Risk Management in Banking

RISK MANAGEMENT

• BUSINESS IS INHERENTLY RISKY

• RISKS CANNOT BE AVOIDED COMPLETELY

• RISKS DEFY CONVENTIONAL THINKING

• IMPORTANCE OF RISKS CHANGES WITH TIME


FINANCIAL RISKS

• CREDIT RISKS

• MARKET RISKS

• LIQUIDITY RISKS

• OPERATIONAL RISKS

• Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

• Credit Risk: The risk that a borrower may not be able to repay a loan.

• Market Risk: The risk of loss arising from the fluctuating prices of investments as they are traded in the global markets.

Operational Risk

• Historically, operational risk has taken a back seat to market and credit risk
- it is not easy to quantify
- it means different things to different people
- in trading you are paid to assume market and credit risk but not operational risk

• However, operational risk can be large when not effectively measured or controlled

Operational Risk

• Reserve Bank of India Definition

Any risk which is not categorized as market or credit risk, or the risk of loss arising from various types of human or technical error. It is also synonymous with settlement or payments risk and business interruption, administrative and legal risks. Operational risk has some form of link between credit and market risks.

What is operational risk?

• Basel definition: “The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events (including legal risk but excluding strategic and reputational risk)”

Legal Risk – the risk of loss (including litigation costs, settlements and regulatory fines) resulting from the failure of the bank to comply with laws, regulations, prudent ethical standards and contractual obligations in any aspect of the bank’s business.

Generally excludes losses related to credit (outside of the defined boundaries)

Excludes opportunity costs

Definition - contd

Examples of operational risks in retail branch (illustrative)

– Internal processes: KYC guidelines not observed resulting in fraud

– People related : Lack of Job Knowledge, task misperformance, accounting error, delivery failure etc.

– Systems related : system failure, ATM outages etc.

– External events : Natural disasters resulting in disruptions of operations

• Key Point: Each Bank’s definition for internal management purposes should reflect its unique risk characteristics including its size and sophistication and complexity of its products and activities and nature

Compliance / Legal Risk

Compliance/Legal risk includes, but is not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements. Legal/compliance risk arises from an institution’s failure to enact appropriate policies, procedures, or controls to ensure it conforms to laws, regulations, contractual arrangements, and other legally binding agreements and requirements.

Documentation Risk

The unpredictability and uncertainty arising out of improper or insufficient documentation which gives rise to ambiguity regarding the characteristics of the financial contract is referred to as documentation risk.


Types of Operational Risks

• People risk
– Incompetence
– Fraud

• Process risk
– Transaction risk
– Execution error
– Product complexity
– Settlement error
– Documentation / contract risk

• Operational control risk
– Exceeding limits
– Security risks
– Volume risk

• Technology risk
– System risk
– Programming error
– Information risk
– Telecommunication error

• Risk from External Environment

Operational Risk

Your perception in back home situation:
- Branches
- Controllers
- Compliance Risk (Risk of legal or regulatory compliance)

HOW TO CONTROL/MITIGATE

Features of Operational Risk

• Pervasive: Embedded and inherent in internal processes, activities, people and systems across the entire Bank

• Measurement is a challenge: Cannot quantify / measure in the same manner as credit or market risk
– quantifying individual events is a challenge, e.g. system downtime, business disruption
– approach to be adopted for quantifying overall capital charge is a challenge

• Dynamic: With continuous changes in operations, processes, technology, external environment of the Bank, nature of operational risk undergoes changes all the time

• Ownership – a challenge: Being pervasive in nature, who should own its management poses a challenge

Operational Risk has different qualities from other risks

• People – Leniency, temptation

• Multiplier effect – Multiple control breakdowns can lead to exponential growth of potential loss

Multiplier effect – Barings 1995:
- No independent oversight, no local risk manager
- no segregation of duties between front and back-office
- systems unable to handle trade flow and trading errors
- sizable and repeated HQ cash transfer for ‘client’ margin loan without credit approval
- Lack of HQ understanding of business (i.e. huge ‘profits’ in index arbitrage & brokerage)
- audit report warnings ignored

Structure of the Basel Accord

The New Basel Capital Accord consists of three mutually enforcing pillars. All three pillars need to be applied by banks.

Pillar 1: Minimum Capital Requirements

Establishes minimum standards for management of capital on a more risk-sensitive basis and specifically addresses:
• Credit risk
• Operational risk
• Market Risk

Pillar 2: Supervisory Review Process

Increases the responsibilities and levels of discretion for supervisory reviews and controls covering:
• Processes for capital and risk profile management
• Capital adequacy
• Level of capital charge
• Proactive monitoring of capital levels and ensuring remedial action

Pillar 3: Market Discipline

Expands the content and improves the transparency of financial disclosures to the market, with disclosure of:
• Description of risk management approaches
• Levels of capital
• Analysis of risk exposures and capital by businesses / segments

Risk Management – Needed due to pervasive scope of risk

The pervasive scope of risk points to the need for a bank-wide, comprehensive risk management strategy, supporting structure , monitoring and control, and measurement processes which encompass all key elements of risk.

Risk and Control Culture

Credit Risk
• Corporate
• Consumer
• Counterparty
• Sovereign
• Model
• Insurance

Operational Risk
• Internal fraud
• External fraud
• Employment practices and workplace safety
• Clients, products & business practices
• Damage to physical assets
• Business disruption & system failure
• Execution, delivery & process management

Market Risk
• Underwriting
• Liquidity
• Market Price
• Trading and ALM
• Model

Reputational Risk and Business Strategy Risk, both are specifically excluded by BASEL

Basel II Menu

Approaches to minimum capital Requirement

Basel II provides banks with a menu of approaches for quantifying the different types of risk under Pillar 1

• Credit Risk
– Standardised Approach (a modified version of the existing Basel 1 approach)
– Foundation Internal Ratings Based Approach
– Advanced Internal Rating Based Approach

• Market Risk (unchanged from Basel 1)
– Standardised Approach
– Internal Models Approach

• Operational Risk
– Basic Indicator Approach
– Standardised Approach
– Advanced Measurement Approaches

Capital Allocation for Operational Risk

- Basic Indicator Approach – Banks must hold capital equal to 15% of average of previous 3 years annual gross income.

- Standardised Approach - Bank’s activities are decomposed into a number of standard business lines. Capital charge standardised by supervisor; gross income of each business line multiplied by prescribed ‘beta’ factor for that business line.

- Advanced Measurement Approach - Meant for Banks meeting rigorous standards and subject to Supervisory Approval.


Basic Indicator Approach

• Capital Charge = 15% of av. Gross Annual Income (positive income) of previous 3 years

• Basel Committee defines Gross Income as: net interest income + net non-interest income
- gross of any provisions (e.g. for unpaid interest)
- gross of operating expenses (including fees paid to outsourcing service providers)
- excluding realised profits/losses from sale of securities in the banking book
- excluding extraordinary or irregular income such as income from insurance claims

Operational Risk Capital : Basic Indicator Approach

$$K_{BIA} = GI \times \alpha$$

where:
$K_{BIA}$ = Capital charge under Basic Indicator App.
$GI$ = average annual gross income last 3 yrs.
$\alpha$ = 15%

Gross income = net interest income + net non-interest income as laid down by supervisors / national accounting standards.

1. gross of any provisions
2. exclude realised profits/losses from sale of securities in banking book (HTM and AFS)
3. exclude extraordinary / irregular items / Insurance Income

The Standardized Approach

Bank’s Gross Income mapped to 8 business lines defined by Basel

Capital charge for each business line calculated by multiplying an indicator by a factor assigned to that business line
• Indicator: annual gross income (as described in BIA)
• Factor: beta (β) established by the BCBS

Total capital charge is based on the 3 year average of the simple summation of the regulatory capital charges across each of the business lines in each year

The Standardised Approach (TSA)

More refined than Basic Indicator Approach

Gross income for each business line, not the whole institution.

Gross income for a business line- same definition as in Basic Indicator Approach.

Capital charge- multiply gross income by a factor (beta) assigned to that business line.

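Total capital charge:

$$K_{TSA} = \frac{\sum_{\text{years } 1\text{-}3} \max\left[\sum \left(GI_{1\text{-}8} \times \beta_{1\text{-}8}\right),\ 0\right]}{3}$$

where:
$K_{TSA}$ = capital charge The Std. App.
$GI_{1\text{-}8}$ = Gross Income
$\beta_{1\text{-}8}$ = multiplication factor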

Standardised Approach

Business Lines             Beta factor (β)
Corporate Finance          18 %
Trading & sales            18 %
Retail Banking             12 %
Commercial Banking         15 %
Payments & settlements     18 %
Agency services            15 %
Asset Management           12 %
Retail Brokerage           12 %

Operational Risk Capital: The Standardised Approach (TSA) – an example

Business Lines             Average Gross Income of 3 years    Beta factor (β)    Capital charge
                           (Rupees in crores)
Corporate Finance          200                                18 %               36
Trading & sales            100                                18 %               18
Retail Banking             200                                12 %               24
Commercial Banking         200                                15 %               30
Payments & settlements     200                                18 %               36
Agency services            100                                15 %               15
Asset Management           100                                12 %               12
Retail Brokerage           100                                12 %               12
Total                      1200                                                  183

OR Capital : BIA vs TSA

• Under TSA capital computation is a function of the nature of bank’s business composition. E.g. for banks where Treasury & Commercial segments are the major contributor the Bank will have to allocate a higher capital (Commercial – 15%, Trading & Sales – 18%) as against banks who are active in retail segment where beta factor is 12%

• Thus TSA presents a more realistic capital computation approach as compared to BIA as it is a function of business mix.

• Income is still the proxy for risk and therefore both TSA and BIA don’t provide Bank with any incentive for improved risk management
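The two capital formulas above, worked in code as an added example that is not part of the original slides: it reproduces the 183 crore TSA figure from the table, compares it with the BIA charge on the same income, and shows the per-year zero floor in K_TSA. The function names and the stress-year figures are constructed for illustration; dropping non-positive years from both the sum and the count of the BIA average is the Basel II rule behind the slide's "(positive income)" remark.

```python
from decimal import Decimal

ALPHA = Decimal("0.15")  # Basic Indicator Approach factor from the slides

# Beta factors per Level 1 business line, as listed in the slides' table.
BETA = {
    "Corporate Finance": Decimal("0.18"),
    "Trading & sales": Decimal("0.18"),
    "Retail Banking": Decimal("0.12"),
    "Commercial Banking": Decimal("0.15"),
    "Payments & settlements": Decimal("0.18"),
    "Agency services": Decimal("0.15"),
    "Asset Management": Decimal("0.12"),
    "Retail Brokerage": Decimal("0.12"),
}

# Gross income per business line (Rupees in crores) from the slides' TSA example.
PAGE_EXAMPLE = {
    "Corporate Finance": 200, "Trading & sales": 100, "Retail Banking": 200,
    "Commercial Banking": 200, "Payments & settlements": 200,
    "Agency services": 100, "Asset Management": 100, "Retail Brokerage": 100,
}

# Constructed stress year (not from the slides): a large trading loss.
STRESS_YEAR = dict(PAGE_EXAMPLE, **{"Trading & sales": -2000})


def bia_charge(gross_income_by_year):
    """K_BIA = alpha x average gross income over the years where it was positive."""
    positive = [Decimal(gi) for gi in gross_income_by_year if gi > 0]
    if not positive:
        return Decimal(0)
    return ALPHA * sum(positive) / len(positive)


def tsa_year_charge(gi_by_line):
    """Sum of GI x beta over the business lines for one year (can be negative)."""
    unknown = set(gi_by_line) - set(BETA)
    if unknown:
        raise ValueError(f"unmapped business line(s): {sorted(unknown)}")
    return sum(BETA[line] * Decimal(gi) for line, gi in gi_by_line.items())


def tsa_charge(years):
    """K_TSA = average over the years of max(yearly charge, 0)."""
    floored = [max(tsa_year_charge(year), Decimal(0)) for year in years]
    return sum(floored) / len(floored)


def compare(years):
    """Return (K_BIA, K_TSA) for the same per-line gross income history."""
    totals = [sum(year.values()) for year in years]
    return bia_charge(totals), tsa_charge(years)


if __name__ == "__main__":
    steady = [PAGE_EXAMPLE] * 3
    stressed = [PAGE_EXAMPLE, PAGE_EXAMPLE, STRESS_YEAR]
    for label, years in (("steady", steady), ("stressed", stressed)):
        bia, tsa = compare(years)
        print(f"{label:9s} K_BIA={bia}  K_TSA={tsa}")
```

In the stressed history the loss year still counts in the TSA average, floored at zero, while under BIA it is left out of the average entirely, so the two charges diverge even though the other two years are identical.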


Advanced Measurement Approach

Definition:

Under Advanced Measurement Approach, the regulatory capital will equal the risk capital measured by Bank’s internal operational risk measurement system using Bank specific statistical models

Banks under this approach are allowed to develop their own empirical model to quantify required capital for Op risk based upon the 4 data elements.

Banks have flexibility in the specific methods used for incorporating the elements in the models


Advanced Measurement Approach

• Under this approach, regulatory capital requirement for Operational Risks will be calculated on the basis of risk measure generated by bank’s internal operational risk measurement system using quantitative & qualitative criteria

– subject to supervisory approval


Advanced Measurement Approach

• 1st step in AMA is Operation Profiling:
- Identification & quantification of ORs in terms of its components
- Prioritization of ORs and identification of risk concentrations
- Formulation of bank’s strategy for OR management & risk based audit

• Estimated level of Operational Risk depends on
- estimated probability of occurrence
- estimated potential financial impact
- estimated impact of internal controls
(problem: absence of reliable historical data)
(Need to Extract Loss Data in various business lines and strengthen MIS.)

Advanced Measurement Approach

• RCSA (Risk and Control Self Assessment)
• KRI (Key Risk Indicator)
• Loss Data Entry

[Figure: Capital Computation Approach for Operational Risk]

Business Lines & Loss Events

• Basel II & RBI have identified 8 business lines and 7 risk event categories, arranged as a matrix of business lines (rows) against event types (columns).

Event types:
• INTERNAL FRAUD
• EXTERNAL FRAUD
• EMPLOYMENT PRACTICES AND WORK PLACE SAFETY
• CLIENTS, PRODUCTS & BUSINESS PRACTICES
• DAMAGES TO PHYSICAL ASSETS
• BUSINESS DISRUPTION AND SYSTEM FAILURES
• EXECUTION DELIVERY & PROCESS MANAGEMENT

Business lines:
• CORPORATE FINANCE
• TRADING AND SALES
• RETAIL BANKING
• COMMERCIAL BANKING
• PAYMENT AND SETTLEMENT
• AGENCY SERVICES
• ASSET MANAGEMENT
• RETAIL BROKERAGE

Mapping of Business Lines

• Internal historical loss data to be mapped onto Level – 1 business lines

Level – 1: Corporate Finance
– Level – 2: Corporate Finance, Government Finance, Merchant Banking, Advisory Services
– Activity Group: M&A, Underwriting, Securitisation, Syndication

Level – 1: Trading & Sales
– Level – 2: Sales, Market Making, Treasury
– Activity Group: Foreign Exchange, Repos, Brokerage, Income from Cross Selling

Level – 1: Retail Banking
– Level – 2: Retail Banking, Card Services
– Activity Group: Private Lending & deposits, other banking services

Level – 1: Commercial Banking
– Level – 2: Commercial Banking
– Activity Group: Gross Income

Level – 1: Payment & Settlement
– Level – 2: External Clients
– Activity Group: Payments and Collections, Funds Transfer, Clearing & Settlement

Level – 1: Agency Services
– Level – 2: Custody
– Activity Group: Depository, Securities lending, Corporate Actions, Corporate Agency

Level – 1: Retail Brokerage
– Level – 2: Retail Brokerage
– Activity Group: Execution Services

Level – 1: Asset Management
– Level – 2: Discretionary Fund Management, Non-discretionary Fund Management
– Activity Group: Institutional, Retail

Detailed Loss Event Type Classification

Event Type Category (Level 1): Internal Fraud
Definition: Losses due to acts of a type intended to defraud or circumvent regulations, which involves at least one internal party
Categories (Level 2) with Activity Examples (Level 3):
• Unauthorized Activity – Transactions not reported (intentional); Sanctioning Unauthorised Activities
• Theft & Fraud – Fraud / Credit Fraud / Theft / Embezzlement / Robbery; Misappropriation of assets; Forgery; Impersonation; Tax non-compliance / Evasion of Tax; Bribes / Kickbacks

Event Type Category (Level 1): External Fraud
Definition: Losses due to acts of a type intended to defraud, circumvent rules, by a third party
Categories (Level 2) with Activity Examples (Level 3):
• Theft & Fraud – Theft / Robbery; Forgery
• System Security – Hacking; Theft of information

Event Type Category (Level 1): Employment practices & workplace safety
Definition: Losses arising from acts inconsistent with employment, health or safety laws, from payment of personal injury claims or from discrimination events
Categories (Level 2) with Activity Examples (Level 3):
• Employee Relations – Compensation, Termination Issues, Organized Labour Activity
• Safe Environment – General Liability, Employee health, Workers Compensation
• Diversity & Discrimination – All discrimination types

Event Type Category (Level 1): Damage to Physical Assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events
Categories (Level 2) with Activity Examples (Level 3):
• Disaster & Other Events – Natural Disaster Losses; Human losses from external sources (terrorism etc.)

Event Type Category (Level 1): Business disruption and system failures
Definition: Losses arising from disruption of business or system failures
Categories (Level 2) with Activity Examples (Level 3):
• Systems – Hardware; Software; Telecommunications; Utility outage

Event Type Category (Level 1): Clients, Products & Business Practices
Definition: Losses arising from an unintentional or negligent failure to meet professional obligation to specific clients or from the nature of design of a product
Categories (Level 2) with Activity Examples (Level 3):
• Suitability, Disclosure & Fiduciary – Fiduciary breaches / guidelines violations; Suitability (KYC), Breach of Privacy, Aggressive Sale, Account Churning, Misuse of Confidential Information, Lender Liability
• Improper Business or Market Practices – Improper Trade / market practices; Market Manipulation; Insider Trading; Unlicensed Activity; Money Laundering
• Product Flaws – Product defects; Model errors
• Selection, Sponsorship & Exposures – Failure to investigate client per guidelines; Exceeding client exposure limits
• Advisory Activities – Disputes over performance of advisory services

Event Type Category (Level 1): Execution, Delivery & Process Management
Definition: Losses from failed transaction processing or process management from relations with trade counterparties and vendors
Categories (Level 2) with Activity Examples (Level 3):
• Transaction Capture, Execution & Maintenance – Miscommunication; Data Entry, Maintenance or loading error; Missed deadline or responsibility; Accounting error / entity attribution error; Delivery failure; Collateral management failure; Reference Data Maintenance
• Monitoring & Reporting – Failed mandatory reporting obligation; Inaccurate External Reports
• Customer Intake & Documentation – Client permissions / disclaimers missing; Legal documents missing / incomplete
• Customer Account management – Unapproved access given to accounts; Incorrect customer records; Negligent loss or damage
• Vendor & Suppliers – Outsourcing; Vendor Disputes

AMA : Data Elements

A bank’s internal measurement system must reasonably estimate unexpected losses based on the combined use of:
• Internal Loss Data
• External Loss Data
• Scenario Analysis
• Business Environment & Internal Control Factors (BEICF)

Loss Events Database – OR Redefined

• Creation of Loss Events Database:
• Clarity on definition –

• Example: a loan goes bad
Clearly: Credit Risk
But, it is found that the faulty documentation is not enforceable
Now clearly: Operational Risk

• Example: a dealer runs a position resulting in loss due to market movements
Clearly: Market Risk
But, it is found that the dealer exceeded permitted limits
Now clearly: Operational Risk

Internal Loss Data

Definition:

“Any data on exposures held in a bank’s existing or historical portfolios, including data elements or information provided by third parties regarding such exposures.” e.g. Penalties, Compensation paid etc.


Internal Loss Data

Platform & Systematic process for comprehensive data collection of Operational loss

Operational losses must be mapped to 7 event types and 8 business lines

Threshold for data collection: banks to demonstrate that no important loss data is excluded

Internal loss data is used for direct input to Op Risk capital model. Also as input in scenario analysis & BEICF (Business Environment & Internal Control Factors)

Issues related with the collection of Loss Data from branches developed


External Loss Data

Bank’s operational risk measurement system must use relevant external operational loss data (either public data and / or pooled industry data)

Obtained from data consortia, vendors, newspapers, court records, insurance companies, etc

Multiple Uses i) Management reports ii) Direct input into capital model, iii) Supplement internal loss data for low frequency and high severity events (tail events)


External Loss Data

Definition: “External data refers to information on exposures held outside of the bank’s portfolio or aggregate information across an industry.”

It along with scenario analysis helps in capturing data for tail events (high severity, low frequency)

Loss Data – Near Misses

"Near Misses" are operational risk events where no loss has actually been incurred by the Bank. Examples are Attempted Frauds, Failed Controls, Potential System failure etc.

It can also be explained as an operational risk event which results in no financial impact by chance, or following any action taken by counterparty or a third party. The fact that there is no financial impact is neither due to the efficiency of controls nor to a specific internal action.

Live Example: In a branch, there was an attempt to encash a fake dividend warrant for an amount of Rs 100000.00, which was prevented by vigilant staff.

Business Environment & Internal Control Factors (BEICF)

The Indicators of an institution’s operational risk profile that reflect a current and forward looking assessment of its underlying business risk factors and internal control environment.

Tools Used to support BEICF Requirement:
• Risk Control Self-Assessments (RCSA)
• Key Risk Indicators

Operational Risk Management - RCSA

• RCSA is a systematic and rigorous process which leverages the collective knowledge of individuals within the organization to proactively Identify, Assess, Mitigate/Control and Report ‘Significant Risks’

• RCSA questionnaires developed for various entities, viz. front office, mid office and back office

• RCSA process customized to suit various risk entities of the Bank

• After the risks are identified, controls are to be put in place, the efficacy of which can be measured in the subsequent RCSA exercise, resulting in better risk management.

• It is a continuous process.

RCSA : Risk Assessment

Risk assessment enables management to rate and analyze significant risks based on impact (severity) and likelihood (frequency) and identify controls for risk mitigation

As part of the risk assessment process an “Owner” is defined for each risk and timelines for implementation

Risk assessment forms basis for subsequent steps of risk mitigation, measurement and reporting.

RCSA : Assessment Scale

SEVERITY OF OPERATIONAL LOSS
1. Very low impact
2. Low impact
3. Moderate impact
4. High impact
5. Very high impact

PROBABILITY OF LOSS
1. Very low likelihood
2. Low likelihood
3. Moderate likelihood
4. High likelihood
5. Very high likelihood

KEY RISK INDICATORS

• KRIs are early warning signals used to monitor Op Risk. KRIs are generally derived from key risks identified in the RCSA exercise to enable the bank to track the trajectory of risks.

• KRIs could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover (attrition in treasury), system downtime and so on.

• KRIs to link to different risk dimensions such as:
– Potential frequency
– Average severity or cumulative loss

KEY RISK INDICATORS – 2

• KRIs to be readily defined, understandable and quantifiable
– Collectable at a reasonable cost/time units
– Comparable through time and across business units
– Auditable

• Indicators may be either numeric or financial
– Financial are preferred

• Institutions / Banks are all very different
– There cannot be any standard library of KRIs: organisation / business specific, function of internal controls too.
– Different Banks/offices/Businesses may use different KRIs for the same risk

KEY RISK INDICATORS - Example

Indicator                                     Value          Escalation Trigger   % Change over Last Quarter   % Change over Last Year
Staff Turnover Rate                           5%             15%                  10%                          20%
Downtime in IT system during Trading Hours    22 hours       24 Hours             15%                          25%
Material Data Security Breaches               1              2                    100%                         100%
Number of Failed Critical Systems             6              10                   100%                         200%
Value of Loss due to Suspicious Activity      1.6 million    3 million            111%                         103%
Value of Unreconciled items over 30 days      3.22 million   3 million            77%                          262%

Scenario Analysis

A systematic process of obtaining opinions from Business Managers & Risk Management experts to derive reasoned assessments of the likelihood & impact of operational losses

Where scenarios are used:
• Input for Operational Loss capital
• Basis of an Operational Risk analytical framework

Use of scenarios varies widely among institutions

Example: Components of a Scenario

• Scenario: Rogue Trader
• Output: Scenario loss amount and probability
• Key considerations: “Each scenario should use internal loss data, external loss data, business environment and internal control factors to determine the scenario severity and probability parameters.”

• Internal Loss Data
– What losses has the firm experienced for the given scenario?
– What were the size of losses, frequency of major events?
– What management actions have been taken to prevent future occurrence or reduce potential size of loss?

Example: Components of a Scenario (cont.)

• External Loss Data
– What major events of this particular scenario have occurred to other firms similar to the firm?
– What is the potential range of losses? How frequently have the events occurred?
– What is the potential loss and likelihood of occurrence for the firm?

• Business Environment & Internal Control Factors
– What are the BEICFs that could affect size and likelihood of loss?
– Complexity of product/business, pace of change or market regulation, volumetrics, key risk indicators.

Why is Operational Risk receiving increased attention ?

• Growing complexity in the banking industry (products, services, technology, globalization, acquisitions/mergers, etc.)
• Several large and widely publicized operational losses in recent years, e.g. Barings Bank, Sumitomo Corp, Daiwa Bank (NY), Societe Generale, SATYAM
• Rapid pace of innovation
• Increased focus on corporate governance
• Increased global competition
• A changing regulatory capital regime

BARINGS BANK

This is one of the most infamous tales of financial demise. Trader Nick Leeson was supposed to be exploiting low-risk arbitrage opportunities between derivatives written on the Nikkei equity index traded on the Singapore Money Exchange (SIMEX) and on the Osaka exchange. In practice, he was running open futures contracts on the two exchanges. Thanks to the lax attitude of senior management, Leeson was given control over both the trading and back office functions. As Leeson’s losses mounted, he increased his bets by selling options. Unfortunately, the major Kobe earthquake in February 1995 caused the Nikkei Index to drop sharply. Leeson’s losses increased rapidly, and Barings was unable to continue to fund his positions. Despite emergency meetings at the Bank of England, external support was not forthcoming for Barings, and in March 1995 it was purchased by the Dutch bank ING for just GBP 1.

Control of Operational Risk

• Book of Instructions
• Circulars
• Delegation of Financial Powers
• Appropriate Reporting System
• Policies of the Bank
• Use of Information Technology
• Self Assessment
• Audit committees

Unless you are able to implement your controls & you have powers to penalise, the controls will be meaningless.

Mitigating Operational Risk

Basic objective of Operational Risk Management is to mitigate Operational Risk:

• Inspection & Audit
• Insurance
• Training
• Rewards

Best Practices of Operational Risk

• Identify
• Assess
• Report
• Mitigate
• Measurement

Control of Operational Risk

• Book of Instructions / Manuals

• Circulars

• Delegation of Financial Powers

• Appropriate Reporting System

• Policies of the Bank

• Use of Information Technology

• Self Assessment

• Audit committees

Implementation at Role holders’ level – a Process

• Identify the events / transactions
• Identify the parties involved
• Identify the potential pressure points
• Identify the processes:
– Awareness
– Systems / Procedures
• Follow
• Strengthen
• Own Implementation
