Risk Management 2023 Short Notes
Module-D: Operational Risk
Unit: 17 OPERATIONAL RISK AND OPERATIONAL RISK MANAGEMENT FRAMEWORK

Operational Risk:
Banks find managing operational risk particularly challenging.
Losses from operational risk events can be catastrophic both financially and in terms of reputation.
Operational risk can arise from preventable mistakes, flawed transaction processing, and outright fraud.
Careful handling of business operations and proactive measures can help prevent larger losses.

Developments Giving Rise to Increasing Operational Risk:
Deregulation, globalization, and financial technology have made banking activities more complex.
Interconnectedness of business operations transfers risks between unfamiliar entities.
Lack of skills and knowledge can trigger operational risks.
New risks faced by banks include highly automated technology, e-commerce risks, large volume transactions, outsourcing risks, and high economic growth risks.
Highly automated technology raises concerns about systems failure, security, hacking, and fraudulent transactions.
E-commerce growth brings risks of internal and external fraud and system security issues.
Large volume transactions require robust internal controls and backup systems.
Banks' expansion into non-core business activities increases the scope for operational risks.
Outsourcing of services introduces risks related to service provider failures, non-delivery of services, and access to confidential information.
High economic growth increases demand for financial services and opportunities for cross-border banking, but new financial institutions may have weaker risk management systems.

Peculiarity of Operational Risk:
Operational risk is omnipresent, connected to all business activities, making it 'transversal' to different business lines.
Unlike credit and market risks that offer expected rewards, operational risk is typically not directly taken in return for an expected reward.
Operational risk is difficult to collateralize, define boundaries for, and identify due to its visibility and overlaps with other risks.
Operational risk has an idiosyncratic and systematic dimension, arising from possible failures of business processes and control systems.
For Free Study Material Subscribe now
Operational risk commences before transactions are executed and remains even after their completion.
The level of operational risk can be impacted by business decisions, and strong operational risk management can mitigate this risk.

Definition of Operational Risk:
Operational risk was initially considered as all risk not captured in market and credit risk management.
The Basel Committee on Banking Supervision defined it as 'The risk of loss resulting from inadequate or failed processes, people, and systems or from external events'. It excludes strategic and reputational risk.
Operational risk is linked to financial losses and negative social performance due to failed people, processes, and systems in a bank's daily operations.
Operational risk is categorized into people risk, process risk, systems risk, external events risk, and legal and compliance risk.

Types of Operational Risk Events:
Internal Fraud: Losses due to acts intended to defraud, misappropriate property or circumvent regulations, law, or company policy by at least one internal party.
External Fraud: Losses due to acts intended to defraud, misappropriate property, or circumvent the law, by a third party.
Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health, or safety laws or agreements.
Clients, Products, and Business Practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients, or from the nature or design of a product.
Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events.
Business Disruption and System Failures: Losses arising from disruption of business or system failures.
Execution, Delivery and Process Management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

Operational Risk Management Framework:
Operational risk is intrinsic to a bank and should hence be a crucial part of its enterprise-wide risk management systems.
A strong operational risk framework provides transparency into the risks in the firm, allows for informed business decision-making, avoids bad surprises, and provides tools for swift response to events.
The framework involves identifying, measuring, monitoring, controlling, and mitigating operational risks, as well as calculating capital to protect a bank from operational risk losses.

Operational Risk Culture: A successful operational risk framework demands an organizational culture emphasizing the importance of operational risk management. This involves fostering an attitude of mindfulness and sensitivity towards risks across all employees. The Board and senior management should prioritize effective operational risk management and adherence to sound operating procedures.

Operational Risk Organizational Framework: The organizational structure for managing operational risk should consist of the Board of Directors, Risk Management Committee, Operational Risk Management Committee, Operational Risk Management Department, Operational Risk Managers, and a Support Group for operational risk management.

Board Responsibilities: The Board of Directors, including a designated committee, is responsible for managing the bank's operational risks.
Responsibilities include being aware of the bank's operational risks, providing clear guidance to senior management, approving and reviewing the operational risk management framework, and ensuring effective internal audit coverage. They also establish a clear management structure and ensure a separation of responsibilities to avoid conflicts of interest.

Risk Management Committee of the Board (RMCB): The RMCB, created by the Board of Directors, oversees risk management and determines the operational risk matters to be reported to the full Board. It approves operational risk policies and investments, reviews operational risk profiles, and sets expressions of risk appetite. The RMCB also reinforces the culture and awareness of operational risk management throughout the organization.

Operational Risk Management Committee (ORMC): The ORMC is an executive committee with the primary objective of mitigating operational risk within the institution by creating and maintaining an operational risk management process. The ORMC designs operational risk management policies, reviews operational risk exposures, ensures understanding and action across the business, and holds regular meetings focused on operational risk issues.

ORMC's Key Roles: The ORMC reviews the risk profile, assures adequate resources for risk mitigation, communicates the importance of operational risk management to staff, approves the development of operational risk methodologies and tools, receives reports from business lines about their risk profiles, evaluates new products for potential risks, and monitors industry incidents for potential impacts on the bank.

Organization-Wide Support Departments: Each business/functional area appoints a person responsible for coordinating the management of operational risk. This person or team, known as a Liaison, works closely with the Operational Risk Management Department and reports to their respective departments.

Liaisons' Key Responsibilities: Liaisons facilitate self-assessments, design and report on risk indicators, coordinate the collection and reporting of loss events, follow up on action plans and open issues, participate in ORMC meetings as needed, and consult with business units on risk mitigation. They help their respective departments understand and manage operational risks and report data to both the departments and the Operational Risk Management Department.

Operational Risk Management Department (ORMD): The ORMD is responsible for coordinating all operational risk activities within a bank. They work to build a comprehensive understanding of the bank's risk profile and implement tools and strategies to manage operational risk.

ORMD's Specific Activities: These include creating a risk profile, developing and implementing tools for operational risk management, developing a capital measurement methodology for operational risks, consolidating and reporting data, analyzing data, identifying and sharing best practices, consulting on risk management application and risk profile improvement, optimizing insurance limits and coverage, drafting and updating operational risk policies, facilitating periodic self-assessments, and coordinating with the Internal Audit department.

Policy Guidelines and Strategic Approach: Operational Risk Management Policy sets minimum requirements and controls for business strategy, compliance, risk mitigation, and employee sensitization towards operational risk management (ORM). Procedures provide specific instructions for implementing policies and performing tasks.

Operational Risk Management Framework: This provides strategic direction and ensures an effective operational risk management process throughout the institution. It must be tailored to the unique operational risk profile of each institution, considering the scale and materiality of risk and the size of the institution.
Key Elements in ORM Process: These include appropriate policies and procedures, efforts to identify and measure operational risk, effective monitoring and reporting, a sound system of internal controls, and appropriate testing and verification of the Operational Risk Framework.

Policy Requirement: Every bank must have policies and procedures outlining their Operational Risk Management (ORM) framework. This includes identifying, assessing, monitoring, and mitigating operational risk. Policies should be approved by the board and effectively implemented at all levels.

Operational Risk Management Policies: Policies and procedures must be communicated to appropriate staff and should outline all aspects of the ORM framework, such as roles and responsibilities, operational risk definitions, use of internal and external loss data, development of business environment assessments, quantification of operational risk exposure, and the integration of qualitative factors and risk mitigants.

Compliance and Review: Policies must contain provisions for review and approval of significant policy exceptions, reporting of critical risk issues, compliance checks, treatment of non-compliance issues, and documented approvals and authorizations for accountability.

Strategic Approach to Risk Management: The focus should be on minimizing losses and customer dissatisfaction, identifying product flaws, aligning business structures and incentives, developing plans for external shocks, and cost-effectively mitigating operational risks.

Operational Risk Identification Process: Banks should identify and assess operational risk in all material products, activities, processes, and systems before their implementation.

Risk Identification Approach: Risk identification should be a two-fold process. Top-down identification is performed by senior management focusing on significant exposures and threats, while the bottom-up approach involves identifying specific vulnerabilities or inefficiencies at the business process level.

Risk Event Identification and Mapping: A top-down approach should be used for identifying operational risk events, while a bottom-up approach should be used for risk mapping, classification, categorization, and aggregation. This provides a comprehensive view of the operational risk faced by the bank.

Business Identification Process: Banks offer numerous services and products that need to be grouped into different business lines for efficient operational risk management. These lines include Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, and Retail Brokerage.

Identification of Business Lines: Identifying business lines is the first step in operational risk identification. The task is to map the bank's entire activities into relevant business lines, segregating risks to deal with them appropriately. Banks should also develop specific policies for mapping products or activities to a suitable business line.
Identification of Activity Groups and Products: After identifying the business lines, banks should identify the product teams or activity groups and the services they provide under each business line. Each product team uses a variety of products for service delivery, some of which might fall under more than one business line.

Identification of Risk Events: Operational risk identification involves identifying risk events associated with the products. These events are incidents that have caused or can potentially cause significant losses to a bank. They could be internal or external and are typically associated with people, processes, or technology.

Operational Risk Identification Process: This involves four steps: identifying the business line, identifying the product team in each business line, identifying the products used by the product team, and listing the operational risk events associated with the products.

Cause and Effect Analysis: This encourages banks to study operational risk in terms of "effects" and "causes." Effects refer to the impact of the event, while causes refer to the underlying failure that permitted a risk to occur. Causes can be people, process-oriented, systems/technology, or external. Each operational risk event can be related to these causes.

Effects of Risk Events: The impacts of risk events can lead to legal liability, regulatory or taxation penalties, loss or damage to assets, loss of recourse, and write-downs.

Causes of Risk Events: The four major cause categories of operational risk are people-related, process-oriented (transaction-based), process-oriented (operational control based), systems/technology, and external.

Assessment of Operational Risk: Apart from identifying risk events, banks should also assess their vulnerability to these risks. Effective risk assessment allows a bank to better understand its risk profile and most efficiently allocate risk management resources.

Self-Risk Assessment: This is an internally driven process where a bank assesses its operations and activities against potential operational risk vulnerabilities. The process often involves checklists and workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards are used to translate qualitative assessments into quantitative metrics, helping in ranking different types of operational risk exposures.

Risk Mapping: This process involves mapping various business units, organizational functions, or process flows by risk type. Risk mapping can reveal areas of weakness and help prioritize subsequent management actions.

Key Risk Indicators: Key risk indicators are statistics or metrics, often financial, which provide insights into a bank's risk position. They are reviewed periodically to alert banks to changes that may indicate risk concerns. Indicators may include the number of failed trades, staff turnover rates, and the frequency or severity of errors and omissions.

External Consultants: Some banks choose to engage external consultants for risk identification to ensure all potential risks, even the smallest ones, are captured.

Unit: 18 COLLECTION OF INTERNAL LOSS DATA AND EXTERNAL LOSS DATA

Importance of Loss Data in Operational Risk Framework: Once governance, culture, awareness, and initial policies and procedures are established, the collection of loss data becomes the next essential step in the operational risk management framework. This data offers valuable insight into the bank's current operational risk exposure and helps establish patterns that can be used to devise risk mitigation strategies.

Collection of Loss Data: Loss data, better understood as "operational risk event data," refers not just to losses, but to a broader category of operational risk events. These events can be both internal (happened in or to the firm) and external (occurred elsewhere in the industry but can affect the firm).
Categorization of Loss Data: Banks use risk categories suggested by the Basel Committee to report operational risk events and comply with Basel regulations. These categories are intended to capture a risk event, not a cause. They serve as useful buckets to gather operational risk event data and should be applied to all loss data across the operational risk framework.

Internal Fraud: This category includes losses due to acts intended to defraud, misappropriate property, or circumvent regulations, the law, or company policy, excluding diversity/discrimination events. At least one internal party should be involved in these acts.
External Fraud: Losses due to acts of a type intended to defraud, misappropriate property, or circumvent the law, by a third party.
Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health, or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.
Clients, Products, and Business Practices: Losses arise from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events.
Business Disruption and System Failures: Losses arising from disruption of business or system failures.
Execution, Delivery, and Process Management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

Minimum Loss Data Standard: Banks are expected to establish procedures and processes for identifying, collecting, and treating internal loss data. This data should capture all material activities and exposures from all subsystems and geographic locations. The minimum threshold for a loss event is set at ₹1,00,000. Banks must also collect information on recoveries of gross loss amounts, the dates of operational risk events, and details about the drivers or causes of the loss event.

Foreign Subsidiary Loss Data: Loss impacts denominated in a foreign currency should be converted using the same exchange rate used in the bank's financial statements of the period in which the loss impacts are accounted for.

Operational Loss Events: Operational loss events related to credit risk and accounted for in credit Risk Weighted Assets (RWA) are not included in the operational loss data set. However, operational risk losses related to market risk should be included.
Review of Loss Data: Banks must have processes in place to independently review the comprehensiveness and accuracy of loss data.

Loss Definitions: Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking into account the impact of recoveries. The recovery is an independent occurrence, related to the original loss event, in which funds or inflows of economic benefits are received from a third party. Banks use losses net of recoveries in the loss dataset.

Gross Loss Computation: Gross loss should include direct charges to the bank's P&L accounts due to the operational risk event, costs incurred as a consequence of the event, provisions or reserves accounted for potential operational loss impact, losses from operational risk events with a definitive financial impact, and negative economic impacts booked due to operational risk events impacting cash flows or financial statements of previous periods.

Exclusions from Gross Loss Computation: Costs of general maintenance contracts on property, plant or equipment, and expenditures to enhance the business after the operational risk losses, such as upgrades, improvements, risk assessment initiatives and enhancements, and insurance premiums, should be excluded.

Loss Allocation: Losses caused by a common operational risk event or by related operational risk events over time, but posted to the accounts over several years, should be allocated to the corresponding years of the loss database, in line with their accounting treatment.

Exclusion of Losses: Banks can request to exclude certain operational loss events that are no longer relevant to their risk profiles. These requests should be supported by strong justifications, and they should demonstrate that the excluded loss experience has no relevance to other continuing activities or products. Exclusions must meet a materiality threshold and can only be excluded after being included in the bank's operational risk loss database for a minimum period.

Near-misses and Opportunity Costs: Near-misses are events or sequences of events that could have resulted in damage but didn't. These near-misses can provide valuable opportunities to improve systems and manage operational risks proactively. Additionally, opportunity costs or lost revenue might result from an event, even if there is no direct loss. Both near-misses and opportunity costs can provide valuable data for the operational risk management framework.

External Loss Data: This involves data on events that occurred outside the firm but may provide valuable insights into the operational risks faced by the firm. External loss data can inform risk and control self-assessment activities, scenario analysis, and the development of key risk indicators. It is crucial for building operational risk culture and awareness and can be sourced from various online platforms, news articles, and subscription services.

Reporting and Transparency: Any exclusions and the total loss amount and number of exclusions shall be disclosed under Pillar 3 with appropriate narratives. This promotes transparency in the operational risk management process.

Operational Risk Event Database: Often a loss database is renamed to reflect its purpose and content more accurately, such as "operational risk event database". This signifies the inclusion of gains, near-misses, and opportunity costs along with the loss data.

Challenges of External Data: External data used in operational risk functions must be interpreted cautiously due to certain challenges. The coverage and availability of data can be inconsistent, as significant frauds might receive extensive coverage while other events may be ignored. Additionally, determining the relevance of an event can be tricky as a similar event might not occur in a firm with the same business line due to differences in products or control environments. External data is best utilized to identify the types of errors and control failings that can occur to prevent similar losses.
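As an added worked example (not part of the original notes), the Python below applies the loss-data rules from Unit 18 to a few constructed events: the ₹1,00,000 threshold, conversion at the financial-statement exchange rate, the credit-RWA exclusion, the gross and net loss definitions and the cost kinds excluded from gross loss. The event names, cost-kind labels, exchange rates and the choice to test the threshold on gross loss are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Reporting threshold stated in the notes: ₹1,00,000 per loss event.
MIN_LOSS_THRESHOLD = Decimal("100000")

# Basel event-type buckets listed in the notes; they classify the event, not its cause.
EVENT_TYPES = {
    "internal_fraud", "external_fraud", "employment_practices_workplace_safety",
    "clients_products_business_practices", "damage_to_physical_assets",
    "business_disruption_system_failures", "execution_delivery_process_management",
}

# Cost kinds the notes say must be left out of gross loss (labels are assumed).
EXCLUDED_COST_KINDS = {"maintenance_contract", "upgrade", "improvement",
                       "risk_assessment_initiative", "insurance_premium"}


@dataclass
class LossEvent:
    event_id: str
    event_type: str
    event_date: str                    # date of the operational risk event
    cause: str                         # people / process / systems / external
    currency: str
    charges: dict                      # cost kind -> amount in event currency
    recoveries: Decimal = Decimal(0)   # third-party inflows linked to the event
    in_credit_rwa: bool = False        # credit-risk related and already in credit RWA


def gross_loss(ev: LossEvent) -> Decimal:
    """Gross loss: every booked impact of the event before any recovery,
    with maintenance, enhancement and insurance-premium items excluded."""
    return sum((amt for kind, amt in ev.charges.items()
                if kind not in EXCLUDED_COST_KINDS), Decimal(0))


def net_loss(ev: LossEvent) -> Decimal:
    """Net loss: gross loss after recoveries; this is what the dataset stores."""
    return gross_loss(ev) - ev.recoveries


def build_loss_dataset(events, fx_rates):
    """Apply the minimum loss data standard to a batch of events.

    fx_rates maps currency -> rate to INR taken from the financial statements
    of the accounting period, as the notes require.
    Returns (records kept, {event_id: reason skipped}).
    """
    kept, skipped = [], {}
    for ev in events:
        if ev.event_type not in EVENT_TYPES:
            raise ValueError(f"{ev.event_id}: unknown event type {ev.event_type}")
        if ev.in_credit_rwa:
            skipped[ev.event_id] = "credit-risk event already in credit RWA"
            continue
        rate = fx_rates[ev.currency]
        gross = gross_loss(ev) * rate
        # Assumption: the threshold is tested on gross loss in INR.
        if gross < MIN_LOSS_THRESHOLD:
            skipped[ev.event_id] = f"below threshold (gross {gross})"
            continue
        kept.append({
            "event_id": ev.event_id, "event_type": ev.event_type,
            "event_date": ev.event_date, "cause": ev.cause,
            "gross_loss": gross, "recoveries": ev.recoveries * rate,
            "net_loss": net_loss(ev) * rate,
        })
    return kept, skipped


def run_example():
    """Constructed sample events (not real data) run through the standard."""
    d = Decimal
    events = [
        LossEvent("E1", "external_fraud", "2023-04-12", "external", "INR",
                  {"direct_charge": d("250000"), "consequential_cost": d("30000"),
                   "insurance_premium": d("12000")}, recoveries=d("50000")),
        LossEvent("E2", "business_disruption_system_failures", "2023-05-03",
                  "systems", "USD", {"direct_charge": d("900"), "upgrade": d("5000")}),
        LossEvent("E3", "execution_delivery_process_management", "2023-06-21",
                  "process", "INR", {"direct_charge": d("400000")}, in_credit_rwa=True),
        LossEvent("E4", "damage_to_physical_assets", "2023-07-08", "external", "INR",
                  {"direct_charge": d("500000"), "maintenance_contract": d("80000")}),
    ]
    fx_rates = {"INR": d("1"), "USD": d("83")}   # constructed period rates
    return build_loss_dataset(events, fx_rates)


if __name__ == "__main__":
    kept, skipped = run_example()
    for rec in kept:
        print(rec["event_id"], rec["event_type"], "net loss INR", rec["net_loss"])
    for event_id, why in skipped.items():
        print("skipped", event_id, why)
```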
Root-Cause Analysis (RCA): RCA is a structured investigation aimed at identifying the true cause of a problem and the actions necessary to eliminate it. It involves understanding the problem, brainstorming about possible causes, collecting and analyzing data related to the problem, identifying the root cause, devising solutions to eliminate the problem, and implementing the solution.

Methods used in RCA:
5-Whys Analysis: A problem-solving technique that involves asking "why" repeatedly to get to the root of the problem.
Barrier Analysis: This involves tracing the pathways by which a target is adversely affected by a hazard and identifying any failed or missing countermeasures.
Change Analysis: Systematically looks for possible risk impacts and appropriate risk management strategies where change is occurring.
Causal Factor Tree Analysis: This technique records and displays, in a logical, tree-structured hierarchy, all the actions and conditions necessary for a given consequence to have occurred.
Failure Mode and Effects Analysis: Examines failures in products or processes.
Fish-Bone Diagram or Ishikawa Diagram: An analysis tool that provides a systematic way of looking at effects and the causes that create or contribute to those effects.
Pareto Analysis: A statistical technique used for analysis of selected tasks that produce significant overall effect. It operates under the premise that 80% of problems are produced by 20% of the causes.
Fault Tree Analysis: This places the event at the root of a "tree of logic" with each contributing situation added to the tree as a series of logical expressions.

Unit: 19 RISK AND CONTROL SELF-ASSESSMENT & KEY RISK INDICATOR

RCSA Objective: Risk Control and Self-Assessment (RCSA) aims to establish a structural framework for assessing operational risk exposure and the overall effectiveness of a bank's internal control system. RCSA helps prioritize risk exposures, identify control weaknesses and monitor corrective actions, contributing to the development of strategies to manage operational risks.

Benefits of RCSA: RCSA can help embed operational risk management across an organization, improve management attitudes towards risk, support governance and compliance activities, and enhance overall risk culture. It can also contribute to improving business efficiency by identifying and addressing control weaknesses and gaps.

RCSA Process: This involves evaluating the likelihood and impact of each significant operational risk. It's a dynamic and iterative method for identifying key operational risks and controls. It involves corrective actions being tracked and implemented continuously, at both the unit level and the institution level.

Stages of RCSA:
Stage 1: Identification of key process owners and participants.
Stage 2: Identification of inherent risks arising from products and activities.
Stage 3: Evaluation of the effectiveness of existing controls.
Stage 4: Assessment of remaining levels of risk and identification of risk owners.

Residual Risk: This refers to the level of risk exposure with controls in place, also known as net risk. The effectiveness of the controls in place influences the level of residual risk.
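An added example (not part of the original notes) of the Fault Tree Analysis method listed above, in Python: the top event sits at the root, contributing situations are combined with AND/OR gates, and the minimal cut sets list which combinations of failed controls are sufficient for the event to occur, which is the same question Barrier Analysis asks about failed or missing countermeasures. The tree, its gate layout and the event names are a constructed illustration.

```python
from dataclasses import dataclass


@dataclass
class Gate:
    """A logic gate in the fault tree; leaves are plain strings naming basic events."""
    kind: str        # "AND" or "OR"
    children: tuple  # each child is a Gate or a basic-event name


def evaluate(node, failed):
    """True if the top event occurs given the set of basic events that have failed."""
    if isinstance(node, str):
        return node in failed
    results = [evaluate(child, failed) for child in node.children]
    return all(results) if node.kind == "AND" else any(results)


def cut_sets(node):
    """Minimal cut sets of the tree: each is a set of basic events whose joint
    failure is sufficient for the top event, with no redundant member."""
    if isinstance(node, str):
        return [frozenset([node])]
    per_child = [cut_sets(child) for child in node.children]
    if node.kind == "OR":                       # any one child's cut set suffices
        candidates = [s for sets in per_child for s in sets]
    else:                                       # AND: combine one cut set from every child
        candidates = [frozenset()]
        for sets in per_child:
            candidates = [a | b for a in candidates for b in sets]
    unique = set(candidates)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


# Constructed tree for the top event "unauthorised payment leaves the bank":
# an initiating failure AND a failure of the controls that should have stopped it.
TOP_EVENT = Gate("AND", (
    Gate("OR", ("customer credentials compromised",
                "internal user initiates payment")),
    Gate("OR", ("maker-checker control bypassed",
                Gate("AND", ("checker approves without review",
                             "transaction monitoring alert missing")))),
))


def run_example():
    """Return the minimal cut sets and whether one constructed scenario reaches the top."""
    sets = cut_sets(TOP_EVENT)
    # Scenario: credentials compromised and the checker rubber-stamps, but monitoring fires.
    scenario = {"customer credentials compromised", "checker approves without review"}
    return sets, evaluate(TOP_EVENT, scenario)


if __name__ == "__main__":
    sets, occurred = run_example()
    for s in sets:
        print("cut set:", sorted(s))
    print("scenario reaches top event:", occurred)
```

The two-element cut sets show that bypassing the maker-checker control alone turns either initiator into a loss, which is where a corrective action plan would start.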
Inherent Risk: This is the risk present in an activity, product, or function of a bank in the absence of any mitigation plans and actions. It represents a worst-case scenario of audit risks, demonstrating what could happen if all internal controls fail.

Impact Study: This involves rating the potential loss involved in the products, processes or business lines involved in the financial operation of a bank. Impact scales are generally expressed in relative terms, and larger banks tend to assess risks against various types of impact, including financial, regulatory, service delivery, customer service, and reputation.

RCSA Matrix: Most banks in India use a unique RCSA matrix for the bank as a whole. Some bigger banks use two RCSA matrices: one at group level, collecting the results of a top-down risk assessment, and one for business units.

Defining Likelihood: Likelihood scales typically use timeframes, for instance "occurring × times in a year/years". This refers to the probability of a risk event occurring in a specific time period based on past occurrences. Usually, a 5-point scale is used to rate the likelihood of a risk event. It's important for all participants to have the same understanding of these definitions to avoid any conflicting interpretations.

Study of Effectiveness of Control: As part of the RCSA process, the effectiveness of controls implemented to address operational risk events must be assessed. This is done by considering both their design effectiveness and operational effectiveness. Similar ordinal scales to those used for probability and impact are used to assess control effectiveness. The specifics of these assessments can vary between different banks.

Control Product: This is derived by merging the assessments of control design effectiveness and control operational effectiveness. It gives a measure of the overall effectiveness of the control system in place. The parameters used to derive the Control Product can differ from bank to bank.

COMPUTATION OF RISK ZONE: Key Performance Indicator: based on the scores generated through the Risk Profile Matrix, the branches are categorized into the following Risk Zones (Risk Product × Control Product).

COLOR-CODED RISK LEVELS:
Risk Levels and Actions: Risks can be categorized as green, yellow/amber, or red based on their level relative to the risk appetite. Green risks need regular monitoring, while yellow/amber risks require active monitoring and possibly further mitigation. Red risks are beyond risk appetite and must be addressed with a risk mitigation action plan.
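Added example, not from the notes: a small Python model of the RCSA computation described in this unit. Likelihood, impact and the two control-effectiveness ratings are scored on 5-point scales, the Risk Product and Control Product are derived from them, and the pair is looked up in a Risk Product × Control Product zone matrix to obtain the green/amber/red level and the action it calls for. The band cut-offs, the zone matrix and the sample branch entries are assumptions, since the notes say these parameters differ from bank to bank.

```python
from dataclasses import dataclass

SCALE = range(1, 6)   # 5-point ordinal scales for likelihood, impact and control ratings


def _check(name, value):
    """Reject ratings outside the agreed scale so every participant uses the same definitions."""
    if value not in SCALE:
        raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return value


def risk_product(likelihood, impact):
    """Inherent risk score: likelihood x impact, range 1..25 (assumed combination rule)."""
    return _check("likelihood", likelihood) * _check("impact", impact)


def control_product(design, operational):
    """Control Product: design effectiveness x operational effectiveness, range 1..25."""
    return (_check("design effectiveness", design)
            * _check("operational effectiveness", operational))


def band(score, low_max, high_min):
    """Collapse a 1..25 score into low / medium / high using the given cut-offs."""
    if score <= low_max:
        return "low"
    if score >= high_min:
        return "high"
    return "medium"


# Assumed cut-offs; a bank would calibrate these against its own risk appetite.
RISK_BANDS = (6, 15)      # risk product:    <=6 low, 7..14 medium, >=15 high
CONTROL_BANDS = (6, 15)   # control product: <=6 low, 7..14 medium, >=15 high

# Risk zone matrix: key is (risk product band, control product band). Assumed layout.
RISK_ZONE = {
    ("low", "high"): "green",     ("low", "medium"): "green",     ("low", "low"): "amber",
    ("medium", "high"): "green",  ("medium", "medium"): "amber",  ("medium", "low"): "red",
    ("high", "high"): "amber",    ("high", "medium"): "red",      ("high", "low"): "red",
}

ACTION = {
    "green": "regular monitoring",
    "amber": "active monitoring; consider further mitigation",
    "red": "beyond risk appetite: SMART corrective action plan required",
}


@dataclass
class RcsaEntry:
    unit: str
    risk: str
    likelihood: int
    impact: int
    design_eff: int
    operational_eff: int


def assess(entry: RcsaEntry) -> dict:
    """Run one RCSA line through Stages 2 to 4: inherent risk, controls, residual zone."""
    rp = risk_product(entry.likelihood, entry.impact)
    cp = control_product(entry.design_eff, entry.operational_eff)
    zone = RISK_ZONE[(band(rp, *RISK_BANDS), band(cp, *CONTROL_BANDS))]
    return {"unit": entry.unit, "risk": entry.risk, "risk_product": rp,
            "control_product": cp, "zone": zone, "action": ACTION[zone],
            "needs_action_plan": zone == "red"}


def run_example():
    """Constructed branch-level entries (not real assessments)."""
    entries = [
        RcsaEntry("Branch A", "unauthorised transaction processing", 4, 5, 4, 4),
        RcsaEntry("Branch B", "ATM cash reconciliation error", 3, 2, 2, 2),
        RcsaEntry("Branch C", "intrusion into internet banking platform", 3, 5, 3, 2),
        RcsaEntry("Branch D", "back-office staff turnover", 2, 2, 5, 4),
    ]
    return [assess(e) for e in entries]


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['unit']:9} {r['zone']:6} RP={r['risk_product']:2} "
              f"CP={r['control_product']:2}  {r['action']}")
```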
Corrective Action Plan: When a risk is beyond the Performance Indicators: Key Performance Indicators
acceptable level, a specific, measurable, achievable, (KPIs) measure the achievement of targets. They are
realistic, and time-bound (SMART) corrective action applicable to operational risk for exposure reduction,
plan should be developed. This plan will address minimization, or mitigation, and in assessing how well
control deficiencies, implement new controls or a business entity manages its operational risks.
remove obsolete or excessive ones. It should also Examples include cumulative hours of IT system
include details such as the business line, responsible outage, percentage of products/transactions with
officer, test dates, control weaknesses, action plan, faults/errors, or percentage of automated processes
and a reasonable target date for resolution. requiring manual intervention.
RCSA Approach: A well-designed and implemented Risk Control Self-Assessment (RCSA) is vital for operational risk management. It should not be a bureaucratic or compliance-oriented exercise but rather should support business decision making.

Key Risk Indicators (KRIs): KRIs are quantifiable measurements used to evaluate the potential operational risk exposure of certain activities or processes. They can support various operational risk management activities, including risk identification, risk and control assessments, and the implementation of effective risk management frameworks.

Types of KRIs: KRIs can be categorized into risk exposure indicators, control effectiveness indicators, and performance indicators. Risk exposure indicators measure the level of exposure to a given risk, control effectiveness indicators measure how well a control is working, and performance indicators assess the overall performance of the risk management framework.

Forms of KRI: KRIs can be specific to different risk areas. For instance, the number of customer complaints can be a KRI for the risk of process errors. Similarly, control effectiveness indicators such as the number of cases of customer identity misrepresentation detected can highlight deficiencies in specific controls. Identifying and using the most effective risk control tools is critical for effective operational risk management.

Leading and Lagging KRIs: Lagging KRIs are based on historical measures and help identify trends. They can only show what has already happened, not future events. On the other hand, leading KRIs are predictive and can indicate emerging risks. These derive from preventive controls, and their effectiveness determines the probability of a risk event.

Selecting KRIs: Choosing KRIs requires considering several criteria for an effective KRI system:

Relevance: KRIs should monitor risk exposure levels, control effectiveness, or measure performance.

Measurability: KRIs should be quantifiable and consistently measurable. They could be numbers, monetary values, percentages, ratios, or a value from a predefined rating set.

Predictive: KRIs should provide a leading, lagging, or current perspective of an organization's operational risk exposures.

Ease of Monitoring: Data for the KRI should be simple and cost-effective to collect and easy to interpret, understand, and monitor.

Auditability: KRIs should be verifiable. An independent validation of the KRI selection process should be undertaken, typically by the organization's internal audit function.
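To make these criteria concrete, here is an added worked example written for these notes (it is not code from the original material): a small Python model of a KRI that carries its benchmark, two thresholds and its history, classifies each indicator as GREEN, AMBER or RED, maps a breach to an escalation tier, and reads a trend from the lagging history. It implements the threshold and escalation-trigger scheme the notes describe under Setting Thresholds and Escalation Triggers. The indicator names, values, thresholds and the escalation tier names are constructed assumptions, not figures from the notes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Escalation tiers: each successive threshold notifies a more senior level.
# The tier names are assumptions for this example, not taken from the notes.
ESCALATION: Dict[str, Optional[str]] = {
    "GREEN": None,
    "AMBER": "business line manager",
    "RED": "head of operational risk / risk committee",
}
SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}


@dataclass
class KRI:
    name: str
    kind: str               # "exposure", "control" or "performance"
    perspective: str        # "leading" or "lagging"
    value: float            # latest measurement: count, %, ratio or rating
    benchmark: float        # reference point the value is compared against
    amber: float            # first threshold
    red: float              # second, more severe threshold
    worse: str = "above"    # "above": higher is worse; "below": lower is worse
    history: List[float] = field(default_factory=list)  # earlier periods

    def validate(self) -> None:
        """Measurability and auditability: numeric fields, consistent thresholds."""
        if self.worse not in ("above", "below"):
            raise ValueError(f"{self.name}: worse must be 'above' or 'below'")
        for label, v in (("value", self.value), ("benchmark", self.benchmark),
                         ("amber", self.amber), ("red", self.red)):
            if not isinstance(v, (int, float)):
                raise ValueError(f"{self.name}: {label} is not numeric")
        if self.worse == "above" and not self.benchmark <= self.amber < self.red:
            raise ValueError(f"{self.name}: need benchmark <= amber < red")
        if self.worse == "below" and not self.benchmark >= self.amber > self.red:
            raise ValueError(f"{self.name}: need benchmark >= amber > red")

    def deviation_from_benchmark(self) -> float:
        """Comparability: distance from the benchmark, positive when moving the wrong way."""
        d = self.value - self.benchmark
        return d if self.worse == "above" else -d

    def status(self) -> str:
        """Threshold interpretation: GREEN, AMBER (first threshold) or RED (second)."""
        if self.worse == "above":
            red, amber = self.value >= self.red, self.value >= self.amber
        else:
            red, amber = self.value <= self.red, self.value <= self.amber
        return "RED" if red else "AMBER" if amber else "GREEN"

    def escalation_target(self) -> Optional[str]:
        """Escalation trigger: who is notified when a threshold is breached."""
        return ESCALATION[self.status()]

    def trend(self) -> str:
        """Lagging view: average movement over the recorded periods, read in the
        'worse' direction, ignoring moves under 5% of the benchmark-to-red band."""
        series = self.history + [self.value]
        if len(series) < 3:
            return "insufficient data"
        deltas = [b - a for a, b in zip(series, series[1:])]
        avg = sum(deltas) / len(deltas)
        signed = avg if self.worse == "above" else -avg
        tol = 0.05 * abs(self.red - self.benchmark)
        if signed > tol:
            return "deteriorating"
        if signed < -tol:
            return "improving"
        return "stable"


def kri_dashboard(kris: List[KRI]) -> List[Dict[str, object]]:
    """One row per KRI, most severe first, as a risk committee would see it."""
    rows = []
    for k in kris:
        k.validate()
        rows.append({"name": k.name, "kind": k.kind, "perspective": k.perspective,
                     "value": k.value, "benchmark": k.benchmark, "status": k.status(),
                     "escalate_to": k.escalation_target(), "trend": k.trend()})
    rows.sort(key=lambda r: SEVERITY[str(r["status"])], reverse=True)
    return rows


def breached(kris: List[KRI]) -> List[str]:
    """Names of indicators whose threshold has been crossed, most severe first."""
    return [str(r["name"]) for r in kri_dashboard(kris) if r["status"] != "GREEN"]


# Constructed sample indicators (values, benchmarks and thresholds are illustrative).
SAMPLE_KRIS = [
    KRI("customer complaints per 10k transactions", "exposure", "lagging",
        14, 8, 12, 18, "above", [9, 10, 12]),
    KRI("identity misrepresentation cases detected", "control", "lagging",
        3, 2, 5, 10, "above", [2, 2, 4]),
    KRI("staff with overdue security training (%)", "control", "leading",
        22, 5, 10, 20, "above", [6, 9, 15]),
    KRI("core banking system availability (%)", "performance", "lagging",
        99.2, 99.9, 99.5, 99.0, "below", [99.9, 99.8, 99.6]),
]

if __name__ == "__main__":
    for row in kri_dashboard(SAMPLE_KRIS):
        print(row)
```

The `validate` step is what makes the indicator auditable: an internal auditor can check that every KRI is numeric and that its thresholds sit on the correct side of its benchmark before any status is trusted. The `worse` flag matters because a performance indicator such as availability breaches its threshold by falling, while an exposure count breaches by rising.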
Comparability: A KRI may not provide sufficient information without comparison to a benchmark. Percentages or ratios may not indicate exposure levels unless compared to a benchmark.

KRI Selection Process: Two main approaches can be used to select Key Risk Indicators (KRIs) - top-down or bottom-up. The top-down approach is initiated by senior management/directors, while the bottom-up approach allows business managers to select their own indicators. The aim is to cover the significant information needs at each organizational level to meet strategic objectives.

KRI Identification: KRIs can be identified via a Risk Control Self-Assessment (RCSA). Focus on significant risks and their causes, consider forward-looking and historical indicators, and collate data systematically.

Setting Thresholds: To interpret the data and identify required actions, thresholds are set for each indicator. When an indicator breaches the threshold, action must be taken. This is an essential part of an effective operational risk appetite framework.

Escalation Triggers: If a threshold is breached, a response or 'trigger' is activated. This determines the necessary action and who is responsible for it. Each threshold will likely trigger a notification to increasingly senior management levels.

Risk Appetite: Risk appetite provides context for identified and assessed risks and ensures appropriate escalation and governance. Operational risk appetite usually matures as the operational risk program develops, guided by internal loss event data, RCSA data, scenario analysis workshops, and KRI design and gathering.

Qualitative and Quantitative Risk Appetite: Qualitative risk appetite is expressed through written statements without quantification, emphasizing specific behaviors, attitudes, and control of an organization's risk culture. Quantitative risk appetite involves hard data derived from business management information. This could involve any combination of performance, risk, or control indicators, and is usually risk or control specific.

Scenario Analysis: Scenario analysis, stress testing, and reverse stress testing are crucial for assessing operational risks, particularly in cases where historical data is limited or unreliable. These methods:
i. Test organizational resilience to major operational risk events.
ii. Provide a forward-looking perspective to consider future risk events.
iii. Allow managers to think creatively about future risks in a less pressured environment.
iv. Complement other risk identification and assessment techniques.
v. Improve the control environment by identifying potential control weaknesses.

Stress testing evaluates the potential impact of external stress events, such as economic recession, pandemic, or political events, on the organization. Reverse stress testing begins by identifying the point of non-viability for the organization and then considers internal risk events that may cause losses exceeding this value.

Uses of KRIs: Key Risk Indicators (KRIs) serve various functions in risk management:
i. Risk Monitoring: KRIs can track changes in operational risk exposure and identify emerging risk trends, current exposure levels, and past events that might reoccur.
ii. Support Risk Assessments: KRIs can support risk assessments and monitor risk exposures between full updates of operational risk assessment processes.
iii. Monitoring Performance: KRIs can measure how well an organization is performing towards its risk objectives and assess the performance of critical processes or activities.
iv. Regulation and Capital Assessments: In the banking sector, KRIs help calculate operational risk capital under the Basel II Advanced Measurement Approach (AMA). They also assist in fostering a risk culture within the organization.

In the context of risk management, scenario analysis, stress testing, and the use of KRIs all aim to prepare organizations for unexpected events, helping them understand potential threats and ensuring that their strategic and operational decisions don't excessively increase vulnerability to these threats.

Unit: 20 TECHNOLOGY RISK

Role of Technology in Banking: Technology plays a significant role in banking, transforming how transactions are conducted, accounts are reconciled, and information is stored and retrieved. It allows banking services to be delivered anytime, anywhere, increasing customer expectations for efficient service delivery and top-level security.

Information as Assets: In the digital banking environment, information and knowledge based on it are considered 'information assets'. These assets are vital for business operations, and banks must provide adequate levels of protection.

Data Quality in Risk Management: Robust and reliable data is crucial in risk management. Ensuring the integrity, accuracy, completeness, and timeliness of data is essential to prevent errors in decision making.

Information Security vs IT Security: Information security extends beyond IT security, encompassing all information handling such as creation, viewing, transportation, storage, or destruction. It's essential for banks to establish an effective information security governance framework.

Basic Principles of Information Security:
Confidentiality: Preventing disclosure of information to unauthorized individuals or systems.
Integrity: Data cannot be modified without authorization.
Availability: Information must be accessible when needed.
Authenticity: Data, transactions, communications, or documents must be genuine.
Non-repudiation: A party to a transaction cannot deny having received or sent an electronic record.
Identification: Subjects must provide an identity to a system.
Authorization: Access must be authorized once a subject is authenticated.
Accountability and Auditability: Subjects are held accountable for their actions.

Information Security Governance: This includes the leadership, organizational structures, and processes that protect information. It aims to align information security with business strategy, manage risks, optimize information security investments, and measure security performance.

Necessity and Benefits of Information Security Governance: Benefits include increased predictability, assurance of decision-making, effective risk management, legal liability protection, process improvement, reduced security-related losses, and improved market reputation.
Security Program Activities: A comprehensive security program should include policy development, role assignment, security and control framework development, information asset classification and ownership assignment, periodic risk assessments, integration of security into all processes, security incident monitoring, effective identity and access management, and security performance metrics generation.

Organizational Structure, Roles and Responsibilities for Information Security in Banks:

(A) Boards of Directors/Senior Management: Responsible for information security and understanding the associated risks. Tasked with training board members about technological developments and their implications. They are involved in approving the information security policy and monitoring its implementation.

(B) Information Security Team/Function: This team focuses on information security management and should be separate from the Information Technology Division. Their responsibilities include risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Operational components of information security can be outsourced if necessary, but control and responsibility rest with the bank.

(C) Information Security Committee: This committee includes executives across the organization and is steered by the Chief Information Security Officer (CISO). The committee is responsible for developing and facilitating implementation of information security policies, standards and procedures. They also approve and monitor information security projects, plans, and budgets, and review the status of security incidents and awareness programs. They report to the Board of Directors on information security activities.

(D) Chief Information Security Officer (CISO): The CISO is a senior level official responsible for enforcing information security policies and coordinating security related issues within the organization. They report directly to the Head of Risk Management and work with the Chief Information Officer (CIO) to understand the IT infrastructure and operations. The CISO is also tasked with training line managers in managing risks related to technology delivery platforms.

Policies and Procedures: Banks need a board-approved information security policy, supplemented with standards, guidelines, and procedures that align with business needs.

Risk Assessment: Risk assessment is vital to information security management, ensuring threats/vulnerabilities that impact asset confidentiality, availability, or integrity are identified and managed.

Inventory and Information/Data Classification: Banks should maintain a detailed inventory of information assets, classified based on sensitivity and criticality to ensure adequate protection levels.

Defining Roles and Responsibilities: Define and communicate roles such as information owner, application owner, user manager, security administrator, and end-user.

Access Control: Access to information assets should be limited to those with a valid business need and for a specific time. This can prevent risks from internal sabotage or attacks.
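The access control principle above, together with the identification, authorization and accountability principles from the previous page, as an added worked example written for these notes (not code from the original material): every grant records a business need and an information-owner approval, lapses after a fixed period, and every allow or deny decision is written to an audit trail so that subjects can be held accountable. The user names, asset name, approver, the 90-day maximum grant period and the reference date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_GRANT_DAYS = 90   # assumed policy limit: access must be re-approved within 90 days
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass(frozen=True)
class Grant:
    subject: str          # identified (and, elsewhere, authenticated) user
    asset: str            # information asset, e.g. a classified data set
    action: str           # "read" or "write"
    business_need: str    # the valid business need recorded at approval
    approved_by: str      # information owner who approved the access
    expires_at: datetime  # time-bound access: lapses automatically


class AccessControl:
    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.audit_trail: List[Dict[str, object]] = []   # accountability record

    def grant(self, subject: str, asset: str, action: str, business_need: str,
              approved_by: str, now: datetime, days: int) -> Grant:
        """Create a time-bound grant; refuses undocumented or self-approved access."""
        if not business_need.strip():
            raise ValueError("a grant needs a documented business need")
        if approved_by == subject:
            raise ValueError("subjects may not approve their own access")
        if not 0 < days <= MAX_GRANT_DAYS:
            raise ValueError(f"grant duration must be 1..{MAX_GRANT_DAYS} days")
        g = Grant(subject, asset, action, business_need, approved_by,
                  now + timedelta(days=days))
        self._grants.append(g)
        self._record(now, subject, asset, action, "GRANT", f"approved by {approved_by}")
        return g

    def revoke(self, subject: str, asset: str, now: datetime, by: str) -> int:
        """Remove all grants of a subject on an asset; returns how many were removed."""
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if not (g.subject == subject and g.asset == asset)]
        removed = before - len(self._grants)
        self._record(now, subject, asset, "*", "REVOKE", f"{removed} grant(s) removed by {by}")
        return removed

    def is_authorized(self, subject: str, asset: str, action: str, now: datetime) -> bool:
        """Authorization check: a grant must exist and still be within its window.
        Every decision, allow or deny, is written to the audit trail."""
        matching = [g for g in self._grants
                    if g.subject == subject and g.asset == asset and g.action == action]
        if not matching:
            self._record(now, subject, asset, action, "DENY", "no grant")
            return False
        if all(g.expires_at <= now for g in matching):
            self._record(now, subject, asset, action, "DENY", "grant expired")
            return False
        self._record(now, subject, asset, action, "ALLOW", "active grant")
        return True

    def expired_grants(self, now: datetime) -> List[Grant]:
        """For periodic access review: grants that have lapsed but not been cleaned up."""
        return [g for g in self._grants if g.expires_at <= now]

    def _record(self, when: datetime, subject: str, asset: str, action: str,
                decision: str, reason: str) -> None:
        self.audit_trail.append({"time": when.isoformat(), "subject": subject,
                                 "asset": asset, "action": action,
                                 "decision": decision, "reason": reason})


def build_demo() -> AccessControl:
    """Constructed scenario: one active grant and one that lapsed 15 days ago."""
    ac = AccessControl()
    ac.grant("alice", "customer-ledger", "read", "monthly reconciliation",
             "ledger-owner", NOW - timedelta(days=10), 30)
    ac.grant("bob", "customer-ledger", "write", "year-end adjustments",
             "ledger-owner", NOW - timedelta(days=60), 45)
    return ac


def demo_decisions() -> Dict[str, bool]:
    ac = build_demo()
    return {
        "alice read": ac.is_authorized("alice", "customer-ledger", "read", NOW),
        "alice write": ac.is_authorized("alice", "customer-ledger", "write", NOW),
        "bob write": ac.is_authorized("bob", "customer-ledger", "write", NOW),
    }


if __name__ == "__main__":
    print(demo_decisions())
```

Expiry is checked at decision time rather than by a clean-up job, so a lapsed grant stops working even if nobody revoked it; `expired_grants` exists so that the periodic access review can still find and remove the stale records, and the audit trail keeps the reason for each denial for later investigation.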
Information Security and Information Asset Life Cycle: Information security needs to be considered at all planning, design, acquisition, implementation, maintenance, and disposal stages of an asset's life cycle.

Personnel Security: Background checks and credit checks should be used to manage risk from employees, contractors, or third-party employees with internal access.

Physical Security: Physical security risks should be mitigated through zone-oriented implementations, risk assessment, and environmental controls.

User Training and Awareness: Continuous training and awareness programs are critical, given that human error is often the weakest link in information security.

Incident Management: Banks need to have a framework for preventing, detecting, analyzing, and responding to security incidents.

Application Control and Security: Proper controls need to be put in place to handle the complexity and potential risk exposure from different types of applications and access levels.

Migration Controls: A Migration Policy ensuring data integrity, completeness, confidentiality, and continuity should be in place during data migration.

Implementation of New Technologies: New technologies should undergo robust diligence and testing to ensure they meet security standards and comply with the bank's risk appetite.

Encryption: Symmetric and Asymmetric encryption techniques should be used to protect sensitive data during transmission and storage.

Data Security: Procedures for ensuring the integrity and consistency of all electronically stored data need to be defined and implemented.

Vulnerability Assessment: Regular scanning for vulnerabilities and proactive addressing of discovered flaws is essential to avoid system compromises.

Establishing Ongoing Security Monitoring Processes: Robust monitoring processes should be in place to identify events and unusual activity patterns that could affect IT asset security.

Security Measures Against Malware: Banks should implement comprehensive anti-malware tools and train staff on avoiding potential threats. These tools should be modern, updated, and have a layered defense system.

Patch Management: Banks should have documented procedures for effectively and swiftly addressing system and software vulnerabilities through patch management to prevent business impact.

Change Management: Banks need a robust change management process that covers all types of changes including software upgrades, emergency fixes, and changes to IT infrastructure.

Audit Trails: Banks must ensure they have audit trails for IT assets to meet regulatory requirements, support audits, serve as forensic evidence, and assist in dispute resolution.

Information Security Reporting and Metrics: Regular security monitoring should be carried out to inform decision-makers about the efficiency of information security, areas requiring improvement, and necessary actions to minimize risk.

Information Security and Service Providers/Vendors: Banks should ensure that third-party service providers comply with their IT and security standards. Proper due diligence of these providers is vital to maintain system security.
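The ongoing security monitoring and audit trail notes above, as an added worked example written for these notes (not code from the original material): a small monitor that reads audit-trail records and flags three unusual activity patterns, namely repeated failed logins in a short window, successful logins outside business hours, and a privileged action by an account not expected to perform it. The key=value log format, the host and user names, the addresses, the business-hours window and the list of privileged actions and accounts are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Set

FAIL_THRESHOLD = 5                         # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=10)        # ... within this window is unusual
BUSINESS_HOURS = range(8, 20)              # 08:00-19:59 UTC, assumed for the example
PRIVILEGED_ACTIONS = {"export_customer_data"}   # assumed privileged operation
PRIVILEGED_ACCOUNTS = {"dba01"}                 # accounts expected to run it

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    result: str
    src: str


@dataclass
class Finding:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one 'timestamp key=value ...' record; malformed records return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    kv = dict(KV_RE.findall(m.group("kv")))
    try:
        return Event(ts, kv["host"], kv["user"], kv["action"], kv["result"], kv.get("src", "?"))
    except KeyError:
        return None   # a production monitor would also count skipped records


def analyze(lines: List[str]) -> List[Finding]:
    """Run the three detection rules over the records, in time order of the input."""
    findings: List[Finding] = []
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)   # sliding window per user
    already_flagged: Set[str] = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.action == "login" and ev.result == "FAIL":
            window = fails[ev.user]
            window.append(ev.ts)
            while window and ev.ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev.user not in already_flagged:
                already_flagged.add(ev.user)
                findings.append(Finding("repeated_auth_failure", ev.user, ev.ts,
                                        f"{len(window)} failed logins within {FAIL_WINDOW}"))
        if ev.action == "login" and ev.result == "OK" and ev.ts.hour not in BUSINESS_HOURS:
            findings.append(Finding("after_hours_access", ev.user, ev.ts,
                                    f"login at {ev.ts:%H:%M} UTC from {ev.src}"))
        if ev.action in PRIVILEGED_ACTIONS and ev.user not in PRIVILEGED_ACCOUNTS:
            findings.append(Finding("unexpected_privileged_action", ev.user, ev.ts,
                                    f"{ev.action} on {ev.host}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Rule -> affected users, the shape a reporting-and-metrics summary needs."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.user not in out[f.rule]:
            out[f.rule].append(f.user)
    return dict(out)


# Constructed audit-trail sample (one deliberately truncated record is included).
SAMPLE_AUDIT_TRAIL = [
    "2024-03-01T02:14:07Z host=core-db user=jsmith action=login result=FAIL src=10.0.5.23",
    "2024-03-01T02:14:19Z host=core-db user=jsmith action=login result=FAIL src=10.0.5.23",
    "2024-03-01T02:14:31Z host=core-db user=jsmith action=login result=FAIL src=10.0.5.23",
    "2024-03-01T02:14:44Z host=core-db user=jsmith action=login result=FAIL src=10.0.5.23",
    "2024-03-01T02:14:58Z host=core-db user=jsmith action=login result=FAIL src=10.0.5.23",
    "2024-03-01T02:15:10Z host=core-db user=jsmith action=login result=OK src=10.0.5.23",
    "2024-03-01T02:16:02Z host=core-db user=jsmith action=export_customer_data result=OK src=10.0.5.23",
    "2024-03-01T09:05:12Z host=core-db user=aroy action=login result=OK src=10.0.7.8",
    "2024-03-01T09:06:40Z host=core-db user=aroy",
    "2024-03-01T09:06:41Z host=core-db user=aroy action=read_account result=OK src=10.0.7.8",
    "2024-03-01T11:30:00Z host=core-db user=dba01 action=export_customer_data result=OK src=10.0.9.2",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_TRAIL):
        print(f)
```

The per-user deque keeps only failures inside the window, so memory stays bounded however long the trail is, and each user is flagged once per run rather than on every further failure. The truncated record shows why `parse_line` returns `None` instead of raising: one damaged line must not stop review of the rest of the trail.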
Network Security: Banks should deploy a multi-layered defense strategy, called defense in depth, to protect against cyber threats. This includes firewalls, intrusion detection systems, network intrusion prevention systems, etc.

Remote Access: Banks should have strict policies restricting remote access to their systems. All remote access devices should be controlled to prevent potential attacks.

Distributed Denial of Service Attacks (DDoS/DoS): Banks should be equipped to detect, monitor, and analyze anomalies in networks and systems as these could indicate a DDoS attack.

Implementation of ISO 27001 Information Security Management System: Banks should adopt Information Security Management System (ISMS) best practices like those described in ISO/IEC 27001 and ISO/IEC 27002.

Wireless Security: Banks using wireless networks should carefully evaluate the associated risks and implement additional controls. Wireless networks rely on extensive encryption to authenticate users and shield communications.

Business Continuity Considerations: Business continuity plans should account for various security implications due to unexpected events. These plans should be integrated with the overall security process and include provisions for disaster recovery systems.

Information Security Assurance:
Penetration Testing: This process involves a formal set of procedures to bypass security controls to test a system's resistance to potential attacks.
Audits: Auditing involves comparing current practices with established policies, standards, and guidelines to ensure they are being adhered to.
Assessment: This involves a comprehensive study to locate security vulnerabilities and recommend corrective actions. An assessment doesn't use a set standard to test against but provides the tester with full access to the systems.

General Information Regarding Delivery Channels: Banks should provide electronic banking channels like ATM/debit cards/internet banking only at the option of the customers. Banks should also ensure customers are well-informed about the risks and benefits of using these services.

Emerging Technologies and Information Security:
Virtualization: This involves operating systems for different applications residing on a single hardware unit, providing the benefits of decentralization like security and stability, while maximizing machine resources. However, it poses challenges including compatibility, support, licensing, staff training, and reliability.
Cloud Computing: This refers to a shared computing environment accessed through the internet. While it can make use of virtualization and grid computing, its biggest concerns are related to security and privacy.

Implementation of Recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management, and Cyber Frauds:
The banking industry has made significant efforts to address security challenges in coordination with various stakeholders like governments, regulators, and technology providers.
In 2011, the Reserve Bank of India issued guidelines based on the report from a working group led by Shri. G. Gopalakrishna. These guidelines covered areas of information security, electronic banking, technology risk management, and cyber frauds.
These guidelines are not one-size-fits-all and need to be implemented based on the risk profile, scope of activities, and the technology environment of the bank.
Banks using extensive technology support were required to implement all the stipulations from the guidelines. Banks were also required to conduct a gap analysis between their current status and the guidelines to create a time-bound action plan to address any gaps.
These guidelines aim to enhance safety, security, and efficiency in banking processes for the benefit of both banks and their customers.
As the technology and threat landscape evolves, banks are required to proactively create, fine-tune, or modify their policies, procedures, and technologies based on new developments and emerging concerns.

Digital Banking in Modern Financial Systems:

Digital Banking Definition: Digital banking refers to banking conducted via digital platforms, eliminating paperwork and making all banking activities available online. It combines online and mobile banking services under one umbrella.

Online Banking: Online banking involves accessing banking services through a bank's website via a computer. It allows users to check balances, pay bills, apply for loans or credit cards, and more without leaving home.

Mobile Banking: Mobile banking involves using a bank's app on a mobile device to access banking features. These apps typically allow for fund transfers, bill payments, and even peer-to-peer payments, and they can send banking alerts to users.

Benefits of Digital Banking:

Convenience: Digital banking provides 24/7 account access, allowing users to conduct banking tasks anytime, anywhere, including cashless transactions.

Features: Digital banking apps often offer personalized financial advice, savings tools, big purchase calculators, and more. They also allow users to view account balances, transfer funds, and pay bills, among other features.

Security: Banks prioritize security in mobile and online banking, offering features like multi-factor authentication and biometric logins.

Control: Digital banking gives users more control over their finances, allowing real-time access to manage and move money as needed.

Impact of Digital Banking on Traditional Banking:

Changing Customer Profile: With digital banking, customers can easily switch banks or compare services and offers due to the readily available information on the Internet.

Market Transparency: The banking market has become more transparent, with banks obtaining more information about competitors' product ranges.

Cross-selling: Digital banking enables banks to cross-sell other financial products and services due to the availability of customer banking trends and preferences.

Brand Names: In an e-banking environment with limited personal contact, a bank's brand name plays a crucial role in distinguishing itself from competitors.

Transaction Costs: Digital banking significantly reduces transaction costs as compared to traditional branch banking. The reduced costs render a large branch network less of a competitive advantage.
Branches: While digital banking has increased, branches continue to hold importance for services requiring personal attention, such as loan processing and financial advice.

Digital Banks and Digital Banking Units: With the rise of digital banking, the Reserve Bank introduced "Digital Banking Units" (DBUs) to widen the reach of digital banking services. DBUs offer electronic banking services with high automation and cross-institutional service capabilities.

Digital Banking Risks: The shift to digital banking brings its own set of risks, including strategic, operational, security, compliance, and reputation risks. Banks need to manage these risks carefully, including ensuring data security and complying with evolving regulatory requirements.

Strategic Risk: Technology-related decisions made by management without proper planning can lead to strategic risk. Aligning technology-related plans with strategic business planning can help mitigate this risk.

Operational Risk: This risk impacts the ability to deliver services and can result in financial losses, affecting customer data's confidentiality and integrity. It is the most common form of risk associated with digital banking and can arise from weaknesses in design, implementation, and monitoring of banks' information systems.

Security Risk: With digital banking, banks face security risks, such as unauthorized access to critical information stores. A security breach can lead to direct financial loss, reputational damage, and legal implications.

Compliance Risk: Banks engaging in e-banking face compliance risks due to frequently changing regulatory requirements and the evolving nature of technology. Compliance risk is heightened for cross-border transactions due to jurisdictional ambiguity.

Reputation Risk: Negative public opinion can harm a bank's reputation, impairing its ability to maintain customer relationships. This risk is not only significant for the concerned institution but may also have systemic implications.

Mitigating Risks: To reduce these risks, banks must have knowledgeable staff managing their compliance functions, formal incident response and management procedures, and customer education initiatives.

Money Laundering Risk: In digital banking, traditional methods for detecting and preventing criminal activities might not apply, increasing the risk of money laundering. Banks can mitigate this by designing robust customer identification and screening techniques, developing audit trails, and conducting regular compliance reviews.

Cross Border Risks: Digital banking's global reach introduces legal and regulatory risks, including uncertainty about legal requirements in various countries. Additionally, monitoring service providers located in another country could be challenging, increasing operational and country risks.

Credit Risk: Digital banking might amplify credit risk, as banks may struggle to accurately evaluate a customer's creditworthiness remotely. Proper evaluation and audit of lending processes are necessary to mitigate this risk.

Liquidity Risk: Banks involved in electronic money transfers must ensure sufficient funds to cover redemption and settlement demands. Failure to do so can lead to liquidity risk, legal action, and reputational risk.

Risk Management Challenges: E-banking's structural and operational differences from traditional banking increase and modify risk management challenges. These include the speed of change, integration with legacy systems, third-party dependencies, and security issues related to open networks.
Digital Risk Management Framework: A five-pillar approach to risk management in digital banking includes: risk management framework, information security management, outsourcing management, business continuity management, and legal and regulatory compliance.

Unit: 21 CORPORATE GOVERNANCE

Significance of Governance in Banks: The growing complexity of India's financial system necessitates stronger governance standards in banks. Governance, Risk, and Compliance (GRC) are the three strategic pillars of governance. Good governance influences resource allocation efficiency, depositors' interest protection, and financial stability.

Corporate Governance: Corporate governance is the system of rules and practices by which a firm is directed and controlled. It includes the relationships between a company's management, its board, shareholders, and other stakeholders. Good governance structures help companies attain their objectives and monitor performance, facilitating effective decision making.

Corporate Governance in Banking: Effective corporate governance in the banking industry is crucial due to its unique role in the economy and the need for public trust. Banks have wider stakeholders, including regulatory supervisors, governments, and depositors, and their interests must be addressed in a transparent manner. Bank failures can lead to broader macroeconomic implications and substantial public costs, highlighting the importance of robust governance structures.

Basel Committee and Corporate Governance: The Basel Committee on Banking Supervision (BCBS) advocates for a governance structure in banking that includes a board of directors and senior management. They've outlined several principles of sound corporate governance, focusing on qualifications of board members, clear lines of responsibility, oversight by senior management, effective utilization of audit functions, consistency of compensation policies, transparency, and understanding of the bank's operational structure.

Impact of Corporate Governance Failures: Failures of GRC can lead to crises like those experienced by Global Trust Bank, PMC Bank, Yes Bank, and Lakshmi Vilas Bank. These incidents underscore the critical role of corporate governance in banking.

Importance of Risk Management in Corporate Governance: The board of directors should prioritize risk management to safeguard shareholders' value, mitigate risks, and minimize agency risk. This is best achieved through risk governance.

Principles of Corporate Governance: These include fairness, transparency, integrity, risk management, responsibility, and accountability. The board should uphold these principles to ensure the company's successful performance.

Corporate Governance in the Banking Sector: Corporate governance is significant in banking due to lack of information for retail depositors, opacity and illiquidity of bank assets, and potential contagion effects from bank instability.

Basel Committee and Corporate Governance: The Basel Committee released principles to enhance corporate governance in banks, emphasizing the importance of risk management. It promotes a three-line defence system - business line, risk management function, and internal audit function.
Overall Responsibilities of the Board of Directors: The board oversees the bank's culture, governance framework, and the implementation of strategic objectives. They must reinforce ethical behavior and values within the organization.

Responsibilities of the Board - Culture and Values: The board must establish a strong ethical culture within the bank, promoting a clear code of conduct, implementing an effective feedback system, and incorporating adherence to values in employee performance appraisals.

Responsibility of the Board - Managing Conflicts of Interest: The board must identify and manage potential conflicts of interest within the organization. This includes a formal written 'conflicts of interest' policy and a robust review process for activities that might lead to conflicts. Appropriate public disclosure should be made for policies on actual, potential, or perceived conflicts of interest.

Board's role in risk governance: The board is responsible for overseeing a robust risk governance framework. The framework is organized around three lines of defense - business line, risk management and compliance, and internal audit and vigilance.

First Line of Defense - Business Units: Business units are responsible for identifying, assessing, managing, and reporting risks considering the bank's risk appetite, policies, and procedures.

Finance Function Role: Despite being a part of the first line of defense, the finance function is crucial in accounting and financial data. It ensures accurate recognition and reporting of business performance to the board and management.

Second Line of Defense - Risk Management and Compliance Functions: Independent from the first line, they oversee the bank's risk-taking activities, assess risks, and monitor compliance with all applicable rules, regulations, codes, and policies.

Third Line of Defense - Internal Audit and Vigilance Functions: They provide an independent review and assurance of the effectiveness of the first two lines of defense and ensure all transactions follow systems and procedures while minimizing misconduct and misuse of funds.

Risk Governance Framework Operation: An effective risk governance framework operates through a strong risk culture, well-articulated risk appetite through a Risk Appetite Statement (RAS), and well-defined responsibilities for internal control and assurance functions.

Risk Appetite and Role of the Board: The board is involved in defining the risk appetite aligned with the bank's strategic, capital, financial plans, and compensation practices. The risk appetite is conveyed through a RAS that is easily understood by all relevant parties.

Development of RAS: The Risk Appetite Statement (RAS) is developed through both top-down leadership from the board and bottom-up management involvement. It includes both quantitative and qualitative considerations, and it outlines the types and level of ris the bank is willing to take.

Board's Oversight of Risk Governance: The board must ensure the second and third lines of defense are adequately positioned, staffed, and resourced. Regular reviews of key policies and controls should take place, and the board must oversee the bank's adherence to the RAS, risk policy, and risk limits.

Risk Management Meetings: To fulfill its responsibilities towards 'risk appetite, management, and assurance,' the board must hold at least one meeting exclusively focused on these topics.
Oversight of Senior Management: The board has the following responsibilities:
i. Determine roles and responsibilities of senior management including the CEO and Whole-Time Directors (WTDs).
ii. Oversee the performance of senior management, holding them accountable for actions, especially regarding the bank's values, risk appetite, and risk culture.
iii. Regularly interact with senior management and critically review the explanations and information they provide.
iv. Establish performance and remuneration standards for senior management in line with the bank's strategic objectives and financial soundness.
v. Assess whether senior management's knowledge and expertise match the bank's risk profile and nature of business.
vi. Ensure appropriate succession plans are in place for senior management positions.

Other Board Responsibilities:
i. The board is responsible for the bank's business strategy, financial soundness, key personnel decisions, and internal organization.
ii. The board should establish an organizational structure that facilitates effective decision-making and good governance.
iii. Board members must exercise their 'duty of care' and 'duty of loyalty' to the bank as per regulatory standards.
iv. The board should actively engage in the bank's affairs, oversee the development and implementation of the bank's objectives and strategy, and act timely to protect the bank's long-term interests.
v. The board should approve financial statements, ensure independent reviews of the finance function, and oversee the bank's compensation approach, the integrity of whistle-blower policies, and compliance policy implementation.
vi. The board should also ensure that customer service aspects are periodically reviewed and compliance issues are resolved effectively.

Board's Structure and Practices:
i. The board should define appropriate governance structures and practices for its own work, and review them periodically for effectiveness.
ii. The board should structure itself in terms of leadership, size, and use of committees to effectively carry out its roles.
iii. The board should maintain or update the bank's memorandum or articles of association, or any resolution passed by the bank in a general meeting.
iv. The board should carry out regular assessments of its structure, size, composition, the effectiveness of its governance practices, and the ongoing suitability of each board member.
v. Use the results of these assessments for ongoing improvement efforts of the board and share the results with the supervisor where required.

The Audit Committee of the Board (ACB) is an integral committee that comprises Non-Executive Directors (NEDs) only. It ensures that two-thirds of its members are independent directors, with a minimum of three NEDs required for quorum.
The ACB is tasked with overseeing the bank's financial reporting process, internal financial controls, and financial risks. They are responsible for the review and approval of financial statements, accounting policies, and the adequacy of accounting controls. They also ensure that significant changes or issues relating to financial statements, audit findings, compliance with regulations, and related party transactions are adequately addressed.

The ACB meets at least six times a year, with no more than 60 days elapsing between two meetings. Meetings are chaired by an independent director, and the head of internal audit acts as the committee secretary.

ACB members are financially literate and have a strong understanding of accounting standards, internal financial controls, and financial reporting. At least one member must have specific expertise in accounting or related financial management.

The ACB approves the appointment of the CFO and auditors, monitors auditor independence and performance, discusses audit scope and concerns with auditors, reviews internal audit operations, and investigates issues referred by the board. They are responsible for addressing suspected fraud, internal control failures, violations, and breaches of internal controls.

The committee also oversees fraud risk management, reviews penalties imposed on the bank, monitors revenue leakage, approves transactions with related parties, and implements effective whistle-blower mechanisms.

Finally, the ACB reviews and approves policies related to audits, insider trading, and related party transactions. It ensures that all transactions and related information are subject to external audit and reflected in the bank's books of accounts. The ACB has full access to the bank's records and can seek information from any employee or external sources when necessary.

The Risk Management Committee of the Board (RMCB) is another important committee formed by the board. It consists of Non-Executive Directors (NEDs) only, with at least three members and two-thirds of them being independent directors. One member of the RMCB must have risk management expertise.

The RMCB meetings are chaired by an independent director who does not chair any other committee of the board. The committee meets at least six times a year, with a maximum of 60 days between two meetings. The Chief Risk Officer (CRO) serves as the committee's secretary, and the Head of Compliance reports to the RMCB.

The responsibilities of the RMCB include:
Ensuring accurate internal and external data for identifying, assessing, and mitigating risks, making strategic business decisions, and determining capital and liquidity adequacy.
Setting the bank's risk appetite based on its risk capacity through the formulation of the Risk Appetite Framework (RAF) and Risk Appetite Statement (RAS).
Allocating risk limits based on the agreed risk appetite and holding the first line of defense accountable for breaches in risk limits.
Establishing a system where risk management functionaries are not involved in activities they previously had revenue-generating responsibilities for, and ensuring effective challenge of business operations regarding all aspects of risk.
Deciding the composition and mandate of sub-committees for specific risks, including the Asset Liability Management Committee.
Implementing governance structures that prevent compromise by officers/executives and ensuring clear segregation between risk origination, underwriting, and documentation/operations functions.
Assessing internal controls and risk management systems, evaluating the bank's risk profile, and monitoring risk exposures.
Ensuring the effectiveness of risk management processes, risk reporting systems, and risk monitoring.
Promoting a strong risk culture through ongoing communication, risk awareness, and open challenge/communication about risk-taking across the organization.
Establishing effective communication and coordination with the audit committee, exchanging information, and adjusting the risk governance framework as needed.
Formulating the bank's compliance policy, identifying and managing compliance risks throughout the organization, and conducting quarterly reviews to assess the effectiveness of compliance risk management.
Reviewing technology-enabled systems to track covenant adherence, verifying opinions from third parties, implementing fraud risk assessment and management systems, and evaluating risk models and assumptions.
Ensuring the bank has a robust data infrastructure, information technology infrastructure, and data architecture to support risk management.
Maintaining ultimate responsibility for risk assessment and promoting effective risk communication and coordination within the organization.

The RMCB plays a crucial role in overseeing risk management practices, ensuring adherence to risk appetite, and promoting a strong risk culture throughout the bank.

The risk management function and its functionaries play a crucial role in the governance structure of a bank. Their responsibilities include:

Accountability and reporting: The risk management function reports only to the Risk Management Committee of the Board (RMCB) and is not involved in revenue generation, assuming risks, internal controls, compliance, or the third line of defense.

Enterprise risk management: If the bank is part of a group, the RMCB is responsible for establishing a group-wide enterprise risk management system.

Risk governance framework: Implementing an enterprise-wide risk governance framework, including policies and control procedures, to ensure that the bank's risk identification, aggregation, monitoring, and mitigation capabilities align with its size, complexity, and risk profile.

Risk appetite: Based on the risk capacity, determining the risk appetite for the bank after engaging with the first line of defense functionaries. Disaggregating and allocating risk appetite down to the business unit and risk taker level.

Risk identification and assessment: Developing policies and processes to identify and assess individual, aggregate, and emerging risks, ensuring consistency with business strategies, capital strength, and overall risk-taking willingness.

Organizational structure and access: Establishing an effective organizational structure for the risk management function with qualified and experienced staff. Ensuring unrestricted access to business lines, relevant subsidiaries, and affiliates, as well as records and management information systems.

Independent assurance: Providing independent assurance to the RMCB on the quality and effectiveness of the bank's internal controls and risk mitigants implemented by the first line of defense.

Risk monitoring and reporting: Ongoing monitoring of risk-taking activities and risk exposures, establishing early warning or trigger systems for breaches of risk appetite and limits, and challenging decisions that give rise to material risk.
Approval and risk culture: Approving new processes and products before their introduction and promoting a risk culture throughout the bank through instructions, training, and addressing risk management failures and breaches.

Chief Risk Officer (CRO): The CRO, reporting to the RMCB, has overall responsibility for coordinating risk management, supervising other risk management staff, and ensuring effective risk management capabilities. The CRO participates in key decision-making processes and engages with the board, RMCB, and management on risk issues.

Seniority and qualifications: The CRO holds a senior position in the hierarchy, with equivalence no less than one level below the Whole-Time Directors (WTDs)/CEO. The CRO should have the necessary professional qualifications and experience in risk management.

Access and budget: Risk management functionaries have direct access to the RMCB. The RMCB proposes the budget for the risk management function, and the compensation of risk management functionaries is proposed jointly by the RMCB and Nomination and Remuneration Committee (NRC).

Comprehensive risk management policy: The board, through the RMCB, is responsible for establishing a comprehensive risk management policy, including principles for recognizing, measuring, monitoring, mitigating, and managing risks across the organization. The policy undergoes periodic review by the RMCB, internal audit function, and external assessments every three years.

Internal Audit
Internal audit is the third line of defence in control of systems, providing independent assurance rather than advisory services.
Internal auditors are accountable to the board via the Audit Committee of the Board (ACB), auditing all activities of the first and second line of defence and vigilance function.
The internal audit function has complete access to all records, systems, and properties of the bank, ensuring the effectiveness of internal controls and risk management.
The ACB can receive internal audit reports without management filtering, and serious deficiencies are promptly reported to the board.
The internal audit function must not be outsourced, though experts can be hired on a contract basis if necessary.
An external auditor working on an assignment in the bank should not be given another assignment in the same bank for at least a year after the assignment's completion.

Vigilance
The vigilance function includes preventive vigilance, surveillance and detection, and punitive vigilance.
A policy should be in place for directors, employees, and third parties to report genuine concerns, with safeguards against victimisation.
The bank should have procedures for staff to report breaches, and there should be mechanisms for employees to report concerns outside regular reporting lines.
The bank should implement advanced analytics to monitor employee income, assets, and wealth, and initiate preventive vigilance.
Employees should be trained/retrained on specific standard operating procedures and should be empowered to report instances of oral instructions that breach any policy/process/guideline/statute/regulations.
The vigilance function will be headed by the Chief of Internal Vigilance (CIV), who will be a senior official with appropriate professional qualifications/experience.
Any premature removal of the CIV should be with the prior approval of the board and should be disclosed publicly.
Unit-22 CLIMATE RISK AND SUSTAINABLE FINANCE

Climate Change Impact: Environmental degradation and climate change impact not just the planet, but also the economy and financial system. Scientists predict global temperatures could exceed 4°C by the end of the century if no action is taken.

Paris Agreement: More than 190 countries signed the Paris Agreement in 2015 to limit global warming to below 2°C. Over 130 countries now aim to reduce emissions to net zero, with India committing to this by 2070.

India's NDC: India submitted its Nationally Determined Contribution (NDC) to the UNFCCC in 2015, with aims including reducing emissions intensity of its GDP by 45% by 2030, achieving 50% non-fossil fuel-based energy resources by 2030, and creating a carbon sink of 2.5 to 3 billion tons of CO2 equivalent through additional forest and tree cover by 2030.

Net Zero Emissions: This refers to balancing the amount of greenhouse gases produced and removed from the atmosphere. This can be achieved through processes like planting new forests or technologies that reduce atmospheric greenhouse gases.

Climate Situation in India: A 2020 report from India's Ministry of Earth Sciences indicates increasing average temperatures, decreasing monsoon precipitation, and increasing intensity and frequency of severe cyclones since the mid-twentieth century. This has direct implications on the economy and financial systems.

Basel Committee and Climate Risk: The Basel Committee describes climate change as a "green swan" event, representing a colossal and irreversible risk of staggering complexity. Financial institutions are thus required to manage these risks and opportunities that arise from climate change.

Green Swan Event: Inspired by the "Black Swan" concept, a Green Swan event is unexpected and rare, with catastrophic impacts that are explained post-fact. However, unlike Black Swans, Green Swans present more serious systemic risks, including potential existential threats to humanity due to their complexity and unpredictable reactions in environmental, geopolitical, social, and economic dynamics.

Climate Risk: Refers to potential risks from climate change or efforts to mitigate it, impacting the financial sector through physical risks (changes in weather and climate impacting economies) and transition risks (risks arising from the adjustment towards a low-carbon economy).

Physical Risk: Physical risks are the economic costs and financial losses due to increasing frequency and severity of extreme climate change-related weather events and longer-term shifts in the climate, such as changes in precipitation and rising sea levels.

Transition Risks: These refer to risks from the process of adjustment towards a low-carbon economy. They are influenced by changes in climate-related policies and regulations, emergence of newer technologies, and shifting customer sentiments and behaviors.

Unique Characteristics of Climate Change: Climate change impacts multiple business lines, sectors, and geographies; the timing, outcome and future pathways are uncertain; and climate risk drivers can trigger non-linearities (i.e., tipping points) exacerbating uncertainty.

Financial Risks from Climate Related Risk: Climate-related and environmental risks can potentially affect the prudential risk categories, including credit risk. They can impact household, corporate, or sovereign income and/or wealth, and affect a bank's ability to recover the value of a loan in case of default.

Weather vs Climate: While weather refers to short-term changes in the atmosphere, climate refers to atmospheric changes over longer periods of time, usually 30 years or more.
Green Swan Event: The Basel Committee describes climate change as a green swan event. These are unpredictable and could cause colossal and potentially irreversible risk of staggering complexity.

Climate Change Impact on India: A report by the Ministry of Earth Sciences, Government of India, notes a rise in average temperature, decrease in monsoon precipitation, rise in extreme temperature, droughts, and sea levels, and increase in the intensity and frequency of severe cyclones since the mid-twentieth century.

India's Climate Commitments: India's Nationally Determined Contribution (NDC) under the Paris Agreement includes reduction in Emissions Intensity of its GDP by 45 percent by 2030, achieving about 50 percent cumulative electric power installed capacity from non-fossil fuel-based energy resources by 2030, creating an additional carbon sink through additional forest and tree cover, and aiming for net zero emission by 2070.

Net Zero Emission: Refers to achieving a balance between greenhouse gas emissions produced and taken out of the atmosphere, such as planting new forests, or using drawdown technologies like direct air capture.

Market Risk: Climate risk, through physical and transition risks, can alter future economic conditions or asset values, leading to price shocks and increased market volatility. Transition-related changes could lead to changes in borrowing costs and abrupt repricing of financial assets.

Liquidity Risk: Extreme weather events can directly and indirectly impact banks' liquidity position. Natural disasters may lead to increased demand for loans and withdrawals, exacerbating liquidity stresses. Banks may struggle to liquidate assets impacted by weather events or the transition towards a sustainable economy.

Operational Risk: Physical climate risks can disrupt the bank's infrastructure, processes, staff and systems, affecting business continuity.

Reputational Risk: This can arise from banks financing environmentally damaging activities. Negative perception can adversely affect banks' abilities to maintain or establish business relationships.

Climate Risk Management Framework: It's important for banks to build resilience against climate risk. This can be achieved through robust environmental risk management policies, green financing and investment activities.

Board of Directors: They play a critical role in identifying climate-related risks and opportunities and assessing their impact on the bank's strategies and plans. They oversee the development and implementation of climate-related risk strategies, and ensure that both the business and assurance functions dealing with these risks are adequately staffed.

Committee/Sub-committee at the Board: They are responsible for developing and implementing the environmental risk management framework and policies, reviewing their effectiveness, establishing an internal escalation process for managing environmental risk, and allocating adequate resources for managing the bank's environmental risk.

Strategy: Banks need a proper strategy to navigate climate-related risks. This strategy should address the financial risk from climate and environmental degradation within the overall business strategy and risk appetite.

Policies and Procedures: Banks should frame a climate-related policy considering material physical and transition risks. This policy should define roles and responsibilities across all lines of defence. The bank should implement effective risk management practices and internal controls to manage environmental risk.
Risk Identification and Measurement: Banks should develop methodologies to identify and assess risks arising from environmental and climate change at customer, sector, and portfolio levels. Risk measurement practices can include climate risk scores or ratings, scenario analysis, stress testing, sensitivity analysis, natural capital analysis, and climate value-at-risk assessments.

Climate Risk Scores: These rate the climate risk exposure of assets, companies, portfolios, or countries, helping banks assess the relative climate exposure of existing and prospective credit intermediation.

Scenario Analysis: A forward-looking projection of risk outcomes, examining the effects of a wide range of plausible scenarios.

Stress Testing: A specific subset of scenario analysis used to evaluate a financial institution's near-term resiliency to economic shocks.

Sensitivity Analysis: Evaluates the effect of a specific variable on economic outcomes.

Natural Capital Analysis: Assesses how natural degradation negatively impacts a financial institution.

Climate Value-at-Risk: Applies the traditional VaR framework to gauge the impacts of climate change on financial institutions' balance sheets.

Monitoring: Banks should use a range of metrics and tools to monitor their exposure to financial risks from climate change.

Risk Management and Mitigation: Banks should take measures to mitigate or refrain from climate-related risks. These could include tenor limitations, lower loan-to-value limits, insurance requirements, and sustainable energy transition strategies for customers in high-risk sectors.

Risk Reporting: Regular reports on climate-related risk exposures should be provided to the Board of Directors. The frequency of reporting should be tailored to the nature and magnitude of the risks.

Climate-related Disclosure Framework: Banks should disclose their approach to managing environmental risk in a clear and meaningful way to stakeholders. The Task Force on Climate-related Financial Disclosures (TCFD) is a prominent disclosure framework for climate and sustainability.

Green Finance for Sustainable Development

Green Finance: It refers to financial arrangements for environmentally sustainable projects or projects adopting climate change aspects. It involves increasing financial flows from public, private, and non-profit sectors to sustainable development priorities. These could include renewable energy production, clean transportation, green building, waste management, and more.

Green Financial Instruments: New instruments and institutions like green bonds, carbon tax, green banks, and green funds are being established to meet the financial needs of sustainable projects.

International Best Practice: Climate change is a priority for the G20, with emphasis on developing a circular carbon economy (CCE) and promoting green initiatives. The four categories of global regulatory framework include sustainability disclosure, directed and concessional lending, micro and macro-prudential regulations, and establishment of green financial institutions.

Progress in India: India's emphasis on green finance began in 2007. The Reserve Bank of India (RBI) and Securities and Exchange Board of India (SEBI) have released various notifications and guidelines to promote sustainability. Fiscal and financial incentives have been implemented to reduce greenhouse gas emissions and increase renewable energy capacity.
Government of India (GoI) Incentives: Subsidies and incentives have been provided for installation of rooftop solar panels and for electric vehicle production and sales. Excess power generated from renewable sources can be sold at government-set tariffs.

Reserve Bank of India Initiatives: RBI has included the small renewable energy sector under its Priority Sector Lending (PSL) scheme and has set a target for 450 GW of renewable energy generation by 2030. RBI also released a "Discussion Paper on Climate Risk and Sustainable Finance" in 2022.

Green Lending: The aggregate outstanding bank credit to the non-conventional energy sector was around ₹36,543 crore as of end-March 2020, making up 7.9% of the outstanding bank credit to power generation.

Green Bonds: Green bonds are used for financing environmentally sustainable projects. As of February 12, 2020, the outstanding amount of green bonds in India was US$16.3 billion. Despite being a small portion of the total bond issuance, India holds a favorable position compared to several advanced and emerging economies.

Climate: Climate in a narrow sense is usually defined as the average weather, or more rigorously, as the statistical description in terms of the mean and variability of relevant quantities over a period of time ranging from months to thousands or millions of years.

Climate Related Financial Risk: The potential risks that may arise from climate change or from efforts to mitigate climate change, their related impacts and their economic and financial consequences.

ESG: ESG (environmental, social and governance) refers to a set of criteria that play a role in the investment decision-making process or in a company's operations. Environmental factors consider how an investment or a company contributes to environmental issues such as climate change and sustainability.

Greenhouse Effect: Greenhouse gases are those gaseous constituents of the atmosphere, both natural and anthropogenic, that absorb and emit radiation at specific wavelengths within the spectrum of thermal infrared radiation emitted by the Earth's surface, by the atmosphere itself, and by clouds. This property causes the greenhouse effect.

Physical Risk: Economic costs and financial losses resulting from the increasing severity and frequency of climate related events.

Transition Risk: The risks related to the process of adjustment towards a low-carbon economy.

Stress Test: The evaluation of a financial institution's financial position under a severe but plausible scenario.

Tipping Point: A level of change in system properties beyond which a system reorganises, often abruptly, and does not return to the initial state even if the drivers of the change are abated.

Green Finance: Green finance refers to the financial arrangements that are specific to the use for projects that are environmentally sustainable or projects that adopt the aspects of climate change.

Green Loan: A green loan is a loan available for eligible green sustainable projects.

Green Bond: Green bonds are the bonds issued by any sovereign entity, inter-governmental groups or alliances and corporates with the aim that the proceeds of the bonds are utilised for projects classified as environmentally sustainable.

Carbon Taxation: Carbon tax (or energy tax) generally refers to a tax levied on the carbon content of some goods and services, typically in the transport and/or energy sectors. The purpose is to reduce CO2 emissions by increasing the price of these goods and services. It is one of the main types of tools used in climate change policies around the world.