditRisk+
D. Kamakura’s Risk Manager

10. This involves the pooling of the bank’s assets and transforming those assets into securities
that will redistribute risk among different classes of investors
A. Netting agreement
B. Collateralisation
C. Securitisation
D. Credit derivatives

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. C 2. C 3. C 4. C 5. D 6. D 7. A 8. B 9. B 10. C

CHAPTER 6
OPERATIONAL RISK

6. OPERATIONAL RISK

Learning Outcomes

At the end of the chapter, you will be able to:

• Analyse the sources of operational risk in banking and how it is managed.

Key Topics

In this chapter, you will be able to read about:

• Prelude to operational risk


• Principles for the sound management of operational risk
• Operational risk measurement
• Internal operational risk loss data
• External operational risk loss data
• Business resilience & continuity
• Boundary risk
• Conduct risk
• New product and business activities
• Risk control and self-assessment
• Risk and performance indicators
• Key findings and observation of the Basel Committee
• Shariah compliance risk

Assessment Criteria

During the exam, you will be expected to:

• Describe the different types of operational risk events.


• Explain the tools used to measure operational risks.
• Analyse how operational risk can be managed.
• Understand the Business Continuity Management process including any
reputational risk arising from it.

6.1 PRELUDE TO OPERATIONAL RISK

Managing operational risk is more complex than other types of banking risk such as market and credit risk. In most types of risk, there is a close relationship between taking risk and expected return: the higher the risk, the higher the return we should expect from the transaction. In credit risk and market risk, this statement is true. For example, the higher the credit risk of the borrower, the higher is the credit spread (return) we expect from the transaction. Taking more operational risk means that the expected return is lower. The relationship between risk and return in operational risk is not as straightforward as in other types of risks.

The nature of operational risk is that it is pervasive across the entire organisation, which makes it difficult to determine who should be made responsible for operational risk. For a long time, banks have had varying definitions of operational risk. Some define operational risk in a residual manner (i.e., any risk that is not market or credit risk is operational risk).

6.1.1 Operational Risk – The Residual Definition

Among the different areas of the risk management discipline, operational risk can be considered one of the most recent. Prior to the 1990s, operational risk was not viewed as a standalone risk management discipline. This is evident from how operational risk has been defined in the past:

“Risk That Is Not Market Or Credit.”

This residual definition of operational risk indicates that operational risk was seen as a given and categorised in the realm of the unknowable and unmanageable. Operational risk was only given a “residual status”. It was only when the Basel Committee on Banking Supervision (BCBS) included operational risk among the major risks within the scope of Pillar I (minimum capital requirements) of Basel II that bank risk management practitioners began to treat operational risk as an independent and standalone risk management practice and discipline.

6.1.2 Operational Risk – The Causal Definition

The Basel Committee on Banking Supervision defines operational risk as:

“Operational Risk Is Defined as the Risk of Loss Resulting from Inadequate Or Failed Internal Process, People, Systems Or from External Events. This Includes Legal Risk But Excludes Strategic and Reputational Risk.”

From the definition of operational risk, we can derive the following insights:

i. Operational risk is a risk of loss – Operational risk is not defined as variability of outcome. This means the focus of operational risk management is to mitigate the downside. The focus of operational risk is loss. Two of the most important tools in operational risk pertain to internal and external operational loss data collection.

ii. Focus is on causes of operational risk – Operational risk is defined in a causal manner. Because of the difficulty in defining operational risk, the BCBS settled on a definition that identifies the causes of operational risk as inadequate or failed processes, people and systems, and external events.
iii. Strategic and reputational risk are explicitly excluded from the definition of operational risk.

Boxed Article 1

How Banks Define Operational Risk


From ANZ:
“Risk of loss and/or non-compliance with laws resulting from inadequate
or failed internal process, people and/or systems, or from external events.
The definition includes legal risk, and the risk of reputation loss, or damage
arising from inadequate or failed internal process, people and/or systems,
but excludes Strategic Risk”

From HSBC:
“Operational risk is the risk to achieving our strategy or objectives as a
result of inadequate or failed internal process, people and systems or from
external events”

Source: Various Annual Reports

Types of operational risk


The Basel Committee (BIS, September 2001, p. 21 – 23) identified the following
operational loss event types:

Event type category, definition and examples of activity:

1. Internal fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
Examples of activity: unreported transactions (intentional); unauthorised transactions; mismarking of positions (intentional); credit fraud; worthless deposits; theft; extortion; embezzlement; misappropriation of assets; forgery; check kiting; smuggling; impersonation; tax evasion (wilful); bribes; insider trading.

2. External fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property, or circumvent the law, by a third party.
Examples of activity: theft/robbery; forgery; check kiting; theft of information (with monetary loss); hacking damage.

3. Employment practices and workplace safety
Definition: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.
Examples of activity: compensation, benefit, termination issues; organised labour activity; general liability; employee health & safety rules events; workers compensation; all discrimination types.

4. Clients, products, and business practices
Definition: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
Examples of activity: fiduciary breaches; disclosure issues; breach of privacy; aggressive sales; account churning; misuse of confidential information; lender liability; antitrust; improper trade & market practices; market manipulation; insider trading (on firm’s account); unlicensed activity; money laundering; product defects; model errors; failure to investigate client per guidelines; exceeding client exposure limits; performance disputes for advisory activities.

5. Damage to physical assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events.
Examples of activity: natural disaster losses; human losses from external sources (terrorism, vandalism).

6. Business disruption and system failures
Definition: Losses arising from disruption of business or system failures.
Examples of activity: hardware; software; telecommunications; utility outage/disruptions.

7. Execution, delivery, and process management
Definition: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.
Examples of activity: miscommunication; data entry, maintenance or loading error; missed deadline; system problem; accounting error; delivery failure; collateral management failure; reference data maintenance; failed mandatory reporting; inaccurate external report; client disclaimers missing; legal documents missing; unapproved access given to accounts; incorrect client records; negligent loss of client assets; non-client counterparty misperformance; outsourcing vendor disputes.

Figure 6.1: Loss event type classification: The Advanced Measurement Approach


6.2 PRINCIPLES FOR THE SOUND MANAGEMENT OF OPERATIONAL RISK

“Sound Management of Operational Risk” is a collection of principles that has been developed over the years by the Basel Committee on Banking Supervision for the purpose of guiding firms in the financial services industry and their regulators to establish sound practices for the management of Operational Risk.

There are eleven guiding principles to the sound management of operational risk as
below:

Guiding principles and their descriptions:

Principle 1: The board of directors should take the lead in establishing a strong Risk Management Culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

Principle 2: Firms should develop, implement, and maintain a Risk Framework that is fully integrated into the firm’s overall risk management processes. The Framework for operational risk management chosen by an individual firm will depend on a range of factors, including its nature, size, complexity, and risk profile.

Principle 3: The board of directors should establish, approve, and periodically review the Framework. The board of directors should oversee senior management to ensure that the policies, processes, and systems are implemented effectively at all decision levels.

Principle 4: The board of directors should approve and review a Risk Appetite and tolerance statement for operational risk that articulates the nature, types, and levels of operational risk that the bank is willing to assume.

Principle 5: Senior management should develop for approval by the board of directors a clear, effective, and robust Governance Structure with well defined, transparent, and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes, and systems for managing operational risk in all of the firm’s material products, activities, processes, and systems consistent with the risk appetite and tolerance.

Principle 6: Senior management should ensure the Risk Identification and Risk Assessment of the operational risk inherent in all material products, activities, processes, and systems to make sure the inherent risks and incentives are well understood.

Principle 7: Senior management should ensure that there is an approval process for all new products, activities, processes, and systems that fully assesses operational risk.

Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in place at the board, senior management, and business line levels that support proactive management of operational risk.

Principle 9: Firms should have a strong control environment that utilises policies, processes, and systems; appropriate Internal Control; and appropriate Risk Mitigation and/or Risk Transfer strategies.

Principle 10: Firms should have business resiliency and Business Continuity Plan in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe Business Disruption.

Principle 11: A firm’s public disclosures (where applicable) should allow stakeholders to assess its approach to operational risk management.

Figure 6.2: Principles for the sound management of operational risk


6.2.1 Fundamental Principles of Operational Risk Management

Accordingly, the principles for the sound management of operational risk and the role of supervision include the following key elements:

• Governance
• Risk management environment
• Data infrastructure
• Operational risk measurement and modelling

Governance: Board of Directors and Senior Management; Three Lines of Defence Model

Risk Management Environment: Identification and assessment; Monitoring and reporting; Control and mitigation

Data Infrastructure: Internal loss database; External loss database; Risk and control self assessment; Key risk indicators

Operational Risk Measurement

Figure 6.3: Key elements to the sound risk management for operational risk

6.2.2 Governance

Governance encompasses the system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account. Ethics, risk management, compliance and administration are all elements of governance. Within operational risk management, governance includes the board of directors, senior management committee, and operational risk committee. Operational risk is managed and implemented through a three lines of defence model.

Board of Directors (BOD)
The BOD is responsible for establishing, approving, and periodically reviewing the operational risk framework. The BOD oversees senior management to ensure that policies, processes, and systems are implemented effectively. The BOD is responsible for approving and reviewing a risk appetite and tolerance statement.

Senior Management
Senior management is responsible for developing a governance structure
and for implementing and maintaining policies, procedures, and systems
for managing operational risk.

Operational Risk Committee
The operational risk committee should be established to oversee, review, and manage the organisation’s operational risk.

Committee Structure: Larger and more complex organisations usually have a board-created enterprise level committee for overseeing all risks to which a management-level operational risk committee reports.

Committee Composition: Operational risk committee should include a combination of members with expertise in business activities and financial, as well as independent risk management. In some jurisdictions, committee members include independent non-executive board members.

Committee Operation: Committee meetings should be held at appropriate frequencies with adequate time and resources to permit productive discussion and decision-making.

Figure 6.4: Operational risk committee structure

Three Lines of Defence


Unlike other types of risk, it is difficult to attribute responsibility for operational
risk to a single department within the bank. Operational risk is pervasive
throughout the banking organisation. It is therefore important to organise
efforts to manage operational risk through a three lines of defence model.

The three lines of defence and their descriptions:

First Line of Defence – Business line: The first line of defence is the business line and the functions that support it. Business line management is responsible for identifying and managing operational risks.

Second Line of Defence – Independent corporate operational risk function and compliance function: The second line of defence is an independent corporate operational and compliance risk function. As a best practice, for larger organisations, the corporate operational risk function is responsible for the design, maintenance, and ongoing development of the operational risk framework. The key function of the second line is to challenge the business lines’ inputs to and outputs from the bank’s risk management, measurement, and reporting systems.

Third Line of Defence – Independent audit: The third line of defence is an independent review and challenge of the bank’s operational risk management controls, process, and systems.

Figure 6.5: Three Lines of Defence

6.2.3 Risk Management Environment

Operational risk management attempts to reduce risks through risk identification, risk assessment, measurement, and mitigation, and monitoring and reporting while determining who manages operational risk. These stages are guided by four principles:

• Accept risk when benefits outweigh the cost.


• Accept no unnecessary risk.
• Anticipate and manage risk by planning.
• Make risk decisions at the right level.

Identification and assessment


Risk identification and assessment are fundamental characteristics of an
effective operational risk management system. Risk identification considers
both internal factors and external factors.

Internal Factors:
• Bank’s structure
• Nature of bank’s activities
• Quality of bank’s human resources
• Organisational changes
• Employee turnover

External Factors:
• Changes in the industry
• Advances in technology
• Political risk arising from trade wars

Figure 6.6: Internal and external factors to risk management

Risk assessment allows banks to better understand their risk profile and allocate risk management resources and strategies most effectively. Operational risk exposure is heightened when a bank:

• Engages in new activities
• Develops new products
• Enters unfamiliar markets
• Implements new business processes or technology systems
• Engages in businesses that are geographically distant from the head office

The review and approval process should consider the following:

• Inherent risk in the new product, service or activity
• Changes to the bank’s operational risk profile and appetite and tolerance
• Controls, risk management process and risk mitigation strategy
• Residual risk
• Change to relevant risk threshold or limits
• Procedures and metrics to measure, monitor and manage risk of new product or activity

Figure 6.7: Review and approval process considerations

Monitoring and reporting


The nature of operational risk is that it is unpredictable and ever evolving. It is
therefore important that there is a process to regularly monitor operational
risk profiles and exposures to operational losses. Operational risk reports may
contain internal financial, operational and compliance indicators as well as
external market or environmental information. It should include:

• Breaches of bank’s risk appetite and tolerance statement


• Details of recent significant internal operational risk events and losses
• Relevant external events and any potential impact on the bank and
operational risk capital

Control and mitigation
An ounce of prevention is worth a pound of cure. Operational risk arises from diverse and pervasive factors that are hard to predict. Having strong internal controls mitigates operational risk. Internal controls help the bank to:

• Have efficient and effective operations


• Safeguard assets
• Produce reliable financial reports
• Comply with applicable rules and regulations.

The bank’s internal control programme is composed of five elements:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

Figure 6.8: Elements of sound internal control

In instances where internal controls do not adequately address risk, management can complement controls through a sound risk mitigation strategy. For example, management can transfer risk to another party through insurance. Risk transfer should be seen not as a replacement for internal control but as complementary to operational risk control.


6.2.4 Role of Disclosure

The demand for corporate disclosures arises from the challenge faced in
all economies, to optimally allocate resources to investment opportunities.
This challenge is compounded by the fact that company insiders, such
as managers and entrepreneurs, typically possess superior information
about the profitability of investments a company has made and often have
conflicting incentives with those of the providers of capital.

Reliable and relevant information enables capital providers to assess, ex ante, potential investment opportunities and to monitor, ex post, the use of their capital once committed to funding productive investments by companies. Capital markets are thus only able to achieve their role in the efficient allocation of capital if credible mechanisms are created to mitigate agency and information problems between corporate insiders and capital providers.

Banks are required to satisfy minimum standards in disclosing their operational risk management approach. With many cases demonstrating how operational risk events could result in material monetary and reputational losses to banks, it is even more important that banks give their stakeholders adequate disclosure of their operational risk assessment and management processes.

6.3 OPERATIONAL RISK MEASUREMENT

According to the Basel Committee, there are three ways to measure operational risk:
the basic indicator approach (BIA), the standard approach (SA) and the advanced
measurement approach (AMA).

6.3.1 Challenges in Operational Risk Measurements

Operational risk measurement is one of the most challenging areas in operational risk management. The measurement of operational risk is a relatively new discipline. Under Basel II, banks were incentivised to take a close look at operational risk modelling under the advanced measurement approach (AMA). However, there will be changes post-Basel II which will phase out the advanced measurement approach and instead focus on strengthening the standard approach (SA).

Issue 1 – Scarcity of operational loss event data
Data on operational risk loss is relatively scarce compared to market and credit risk. This makes it difficult for risk managers to develop a robust operational risk measurement model. Unlike market and credit risk where data is relatively readily available, data for operational risk is not commonly found.


Issue 2 – Nature of operational risk losses
Many banking failures associated with operational loss events are classified as low-frequency but high-impact operational losses. These low-frequency and high-impact operational losses could drastically reduce shareholder value or even threaten the ability of the bank to continue to survive as a going concern. Unlike market and credit risk, operational risk losses are more extreme. This makes the traditional statistical distributions which are relied on for market and credit risk modelling less applicable for operational risk modelling.

6.3.2 Approaches Used in Operational Risk Models

Unlike market and credit risk models, there are no standard operational risk models. The quantification of operational risk is a relatively new development compared to other areas of risk. However, operational risk models can be broadly classified into two: the scenario-based approaches and the statistical approaches (loss distribution approach).

Scenario-based approach
An alternative approach to operational risk modelling is the use of scenario analysis. In contrast to the loss distribution approach, under this approach one uses scenario analysis as data points instead of loss data. The main advantage of this approach is the flexibility that it provides for operational risk measurement. One is not constrained by loss data and statistical distribution.

However, the main disadvantage is that scenario analysis is a qualitative exercise and therefore, the output would contain significant uncertainties including subjective inputs and assumptions.

The statistical approach
The statistical approach (also known as the “loss distribution approach”) is a common approach followed by risk management practitioners in order to identify and evaluate the possible risks that they are likely to face in the course of business. The loss distribution approach was designed by the actuarial practitioners who work in the insurance industry. It is for this reason that this technique is mathematically advanced and therefore complicated in nature. In the modern world, the loss distribution approach has become an integral part of the advanced measurement approach prescribed by the Bank for International Settlements (BIS) in the Basel norms.


6.3.3 The Loss Distribution Approach (LDA)

As mentioned above, the loss distribution approach is the most commonly used model for operational risk measurement. The loss distribution approach estimates the distribution of operational risk losses for each business line/event based on assumptions of frequency of events and severity of events.

Frequency of events
Frequency of operational loss events describes the likelihood of operational risk events occurring. These are frequently described as discrete random variables – the number of times that the operational risk event will occur. The most commonly used statistical distribution for modelling frequency of events is the Poisson distribution.

The Poisson distribution is one of the most commonly used statistical distributions in predicting the number of events over a specified period of time. The Poisson distribution is used to model discrete frequency events. It expresses the frequency of a number of relatively rare events occurring in a fixed time if these events occur with a known average rate.

In the Poisson distribution, variance is equal to the mean. Below are the
conditions to use Poisson distribution:

• Counts are of rare events


• All events are independent
• Average does not change over the period of interest


Illustrative Example–1

Poisson Distribution

$$P(k;\lambda) = \frac{e^{-\lambda}\lambda^{k}}{k!}$$

λ = the expected mean or average frequency of the operational loss events
k = the number of events

The financial control department is concerned about the frequency of financial statement errors which result in regulatory penalties. On average, the department sees 1 error every month. Based on the department’s estimate, an error rate of 3 or more every month indicates material weakness in internal control.

What is the probability that there will be no error in 1 month?

What is the probability that there will be 2 or more errors in 1 year?


Severity of operational loss event

Severity of operational loss events describes the monetary impact of an operational risk loss. This, therefore, requires a continuous distribution. Severity distributions specify the loss size and are therefore important components of quantitative operational risk models. Operational risk capital requirements are mainly driven by individual high losses. The exponential distribution or the negative exponential distribution is the most popular distribution for estimating operational loss severity.

[Figure: the Frequency of Loss Distribution and the Severity of Loss Distribution are combined through CONVOLUTION into the AGGREGATE LOSS DISTRIBUTION]

Figure 6.9: Convolution

Convolution is the process of aggregating the frequency (discrete) and severity (continuous) distributions. The result is the generation of operational risk losses that will allow the operational risk modeller to come up with an estimate of maximum loss assuming a high confidence level.
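The Poisson frequency formula from Illustrative Example 1 and the frequency/severity convolution described above, as an added example that is not part of the study text: it evaluates the Poisson probabilities for the monthly error rate and builds an aggregate loss distribution by Monte Carlo simulation, a convolution method chosen here since the text does not name one. The yearly rate of 12 (1 error per month scaled to 12 months), the mean severity of 50,000, the 99.9% confidence level, the 20,000 simulated years and the seed are assumptions made for illustration.

```python
import math
import random


def poisson_pmf(k, lam):
    """P(k; lam) = e^(-lam) * lam^k / k!, the probability of exactly k events."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def poisson_at_least(k_min, lam):
    """P(N >= k_min) = 1 - sum of P(k; lam) for every k below k_min."""
    return 1.0 - sum(poisson_pmf(k, lam) for k in range(k_min))


def sample_poisson(rng, lam):
    """Draw one Poisson(lam) event count using Knuth's multiplication method."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_aggregate_losses(lam, mean_severity, n_years, seed):
    """Convolution by simulation: for each year draw a Poisson number of
    events, then sum that many exponentially distributed loss severities."""
    rng = random.Random(seed)
    counts, totals = [], []
    for _ in range(n_years):
        n_events = sample_poisson(rng, lam)
        counts.append(n_events)
        totals.append(sum(rng.expovariate(1.0 / mean_severity)
                          for _ in range(n_events)))
    return counts, totals


def quantile(values, q):
    """Empirical quantile: the value below which a share q of outcomes fall."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarise(lam=12.0, mean_severity=50_000.0, n_years=20_000,
              confidence=0.999, seed=2022):
    """Assumed parameters: 12 events a year, mean loss 50,000 per event."""
    counts, totals = simulate_aggregate_losses(lam, mean_severity, n_years, seed)
    freq_mean = sum(counts) / n_years
    freq_var = sum((c - freq_mean) ** 2 for c in counts) / n_years
    expected_loss = sum(totals) / n_years
    loss_at_confidence = quantile(totals, confidence)
    return {
        "frequency_mean": freq_mean,          # close to lam
        "frequency_variance": freq_var,       # Poisson: variance equals mean
        "expected_loss": expected_loss,       # close to lam * mean_severity
        "loss_at_confidence": loss_at_confidence,
        "unexpected_loss": loss_at_confidence - expected_loss,
    }


if __name__ == "__main__":
    print("P(no error in 1 month, lam=1):       %.4f" % poisson_pmf(0, 1.0))
    print("P(3 or more errors in 1 month):      %.4f" % poisson_at_least(3, 1.0))
    print("P(2 or more errors in 1 year, lam=12): %.6f" % poisson_at_least(2, 12.0))
    for name, value in summarise().items():
        print("%-20s %14.2f" % (name, value))
```

The gap between the loss at the chosen confidence level and the expected loss shows how strongly a few high-severity years drive the tail of the aggregate distribution.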

6.4 INTERNAL OPERATIONAL RISK LOSS DATA

Internal loss data is a collection of operational losses (financial/non-financial impacts including penalties) in business processes and projects, structured by risk categories, such as technology, human resources, organisation, and external factors. Internal losses arise from actual events, i.e., the materialisation of operational risks, and reflect the organisation’s own experience. Therefore, internal loss events have the potential to be the most relevant basis for analysis and management response.

6.4.1 Incident Reporting

Operational risk incidents are incidents that are caused by operational risk events (failure from people, process, and system). Operational risk incident reporting is the process of escalating an incident and registering it formally within the bank’s operational risk management system. When an operational risk incident occurs, it is important to gather operational risk data. This is due to the following reasons:

• Inputs to be used for modelling operational risk


• Identify weaknesses in the operational risk management environment and
process
• Understand current level of operational risk exposure and assess potential
vulnerabilities

The process of gathering operational risk event data raises awareness of the bank’s operational risk agenda and could be used as an important step in embedding operational risk culture awareness within the organisation. Operational risk loss can only arise from an operational risk event. Internal operational loss data provides important information on the bank’s operational risk exposure and the effectiveness of internal controls. One important outcome from the internal loss data collection is the ability to analyse operational risk losses with the goal of gaining insight on:

• Causes of large operational losses
• Whether control failures are isolated or systematic
• The relationship of operational risk losses with other risks such as market, credit, and liquidity risk.

6.4.2 The 8 X 7 Matrix

Internal operational loss data is consolidated and summarised into a loss matrix also known as the 8 x 7 operational loss matrix which includes the seven operational risk event types (i.e., internal fraud, external fraud, employment practice and workplace safety, clients, products and business practices, damage to physical assets, business disruptions and system failures, and execution, delivery and process management) as they cut across the eight different banking business lines (i.e., corporate finance, trading & sales, retail banking, commercial banking, payment and settlements, agency services, asset management, and retail brokerage). This process of mapping is particularly relevant under the standardised approach (TSA) for operational risk capital measurement purposes.

Figure 6.10: The 8x7 operational loss matrix

6.4.3 Basic Statistical Analysis

Statistical analysis gives meaning to otherwise meaningless numbers, thereby breathing life into lifeless data. The results and inferences are precise only if proper statistical tests are used. In operational risk management, the operational loss data are analysed and assessed based on their statistical characteristics. Statistical analysis allows the organisation and summarisation of the internal loss data gathered. For operational risk management purposes, this is a crucial step in coming up with concrete conclusions on the operational risk events experienced.

Accordingly, operational loss data can be analysed in four levels (or more
formally, statistical moments).

First Moment: Expected Value | Second Moment: Variance | Third Moment: Skewness | Fourth Moment: Kurtosis

Figure 6.11: The statistical moments

i. First moment (expected value) – This measures the central value of a
specific operational loss event and gives an anchor expected value to
be used for operational risk measurement purposes (i.e., assess the likely
magnitude).
ii. Second moment (variance) – This measures the dispersion of
operational loss data, that is, how far the operational risk losses are
from a predictable or likely value called the expected value. The higher the
variance, the more dispersed the observed data is against an expected
value.
iii. Third moment (skewness) – This measures the direction in which the data
leans. Internal operational loss data, as the term suggests, is expected to
be skewed to the loss side of the distribution (i.e., more losses than gains).
iv. Fourth moment (kurtosis) – This measures the presence of outliers. The
higher the kurtosis is, the more influence the outliers have on the operational
loss data. In practical terms, this means that black swan events (tail risk)
are expected to occur more frequently than what the normal distribution
predicts.
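
The consolidation into the 8 x 7 matrix (6.4.2) and the four moments (6.4.3) can be worked through on a small data set. The following is an added example, not part of the study text: the loss events are constructed, losses are assumed to be recorded as positive USD amounts, and the function names are hypothetical.

```python
"""Added example: consolidate loss events into the 8 x 7 matrix and compute
the four statistical moments. All data below is constructed."""

BUSINESS_LINES = [
    "Corporate finance", "Trading & sales", "Retail banking",
    "Commercial banking", "Payment and settlements", "Agency services",
    "Asset management", "Retail brokerage",
]
EVENT_TYPES = [
    "Internal fraud", "External fraud",
    "Employment practice and workplace safety",
    "Clients, products and business practices",
    "Damage to physical assets",
    "Business disruptions and system failures",
    "Execution, delivery and process management",
]

# Constructed events: (business line, event type, gross loss in USD).
# Assumption: losses are stored as positive amounts, so a heavy loss tail
# appears as positive skewness.
SAMPLE_EVENTS = [
    ("Retail banking", "External fraud", 4_000),
    ("Retail banking", "External fraud", 6_000),
    ("Retail banking", "Execution, delivery and process management", 2_000),
    ("Payment and settlements", "Execution, delivery and process management", 8_000),
    ("Payment and settlements", "Business disruptions and system failures", 10_000),
    ("Commercial banking", "Clients, products and business practices", 5_000),
    ("Trading & sales", "Execution, delivery and process management", 5_000),
    ("Trading & sales", "Internal fraud", 960_000),  # single tail event
]


def build_loss_matrix(events):
    """Return {business line: {event type: [event count, total loss]}}."""
    grid = {bl: {et: [0, 0] for et in EVENT_TYPES} for bl in BUSINESS_LINES}
    for business_line, event_type, amount in events:
        # Refuse events that do not map to one of the 56 cells instead of
        # silently dropping them from the loss history.
        if business_line not in grid or event_type not in grid[business_line]:
            raise ValueError(f"unmapped event: {business_line!r} / {event_type!r}")
        cell = grid[business_line][event_type]
        cell[0] += 1
        cell[1] += amount
    return grid


def moments(losses):
    """Return (mean, variance, skewness, excess kurtosis), population formulas."""
    n = len(losses)
    if n < 2:
        raise ValueError("need at least two loss observations")
    mean = sum(losses) / n
    m2 = sum((x - mean) ** 2 for x in losses) / n  # variance
    if m2 == 0:
        raise ValueError("identical losses: skewness and kurtosis are undefined")
    m3 = sum((x - mean) ** 3 for x in losses) / n
    m4 = sum((x - mean) ** 4 for x in losses) / n
    skewness = m3 / m2 ** 1.5
    excess_kurtosis = m4 / m2 ** 2 - 3.0  # 0 for a normal distribution
    return mean, m2, skewness, excess_kurtosis


def drop_largest(losses):
    """Return the losses without the single largest observation."""
    return sorted(losses)[:-1]


if __name__ == "__main__":
    grid = build_loss_matrix(SAMPLE_EVENTS)
    for business_line, row in grid.items():
        for event_type, (count, total) in row.items():
            if count:
                print(f"{business_line} / {event_type}: {count} event(s), USD {total:,}")

    losses = [amount for _, _, amount in SAMPLE_EVENTS]
    for label, data in (("all events", losses), ("without tail event", drop_largest(losses))):
        mean, variance, skewness, kurtosis = moments(data)
        print(f"{label}: mean={mean:,.0f} variance={variance:,.0f} "
              f"skewness={skewness:.2f} excess kurtosis={kurtosis:.2f}")
```

Comparing the two runs shows how one tail event dominates the higher moments: the mean moves from under USD 6,000 to USD 125,000 and the excess kurtosis changes sign.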

6.5 EXTERNAL OPERATIONAL RISK LOSS DATA

External loss data is operational risk event loss data gathered from operational risk
events occurring at organisations outside the bank. This can be used to supplement
internal operational loss data gathered to make operational risk measurement
more robust. External loss data may be sourced from:

• Public database (these databases collect descriptions and analysis of external
operational losses).
• Consortium where members submit loss information (these are subscription-
based operational risk event services).
• News or any other sources of external loss information.

These are usually large actual losses that have not been experienced by the bank.
External loss data provides important supplementary information to assess the
severity of operational loss events. While external loss data is usually used to provide
information on large losses for operational risk modelling purposes, this can also
provide guidance on assessing riskiness of new business lines, provide important
benchmarking information or estimate peer banks’ loss experience. External loss
data also provides important input into the bank’s scenario analysis.

In using external loss data in the overall operational risk data structure, an
operational risk manager should be aware of the reporting bias inherent in external loss
data. External loss data is biased towards larger and more remarkable losses. This
may, therefore, not be applicable to all banks (unless adjustments are made). This
adjustment, known as data scaling, involves adjusting the loss amounts reported in external
data to fit the bank’s business activities and risk profile.

i. Operational Risk-data Exchange association (ORX) – ORX is the largest operational
risk management association in the financial services sector. ORX’s mandate is to
improve the management and measurement of operational risk. One of the
objectives of ORX is to provide a platform for sharing high-quality operational risk
loss data from around the world. Among the services provided by ORX are:

▶ Insights on publicly reported losses from various media sources all over the
world
▶ Access to an extensive scenario library
▶ Content for cyber and information security risk professionals

ii. UK Finance – UK Finance is composed of 300 banking and finance firms and
offers research, policies, guidance and data on economic crime and business
finance. UK Finance compiles a range of data covering customer behaviour,
industry performance and fraud.
iii. GOLD – Global Operational Loss Database (GOLD) is an industry platform
managed by UK Finance to share loss event information anonymously. It has since
expanded to provide insights beyond operational risk management practices to
include analysis on causes, control failures, risk categories and impact. Data from
GOLD is used by banks to compare their loss experience against others.
iv. Operational risk consortium Ltd (ORIC) Data – ORIC International is a leading
operational risk consortium for the reinsurance and investment management
sector. ORIC facilitates anonymous exchange of operational risk intelligence
among member firms.
v. ORIC maintains an operational risk event database that comprises more than
15,000 anonymised operational risk events from the insurance and investment
management industry submitted by more than 40 firms on a quarterly basis.

6.6 BUSINESS RESILIENCE & CONTINUITY (HOLISTIC FOCUS) AND DISASTER RECOVERY PLAN (DRP)

Operational resilience is defined as the bank’s ability to deliver critical operations
through disruption. The objectives of operational resilience are:
• To enable the bank to identify and protect itself from threats and potential failures
• To respond and adapt to, as well as recover and learn from disruptive events
in order to minimise their impact on the delivery of critical operations through
disruption.

Critical operations are activities, processes, services, and their relevant supporting
assets the disruption of which would be material to the continued operation of the
bank or its role to the financial system. Examples of these critical functions are:
• Payments
• Custody
• Certain lending and deposit taking activities
• Clearing and settlement
• Segments of wholesale markets
• Market making in certain securities
• Highly concentrated specialised lending sectors

The fundamental principles of operational resilience include:
• Governance
• Operational risk management
• Business continuity planning and testing
• Mapping interconnections and interdependencies
• Third party dependency management
• Incident management
• ICT including cybersecurity

Governance
Banks should use the existing governance structure to establish, oversee and
implement an effective operational resilience approach. The board of directors
should review and approve the bank’s operational resilience approach considering
the bank’s risk appetite, risk capacity and risk profile. In approving the approach,
the board should consider a broad range of severe but plausible scenarios such
as lockdown due to pandemics, destructive cyber security incidents, catastrophic
natural disasters, etc.

Senior management should implement the operational resilience approach and
ensure that appropriate financial, technical, and other resources are
allocated to support the bank’s operational resilience approach.

Operational risk management


Banks should use their existing functions for operational risk management to
identify, assess and manage (IAM) operational risk.

Identify: External and internal threats; potential failures in people, process, and systems
Assess: Vulnerabilities of critical operations
Manage: Resulting risks in accordance with the operational resilience expectations

Figure 6.12: Components of IAM

To deliver a consistent approach to operational resilience, the operational risk
management function should work with and coordinate with business continuity
planning, third party dependency management, recovery and resolution planning
and other risk management functions. Identifying threats and vulnerabilities
should form part of the bank’s operational resilience approach. Controls and
procedures should be in place to ensure that this is done in a timely manner.
In the event that there are changes in any component of the underlying critical
operations, assessment should be conducted to ensure that any new threats and
vulnerabilities are identified. Assessment should be made on the delivery of critical
operations and their interconnections and interdependencies.

Business continuity planning and testing


Banks should have business continuity plans in place and conduct business
continuity exercises under a range of severe but plausible scenarios in order
to test their ability to deliver critical operations through disruption. Among the
characteristics of effective business continuity plans are:

i. Forward looking – The impact of potential disruptions should be made based on
a range of severe but plausible scenarios.
ii. Comprehensive – This should cover critical operations, key internal and external
dependencies to assess the risks and potential impact of various disruption
scenarios on operations and ensure appropriate resilience levels. This should
incorporate business impact analyses, recovery strategies and business
continuity plan as well as testing programmes, training awareness programmes
and communication and crisis management programmes.
iii. Regular testing – There should be a regular business continuity exercise
encompassing critical operations and their interconnections and
interdependencies.
iv. Disaster recovery – The plan should include detailed guidance for implementing
the bank’s disaster recovery framework including specification of key roles and
responsibilities.
v. Invocation process – The plan should clearly specify the triggers under which the
business continuity plan is invoked and escalated.

Mapping interconnections and interdependencies


Mapping interconnections and interdependencies involves tracing and
documenting operational aspects of an organisation that are necessary in order to
perform critical operations. That includes things like people, technology, processes,
information, and facilities. The bank should map the relevant internal and external
interconnections and interdependencies after identifying the critical operations.

Third party dependency management


This principle highlights the importance of managing relationships with third
parties or intragroup entities. This includes assessing risk before establishing
a relationship and ensuring that any third party or intragroup entity has an
equivalent or higher operational resilience approach in place. In coming up with an
operational resilience approach, the bank should carefully identify dependencies
of this approach to external parties such as third parties and intra-group entities.

Before outsourcing any function or process that could impact the bank’s
operational resilience approach, appropriate due diligence should be undertaken
to ensure that these third-party dependencies exercise appropriate standards of
operational resilience.

Incident management
Proper incident management ensures effective response and recovery plans to
manage incidents that could disrupt an organisation’s critical operations. Key facets
include:

• Maintaining an inventory of incident response
• Classification of incident severity
• Response and recovery procedures
• Communications plans.

There should be an inventory of incident response and recovery, internal and
third-party resources to support the bank’s response and recovery capabilities. Incidents
should be classified by severity based on pre-defined criteria. This is to ensure
that there is proper prioritisation and assignment of resources to respond to an
incident. Incident management procedures should be developed, maintained, and
tested regularly. This includes setting of thresholds for triggering business continuity,
disaster recovery and crisis management procedures. Root causes should be
identified to eliminate recurrent episodes of these incidents. Communication plans
should be implemented to ensure that incidents are reported to both internal and
external stakeholders. Lessons learned from previous incidents should be widely
shared and duly reflected in updating the incident management programme.

Information and Communications Technology (ICT) including cybersecurity


ICT policies and cyber security measures should effectively support and facilitate
an organisation’s critical operations while staying in line with legal requirements
concerning the protection of data and confidentiality. These systems should be
tested regularly alongside other processes and systems within the organisation to
ensure optimal security, performance, and ability to overcome disruptions. Banks
should ensure resilient ICT including cybersecurity. Banks should have a documented
ICT policy that covers:

• Governance and oversight
• Risk ownership and accountability
• Information security measures (access controls, critical information asset
protection, identity management, etc.)
• Periodic evaluation and monitoring of cyber security controls
• Incident response
• Business continuity and disaster recovery plans

Critical information assets and the infrastructure upon which they depend should
be identified in advance. Clear parameters on prioritisation of cybersecurity efforts
should be made and should be based on the significance of the critical information
assets to the bank’s critical operations.

6.7 BOUNDARY RISK (MARKET & CREDIT)

Boundary risk is the risk we face due to commitments around dependencies and
the limitations they place on our ability to change. There are many instances where
losses could not fit in one category or boundary. Also, there are many times when it
would be relatively straightforward to classify a loss event as an operational loss event.
The difficulty in operational risk is that it is a risk that can emanate from different
business lines. This is unlike market risk, where it is clear that the risk arises from the
bank’s trading, balance sheet management and sales activities. For credit risk, on the
other hand, it is clear that it arises from the bank’s lending activities.

Operational risk boundary events are operational risk events which trigger a
consequence in another risk category. Defining boundary risk is more than just
semantics and is not trivial. Failure to define these boundary risks clearly
may result in confusion on accountability and oftentimes in poor risk
management practices.

Operational risk – Market risk boundary


For operational-market risk boundary, operational risk losses that are related to
market risk are treated as operational risk for purposes of calculating regulatory
capital.

Boxed Article–2

JPMorgan Breaches Its Risk Limits More than 330 Times in 2012
“The J.P. Morgan Chase whale trades provide a startling and instructive
case history of how synthetic credit derivatives have become a
multi-billion source of risk within the US banking system.” I.e., Buffett’s “weapons
of mass destruction” pose a dangerous risk to the banking system. I was
shocked that JP Morgan breached their risk limits on derivatives positions
more than 330 times over 5 months in 2012. Get that? The most iconic
name in banking hid hundreds of millions of losses, billions really, from the
public, the regulators, the politicians, and the shareholders over a span of
3 months. Ouch!

“They also demonstrate how inadequate derivative valuation practices
enabled traders to hide substantial losses for months at a time; lax hedging
practices obscured whether derivatives were being used to offset risk or
take risk; risk limit breaches were routinely disregarded; risk evolution
models were manipulated to downplay risk; inadequate regulations
oversight was too easily dodged or stonewalled and derivative trading
and financial results were misrepresented to investors, regulators, policy
makers, and the taxpaying public who, when banks lose big, may be
required to finance multi-billion bailouts.”

Source: https://www.forbes.com/sites/robertlenzner/2013/03/15/the-cover-up-is-always-worse-than-the-crime/?sh=261d05c7233d

Operational risk – Credit risk


For loan related events that are caused by operational events (such as
failure of people, process, system) – these are generally treated as credit
risk for capital calculation purposes. One particularly common example is
credit card fraud. Credit card fraud is definitely a failure of process or system
(i.e., an operational loss failure). However, some banks treat this as purely
operational risk. In other instances, some banks even consider only
third-party-initiated fraud as operational risk. All other types of credit card fraud
are seen as credit risk.

Another area where boundary risk is prevalent is in the area of collateral
management. Collateral management is a credit risk mitigant technique
to lower credit risk exposure from a client. In the event that there is a failure
in collateral management, one may consider that it is the failure of people,
process, or system (meaning failure on operational risk), or a failure of credit
risk mitigant technique (meaning failure on credit risk).

Another practical example is when the loan defaults (this is clearly credit risk)
and at some point, it was found out that the collateral was not properly in
place due to fraud (which is clearly an operational risk).

Boxed Article–3

Repayment Hopes Dim with Hin Leong Windup


HSBC and other global banks owed USD 3.5 billion by Hin Leong Trading
Pte Ltd may recoup less than expected from the collapsed Singapore oil
trader. Problems first arose in April 2020 when legendary founder Lim Oon
Kuin revealed to investors that the company had suffered undisclosed
losses of more than USD 800 million and the oil pledged as collateral for
lending had also been sold. Police say that Lim demanded a company
employee forge a document purportedly issued by Universal Terminal, a
fuel storage company also owned by the Hin Leong Group, to support the
sale of more than 1 million barrels of gasoil to trading giant China Aviation
Oil in Singapore.

“The document was allegedly used to secure more than US$56mn in
trade financing from a financial institution,” says a statement from the
police force’s public affairs department. Investigations into other potential
offences are ongoing.

Source: Bloomberg, Global Trade.

6.8 CONDUCT RISK

The role of conduct in shaping customer and stakeholder perceptions is outlined
in the influential report on banking conduct and culture entitled “Banking Conduct
and Culture – A Permanent Mindset Change” published by the Group of 30. Conduct
is a part of the bank’s overarching culture which shapes clients’ and stakeholders’
perceptions of the bank. Conduct is the part of culture that can be observed,
monitored, managed, and incentivised. Conduct is defined as:

“Behaviour of Financial Services Institutions Towards Their Clients and
Counterparties in the Financial Markets”.

Conduct risk is the risk of a bank’s activities having a detrimental impact on
customers or negatively impacting market stability. Examples of conduct risk are:

• Mis-selling of financial products and services
• Market manipulation
• Insider trading

Mis-selling of financial products and services


Mis-selling of financial products and services is one of the most common causes of
bank misconduct. Mis-selling involves misrepresentation of financial products during
sales or inappropriate advice and recommendation of financial products and
services. There are three elements of mis-selling: misrepresentation, suitability, and
complexity.

Misrepresentation refers to the situation where products were wrongly presented
as a low-risk alternative to deposits and the risks and complexity were not properly
explained. Complexity refers to the situation where the products sold are too
complex and risk disclosures were ineffective in alerting investors. Suitability refers
to the failure of banks to do proper customer due diligence hence resulting in
inexperienced retail investors being left with holding products not suitable to their
investment profile.

Boxed Article–4

Hong Kong Lehman Minibonds Misselling


In September 2008, Lehman Brothers filed for bankruptcy. In Hong Kong, financial
products known as the callable credit-linked bonds marketed by Lehman Brothers
known as minibonds were aggressively marketed since 2002. These products
have been widely sold to the public in Hong Kong. Minibonds were credit linked
notes to seven companies known as “reference entities”. As long as a credit event
has not occurred, investors will receive a fixed coupon and full repayment of the
principal at the end of three years. The minibonds were sold by seven distributors
in Hong Kong: five banks and two non-bank financial services firms.

Based on complaints filed by investors, bank sales staff induced their clients to turn
their matured fixed deposits into these minibonds for higher returns, with
incentives such as free shopping coupons. Bank sales staff failed to consider the
investors’ risk profile and personal circumstances when selling products and did
not provide product information nor did they explain the product features and
risks at the point of sales.

Market Manipulation
Market manipulation is when one party artificially affects the supply or demand of
a security. In 2012, an international investigation uncovered widespread
manipulation by several banks of interest rates, particularly
the London Interbank Offer Rate (LIBOR), as far back as 2003. LIBOR is the reference
rate for setting interest rates on many consumer and corporate loans and affects
interest payments of clients. Banks colluded to manipulate LIBOR beginning in 2003
so that traders could make profits on derivatives linked to LIBOR. The LIBOR scandal has
eroded public trust in the market.

Every day, currency pairs/rates are fixed at a certain point in time, and this is used
as a foreign exchange reference for some contracts. This fix is agreed over a
60-second period. The foreign exchange scandal involves some traders attempting to
make a quick profit by buying or selling currencies just before clients are buying or
selling amounts of these currencies at the fix. Traders were found to have colluded to
set a currency’s rate through conversations in chat rooms via Bloomberg or Reuters
terminals. This rigging of currency pairs undermined the public’s trust in the foreign
exchange markets.

Boxed Article–5

Banks Fined $1.2 Billion for Forex Rigging


Banks were fined by EU antitrust regulators for rigging the spot exchange rates
for 11 currencies. The EU investigation found that some individual traders from
various banks in charge of forex trading exchanged sensitive information and
trading plans through various online professional chat rooms. The information
exchanges enabled these traders to take advantage and profit from client
information.

Insider trading
Insider trading refers to the buying and selling of a security, in breach of a fiduciary
duty or other relationship of trust and confidence, while in possession of material,
non-public information about the security.

6.9 NEW PRODUCTS DEVELOPMENT (NPD) AND BUSINESS ACTIVITIES AND OUTSOURCING ACTIVITIES

Outsourcing of production has been deployed and researched for decades
but outsourcing of activities in the new product development (NPD) process is a
relatively new phenomenon. In banking, there are several types of outsourcing that
have become incredibly commonplace.

First and foremost is IT outsourcing (ITO), which involves an external service provider
being given responsibility for managing specific applications for a financial
institution. Server management and infrastructure solutions, network administration,
isolated cloud centres and software development are the most common functions
to be outsourced, and ITO is typically implemented to save banks time and money
while introducing flexibility in terms of data storage, product offerings and speed of
service.

Another common type of outsourcing is business process outsourcing (BPO). This
is an established methodology for slashing inefficient internal operation processes
and instead involving a third party to manage an entire business process like
accounting, finance, customer service or HR. BPO offers a compelling business value
proposition in terms of gaining operational efficiency and reducing costs and is
independent of economic cycles. That being said, because BPO sees organisations
hand over day-to-day maintenance of fundamental business processes, it is not a
decision financial institutions (FIs) make lightly.

Finally, an emerging trend in outsourcing amongst financial institutions is the relatively
new concept of “full-fledged product outsourcing”. According to researchers at
PwC, this third form of outsourcing in the banking sector is starting to gain traction
in Europe and sees financial institutions enter into partnership agreements with
Federal Financial Supervisory Authority (BaFin) licensed and regulated financial
technology (Fintech) to take on vast swathes of a bank’s value chain. In many
cases, full-fledged product outsourcing hands product development, operations,
compliance, regulatory infrastructure, and IT over to a third-party – while the bank
retains ownership of said tasks and instead focuses its time on customer interface
and its balance sheet.

This new bank outsourcing trend enables FIs to gain a competitive edge and establish
lean and flexible operations across the value chain to deliver products and services
faster and cheaper than ever before. That being said, each form of outsourcing
comes hand-in-hand with its own set of advantages and disadvantages across the
banking sectors.

6.9.1 New Products, Business Activities and Third-Party Risk

The bank should have an approval process for all new products and business
activities that incorporates the assessment of operational risk. This is because
operational risk is increased when a bank engages in new products and new
business activities.

Operational risk is also heightened in the period between the bank’s first
introduction of the new product or business activity and the point at which
the bank scales up investment and the product or activity becomes a material
source of revenue or a critical operation. The review and approval process for new
products and activities should cover:

• Inherent risks in new product, service, or activity
• Changes to the bank’s operational risk profile and appetite and tolerance,
including the risk of existing products or activities
• Necessary controls, risk management processes and risk mitigation
strategies
• Residual risk
• Changes to the relevant risk thresholds or limits
• Procedures and metrics to measure, monitor, and manage the risk of new
product or activity
• Adequate investments in human resources and technology infrastructure

The product approval process includes the following elements:
• Initiation
• Due diligence
• Approval
• Post-approval and product review

Initiation
The product and business activity approval is initiated by the relevant
business unit. At this stage, the initiation should be sponsored and approved
by the appropriate management to proceed. The relevant front office
personnel then introduce this to the product approval and review committee.
The product approval and review committee consists of multidisciplinary
stakeholders from front office, risk management, compliance, and finance
department. The objective of the initial meeting is to understand whether the
due diligence phase can proceed.

Due diligence
In this stage, risk management and the relevant support functions will
conduct due diligence where risks and potential issues are identified and
assessed. Once the issues are addressed, it undergoes the approval process.
The following items must be considered during the due diligence phase:

• Underlying risks involved in the new product or business activity
• Implications of those risks in the bank’s overall risk profile
• Residual risks involved in the new product and approval
• Appropriateness of the risk mitigation measures
• Monitoring and control process to mitigate the risk

Approval
After due diligence is conducted, the initiative undergoes an approval process
where the product approval and review committee assesses the residual risks
involved in the process including ensuring that appropriate investment has
been made for human resources and technology infrastructure.

Post-Approval and Review


The approval, particularly its scope, should be communicated clearly.
This should be communicated to the relevant front office department,
risk management and support functions. Post-approval, any system,
operational risk profile or legal and regulatory changes should be monitored
and reviewed. The implementation of new products and business activities
should be monitored to make sure that any material differences to the
expected operational risk profile are identified and assessed and unexpected
risks are managed appropriately.

6.9.2 Third Party Risk in Financial Services

Outsourcing is one area of third-party risk management. Third-party risk
management focuses on identifying, assessing and managing the risks
relating to the use of third parties. Third parties include all vendors, suppliers,
contractors, or any service providers that may have direct or indirect impact
on the bank’s internal operations. Some common examples of outsourcing
include transaction processing, such as back-office functions that involve
the processing of settlements of existing trades, or business processes, such as
physical security of bank premises.

The bank should understand, assess, and manage operational risks associated
with outsourcing arrangements. The bank should have an appropriate
outsourcing risk management process that considers the following:

i. Principles – Outlining of the motivation on why a business activity is
outsourced.
ii. Scope – Which bank business activity or transaction can be outsourced,
and which cannot be outsourced.
iii. Alternatives – Determine different approaches in outsourcing activities.
iv. Structuring – Principles on sound structuring of outsourcing arrangement
including minimum standards on ownership and confidentiality of data as
well as termination rights.
v. Risk management – Programmes for managing and monitoring the risks
associated with the outsourcing arrangement including assessing the
financial condition of the outsourcing provider.
vi. Control – Establishment of an effective control environment at the bank
and the service provider.
vii. Contingency – Development of viable contingency plans.
viii. Execution – Execution of comprehensive contracts and/or service level
arrangements with a clear allocation of responsibilities between the
outsourcing provider and the bank.

In instances when internal controls do not adequately address the risk and
exiting the risk is not a viable option, banks should consider entering into risk
transfer mechanisms where risk is transferred to another party such as via
purchasing insurance. Risk transfer mechanisms should not be viewed
as a replacement for a comprehensive internal operational risk control. Risk
transfer mechanisms are complementary risk management tools.

6.10 RISK CONTROL AND SELF-ASSESSMENT (RCSA)

Risk control and self-assessment (RCSA) plays an important role in the operational
risk management framework for banks. RCSA is defined as:

“… A Systematic Means of Identifying Control Gaps That Threaten the
Achievement of Defined Business Or Process Objectives and Monitoring What
Management Is Actually Doing to Close Those Gaps”

Steps involved in RCSA


RCSA evaluates the following:

i. Inherent risk – Risk before controls are considered.
ii. Control risk – Efficiency and effectiveness of the control environment.
iii. Residual risk – Risk exposure after controls are considered.

Compared to internal loss data collection and analysis, RCSA is an important
operational risk assessment tool that could provide insights on operational risk
exposures whether they have occurred or have yet to occur. It is a forward-looking
exercise that allows the bank to anticipate risks and strategise actions to mitigate
those risks. RCSA has an important role in embedding operational risk culture
awareness throughout the organisation by empowering each business unit to assess
its own risk, inventory available controls to mitigate those risks and enumerate the
residual risks.

Common approaches used in RCSA


An important output of the RCSA exercise is to assess the effectiveness of the design
and performance of existing internal controls in addressing residual risks. This control
effectiveness matrix is used to assess vulnerability to failure of the control environment
and enable prioritisation of key controls to be developed to mitigate these control
risks.

| Design \ Performance | L | M | H |
|---|---|---|---|
| L | Low | Low | Medium |
| M | Low | Medium | High |
| H | Medium | High | High |

Figure 6.13: Control Effectiveness Matrix

Scorecards build on RCSA by weighting residual risks to provide a means to translate
the RCSA output into metrics that give a relative ranking of the risk. An example of
a risk impact scoring table is shown below:


| | Low | Medium | High |
|---|---|---|---|
| Financial | Loss less than USD 500,000 | Loss between USD 500,000 to USD 1,000,000 | Loss greater than USD 1,000,000 |
| Reputational | Reputational risk is local | Reputational risk is national | Reputational risk is international |
| Compliance | Regulatory finding classified as suggestions and points for improvement. | Regulatory finding classified as violations with no monetary damage or licensing implication. | Regulatory finding classified as violations with monetary damage or with licensing consequence. |

Figure 6.14: Risk Impact Scoring Table

6.11 RISK AND PERFORMANCE INDICATORS

Among the most commonly used indicators in corporate governance are key
performance indicators (KPIs) and key risk indicators (KRIs). While KRIs are used
to indicate potential risks, KPIs measure performance. Many organisations use
these interchangeably, making it necessary to distinguish between the two. KPIs are
typically designed to offer a high-level overview of organisational performance. So,
while these metrics may not adequately offer early warning signals of a developing
risk, they are important for analysing trends and monitoring performance. KRIs
highlight just the opposite.

KRIs also help the management understand increasing risk exposures in various
areas of the enterprise. At times, they represent key ratios that the management
can track as indicators of evolving risks, and potential opportunities, which signal
the need for action. Others may be more elaborate and involve the aggregation
of several individual risk indicators into a multi-dimensional score about emerging
events that may lead to new risks or opportunities.

In the banking sector, a bank may develop a KPI that will include data about
defaulters. This KPI may highlight an event that has already occurred – a case where
a client defaulted on his payment to the bank as per his loan contract. However,
developing a KRI would be a more proactive way to indicate loan repayment trends
before risk events occur.

To balance risks and opportunities appropriately and to obtain the best possible
alignment of performance and risk management, each KRI should be linked to a
KPI. KPIs have long played an essential role in performance management. One of
the most effective ways to link performance and risk management is by selecting
KRIs, setting thresholds and integrating risk factors into the company’s performance
management tool of choice. By integrating these, a company can measure and
monitor performance and risk at the same time, as part of the same process.

| Key risk indicators | Key performance indicators |
|---|---|
| Key risk indicators are used to monitor the main drivers of exposure associated with key risks. | Key performance indicators provide insight on the status of operational processes which provide insight into operational weaknesses, failures, and potential loss. |

Figure 6.15: Key Risk Indicators and Key Performance Indicators

General uses of key risk indicators (KRIs)


Key risk indicators (KRIs) are critical predictors of unfavourable events that can
adversely impact organisations. They monitor changes in the levels of risk exposure
and contribute to the early warning signs that enable organisations to report risks,
prevent crises and mitigate them in time. KRIs, independently or in conjunction with
other risk environment related data such as loss events, assessment outcomes, and
issues, offer considerable insights into the weaknesses within the risk and control
environments. They act as metrics of changes in an organisation’s risk profile, but given
the changing risk landscape, simply establishing them within the corporate protocol
may not be enough.

Types of KRIs
KRIs are typically measurable, i.e., they can be quantified in terms of percentages,
numbers etc. They are predictable and are often used as early warning signals,
while also tracking trends over a period of time. Since they offer useful insights about
potential risks that may impact organisational achievements and objectives, KRIs
are informative and act as a catalyst for decision making.

| Current Indicators | Lagging Indicators | Leading Indicators |
|---|---|---|
| Current indicators describe the current exposure level. | Lagging indicators describe past exposures but may occur again. | Leading indicators are indicators that describe emerging risk trends and issues that may need to be addressed. |
| Use: Current KRIs provide a snapshot view of the operational risk exposure as it is. This is used to identify situations where attention is required to reduce exposure or minimise the loss. | Use: Lagging indicators are considered to be detective in nature and provide important information regarding the historical causes of losses or exposure. | Use: Leading indicators are seen to be predictive in nature. These indicators’ main function is preventive in nature. |

Figure 6.16: Types and Use of KRIs

Uses of KRIs in the operational risk management process.

Key risk indicators (KRIs) are an important tool within risk management and are
used to enhance the monitoring and mitigation of risks and facilitate risk reporting.
Operational risk is defined as the risk of loss resulting from inadequate or failed
internal processes, people and systems, or external events. Operational KRIs are
measures that enable risk managers to identify potential losses before they happen.
The metrics act as indicators of changes in the risk profile of a firm.

Examples of KRIs within the operational risk management process are shown below:

| | KRI | Example |
|---|---|---|
| People | Staff turnover | Number of leavers in a year |
| | Job satisfaction | Morale score per department |
| Process | Volume of transactions | Number of transactions per product |
| | Process errors | Number of cancel and amendment over total number of bookings |
| Systems | System downtime | Minutes system is down |
| | Time to resolve issues | Average hours of system resolution |

Figure 6.17: Examples of KRIs

Key performance indicators evaluate the success of business units in achieving
pre-defined business objectives and provide insights on potential losses from
operational weaknesses. These indicators are paired with thresholds or limits to
assess the degree of operational risk exposure.


| | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Average time to resolve system issue | Less than 1 hour | 1 hour – 1 day | More than 1 day |

Figure 6.18: Examples of Linking Limits to Indicators
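
The Systems and Process indicators of Figure 6.17 can be computed from operational records and the resolution-time KRI banded with the limits of Figure 6.18, as in the sketch below. This is an added example, not part of the study text: the record layout, function names and sample tickets are assumptions constructed for illustration, and ageing open tickets to the report date is an added design choice so that a long-running unresolved issue cannot lower the reported average.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Limits from Figure 6.18 for "average time to resolve system issue", in hours.
LOW_BELOW_HOURS = 1.0    # less than 1 hour -> Low Risk
HIGH_ABOVE_HOURS = 24.0  # more than 1 day  -> High Risk


@dataclass(frozen=True)
class Incident:
    """One system issue ticket (hypothetical record layout)."""
    system: str
    opened: datetime
    resolved: Optional[datetime]  # None while the issue is still open
    outage: bool                  # True if the system was down, not just degraded


def hours_open(incident, as_of):
    """Hours from opening to resolution; open tickets are aged to the report date."""
    end = incident.resolved if incident.resolved is not None else as_of
    return (end - incident.opened).total_seconds() / 3600


def avg_resolution_hours(incidents, as_of, include_open=True):
    """'Time to resolve issues' KRI; None when there is nothing to average."""
    durations = [hours_open(i, as_of) for i in incidents
                 if include_open or i.resolved is not None]
    return mean(durations) if durations else None


def downtime_minutes(incidents, as_of):
    """'System downtime' KRI: minutes the systems were down."""
    return sum(hours_open(i, as_of) * 60 for i in incidents if i.outage)


def process_error_ratio(cancels_and_amendments, total_bookings):
    """'Process errors' KRI; None when there were no bookings."""
    if total_bookings == 0:
        return None
    return cancels_and_amendments / total_bookings


def band_resolution(hours):
    """Map the average resolution time to its Figure 6.18 band."""
    if hours is None:
        return "No data"
    if hours < LOW_BELOW_HOURS:
        return "Low"
    if hours > HIGH_ABOVE_HOURS:
        return "High"
    return "Medium"  # 1 hour to 1 day, both limits inclusive


def kri_report(incidents, cancels_and_amendments, total_bookings, as_of):
    """Compute the three KRIs and band the one that has limits on the page."""
    avg_all = avg_resolution_hours(incidents, as_of)
    avg_closed = avg_resolution_hours(incidents, as_of, include_open=False)
    return {
        "avg_resolution_hours": avg_all,
        "resolution_band": band_resolution(avg_all),
        # Shown for comparison: ignoring open tickets can understate exposure.
        "closed_only_band": band_resolution(avg_closed),
        "downtime_minutes": downtime_minutes(incidents, as_of),
        "process_error_ratio": process_error_ratio(cancels_and_amendments,
                                                   total_bookings),
    }


# Constructed sample data for one reporting month (not from the study text).
AS_OF = datetime(2024, 3, 31, 0, 0)
SAMPLE_INCIDENTS = [
    Incident("core-banking", datetime(2024, 3, 1, 9, 0),
             datetime(2024, 3, 1, 9, 30), True),
    Incident("payments-gateway", datetime(2024, 3, 5, 14, 0),
             datetime(2024, 3, 5, 20, 0), True),
    Incident("internet-banking", datetime(2024, 3, 10, 8, 0),
             datetime(2024, 3, 12, 8, 0), False),
    Incident("atm-switch", datetime(2024, 3, 20, 0, 0), None, False),  # still open
]

if __name__ == "__main__":
    for name, value in kri_report(SAMPLE_INCIDENTS, 42, 1200, AS_OF).items():
        print(f"{name}: {value}")
```

On the sample data the single unresolved ticket moves the indicator from the Medium band (closed tickets only) to the High band.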

6.12 OTHER TOOLS IN OPERATIONAL RISK ASSESSMENT

The management of operational risk is not a new practice; it has always been
important for banks to try to prevent fraud, maintain the integrity of internal controls,
reduce errors in transaction processing, and so on in order to preserve the best quality
services for their customers, but also because errors can lead to huge losses. However,
what is relatively new is the view of operational risk management as a comprehensive
practice comparable to the management of credit and market risk in principle. In
the past, banks relied almost exclusively upon internal control mechanisms within
business lines, supplemented by the audit function, to manage the operational risk.
While these remain important, recently there has been an emergence of specific
structures and processes aimed at managing the operational risk.

Some other tools in operational risk assessments include audit findings, business
process mapping, scenario analysis and key control testing.

Audit findings
Banking organisations are being examined on a regular basis and audited by internal,
external and independent auditors and by the national banking supervisor. The
results of these examinations and audits are often formally documented in the form
of audit reports. The audit reports contain audit findings that provide insights on the
inherent risks, control weaknesses and vulnerabilities of the banking organisation.
These audit findings provide important action points on the susceptibility of the
banking organisation to various operational risk losses.

Boxed Article–6

Key Observations:
The CIO’s judgment, execution and escalation of issues were poor. The bank did
not ensure that the controls and oversight of the CIO evolved commensurately
with the increased complexity and risks of the CIO’s activities. The CIO’s risk
management lacked the personnel and structure necessary to manage the risks
of a complex investment portfolio. The risk limits applicable to the CIO were not
sufficiently detailed. The approval process and implementation of the new risk
model were flawed.

Source: JPMorgan Internal Report, January 2013


While the excerpt above provides a high-level summary of what went wrong in the
London Whale trade, analysing the details of the report provides a wealth of information
on the weaknesses and vulnerabilities of the CIO department. It was reported that
spreadsheet errors had been made, which resulted in a significant understatement
of the risk exposures reported to senior management. This finding can be used as
additional input to the operational risk identification exercise.

Business process mapping


Business process maps are an important part of the operational risk identification and
assessment process. This involves laying out the different activities, accountabilities
and systems involved in a particular business process. Business process maps could
be used to identify process loopholes that could be potential sources of operational
risks. Business process maps could reveal:

• Individual risks (for example, fraud risk arising from inadequate segregation of
duties)
• Risk interdependencies (for example, inadequate segregation of duties that may
lead to erroneous credit underwriting decisions which could heighten credit risk or
allow rogue traders to hide huge risk positions)
• Area of control or management weaknesses

Business process maps provide a helpful way to visualise weaknesses so that preventive
measures can be designed. This can also enhance the ability of independent parties
such as internal or external auditors to detect existing weaknesses and flaws in the
current business processes. Many huge losses from rogue trading could have been
prevented had the loopholes in business processes been detected earlier.

Scenario analysis
Scenario analysis is an important element of the operational risk management
framework. A scenario analysis attempts to predict possible situations and events that
can impact an entity in the future. Scenario analysis gives flexibility to management
to think about how the different risks could affect organisational goals in the future.
It allows management to go beyond rigid measurement models and think more
creatively about future risk exposures. Scenario data also provides forward-looking
perspectives on operational risk exposures. The world has become so complex that
it is now impossible to fully understand the many risks that an organisation is taking.
Keeping to a rigid model would make risk managers more susceptible to surprises.

Scenario analysis that combines both external data and expert opinion allows
management to form a clearer picture of its exposure in high severity events. It can
also be used to assess the impact of deviations from the assumptions inherent in the
use of models in operational risk assessment. It also helps understand interrelated
risks that could arise from multiple and simultaneously occurring operational loss
events. Scenario analysis has two elements:


• Current state
• Future states (evaluation of future possibilities)

Scenarios are generated by using a bank’s internal loss data, external loss data
and other available information for the business environment. According to the
Basel Committee’s Operational Risk Management Practices, the Basel II minimum
standards on scenario analysis framework are as follows:

• Clearly defined and repeatable process
• Good quality background preparation of the participants in the scenario
generation process
• Qualified and experienced facilitators with consistency in the facilitation process
• Appropriate representatives of the business, subject matter experts and the
corporate operational risk management function as participants involved in the
process
• A structured process for the selection of data used in developing scenario
estimates
• High quality documentation which provides clear reasoning and evidence
supporting the scenario output
• A robust independent challenge process and oversight by the corporate
operational risk management function to ensure the appropriateness of scenario
estimates
• Mechanisms for mitigating biases inherent in the scenario process


Boxed Article–7

Shell Scenario Analysis


In 1973, the global economy was shocked by a major oil crisis. However, Royal
Dutch Shell was not affected.

In the 1960s, a pioneering team of economists, engineers and scientists started to
work on Shell’s first scenarios. They analysed how the future might unfold and the
impact this could have on the company. They then shared these scenarios
with Shell’s management, posing to them a serious question—what if the world
faced an oil crisis?

In October 1973, fuel shortages sparked a global recession and a massive stock
crash. Shell, however, was spared as its decision-makers were prepared for such
a crisis. Their predictions included choices Shell could make to cushion a blow
from an oil crisis. The 1973 scenarios helped Shell weather the volatility of the
1970s, bringing financial gains running into billions of dollars arising from sale of
refineries and installations or decisions not to replace them.

Schoemaker and van der Heijden (1992) cited the role of scenario analysis in
Shell’s strategic planning. Scenarios are used as tools for improving the decision-
making process against a background of possible future environments. Scenarios
benefit the organisation by stimulating managers to think in a systematic and
disciplined manner.

Shell’s scenarios were focused on:


• Issues and information that concern Shell’s decision-makers
• Elements in the environment that were determinable and relatively predictable
• Trend-breakers—elements that will affect a system in unpredictable ways but
with understandable dynamics
• Potential surprises

Source: Paul J.H. Schoemaker, Cornelius A.J.M. van der Heijden (1992), Integrating
Scenarios Into Strategic Planning at Royal Dutch Shell, Strategy & Leadership,
Volume 20 Issue 3.

Key control testing (KCT) – control effectiveness test


Key control testing (KCT) is a procedure to test the existence, design soundness and
operational effectiveness of internal controls. The objective of KCT is to:

• Validate the existence of key controls to detect and prevent operational risk events
• Assess whether the design of these controls adequately addresses the identified
key risk
• Test whether these controls are operating effectively as intended.


KCT is integral not only to the bank’s internal control system but to the risk and control
self-assessment (RCSA) process. Key control testing ensures that all material risks
are adequately linked to a specific and effective internal control. Testing frequency
depends on the criticality of the risk that controls intend to mitigate.

1. Existence – Whether controls exist
2. Design effectiveness – Whether controls are sufficient to mitigate inherent risk
in line with the bank’s risk appetite
3. Operational effectiveness – Whether controls are being implemented and are
working as intended

Figure 6.19: Key Control Testing (KCT)

6.13 SHARIAH COMPLIANCE RISK

The establishment of Islamic financial institutions has brought about a new landscape
in the financial system. They offer various financial products and services (hereafter,
financial services) that comply with Shariah rules and principles. This means that in
offering financial services, underlying contracts which include processes, utilisation of
financial services, and legal documentation should follow the rules and principles of
Shariah. This is to relate the potential of Islamic financial contracts to serve Maqasid
Al-Shariah, which is the main thrust of the Islamic financial system and guidelines for
Islamic finance operations (Lone & Ahmad, 2017).

Failure to comply with the underlying contracts deserves specific attention
because it may erode customers’ confidence in Islamic financial institutions and
the whole financial system (Lahsasna, 2014). Although the unique contractual
features of the financial services have exposed Islamic financial institutions to
a mix of risks, the risk resulting from failure to comply with Shariah principles is
considered a unique and significant aspect of Islamic financial institutions.

Shariah compliance risk is the risk that financial products or services are not compliant
with the Shariah principles and standards. Shariah compliance is what gives financial
products the legitimacy to be considered as Shariah/ Islamic finance products.

Bank Negara Malaysia (BNM) published Shariah Governance standards on 20
September 2019. This document outlines the heightened expectations of BNM with
respect to Shariah governance arrangements. In the document, BNM defines Shariah
non-compliance risk as:

“Risk of Legal Or Regulatory Sanctions, Financial Loss Or Non-Financial
Implications Including Reputational Damage Which an Islamic Financial
Institution May Suffer Arising from Failure to Comply with the Rulings of the
Shariah Advisory Council of Bank Negara Malaysia.”

Shariah non-compliance risk must be deeply embedded in the following functions:

• Shariah audit
• Shariah risk management
• Shariah review

Figure 6.20: Functions in Shariah Compliance

Shariah risk management refers to the function that systematically identifies,
measures, monitors, and reports Shariah non-compliance risks in the business
activities of the Islamic financial institution. Among the responsibilities of this function
are:

• Integration of the Shariah non-compliance risk in the overall enterprise-wide risk
management framework
• Identification of Shariah non-compliance risk exposures
• Assessment of Shariah non-compliance risk and measurement of potential
impact of risk exposures
• Establishment of risk mitigation measures
• Monitoring of Shariah non-compliance risk exposures and the effectiveness of the
risk mitigation measures
• Reporting to the Board, Shariah Committee, and senior management
• Constructively challenge decisions that may give rise to Shariah non-compliance
risk

Shariah review refers to the function involved in regular assessment of compliance of
the business activities with Shariah requirements. Shariah audit refers to the function
responsible for the independent assessment of the quality and effectiveness of the
internal control, governance processes and overall compliance with Shariah.


SUMMARY

• Operational risk has historically been defined in a residual manner (i.e. risk that
remains after market and credit risk). In Basel II, operational risk is defined in a causal
manner – risk of loss arising from failure in people, process and system.

• Operational risk is the most difficult risk to measure. Unlike market and credit risk where
data is available and sometimes abundant, in operational risk gathering operational
loss data is a recent and huge undertaking for banks. Unlike market and operational
risk, operational risk losses may not be fitted in using traditional statistical distribution
models.

• Loss distribution approach is one of the most commonly used measurement tools in
measuring operational risk. This approach involves the convolution of frequency and
severity of operational risk losses.

• Operational risk boundary event is an operational risk event which triggers a
consequence in another risk category (for example, market and credit risk).

• Conduct risk is the risk arising from negatively impacting the bank’s customers or
market stability.


END OF CHAPTER PRACTICE QUESTIONS

1. Which of the following tools provide insights on the complex relationship between the
causes and effects of risks?
A. Audit findings
B. Key risk indicators
C. Scenario analysis
D. Business maps

2. Risk control and self-assessment aims to evaluate __________.
A. Inherent risk
B. Internal control
C. Residual risk
D. All of the above

3. These key risk indicators describe emerging trends and impending issues that may need
to be addressed. This is an example of __________.
A. Current KRIs
B. Lagging KRIs
C. Leading KRIs
D. None of the above

4. The most commonly used statistical distribution in quantifying frequency of operational
risk losses is _________.
A. Normal distribution
B. Exponential distribution function
C. Poisson distribution
D. Negative exponential distribution function

Practice 1: The operational risk committee is composed of members only with
financial expertise given the highly complex nature of banking

Practice 2: The committee should include executive board members only to ensure
that confidentiality is preserved

5. Which of the practice/s above is consistent with the BCBS principles of sound operational
risk practices?
A. Practice 1 only
B. Practice 2 only
C. Both a and b
D. None of the above


Statement 1: The use of external loss data is among the most established. Most
banks have fully implemented the collection and analysis of external
loss data.

Statement 2: Based on the survey conducted by the BCBS, business process
mapping is one of the least implemented operational risk identification
and assessment tools.

6. Answer below:
A. Statement 1 is true. Statement 2 is false.
B. Statement 1 is false. Statement 2 is true.
C. Both statements are true
D. Both statements are false

Statement 1: The business continuity management programme should be
decentralised across different business groups to be more effective.

Statement 2: The scope of internal audit on the full implementation and execution of
the operational risk management framework should not be limited to
the operational risk capital model.

7. Answer below:
A. Statement 1 is true. Statement 2 is false.
B. Statement 1 is false. Statement 2 is true.
C. Both statements are true
D. Both statements are false

8. Which of the following is part of the Shariah control functions?
A. Shariah risk management
B. Shariah review
C. Shariah audit
D. All of the above

9. Which of the following is not true about operational risk losses?
A. Operational risk losses are generally skewed to the left
B. We expect to see more outliers in operational risk losses than what normal distribution
will predict
C. Operational loss distribution is symmetric
D. All of the above statements are true


10. Which of the following are examples of conduct risk?
A. Mis-selling of financial products and services
B. Market manipulation
C. Insider trading
D. All of the above

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. B 2. D 3. C 4. C 5. D 6. B 7. B 8. D 9. C 10. D

CHAPTER 7
TECHNOLOGY, CYBER RISK,
AND EMERGING RISK

7. TECHNOLOGY, CYBER RISK, AND EMERGING RISK

Learning Outcomes

At the end of the chapter, you will be able to:

• Discuss current IT, cyber and digital risks and describe new emerging risk issues
and challenges.

Key Topics

In this chapter, you will be able to read about:

• Definition of IT, cyber and digital risk
• Current IT, cyber and digital threats
• Data security & privacy risk
• The regulations as prescribed under risk management in technology by BNM
• Cryptocurrency/blockchain
• Fintech, risk arising and management
• Artificial intelligence, machine learning and RPA
• API banking
• Climate risk

Assessment Criteria

During the exam, you will be expected to:

• Define IT/cyber and digital risks.
• Understand the regulations affecting IT, cyber and digital risk as prescribed under
the Risk Management in Technology (RMiT) guidelines by BNM.
• Understand external technology-driven market developments and their impact on
financial institutions.
• Describe emerging regulatory responses (BNM, other regulators).

7.1 DEFINITION OF IT, CYBER OR DIGITAL RISK.

Cyber risk is defined as the risk of financial loss, disruption or reputational damage
arising from failure, unauthorised access, or erroneous use of a bank’s IT systems. IT
systems include all electronic and information systems within the banks (computers,
internet, networking, and telecommunication infrastructure). Due to the importance
of banks in national and international stability, banks have been high-profile targets
of cyber-attacks by individuals and by institutions, for different reasons.


Cyber risk has different distinguishing characteristics:

• Persistent nature of campaign by motivated threat actors (also known as
advanced persistent threat), where hackers lurk inside the target’s system for
months, assessing its vulnerabilities before finalising the attack to maximise the
damage.
• Compared to physical attacks on a bank’s property, there is a wider range of entry
points through which the attackers can penetrate the bank’s IT systems.
• Some sophisticated cyber-attacks may paralyse the bank’s risk management
and business continuity programmes.
• Cyber-attacks can be stealthy and propagate rapidly within a network of systems.
• Attackers can be well funded and very organised with motives other than profit
(for example, destruction or impairment of financial systems).

Cyber risk is classified according to different event types:

Confidentiality Availability Integrity

Figure 7.1: Classification of Cyber Risk

i. Confidentiality events – These are events where confidentiality of data is
compromised. These events may result in direct losses for banks as banks may
be exposed to liability for damages or may cause indirect losses for banks due to
competitors gaining access to a bank’s proprietary business strategy.
ii. Availability events – These are events which result in a bank’s data or systems
being compromised. This may affect the bank’s ability to continue to perform its
core business activities. This can cause direct and indirect losses for the bank.
iii. Integrity events – These are events where the integrity of data is compromised
(for example, impairing the bank’s ability to continue to use this data to perform
its core banking functions).


Boxed Article–1

Bangladesh Bank Heist

On February 4, hackers used the SWIFT credentials of the Bangladesh Central
Bank employees to send more than three dozen fraudulent money transfer
requests to the Federal Reserve Bank of New York asking it to transfer funds to
bank accounts in the Philippines, Sri Lanka, and other parts of Asia.

The hackers managed to get USD 81 million sent to Rizal Commercial Banking
Corporation (RCBC) in the Philippines and an additional USD 20 million to Pan
Asia Banking in a single request. The USD 81 million was deposited into four accounts
at RCBC on February 4. The accounts had been opened a year earlier but had
been inactive with only USD 500 sitting in them.

The hackers installed malware on the bank’s network to prevent employees from
discovering fraudulent transactions quickly.

Source: Wired Magazine, 17 May 2016

Cyber events can be understood according to the following dimensions:

Intent – Cyber events are deliberate acts with different intentions:

• Make financial gains for the attacker.
• Inflict maximum damage.

This means that there are diverse agents that can implement
cyberattacks, ranging from individuals to state-sponsored
organisations. The implication of this is that banks may be attacked
at a time when the impact or damage is the largest.

Technology – Due to the interconnectedness of the IT infrastructure used by
banks, cyberattacks can be executed with a larger number of banks
affected at the same time. This means the potential to wreak havoc
and inflict damage on financial institutions is higher compared to
others.

Uncertainty – A cyber event may be hidden and lurk in the bank’s IT systems for a
long period of time. This means that attackers can:

• Gain sufficient familiarity with the bank’s systems, including its
recovery strategy, and therefore impair the ability of the
bank to recover upon attack.
• Wait for an opportunistic time and inflict maximum damage on the
bank.

Figure 7.2: Dimensions of Cyber Events


7.2 CURRENT IT, CYBER OR DIGITAL THREATS

In the 1950s, the word “cyber” referred to cybernetics – the science of understanding
the control and movement of machines and animals. This was followed by “cyber”
standing for “computerised.” The 1990s brought around a new cyber-related term.
The word “cyberspace” emerged to define an invented physical space that some
people wanted to believe existed behind the electronic activities of computing
devices.

Today, the term is almost exclusively used to describe information security
matters. Because it is hard to visualise how digital signals traveling across a wire
can represent an attack, we have taken to visualising the digital phenomenon as
a physical one. A cyber-attack is an attack that is mounted against us (meaning
our digital devices) by means of cyberspace. Cyberspace, a virtual space that does
not exist, has become the metaphor to help us understand digital weaponry that
intends to harm us.

Types of cybersecurity threats

Cybersecurity threats come in two classifications of intent. Attackers are after
financial gain, disruption or espionage (including corporate espionage, meaning the
theft of patents, or state espionage). The classification of intent is as follows:

• According to consequence
• According to cause

A cybersecurity threat according to consequence includes the following common


types of threat:

Business Theft or loss of


disruption, system non-personally
Data breach Theft of funds
and execution identifiable
failure information

Figure 7.3: Consequence of Cyber Threats

i. Business disruption, system, and execution failure – This pertains to an internal or
external incident that disrupts the business or damages the performance of the
bank’s IT/software/hardware infrastructure with no initial data, technology, or
monetary loss.


Boxed Article–2

HSBC says Internet Banking Services Down After Cyber Attack


[LONDON] HSBC said on Friday that its personal banking websites in the
UK have been suspended after a cyberattack, its second major service
outage this month. Europe’s largest lender said in a statement it had
successfully defended its systems against the denial-of-service attack,
a mechanism often used by cyber criminals trying to disrupt businesses
and companies with significant online activities.

Customer transactions were not affected, the bank said:

“We are working hard to restore services, and normal service is now being
resumed”, a spokeswoman said, apologising for any inconvenience
caused by the incident.

Source: Business Times, 29 January 2016

ii. Data breach – This pertains to any type of data loss or exposure involving
personally identifiable information.

Boxed Article–3

Data Breach at Bank of America


Bank of America disclosed a data breach affecting clients who have
applied for the paycheck protection programme (PPP). Client information
was exposed on April 22 when the bank uploaded PPP applicants’ details
onto the US Small Business Administration’s platform.

Source: Business Times, 29 January 2016

iii. Theft or loss of non-personally identifiable information – This pertains
to events that result in theft or loss of technology, intellectual property,
business proprietary information or any information not involving
personally identifiable information.

One of the hidden costs of a cyberattack is the loss or theft of intellectual
property. Loss of intellectual property has taken less prominence compared
to higher-profile cyberattack events (for example, events that
involve the loss of personally identifiable information). However, this does
not mean that this is less important. Attacks that result in loss of intellectual
property can threaten not only a bank’s competitive strength or profitability
but may also result in the loss of an entire business line.


Boxed Article–4

Goldman Sachs Proprietary Trading Code Theft


A former Goldman Sachs programmer was convicted after encrypting and
downloading files from Goldman Sachs’ network that contained the code he had
worked on. He transferred the data to a website hosted in Germany, then erased
the program from Goldman Sachs’ network that he had used to encrypt the files.
He also attempted to delete the network’s bash history showing his activity. This
has been viewed as one of the most substantial thefts in the bank’s history.

Source: Wired Magazine, 1 May 2015

iv. Theft of funds – This pertains to the immediate and direct loss of funds carried
out via a digital channel.

Boxed Article–5

Bangladesh Bank Heist


On February 4, unknown hackers used SWIFT credentials of Bangladesh Central
Bank employees to send more than three dozen fraudulent money transfer
requests to the Federal Reserve Bank of New York asking to transfer millions of
the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and
other parts of Asia. The hackers managed to get USD 81 million sent to a bank in
the Philippines via four different bank transfer requests.

Source: Business Times, 29 January 2016

Methodology of cyberattacks

• Denial of service attacks
• Man-in-the-middle attacks
• Phishing
• Drive-by attack
• Password attack
• SQL injection
• Cross-site scripting
• Birthday attack
• Malware
• Zero-day exploit

Figure 7.4: Methodology of Cyber Attacks


i. Denial of service attack – A denial of service attack floods systems, servers, or
networks with traffic to exhaust resources and bandwidth. As a result, the system
is unable to fulfil legitimate requests. A distributed denial-of-service attack occurs
when attackers use multiple compromised devices to perform an attack.

Boxed Article–6

Hong Kong Stock Exchange Hit by DOS Attack


Hong Kong’s stock exchange open access website was subject to a distributed
denial of service attack where hackers overwhelmed the network with
massive incoming traffic, which slowed down and disrupted its ability to
display exchange prices and financial data. This resulted in the suspension of
derivatives trading – an unprecedented move last seen in 2000.

Source: South China Morning Post, 6 September 2019

ii. Man-in-the-middle attacks – A man-in-the-middle attack, also known as an
eavesdropping attack, happens when attackers insert themselves into a two-
party transaction. Once the attackers interrupt the traffic, they can filter and steal
data.

Boxed Article–7

US NSA Impersonating Google


The US National Security Agency (NSA) appears to have impersonated Google
to gather personal data. This involves using a fake security certificate to pose
as a legitimate Web service, bypass browser security settings, then intercept
the data that an unsuspecting person is sending to the service.

Source: Cnet, 12 September 2013

iii. Phishing – Phishing is the practice of sending fraudulent communications that
appear to come from a reputable source, usually through email. The goal is to
steal sensitive data like credit card and login information or to install malware on
the victim’s machine.


Boxed Article–8

Largest Phishing Scandal – Ubiquiti Attack


Ubiquiti Networks became a victim of one of the largest phishing scandals and
lost USD 47 million. The scam led to the transfer of funds held by a subsidiary in
Hong Kong to other overseas accounts held by third parties through a phishing
scam. This involves the use of email spoofs and targets businesses that
regularly perform foreign wire transfers.

Source: NBC News, 7 August 2015

iv. Drive-by attack – A drive-by attack involves hackers looking for insecure websites
and planting a malicious script into the HTTP or PHP code on one of the pages. The
script might install malware directly on the computer of someone who visits the site,
or it might redirect the victim to a site controlled by the hackers. Watering hole is the
most common strategy to execute this type of attack.

Boxed Article–9

Polish Banks on Alert After Mystery Malware on Computers


Polish banks discovered mysterious malware on their computers and servers.
In at least one case, it was used to take the data from a bank’s computer to
an external server. The attack appears to have been carried out using a watering
hole attack, where hackers compromised websites that were of interest to their
ultimate target and injected code into these websites that redirected browsers
to an external site. What is particularly interesting about this case is that the
code was hosted on the Polish Financial Supervision Authority.

Source: PC World, 7 February 2017

v. Password attack – This occurs when unauthorised parties obtain access to a
person’s password by looking around the person’s desk or sniffing the connection
to the network to acquire unencrypted passwords. Watering hole is the most
common strategy to execute this type of attack.
vi. SQL injection – Structured query language (SQL) injection happens when an
attacker inserts malicious code into a server that uses SQL and forces the server
to reveal information it normally would not.


Boxed Article–10

Qatar National Bank Leak


A 1.4 GB trove of documents of Qatar National Bank (QNB) clients was leaked
online, containing customer transaction logs, personal identification numbers
and credit card data. The hackers used an open-source SQL injection tool to
extract all of the data they needed. SQL injection is used against websites that
use SQL to query information from the database server.

Source: PC World, 1 May 2016

vii. Cross-site scripting – Cross-site scripting (XSS) attacks use third-party web
resources to run scripts in the victim’s web browser or scriptable application.

Boxed Article–11

XSS Behind a Decade of Bank Attacks

Cross-site scripting vulnerabilities accounted for 80% of attacks against the
world’s banks. A common cross-site scripting attack method involves a hacker
using code injections to steal visitors’ data, like cookies, or manipulating
what victims see to trick them into inputting sensitive personal or financial
information.

Source: IT News, 15 November 2013

viii. Birthday attacks – Birthday attacks are made against hash algorithms that are
used to verify the integrity of a message, software, or digital signature.
ix. Malware – Malware attacks involve software designed with malicious intent
containing features or capabilities that can potentially cause harm directly or
indirectly to entities or their information systems.
x. Zero-day exploit – A zero-day exploit targets a network vulnerability that is
exploited before a patch or solution is developed.
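
An added example for item vi (SQL injection), not part of the study text: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table, to show why the first form lets input change the meaning of the query and the second does not. The table, function names and input values are constructed for illustration.

```python
import sqlite3

# Constructed input: closes the string literal and appends an always-true condition.
CRAFTED_INPUT = "nobody' OR '1'='1"


def build_demo_db():
    """Create an in-memory table of constructed account rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (owner TEXT, account_no TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("alice", "1001", 2500.0),
            ("bob", "1002", 310.5),
            ("carol", "1003", 98000.0),
            ("o'brien", "1004", 42.0),
        ],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """VULNERABLE: the input becomes part of the SQL text itself."""
    query = (
        "SELECT owner, account_no, balance FROM accounts "
        "WHERE owner = '" + owner + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, owner):
    """Hardened: the input is bound as a value and is never parsed as SQL."""
    query = "SELECT owner, account_no, balance FROM accounts WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


def compare(owner):
    """Run both lookups on the same input and report what each one returns."""
    conn = build_demo_db()
    results = {}
    for name, lookup in (
        ("vulnerable", lookup_vulnerable),
        ("parameterised", lookup_parameterised),
    ):
        try:
            results[name] = len(lookup(conn, owner))
        except sqlite3.OperationalError as exc:
            # Concatenation also fails on legitimate input that contains a quote.
            results[name] = "error: " + str(exc)
    conn.close()
    return results


if __name__ == "__main__":
    for value in ("alice", "o'brien", CRAFTED_INPUT):
        print(repr(value), compare(value))
```

Parameterised queries address the root cause; input validation and a least-privilege database account limit what remains exposed if a query is still written unsafely.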

7.3 DATA SECURITY & PRIVACY RISK

Data is the most valuable asset in any business, especially banking. Data security, or
information security, includes the practices, policies, and principles to protect digital
data and other kinds of information. Privacy risk is the likelihood that individuals
will experience problems resulting from data processing, and the impact of these
problems should they occur. Privacy risk includes but is not limited to technical
measures that lack appropriate safeguards, social media attacks, mobile malware,
third-party access, negligence resulting from improper configuration, outdated
security software, social engineering, and lack of encryption.


Data & privacy security

Data and privacy security is based on three foundational principles — confidentiality,
integrity, and availability — which are known as the “CIA triad.”

Confidentiality involves preventing unauthorised access to sensitive data to keep
it from reaching the wrong people. To protect confidentiality, organisations should
implement security measures such as access control lists (ACLs) based on the
principle of least privilege, encryption, two-factor authentication and strong
passwords, configuration management, and monitoring and alerting. Integrity is
about protecting data from improper data erasure or modification. One way to
ensure integrity is to use a digital signature to verify content authenticity and secure
transactions, which is widely used by government and healthcare organisations.
Availability requires ensuring that security controls, computer systems and software
all work properly to ensure that services and information systems are available
when needed. For example, your financial database must be available in order for
your accountants to send, pay or process.

Types of data
Companies typically have to protect two major types of data:

i. Business critical data – Business-critical data comprises the data assets needed
to operate and sustain your company. Examples include financial plans, inventory,
and intellectual property like designs and trade secrets.
ii. Private information – Private information includes employee, human resources
and payroll data, customer profiles, contracts with suppliers, and personal
medical histories. Private information also includes personal data and sensitive
personal data.

▶ Personal data – Personal data relates to information about an identified or
identifiable natural person (“data subject”) with particular reference to an
identifier, such as names, identification numbers, location data, and online
identifiers, or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that person. This also
includes financial privacy that refers to the maintenance of confidentiality of
customer information about transactions and finances by financial institutions.
▶ Sensitive personal data – Sensitive personal data refers to personal information
that reveals racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade-union membership; or data concerning health; and genetic data
or biometric data.

A strong cybersecurity strategy provides differentiated protection of the company’s
information assets, giving the most important data the highest degree of protection.
Otherwise, companies waste resources trying to safeguard every file and folder,
whether it contains critical intellectual property or just pictures from the company
picnic.


Data & privacy risk

In the wake of recent high profile data breaches worldwide, the data privacy debate
has assumed greater significance and assumed centre stage in the regulatory
world and, more so in the financial services industry given the vast amounts of
personal data processed by banks or financial services organisations and their
third-party IT solution providers. The customer onboarding process in a bank entails
capturing personally identifiable information, and this can range from sharing non-
financial data such as names, addresses, e-mail IDs, contact and social security
numbers to financial data in the form of savings, loans accounts and debit/credit
card numbers. Below are the top reasons why organisations must focus on data and
privacy security:

i. Data breaches – A data breach, or data leak, is a security event when critical
data is accessed by or disclosed to unauthorised viewers. Data breaches can
happen due to:

▶ Cyberattacks in which hackers bypass your security technologies and get into
the company’s important software or security platform
▶ Theft or loss of devices containing protected information
▶ Data theft by employees or other internal users, such as contractors or partners
▶ Human errors such as accidentally sending sensitive data to someone
unauthorised to see it

Data breaches can have a significant financial impact. They can interrupt business
operations, which can hurt company revenue. A breach can also involve legal
costs, and if it involves a violation of a compliance or industry mandate, the
regulatory body can impose fines or other consequences. In addition, the
organisation can suffer lasting damage to its reputation and customer trust.

ii. Compliance – Compliance requirements also drive data security. In particular,
data privacy regulations like the EU’s General Data Protection Regulation
(GDPR) and the California Consumer Privacy Act (CCPA) strictly regulate how
companies collect, store and use personally identifiable information (PII).
Compliance failures can be expensive; for example, GDPR fines can reach 20
million euros or 4% of a company’s global annual turnover for the preceding
financial year. In addition, authorities can issue warnings and reprimands, and,
in extreme cases, ban the organisation from processing personal data.


Boxed Article–12

Privacy Law in Malaysia (Abdul Aziz, Samuel, and Azami, n.d)


Introduction
With the rapid development of technology and the widespread usage of the
Internet over the last decade, anyone can have access to almost anything
including the personal information of others. Today, the usage of the Internet is
no longer confined to connecting people and conducting research, but it has
become a platform for many to store information and advertise themselves
and their businesses.

Unlike other jurisdictions, Malaysia has no specific law such as a Privacy
Act to protect personal privacy, except for the Personal Data Protection Act
2010 (“PDPA”), which deals with personal data and focuses on regulating the
processing of “personal data” in commercial transactions.

Even though there is no principle on the right to privacy in Malaysia, the Federal
Court case of Sivarasa v Badan Peguam Malaysia & Anor held that the right to
personal liberty under Article 5(1) of the Federal Constitution includes the right
to privacy.

What Does “Privacy” in PDPA Entail?

There is no general definition of ‘privacy’ embedded under the PDPA. However,
‘personal data’ under Section 4 of the PDPA is defined as any information in
respect of commercial transactions which: –

a. is being processed wholly or partly by means of equipment operating
automatically in response to instructions given for that purpose.
b. is recorded with the intention that it should wholly or partly be processed by
means of such equipment; or
c. is recorded as part of a relevant filing system or with the intention that it
should form part of a relevant filing system.

The information relates directly or indirectly to a data subject, who is identified
or identifiable from that information or from other information in the possession
of a data user, including any sensitive personal data and expression of opinion
about the data subject; but excludes any information that is processed for the
purpose of a credit reporting business carried on by a credit reporting agency
under the Credit Reporting Agencies Act 2010.

In simpler terms, the aim of the PDPA is to safeguard the personal data of
individuals that are collected, stored, and used (“data subject”) from being
abused by the person or persons who have control over the personal data
(“data user”) or authorises the processing of such personal data (“data
processor”). This wide definition covers details such as name, address, contract
details and your national registration identity card. It also includes ‘sensitive’
personal data such as the physical or mental health condition of an individual,
their political opinions and even religious beliefs.


A Guide for Data Users

There are seven data protection principles in the PDPA that data users should
comply with, and they are briefly stated as follows:

No. Type of Principle – Method

1. General – Ask for the data subject's consent before processing data.
2. Notice and Choice – Give a written notice to the data subject informing them
of details such as the description of data, the purpose of the data, the sources,
the right to request access and correction and the of third parties to whom the
data may be disclosed.
3. Disclosure – Ask for the data subject's consent if the personal data is to be
disclosed for any other purpose other than the purpose for which the personal
data was to be disclosed at the time of collection or to any party other than the
third party notified by the data user.
4. Security – Take practical steps to protect the personal data from any loss,
misuse, modification, unauthorised or accidental access or disclosure, alteration
or destruction.
5. Retention – Ensure that personal data is not kept longer than necessary and
take all reasonable steps to ensure all personal data is permanently deleted or
destroyed if it is no longer required for the purpose it was to be processed.
6. Data Integrity – Take reasonable steps to ensure the personal data is accurate,
complete, not misleading and kept up-to-date.
7. Access – Give the data subject access to the personal data and be able to
correct their inaccurate, incomplete, misleading or not up-to-date personal data.


As per Section 5(2) of the PDPA, a data user who fails to comply with
these seven principles commits an offence and shall be liable to a fine or
to imprisonment or to both upon conviction. Hence, a breach in the data
protection can be costly to the data user’s business as a data subject may
pursue an action against them. Therefore, it is crucial for data users to comply
with the above-mentioned principles.

Other Statutes
Sections 211 and 233 of the Communications and Multimedia Act 1998 (“CMA”)
prohibit the provision of offensive content (which is indecent, obscene, false,
or menacing) with the intent to annoy, abuse, threaten or harass any person.
However, these two sections are not specifically about the right to privacy
and very broad to describe the offensive content on the internet. Further, it is
subject to the court’s assessment whether the content falls under the types
of offensive content on the internet as provided in Sections 211 and 233 of the
CMA.

Under Section 509 of the Penal Code, it is a criminal offence to “intrude upon
the privacy” of a person, however, this strictly applies to actions which insult
the modesty of a person. Upon conviction, an offender may be punished with
imprisonment for a term which may extend to five years or with fine or with
both.

Conclusion
The Malaysian courts are generally reluctant to accept that there is a general
principle of invasion of privacy. However, the courts did on some occasions
find that a person’s privacy had been intruded, especially where there is a
case for breach of confidence (e.g., doctor-patient relationship). With the
limited scope of privacy introduced by the PDPA, an individual who wishes
to bring an action under the PDPA can only do so when their personal data
privacy has been breached, and not for the rights to privacy in general.

As public awareness of privacy rights in Malaysia is still low and this problem
is aggravated by the absence of modern legislation penalising invasion of
privacy, it is timely for our lawmakers to come up with our own legislation
that provides the protection for all types of privacy (not just the protection of
private data) instead of adopting the common law.


Meeting compliance requirements is necessary for a successful data
security strategy, but checking the boxes during compliance audits is not
sufficient. Regulations typically focus only on specific aspects of data
security (such as data privacy), and real-world security threats evolve
faster than legislation. Protecting sensitive data should be viewed as a
long-term, ongoing commitment.

iii. Cloud [10] security – Since the Covid-19 pandemic began, cloud adoption has
soared, as organisations needed to create options to enable employees to
work from home. Suddenly, cloud data security was on everyone’s radar.

Earlier, data protection strategies generally focused on keeping malicious
intruders out of systems where sensitive data is stored. But with cloud
computing, data is stored in systems that are outside the traditional
perimeter and can flow freely everywhere. Therefore, organisations
need a data-centric security strategy that prioritises their most sensitive
information.

[Figure 7.5 panels, percentage values not recoverable: share of organisations that
think their employees share data using approved means of communication only; share
of organisations employing remote workers that have suffered cloud data security
breaches; share of organisations that say they can spot unauthorised data sharing in
minutes; share of IT professionals who believe remote workers are not secure.
Sources: Netwrix 2020 Data Risk and Security Report; Remote Workforce Cybersecurity
Survey, OpenVPN.]

Figure 7.5: Security Risk in the Cloud

[10] “The cloud” refers to servers that are accessed over the Internet, and the software and databases that run on those servers.
Cloud servers are located in data centres all over the world. By using cloud computing, users and companies do not have to
manage physical servers themselves or run software applications on their own machines. The cloud enables users to access
the same files and applications from almost any device, because the computing and storage takes place on servers in a data
centre, instead of locally on the user device.


iv. Lack of cybersecurity talent – According to a 2020 (ISC)² study, the industry
needs about 3 million more qualified cybersecurity workers, and 64%
of cybersecurity professionals say their company is impacted by this
cybersecurity skills shortage. This talent shortage limits their ability to
reduce risk, detect threats and respond to attacks.

Data & privacy security management

Data governance refers to the overall management of the availability,
usability, reliability, integrity, and security of the data used in the bank.

Data management involves the following:

• Identify the bank’s data needs on an ongoing basis.
• Ensure that adequate and effective policies and procedures are in place for
data creation, capture, maintenance, reporting, distribution, and retention.
• Translate data quality expectations set by the Board to specific goals for
significant data systems and owners.
• Define metrics for data quality with respect to the following variables:
accuracy, completeness, consistency, and currency.
• Ensure that the data control functions are operating effectively.
• Monitor trends which may indicate weaknesses or vulnerabilities within
data systems and controls.
• Provide continuous development support to users.

The data and systems architecture facilitates proper integration of data and
systems across the institution.

Elements of data and systems architecture:

• Standards, guidelines or common criteria and data definitions
• Major types and sources of data
• Database technology
• Administrative structures and protocols for processing and disseminating data
• Process and systems for data repository management
• Data storage and backup process

Figure 7.6: Elements of Data and System Architecture

Data quality should be assessed and monitored against the bank’s data
policy statements and objectives on an ongoing basis.


Data Quality Characteristics

• Accurate
• Complete
• Consistent (across systems and organisation)
• Current
• Supported by clear and unambiguous data descriptions

Figure 7.7: Data Quality Characteristics
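
An added example, not part of the study text: one way to turn the four data quality variables named above (accuracy, completeness, consistency, currency) into scores that are checked against targets, with the failing record IDs kept for follow-up by the data owner. The two systems, field names, records, the email validity rule used as a stand-in for accuracy, and the target values are all assumptions constructed for illustration.

```python
import re
from datetime import date

REQUIRED_FIELDS = ("customer_id", "name", "id_number", "email")
COMPARED_FIELDS = ("name", "email")          # fields that must agree across systems
EMAIL_RULE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
AS_OF = date(2022, 6, 27)                    # constructed assessment date

# Constructed records from a hypothetical core banking system.
CORE_BANKING = [
    {"customer_id": "C001", "name": "Aminah Yusof", "id_number": "ID-1001",
     "email": "aminah@example.com", "last_updated": date(2022, 5, 30)},
    {"customer_id": "C002", "name": "Tan Wei Ming", "id_number": "",
     "email": "tan@example.com", "last_updated": date(2020, 1, 15)},
    {"customer_id": "C003", "name": "R. Kumar", "id_number": "ID-1003",
     "email": "kumar-at-example.com", "last_updated": date(2022, 3, 2)},
    {"customer_id": "C004", "name": "Lim Siew Ling", "id_number": "ID-1004",
     "email": "lim@example.com", "last_updated": date(2021, 12, 1)},
]

# Constructed copy of the same customers in a hypothetical CRM system.
CRM = {
    "C001": {"name": "Aminah Yusof", "email": "aminah@example.com"},
    "C002": {"name": "Tan Wei Ming", "email": "tan.wm@example.com"},
    "C003": {"name": "R. Kumar", "email": "kumar-at-example.com"},
}

# Assumed targets, standing in for goals set for a data system and its owner.
TARGETS = {"completeness": 0.70, "accuracy": 0.95,
           "consistency": 0.90, "currency": 0.70}


def failing_ids(records, other_system, as_of, max_age_days=365):
    """Return, for each metric, the IDs of the records that fail it."""
    fails = {"completeness": [], "accuracy": [], "consistency": [], "currency": []}
    for rec in records:
        cid = rec["customer_id"]
        # Completeness: every required field is present and non-empty.
        if any(not rec.get(field) for field in REQUIRED_FIELDS):
            fails["completeness"].append(cid)
        # Accuracy (proxy): the value passes a validity rule. True accuracy
        # needs verification against an authoritative source.
        if not EMAIL_RULE.match(rec.get("email") or ""):
            fails["accuracy"].append(cid)
        # Consistency: the record exists in the other system and agrees with it.
        other = other_system.get(cid)
        if other is None or any(other.get(f) != rec.get(f) for f in COMPARED_FIELDS):
            fails["consistency"].append(cid)
        # Currency: the record was refreshed within the allowed age.
        if (as_of - rec["last_updated"]).days > max_age_days:
            fails["currency"].append(cid)
    return fails


def scores(records, fails):
    """Convert failure lists into the share of records passing each metric."""
    total = len(records)
    if total == 0:
        raise ValueError("no records to assess")
    return {metric: (total - len(ids)) / total for metric, ids in fails.items()}


def breaches(metric_scores, targets):
    """List the metrics whose score is below the agreed target."""
    return sorted(m for m, s in metric_scores.items() if s < targets[m])


if __name__ == "__main__":
    failed = failing_ids(CORE_BANKING, CRM, AS_OF)
    result = scores(CORE_BANKING, failed)
    print(result)
    print("Below target:", breaches(result, TARGETS))
    print("Records to remediate:", failed)
```

Record C003 passes the consistency check while failing the accuracy check, because both systems hold the same invalid value; agreement between systems does not by itself show that data is correct.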

Banks should maintain effective controls over data security and privacy. Systems
and data integrity refers to the reliability of the information processed, stored, or
transmitted within the bank and between the bank and external parties (for example,
customers or other third parties).

Banks should identify critical data systems. These are systems that if disrupted or
tampered with would materially affect the bank’s business operations, reputation,
or financial condition. More rigorous controls are expected to be in place for critical
data systems.

Data privacy regulations differ from one jurisdiction to another. Some jurisdictions
view that the bank customer owns their own data and has the right to control it. On
the other hand, some jurisdictions view that banks are the data owner but should
limit their rights to control the use of such data and should get customer consent.

7.4 THE REGULATIONS AS PRESCRIBED UNDER RISK MANAGEMENT IN TECHNOLOGY (RMIT) BY BNM

Technology risk refers to risks emanating from the use of information technology (IT)
and the Internet. These risks arise from failures or breaches of IT systems, applications,
platforms, or infrastructure, which could result in financial loss, disruptions in
financial services or operations, or reputational harm to a financial institution. On
19 June 2020, Bank Negara Malaysia (BNM) issued a policy document to set out the
requirements of management of technology risk for financial institutions. This policy
document sets out the Bank’s requirements with regard to financial institutions’
management of technology risk. In complying with these requirements, a financial
institution shall have regard to the size and complexity of its operations. Accordingly,
larger and more complex financial institutions are expected to demonstrate risk
management practices and controls that are commensurate with the increased
technology risk exposure of the institution. In addition, all financial institutions shall
observe minimum prescribed standards in this policy document to prevent the
exploitation of weak links in interconnected networks and systems that may cause
detriment to other financial institutions and the wider financial system.


The policy requirements are set out below:

• Governance
• Technology risk management
• Technology operations management
• Cybersecurity management
• Technology audit
• Internal awareness and training

Figure 7.8: BNM on RMIT

Governance
Data governance is the practice of identifying important data across the organisation,
ensuring it is of high quality and improving the business value. A financial institution
may either designate an existing board committee or establish a separate
committee for this purpose. Where such a committee is separate from the Board
Risk Committee (BRC), there must be appropriate interface between this committee
and the BRC on technology risk-related matters to ensure effective oversight of all
risks at the enterprise level.

Responsibilities of Board of Directors

• Establish and approve the technology risk appetite including risk tolerances
for technology-related events including indicators to monitor technology risk
against the risk tolerance.
• Oversee the adequacy of the IT and cybersecurity strategic plans covering a
period of no less than three years – This should be reviewed periodically at
least once in three years.
• Oversee the effective implementation of technology risk management
framework (TRMF) – This is a framework to safeguard information
infrastructure, systems, and data.
• Oversee the effective implementation of the cyber-resilience framework
(CRF) – This is a framework for ensuring the institution’s cyber resilience.
• Designate a board-level committee focusing on technology-related matters.
• Promote effective technology discussions at the board level.
• Allocate sufficient time to discuss cyber risks and related issues.
• The Board Audit Committee should ensure that internal audit (third level of
defence) is adequately equipped to perform technology audits.


Responsibilities of Senior Management

• Translate TRMF and CRF into specific policies and procedures.
• Establish a cross-functional committee to provide guidance on the bank’s
technology plans and operations – The responsibilities of this committee
include formulation and effective implementation of the strategic
technology plan and the associated policies and procedures; providing timely
updates to the Board on technology matters [11]; and approving any deviation
from technology-related policies.
• Ensure the adequate allocation of resources to maintain robust technology
systems and appropriately skilled and competent staff.
• Embed appropriate oversight arrangements to support enterprise-wide
oversight of technology risk.
• Conduct self-assessment in terms of vulnerabilities to technology risk,
especially for large financial institutions.

Figure 7.9: Governance in Data and Privacy Security/Risk Management

Technology risk management

The technology risk management framework (TRMF) is an integral part of the bank’s
enterprise risk management (ERM) framework. It includes the following:

• Definition of technology risk
• Responsibilities and accountability
• Identification of technology risks
• Risk classification of information assets/systems
• Risk measurement and assessment approaches and methodologies
• Risk controls and mitigations
• Risk monitoring

Figure 7.10: The Technology Risk Management Process

11 Key technology matters include updates on critical systems’ performance, significant IT and cyber-incidents, management
of technology obsolescence risk, status of patch deployment activities for critical technology infrastructure, proposals for
and progress of strategic technology projects, performance of critical technology outsourcing activities and utilisation of the
technology budget.

There must be an independent enterprise-wide technology risk management
function which is responsible for:

• Implementing the TRMF and CRF
• Advising on critical technology projects
• Ensuring critical issues are adequately deliberated or escalated in a timely manner
• Providing independent views to the board and senior management

Figure 7.11: Functions and Responsibilities

There must be a Chief Information Security Officer (CISO; see footnote 12) who
is appropriately certified, is independent from day-to-day IT operations and is
kept apprised of current and emerging technology risks. The CISO is responsible
for ensuring that the bank’s information assets and technologies are adequately
protected.

Technology operations management


Technology operations management is a broad scope of technology-related
activities that cover the following areas:

• Technology project management
• System development and acquisition
• Cryptography
• Data centre resilience
• Network resilience
• Third party service provider management
• Cloud services
• Access control
• Patch and end of life system management
• Security of digital services

Figure 7.12: Technology Operations Management

12 A financial institution’s CISO may take guidance from the expertise of a group-level CISO, in or outside of Malaysia, and may
also hold other roles and responsibilities. Such designated CISO shall be accountable for and serve as the point of contact with
the Bank Negara Malaysia (BNM) on the financial institution’s technology-related matters, including managing entity-specific
risks, supporting prompt incident response and reporting to the financial institution’s board.

i. Technology project management – There should be appropriate governance
and risk assessment infrastructure surrounding the implementation of
technology projects. Key risks surrounding technology projects are as follows:

▶ Adequacy and competency of resources
▶ Complexity of systems to be implemented (for example, use of unproven
technology)
▶ Adequacy and configuration of security controls throughout the project
lifecycle
▶ Comprehensiveness of user requirement specifications
▶ Robustness of system and user testing strategies
▶ Appropriateness of system development and fallback strategies
▶ Adequacy of disaster recovery operational readiness

ii. System development and acquisition – The bank should have an enterprise
architecture framework (EAF) that provides a holistic view of technology
throughout the bank. EAF is an overall technical design and high-level plan that
describes the bank’s technology infrastructure, systems’ interconnectivity, and
security controls. EAF helps to:

▶ Facilitate conceptual design and maintenance of the network infrastructure,
related technology controls and policies.
▶ Serve as a foundation to plan and structure system development and
acquisition strategies to meet business goals.

There should be clear risk management policies and practices for key phases
of the system development life cycle (SDLC), which include:

▶ System design
▶ Development
▶ Testing
▶ Development
▶ Change management
▶ Maintenance
▶ Decommissioning

Figure 7.13: Phases of System Development Life Cycle


iii. Cryptography – The bank should adopt a robust and resilient cryptography
policy to protect important data and information. A cryptography policy is a
policy on controls established and implemented to protect private and sensitive
information. This involves a discussion of the encryption methods (i.e., approach to
secure digital data using cryptography). At a minimum, policies and procedures
should address:

▶ Adoption of industry standards for encryption algorithms, message
authentication, hash functions, digital signatures, and random number
generation.
▶ Adoption of a robust and secure process in managing cryptographic key
lifecycles (generation, distribution, renewal, usage, storage, recovery,
revocation, and destruction).
▶ Periodic review (at least once every 3 years) of existing cryptographic
standards and algorithms.
▶ Development and testing of compromise-recovery plans in the event of
cryptographic key compromise.

iv. Data centre resilience – Data centre resiliency is a planned part of a facility’s
architecture and is usually associated with other disaster planning and data
centre disaster-recovery considerations such as data protection. The adjective
resilient means “having the ability to spring back”.
v. Data centre resiliency is often achieved through the use of redundant components,
subsystems, systems, or facilities. When one element fails or experiences a
disruption, the redundant element takes over seamlessly and continues to
support computing services to the user base. Ideally, users of a resilient system
never know that a disruption has even occurred.


Data Centre Infrastructure

• The bank should specify the resilience and availability objectives of data
centres.
• Production data centres should be maintainable.
• Critical systems should be in a dedicated space for production data centre
usage.

Data Centre Operations

• Capacity needs should be well-planned and managed with due regard to growth
plans.
• There should be a real-time monitoring mechanism to track capacity
utilisation and performance of key processes and services.
• Segregate incompatible activities in the data centre operations to prevent
any unauthorised activity.
• Establish adequate control procedures for its data centre operations.
• There should be independent risk assessment of end-to-end backup storage and
delivery management to ensure that controls are adequate in protecting
sensitive data.

Figure 7.14: Data Centre Resilience

vi. Network resilience – The bank should design a reliable, scalable, and secure
enterprise network to support both current business activities and future growth
plans. Networks for critical services should be reliable and have no single point of
failure (SPOF) to protect the network against potential network faults and cyber
threats. Sufficient and relevant network device logs should be retained for
investigations and forensic purposes for at least three years.
vii. Third party service provider management – There should be an effective
oversight and risk management infrastructure for engaging third party service
providers especially for critical technology functions and systems. Due diligence
should be conducted around the following areas with respect to the third-party
service provider.

▶ Competency
▶ Financial viability
▶ System infrastructure

Figure 7.15: Criteria for Third-Party Provider

The third party service provider’s competency should be assessed with respect
to the following risk areas:

▶ Data leakage
▶ Service disruption
▶ Processing errors
▶ Physical security breaches
▶ Cyber threats
▶ Over-reliance on key personnel
▶ Mishandling of confidential information
▶ Concentration risk

There should be service level agreements (SLA) that would contain at least the
following:

Access rights for regulator

Provide prior notice of any substantial sub-contracting

Undertaking in writing on compliance with secrecy provisions

Critical system availability

Business continuity in event of exit or termination of service provider

Figure 7.16: Minimum Content of Service Level


viii. Cloud services – Banks should conduct a comprehensive risk assessment prior to
adopting cloud services. Critical and non-critical systems must be thoroughly
and separately identified. For non-critical systems, banks are required to notify
Bank Negara Malaysia (BNM) of the intention to use cloud services for such
systems. For critical systems, however, banks are required to consult BNM and
should demonstrate that risks have been adequately considered and addressed.
The assessment should cover the following:

▶ Adequacy of the overall cloud adoption strategy.
▶ Availability of independent, internationally recognised certifications of cloud
service providers.
▶ Degree to which the selected cloud configuration addresses the following:
geographical redundancy, high availability, scalability, portability,
interoperability and strong recovery and resumption capability.

ix. Access control – The bank must implement access controls for the identification,
authentication, and authorisation of users. In terms of authentication, the bank
may adopt a robust authentication process by combining:

▶ What the user knows (password, PIN)
▶ Something the user possesses (smart card, security device)
▶ Something the user is (biometric)

Figure 7.17: Access Control Elements


Boxed Article-13

Principles in Access Control


• Adopt a “deny all” access control policy for users by default unless explicitly
authorised.
• Employ “least privilege” access rights or on a “need-to-have” basis where
only minimum sufficient permissions are granted to legitimate users to
perform their roles.
• Employ time-bound access rights.
• Employ segregation of incompatible functions. This includes combinations of
functions such as: system development and technology operations; security
administration, system administration, network operation and network
security.
• Employ dual control functions which require two or more persons to execute
an activity.
• Adopt stronger authorisation for critical activities including for remote
access.
• Limit and control use of same user ID for multiple concurrent sessions.
• Limit and control sharing of user ID and passwords across multiple users.
• Control the use of generic user ID naming conventions in favour of more
personally identifiable IDs.
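
The principles above, expressed as a small authorisation check. This is an added example, not part of the study text or of any BNM document; the class, user names, permission strings and the pairing of incompatible functions are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed pairing of incompatible functions, constructed for this example.
INCOMPATIBLE_FUNCTIONS = [
    {"system_development", "technology_operations"},
    {"security_administration", "system_administration"},
    {"network_operation", "network_security"},
]


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    expires: datetime  # every access right is time-bound


class AccessPolicy:
    """Hypothetical policy engine: anything not explicitly granted is denied."""

    def __init__(self, critical_permissions):
        self.critical = set(critical_permissions)
        self.functions = {}  # user -> job functions held
        self.grants = []     # explicit, expiring grants

    def assign_function(self, user, function):
        """Segregation of incompatible functions, enforced at assignment time."""
        held = self.functions.setdefault(user, set())
        for pair in INCOMPATIBLE_FUNCTIONS:
            clash = held & (pair - {function})
            if function in pair and clash:
                raise PermissionError(
                    f"{user}: {function} conflicts with {sorted(clash)}")
        held.add(function)

    def grant(self, user, permission, now, valid_for):
        """Least privilege: one named permission per grant, with an expiry."""
        self.grants.append(Grant(user, permission, now + valid_for))

    def _holds(self, user, permission, now):
        return any(
            g.user == user and g.permission == permission and now < g.expires
            for g in self.grants
        )

    def authorise(self, user, permission, now, approver=None):
        """Return (allowed, reason). The default answer is deny."""
        if not self._holds(user, permission, now):
            return (False, "deny: no unexpired grant")
        if permission in self.critical:
            # Dual control: a different, separately authorised person approves.
            if approver is None or approver == user:
                return (False, "deny: dual control needs a second person")
            if not self._holds(approver, "approve:" + permission, now):
                return (False, "deny: approver not authorised")
        return (True, "allow")


def build_demo_policy():
    """Constructed users and permissions; returns (policy, reference time)."""
    now = datetime(2022, 6, 27, 9, 0)
    policy = AccessPolicy(critical_permissions={"core_banking:change_config"})
    policy.assign_function("aisha", "technology_operations")
    policy.assign_function("ben", "security_administration")
    policy.grant("aisha", "core_banking:change_config", now, timedelta(hours=4))
    policy.grant("ben", "approve:core_banking:change_config", now,
                 timedelta(hours=4))
    return policy, now


if __name__ == "__main__":
    policy, now = build_demo_policy()
    perm = "core_banking:change_config"
    print(policy.authorise("chen", perm, now))                   # never granted
    print(policy.authorise("aisha", perm, now))                  # no approver
    print(policy.authorise("aisha", perm, now, approver="ben"))  # both present
    print(policy.authorise("aisha", perm, now + timedelta(hours=5),
                           approver="ben"))                      # grant expired
```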

x. Patch and end of life system management – Critical systems should not be running
on outdated systems with known security vulnerabilities or end of life (EOL)
technology systems.
xi. Security of digital services – The bank must implement robust technology
security controls in providing digital services which should assure confidentiality
and integrity of information and transactions, reliability of digital services, proper
authentication, sufficient audit trail, monitoring of anomalous transactions,
ability to identify and revert to the recovery point prior to incident or service
disruption and strong physical control and logical control measures. The controls
to authenticate and monitor transactions should, at a minimum, be effective at
dealing with:

▶ Man-in-the-middle attacks.
▶ Transaction fraud.
▶ Phishing.
▶ Compromise of application systems and information.

Additional controls should be applied to authenticate and authorise transactions
that are high-risk or more than RM 10,000 in value. Digital service logs are
expected to be retained for investigations and forensic purposes for at least
three years.


Cybersecurity management
Technology has played a transformative role in the provision of financial and
payment services. In addition to improving the efficiency of processes, technology
has opened up new and innovative channels for financial institutions to provide
greater access and convenience to consumers. Technology has also enabled
financial institutions to viably offer and manage a wider range of products that
are competitive and responsive to different needs of consumers in ways that
were not possible before. Business and retail customers have readily embraced
these technological developments, as evidenced by the value of commerce
transacted online which continues to rise. These advancements however present
new challenges for risk management by financial institutions.

With increasing dependence on technology, financial institutions face new
risks of malicious actions by criminals and other malefactors. These actions
have the potential to disrupt the provision of services and also undermine the
confidentiality and integrity of a financial institution’s proprietary and customer
data. Such incidents can thus damage the reputation of a financial institution
and may undermine confidence in the financial system. A report by the Strategic
and International Studies Centre, “Net losses: Estimating the global cost of
cybercrime”, stated that the global economic losses resulting from cybercrimes
were estimated to be approximately USD375 billion annually. Cyber-attacks are
commonly motivated by financial gain but can also be driven by an aim to cause
disruption for social and political purposes. Following several high-profile cyber
security incidents in the financial sector, the management of cyber risks has
become an increasingly global concern.

A report on “Cyber resilience in financial market infrastructures” in November
2014 by the Committee on Payments and Market Infrastructure of the Bank for
International Settlements emphasised the complex and rapidly evolving nature
of cyber risks, and highlighted the increasing priority accorded to the effective
management of these risks. The report also recommended a more integrated
approach to cyber resilience, which will reduce recovery times in the event of
a successful cyber-attack, whilst enabling key functions of critical systems to
continue to operate.

In the European Union, the Joint Committee of the European Supervisory
Authorities has similarly called for authorities and financial market participants
to ensure that sufficient resources and attention are devoted to increasing the
financial system’s resilience against IT-related operational and cyber risks. BNM
recommended the following cybersecurity management elements:

Cybersecurity management

• Cyber risk management
• Cyber security operations
• Distributed denial of service
• Security operations centre
• Cyber response and recovery

Figure 7.18: Elements of a Cybersecurity Management

i. Cyber risk management – A financial institution must ensure that there is an
enterprise-wide focus on effective cyber risk management to reflect the collective
responsibility of business and technology lines for managing cyber risks.
Accordingly, a financial institution must develop a Cyber Resilience Framework
(CRF) which clearly articulates the institution’s governance for managing cyber
risks, its cyber resilience objectives, and its risk tolerance, with due regard to the
evolving cyber threat environment.

Objectives of the CRF shall include ensuring operational resilience against
extreme but plausible cyber-attacks. The framework must be able to support the
effective identification, protection, detection, response, and recovery (IPDRR) of
systems and data hosted on-premises or by third party service providers from
internal and external cyber-attacks.

The CRF must consist of, at a minimum, the following elements:

▶ Institutional understanding of overall cyber risk context.
▶ Identification, classification and prioritisation of critical systems, information,
assets, and interconnectivity.
▶ Identification of cybersecurity threats and countermeasures.
▶ Layered security controls to protect its data, infrastructure, and assets against
evolving threats.
▶ Timely detection of cybersecurity threats.
▶ Detailed incident handling policies and procedures and a crisis response
playbook.
▶ Policies and procedures for timely and secure information sharing and
collaboration with other financial institutions

ii. Cyber security operations – There should be clear responsibility and mitigating
measures for cybersecurity operations that correspond to the following phases
of the cyber-attack lifecycle:

1. Reconnaissance
2. Weaponisation
3. Delivery
4. Exploitation
5. Installation
6. Command and control
7. Exfiltration

Figure 7.19: Phases of Cyber Attacks

A financial institution should adopt the control measures on cybersecurity
to enhance its resilience to cyber-attacks. BNM specified the following control
measures on cybersecurity:

▶ Conduct periodic review on the configuration and rules settings for all security
devices.
▶ Use automated tools to review and monitor changes to configuration and
rules settings.
▶ Update checklists on the latest security hardening of operating systems.
▶ Update security standards and protocols for web services encryption regularly.
▶ Disable support of weak ciphers and protocol in web-facing applications.
▶ Ensure technology networks are segregated into multiple zones according to
threat profile.
▶ Ensure security controls for server-to-server external network connections.
▶ Ensure security controls for remote access to server.
▶ Ensure overall network security controls are implemented.
▶ Synchronise and protect the Network Time Protocol (NTP) server against
tampering.

iii. Distributed denial of services (DDoS) – In a DDoS attack, a targeted system is
disrupted by directing a large flow of traffic to overwhelm it, thereby denying
access by legitimate users. A network of compromised computers is directed to
simultaneously make repeated requests (such as for a particular web page) to
the system.

Distributed Denial of Service (DDoS) Attack on a Website

[Diagram: Attacker’s Computer → Internet → Computer 1, Computer 2, Computer 3 … Computer n → Internet → Webserver]

1. Attacker sends instruction to multiple computers.
2. Compromised computers execute instruction to make repeated webpage
requests.
3. Web server crashes when overloaded by request, rendering website
inaccessible to legitimate users.

Source: Bank Negara Malaysia

Figure 7.20: Distributed Denial of Services (DDoS) Attack on a Website

Experts estimate that the number of DDoS attacks worldwide has increased
by 20% over the last two years, averaging almost 3,000 incidents per day, of
which 43% were targeted at financial service providers. DDoS attacks have been
launched to disrupt customer access to the Internet banking portals of a number
of global banks for hours or even days at a time, preventing customers from
conducting online transactions.

Hence, a financial institution must ensure its technology
systems and infrastructure, including critical systems outsourced to or hosted by
third party service providers, are adequately protected against all types of DDoS
attacks (including volumetric, protocol and application layer attacks) through
the following measures:

▶ subscribing to DDoS mitigation services, which include automatic “clean
pipe” services to filter and divert any potential malicious traffic away from the
network bandwidth;
▶ regularly assessing the capability of the provider to expand network
bandwidth on-demand including upstream provider capability, adequacy of
the provider’s incident response plan and its responsiveness to an attack; and
▶ implementing mechanisms to mitigate against Domain Name Server (DNS)
based layer attacks.

iv. Data loss prevention (DLP) – Data loss prevention (DLP) is a set of tools and
processes used to ensure that sensitive data is not lost, misused, or accessed by
unauthorised users. DLP software classifies regulated, confidential, and business
critical data and identifies violations of policies defined by organisations or within
a predefined policy pack, typically driven by regulatory compliance such as the
Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry
Data Security Standard (PCI-DSS), or General Data Protection Regulation
(GDPR). Once those violations are identified, DLP enforces remediation with alerts,
encryption, and other protective actions to prevent end users from accidentally
or maliciously sharing data that could put the organisation at risk. Data loss
prevention software and tools monitor and control endpoint activities, filter data
streams on corporate networks, and monitor data in the cloud to protect data
at rest, in motion, and in use. DLP also provides reporting to meet compliance
and auditing requirements and identify areas of weakness and anomalies for
forensics and incident response.

The bank should establish a clear DLP strategy and processes in order to ensure
that client, counterparty, and proprietary information is identified, classified, and
secured. Banks should:

▶ Ensure that data owners are accountable and responsible for identifying and
appropriately classifying data
▶ Undertake a data discovery process prior to the development of data
classification scheme and data inventory
▶ Ensure that data accessed by third parties is clearly identified and policies are
in place to safeguard and control third party access.

• Data-in-Use – Data being processed by IT resources
• Data-in-Motion – Data being transmitted to network
• Data-at-Rest – Data stored in storage mediums such as servers, backup media
and databases

Figure 7.21: Scope of a DLP

In addition, banks should establish a security operations centre (SOC) to
enable the detection of anomalous user or network activities, flag potential
breaches and establish the appropriate response supported by skilled resources
based on the level of complexity of the alerts. The SOC should be able to perform
the following functions:

▶ Log collection and implementation of event correlation engine
▶ Provision of situational awareness
▶ Incident coordination and response
▶ Remediation functions
▶ Vulnerability management
▶ Threat hunting

Figure 7.22: Function of a Security Operation Centre
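
An event correlation rule of the kind a SOC runs over collected logs, as an added example that is not part of the study text: repeated failed logins followed by a success for the same user and source address. The log format, user names, addresses and default thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example (not a real product's format).
LINE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample events, in time order.
SAMPLE_LOG = """\
2022-06-27T08:00:00 auth result=FAIL user=ops02 src=198.51.100.7
2022-06-27T08:15:00 auth result=FAIL user=ops02 src=198.51.100.7
2022-06-27T08:30:00 auth result=FAIL user=ops02 src=198.51.100.7
2022-06-27T08:45:00 auth result=FAIL user=ops02 src=198.51.100.7
2022-06-27T09:00:00 auth result=FAIL user=ops02 src=198.51.100.7
2022-06-27T09:00:01 auth result=FAIL user=teller07 src=203.0.113.10
2022-06-27T09:00:02 auth result=FAIL user=teller07 src=203.0.113.10
2022-06-27T09:00:03 auth result=FAIL user=teller07 src=203.0.113.10
2022-06-27T09:00:04 auth result=FAIL user=teller07 src=203.0.113.10
2022-06-27T09:00:05 auth result=FAIL user=teller07 src=203.0.113.10
-- log rotated --
2022-06-27T09:00:09 auth result=OK user=teller07 src=203.0.113.10
2022-06-27T09:01:00 auth result=OK user=ops02 src=198.51.100.7
2022-06-27T09:02:00 auth result=FAIL user=clerk11 src=192.0.2.44
2022-06-27T09:02:10 auth result=FAIL user=clerk11 src=192.0.2.44
2022-06-27T09:02:20 auth result=OK user=clerk11 src=192.0.2.44
""".splitlines()


def parse(line):
    """Return (timestamp, result, user, src) or None for unparseable lines."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when at least `threshold` failures inside `window` precede a
    success for the same user and source. Expects lines in time order."""
    failures = defaultdict(deque)  # (user, src) -> recent failure times
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # skip noise instead of aborting the run
        ts, result, user, src = event
        recent = failures[(user, src)]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that aged out of the window
        if result == "FAIL":
            recent.append(ts)
            continue
        if len(recent) >= threshold:
            alerts.append({
                "time": ts.isoformat(),
                "user": user,
                "src": src,
                "failures": len(recent),
                "rule": "success after repeated failures",
            })
        recent.clear()  # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

With the defaults only the rapid burst against `teller07` raises an alert; widening `window` also catches the slow attempts against `ops02`, which is the trade-off a parameter-driven use case has to tune.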

v. Cyber response and recovery – A cyber response and recovery plan is a set
of instructions designed to help companies prepare for, detect, respond to,
and recover from network security incidents. Most of these cyber response
and recovery plans are technology-centric and address issues like malware
detection, data theft and service outages. However, any significant cyber-
attack can affect an organisation across functions in multiple ways, so the plan
should also encompass areas such as HR, finance, customer service, employee
communications, legal, insurance, public relations, regulators, suppliers, partners,
local authorities, and other outside entities.

There are industry standard incident response frameworks from organisations
such as National Institute of Standards and Technology (NIST) and System
Admin, Audit, Network, and Security (SANS) that provide general guidelines on
how to respond to an active incident. BNM, in its policy document requirements
on Risk Management in Technology (2020) stated that banks should establish
and implement a comprehensive Cyber Incident Response Plan (CIRP). The CIRP
must address the following:

• Preparedness – Clear governance, process and accountability of the Cyber
Emergency Response Team (CERT)
• Detection and Analysis – Effective and expedient process for identifying points
of compromise, assessing damage extent and preserving evidence for forensic
purposes
• Containment, Eradication and Recovery – Remedial actions to prevent or minimize
damage to the financial institution
• Post-incident Activity – Conduct post-incident review incorporating lessons
learned and develop long-term risk mitigants

Figure 7.23: The BNM Cyber Incident Response Plan (CIRP)

Technology audit
Technology audit involves the examination of the bank’s IT infrastructure,
applications, data use and management in accordance with the relevant policies
and procedures with respect to how the bank operates. Technology audit should
keep pace with the several disruptions that the banking industry is undergoing.
For example, the digitalisation of banking products and payment mechanisms
introduces new challenges for auditing banking transactions. The automation of
processes and controls requires enhancement in the audit process to be effective.
The importance shifts from focus on transactions to the overall soundness and
effectiveness of the cyber resilience framework.

Internal awareness and training


An important element in technology risk management is to ensure that there is
adequate internal awareness and training on the various cyber risk issues that
the banks face.

7.5 CRYPTOCURRENCY/BLOCKCHAIN

Blockchain and cryptocurrency have attracted a lot of interest from the financial markets
and institutional investors over the last few months. On 19 October 2021, the first US
futures-based Bitcoin ETF was launched, pushing bitcoin to trade at its highest
level of USD 66,000. This occurred less than a month after China’s central bank declared
all cryptocurrency transactions illegal.

Federal Reserve Chairman Powell announced that the Federal Reserve will issue a
consultation paper on whether it will issue its own digital currency as a response to
the technological developments viewed as one of the most significant innovations
of our lifetime. There is no universally recognised definition of crypto assets given
the evolving nature of these assets. There are, however, common features that
distinguish crypto assets from traditional asset classes.

• Digital/Virtual nature – Do not possess physical characteristics; stored and
traded electronically.
• Reliance on cryptography – Rely on cryptography or advanced mathematical
techniques to restrict transmission of data.
• Use of distributed ledger technology – Rely on distributed ledger technology
to administer and record information and data.

Figure 7.24: Common Features of Crypto Assets

Crypto assets are cryptographically verified to ensure that people trying to transmit
assets actually own the asset they are trying to send. Cryptography is the science of
secure communication that involves applying advanced mathematical techniques
to store and transmit data to the intended recipient. It involves taking information
and scrambling it in a way that only the intended recipient can understand and use
that information for its intended purpose.

[Diagram: Encryption – Key – Decryption]

Figure 7.25: Encryption to Decryption

Encryption involves the process of locking up information. Decryption is the process
of unlocking encrypted information. A key is a “secret” used to encrypt and decrypt
information. There are three examples of cryptographic tools: symmetric
encryption cryptography, asymmetric encryption cryptography and hashing.

i. Symmetric encryption cryptography - This relies on some digital key to create
and verify cryptographic signature data. This involves the use of a single key to
encrypt and decrypt. The single key is known by both the sender and the recipient.
ii. Asymmetric encryption cryptography - This relies on different keys and is also
known as public key cryptography. It uses two different keys to encrypt information.
Secret keys are exchanged over the network. The secret key is used to decrypt
information.
iii. Hashing - Used to verify integrity of data and involves converting data into a
unique string of text.
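
The three tools side by side, as an added example that is not part of the study text, using only the Python standard library. The hash and the shared-key tag are standard primitives (SHA-256, HMAC-SHA-256); the key pair is textbook RSA on small fixed primes without padding, an assumption made only to keep the example self-contained, and it must not be used to protect real data. The transaction text and function names are constructed.

```python
import hashlib
import hmac
import secrets


# Hashing: a fixed-length fingerprint; any change to the data changes it.
def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


# Symmetric: the same shared key creates and verifies the tag (HMAC-SHA-256).
def mac_create(shared_key, message):
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key, message, tag):
    return hmac.compare_digest(mac_create(shared_key, message), tag)


# Asymmetric: toy textbook RSA. P and Q are small, publicly known primes, so
# this key is trivially breakable; real keys are far larger and use padding.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key: given to every verifier
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: stays with the owner


def _digest_as_int(message, modulus):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message, private_exponent=D, modulus=N):
    """Only the holder of the private exponent can produce this value."""
    return pow(_digest_as_int(message, modulus), private_exponent, modulus)


def verify(message, signature, public_key=(N, E)):
    """Anyone holding the public key can check who authorised the message."""
    modulus, exponent = public_key
    return pow(signature, exponent, modulus) == _digest_as_int(message, modulus)


if __name__ == "__main__":
    tx = b"transfer 0.5 units from wallet-A to wallet-B"  # constructed sample
    forged = b"transfer 5.0 units from wallet-A to wallet-C"

    print("hash of tx      :", fingerprint(tx))
    print("hash of forged  :", fingerprint(forged))

    shared_key = secrets.token_bytes(32)  # known to sender and recipient
    tag = mac_create(shared_key, tx)
    print("MAC accepts tx     :", mac_verify(shared_key, tx, tag))
    print("MAC accepts forged :", mac_verify(shared_key, forged, tag))

    signature = sign(tx)  # produced with the owner's private exponent
    print("signature accepts tx     :", verify(tx, signature))
    print("signature accepts forged :", verify(forged, signature))
```

The signature check is the step that lets a network confirm the sender controls the asset being transferred: verifiers need only the public values, and a transaction altered after signing no longer verifies.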


Distributed ledger technology refers to the protocols and infrastructure that allow
computers in different locations to propose and validate transactions and update
records in a synchronised way across a network. To understand this revolutionary
technology, we should go back to the traditional distributed database. In a traditional
distributed database, multiple database files are located in different geographical
areas or sites. This allows multiple users to access and manipulate data in those
files.

Applications of crypto assets


Applications of crypto assets include payment and exchanges, investment or
securities and utility access.

• Payments and Exchanges – Can be used as means of payment or exchange.
• Investments/Securities – Can be used as source of investment/security by
providing the ability to speculate on change in the market value of the
crypto-asset. Used by some entities as a way to raise funds.
• Utility Access – Grant access to a current prospective product, application
or service.

Figure 7.26: Applications of Crypto Assets

Boxed Article–14

Central bank digital currency (CBDC) is a digital currency that is issued by central
banks on blockchain. CBDC may shift the digital currency value focus from store
of value to mode of payments. CBDC may address the scalability concerns that
users have on digital currencies.

Regulatory Approaches
Based on a recent BIS Survey, 86% of the central banks are actively studying the
potential of CBDC.

At the heart of the regulatory approach is how CBDC fits into the existing legal
framework. Can central banks issue their own digital currency? Fed Chairman
Powell adopts the view that congressional authorisation is required before the
Fed can issue their own currency.

Depending on the form, central banks may play a larger operational role where
instead of facing depositary institutions, central banks may have to face users
and merchants directly and maintain a ledger of all retail transactions.

Current monetary order is account based and identity driven and not token
based. How will CBDC find the right balance between ensuring privacy and
complying with existing rules on AMLA/FATCA/counter-financing rules?

Implications for Blockchain or Cryptocurrency Sectors

Bitcoin critics (Nouriel Roubini) claim that CBDC will pose an existential threat to
cryptocurrencies as users may view CBDCs as an efficient payment mechanism
and a more stable store of value.

Some, however, argue that CBDC could potentially increase the attractiveness
of virtual currencies as central banks are seen to play a larger operational role
and control more information on transactions that could raise serious privacy
concerns.

CBDC may result in disintermediation of banks as central banks face end users/
merchants directly. Will the central banks adopt a full-fledged CBDC, or will they
apply a two-tier private-public partnership system? If a two-tiered approach is
applied, this could lead to the rise of new crypto industries.

Risk management challenges


Like traditional risk exposures, crypto assets generate both financial and non-
financial risks.

Financial risk

• Liquidity risk – Crypto-assets may not be easily convertible to cash at little
or no loss of value (due to friction costs). Banks that accept crypto assets as
deposits may be subject to funding liquidity risk in times of stress.
• Market risk – High degree of volatility of crypto-assets may expose banks to
high market risk (i.e., susceptibility to bank’s earnings and capital due to
change in the value of the crypto-assets).
• Credit and counterparty risk – Direct: Banks who have crypto-assets are subject
to the credit risk of the crypto-asset issuer. Indirect: Banks’ lending to
entities that invest in crypto-assets or are engaged in crypto activities is
exposed to credit risk. However, probability of default is hard to assess and
measure.

Non-financial risk

• Cyber and operational risk – Investing in crypto-assets introduces some
heightened operational risks due to inherent technological vulnerabilities
from crypto-assets (cyber-attacks), network governance issues, etc.
• Legal risk – Uncertainties involving the legal status of crypto-assets expose
banks to legal risks (consumer protection, safeguarding of assets, anti-money
laundering, terrorist financing etc.)
• Reputational risk – Banks face reputational risk in the event of any losses
incurred by crypto-asset holders, misconduct by crypto providers or broader
network vulnerabilities.
• Third party risk – Banks that rely on third parties could be exposed to risk of
disruptions in operations and services.
• Implementation risk – Banks’ role within a crypto-asset ecosystem may require
internal changes in systems and controls

Figure 7.27: Financial and Non-Financial Risk from Crypto Assets.

7.6 FINTECH & RISK ARISING & MANAGEMENT

The financial technology (fintech) industry continues to invest in innovations
that create exciting new products and support evolving customer preferences.
Emerging technologies such as artificial intelligence, robotics, and machine learning
are increasingly the core elements of Fintechs’ product portfolios and customer
interactions. In addition, many Fintechs find themselves optimising their business
model by way of new products or services in response to customer needs, and in
their partnerships with more regulated firms (e.g., banks and insurance companies).
Evolving Fintech risk management functions are tasked with addressing the potential
exposures created by their innovation, partnerships, and ongoing financial and
regulatory market developments. Consistent with this, there is increasing pressure for
Fintech firms to elevate their risk management capabilities, including the development
of a responsive operational risk and compliance programme. As these capabilities
evolve, roles and responsibilities are being called out and delineated along a
more traditional “three lines of defence” financial services model. Fintech as defined by
the Financial Stability Board is:

“Technologically Enabled Financial Innovation That Could Result in New Business
Models, Applications, Processes, Or Products with an Associated Material Effect
on Financial Markets and Institutions and the Provision of Financial Services.”


The Basel Committee on Banking Supervision classified these innovations into two
groups: sectoral innovations and market support services.

Sectoral innovations
These are Fintech sectors that directly compete with the core products of banking.
Sectoral innovations can be divided into three main areas: credit, deposit and
capital-raising services; payments, clearing and settlement services; and
investment management services. These are traditionally the core banking
products/services.

Credit, deposit and capital-raising services
• Crowdfunding
• Lending marketplace
• Mobile banks
• Credit scoring

Payments, clearing and settlement services
Retail
• Mobile wallets
• Peer-to-peer transfer
• Digital currencies
• Private currencies
Wholesale
• Value transfer networks
• FX wholesale
• Digital exchange platforms

Investment management services
• High frequency trading
• Copy trading
• E-trading
• Robo-advice

Figure 7.28: The Sectoral Innovations

i. Crowdfunding – Crowdfunding is the practice of funding a project or venture
by raising money from a large number of people, where investors come in as part
owners of the venture being funded. It is often performed via internet-mediated
registries that facilitate money collection for the issuer.
ii. Lending marketplaces – Lending marketplaces refer to technology-driven
nonbank lending. These marketplaces use sophisticated algorithms to compete
with banks. These online lending platforms intermediate loans online and may be
operated by banks or non-banks. Online lender platforms can be classified into
two:

▶ Balance sheet lender – These are lenders who keep all or some of the loans
they originate.
▶ Platform lender – These are lenders who sell or securitise loans they originate.


iii. Mobile banks – Mobile banks refer to banking services that are conducted through
a mobile device (such as smartphones or tablets). Mobile banks are different from
online or internet banking in the sense that internet or online banking involves the
use of the bank’s website to conduct financial or banking transactions. Mobile
banking involves the use of a smartphone or tablet in performing banking activities.

Another variant of mobile banking is digital and virtual banking. Digital banking is
the digitalisation (or moving online) of traditional banking activities and services
from physical bank branches to online (to the internet). Digital banking is broader
than mobile banking. It pertains to the application of technology to every banking
activity and process. Virtual banking is different from digital banking in that virtual
banking exists only online with no branch offices.

iv. Credit scoring – Credit scoring is the use of statistical analysis that provides
an estimate of the probability that the credit applicant, existing borrower or
counterparty will default or will not be able to fulfil its obligations. The development
of artificial intelligence and machine learning has provided banks and non-banks with
more innovative approaches in assessing the credit risks of borrowers. In particular,
artificial intelligence has allowed lenders to take advantage of the ability of computers
to find complex patterns in large amounts of data and learn from experience.
v. Mobile wallet – A mobile wallet is an electronic account, denominated in a currency,
held on a mobile phone that can be used to store and transfer value. Mobile wallets
replicate a physical wallet in a digital interface on a mobile phone. Customers
can add credit and debit cards, gift cards, prepaid cards, and rewards cards.
This replaces physical plastic cards and allows those cards to be enhanced by
additional services.
vi. Peer-to-peer transfers – Peer-to-peer transfers use a website or a mobile app to
transfer funds from one person to another through linked bank accounts.
vii. Digital currencies – A digital currency is an asset that only exists electronically
and that can be used as a currency although it is not legal tender. Digital
currencies are underpinned by distributed ledger technology to record and verify
transactions made using the digital currency.
viii. Private currencies – Digital versions of national bank currencies. Central bank
digital currencies (CBDC) are a digital form of central bank money that is different
from balances in traditional reserve or settlement accounts.


[Figure: diagram classifying forms of money by four properties: digital, central bank
issued, widely accessible and token-based. Labelled forms: CB reserves and settlement
accounts; bank deposits; CB accounts (general purpose); CB digital tokens (wholesale
only); CB digital tokens (general purpose); private digital tokens (wholesale only);
private digital tokens (general purpose); cash. The legend marks which forms are CBDC.]

Figure 7.29. Digital Currencies

ix. Value transfer networks – Value transfer networks are payment systems,
exchanges, clearing houses and depositories that are key infrastructural links in
the transaction chain. These value transfer services refer to financial services that
involve the acceptance of cash, cheques, other monetary instruments or other
stores of value and the payment of a corresponding sum in cash or other form
to a beneficiary by means of communication, message, transfer, or through a
clearing network.
x. FX wholesale – FX wholesale refers to providing a full suite of currency products to
help institutional or high net worth clients manage currency risk, design hedging
strategies, automate FX transactions and process international payments.
xi. Digital exchange platforms – Digital exchange platforms allow the exchange of
one digital currency for another (whether digital or fiat currency). They work in a
way very similar to a stock exchange, except for the underlying assets traded on the
platform.
xii. High frequency trading – Automated trading refers to electronic trading using
algorithms at some stage in the trade process. This is also commonly referred to
as algorithmic trading. Algorithmic trading can be divided into two types:


Execution – A human trader decides to trade but uses an electronic programme to
execute the trade. This is often applied for larger orders.

Decision-Making – The firm develops a model to initiate a trade based on certain key
input parameters (for example, order book imbalance, momentum, correlations, mean
reversion and systematic response to economic data or news). Once a trade decision
has been made, the algorithm also executes the trade.

Figure 7.30: High Frequency Trading

High frequency trading (HFT) is a subset of automated trading. Automated
trading is the use of algorithms in electronic trading at some stage in the trading
process. High frequency trading is a subset of algorithmic decision-making where
earnings are generated from a large number of small-size, small-profit trades. One
of the important characteristics of HFT is the high speed at which it detects and
acts on profitable opportunities in the market. As speed is of the essence, huge
investment in IT systems and infrastructure is needed.

xiii. Copy trading – Copy trading allows investors to trade by automatically copying
another investor’s trades. Copy trading involves setting a proportion of funds to
execute the trades of the copied trader from the allotted funds. Copy trading is a
feature in a broker platform that allows users to see what other traders are trading
in real time.
xiv. E-Trading – E-trading refers to a software programme that allows one to place
orders for financial products.
xv. Robo-advice – Robo advisers are applications that combine digital interfaces and
algorithms (and can also include machine learning) in order to provide services
ranging from automated financial recommendations to contract brokering to
portfolio management to their clients, with limited or no human intervention. Robo
advisers provide investment management services at a lower cost compared to
traditional investment advisory. This is because advisory services provided by
robo advisers are based on automated algorithms. In contrast, human advisers
are generally more expensive due to the labour-intensive nature of personal
investment advisory. These fees may be charged in the form of commissions or a flat
fee. Another cost consideration is the indirect cost of psychological misjudgement
in investing. There is a plethora of empirical evidence about investment mistakes
committed by human investors as a result of cognitive and behavioural biases.
This is the reason why it is commonly observed that in many markets, while
investments tend to perform well over the long term, investors do not.


Market support services

Market support services relate to innovations that are not specific to the financial
sector but also play a significant role in financial developments. Examples of
these market support services are:

• Portal and data aggregators
• Ecosystems (infrastructure, open source and APIs)
• Data applications (big data analysis, machine learning, predictive modelling)
• Distributed ledger technology
• Security
• Cloud computing
• Internet of things
• Artificial intelligence

Figure 7.31: Market Support Services

The Basel Committee on Banking Supervision enumerated five possible scenarios
for banks in the context of a changing innovative environment:

Scenario: Better bank

About: This is the scenario when incumbents revamp legacy with a modern digital client
interface. The incumbents in this scenario digitise and modernise themselves to
retain customer relationships and core banking services, leveraging enabling
technologies to change their current business models.

Risk implications: According to the BCBS, the key risk under the better bank scenario
is the execution risk related to the banks’ ability to manage and effectively
implement both the technology and business processes, including the strategic and
profitability risk implications.
It is expected that some aspects of operational risk will benefit from better banking
processes. However, operational risk may also increase due to the potential evolution
of the sophistication of cyber risk attacks and reliance on outsourcing.

Scenario: New bank

About: This is the scenario when new banks build for an enhanced digital customer
experience. This is the scenario where challenger banks replace incumbent banks.
These challenger banks are technology driven and are referred to as neo-banks.
Neo-banks are unencumbered by legacy infrastructure and are able to leverage
technology at a lower cost.
Neo-banks make extensive use of technology in order to offer retail banking services
predominantly through a smartphone app and internet-based platform.

Risk implications: This scenario would mean that incumbent banks will lose market
share to new banks who are able to gain significant scale. This will potentially
result in lower profitability for incumbent banks and could threaten the ability of
incumbent banks to continue to operate as a going concern.

Scenario: Distributed bank

About: In a distributed bank scenario, financial services are fragmented among
specialised fintech firms and incumbent banks. Financial services are modularised,
with incumbents looking for a niche to survive.
In this scenario, banks and fintech companies operate a joint venture or
partnership. Examples of such arrangements are:
• Lending platforms partner and share with banks the marketing of credit products.
• Innovative payment systems (see the Goldman Sachs and Apple partnership).
• Robo-advisor services provided by fintech firms through a bank.

Risk implications: In this scenario, the key risk is in the management of end-to-end
transactions across one or multiple parties. A key risk here is how to ensure that
third party risk management processes are well established.
With Fintech companies as service providers or business partners to banks, processes
should be in place to ensure protection of client data and that appropriate due
diligence and onboarding requirements are done.
A key issue for risk management to consider is how effective risk management will be
in the context of distributed service architecture.

Scenario: Relegated bank

About: In this scenario, incumbent banks become commoditised service providers and
customer relationships are owned by new intermediaries.
Incumbent banks are used for their banking license to provide core commoditised
banking services such as lending and deposit taking.

Risk implications: In this scenario, banks become back-office providers for front
office customer-facing platforms, where banks provide the license and access to
payment networks, maintain deposits and provide access to funding.
This will mean that the customer relationship will be outside the control of the bank
and may significantly affect the effectiveness of risk management to fulfil their
mandate.

Scenario: Dis-intermediated bank

About: In this scenario, banks have become irrelevant as customers interact directly
with individual financial service providers. In this scenario, the need for balance
sheet intermediation or for a trusted third party is removed. Banks are displaced
from customer financial transactions.
Customers may have a more direct say in choosing the services and the provider rather
than sourcing such services via an intermediary bank.

Risk implications: While unlikely, in the disintermediated scenario, banking
activities take place outside the regulatory framework.

Figure 7.32: BCBS Scenario for Banks

7.7 ARTIFICIAL INTELLIGENCE/MACHINE LEARNING/ROBOTICS PROCESS AUTOMATION (RPA)

The many kinds of artificial intelligence (AI) can be overwhelming.
However, it is important to understand the different types of AI, as this helps
identify the opportunities and threats that AI poses to the banking business model.
There are two types of artificial intelligence:

i. Expert systems – These are the earliest forms of artificial intelligence and are
rule-based (for example, if A, then B). A human programmer anticipates all possible
answers, and the machine follows a set of rules to determine
its actions. An example of an expert system is a chatbot. The chatbot follows a
predefined set of rules and responds accordingly.
ii. Machine learning – Machine learning is more sophisticated than expert systems
in that it learns from data and becomes more accurate as more data is fed into
the system. Machine learning has progressed over the past decade as large
quantities of data are generated from internet usage. Technologies such as facial
recognition and self-driving cars are made possible by machine learning.

The explosion of data is what resulted in breakthroughs in machine learning. There
are two types of data: structured data and unstructured data. Expert systems can
only take highly structured data. This is where machine learning comes in strongly.
Machine learning can take both structured and unstructured data. Renowned
banking futurist Brett King, in his book Bank 4.0: Banking Everywhere, never
in a Bank, enumerated the distinct phases of how artificial intelligence will affect
banks:


i. Algos and Machine Intelligence (AMI) – This is the phase where some elements
of human decision-making are replaced with basic machine learning or
algorithm-based cognition. This is essentially the replacement of some elements
of human thinking or processing with algorithms. For example, when it comes
to credit decision-making, instead of having a human credit officer, this will be
replaced with credit risk assessment algorithms.
ii. Artificial General Intelligence (AGI) – AGI refers to the system where the machine
is capable of thinking with flexibility just like a human being. This means that the
system is able to confront and adjust to uncertain situations. This essentially
means that the AI would be capable of performing any task that a human being
could.
iii. Hyperintelligence – Hyperintelligence or Strong AI means that machine intelligence
has surpassed human intelligence on an individual or collective basis and can
understand and process concepts that humans cannot.

7.8 API BANKING

The widespread adoption of mobile banking led to innovation in financial products
and services. Customers explicitly grant third-party firms permission to access
personal banking data in order to obtain other services. This development, where
a customer grants a third party permission to access their data directly or indirectly
(through a bank) to allow these firms to build new applications and services, is also
referred to as open banking.

[Figure: types of third party: tax preparers and accountants, financial advisors,
payment fund transmitters, and data aggregators.]

Figure 7.33: Third Party Access

Data aggregators and payment service providers are the most common types of
third-party entities that access customer-permissioned data. Data aggregators
are affiliated and/or third-party entities that collect data, including
customer-permissioned data. An application programming interface (API) is a set of
rules and specifications for software programmes to communicate with each other,
which forms an interface between different programmes to facilitate their interaction.
The objective of these rules and specifications is to facilitate information exchange.
Below are the different types of APIs:


i. Open API – This is an interface that provides a means of accessing data based on
a public standard. This is also known as external or public API.
ii. Internal/Closed API – This is an interface that provides a means of accessing
data based on a private standard.
iii. Partner API – This is an API created with one or two strategic partners who will
create applications, add-ons, or integrations with the API.

Open banking and the expanded use of APIs are expected to impact payment,
lending, investment products and services and account services. Open banking
introduces unique risk management challenges that banks should be aware of.
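
As an added illustration of the customer-permissioned access described in this section (not part of the study text), the example below shows a bank-side, deny-by-default check that a third party's API request falls within a consent the customer granted and that the consent is unexpired and unrevoked. The consent fields, scope names, reason codes and sample records are assumptions constructed for the example.

```python
"""Deny-by-default check of customer-permissioned access in open banking.

All names, scope strings and sample records are constructed for illustration;
they are not taken from any bank, regulator or API standard.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Consent:
    """One permission a customer granted to one third party."""
    customer_id: str
    third_party_id: str
    scopes: frozenset          # hypothetical scope names, e.g. "accounts:read"
    expires_at: datetime
    revoked: bool = False


@dataclass(frozen=True)
class AccessRequest:
    """What a third party asks the bank's API for."""
    third_party_id: str
    customer_id: str
    scope: str


def authorize(request, consents, now):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    candidates = [c for c in consents
                  if c.customer_id == request.customer_id
                  and c.third_party_id == request.third_party_id]
    if not candidates:
        return False, "no_consent_on_file"
    failures = set()
    for consent in candidates:
        if consent.revoked:
            failures.add("consent_revoked")
        elif now >= consent.expires_at:
            failures.add("consent_expired")
        elif request.scope not in consent.scopes:
            failures.add("scope_not_granted")
        else:
            return True, "ok"
    # Report the failure of the consent that came closest to permitting access.
    priority = ("scope_not_granted", "consent_expired", "consent_revoked")
    return False, next(r for r in priority if r in failures)


def audit(requests, consents, now):
    """Evaluate each request and return records suitable for an audit trail."""
    records = []
    for req in requests:
        allowed, reason = authorize(req, consents, now)
        records.append({"third_party": req.third_party_id,
                        "customer": req.customer_id,
                        "scope": req.scope,
                        "allowed": allowed,
                        "reason": reason})
    return records


def denials_by_third_party(records):
    """Count denied requests per third party, a simple third-party risk signal."""
    counts = {}
    for rec in records:
        if not rec["allowed"]:
            counts[rec["third_party"]] = counts.get(rec["third_party"], 0) + 1
    return counts


# Constructed sample data (not real customers, firms or scopes).
UTC = timezone.utc
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=UTC)
SAMPLE_CONSENTS = [
    Consent("cust-001", "aggregator-A",
            frozenset({"accounts:read", "transactions:read"}),
            datetime(2024, 6, 30, tzinfo=UTC)),
    Consent("cust-001", "payments-B", frozenset({"payments:initiate"}),
            datetime(2023, 12, 31, tzinfo=UTC)),               # already expired
    Consent("cust-002", "aggregator-A", frozenset({"accounts:read"}),
            datetime(2024, 6, 30, tzinfo=UTC), revoked=True),   # withdrawn
]
SAMPLE_REQUESTS = [
    AccessRequest("aggregator-A", "cust-001", "transactions:read"),
    AccessRequest("aggregator-A", "cust-001", "payments:initiate"),
    AccessRequest("payments-B", "cust-001", "payments:initiate"),
    AccessRequest("aggregator-A", "cust-002", "accounts:read"),
    AccessRequest("advisor-C", "cust-001", "accounts:read"),
]

if __name__ == "__main__":
    trail = audit(SAMPLE_REQUESTS, SAMPLE_CONSENTS, NOW)
    for rec in trail:
        print(rec)
    print(denials_by_third_party(trail))
```

The denial counts per third party give risk management a simple signal for the third-party and data-protection exposures that open banking introduces.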

7.9 CLIMATE RISK

The importance of climate risk has rapidly evolved over time. In a report published by
the GARP Institute entitled “Climate Risk Management at Financial Firms: Challenges
and Opportunities”, the author noted how appreciation of climate risk has changed
over time. In the past, climate risk was seen as a reputational risk that could be managed
using the environment, social and governance (ESG) framework of banks. In
recent years, climate risk has come to be viewed as a financial risk that must be
incorporated in the bank’s overall risk management framework. Climate risk arises
from two main channels: physical risk and transition risk. Physical risk arises from
climate and weather-related events. The changes in the physical environment will
create physical risks that will impact individuals, businesses and economies and are
expected to have direct and indirect impacts for banks. Transition risk is the risk
arising from the process of adjusting toward a lower-carbon economy. The adjustment
to comply with new policies, laws, and regulations with respect to climate change can
trigger a reassessment of existing assets and investments. This can affect the
portfolio of loans or investments of the bank.

Boxed Article–16

In a study entitled “Financial Management of Flood Risk” published by OECD, it
was noted that in countries where homeowners or businesses maintain low levels
of insurance protection against floods, a significant flood event could lead to an
increase in defaults on mortgages, other consumer loans and/or commercial
loans if debtors are faced with direct or indirect losses that are beyond their
capacity to absorb.

Source: Financial Management of Flood Risk, OECD 2016

Climate risk is a relatively new risk, but it can be understood in the context of other
financial risks that banks are more used to. Below is a helpful example of climate
risk mapping according to different risk types:

Climate risk: Extreme weather events
Description:
• Disruption to the companies’ own operations and supply chain and to their
  respective counterparties.
• Physical damage to real estate and physical assets affecting collateral value.
• Heightened risks to infrastructures built in affected regions.
• Impact on counterparties’ business viability, particularly for those with
  inadequate insurance.
Related risk types: Operational and credit risk

Climate risk: Rising sea levels
Description:
• Homes and commercial properties in flood-prone areas may become uninsurable.
Related risk types: Operational and credit risk

Climate risk: Changes in temperature
Description:
• Longer term effects on tourism revenues.
• Impact on mortality rate for countries affected by climate change.
Related risk types: Operational and credit risk

Climate risk: New laws
Description:
• Costs required to adapt to the new regulatory environment may make some firms,
  assets, and industries not viable.
Related risk types: Credit and reputational risk

Climate risk: Changes in consumer tastes and preferences
Description:
• Shifts in consumer taste could quickly disrupt traditional business models.
Related risk types: Credit and reputational risk

Climate risk: Class action and legal cases
Description:
• Firms seen as contributing to climate change or associated environmental damage
  may face legal action.
Related risk types: Legal and reputational risk

Climate risk: Failure to identify and disclose relevant risks
Description:
• Material risks that are not disclosed may invite scrutiny of investors,
  regulators, and other stakeholders.
Related risk types: Legal, regulatory and reputational risk

Figure 7.34: Climate Risk


SUMMARY

• Cyber risk is defined as the risk of financial loss, disruption or reputational damage
arising from failure, unauthorised access, or erroneous use of its IT systems.

• Bank Negara Malaysia issued a document entitled Risk Management in Technology
(RMIT) which provides comprehensive policy guidance on governance, technology
risk management, technology operations management, cybersecurity management,
technology audit and internal awareness and training.

• Banks face tremendous threats from the fast-growing evolution of fintech,
which could affect the business models of these banks. These technologically enabled
financial innovations may result in new business models, applications, processes, or
products with material impact on incumbent business models.

• These innovations are wide-ranging, from sectoral innovations (credit, deposit and
capital raising services, payments, clearing and settlement services and investment
management services) to market support services.

• There are a few scenario outcomes for banks:
▶ Better bank: where banks’ processes are improved, and incumbent players’ banking
services are digitised
▶ New bank: where incumbent banks are replaced by challenger banks
▶ Distributed bank: where financial services are fragmented among specialised
fintech firms and incumbent banks
▶ Relegated bank: where incumbent banks become commoditised service providers
and customer relationships are owned by new intermediaries
▶ Disintermediated banks: where banks become irrelevant as customers interact
directly with individual financial service providers


END OF CHAPTER PRACTICE QUESTIONS

1. This is a scenario where machines can do all the things that human beings can do.
A. Algos
B. Machine learning
C. Artificial general intelligence
D. Hyperintelligence

2. Which of the following statements is false?
A. There is a reliable centralised ledger similar to how credit card companies facilitate
transactions
B. Bitcoin relies on a network of decentralised nodes with no built-in central authority
C. Bitcoin can be used to purchase goods and services
D. Any transaction that can be done online or any credit card transaction can potentially
be facilitated by bitcoin

3. The International Maritime Organisation (IMO) imposed stringent fuel standards that can
affect the shipping industry. From the bank perspective, this is an example of ______.
A. Direct physical risk
B. Indirect physical risk
C. Direct transition risk
D. Indirect transition risk

4. Which of the following is an example of physical direct climate change risk?
A. Impairment of coal projects as a result of transition to carbon economy
B. Flooding which impairs the value of collateral held against real estate loans
C. Higher fuel cost of borrower due to carbon economy transition
D. Disruption in supply chain caused by flooding could affect operations of one borrower
client

5. This is a scenario where banks build for enhanced digital franchise and where challenger
banks replace incumbent banks.
A. Better bank
B. New bank
C. Distributed bank
D. Relegated bank


6. This refers to banking services existing only online with no branch offices.
A. Internet banking
B. Mobile banking
C. Digital banking
D. Virtual banking

7. This happens when attackers insert themselves in a two-party transaction and, once the
attackers interrupt the traffic, they can filter and steal data.
A. Denial of service attack
B. Distributed denial of service attack
C. Man in the middle attack
D. Phishing

8. This refers to the overall technical design and high-level plan that describes the bank’s
technology infrastructure, systems’ interconnectivity, and security controls.
A. Enterprise architecture framework
B. IT infrastructure
C. IT systems
D. Technology project management

9. Mobile banking is an example of:
A. Payments, clearing and settlement services
B. Investment management services
C. Credit, deposit, and capital raising services
D. All of the above

10. This is an interface that provides a means of accessing data based on a public standard.
This is also known as external or public API.
A. Open API
B. Internal API
C. Closed API
D. Partner API

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. C 2. A 3. D 4. B 5. B 6. D 7. C 8. A 9. C 10. A

CHAPTER 8
TRADED/MARKET RISK

8. TRADED/MARKET RISK

Learning Outcomes

At the end of the chapter, you will be able to:

• Understand the sources of market risk and principles used to manage it.

Key Topics

In this chapter, you will be able to read about:

• Definition of market risk
• Types of market risks
• Market risk measurement
• Bank trading: Roles and strategies
• Pre-VAR market risk measurement
• VAR
• VAR calculation methodologies
• Expected shortfall
• Credit value adjustment (CVA)
• Settlement and pre-settlement risk
• Netting close out and ISDA/CSA

Assessment Criteria

During the exam, you will be expected to:

• Explain the market risk management process.
• Identify the types of market risk exposures.
• Explain the parameters and limitations of common market risk measurement and
monitoring tools.

8.1 DEFINITION OF MARKET RISK

Market risk is the risk of losses arising from changes or movements in prices of
financial instruments such as bonds, currencies, equity, and commodities.


[Figure: market risk and its types: credit spreads, foreign exchange, equity prices,
commodity prices, and interest rate/profit (Islamic rate).]

Figure 8.1: Types of Market Risk

Banks are required to set aside capital to cover for the risk of losses arising from
taking market risk positions under the market risk framework.

8.1.1 Trading Book Vs Banking Book – Review Changes in Line With the Accounting Standards Changes

From a regulatory perspective, positions in financial instruments can be
found in either the trading book or the banking book. Financial instruments found in
the trading book are subject to the market risk capital framework, whereas
instruments found in the banking book are subject to the credit risk capital
framework. Given this, it is important to establish a clear boundary on which
book each product should be designated to.

Prior to the 2008 crisis, the boundary between trading book and banking
book was largely intent-based. This increased the incentive for many banks to
arbitrage regulatory capital requirements. Under the new Basel framework, a
financial instrument is generally considered a trading book exposure if the
instrument is:

• Held for short-term resale.
• Held to profit from short-term price movements.
• Held to lock in arbitrage profits.
• Held to hedge risks arising from instruments meeting the first three above.


Examples of trading book exposures are:

• Instruments accounted for as fair value through profit and loss under IFRS 9.
• Instruments held for market making activities.
• Equity investments in a fund that can be separately identified.
• Listed equities.
• Trading-related repo style transaction.
• Options including embedded derivatives from instruments that the
institution issued out of its banking book that relate to credit or equity risk.

Instruments that do not qualify under the four categories above would form
part of the banking book exposure. Examples of instruments that will form
part of banking book exposures are:

• Unlisted equities.
• Instruments designated for securitisation warehousing.
• Real estate holdings.
• Retail and SME credit.
• Equity investments in a fund.
• Hedge funds.
• Derivative instruments and funds that have the same underlying as above.
• Instruments held for the purpose of hedging any of the items above.

8.1.2 Daily Valuation

After each trade is made, traders are required to calculate profits and losses
from the trading position on a regular basis. This is done by comparing the
fair value of the current trading position with the previous day’s price. Changes
in the fair value of the trading position are recognised either in the bank’s
profit or loss (P&L) or in other comprehensive income (OCI – an equity account).

This process is called mark-to-market. Mark-to-market is an important risk
management tool to ensure that management is updated on a regular basis
on the performance of the trading position. This allows management to
decide whether to increase or decrease the risk position on a timely basis. In
most cases, this simply involves getting the last reported trade price and
comparing it against the previous day’s price. However, this is based on the
assumption that recent transaction prices are readily available. The problem
is that, for some market risk exposures, transaction prices are not readily
available. It is, therefore, important to understand the concept of different
levels or hierarchy of market prices.


| Level | Different levels of market prices | Examples |
|---|---|---|
| Level 1 | Quoted prices in active markets for assets or liabilities that the entity can access at the measurement date. | Price of a security (for example, equity security listed in a recognised stock exchange). |
| Level 2 | Inputs other than quoted prices included within Level 1 that are observable for the asset or liability, either directly or indirectly. | The use of a valuation model (for example, the Black-Scholes model) to price an option contract whose features are customised to meet the client requirements. |
| Level 3 | Unobservable inputs for the asset or liability. | Unlisted equity securities that are valued using a discounted cash flow approach based on a range of input estimates. |

Figure 8.2: Fair-Value Hierarchy

Mark-to-market accounting refers to the process of recognising financial
instruments at fair value, with any changes in the fair value reflected in
either the income statement (profit or loss) or the balance sheet (equity). The
process of mark-to-market accounting introduces volatility to the banks’
balance sheet. In the 2008 global financial crisis, it was observed that
mark-to-market accounting introduced undue volatility to many banks’
profitability and capital. Some believed that this volatility caused the market
to panic and in turn exacerbated the crisis.

8.2 TYPES OF MARKET RISKS

The different types of market risks include foreign exchange, interest rate, equity
price, commodity price and market risk associated with option position, such as the
volatility risk and gamma risk.


8.2.1 Foreign Exchange Risk

Banks are exposed to foreign exchange risk in two ways, directly and indirectly.
Direct foreign exchange rate risk exposure arises from the mismatch between
the bank’s foreign currency denominated assets and foreign currency
denominated liabilities. The bank is also exposed through foreign currency
translation of its investments in foreign subsidiaries or affiliates. These
exposures are the easiest to identify and to hedge.

Foreign currency denominated assets             XXX
Foreign currency denominated liabilities       (XXX)
Net foreign exchange risk exposure*             XXX

*Note: in practice this should be net of foreign currency hedges applied by the
organisation.

Figure 8.3: Foreign Exchange Exposures

Banks are also exposed to indirect foreign exchange risk. For example, a bank
may have a lending exposure to a borrower whose ability to repay their debt
obligations would depend on the prevailing foreign exchange rate. These
indirect foreign exchange rate exposures are not explicit and require
second-level analysis.

Boxed Article–1

ECB Concerns Grow Over EU Banks’ Turkey Exposure as Lira Slides

As the Turkish currency has weakened throughout the year (lost 35 percent
against the dollar in 2018), the ECB expressed concerns that Turkish
borrowers might not be hedged against the Lira’s weakness and begin to
default on foreign currency loans, which make up about 40 percent of the
Turkish banking sector’s assets.

Source: Financial Times, 18 August 2018


Figure 8.4: Basic Fx Information Portal

8.2.2 Interest Rate Risk

Interest rate risk arises from the changes in the fair value of financial
instruments arising from changes in interest rates. The fair value or price of
any fixed income security is equal to the present value of expected cash flows
discounted at the discount rate (i).

$$\text{Price of fixed income securities} = \sum_{t=1}^{n} \frac{\text{Coupon}_t}{(1+i)^t} + \frac{\text{Principal}}{(1+i)^n}$$

Discount rate (i) increases → Price goes down
Discount rate (i) decreases → Price goes up

Figure 8.5: Price of Fixed Income Securities

Discount rate (i) represents the opportunity cost of money. If discount rate
goes up and expected cash flows stay the same, the price or fair value of any
fixed income security goes down. The discount rate is equal to the risk-free
rate plus the credit spread. Risk-free rate (benchmark rate) is the interest
rate that the investor expects from an instrument that has no credit risk. The
risk-free rate is usually the benchmark government security yield from the
government’s local currency issuance as in theory, the government cannot
default on its own obligations issued in its own currency.


Boxed Article–2

Conventional wisdom is that sovereign debt in local currency is safer than
sovereign debt in foreign currency. In fact, sovereign debt in local currency
is automatically rated higher than debt in foreign currency. In a paper
published by the BIS (BIS Working Paper No. 709), the authors investigate
whether the credit risk of sovereign debt differs depending on whether it is
issued in local or foreign currency. In the paper, the authors were able to
find that the risk of sovereign debt issued in local currency is lower than
in foreign currency.

However, the gap has narrowed over time especially for countries where:
• Foreign currency reserves are higher
• Foreign borrowing is lower
• Banks hold more government debt
• Less global volatility

There is no evidence for the widely held view that sovereign debt issued
in local currency is safer because sovereigns are more likely to inflate
away their local debt (i.e., by printing more money).

Rising interest rates cause prices of issued bonds to fall. This is because cash
flows from these securities are fixed (interest and principal). As interest
rates go up, the attractiveness of these fixed cash flows declines compared
to when they were first issued; therefore, the price goes down.

[Diagram: Interest rates and Price moving in opposite directions]

Figure 8.6: Inverse Relationship Between Interest Rates and Price

Falling interest rates cause prices of issued bonds to rise. This is because cash
flows from these securities are fixed (interest and principal). As interest
rates go down, the attractiveness of these fixed cash flows increases compared
to when they were first issued; therefore, the price goes up.


| Direction | Impact on Price |
|---|---|
| Coupon > Current Interest Rate (yield) | Premium |
| Coupon = Current Interest Rate (yield) | Par Value |
| Coupon < Current Interest Rate (yield) | Discount |

Figure 8.7: Price and Yield - Discount vs. Premium

If coupon is greater than the current interest rate, the price of the fixed income
security will trade above the par value or will trade at a premium (above 100).
If coupon is equal to the current interest rate, the price of the fixed income
security will trade at par value (equal to 100). If coupon is below the current
interest rate, the price of the fixed income security will trade below the par
value or at a discount (below 100).

Figure 8.8: Global Bond Markets

As can be seen above, the security issued by the UK Government (maturing in
2030) is trading at 146.469 (significantly above the par value). This is because
the coupon is at 4.75% while the yield of the security (current interest rates)
is at 0.301%. The higher coupon makes the bond more attractive than if this
security were issued today. Hence, the bond trades at a significant premium
over the par value. On the other hand, the bond issued by Spain is trading at a
discount. The bond is trading at 94.758 (below par value). This is because the
current required yield of the bond is at 1.055% while the coupon of the bond is
at 0.75%. Hence, the price decreases to below 100.
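
The pricing formula and the premium/par/discount rule above can be checked with a short calculation. This is an added example, not part of the study text: it assumes annual coupons and exactly 10 years to maturity for both bonds (the text gives neither the payment frequency nor the settlement date, so the results are not expected to reproduce the quoted market prices), and the function names are hypothetical.

```python
"""Fixed income pricing: present value of coupons plus principal."""


def bond_price(coupon_rate, discount_rate, years, face=100.0):
    """Price = sum_{t=1..n} Coupon/(1+i)^t + Principal/(1+i)^n (annual coupons)."""
    if discount_rate <= -1.0:
        raise ValueError("discount rate must be greater than -100%")
    if years < 1:
        raise ValueError("years must be at least 1")
    coupon = face * coupon_rate
    pv_coupons = sum(coupon / (1.0 + discount_rate) ** t
                     for t in range(1, years + 1))
    pv_principal = face / (1.0 + discount_rate) ** years
    return pv_coupons + pv_principal


def classify(price, face=100.0, tol=1e-6):
    """Label a price as trading at a premium, at par, or at a discount."""
    if price > face + tol:
        return "premium"
    if price < face - tol:
        return "discount"
    return "par"


def implied_yield(price, coupon_rate, years, face=100.0,
                  lo=-0.5, hi=1.0, tol=1e-12):
    """Recover the discount rate from a price by bisection.

    Bisection works because price falls monotonically as the rate rises,
    which is the inverse relationship described in the text.
    """
    if not bond_price(coupon_rate, hi, years, face) <= price \
            <= bond_price(coupon_rate, lo, years, face):
        raise ValueError("price is outside the searchable yield range")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if bond_price(coupon_rate, mid, years, face) > price:
            lo = mid   # model price too high, so the rate must be higher
        else:
            hi = mid
    return (lo + hi) / 2.0


# Coupon and yield figures are the ones quoted in the text; the 10-year
# maturity and annual coupon frequency are assumptions made for this example.
EXAMPLES = [
    ("UK, coupon 4.75%, yield 0.301%", 0.0475, 0.00301, 10),
    ("Coupon equal to yield (4.75%)", 0.0475, 0.0475, 10),
    ("Spain, coupon 0.75%, yield 1.055%", 0.0075, 0.01055, 10),
]

if __name__ == "__main__":
    for label, coupon_rate, rate, years in EXAMPLES:
        price = bond_price(coupon_rate, rate, years)
        print(f"{label:36s} price {price:8.3f}  {classify(price)}")

    # Inverse relationship: reprice the same 4.75% bond as rates rise.
    for rate in (0.00301, 0.01, 0.02, 0.0475, 0.06):
        print(f"yield {rate:7.3%} -> price {bond_price(0.0475, rate, 10):8.3f}")
```
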


8.2.3 Equity Price Risk

Equity (also known as stocks) is a type of financial asset issued by a corporation
that represents a proportionate ownership interest in that company’s net
assets. Investments in equity securities are accounted for in three different
ways depending on the extent of control or significant influence exercised by
the investor on the company:

| Classification | Ownership interest | Accounting treatment |
|---|---|---|
| Investment in equity securities | No significant influence (for example, less than 20% ownership) | Mark-to-market (except for unquoted equity securities). Two alternative treatments: fair value through profit or loss; fair value through other comprehensive income (equity account). |
| Investment in associates | With significant influence but no control (for example, more than 20% ownership interest but with no control) | Equity method (at initial investment cost with adjustments for proportionate share in earnings and return of capital). |
| Subsidiary | Control (for example, more than 50% ownership interest) | Consolidation method |

Figure 8.9: Accounting Classifications of Equity Ownership

Of the three equity investment classifications, the market risk concern is
only with those equity investments that fall under investment in equity
securities (i.e., securities), where the entity has no significant influence
on the company and the investment is generally held to take advantage of
short-term price movements.


Figure 8.10: Major Stock Indices

8.2.4 Commodity Price Risk

Commodities are undifferentiated products that are fungible and
interchangeable. These are generally the raw materials in the products that
we use. Commodities can be classified into:

i. Hard commodities – These are commodities that are non-perishable.
Examples are metals such as gold, copper and tin.
ii. Soft commodities – These are perishable commodities. Examples are
agricultural products such as soybean and wheat.

There are six main categories of commodities:

| Energy | Agricultural | Precious Metals | Base Metals | Ferrous Metals | Livestock |
|---|---|---|---|---|---|
| Crude oil | Crude oil | Gold | Aluminium | Steel | Feeder Cattle |
| LNG | LNG | Silver | Copper | Iron Ore | Live Cattle |
| Gas | Gas | Platinum | Nickel | | Lean Hogs |
| Electricity | Electricity | | | | |

Figure 8.11: Types of Commodities


Commodity prices tend to be more volatile than other underlying asset
classes as in the short run both demand and supply are inelastic. This means
that a change in the price does not significantly affect both supply and
demand at least for the short term.

Figure 8.12: Commodity Markets

8.2.5 Market Risk Associated with Option Position

Options are contracts giving the holder the right but not the obligation to buy
or sell an underlying asset. If it is a right to buy, it is called a call option. If it
is a right to sell, it is called a put option. An option position is examined by
determining the sensitivity of the option price to various factors. Below are the
factors that can impact the price of an option:

• Change in the price of the underlying asset.
• Change in the volatility of the asset – an option is a one-sided (asymmetric)
contract where there is significantly higher upside for the holder, but the
downside is limited. Hence, the more volatile the underlying asset is, the
more valuable the option will be.
• Time to maturity – the longer the time to maturity is, the more time the
option has to end up in-the-money. On the other hand, the nearer the option
is to expiry, the less valuable the option becomes.
• Interest rates also impact the value of the option as interest rates affect
the value of the underlying assets in the future.

These option sensitivities are also known as option Greeks.

Delta Gamma Theta Vega Rho

Figure 8.13: Option Greeks


| Greek | Sensitivity |
|---|---|
| Delta | This approximates the impact on the price of the option for every change in the price of the underlying asset. |
| Gamma | This measures how much the delta changes with respect to changes in the underlying asset. |
| Theta | This measures how much the value of the asset declines due to the passage of time. Options lose value as they get closer to expiry. |
| Vega | This measures how the option value will change with respect to a change in volatility. The higher the volatility is, the more valuable the option becomes. Vega is highest when the underlying price is close to the strike of the option. |
| Rho | Rho is the estimate of how option values change as interest rates change. |

Figure 8.14: Option Greeks’ Sensitivity
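
The five sensitivities in Figure 8.14 can be computed for a European call under the Black-Scholes model, which the text names earlier as an example valuation model. This is an added example, not part of the study text: the closed-form Greeks are the standard ones for a non-dividend-paying European call, the input values are constructed, and the function names are hypothetical.

```python
"""Option Greeks for a European call under Black-Scholes (added example)."""
from math import erf, exp, log, pi, sqrt


def norm_cdf(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def norm_pdf(x):
    """Standard normal density."""
    return exp(-0.5 * x * x) / sqrt(2.0 * pi)


def call_greeks(spot, strike, rate, vol, years):
    """Return price and Greeks of a European call (no dividends).

    theta is per year of calendar time, vega per 1.00 change in volatility,
    rho per 1.00 change in the interest rate.
    """
    if min(spot, strike, vol, years) <= 0:
        raise ValueError("spot, strike, vol and years must be positive")
    root_t = sqrt(years)
    d1 = (log(spot / strike) + (rate + 0.5 * vol * vol) * years) / (vol * root_t)
    d2 = d1 - vol * root_t
    disc_strike = strike * exp(-rate * years)
    return {
        "price": spot * norm_cdf(d1) - disc_strike * norm_cdf(d2),
        "delta": norm_cdf(d1),
        "gamma": norm_pdf(d1) / (spot * vol * root_t),
        "theta": (-spot * norm_pdf(d1) * vol / (2.0 * root_t)
                  - rate * disc_strike * norm_cdf(d2)),
        "vega": spot * norm_pdf(d1) * root_t,
        "rho": years * disc_strike * norm_cdf(d2),
    }


def estimate_price_change(greeks, d_spot, use_gamma=True):
    """Approximate the option price change for a move d_spot in the underlying.

    Delta gives the first-order estimate; gamma corrects for the fact that
    delta itself changes as the underlying moves.
    """
    change = greeks["delta"] * d_spot
    if use_gamma:
        change += 0.5 * greeks["gamma"] * d_spot ** 2
    return change


def spot_with_highest_vega(strike, rate, vol, years, spots):
    """Return the spot price (from the candidates) at which vega is largest."""
    return max(spots, key=lambda s: call_greeks(s, strike, rate, vol, years)["vega"])


# Constructed inputs: at-the-money call, 3% rate, 20% volatility, one year.
SPOT, STRIKE, RATE, VOL, YEARS = 100.0, 100.0, 0.03, 0.20, 1.0

if __name__ == "__main__":
    base = call_greeks(SPOT, STRIKE, RATE, VOL, YEARS)
    for name, value in base.items():
        print(f"{name:6s} {value:10.4f}")

    # Full revaluation versus the delta and delta-gamma estimates for a +5 move.
    actual = call_greeks(SPOT + 5.0, STRIKE, RATE, VOL, YEARS)["price"] - base["price"]
    print(f"actual change       {actual:8.4f}")
    print(f"delta only          {estimate_price_change(base, 5.0, False):8.4f}")
    print(f"delta plus gamma    {estimate_price_change(base, 5.0):8.4f}")

    peak = spot_with_highest_vega(STRIKE, RATE, VOL, YEARS, range(50, 151))
    print(f"vega is highest at spot {peak} for strike {STRIKE:.0f}")
```
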

8.3 MARKET RISK MEASUREMENT

Market risk measurement or assessment is the process of quantifying or measuring
the market risk exposures of banking organisations. It is, in many ways, both
the easiest and the hardest activity in the market risk management process.

It is the easiest means of assessment because for many market risk exposure
types, data availability is less of an issue particularly when compared against
operational risk or credit risk. Historical prices of financial instruments can be
accessed easily. Foreign exchange rates, equity prices, commodity prices and
interest rates are available on a real-time or historical basis. Compared to other risk
measurement areas, market risk measurement tools are relatively more developed
and standardised. VAR is recognised as a standard measurement tool in the
measurement of market risk. In fact, Basel II places VAR in the market risk regulatory
capital regime. This is not the case for other types of risks such as operational risk
where different banking organisations adopt different tools in measuring their
operational risk exposures.

However, market risk measurement can also be the hardest. While the mathematics
of market risk measurement is sophisticated, it is ironically the easiest part in the
measurement of market risk. The challenge in market risk lies primarily in the nature
of market risk exposures. What the entire banking industry learned from previous
banking crises and the relatively recent 2008 financial crisis is that financial market
prices are too complex and too unpredictable to be modelled using statistical
techniques. Banking organisations that placed extreme reliance on market risk
models soon found out that most of these models are only applicable in a normal
market scenario. Most of these models did not perform well, particularly in an extreme
market environment where these models are most needed. The main challenge
in market risk management is that while risk models work reasonably well during
normal markets, in abnormal and stressed environments these risk models do not
perform as intended.

8.3.1 Market Risk Measurement and Assessment Perspectives

Market risk measurement and assessment requires understanding the limitations
of these models, no matter how sophisticated or complex they may seem to
be. There are efforts on a global level (most notably by the Basel Committee
on Banking Supervision) to address the weaknesses that were noted
during the 2008 financial crisis. The risk management industry is expecting
significant changes in the way market risk is measured and assessed. Market
risk measurement and assessment involves the assessment of market risk
exposure from two perspectives:

i. Probability – Quantifies the likelihood of market risk loss.
ii. Severity – Measures the expected magnitude or impact of market risk loss.

The objective of market risk measurement and assessment is to generate a
potential loss forecast which is expressed in terms of probability and severity.

8.3.2 Market Risk Management Process

[Cycle diagram: Market risk identification → Market risk measurement → Market risk monitoring → Market risk control and mitigation]

Figure 8.15: Market Risk Management Process


i. Market risk identification – Market risk identification involves identifying the
different sources of market risk of a bank. These sources can be classified
into types (foreign exchange, interest rate, equity price and commodity
price) or products (money markets, derivatives, securities financing, or
spot transactions).
ii. Market risk measurement – Market risk measurement involves quantifying
market risk exposure and forming a view on the likelihood and severity of
the potential risk of losses from the bank’s market risk generating activities.
iii. Market risk monitoring – The output in the market risk measurement phase
is used to determine the risk areas to monitor. The Basel Committee on
Banking Supervision encourages prudent management of market risk
using a set of market risk measures. Market risk measures are used as the
basis for setting aside regulatory capital for market risk.

In the Basel II Minimum Capital Framework for Market Risk, banking
organisations that use the internal models approach rely on the
outputs of market risk models in the calculation of minimum capital
required for market risk.

iv. Market risk control and mitigation – Market risk measures are used as the
basis for setting the overall market risk appetite of the banking organisation.
Market risk measures are important inputs in the banking organisation’s
overall market risk limit framework. These measures are used to manage
the bank’s overall market risk profile. These measures provide objective
parameters that allow the banking organisation to monitor the actual
market risk profile. These measures serve as the basis for allocating market
risk appetite across the organisation.

8.3.3 Market Risk Measurement and Assessment Tools

| Pre-VAR | VAR | Post-VAR Tools |
|---|---|---|
| Full notional approach | Parametric, historical, Monte Carlo simulation | Expected shortfall |
| Sensitivity measures | Portfolio VAR | Stress testing |

Figure 8.16: Panorama of Market Risk Measurement

Market risk measurement tools can be divided into three types:

i. Pre-VAR measurement tools – These are risk measures that predate
value-at-risk (VAR) and are generally used in quantifying market risk
exposure on a transactional or deal level.
ii. Value-at-risk tools – These are risk aggregation tools that aim to reduce
the quantification of market risk exposure into a single number and usually
involve the determination of the worst-case loss under normal markets
based on a pre-defined confidence level.
iii. Post-VAR measurement tools – These tools aim to address the limitations
of VAR models by determining scenario outcomes of risk under abnormal
markets. These tools focus on tail risk (i.e., risk of extreme losses).

8.4 BANK TRADING: ROLES AND STRATEGIES

Investors and traders have different objectives, different strategies, and different
methods of approaching financial markets. Investors tend to be focused on the
long-term, seeking to put money in securities that are both profitable and appear
to represent a good value. A sector in an investment bank is referred to as a trading
desk. Depending on the investment bank, trading desks are likely to be divided by
market. The four main sectors are foreign exchange or forex, fixed income, equities,
and commodities.

8.4.1 Bank Trading Positions

Banks enter into trading activities to profit from short-term price movements
or lock-in arbitrage profits. Trading activities generate trading positions or
exposures. The degree of exposure depends on the types of trading exposure
that the bank takes.

Client servicing | Market making | Proprietary trading

Figure 8.17: Bank Trading Types

i. Client servicing – Client servicing positions arise from trading activities
where banks engage in servicing client requirements. This involves banks
acting on behalf of the client to execute a purchase or sale decision. This,
therefore, involves finding matches in supply and demand. An example of
a client servicing position is when the banking organisation has entered into
a matched principal broking trade. In a matched principal broking trade,
the banking organisation facilitates the client’s requests to anonymously
execute a trade by acting as a principal for the trade. In client servicing
positions, banks do not take open market risk exposure and trades
are done on a matched basis. Taking client servicing positions involves
engaging in trading activities with the goal of having limited or no market
risk exposure for the bank. Open market risk exposures are expected to be
hedged or covered immediately. Therefore, among all trading positions,
client servicing positions take the least market risk.

USD 10 million securities | USD 10 million securities

Figure 8.18: Client Servicing.

In a strictly client servicing position (brokerage or agency type of trading
position), banks need to find exact matches in supply and demand. At
times, however, banks would step in as the counterparty of the client’s
trade by committing their balance sheet either through market making or
proprietary trading.

ii. Market making – Market making is a trading position where banks step
in as counterparty of the client to absorb temporary supply and demand
imbalances and provide immediate execution of the transaction with
the client. The bank does this by standing ready to buy or sell financial
instruments at the quoted price. The objective of market making is to
support client relationship.

Banking organisations act as market makers and provide liquidity for
secondary market trading of financial securities. This helps create more
efficient market pricing for these securities by ensuring market liquidity
and providing price discovery. Banks generate two types of revenue
from their market-making activities: facilitating revenues and
inventory revenues.

Bid: 100 | Offer: 101
Bid-offer spread = 101 − 100 = 1

Figure 8.19: Market Making


Banks are compensated for facilitating transactions through the spread
between the buying (bid) and selling (offer or ask) rate. As a market maker,
the bank stands ready to buy a security at the bank’s bid price and sells the
security at the offer price. The bank acting as a market maker earns from a
market-making transaction by buying at a low price (bid price) and selling at
a high price (offer or asking price). The difference between the offer price and
the bid price is also known as the bid-offer spread.

The quoted bid/ask spread incorporates the market makers’ expectations
of the cost and risk of hedging the trading position. Thus, if trading positions
can be closed or offset quickly (for example, because of high turnover) at
minimal cost, the quoted bid/ask spread tends to be narrow. However, if the
bank will incur substantial costs in closing out a trading position as a result
of accommodating a client request, the quoted bid/ask spread is expected
to be wider. Market-making income may be complemented by inventory
revenues. These revenues add on to the revenue from the quoted bid/ask
spread. This represents additional income (or potentially losses) from holding
securities in the bank’s balance sheet and this includes:

• Change in the price of the security
• Accrued interest earned (or paid) from the market making position (also
known as the carry of the position)
• Less: funding/borrowing costs from holding the security

Banks acting as market makers need to hold inventories of financial
instruments with the intention of selling these instruments for a profit.
Therefore, unlike client servicing positions, market makers are not necessarily
constrained to ensure positions are matched. Market makers take open
positions and anticipate client demand. Because of this, market making
positions share similar market risk characteristics as those of proprietary
trading market positions. This is the reason why many believe that there is a
thin line between proprietary trading and market-making activities. In some
instances, market-making positions generate the same level of market risk
exposure as proprietary trading positions, which is why market risk measures
are also used to measure, monitor, and control market risks arising from
market-making positions.

Proprietary trading positions arise from trading activities where the bank’s own
capital is used to trade for the bank’s short-term profit. It is considered to be
the riskiest amongst the three main types of trading positions because banking
organisations use their own capital to trade in the volatile financial markets.

Market risk models such as VAR are frequently used to measure, monitor, and
control market risk exposures from proprietary trading positions. Many banks
that collapsed (e.g., Lehman Brothers) or were on the brink of collapse during
the 2008 financial crisis reported huge losses from their proprietary trading
activities. Because of the risk involved in proprietary positions, many regulators
sought to limit or ban proprietary trading for banking organisations. The most
popular of these regulatory measures is the Volcker Rule, named after the
former Federal Reserve Chairman Paul Volcker. The Volcker Rule of the
Dodd-Frank Act of the United States prohibits banking organisations from
engaging in short-term proprietary trading of securities, derivatives,
commodities, futures, and options for the bank’s own account.

Compared to market making positions, proprietary trading positions are
not generated with client relationship servicing in mind. Thus, in times of
temporary market dislocation, proprietary trading activities are not obliged to
show both buying and selling rates.

| Characteristics | Proprietary Trading | Market-making |
|---|---|---|
| Source of revenue | Price appreciation. | Fees, commission, bid/ask spread. |
| Size of exposure | Depending on bank risk appetite. | Based on expected near-term demands of client or customers. |
| Pricing role | Bank not required to quote two-way (buying and selling) prices. | Bank required to stand ready to buy or sell the financial instrument by quoting two-way bid/offer prices. |

Figure 8.20. Proprietary Trading Vs Market Making

8.4.2 Bank Trading Strategies

Market risk is primarily generated in the banking organisation’s proprietary
trading positions. However, market risk also exists in the bank’s client servicing
and market-making positions. Trading involves the buying and selling of
financial instruments for profit. Trading strategies can be executed through
different means.

i. Long and short position – Long and short are the most basic trading
strategies. Long is a term used to describe a position where the trader
stands to profit if the price of the underlying asset rises in value. Long is
frequently used interchangeably with a buy position (i.e., where the trader
buys or purchases an underlying instrument). Entering into a long position,
therefore, entails that the trader has a bullish view or outlook on the
underlying asset.


Illustrative Example–1

Long Position
Trader XYZ is long 100,000 shares on Stock BCG. Current value of Stock
BCG is US$5 per share.

Scenario 1: After one year, the market value of Stock BCG is US$7 per
share.

In this scenario, the value of Stock BCG rose from US$5 per share to US$7
per share. This means that Trader XYZ gains US$200,000 from the long
position (US$2 per share).

Gain (Loss) = (New Value – Old Value) × Long Position
            = (US$7 − 5) × 100,000
            = +US$200,000

Scenario 2: After one year, the market value of Stock BCG is US$3 per
share.

In this scenario, the value of Stock BCG fell from US$5 per share to US$3
per share. This means that Trader XYZ loses US$200,000 from the long
position (US$2 per share).

Gain (Loss) = (New Value – Old Value) × Long Position
            = (3 − 5) × 100,000
            = −US$200,000

Short is a term used to describe a trading position where the trader stands to
profit if the price of the underlying falls in value. Short is used to describe a
sell position. Entering into a short position therefore entails that the trader
has a bearish view or outlook on the underlying. The short position should
be represented with a negative sign as the performance of the short
position varies inversely with the underlying asset.


Illustrative Example–2

Short Position
Trader XYZ is short 100,000 shares on Stock BNP. Current value of Stock
BNP is US$5 per share.

Scenario 1: After one year, the market value of Stock BNP is US$7 per
share.

In this scenario, the value of Stock BNP rose from US$5 per share to
US$7 per share. This means that Trader XYZ loses US$200,000 from the
short position (US$2 per share).

Gain (Loss) = (New Value − Old Value) × (−Short Position)
            = (7 − 5) × (−100,000)
            = −US$200,000

Scenario 2: After one year, the market value of Stock BNP is US$3 per
share.

In this scenario, the value of Stock BNP fell from US$5 per share to US$3
per share. This means that Trader XYZ gains US$200,000 from the short
position (US$2 per share).

Gain (Loss) = (New Value − Old Value) × (−Short Position)
            = (3 − 5) × (−100,000)
            = +US$200,000

ii. Short selling – Short selling is a trading strategy where the trader sells the
security which he or she does not own. Traders usually enter into short-
selling trading strategies if they think that the securities are overvalued,
or the market will undergo significant corrections and the value of these
securities will go down. In a typical short-selling transaction, the trader
sells the securities to the buyer. At this point, the trader does not own these
securities.


Parties: BROKER, TRADER, BUYER

1. The trader sells the securities to the buyer. The trader does not own
the securities.
2. The trader borrows the securities from the broker and promises to deliver
the securities at a pre-defined future date.
3. The trader delivers the securities to the buyer.

Figure 8.21: Short Selling Illustration

The trader then borrows the securities from a broker. The broker transfers
the legal title of the securities to the trader. In exchange, the trader pays
the broker a fee for borrowing the securities. The trader agrees to return the
securities at a pre-agreed future date. The trader usually puts up collateral
to secure the exposure of the broker to the trader. The trader delivers the
security to the buyer.

Parties: BROKER, TRADER, MARKET

4. At the future date, the trader will purchase the securities at the
prevailing market prices.
5. The trader returns the borrowed securities to the broker.

Figure 8.22: Short Selling Cover.

At a pre-agreed future date, the trader will purchase the securities at the
prevailing market prices. This is where the risks of short selling will arise as
the trader needs to purchase these securities at market value and return
the borrowed securities to the broker. An illustration on the payoff from a
short selling strategy is as follows:


Illustrative Example–3

Short Selling
Trader XYZ short sells Stock PNP in anticipation of a bear market. He short
sold 100 shares at US$100 per share for 30 days and borrowed Stock PNP
shares from a broker. Trader XYZ promises to return the shares to the
broker after 30 days. Below are the two scenarios that can happen after
30 days:

Scenario 1: Stock PNP fell to US$70 per share

In this scenario, Trader XYZ’s view on Stock PNP is correct. After 30 days,
Trader XYZ will buy Stock PNP at US$70 per share and return the shares
to the broker.

Sold 100 shares at US$100 +US$10,000

Bought 100 shares at US$70 -US$7,000

Trader XYZ Gain (Loss) +US$3,000

Scenario 2: Stock PNP rose to US$140 per share

In this scenario, Trader XYZ’s view on Stock PNP proves to be wrong.
After 30 days, Trader XYZ will buy Stock PNP at US$140 per share and
return these shares to the broker.

Sold 100 shares at 100 +US$10,000

Bought 100 shares at 120 −US$14,000

Trader XYZ Gain (Loss) −US$4,000

Short selling is a very risky trading strategy. The trader is exposed to
huge losses if his or her view that the securities will fall in value fails to
materialise. Because theoretically, there is no upper limit on the value of
these securities, the trader may be exposed to potentially unlimited losses
from the short-selling strategy. The potential losses from short selling are
virtually unlimited while the payoffs are limited. The following illustrative
example provides a sample scenario analysis on the potential gains and
losses from a short-selling strategy:


Illustrative Example–4

Short Selling
Trader XYZ short sells Stock PNP in anticipation of a bear market. He short
sold 100 shares at US$100 per share for 30 days and borrowed Stock PNP
shares from a broker. Trader XYZ promises to return the shares to the
broker after 30 days.

Below are the possible gains and loss scenarios:

Scenario                      1      2      3      4      5      6      7
Stock Prices After 30 Days    −0     −50    −70    −100   −150   −200   −1,000
Selling Price                 +100   +100   +100   +100   +100   +100   +100
Gain (Loss)                   +100   +50    +30    0      −50    −100   −900

Since stock prices can never fall below zero at any time, the highest
payoff from a short-selling strategy is when a stock price falls to its
lowest possible value after 30 days. Hence, in this case, the highest
payoff achievable is US$100 per share.

Unfortunately, the reverse is not true. The lowest payoff from this strategy
is limitless. This is because the lowest payoff possible will happen only if
the stock price rises to the highest possible value after 30 days. However,
the highest possible value of a stock is unlimited. In Scenario 7, the loss
from the strategy is US$900 per share because the stock price has risen
to US$1,000 per share. This is, however, not the largest possible loss. This
is because the stock price can rise to US$2000, US$3000, US$5000, or
even US$1 million per share. This clearly shows the asymmetric payoff
from a short selling strategy.

In practice, many traders have been forced to incur huge losses on their
portfolios, particularly when there is a lack of supply of the securities.
Many short-sellers are then forced to cover their positions, causing the
value of the securities to increase further and thereby exacerbating the
losses incurred by the short-sellers.


Boxed Article–3

Short Squeeze
A short squeeze is an event in which the prices of securities or
commodities move sharply higher due to a positive development
(whether temporary or permanent) on the securities. Short sellers
are then forced to limit their losses by closing their short positions
and buying these securities or commodities. This buying activity further
exacerbates the losses that short sellers will incur, as security prices
may continue to rally.

iii. Leverage – Leverage in trading involves the use of borrowed money
to magnify potential gains from a trading strategy. However, it also
magnifies potential losses if the trading strategy does not work out as
initially envisioned. Below are some of the most common examples of the
application of leverage in trading:

▶ Margin trading – Margin trading or financing involves borrowing
money from a broker to purchase securities and using these securities
as collateral. It allows the trader to increase the amount of securities
invested. This amplifies the potential gain and the potential risk from the
trading strategy. US Federal regulations allow investors to borrow up to
50% of the total cost of the purchase.
▶ Repurchase agreement is a transaction in which one party
simultaneously sells securities to another party while committing to
repurchase the same securities on a specified future date at a specified
price. This is also known as a repo transaction.

[Figure 8.23: Repurchase Agreement. Two panels, Transaction Date and Maturity Date, each showing the repo seller and the repo buyer. Transaction Date annotation: net of the haircut. Maturity Date annotation: includes compensation for interest or repo rate.]

In this transaction, the repo seller delivers the security to the repo buyer.
The repo buyer pays cash to the repo seller. The cash delivered to the repo
seller is net of the haircut applied to the security. The higher the haircut, the
lower the cash delivered to the repo seller. At maturity date, the repo seller
repurchases the security. The repurchase price includes compensation
for interest. This is also known as the repo rate. Traders who hold securities
can obtain leverage from these holdings by taking advantage of the repo markets.
Traders raise cash from the repo markets, which they can use to further
implement a trading objective. In many instances, the repo rate is cheaper
than the market rate.

iv. Derivatives – Traders use derivatives to take a leveraged position on an
underlying security. Leverage is inherent in many types of derivatives
and traders frequently use derivatives. A common example of this is the
purchase of a call option. A call option contract gives the purchaser or
the holder the right (but not the obligation) to buy an underlying asset
at a pre-agreed strike price. In exchange for this right, the buyer of a call
option contract pays the seller of the option the option premium at the
trade inception. On maturity date, the holder of the call option contract
may exercise the call option contract if the price of the underlying asset
rises above the pre-agreed strike price. On the other hand, the holder of
the call option contract may allow the call option to expire as worthless if
the underlying asset falls below the pre-agreed strike price. Entering into a
call option contract is akin to entering into a long position in the underlying
security. Unlike a straightforward purchase of the underlying security, a
long call option contract allows the trader to take a leveraged position on
the underlying security.
v. Carry trade – Carry trade is a widely used trading strategy where the
trader borrows an asset at a lower rate and lends or invests in another asset at
a higher rate, earning from the spread between the two.

SAMPLE CARRY TRADE: AUD/USD

         Borrowing Rate   Lending Rate
USD      0.2%             0.3%
AUD      4.0%             4.5%

[Figure 8.24: Carry Trade. The trader (1) borrows USD at 0.3%, (2) converts the USD to AUD at the spot market, and (3) invests AUD at 4.0%.]


The figure above illustrates a typical carry trade transaction. The trader
borrows in the lower-interest rate currency (i.e., funding currency, which
in this case is US Dollar, US$), converts the funds into the higher-interest rate
currency (i.e., investment currency, which in this case is Australian Dollar,
AUD) and lends the resulting amount in the investment currency at the
higher interest rate. The trade remains profitable as long as the
exchange rate between the US$ and AUD does not move drastically. The
trader, therefore, is guaranteed the earnings from the spread between the
interest earned from the investment currency and the funding currency.

Illustrative Example–5

Carry Trade
Trader ANC borrowed US$9 million at a cost of 0.3%. Trader ANC then
invested the US$9 million and converted the borrowed money to AUD at
the exchange rate of 1 AUD = 0.90 US$.

Trader invests AUD 10,000,000 at 4%.

Below is an assessment of the profitability of the carry trade:

Variables                                                  Scenario

Investment Currency Proceeds (AUD Principal + Interest)    AUD 10,400,000 (= AUD 10 million + 4% interest)
Exchange Rate                                              1 AUD = 0.90 US$
Investment Currency Proceeds (US$ Equivalent)              US$9,360,000
Funding Currency Payment (US$9 million + 0.3% interest)    (US$9,027,000)
Net Earnings                                               US$333,000
Net Earnings in Percentage                                 3.7%

Trader ANC earned 3.7% from this carry trade after one year. This is
also incidentally the interest differential between the borrowing and
investment currency (= 4% − 0.3%).

The main risk to the trader arises if the exchange rate between the investment
currency and the borrowing currency changes significantly. The trader
may then face the risk of not being able to meet the obligations under
the borrowing currency should the earnings from the investment currency
be insufficient to offset the losses from the exchange rate weaknesses in
the investment currency against the borrowing currency. If the exchange
rate of the investment currency weakens against the borrowing currency,
the losses from the conversion of the investment currency against the
borrowing currency may offset whatever gain the trader recognises from
the carry trade.

Illustrative Example–6

Carry Trade Risks


Scenario 1: AUD weakens against US$ (1 AUD = 0.80 US$)
Scenario 2: AUD strengthens against US$ (1 AUD = 1.00 US$)

Variables                                                  Scenario 1:           Scenario 2:
                                                           1 AUD = 0.80 US$      1 AUD = 1 US$

Investment Currency Proceeds (AUD Principal + Interest)    AUD10,400,000         AUD10,400,000
Exchange Rate                                              1 AUD = 0.80 US$      1 AUD = 1 US$
Investment Currency Proceeds (US$ Equivalent)              US$8,320,000          US$10,400,000
Funding Currency Payment (US$9 million + 0.3% interest)    (US$9,027,000)        (US$9,027,000)
Net Earnings                                               (US$707,000)          + US$1,373,000
Net Earnings in Percentage                                 −7.86%                15.3%

Based on Illustrative Example 6, in Scenario 1, the AUD has weakened
against the US$. Trader ANC converted the AUD proceeds to US$ to pay the
borrowing obligation at a significantly lower US$ amount. Although Trader
ANC earned 4% from investing in AUD, this amount is not enough to repay
the US$ 9,027,000 obligation (= US$ 9 million + 0.3% interest). The interest
spread of +3.7% (= 4% − 0.3%) has been offset by the weakness in AUD. In
Scenario 2, on the other hand, the AUD strengthens against the US$. Trader
ANC converted the AUD proceeds to US$ to pay the borrowing obligation
at a higher US$ amount. Trader ANC earned both from the interest spread
of 3.7% and the strengthening of the AUD against US$.
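The following Python sketch is an added example, not part of the study text: it reproduces the net earnings in Illustrative Examples 5 and 6 and goes one step further by computing the break-even exchange rate, i.e. how far the AUD can weaken before the interest spread is used up. Function names are illustrative, and simple one-year rates are assumed as in the examples.

```python
"""Added example: one-year carry trade P&L and break-even exchange rate.

Names are illustrative. Rates are simple one-year rates and exchange rates
are quoted as US$ per 1 AUD, as in Illustrative Examples 5 and 6.
"""


def carry_trade(usd_borrowed, usd_rate, aud_rate, fx_start, fx_end):
    """Return the legs and net earnings of a USD-funded AUD carry trade."""
    aud_invested = usd_borrowed / fx_start           # convert at the spot rate
    aud_proceeds = aud_invested * (1 + aud_rate)     # AUD principal + interest
    usd_proceeds = aud_proceeds * fx_end             # convert back at maturity
    usd_repayment = usd_borrowed * (1 + usd_rate)    # US$ principal + interest
    net_usd = usd_proceeds - usd_repayment
    return {
        "aud_proceeds": aud_proceeds,
        "usd_proceeds": usd_proceeds,
        "usd_repayment": usd_repayment,
        "net_usd": net_usd,
        "net_pct": 100 * net_usd / usd_borrowed,
    }


def break_even_rate(usd_rate, aud_rate, fx_start):
    """Exchange rate at maturity at which net earnings are exactly zero."""
    return fx_start * (1 + usd_rate) / (1 + aud_rate)


def max_depreciation_pct(usd_rate, aud_rate, fx_start):
    """How far the investment currency can weaken before the trade loses money."""
    return 100 * (1 - break_even_rate(usd_rate, aud_rate, fx_start) / fx_start)


if __name__ == "__main__":
    # Unchanged rate (Example 5), then Scenarios 1 and 2 of Example 6.
    for fx_end in (0.90, 0.80, 1.00):
        r = carry_trade(9_000_000, 0.003, 0.04, 0.90, fx_end)
        print(f"1 AUD = {fx_end:.2f} US$: net {r['net_usd']:>12,.0f} "
              f"({r['net_pct']:.2f}%)")
    print(f"break-even: 1 AUD = {break_even_rate(0.003, 0.04, 0.90):.4f} US$")
    print(f"AUD can weaken by {max_depreciation_pct(0.003, 0.04, 0.90):.2f}% "
          "before the trade shows a loss")
```

The break-even rate sits only a few per cent below the starting rate of 0.90, which is why the 0.80 scenario turns the 3.7% spread into a loss.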


8.5 PRE-VALUE-AT-RISK (VAR) MARKET RISK MEASUREMENT TOOLS

VAR modelling is a statistical risk management method that quantifies a stock or
portfolio’s potential loss as well as the probability of that potential loss occurring. While
well-known and widely utilised, the VAR method requires certain assumptions that limit
its precision. For example, it assumes that the makeup and content of the portfolio
being measured is unchanged over a specified period. Though this may be acceptable
for short-term horizons, it may provide less accurate measurements for long-term
investments. There are three main ways of computing VAR. The first is the full notional
approach, the second is the sensitivity approach, and the third is the market-value approach.

8.5.1 Full Notional Approach

The full notional or nominal approach is one of the earliest and also the crudest
approaches to the measurement of market risk exposure. This approach
involves the use of the face amount as the measurement of the market risk
exposure. It quantifies market risk exposure as the actual amount of monetary
exposure in a particular security or commodity. The key advantage of using
the full notional approach is its simplicity and objectivity. The full notional
approach is easy to understand and is a straightforward measure not subject
to interpretation.

While the full notional amount approach is simple and easy to understand,
it is of very limited use. There are also some obvious weaknesses in this
approach, which are explained further below.

i. Overstatement of risk exposure – The full notional amount approach
fails to consider the offsetting positions. Recall that a long position in the
underlying asset will offset a short position in the same underlying asset.
The full notional approach treats all exposures, regardless of whether
they are long or short exposures, as standalone market risk exposures. This
approach double counts the market risk exposure, as the only exposure
faced by the bank on the underlying security or commodity is the net long or
short exposure.

For the example shown in illustrative example, the full notional equity
exposure of the bank is US$ 100 million. This overstates the actual economic
exposure of the bank as the short exposure on the equity offsets the long
exposure. In fact, the market risk exposure of the bank, if the short position
is considered, is zero. In Figure 8.25, the gold position is short.

Financial Instrument     Notional Amount

Bonds                    US$100 million
Equity                   Nil
Foreign Exchange         Short US$80 million
Gold                     US$20 million

Figure 8.25: Notional Amount Per Financial Instrument Type

ii. Not additive – Another important limitation of the full notional approach
is that it is not additive. The market risk manager cannot simply add
the notional exposure in the different asset classes to provide a single
portfolio-wide measure of the banking organisation’s overall market risk
exposure. In the illustrative example on the full notional approach, it cannot
be concluded that the overall market risk exposure is US$340 million (=
US$100 million in bond + US$100 million in equity + US$120 million in foreign
exchange + US$20 million in gold).
iii. Does not distinguish among different types of risk – The use of nominal
exposure does not distinguish between assets that have lower volatility
and those with higher volatility. Market risk exposure is measured based
on the size of exposure and not based on the risk characteristics of
these exposures. Some asset classes possess higher risk characteristics
compared to other assets. This is not considered by the full notional
approach. A US$1 million exposure in a higher risk asset (e.g., equities) is
given the same treatment as a US$1 million exposure in a lower risk asset
(e.g., government bonds).
iv. Ignores diversification – The use of notional or nominal exposure does
not take into consideration that different assets tend to move positively
or negatively against each other. Correlation measures the relationship
between different assets. A strongly correlated relationship means that two
assets tend to move in tandem with each other. This means that if Asset 1
increases in value by 20%, a strongly correlated Asset 2 will also increase in
value by close to 20%. Assets that have a low correlation tend to display a
weak relationship with each other. This means that these two assets
do not perform in the same way. If Asset 1 increases in value by 20%, Asset
2 will increase in value by less than 20%. Assets that have low correlation
against each other tend to have lower risks from a portfolio perspective.

This is because a poor performance in one investment can be offset by a
good performance of another and thus provides diversification benefits to
the investor. The problem with the use of nominal exposure is that it treats
assets with high correlation against each other in the same way as assets with low
correlation against each other.


v. Not reflective of economic exposure – Another key limitation of the
full notional approach is that for many instruments such as derivative
contracts, notional is not reflective of the economic market risk exposure
of the transaction.

Illustrative Example–7

The full notional approach

Bank XYZ entered into a contract to purchase US$100 million at US$/MYR
3.20 after 30 days. The full notional approach assigns a market risk
exposure of US$100 million for this forward contract to purchase foreign
currency after 30 days.

This, however, overstates the actual economic exposure from a forward
contract. As can be seen in the diagram below, Bank XYZ faces a market
risk exposure if MYR appreciates and US$/MYR falls below the pre-agreed 3.20.
In the example below, US$/MYR is traded at 3.0 (below the pre-agreed price):

[Diagram: Bank XYZ (Forward Buyer) delivers MYR320 million to the Forward Seller and receives USD100 million, which at MYR3 = MYR300 million. Loss to Bank XYZ: MYR 20 million.]

In this scenario, Bank XYZ is obliged to deliver MYR320 million (= US$100
million × pre-agreed forward price of 3.2) and will receive only MYR300
million from the forward seller (= US$100 million × 3.0). Bank XYZ will need
to pay the net difference of MYR20 million. From a market risk perspective,
the exposure of Bank XYZ is the net difference of MYR20 million.

8.5.2 Sensitivity Approach

The limited use of the full notional approach for assessing potential market risk
exposure led to the development of specialised risk measures, for example,
sensitivity measures. Sensitivity measures allow the quantification of the
potential loss due to adverse movements in a primary risk factor. The primary
risk factor is a measurable variable that has the largest impact on the value
of a security or commodity. Market risk sensitivity measures calculate the
movements in the primary risk factors against the impact on the value of a
security or commodity. Sensitivity measures aim to capture the relationship
between the risk factor of a financial instrument and its market value. They are
used by traders to see how changes in the market risk factors could affect
the market value of their trading positions.

Sensitivity measures are helpful, but they also suffer from many
limitations. Among these limitations, sensitivity measures cannot be
aggregated across markets and across risk types.

i. Sensitivity measures cannot be aggregated across markets – The
sensitivity measures pertaining to the fixed income exposure of the bank
cannot be added to the sensitivity measures used for equity exposure.
These measures encourage a ‘silo’ approach towards market risk
measurement and present a challenge for the risk manager attempting
to get a portfolio integrated view of the overall market risk exposure of the
banking organisation.
ii. Sensitivity measures cannot be aggregated across risk types – Option
contracts are influenced by four risk factors, i.e., underlying security price,
volatility, interest rate and time to maturity. Each of these factors has a
corresponding risk measure. These measures, however, cannot be simply
summed up. Therefore, even on a position level, the risk manager cannot
get a single number measure of the risk exposure.

8.5.3 Market-Value Approach

For bond or fixed income securities, duration-based measures are the most
commonly used risk factor sensitivity measures.

i. Duration – Fixed income securities have different maturities
and different coupon rates. At times (without going through
extensive quantitative exercises) it is easy to make a value judgment on
which fixed income security is riskier. Generally, the longer the maturity of
the bond, the more sensitive the bond is to changes in interest rates. On the
other hand, the higher the coupon of the bond, the less sensitive the bond
is to changes in interest rates. However, there are times when it is difficult to
directly compare bonds with each other. For example, which bond is riskier,
a longer-tenor bond with a higher coupon or a shorter-tenor bond with a
lower coupon? Therefore, it is important to come up with a standardised
approach to compare two or more different bonds with different features.

It is not correct to directly compare two different bonds with different features.
Duration is a standardised measure that quantifies the effective
maturity of a bond. It is expressed in years. The higher the duration of the
bond, the riskier the asset is.

ii. Modified duration – Duration in itself is not a measure of interest rate
sensitivity. It merely describes the effective maturity of the bond. Modified
duration is a widely used measure of sensitivity of the bond price to
changes in interest rates. Modified duration is calculated by discounting
the duration by the bond’s yield to maturity.
iii. Greeks – Compared to fixed income securities, many financial instruments
such as derivatives face more complex risk factor dynamics. A single risk
factor sensitivity measure (such as duration) may not be enough to get
a more complete perspective on the risk exposure profile for derivatives
particularly for options.

Greek measures or ‘Greeks’ measure different dimensions of risk in an
option position. Each of the Greek letters represents a different dimension of
risk that the trader must manage. The five ‘Greeks’ measures are named as
such because each of the parameters is named after a letter of the Greek alphabet.

The Five Main Greeks

Delta (Δ): Represents the sensitivity of an option’s price to changes in the value of the underlying security.
Theta (Θ): Represents the rate of time decay of an option.
Gamma (Γ): Represents the rate of change of Delta relative to the change of the price of the underlying security.
Vega (ν): Represents an option’s sensitivity to volatility.
Rho (ρ): Represents how sensitive the price of an option is relative to interest rates.

Figure 8.26: The Five Main Greeks

Delta measures the change in the option price for a small change in
the price of the underlying asset holding. Positive delta option positions
indicate that the option value increases with an increase in the price of the
underlying. Examples of option positions with positive delta are:

▶ Long call position
▶ Short put position

Negative delta option positions indicate that the option value increases
with a decrease in the price of the underlying. Examples of option positions
with negative delta are:

▶ Long put position
▶ Short call position


Delta is also a useful tool to help traders calculate the risks in the option
portfolio to hedge against small movements in the price of the underlying
security. Delta is similar to the duration measure for fixed income. Traders
use delta measures as inputs in their hedging decisions. Traders may buy
or sell the underlying securities so that the positive or negative delta of
those securities will offset the negative or positive delta generated by the
option position. This process of offsetting the delta of the option position
is also known as delta hedging. A position with zero delta is referred to as
delta neutral.

The delta hedging process illustrated is an example of dynamic
hedging. Dynamic hedging refers to the iterative process of continuously
rebalancing the volume of the hedge to achieve the optimal delta desired.
The concept of delta can also be applied to other instruments such as
forward contracts. In a forward contract, the value of the contract changes
linearly with changes in the price of the underlying security. The delta of a
forward contract, therefore, is always equal to 1.

Gamma measures the change in the delta for a small change in the price
of the underlying. To put it simply, gamma measures the rate of change
of delta. The higher the gamma, the more rapidly the delta will change.
The lower the gamma, the less rapidly the delta will change. In practice,
delta is only applicable for small changes in the underlying price. For
larger changes in the underlying price, the delta may change significantly.
Gamma is frequently used in practice to adjust position delta hedges.

Delta neutral hedge is used to protect the trader against small changes
in stock prices. Gamma neutral hedge protects the trader against larger
movements in stock prices before the hedge rebalancing is made.

Theta measures the change in the value of an option as time elapses. Theta
measures the rate of decay in the time value of the option. The decay in
value is due to the fact that there is less time for the option to expire in-
the-money. Theta is negative for both long call and long put options as the
value of the option decreases over time. Compared to delta and gamma,
it does not make sense to hedge theta. Delta and gamma measures arise
from fluctuations in the underlying security prices. These fluctuations are
uncertain in nature, which is why hedging is sometimes required. On the
other hand, changes in the value of an option attributed to theta are due to
the passage of time, which is predictable.

Vega is the change in the value of the option based on a one per cent
change in the assumed volatility of the underlying. The higher the Vega of
the underlying security, the more sensitive it is to small changes in volatility.
On the other hand, the lower the Vega of the underlying security, the less
sensitive it is to changes in volatility. Buying a call or a put option results in
a long Vega position. This means that the value of the option increases as
the volatility increases.


Rho measures the change in the price of the option for a given change in
the level of the interest rates. It measures the sensitivity of the option value
to changes in interest rates.
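The question posed under Duration above (is a longer-tenor, higher-coupon bond riskier than a shorter-tenor, lower-coupon one?) can be answered numerically. The Python sketch below is an added example, not part of the study text; it assumes annual coupons and annual compounding, takes modified duration as duration divided by (1 + yield), and uses two constructed bonds.

```python
"""Added example: duration and modified duration of annual-coupon bonds.

Assumptions (not from the study text): annual coupons, annual compounding,
and two constructed bonds priced at a 5% yield to maturity.
"""


def cash_flows(face, coupon_rate, years):
    """Return [(time_in_years, cash_flow)] for an annual-pay bullet bond."""
    flows = [(t, face * coupon_rate) for t in range(1, years + 1)]
    last_t, last_cf = flows[-1]
    flows[-1] = (last_t, last_cf + face)      # principal repaid at maturity
    return flows


def price(face, coupon_rate, years, ytm):
    """Present value of all cash flows discounted at the yield to maturity."""
    return sum(cf / (1 + ytm) ** t for t, cf in cash_flows(face, coupon_rate, years))


def duration(face, coupon_rate, years, ytm):
    """Effective maturity in years: PV-weighted average time of the cash flows."""
    weighted = sum(t * cf / (1 + ytm) ** t
                   for t, cf in cash_flows(face, coupon_rate, years))
    return weighted / price(face, coupon_rate, years, ytm)


def modified_duration(face, coupon_rate, years, ytm):
    """Duration discounted by the yield: approx. % price change per unit yield change."""
    return duration(face, coupon_rate, years, ytm) / (1 + ytm)


def actual_price_change(face, coupon_rate, years, ytm, shift):
    """Exact relative price change when the yield moves by `shift`."""
    before = price(face, coupon_rate, years, ytm)
    after = price(face, coupon_rate, years, ytm + shift)
    return (after - before) / before


if __name__ == "__main__":
    bonds = {
        "10-year, 10% coupon": (100, 0.10, 10),
        "8-year, 1% coupon": (100, 0.01, 8),
    }
    ytm, shift = 0.05, 0.01
    for name, (face, coupon, years) in bonds.items():
        d = duration(face, coupon, years, ytm)
        md = modified_duration(face, coupon, years, ytm)
        est = -md * shift
        act = actual_price_change(face, coupon, years, ytm, shift)
        print(f"{name}: duration {d:.2f}y, modified {md:.2f}, "
              f"+1% yield -> est {est:.2%}, actual {act:.2%}")
```

With these inputs the shorter 8-year bond has the higher duration, so tenor alone does not rank the two bonds.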
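The delta and gamma paragraphs above state that a delta-neutral hedge protects against small price changes only. The Python sketch below is an added example, not part of the study text; it prices a European call with the Black-Scholes model (an assumption, since the text names no pricing model), hedges it with the underlying, and compares the hedged profit or loss for a small and a large move. All parameter values are constructed.

```python
"""Added example: delta hedging a long call, small vs. large price moves.

Assumption (not from the study text): Black-Scholes pricing of a European
call on a non-dividend-paying stock. All parameter values are constructed.
"""
from math import exp, log, sqrt
from statistics import NormalDist

STD_NORMAL = NormalDist()


def _d1(spot, strike, rate, vol, t):
    return (log(spot / strike) + (rate + 0.5 * vol ** 2) * t) / (vol * sqrt(t))


def call_price(spot, strike, rate, vol, t):
    d1 = _d1(spot, strike, rate, vol, t)
    d2 = d1 - vol * sqrt(t)
    return spot * STD_NORMAL.cdf(d1) - strike * exp(-rate * t) * STD_NORMAL.cdf(d2)


def call_delta(spot, strike, rate, vol, t):
    """Long call: positive delta."""
    return STD_NORMAL.cdf(_d1(spot, strike, rate, vol, t))


def put_delta(spot, strike, rate, vol, t):
    """Long put: negative delta."""
    return call_delta(spot, strike, rate, vol, t) - 1.0


def gamma(spot, strike, rate, vol, t):
    """Rate of change of delta per unit move in the underlying."""
    return STD_NORMAL.pdf(_d1(spot, strike, rate, vol, t)) / (spot * vol * sqrt(t))


def hedged_pnl(spot, move, strike, rate, vol, t):
    """P&L of long 1 call plus short `delta` shares after an instant price move.

    The hedge is set at the initial spot and is not rebalanced, so any
    residual P&L is what the delta hedge failed to offset.
    """
    delta = call_delta(spot, strike, rate, vol, t)
    option_pnl = (call_price(spot + move, strike, rate, vol, t)
                  - call_price(spot, strike, rate, vol, t))
    hedge_pnl = -delta * move                 # short position in the underlying
    return option_pnl + hedge_pnl


if __name__ == "__main__":
    params = dict(strike=100, rate=0.03, vol=0.20, t=0.5)
    spot = 100
    print(f"call delta {call_delta(spot, **params):.4f}, "
          f"put delta {put_delta(spot, **params):.4f}, "
          f"gamma {gamma(spot, **params):.5f}")
    for move in (1, -1, 20, -20):
        residual = hedged_pnl(spot, move, **params)
        approx = 0.5 * gamma(spot, **params) * move ** 2
        print(f"move {move:+4d}: hedged P&L {residual:7.4f} "
              f"(0.5 x gamma x move^2 = {approx:.4f})")
```

The residual after a move of 1 is close to zero, while after a move of 20 it is several units of price, which is the gap that gamma measures and that rebalancing (dynamic hedging) closes.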

8.6 VALUE-AT-RISK (VAR)

Value-at-Risk (VAR) is one of the most commonly used measures of investment risk
in the banking industry. Prior to VAR, risk measures are calculated depending on the
asset class type. For example, risks in investments in bonds and other fixed income
securities are measured differently from investments in currencies and equities. This
leads to a risk management dilemma for investors – how do we measure investment
risk in the portfolio regardless of the asset class?

VAR is an elegant answer to the demand coming from portfolio managers and
investment practitioners to come up with a single quantitative measure of portfolio
risk exposure. In this section, we will discuss value-at-risk (VAR) from a practical
perspective. What is VAR? When and why do we use VAR? How do we calculate and
interpret VAR? VAR has been controversial especially after its shortcomings were
revealed due to high profile bank failures during the 2008 financial crisis. We will
discuss the limitations of VAR and the alternatives to VAR as a risk measure.

The limitations of the notional approach and sensitivity measures led to the
development of a market risk measurement tool which helped to revolutionise the
risk management industry. For a long time, banking organisations relied on the
simplistic notional approach when measuring and managing market risk. As the
risks faced by banks became more complex and volatile, the need for quantitative
approaches to measure market risks became more important. While sensitivity
measures are more quantitative and forward looking than the notional approach, they
suffer from one major limitation: they cannot provide an integrated view of the market
risk exposure faced by the banking organisation.

VAR is now one of the standard measures of market risk. The use of VAR is pervasive
in many banking organisations, not only as a measure to calculate market risk but
also to control market risk exposures through limits. Basel II requires the use of VAR (in
the internal model approach) as a basis to determine how much minimum capital
should be set aside to support the banking organisation’s market risk exposure.
VAR is also used internally to allocate capital and set risk appetite in a quantitative
manner.

8.6.1 History of VAR

The development and the use of VAR as a statistical measure of a portfolio’s
losses was credited to J.P. Morgan. As a large commercial bank with diverse
and complex exposures to various securities, there was a need to measure
and summarise all these risk exposures into a single measurement. Dennis
Weatherstone, Chairman of J.P. Morgan, had asked his staff to produce a
concise summary of the bank’s risk at the end of each day. It started with the
question: “How much can we lose on our trading portfolio by tomorrow’s
close?”

J.P. Morgan developed a firm-wide value-at-risk system that modelled several
hundred key risk factors. Each day, trading units would report by e-mail their
risk positions with respect to each key risk factor. These were aggregated to
express the portfolio’s risk factors as a single statistical measure. With the
value-at-risk measure, J.P. Morgan replaced the crude system of notional
market risk limit with a system of VAR limits.

Starting in 1990, the VAR numbers were combined with the profit and loss
(P&L) in a report for each day’s 4:15 PM treasury meeting in New York. These
reports were forwarded to Dennis Weatherstone. The use of VAR became
prevalent when J.P. Morgan decided in May 1995 to make its proprietary
RiskMetrics publicly available.

8.6.2 Definition of VAR

VAR is a single statistical measure of possible portfolio losses due to normal
market events. VAR is the potential loss from a market risk that can occur over
a period of time given certain assumed statistical confidence levels. VAR is
the probability that you may suffer the worst loss that can be expected from
holding a security over a given time horizon and a given specified confidence
level. The three important considerations in the interpretation of VAR are:

• VAR is not an absolute measure of risk
• VAR covers only normal market scenario
• VAR measures the maximum loss on a normal market event

The most common error in the interpretation of VAR is that it is frequently
misinterpreted as an absolute maximum measure of loss. An important
element that is missed in this interpretation is that VAR is a probabilistic
and not an absolute measure. This means that the VAR number should be
interpreted with the confidence level (e.g., 95% confidence level) as part of
the interpretation. Many mistakenly interpret VAR as the maximum loss to
the portfolio over a given period of time while ignoring the most important
characteristic of VAR in that VAR only attempts to describe market risk in
probabilistic terms.

VAR covers only potential losses arising from normal market losses. It does
not answer the ‘worst case scenario’. VAR has received a huge (mostly fair)
amount of criticism for failing to anticipate the 2008 financial crisis. While
many of the criticisms against VAR are with merit, it should be recalled that
VAR measures potential losses in normal market scenario. ‘Black Swan Events’
(a term coined by one of the most prominent critics of VAR, Nassim Nicholas
Taleb), or events that are highly improbable and yet cause massive adverse
consequences, are not captured by VAR.

VAR measures the maximum loss on a normal market event. It measures
expected losses from normal market conditions, but it does not capture
unexpected losses from stressed market conditions. It is therefore incorrect
to view VAR from the worst-case or maximum loss point of view. While VAR
is used to make forward looking assessments of market risk exposures,
it relies heavily on the assumed distribution of returns. The most commonly
assumed distribution of returns is usually the historical distribution or the
normal distribution.
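The point that VAR is a probabilistic measure and not a maximum loss can be seen on data. The Python sketch below is an added example, not part of the study text; it computes a one-day VAR from a historical distribution of daily profit and loss and counts the days on which the loss exceeded it. The profit-and-loss series, the exposure of US$100 million and the single stress day are constructed for illustration.

```python
"""Added example: one-day VAR from a historical P&L distribution.

The P&L series is constructed (seeded pseudo-random daily returns plus one
stress day); the exposure and all other values are illustrative assumptions.
"""
import math
import random


def constructed_pnl(exposure=100_000_000, days=500, seed=7):
    """Daily P&L for a static position: 'normal' days plus one stress day."""
    rng = random.Random(seed)
    returns = [rng.gauss(0.0003, 0.01) for _ in range(days)]
    returns[250] = -0.09          # constructed stress event, far outside normal moves
    return [exposure * r for r in returns]


def historical_var(pnl, confidence):
    """Loss that was not exceeded on `confidence` of the observed days."""
    losses = sorted(-x for x in pnl)                      # positive = loss
    k = math.ceil(round(confidence * len(losses), 9))     # rank of the quantile
    return losses[k - 1]


def summarise(pnl, confidence=0.95):
    """VAR together with what happened on the days it was exceeded."""
    var = historical_var(pnl, confidence)
    tail = [-x for x in pnl if -x > var]
    return {
        "days": len(pnl),
        "var": var,
        "exceedances": len(tail),
        "avg_loss_beyond_var": sum(tail) / len(tail) if tail else 0.0,
        "worst_loss": max(-x for x in pnl),
    }


if __name__ == "__main__":
    pnl = constructed_pnl()
    for confidence in (0.95, 0.99):
        s = summarise(pnl, confidence)
        print(f"{confidence:.0%} one-day VAR: US${s['var']:,.0f}")
        print(f"  days with a larger loss: {s['exceedances']} of {s['days']}")
        print(f"  average loss on those days: US${s['avg_loss_beyond_var']:,.0f}")
        print(f"  worst loss in the sample: US${s['worst_loss']:,.0f}")
```

At a 95% confidence level, 25 of the 500 days still show a loss larger than the VAR figure, and the stress day is several times larger, so the number has to be read together with its confidence level.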

8.6.3 Basic VAR Calculation Methodology

There are three main calculation approaches to VAR. All these approaches,
however, share the generic process of determining the exposure, selecting
the time horizon, and deciding on the appropriate confidence level.

[Figure 8.27: Basic VAR Calculation Methodology. (1) Determine the exposure. (2) Select the horizon and confidence level. (3) Select the VAR calculation methodology.]

Determine the exposure


The first important step in calculating VAR is to determine the exposure. The
exposure is the market value of the position as of the VAR calculation date.
The objective of VAR calculation is to determine the maximum loss to the
banking organisation’s portfolio relative to the current value of its exposure
given a certain confidence level and time horizon.

VAR is a holdings-based measure, which means that although VAR is
intended to be a forward-looking measure, it is based on a static position for
a given holding period. The exposure or position is fixed for the time period in
question. It is therefore important to be aware of this limitation in the use of
VAR. The VAR calculated is based on the static holding as of the calculation
date.

Select the time horizon


Time horizon or holding period is the period over which the bank wants to
estimate the maximum potential loss through the calculation of the VAR. Time
horizon can range from one day to one year. The higher the time horizon, the
more uncertain and the larger the VAR is. The choice of time horizon depends
on the factors stated in the table below:

Factors in Determining the Choice of Time Horizon

Nature of the Position

• The choice of the time horizon or holding period depends on the
  characteristics of the position.
• The calculated VAR applies to the specific time horizon chosen. VAR is a
  forward-looking measure of market risk exposure. It is therefore important
  to consider the liquidity of the position.
• The horizon chosen should be based on how quickly the trader can liquidate
  the position in an orderly manner.
• The more liquid the position is, the lower the time horizon should be. The
  less liquid the position is, the higher the time horizon should be.

Regulatory Requirements

• The choice of the time horizon or holding period depends on the specific
  regulatory requirements.
• Banking organisations adopting the Internal Models Approach of Basel II are
  required to use a 10-day time horizon for the calculation of the regulatory
  VAR.
• On the other hand, minimum capital requirements for the banking book are
  calculated based on a one-year horizon for credit risk exposures.

Use of VAR

• The selection of a time horizon is also largely dependent on the objective
  of VAR measurement.
• If VAR is used to estimate the potential losses over a shorter time horizon,
  then a one-day VAR should frequently be used. An example of this is
  trading. Trading usually involves generating short-term gains or incurring
  short-term losses. Hence, a shorter time horizon is usually applicable.
• If VAR is used to estimate potential losses over a long time horizon, then
  the time horizon selected for VAR purposes is also longer. An example of
  this is the use of VAR for purposes of setting the regulatory capital
  required. Regulatory capital requires the use of a longer time horizon.
• Trading desks of banking organisations typically choose a one-day time
  horizon for the calculation of VAR. This is because banks are required to
  mark-to-market the positions in the trading book given the importance of
  trading in the banking business.
• Investment managers or non-financial corporations with a mandate to
  rebalance the portfolio only on a monthly basis may find it more appropriate
  to use a 30-day time horizon.

Figure 8.28: Factors in Determining Horizon

Select the confidence level


Confidence level is the probability that the range of losses will not exceed
the VAR estimate for a given time horizon. The higher the confidence level,
the more conservative the VAR estimate is. To better understand how the
confidence level is selected in practice, it is important to understand the
concept of confidence level. Recall that the VAR estimate is the maximum
loss given a confidence level. Confidence level, therefore, acts as a threshold
at which the range of losses is expected not to exceed the VAR estimate. This
is the reason why the higher this threshold level is, the higher the VAR estimate
will be. Within the confidence level, VAR is the maximum loss.

Significance level is the probability that corresponds to the frequency with
which a given level of loss is expected to occur. Significance level is simply
100% minus the confidence level. This is the threshold at which the range of
losses is expected to exceed VAR. The significance level is also known as the
“distribution tail”. These are extreme events or outliers. Within the significance
level, VAR is considered to be the minimum loss. This is why it has been
emphasised that the VAR is an estimate and a probabilistic measure and not
an absolute measure of risk. The higher the significance level, the lower the
confidence level and therefore the lower the VAR estimate will be.

[Diagram labels: VAR at 95% Confidence; Confidence Level: 95% (= 100% −
Significance Level); Significance Level: 5% (= 100% − Confidence Level)]

Figure 8.29: VAR as a Boundary Number

The figure above shows the relationship between confidence level and
significance level. The VAR at 95% confidence level is the maximum loss 95%
of the time. However, the VAR does not describe the loss in the region of the
significance level (5%). VAR, in fact, is the minimum loss at the 5% significance
level region. The choice of the confidence level depends on how extreme
events are viewed by the banking organisation. For example, are losses
exceeding 1%, 5% or 7% considered conservative or extreme enough for the
banking organisation?

VAR calculated at the 95% confidence level means that losses are expected to
exceed the VAR only 5% of the time (significance level). This means that over
a one-year horizon (assuming there are 240 trading days in one year), losses
are expected to exceed the VAR only 12 times in a year (= 240 × 5%) or not
more than once a month on average. Conversely, over a one-year horizon,
losses should not be expected to exceed the VAR on 228 trading days (= 240
trading days − 12 days). Table 4.8 summarises the relationship between
confidence level, significance level and the average expected excess over a
one-year horizon.

Confidence Level   Significance Level   Expected Exception per 240 Trading Days
95%                5%                   12 times in one year
97%                3%                   7.2 times in one year
99%                1%                   2.4 times in one year

Figure 8.30: Expected Exceptions Per Confidence Level

The choice of confidence level also depends on the use and particular objective
of VAR.

Capital Setting

• Many banking organisations set their target capital to maintain a high
  credit rating to lower the probability of insolvency.
• For example, to maintain a high credit rating of AA, the risk of insolvency
  must be less than 0.03. This means that the probability of solvency is
  99.97%.
• These banking organisations must select a high confidence level to meet
  these objectives.

Limit Setting

• Banking organisations sometimes select a different confidence level for
  setting market risk limits.
• Setting the size of the market risk limit at a higher confidence level (for
  example, 99%) will result in a higher limit for the bank. This, however,
  implies that the bank does not expect losses to exceed the limit more than
  2.4 times a year.
• This expectation may not be realistic. This is why many banks set a lower
  confidence level (and therefore, a lower market risk limit size) to align
  with market realities.

Regulatory Requirements

• The choice of confidence level may also depend on regulatory requirements.
• For the trading portfolio, Basel II requires banks to set aside a minimum
  capital equal to the 10-day VAR at 99% confidence level.

Figure 8.31: Uses of VAR

8.6.4 Back Testing

VAR models are probabilistic in nature and are not expected to perform all the
time. However, given the high confidence level that is assigned to VAR, it is
important to test the accuracy of the VAR model. Back testing is an approach
used to test the performance of probabilistic models such as VAR against
actual historical outcomes. Back testing is a validation procedure where actual
profit & loss is compared against projected VAR.

[Diagram labels: VAR Estimates; Actual P&L]

Figure 8.32: Back Testing: VAR vs Actual P&L

The discrepancy between the VAR estimates and the actual profit and loss (P&L)
is referred to as the estimation error. To understand the importance
of finding out what the estimation error is, it is important to remember what
question VAR models intend to answer. VAR is the maximum loss assuming a
high confidence level for a given time horizon. In practice, VAR is back tested
against a hypothetical or clean P&L. The clean P&L is adjusted for intraday
deals, fees, and commissions. This aligns the P&L with the VAR calculation,
which does not take into account intraday deals, fees, and commissions. For
example, suppose the daily VAR calculated is USD 1,000,000 assuming a 99%
confidence level. Assuming there are 250 trading days in 1 year, we expect to
lose more than USD 1,000,000 on only 2.5 trading days in 1 year on average. If
there are VAR exceptions on more than 2.5 trading days in one year, then the
failure rate (or overshooting rate) is higher than the chosen confidence level
implies. This means that the VAR model should be checked
for inaccuracy and inability to perform as expected.
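The back test described above can be written as a short routine. This is an added example, not part of the study text: the P&L series is constructed, and the binomial probability goes one step beyond the text by assuming that exceptions on different days are independent.

```python
from math import comb


def count_exceptions(clean_pnl, var_estimates):
    """Days on which the clean P&L loss was larger than that day's VAR."""
    if len(clean_pnl) != len(var_estimates):
        raise ValueError("one VAR estimate is needed per P&L observation")
    return sum(1 for pnl, var in zip(clean_pnl, var_estimates) if -pnl > var)


def expected_exceptions(n_days, confidence):
    """Average number of exceptions a correct model would show."""
    return n_days * (1.0 - confidence)


def prob_at_least(k, n_days, confidence):
    """P(exceptions >= k) for a correct model.

    Assumption (not from the text): exceptions on different days are
    independent, so the count follows a binomial distribution.
    """
    p = 1.0 - confidence
    below_k = sum(comb(n_days, i) * p**i * (1.0 - p) ** (n_days - i)
                  for i in range(k))
    return 1.0 - below_k


def backtest(clean_pnl, var_estimates, confidence):
    """Compare observed exceptions with what the confidence level implies."""
    n_days = len(clean_pnl)
    if n_days == 0:
        raise ValueError("at least one trading day is required")
    observed = count_exceptions(clean_pnl, var_estimates)
    return {
        "days": n_days,
        "observed": observed,
        "expected": expected_exceptions(n_days, confidence),
        "failure_rate": observed / n_days,
        "p_value": prob_at_least(observed, n_days, confidence),
    }


def constructed_year():
    """Constructed sample: 250 clean daily P&Ls against a USD 1,000,000 VAR."""
    pnl = [40_000.0] * 250
    losses = {12: -1_250_000.0, 57: -1_000_000.0, 88: -2_100_000.0,
              143: -1_000_000.01, 190: -3_400_000.0, 201: -1_600_000.0,
              240: -1_050_000.0}
    for day, value in losses.items():
        pnl[day] = value  # day 57 equals the VAR exactly: not an exception
    return pnl, [1_000_000.0] * 250


if __name__ == "__main__":
    pnl, var = constructed_year()
    result = backtest(pnl, var, confidence=0.99)
    print(f"{result['observed']} exceptions in {result['days']} days, "
          f"{result['expected']:.1f} expected")
    print(f"failure rate {result['failure_rate']:.1%}, chance of this many "
          f"or more from a correct model: {result['p_value']:.1%}")
```

A small probability in the last line is the signal that the failure rate is too high for the chosen confidence level to be credible.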

8.6.5 Validation

Back testing is one of the important approaches in validating internal
models including VAR models. One of the lessons learned in various
financial crises is that internal models are not foolproof, and that regular
model validation is an important element in risk governance that will lessen
the chance of misplaced reliance on these models. VAR models must be
examined according to the following parameters:

[Diagram labels: Accuracy; Robustness; Stability of estimation]

Figure 8.33: VAR Validation Parameters

Other than back testing, validation should also be expanded to include the
following points:

• Conceptual soundness of the methodology used in calculating VAR
• Data quality to ensure that the true volatility of a position or portfolio is
  considered
• Correctness of the inputs and length of the dataset used

8.7 VAR CALCULATION METHODOLOGIES

There are three main approaches in calculating VAR. First is the historical simulation
approach. Second is the parametric or normal distribution approach, and third is
the Monte-Carlo simulation approach. Each approach has its own advantages and
disadvantages.

8.7.1 Historical Simulation Approach

Historical simulation VAR is one of the most widely used approaches in the
calculation of VAR. The historical simulation approach uses the historical
distribution of past returns to generate a VAR estimate. Historical simulation
entails the use of historical data of asset returns (e.g., historical data over
the last five years). This approach involves using historical changes in asset
prices or rates to construct a distribution of potential portfolio gains and
losses. The figure below illustrates how historical simulation VAR is typically
estimated.

[Diagram: Market Value of the Position → Actual Historical Returns →
Hypothetical Portfolio → Historical VAR, with Confidence Level and Time Horizon
as inputs]

Figure 8.34: Historical Simulation: Big Picture

The main idea is to take the current market value of the position and then
revalue the position on the basis of the historical returns. These historical
returns are collected over a historical period that depends on the
requirements or standards of the bank. A hypothetical P&L is then generated
for each revalued portfolio. These hypothetical P&Ls are then ranked from
lowest to highest. The historical simulation value-at-risk is the loss at the
(100% − confidence level) worst point of the ranked P&Ls. The illustrative
example below shows how historical simulation VAR is calculated in practice:

Select historical data → Calculate daily returns → Simulate P&L scenarios →
Rank returns from lowest to highest → Calculate the VAR

Figure 8.35: Historical Simulation VAR: Step-By-Step Calculation

Step 1: Select historical data

The first step in the estimation of historical simulation VAR is to select the
applicable historical data. For the historical simulation approach, this is
one of the most important aspects in the estimation of VAR. Should it be a
one-month historical data? One year? Two years? Or even five years? A key
issue that you should be aware of is that there is a trade-off between data
relevance and reliability.

Figure 8.36: Length of Dataset - Trade-Off Between Relevance and Reliability

Longer historical data sets tend to be more reliable as the historical data
covers a wider range of possible price or return scenarios. It also tends to
cover a wider range of economic cycles. Thus, from a statistical standpoint, a
longer dataset will generally result in a more robust VAR estimate as the effect
of statistical errors or biases is diluted. The problem with a long data set is
that it may contain data that may no longer be relevant. This is particularly
true if there is a regime change that has fundamentally altered the future
prospect of an asset class.

An example of a regime change is the developments in the foreign
exchange markets, particularly on the US dollar. Under the Bretton Woods
System (1944−1971), many countries agreed to fix their exchange rates by
tying their domestic currencies to the US dollar. The US dollar, on the other
hand, was linked to gold. This means that each US Dollar (US$1) was
convertible to a certain number of ounces of gold. Countries agreed to buy and
sell US dollars to keep their currencies within one per cent of the agreed
fixed rate. In August 1971, US President Richard Nixon announced the temporary
suspension of the US dollar’s convertibility to gold. This marked the end of
the Bretton Woods System. By March 1973, a major regime shift happened causing
major currencies to float against each other. Data on foreign exchange prior
to the breakdown of the Bretton Woods System will not only be irrelevant in
the analysis of current exposure in US dollar, but it also dilutes the
importance of the more recent and relevant data, namely the post-Bretton Woods
data.

Shorter historical data sets, on the other hand, tend to be more relevant
than longer data sets. This is because recent data is not diluted by the longer
range of data. However, from a statistical standpoint, shorter historical data
tend to be less reliable.

Start Date            1/20/2016
End Date              1/21/2022
Frequency             Daily
No. of Observations   1,486

Figure 8.37: Historical Data Scope

Step 2: Calculate the returns


The next step in the estimation of the VAR under the historical simulation
approach is the calculation of historical daily returns. The historical daily
returns are calculated as the daily percentage change on the price of the
underlying asset.

Daily Percentage Return = (Price Today − Price Yesterday) / Price Yesterday

Figure 8.38: Formula for Daily Returns

Figure 8.39: A Daily Return Calculation

Step 3: Simulate P&L scenarios

After calculating the returns, the next step is to simulate the P&L scenarios.
The objective in this step is to come up with different hypothetical P&L
scenarios using the returns calculated based on the current market value of
the position.

Figure 8.40: Daily P&L Absolute Amount

Step 4: Rank Returns from Lowest to Highest

This step involves a simple exercise of ranking profit and losses (P&L) from
lowest to highest. Column G below shows the hypothetical P&L scenarios
ranked from lowest (highest loss) to highest (highest return).

Figure 8.41: Ranked Returns

Step 5: Calculate the Historical VAR

Recall that VAR is the estimated maximum loss given a confidence level
over a specified time horizon. The estimation of the historical simulation VAR
is straightforward. If the confidence level is 95%, it means that the 95% VAR
is the 5% (= 100% − Confidence Level) worst loss. When the 95% VAR is
calculated using a daily dataset of 1,486 observations, the 95% VAR is
essentially the 5% worst case loss. This means that we will look at the ranked
returns and find the associated P&L of the 74.3rd worst case loss (or the 74th
worst case loss).

Figure 8.42: 95% Historical Simulation VAR

From the ranked returns above, the 95% VAR is at around USD 503,717.34. This
means that 95% of the time, losses are not expected to exceed USD
503,717.34. However, it can be seen that 5% of the time (ranks 1 to
73), losses could exceed the 95% VAR. The 99% VAR is the worst-case loss
99% of the time. This means that using the daily dataset of 1,486 observations,
the 99% VAR will be the 14.86th (= 1% × 1,486) worst case loss or the 15th worst
case loss.

Figure 8.43: 99% Historical Simulation VAR

The 99% VAR is USD 1,020,659.12. From the diagram above, it can be seen that
the worst-case loss 99% of the time is the 15th worst case loss. This means that
99% of the time, losses are not expected to be above this number. However, 1%
of the time, losses can be beyond this number.
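Steps 1 to 5 can be chained together as follows. This is an added example, not the study text's own spreadsheet: the price series is a constructed random walk, the USD 100,000,000 position size is hypothetical, and rounding the tail rank to the nearest whole number is an assumption chosen to match the 74th and 15th worst losses used above.

```python
import math
import random


def daily_returns(prices):
    """Step 2: (price today - price yesterday) / price yesterday."""
    return [(today - prev) / prev for prev, today in zip(prices, prices[1:])]


def simulate_pnl(returns, market_value):
    """Step 3: revalue today's position under each historical return."""
    return [r * market_value for r in returns]


def tail_rank(n_obs, confidence):
    """Rank of the VAR scenario in the ranked P&L list (1 = worst loss).

    Assumption: (100% - confidence) x observations is rounded to the
    nearest whole rank, which reproduces the text's 74.3 -> 74th and
    14.86 -> 15th. Other rounding conventions exist.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return max(1, math.floor(n_obs * (1.0 - confidence) + 0.5))


def historical_var(pnl, confidence):
    """Steps 4-5: rank P&L from lowest to highest and read off the VAR."""
    if not pnl:
        raise ValueError("at least one P&L scenario is required")
    ranked = sorted(pnl)  # index 0 holds the largest loss
    scenario = ranked[tail_rank(len(ranked), confidence) - 1]
    return max(0, -scenario)  # VAR quoted as a positive loss amount


def constructed_prices(n=1487, seed=7):
    """Step 1 stand-in: a seeded random walk. Constructed, not market data."""
    rng = random.Random(seed)
    prices = [100.0]
    for _ in range(n - 1):
        prices.append(prices[-1] * (1.0 + rng.gauss(0.0, 0.0033)))
    return prices


if __name__ == "__main__":
    market_value = 100_000_000  # hypothetical position size in USD
    pnl = simulate_pnl(daily_returns(constructed_prices()), market_value)
    for level in (0.95, 0.99):
        print(f"{len(pnl)} scenarios, {level:.0%} VAR = USD "
              f"{historical_var(pnl, level):,.2f} "
              f"(rank {tail_rank(len(pnl), level)})")
```

With 1,487 prices there are 1,486 returns, so the ranks printed are the same 74th and 15th worst losses as in the worked example; the dollar amounts differ because the data is constructed.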

Advantages

1. Based on actual historical market returns. Historical simulation does
   not rely on theoretical statistical distributions to estimate the
   distribution of potential losses. Historical simulation does not assume
   that price changes are normally distributed. It is not model based in the
   sense that it uses actual historical market returns as basis.

2. Easy to understand and explain to management. Historical simulation
   relies on historical market returns as a basis to estimate losses. The idea
   is that the recent past statistical distribution of a portfolio’s returns
   will be used as the basis for predicting the likely distribution of a
   portfolio’s returns in the future. This is one of the reasons why
   historical simulation as a VAR calculation methodology is popular.

3. Easy to implement. Historical simulation is easy to implement in
   practice. It is not difficult to implement the historical simulation
   approach in a spreadsheet. It does not require intensive calculation
   compared to other simulation approaches such as the Monte Carlo
   Simulation. It is easy to implement the historical simulation approach as
   long as data is available.

4. Provides insight on black swan events (if included in the dataset).
   Historical simulation approach may provide insights on black swan events
   or tail risk events. These are extreme but rare events. The main problem
   with models that rely on assumptions that price changes are normally
   distributed is that they assume that markets are normal. Historical
   simulation captures the actual characteristics of portfolio value changes
   as VAR is calculated using actual market return distribution. Therefore, as
   long as extreme events or black swan events are contained in the historical
   dataset, they will be captured by the historical VAR.

Disadvantages

1. Data requirements. Historical simulation requires a large amount of data
   in order to have a reasonable statistical accuracy. Estimating a 99%
   historical VAR based on 240 days of historical data may not be enough to
   have a robust estimate of future market risk exposure. Short data sets may
   provide an imprecise measure of market risk.

2. Reliance on historical data. One of the significant limitations of
   historical simulation is that it relies on historical data to measure
   potential losses. There may be differences in current and historical market
   price volatility. Historical VAR is limited to events that are reflected in
   the historical data selected. Extreme but rare events such as the 2008
   financial crisis, the 1998 Long Term Capital Management crash and the 1987
   stock market crash are either not captured or lie outside the historical
   dataset. Many VAR models relying on historical distribution failed to
   capture the unprecedented 2008 financial crisis.

3. Limitations in measuring complex positions. While historical simulation
   is more flexible than models that rely on statistical distribution, there
   are limitations on the ability of historical data to capture a material
   loss scenario for complex option positions. This is particularly true for
   financial instruments with complex payoff. Historical data availability
   will usually give narrower price scenarios than model-simulated data (e.g.,
   loss data that is simulated using the Monte Carlo simulation).

Figure 8.44: The Pros and Cons of Historical Simulation

8.7.2 Parametric Approach

The parametric approach or the analytical approach is a VAR calculation
methodology that relies on the assumption that returns are normally
distributed. This is why the parametric approach is sometimes referred to as
the normal distribution or the delta normal approach. The normal distribution
is characterised by two parameters, the mean (average) and standard
deviation. The mean or average is the central value of a range of observations.
The concept of mean or average plays a central role in risk management. An
important concept in financial risk management is the observation that while
in the short-run returns are not predictable, in the long-run asset values and
returns will revert to their long-term average. This concept is also referred to
as mean reversion.

Standard deviation is a measure of the dispersion or spread of a set of data
from the mean. It measures how much a series of values vary around the
mean. The higher the dispersion or spread of the data set, the higher the
standard deviation is. Standard deviation plays a very important role in risk
management. It is the most common measurement of market risk. Standard
deviation measures the degree of fluctuations of a series of values against
the mean. The greater the fluctuation, the higher the uncertainty and the higher
the risk. In risk management, standard deviation is frequently referred to as
the volatility. Mathematically, standard deviation or volatility is represented
by the symbol σ.

The probability of any value occurring can be determined by calculating how
many standard deviations separate the value from the mean. The three-sigma or
standard deviation rule posits that nearly all possible values lie within three
standard deviations of the mean. This has led to a helpful rule of thumb, the
68-95-99.7 Rule, which describes the probability of any value occurring within
one, two and three standard deviations respectively.

Standard Deviation      Probability
1 Standard Deviation    68%
2 Standard Deviation    95%
3 Standard Deviation    99.7%

Figure 8.45: No. of Standard Deviation and Probability

Returns are symmetric – This means that positive deviations and negative
deviations from the mean are equally likely to occur. The main attractiveness
of the parametric approach in the estimation of VAR is the simplicity in
the calculation approach. This makes it one of the easiest VAR calculation
methodologies to implement. The parametric VAR can be estimated using
the following equation:

Parametric VAR = (μ + σZ) x MV

where μ = mean or average, σ = standard deviation, Z = Z-score and
MV = market value

Figure 8.46: Parametric VAR Formula

Parametric VAR relies only on two parameters, the mean or average return
and the standard deviation or volatility.

Illustrative Example–8

The parametric VAR


Step 1: Calculate the Average Returns
The first step in the estimation of parametric VAR is the calculation of the
average of returns. You should take note that there is subjectivity in this
exercise. Which average should be taken? Five-year? One-year? Or one-
month? The average return should be the long-run average expected
return. For this illustration, we used the average of daily returns over the
5-year horizon using daily data. The average return is 0.0027%.

Step 2: Calculate the Volatility or Standard Deviation of Returns


The next step in the calculation of parametric VAR is the estimation of the
volatility of returns. The volatility of returns is measured by the fluctuation
or deviation of each return relative to the mean or average. This is why
the volatility of returns is measured by the standard deviation. The higher
the standard deviation, the higher the fluctuation or deviation of each
return is relative to the mean. Recall in the earlier chapters that standard
deviation measures the distance away (dispersion) from a central value
called average. The standard deviation for the daily return observations is
at 0.33%.

Step 3: Determine the Z-Score


This step involves the selection of the confidence level. The confidence
level will be used as the basis for calculating the Z-score or the standard
score. The Z-score or the standard score measures the number of standard
deviations that the range of data is away from the mean. The higher the
confidence level, the higher the Z-score is. The Z-score is an important input
in the calculation of the parametric VAR. Table 4.12 shows the common
Z-scores used in practice. Below are some of the most commonly used
confidence levels and their associated Z-scores:

Confidence Levels   Z-scores
90%                 1.282
95%                 1.645
97%                 1.881
99%                 2.326

Step 4: Calculate the Parametric VAR


The parametric VAR can be estimated using the formula below:

Parametric VAR = (μ + σΖ) x MV

Average = 0.0027%
Standard Deviation = 0.33%
Market Value = USD 100,000,000

Parametric VAR at 95% Calculation


VAR at 95% = (0.0027% + 0.33% x 1.645) x USD 100,000,000
= USD 533,117.00

Parametric VAR at 99% Calculation


VAR at 99% = ( -0.0027% + 0.33% x 2.326) x USD 100,000,000
= USD 754,921.76

Advantages of parametric approach

1. Parametric approach to VAR is the simplest and easiest method in VAR
   estimation to implement. Smaller banks typically use the parametric
   approach as the initial VAR model before migrating to more sophisticated
   VAR tools.
2. Parametric approach relies only on two parameters, the average and
   standard deviation, that can easily be obtained in practice.

Disadvantages of parametric approach

1. The main weakness in the application of parametric approach is the
   assumption that returns are normally distributed. In finance, the normal
   distribution assumption has been heavily criticised.
2. Assumes normally distributed returns in a market environment where
   outliers (extreme but rare events) exist more frequently than what the
   normal distribution assumes.
3. Parametric approach is inappropriate for financial instruments with more
   complex features (e.g., exotic derivatives and options).

Figure 8.47: Pros and Cons of Parametric VAR

8.7.3 Monte Carlo Simulation Approach

The Monte Carlo simulation methodology is a computational approach that
uses iterative random sampling to generate scenarios. The Monte Carlo
simulation approach estimates VAR by simulating multiple fictional risk factor
scenarios and revaluing current market positions at each simulation trial. The
calculation approach is similar to how historical simulation VAR is calculated.
The main difference between the two is that the Monte Carlo Simulation
does not rely on historical distribution in the calculation of VAR. Instead, this
approach relies on statistical distributions such as the normal distribution
(similar to the parametric model).

The Monte Carlo simulation approach is the most flexible and powerful
method in VAR calculation. It is used to calculate VAR for complex positions
(e.g., exotic derivatives) that cannot be adequately captured by other VAR
calculation approaches. Below are the advantages and disadvantages of
using the Monte Carlo simulation approach.

Advantages

• Monte Carlo Simulation VAR is a powerful and flexible approach in the
  calculation of VAR.
• It can accommodate any distribution of risk factor.
• The methodology is flexible and can accommodate the calculation of VAR for
  financial instruments with complex payoff.

Disadvantages

• Monte Carlo Simulation is computationally intensive.
• It can accommodate any distributions including a distribution that
  captures extreme events.

Figure 8.48: Pros and Cons of Monte Carlo Simulation Approach

8.8 EXPECTED SHORTFALL

Expected shortfall is a risk measure sensitive to the shape of the tail of the distribution
of returns on a portfolio, unlike the more commonly used value-at-risk (VAR).
Expected shortfall is calculated by averaging all of the returns in the distribution that
are worse than the VAR of the portfolio at a given level of confidence. For instance,
for a 95% confidence level, the expected shortfall is calculated by taking the average
of returns in the worst 5% of cases.
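Applying this definition at 99% to two constructed P&L sets shows what the tail average adds: both sets have the same VAR, but very different expected shortfall. This is an added example, not from the study text; the P&L figures, the nearest-rank tail size and the inclusion of the VAR scenario itself in the tail average are assumptions.

```python
import math


def var_and_es(pnl, confidence):
    """Return (VAR, expected shortfall) as positive loss amounts.

    Assumptions: the tail is the worst (100% - confidence) share of the
    scenarios, rounded to the nearest whole count, and the VAR scenario
    itself is included in the tail average.
    """
    if not pnl:
        raise ValueError("at least one P&L scenario is required")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    ranked = sorted(pnl)  # largest loss first
    k = max(1, math.floor(len(ranked) * (1.0 - confidence) + 0.5))
    tail = ranked[:k]
    var = -tail[-1]        # boundary of the tail
    es = -sum(tail) / k    # average loss inside the tail
    return var, es


def within_var_limit(pnl, confidence, limit):
    """True when the portfolio's VAR does not exceed the VAR-based limit."""
    return var_and_es(pnl, confidence)[0] <= limit


def portfolio_a():
    """Constructed: 1,000 scenarios with a thin tail just beyond USD 1m."""
    tail = [-(1_000_000 + 10_000 * i) for i in range(10)]
    return [20_000] * 990 + tail


def portfolio_b():
    """Constructed: same boundary loss, but nine USD 100m tail scenarios."""
    tail = [-1_000_000] + [-100_000_000] * 9
    return [25_000] * 990 + tail


if __name__ == "__main__":
    limit = 1_000_000  # hypothetical 99% VAR limit in USD
    for name, pnl in (("A", portfolio_a()), ("B", portfolio_b())):
        var, es = var_and_es(pnl, 0.99)
        print(f"Portfolio {name}: 99% VAR = USD {var:,.0f}, "
              f"99% ES = USD {es:,.0f}, "
              f"within limit: {within_var_limit(pnl, 0.99, limit)}")
```

Both portfolios pass a USD 1,000,000 VAR limit, yet the expected shortfall of portfolio B is dominated by the USD 100,000,000 scenarios that VAR does not describe.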

8.8.1 Criticisms Against VAR

VAR as a risk measure has received considerable criticism, particularly
during the aftermath of the 2008 financial crisis. Many blamed VAR not only
for its failure to predict the 2008 financial crisis but also for exacerbating the
impact of the crisis.

In the report entitled “The Turner Review: A Regulatory Response to the Global
Banking Crisis” (March 2009), the misplaced reliance on mathematically
sophisticated risk measurement techniques particularly the VAR framework
was enumerated as one of the causes of the 2008 financial crisis.

i. Procyclicality – One of the criticisms against VAR is that the use of VAR
tends to amplify business cycle fluctuations, which causes or exacerbates
financial instability. This is referred to as the problem of the procyclicality
of risk models.

During periods of low volatility, VAR gives an impression of lower risk. This
encourages build-up of market risk exposure and ties up more capital with
the market risk position when this is the ideal time to consider building up
capital.

During periods of high volatility, VAR gives an impression of higher risk. This
encourages banks to unwind existing market risk positions at a time when
it is less optimal to do so. As the market collectively loses confidence in
the market risk position, a vicious cycle of amplifying volatility occurs.

ii. Tail risk – At the centre of all the criticisms against VAR is that it ignores
tail risk. Tail refers to the leftmost and rightmost part of the statistical
distribution. The leftmost part is the portion where extreme negative values
reside. The rightmost part is the portion where extreme positive values are.
The leftmost and the rightmost parts contain extreme scenarios that are
expected only to occur rarely. These are also referred to as high impact,
low probability risks.

[Diagram labels: Distribution tail; VAR coverage]

Figure 8.49: Tail Risk Illustration

Recall that one of the central assumptions of the normal distribution is that
most observations lie in the centre (at the peak of the distribution). Hence,
the reliance on central value measures such as average. Tail risk refers to
the probability of rare events occurring (more specifically, the probability
that the leftmost part of the distribution will occur). The more technical
definition of tail risk is the probability that a three-sigma or standard
deviation event occurs. A three-sigma event entails breaching a 99.97%
confidence level which indicates how rare these events are, i.e., these
events are expected to occur only 0.03% of the time.

VAR is the maximum risk given a certain confidence level. For regulatory
capital setting purposes, a 10-day VAR using 99% confidence level is used.
This means that sufficient capital is set aside if market risk losses fall within
the 99% confidence level band. The 2008 financial crisis proved however
that during stressed scenarios even a high confidence level of 99% is not
sufficient. The VAR gives a picture on what the maximum loss is within the
99% region. However, the VAR measure totally ignores the losses on the 1%
region. The VAR does not give information on what is the maximum loss
or the likely loss in the 1% region. In fact, what risk managers know is that
the VAR measure calculated using 99% confidence level is the minimum
loss in the 1% region. This means that VAR is only useful during normal market
conditions. During stressed conditions, VAR may not be a sufficient (or
even a necessary) risk measure.


Managing risks using the VAR framework had also encouraged
unacceptable risk-taking behaviour among traders. Many traders
designed their market risk position to comply with the VAR-based limits set
by senior management. For example, if the 99% one-day VAR limit is US$1
million, the trader can design a portfolio that complies with the limit (i.e.,
maximum loss not expected to exceed US$1 million 99% of the time) but
may expose the bank to a 1% chance of losing US$100 million because the
1% region is not within the coverage of VAR.

iii. Expected shortfall – One of the main criticisms against VAR is that it
provides a maximum estimate of loss during normal market conditions.
However, it does not provide any answers or insights to the losses that may
be incurred if stressed market conditions occur. In May 2012, the BCBS had
provided a proposal to replace the VAR framework with a risk measure
designed to capture tail risk—expected shortfall (ES).

Figure 8.50: Expected Shortfall (figure labels: Expected shortfall; VAR coverage)

Expected shortfall measures the average loss over a given time horizon
assuming that the loss is greater than the confidence level selected. In
contrast to VAR which ignores the tail, the expected shortfall focuses on
the tail losses. Expected shortfall is the average or the central value of the
tail. In calculating the expected shortfall using the historical simulation
approach, the same procedure from step 1 to step 3 is followed (i.e., calculate
daily returns, simulate P&L scenarios and rank returns from lowest to highest).

The only thing that differs is the focus of the analysis. Whereas the historical
simulation approach focuses on the 99% confidence level region, expected
shortfall focuses on the tail (i.e., the 1% significance level). The expected shortfall
at 99% confidence level is the average of the observations that are not covered
by the 99% VAR.
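The ranking procedure above, carried through in Python as an added example that is not part of the study text. All P&L figures are constructed, and the reading of the ranked data (VAR is the k-th worst of N scenarios with k = N x (1 - confidence); ES is the average of the k - 1 worse ones) is an assumption. It also replays the limit case described earlier: both portfolios pass a US$1 million 99% VAR limit, and only ES shows the difference in the tail.

```python
"""Historical-simulation VAR and expected shortfall (ES) on ranked P&L.

Added illustration. Function names, the filler values and both portfolios
are constructed for this example.
"""
from typing import List, Sequence, Tuple


def var_and_es(pnl: Sequence[float], confidence: float) -> Tuple[float, float]:
    """Return (VAR, ES) as positive loss amounts.

    Assumed convention: rank the N scenarios from lowest to highest P&L.
    VAR is the k-th worst outcome, k = N * (1 - confidence).
    ES is the average of the k - 1 outcomes that are worse than the VAR,
    i.e. the observations the VAR does not cover.
    """
    n = len(pnl)
    k = round(n * (1 - confidence))
    if k < 2:
        raise ValueError("too few scenarios: nothing lies beyond the VAR")
    ranked = sorted(pnl)            # lowest (worst) P&L first
    var = -ranked[k - 1]            # k-th worst outcome
    tail = ranked[: k - 1]          # outcomes beyond the VAR
    es = -sum(tail) / len(tail)     # average tail loss
    return var, es


def build_scenarios(worst_losses: Sequence[float], n: int = 500) -> List[float]:
    """Constructed data set of n daily P&L scenarios.

    The given worst losses are entered as negative P&L; the remaining
    scenarios are filler between -400,000 and +400,000, so they never
    rank among the worst losses used below.
    """
    filler = [(i % 17 - 8) * 50_000 for i in range(n - len(worst_losses))]
    return [-loss for loss in worst_losses] + filler


def within_var_limit(pnl: Sequence[float], limit: float,
                     confidence: float = 0.99) -> bool:
    """True when the portfolio's VAR is inside the VAR-based limit."""
    return var_and_es(pnl, confidence)[0] <= limit


VAR_LIMIT = 1_000_000  # 99% one-day VAR limit, as in the trader example

# Portfolio 1 (constructed): losses grow gradually into the tail.
PLAIN = build_scenarios([1_300_000, 1_200_000, 1_100_000, 1_000_000, 900_000])

# Portfolio 2 (constructed): same 5th-worst loss, but the four scenarios
# beyond it each lose 100 million.
TAIL_HEAVY = build_scenarios([100_000_000] * 4 + [900_000])


if __name__ == "__main__":
    for name, pnl in (("plain", PLAIN), ("tail-heavy", TAIL_HEAVY)):
        var, es = var_and_es(pnl, 0.99)
        ok = within_var_limit(pnl, VAR_LIMIT)
        print(f"{name:10s} VAR99={var:>13,.0f} ES99={es:>13,.0f} "
              f"within VAR limit: {ok}")
```
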


Figure 8.51: Ranked Returns Data

8.9 CREDIT VALUE ADJUSTMENT (CVA)

A derivative instrument is a contractual agreement between two parties to exchange
cash flows. In most cases, these cash flows happen in the future (for forwards and
swaps). Derivatives are marked to market with changes in fair value reflected in
profit or loss (P&L). Prior to the 2008 financial crisis, derivative contracts were valued
using valuation approaches that ignored the ability of both parties in the contract to
perform their obligations in the contract. In other words, counterparty credit risk was
ignored in the pricing of these derivative transactions.

As a result, banks suffered huge losses in their derivative portfolios as counterparty
credit deteriorated and the risk that counterparties would not be able to fulfil their
obligations under the contract increased. To understand this concretely, below is
a short illustrative case of a defaulting Malaysian importer in the simplest type of
derivative transaction (a forward contract):


Illustrative Example–9

A Malaysian importer entered into a USD/MYR forward contract with
June Bank. In the contract, the Malaysian importer is obliged to buy USD
10,000,000 from June Bank at MYR 4.00 after 1 year.

[Diagram: Malaysian Importer pays MYR 40,000,000 to June Bank; June Bank delivers USD 10,000,000 to Malaysian Importer]

In the case above, if USD/MYR decreases to MYR 3.00 per USD, the Malaysian
Importer will need to buy USD 10,000,000 at MYR 40,000,000 (at MYR 4.00)
when the market prices USD at MYR 3.00.

June Bank Receives: MYR 40,000,000
June Bank Pays: MYR 30,000,000 (USD 10,000,000 at MYR 3.00/1 USD)

This means that June Bank has a credit exposure or receivable equal to
the present value of MYR 10,000,000 in the event that the importer client
defaults. However, what if the probability of default or loss given default
(i.e., credit risk) of the importer client increases? The value of June Bank’s
receivable can be anywhere between 0 and the present value of MYR
10,000,000.

From the illustration above, the fair value of the derivative exposure can be
decomposed into two main factors, the change in market factors and the
change in credit factors. The change in market factors will determine whether
the bank will have a positive or negative exposure. In the case above, if US$/
MYR is above 4.00, the other party (i.e., Malaysian importer) will be exposed to
June Bank. The change in credit factors is the ability of the other party to fulfil
their obligations under the derivative contract. As credit risk increases, the
expected value of the bank’s positive exposure decreases.


Figure 8.52: MTM of Exposure (figure labels: Change in market factors; Change in credit factors; MTM of Exposure)

This is why under IFRS 13, all over-the-counter derivative transactions must incorporate
a fair value adjustment to take into account the credit risk. This adjustment can be
divided into two forms:

i. Credit valuation adjustment – This is an adjustment to the fair value of the
derivative transaction to reflect the counterparty’s credit risk.
ii. Debit valuation adjustment – This is an adjustment to the fair value of the
derivative transaction to reflect an entity’s own credit risk.

Credit valuation adjustment (CVA) is an adjustment to the fair value of over the
counter (OTC) derivatives to take into account counterparty credit risk. CVA is the
price of counterparty credit risk. The price of counterparty credit risk depends on:

• Counterparty credit spreads
• Market risk factors that affect the market value of the derivative exposure

Illustrative Example–10

SIM Bank has existing derivative asset exposure of USD 100 million. This value is
determined using a valuation approach that ignores the impact of credit risk.
After considering the impact of counterparty credit risk, SIM Bank calculated the
CVA adjustment to be at USD 5 million.

How does this impact the balance sheet of SIM Bank?

SIM Bank Balance Sheet

Derivative Asset (credit risk-free) USD 100,000,000

CVA Adjustment (USD 5,000,000)

Derivative Asset (Net of CVA Adjustment) USD 95,000,000


If counterparty credit improves, the CVA adjustment decreases and the derivative asset
value net of CVA adjustment increases. On the other hand, if counterparty
credit deteriorates, the CVA adjustment increases and the derivative asset value
net of CVA adjustment decreases. The complexity in determining CVA is as
follows:

i. Uncertainty of exposure at default – In a traditional loan exposure, exposure
at default can be easily determined (principal plus accrued interest). In
the case of derivative transactions, the exposure at default depends on
market risk factors. Therefore, some modelling is required to estimate the
exposure at default.
ii. Bilateral nature of many derivative transactions – One other factor that
complicates the calculation of CVA is the fact that many derivative
transactions (for example, forwards and swaps) are bilateral in nature.
This means that it is also uncertain who will be the exposed party (i.e.,
the bank could have a positive or negative exposure). In contrast, in a loan
exposure, it is clear that the lending bank is always the exposed party.

Bilateral counterparty credit valuation framework requires banks to recognise
fair value adjustment from deterioration of own credit (i.e., own non-performance
in the derivative contract). Debit valuation adjustment (DVA) is
an adjustment to the fair value of over the counter (OTC) derivatives to take
into account an entity’s own credit risk. The price of counterparty credit risk
depends on:

• Own credit spread
• Market risk factors that affect the market value of the derivative exposure

Illustrative Example–11

SIM Bank has existing derivative liability (what it owes to the other party in
the derivative contract) of USD 100 million. This value is determined using a
valuation approach that ignores the impact of credit risk. After considering
the impact of own default, SIM Bank calculated the DVA adjustment to be
at USD 5 million.

How does this impact the balance sheet of SIM Bank?

SIM Bank Balance Sheet

Derivative Liability (credit risk-free) USD 100,000,000

DVA Adjustment (USD 5,000,000)

Derivative Liability (Net of DVA Adjustment) USD 95,000,000


If own credit deteriorates, the debit valuation adjustment increases, and this
results in lower derivative liability balance. Lower derivative liability balance
means a gain is recognised in the bank’s income statement. If own credit
improves, the debit valuation adjustment decreases, and this results in higher
derivative liability balance. Higher derivative liability balance means a loss is
recognised in the bank’s income statement. This results in a counterintuitive
outcome for the bank, where the bank stands to gain from a performance
standpoint if its own credit deteriorates and stands to lose from a performance
perspective if its own credit improves.

Boxed Article–4

Bank’s Profits Boosted by DVA Rule


Bank profits can be inflated due to a new accounting rule that allows them
to book a gain when their own credit risk increases (and the value of their
debt falls). Debit value adjustment (DVA) rule works on the assumption
that if a bank went into the market today to buy back its own debt, and
the bonds have fallen in value since they were issued, then the bank can
recognise a gain on this difference.

Note: The buyer here refers to the bank (issuer of the debt).

Bank of America would have reported a loss were it not for the DVA gain,
while Goldman Sachs’ third-quarter loss would have been even larger
were it not for the accounting effect from the drop in value of its debt. “It’s
a nonsense figure and we will strip it out of the bank’s results,” said one
head of bank research based in London.

Even chief executives of banks that have benefited from the adjustment
have said they do not like the rule, which has the converse effect of
requiring them to book a loss when they are doing better as their bonds
will often have risen in value”

Source: The Independent

Calculation methodology
There are different approaches in calculating these adjustments. One of the
most common approaches is the expected future exposure approach. The
expected exposure approach involves the simulation of different mark-to-
market scenarios of the derivative exposure. CVA is calculated by taking the
average of all positive exposures (i.e., where the counterparty owes the bank
money). This is also known as the expected positive exposure. After which, this
amount is multiplied by the counterparty’s probability of default.


DVA, on the other hand, is calculated by taking the average of all negative
exposures (i.e., where the bank owes the counterparty money). This is also
known as the expected negative exposure. After which, this amount is
multiplied by own probability of default. This is considered to be the most
theoretically sound approach in calculating CVA and DVA but is the costliest
to implement. Another approach in calculating CVA is to calculate based on
the cost of hedging approach. In this approach, CVA is estimated to be equal
to the theoretical cost to purchase credit protection depending on the forecast
exposure of the derivative transaction. It takes into account forecast exposure
(based on current forecast) but does not consider potential future exposure.
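The expected exposure approach described above, applied to the USD/MYR forward of Illustrative Example 9 as an added example that is not part of the study text. The FX scenarios, the probabilities of default and the function names are constructed; the example assumes a single horizon at maturity, no discounting, equally weighted scenarios, expected exposure averaged over all scenarios with the other side floored at zero, and a loss given default of 100% unless stated.

```python
"""CVA and DVA by the expected exposure approach (added illustration)."""
from dataclasses import dataclass
from typing import Sequence

NOTIONAL_USD = 10_000_000   # from Illustrative Example 9
FORWARD_RATE = 4.00         # MYR per USD, from Illustrative Example 9

# Constructed USD/MYR rates at maturity, one per simulated scenario.
FX_SCENARIOS = [3.00, 3.20, 3.40, 3.60, 3.80, 4.00, 4.10, 4.20, 4.40, 4.60]


def bank_mtm(spot: float) -> float:
    """MYR value of the forward to June Bank.

    June Bank receives MYR at 4.00 and delivers USD worth `spot`, so the
    exposure is positive (importer owes the bank) when spot is below 4.00.
    """
    return (FORWARD_RATE - spot) * NOTIONAL_USD


@dataclass
class Adjustments:
    risk_free_value: float  # average MTM ignoring credit risk
    epe: float              # expected positive exposure
    ene: float              # expected negative exposure (as a positive number)
    cva: float
    dva: float

    @property
    def adjusted_value(self) -> float:
        """Fair value after both adjustments: CVA lowers it, DVA raises it."""
        return self.risk_free_value - self.cva + self.dva


def expected_exposure_adjustments(mtm: Sequence[float], counterparty_pd: float,
                                  own_pd: float, lgd: float = 1.0) -> Adjustments:
    """Average the positive and negative exposures, then apply each party's PD."""
    n = len(mtm)
    epe = sum(max(v, 0.0) for v in mtm) / n    # counterparty owes the bank
    ene = sum(max(-v, 0.0) for v in mtm) / n   # bank owes the counterparty
    return Adjustments(
        risk_free_value=sum(mtm) / n,
        epe=epe,
        ene=ene,
        cva=epe * counterparty_pd * lgd,
        dva=ene * own_pd * lgd,
    )


MTM_SCENARIOS = [bank_mtm(s) for s in FX_SCENARIOS]

if __name__ == "__main__":
    cases = {
        "base (cpty PD 2%, own PD 1%)": (0.02, 0.01),
        "counterparty deteriorates (PD 10%)": (0.10, 0.01),
        "own credit deteriorates (PD 5%)": (0.02, 0.05),
    }
    for label, (cpty_pd, own_pd) in cases.items():
        a = expected_exposure_adjustments(MTM_SCENARIOS, cpty_pd, own_pd)
        print(f"{label:36s} EPE={a.epe:,.0f} ENE={a.ene:,.0f} "
              f"CVA={a.cva:,.0f} DVA={a.dva:,.0f} "
              f"adjusted value={a.adjusted_value:,.0f}")
```

The third case shows the counterintuitive DVA effect discussed earlier: with nothing else changed, a higher own probability of default raises the adjusted value.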

Boxed Article–5

Microsoft Corporation entered into a 5-year interest rate swap where
Microsoft receives 3m LIBOR and pays a fixed rate of 0.5166% p.a. for USD
10,000,000 notional.

For this trade, using Microsoft’s credit default swaps curve, the credit
valuation adjustment would be around USD 2,700.

Below is the exposure profile of the trade:


A couple of things to note from the exposure:

• Credit valuation adjustment is USD 2,762 and is a function of the expected
positive exposure, probability of default of Microsoft and loss given default.
• The exposure peaks at the end of 2 years (even if this is a 5-year interest
rate swap).
• The maximum expected exposure is USD 77,727.95.

8.10 SETTLEMENT AND PRE-SETTLEMENT RISK

Pre-settlement risk refers to the possibility that one party in a contract will fail to
fulfil their obligations before the contract is settled. For the non-defaulting party, this
will result in a replacement cost risk as the affected party must enter into another
transaction to replace the old one. Pre-settlement risk is usually calculated as the
higher future potential exposure. Settlement risk refers to the risk that one party will
fail to deliver payments at the time of settlement. This is also known as Herstatt or
delivery risk. Settlement risk is usually calculated as the highest notional amount to
be exchanged.

8.11 NETTING CLOSE OUT AND INTERNATIONAL SWAPS AND DERIVATIVES ASSOCIATION (ISDA)/CREDIT SUPPORT ANNEX (CSA)

International Swaps and Derivatives Association (ISDA) is an organisation established
in 1985 with the main objective of making the global derivatives markets safer and
more efficient. ISDA’s most important work is the publication of the ISDA Master
Agreement. The ISDA Master Agreement governs the legal and credit relationship
between the parties specified.


The ISDA includes the following:

• Representations of different parties
• Netting provisions
• Events of default
• Termination events
• Schedule which amends the standard provisions in the ISDA

ISDA covers all over-the-counter derivative transactions entered into between
two parties, whereas Credit Support Annex (CSA) supplements ISDA and governs
collateralisation agreements between two parties with respect to derivative
exposures.

Single agreement concept


The ISDA allows the application of the single agreement concept which is a vital
provision that allows efficient risk management of derivative transactions. This
means that transactions entered into under an ISDA Master Agreement do not
create separate and distinct contracts between the parties. The practical benefit of
this concept is the ability to net payment obligations under multiple transactions in
order to determine a net amount payable at the ISDA level.

Illustrative Example–12

Bank A and Bank B entered into multiple derivative transactions where:

Transaction 1: Bank A needs to pay to Bank B USD 1,000,000
Transaction 2: Bank A receives from Bank B USD 800,000
Transaction 3: Bank A receives from Bank B USD 300,000

If the single agreement concept is applied, on the ISDA level, Bank A nets out its
receivable of USD 1,100,000 against its own payable to Bank B of USD 1,000,000.
This means that on a net basis Bank A’s net exposure is only USD 100,000.

Events of default
The ISDA Master Agreement (referred to as ISDA in this chapter) empowers the
affected party to terminate the transaction early when there is an event of default.
The event of default under the ISDA is reasonably expansive and covers a wide variety
of default events.


Figure 8.53: Events of default under ISDA (figure labels: Failure to pay or deliver; Breach/repudiation of agreement; Credit support default; Misrepresentation; Default under specified transaction; Cross default; Bankruptcy; Merger without assumption)

Failure to pay or deliver refers to failure by any party to make payments or deliveries
when due under the ISDA Master Agreement. Breach or repudiation of agreement
refers to failure by any party to comply with any agreement or obligation under
the ISDA. This also covers situations where any party challenges the validity of the
ISDA Master Agreement, as such action (i.e., repudiation) clearly demonstrates the
intention not to perform or honour its contractual obligations under the Master
Agreement.

Credit support default applies to situations where obligations under the ISDA Master
Agreement are covered by external credit support or guarantee. The failure of the
credit support to continue to be effective may constitute an event of default.
Misrepresentation refers to breaches in representation under the ISDA Master
Agreement.

Default under specified transaction refers to default in transactions that are
not governed by the ISDA Master Agreement (for example, securities financing
transaction) but are specified transactions under the ISDA.

Cross default refers to default under agreements related to borrowed money (for
example, under loan agreements). Cross default is subject to minimum pre-agreed
threshold of default (referred to as threshold amount).

Illustrative Example–12

Threshold Amount: USD 10,000,000

Company A defaulted on a loan with Bank D (loan value at USD 5,000,000).
Company B defaulted on a loan with Bank E (loan value at USD 12,000,000).
Bank C has outstanding derivative transactions with Company A and B governed
under the ISDA Master Agreement. Can Bank C call this an event of default?

For Company A: No. Because this is below the default threshold amount.
For Company B: Yes. Because the defaulted amount is above the threshold
amount under the ISDA.


Bankruptcy refers to situations where the counterparty filed for insolvency
proceedings. This usually indicates the borrower’s inability to repay their obligations
as they come due. Merger without assumptions refers to situations where the
counterparty merges or transfers substantially all of its assets resulting in material
deterioration of the counterparty to repay their obligations.

Termination events
There are certain events that could empower one or both parties in the ISDA to
terminate the transaction early. These events are not necessarily default events but
could possibly significantly alter the parties’ ability to fulfil their obligations under the
ISDA.

Figure 8.54: ISDA Credit Events (figure labels: Illegality; Force majeure; Tax event; Tax event upon merger; Credit event upon merger; Additional termination event)

i. Illegality is a termination event that applies if it becomes unlawful to make
or receive payments under the ISDA (for example, external credit guarantee
becomes unlawful and therefore, ineffective).
ii. Force majeure is a catch-all provision outside illegality that would impair the
ability of any party to fulfil their obligations under the ISDA.
iii. Tax event refers to any change in tax law that could impact the ability of either
party to fulfil their obligations under the ISDA.
iv. Tax event upon merger is similar to tax event except that this is a result of one
party’s merger.
v. Credit event upon merger is a termination event that refers to an entity being
subject to a merger, acquisition or restructuring, the effect of which is a materially
weaker credit than the original counterparty when the ISDA was negotiated.
vi. Additional termination events are pre-agreed events between counterparties that
would constitute a termination event (for example, maintenance of ownership,
credit rating downgrade below a certain rating threshold).


SUMMARY

• Market risk is the risk arising from the effect on P&L or equity of changes in
interest rates, foreign exchange, commodity prices and equity prices. This usually exists
in the bank’s trading book.

• The bulk of the work in market risk is in measuring the market risk exposure. Market risk
measurement tools range from the simple notional approach to sensitivity measures
(duration, option Greeks) to risk aggregation models (value-at-risk) to stress testing.

• Value-at-risk (VAR) is the most used measurement tool for market risk. VAR is a
probabilistic measure that measures the worst-case loss assuming a high confidence
level.

• There are three main approaches in measuring VAR: parametric VAR (relies on normal
distribution), historical simulation (relies on historical numbers) and Monte Carlo
Simulation.

• The problem with VAR is that it fails to account for tail risk (i.e., black swan risks).
Regulatory approaches to market risk measurement focus more on the tail risk. One
of the most commonly used approaches is the expected shortfall approach (i.e., the
average of the tail risk).


END OF CHAPTER PRACTICE QUESTIONS

1. This measures the change in the price of option with respect to change in volatility
A. Delta
B. Gamma
C. Theta
D. Vega

For Questions 2-5, read below:

Trader ABC borrowed JPY 100,000,000 at a cost of 1%. Trader ABC invested this in a USD
1,000,000 denominated security with interest of 3% for one year. USD/JPY exchange rate = 100.

2. This strategy is also known as ______.
A. Short selling
B. Margin trading
C. Carry trading
D. Derivatives trading

3. How much is the USD proceeds after one year assuming exchange rate after one year is
at 105?
A. USD 1,000,000
B. USD 1,050,000
C. USD 1,030,000
D. USD 1,060,000

4. How much is the JPY payable after one year assuming that exchange rate after one year
is at 105?
A. JPY 100,000,000
B. JPY 101,000,000
C. JPY 103,000,000
D. JPY 100,030,000

5. How much is the net earnings in JPY at maturity assuming that the exchange rate after
one year is at 105?
A. JPY 1,030,000 Gain
B. JPY 1,030,000 Loss
C. JPY 7,150,000 Gain
D. JPY 7,150,000 Loss


6. Carry trading involves borrowing in a currency with ______ interest and investing
the proceeds in another currency with ______ interest.
A. Low, low
B. Low, high
C. High, low
D. High, high

Using daily returns of stocks with 500 daily observations, the following results were obtained:

Historical Daily Losses Ranked

1 (USD 10,000,000)
2 (USD 9,800,000)
3 (USD 9,700,000)
4 (USD 7,100,000)
5 (USD 6,100,000)
6 (USD 3,100,000)
7 (USD 3,000,000)
8 (USD 2,900,000)
9 (USD 2,500,000)
10 (USD 2,450,000)
11 (USD 2,320,000)
12 (USD 2,120,000)
13 (USD 2,050,000)
14 (USD 2,012,000)
15 (USD 2,000,000)
16 (USD 1,995,000)
17 (USD 1,500,000)
18 (USD 1,200,000)
19 (USD 1,100,000)
20 (USD 800,000)
21 (USD 780,000)
22 (USD 779,000)
23 (USD 775,000)
24 (USD 750,000)
25 (USD 735,000)

495 USD 5,730,000
496 USD 5,750,000
497 USD 5,770,000
498 USD 7,800,000
499 USD 9,000,000
500 USD 9,100,00


7. Which of the following best describes the VAR calculation approach that can be used
given the available information?
A. Parametric VAR
B. Delta Normal VAR
C. Historical Simulation VAR
D. Monte Carlo Simulation VAR

8. Calculate the one-day VAR assuming a 95% confidence level.
A. (USD 735,000)
B. (USD 750,000)
C. (USD 775,000)
D. (USD 790,000)

9. Calculate the one-day VAR assuming a 99% confidence level.
A. (USD 735,000)
B. (USD 6,100,000)
C. (USD 7,100,000)
D. (USD 9,700,000)

10. Calculate the expected shortfall assuming 95% confidence level.
A. (775,000)
B. (750,000)
C. (3.2 million)
D. (3.3 million)

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. D 2. C 3. C 4. B 5. C 6. B 7. C 8. A 9. B 10. C

CHAPTER 9
NON-TRADED MARKET RISK/LIQUIDITY RISK

9. NON-TRADED MARKET RISK/LIQUIDITY RISK

Learning Outcomes

At the end of the chapter, you will be able to:

• Understand the principles of Asset and Liability Management (ALM).

Key topics:

In this chapter, you will be able to read about:

• Definition of non-traded market risk/liquidity risk
• Overview of ALM
• Interest rate risk management
• Elements of sound interest rate risk management
• Interest rate risk measurement tools
• Liquidity risk monitoring tools
• Liquidity stress testing
• Scenario analysis
• Contingency funding
• Using derivatives to manage ALM
• LIBOR challenges

Assessment Criteria:

During the exam, you will be expected to:

• Explain non-traded market risk/liquidity risk.
• Explain the common tools used to measure and manage interest rate risk in the
banking book.
• Describe the four basic elements of sound interest rate risk management practices
according to the Basel Committee on Banking Supervision (BCBS).
• Describe how the different Asset and Liability Management (ALM) models are used
to measure and manage interest rate risk and liquidity risk.

9.1 DEFINITION OF NON-TRADED MARKET RISK/LIQUIDITY RISK

Non-traded market risk arises primarily outside the trading activities of the bank
and from certain off-balance sheet items. The exposure exists mainly in the banking
book. Banking book consists of on and off-balance sheet exposures that are not part
of the trading book. While exposures in the banking book are generally not fair valued
on a daily basis, changes in market risk factors impact the bank’s profit or loss (P&L)
or the economic value of its equity. Non-traded market risk can be classified further
into two types:

Figure 9.1: Non-traded market risk (figure labels: IRRBB; CSRBB)

• Interest rate risk in the banking book (IRRBB) is the current or prospective risk to
the bank’s capital and earnings arising from adverse movements in interest rates
that affect the bank’s banking book positions.
• Credit spread risk in the banking book (CSRBB) is the asset/liability spread risk
that is not explained by IRRBB and by expected credit/jump to default risk.

9.1.1 Definition of Liquidity Risk

Liquidity risk is the risk of incurring losses as a result of failure to meet payment
obligations in a timely manner as they come due without incurring substantial
losses. Liquidity risk exists in two dimensions:

• Asset (asset or market liquidity risk)
• Liability (funding liquidity risk)

Asset or market liquidity risk is the risk that banks will not be able to liquidate
existing assets to generate cash without incurring substantial losses. Funding
liquidity risk is the possibility that over a specific time frame, the bank will not
be able to settle its obligations with immediacy. Funding liquidity risk can be
mitigated if the bank is able to sell its existing assets into cash. Therefore,
funding and market liquidity risk are closely interrelated.

9.2 OVERVIEW OF ASSET AND LIABILITY MANAGEMENT (ALM)

Asset and liability management (ALM) is a set of integrated, high-level strategic
activities to manage the bank’s asset and liability profile. ALM seeks an integrated
and strategic view of the mismatches in a bank’s asset and liability mix. There are
three key activities in ALM:


Figure 9.2: Key ALM activities (figure labels: Asset and Liability Management; Interest rate risk management; Liquidity risk management; Capital management)

The three activities above involve the management of risks that arise from structural
mismatches in the bank’s balance sheet. The primary mismatch in a bank’s balance
sheet is the tenor mismatch between the bank’s assets (loans and receivables which
are generally long-term) and liabilities (deposit liabilities which are generally shorter
term).

Figure 9.3: Asset and Liability Mismatch (figure labels: Long Term Loans and Receivables; Short Term Deposit Liability)

Tenor mismatches such as this are a common feature of financial intermediaries
such as banks. In the fulfilment of their role as financial intermediaries, banks take
mismatches in the balance sheet to cater to the unique requirements of depositors
(suppliers of funds) for liquid assets and borrowers (users of funds) for stable
liabilities. This tenor mismatch presents important risks for banks:

i. Interest rate risk – Banks earn interest income from their lending activities. Banks
incur interest expense from their deposit-taking activities. If interest rates increase,
this means that the bank incurs higher interest expense as deposits mature
earlier than when interest income from the loan reprices. This, therefore, exposes
the bank to lower earnings.
ii. Liquidity risk – Depositors have the right to demand repayment when the deposit
matures. Banks have the contractual obligation to repay the depositors. However,
the problem is that the assets of banks are generally longer term in nature. This means
that banks should either replace the maturing deposit with another source of
funds or sell existing assets.


There are also other forms of mismatches in a bank’s balance sheet such as
difference in the currency of funding and the currency of asset (foreign exchange
risk) or qualitative mismatches in the asset and liability (for example, volatile liabilities
matched with illiquid assets). Another important mismatch is the large proportion of
the bank’s assets financed by liabilities (mainly by deposits) rather than by equity (or capital).
This introduces an important risk for the bank, as banks are exposed to many types
of risks such as market, credit, and liquidity risks. These exposures may result in the
bank incurring losses above the expected losses over a short-term horizon. Capital
acts as a buffer that would absorb these temporary losses above the expected loss
amount. Capital plays a crucial role for the bank to continue to operate as a going
concern by enabling the temporary absorption of losses during volatile period.

In a nutshell, ALM activities aim to optimally manage these mismatches to allow
the bank not only to continue to operate as a going concern but also to be able to
achieve its business and profitability objectives.

9.2.1 Key Asset and Liability Management (ALM) Activities

Asset and liability management, therefore, has four (4) main objectives:

• Stabilise net interest income
• Optimise the economic value of the bank’s equity
• Maintain adequate level of high-quality capital
• Ensure liquidity

9.2.2 Stabilise Net Interest Income

Net interest income is a key component that indicates a bank’s profitability
on its core operations of lending and deposit taking. Net interest income is
the difference between the amount of income earned by the bank through its
interest earning assets and amount of interest paid by the bank through its
various sources of funds.

The maturity of a bank’s interest earning assets (loans and receivables) is
generally longer than the maturity of the bank’s interest expense incurring
liabilities (deposits). Therefore, if interest rates rise, the bank incurs higher
interest expense on its deposit liability while at the same time still earning the
same interest income from its interest earning loans and receivables. This
exposes the bank to the deterioration in the net interest income earned as a
result of adverse movements in interest rates.


Figure 9.4: Net Interest Income (figure labels: Interest Income from Loans and Receivables; Interest Expense on Deposit Liability; Net Interest Income = Interest Income - Interest Expense)

One of ALM’s key objectives is to stabilise net interest income. Net interest
income is a measure of how effective the bank is in managing its interest
earning assets and its cost of funding those assets. Net interest income is
an important factor in assessing the bank’s stability. Failure to manage the
bank’s net interest income could accelerate declines in the bank’s profitability.
Figure 9.4 offers a simplistic scenario where the bank could potentially incur
losses if interest rates increase (due to higher interest expense but sticky/
stable interest income). However, in practice, it is less straightforward. In
practice, banks may be exposed to declines in net interest income if interest
rates decrease due to a unique asset and liability mix, regulatory constraints, or
existing hedging positions. The case below illustrates how one bank became
exposed to declines in interest rates.


Boxed Article–1

Wells Fargo Warns of Further Declines in Net Interest Income


Wells Fargo on Thursday reduced its full-year outlook for a key financial
metric and warned that the coronavirus outbreak could have additional
detrimental effects. Chief Financial Officer John Shrewsberry said that he
expects the bank’s net interest income in 2020 to decline in the mid-single
digits of percentage points. Six weeks earlier, Wells Fargo forecast a full-
year decline in the low-to-mid single digits.

Wells Fargo’s net interest income — which measures the difference
between the revenue the bank generates from loans and other assets and
the cost of servicing deposits and other liabilities — tends to worsen when
interest rates fall. For the last two years, Wells Fargo has been operating
under an asset cap imposed by the Federal Reserve, which has limited its
ability to grow its loan portfolio. In 2019, after initially providing a guidance
range with a midpoint that showed flat net interest income for the full year,
Wells Fargo made three downward revisions.

Ultimately, the bank’s net interest income fell by 6% in 2019 compared with
the previous year.

Source: The American Banker, 27 February 2020

Optimise the economic value of equity


The economic value of any enterprise (including banks) is equal to the
present value of expected cash inflows from its assets less the present value of
the expected cash outflows from its liabilities. This is the economic value of a
bank’s net assets or equity.

[Figure 9.5: Economic Value Mismatch. The present value of cash inflows
(assets) is set against the present value of cash outflows (liability).]


Changes in interest rates could affect the present value of these cash inflows
and cash outflows. Depending on the mix and certain asset and liability
management decisions, the economic value of the bank’s net assets or equity
can change materially. One of the objectives of asset and liability management
is to optimally position the bank’s asset and liability mix to achieve an optimal
level of economic value. Failure to achieve an optimal level may put the bank’s
solvency at risk. As a worst-case scenario, if the economic value of the equity
is less than the economic value of the bank’s net assets, the bank’s ability to
continue to operate as a going concern is at risk.

9.2.3 Ensure Liquidity


While maintaining adequate capital is essential for the bank to continue to
operate in a stable manner, what we learned from past banking crises is
that capital is a necessary but not a sufficient condition to survive. As the
opening quote in this chapter states, liquidity is sacrosanct. In times of stress,
the lack of liquidity could force banks to sell assets at declining prices, which
eventually eats into the bank’s capital. Liquidity is the oxygen for any
financial system.

One major area of ALM is the management of liquidity. Liquidity is the
ability of the bank to meet its obligations as they come due. Liquidity risk, like
all ALM risks, arises from the tenor mismatch between the bank’s source
of funds (deposits) and the bank’s use of funds. One major implication of this
mismatch is that once the deposit liability matures, the bank has to raise
cash to repay the depositor.

[Figure 9.6: Liquidity Mismatch in the Balance Sheet. Long-term loans and
receivables are funded by a short-term deposit liability.]

The bank can do so in two ways:

i. Asset solution – The bank can liquidate its existing assets (for example,
loans and receivables or investment securities) in order to generate the
necessary cash and repay the maturing deposit.


[Figure 9.7: Asset Solution. Investments and loans are converted into cash,
which is used to repay the maturing deposit (liability).]

ii. Liability and other financing solution – The bank replaces the maturing
deposit with another source of fund (another deposit, strategic equity
investments, etc.)

9.2.4 Maintain Adequate Capital

Capital acts as a buffer to absorb unexpected losses (i.e., maximum loss
above the expected loss) without putting the bank at the risk of insolvency.
Liabilities are contractual obligations the bank has to fulfil in order to continue
to operate as a going concern. If they fail to do so, banks may be forced into
insolvency or bankruptcy. Capital management involves maintaining
an adequate inventory of high-quality capital that the bank can rely on to
absorb shocks and losses and still be able to continue to operate.

[Figure 9.8: Impairment impact. A 5% impairment/loan non-performance (5)
reduces Loans and Receivables from 100 to 95. The loss of 5 is absorbed by
capital, which falls from 10 to 5.]

Capital adequacy has been the focus of global risk regulation for banks. The
idea is to make sure that banks have a sufficient amount of high-quality capital
that could cover all major types of risks that the bank is taking and allow the
bank to continue to survive as a going concern even under a stressed scenario.


9.3 INTEREST RATE RISK MANAGEMENT

Interest rate risk is the risk that occurs when movements in interest rates adversely
impact the banking organisation’s earnings or economic value. Interest rate risk
exists both in the trading book and in the banking book. Interest rate risk in the trading
book is the market risk that arises from positions that are tradable and hedgeable.
Interest rate risk in the banking book, on the other hand, arises from the structural
mismatch between the bank’s assets and liabilities particularly those items that are
not booked at market value.

Sources of interest rate risk


There are four different sources of interest rate risk:

i. Repricing risk – Repricing risk arises from a mismatch in the interest income
and interest expense over a particular period of time. This is the primary source
of interest rate risk. Repricing mismatches are fundamental to the business
of banking. However, failure to monitor and mitigate the amount of repricing
mismatches could expose the banking organisation to large fluctuations in net
interest income. Repricing mismatches occur primarily due to timing differences
in the maturity of the bank’s assets and liabilities.

Illustrative Example–1

Repricing risk
Bank XYZ funded its 5-year loans and receivables with a one-year deposit. The
5-year loan earns an interest of 5% per annum. Bank XYZ pays 1% per annum
on the one year deposit.

Below is the cash flow profile of the earnings and expenses associated with this
transaction.

                      Year One   Year Two   Year Three   Year Four   Year Five
Interest Income       5%         5%         5%           5%          5%
Interest Expense      1%         ?          ?            ?           ?
Net Interest Income   4%         ?          ?            ?           ?

On the date of the transaction, the bank locks in a net interest income of 4% for
the first year. This represents a healthy margin for the bank. However, because
the source of funding is not locked-in for the next five years, the bank is exposed
to changes in interest rates.


If interest rates fall to 0.5% from 1% in Year Two, the bank will earn a higher net
interest income of 4.5% in Year Two.

                      Year One   Year Two   Year Three   Year Four   Year Five
Interest Income       5%         5%         5%           5%          5%
Interest Expense      1%         0.5%       ?            ?           ?
Net Interest Income   4%         4.5%       ?            ?           ?

However, if interest rates rise to 3% in Year Three, the bank will now see a
deterioration in the net interest income margin from the original 4% to only 2%.
The 5-year loan does not reprice until after Year Five, while the 1-year deposit
reprices every year.

                      Year One   Year Two   Year Three   Year Four   Year Five
Interest Income       5%         5%         5%           5%          5%
Interest Expense      1%         0.5%       3%           ?           ?
Net Interest Income   4%         4.5%       2%           ?           ?

The stability of the bank may be threatened if interest rates rose to a level
above the interest locked-in for the loan. If interest rates rose to 7% in Year
Four, the bank may face negative net interest income of −2%. This negative net
interest income affects the bank’s capital through a reduction in the bank’s
retained earnings. If the negative net interest income is large enough, it could
threaten the ability of the banking organisation to survive.

                      Year One   Year Two   Year Three   Year Four   Year Five
Interest Income       5%         5%         5%           5%          5%
Interest Expense      1%         0.5%       3%           7%          ?
Net Interest Income   4%         4.5%       2%           −2%         ?


ii. Yield curve risk – A yield curve depicts the relationship between interest
rates and time to maturity. The yield curve is also known as the term
structure of interest rates. The slope of the yield curve can either be flat,
upward-sloping or downward-sloping. A flat yield curve occurs when
interest rate is the same across all tenors. This means that investors do not
demand higher compensation or interest rates for longer-tenor exposures.
A flat yield curve rarely occurs in practice and even if it does occur, it
usually lasts for a very short period of time.

[Figure 9.9: The yield curve. Interest rate (%) against time to maturity
(year): a flat curve at 5% for every tenor from 1 to 10 years.]

A yield curve can also be upward sloping. This means that interest rates
are higher for longer-tenor exposures. This also means that short-tenor
instruments have lower interest rates or yield than long-tenor instruments.

An upward-sloping yield curve is also known as the normal yield curve. This
is the typical slope of the yield curve because investors usually demand
higher interest rates for longer exposures. This is to compensate the investor
for the higher risk it is taking for a longer-tenor exposure compared to a
shorter-tenor exposure. Because they are facing higher levels of uncertainty
of a longer-tenor exposure compared to shorter-tenor exposure, investors
demand higher compensation in the form of higher interest rates (risk
premium theory). This explains why interest rates are higher on longer-tenor
exposures.


[Figure 9.10: Upward sloping yield curve. Interest rate (%) against time to
maturity (year): rates rise in steps of 0.5% from 3% at 1 year to 7.5% at
10 years.]

Investing on a long-term basis also locks in the cash of the investor for a
longer period of time. To compensate the investor for foregoing its ability
to use the invested cash for consumption, interest rates for longer-tenor
exposures should be higher than interest rates for shorter-tenor exposures
(liquidity preference theory).

In some instances, the yield curve is downward sloping. A downward-sloping
yield curve occurs when interest rates are higher for shorter-tenor securities
than longer-tenor securities. A downward-sloping yield curve is also known
as an inverted yield curve. Inverted yield curves occur very rarely in practice.
It occurs when the market expects interest rates to decrease in the future,
hence the reason why longer-tenor bonds are trading at a lower yield
compared to shorter-tenor bonds. Inverted yield curves are seen by many as
a predictor of recessions.

[Figure 9.11: Downward sloping yield curve. Interest rate (%) against time to
maturity (year): rates fall from 7% at 1 year to 3% at 10 years.]


Yield curve risk also refers to changes in the shape of the yield curve. The
shape of the yield curve may change depending on the relationship between
short-term interest rates and longer-term interest rates. Shorter-term interest
rates are more sensitive to monetary policies. Longer-term interest rates are
more sensitive to the long-term inflation outlook. The yield curve can
either shift in a parallel manner or it can steepen or flatten. A parallel
shift in the yield curve occurs when interest rates move upward or
downward equally across all maturity tenors.

[Figure 9.12: Parallel shift. Interest rate (%) against time to maturity
(year), tenors 1 to 10 years: yield curves displaced by the same amount at
every tenor.]

Another change in the shape of the yield curve is the steepening of the yield
curve. Yield curve steepening occurs when the gap between short-term rates
and long-term rates widens. This means that the long-term rates are rising
faster than the shorter-term rates. Yield curves often steepen when there is
an expectation of higher inflation in the future. Yield curves also steepen when
shorter-term rates are decreasing faster than longer-tenor rates. Another
change in the shape of the yield curve is the flattening of the yield curve.


[Figure 9.13: Steepening of the yield curve. Interest rate (%) against time
to maturity (year), tenors 1 to 10 years: the gap between short-term and
long-term rates widens.]

A flattening of a yield curve has the opposite effect compared to a steepening.
Yield curves flatten when the difference between longer-tenor and shorter-tenor
rates is narrowing. This occurs when the rates for shorter-tenor
securities increase faster than longer-tenor securities. It also occurs when
rates for longer-tenor securities decrease relative to shorter-tenor securities.

[Figure 9.14: Flattening of the yield curve. Interest rate (%) against time
to maturity (year), tenors 1 to 10 years: the gap between short-term and
long-term rates narrows.]


Boxed Article–2

Flattening of the yield curve


The United States Treasury yield curve approached the flattest level in
almost five years as investors speculated the Federal Reserve may raise
interest rates sooner than forecast.
The yield spread between the five-year notes and the 30-year bonds
shrank to as narrow as 168 basis points.
Source: Bloomberg News, 14 June 2014

From an ALM standpoint, yield curve risk arises when anticipated shifts, both in
the slope (i.e., upward-sloping, flat or downward-sloping) and shape (i.e.,
flattening, steepening or parallel shift) of the yield curve cause the bank’s
income or economic value to be adversely affected. One of the more common
examples is the adverse impact on the economic value of the bank’s position
if the yield curve steepens and the bank has an existing long-term position in
a fixed income security which is funded by a short-term fixed income position.
The economic value of the longer-tenor asset will deteriorate more than the
gain from the economic value of the shorter-tenor liability.

iii. Basis risk – Basis risk arises from imperfect correlation in the adjustment of
the rates earned and paid on different instruments with similar repricing
characteristics. This arises when the reference pricing for the bank’s assets
differs from the reference pricing for the bank’s liabilities.
iv. Optionality – Optionality is one of the most ignored aspects of interest
rate risk. It is easy to overlook optionality as these are not latent exposures
and are often embedded in many banking products.

An option contract is a contract that gives the holder the right but not the
obligation to buy or sell an underlying asset. A call option gives the holder
the right to buy an underlying asset. A put option gives the holder the right to
sell an underlying asset. There are many banking products with embedded
option features. Interest rate risk arising from optionality exists both in the
bank’s assets and liabilities.

Assets: Embedded prepayment option. Long-term loan contract giving the
borrower the right but not the obligation to prepay prior to the maturity of
the loan.

Liabilities: Embedded put option. Deposit agreement giving the depositor
the right but not the obligation to withdraw their deposit prior to maturity.

Figure 9.15: Embedded options in bank asset and liability
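The yield curve risk described under item ii can be made concrete with a small calculation. The following is an added example, not part of the original study text: it values a constructed balance sheet (a 10-year fixed-rate loan of 100 at 7%, funded by a 1-year deposit of 90 at 3%) under parallel, steepening and flattening shocks. It assumes the rates plotted in Figure 9.10 can be used as zero-coupon discount rates; the shock sizes are illustrative.

```python
"""Economic value of equity under yield curve shifts (constructed example)."""

# Zero-coupon rates by tenor in years, read off the upward-sloping curve in
# Figure 9.10 (3.0% at 1 year rising to 7.5% at 10 years). Treating the plotted
# rates as zero rates is an assumption of this example.
BASE_CURVE = {t: 0.03 + 0.005 * (t - 1) for t in range(1, 11)}


def bullet_cash_flows(notional, rate, maturity):
    """Annual interest payments plus repayment of the notional at maturity."""
    flows = {t: notional * rate for t in range(1, maturity + 1)}
    flows[maturity] += notional
    return flows


# Constructed balance sheet: long-term fixed-rate asset, short-term funding.
ASSETS = bullet_cash_flows(notional=100.0, rate=0.07, maturity=10)
LIABILITIES = bullet_cash_flows(notional=90.0, rate=0.03, maturity=1)

# Shocks in basis points as (change at the 1-year tenor, change at the
# 10-year tenor); tenors in between are interpolated linearly.
SCENARIOS = {
    "parallel +100bp": (100, 100),
    "steepening": (25, 150),   # long rates rise faster than short rates
    "flattening": (150, 25),   # short rates rise faster than long rates
}


def present_value(cash_flows, curve):
    """Discount each cash flow at the zero rate for its own tenor."""
    return sum(cf / (1.0 + curve[t]) ** t for t, cf in cash_flows.items())


def shock_curve(curve, short_bp, long_bp):
    """Return a new curve with a shock interpolated between both ends."""
    first, last = min(curve), max(curve)
    shocked = {}
    for t, rate in curve.items():
        weight = (t - first) / (last - first)
        shock_bp = short_bp + weight * (long_bp - short_bp)
        shocked[t] = rate + shock_bp / 10_000
    return shocked


def economic_value(curve):
    """Present value of assets, liabilities and the resulting equity."""
    pv_assets = present_value(ASSETS, curve)
    pv_liabilities = present_value(LIABILITIES, curve)
    return {
        "assets": pv_assets,
        "liabilities": pv_liabilities,
        "equity": pv_assets - pv_liabilities,
    }


def run_scenarios():
    """Return base values and the change in each value per scenario."""
    base = economic_value(BASE_CURVE)
    changes = {}
    for name, (short_bp, long_bp) in SCENARIOS.items():
        shocked = economic_value(shock_curve(BASE_CURVE, short_bp, long_bp))
        changes[name] = {key: shocked[key] - base[key] for key in base}
    return base, changes


if __name__ == "__main__":
    base, changes = run_scenarios()
    print(f"base equity value: {base['equity']:.2f}")
    for name, delta in changes.items():
        print(f"{name:16s} assets {delta['assets']:+.2f}  "
              f"liabilities {delta['liabilities']:+.2f}  "
              f"equity {delta['equity']:+.2f}")
```

In the steepening scenario the fall in the value of the 10-year asset is many times larger than the fall in the value of the 1-year liability, which is the mismatch the paragraph on yield curve risk describes.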


9.4 ELEMENTS OF SOUND INTEREST RATE RISK MANAGEMENT PRACTICES

The Basel Committee on Banking Supervision (BCBS) in the Principles for
Management and Supervision of Interest Rate Risk enumerated the four core pillars
of sound interest rate risk management practices.

• Appropriate board and senior management oversight
• Adequate risk management policies and procedures
• Appropriate risk measurement, monitoring and controlling functions
• Comprehensive internal controls and internal audit

Figure 9.16: Pillars of Sound Interest Rate Risk Management

9.4.1 Appropriate Board and Senior Management Oversight

Effective board and senior management oversight is critical to a sound interest
rate risk management process. This section enumerates the responsibilities
of the board and senior management with respect to their roles in overseeing
and managing interest rate risks. As in all other aspects of risk management,
the board of directors and senior management have the overall responsibility
for the interest rate risk management process.

Principles and descriptions:

Principle 1—Role of Board of Directors
The Board of Directors are primarily responsible for approving interest rate
risk management strategies and policies. The Board of Directors should exercise
effective oversight on senior management responsible for monitoring and
controlling interest rate risks.

Principle 2—Role of Senior Management
Senior management is responsible for monitoring and controlling interest rate
risks. Senior management should ensure that the interest rate risk exposure that
the bank is taking is appropriately managed.

Senior management should also ensure that interest rate risk management policies
and procedures are in place. These policies and procedures should focus on
both short-term (day-to-day) and long-term risk. These policies and procedures
should cover limits, interest rate risk measurement and valuation standards;
reporting, monitoring and review; and internal controls.

Principle 3—Lines of Responsibility and Authority for Managing Interest Rate Risk
Interest rate risk is a significant risk exposure for banking organisations. It
is, therefore, important that the individuals and committees responsible for
managing interest rate risk are clearly defined. There should be clear
segregation of duties such that the risk measurement, monitoring, and control
functions are separate from the risk-taking function.

Figure 9.17: BCBS principles of sound interest rate risk management (Principles 1 – 3).

9.4.2 Adequate Risk Management Policies and Procedures

Interest rate risk is inherent in the business of banking. As a banking
organisation performs its financial intermediation role through asset and
maturity transformation, banks cannot avoid interest rate risk. While interest
rate risk is part of the business of banking, this does not mean that banks
should accept interest rate risk as a given. Excessive interest rate risk
exposures coupled with aggressive monetary policy actions in the 1980s led
to the failure of many savings & loans (S&L) institutions in the United States.

Banks should have formal interest rate risk management policies and
procedures in place to ensure that the levels of interest rate risk exposure that
they take are within their ability. Careful consideration should also be given
to new products, markets or business activities as these new initiatives could
heighten the bank’s interest rate risk exposures.

Principles and descriptions:

Principle 4—Interest Rate Risk Policies and Procedures
The interest rate policies and procedures should be calibrated based on the
specific circumstance and complexity of a particular banking organisation.
Generally, these policies and procedures should be applied on a centralised basis.

The policies and procedures typically cover the following areas: lines of
responsibility and accountability with respect to interest rate risk management,
authorised instruments, hedging and position-taking strategies, interest rate
risk limits, quantitative specifications of the organisation’s risk tolerance
with respect to interest rate risk.

Principle 5 – New products
In developing new products or business activities, the impact on the bank’s
interest rate risk exposure should be considered. The bank should ensure that it
has sufficient capabilities to measure and control interest rate risks from these
new products or activities. New interest rate risk hedging and trading
strategies should be approved in advance by the Board of Directors.

Note:
New products and activities may have a new interest rate risk profile or
characteristics that the bank may not have captured in the bank’s existing
interest rate risk management process. This is why it is important for the bank
to evaluate the interest rate risk profile of new products and activities and be
aware of how it affects the bank’s existing interest rate risk profile.

Examples of these are:

• Banks who have previously limited investments in securities with maturities
of less than five years will find that investing in longer-tenor securities (for
example 20 to 30 years) has a very different interest rate risk profile. It may
be subject to more swings due to the longer-tenor nature of the securities.

• A bank which had previously limited its lending activities to traditional
commercial lending will find that the interest rate risk profile of fixed rate
retail mortgage lending is very different due to the existence of prepayment
option risks that the bank should have the capability to measure, manage and
control.

Before introducing a new product or activity, a product proposal analysing the
interest rate risk characteristics of the new product or activity should first be
made. The product proposal should clearly describe the product or strategy,
identify interest rate risks arising from these new products and the resources
required to measure, monitor, and control these risks, and assess how interest
rate risks from the new product or strategy would be managed to ensure that it
is aligned with the bank’s risk appetite and that procedures are in place to
manage these interest rate risk exposures.

Figure 9.18: BCBS principles of sound rate risk management (Principle 4 - 5)


9.4.3 Risk Measurement, Monitoring, and Control Functions

Interest rate risk is frequently measured in terms of its impact on the banking
organisation’s profitability and economic value. Banks should therefore have
the ability to measure all material interest rate risk exposures and assess their
impact in these two dimensions.

Principles and descriptions:

Principle 6—Interest Rate Risk Measurement
Interest rate risk measurement systems should be able to capture all the
important sources of interest rate risk. These systems should be able to assess
the effect of interest rate changes on the banking organisation’s profitability
or economic value.

Note:
The bank should have the ability to assess the effect of interest rate changes
on both the bank’s earnings and economic value.

The measurement systems should:

• Assess all material interest rate risk exposure of the bank
• Use generally accepted financial concepts and risk measurement techniques
• Document assumptions and parameters

The bank should have the ability to have an integrated view of the interest rate
risk it is exposed to across products and business lines and across different
dimensions of interest rate risk (repricing risk, yield curve risk, basis risk,
option risk). Interest rate risk measurement techniques can range from the
simple repricing gap analysis to a duration gap analysis to a simulation-based
approach. These techniques are discussed in more detail in the next section.

Principle 7 – Limits
Banks should establish interest rate risk limits to ensure that the level of
interest rate risk exposure that the bank is taking is consistent with its risk
appetite. Limits provide discipline across the organisation and ensure that the
exposure it is taking is within the bank’s acceptable risk tolerance. Limits are
usually set on a consolidated level and are allocated to individual business
activities or business units.

• There should be a clear policy on how limit exceptions are escalated to senior
management and what actions should be taken in such cases.
• Limits can also be designed with the earnings or economic value perspective
in mind.
• From an earnings perspective, limits may cover setting a boundary on the
variability of net income or net interest income.
• From an economic value perspective, the bank looks at how interest rate risk
changes impact the economic value of the organisation’s equity.
• Interest rate risk limits could be designed based on the statistical behaviour
of interest rates (e.g., use of value-at-risk) or based on the results of stress
testing.

Principle 8 – Stress Testing
Stress testing provides insights on the bank’s exposure to loss, particularly
when assumptions under normal market conditions break down. Stress testing
allows management to prepare for stressed market conditions and assess whether
its policies, procedures, limits, measurement systems and hedging strategies are
sufficient under these conditions.

Note:
Interest rate risk measurement systems should evaluate the effect of stressful
market conditions on the bank.

Possible stress scenarios may include:

• Abrupt changes in the general level of interest rates (e.g., when the Federal
Reserve aggressively tightened the policy in 1973 to address high inflation).
• Changes in the relationships among key market rates (e.g., at the height of
the 2008 financial crisis when the difference between interbank loans and
government debt significantly widened).
• Changes in the slope and shape of the yield curve
• Changes in the liquidity of key financial markets (e.g., when interbank
lending and the repo markets dried up at the height of the financial crisis).
• Changes in the volatility of market rates

The stress scenarios should also incorporate the impact of a breakdown in key
business assumptions and parameters.

Principle 9—Interest Rate Risk Monitoring and Reporting
The information system should have appropriate and sufficient capability in
measuring, monitoring, controlling, and reporting interest rate risk exposures.
These reports should be made available to the Board of Directors and Senior
Management in a timely manner. Reporting should be done on a regular basis. The
report should highlight the bank’s current interest rate risk exposure and
compare it against the bank’s policies and limits, key assumptions used in
measuring interest rate risk and in generating interest rate scenarios, and key
results of the stress tests, exceptions noted, and summary of findings related
to the bank’s interest rate risk policies, procedures, and risk management
systems.

Figure 9.19: BCBS principles of sound interest rate risk management (Principles 6 - 9)


9.4.4 Internal Control and Internal Audit

Internal controls are an important pillar in risk management and should be
integrated into the bank’s internal risk management practices. It involves the
following:

i. Regular and independent review of the effectiveness of the bank’s interest
rate risk management process and infrastructure.
ii. Internal controls are working effectively and efficiently as intended.

Principles and descriptions:

Principle 10 – Internal control
Internal control over the bank’s interest rate risk management system should
include a strong control environment; a process for identifying, evaluating,
measuring, managing, and reporting of interest rate risk; information systems
that sufficiently capture interest rate risk exposures; control activities and
review of compliance with the interest rate policies and procedures.

Internal audit should independently assess the interest rate risk control
process of the bank, particularly with respect to the quantity and the quality
of the interest rate risk management practices of the bank.

The quantity of interest rate risk pertains to the assessment of the magnitude
of interest rate risk the bank is taking and how changes in interest rates
adversely impact the bank’s profitability and/or the economic value of its
equity.

The quality of interest rate risk management practices pertains to the
sufficiency and appropriateness of the bank’s interest rate risk management
infrastructure, the degree of involvement of the Board of Directors and Senior
Management with respect to interest rate risk, compliance with limits and
policies, reliability of the interest rate risk measurement system and the
adequacy of the resources allocated to managing interest rate risk.

Figure 9.20: BCBS principles of sound interest rate risk management (Principles 10)


9.5 INTEREST RATE RISK MEASUREMENT TOOLS

Banks use different techniques in measuring interest rate risk. These techniques
range from simple repricing models to simulation-based models. See Figure 9.21
below:

Repricing models:
• Gap analysis
• Earnings at risk
• Duration gap

Simulation-based models:
• Static models
• Dynamic models

Figure 9.21: Tools used to measure the impact of interest rate risk

9.5.1 Gap Analysis

Repricing models are the simplest approach in the measurement of interest
rate risk. This approach involves the allocation of interest rate sensitive assets
and liabilities into a number of pre-defined time bands according to their
maturity (if fixed rate) or their next repricing (if floating rate).

[Figure 9.22: Bucketing RSA and RSL. Rate sensitive assets and rate sensitive
liabilities are allocated to the time bands 0-1 month, 1-3 months, 3-6 months,
6-12 months, 1-3 years, 3-5 years, >5 years and Non-sensitive.]

Gap analysis is one of the simplest and most widely used approaches in
the measurement of interest rate risk. It was one of the first methodologies
developed to quantify interest rate risk exposure. Gap analysis aims to assess
the impact of interest rate changes on the bank’s net interest income. It
involves analysing the net difference between interest rate sensitive assets
and interest rate sensitive liabilities for each time band. The objective is to
come up with a repricing gap for the time band.
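The bucketing and gap calculation described above can be worked through on a small balance sheet. The following is an added example, not part of the original study text: the positions and amounts are constructed, the time bands are those of Figure 9.22, and the net interest income estimate uses the first-order approximation (cumulative gap within the horizon multiplied by the rate change), which assumes a parallel rate change applied from the start of the horizon.

```python
"""Repricing gap table for a constructed balance sheet."""

# Time bands from Figure 9.22 as (label, upper bound in months).
TIME_BANDS = [
    ("0-1 month", 1), ("1-3 months", 3), ("3-6 months", 6),
    ("6-12 months", 12), ("1-3 years", 36), ("3-5 years", 60),
    (">5 years", float("inf")),
]

# Constructed positions: (name, side, amount, months). "months" is the time
# to maturity for fixed-rate items or to the next repricing for floating-rate
# items; None marks an item that is not rate sensitive.
POSITIONS = [
    ("Interbank placements", "asset", 100, 1),
    ("Floating-rate corporate loans", "asset", 300, 3),
    ("Government bonds", "asset", 100, 24),
    ("Fixed-rate term loans", "asset", 250, 48),
    ("Fixed-rate mortgages", "asset", 200, 120),
    ("Cash and fixed assets", "asset", 50, None),
    ("Savings deposits", "liability", 350, 1),
    ("3-month fixed deposits", "liability", 250, 3),
    ("6-month fixed deposits", "liability", 150, 6),
    ("12-month fixed deposits", "liability", 100, 12),
    ("Subordinated debt", "liability", 50, 60),
    ("Equity and non-interest-bearing funds", "liability", 100, None),
]


def band_for(months):
    """Return the label of the first time band whose upper bound fits."""
    if months < 0:
        raise ValueError("months to repricing cannot be negative")
    for label, upper in TIME_BANDS:
        if months <= upper:
            return label
    raise ValueError("no time band found")  # unreachable: last band is open


def repricing_gap(positions):
    """Allocate positions to time bands; return gap and cumulative gap rows."""
    totals = {label: {"rsa": 0, "rsl": 0} for label, _ in TIME_BANDS}
    for name, side, amount, months in positions:
        if side not in ("asset", "liability"):
            raise ValueError(f"unknown side for {name!r}: {side!r}")
        if months is None:
            continue  # not rate sensitive: excluded from the gap
        key = "rsa" if side == "asset" else "rsl"
        totals[band_for(months)][key] += amount

    rows, cumulative = [], 0
    for label, upper in TIME_BANDS:
        gap = totals[label]["rsa"] - totals[label]["rsl"]
        cumulative += gap
        rows.append({
            "band": label, "upper_months": upper,
            "rsa": totals[label]["rsa"], "rsl": totals[label]["rsl"],
            "gap": gap, "cumulative_gap": cumulative,
        })
    return rows


def nii_change(rows, rate_change, horizon_months=12):
    """First-order estimate of the change in net interest income.

    Uses the cumulative gap of all bands ending within the horizon and
    assumes the rate change applies to them for the whole horizon.
    """
    within = [row for row in rows if row["upper_months"] <= horizon_months]
    if not within:
        return 0.0
    return within[-1]["cumulative_gap"] * rate_change


if __name__ == "__main__":
    table = repricing_gap(POSITIONS)
    for row in table:
        print(f"{row['band']:12s} RSA {row['rsa']:4d}  RSL {row['rsl']:4d}  "
              f"gap {row['gap']:5d}  cumulative {row['cumulative_gap']:5d}")
    print(f"NII change for +100bp over 12 months: {nii_change(table, 0.01):+.2f}")
```

The constructed bank has a negative cumulative gap out to 12 months, so its liabilities reprice faster than its assets and a rate rise reduces the estimated net interest income.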


[Table with one column per time band (0 to 1 Day; 1 Day to 3 Months; 3 Months
to 6 Months; 6 Months to 12 Months; 1 Year to 5 Years; Greater Than 5 Years;
Not Rate Sensitive) and three rows: Interest Rate Sensitive Assets, Interest
Rate Sensitive Liabilities, Positive (Negative) Gap.]

Figure 9.23: Interest rate gap - RSA vs RSL

This gap is then used to estimate the impact on the bank’s earnings (i.e., net
interest income) given an assumed change in the level of market interest
rates. The target variable in the gap analysis is the net interest income. In
order to understand the rationale behind the gap analysis, it is important
to have a strong understanding of the different components of net interest
income.

Net interest income is simply the difference between interest income and
interest expense. Interest income is derived from the earnings of the banking
organisation from its financial assets. It can be estimated as the level of
financial assets multiplied by the average interest rate for the bank’s financial
assets portfolio. Interest expense, on the other hand, comes from the banking
organisation’s financial liabilities. It can be estimated as the level of financial
liabilities multiplied by the average interest rate for the bank’s financial
liabilities portfolio.

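[Figure: NII breaks down into Interest Income and Interest Expense. Interest
Income comes from Financial Assets (Rate Sensitive and Not Rate Sensitive) and
the Ave. Interest Rate for Assets. Interest Expense comes from Financial
Liabilities (Rate Sensitive and Not Rate Sensitive) and the Ave. Interest Rate
for Liability.]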

Figure 9.24: Net interest margin breakdown

Financial assets and financial liabilities can be classified as rate-sensitive
or not rate-sensitive. Rate sensitivity refers to whether an asset or a liability
reprices during a certain time interval. This occurs when either the asset or
the liability matures or reprices during a certain time band. An asset or
liability that is not rate sensitive does not reprice during a given time band.
Therefore, only rate sensitive assets and liabilities impact the bank’s net
interest income for a given time band. In order to understand how the gap
between rate sensitive assets and liabilities impacts the bank’s net interest
income, the following accounting equations are presented:

ΔNII = ΔInterest Income - ΔInterest Expense

ΔNII = Δ(A*RA) - Δ(L*RL)

ΔNII = Δ(RSA*RA) + Δ(NRA*RA) - Δ(RSL*RL) - Δ(NRS*RL)

Figure 9.25: NII and RSA/RSL link [13]

A change in net interest income is equal to the change in the bank’s interest
income less the change in the bank’s interest expense. Interest income
can be approximated as the level of the financial asset multiplied by the
average interest rate on the asset. Interest expense can be approximated
as the level of the financial liability multiplied by the average interest rate
on the liability. The change in net interest income is the difference between the
estimated change in interest income and the change in interest expense.
The financial asset and financial liability can be further subdivided into
rate-sensitive and not rate-sensitive assets or liabilities. For the
purposes of analysing the impact of changes in interest rates on net interest
income, not rate-sensitive assets or liabilities should be ignored.

Assuming the changes in interest rates for both assets and liabilities are the
same, the change in net interest income is equal to the change in interest rates
multiplied by the difference between the rate sensitive assets and rate sensitive
liabilities. The difference between rate sensitive assets and rate sensitive
liabilities is also known as the repricing gap. It can hence be concluded that the
change in net interest income is directly linked to the change in interest rates
multiplied by the gap. To estimate changes in net interest income for a certain
tenor, it is important to understand and calculate the bank’s repricing gap.

13 Formula taken from pg. 227, 5.4.1, Risk management in banking: Risk models, capital, and asset liability management.

ΔNII = Δ(RSA*R) - Δ(RSL*R)

ΔNII = ΔR(RSA - RSL)

Figure 9.26: Link between NII and gap [14]

[Figure: Gap and Interest Rates together determine Net Interest Income]

Figure 9.27: Interest rates and gap connection

In order to observe how a repricing gap is calculated in practice, a one-year
repricing gap will be estimated using the following balance sheet of a
commercial bank.

| Assets ($) | | Liabilities and Equity ($) | |
|---|---|---|---|
| One-year loan | 100 | Demand deposits | 50 |
| Five-year corporate loan | 80 | Overnight interbank funding | 30 |
| Five-year floating loan (repriceable every 3 months) | 10 | Three-month time deposits | 60 |
| Three-months government securities | 10 | One-year time deposit | 30 |
| Two-year government bond | 20 | Five-year long term certificate of deposit | 40 |
| Ten-year government securities | 10 | Equity | 40 |
| Investment in equity securities | 10 | Total | 250 |
| Property, plant and equipment | 10 | | |
| Total | 250 | | |

Figure 9.28: Commercial bank balance sheet example

14 Formula taken from pg. 227, 5.4.1, Risk management in banking: Risk models, capital, and asset liability management.

Time Buckets
The first step in the calculation of repricing gaps is to decide on the number
of buckets. A bucket is a time interval that an entity specifies so that specific
repricing gaps can be calculated for that interval. The narrower the time
bands, the more accurately the interest rate risk is measured. In practice,
monthly detail is expected for the first year and at least a quarterly detail for
the second year. Many gap reports are focused on a one-year time frame.

0-1 month 1-3 months 3-6 months

6-12 months 1-3 years 3-5 years

>5 years Non-sensitive

Figure 9.29: Interest rate gap buckets

Rate Sensitive Assets and Liabilities


The next step is to assess whether each balance sheet item is rate sensitive. If
it is rate sensitive, an assessment is made on which time bucket it belongs to.
An asset or a liability is considered as rate sensitive during a time interval if:

• The asset or liability matures in the specific time bucket
• There are partial principal repayments that fall within a specific time
  bucket
• The asset or liability reprices in the specific time bucket. This is particularly
  applicable for floating rate assets or liabilities where repricing of cash flows
  occurs earlier than the indicated maturity date of the asset or liability.

Rate Sensitive Assets


Looking at the balance sheet for this illustration, the following balance sheet
items are assessed for rate sensitivity.

| Assets | Rate Sensitive? | Bucket | Explanation |
|---|---|---|---|
| One-year loan | Yes | 6−12 months | The one-year loan reprices after one year when the loan matures. The bank will have to negotiate the interest terms with the existing or new borrower after one year. |
| Five-year loan | Yes (but not on a one-year horizon) | 3−5 years | The five-year loan reprices after five years when the loan matures. However, from a one-year repricing gap perspective, this has no impact. |
| Five-year floating loan repriceable every three months | Yes | 1−3 months | While the five-year floating loan has a maturity of five years, its interest reprices every three months depending on the market level of interest rates. This means that while the maturity of this loan is five years, changes in interest rates will have an impact on the cash flows of the loan every three months. |
| Three-month government securities | Yes | 1−3 months | The three-month government securities will reprice on their maturity date (after three months). |
| Ten-year government securities | Yes | 10 years | The ten-year government securities will reprice on their maturity date (after ten years). While this is a rate sensitive asset, it will not reprice within one year. Hence, it will not be part of the one-year repricing gap calculation. |
| Investment in equity securities | No | Not rate-sensitive | Investment in equity securities does not reprice at any point in time. It represents a residual interest on the net assets of a company. It has no contractual maturity. The company has no contractual obligation to repay the investor unless it is on a liquidation model. It does not reprice or move based on changes in interest rates. |
| Property, plant, and equipment | No | Not rate-sensitive | Property, plant and equipment do not reprice at any point in time. They are physical assets and are not influenced by changes in interest rates. |

Figure 9.30: Rate sensitive asset bucketing rules

Rate Sensitive Liabilities

| Liabilities | Rate Sensitive? | Bucket | Explanation |
|---|---|---|---|
| Demand deposits | Depends | Either not rate-sensitive or 0−1 month | Demand deposits generally pay zero interest. There are some who argue that demand deposits should be considered as not interest rate sensitive as the cash flow is not sensitive to interest and any cash outflow is not dependent on the movement in interest rates. A more conservative view is to put demand deposits in the overnight bucket. This is because if interest rates rise, depositors may withdraw their demand deposits and replace them with higher yielding, interest bearing, and rate sensitive deposits. For this illustration’s purpose, demand deposits are classified in the nearest time bucket (i.e., 0−1 month). |
| Overnight interbank funding | Yes | 0−1 month | Overnight interbank funding reprices every day. It is, therefore, classified under the 0−1 month bucket. |
| Three-month time deposit | Yes | 1−3 months | The three-month time deposit matures after three months. It will not reprice until the third month. Therefore, this should be classified under the 1−3 months bucket. |
| One-year time deposit | Yes | 6−12 months | The one-year deposit matures after one year. Hence, this is classified under the 6−12 months bucket. |
| Five-year long-term certificate of deposit | Yes | 3−5 years | The five-year deposit matures on the fifth year. Hence, this is classified under the 3−5 years bucket. |
| Equity | No | Not rate sensitive | Equities have no contractual maturity. The bank has no contractual obligation to repay any cash flow to the investors (unless it is liquidated). Equity, therefore, is not subject to any change in cash flows if interest rates move. Therefore, it is not rate sensitive. |

Figure 9.31: Rate sensitive liabilities bucketing rules

Using the rate sensitivity assessment for assets and liabilities, the table below
allocates the rate sensitive assets and liabilities to the applicable time buckets:

| | 0 to 1 Day | 1 Day to 3 Months | 3 Months to 6 Months | 6 Months to 12 Months | 1 Year to 5 Years | Greater Than 5 Years | Not Rate Sensitive | Total |
|---|---|---|---|---|---|---|---|---|
| Rate Sensitive Assets | | 20 | | 100 | 100 | 10 | 20 | 250 |
| Rate Sensitive Liabilities | 80 | 60 | | 30 | 40 | | 40 | 250 |

Figure 9.32: Rate gap analysis - sample calculation

Calculate the Repricing Gap


The repricing gap is the difference between the rate-sensitive assets and
rate-sensitive liabilities in each time bucket. If the rate-sensitive assets are
greater than the rate-sensitive liabilities for a particular time bucket, the bank
is in a positive gap position for that particular time bucket. If there are more
assets that reprice or mature than liabilities, the position is said to be ‘asset
sensitive’. This means that increases in interest rates have a positive impact
on the bank’s net interest income and decreases in interest rates have a
negative impact on the bank’s net interest income.

| RSA > RSL (Positive Gap) | Net Interest Income Impact |
|---|---|
| Interest Rates Increase | Positive |
| Interest Rates Decrease | Negative |

Figure 9.33: Positive gap impact

On the other hand, if the rate sensitive liability is greater than the rate sensitive
asset for a particular time bucket, the bank is in a negative gap position for
that time bucket. If there are more liabilities that reprice or mature than
assets, the position is said to be ‘liability sensitive’. This means that increases
in interest rates have a negative impact on the bank’s net interest income
and decreases in interest rates have a positive impact on the bank’s net
interest income.

| RSA < RSL (Negative Gap) | Net Interest Income Impact |
|---|---|
| Interest Rates Increase | Negative |
| Interest Rates Decrease | Positive |

Figure 9.34: Negative gap

Below is a sample calculation of the repricing gap up to one-year horizon:

| | 0 to 1 Day | 1 Day to 3 Months | 3 Months to 6 Months | 6 Months to 12 Months | 1 Year to 5 Years | Greater Than 5 Years | Not Rate Sensitive | Total |
|---|---|---|---|---|---|---|---|---|
| Rate Sensitive Assets | | 20 | | 100 | 100 | 10 | 20 | 250 |
| Rate Sensitive Liabilities | 80 | 60 | | 30 | 40 | | 40 | 250 |
| Positive (Negative) Gap | -80 | -40 | 0 | 70 | | | | |

Figure 9.35: Repricing gap - one year horizon calculation

Banks may set limits on the maximum dollar value of the positive (negative)
gap per bucket. Limits may also be set on the gap as a percentage of the rate
sensitive asset. The one-year cumulative repricing gap is the sum of all the
positive or negative gaps from the earliest bucket up to the one-year bucket.
The one-year repricing gap is equal to −50 (= −80 + −40 + 70). While gap
analysis is a useful approach in both the quantification and management of
interest rate risk, it has a number of shortcomings such as:

• Gap analysis does not take into account the difference in the characteristics
of different positions within a time band. It assumes that all items within a
certain time bucket mature at the same time.
• Gap analysis only captures repricing risks. It ignores other aspects of
interest rate risks such as the yield curve risk (i.e., change in the shape and
slope of the yield curve), basis risk and optionality risk in the assessment of
interest rate risk.

9.5.2 Earnings-At-Risk (EAR)

Given the calculated one-year repricing gap, it is now possible to estimate
how the net interest income will be affected by changes in
interest rates. Earnings-at-risk (EAR) refers to the use of the gap analysis
in the estimation of the impact of interest rate changes on the bank’s net
interest income. If interest rates increase by 1%, the impact on the
bank’s net interest income is −0.5 million (or −500,000).

ΔNII = ΔR(Gap)
ΔNII = +1%(−50)
ΔNII = −0.5

Figure 9.36: Earnings at risk example: 50 bps lower [15]

If interest rates decreased by 1%, the impact on the bank’s net interest income
is +0.5 million (or +500,000).

ΔNII = ΔR(Gap)
ΔNII = −1%(−50)
ΔNII = +0.5

Figure 9.37: Earnings at risk example: 50 bps higher [16]
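
The bucketing, gap and earnings-at-risk steps of sections 9.5.1 and 9.5.2, as an added Python example that is not part of the study text. It rebuilds the gap table and the ±1% earnings-at-risk figures from the balance sheet in Figure 9.28; the day counts given to each tenor, the one-year time deposit amount of 30 (read from the gap table) and the bucket limit of 75 are assumptions of this example.

```python
"""Repricing gap and earnings-at-risk for the balance sheet in Figure 9.28."""
from dataclasses import dataclass
from typing import Optional

# Time buckets of the gap report: (label, upper bound in days, inclusive).
BUCKETS = [
    ("0 to 1 Day", 1),
    ("1 Day to 3 Months", 90),
    ("3 Months to 6 Months", 180),
    ("6 Months to 12 Months", 365),
    ("1 Year to 5 Years", 1825),
    ("Greater Than 5 Years", float("inf")),
]
NOT_SENSITIVE = "Not Rate Sensitive"


@dataclass(frozen=True)
class Item:
    name: str
    amount: float
    side: str                        # "asset" or "liability" (liabilities and equity)
    reprices_in_days: Optional[int]  # next repricing or maturity; None = never


# Day counts are this example's reading of the tenors in the study text.
BALANCE_SHEET = [
    Item("One-year loan", 100, "asset", 365),
    Item("Five-year corporate loan", 80, "asset", 1825),
    Item("Five-year floating loan (reprices every 3 months)", 10, "asset", 90),
    Item("Three-month government securities", 10, "asset", 90),
    Item("Two-year government bond", 20, "asset", 730),
    Item("Ten-year government securities", 10, "asset", 3650),
    Item("Investment in equity securities", 10, "asset", None),
    Item("Property, plant and equipment", 10, "asset", None),
    # Demand deposits go in the nearest bucket, the conservative view.
    Item("Demand deposits", 50, "liability", 0),
    Item("Overnight interbank funding", 30, "liability", 1),
    Item("Three-month time deposits", 60, "liability", 90),
    Item("One-year time deposit", 30, "liability", 365),  # amount from the gap table
    Item("Five-year long-term certificate of deposit", 40, "liability", 1825),
    Item("Equity", 40, "liability", None),
]


def bucket_of(item: Item) -> str:
    """Bucket in which the item next reprices or matures."""
    if item.reprices_in_days is None:
        return NOT_SENSITIVE
    if item.reprices_in_days < 0:
        raise ValueError(f"{item.name}: repricing date is in the past")
    for label, upper in BUCKETS:
        if item.reprices_in_days <= upper:
            return label
    raise AssertionError("unreachable: the last bucket is unbounded")


def gap_report(items):
    """Return (rsa, rsl, gap) dicts keyed by bucket label."""
    labels = [label for label, _ in BUCKETS] + [NOT_SENSITIVE]
    rsa = dict.fromkeys(labels, 0)
    rsl = dict.fromkeys(labels, 0)
    for item in items:
        if item.side not in ("asset", "liability"):
            raise ValueError(f"{item.name}: unknown side {item.side!r}")
        (rsa if item.side == "asset" else rsl)[bucket_of(item)] += item.amount
    # The gap is defined only for the rate sensitive buckets.
    gap = {label: rsa[label] - rsl[label] for label, _ in BUCKETS}
    return rsa, rsl, gap


def cumulative_gap(gap, horizon_days=365):
    """Sum of bucket gaps from the earliest bucket up to the horizon."""
    return sum(gap[label] for label, upper in BUCKETS if upper <= horizon_days)


def earnings_at_risk(cum_gap, rate_change_bp):
    """Change in NII = change in rate x gap; rate change in basis points."""
    return cum_gap * rate_change_bp / 10_000


def limit_breaches(gap, max_abs_gap):
    """Buckets whose positive or negative gap exceeds a dollar limit."""
    return [label for label, value in gap.items() if abs(value) > max_abs_gap]


if __name__ == "__main__":
    rsa, rsl, gap = gap_report(BALANCE_SHEET)
    for label, _ in BUCKETS:
        print(f"{label:<22} RSA {rsa[label]:>4} RSL {rsl[label]:>4} gap {gap[label]:>5}")
    one_year = cumulative_gap(gap)
    print("One-year cumulative gap:", one_year)
    for shock in (100, -100):
        print(f"EAR for {shock:+d} bp:", earnings_at_risk(one_year, shock))
    print("Buckets over a hypothetical limit of 75:", limit_breaches(gap, 75))
```
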

9.5.3 Duration Gap

The repricing gap analysis focused on assessing the impact of interest rate
changes on the bank’s net interest income. Duration gap, on the other hand,
focuses on the impact of interest rate risk on the economic value of the bank’s
assets and liabilities.

| Approach | Target variable |
|---|---|
| Repricing Gap | Net Interest Income |
| Duration Gap | Market Value of Equity |

Figure 9.38: Repricing vs duration gap target variables

15 Formula taken from pg. 233, 5.4.2, Risk management in banking: Risk models, capital, and asset liability management.
16 Formula taken from pg. 233, 5.4.2, Risk management in banking: Risk models, capital, and asset liability management.

Duration gap analysis evaluates the effect of interest rate changes on the
bank’s economic value by applying sensitivity weights to each time band. The
sensitivity weights are based on the estimates of the duration of assets and
liabilities of the bank that fall into each time band. Duration gap measures
the impact on the market value of the bank’s net worth or equity given a
small change in interest rates. Duration gap is an equity-based model of
estimating interest rate risk impact on the economic value of the bank. It
involves the calculation of the portfolio duration of the bank’s assets and the
portfolio duration of the bank’s liabilities.

[Figure: the Duration Gap is built from the Modified Duration of Assets, the
Leverage Adjustment and the Modified Duration of Liability]

Figure 9.39: Duration gap formula

The calculated duration gap can be used to estimate the impact of interest
rates on the market value of the bank’s equity. Using the duration equation,
it is shown below how duration gap can be used to assess the impact on the
market value of the bank’s equity if interest rates move adversely.

[Figure: the Change in MV of Equity is built from the Duration Gap, the Market
Value of Asset and the Change in Rate]

Figure 9.40: Duration gap and change in MV of equity

9.5.4 Simulation Approaches

Many banks, particularly those with complex risk profiles, apply more
sophisticated approaches than the repricing and duration gap models.
These simulation approaches involve a detailed assessment of the impact of
interest rates on the net interest income and economic value of the bank by
generating different future interest rate scenarios.

The focus of these approaches is to measure the risk to net interest income or
economic value by projecting the future composition of the bank’s balance
sheet and applying different interest rate scenarios to assess the impact
on the bank’s cash flows given the movements in interest rates. Simulation
approaches run ‘what if’ analyses to determine the impact of different interest
rate scenarios on the bank’s risk profile and profitability.

There are two main types of simulation models:

• Static models
• Dynamic models

Static Models

Static simulation models use the bank’s current balance sheet in simulating the
exposure of earnings to interest rate changes.

Static simulations involve the assessment of changes in cash flows involving
straightforward movements in the interest rates such as:

• Changes in the spreads between different interest rates.
• Shifts in the yield curve.
• Impact of prepayments on loans and mortgages on cash flows.

Dynamic Models

Dynamic models simulate future interest rate paths. They consider the evolution
of the bank’s business activity and risk profile over the period of analysis.
Dynamic models employ more sophisticated simulation models.

Figure 9.41: Static vs dynamic model

9.6 LIQUIDITY RISK MONITORING TOOLS

The liquidity risk monitoring tools are quantitative tools that are used to measure
and manage liquidity risk on a day-to-day basis. Liquidity risk is not like the other
risks – it is rarely a standalone risk and is oftentimes a consequence of other risks.
It is, therefore, dangerous to view liquidity risk in isolation. Below are the five tools to
monitor liquidity risk prescribed by the Basel Committee on Banking Supervision (BCBS):

• Contractual maturity mismatch
• Concentration of funding
• Available unencumbered assets
• Liquidity coverage ratio for each significant currency
• Market related monitoring tools

Figure 9.42: Liquidity risk monitoring tools

9.6.1 Contractual Maturity Mismatch

Contractual maturity mismatch measures a bank’s liquidity risk profile by
mapping contractual inflows and outflows to defined time bands based
on their respective maturities. This measure aims to identify the mismatch
between the different terms of the bank’s assets and liabilities across the term
structure. Liquidity risk exposure arises from the liquidity mismatch of assets
and liabilities, as the maturity terms of assets do not match the maturity
terms of liabilities. Liquidity gap arises because of the mismatches both in the
amount and maturity terms of a bank’s assets and liabilities. If for a certain
time band, the bank reports a surplus of inflows over the outflows, the entity
has a reinvestment requirement over the relevant liquidity time horizon.

Inflows > Outflows → Liquidity Surplus

Figure 9.43: Liquidity surplus

If for a certain time band, the bank reports a deficit of inflows over the outflows,
the entity has a funding requirement over the relevant liquidity time horizon.

Inflows < Outflows → Liquidity Shortfall

Figure 9.44: Liquidity shortfall

Liquidity gap is the difference between contractual inflows and outflows. These
gaps are calculated for each relevant time band. The difference between
liquidity gap and interest rate gap is the focus: the focus of liquidity gap is
on the very short term, 1 year or less (specifically the 1-month gap or even
a gap of less than 1 month). Below are the steps involved in calculating the
contractual maturity mismatch:

1. Determine contractual inflows and outflows
2. Decide on appropriate time bucketing parameters
3. Classify inflow/outflow to the appropriate time bucket

Figure 9.45: Liquidity gap - step by step

Determine Contractual Inflows and Outflows


A maturing balance sheet/off-balance sheet asset which needs to be
redeployed is considered as an inflow for contractual maturity mismatch
purposes. On the other hand, a maturing liability which needs to be funded is
considered as an outflow for contractual maturity purposes:

| Items | Inflow/Outflow |
|---|---|
| Cash | Inflow |
| Investment in Securities | Inflow |
| Loan Receivable | Inflow |
| Term Receivable | Inflow |
| Term Deposits | Outflow |
| Demand Deposits | Outflow |
| Credit Line Commitment to Institutions | Outflow |
| Credit Line Commitment from Institutions | Inflow |
| Property, Plant and Equipment | Inflow |

Figure 9.46: Contractual inflows vs outflows

Decide on appropriate time buckets


The next step in constructing a contractual maturity mismatch report is to
decide on the required time bands. Basel III allows national supervisors in
each jurisdiction to determine the required time bands by which the data
must be reported. Sample time bands mentioned by Basel III are:

Overnight - 7 days     7 days - 14 days     14 days - 1 month     1 month - 2 months

2 months - 3 months    3 months - 6 months  6 months - 9 months   9 months - 1 year

1 year - 2 years       2 years - 3 years    3 years - 4 years     4 years - 5 years

Beyond 5 years

Figure 9.47: Time buckets - Liquidity gap

As a general rule, a narrow time frame is used for measuring near-term
liquidity exposures. As a best practice, a daily time frame is usually ideal in
measuring current liquidity exposures. For the first two weeks of gap analysis,
for example, a daily time frame could be used. The main focus of a liquidity
gap analysis is on short-term mismatches. As such, it is a powerful indicator
of an emerging liquidity problem.

Classify Inflow/Outflow to the appropriate time bucket

Contractual inflows and outflows should be mapped in the relevant time
bands based on their residual contractual maturity. Generally, contractual
maturity is the primary consideration when classifying an asset or liability
to a particular time bucket. For contractual maturity mismatch reporting
purposes, Basel III requires that classifications to a particular time bucket
should be based solely on contractual maturities with no behavioural
assumptions.

This report, therefore, will not reflect actual future forecasted cash flows
under the current, or future, strategy, or plans. This is because the objective
of this metric is to allow national supervisors to use this data and apply their
own assumptions to reflect alternative behavioural responses in reviewing
maturity gaps.

| Accounts | Time Bucket |
|---|---|
| Capital | Latest time bucket (for example, greater than five years) |
| Retained earnings | Latest time bucket (for example, greater than five years) |
| Term deposits | Based on contractual maturity |
| Long-term liabilities | Based on contractual maturity |
| Cash | Overnight bucket |
| Investment in debt securities | Based on contractual maturity |
| Investment in shares | Latest time bucket (for example, greater than five years) |
| Lines of credit committed to institutions | Overnight bucket – These committed lines of credit are contingent liabilities that will only materialise upon the occurrence of a trigger event. To be conservative, entities usually place this obligation in the overnight bucket (or at most under the 0 – 14 days bucket). |

Figure 9.48: Rule of thumb - Liquidity bucket per account

If the inflow is less than the outflow for the relevant time bucket, there is a
liquidity shortfall that must be funded.

Inflows < Outflows → Liquidity Shortfall

Figure 9.49: Liquidity shortfall

If the inflow is greater than the outflow for the relevant time bucket, there is a
liquidity surplus that can be reinvested.

Inflows > Outflows → Liquidity Surplus

Figure 9.50: Liquidity surplus

In the contractual maturity mismatch example below, it should be noted that
in the 0−7 days bucket, there is a shortfall that needs to be funded.

| | Overnight | 0-7 Days | 7-14 Days | 14 Days-1 Month | 1 Month-3 Months |
|---|---|---|---|---|---|
| Assets (Inflows) | 100 | 800 | 9,000 | 12,000 | 15,000 |
| Liabilities (Outflows) | (80) | (1,100) | (8,500) | (10,000) | (12,000) |
| Funding Requirement | 20 | (300) | 500 | 2,000 | 3,000 |
| Cumulative Gap | 20 | (280) | 220 | 2,220 | 5,200 |

Figure 9.51: Contractual maturity mismatch
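
The contractual maturity mismatch steps above, as an added Python example that is not part of the study text: it applies the Figure 9.46 directions and the Figure 9.48 rules of thumb to constructed positions, then builds the gap ladder for those positions and for the Figure 9.51 flows. The band edges, account-type keys, the outflow treatment of capital and retained earnings, and the positions are assumptions of this example; the running sum of the Figure 9.51 gaps comes to 5,220 in the last band, where the figure prints 5,200.

```python
"""Contractual maturity mismatch: bucketing rules of thumb and the gap ladder."""
from itertools import accumulate

# Band edges chosen for this example: (label, upper bound in days, inclusive).
BANDS = [
    ("Overnight", 1), ("1-7 Days", 7), ("7-14 Days", 14),
    ("14 Days-1 Month", 30), ("1-3 Months", 90), ("3-12 Months", 365),
    ("1-5 Years", 1825), ("Beyond 5 Years", float("inf")),
]
LABELS = [label for label, _ in BANDS]

# account type -> (direction, bucketing rule). Rules follow Figure 9.48:
# "overnight", "latest" (last band) or "contractual" (residual maturity).
# Treating capital and retained earnings as outflows is an assumption here.
RULES = {
    "cash": ("inflow", "overnight"),
    "loan receivable": ("inflow", "contractual"),
    "investment in debt securities": ("inflow", "contractual"),
    "investment in shares": ("inflow", "latest"),
    "term deposits": ("outflow", "contractual"),
    "long-term liabilities": ("outflow", "contractual"),
    "credit line committed to institutions": ("outflow", "overnight"),
    "capital": ("outflow", "latest"),
    "retained earnings": ("outflow", "latest"),
}

# Constructed positions: (account type, amount, residual maturity in days).
POSITIONS = [
    ("cash", 100, None),
    ("loan receivable", 800, 5),
    ("investment in debt securities", 900, 45),
    ("investment in shares", 200, None),
    ("term deposits", 600, 6),
    ("term deposits", 500, 60),
    ("credit line committed to institutions", 300, None),
    ("long-term liabilities", 400, 2000),
    ("capital", 200, None),
]

# Inflows and outflows as printed in Figure 9.51.
FIG_9_51_BANDS = ["Overnight", "0-7 Days", "7-14 Days",
                  "14 Days-1 Month", "1 Month-3 Months"]
FIG_9_51_INFLOWS = [100, 800, 9000, 12000, 15000]
FIG_9_51_OUTFLOWS = [80, 1100, 8500, 10000, 12000]


def band_for(account_type, residual_days=None):
    """Return (direction, band label) for one position."""
    direction, rule = RULES[account_type]  # unknown types must be classified first
    if rule == "overnight":
        return direction, LABELS[0]
    if rule == "latest":
        return direction, LABELS[-1]
    if residual_days is None or residual_days < 0:
        raise ValueError(f"{account_type}: residual contractual maturity required")
    label = next(label for label, upper in BANDS if residual_days <= upper)
    return direction, label


def build_flows(positions):
    """Aggregate positions into per-band inflow and outflow lists."""
    inflows = dict.fromkeys(LABELS, 0)
    outflows = dict.fromkeys(LABELS, 0)
    for account_type, amount, residual_days in positions:
        direction, label = band_for(account_type, residual_days)
        (inflows if direction == "inflow" else outflows)[label] += amount
    return [inflows[l] for l in LABELS], [outflows[l] for l in LABELS]


def ladder(labels, inflows, outflows):
    """Per-band gap, running cumulative gap and surplus/shortfall status."""
    if not len(labels) == len(inflows) == len(outflows):
        raise ValueError("labels, inflows and outflows must have the same length")
    gaps = [i - o for i, o in zip(inflows, outflows)]
    return [
        {"band": band, "gap": gap, "cumulative": cum,
         "status": "shortfall" if gap < 0 else "surplus" if gap > 0 else "matched"}
        for band, gap, cum in zip(labels, gaps, accumulate(gaps))
    ]


def peak_funding_need(rows):
    """Largest cumulative shortfall and its band, or (0, None) if never negative."""
    worst = min(rows, key=lambda row: row["cumulative"])
    if worst["cumulative"] >= 0:
        return 0, None
    return -worst["cumulative"], worst["band"]


if __name__ == "__main__":
    for title, rows in (
        ("Figure 9.51", ladder(FIG_9_51_BANDS, FIG_9_51_INFLOWS, FIG_9_51_OUTFLOWS)),
        ("Constructed positions", ladder(LABELS, *build_flows(POSITIONS))),
    ):
        print(title)
        for row in rows:
            print(f"  {row['band']:<18} gap {row['gap']:>7} "
                  f"cumulative {row['cumulative']:>7} {row['status']}")
        print("  peak funding need:", peak_funding_need(rows))
```
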

Behavioural profiling
For internal analysis, banks may apply behavioural assumptions to reflect
a realistic/ conservative overview of the bank’s liquidity profile. Asset flows
(inflows) should be reported according to their latest possible maturity (i.e.,
latest possible date of inflow). Liability flows, on the other hand, should be
classified according to the earliest possible date of outflow. Outflows that are
callable, puttable, or extendible should be analysed based on the earliest
possible date of repayment.

9.6.2 Concentration of Funding [17]

The concentration of funding measure aims to enumerate the different
significant sources of wholesale funding. This is to help monitor vulnerabilities
of the banking organisation where a withdrawal of these funding sources
could trigger liquidity issues or problems. The Basel Committee on Banking
Supervision (BCBS) requires banks to devise a funding strategy that would
enable them to diversify in terms of both sources and tenor of funding and
withstand potential liquidity problems. Concentration of funding aims to:

• Determine the extent of funding concentration to a certain counterparty,
  type of instrument, currencies, and tenor
• Encourage diversification of funding sources as recommended in the
  Basel Committee’s Sound Principles for Liquidity Risk Management and
  Supervision

A significant counterparty is defined as a single counterparty or a group of
connected or affiliated counterparties accounting in aggregate for more
than 1% of the bank’s total balance sheet.

17 Content extracted from pg. 240 – 244, 5.5.2, Risk management in banking: Risk models, capital and asset liability management.
For further reading on the topic, candidates can go to this text.

Concentration of Funding by Counterparty

[Table template: one row for each of the top ten counterparties greater than 1%
of total liabilities (IDs 101 to 110) and one row for all other funding. Columns:
ID, counterparty name, LEI code, counterparty sector, residence of counterparty,
product type, currency, amount received, weighted average initial maturity,
weighted average residual maturity.]

Figure 9.52: Concentration of funding by counterparty

The names of the counterparties from which the unsecured wholesale funding
obtained is greater than 1% of total liabilities will be reported. Counterparty
sectors are also identified. One sector shall be allocated to every counterparty
based on these sector classes: central banks, general governments, credit
institutions, other financial corporations, non-financial corporations, and
households. A significant instrument/product is defined as a single instrument/
product or groups of similar instruments/products that in aggregate, amount
to more than 1% of the bank’s total balance sheet.

| Financial Instruments | Description |
|---|---|
| Retail | Retail sources of funding are considered to be more stable than wholesale market sources of funding, especially when protected by deposit guarantee schemes. An example of retail sources includes customer deposits such as household deposits. |
| Wholesale | Wholesale sources consist broadly of funding from private markets. These sources are typically used to supplement customer deposits in financing the bank's assets. Wholesale sources can be classified into two categories: (1) Short-term funding: short-term wholesale funding involves secured and unsecured borrowing in money markets and issuance of other short-term debts (for example, commercial paper). Examples include interbank loans, repurchase agreements (repos), commercial paper and certificates of deposit. (2) Long-term wholesale funding: examples include medium-term notes (MTNs) and bonds. |

Figure 9.53: Retail vs wholesale sources of funding

The bank should also be able to understand the structural mismatch in the
bank’s assets and liabilities in each of its significant currencies. This will allow
the bank to understand its reliance on a particular funding currency. The
Basel Committee on Banking Supervision (BCBS) defines significant currency
as the currency denomination of a funding source that comprises 5% or more
of its total liabilities.

9.6.3 Available Unencumbered Assets

Banks could use their assets as collateral to generate liquidity in normal and
stressed markets. Banks should therefore be able to manage their collateral
positions and distinguish between encumbered and unencumbered assets.
Unencumbered assets are assets that are free of legal, regulatory, contractual,
or other restrictions on the ability of the bank to liquidate, sell, transfer,
or assign the asset. These assets can potentially be used to raise cash or
other high-quality assets. Generally, these assets are eligible as collateral
for the standing facilities of central banks and can be used as collateral in
secondary markets. Asset encumbrances arise from collateral pledged to
obtain secured funding. Banks should be able to monitor the amount, type,
and location of available unencumbered assets by significant currency. The
bank should have procedures in place that would allow it to monetise and
use these assets to raise cash.

9.6.4 Liquidity Coverage Ratio (LCR) For Each Significant Currency

Compliance with the liquidity coverage ratio should be monitored across
significant currencies in order to better capture structural currency
mismatches. The definition of the stock of high-quality foreign exchange
assets and total net foreign exchange cash outflows should mirror those of
the LCR for common currencies. A currency is considered significant if the
aggregate liabilities denominated in that currency amount to 5% or more of
the bank’s total liabilities.

Foreign Currency LCR = (Stock of High Quality Liquid Assets in Each Currency)
                       / (Total Net Cash Outflows Over a 30-Day Time Period in
                          Each Significant Currency)

Figure 9.54: Foreign Currency Liquidity Coverage Ratio (LCR) formula

9.6.5 Market-Related Monitoring Tools

Real-time market data is important to identify early warning indicators and
anticipate an emerging liquidity crisis and potential liquidity difficulties for banks.
There are three types of market related monitoring tools:

1. Market wide information
2. Information on financial sector
3. Bank-specific information

Figure 9.55: Market related monitoring tools

Market wide information


Market-wide information refers to information both on the absolute level
and direction of major markets and considers their potential impact on the
financial sector and the specific bank. Market-wide information is crucial
when evaluating assumptions behind a bank’s funding plan. Valuable market
information to monitor includes:

i. Equity markets (overall stock markets and sub-indices in various
   jurisdictions relevant to the activities of the bank)

Figure 9.56: Equity market overview

ii. Debt markets (money markets, medium-term notes, long-term debt,
    derivatives, government bond markets, credit default spread indices)

Figure 9.57: Debt market overview

iii. Foreign exchange markets

Figure 9.58: Foreign exchange markets overview

iv. Commodity markets

Figure 9.59: Commodity markets overview

Information on the financial sector


To track whether the financial sector as a whole is mirroring broader market
movements or is experiencing difficulties, information to be monitored
includes:

i. Equity and debt market for the financial sector – Figure 9.60 is an example
of an equity index for the financial sector. The Financial Select Sector Standard &
Poor’s Depository Receipts (SPDR) fund is an index intended to track the
movements of companies that are components of the Standard & Poor’s
(S&P) 500 and are involved in the development and production of financial
products.

As can be seen in Figure 9.60, the index level declined steeply at the height
of the 2007/2008 Global Financial Crisis.


ii. Specific subsets of the financial sector – As mentioned above, the financial
sector is made up of many different industries ranging from banks,
investment houses, insurance companies, real estate brokers, consumer
finance companies, mortgage lenders, and real estate investment trusts
(REITs).

The financial sector is one of the largest portions of the S&P 500. The largest
companies within the financial sector are some of the most recognisable
banking institutions in the world, including the following:

• JPMorgan Chase (JPM)
• Wells Fargo (WFC)
• Bank of America (BAC)
• Citigroup (C)

While these large companies dominate the sector, there are other, smaller
companies that participate in the sector as well. Insurers are also a major
industry within the financial sector, being made up of such companies as
American International Group (AIG) and Chubb (CB).

Figure 9.60: Equity and debt market for the financial sector

Bank specific information


To monitor whether the market is losing confidence in a particular institution
or has identified risk at an institution, it is useful to collect specific market
information on the bank.


• Equity prices
• Credit default swap prices
• Contingency funding plan (CFP)
• Liquidity stress events
• Two levels of CFPs
• Contingency measures

9.6.6 Net Stable Funding Ratio (NSFR)

The net stable funding ratio is the second liquidity standard under Basel III. It
requires a bank to ensure that stable funding is available to meet its required
stable funding. Available stable funding is the portion of the bank’s capital and
liabilities that is expected to remain with the bank for more than one year.
Required stable funding considers the liquidity characteristics and maturities
of the bank’s assets and the contingent liquidity risk arising from its off-balance sheet
exposures. Required stable funding of 100% means that the asset or exposure
needs to be entirely financed by stable funding because of its illiquidity.

9.7 LIQUIDITY STRESS TESTING/THE INTERNAL LIQUIDITY ADEQUACY ASSESSMENT PROCESS (ILAAP)

Internal Liquidity Adequacy Assessment Process (ILAAP), along with ICAAP, constitutes
an important part of the supervisory review and evaluation process (SREP). ILAAP
provides a structured framework for the bank to ensure that:

• It has sufficient liquidity to fulfil its obligations when they fall due
• It is able to bear risk and follow a sustainable strategy even during prolonged
periods of adverse developments

ILAAP goes beyond what is required by Basel III and aims to enhance
the continuity of the bank by ensuring its liquidity adequacy from two different
perspectives. These two perspectives are:

Economic perspective (net present value)
Normative perspective (going concern)

Figure 9.61: ILAAP - Two different perspectives


From an economic perspective, the bank is expected to identify and quantify all
material risks that may negatively affect the bank’s internal liquidity position based
on its own internal liquidity adequacy concept. This includes the assessment of a
credible baseline scenario and adequate, institution-specific scenarios, as reflected
in the multiyear liquidity and funding planning and in line with the overall planning
objectives of the bank. The bank is expected to make a point-in-time risk quantification
of the current situation as of a reference date. This is complemented by a forward-looking
liquidity adequacy assessment for the medium term to take account
of future developments. Banks are expected to capture at least three years for the
funding position and an appropriate time horizon for the liquidity position.

Cash reserves, liquid asset portfolio, unencumbered assets, stable funding
sources and liquidity inflows (supply).

Liquidity outflows from an economic perspective (demand).

Figure 9.62: Economic perspective

Projections should be made on:

• Survival period
• Maturity mismatch
• Other internal metrics

These projections should be made under expected future developments after
management actions for the baseline assumption, and under adverse
future developments for the adverse assumption.

From a normative perspective, the
bank should assess its ability to fulfil all of its regulatory and supervisory requirements
and to cope with other financial constraints on an ongoing basis in the medium
term. This is a multiyear assessment of the bank’s ability to fulfil its liquidity-related
regulatory and supervisory requirements and demands.


Available regulatory highly liquid assets and available stable funding (supply).

Regulatory outflows and stable funding requirement (demand).

Figure 9.63: Normative perspective

Projections are made for:

• Liquidity Coverage Ratio
• Other regulatory or supervisory ratios

Internal liquidity buffers and internal stable sources of funding


Internal liquidity buffers are assets and future inflows which can be considered
as liquidity available for purposes of assessing liquidity adequacy. Internal stable
sources of funding are funding sources that are considered to be reliable. An explicit
internal view should be made on the stickiness of deposits and behavioural cash
flow profile. The stability of the funding profile must also be identified.

i. Risk quantification – Risk quantification is a process to evaluate identified risks
to produce data that can be used in deciding a response to corresponding
risks. It is the second step of project risk management, after risk identification and
before risk response development and risk response control, according to the PMBOK
(Project Management Body of Knowledge) standard. The objective of project
risk quantification is to prepare contingencies in terms of costs, time, or human
resources and prioritise them. PMBOK, ISO 31000, and PRINCE (Projects in Controlled
Environments) provide principles and processes for effective risk management.

Tools shown: Maturity gaps, Internal buffer, Stress testing, NSFR, Projected balance sheet
Items shown under the tools: Contractual, Behavioural, Current assets, Future inflows, MCO by tenor, MCO by currency, Projections, Trends, Utilisation, Shortfall

Figure 9.64: Liquidity risk quantification tools


ii. Stress testing – Stress testing is the application of severe but plausible
macroeconomic assumptions with a focus on key vulnerabilities that are expected
to result in a material impact on the bank’s internal and regulatory position. The
stress testing programme should cover:

▶ Normative and economic perspective
▶ Different time horizons (including intraday)
▶ Different currencies

When conducting stress testing scenarios and sensitivities, the bank should
consider both historical and hypothetical stress events. The objective of stress
testing is to ultimately translate scenarios and sensitivities to liquidity inflows and
outflows and the applicable values of liquid assets.

Scenarios and sensitivities → Liquidity inflows and outflows → Impact on liquidity values of assets + funding requirement

Figure 9.65: Liquidity stress testing

Stress testing should be conducted on two levels:

• Baseline
• Adverse

Under the baseline assessment, stress testing is conducted based on the expected
circumstances. This means that scenarios would be based on the most likely
assumptions on inflows, outflows, risk events, etc. Under the adverse assessment,
stress testing is conducted based on exceptional but plausible developments
with an adequate degree of severity in terms of their impact on the liquidity position.
The adverse scenarios should cover:

Severe economic downturns

Severe market disruptions

Financial shocks

Institution-specific vulnerabilities

Reliance on major funding providers

Figure 9.66: Scenario coverage for stress testing


Reverse stress testing should be used to challenge the comprehensiveness and
conservatism of the ILAAP framework assumptions. This should start from the
identification of a predefined outcome. For example, reverse stress testing would
start with the level of deposits and outflows required to exhaust the bank’s liquidity buffers,
and then find out what assumptions on deposit outflows and risk realisation would
result in the exhaustion (the predefined outcome). Below is a short illustration of
this principle:

                                  Scenario 1    Scenario 2    Scenario 3

Deposit outflow assumption
  Retail                             49%            7%           10%
  Financial                          33%           63%           60%
  Financial                          62%           91%           94%

Other assumptions (not exhaustive)
  Downgrade                       4 notches     4 notches     4 notches
  Debt buy-back                       0%           15%           15%

Figure 9.67: Reverse stress testing
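As an added illustration of the reverse stress testing principle (not taken from the study text), the sketch below starts from the predefined outcome, exhaustion of the liquidity buffer, and solves for the deposit run-off assumptions that produce it. The deposit categories, balances, base run-off rates, liquid asset haircut and the idea of scaling all base rates by one common multiplier are assumptions made for the example.

```python
# Constructed sample data (millions). Categories and rates are illustrative only.
BALANCES = {"retail": 600.0, "corporate": 300.0, "financial": 100.0}
BASE_RATES = {"retail": 0.05, "corporate": 0.20, "financial": 0.50}


def stressed_outflow(balances, base_rates, scale):
    """Deposit outflow when every base run-off rate is multiplied by `scale`.

    A category can never lose more than 100% of its balance.
    """
    return sum(balance * min(1.0, base_rates[name] * scale)
               for name, balance in balances.items())


def reverse_stress_scale(buffer, balances, base_rates, tol=1e-9):
    """Smallest multiplier on the base run-off rates that exhausts `buffer`.

    Returns None when even a full run-off of every category that has a
    positive base rate would not exhaust the buffer.
    """
    if buffer <= 0:
        return 0.0
    positive = [rate for rate in base_rates.values() if rate > 0]
    if not positive:
        return None
    hi = 2.0 / min(positive)  # every positive-rate category is capped at 100% here
    if stressed_outflow(balances, base_rates, hi) < buffer:
        return None
    lo = 0.0
    # Outflow is non-decreasing in the multiplier, so bisection finds the break point.
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if stressed_outflow(balances, base_rates, mid) >= buffer:
            hi = mid
        else:
            lo = mid
    return hi


def breaking_point(liquid_assets, haircut, balances, base_rates):
    """Run-off assumptions at which the haircut liquid asset buffer is exhausted."""
    buffer = liquid_assets * (1.0 - haircut)
    scale = reverse_stress_scale(buffer, balances, base_rates)
    if scale is None:
        return None
    rates = {name: min(1.0, rate * scale) for name, rate in base_rates.items()}
    return {"buffer": buffer, "scale": scale, "rates": rates}


if __name__ == "__main__":
    result = breaking_point(280.0, 0.25, BALANCES, BASE_RATES)
    print(f"Buffer after haircut: {result['buffer']:.0f}")
    for name, rate in result["rates"].items():
        print(f"{name}: run-off of {rate:.1%} exhausts the buffer")
```

The output is a set of outflow assumptions like one column of Figure 9.67; the reviewer then judges whether assumptions that severe are plausible enough to call the ILAAP assumptions into question.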

9.8 SCENARIO ANALYSIS

The objective of scenario analysis is to “form a basis for strategic conversation –
they are a method for considering potential. Liquidity risk management expert
Leonard Matz once described scenario analysis as “the language of liquidity risk”.
This is because liquidity risk is context specific. No two liquidity crises are the same.
Liquidity risk can arise from multiple dimensions (market risk – Lehman Brothers/
Bear Stearns, credit risk – Continental Illinois, operational risk – Barings Bank). This is
the reason why risk managers have to apply a more flexible and creative approach
in understanding and managing liquidity risk. Scenario analysis could be a powerful
tool to help risk managers understand and manage liquidity risk. Scenarios should
be identified based on both bank institution-specific and market-wide or systemic
funding events. Bank institution-specific scenarios are liquidity or funding crises that
pertain specifically to the bank.

A common theme in history with respect to bank-specific stress scenarios is
how it all starts with rapid expansion in taking either market or credit risk without
proportionately boosting or enhancing capital or liquidity. Risk starts to build up
without stepping up risk management efforts. A sudden surprise (in the form of
risk events or adverse impact on profitability) hits the institution. This results in
a second-order reaction by rating agencies, depositors and other stakeholders, which
eventually leads to a flight of unsecured funding sources.

Market-wide or systemic funding events refer to adverse events that could affect the industry or market as
a whole. A common theme in market-wide or systemic funding events is the “rush
to exit pattern”. In a “rush to exit pattern”, it strangely starts with an initial or trivial loss.
However, given that banks generally use similar risk management models, which
means they rely on the same market data, risk management models and regulatory
framework, an initial loss could cascade into adverse and amplified events with a strong
multiplier effect that could threaten the stability of the banking system as a whole.

Scenario analysis objective


The objective in identifying scenarios is to:

• Determine potential vulnerabilities to liquidity events
• Evaluate the impact of adverse events to the bank’s liquidity position

The scenarios should incorporate major funding and market liquidity risks that the
bank is exposed to.

Types of scenarios
There are two different types of scenarios that one can consider for purposes of
scenario analysis:

Historical scenarios
Hypothetical scenarios

Figure 9.68: Types of scenario

Historical scenarios are based on history or past events. Examples of scenarios that
can be used are:

• Wall Street Crash of 1929
• Hyperinflation in the 1960s and 1970s
• 1987 Stock Market Crash
• S&L Crisis in the 1990s
• 1991 Oil Price Surge
• 1995 Latin America Debt Crisis
• 1997 Asian Financial Crisis
• 1998 LTCM Crisis
• 1998 Russia Default Crisis
• 2000 Stock Market Bubble
• 2001 September 11 Attack, Enron Default
• 2007-2008 Global Financial Crisis
• 2010 European Sovereign Debt Crisis
• 2016 Brexit
• 2020 Covid-19 Crisis

Figure 9.69: Sample historical liquidity scenarios


Hypothetical scenarios are based on imagined events or a combination of events
that could adversely affect the bank’s liquidity position. Hypothetical scenarios are
subject to assumptions. Among the most critical assumptions that must be carefully
examined are as follows:

• Asset market illiquidity and erosion in the value of liquid assets

Why?
During a funding crisis, liquidity for assets may dry up. As market participants
become more risk averse, the value of the liquid assets may be lower than the
value expected during normal market conditions. In fact, liquidity for those
assets may disappear altogether during a liquidity crisis scenario where the
objective is to conserve as much cash as possible.

• Runoff retail funding

Why?
During a funding crisis, retail funding may run off, especially uninsured deposits.
This is a classic reaction of retail depositors (and not entirely unexpected).
While part of the bank’s deposit base can be viewed as stable, it is important
that assumptions on the stable and non-stable parts are carefully scrutinised.

• Availability or unavailability of secured and unsecured wholesale funding sources

Why?
Some banks rely heavily on wholesale funding to fund their assets. In the
famous Northern Rock case, the bank was, prior to its collapse, considered one
of the most efficiently run banks because it relied on overnight wholesale funding,
which made its funding cost cheap. However, the disappearance of the wholesale
funding market left Northern Rock vulnerable.

• Correlation between funding markets or effectiveness of diversification across
sources of funding

Why?
Many banks aim for funding diversification to not leave it vulnerable in case a
significant source of funding disappears. However, are they truly diversified?
Diversification during normal markets when funding sources tend to be
uncorrelated is different from diversification during periods of funding stresses
during which correlation tends to amplify. The point is to ask this important
question – can the bank still rely on the different funding sources, or will they
all dry up together?


• Additional margin calls and collateral requirements

Why?
In conducting scenario analysis, one could make the mistake of not considering
the second-order consequences of losses. One of the important second-order
effects of these losses is margin calls or posting of additional cash or collateral
in favour of the affected counterparty. This will pose significant liquidity risk for
the bank. This second-order consequence should be considered in scenario
analysis.

• Funding tenors

Why?
A common risk management rule of thumb is that holding longer tenor
funding is always desirable. This is not always true. It is important to maintain
diversification also in terms of tenor. This is due to the fact that liquidity risk is
unpredictable and is a consequence of random events.

• Contingent claims

Why?
Banks enter into off-balance sheet credit line commitments to lend money to their
clients. For committed credit lines, banks are contractually obliged to lend
money even during market-wide, systemic stresses when banks may need
to conserve funding. These committed credit lines should be factored into the
scenario analysis. At times, banks may have branches or subsidiaries that
are of strategic or reputational importance. While not contractually obliged
to provide financing, banks may be compelled to do so, especially if this is of
strategic importance to the bank.

9.9 CONTINGENCY FUNDING

One of the key lessons we learned from previous banking crises is how rapidly
liquidity risk escalates and evolves. Quantitative risk management models that were
used to measure risks during normal markets proved to be inadequate in a crisis.
Given their unique balance sheet structure (short-term liabilities and longer-term
assets), banks should always have strategies in place to fund themselves not only in
normal market conditions but also during severe market disruptions.

During the 2008 global financial crisis, several banks were caught off guard as banks
that were heavily reliant on short-term wholesale funding suddenly had liabilities
maturing that could not be refinanced. For some, this was exacerbated by the lack of
liquid assets to monetise. All of this happened in a few days or weeks.


Banks that were able to survive this crisis tended to have well-thought-out contingency
plans in place before the situation turned into a crisis. These plans gave their respective
management teams a structured framework and plan to implement during periods
of severe disruptions.

What is CFP?
Contingency Funding Plan (CFP) is the compilation of policies, procedures, and
action plans for responding to severe disruptions to a bank’s ability to fund some or
all of its activities in a timely manner and at a reasonable cost. The CFP clearly sets
out strategies for addressing liquidity shortfalls in emergency situations. The CFP
should provide a clear description of a diversified set of viable, readily available, and
flexibly deployable potential contingency funding measures for preserving liquidity
and making up cash flow shortfalls in various adverse situations.

Available and deployable funds

Cash flow shortfalls

Figure 9.70: Available funds vs cash flow shortfalls

One key objective of CFP is to ensure minimal disruptions in the funding operations
of the bank. This means that the bank should focus efforts to: (a) institute cash
conserving measures and (b) maintain the bank’s franchise value. In essence,
CFP describes procedures to manage and make up cash flow shortfalls in stress
situations.

Design of CFP
When designing a CFP, the following factors should be accounted for:

i. Impact of stressed market conditions on the ability to sell or securitise assets.
ii. Link between asset market and funding liquidity (for example, the complete loss
of typically available market funding options).


Boxed Article–3

Northern Rock accounted for 1 in 13 UK home loans and funded the bulk of its
mortgages with borrowing on wholesale markets rather than stable deposits.
Northern Rock relied on wholesale sources of funding for 77 percent of its
funding requirement and was regarded as one of the most cost-efficient banks
in the UK. It originated subprime home loans and certified home loans for
Lehman Brothers. Northern Rock became the victim of the first bank run in the
UK in over a century as wholesale funding dried up and it was unable to
raise sufficient cash to fulfil its maturing short-term obligations.

Source: Reuters, Financial Times, September 2012

iii. Second-round and reputational effects related to execution of contingency
funding measures.
iv. Potential to transfer liquidity across group entities, borders, and lines of business,
considering legal, regulatory, operational and time zone restrictions and
constraints.

Scope of CFP
CFP, at minimum, should include:

Policies to manage a range of stress environment

Establish clear lines of responsibility

Include clear invocation and escalation procedures

Be regularly tested and updated to ensure robustness

Figure 9.71: Scope of CFP

Policies to manage a range of stress environment


CFPs should prepare the bank to manage a range of scenarios of severe liquidity
stress that include both firm-specific and generalised market-wide stress and the
potential interaction between them.


Firm-wide
Generalised market-wide

Figure 9.72: Interaction between firm specific vs market-wide stress risk

Firm-specific stress events are funding crises that are triggered by bank-specific
events (for example, incurring substantial market, credit, or operational losses).
Firm-specific stress events can start from different areas – for example, one can be
triggered when a bank suffers a sudden market, credit or operational risk event that
results in a deterioration of confidence in the bank’s ability to continue to operate as
a going concern. Many classic bank runs start from bank-specific events that are
triggered by sizeable, surprise losses. At times, a run can arise from baseless
rumours that could catalyse a collective deterioration in the reputation of the bank.

Boxed Article–4

Jiangsu Sheyang Rural Commercial Bank Run


Jiangsu Sheyang Rural Commercial Bank was hit by a four-day bank run after
rumours spread about the bank’s possible bankruptcy after the bank allegedly
turned down a customer’s request to withdraw 200,000 yuan. The bank and local
officials denied that this happened. Hundreds started to queue in front of the bank to
withdraw their money.

Source: Reuters, 26 March 2014

System-wide stress events include scenarios outside the control of the bank that
could affect the bank’s ability to fund itself. Examples of system-wide stress
events include a sudden deterioration in market conditions that results in bank funding
sources drying up. This could be caused by diverse events that are outside the bank’s
control but will result in public deterioration of confidence in the banking system.
It can also be caused by a general economic recession that could result in the
deterioration of the banking industry’s credit portfolio and cause loss of trust and
confidence in the banking system. The CFP should include a broad menu of
action plans or options so that management has an overview of the palette of
contingency measures.


Establish clear lines of responsibility


CFP should be activated promptly during a crisis. Management is expected to make
timely and well-informed decisions and execute these contingency measures
quickly and proficiently. To do that, clear lines of responsibility must be established
beforehand.

The CFP should:

• Clearly specify roles and responsibilities, including authority to invoke the CFP.
• Provide names and contact details of members of the team responsible for
implementing the CFP and the locations of team members
• Provide designation of alternates for key roles

Clear invocation and escalation procedures


There are two important levels within the CFP:

Pre-alarm phase

Alarm phase

Figure 9.73: Pre-alarm vs alarm phase

During the pre-alarm phase, the bank is expected to intensely monitor a set of early
warning indicators following an observed firm-specific or system-wide shock. The
alarm phase is composed of different escalation levels. Colour coding is typically
used (green, orange, and red) to indicate the severity of the liquidity crisis situation.
Invocation is the activation of the CFP. The CFP should contain procedures that will
trigger prompt discussion within the ALCO to decide whether to activate the CFP or
not.

The trigger could be based on certain developments in the key risk indicators (for
example, a breach of key risk indicators beyond a certain pre-defined level). The
triggers or the key risk indicators are specific early warning signs selected in advance
which will indicate the stage of the liquidity crisis. Examples of these early warning
signals are:

• Availability of credit or funding lines
• Past due levels
• Level of maximum cumulative outflow
• Funding spread levels


Escalation, on the other hand, refers to the process of updating the threat level. The
CFP should contain clear parameters and procedures for escalation. Action plans
should be designed for different stages or levels of escalation. Invocation of the CFP
includes the establishment of a formal crisis team to facilitate internal coordination
and decision-making during the crisis.

The plan should set out a clear decision-making process on the following areas:

• What? What actions to take?
• When? When to take these actions?
• Who? Who can take the actions?
• What issues need to be escalated to more senior officials in the bank?

Regular test and update


CFPs should be reviewed and tested regularly based on the following two broad
criteria: effectiveness and operational feasibility.

Testing should be conducted based on the following areas:

• Roles and responsibilities are appropriate and understood
• Confirm contact information is up to date
• Prove transferability of cash and collateral (cross borders and cross entities)
• Legal and documentation is in place to execute the plan in short notice
• Regularly test assumptions

Figure 9.74: CFP - Roles and responsibilities

Senior management should review and update the CFP at least every year for the
board’s approval.

Linkage with Business Continuity Plan (BCP)

BCP CFP

Figure 9.75: BCP vs CFP


The CFP should be consistent with the bank’s business continuity plan (BCP) and
should be operational in situations where business continuity arrangements
have been invoked. The bank should have an effective coordination process
between teams managing the business continuity and liquidity crisis. CFP should
be maintained in a central repository and at locations that would facilitate quick
implementation and execution of emergency measures.

9.10 USING DERIVATIVES TO MANAGE ASSET AND LIABILITY MANAGEMENT (ALM)

As we have learned so far in this chapter, banks are in the business of financial
intermediation and, as a consequence of performing their role, it is inevitable
that banks would take certain risks associated with the performance of this role. For
example, by undertaking the role of maturity transformation, banks are funding long-term
assets (for example, fixed rate loans and receivables or fixed rate bonds) with
short-term liabilities (for example, short-term deposits).

Illustrative Example–4

Before Hedging
Bank Merkel has outstanding USD 100,000,000 fixed rate loan for 5 years with
interest at 5%. This is funded by a short-term 1 year USD 100,000,000 fixed rate
liability with interest at 2%. After 1 year, Bank Merkel must refinance the loan at the
prevailing market rate.

Assume that the bank’s weighted average cost of capital is at 3%. Before hedging,
Bank Merkel expects to earn net interest income for Y1:

Interest income from fixed rate loan (100,000,000 x 5%)   =   5,000,000
Interest expense from liability (100,000,000 x 2%)        =  (2,000,000)
Net Interest Income                                           3,000,000

In the scenario where interest rates increase by 1%, the bank’s profitability and the
economic value of its net assets could be adversely affected. Below is an illustration
demonstrating this classic asset and liability management problem:


Illustrative Example–5

Before Hedging (Interest Rate Increases)


After 1 year, the fixed rate liability matures, and Bank Merkel must refinance this
at the prevailing interest rate. Suppose the prevailing interest rate (for example,
LIBOR) is at 3%.

Assume that the bank’s weighted average cost of capital is at 3%.

Before hedging, Bank Merkel expects to earn net interest income for Y2:

Interest income from fixed rate loan (100,000,000 x 5%)       5,000,000
Interest expense from liability (100,000,000 x 3%)           (3,000,000)
Net Interest Income                                           2,000,000

This represents a decline in net interest income from 3,000,000 to 2,000,000.

One of the most efficient ways to manage the bank’s asset and liability management
exposure is through the skilful use of derivatives. What are derivatives? Derivatives
are financial instruments whose value depends on the performance of an
underlying variable. The underlying variable can be interest rates, foreign exchange,
commodities, or equities.

An interest rate swap is one of the simplest derivatives that one can use for asset and
liability management. An interest rate swap is an agreement to exchange a series of
future cash flows – for example, fixed vs. floating rate cash flows.

USD Fixed Interest Rate Payer: Party B

USD Fixed Interest Rate Periods: Effective Date to [] and thereafter, each semi-annual period ending on the [ ] to [] up to and including the termination date

USD Fixed Interest Rate Periods: The last day of each USD floating interest rate period, subject to adjustment in accordance with the Modified Following Business Day Convention

USD Fixed Interest Rate: 2.00%

USD Fixed Interest Rate Day Count Fraction: Actual/360

Business Days: New York, London

Calculation Agent: Party A

Documentation: ISDA, English Law

Figure 9.76: Terms and conditions - Interest rate swap


In the sample interest rate swap terms and conditions above, Party B, the fixed rate
payer, agrees to pay a fixed rate of 2% p.a. and will receive from Party A a floating rate
or variable cash flow (LIBOR in this example).

Fixed Rate Payer → 2.00% p.a. → Fixed Rate Receiver
Fixed Rate Receiver → LIBOR → Fixed Rate Payer

Figure 9.77: Interest rate swap cash flow

To solve our earlier asset and liability management problem, suppose Bank Merkel
wants to remove the mismatch between the 5-year fixed rate asset and 1-year
floating rate liability. Bank Merkel may enter into an interest rate swap with another
counterparty to convert the 5-year fixed rate asset into a 1-year floating rate
asset, repricing every year. By entering a 5-year interest rate swap with another
bank, Bank Merkel agrees to exchange the 5% p.a. fixed rate cash flow from the loan
for a floating rate cash flow.

In the interest rate swap transaction above, the fixed rate payer agrees to pay 2% and
will receive floating LIBOR over the next 5 years. To convert a 5% fixed rate cash flow,
Bank Merkel will receive the following from the floating rate counterparty:

Fixed Rate Loan                                          5% p.a.
Less: Fixed Rate vs. LIBOR swap rate                     (2% p.a.)
Equivalent Interest Rate – New Fixed Rate Asset
(Old Fixed Rate Asset + Interest Rate Swap)              LIBOR + 3%

Figure 9.78: Synthetic floating rate asset

By entering into an interest rate swap, Bank Merkel has effectively addressed the
asset and liability management challenge that we identified at the beginning of
this section. By entering into an interest rate swap, Bank Merkel has converted its
fixed rate asset into a floating rate asset. The net impact, from a broad bank-wide
perspective, is that Bank Merkel was able to lock in the margin at 3% p.a. regardless
of the movement of interest rates.


New Fixed Rate Asset LIBOR + 3%

Deposit LIBOR

Net Margin Locked In 3% p.a.

Figure 9.79: Locking-in-the net margin

Fixed Rate Loan → 5% p.a. → Bank Merkel → 5% p.a. → Bank XYZ
Bank XYZ → LIBOR + 3% p.a. → Bank Merkel
Deposit → funds Bank Merkel

Figure 9.80: Flow diagram - Interest swap hedging

Illustrative Example–6

Interest Rate Increase – Using Interest Rate Swap


After 1 year, the fixed rate liability matures, and Bank Merkel must refinance
this at the prevailing interest rates. Suppose the prevailing interest rate (for
example, LIBOR) is at 3% after 1 year.

Before hedging, Bank Merkel expects to earn net interest income for Y2:

Interest income from fixed rate loan (100,000,000 x 5%): 5,000,000
Interest expense from liability (100,000,000 x 3%): (3,000,000)
Net Interest Income: 2,000,000

By entering into an interest rate swap, Bank Merkel was able to transform the
cash flow:

Fixed Rate Payment: 5,000,000
Floating Rate Receipt (LIBOR + 3%): 6,000,000
Net Receipt from Interest Rate Swap: 1,000,000

Total Income for Bank Merkel

Net Interest Income: 2,000,000
Net Receipt from Interest Rate Swap: 1,000,000
Net Income: 3,000,000

By entering into an interest rate swap, Bank Merkel was able to lock in its net
interest income and insulate it from changes in interest rates.

Below is a short summary of Bank Merkel’s net income under different interest rate
scenarios:

| LIBOR at | 2% | 3% | 5% | 7% | 10% |
|---|---|---|---|---|---|
| Net Interest Income | 3,000,000 | 2,000,000 | 0 | (2,000,000) | (5,000,000) |
| Net Receipt from Swap | 0 | 1,000,000 | 3,000,000 | 5,000,000 | 8,000,000 |
| Net Income | 3,000,000 | 3,000,000 | 3,000,000 | 3,000,000 | 3,000,000 |

Figure 9.81: Scenario analysis - LIBOR vs Net Income

What was achieved by entering into an interest rate swap was remarkable. The
bank was able to efficiently transform its asset and liability management profile.
Without derivatives, the traditional solutions that are available are limited and
generally inefficient. For example, the only alternative to achieve the same
outcome as above is to re-negotiate the fixed rate loan into a floating rate loan,
repricing every year. By locking in the margin at a fixed level, Bank Merkel forgoes
the potential to benefit from interest rate decreases, which would reduce the cost
of funds and improve the overall net income from the transaction.

Illustrative Example–7

Interest Rate Decrease – Before Hedging


After 1 year, the fixed rate liability matures, and Bank Merkel must refinance this
at the prevailing interest rate. Suppose the prevailing interest rate (for example,
LIBOR) is at 1% after 1 year.

Before hedging, Bank Merkel expects to earn net interest income for Y2:

Interest income from fixed rate loan (100,000,000 x 5%): 5,000,000
Interest expense from liability (100,000,000 x 1%): (1,000,000)
Net Interest Income: 4,000,000

Bank Merkel was able to lower its cost of funds from 3,000,000 to 1,000,000. This
improves the net income from 3,000,000 to 4,000,000.

By entering into an interest rate swap, Bank Merkel was able to transform the
cash flow:

Fixed Rate Payment: 5,000,000
Floating Rate Receipt: (LIBOR @ 1% + 3%) x USD 100,000,000 = 4,000,000
Net Payment in Interest Rate Swap: (1,000,000)

Total Income for Bank Merkel

Net Interest Income: 4,000,000
Net Receipt from Interest Rate Swap: (1,000,000)
Net Income: 3,000,000

By entering into an interest rate swap, Bank Merkel was able to lock in its net
interest income and insulate it from changes in interest rates.

By locking in the margin at a fixed level via an interest rate swap, Bank Merkel
forgoes the potential to benefit from interest rate decreases, as can be seen in
the previous illustration. An alternative solution is to enter into an interest rate cap.
An interest rate cap is an interest rate derivative that is similar to an insurance
contract where the hedger is protected against interest rate increases above a
certain hedge or strike rate. However, below this strike rate, the hedger can
participate in interest rate decreases. An interest rate cap essentially protects the
hedger against interest rate increases. For example, instead of entering into an
interest rate swap, Bank Merkel entered into an interest rate cap with strike at 2%.
For this interest rate cap, Bank Merkel needs to pay a premium of 0.5% p.a.

Illustrative Example–8

Interest Rate Increase – Using Interest Rate Swap


After 1 year, the fixed rate liability matures, and Bank Merkel must refinance this
at the prevailing interest rates. Suppose the prevailing interest rate (for example,
LIBOR) is at 3% after 1 year.

Before hedging, Bank Merkel expects to earn net interest income for Y2:

Interest income from fixed rate loan (100,000,000 x 5%): 5,000,000
Interest expense from liability (100,000,000 x 3%): (3,000,000)
Net Interest Income: 2,000,000

By entering into an interest rate cap, Bank Merkel benefits from increases in
interest rates above 2%:

Fixed Rate Payment: 3,000,000
Strike Rate: (2,000,000)
Net Receipt from Interest Rate Cap: 1,000,000
Less: Premium Payment (0.5% x 100,000,000): (500,000)
Total Income from Cap: 500,000

Net Interest Income: 2,000,000
Net Receipt from Cap: 500,000
Net Income: 2,500,000

By entering into an interest rate cap, Bank Merkel locks in its net income at
2,500,000.

An interest rate cap provides a similar level of protection to an interest rate swap,
except that it costs more, as Bank Merkel has to pay an additional premium of 500,000
per annum for this protection. What is Bank Merkel paying for? Bank Merkel is paying
not only for the protection (interest rate swaps provide a similar level of protection
at much lower cost) but also for the flexibility to benefit in the event of interest
rate decreases.

Illustrative Example–9

Interest Rate Decrease – Interest Rate Cap

After 1 year, the fixed rate liability matures, and Bank Merkel must refinance this
at the prevailing interest rate. Suppose the prevailing interest rate (for example,
LIBOR) is at 1% after 1 year.

Before hedging, Bank Merkel expects to earn net interest income for Y2:

Interest income from fixed rate loan (100,000,000 x 5%): 5,000,000
Interest expense from liability (100,000,000 x 1%): (1,000,000)
Net Interest Income: 4,000,000

Bank Merkel was able to lower its cost of funds from 3,000,000 to 1,000,000. This
improves the net income from 3,000,000 to 4,000,000.

Bank Merkel will exercise the interest rate cap only if the interest rate increases
above the strike rate of 2%. In this case, since the interest rate cap strike is above
the market rate of 1%, there will be no payoff from the interest rate cap. However,
Bank Merkel still needs to pay the premium of 500,000.

Net Interest Income: 4,000,000
Premium: (500,000)
Net Income: 3,500,000

Note that by entering into an interest rate cap instead of interest rate swap, Bank
Merkel was able to achieve better income than just by locking in via interest rate
swap.

Note: In practice, interest rate caps are marked-to-market with changes in fair
value reflected in profit or loss (unless hedge accounting is applied). Entering into
derivatives, as discussed in the credit risk chapter, entails counterparty credit risk.
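
The swap and cap illustrations above can be reproduced for any LIBOR level with the short script below. It is an added example, not part of the study text; the function and constant names are illustrative, and rates are held in basis points so the arithmetic is exact.

```python
"""Added example: Bank Merkel's year-2 net income unhedged, swapped and capped.

Rates are in basis points (1% = 100 bp). Names are illustrative only.
"""

NOTIONAL = 100_000_000    # loan and deposit size in the illustrative examples
LOAN_BP = 500             # 5% p.a. fixed rate loan
SWAP_MARGIN_BP = 300      # the swap turns the loan into LIBOR + 3%
CAP_STRIKE_BP = 200       # interest rate cap strike of 2%
CAP_PREMIUM_BP = 50       # cap premium of 0.5% p.a.


def amount(rate_bp):
    """Annual cash amount on the notional for a rate given in basis points."""
    return NOTIONAL * rate_bp // 10_000


def net_interest_income(libor_bp):
    """Unhedged: fixed loan income less the deposit refinanced at LIBOR."""
    return amount(LOAN_BP - libor_bp)


def swap_net_receipt(libor_bp):
    """Swap: pay 5% fixed, receive LIBOR + 3%. Negative means a net payment."""
    return amount((libor_bp + SWAP_MARGIN_BP) - LOAN_BP)


def cap_net_receipt(libor_bp):
    """Cap: payoff max(LIBOR - strike, 0) less the premium, which is always paid."""
    payoff_bp = max(libor_bp - CAP_STRIKE_BP, 0)
    return amount(payoff_bp - CAP_PREMIUM_BP)


def net_income(libor_bp):
    """Net income for one LIBOR scenario under each hedging choice."""
    nii = net_interest_income(libor_bp)
    return {
        "unhedged": nii,
        "swap": nii + swap_net_receipt(libor_bp),
        "cap": nii + cap_net_receipt(libor_bp),
    }


def cap_swap_breakeven_bp():
    """LIBOR level at which the cap and the swap give the same net income.

    Below the strike the cap pays nothing, so capped income is
    loan - LIBOR - premium, while swapped income is the fixed margin.
    """
    breakeven = LOAN_BP - CAP_PREMIUM_BP - SWAP_MARGIN_BP
    if breakeven >= CAP_STRIKE_BP:
        raise ValueError("break-even is not below the strike; formula does not apply")
    return breakeven


if __name__ == "__main__":
    print(f"{'LIBOR':>6} {'unhedged':>12} {'swap':>12} {'cap':>12}")
    for libor_bp in (100, 200, 300, 500, 700, 1000):
        row = net_income(libor_bp)
        print(f"{libor_bp / 100:>5.1f}% {row['unhedged']:>12,} "
              f"{row['swap']:>12,} {row['cap']:>12,}")
    print(f"Cap beats swap when LIBOR is below {cap_swap_breakeven_bp() / 100}%")
```

With these terms the cap only outperforms the swap when LIBOR settles below 1.5%; at or above the 2% strike the capped income is fixed at 2,500,000 against 3,000,000 for the swap.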

9.11 LIBOR CHALLENGES

The London Interbank Offered Rate (LIBOR) has been the reference benchmark rate
used to determine interest payments for many commercial and financial contracts,
from corporate loans to consumer loans to derivatives. LIBOR is referenced by an
estimated USD 350 trillion of outstanding contracts with maturities ranging from
overnight to more than 30 years.

LIBOR is an average derived from quotations provided by banks, determined by the
ICE Benchmark Administration. Each contributor bank submits rates at which it
could obtain unsecured funding. LIBOR is calculated using a trimmed arithmetic
mean that excludes the outliers (i.e., the highest and lowest 25% of submissions).

LIBOR Scandal
In 2009, the Financial Services Authority (FSA), together with regulators globally,
was investigating a number of banking institutions for suspected misconduct
involving benchmark rates such as LIBOR, EURIBOR and TIBOR. Global financial
institutions came under investigation for colluding to manipulate LIBOR beginning
in 2003.

Boxed Article–5

In June 2012, Barclays entered into a USD 360 million settlement with the United
States Department of Justice and the Commodity Futures Trading Commission
after Barclays attempted to manipulate LIBOR between 2005 and 2009. The UK’s
FSA fined Barclays USD 92.5 million for its attempted LIBOR manipulation.

The investigation revealed two types of manipulation:

• Requests to manipulate rates for the benefit of derivatives traders: derivatives
traders attempted to manipulate LIBOR by requesting that submitters submit
rates that would benefit the traders’ positions. Barclays employees made at
least twelve requests to other interbank participants to submit false
rates to benefit Barclays’ trading positions.
• Barclays also attempted to manipulate LIBOR by submitting low estimates
of bank borrowing costs leading up to and during the financial crisis in 2008,
as some market participants interpret LIBOR submissions as reflective of
Barclays’ financial health.

Source: Review of Banking and Financial Law Vol. 32

The LIBOR scandal eroded public trust not only in LIBOR but in financial markets
in general. Hence, since 2017, there has been increasing momentum to transition away
from LIBOR-based benchmarks. The Financial Conduct Authority (FCA) announced
in 2017 that it will no longer “persuade or compel” banks to submit rates required to
calculate LIBOR.

New Benchmark Reference Rates


To protect market participants against manipulation, the proposed new or reformed
benchmark rates would ideally be based on actual transactions in liquid markets
rather than derived from a poll of contributing banks. The new benchmark reference
rates initially introduced are based on credible, transaction-based overnight risk-
free rates anchored on sufficiently liquid money markets.

Key Characteristics of Ideal Benchmark Reference Rates


i. Robust – The ideal benchmark reference rate should be robust and an accurate
representation of interest rates in core money markets that is not susceptible to
manipulation. It should ideally be derived from actual transactions in active and
liquid markets, subject to best-practice governance and oversight.
ii. Applicability – The benchmark reference rate should be applicable beyond
the money market and could be applied for discounting and for pricing cash
instruments and interest rate derivatives.
iii. Benchmark for both lending and funding – As financial intermediaries are both
lenders and borrowers simultaneously, the lending benchmark rate should not
behave too differently from the rates at which they raise funding.

Secured Overnight Financing Rate (SOFR)


Secured overnight financing rate (SOFR) is a broad measure of the cost of borrowing
cash overnight collateralised by Treasury securities. SOFR is based on secured
overnight transactions in the repo market. As SOFR is based on the repo markets,
it is important to understand them. A repo is a form of collateralised short-term
loan in which the borrower pledges a security as collateral while agreeing to
repurchase it at a higher price at a future date.

In SOFR, the relevant repo transactions focus on borrowing cash overnight
collateralised by U.S. Treasury securities. Given this, SOFR tends to be more volatile
than LIBOR. This is why one of the proposed approaches is to benchmark the floating
rate based on a moving average. For example, the one-month SOFR rate would be the
moving average of the daily SOFR rate over the previous month.

SOFR vs. LIBOR


One of the important differences between SOFR and LIBOR is that SOFR is a pure
risk-free rate with no credit risk. On the other hand, LIBOR is an interbank interest
rate (and therefore includes bank credit risk). Another important distinction between
SOFR and LIBOR is that SOFR is calculated daily or in arrears, but LIBOR is already
known in advance of the interest rate period. LIBOR is a forward-looking interest
rate in the sense that it reflects banks’ expectations about future interest rates and
market conditions. SOFR, on the other hand, is backward looking and is constructed
mechanically from realisations of overnight rates through a methodology known as
“compounded in arrears”.

SOFR is a secured overnight rate (secured by US Treasuries). On the other hand,
LIBOR is an unsecured funding rate for a pre-defined time horizon. To
address the issues raised on LIBOR, one of the most important differences between
SOFR and LIBOR is that SOFR is grounded on actual transactions in active and liquid
markets. In contrast, LIBOR is calculated from a survey of a small set of banks
reporting non-binding quotes.
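
The sketch below, an added example that is not part of the study text, puts the two constructions side by side: the LIBOR trimmed mean over a panel of submissions, and a SOFR period rate built in arrears from daily fixings. The panel and fixing values are constructed, the function names are illustrative, and the ACT/360 day count is an assumption that the text does not state.

```python
"""Added example: how the two benchmarks described above are constructed."""
from statistics import mean

DAY_COUNT = 360  # assumption: ACT/360 money-market day count


def libor_trimmed_mean(submissions_bp, trim=0.25):
    """Average the submissions after dropping the highest and lowest 25%."""
    ordered = sorted(submissions_bp)
    cut = int(len(ordered) * trim)          # submissions dropped at each end
    kept = ordered[cut:len(ordered) - cut]
    if not kept:
        raise ValueError("no submissions left after trimming")
    return mean(kept)


def sofr_simple_average(fixings):
    """Day-weighted moving average of daily rates, in percent.

    fixings is a list of (rate_percent, days_applied); a Friday fixing
    would carry days_applied = 3 because it also covers the weekend.
    """
    days = sum(n for _, n in fixings)
    return sum(rate * n for rate, n in fixings) / days


def sofr_compounded_in_arrears(fixings):
    """Annualised rate from compounding each daily fixing over the period."""
    growth = 1.0
    days = 0
    for rate_pct, n in fixings:
        growth *= 1 + (rate_pct / 100) * n / DAY_COUNT
        days += n
    return (growth - 1) * DAY_COUNT / days * 100


# Constructed panel of 16 submissions, in basis points.
PANEL_BP = [195, 198, 199, 200, 200, 201, 201, 202,
            202, 203, 203, 204, 205, 206, 208, 210]
# Same panel with the lowest quote replaced by an abnormally low one.
PANEL_WITH_OUTLIER_BP = [150] + PANEL_BP[1:]
# Constructed month of 21 daily fixings with a one-day spike to 5%.
MONTH_FIXINGS = [(2.00, 1)] * 10 + [(5.00, 1)] + [(2.00, 1)] * 10

if __name__ == "__main__":
    print("LIBOR fixing (bp):", libor_trimmed_mean(PANEL_BP))
    print("with outlier (bp):", libor_trimmed_mean(PANEL_WITH_OUTLIER_BP))
    daily = [rate for rate, _ in MONTH_FIXINGS]
    print("daily SOFR range (%):", min(daily), "to", max(daily))
    print("simple average (%):", round(sofr_simple_average(MONTH_FIXINGS), 4))
    print("compounded in arrears (%):",
          round(sofr_compounded_in_arrears(MONTH_FIXINGS), 4))
```

The abnormally low quote falls in the trimmed quartile and leaves the fixing unchanged, and the one-day jump from 2% to 5% moves the period rate by only about 0.14 percentage points, which is why averaged or compounded SOFR is used rather than the raw overnight rate.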

Implications on ALM
In the world of new benchmark rates, asset-liability management is expected to
become more challenging. One of the key advantages of LIBOR as a benchmark
rate is that it serves as the same benchmark for term funding and lending by the
bank. The lack of benchmark rates that adequately reflect banks’ marginal
funding cost would expose banks to basis risk when the marginal funding cost
diverges from interest rates on assets benchmarked to the new replacement
risk-free rates.

SUMMARY

• Non-traded market risk is a broad term for risk exposures arising from financial
instruments (both on and off-balance sheet) that are not covered by market risk.
This is the risk arising from the banking book and can be subdivided further into
interest rate risk in the banking book and credit risk in the banking book.

• There are three main activities that fall within asset and liability
management (ALM): stabilising net interest income, ensuring liquidity and
maintaining adequate capital.

• Interest rate risk is the risk arising from changes in interest rates that can adversely
impact the bank’s earnings (net interest margin) or economic value. There are
four main sources of interest rate risk: repricing risk, basis risk, yield curve risk and
option risk.

• Interest rate risk is managed using three different tools: earnings-based tools
(gap analysis, earnings at risk), economic value-based tools (duration gap) and
simulation approaches.

• Liquidity risk is the risk arising from failure of the bank to fulfil its obligations as
they come due. Liquidity risk exists on both the asset and liability side of the bank’s
balance sheet. Basel III requires banks to address both asset-based liquidity risk
(through the liquidity coverage ratio) and liability-based liquidity risk (through the
net stable funding ratio).

END OF CHAPTER PRACTICE QUESTIONS

1. Which of the following is not among the activities included in asset and liability
management?
A. Interest rate risk in the banking book
B. Interest rate risk in the trading book
C. Capital management
D. Liquidity management

2. This occurs when the gap between short-term and long-term rates tightens.
A. Steepening
B. Flattening
C. Inverting
D. Reverting

3. The borrower’s right to prepay their loan is an example of ______ and is a risk (from
the lender’s perspective) that is associated with the ______ side of the balance sheet.
A. Call option, Asset side
B. Call option, Liability side
C. Put option, Asset side
D. Put option, Liability side

4. The depositor’s right to terminate their deposit is an example of ______ and is a risk (from
the bank’s perspective) that is associated with the ______ side of the balance sheet.
A. Call option, Asset side
B. Call option, Liability side
C. Put option, Asset side
D. Put option, Liability side

5. The gap between five- and 30-year yields narrowed for a third day. Long-term debt
outperformed on Thursday after Mario Draghi signalled the European Central Bank won’t
stop its bond-buying programme without tapering it first. This is an example of:
A. Parallel shift in the yield curve
B. Flattening of the yield curve
C. Steepening of the yield curve
D. None of the above

6. If a yield curve steepens, this means that the spread between long- and short-term rates
______. Therefore, the long-term bond prices will ______ relative to short-term
bonds.
A. increase, increase
B. increase, decrease
C. decrease, increase
D. decrease, decrease

7. If an entity is in a positive gap position, this means that rate sensitive assets are ______
than rate sensitive liabilities. This exposes the entity to ______ in interest rates.
A. greater, increases
B. greater, decreases
C. lower, increases
D. lower, decreases

8. Standard Chartered Plc roiled credit markets in Europe on Tuesday, when the U.K.
bank broke with convention by saying it wouldn’t buy back its junior bonds at the first
opportunity. The move echoes Deutsche Bank AG’s decision during the financial crisis
not to redeem its bonds, which shook investor assumptions about callable subordinated
debt and made it more difficult to value the securities. It highlights the dilemma faced
by issuers of such debt: extend the bonds to take advantage of cheap funding at the
risk of alienating investors or redeem the bonds and refinance at a higher rate to satisfy
investors.
“Clearly the market was expecting a call here,” said Robert Montague, a senior
financial analyst for ECM Asset Management in London, whose parent Wells Fargo
Asset Management oversees about $480 billion, including some of Standard
Chartered’s other junior bonds. “People will start to look at similar bonds and
question whether other banks will follow suit. Some will, some won’t, but the
uncertainty is unhelpful.”

Determine what type of option this is and who is the holder of the option.

A. Call, Standard Chartered
B. Call, Investor
C. Put, Standard Chartered
D. Put, Investor

9. Which of the following should be considered in stress testing?


A. Severe but probable events
B. Severe but plausible events
C. Median but probable events
D. Median but plausible events

10. Which of the following should be considered from a normative perspective of liquidity?
A. All material risks that may negatively affect the bank’s internal liquidity position
B. Assessment of a credible baseline scenario and adequate institution specific
scenarios.
C. Ability of the bank to fulfil all of its regulatory and supervisory requirements.
D. All of the above.

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. B 2. B 3. A 4. D 5. B 6. B 7. B 8. A 9. B 10. C

CHAPTER 10
CAPITAL MANAGEMENT

10. CAPITAL MANAGEMENT

Learning Outcomes

At the end of the chapter, you will be able to:

• Explain stress testing and reverse stress testing as part of capital management.

Key Topics

In this chapter, you will be able to read about:

• The internal capital adequacy assessment process (ICAAP)


• Role of capital
• Types of capital
• Sound capital assessment
• Stress testing
• The risk adjusted return on capital (RAROC).

Assessment Criteria

During the exam, you will be expected to:

• Explain the role of capital in minimising the risk of bank insolvencies.


• Understand the regulatory capital framework under Basel III (kept to minimum).
• Explain the concept of economic capital.
• Explain the importance of stress testing in the overall risk management.

10.1 INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

Basel II (now Basel III) provides a three-pillar approach to sound risk management
and regulatory capital requirements. Under Pillar 1, Basel prescribes minimum
capital requirements to cover for market, credit, and operational risk. Under Pillar 2,
banks are empowered to perform their own assessment of their own internal capital
adequacy by:

• Identifying and assessing all material risks they are exposed to
• Assessing the nature, type, and amount of available capital

Internal capital adequacy assessment process (ICAAP) consists of sound, effective
and comprehensive strategies and processes to assess and maintain on an
ongoing basis the amounts, types, and distribution of internal capital that banks
consider adequate to cover the nature and level of the risks to which they are or
might be exposed. Supervisory review evaluation process (SREP) independently
validates and challenges the outcome of bank management’s ICAAP process. This
makes Pillar II an iterative activity.

What is the objective of the ICAAP process?


The objective of the ICAAP is to ensure that the bank will continue to operate as
a going concern by ensuring that it has sufficient capital to bear risks, absorb
losses and follow a sustainable strategy even during a prolonged period of adverse
developments. ICAAP takes a close look at the management buffers (above the
minimum regulatory requirement) and internal capital needs that allow the bank to
sustainably follow its strategy.

The assessment of internal capital adequacy must be done using two
complementary internal perspectives:

i. Normative perspective – The normative perspective refers to a multi-year
assessment of the bank’s ability to fulfil all of its capital-related regulatory and
supervisory requirements and demands and to cope with other external financial
constraints on an ongoing basis over the medium term (around at least 3 years).
The normative perspective refers to ongoing fulfilment of all relevant regulatory
requirements and external constraints (for example, ratings and dividend
expectations).

The normative perspective also informs the economic perspective risk
quantifications and complements them if they do not adequately
capture the risks arising from the adverse scenarios considered. This is because
the economic perspective is calculated based on a point-in-time risk quantification.
The scenarios foreseen in the normative perspective could be used as input for
the economic perspective.

ii. Economic perspective – The economic perspective refers to the expectation
that the internal capital of the bank is sufficient to cover its risks and support
its strategy on an ongoing basis. This requires banks to cover all material risks
that may impact the bank’s capital position from an economic perspective. The
economic perspective focuses on the risks that may cause economic losses and
on ensuring that these are covered by the bank’s internal capital.

The economic perspective provides a comprehensive view of risks which may not
be apparent under the normative perspective. The projections of the future capital
position are informed by the economic perspective assessment, especially in cases
when risks and impacts are not apparent when focusing solely on the regulatory and
accounting capital framework.

| | Normative Perspective | Economic Perspective |
|---|---|---|
| Objective | Ongoing fulfilment of all relevant regulatory requirements and external constraints. | Risks that may cause economic losses are covered by internal capital. |
| Basis | Medium term projection for at least three years. | Point-in-time risk quantification of the current situation feeding into a medium-term assessment covering future developments. |
| Focus | Impact on Pillar 1 ratios. | Internal risk quantification methods. |

Figure 10.1: Normative vs economic perspective of capital

Both the economic and normative perspectives are expected to mutually inform each
other.

[Figure 10.2: Economic vs. Normative Perspective. The economic perspective and the normative perspective inform each other.]

What are the components of ICAAP?


There are two main components of ICAAP. Firstly, the identification and assessment
of the level and nature of risk. Secondly, the internal capital is clearly defined and of
high quality.

[Figure 10.3: Capital vs. Risk. Capital: nature, type and amount. Risks: nature and level.]

The bank is required to identify all material risks under both economic and
normative perspectives. Risk inventory refers to a list of identified risks and their
characteristics.

| Risk Types | Sub-categories |
|---|---|
| Credit risk | Country risk; Migration risk; Concentration risk |
| Market risk | Credit spread risk; Structural foreign exchange risk; Credit valuation adjustment risk |
| Interest Rate Risk in Banking Book (IRRBB) | Gap risk; Basis risk; Option risk |
| Operational Risk | Business disruption and systems failure; Legal risk; Model risk |
| Other Risks | Insurance risk; Strategic/Business risk; Step-in risk [18]; Pension risk [19]; Participation risk [20]; Funding cost risk; Reputational risk; Climate risk |

Figure 10.4: Material risk under ICAAP

The main purpose of internal capital is to serve as a risk-bearing component under
the economic perspective.

Internal capital can be defined using:

i. Model-based – The model-based definition of internal capital refers to the use of a
net present value approach where capital items with loss absorption capacity
are calculated on a standalone basis.
ii. Regulatory own funds – Alternatively, the bank can use regulatory own funds
as the starting point in defining internal capital (for example, Common Equity Tier 1).

The ICAAP Architecture


ICAAP is an integral part of the overall management framework. This means that ICAAP
is not an isolated, standalone activity. Rather, it is expected to be integrated to the
business, decision-making, and risk management processes of the bank. The ICAAP
architecture refers to how different elements of ICAAP fit together coherently and
how ICAAP is positioned as an integral part of the overall management framework.
ICAAP is expected to support strategic decision-making and operationally aimed at
ensuring that the bank has adequate capital on an ongoing basis.

18 Step-in risk arises when a bank considers that it is likely to suffer a negative impact from the weakness or failure of an
unconsolidated entity and concludes that this impact is best mitigated by stepping in to provide financial support (e.g., to
avoid the reputational risk the bank would suffer otherwise).
19 Reserved to financial institutions that offer pensions. Pensions must have in place appropriate systems for measuring,
monitoring, and controlling pension obligation risk and its impact on liquidity and profitability. Similarly, financial institutions
that manage or provide trustee services for pension plans must also have adequate systems in place to ensure that these
plans are administered appropriately from an operational and reputational standpoint. In assessing the level of risk, there
should be a well-founded projection to evaluate the corresponding Pillar 2 capital charge.
20 Participation risk or parent/group risk arises where the importance of the parent’s or group’s financial strength is such that it
should be addressed separately in the ICAAP, including the ability of the parent/group to provide capital or liquidity support as
may be appropriate. Where relevant, the risk arising from direct counterparty exposure to the parent should also be addressed,
including the impact on credit RWAs if a credit rating downgrade were to occur (and the likelihood of such a downgrade having
a material effect on the institution’s RWAs and capital adequacy).

[Figure 10.5: ICAAP Inputs. Decision-making, business and risk management feed into ICAAP.]

Key elements of ICAAP


Below are the key elements of the ICAAP:

• Governance framework
• Internal documentation framework
• Perimeter of entities captured
• Risk quantification methodologies supported by reliable data and sound data
aggregation systems
• The approach used to assess capital adequacy

Climate and ESG Risks in ICAAP


Following the adoption of the Paris Agreement on climate change and the United
Nations (UN) 2030 Agenda for Sustainable Development in 2030, governments all over
the world are making efforts to transition to low-carbon economies on a coordinated
scale. The European Commission adopted an action plan on financing sustainable
growth to reorient capital flows towards a more sustainable economy, for example to
provide funding from economic activities linked to sustainable finance.

This reorientation and transition towards a low-carbon economy entails risks that banks
should consider. Regulators around the world are assessing how environmental, social
and governance (ESG) risks can be incorporated in the overall banking supervision.
Banks are expected to incorporate climate-related and environmental risks within
their risk management framework, particularly in the internal capital adequacy
assessment process (ICAAP). In addition to that, banks are expected to understand
how climate-related and environmental risks affect their business environment in the
short, medium and long term. Banks are also expected to assess the resilience of their
business model over time considering climate-related and environmental changes
to the macroeconomic and regulatory environment. Banks are expected to map
climate-related risk to financial risks:

Risk Management Framework

• Climate-related and environmental risks should be incorporated as drivers of
existing risk categories in the risk management framework.
• The impact of these risks should be identified, quantified and assessed within
the overall ICAAP framework.
• Banks are expected to comprehensively analyse the ways climate-related and
environmental risks can impact other risk areas like liquidity, credit, operational
and market risk to the capital of the bank.
• Banks are also expected to pay particular attention to concentrations (intra- and
inter) that climate-related and environmental risks may cause.
• In the internal capital plan, banks should assess the environmental impact of
financing with ratings calibrated to consider the environmental risks of the deal.
This rating should affect the risk weights assigned to each material exposure.

Credit Risk

• Climate-related and environmental risks should be incorporated in assessing the
borrower’s default risk. This can be incorporated both qualitatively and
quantitatively.
• If qualitatively, a scorecard for sustainability risks could be developed. These
scorecards may get a fixed risk weighting.
• If quantitatively, banks may introduce what is known as a climate-informed shadow
default probability. This shadow probability takes into consideration a detailed
analysis of physical and transition risks for higher risk counterparties.
• An important area for credit risk is to identify credit risk concentrations arising
from climate-related and environmental risks so a proper deleveraging or limit
strategy can be implemented.

Operational Banks are expected to assess the extent on which reputational


Risk damage, liability or litigation arising from social or
environmental controversies could impact the bank financially.

Reputational risks arising from environmental, social or


governance (ESG) should be assessed in the ICAAP process.
Financing companies that could be involved in ESG issues
could have a significant and material impact on the reputation
of the bank.

A good practice is to allocate capital as buffer to cover for


clients in higher risk categories.

Market Risk

Banks may have a market risk exposure from clients who are located in geographic areas prone to physical risks or are perceived as environmentally unsustainable.

Technological developments may render investments, loans or collateral obsolete and thus affect the fair value of these instruments.

Trading in certain asset classes (for example, commodities) that could be perceived as environmentally unsustainable may expose banks to higher future potential volatility.

Internal stress testing should be conducted to better understand the impact of climate-related risks in the bank’s trading and banking book.

Stress Testing and Scenario Analysis

As part of the bank’s ICAAP process, all material climate-related and environmental risks must be reviewed through stress testing.

Stress testing should consider scenarios in line with scientific climate change pathways (for example, Intergovernmental Panel on Climate Change (IPCC) scenarios).

Banks are expected to conduct flexible scenario analysis for transition risks to incorporate different policy outcomes and assess how this will impact the bank’s capital adequacy.

ILAAP

Banks are expected to assess material climate-related and environmental risks on the net cash outflows or liquidity buffers of the bank.

Figure 10.6: Climate risk and financial risk mapping


10.2 ROLE OF CAPITAL

Banks are expected to incur losses as a result of the performance of their business
objectives. For example, in the credit lending business, losses of principal and
interest are expected to happen as some borrowers fail to meet their obligations to
the bank.

[Figure: loss rate plotted over time and by frequency, with Expected Loss (EL) and Unexpected Loss (UL) marked]

Figure 10.7: Unexpected Loss and Capital

There are two types of losses that banks incur as a result of their risk-taking activities:

• Expected Loss
• Unexpected Loss

Expected loss
Expected loss is the average level of losses that the bank will incur over time. The
dashed line in the figure above represents expected loss. In the business of lending
credit, these expected losses should be viewed as an integral part of the business.
This is why expected losses are viewed as a direct component cost of doing business.
Viewed this way, expected loss should be managed through proper pricing of credit
risk and through provisioning.

Illustrative Example–1

Pricing Loan
Bank Munger granted a USD 10,000,000 loan to Borrower ABC. Based on Bank
Munger’s experience, the expected loss for this exposure is 1%. The cost to fund
the loan is 3%.

This means that as a prudent business practice, Bank Munger must not only
charge the cost to fund this loan but must also cover for the expected loss at the
very least. Expected loss should be viewed as a cost of doing business.


Unexpected loss
There are, however, instances when losses exceed the expected loss level. Unexpected losses, therefore, are not covered by product pricing or provisioning. Losses may fluctuate from time to time and the magnitude may vary. While loan pricing and provisioning cover expected losses, there are instances when losses are above the expected loss. Capital exists for this purpose. Capital acts as a cushion against unexpected losses. Capital protects depositors and shareholders in case losses exceed expected losses temporarily. Higher capital provides a buffer that allows the bank to repay its contractual obligations to debtholders. This is the reason why the regulations and treatment of risk in the past few years have been focused on ensuring that banks maintain an adequate level of capital in order to minimise the risk of insolvency. However, there is a trade-off. Capital is generally the most expensive source of funding for a bank (especially when compared against debt).

10.3 TYPES OF CAPITAL

Capital is defined differently from different perspectives. This section seeks to clarify
these different perspectives.

Accounting perspective
The accounting perspective of capital refers to the value of capital as it appears in the
bank’s balance sheet. The accounting standards define equity as:

“Any contract that evidences residual assets of an entity after deducting all its
liabilities”.

Common stock | Preferred shares | Reserves | Retained earnings

Figure 10.8: Accounting Perspective of Capital

The main criticism against the use of the accounting perspective of capital for purposes of capital management is that it is not risk-sensitive (i.e. it fails to consider any risk element; this, however, is slowly changing with the implementation of IFRS 9 expected credit losses). To clarify this point, the main problem is that one cannot necessarily conclude that a bank with higher accounting capital is the safer and more stable bank compared to a bank with lower accounting capital. The failure to link the amount of capital against the bank’s risk profile is one of the main reasons why the accounting capital perspective is not a sufficient focus area for capital management.

Further, the accounting perspective of capital is directly linked to the values ascertained by the accounting standards and may no longer be relevant, especially if the bank is undergoing a stressed situation or liquidation.


Market value perspective
Market perspective is the market value of the bank’s equity (market price multiplied
by outstanding shares). The problem with market perspective is that not all bank
shares are listed. But a more fundamental issue with market perspective of capital
is that market price is cycle and sentiment dependent. During good times, market
value of the bank’s equity is high. During bad times, market value of the bank’s equity
is low.

Regulatory perspective
Regulatory perspective of capital refers to the amount of capital that banks are
required to maintain to support their risk-taking activities in accordance with the
minimum standards imposed by the local banking supervisor. The regulatory
perspective of capital is discussed in Chapter 2.

Economic perspective
Economic perspective of capital views it as the level of capital that banks need to hold
to support their own risk profile and appetite. It is usually linked to a desired solvency
level. Economic capital is defined as the methods or practices that allow banks to
consistently assess risk and attribute capital to cover the economic effects of risk-
taking activities. Contrary to what the term suggests, economic capital quantifies
the amount of capital necessary to support the bank’s risk-taking activities. It is,
therefore, a risk measure and not a capital measure.

Set desired or target rating

Determine probability of solvency of associated rating

Calculate economic capital

Figure 10.9: Economic Capital Calculation Procedure

In practice, economic capital is calculated with a certain target or desired rating in mind. This desired rating is then used to imply a probability of survival during a pre-defined time horizon. For example, if the desired credit rating is AA, an implied probability of survival is obtained from a credit transition matrix (for example, an AA rating is associated with a 99% survival probability over a 1-year horizon). The bank then calculates the amount of capital needed in order to survive 99% of the time. The economic capital, therefore, is the amount of capital needed in order to maintain the desired rating over a given time horizon.


The economic capital is the amount of capital needed to withstand losses at a high
confidence level while not impairing the bank’s ability to continue to survive as a
going concern. It is the amount of capital needed to absorb unexpected losses over
a certain time horizon at a given confidence level. The illustration below is instructive
on how economic capital is applied in practice. Economic capital is quantified as the
amount of capital needed for each risk-taking activity (for example, market, credit,
operational). This represents the amount of capital needed. It is then compared
against the bank’s available capital. The bank, then, is able to quantify its own
internal capital adequacy.

Illustrative Example–4

Deutsche Economic Capital


As the primary measure of our Internal Capital Adequacy Assessment Process
(ICAAP) we assess our internal capital adequacy based on our “gone concern
approach” as the ratio of our total capital supply divided by our total capital demand
as shown in the table below. Our capital supply definition has been further aligned
with the Capital Requirements Regulation (CRR)/ Capital Requirements Directives
(CRD) IV capital framework in the first quarter 2016. Consequently, goodwill and other
intangible assets are now deducted from Pillar 2 capital supply, instead of being
added to the capital demand. The prior year information has been revised.

Source: Deutsche Bank 2018 Annual Report


Applications of economic capital
Economic capital is used on two different levels: the business level and the enterprise-wide or group level.

Business Level
• Credit portfolio management
• Risk-based pricing
• Customer and product profitability analysis, customer segmentation and portfolio optimisation
• Management incentives

Enterprise Level
• Relative performance measurement
• Capital budgeting, strategic planning, target setting and internal reporting
• Acquisition and divestiture analysis
• External communication
• Capital adequacy

Figure 10.10: Economic Capital Applications.

i. Credit portfolio management – Economic capital is used as a measure of credit concentration. Economic capital can be used to detect excessive concentration and is considered to be more risk-based than simple nominal measures for credit concentration. Internal economic capital models may be used to measure the risk contribution of exposures for risk management purposes.

ii. Risk-based pricing – Economic capital can be used to properly price risk (for example, in granting credit) by incorporating the return threshold required to add value to shareholders. In pricing the credit risk (i.e., credit spread) of a particular lending exposure, the bank must charge at least the expected loss (i.e., credit cost) for the lending business to be viable. However, the bank may also incur unexpected losses. For these unexpected losses (i.e., losses above the expected loss), banks are required to hold capital. Holding this capital has an opportunity cost, which the bank must price into any lending undertaking.

iii. Customer and product profitability analysis, customer segmentation and portfolio optimisation – The famous management guru Stephen Covey once said: “the enemy of the great is the good”. While the bank may be profitable on an overall scale, there may be business units or risk-taking activities that are actually losing money and are being subsidised by the more profitable business units.


Having the means to analyse customer profitability for a given unit of risk brings
advantages to the bank. First, it allows the bank to optimise the allocation of
resources to the business. Second, it provides useful information to management
which may result in decisions like closing unprofitable business lines or prioritising
the more profitable business line.

iv. Management incentives – History is full of lessons on the perverse incentives created by rewarding management based on accounting performance. Management sometimes sacrifices the long-term welfare of the bank in favour of short-term profits as perverse incentives result from management maximising income. One example would be what happened in the 2008 financial crisis where senior management entered into highly risky businesses that jeopardised the ability of the bank to survive.
The Financial Stability Board identified compensation as one of the key issues that led to excessive risk-taking activities as compensation is not aligned with the level of risk taken.

v. Relative performance measurement – Economic capital is an important input to risk-adjusted performance measures. Risk-adjusted performance measures are considered to be a superior approach to determining business performance compared with accounting measures. They provide useful comparative information on the performance of two risk-taking activities with the same amount of economic net income.

vi. Capital budgeting, strategic planning, target setting and internal reporting –
Economic capital plays an important role in allocating capital to each business
unit. Economic capital can also be used to define the bank’s risk appetite or to set
targets (rating, profitability, or capital ratio).
Economic capital can also help highlight the amount of capital required to
support the bank’s risk-taking activity. The bank, then, uses this demand figure to
compare against available capital and come up with a strategy to optimise the
level of capital.

vii. Acquisition/divestiture – Banks use economic capital figures in evaluating potential merger and acquisition targets, especially where information on target market value is not available.

viii. External communication – Economic capital may be disclosed to provide useful information on the bank’s business activities. Credit rating agencies also require banks to disclose economic capital figures.

ix. Capital adequacy – As discussed earlier, economic capital is a measure of risk, not of capital held (i.e., capital demand and not capital supply). Economic capital is used in making internal capital adequacy assessment.
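
The economic capital calculation, the capital adequacy comparison (item ix) and risk-based pricing (item ii) described above, worked through as an added example that is not part of the study text. It assumes a portfolio of identical, independent loans; the portfolio figures, the 99.75% confidence level, the capital supply, the hurdle spread and all function names are constructed assumptions, while the 99% level and the 3% funding cost are taken from the text.

```python
"""Economic capital for a simple loan book (added illustration, constructed inputs)."""


def default_count_pmf(n_loans, default_prob):
    """P(exactly k defaults) for k = 0..n_loans, assuming independent, identical loans."""
    if not 0.0 < default_prob < 1.0:
        raise ValueError("default_prob must lie strictly between 0 and 1")
    pmf = [(1.0 - default_prob) ** n_loans]
    odds = default_prob / (1.0 - default_prob)
    for k in range(n_loans):
        # Binomial recurrence: P(k+1) = P(k) * (n-k)/(k+1) * p/(1-p)
        pmf.append(pmf[-1] * (n_loans - k) / (k + 1) * odds)
    return pmf


def expected_loss(n_loans, default_prob, exposure, lgd):
    """Average loss: the part covered by pricing and provisioning."""
    return n_loans * default_prob * exposure * lgd


def loss_at_confidence(n_loans, default_prob, exposure, lgd, confidence):
    """Smallest loss L with P(portfolio loss <= L) >= confidence."""
    cumulative = 0.0
    for defaults, prob in enumerate(default_count_pmf(n_loans, default_prob)):
        cumulative += prob
        if cumulative >= confidence:
            return defaults * exposure * lgd
    return n_loans * exposure * lgd  # only reached through rounding: all loans default


def economic_capital(n_loans, default_prob, exposure, lgd, confidence):
    """Unexpected loss: loss at the confidence level minus expected loss."""
    tail = loss_at_confidence(n_loans, default_prob, exposure, lgd, confidence)
    return max(tail - expected_loss(n_loans, default_prob, exposure, lgd), 0.0)


def capital_adequacy_ratio(capital_supply, capital_demand):
    """Internal capital adequacy: available capital divided by economic capital."""
    return capital_supply / capital_demand


def minimum_loan_rate(funding_cost, el_rate, capital_rate, hurdle_spread):
    """Break-even lending rate.

    capital_rate is economic capital per unit of exposure; hurdle_spread is the
    return required on that capital above the funding cost (an assumption here).
    """
    return funding_cost + el_rate + capital_rate * hurdle_spread


def demo():
    # Constructed portfolio: 1,000 loans of 10,000 each, 1% default probability, 50% LGD.
    book = dict(n_loans=1000, default_prob=0.01, exposure=10_000.0, lgd=0.5)
    total_exposure = book["n_loans"] * book["exposure"]
    available_capital = 60_000.0  # constructed capital supply
    el = expected_loss(**book)
    rows = []
    for confidence in (0.99, 0.9975):  # 99% from the text; 99.75% is an assumption
        ec = economic_capital(confidence=confidence, **book)
        rows.append({
            "confidence": confidence,
            "expected_loss": el,
            "economic_capital": ec,
            "adequacy_ratio": capital_adequacy_ratio(available_capital, ec),
            "min_rate": minimum_loan_rate(0.03, el / total_exposure,
                                          ec / total_exposure, 0.10),
        })
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Raising the confidence level raises capital demand, so the same capital supply gives a lower adequacy ratio and a higher break-even loan rate.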


10.4 SOUND CAPITAL MANAGEMENT AND ASSESSMENT

In a typical business organisation, the objective of capital management is to ensure that adequate capital exists to support its operational and strategic business requirements and fulfil its stated obligations to its shareholders (for example, paying dividends). Due to the special nature of banking, the objective of capital management is more comprehensive than this. This section outlines the different objectives of capital management from a banking perspective.

Capital management involves a broad set of activities requiring a multi-stakeholder perspective. Different banks have different objectives for managing capital. However, these objectives can be categorised into the following:

i. Meet minimum regulatory capital requirements – Banks are required by the regulations to hold minimum levels of capital to support their risk-taking activities (this is discussed in more detail in Chapter 2).

The minimum capital requirements are based on the level of risk taken by the
bank. Available capital refers to the amount of capital supply the bank has. This
capital can be in the form of:

Common Equity Tier 1 | Additional Tier 1 | Tier 2 Capital

Figure 10.11: Types of Capital

Level of risk is measured by risk-weighted assets (capital demand). Risk-weighted assets are used to determine the minimum amount of regulatory capital that banks need to hold (i.e., the higher the risk-weighted assets, the higher the regulatory capital required). RWAs are required to support the following risk types:

Credit risk | Counterparty credit risk | Market risk | Operational risk

Figure 10.12: Risk Types for RWA

Failure to comply with minimum regulatory requirements would impact the ability of the bank to continue to operate as a going concern without regulatory intervention.

ii. Support credit rating requirements – Many banks have sources of funding other
than traditional deposits. Some of these funding sources are credit-rating sensitive.
This means that credit rating downgrades could affect the ability of these banks
to access certain sources of funding (for example, wholesale/capital markets
funding).


Credit rating downgrades may affect a bank’s access to non-core sources of funding (uninsured deposits and wholesale funding).

Boxed Article–2

Bank Downgrades Threaten to Hit Funding

Banks are anxiously weighing the effect that expected industry-wide ratings downgrades, such as those flagged by Moody’s in February, will have on their funding cost.

Past experience shows that banks can handle a downgrade in their short-term
ratings, though they may lose access to some commercial paper markets and
so incur higher funding costs, says Vinod Visan, head of the European debt
capital markets financial institutions group at Deutsche Bank.

He points to the effect downgrades have on longer-term funding costs. As a bank moves down the ratings ladder, some investors’ mandates with clients will prohibit them from holding the bank’s security.

Source: Financial Times, 21 May 2012

Given the importance of credit rating in a bank’s overall funding strategy, one
of the objectives of capital management is to make sure that there is adequate
capital available to support a bank’s target credit rating.
Credit rating is an informed opinion provided by external credit rating agencies on
the creditworthiness of an entity. One of the factors that could materially affect a
bank’s credit rating is the availability of buffer that will allow the bank to withstand
losses in the future under normal and stressed conditions. That buffer is capital.
Each credit rating is associated with a risk of insolvency. The higher the credit
rating, the lower the risk of insolvency. Risk of insolvency happens if the market
value of a bank’s financial obligations (i.e., liability) is higher than the market value
of a bank’s capital.
This is why, to achieve a certain target credit rating, the bank has to maintain a
sufficient inventory of buffer or capital.


Illustrative Example–2

Capital Management and Target Credit Rating

For purposes of illustration, below is a hypothetical table illustrating the relationship between the credit rating and default rates.

Credit Rating    Default Rates
AAA              0.10%
AA               0.15%
A                0.25%
BBB              0.90%
BB               4.00%
B                12.50%
CCC/C            41.00%

For a bank currently rated A, to maintain the same credit rating, the bank has
to have a risk of insolvency of at most 0.25%. This means that this bank should
hold sufficient capital that will allow it to withstand losses, 99.75% (= 100% -
0.25%) of the time.

iii. Efficient allocation of capital – As discussed in the previous section, the amount of regulatory capital that a bank needs depends on the level of risk taken by the bank, as quantified by the bank’s risk-weighted assets (RWAs). This means that every risk-taking activity that a bank undertakes entails consumption of capital. It also means that traditional measures of allocating capital based on profitability or accounting measures of performance (such as return on equity) may not be optimal.

As a bank’s capital is determined by the risk taken by the bank, banks should allocate capital based on risk-adjusted return on capital (RAROC). Risk-adjusted return on capital represents the true performance or earning of a bank net of the cost of obtaining the capital allocated to the underlying business activity.
Business activities that earn above the risk-adjusted return on capital are those whose profitability covers the cost of capital. This means that these business activities create value in terms of capital generation. However, business activities that achieve profitability below the risk-adjusted cost of capital consume more capital than they generate. This means that these business activities destroy value by consuming more capital than what was allocated.


Illustrative Example–3

Capital Management – Banking’s New Imperative
(McKinsey Working Papers on Risk No. 38)

With banks’ capital needs growing, and sources of capital becoming more scarce, this 2012 edition of McKinsey’s capital-management survey of European banks provides important insights on the next frontier in capital and resource allocation.

Source: McKinsey, November 2012

One of the objectives of sound capital management is to make sure that capital
is allocated to business activities that create value for the organisation.

iv. Support strategic requirements of the organisation – Different banks have different strategic objectives and ambitions. Any organisation needs capital to support those strategic objectives. For example, if a bank wishes to expand its reach beyond its home markets, it needs to allocate capital to invest in other markets. If a bank wishes to expand its product offerings or its market share, it requires capital to support these initiatives.

During stressed times, opportunities may be available for banks to grow at a cost that is lower than what they would incur in normal markets or by building the business themselves, and at a huge margin of safety. A sufficient amount of capital must be available to support this.
One of the most powerful examples of this is when JP Morgan was able to capitalise on the weakness during the 2008 financial crisis and acquire assets and businesses for an amount that was less than their intrinsic value, or less than what JP Morgan would have spent had it decided to build these businesses itself (in fact, for less than the market value of Bear Stearns’ headquarters in Madison Avenue).

Boxed Article–3

JPMorgan Pays $2 a Share for Bear Stearns

In a shocking deal reached on Sunday to save Bear Stearns, JPMorgan agreed to pay a mere $2 a share to buy all of Bear Stearns, less than one tenth of the firm’s market price on Friday.

JPMorgan is buying Bear, which has 14,000 employees, for a third the price at which the smaller firm went public in 1985. Over a year ago, Bear’s shares sold for $170. The sale price includes Bear Stearns’ soaring Madison Avenue Headquarters.

Source: New York Times, 17 March 2008


Capital planning
One of the most important weaknesses identified during the 2008 global financial crisis is the lack of a robust capital planning process. Many banks do not have a sufficiently comprehensive, forward-looking, or formalised capital planning structure. As a result, banks have underestimated the amount of capital needed given the level of risk that they are taking. Capital planning is an important process for banks to assess their capital adequacy and conduct forward-looking assessments on how much capital is needed given their evolving risk profile and changing market conditions. A sound capital planning process has four main components:

• Internal control and governance
• Capital policy and risk capture
• Forward looking view
• Management framework for preserving capital

Internal Control and Governance
Capital planning should be approached from two different perspectives: a bottom-up and a top-down structure.

Bottom-Up Structure
This is a decentralised approach to capital planning where responsibilities on capital planning are divided along functional lines.
In this structure, each relevant business unit is given the responsibility to establish capital targets and manage its business based on these capital targets. These individual businesses are held responsible for the risk capital allocated to their business and are judged on how effective and efficient they are in managing the risk capital allocated.

Top-Down Structure
The top-down approach is a centralised approach to capital planning where senior management determines the optimal amount of capital to hold and allocates this capital to individual businesses.
This centralised group develops capital assumptions on an enterprise-wide perspective. This group has the authority and responsibility to challenge the estimates given by the individual businesses within the bank.

Figure 10.13: Bottom-up vs top-down structure


The capital planning process should include a multidisciplinary perspective with input from different experts in the bank. This could include:

• Risk
• Finance
• Treasury Departments

There should be a strong link between capital planning, budgeting, and the strategic
planning process within the bank. The strategic assessment process should
inform and complement the bank’s capital planning process. This is because the
strategies that banks choose would naturally result in risks and these risks should be
considered in the bank’s capital planning process. Failure to do so would result in a
capital plan that is incomplete in its scope. This may result in capital targets that
are too optimistic.

Strategy Capital

Figure 10.14: Strategy vs capital

Both senior management and the board of directors should be involved in the capital
planning process. This process usually involves the bank’s management committee
under the oversight of the board of directors. The board of directors should review and
approve capital plans at least annually. The board of directors sets the principles that
underpin the capital planning process. These principles may include:

1. Forward strategy for the bank
2. Risk appetite
3. Perspective on balancing capital reinvestment and providing returns to shareholders

Figure 10.15: Linking strategy and returns

Capital policy and risk capture
What is a capital policy? Capital policy is a written document that specifies the principles that management will follow in making decisions about how to deploy a bank’s capital. The overall objective of having a sound capital policy in place is to satisfy different stakeholders with respect to the bank’s capital management approach and achieve the following objectives:


• Meet obligations to creditors and other counterparties
• Continue to serve as a financial intermediary before, during and after a stress scenario
• Ready access to funding

Figure 10.16: Objectives of capital policy

The bank’s capital policy should cover the following:

• Statement of capital objective
• Targets and levels of capital composition
• Description of the process of capital distribution including metrics and specific circumstances in which the bank would reduce or cancel capital distributions
• Specific triggers and events to determine the frequency with which the board of directors and senior management will revisit capital actions
• Set capital goals that are aligned with the bank’s risk appetite, risk profile and expectations of internal and external stakeholders
• Adopt a conservative approach to capital distributions
• Provide for and adopt a robust capital contingency plan to correct any current or prospective deficiencies in capital
• Establish triggers or early warning indicators. These triggers can be internal (funding spreads, credit default swap spreads, declining stock prices, deteriorating liquidity, debt positions, surprise negative earnings). These triggers can also be external (market-wide economic stress).

The scope of capital policy should include not only the maintenance or optimisation
of regulatory capital measures (such as Common Equity Tier 1 Ratio etc.) but also
non-regulatory metrics such as Return on Equity (ROE), return on risk-adjusted
capital (RORAC) and risk-adjusted return on capital (RAROC).

Capital planning | Capital adequacy

Figure 10.17: Capital planning vs capital adequacy

Capital planning and capital adequacy are two complementary activities. Capital
planning is used to evaluate capital adequacy from different perspectives. For
example, economic capital is the theoretical amount of capital the bank needs to
hold to survive losses based on a pre-determined confidence level (an expression
of risk appetite). The bank can then compare this against the bank’s actual capital
resources to determine the capital adequacy.


The credibility of a bank’s capital plan lies in the comprehensiveness of the scope
of risk reflected in the framework. At a minimum, Pillar 1 risks should be covered in the
capital planning process (market, credit and operational). Risks that are not covered
by the minimum regulatory capital framework (for example, strategic risk, reputational
risk, etc.) could be covered by the bank’s capital planning process.

Forward-looking view
Given the uncertain nature of risks, the capital planning process should include stress
testing and scenario analysis. These tools are used to obtain a forward-looking view
on the sufficiency of a bank’s capital base. Capital, as discussed earlier in this chapter,
is used to provide a buffer for unexpected losses. Stress testing and scenario analysis
are, therefore, integral components of the capital planning process. Banks are highly
susceptible to dramatic, adverse bank-specific or economic developments.

In performing stress testing analysis for capital planning purposes, many banks do
not incorporate diversification benefits across business or risk dimensions. This is a
conservative approach that encourages prudence in capital deployment decisions.

Management framework for preserving capital
The capital plan should include an enumeration of management actions that can be taken to mitigate further deterioration of capital. These actions include:

i. Reduction or discontinuance of dividends

Boxed Article–4

Banks Tap Capital Markets to Raise Pandemic Capital

Singapore’s central bank is calling on banks to limit their dividend payments to shareholders – the first time it has done so. This is to ensure they have enough capital and can buffer their capacity to offer loans during the economic fallout from the Covid crisis.

The MAS urged the banks to cap their total dividends per share for financial year 2020 at 60 percent of the amount paid during the previous financial year.

“While the local banks’ capital positions are strong, the dividend restrictions are a pre-emptive measure to bolster their resilience and capacity to support lending to businesses and individuals through an uncertain period ahead for our economy,” MAS said of the banks that include DBS, OCBC and United Overseas Bank (UOB).

Source:
https://www.todayonline.com/singapore/mas-calls-singapore-banks-pay-reduced-dividends-shareholders-buffer-capital-during-covid


ii. Raising equity

Boxed Article–5

BIS Paper – Raising Equity is Best for Bank Recapitalisation

In a study conducted by Bertsch and Mariathasan (2021) titled “Optimal Bank Leverage and Recapitalisation in Crowded Markets”, the authors concluded that raising equity, instead of the usual preferred route of asset side recapitalisation, is the most optimal approach in recapitalising banks, especially during periods of financial markets distress. Equity recapitalisations are viewed as more stabilising than the asset side recapitalisation.

Source: Bank for International Settlements, January 2021

iii. Balance sheet reductions – Balance sheet reduction can include selling of existing
inventory of investments/ capital markets securities, monetising business units or
reducing credit origination.

10.5 STRESS TESTING

Capital exists to cover unexpected losses without affecting the ability of the bank
to continue to operate as a going concern. The key to capital adequacy, therefore,
is to ensure that the bank has sufficient capital to withstand these unexpected
losses. Stress testing is, therefore, a key element to achieve the objective of capital
adequacy.

10.5.1 Introduction to Stress Testing

Stress testing is not unique to banking. To understand stress testing, let us come up with some examples on how stress testing is being applied in other fields of inquiry. In computer engineering, stress testing, sometimes referred to as torture testing, is deliberately intense testing used to determine the stability of a system or object. The objective is to assess the reliability of this system.

In the medical field, cardiac stress testing is something every student who
undergoes an executive medical check-up would be personally familiar with. In
a stress test, one walks on a treadmill to make the heart work progressively
harder. The objective is to assess the probability of there being a coronary
issue.


10.5.2 Applications of Stress Testing

Stress testing is a risk management tool that alerts bank management to
unexpected outcomes related to a variety of risks and provides an indication
of how much capital might be needed to absorb losses should large shocks
occur.

Risk management tool


Stress testing is a risk management tool. However, unlike other risk
management tools, stress testing has a different purpose: it complements
other risk models by addressing their weaknesses. This complementary purpose
is best illustrated by the collapse of Long-Term Capital Management (LTCM).

Boxed Article–6

Long Term Capital Management - Risk Management Failure


Despite the presence of Nobel Laureates closely identified with option
pricing theory, the hedge fund Long Term Capital Management (LTCM)
relied too much on theoretical market-risk models and not enough on
stress testing. LTCM’s strategies were analysed in terms of value-at-risk
and capital was held against this assessment. However, the problem with
quantitative risk models is that they are ultimately subject to assumptions
and model limitations (for example, being applicable to normal market
environments only). Thus, as recommended by the President’s Working Group on
Financial Markets, quantitative risk models should be complemented with a
sound stress testing programme.

Source: Various sources

10.5.3 Approaches to Stress Testing

Stress testing provides the flexibility to think “outside the box” about scenarios
that could occur. One of the major limitations of key quantitative risk models
is that they are subject to either parametric assumptions (for example, the use
of a statistical distribution such as the normal distribution) or historical
assumptions.

Stress testing gives the risk manager the flexibility to incorporate scenarios or
tests that may not be foreseen or incorporated in the data used for purposes
of quantitative risk models. To achieve this, there are two main approaches or
methodologies that banks typically follow. These are:

• Sensitivity stress test


• Stress test scenario


A sensitivity stress test isolates the impact on a portfolio’s value of one or
more predefined moves in a particular market risk factor or a small number of
closely linked market risk factors. Sensitivity analysis provides a quick initial
assessment of portfolio sensitivity to a given risk factor and identifies certain
risk concentrations.

Sensitivity analysis is generally intended to assess the output from quantitative
estimates when certain inputs or parameters are shocked. In most cases, this
involves changing inputs or parameters without relating those changes to
real-world outcomes. An example is measuring the impact of an increase in
interest rates of 100, 200, 300, 500 and 1000 basis points.

A stress test scenario contains simultaneous moves in a number of risk factors
(for example, equity prices, foreign exchange, interest rates), reflecting an
event that the firm’s risk managers believe may occur in the foreseeable
future. Note the term used is “may occur” as the focus of stress testing is to
gauge vulnerability to exceptional but plausible events.

There are two types of stress test scenarios:

i. Historical scenarios – Historical scenarios are scenarios that are based on
a significant market event in the past.
ii. Hypothetical scenarios – Hypothetical scenarios are scenarios that are
based on events that have not yet been experienced.

10.5.4 Principles of Sound Stress Testing

The 2008 global financial crisis highlighted several weaknesses in how stress
testing is being applied in practice. These areas of weaknesses form part of
the key principles for sound stress testing.

[Figure 10.18: 2008 Financial Crisis. Four areas of weakness: use of stress
testing and integration in risk governance; stress testing methodologies;
scenario selection; stress testing of specific risks and products.]


i. Use of stress testing and integration in risk governance

The Problem

One of the key findings by the BCBS is that banks who have thrived and fared
well in the 2008 financial crisis are banks who have used stress testing as an
input to the strategic decision-making process.

Most banks, however, have failed to have an effective stress testing programme
in place where assumptions are challenged, and the outputs of stress testing
are used actively in the decision-making process.

The Committee also noted that the risk function has conducted stress testing
with little interaction from the different business areas. There are also
instances when stress testing is treated as a mechanical exercise and the
accuracy was challenged by the business.

Further, stress testing was conducted on a silo basis with each department
conducting their own stress testing with limited bank-wide perspective.

Recommendation

Stress testing should form an integral part of the overall governance and risk
management culture of the bank. The stress testing programme should be
actionable and feed into the decision-making process at appropriate management
level.

Stress testing should promote risk identification and control. This means that
stress testing should be included in risk management activities at different
levels.

Stress testing should provide complementary and independent risk perspective to
other risk management tools. Stress testing should provide insights of the
validity of statistical models. It should assess the robustness of the models
to possible changes in the economic and financial environment.

Stress testing should play an important role in the communication of risks
within the bank.

Stress testing should incorporate multiple perspectives and range of techniques.

Stress testing programme should be governed by internal policies and procedures.
The documentation should include types of stress testing and the main purpose
of each programme:

i. Frequency of stress testing exercise
ii. Methodological details of each component
iii. Range of remedial actions envisioned

The bank should have a suitably robust infrastructure in place which could
provide flexibility to accommodate targeted or ad-hoc stress tests.

The effectiveness of the stress testing programme should be addressed regularly
and independently.


ii. Stress testing methodologies

The Problem

Weaknesses in infrastructure limited the ability of banks to identify and
aggregate exposures within the bank.

Stress testing methodologies that heavily rely on historical statistical
relationships have proven to be unreliable. Banks have underestimated the
strong interlinkages among different types of risks.

Recommendation

Stress testing should cover a range of risks and business areas. Stress testing
should examine the effect of shocks across all relevant risk factors, taking
into account interrelations among them.

Stress tests should identify, monitor, and control risk concentrations including
how potential changes in market conditions that could adversely impact the
bank’s exposure to risk concentrations.

Stress testing should be evaluated against one or more measures. Typical
measures are:

i. Asset values
ii. Accounting profit and loss
iii. Economic profit and loss
iv. Regulatory capital or risk weighted assets
v. Economic capital requirements
vi. Liquidity and funding gaps

iii. Scenario selection

The Problem

One finding by the BCBS is that most stress tests did not cover extreme market
events that were experienced.

In fact, the severe stress scenarios assumed resulted in estimates of losses
that were no more than a quarter’s worth of earnings.

Scenarios that were selected tend to reflect mild shocks, shorter durations and
underestimate the correlations among risks.

Recommendation

Stress testing should cover a range of scenarios (including forward looking
scenarios) and take into account system-wide interactions and feedback effects.

Non-linear loss profile

Stress testing should be done with flexibility and imaginatively to identify
hidden vulnerabilities as a failure of imagination could lead to
underestimation of extreme events. Stress testing should uncover the effect of
non-linear loss profiles.

i. Time horizon – Stress testing should include various time horizon depending
on the risk characteristics of analysed exposures. The impact of recession-type
scenarios should be incorporated over a medium to long-term horizon.
ii. Range of severities – Stress testing should feature a range of severities
including events capable of generating the most damage whether through size of
loss or through loss of reputation.

Stress testing should take into account the simultaneous interaction between
funding and asset markets especially during crisis.

iv. Stress testing of specific risks and products

The Problem

There are risks that were not covered in sufficient detail such as:

• Behaviour of complex structured products under stressed liquidity conditions
• Pipeline or securitisation risk
• Basis risk in relation to hedging strategies
• Counterparty credit risk
• Contingent risks
• Funding liquidity risk

The insufficiency is partly due to excessive reliance on historical data.

Another area where stress testing failed is how limitations of the effectiveness
of hedging strategies were not properly thought of especially in the context of
a crisis environment.

Interaction between market and credit risk is also not covered adequately.

Other contingent risks were not captured in stress testing such as reputational
risk or contingent obligations (for example, from legally binding credit and
liquidity lines).

Stress testing also did not adequately capture funding liquidity impact of
systemic failure.

Recommendation

The effectiveness of hedging strategies (risk mitigants) should be
systematically challenged especially under stressed conditions where market may
not be fully functioning.

Stress testing should cover complex and bespoke structured products and analyse
second-order risks arising from these exposures.

In a stressed environment, there may be risks that would emerge especially if
the bank were unable to access the securitisation market, these risks must be
incorporated in the stress testing programme.

Stress testing programme should capture the effect of reputational risk.

Stress testing should take particular note of large exposures in highly
leveraged counterparties.

The concept of reverse stress testing


Reverse stress testing starts with a known stress outcome (for example,
insolvency) and then asks what events could lead to such an outcome for the
bank. It allows banks to identify extreme scenarios that could cause the bank
to be insolvent and provides important insights on the bank’s vulnerabilities.

[Figure 10.19: Reverse Stress Testing. Questions shown in the figure: What
scenarios could lead to crisis-level losses? Given this, what should be our
hedging strategy? Is the hedging strategy viable during a stressed market? How
will behaviour change impact the effectiveness of our hedging strategy? What
could cause this failure?]

Reverse stress testing provides discipline to management to think about tail
events (low probability but high impact) and think about ways to address
this no matter how remote the chance.


Stress Testing: Cause → Effect

Reverse Stress Testing: Effect → Cause

Figure 10.20: Stress testing vs reverse stress testing

The objective of stress testing is to understand how outcomes or scenarios
(historical or hypothetical) can impact the bank’s capital, P&L, balance sheet
or capital ratios – in other words, understand how variables can impact the
bank. Reverse stress testing is a powerful exercise that starts with the end
story: what outcome, as an organisation, should we be worried about (for
example, capital ratios falling below a certain level).
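The sensitivity stress test of section 10.5.3 and the reverse stress test described above can be run on the same toy balance sheet. The following is an added example, not part of the study text: the balance sheet figures, the 4.5% threshold and the duration-convexity loss model are all assumptions constructed for illustration.

```python
"""Sensitivity stress test and reverse stress test on a constructed balance sheet.

All figures are constructed for illustration (USD millions). The loss model is a
duration-convexity approximation chosen for this example, not taken from the text.
"""

# --- Constructed sample bank (hypothetical values) ---
BOND_BOOK = 1_000.0      # market value of fixed-rate bond holdings
MOD_DURATION = 4.0       # modified duration of the book, in years
CONVEXITY = 20.0         # convexity of the book
CAPITAL = 120.0          # capital before any shock
RWA = 1_000.0            # risk-weighted assets, held constant for simplicity

# Rate shocks quoted in the text, in basis points
SHOCKS_BP = [100, 200, 300, 500, 1000]


def bond_loss(shock_bp: float) -> float:
    """Loss on the bond book for a parallel rate rise of shock_bp basis points."""
    dy = shock_bp / 10_000
    pct_change = -MOD_DURATION * dy + 0.5 * CONVEXITY * dy ** 2
    return -pct_change * BOND_BOOK


def capital_ratio_after(shock_bp: float) -> float:
    """Capital ratio once the loss is charged against capital."""
    return (CAPITAL - bond_loss(shock_bp)) / RWA


def sensitivity_table(shocks=SHOCKS_BP):
    """Forward direction: shock (cause) -> loss and capital ratio (effect)."""
    return [(bp, round(bond_loss(bp), 2), round(capital_ratio_after(bp), 4))
            for bp in shocks]


def reverse_stress(threshold_ratio: float, max_bp: float = 2_000.0,
                   tol_bp: float = 0.01):
    """Reverse direction: outcome (ratio at threshold) -> smallest shock causing it.

    Uses bisection, which is valid here because the loss rises with the shock
    over 0..max_bp for the constructed duration and convexity. Returns None
    when even max_bp does not breach the threshold.
    """
    if capital_ratio_after(0.0) <= threshold_ratio:
        return 0.0                      # already in breach before any shock
    if capital_ratio_after(max_bp) > threshold_ratio:
        return None                     # no breach within the searched range
    lo, hi = 0.0, max_bp
    while hi - lo > tol_bp:
        mid = (lo + hi) / 2
        if capital_ratio_after(mid) > threshold_ratio:
            lo = mid                    # still above threshold: shock too small
        else:
            hi = mid                    # breached: a smaller shock may suffice
    return hi


if __name__ == "__main__":
    for bp, loss, ratio in sensitivity_table():
        print(f"+{bp:>4} bp  loss {loss:7.2f}  capital ratio {ratio:7.2%}")
    breach = reverse_stress(0.045)
    print(f"Ratio falls to 4.5% at a shock of about {breach:.1f} bp")
```

The forward table answers "what happens if rates rise by X", while `reverse_stress` starts from the outcome management worries about and recovers the shock that produces it.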

10.6 RISK ADJUSTED RETURN ON CAPITAL (RAROC) AND CAPITAL ALLOCATION

There is a saying that budget determines an organisation’s values. How an
institution is measured and evaluated determines how it will behave. Performance
measurement is an important aspect in risk management. One of the major
lessons learned in the 2008 global financial crisis is that there are deficiencies in
how banks measure performance and reward their employees. In fact, performance
measurement has contributed to excessive risk-taking which led to, or at least
exacerbated, the global financial crisis. Undue reliance on traditional accounting
measures (such as return on assets and return on equity) that do not incorporate
the level of risk taken led many banks to prioritise short-term results over long-term
sustainability.

Return on Assets (ROA)


Return on assets (ROA) is a measure on how profitable the bank is relative to its total
assets.

ROA = Net Income / Total Assets

Figure 10.21: The ROA formula

We could get more insights on this as we break down the different sources of the
bank’s profitability. Net income is simply the difference between a bank’s revenue
and expenses.


ROA = (Revenue / Total Assets) - (Expense / Total Assets)

ROA = (Revenue / Total Assets) x (1 - Cost / Revenue)

Figure 10.22: The ROA breakdown

From the equation above, we could see that return on asset is a function of two
different variables:

i. Gross return on assets (revenue/ total assets) – This ratio reflects the bank’s ability
to generate revenue out of the assets. This ratio increases as the bank generates
revenue from activities that do not require the use of assets.
ii. Cost to income ratio (cost/ revenue) – This ratio reflects the cost incurred while
generating revenue. The lower this ratio is, the more efficient the bank is in
generating revenues.

Return on Equity (ROE)


Return on equity measures the bank’s profitability relative to the capital invested by
the shareholders.

ROE = Net Income / Shareholders' Equity

Figure 10.23: The ROE formula

Return on equity is the most popular performance measurement due to its simplicity
and availability (net income and shareholders’ equity figures are readily accessible
in the financial statements). It is therefore a convenient and attractive choice of
relative performance measurement.

ROE = (Revenue / Total Assets) x (1 - Cost / Revenue) x (Total Assets / Shareholders' Equity)

Figure 10.24. The ROE breakdown

From the equation above, we could see that return on equity is a function of gross
return on assets, cost to income ratio and leverage (represented by total assets
over shareholders’ equity). Leverage measures the degree to which the bank
relies on liabilities to finance its assets. The higher the leverage is, the higher
this ratio is. Conversely, the lower the leverage is, the lower the ratio is. Leverage
amplifies the return to shareholders.

From the ROE breakdown above, there are three ways in which a bank can boost
return on equity:

• Gross Revenue / Total Assets – Improve efficiency by which the bank converts
its asset to revenue
• Cost / Income – Controlling cost
• Assets / Shareholders’ Equity – Increase leverage

Figure 10.25: ROE Breakdown

There are major criticisms against the use of traditional measures of performance.
Below are some of the criticisms heavily excerpted from a study published by the
European Central Bank entitled “Beyond ROE – How to Measure Bank Performance”:

ROA/ROE is not risk sensitive


ROA/ROE is a profitability measure that ignores any consideration of risk. This makes
it difficult to compare ROA/ROE across time and among different banks. This is
because ROA/ROE ignores the risk profile of the bank. It fails to consider the quality of
the bank’s assets, its liquidity profile or the size of the bank’s market risk exposure.

Relying on ROA/ROE makes it difficult to distinguish one bank from another in
terms of sustainability of performance due to the absence of any consideration of
risk factors. In fact, ROE leads to a counterintuitive conclusion. Taking more risk by
boosting leverage (asset to shareholders’ equity ratio) can boost ROE substantially.
Some banks’ excessive focus on maximising ROA/ROE led to decisions that have
maximised short-term results (profitability) at the expense of the long-term survival
of the bank.

ROA/ROE is a point-in-time measurement without signalling power and forward-looking view

Prior to the crisis, there seems to be some uniformity in terms of banks’ ROA/ROE.
However, at the height of the crisis, banks with higher ROA/ROE are the same banks
who suffered greatly and whose survival was or has been threatened. ROA/ROE is
an accounting measure that is based on the past performance of the bank. It does
not provide an indication on the sustainability of results. Accounting choices could
leave some room for manipulation of this ratio (for example, intent-based provision
of financial instrument accounting standards prior to the crisis).

ROA/ROE may discourage the bank’s management from pursuing actions that could
strengthen the bank’s long-term viability. One such action is enhancing the bank’s
capital structure by building equity capital. The action may be adverse to ROE in the
short run, but this will enhance the bank’s long-term solvency. Excessive focus on
ROA/ROE may discourage banks from sacrificing short-term profitability for actions
that could enhance the bank’s future profitability.

Boxed Article–7

Lehman Raises Dividend, sets 100mn Share Buyback

A few months before Lehman’s collapse, Lehman raised its common stock dividend
13%, and the board of directors authorised the buyback of 100 million shares. The
buyback programme covers 19% of its 530.6 million shares outstanding at year
end.

Source: Reuters, 29 January 2008

Risk Adjusted Return on Capital (RAROC)


RAROC is the return on risk-based required capital. RAROC is an innovative concept
pioneered by Bankers’ Trust and has far-ranging implications. RAROC aims to
overcome the limitations of traditional measures of bank performance by:

i. Risk-adjusted net income – Adjusting net income by incorporating
forward-looking risk-based costs (for example, in the lending business, losses
are expected on the pool of loans in the lending portfolio over time, and this
expected loss should be deducted from net income). This is also known as the
risk-adjusted net income. Risk-adjusted net income is the after-tax income
after deducting expected loss. Risk adjusted net income is the difference
between all returns on the assets of the bank and all the costs associated with
the liabilities of the bank (for example, funding cost).
ii. Expected losses are the estimated losses that the bank may incur from market,
credit, and operational risk. Expected loss is the probability weighted outcome
of a risk event and is calculated as the likelihood x impact x exposure at the
occurrence of the risk event. For credit risk, expected loss is calculated as
probability of default (PD) x loss given default (LGD) x exposure at default
(EAD). Market risk expected loss is calculated using a VAR-based approach where
maximum losses at a high confidence level previously set by management are
calculated.

Risk Adjusted Net Income = Net Income - Expected Losses


Figure 10.26: The risk adjusted net income

iii. Economic Capital – Instead of using shareholders’ equity, this measure uses a
risk-based measure which was discussed in the earlier section of this book.
Economic capital is the bank’s estimate of the capital required to absorb losses
up to a given confidence level. It goes beyond the accounting measure of equity
and instead focuses on the risk appetite of the institution.


Risk Adjusted Net Income: Risk adjusted net income is the after-tax income of
the bank after deducting expected losses.

Economic Capital: Economic capital reflects the bank’s estimate of the capital
required to absorb losses up to a given confidence level.

Figure 10.27: Risk adjusted net income vs economic capital

Putting these together, RAROC is premised on the important concept that equity
or capital is a scarce resource. It is, therefore, important to allocate the
bank’s capital to business activities that result in its most efficient use.

RAROC = Risk Adjusted Net Income / Economic Capital

Figure 10.28: The RAROC formula

Illustrative Example–5

Bank XYZ is evaluating a proposal to grant a one-year USD 200 million loan to a
client at an interest rate of 6%.

Based on a 99% confidence level, the economic capital for this lending activity
required is USD 10 million.

Cost of funding this loan is 5%. The probability that the client will default is 0.5%
and the recovery rate is 50%.

Calculate the transaction’s RAROC.

Solution:

Risk-adjusted net income = Net Income – Expected Loss
                         = 2,000,000 – 500,000
                         = 1,500,000

RAROC = Risk Adjusted Net Income / Economic Capital
      = 1,500,000 / 10,000,000
      = 15%


Two things that RAROC aims to cure:

i. First, net income (backward/ lagging measure) is adjusted to incorporate
expected losses. This downward adjustment to profitability aims to overcome the
problem of excessive focus on accounting measure and provides disincentives
for management to take undue risk by penalising management for taking more
risk through the downward adjustment.
ii. Second, economic capital is a risk-based measure which starts with the amount
of capital required to support the amount of risk that the bank is taking.

How RAROC is Used in Decision-Making


RAROC can be used in pricing risk and risk management. For example, in granting
a loan, the RAROC could serve as a hurdle in ensuring adequate returns to
shareholders. The general practice is to use RAROC as a hurdle that would deliver
the same return as the target ROE. If the RAROC from a transaction is
insufficient, the bank should adjust the pricing of risk to meet the minimum
hurdle that is aligned with the return objective expected by the bank’s
shareholders.

Illustrative Example–6

Bank XYZ is evaluating a proposal to grant a one-year USD 200 million loan to a
client at an interest rate of 6%.

Given the stage in the credit cycle, the bank’s board of directors and senior
management decided to adjust the risk appetite from 99% confidence level to
99.5% confidence level. This increased the economic capital required from USD
10,000,000 to USD 20,000,000.

Target ROE and RAROC is 15%. Evaluate whether the bank should proceed with the
transaction.

Solution:

Risk-adjusted net income = Net Income – Expected Loss
                         = 2,000,000 – 500,000
                         = 1,500,000

RAROC = Risk Adjusted Net Income / Economic Capital
      = 1,500,000 / 20,000,000
      = 7.5%

From the above results, it appears that the bank should reject this transaction as
the RAROC is significantly below the target RAROC/ROE. To cure this, the bank may
consider adjusting the price of the loan to meet the hurdle.


Illustrative Example–7

Calculate the loan pricing required to meet the target RAROC.

Solution:

Required Risk Adjusted Net Income = Economic Capital x Target Return
                                  = USD 20,000,000 x 15%
                                  = USD 3,000,000

USD 3,000,000 = Net Income – Expected Loss
              = Net Income – 500,000

Net Income = USD 3,500,000

USD 3,500,000 = Interest Income – Funding Cost
              = Interest Income – USD 10,000,000

Interest Income Required = USD 13,500,000

Interest Required = USD 13,500,000 / USD 200,000,000
                  = 6.75%

From the results above, to meet the RAROC hurdle, interest charged should be
increased from 6% to 6.75%.
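Illustrative Examples 5 to 7 can be reproduced from their inputs, which also shows where the 2,000,000 net income and 500,000 expected loss come from. The following is an added example, not part of the study text: the class and function names are hypothetical, and it assumes a one-year horizon, no taxes or operating costs (as in the worked figures) and exposure at default equal to the loan principal.

```python
"""RAROC for a single loan, and the loan rate needed to clear a RAROC hurdle."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Loan:
    principal: float        # assumed equal to exposure at default (EAD)
    loan_rate: float        # interest rate charged to the client
    funding_rate: float     # bank's cost of funding the loan
    pd: float               # probability of default over the year
    recovery_rate: float    # share of the exposure recovered after default

    @property
    def lgd(self) -> float:
        """Loss given default is the part of the exposure not recovered."""
        return 1.0 - self.recovery_rate

    def expected_loss(self) -> float:
        """PD x LGD x EAD, the credit-risk formula given in the text."""
        return self.pd * self.lgd * self.principal

    def net_income(self) -> float:
        """Interest income minus funding cost (taxes ignored by assumption)."""
        return self.principal * self.loan_rate - self.principal * self.funding_rate

    def risk_adjusted_net_income(self) -> float:
        return self.net_income() - self.expected_loss()


def raroc(loan: Loan, economic_capital: float) -> float:
    """Risk adjusted net income divided by economic capital."""
    if economic_capital <= 0:
        raise ValueError("economic capital must be positive")
    return loan.risk_adjusted_net_income() / economic_capital


def required_loan_rate(loan: Loan, economic_capital: float, hurdle: float) -> float:
    """Loan rate at which RAROC equals the hurdle (the steps of Example 7)."""
    required_income = economic_capital * hurdle + loan.expected_loss()
    required_interest = required_income + loan.principal * loan.funding_rate
    return required_interest / loan.principal


def evaluate(loan: Loan, economic_capital: float, hurdle: float):
    """Return (decision, achieved RAROC, rate to charge)."""
    achieved = raroc(loan, economic_capital)
    if achieved >= hurdle - 1e-9:       # tolerance for floating-point rounding
        return ("accept", achieved, loan.loan_rate)
    return ("reprice", achieved, required_loan_rate(loan, economic_capital, hurdle))


# Inputs of Illustrative Examples 5 to 7
XYZ_LOAN = Loan(principal=200_000_000, loan_rate=0.06, funding_rate=0.05,
                pd=0.005, recovery_rate=0.50)

if __name__ == "__main__":
    for capital in (10_000_000, 20_000_000):
        decision, achieved, rate = evaluate(XYZ_LOAN, capital, hurdle=0.15)
        print(f"EC {capital:>11,}: RAROC {achieved:.2%} -> {decision} at {rate:.2%}")
```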


SUMMARY

• Capital risk is the risk that the bank will have insufficient level of quality capital to
support the bank’s business activities and the underlying risks it takes during normal
and stressed economic environment. Capital is a necessary but not a sufficient
condition for bank survival.

• Capital acts as a buffer against unexpected losses that are not covered by risk pricing
(which is fundamentally based on expected losses).

• Economic capital is the amount of capital needed to support the bank’s risk taking
activity. Economic capital is a risk measure and is usually calculated as a probabilistic
amount taking into account the bank’s risk appetite (for example, to maintain a certain
level of rating with high probability).

• Given the unpredictability of not only the market environment but also the reliability of
the risk models used, banks should use a supplementary approach to assess capital
adequacy through stress testing.

• Internal capital adequacy assessment process (ICAAP) is the process of the bank
ensuring its own capital adequacy by incorporating risks that are not covered by Pillar
I of the Basel III framework.

• Performance is measured differently. Return on equity is an accounting measure of
performance that does not take into account the risk taken by the bank. Risk adjusted
performance measures are more appropriate measures of bank performance.


END OF CHAPTER PRACTICE QUESTIONS

1. Capital conservation buffer should be composed of:


A. Common equity Tier 1
B. Additional Tier 1 capital
C. Tier 2 capital
D. Any of the above as long as majority is common equity Tier 1

2. To be able to continue to operate without regulatory intervention, banks must hold how
much common equity Tier 1 assuming the national supervisor triggers the maximum
amount of buffer needed to address systemic risk?
A. 4.5% of risk-weighted assets
B. 6.5% of risk-weighted assets
C. 7.0% of risk-weighted assets
D. 9.5% of risk-weighted assets

3. This is the level of capital that the board of directors and senior management require
banks to hold to support the bank’s risk profile and appetite.
A. Accounting capital
B. Market capital
C. Regulatory capital
D. Economic capital

4. This is designed to approximate the amount of a particular asset that could not be
monetised through the sale or use as collateral over a period of one year.
A. Available stable funding factor
B. Required stable funding factor
C. Liquidity coverage ratio
D. Net stable funding ratio

5. Which of the following will not likely qualify as Level 1 assets under the Basel III minimum
liquidity standards?
A. Cash
B. Central Bank Reserves
C. Marketable Securities
D. Derivatives


6. To be able to continue to pay discretionary payments without regulatory restriction, banks
must hold how much common equity Tier 1 assuming the national supervisor triggers the
maximum amount of buffer needed to address systemic risk?
A. 4.5% of risk-weighted assets
B. 6.5% of risk-weighted assets
C. 7.0% of risk-weighted assets
D. 9.5% of risk-weighted assets

7. Return on equity is ________.
A. Risk sensitive, forward looking
B. Risk sensitive, lagging
C. Not risk sensitive, forward looking
D. Not risk sensitive, lagging

8. RAROC can also be defined as ________.


A. Economic Capital/ Risk Adjusted Net Income
B. Economic Capital/ Net Income
C. Net Income/ Economic Capital
D. Risk Adjusted Net Income/ Economic Capital

9. Read the statements below:

Statement 1: Capital conservation buffer and countercyclical buffer are part of the
minimum capital requirement under Basel III

Statement 2: Capital conservation buffer can be in any form of capital as long as at least
50% is composed of common equity Tier 1 capital

A. Statement 1 is true. Statement 2 is false.


B. Statement 1 is false. Statement 2 is true.
C. Both statements are true.
D. Both statements are false.

ANSWERS TO END OF CHAPTER PRACTICE QUESTIONS

1. A 2. A 3. D 4. B 5. D 6. D 7. D 8. D 9. D

REFERENCES

Abdul Aziz, O.S., Samuel, D. R., and Azami, N. A. (n.d.) “Privacy law in Malaysia”. @azmillaw Newsletter.
Available at https://www.azmilaw.com/insights/privacy-law-in-malaysia/. [Accessed on 26 June 2021].

Aldasoro, I. et al. “The Drivers of Cyber Risk”. 20 May 2020. Basel Committee on Banking Supervision.

Alexander, Carol. Wiley. Market Risk Analysis, Value at Risk Models. Volume IV. (9 February 2009).

Antonopoulos, Andreas. “Mastering Bitcoin: Unlocking Digital Cryptocurrencies”. 2010. O’Reilly Media Inc.

Bank Negara Malaysia. (2020). Risk Management in Technology. 19 June. Available at
https://www.bnm.gov.my/documents/20124/963937/Risk+Management+in+Technology+(RMiT).pdf/810b088e-6f4f-aa35-b603-1208ace33619?t=1592866162078.
[Accessed on 26 June 2021].

Bank Negara Malaysia. (2013). Policy on risk governance. 1 March. Available at
https://www.bnm.gov.my/-/newly-published-policy-on-risk-governance. [Accessed on 22 May 2020].

Bank Negara Malaysia. (2020). ‘BNM Annual Report 2020’. Bank Negara Malaysia. Available at
https://www.bnm.gov.my/o/ar2020/index.html. [Accessed on 22 May 2021].

Bank Negara Malaysia. (n.d.). ‘List of licensed financial institutions.’ Financial Stability, Bank Negara
Malaysia. Available at https://www.bnm.gov.my/list-of-licensed-financial-institutions.
[Accessed on 22 May 2021].

Bank Negara Malaysia. (n.d.). ‘Standards and Guidelines.’ Regulations, Bank Negara Malaysia. Available
at https://www.bnm.gov.my/banking-islamic-banking. [Accessed on 22 May 2021].

Bank Negara Malaysia. (n.d.). ‘The importance of financial stability.’ Financial Stability, Bank Negara
Malaysia. Available at https://www.bnm.gov.my/the-importance-of-financial-stability.
[Accessed on 22 May 2021].

Barclays PLC. (2018). Strategic report. Available at
https://home.barclays/content/dam/home-barclays/documents/investor-relations/reports-and-events/annual-reports/2018/barclays-plc-strategic-report-2018.pdf.
[Accessed on 22 May 2020].


Basel Committee on Banking Supervision. (2012). Core principles for effective banking supervision.
September. Available at https://www.bis.org/publ/bcbs230.pdf. [Accessed on 22 May 2021].

Basel Committee on Banking Supervision. (2017). Basel III: International Regulatory Framework for Banks.

Basel Committee on Banking Supervision. (2021). Principles for Operational Resilience.

Basel Committee on Banking Supervision. (2021). Revisions to the Principles for the Sound Management
of Operational Risk.

Basel Committee on Banking Supervision. “Designing a Prudential System for Crypto Assets”
Consultative. 12 December 2019.

Basel Committee on Banking Supervision. Sound Practices on the Implications of Fintech Developments.
February 2018.

Basel Committee on Banking Supervision. (2018). Stress testing principles. 17 October. BCBS.

Basel III: A Global Regulatory Framework for More Resilient Banks and Banking Systems - Revised Version
June 2016 [online]. Available at: https://www.bis.org/publ/bcbs189.htm

Basel III: International Regulatory Framework for Banks. Basel Committee on Banking Supervision.
Revised Version June 2016.

Bertsch C. and Mariathasan M. (2021). “Optimal bank leverage and recapitalisation in crowded
markets”, BIS Working Papers, no. 923. Monetary and Economic Department, BIS. Available at
https://www.bis.org/publ/work923.pdf. [Accessed on 4 April 2022].

Chapelle, A. (2019) Operational risk management: Best practices in the financial services industry.
Wiley.

Chen, J. (2020). ‘Risk-based capital requirements.’ Investopedia. 13 December. Available at
https://www.investopedia.com/terms/r/risk-based-capital-requirement.asp.
[Accessed on 22 May 2021].

Choi, Y. Y., Levine, G., and Malone, S. W. (2020). “The coronavirus (COVID-19) pandemic: Assessing
the impact on corporate credit risk”. Moody’s Analytics. April 2020. Available at https://www.
moodysanalytics.com/articles/2020/coronavirus-assessing-the-impact-on-corporate-credit-risk.
[Accessed on 26 July 2021].

Choudhry, M. (2011). Bank asset and liability management: Strategy, trading and analysis. 1st ed. 27
December. Wiley.

BANK RISK PRACTICES


REFERENCES VI

Corporate Finance Institute. (n.d). ‘CAMELS rating system’. Resources, Knowledge, Corporate Finance
Institute. Available at https://corporatefinanceinstitute.com/resources/knowledge
/finance/camels-rating-system/. [Accessed on 22 May 2021].

Corporate Finance Institute. (n.d). ‘CAMELS rating system’. Resources, Knowledge, Corporate Finance
Institute. Available at https://corporatefinanceinstitute.com/resources/knowledge
/finance/camels-rating-system/. [Accessed on 22 May 2021].

D’ Cruz, R. G. (2021). ‘The banking regulation review: Malaysia’. The Law Reviews. 4 May. Available at
https://thelawreviews.co.uk/title/the-banking-regulation-review/malaysia. [Accessed on 22 May 2021].

D’ Cruz, R. G. (2021). ‘The banking regulation review: Malaysia’. The Law Reviews. 4 May. Available at
https://thelawreviews.co.uk/title/the-banking-regulation-review/malaysia. [Accessed on 22 May 2021].

Danske Bank Group. (2020). Risk management 2020. Available at https://danskebank.com/-/media/


danske-bank-com/file-cloud/2021/2/risk-management 2020.pdf?rev=25603
689101af84815de20ba0edf3. [Accessed on 28 February 2021]

Deloitte (2020). ‘Covid-19: Impact on financial institutions and how to respond’. Deloitte. April.
(PowerPoint presentation). Available at file:///C:/Users/hp/OneDrive%20-%20Asian%20institute%20
of%20Chartered%20Bankers/Desktop/Review%20for%20Risk/Bank%20Risk%20(new%20name%20-%20
16072021)%203rd%20draft/Readings/my-risk-covid-19-impact-my-financial-institutions.pdf.
[Accessed on 22 May 2021].

Deloitte (2020). ‘Covid-19: Impact on financial institutions and how to respond’. Deloitte. April.
(PowerPoint presentation). Available at file:///C:/Users/hp/OneDrive%20-%20Asian%20institute%20
of%20Chartered%20Bankers/Desktop/Review%20for%20Risk/Bank%20Risk%20(new%20name%20-%20
16072021)%203rd%20draft/Readings/my-risk-covid-19-impact-my-financial-institutions.pdf.
[Accessed on 22 May 2021].

Eavis, P. (2002). “Conseco Inc. debt ratings and violation of debt covenants.” The Street. Available at
https://www.thestreet.com/opinion/bond-proposal-a-loser-for-conseco-holders-10013559.
[Accessed on 22 May 2021].

Economist Intelligence. (2021). “Malaysia: Risk assessment.” Economist Intelligence. 16 June 2021.
Available at https://country.eiu.com/article.aspx?articleid=391086022&
Country=Malaysia [Accessed on 26 July 2021]

European Central Bank. (2020). "Guide on climate-related and environmental risks: Supervisory
expectations relating to risk management and disclosure." Banking Supervision. November.

Fermat to Pascal. (1654). Fermat and Pascal on probability. Available at https://www.york.ac.uk/depts/


maths/histstat/pascal.pdf. [Accessed on 22 May 2020].

Financial Stability Board. (2013). Principles for an effective risk appetite framework. 18 November.
Available at https://www.fsb.org/wp-content/uploads/r_131118.pdf. [Accessed on 22 May 2020].

Financial Stability Board. (2013). Thematic review on risk governance – Peer review report. 12 February.
pp. 6. Available at https://www.fsb.org/wp-content/uploads/r_130212.pdf. [Accessed on 22 May 2020)

Girling, P. (2013). Operational risk management: A complete guide to a successful operational risk
framework. Wiley.

BANK RISK PRACTICES


VII REFERENCES

Goldenberg, S. (2011). “Biofuel demand in US driving higher food prices.” The Guardian, News. Available
at https://www.theguardian.com/environment/2011/jul/19/biofuel-demand-us-fuel-prices.
[Accessed on 22 May 2021].

Goldman Sachs. (2020). Goldman Sachs investor day. 22 December. (PowerPoint presentation)
Available at https://www.goldmansachs.com/investor-relations/investor-day-2020/presentations/
consolidated-presentations.pdf [Accessed on 28 February 2021].

Govindarajan, V. (2016). The three-box solution: A strategy for leading innovation. 26 April. Harvard
Business Review Press, United States.

Griffin, D, and Campbell, D. (2013). ‘US Bank legal bills exceed $100 billion’. Bloomberg. Business. [Online].
Available at https://www.bloomberg.com/news/articles/2013-08-28/u-s-bank-legal-bills-exceed-100-
billion. [Accessed on 22 May 2020].

Harding, P. (2010). Mastering ISDA master agreements: A practical guide for negotiation (Mastering
Series). 29 April. FT Press.

Hong Kong Institute of Banker. (2018). Bank asset and liability management. 18 January. Wiley.

Hong Kong Monetary Authority. (2007). Supervisory policy manual – Strategic risk management. 12
December, v.1. Available at https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/
supervisory-policy-manual/SR-1.pdf. [Accessed on 22 May 2020].

HSBC. (2010). HSBC annual report.

Institute of Nuclear Power Operations. (2004). Principles for a strong nuclear safety culture. November.
pp. 7. Available at https://www.nrc.gov/docs/ML0534/ML053410342.pdf. [Accessed on 22 May 2020].

ISO 31000 (2018) Risk management – guidelines.

Jorion, P. (2006). Value at risk: The new benchmark for managing financial risk. 3rd ed. 9 November.
McGraw Hill Education.

King, B. (2018). Bank 4.0: Banking everywhere, never at a bank. Wiley.

King, B. (2018). Bank 4.0: Banking everywhere, never at a bank. Marshall Cavendish Business.

Kiran, N. (n.d.). “Case study on Parmalat accounting scam”. Your Article Library. Available at https://
www.yourarticlelibrary.com/case-studies/parmalat/case-study-on-parmalat-accounting-
scam/99551. [Accessed on 22 May 2021].

Lahsasna, A. (2014). Shari’ah non-compliance risk management and legal documentation in Islamic
finance. Singapore: John Wiley.

Lattman, P. (2012). ‘New bankruptcy documents reveal outsize pay at Lehman before the collapse.’
Investment banking, The New York Times. 27 April. Available at https://dealbook.nytimes.
com/2012/04/27/new-bankruptcy-documents-reveal-outsize-pay-at-lehman-before-collapse/.
[Accessed on 22 May 2021].

Lattman, P. (2012). ‘New bankruptcy documents reveal outsize pay at Lehman before the collapse.’
Investment banking, The New York Times. 27 April. Available at https://dealbook.nytimes.
com/2012/04/27/new-bankruptcy-documents-reveal-outsize-pay-at-lehman-before-collapse/.
[Accessed on 22 May 2021].

BANK RISK PRACTICES


REFERENCES VIII

Lioudis, N. (2021), “Lehman files for bankruptcy.” Investopedia. Available at https://www.investopedia.


com/articles/economics/09/lehman-brothers-collapse.asp. [Accessed on 22 May 2021].

Lone, F. A., Ahmad, S. (2017). “Islamic finance: More expectations and less disappointment”. Investment
Management and Financial Innovations, 14(1), 134-141. doi:10.21511/imfi.14(1).2017.14

Matz, L. (2011). Liquidity risk management and management: Basel III and beyond. 20 July. Xlibris
Corporation.

Mckinsey Working Papers on Risk. (2011). “Mastering ICAAP – Achieving excellence in the new world of
scarce capital. May (no.27). Mckinsey.

Moody’s Investor Services. (2015). “Delinquent debt service due to administrative error.” Moody’s
Investor Services. Available at https://www.moodys.com/research/Moodys-Somers-Central-School-
District-NYs-delinquent-debt-service-payment--PR_322240. [Accessed on 22 May 2021].

National Association of Insurance Commissioners. (2020). Risk-based capital.24 June. Available at


https://content.naic.org/cipr_topics/topic_riskbased_capital.htm. [Accessed 22 May 2021].

National Association of Insurance Commissioners. (2020). Risk-based capital.24 June. Available at


https://content.naic.org/cipr_topics/topic_riskbased_capital.htm. [Accessed 22 May 2021].

Polk, D. (2014). Risk governance: Visual memorandum on guidelines adopted by the OCC. Online slides.
Davis Polk & Wardwell LLP, 450 Lexington Avenue, New York, NY, delivered 7 November 2014. Available at
https://www.davispolk.com/sites/default/
files/11.07.14.Risk_Governance_Visual_Memorandum_on_Final_Guidelines_Issued_by_the_OCC.pdf.
[Accessed on 22 May 2020].

Reuters. (2020). “Malaysia’s CIMB commits to phase out coal financing by 2040.” Reuters. Available at
https://www.reuters.com/article/uk-malaysia-cimb-idUKKBN28I0X0. [Accessed on 22 May 2021].

Salmon, F. (2009). ‘Recipe for disaster: The formula that killed wall street”. Wired, Business. 23 February.
Available at https://www.wired.com/2009/02/wp-quant/. [Accessed on 22 May 2020].

Sarfraz, S., and Wass, S. (2019). “Amid investor scrutiny, Norway’s banks future-proof against climate
risk”. SP Global. Available at https://www.spglobal.com/marketintelligence
/en/news-insights/latest-news-headlines/amid-investor-scrutiny-norways-banks-future-proof-
against-climate-risk. [Accessed on 22 May 2021].

Saunders, A., and Cornett, M. (2017). Financial institutions management: A risk management approach.
9th ed. 9 February. McGraw Hill Education.

Tayan, B. (2019). The Wells Fargo cross-selling scandal. 6 February. Harvard Law School Forum on
Corporate Governance. Available at https://corpgov.law.harvard.edu/. [Accessed on 22 May 2020].

Te, P. (2016). Risk management in banking: Principles and framework. Asian Institute of Chartered
Bankers. Oxford Fajar, Malaysia.

Te, P. (2016). Risk management in banking: Risk models, capital, and asset liability management. Asian
Institute of Chartered Bankers. Oxford Fajar, Malaysia.

Tett, G. (2016). The silo effect: The peril of expertise and the promise of breaking down barriers. 27
September. Simon & Schuster.

BANK RISK PRACTICES


IX REFERENCES

The use of economic capital in performance management for banks. (2011). January. Mckinsey.

Tierney, M. (n.d). “Data security explained: Challenges and solutions.” Netwrix Blog. Available at https://
blog.netwrix.com/2021/07/26/data-security/. [Accessed on 26 June 2021].

Twidale, S., Cruise, S., and Jessop, S. (2019). ‘Big European banks face call to end funding for firms
building coal-fired plants’. Sustainable Business, Reuters. 6 December. Available at https://www.reuters.
com/article/us-europe-banks-coal-idUKKBN1Y92C8. [Accessed on 22 May 2020].

U.S. Securities and Exchange Commission. (2011). ‘SEC charges AXA Rosenberg entities for concealing
error in quantitative investment model: Firms agree to pay more than $240 million to settle SEC
charges.’. [Press Release]. U.S. Securities and Exchange Commission. 2 March. Available at https://www.
sec.gov/news/press/2011/2011-37.htm. [Accessed on 22 May 2020].

Whittall, C. (2012). ‘Value-at-Risk model masked JP Morgan $2 bln loss’. Reuters. 11 May. Available at
https://www.reuters.com/article/jpmorgan-var-idUSL1E8GBKS920120511. [Accessed on 22 May 2020].

Wolf, A. (2020). “NMI involuntary bankruptcy.” Bloomberg Law. Available at https://news.bloomberglaw.


com/banking-law/row-over-u-s-banks-role-in-involuntary-bankruptcy-revived.
[Accessed on 22 May 2021].

BANK RISK PRACTICES


BANK RISK
PRACTICES
AUTHORS’ PROFILE
Philip Te
Director for Financial Markets, ING Singapore.

Philip Te is currently Director for Financial Markets for ING Singapore. He was previously Vice President for Financial Markets Sales for ING Manila. Prior to this, he was Head of Structured Products and Financial Engineering Department of a local commercial bank and a Senior Associate at the Ernst & Young Financial Services Risk Management and Quantitative Advisory Services Group.

Philip Te is the author of a two-volume book on Bank Risk Management published by Oxford University Press and Asian Institute of Chartered Bankers. He developed a two-level qualification study text on bank risk management offered extensively to risk management professionals in Malaysia. He wrote and developed the Risk Management module for the Securities and Exchange Commission in Philippines. He is currently writing a book on corporate hedging entitled “7 Habits of Highly Effective Hedgers” to be published soon internationally.

He is the Programme Director for the Quantitative Finance, Risk Management and Value Investing Programme for the Ateneo Graduate School of Business - Centre for Continuing Education (AGSB-CCE). He has lectured extensively on value investing, derivatives, IFRS 9 hedge accounting, option pricing, corporate treasury management and strategic issues in hedging.

He is a Chartered Financial Analyst (CFA), Financial Risk Manager (FRM), Energy Risk Professional (ERP) and a Certified Public Accountant (CPA). He placed 2nd in the May 2007 Certified Public Accountant Exam. He is also currently taking Masters in Cryptocurrencies.

www.aicb.org.my

Common questions


Banks use repricing models, among other tools, to measure and manage interest rate risk by allocating interest rate-sensitive assets and liabilities into predefined time bands according to their maturity or next repricing. In gap analysis, a common repricing model, the net difference between interest rate-sensitive assets and liabilities for each time band is analyzed to estimate the impact of interest rate changes on net interest income. This involves identifying positive or negative gaps and adjusting the bank's asset and liability management strategies accordingly to minimize exposure to interest rate fluctuations. Repricing models are fundamental in the bank's strategy to maintain net interest income stability amidst changes in market interest rates.

Internal controls in managing non-traded market risks, such as liquidity risk, provide a structure to ensure effective operations, safeguard assets, and produce reliable financial reports. They include a control environment, risk assessment, control activities, information and communication, and monitoring. When internal controls alone are insufficient, management can complement them with risk mitigation strategies like transferring risk through insurance or utilizing derivatives to hedge against interest rate risks. This layered approach ensures a comprehensive management framework that can effectively address risks and maintain financial stability.

Primary sources of credit risk for banks include loans and advances, investment securities, off-balance sheet activities, and derivatives. Banks manage these risks using several techniques. For loans, risk is mitigated through careful borrower assessment, collateral, and covenants. Investment securities are managed by maintaining high-quality liquid assets and diversifying holdings. Off-balance sheet risk is controlled by structuring commitments and guarantees within rigorous risk limits. Derivatives are used as hedging tools, but they also entail risk that is managed through netting agreements and collateral. Credit risk mitigation involves various techniques to lower risk inputs, such as using guarantees and transferring risk through securitisation.

A risk management framework is composed of components that include policy, objectives, mandate, and commitment to managing risk. It also encompasses organisational arrangements like plans, relationships, accountabilities, resources, processes, and activities. These components are critical as they provide the foundation for implementing, monitoring, and continually improving risk management throughout the organisation. Embedding the risk management framework within a bank's overall strategic and operational policies ensures that risk management becomes an integral part of decision-making and accountability at all levels, fostering a culture of risk awareness and adherence to risk policies.

An interest rate swap is used in asset and liability management to manage mismatches between assets and liabilities by exchanging a series of future cash flows. It helps align the bank's cash flows with its interest rate exposure strategy by swapping fixed income from loans with a floating rate or vice versa. For instance, if a bank holds a 5-year fixed rate asset and wants to align it with a 1-year floating rate liability, it can enter into a swap to convert the fixed income into a floating rate, thereby reducing interest rate risk exposure and stabilizing net interest income amid fluctuating market rates. The swap provides the flexibility to better manage the bank's interest rate position and optimize financial outcomes.

Operational resilience contributes to a bank's ability to manage disruptions by ensuring it can identify, protect, respond, adapt, recover, and learn from disruptive events. The principle of operational resilience focuses on maintaining the continuity of critical operations such as payments, custody, and market-making activities that are vital to the financial system. Governance, business continuity planning, and incident management are key components that support operational resilience. By anticipating severe plausible scenarios like disasters or cyber incidents, banks can build robust structures to minimize impact and enhance their capabilities to maintain operations during disruptions.

Operational loss data collection and analysis are crucial in managing operational risk as they provide insights into the bank's risk exposure, control effectiveness, and potential vulnerabilities. Collecting data on operational risk events allows banks to model risk accurately, identify weaknesses in processes, and assess whether control failures are systematic or isolated. By analysing loss data, banks can understand the causes of large operational losses and evaluate the relationship of operational losses with other risks like market and credit risks. This process enhances risk awareness and aids in embedding a culture of operational risk management within the organisation.

The Board of Directors (BOD) is responsible for approving and overseeing the firm's risk appetite framework, which includes the risk appetite statement, risk limits, and policies to implement the risk management framework. The CEO coordinates, monitors, and reports on risk metrics across the organization, developing and recommending business and risk strategies. The risk management function develops risk metrics, monitors and reports on these metrics, and escalates breaches, among other responsibilities. Effective oversight is ensured through the reviews and recommendations of the risk committee, which discusses business and risk strategies and oversees framework implementation.

Embedding a risk management process within an organisation's culture ensures that risk management becomes an integral part of all business activities, thus enhancing its effectiveness. A deeply embedded risk management process aligns with the institution's culture and practices, enabling proactive identification and management of risks. The Financial Stability Board emphasizes the importance of risk culture as it shapes the collective behaviors and attitudes towards risk, promoting consistent adherence to policies and facilitating informed risk-based decision-making. By being part of the organisational culture, the risk management process influences the likelihood of achieving risk management objectives by fostering a collective responsibility towards risk.

The 2008 Global Financial Crisis exposed critical weaknesses in risk governance, including a lack of financial industry experience among board members, insufficient attention to risk management, inadequate risk committee structures, and a culture of excessive risk-taking and leverage. The lessons learned include the necessity of having board members with relevant experience, establishing effective risk committees independent of management, and instilling a strong risk culture that discourages excessive risk-taking. Furthermore, comprehensive and easily understandable information should be provided to the board to enable informed decision-making, and regular independent assessments of risk governance frameworks should be conducted.
