Basics of Risk


1. Introduction to Risks in Banks

Banking risk is inherent in all banking products, activities, processes and systems, and the effective management of risks has always been a fundamental element of a bank’s risk management program. Banking risk impacts the stakeholders, lenders, employees, government, creditors, customers and even society at large. The typical risks for banking activities consist of the following: credit risk, meaning the risk of losses that result from the inability of the bank's clients or other stakeholders to meet their financial commitments; market risk, generated by trading activities (interest rates, foreign exchange, loss of value of financial instruments, etc.); operational risk, which refers to the risk of losses or sanctions due to procedural failures, human error or external events; and liquidity risk, the risk that the bank cannot meet its cash flow obligations when they are due. As a result, sound risk management is a reflection of the effectiveness of the board and senior management in administering the bank's portfolio of products, activities, processes, and systems. Risk management generally encompasses the process of identifying risks to the bank, measuring exposures to those risks (where possible), ensuring that an effective capital planning and monitoring program is in place, monitoring risk exposures and corresponding capital needs on an ongoing basis, taking steps to control or mitigate risk exposures, and reporting to senior management and the board on the bank’s risk exposures and capital positions. Bank risk managers across the globe struggle to manage these challenges and overcome their impact. To overcome risks, internal controls are typically embedded in a bank’s day-to-day business and are designed to ensure, to the extent possible, that bank activities are efficient and effective, information is reliable, timely and complete, and the bank is compliant with applicable laws and regulations.

The banking sector has always been a backbone of the economy; however, failures in financial markets have time and again proved that no bank sector or economy is shielded from developments across the globe. In earlier times, banks had a very limited definition of risk which primarily focused on the risk of misrepresentation in financial statements and operational risk, and therefore, the efforts were also concentrated on managing these risks. However, with increasingly changing scenarios in business, society, geography and politics, and with the growing importance of technology, environment and data, many catastrophic risks such as data leakage and privacy risk are now staring banks in the face. Cyber security risk and reputational risk are the latest entrants to the complex web of risks. Further, with very limited tools and resources available to quantify the amount of damage these risks can cause, they have quickly become the top agenda item of any banking boardroom discussion.

Vulnerability refers to the susceptibility of a bank to a risk event in terms of criteria related to the bank’s preparedness, agility, and adaptability. Vulnerability is related to impact and likelihood. The more vulnerable the bank is to the risk, the higher the impact will be should the event occur. If risk responses including controls are not in place and operating as designed, then the likelihood of an event increases. Assessing vulnerability allows entities to gauge how well they’re managing risks. Hence, sound internal governance forms the foundation of an effective risk management Framework. The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. Banks should develop, implement and maintain a Framework that is fully integrated into the bank’s overall risk management processes. The Framework for risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

1.1. Major Risks in Banks

The major risks in banks are:

1. Credit Risk: Credit risk or default risk involves the inability or unwillingness of a customer or counterparty to meet commitments in relation to lending, trading, hedging, settlement and other financial transactions. Measuring risk through credit rating/scoring, quantifying the risk through estimating expected loan losses, and risk pricing can be some of the mitigations.

2. Market Risk: Market risk arises from adverse changes in market variables, such as interest rate, foreign exchange rate, equity price and commodity price. Banks should have risk measurement systems that capture all material sources of market risk and assess the effects on the bank.

3. Liquidity Risk: Liquidity risk of banks arises from funding of long-term assets by short-term liabilities, thereby making the liabilities subject to rollover or refinancing risk. A bank has adequate liquidity when sufficient funds can be raised, either by increasing liabilities or converting assets, promptly and at a reasonable cost. It encompasses the potential sale of liquid assets and borrowings from money, capital and forex markets.

4. Preventable Risk: The tolerance level for preventable risks in a bank should be zero. These are usually risks known from experience. These risks are usually controllable. In certain cases, preventable risks can be eliminated completely using advanced automation.

5. Strategic Risk: Strategic risks are not undesirable in the way preventable risks are. These risks are taken by the bank as they are unavoidable to maintain competitiveness or profitability.

6. Regulatory Risk: Banks face the risk that regulators' expectations might not be met, including the risk that regulatory releases are missed by the bank (if the bank is not very dynamic). To manage such risks, the responsibility is given to the second line of defense in a bank.

7. Business Risk: Business risk comes into the picture because of reasons such as concentration (meaning an exposure in single groups or investments etc.), fluctuations in interest rates or forex, lack of liquidity, failing new products, failing investments etc. These risks are to be managed by the most experienced senior managers in the bank.

8. Economic and Political Risk: Political risk is commonly faced by all corporations, including banks, due to wrong political decisions, policies or events, or conditions significantly affecting the profitability of a business. Economic risks are risks related to huge differences in demand and supply and other economic consequences. The bank has to have a strong vision and diversified businesses to face such risks.

1.2. Risk Dynamics in Banks

The banking sector has always been a backbone of the economy. However, failures in banks, especially too-big-to-fail banks, have time and again proved that no bank is shielded from developments across the globe. With an increase in global trade, there is an ever-increasing dependence on different interconnected banks for overall sustained growth and hence, newer risks in one economy quickly cascade to the banking sectors of other economies too.

Risk and its management by banks have always been dynamic and evolving. Long ago, the two key categories of risk which were perceived as important to management were financial and operational risk. Controls were devised to ensure there was no financial misstatement, with strict reliance on documented procedures and on delegation of authority over key activities to avoid operational failures. Risk management policies were developed more from the point of view of giving shareholders comfort than of any active risk management. Then came an era of regulatory-driven risk management, which basically meant corporates had to comply with a plethora of regulations, failing which hefty penalties were levied besides legal charges which could derail a bank's growth strategy. This suddenly drew huge attention, as no management wanted to cross the line with the regulator.

Compliance departments were set up and manpower deployed to keep a check on any regulatory changes impacting their business and the risks perceived thereof.

Technology adoption is inevitable for any bank to grow; however, if not adopted in a measured way, technology opens the doors to IT and cyber-security risks. On one hand, concepts such as machine learning, the internet of things and artificial intelligence are helping risk managers perform their tasks with efficiency, and on the other hand, the growing use of these concepts in the financial sector has opened the doors to fraud.

The world of risks is growing more and more complex and intertwined. Whether it’s a political change in a country, commodity demand-supply concerns, or an unpredictable/unfavorable central bank policy, each of these has made the job of risk managers challenging and demanding, and therefore, the response from banks to risk management processes has duly increased.

We now see separate departments being carved out, each responsible for identifying, monitoring and managing risk, investments being made in people, processes and technology, and elevation of the role of the “Chief Risk Officer (CRO)”. Risk mitigating measures have to be commensurate with the bank's size, the country in which it operates, its presence around the globe, the strength of its human resources, past trends of unfavorable circumstances, etc.

2. Phases of Risk in Banks

The risk management process in banks can be broken down into the phases below:

  • Risk Identification, Analysis and Prioritization

  • Risk Assessment, Monitoring and Reporting

  • Risk Control and Mitigation

  • Business Resiliency and Continuity

  • Disclosures

  • Risk Communication

2.1. Phases of Risk-Risk Identification

Risk identification is the process of taking stock of the vulnerabilities a bank may be exposed to and raising awareness of these risks inside the bank. It is the starting point for understanding and managing risk activities. However, many legacy risk identification processes have not fully served risk management needs, particularly those related to firm-specific stress testing and identifying the firm’s largest vulnerabilities. This, in turn, led to critical gaps in risk management. Hence, comprehensive risk management is done in banks through two techniques called:

1) Top Bottom Risk Identification, and

2) Bottom Top Risk Identification

2.1.1. Phases of Risk-Risk Identification-Top Bottom

“If a bank is serious about risk management, then it will be serious from the top till bottom.” The top management should be aware of the major risk factors that would hit the business. Top bottom risk identification concerns the awareness of risk among Sr. Managers (CEO, CFO, COO…) in the bank, what steps they are going to take to mitigate such risks, and how they are messaging the bottom lines of their respective LOBs (Lines of Business). For example, the management should be aware if:

  • There is a concentration risk, which is the maximum number of exposures that have the potential to produce losses large enough to threaten the ability of the bank to continue operating.

  • The management should be in a position to assess several investment risks, such as the possibility that:

a) a fixed-rate debt instrument will decline in value as a result of a rise in interest rates;

b) the issuer of a stock or a bond may go bankrupt or be unable to pay the interest or principal in the case of bonds;

c) a particular bond issuer will not be able to make expected interest rate payments and/or principal repayment;

d) the value of an asset or income will be eroded as inflation shrinks the value of a country's currency, and so on.

  • Management should take measures to check the Interest Rate Risk which is the potential for changes in interest rates to reduce a bank's earnings and lower its net worth.

  • Management should be cognizant of factors that affect the overall performance of the financial markets.

2.1.2. Phases of Risk-Risk Identification-Bottom Top

Bottom top risk identification is more about identification of risks at the Line of Business level. As the name suggests, this is a reverse reporting system where Lines of Business identify the risk and report to the Sr. Managers of the bank. Below are the verticals that affect bottom top risk identification:

  • Risk Identification at Process Level

  • Risk Identification at Department Level

  • Risk Identification at Functional Level

  • Risk Identification at Business Unit Level

i) Risk Identification at Process Level:

The type and composition of the process vary among banks depending on the banking organization’s facilities, locations, business units and departments. There are factors, though, that may indicate that a process presents an unacceptable level of risk and merits further evaluation. Those factors include a history of errors, volume, system downtime, complexity of the process, frequency of change in process, availability of required skills, number of interfaces and degree of controls incorporated into a process. Let’s now discuss each of the topics as given below:

a) History of Errors:

The first step in error identification is studying the historical error trend. The trend should be built in such a way that it contains details of a) errors which are critical and non-affordable, b) errors which have regulatory impact, c) errors which are repetitive in nature, and d) errors which are silly and caused by oversight.

b) Volumes:

Volume analysis is a major challenge in processes such as payments or call centres in a bank, as these are customer specific. However, historical volume trends are always available in a bank to curtail a hike in volumes. Identification becomes imperative or vital when the volumes cannot be handled. The volume identification process starts with a) trend analysis, b) leveraging business personnel and front office knowledge, c) regular follow-ups between and across lines of business in banks, and d) studying capacity models to perform skill gap analysis.

c) System Downtime:

System downtime cannot be curbed by any bank; however, identifying alternatives during system downtime is always feasible, such as:

a) Alternate data entry techniques

b) Opportunities to identify light automations that integrate data, such as “.xls” files, into the core banking system.

ii) Risk Identification at Department level:

Departmental level risk identification should, at a minimum, contain the following:

a) Customer Complaints:

Customer in this scenario does not mean the end user unless the department has direct interaction with the end user (customer). Here the customer means the next level to which services are provided, or the service giver. Any complaints received from their end should form the basis of risk identification.

b) Employee and Stakeholders’ Feedback:

All employees and key stakeholders may have some insight into risks that they encounter during business as usual and that would otherwise not be considered at all. This feedback helps to identify departmental level risks.

c) Losses at Departmental level:

Breaches of confidentiality or data, losses due to downtime such as system downtime, losses due to a pandemic, and losses due to low employee morale, which are usually internal to departments, should be taken into consideration while calculating the department level risks.

d) Business Continuity:

Whether business continuity, if available, is restricted only to work from home or includes other plans such as split operations or operations available overseas should be analysed during identification of departmental risk.

iii) Risk Identification at Functional Level:

The identification of risks at the functional level should, at a minimum, cover the following:

a) Budget and Head Count Projections:

Risks such as whether the allotted budget at the functional level has been overshot or underutilized should be measured at least every quarter. Head count management, such as early recruitment (due to long notice periods) of incoming employees, whether there are sufficient reward and recognition programs at the functional level, frequent internal job postings, early warning signals from department managers, entertainment budgets for staff and availability of a separate attrition budget for staff, all forms a part of risk identification.

b) Project Procurement and Execution:

Availability of financing for projects, project milestones, sufficient staffing for execution, and the skill matrix levels of staff executing the project all form a part of functional level risk identification.

c) Migrations:

All the risks of migrating any new project or process, such as availability of desks, skillset availability in that location, availability of technology in that location etc., form a part of functional level risk identification.

iv) Risk Identification at Business Unit Level:

Below are the minimum risk identifications at Business Unit Level.

a) Availability of Procedures:

Availability of procedures which are global in nature: most business units fail because either they do not have procedures, or they prefer operating on their own even though procedures are available, or they do not have global procedures common to every location where the bank, its branches or its back offices operate.

b) Communication between First, Second and Third Lines of Defence:

All the lines of defence should be in sync and should have the same understanding of the process at Business Unit Level. Identification of risks starts with any difference of opinion between the three lines of defence.

c) Knowledge Transfer:

Risks such as whether sufficient knowledge transfer is happening between internal departments and external stakeholders form the basis of risk identification at the KT level in a Business Unit.

2.2. Phases of Risk-Risk Analysis

Risk analysis is the systematic study of the uncertainties and risks a bank may encounter in the course of its business. Risk analysts estimate the impact (financial or otherwise) of adverse outcomes. Let us look at some of the risk analysis tools below:

a. Audit Findings:

Audit findings primarily focus on control weaknesses and vulnerabilities. They also provide insight into inherent risk due to internal or external factors.

b. Internal Loss Data Collection:

Internal loss data provides meaningful information for assessing a bank’s exposure to operational risk, reputational risk and strategic risk, and also the effectiveness of internal controls. Analysis of loss events can provide insight into the causes of large losses and information on whether control failures are isolated or systematic. Banks may also find it useful to capture risk contributors such as credit/market risk related losses in order to obtain a more complete view of risk exposure.

c. External Data Collection:

External data elements consist of gross operational loss amounts, dates, recoveries, and relevant causal information for any loss events occurring at organisations other than the bank. External loss data can be compared with internal loss data or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures.

d. Risk Assessments:

In a risk assessment, often referred to as a Risk Self-Assessment (RSA), a bank assesses the processes underlying its operations against potential threats and vulnerabilities and considers their potential impact. Most banks use a similar approach called Risk Control Self Assessment (RCSA), a method that typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment.

e. Business Process Mapping:

Business process mappings identify the key steps in business processes, activities and organisational functions. They also identify the key risk points in the overall business process. Process maps can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. They also can help prioritise subsequent management action.

f. Risk and Performance Indicators:

Risk and performance indicators are risk metrics and/or statistics that provide insight into a bank’s risk exposure. Risk indicators, often referred to as Key Risk Indicators (KRIs), are used to monitor the main drivers of exposure associated with key risks. Performance indicators, often referred to as Key Performance Indicators (KPIs), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans.

g. Scenario Analysis:

Scenario analysis is a process of obtaining the expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance framework is essential to ensure the integrity and consistency of the process.

2.3. Phases of Risk-Risk Prioritization

Banks should regularly review the Risk Framework to ensure that the bank has identified and is managing its overall risks arising from internal procedures and policies, external market changes and other environmental factors, as well as those risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities.

A risk analysis may identify a number of risks that appear to be of similar ranking or severity. When too many risks are clustered at or about the same level, a method is needed to prioritize risk responses and decide where to apply resources. Such a method should be tied to the bank's mission/business needs and maximize the use of available resources. A rational and common-sense prioritization is a key component of a risk management program and becomes necessary when requirements cannot be fully satisfied. To adequately defend risk response decisions made by senior leaders/executives, decision makers should know or be able to obtain the answers to the following questions:

  • How critical would the immediate impact be to the bank's operations (including mission, functions, image, or reputation) and protection of the bank's assets?

  • How critical would the future impact be to the bank's operations (including mission, functions, image, or reputation) and protection of the bank's assets?

The answers to the above questions provide the basis for a justifiable prioritization that is based on the bank's current and future needs. Mission/business owners (or their designees) and mission/business subject matter experts can be consulted to obtain the most complete and up-to-date information.

Next, answer the following questions to further refine a group of risks with the same or similar rating:

  • What is the expected loss from a single occurrence of the threat?

  • If the risk can materialize more than once, what is the overall expected loss for the time period of concern?

The remainder of the questions can be used to better understand the relationship of a particular risk and/or mitigation to other risks and/or mitigations.

2.4. Phases of Risk-Risk Assessment

  • Supervisors of the banks should conduct (directly or indirectly), regular independent evaluations of a bank’s policies, processes and systems to assess risks. As part of the assessment of the banking framework, supervisors must ensure that there are appropriate mechanisms in place which allow them to remain apprised of developments at the bank. In performing this assessment, cooperation and exchange of information with other supervisors, in accordance with established procedures, may be necessary.

  • Supervisors may, if required, choose to use internal auditors and external auditors (in case of urgency/need to know top priority) in these assessment processes. Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.

  • Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses inherent risks. The bank’s operational risk assessment procedure should be incorporated into the overall bank business strategy development processes.

2.5. Phases of Risk-Risk Monitoring

  • Banks should play an active role in encouraging on-going internal development efforts by monitoring and evaluating a bank’s recent improvements and plans for prospective developments.

  • Banks should have measuring tools to monitor each exposure to risk (where possible), and ensure that an effective planning and monitoring programme is in place. Banks should take steps to control or mitigate risk exposures and report to senior management and the board on the bank’s risk exposures and capital positions.

  • Banks should not only ensure that internal controls have been embedded in the bank’s day-to-day business but also monitor whether they are appropriately designed to ensure, to the extent possible, that bank activities are efficient and effective, information is reliable, timely and complete, and the bank is compliant with applicable laws and regulations.

  • Banks should have written procedures describing their approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure. The board should monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

  • Senior management should ensure that bank activities are monitored by staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution’s risk policy should have “Exclusive Authority” and should be “Independent” from the units they oversee.

  • Banks should capture and monitor contributions to operational, credit and market risk related losses in order to obtain a more complete view of their risk exposures.

  • The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

2.5.1 What Happens When Risk is Not Monitored-Case Study

On 11th December 2012, a Statement of Facts was incorporated by reference as part of the Deferred Prosecution Agreement (the “Agreement”) between the United States Department of Justice, Criminal Division, Asset Forfeiture and Money Laundering Section, the United States Attorney’s Office for the Eastern District of New York, and the United States Attorney’s Office for the Northern District of West Virginia (collectively, the “Department”) and HSBC Bank USA, N.A. (“HSBC Bank USA”) and HSBC Holdings plc (“HSBC Holdings”). The Department alleges, and HSBC Bank USA admits, that HSBC Bank USA’s conduct violated the BSA. Specifically, HSBC Bank USA violated Title 31, United States Code, Section 5318(h)(1), which makes it a crime to willfully fail to establish and maintain an effective AML program, and Title 31, United States Code, Section 5318(i)(1), which makes it a crime to willfully fail to establish due diligence for foreign correspondent accounts.

From 2006 to 2010, HSBC Bank USA violated the BSA and its implementing regulations. Specifically, HSBC Bank USA ignored the money laundering risks associated with doing business with certain Mexican customers and failed to implement a BSA/AML program that was adequate to monitor suspicious transactions from Mexico. At the same time, Grupo Financiero HSBC, S.A. de C.V. (“HSBC Mexico”), one of HSBC Bank USA’s largest Mexican customers, had its own significant AML problems. As a result of these concurrent AML failures, at least $881 million in drug trafficking proceeds, including proceeds of drug trafficking by the Sinaloa Cartel in Mexico and the Norte del Valle Cartel in Colombia, were laundered through HSBC Bank USA without being detected. HSBC Group was aware of the significant AML compliance problems at HSBC Mexico, yet did not inform HSBC Bank USA of these problems and their potential impact on HSBC Bank USA’s AML program.

There were at least four significant failures in HSBC Bank USA’s AML program that allowed the laundering of drug trafficking proceeds through HSBC Bank USA:

1. Failure to obtain or maintain due diligence or KYC information on HSBC Group Affiliates, including HSBC Mexico;

2. Failure to adequately monitor over $200 trillion in wire transfers between 2006 and 2009 from customers located in countries that HSBC Bank USA classified as “standard” or “medium” risk, including over $670 billion in wire transfers from HSBC Mexico;

3. Failure to adequately monitor billions of dollars in purchases of physical U.S. dollars (“banknotes”) between July 2006 and July 2009 from HSBC Group Affiliates, including over $9.4 billion from HSBC Mexico; and

4. Failure to provide adequate staffing and other resources to maintain an effective AML program.

From at least 2006 to 2010, HSBC Bank USA did not conduct due diligence on HSBC Group Affiliates for which it maintained correspondent accounts, including HSBC Mexico. The decision not to conduct due diligence was guided by a formal policy memorialized in HSBC Bank USA’s AML Procedures Manuals.

From 2006 to 2009, HSBC Bank USA knowingly set the thresholds in CAMP (Customer Account Monitoring Program) so that wire transfers by customers located in countries categorized as standard or medium risk, including foreign financial institutions with correspondent accounts, would not be subject to automated monitoring unless the customers were otherwise classified as high risk. During this period, HSBC Bank USA processed over 100 million wire transfers totaling over $300 trillion. Over two-thirds of these transactions involved customers in standard or medium risk countries. Therefore, in this four-year period alone, over $200 trillion in wire transfers were not reviewed in CAMP. Despite the Advisory from FinCEN, HSBC failed to properly monitor banknotes transactions for HSBC Group Affiliates, including HSBC Mexico. Moreover, unlike CAMP, there was no automated system available for reporting suspicious transactions.
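The monitoring gap described in this case study can be measured as a coverage figure rather than discovered after the fact. The following is an added example, not part of the original text and not code from HSBC or any regulator: it replays constructed wire transfers through the exemption rule described above and through a hypothetical tiered rule, and reports how much value bypasses automated monitoring. The customers, amounts, tier thresholds and the 5% tolerance are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Wire:
    customer: str
    country_risk: str         # "standard", "medium" or "high"
    customer_high_risk: bool  # customer individually classified as high risk
    amount: int               # USD


# Constructed sample data (not real customers or transactions).
WIRES = [
    Wire("affiliate-A", "standard", False, 9_000_000),
    Wire("affiliate-A", "standard", False, 7_500_000),
    Wire("bank-B", "medium", False, 4_000_000),
    Wire("corp-C", "medium", True, 1_200_000),
    Wire("corp-D", "high", False, 800_000),
    Wire("retail-E", "standard", False, 25_000),
    Wire("bank-F", "high", False, 2_500_000),
]


def rule_tier_exempt(w: Wire) -> bool:
    """Rule as the case study describes it: standard and medium risk
    countries are skipped unless the customer itself is high risk."""
    return w.country_risk == "high" or w.customer_high_risk


# Hypothetical corrected rule: every tier is in scope, with a lower
# amount threshold the riskier the country (values are assumptions).
TIER_THRESHOLDS = {"standard": 1_000_000, "medium": 250_000, "high": 0}


def rule_tiered(w: Wire) -> bool:
    return w.customer_high_risk or w.amount >= TIER_THRESHOLDS[w.country_risk]


def coverage_report(wires, rule):
    """Replay wires through a rule and total what it never looks at."""
    by_tier = defaultdict(lambda: {"wires": 0, "value": 0,
                                   "unmonitored_wires": 0,
                                   "unmonitored_value": 0})
    by_customer = defaultdict(int)
    for w in wires:
        tier = by_tier[w.country_risk]
        tier["wires"] += 1
        tier["value"] += w.amount
        if not rule(w):
            tier["unmonitored_wires"] += 1
            tier["unmonitored_value"] += w.amount
            by_customer[w.customer] += w.amount
    total = sum(t["value"] for t in by_tier.values())
    unmonitored = sum(t["unmonitored_value"] for t in by_tier.values())
    return {
        "by_tier": dict(by_tier),
        "total_value": total,
        "unmonitored_value": unmonitored,
        "unmonitored_share": unmonitored / total if total else 0.0,
        # Largest blind spots first, so concentration is visible.
        "largest_unmonitored": sorted(by_customer.items(),
                                      key=lambda kv: -kv[1]),
    }


def findings(report, max_unmonitored_share=0.05):
    """Turn a report into escalation items. The tolerance is an assumption."""
    out = []
    share = report["unmonitored_share"]
    if share > max_unmonitored_share:
        out.append(f"{share:.1%} of wire value bypasses automated monitoring")
    for name, t in report["by_tier"].items():
        if t["unmonitored_wires"] == t["wires"]:
            out.append(f"country tier '{name}' has no automated monitoring")
    return out


if __name__ == "__main__":
    for label, rule in (("tier-exempt", rule_tier_exempt),
                        ("tiered", rule_tiered)):
        rep = coverage_report(WIRES, rule)
        print(label, f"{rep['unmonitored_share']:.1%} of value unmonitored")
        for item in findings(rep):
            print("  FINDING:", item)
```

Running the same report whenever a monitoring threshold changes gives the board the unmonitored share as a number it can hold against its risk appetite statement.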

2.6. Risk Reporting

Stringent regulations and the need to adjust to market developments require rapid, fact-based decision making, which means banks should develop better risk reporting models and techniques. Banks need to think of replacing paper-based reports with interactive tablet solutions that offer information in real time and enable banks to do quick root-cause analyses.

Risk reporting support to the broad management should have all the facets of financial and non-financial risks. Banks should develop ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities.

Even though data and risk reporting processes require significant investments of financial and human resources the banks should ensure that proper paper less reporting mechanism exists which will benefit them in long run.

Defining, gathering and processing risk data in banks should be according to suggestions made by regulators and banks must ensure that proper, accurate and reliable information is generated by implementing proper technologies such as machine learning.

Risk reports should include:

  1. Breaches of the bank’s risk appetite and tolerance statement, as well as thresholds or limits

  2. Details of recent significant internal risk events and losses, and

  3. Relevant external events and any potential impact on the bank and operational risk capital.

2.7. Risk Controls

A risk control strategy comprises written policies and procedures for risk identification and measurement, an appropriate internal risk organizational structure, an effective and efficient risk management process covering all risks the bank is exposed to or may potentially be exposed to in its operations, an adequate internal controls system, an appropriate information system and an adequate process of internal capital adequacy assessment. Risk controls are required for all of the processes below:

I. Internal Process:

Is the bank in control of the volumes it processes? Does it have sufficient metrics to control errors? Is there workflow management in place that assigns accountability to staff at each step of the process? Have critical control points been identified in the workflows, and are these critical controls tested from time to time for effectiveness? Are the policies framed commensurate with the latest regulatory requirements? Is there a training team in place to train the team and explain new updates? Are standard operating procedures (SOPs) updated from time to time, and at minimum once a year? Does an independent body such as business risk check the controls and critical controls from time to time, and is a regular audit conducted for cases processed by the processing team? Only if the answer to all of the questions above is yes is the bank considered to have strong internal process controls in place. Management should be informed of all lacunae/gaps from time to time, and each gap should have an action plan attached to it.

II. Regulatory Requirements:

In today's global marketplace, banks have greatly expanded the scope and complexity of their activities and face an ever-changing and increasingly complex regulatory environment. Each compliance failure can result in litigation, financial penalties, regulatory constraints, and reputational damage that can strategically affect the bank. Hence, banks are required to stay abreast of all regulatory changes and update their SOPs from time to time as per the new regulation. The new regulation should also find a place in the organization-wide procedures and policies. Every bank should have a regulatory team that explores regulatory websites, liaises with regulators, collects the latest information that may affect the bank's processes, and makes changes in the policies and procedures accordingly.

III. Customer Requirements:

Customers are becoming more tech-savvy over time. Hence, banks should invest sufficiently in new technologies in order to face increased competition that influences banking products and pricing, and technology improvements that affect the distribution channels for selling and the operating cost of banking activities. However, each new development that a bank makes to improve customers' lives comes with a risk; e.g. a new product floated in the market should have the following controls in place:

a. The banking product is acceptable as per the local and other country regulatory norms.

b. The new banking product is not paving a path to new kinds of fraud.

c. The new banking product does not meddle with client confidentiality.

IV. External Factors:

External factors are those factors which are beyond the control of a bank's management, such as the political environment, the economic environment, changes in interest rates, and changes in inflation. Each of the external factors should have proper controls in place. For instance, in a phase of inflation, banks should have alternative investments which counter the inflation; banks should also accurately estimate the present government's strategies and update their marketing models as per the changes in interest rates, and so on.

2.7.1. What Happens if Banks Are Left Alone-Case Study

Beginning in 2012, an international investigation into the London Interbank Offered Rate, or Libor, revealed a widespread plot by multiple banks, notably Deutsche Bank, Barclays, UBS, Rabobank, and the Royal Bank of Scotland, to manipulate these interest rates for profit starting as far back as 2003. Regulators in the United States, the UK, and the European Union have fined banks more than $9 billion for rigging Libor, which underpins over $300 trillion worth of loans worldwide. Since 2015, authorities in both the UK and the United States have brought criminal charges against individual traders and brokers for their role in manipulating rates, though the success of these prosecutions has been mixed. The scandal has sparked calls for deeper reform of the entire Libor rate-setting system, as well as harsher penalties for offending individuals and institutions.

To understand this case study, let us first understand what Libor is. Libor is a benchmark interest rate based on the rates at which banks lend unsecured funds to each other on the London interbank market. Published daily, the rate was previously administered by the British Bankers’ Association (BBA). But in the aftermath of the scandal, Britain’s primary financial regulator, the Financial Conduct Authority (FCA), shifted supervision of Libor to a new entity, the ICE Benchmark Administration (IBA), an independent UK subsidiary of the private U.S.-based exchange operator Intercontinental Exchange, or ICE.

To calculate the Libor rate, a representative panel of global banks submits an estimate of their borrowing costs to the Thomson Reuters data collection service each morning at 11:00 a.m. The calculation agent throws out the highest and lowest 25 percent of submissions and then averages the remaining rates to determine Libor. Calculated for five different currencies, the U.S. dollar, the euro, the British pound sterling, the Japanese yen, and the Swiss franc, at seven different maturity lengths from overnight to one year, Libor is the most relied upon global benchmark for short-term interest rates. The rate for each currency is set by panels of between eleven and eighteen banks.

Many banks worldwide use Libor as a base rate for setting interest rates on consumer and corporate loans. Indeed, hundreds of trillions of dollars in securities and loans are linked to Libor, including government and corporate debt, as well as auto, student, and home loans, including over half of the United States’ flexible-rate mortgages. When Libor rises, rates and payments on loans often increase; likewise, they fall when Libor goes down. Libor is also used to “provide private-sector economists and central bankers with insights into market expectations of economic performance and interest rate developments”.

Barclays and fifteen other global financial institutions came under investigation by a handful of regulatory authorities, including those of the United States, Canada, Japan, Switzerland, and the UK, for colluding to manipulate the Libor rate beginning in 2003. Barclays reportedly first manipulated Libor during the global economic upswing of 2005–2007 so that its traders could make profits on derivatives pegged to the base rate. During that period, “swaps traders often asked the Barclays employees who submitted the rates to provide figures that would benefit the traders, instead of submitting the rates the bank would actually pay to borrow money.” Moreover, certain traders at Barclays coordinated with other banks to alter their rates as well. During this period, Libor was maneuvered both upward and downward based entirely on a trader’s position. Hundreds of trillions of dollars in securities and loans are linked to Libor.

The investigation into the Swiss bank UBS focused on the UK trader Thomas Hayes, who was the first person convicted for rigging Libor. Prosecutors argued that this allowed him to post profits in the hundreds of millions for the bank over his three-year stint, after which he moved to the U.S.-based Citigroup. After Hayes was arrested in December 2012, UK politicians criticized UBS executives for “negligence” after the bank’s leadership denied knowledge of the traders’ schemes due to the complexity of the bank’s operations. At the same time, most of the fraudulent collusion occurred between Hayes and traders at Royal Bank of Scotland (RBS), which is majority owned by UK taxpayers, to affect submissions across multiple institutions.

Many experts say that the Libor scandal has eroded public trust in the marketplace. Indeed, securities broker and investment bank Keefe, Bruyette & Woods estimated that the banks being investigated for Libor manipulation could end up paying $35 billion in private legal settlements separate from any fines to regulators. These sums could pose new challenges for financial institutions that are increasingly required to maintain higher reserves to guard against another systemic crisis. It will be another blow to the banks’ ability to hold enough capital to satisfy higher regulatory requirements in the wake of the financial crisis.

A wave of Libor-related prosecutions, led by U.S. and European regulatory bodies, has led to multiple major settlements. All told, global banks have paid over $9 billion in fines. The UK’s Barclays settled a case with U.S. and UK authorities for $435 million in July 2012, and in 2016 agreed to pay an additional $100 million to forty-four U.S. states for its role in manipulating the dollar-denominated Libor rate. In December 2012, Swiss banking giant UBS was slapped with the biggest Libor-related fine up to that point, paying global regulators a combined $1.5 billion in penalties. The complaint, led by the U.S. Commodity Futures Trading Commission (CFTC), cited over two thousand instances of wrongdoing committed by dozens of UBS employees.

In early 2013, U.S. and UK authorities fined RBS $612 million for rate rigging. Then, in December 2013, EU regulatory authorities settled their investigation into Barclays, Deutsche Bank, RBS, and Société Générale, fining the latter three banks a combined total of 1.7 billion euros, or over $2 billion. They were all found guilty of colluding to manipulate market rates between 2005 and 2008. In exchange for revealing the cartel to regulators, Barclays was not fined by the EU. JP Morgan Chase and Citigroup also became the first U.S. institutions fined, albeit with much smaller penalties. (In 2016, a separate investigation by U.S. authorities fined Citigroup $425 million after finding that senior managers at the bank knew about Libor trader Tom Hayes’ illicit manipulation of the rate.) Also in 2013, Dutch Rabobank settled charges against it for over $1 billion. In April 2015, Germany’s Deutsche Bank agreed to the largest single settlement in the Libor case, paying $2.5 billion to U.S. and European regulators and entering a guilty plea for its London-based branch. It brings the total amount of fines paid by Deutsche Bank to $3.5 billion, more than twice that of any other institution.

Lessons:

1. Base rates and interbank offer rates need to be under scrutiny by the respective regulators of the countries.

2. Banks should play their part effectively towards world banking and avoid taxpayers’ inconvenience.

3. Trading desks are required to be monitored effectively by the senior management of the banks.

4. Central bankers should have insights into market expectations of economic performance and interest rate developments.

5. Financial Institutions should maintain higher reserves to guard against systemic crisis.

2.8. Risk Mitigation

Risk mitigation plans are a mandatory requirement in today’s banking. Some of the mitigations for the smooth running of banks are:

1. Credit Risk Mitigation:

For credit risk mitigation, the bank must have a strong client base over a long period. It can be used in behavioural models that estimate the probability of default of the client, based on their credit history, and in scoring models according to the application (client demographic information, information about the client’s workplace, loan parameters, etc.). Some of the common methodologies that can be used are data mining techniques and scoring models such as logistic and linear regression, decision trees, segmentation using K-means, and neural networks. The set of scoring models according to the application, credit bureaus and information (obtained from systems to prevent fraud) can determine which customer segments can be approved.

2. Market Risk Mitigation:

Market risk is a specific part of the financial risks caused by the emergence of investment and financial activities. Market risk is caused by the influence of market factors that affect the value of assets, liabilities, and off-balance sheet items. There are different methodologies for evaluating the losses of financial instruments. The most common is the method of quantifying the market risk value of trading positions (Value at Risk – VaR). The basis for the VaR evaluation is the price dynamics of the instruments over a specified time period in the past. Classical methods of volatility estimation, such as the parametric method, the Monte Carlo method and historical simulation, are used to assess the potential market risk level.
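The three estimation methods named above, computed side by side on one series as an added example (not part of the original text). The daily P&L figures are constructed, and the quantile convention and the normal-distribution assumption behind the parametric and Monte Carlo estimates are choices made for this example.

```python
import math
import random
from statistics import NormalDist, mean, stdev
from typing import Dict, Sequence

# Constructed daily P&L of a trading book, in USD thousands (20 trading days).
PNL = [120, -80, 45, -210, 15, 60, -35, -150, 90, 30,
       -60, 10, -95, 75, -20, 140, -300, 55, -5, 25]


def historical_var(pnl: Sequence[float], confidence: float) -> float:
    """Historical simulation: the smallest observed loss L such that at least
    `confidence` of the observations lost no more than L."""
    if not pnl or not 0 < confidence < 1:
        raise ValueError("need observations and a confidence level in (0, 1)")
    losses = sorted(-x for x in pnl)                  # losses as positive numbers
    # round() removes floating-point noise such as 0.95 * 20 != 19 exactly
    rank = math.ceil(round(confidence * len(losses), 9))
    return losses[rank - 1]


def parametric_var(pnl: Sequence[float], confidence: float) -> float:
    """Parametric (variance-covariance) VaR, assuming normally distributed P&L."""
    z = NormalDist().inv_cdf(confidence)
    return z * stdev(pnl) - mean(pnl)


def monte_carlo_var(pnl: Sequence[float], confidence: float,
                    draws: int = 50_000, seed: int = 7) -> float:
    """Monte Carlo VaR: simulate P&L from the fitted normal distribution, then
    read the loss quantile off the simulated sample."""
    rng = random.Random(seed)                         # fixed seed: reproducible
    mu, sigma = mean(pnl), stdev(pnl)
    simulated = [rng.gauss(mu, sigma) for _ in range(draws)]
    return historical_var(simulated, confidence)


def compare(pnl: Sequence[float], confidence: float = 0.95) -> Dict[str, float]:
    """One-day VaR at the given confidence level under each method."""
    return {
        "historical": historical_var(pnl, confidence),
        "parametric": parametric_var(pnl, confidence),
        "monte_carlo": monte_carlo_var(pnl, confidence),
    }


if __name__ == "__main__":
    for method, value in compare(PNL).items():
        print(f"{method:12s} 95% one-day VaR: {value:8.1f}k USD")
```

On this sample the historical figure is the largest of the three, because the two large constructed losses sit further out than a normal distribution fitted to the same data would place them.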

3. Operational Risk Mitigation:

Operational risk is constantly growing with the increase in business and banking, as well as with the globalization of banking services. Some of the mitigations for operational risks are:

  • Task segregation

  • Curtailing complexities in business processes

  • Reinforcing organizational ethics

  • The right people for the right job

  • Monitoring and evaluations at regular intervals

  • Periodic risk assessment and

  • Look back and learn

The risks to which a bank is particularly exposed in its operations are financial risks and non-financial risks as given below:

4. Liquidity Risk Management:

Banks should use a range of liquidity metrics for the measurement and analysis of their liquidity risk. These metrics should enable the management of a bank to understand its day-to-day liquidity positions and structural liquidity mismatches, as well as its resilience under stressed conditions. In particular, these metrics should perform the functions of:

  • Cash flow forecasting, i.e., projecting the bank’s future cash flows and identifying potential funding gaps and mismatches under both normal and stressed conditions.

  • Identifying liquidity risks that may arise from contingent exposures or events.

  • Assessing the banks’ capability to generate funding

  • Identifying the banks’ vulnerabilities to foreign currency movements.

2.9. Business Resiliency

Business resiliency is the ability of a business to spring back from a disruption to its operations. Business resilience begins with an understanding that workflows must be preserved in order for organizations to survive unexpected events. An often-overlooked challenge of business resilience planning is the human element, whereby individuals in a chaotic situation must be prepared and educated on how to respond accordingly. Business resilience planning is also referred to as business continuity planning. Effective business continuity measures are critical for any banking entity. Every bank should be committed to protecting its staff and ensuring the continuity of critical businesses and functions in order to protect its revenues and sustain a stable financial market and customer confidence. The development, implementation, testing and maintenance of an effective global Business Continuity and Disaster Recovery Program (DRP) are required to sustain these objectives. The business resiliency and continuity plans should cover the following in case of disruption:

  • Data back-up and recovery

  • Alternate modes of communication between customers and the bank, and between the bank and employees

  • Alternate physical location

  • Alternatives to regulatory compliance reporting

  • Alternative methods to provide continuous services to business customers

Minimum requirements for Resiliency Plans:

  • Banks are exposed to disruptive events, some of which may be severe and result in an inability to fulfil some or all of their business obligations. Incidents that damage or render inaccessible the bank’s facilities, telecommunication or information technology infrastructures, or a pandemic event that affects human resources, can result in significant financial losses to the bank, as well as broader disruptions to the financial system.

  • To provide resiliency against risk, a bank should establish business continuity plans commensurate with the nature, size and complexity of their operations. Such plans should take into account different types of likely or plausible scenarios to which the bank may be vulnerable.

  • Continuity management should incorporate business impact analysis, recovery strategies, testing, training and awareness programs, and communication and crisis management programs. A bank should identify critical business operations, key internal and external dependencies, and appropriate resilience levels.

  • Plausible disruptive scenarios should be assessed for their financial, operational and reputational impact, and the resulting risk assessment should be the foundation for recovery priorities and objectives. Continuity plans should establish contingency strategies, recovery and resumption procedures, and communication plans for informing management, employees, regulatory authorities, customers, suppliers, and, where appropriate, civil authorities.

  • A bank should periodically review its continuity plans to ensure contingency strategies remain consistent with current operations, risks and threats, resiliency requirements, and recovery priorities. Training and awareness programs should be implemented to ensure that staff can effectively execute contingency plans.

  • Plans should be tested periodically to ensure that recovery and resumption objectives and timeframes can be met. Where possible, a bank should participate in disaster recovery and business continuity testing with key service providers. Results of formal testing activity should be reported to management and the board.

2.9.1. Business Continuity Planning

What is Business Continuity Planning (BCP)?

Business continuity planning is the process whereby financial institutions ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or terrorism. The objectives of a business continuity plan (BCP) are to minimize financial loss to the institution; continue to serve customers and financial market participants; and mitigate the negative effects disruptions can have on an institution's strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations. Changing business processes (internally to the institution and externally among interdependent financial services companies) and new threat scenarios require financial institutions to maintain updated and viable BCPs.

What is the responsibility of a bank's board and senior management for BCP?

A bank's board of directors and senior management are responsible for:

  • Supporting budget allocations for the BCP program

  • Allocating sufficient resources and knowledgeable personnel to develop the BCP

  • Appointing key personnel to lead the program

  • Ensuring the BCP team is staffed and fully trained to implement the plan

  • Providing support and resources to implement the BCP process and recovery strategies

  • Setting policy by determining how the institution will manage and control identified risks

  • Reviewing BCP test results

  • Approving the BCP on an annual basis

  • Ensuring the BCP is kept up-to-date and employees are trained and aware of their role in its implementation

What is the objective of a bank's business continuity planning process?

Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology. The planning process should be conducted on an enterprise-wide basis.

A thorough business impact analysis and risk assessment is the foundation of an effective BCP and should consider the following points:

  • The effectiveness of a BCP can only be validated through testing or practical application.

  • The BCP and test results should be subjected to an independent audit and reviewed by the board of directors.

  • A BCP should be periodically updated to reflect and respond to changes in the financial institution or its service provider(s).

What is Business Impact Analysis?

Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. It should include:

  • Identification of the potential impact of uncontrolled, non-specific events on the bank's business processes and its customers

  • Consideration of all departments and business functions, not just data processing

  • Estimation of maximum allowable downtime and acceptable levels of data, operations, and financial losses

  • Each department should document the mission critical functions performed and should consider the following questions:

  • What specialized equipment is required and how is it used?

  • How would the department function if mainframe, network and/or Internet access were not available?

  • What single points of failure exist and how significant are those risks?

  • What are the critical outsourced relationships and dependencies?

  • What is the minimum number of staff and space that would be required at a recovery site?

  • What special forms or supplies would be needed at a recovery site?

  • What communication devices would be needed at a recovery site?

  • What critical operational or security controls require implementation prior to recovery?

  • Is there any potential impact from common recovery sites serving multiple lines of business or departments?

  • Have employees received cross training and has the department defined back-up functions/roles employees should perform if key personnel are not available?

  • Are emotional support and family care needs adequately considered?

What business continuity vulnerabilities may affect a bank?

At any time, unforeseen circumstances beyond a bank’s control can influence the operational status of a business unit. Hence, departmental managers should regularly monitor incidents that may cause a business disruption and/or have a serious impact on operations. The following scenarios help to identify any vulnerability that may affect operational continuity.

a. Human errors or failures:

  • Lack of training or policy guidance

  • Inadequate supervision

  • Intentional or unintentional disruptive practices

b. Human resource limitations:

  • Strike

  • Inaccessibility to site

  • Pandemic outbreak

c. Supply chain dependencies:

  • Transport

  • Internet

  • IT

  • Vendor unavailability

d. Technology-related failures:

  • Cyber-attacks

  • Data fraud/theft

  • Critical system or network failures

  • Communication network failure

e. Infrastructure failures:

  • Power failure

  • Improper site maintenance

  • Water supply crisis

f. Failure of regulatory compliance:

  • Fines

  • Mandated shutdowns

  • Reporting obligations

g. Natural disasters:

  • Fires

  • Earthquake

  • Severe flooding

  • Hurricane/typhoon

  • Tornado

  • Volcanic eruption

  • Tsunami

  • Landslides

h. Regional and civil disturbances:

  • Terrorism

  • Corruption

  • Religious fanaticism

  • Protests

i. Economic:

  • Price fluctuations in critical commodities and/or natural resources

  • Dependence on central and/or commercial banks

  • Political influences

Who are Business Continuity Coordinators?

Business Continuity Coordinators are typically responsible for the development and maintenance of business continuity plans. They must work closely with critical business units to understand their processes, identify risks, and provide solutions to help manage and minimize those risks. Their roles are as given below:

  • Draft work plan necessary to develop the BCP.

  • Compile BIA for all departments.

  • Send out periodic emails to all staff providing project updates.

  • Compile information of critical staff and critical processes in a bank.

  • From time to time conduct call tree tests to determine availability of staff.

  • Create emergency response team by choosing at least one member from each department.

  • Develop recovery strategies and communicate those strategies with department leaders.

What is Recovery Time Objective (RTO)?

The Recovery Time Objective (RTO), one of the main components of a BIA, is the targeted duration of time and service level within which a business process must be restored after a disaster (or disruption).

What is Recovery Point Objective (RPO)?

The recovery point objective (RPO) is the age of files that must be recovered from backup storage for normal operations to resume if a computer, system, or network goes down as a result of a hardware, program, or communications failure.
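The two objectives only mean something when they are checked against evidence. The following Python is an added example, not taken from the original text: it compares the RTO and RPO recorded in a BIA with backup completion times and recovery-test durations. The process names, objectives, timestamps and test results are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BiaEntry:
    process: str
    rto: timedelta   # maximum tolerated time to restore the process
    rpo: timedelta   # maximum tolerated age of the data restored from backup


def worst_case_data_age(backups: List[datetime], window_end: datetime) -> timedelta:
    """Longest stretch without a completed backup inside the review window.
    A failure at the end of that stretch restores data this old."""
    if not backups:
        raise ValueError("no completed backups in the review window")
    points = sorted(backups) + [window_end]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def assess(entry: BiaEntry, backups: List[datetime], window_end: datetime,
           tested_recovery: Optional[timedelta]) -> List[str]:
    """Return findings where the evidence does not support the BIA objectives."""
    findings = []
    if not backups:
        findings.append("RPO: no completed backup in the review window")
    else:
        age = worst_case_data_age(backups, window_end)
        if age > entry.rpo:
            findings.append(f"RPO: worst-case data age {age} exceeds objective {entry.rpo}")
    if tested_recovery is None:
        findings.append("RTO: no recovery test on record")
    elif tested_recovery > entry.rto:
        findings.append(f"RTO: tested recovery {tested_recovery} exceeds objective {entry.rto}")
    return findings


# Constructed evidence for three hypothetical processes.
DAY = datetime(2024, 1, 15)
WINDOW_END = DAY + timedelta(hours=7)
# Hourly backups with the 03:00 job missing.
WIRE_BACKUPS = [DAY + timedelta(hours=h) for h in (0, 1, 2, 4, 5, 6)]
DAILY_BACKUPS = [DAY - timedelta(days=2), DAY - timedelta(days=1), DAY]

EVIDENCE = [
    (BiaEntry("wire-payments", timedelta(hours=2), timedelta(hours=1)),
     WIRE_BACKUPS, timedelta(hours=1, minutes=30)),
    (BiaEntry("customer-statements", timedelta(hours=24), timedelta(hours=24)),
     DAILY_BACKUPS, timedelta(hours=30)),
    (BiaEntry("branch-intranet", timedelta(hours=72), timedelta(hours=24)),
     DAILY_BACKUPS[1:], None),
]


def review() -> Dict[str, List[str]]:
    """Assess every process in the constructed evidence set."""
    return {entry.process: assess(entry, backups, WINDOW_END, tested)
            for entry, backups, tested in EVIDENCE}


if __name__ == "__main__":
    for process, findings in review().items():
        print(process, findings or ["objectives supported by evidence"])
```

The wire-payments result shows why the largest gap between completed backups is the figure to compare against the RPO: one skipped hourly job doubles the age of the data a restore would bring back.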

What is crisis management?

While the definitions of crisis management and business continuity are closely related, they are not one and the same. Crisis management is a strategic management process which begins long before the triggering event and continues after the triggering event has been brought under control. Some of the aspects of crisis management are given below:

  • Identifying and proactively managing potential crisis issues before they happen

  • Getting ready for when a crisis does happen

  • Responding effectively to the event

  • Restoring business as usual

  • Responding to the highly damaging risks which often arise after the event has happened

  • Learning from what happened and incorporating it into future planning

What are the Business Continuity Recovery Solutions?

The goal of business continuity is to limit risk and get a bank running as close to normal as possible after an unexpected interruption. To do this some of the continuity recovery solutions recommended are as given below:

1. Alternate Sites: An alternate site, also simply called a disaster recovery site, is a facility to be occupied in the event that access to the primary site is prevented.

2. Technology Disaster Recovery: Technology disaster recovery strategies mean restoring hardware, applications and data in time to meet the needs of the business recovery.

3. Reciprocal Agreements: An agreement between two organizations (or two internal business groups) with similar equipment/environment that allows each one to recover at the other's.

4. Displacement Strategy: To displace staff to an alternative site or another branch that is operational.

5. Remote Access: Remote access is the ability to access a computer or a network remotely through a network connection, e.g. work-from-home facilities provided by banks through a VPN (Virtual Private Network).

2.10. Disclosure

  • A bank’s public disclosures should allow stakeholders to assess its approach to risk management. A bank’s public disclosure of relevant risk management information can lead to transparency and the development of better industry practice through market discipline.

  • The amount and type of disclosure should be commensurate with the size, risk profile and complexity of a bank’s operations, and evolving industry practice.

  • A bank should disclose its risk management framework in a manner that will allow stakeholders to determine whether the bank identifies, assesses, monitors and controls/mitigates operational risk effectively.

  • A bank’s disclosures should be consistent with how senior management and the board of directors assess and manage the operational risk of the bank.

  • A bank should have a formal disclosure policy approved by the board of directors that addresses the bank’s approach for determining what operational risk disclosures it will make and the internal controls over the disclosure process.

  • In addition, banks should implement a process for assessing the appropriateness of their disclosures, including the verification and frequency of them.

2.11. Risk Communication

  1. Risk communication is any purposeful exchange of information about risks between senior managers in the bank and banking staff (up to the junior most staff in the bank).

  2. Risk communication components include explanation of the following:

  • Levels of risks in banks.

  • The significance of each of the risks in banks

  • The decisions, actions or policies aimed at managing or controlling these risks.

  • Incident management strategies to timely mitigate risks.

  3. A key consideration of risk communication is that the target will rarely be a single audience, but usually a variety of audiences, and as such messages must be tailored to consider the different audiences that are likely to have different interests, values, levels of intelligence, education and understanding.

3. Types of Risks in Banks

Banks provide a vast variety of services to both the retail sector and the corporate sector. Because of this variety of products and services, a myriad of risks is involved in a bank's transactions; hence, it is crucial to minimize these risks in order for banks to function well. The major risks for banks include credit risk, operational risk, market risk, liquidity risk and systemic risk.

Taking risks is said to be the business of bank management. However, taking balanced risks is the new mantra for banks, as avoiding all risks will make them stagnant while, on the other hand, a bank that takes excessive risks is likely to run into difficulties. Many banking risks arise from the common cause of mismatching. A bank with perfectly matched assets and liabilities (i.e. identical maturities, interest rate conditions and currencies) would be said to be a perfect bank. However, this is not possible; hence, banks take calculated risks.

3.1. Credit Risk

Credit risk, or the risk that money owed is not repaid, has been prevalent in banking history. It is a principal and perhaps the most important risk type that has been present in finance, commerce and trade transactions from ancient cultures till today. Numerous small and large failures, combined with the corresponding economic and social impact, further accelerated the importance of credit risk management throughout history. Credit risk management is a process that involves the identification of potential risks, the measurement of these risks, the appropriate treatment, and the actual implementation of risk models.

Efficient credit risk management tools have been vital in allowing the phenomenal growth in consumer credit during the last 50 years. Without accurate automated decision tools, credit lending would not have allowed banks to expand the loan book with the speed they have. Nowadays, effective credit risk measurement and management is recognized by many economic actors, not in the least because of financial failures of banks themselves. The recent Basel II capital accord articulates new market standards for credit risk management and capital adequacy for banks. The level of capital, a cushion to absorb credit and other losses, is matched to the portfolio risk depending on the risk characteristics of individual transactions, their concentration and correlation. All organizations, including banks, need to optimally allocate capital in relation to the selective investments made. Hence, efficient tools and techniques for risk measurement are a key cornerstone of good credit risk management.

a. Definition: Credit risk is most simply defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms. The goal of credit risk management is to maximise a bank's risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banks should also consider the relationships between credit risk and other risks. The effective management of credit risk is a critical component of a comprehensive approach to risk management and essential to the long-term success of any banking organisation.

b. Example: For most banks, loans are the largest and most obvious source of credit risk; however, other sources of credit risk exist throughout the activities of a bank, including in the banking book and in the trading book, and both on and off the balance sheet. Banks are increasingly facing credit risk (or counterparty risk) in various financial instruments other than loans, including acceptances, interbank transactions, trade financing, foreign exchange transactions, financial futures, swaps, bonds, equities, options, and in the extension of commitments and guarantees, and the settlement of transactions.

3.1.1 Credit Risk-Expected Losses (EL=PD*LGD*EAD)

Credit risk is typically calculated by means of three factors: Probability of default (PD), Loss Given Default (LGD) and Exposure at Default (EAD):

Expected loss=PD*LGD*EAD.

1. Default Risk (PD):

Probability of default (PD) is a financial term describing the likelihood of a default over a particular time horizon. It provides an estimate of the likelihood that a borrower will be unable to meet its debt obligations. PD is used in a variety of credit analyses and risk management frameworks. The default risk is the probability that a default event occurs. There are many definitions of a default event. The most common definition of a default event is a payment delay of at least 3 months. Other definitions may add specific events. The default risk depends on many factors. Counterparts with a weak financial situation, high debt burden, low and unstable incomes have a higher default probability. Apart from quantitative factors, qualitative factors like sector information and management quality also allow discriminating between counterparts with high and low default risk. In markets with increased competition, reducing industry margins, and a macroeconomic downturn, the default rates are expected to be higher than on average. The continuous default probability is typically represented on an internal rating scale with an ordinal ranking of the risk and discrete, increasing default probabilities. There also exist external rating agencies that provide an independent and external assessment of the default risk for investors in debt and other products. In most cases, default risk is defined on a counterpart, not on a product.

2. Loss Risk (LGD):

Loss given default (LGD) is the amount of funds that is lost by a bank or other financial institution when a borrower defaults on a loan. Academics suggest that there are several methods for calculating the loss given default, but the most frequently used method compares actual total losses to the total potential exposure at the time of default. Of course, most banks don't simply calculate the LGD for one loan. Instead, they review their entire portfolio and determine LGD based on cumulative losses and exposure. The loss risk determines the loss as a fraction of the exposure in the case of default. In the Basel II terminology, this parameter is known as the loss given default (LGD). In the case of no loss, the LGD is equal to zero. When one loses the full exposure amount, the LGD is equal to 100%. A negative LGD indicates a profit (e.g., due to penalty fees and interest rate). In some cases, the LGD can be above 100%, e.g., due to litigation costs and almost zero recovery from the defaulted counterpart. In practice, the LGD values are observed to vary quite a lot and depend upon the type of default and its resolution as given below:

  1. Cure: The financial health of the defaulted counterpart is cured shortly after the default event, e.g., because of an additional income or a shareholder intervention. The counterpart continues to fulfil its contractual obligations. There is no significant loss for the bank and the relation with the customer is not impacted.

  2. Restructuring: The defaulted counterpart is able to recover from default after a debt restructuring, e.g., debt renegotiations resulting in a longer maturity and partial debt forgiveness. The bank–customer relation is damaged, but is often maintained. The bank accepts a medium loss to avoid higher losses in a liquidation or bankruptcy procedure.

  3. Liquidation: The customer’s facilities are liquidated, collateral is seized. The relationship with the customer is ended. Liquidation procedures may involve high legal costs and losses are typically high. It is difficult to predict the resolution type before default. On average, liquidation is expected to occur more for the weakest counterparts for which investors and banks are less eager to reinvest. In the cases of high default and loss risk, the bank will try to reduce the loss risk by requiring collateral or guarantees. In the case of a default event, the bank will try to recover the outstanding debt and delayed payments from the collateral, guarantees and the counterpart.

3. Exposure Risk (EAD):

Exposure at default (EAD) is the total value that a bank is exposed to at the time of default. Each underlying exposure that a bank has is given an EAD value and is identified within the bank's internal system. Using the internal ratings-based (IRB) approach, financial institutions will often use their own risk management default models to calculate their respective EAD systems. The exposure at the time of default (EAD) may not be known beforehand. For some products like a bond or a straight loan, the amount is a fixed amount. For credit cards or overdraft facilities, the amount varies with the liquidity needs of the borrower. The counterpart can take cash up to a negotiated credit limit. The credit limit bounds the commitment of the bank. Other products have no explicit limit, but each additional drawing needs approval of the bank. Exposure at default, along with loss given default (LGD) and probability of default (PD), is used to calculate the credit risk capital of financial institutions. The expected loss that will arise at default is often measured over one year. The calculation of EAD is done by multiplying each credit obligation by an appropriate percentage. Each percentage used coincides with the specifics of each respective credit obligation.
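The three factors above can be combined on a small portfolio. The following is an added example, not part of the original text: it derives a portfolio LGD from cumulative losses over cumulative exposure (as described under Loss Risk), obtains EAD by multiplying each obligation by a percentage, and sums PD*LGD*EAD. All names, default histories, percentages and PDs are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolvedDefault:
    """One historical default after workout (constructed sample data)."""
    resolution: str              # "cure", "restructuring" or "liquidation"
    exposure_at_default: float
    loss: float                  # realised loss incl. costs; negative = profit


@dataclass(frozen=True)
class Facility:
    """One live credit facility (constructed sample data)."""
    name: str
    obligation: float            # outstanding amount or negotiated credit limit
    ead_pct: float               # assumed percentage applied to obtain EAD
    pd: float                    # one-year probability of default


# Constructed history: a cure that earned penalty fees (negative loss), a
# restructuring, and two liquidations, one losing more than the exposure
# because of litigation costs (LGD above 100%).
HISTORY = [
    ResolvedDefault("cure", 100_000.0, -2_000.0),
    ResolvedDefault("restructuring", 200_000.0, 50_000.0),
    ResolvedDefault("liquidation", 100_000.0, 110_000.0),
    ResolvedDefault("liquidation", 100_000.0, 42_000.0),
]

FACILITIES = [
    Facility("term loan", 1_000_000.0, 1.0, 0.02),       # fixed amount
    Facility("credit card line", 50_000.0, 0.6, 0.05),   # limit, partly drawn
    Facility("overdraft", 200_000.0, 0.5, 0.10),
]


def portfolio_lgd(history):
    """Cumulative losses divided by cumulative exposure at default."""
    exposure = sum(d.exposure_at_default for d in history)
    if exposure <= 0:
        raise ValueError("default history carries no exposure")
    return sum(d.loss for d in history) / exposure


def lgd_by_resolution(history):
    """LGD per resolution type, to show how widely observed values vary."""
    groups = defaultdict(list)
    for d in history:
        groups[d.resolution].append(d)
    return {name: portfolio_lgd(items) for name, items in groups.items()}


def ead(facility):
    """EAD = credit obligation multiplied by its percentage."""
    if facility.obligation < 0 or facility.ead_pct < 0:
        raise ValueError(f"negative obligation or percentage: {facility.name}")
    return facility.obligation * facility.ead_pct


def expected_loss(facility, lgd):
    """Expected loss = PD * LGD * EAD for one facility."""
    if not 0.0 <= facility.pd <= 1.0:
        raise ValueError(f"PD must lie in [0, 1]: {facility.name}")
    # LGD is deliberately not clamped to [0, 1]: it can be negative (profit)
    # or exceed 100% (costs on top of a full loss).
    return facility.pd * lgd * ead(facility)


def portfolio_expected_loss(facilities, lgd):
    return sum(expected_loss(f, lgd) for f in facilities)


if __name__ == "__main__":
    lgd = portfolio_lgd(HISTORY)
    print(f"portfolio LGD: {lgd:.2%}")
    for name, value in lgd_by_resolution(HISTORY).items():
        print(f"  {name:<14} LGD {value:8.2%}")
    for f in FACILITIES:
        print(f"{f.name:<18} EAD {ead(f):>12,.0f}  EL {expected_loss(f, lgd):>9,.0f}")
    print(f"portfolio EL: {portfolio_expected_loss(FACILITIES, lgd):,.0f}")
```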

3.1.2. Credit Risk-Counterpart or Borrower Risk

Counterparty risk is the probability that one of those involved in a transaction might default on its contractual obligation. Let us see at what stages it could happen:

Pre-Settlement Risk: Pre-settlement risk can exist over long periods, often years, starting from the time a loan/bond/derivative is contracted until settlement. Pre-settlement risk is the risk that either the counterparty defaults before the payment is due or the financial intermediary responsible for the settlement declares bankruptcy before the transaction is settled. In addition to the counterpart default risk, there is also a risk that the counterpart is prohibited from paying when its country of domicile defaults and blocks all foreign payments. This risk is called sovereign transfer risk.

Settlement Risk: Settlement risk is the risk that a counterparty does not deliver a security or its value in cash as per agreement when the security was traded after the other counterparty or counterparties have already delivered security or cash value as per the trade agreement. Settlement risk is the possibility your counterparty will never pay you. Settlement risk was a problem in the forex market up until the creation of continuously linked settlement (CLS), which is facilitated by CLS Bank International, which eliminates time differences in settlement, providing a safer forex market. Settlement risk is sometimes called "Herstatt risk", named after the well-known failure of the German bank Herstatt.

3.1.2.1. Credit Risk-Counterpart or Borrower Risk-Case Study

Herstatt Bank was a privately owned bank in the German city of Cologne. The bank collapsed in June of 1974 because of over-trading on the foreign currency markets. While the bank itself was not large, its failure became synonymous with foreign exchange settlement risk, and its lessons served as the impetus for work over the subsequent three decades to implement real-time settlement systems now used the world over. The Herstatt bank case is vital to understanding settlement risk because it caused a chain reaction across financial centres as banks in different countries delayed settling their payments to each other. Herstatt got into trouble because of its large and risky foreign exchange business. In September 1973, Herstatt became over-indebted as the bank suffered losses four times higher than the size of its own capital. The losses resulted from an unanticipated appreciation of the dollar. For some time, Herstatt had speculated on a depreciation of the dollar. Only late in 1973 did the foreign exchange department change its strategy. The strategy of the bank to speculate on the appreciation of the dollar worked until mid-January 1974, but then the direction of the dollar movement changed again. The mistrust of other banks aggravated Herstatt’s problems. In March 1974, a special audit authorised by the Federal Banking Supervisory Office (BAKred) discovered that Herstatt’s open exchange positions amounted to DM (Deutschmarks) 2 billion, eighty times the bank’s limit of DM 25 million. The foreign exchange risk was thus three times as large as the amount of its capital. The special audit prompted the management of the bank to close its open foreign exchange positions. When the severity of the situation became obvious, the failure of the bank could not be avoided. In June 1974, Herstatt’s losses on its foreign exchange operations amounted to DM 470 million. On 26 June 1974, BAKred withdrew Herstatt's licence to conduct banking activities. It became obvious that the bank's assets, amounting to DM 1 billion, were more than offset by its DM 2.2 billion liabilities. As the bank was closed in the middle of the day by regulators, it left the dollars that it owed on its foreign-exchange deals unpaid, which is what we today call settlement risk. Shortly after this event, Peter Cooke from the Bank of England proposed setting up a committee of central banks and banking supervisory authorities, which became known as the Basel Committee. In 1988, this committee issued a set of guidelines known as the Basel I recommendations. In particular these featured the Cooke ratio, which set financial institutions an 8% target minimum ratio for capital to loans granted.

3.1.3. Credit Risk-Intrinsic Risk

It focuses on the risk inherent in certain lines of business and loans to certain industries. Commercial real estate construction loans are inherently more risky than consumer loans. Intrinsic risk addresses the susceptibility to historic, predictive, and lending risk factors that characterize an industry or line of business. Historic elements address prior performance and stability of the industry or line of business. Predictive elements focus on characteristics that are subject to change and could positively or negatively affect future performance. Lending elements focus on how the collateral and terms offered in the industry or line of business affect the intrinsic risk.

3.1.4. Credit Risk-Concentration Risk

Concentration risk is the risk posed to a financial institution by any single or group of exposures which have the potential to produce losses large enough to threaten the ability of the institution to continue operating as a going concern. In other words, it's the opposite of a diversified portfolio. For example, an institution may have a concentration of loans in a certain geographic area. If that area experienced an economic downturn, an unexpected volume of defaults might occur, which could result in significant losses to or failure of the institution. Or an institution may have a concentration in a certain type of lending, for example construction lending. If construction slows unexpectedly, the impact to the institution could be significant. By their very nature community banks and credit unions have some degree of concentration risk: geographically, within their customer/member base, and by the products they specialize in and offer. A smaller geographic area served, a more limited customer base, and a smaller number of products offered all lead to increased concentration risk. Concentrations can also exist in asset categories (such as residential real estate, automobiles, business loans, etc.), within asset categories (such as junior position home equity lines of credit within a residential category, indirect auto loans within an automobile category, or SBA loans within a business loans category), or as loan quality rating categories, such as a concentration of lower quality credits (loans). Lastly, concentrations can exist in seemingly unrelated categories. A classic example is a financial institution that invests in mortgage-backed securities in its investment portfolio, while at the same time investing in mortgage loans in its loan portfolio.

A diversified portfolio tends to be harder to achieve than simply following the mantra: don't put all your investment eggs in one basket.

3.1.5. Credit Risk-Consumer Credit Risk

It is the risk of loss due to a customer's non-repayment (default) on a consumer credit product such as a mortgage, unsecured personal loan, credit card, overdraft etc. Not all consumer credit decisions can be made automatically, as insufficient data, regulatory requirements, etc. are hindrances. Hence, in banks, highly trained professionals called underwriters manually review the case and make a decision. To turn an application score into a Yes/No decision, "cut-offs" are generally used. A cut-off is a score (also called application score) at and above which customers have their application accepted and below which applications are declined. Application score is also used as a factor in deciding such things as an overdraft or credit card limit. Banks are generally happier to extend a larger limit to higher scoring customers than to lower scoring customers, because they are more likely to pay borrowings back.

3.1.6. Credit Risk-Credit Derivative

A credit derivative consists of privately held negotiable bilateral contracts that allow users to manage their exposure to credit risk. Credit derivatives are financial assets such as forward contracts, swaps and options for which the price is driven by the credit risk of economic agents, such as private investors or governments. For example, a bank concerned that one of its customers may not be able to repay a loan can protect itself against loss by transferring the credit risk to another party while keeping the loan on its books.

3.1.7. Management of Credit Risk

I. Establishing an appropriate credit risk environment:

The board of directors should have responsibility for approving and periodically reviewing the credit risk strategy and significant credit risk policies of the bank. The strategy should reflect the bank’s tolerance for risk and the level of profitability the bank expects to achieve for incurring various credit risks. Senior management should have responsibility for implementing the credit risk strategy approved by the board of directors and for developing policies and procedures for identifying, measuring, monitoring and controlling credit risk. Such policies and procedures should address credit risk in all of the bank’s activities and at both the individual credit and portfolio levels. Banks should identify and manage credit risk inherent in all products and activities. Banks should ensure that the risks of products and activities new to them are subject to adequate procedures and controls before being introduced or undertaken, and approved in advance by the board of directors or its appropriate committee.

II. Operating under a sound credit granting process:

Banks must operate under sound, well-defined credit-granting criteria. These criteria should include a thorough understanding of the borrower or counterparty, as well as the purpose and structure of the credit, and its source of repayment. Banks should establish overall credit limits at the level of individual borrowers and counterparties, and groups of connected counterparties that aggregate in a comparable and meaningful manner different types of exposures, both in the banking and trading book and on and off the balance sheet. Banks should have a clearly established process in place for approving new credits as well as the extension of existing credits.

All extensions of credit must be made on an arm’s-length basis. In particular, credits to related companies and individuals must be monitored with particular care and other appropriate steps taken to control or mitigate the risks of connected lending.

III. Maintaining an appropriate credit administration, measurement and monitoring process:

Banks should have in place a system for the on-going administration of their various credit risk-bearing portfolios. Banks must have in place a system for monitoring the condition of individual credits, including determining the adequacy of provisions and reserves. Banks should develop and utilise internal risk rating systems in managing credit risk. The rating system should be consistent with the nature, size and complexity of a bank’s activities. Banks must have information systems and analytical techniques that enable management to measure the credit risk inherent in all on- and off-balance sheet activities. The management information system should provide adequate information on the composition of the credit portfolio, including identification of any concentrations of risk. Banks must have in place a system for monitoring the overall composition and quality of the credit portfolio. Banks should take into consideration potential future changes in economic conditions when assessing individual credits and their credit portfolios, and should assess their credit risk exposures under stressful conditions.

IV. Ensuring adequate controls over credit risk:

Banks should establish a system of independent, on-going credit review and the results of such reviews should be communicated directly to the board of directors and senior management. Banks must ensure that the credit-granting function is being properly managed and that credit exposures are within levels consistent with prudential standards and internal limits. Banks should establish and enforce internal controls and other practices to ensure that exceptions to policies, procedures and limits are reported in a timely manner to the appropriate level of management. Banks must have a system in place for managing problem credits and various other workout situations.

V. The role of supervisors:

Supervisors should require that banks have an effective system in place to identify, measure, monitor and control credit risk as part of an overall approach to risk management. Supervisors should conduct an independent evaluation of a bank’s strategies, policies, practices and procedures related to the granting of credit and the on-going management of the portfolio. Supervisors should consider setting prudential limits to restrict bank exposures to single borrow

3.1.8. Conclusion

Credit Risk Management in today’s deregulated market is a big challenge. Increased market volatility has brought with it the need for smart analysis and specialized applications in managing credit risk. A well-defined policy framework is needed to help the operating staff identify the risk events, assign a probability to each, quantify the likely loss, assess the acceptability of the exposure, price the risk and monitor them right to the point where they are paid off. The management of banks should strive to embrace the notion of ‘uncertainty and risk’ in their balance sheet and instil the need for approaching credit administration from a ‘risk-perspective’ across the system by placing well drafted strategies in the hands of the operating staff with due material support for their successful implementation. The principal difficulties with CRM models are obtaining sufficient hard data for estimating the model parameters such as ratings, default probabilities and loss given default and identifying the risk factors that influence the parameter, as well as the correlation between risk factors. Because of these difficulties one should be aware that credit system.

3.2. Market Risk

The Basel Committee on Banking Supervision defines market risk as the risk of losses in on- or off-balance sheet positions that arise from movement in market prices. Market risk is the most prominent for banks present in investment banking. To manage market risk, banks deploy a number of highly sophisticated mathematical and statistical techniques. Chief among these is value-at-risk (VAR) analysis, which over the past 15 years has become established as the industry and regulatory standard in measuring market risk. The imposition of higher capital requirements may make the financial system safer, but from a modelling perspective this is a fairly blunt instrument. The on-going refinements in stress testing are a welcome complement to the main work on VAR, but almost all banks would agree that risk models need more work. Banks are curious about the design choices entailed in simulation and valuation; they are probing for the right balance between sophistication and accuracy, on the one hand, and simplicity, transparency, and speed on the other. Having high-quality market data turns out to be just as critical as the models themselves, but many banks are uncertain about where to draw the line between acceptable and unacceptable levels of quality. Valuation models have become increasingly complex. And most banks are now in the process of integrating new stress-testing analytics that can anticipate a broad spectrum of macroeconomic changes. What banks want from the market-risk management group is, primarily, to understand their market-risk profile, including both short-term profit-and-loss (P&L) volatilities and long-term economic risk. They want to know how much risk they have accumulated and how the total compares with the bank’s stated risk appetite. And they want the group to develop and win regulatory approval of a fair treatment of RWAs (risk-weighted assets), allowing the bank to get maximum efficiency out of its capital.

3.2.1 Market Risk-Interest Rate Risk

Interest rate risk is the probability that variations in the interest rates will have a negative influence on the quality of a given financial instrument or portfolio, as well as on the institution's condition as a whole. Assuming that risk is a normal aspect of the bank's activity and can be an important source of profit and share value. However, excess interest rate risk can significantly jeopardize the bank's incomes and capital base. Variations in the interest rates influence the bank's incomes and change its net interest revenues and the level of other interest-sensitive earnings and operative costs. Interest rate variations also affect the basic value of the bank's assets, liabilities and off-balance instruments, because the present value of the future cash flows (and in some cases the cash flows themselves) alters when interest rates change. Interest rate variations can also influence the level of credit risk and the ability to retain the attracted resources. That is why effective interest rate risk management that keeps risk within reasonable limits is of vital importance for bank stability.

Sources of interest rate risk

A) Re-pricing Risk:

Banks in their capacity as financial brokers face interest rate risk every day. The most common and debated form of interest rate risk originates from the time differences of maturity (for fixed rate), and changes in the interest rates (for floating rate) of the bank's assets, liabilities and off-balance items. Although these discrepancies are fundamental for the bank's activity, they can expose the bank's income and basic economic value to unexpected fluctuations when interest rates vary. For example, a bank which finances a long-term credit with a fixed interest rate with a short-term deposit can experience a decrease in the future revenues and in its basic value if the interest rates rise. This decrease happens because the cash flows are fixed for the credit period while the interests paid on the funding are variable and the interest rates' increase takes place after the short-term deposit matures (respectively, the interest-related costs increase).

B) Yield Curve Risk

The re-pricing discrepancies can also expose the bank to changes of the yield curve tilt and shape. The yield curve risk arises when unexpected changes of the yield curve have an adverse effect on the bank's returns or basic economic value. The yield curve risk results from a change in the percentage ratios of identical instruments with different maturities. For example, the 30-year government bond's profitability can change by 200 basis points, while the profitability of a 3-year government promissory note can change by only 50 basis points for the same time period (one basis point is defined as one hundredth of a percent, i.e. 100 basis points are equal to 1%). Or, the basic economic value of a long position in 10-year government bonds, which is hedged with a short position in 5-year government promissory notes, can abruptly drop if the yield curve steepens even if the position is hedged against parallel changes of the yield curve.
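The hedged-position case above can be worked through numerically. The following is an added example, not part of the original text: a long 10-year position is hedged with a short 5-year position sized so that a one-basis-point parallel move cancels out, and the position is then revalued under a parallel shift and under a steepening. Zero-coupon instruments with annual compounding, the starting yields (4% and 3%), the 50 basis point shocks and all function names are assumptions made for the illustration.

```python
BP = 0.0001  # one basis point = one hundredth of a percent


def zero_price(face, annual_yield, years):
    """Present value of a single payment of `face` due in `years` years."""
    return face / (1.0 + annual_yield) ** years


def dv01(face, annual_yield, years):
    """Value lost when the yield rises by one basis point (central difference)."""
    up = zero_price(face, annual_yield + BP, years)
    down = zero_price(face, annual_yield - BP, years)
    return (down - up) / 2.0


def hedge_face(long_face, long_yield, long_years, short_yield, short_years):
    """Face amount of the short leg that offsets a parallel one-bp move."""
    per_unit_long = dv01(1.0, long_yield, long_years)
    per_unit_short = dv01(1.0, short_yield, short_years)
    return long_face * per_unit_long / per_unit_short


def hedged_pnl(long_shift_bp, short_shift_bp,
               long_face=100.0, long_yield=0.04, long_years=10,
               short_yield=0.03, short_years=5):
    """Change in value of (long 10y, short 5y) after the given yield moves.

    The short leg is sized before the move, as a hedge against parallel
    shifts only; the two maturities are then shocked independently.
    """
    short_face = hedge_face(long_face, long_yield, long_years,
                            short_yield, short_years)
    long_change = (
        zero_price(long_face, long_yield + long_shift_bp * BP, long_years)
        - zero_price(long_face, long_yield, long_years)
    )
    short_change = (
        zero_price(short_face, short_yield + short_shift_bp * BP, short_years)
        - zero_price(short_face, short_yield, short_years)
    )
    # Long leg gains when its price rises; short leg gains when its price falls.
    return long_change - short_change


if __name__ == "__main__":
    face = hedge_face(100.0, 0.04, 10, 0.03, 5)
    print(f"short 5-year face per 100 long 10-year face: {face:.2f}")
    print(f"parallel +50bp on both maturities : {hedged_pnl(50, 50):+.4f}")
    print(f"steepening, 10y +50bp, 5y unchanged: {hedged_pnl(50, 0):+.4f}")
```

The parallel shift leaves only a small residual from the difference in convexity between the two legs, while the steepening produces a loss close to that of an unhedged long position.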

C) Basis Risk:

Basis risk results from weak correlation in the adjustment of the interest rates which are received and paid on various instruments that otherwise have the same re-pricing characteristics. When the interest rates change, that absence of correlation can cause unexpected alterations in the cash flow and the spread between assets, liabilities and off-balance instruments with similar maturities. For example, three-month interest rates are paid on three-month inter-bank deposits, three-month Euro-dollar deposits and three-month treasury bills. However, these three-month rates do not form ideal ratios among each other and their profitability margins can change over time. As a result, three-month treasury bills financed by three-month Euro-dollar deposits represent an improperly balanced or hedged position which can cost the bank a lot when interest rates change.

D) Option Risk:

An additional source of interest rate risk with increasing significance is the risk arising from options embedded in many banks' assets, liabilities and off-balance portfolios. Formally, these options provide their holder with the right, but not the obligation, to buy, sell or change in a certain way the cash flow of a given instrument or financial contract. Instruments with embedded options include various types of bonds and promissory notes with call or put option, credits which provide the borrowers with the right to premature repayment, as well as various types of undated deposit instruments which entitle the depositors to withdraw their money at any time, often without any penalties. This type of risk can have an adverse impact on the profit or economic value of the bank's own capital via a decrease in the assets' profitability, increase in the attracted funds' price or decrease in the expected cash flow's net present value. For example, if a client repays their credit earlier during a period of decreasing interest rates, the bank will not receive the initially expected cash flow and will thus have to re-invest the sum at a lower interest rate.

E) Reinvestment Risk:

Reinvestment risk is the risk arising out of uncertainty with regard to interest rate at which the future cash flows could be reinvested. Any mismatches in cash flows i.e., inflow and outflow would expose the banks to variation in Net Interest Income. This is because market interest received on loan and to be paid on deposits move in different directions.

F) Net Interest Position Risk:

Net Interest Position Risk arises when the market interest rates adjust downwards and where banks have more earning assets than paying liabilities. Such banks will experience a reduction in NII as the market interest rate declines and the NII increases when interest rate rises. Its impact is on the earnings of the bank or its impact is on the economic value of the banks’ assets, liabilities and OBS positions.

3.2.2 Market Risk-Equity Risk

Equity risk is the potential losses involved in holding equity in a particular investment due to fluctuations in stock price. A lot of people tend to believe that mitigating equity risk is as simple as holding a few dozen stocks or a handful of mutual funds. Although these practices are conceptually true, they are wholly incomplete methods of diversification and only touch the surface of what can be done. Mitigating equity risk to the fullest extent possible involves holding multitudes of stocks and asset classes, and doing so in meaningful allocations across the spectrum of equity opportunities. Recently, some experts have been coming out with a more extreme call for diversification, urging the average investor to own at least 30 or more stocks.

Another way to avoid equity risk is in more specific diversification of the types of equities that the investor owns. For example, holding stock in various “sectors” like energy, technology, retail, or agriculture, helps with lowering equity risk. All of these methods help investors to balance out their stock purchases and lower the risk that their total values will experience sudden price drops. Investors can also use various types of modern funds to help with equity risks. Mutual funds and exchange traded funds are some specific kinds of financial products that can help traders get into more stocks quickly and easily. Many of these funds are a more appealing substitute for all of the tedious single purchases that would go into broader diversification of a stock portfolio.

3.2.3 Market Risk-Foreign Exchange Risk

Foreign-exchange risk is the risk that an asset or investment denominated in a foreign currency will lose value as a result of unfavourable exchange rate fluctuations between the investment's foreign currency and the investment holder's domestic currency. Foreign-exchange risk is an additional dimension of risk which offshore investors must accept. Though foreign-exchange risk specifically addresses undesirable movements that might result in losses, it is possible to benefit from favourable fluctuations with the potential for additional value above and beyond that of an already-stable investment.

Types of foreign exchange risk:

1. Transaction Risk

This is the risk of an exchange rate changing between the transaction date and the subsequent settlement date, i.e. it is the gain or loss arising on conversion. This type of risk is primarily associated with imports and exports. If a company exports goods on credit then it has a figure for debtors in its accounts. The amount it will finally receive depends on the foreign exchange movement from the transaction date to the settlement date. As transaction risk has a potential impact on the cash flows of a company, most companies choose to hedge against such exposure.

2. Economic Risk

Transaction exposure focuses on relatively short-term cash flows effects; economic exposure encompasses these plus the longer-term effects of changes in exchange rates on the market value of a company. Basically this means a change in the present value of the future after tax cash flows due to changes in exchange rates. There are two ways in which a company is exposed to economic risk.

Directly: If your firm's home currency strengthens then foreign competitors are able to gain sales at your expense because your products have become more expensive (or you have reduced your margins) in the eyes of customers both abroad and at home.

Indirectly: Even if your home currency does not move vis-à-vis your customer's currency, you may lose competitive position. For example, suppose a South African firm is selling into Hong Kong and its main competitor is a New Zealand firm. If the New Zealand dollar weakens against the Hong Kong dollar, the South African firm has lost some competitive position.

Economic risk is difficult to quantify but a favoured strategy to manage it is to diversify internationally, in terms of sales, location of production facilities, raw materials and financing. Such diversification is likely to significantly reduce the impact of economic exposure relative to a purely domestic company, and provide much greater flexibility to react to real exchange rate changes.

3. Translation Risk

The financial statements of overseas subsidiaries are usually translated into the home currency in order that they can be consolidated into the group's financial statements. Note that this is purely a paper-based exercise - it is the translation not the conversion of real money from one currency to another. The reported performance of an overseas subsidiary in home-based currency terms can be severely distorted if there has been a significant foreign exchange movement.

3.2.4. Market Risk-Commodity Risk

Commodity risk is the risk that a business’s financial performance or position will be adversely affected by fluctuations in the prices of commodities. Producers of commodities, for example in the minerals (gold, coal etc.), agricultural (wheat, cotton, sugar etc.) and energy sectors (oil, gas and electricity), are primarily exposed to price falls, which means they will receive less revenue for the commodities they produce. Consumers of commodities, such as airlines, transport companies, clothing manufacturers and food manufacturers, are primarily exposed to rising prices, which will increase the cost of the commodities they purchase. Commodities generally fall into three categories:

  • Soft commodities include agriculture products such as wheat, coffee, sugar and fruit.

  • Metals include gold, silver, copper and aluminium.

  • Energy commodities include gas, oil and coal.

A business should consider managing commodity risks where fluctuations in commodity pricing and/or supply may impact on the business’s profitability. In an organisation in which the core operations are anything other than financial services, such risk should be appropriately managed so that the focus of the organisation is on providing the core goods or services without exposing the business to unnecessary risks.

Types of commodity risk:

There are four types of commodity risk to which an organisation may be exposed:

  • Price Risk: arises from an adverse movement in the price of a commodity as determined by forces outside the control of the organisation

  • Quantity Risk: arises from changes in the availability of commodities

  • Cost (input) Risk: arises when adverse movements in the price of commodities impact business costs

  • Political Risk: arises from compliance or regulation impacts on price or supply of commodities.

Generally, there are three groups that will be exposed to commodity risk:

  • Producers: Can include farmers, other agricultural producers and miners. They can be exposed to all of the types of risks noted above.

  • Buyers: Can include cooperatives, commercial traders and manufacturers who consume commodities in their production processes. Such

  • Time Lag: Organisations can be exposed to commodity risk through the time lag between order and receipt of goods.

  • Exporters: Face risk from the time lag between order and receipt from sales, as well as political risk where compliance, regulation or availability can adversely impact sales price.

3.2.5. Market Risk-Derivative Risk

3.2.5.1. Market Risk-Derivatives-Complete Analysis

Derivative Definition:

Derivatives have become important to the overall risk profile and profitability of banks throughout the world. Broadly defined, a derivatives instrument is a financial contract whose value depends on the values of one or more underlying assets or indexes. Derivatives transactions include financial contracts such as forwards, futures, swaps and options. While some derivatives instruments may have very complex structures, all of them can be divided into the basic building blocks of options, forward contracts or some combination thereof. The use of these basic building blocks in structuring derivatives instruments allows the transfer of various financial risks to parties who are more willing or better suited to take or manage them.

Exchange Traded Derivative vs. OTC Derivative:

Derivatives contracts are entered into throughout the world on organized exchanges and through over-the-counter (OTC) arrangements. Exchange-traded contracts are typically standardized as to maturity, contract size and delivery terms. OTC contracts are custom-tailored to an institution’s needs and often specify commodities, instruments and/or maturities that are not offered on any exchange.

Derivatives as a risk management tool or a revenue generator:

Derivatives are used by banks both as risk management tools and as a source of revenue. From a risk management perspective, they allow financial institutions and other participants to identify, isolate and manage separately the market risks in financial instruments and commodities. When used prudently, derivatives can offer managers efficient and effective methods for reducing certain risks through hedging. Derivatives may also be used to reduce financing costs and to increase the yield of certain assets. For a growing number of banks, derivatives activities are becoming a direct source of revenue through "market-making" functions, position taking and risk arbitrage.

Market-Making vs. Position-Taking:

“Market-Making” functions involve entering into derivatives transactions with customers and with other market-makers while maintaining a generally balanced portfolio with the expectation of earning fees generated by a bid/offer spread; “Position-Taking”, on the other hand, represents efforts to profit by accepting the risk that stems from taking outright positions in anticipation of price movements.

Participants of Derivatives Markets:

Participants of derivatives markets are a broad range of financial institutions such as banks, securities firms and insurance companies; institutional investors such as pension funds, mutual funds and specialized investment partnerships; and corporations, local and state governments, government agencies and international agencies.

Role of Intermediaries:

Intermediaries, sometimes referred to as "dealers", cater to the needs of end-users by "making markets" in OTC derivatives instruments. In doing so, they expect to generate income from transaction fees, bid/offer spreads and their own trading positions. Important intermediaries, or derivative dealers, include major banks and securities firms around the world. As intermediaries, banks have traditionally offered foreign exchange and interest rate risk management products to their customers and generally view derivatives products as a financial risk management service.

Basic Risks Associated with Derivatives:

The basic risks associated with derivatives transactions are not new to banking organizations. In general, these risks are credit risk, market risk, liquidity risk, operations risk and legal risk. Because they facilitate the specific identification and management of these risks, derivatives have the potential to enhance the safety and soundness of banks and to produce a more efficient allocation of financial risks. However, since derivatives also repackage these basic risks in combinations that can be quite complex, they can also threaten the safety and soundness of institutions if they are not clearly understood and properly managed.

Sound Risk Management for the Use of Derivatives:

  • Appropriate oversight by boards of directors and senior management;

  • An adequate risk management process that integrates prudent risk limits, sound measurement procedures and information systems;

  • Continuous risk monitoring and frequent management reporting;

  • Comprehensive internal controls and audit procedures.

Standard Practices for Sound Risk Management in banks:

  • As is standard practice for most banking activities, an institution should maintain written policies and procedures that clearly outline its risk management guidance for derivatives activities.

  • At a minimum these policies should identify the risk tolerances of the board of directors and should clearly delineate lines of authority and responsibility for managing the risk of these activities.

  • The board of directors should approve all significant policies relating to the management of risks throughout the institution. These policies, which should include those related to derivatives activities, should be consistent with the organization’s broader business strategies, capital strength, management expertise and overall willingness to take risk.

  • Before engaging in derivatives activities, management should ensure that all appropriate approvals are obtained and that adequate operational procedures and risk control systems are in place.

In banks, proposals to undertake derivatives activities should include:

  • Description of the relevant financial products, markets and business strategies

  • The resources required to establish sound and effective risk management systems and to attract and retain professionals with specific expertise in derivatives transactions

  • An analysis of the reasonableness of the proposed activities in relation to the bank’s overall financial condition and capital levels

  • An analysis of the risks that may arise from the activities

  • The procedures the bank will use to measure, monitor and control risks

  • The relevant accounting guidelines

  • The relevant tax treatment; and

  • An analysis of any legal restrictions and whether the activities are permissible.

3.2.6. Liquidity Risk

Liquidity risk is the financial risk that, for a certain period of time, a given financial asset, security or commodity cannot be traded quickly enough in the market without impacting the market price. Market liquidity is a market's ability to purchase or sell an asset without causing drastic change in the asset's price. Equivalently, an asset's market liquidity (or simply "an asset's liquidity") describes the asset's ability to be sold quickly without having to reduce its price to a significant degree. Liquidity is about how big the trade-off is between the speed of the sale and the price it can be sold for. In a liquid market, the trade-off is mild: selling quickly will not reduce the price much. In a relatively illiquid market, selling quickly will require cutting the price by some amount.

Market liquidity can be categorized into two types. The first is the liquidity in the inter-bank market, where liquidity is being traded among banks, while the second is the liquidity in the asset market, where assets are being traded among financial agents. These two types of liquidity are the main sources for any financial institution/bank to acquire funding liquidity from the markets and thereby explain the interactions between various liquidity types.

3.2.6.1. Types of Liquidity Risk

A. Funding Liquidity Risk:

Funding liquidity risk is driven by the possibility that, over a specific period of time, the bank is unable to settle obligations when due. The nature of a bank is to borrow short (that is, taking on customer deposits) and lend long (that is, issuing loans/mortgages). This exposes the bank to funding liquidity risk. In simple terms, it is the risk that the bank cannot meet the demand of customers wishing to withdraw their deposits.

For banks to pay their liabilities as they fall due, they need to be able to meet expected levels of withdrawals, plus have additional liquidity resources to meet unexpected withdrawals. Liquidity resources include:

  • Deposits at the central bank

  • Short dated liquid assets such as treasury bills that provide liquidity on maturity

  • Longer-dated liquid assets such as gilts that can be pledged as collateral in sale and repurchase (repo) transactions

  • Contingency funding lines (interbank lending)

  • Assets available for sale. E.g., books of mortgages that can be securitised.

The first four do not require an asset to be sold, and hence are not subject to market liquidity risk. Banks must find a balance between holding enough liquid assets to meet unexpected funding needs and the higher yield available from less liquid assets. The liquidity coverage ratio (LCR), published by the Basel Committee on Banking Supervision, specifies the type of assets that the bank can classify as high quality liquid assets (HQLA) and sets the minimum amount of liquid assets that must be held, enough to cover net cash outflows for 30 days under stressed market conditions.

B. Contingency Liquidity Risk:

The risk that future events may require a significantly larger amount of cash than the bank’s projections allow. This can arise due to unusual deviations of timing of cash flows. Having a “Contingency Financial Plan” in place will help banks to avoid this risk.

C. Market Liquidity Risk:

Market liquidity risk is the loss incurred when a bank wants to execute a trade or to liquidate a position immediately while not hitting the best price. In simple terms, an asset becomes illiquid when the bank cannot find a buyer for that asset, and consequently the market liquidity risk increases.

3.2.7. Margining Risk

Margining risk is the financial risk that future cash flows are smaller than expected due to the payment of margins. Margin payments ensure that each investor is serious about buying or selling shares.

Margins in the cash market segment comprise the following three types:

  • Value at Risk (VaR) Margin: VaR is a technique used to estimate the probability of loss of value of an asset or group of assets (for example a share or a portfolio of a few shares), based on the statistical analysis of historical price trends and volatilities.

  • Extreme Loss Margin: The extreme loss margin aims at covering the losses that could occur outside the coverage of VaR margins.

  • Mark to Market Margin (MTM): MTM is calculated at the end of the day on all open positions by comparing transaction price with the closing price of the share for the day.

3.2.8. Price Risk

Price risk is the risk that the fair value or future cash flows of capital and debt financial instruments (stocks, bonds, indexes and derivatives connected with them) fluctuate as a result of changes in market prices, no matter whether these changes are caused by factors typical for individual instruments or for their issuer (counterparty), or by factors related to all the instruments traded on the market. The risk connected with commodity exchange prices is the probability of unfavourable changes in the value of commodities traded by the bank. Price risks associated with commodities differ significantly from interest rate and currency risks, and require careful monitoring and management, as most commodities are traded on markets where the supply concentration can increase the price volatility. What is more, changes in market liquidity are often accompanied by significant price volatility. That is why commodity prices are broadly more unstable than those of most commonly traded financial assets. The risk assessment associated with commodity prices should be performed market by market, and it should include not only analysis of historical price movements but also assessment of the supply and demand structure on the market, so that the probability of unusually large price movements can be assessed.

3.2.9. Managing Market Risk

Primarily, banks want to understand their market-risk profile, including both short-term profit-and-loss (P&L) volatilities and long-term economic risk. They want to know how much risk they have accumulated and how the total compares with the bank’s stated risk appetite. And they want to develop and win regulatory approval of a fair treatment of RWAs (risk-weighted assets are a bank's assets or off-balance-sheet exposures, weighted according to risk; this sort of asset calculation is used in determining the capital requirement or Capital Adequacy Ratio (CAR) for a financial institution), allowing the bank to get maximum efficiency out of its capital. These needs are supported by risk models. But while the requirements for market-risk modelling are quite consistent among banks, actual practices vary substantially.

To manage market risk, banks deploy a number of highly sophisticated mathematical and statistical techniques. Chief among these is value-at-risk (VAR) analysis, which over the past 15 years has become established as the industry and regulatory standard in measuring market risk. The demands placed on VAR and other similar techniques have grown tremendously, driven by new products such as correlation trading, multi-asset options, power-reverse dual currency swaps, and other such innovations.

The number of risk factors required to price the trading book at a global institution has now grown to several thousand, and sometimes as many as 10,000. Valuation models have become increasingly complex. And most banks are now in the process of integrating new stress-testing analytics that can anticipate a broad spectrum of macroeconomic changes. Despite these accomplishments, VAR and other risk models have continually come up short.

The 1998 crisis at Long Term Capital Management demonstrated the limitations of risk modeling. In the violent market upheavals of 2007–08, many banks reported more than 30 days when losses exceeded VAR, a span in which 3 to 5 such days would be the norm. In 2011, just before the European sovereign crisis got under way, many banks’ risk models treated eurozone government bonds as virtually risk free. Indeed, the perceived limitations of VAR are bringing the industry under severe scrutiny.
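The exceedance counts quoted above come from backtesting: comparing each day's realised loss with the VaR the model produced for that day. The following is an added example, not part of the original text. It computes a one-day historical-simulation VaR over a rolling window and counts the exceedances; the 99% confidence level, the 250-day window, the nearest-rank quantile and the P&L series (a calm regime followed by one with three times the volatility) are all assumptions constructed for illustration.

```python
"""Backtesting a one-day historical-simulation VaR on constructed P&L data."""
from math import ceil

# Assumptions for this illustration (not taken from the text).
CONFIDENCE = 0.99   # one-tailed confidence level of the VaR figure
WINDOW = 250        # trading days of history used to calibrate each day's VaR


def historical_var(pnl_window, confidence=CONFIDENCE):
    """Return VaR as a positive loss: the nearest-rank quantile of past losses."""
    if not pnl_window:
        raise ValueError("need at least one observation")
    losses = sorted(-p for p in pnl_window)    # loss = negative P&L, ascending
    rank = ceil(confidence * len(losses))      # nearest-rank method, 1-based
    return losses[rank - 1]


def backtest(pnl, window=WINDOW, confidence=CONFIDENCE):
    """Return the day indexes on which the realised loss exceeded that day's VaR.

    The VaR for day t is calibrated only on pnl[t - window:t], so the model
    never sees the day it is being tested on.
    """
    exceptions = []
    for t in range(window, len(pnl)):
        var_t = historical_var(pnl[t - window:t], confidence)
        if -pnl[t] > var_t:
            exceptions.append(t)
    return exceptions


def expected_exceptions(n_days, confidence=CONFIDENCE):
    """Average number of exceedances a well-calibrated model would show."""
    return (1.0 - confidence) * n_days


def summarize(pnl, window=WINDOW, confidence=CONFIDENCE):
    """Compare observed exceedances with the number the confidence level implies."""
    tested = len(pnl) - window
    hits = backtest(pnl, window, confidence)
    return {
        "days_tested": tested,
        "observed": len(hits),
        "expected": expected_exceptions(tested, confidence),
        "exception_days": hits,
    }


# Constructed daily P&L (arbitrary currency units), repeated week by week.
CALM_WEEK = [1.0, -0.5, 0.5, -1.0, 0.2]
STRESS_WEEK = [3 * x for x in CALM_WEEK]       # same shape, three times the size

# 500 calm days: the model is calibrated and tested in the same regime.
CALM_ONLY = CALM_WEEK * 100
# 250 calm days of history, then 50 days of the stressed regime.
REGIME_SHIFT = CALM_WEEK * 50 + STRESS_WEEK * 10


if __name__ == "__main__":
    for name, series in (("calm only", CALM_ONLY), ("regime shift", REGIME_SHIFT)):
        s = summarize(series)
        print(f"{name}: {s['observed']} exceedances in {s['days_tested']} days "
              f"(expected about {s['expected']:.1f}) on days {s['exception_days']}")
```

On the constructed regime-shift series the model is breached on 5 of the 50 tested days against an expected 0.5, and the breaches stop only once enough stressed days have entered the calibration window.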


3.3. Exposure Risk

In simple terms, exposure is the risk of suffering a loss in a transaction, or the uncertainty that comes from concentrating in a single business type or group. In short, the three factors deciding a bank's exposure are as given below:

1) Total amount of unsecured loans.

2) Total amount of loans advanced to a single borrower, group, industry, or country.

3) Probability of loss from devaluation, revaluation, or foreign exchange fluctuations.

3.3.1. Exposure Risk-Total Amount of Unsecured Loans

Definition: An unsecured loan is issued on the basis of the borrower's creditworthiness rather than any type of security (such as property). Hence, borrowers must generally have high credit ratings to be approved for certain unsecured loans.

Types of Unsecured Loans given by banks:

  • Credit Card

  • Personal Loans

  • Small Business Loans

  • Payday Loan

  • Line of Credit

  • Cash Advance

  • Signature Loans

  • Student Loans

  • Peer to Peer Loans

  • Term Loans

1. Credit Cards:

A credit card is an unsecured loan, since money is borrowed from the credit card company to make a purchase with the intention of paying it back at a later date. As the technology used by criminals gets cheaper, so does the cost of hacking into credit card accounts. Moreover, “Card-Not-Present” fraud, the fraudulent transactions that occur when the card isn’t physically present, leaves the bank more exposed, as a credit card is an unsecured loan. If a customer’s credit card is compromised, the potential harm to the customer is relatively small: they can contact the issuer bank to report any false charges and complete some basic paperwork, and no money leaves their hands. Since a credit card charge is essentially a loan from the bank, it is not the customer’s own money; hence, the exposure lies with the bank that issued the card. The bank is also fully accountable for investigating the report, which is time-bound and costs manpower.

Risks: Credit cards have the largest number of defaults compared with other revolving retail credit products. Hence, banks should ensure that their exposure to credit cards accounts for only five per cent of the bank’s total consumer loan portfolio. The small relative exposure to credit card debt should always dull the impact of expected fallout from events such as a failing economy or severe job cuts, especially in times of recession.

2. Personal Loans:

Personal loans help the households meet any shortfall they experience in buying a house or a car, in children's higher education, or even in cases of medical contingencies, among other things. It is provided on the basis of key criteria such as income level, credit exposure, employment history, repayment capacity, etc.

The credit standing of an applicant for a personal loan is investigated intensively because it indicates, within reasonable limits, the likelihood of repayment. It should not be assumed, however, that a bank officer can foretell with certainty how faithfully a borrower will meet his obligations: few applicants have economic prospects so bad that there is not some small chance of repayment, and few are so well situated that there is not some possibility of delinquency or even default. The selection of borrowers must therefore rest on probabilities. On the basis of experience, and to some extent intuition, the loan officer decides which applicants are more likely to default than others.

Risks: The risk with personal loans is the collection costs involved. Hence, banks should ensure that their exposure to personal loans accounts for less than eight per cent of the bank’s total consumer loan portfolio.

3. Small Business Loans:

An unsecured small/SME (Small and Medium Scale Enterprises) business loan is a loan that requires no collateral but is rather based solely upon the creditworthiness of the business borrower. Banks usually apply a general lien (a right to keep possession of property belonging to another person until a debt owed by that person is discharged) on business assets until the loan balance is paid in full.

Risks: Banks usually face the below risks with this type of loan:

  • Small businesses are inherently riskier than their larger counterparts, which makes banks think twice before extending them credit.

  • Underwriting (evaluation of risk) costs are the same for a small loan as for a large loan.

4. Payday Loan:

A payday loan (also known as a payroll loan or salary loan) is given to wage earners who are in employment. It is a relatively small amount of money lent at a high rate of interest on the agreement that it will be repaid when the borrower receives their next pay-check/salary.

Risks: Although the concept is not new, the business is at a nascent stage with banks.

5. Line of Credit:

A line of credit is an agreement between a bank and a customer that establishes the maximum amount of a loan that the customer can borrow. The borrower can access funds from the line of credit at any time, as long as the customer does not exceed the maximum amount set in the agreement and makes timely minimum payments. As this arrangement allows borrowers to spend the money, repay it and spend it again in a virtually never-ending revolving cycle, it is also called a revolving line of credit.

Banks have only recently begun to market these products to any significant extent. This may be a by-product of an economy that has reduced loan demand and new regulations that have restricted fee-based sources of income.

Risks: Lines of credit tend to be lower-risk revenue sources relative to credit card loans, but they do complicate a bank's earnings somewhat, as the outstanding balances can't really be controlled once the line of credit has been approved.

6. Cash Advances:

A cash advance allows a customer to use a credit card to get a short-term cash loan at a bank or ATM. Stolen credit cards are used for cash advances; hence, this is a risky product for a bank. Tellers should not give cash advances to customers based on confirmations from the issuer bank. Default risk also plays a major role for banks issuing cash advances.

Risks: The riskiest part of this product is that it can be availed through ATM services if the credit card is a chip-based card. Hence, it is a new avenue of money for hackers and thieves relying on cards.

7. Signature Loans:

A signature loan is a fixed rate, fixed term personal loan. Banks will require that applicants satisfy their requirements for creditworthiness.

Risks: It is not much of a risky product among those offered by banks.

8. Student Loans:

A student loan is provided to help students pay for tuition fees, books and living expenses. But it is noteworthy that of late, repayment and recovery of student loans has become a cause of serious concern to the banks.

Risks: It is believed that, due to a slowed-down economy and fewer job prospects, students have been defaulting on their loans. Banks have been facing a problem of rising Non-Performing Assets (NPAs), and are finding it difficult to recover dues.

9. Peer to Peer Loans:

Internet companies are challenging one of a bank’s most traditional roles: lending. Peer-to-peer lending uses digital technology to match lenders to borrowers, and P2P websites do this matching automatically. Banks are also pairing up with these lending sites in order to increase their reach. For example, in 2014 USA-based Union Bank and Lending Club partnered on personal loans, followed shortly by Europe-based Bank Santander teaming with Funding Circle on small-business credits. The Royal Bank of Scotland also paired up with Funding Circle in 2015.

Risks: P2P lenders are unregulated and are riskier.

10. Term Loans:

It’s an asset-based loan payable in a fixed number of equal instalments over the term of the loan. The loan usually lasts between one and ten years, but can last as long as 30 years in some cases. Term loans are generally provided as working capital for acquiring income-producing assets (machinery, equipment, inventory…) that generate the cash flows for repayment of the loan. The loan carries a fixed or variable interest rate, a monthly or quarterly repayment schedule, and a set maturity date.

Risk: Default risk is the most likely risk for these kinds of loans.

The loan portfolio is essentially the largest asset base for banks and is predominantly their greatest source of income. Effective management of the loan portfolio and credit function is fundamental to a bank’s safety and soundness. Unsecured loans require more attention, as they are the riskiest loan portfolios and the percentage of defaulters is high. Hence, for unsecured loans, banks should have a strong loan portfolio management process in place. A good loan manager concentrates on prudently approving loans and carefully monitoring loan performance. Loan managers of banks from time to time have to repackage their services and products to satisfy the needs of customers, not only to retain their market share but in the process to reduce bad loans. The value of an unsecured loan portfolio depends not only on the interest rates earned on the loans, but also on the quality of the loans, that is, the likelihood that interest and principal will be paid. Good loan performance will ensure that the existing loans are repaid together with the accrued interest, which will make funds available to the bank.

The total amount of unsecured loans needs to be decided based on what percentage of repayment the bank is able to collect. For example, a bank having Rs.X in unsecured debt is a red flag if the bank is only making Rs.X+10% a year owing to a high number of defaulters. But X in the unsecured loan portfolio isn't a problem if the bank is bringing in X+20% a year. Banks should always keep the debt-to-income ratio in mind.

3.3.2. Exposure Risk-Total amount of loans advanced to a single borrower, group, industry, or country

Concentration risk usually arises from large credits to a single borrower, related borrowers, borrowers having high risk ratings, borrowers from the same country, geographic region or economic sector, the same type of collateral, maturity, currency of denomination, the same type of credit product, etc. The types of concentration risk are:

  • Single Name Concentration Risk;

  • Sectorial Concentration Risk;

  • Contagion Risk;

  • Concentration in Currency Risk.

a. Single Name Concentration Risk:

Single Name Concentration is a form of credit risk concentration describing a condition in which a Credit Portfolio has a material share allocated to a single counterparty or a group of related counterparties linked by specific ties (e.g., corporate group). Single Name Concentration risk comprises the risks resulting from the potential default of a single borrower or a legally connected group of borrowers. The term “single-name concentration risk” is used if the exposures to large individual borrowers account for the bulk of all loans in a portfolio.

b. Sectorial Concentration:

Sectorial concentration risk arises from uneven distribution of exposures to particular sectors, geographical regions, industries or products which are capable of generating losses large enough to threaten an institution’s solvency. For example, if the leather industry is in a downturn, the possibility of loss or default among its borrowers increases.

c. Contagion Risk:

Contagion risk is defined as the probability that the instability of the given institution (instrument, market, infrastructure, financial system sector) will spread to other parts of the financial system with negative effects, leading to a system-wide crisis.

d. Concentration in Currency Risk:

Currency concentration risk, commonly referred to as exchange-rate risk, arises from the change in price of one currency in relation to another. When a bank holds assets or liabilities in a single foreign currency, fluctuations in the exchange rates affect the bank’s earnings and capital.

3.3.3. Exposure Risk-Probability of loss from Devaluation, Revaluation, or Foreign Exchange Fluctuations

1. Loss from devaluation:

Devaluation is a deliberate downward adjustment to the value of a country's currency relative to another currency, group of currencies or standard. In general terms, a weaker currency will stimulate exports and make imports more expensive, thereby decreasing a nation's trade deficit (or increasing surplus) over time. The devaluation of the currency will hurt banking sector capitalisation, as banks have large numbers of foreign-currency denominated loans and are exposed to losses on short FX positions.

2. Loss from revaluation:

Revaluation of a currency is a calculated adjustment to a country's official exchange rate relative to a chosen baseline. The baseline could in principle be anything from wage rates to the price of gold to a foreign currency. Revaluations affect not just the currency being examined but can also affect the valuation of assets held by banks in that particular currency.

3. Foreign exchange fluctuations:

Foreign exchange rate fluctuations affect banks both directly and indirectly. The direct effect comes from banks' holdings of assets (or liabilities) with net payment streams denominated in a foreign currency.

3.3.4. Managing Exposure Risk

Banks should manage exposure risks holistically, identifying where each risk resides and how one kind of risk can potentially affect others. Banks need to determine their exposures to other markets that can easily come under pressure. Decisions must also be made on the methods and instruments available to manage exposure risks; e.g., a bank having exposure to a foreign currency can borrow in the same foreign currency to avoid the effect of foreign currency fluctuations.

When considering loss probability, banks usually divide risk into two categories:

a. Pure Risk: Pure risks are categories of risk that are beyond anyone's control, such as natural disasters, epidemics, or a sudden change in government policy without intimation to banks.

b. Speculative Risk: Types of speculative risk include financial investments or any activities that will result in either a profit or a loss for the bank. Speculative risks carry an uncertain outcome.

To calculate risk exposure, the bank determines the probability of the risk occurring and multiplies it by the total potential loss of the risk. To do so, banks must know the total loss in currency that might occur, as well as a percentage depicting the probability of the risk occurring. The objective of the risk exposure calculation is to determine the overall level of risk that the bank can tolerate for the given situation, based on the benefits and costs involved.

3.4. Investment Risk

Investment risk can be defined as the probability or likelihood of occurrence of losses relative to the expected return on any particular investments made by the banks. Hence, for modern-day banks the essence of investment should be the management of risks and not the management of returns. To manage investment risks, a bank should ask itself the following questions from time to time.

  • Has any event happened, or is any event going to happen, that can affect the bank's investments? If so, what is the extent of the damage to the bank?

  • Which investments may decline due to change in government policies?

  • Will investments be affected by economic developments?

  • What is the extent of risk that the investments can be sold immediately at a fair price?

  • Are the bank's investments concentrated or well diversified?

  • How much returns will get eroded due to inflation?

  • What is the extent of loss/profit for investments made by the banks overseas?

3.4.1. Types of Investment Risk

A. Market Risk:

Market risk for banks can be defined simply as the “performance of a particular security”. Otherwise defined, it is the risk that the value of an investment by a bank will decrease due to changes in market factors such as government decisions, international transactions, speculation/expectation, and supply and demand.

The main types of market risks for banks are:

  • Equity Risk

  • Interest rate risk

  • Currency Risk

1. Equity Risks for the banks:

Equity risk applies to an investment in shares. The market price of shares varies all the time depending on demand and supply. Equity risk is the risk of loss because of a drop in the market price of shares. For banks, equity risk is usually understood to be the risk of losses arising from negative changes in the fair value of that portion of the long-term equity investments portfolio in which the risks are not included in other types of risk. Equity risks are generally taken care of by departments such as Strategy and Control, International Markets, Accounting and Legal Affairs, or Investment Planning and Control.

The monitoring and measurement of equity risk is the responsibility of the relevant planning and control departments mentioned above, who must then submit reports on the results of their activities to the Board and the Managing Directors responsible for supporting these investments.

2. Interest Rate Risk:

For banks, interest rate risk is most relevant to fixed-income securities, where a potential increase in market interest rates is a risk to the value of those securities. In other words, interest rate risk applies to debt investments such as bonds. It is the risk of losing money because of a change in the interest rate. For example, if the interest rate goes up, the market value of bonds will drop.

3. Currency Risk:

Currency or exchange rate risk for a bank is risk that arises from the change in price of one currency against another. The constant fluctuations in the foreign currency in which an investment is denominated may add risk to the value of a security.

B. Liquidity Risk:

Liquidity is a bank’s capacity to fund increases in assets and meet both expected and unexpected cash and collateral obligations at reasonable cost and without incurring unacceptable losses. Liquidity risk in terms of investments is the risk that a bank is unable to sell its investment at a fair price and get its money out when it wants. To sell its investment, the bank may need to accept a lower price. Banks regularly find imbalances (gaps) between the asset and the liability side that need to be equalized because, by nature, banks accept liquid liabilities but invest in illiquid assets.

C. Business Risk

In terms of investment, business risk is the measure of risk associated with a particular security, also known as unsystematic risk. Business risk refers to the possibility that the issuer of a stock or a bond may go bankrupt or, in the case of bonds, be unable to pay the interest or principal.

3.5. Country Risk

Country risk covers the various risks that can arise from the economic, social and political environment of a given foreign country, which could have favorable or adverse consequences for foreign banks’ debt and/or equity investments in that country.

Types of Country Risks:

a. Macro-economic risk:

Macro-Economic risk is financial risk for a bank that is associated with macroeconomic (such as economic output, unemployment, inflation, savings and investment) or political factors. Macro risk can also refer to types of economic factors which influence the volatility of investments, assets and portfolios.

b. Transfer risk:

Transfer risk is the risk that a borrower may not be able to secure foreign exchange to service its external obligation. Where a country suffers economic, political or social problems leading to a drain on its foreign currency reserves, the borrowers in that country may not be able to convert their funds from local currency to foreign currency to repay their external obligations. Hence, banks should be extra careful while lending to countries that have transfer risk problems. The bank’s borrowers from those countries may not be able to repay their obligations owing to non-conversion of currency, which will directly affect the balance sheet of the lending bank.

c. Sovereign risk:

Sovereign risk refers to the risk that a sovereign entity will fail to honour its debt obligations. This risk is increasing because sovereign credit quality has declined on the back of increased public indebtedness arising from long-term structural deficits and fiscal stimulus in response to the global credit crisis. Sovereign risk affects those banks which hold sovereign debt, such as sovereign bonds.

Country Risk Management:

Every bank should have a country risk management program, developed by appropriate senior managers at the bank and duly adopted by the board of directors. The board is also responsible for reviewing country risk on at least an annual basis. Regulators usually look for programs, policies and procedures during examination of the bank. Hence, banks should have, at a minimum, programs, policies and procedures that cover country risk, such as:

  • Bank’s plan for its international investments and operations

  • Products and transactional support that will be offered internationally

  • Criteria for choosing to enter a new country and what due diligence will be conducted to uncover the various risks of doing business in that new country

  • Bank’s methodologies to know bank’s exposure in each country in which it operates

  • Types of legal vehicle through which the bank will operate in a foreign country, such as direct offices, separate subsidiaries, or a joint venture

  • Types of businesses or customers banks target internationally

3.6. Dilution Risk

Dilution risk is the possibility of adverse effects on the bank’s financial result and capital due to the reduced value of purchased corporate and retail receivables as a result of cash or non-cash liabilities. Banks shall calculate the risk-weighted exposure amounts for dilution risk of purchased corporate and retail receivables. Dilution risk is mostly applicable to the securitization processes in which banks are involved. Some of the factors of dilution risk are:

Discounts: Discounts offered to customers for faster repayment can increase dilution rate for banks.

Collection costs: The greater the fees directly paid to collect on banks receivables, the less of receivables balance banks will realize.

Bad debt: Receivables not collected due to the default or other negligence of the customer.

Offsets: A banking vendor not giving enough expected value to the bank.

3.6. Residual Risk

Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made. For example, residual risk is the likelihood of adverse effects on the bank’s financial result and capital because credit risk mitigation techniques are less efficient than anticipated, or because their implementation does not sufficiently reduce the risks to which the bank is exposed. In short, residual risk is something banks might need to live with based on the choices they have made regarding risk mitigation. The best way to deal with residual risks is to identify them in time and transfer them to a third party. There is a slight difference between inherent risks and residual risks: inherent risks have already been accepted by the banks, and only what remains forms the residual risks. In short, residual risks are inherent risks minus the negative impact of the failed risk controls. Apart from transferring the risk, banks can also try to mitigate residual risks by doing the following:

1. Bank identifies that the Residual risk is below the acceptable level.

2. Put in some more controls which can be effective.

3. Keep a tab on risk appetite in the bank.

4. Check the mitigation cost; if it is more than the cost of the residual risk, drop the mitigation.

3.7. Electronic-Payment Risks

Banks face significant risks in the electronic-payment (e-payment) support they give to their customers. E-payment risks come in several forms, such as loss due to a default on a contract, loss due to a payment not being delivered on time, fraud, money laundering, etc. Banks handle a high volume and value of payments online, where blocked payments and especially bulk frauds hamper their reputation. Banks are forced to bring new focus and drive to their payment risk management strategies. Let's see some of the major risks of e-payments below:

1. Money Laundering Risk:

All transactions through the electronic payments channel are done remotely, and banking systems process them straight through without manual intervention. Therefore, it is difficult for banks to detect and prevent criminal activities and the laundering of money. Banks need robust controls on payments, such as questioning the source of funds and keeping audit trails of repeated transactions, transactions below threshold levels, etc., to avoid money laundering.

2. Fraud Risk:

Banking systems use protocols such as passwords and security questions to establish the identity of the person authorizing a payment, but these are not foolproof in determining a person’s identity. As long as the password and the answers to the security questions are correct, the banking system puts the payment through; it does not know who is on the other side. If someone gains access to a customer’s password or answers to security questions, they gain access to the customer’s money and can steal it easily. To avoid fraud, banks have begun using multi-factor authentication or a multi-layered security structure. Some banks are moving towards face recognition technology and biometric or fingerprint authentication to prevent fraud.

3. Cross-border Risks:

The core idea of e-payments is to extend the geographical reach of customers, which leads to several cross-border risks, such as payments going to sensitive countries (such as a sanctioned country), to tax havens, and to third parties who are not known customers of the bank, leading to legal and regulatory risks. With banks rapidly outsourcing their activities, the operational risk of a service provider (especially one located in a different country) also exists. E-payments also indirectly encourage credit risk through cross-border transactions, as banks play intermediary roles in facilitating payments. Hence, to avoid all these, banks should have strong filter mechanisms built into their electronic systems at payment initiation. Nowadays, banks are encouraging customers to fill in forms electronically before the payment is executed to avoid any cross-border risks.

4. Tax Evasion:

Businesses should declare their financial transactions and provide paper records of them so that tax compliance can be verified. However, electronic systems allow payments straight through without anyone examining the supporting documents for a transaction. This encourages tax evaders to use electronic systems for payments more and more. Even the transaction monitoring processes in banks are not so thorough that they can catch such evaders. Hence, it is becoming difficult for revenue services across countries to collect the appropriate tax. To avoid this, some countries have woken up and are encouraging digital buying and selling so that all transactions and related taxes are known. On the banking side, the role at present is restricted to reporting suspicion; technological advances may bring some changes in the future.

5. Legal Risk:

Whenever there is a violation of laws, regulations, or prescribed practices, or when the legal rights and obligations of any of the parties to a transaction are not established, there is legal risk involved. Electronic payment is relatively new, especially in developing countries; hence, there is a lot of uncertainty and ambiguity about certain laws and rules in other jurisdictions, which increases the legal risk. Every bank should have SOPs developed that include special treatments (if any) for countries with stringent laws. Banks are also required to be careful from the onboarding of the client until the complete details of customer transactions are known.
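The two money-laundering controls named under item 1 above (audit trails of repeated transactions, and transactions below threshold levels) can be combined into one monitoring rule, often called a structuring check. The following is an added example, not part of the original text; the reporting threshold, the "just below" band, the seven-day window and all sample payments are assumed values constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed policy values, for illustration only.
REPORTING_THRESHOLD = Decimal("1000000")  # payments at or above this are reported anyway
NEAR_BAND = Decimal("0.10")               # "just below" = within 10% under the threshold
WINDOW = timedelta(days=7)                # look-back period for repeated payments
MIN_REPEATS = 3                           # near-threshold payments needed to alert


@dataclass(frozen=True)
class Payment:
    txn_id: str
    account: str
    amount: Decimal
    when: datetime


def is_near_threshold(amount):
    """True when a payment sits just under the reporting threshold."""
    return REPORTING_THRESHOLD * (1 - NEAR_BAND) <= amount < REPORTING_THRESHOLD


def find_structuring(payments):
    """Flag accounts whose sub-threshold payments, within any WINDOW, either
    repeat just under the threshold or add up to the threshold or more."""
    by_account = defaultdict(list)
    for p in payments:
        if p.amount < REPORTING_THRESHOLD:
            by_account[p.account].append(p)

    alerts = []
    for account in sorted(by_account):
        txns = sorted(by_account[account], key=lambda p: p.when)
        reasons, trail, max_total = set(), [], Decimal("0")
        start, total = 0, Decimal("0")
        for end, p in enumerate(txns):
            total += p.amount
            while p.when - txns[start].when > WINDOW:  # drop payments that aged out
                total -= txns[start].amount
                start += 1
            window = txns[start:end + 1]
            hits = set()
            if sum(is_near_threshold(t.amount) for t in window) >= MIN_REPEATS:
                hits.add("repeated_near_threshold")
            if len(window) > 1 and total >= REPORTING_THRESHOLD:
                hits.add("aggregate_reaches_threshold")
            if hits:
                reasons |= hits
                max_total = max(max_total, total)
                # The audit trail lists every payment that was in a flagged window.
                trail += [t.txn_id for t in window if t.txn_id not in trail]
        if reasons:
            alerts.append({"account": account, "reasons": sorted(reasons),
                           "max_window_total": max_total, "audit_trail": trail})
    return alerts


def sample_payments():
    """Constructed sample data; accounts, ids and amounts are invented."""
    base = datetime(2024, 3, 1, 10, 0)
    rows = [
        ("T1", "ACC-A", "950000", 1), ("T2", "ACC-A", "990000", 2),
        ("T3", "ACC-A", "920000", 4),    # three payments just under the line
        ("T4", "ACC-B", "400000", 1), ("T5", "ACC-B", "350000", 3),
        ("T6", "ACC-B", "300000", 5),    # small payments, 1,050,000 in five days
        ("T7", "ACC-C", "950000", 1), ("T8", "ACC-C", "40000", 20),  # far apart
        ("T9", "ACC-D", "2500000", 2),   # above the threshold: reported anyway
    ]
    return [Payment(t, a, Decimal(amt), base + timedelta(days=day - 1))
            for t, a, amt, day in rows]


if __name__ == "__main__":
    for alert in find_structuring(sample_payments()):
        print(alert)
```

An alert is a prompt for review of the listed audit trail, not a finding; the window and band need tuning against the bank's own payment patterns to keep false positives manageable.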

3.9. Operational Risks

The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, is called operational risk. Errors in data entry, miscommunication, missed deadlines, accounting errors, inaccurate reports, incorrect client records, negligent loss of client assets and vendor disputes are some common examples of operational risk events for a bank. Operational risk is inherent in all activities, processes and systems, and the effective management of operational risk has always been a fundamental element of a bank’s risk management programme. Strong internal governance, overseen by the senior managers in the bank, forms the foundation of an effective operational risk management framework. The heads of all three lines of defence are equally responsible for operational risk: “The business line management” (responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable), “The Business Risk and Control Management” function, and an independent review by “The audit” (responsible for challenging the bank’s operational risk management controls, processes and systems). That does not mean that analysts and officers have no role; they have major roles in identifying risks and reporting them to the above heads.

3.9.1. Operational Risk-Fundamentals

  • The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

  • Banks should develop, implement and maintain a framework that is fully integrated into the bank’s overall risk management processes. The framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

  • Identify the governance structures used to manage operational risk, including reporting lines and accountabilities

  • Describe the risk assessment tools and how they are used

  • Describe the bank’s accepted operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments

  • Describe the bank’s approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;

  • Establish risk reporting and Management Information Systems (MIS);

  • Provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives

  • Provide for appropriate independent review and assessment of operational risk; and

  • Require the policies to be reviewed whenever a material change in the operational risk profile of the bank occurs, and revised as appropriate.

3.9.2. Types of Operational Risk

The following lists the seven official Basel II event types for operational risk with some examples for each category:

  • Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery.

  • External Fraud – theft of information, hacking damage, third-party theft and forgery.

  • Employment Practices and Workplace Safety – discrimination, workers compensation, employee health and safety.

  • Clients, Products, and Business Practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning.

  • Damage to Physical Assets – natural disasters, terrorism, vandalism.

  • Business Disruption and Systems Failures – utility disruptions, software failures, hardware failures.

  • Execution, Delivery, and Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets.

Detailed explanations of some of the above aspects of operational risk are given below.

3.9.2.1. Types of Operational Risk-Internal Frauds

Internal frauds usually happen in banks through misuse of the authority given to employees. Some examples are given below:

i) Access to Accounts:

Insiders have exclusive access to accounts payable or suspense accounts, which are used to temporarily record items such as loans in process, interdepartmental transfers, or currency in transit. This makes it easier for insiders to move funds between accounts. An employee who has the authority to create an accounts payable record for a vendor, for instance, could also create a fake company in the system and issue payments to that company, or transfer funds to his or her own account by debiting a suspense account. In another example, a personal banker allegedly opened both fictitious accounts and accounts with the names and identifying information of bank customers. The employee used these accounts to funnel money from these general ledger accounts.

ii) Stolen Accounts:

Employees within banks can steal the personal information of customers to create bank accounts or credit accounts, and then transfer funds from the credit account to their personal accounts.

iii) Takeover accounts/Account Theft:

A bank employee may open a deposit account for a customer and later set up online banking on the account without the customer's knowledge. The employee may then make unauthorized withdrawals from the account.

To avoid the above, banks should apply the maker-checker concept to every transaction, and a third eye or quality check should be in place to avoid frauds.

3.9.2.2. Types of Operational Risk-External Frauds

External fraud is the risk of unexpected financial, material or reputational loss as the result of fraudulent action by persons external to the bank. Types of external fraud can vary by business line in a bank. An indicative list is given below:

  • Corporate Finance: Loan Fraud, Client Misrepresentation of Information, Theft

  • Trading and Sales: Cybercrime, Forgery

  • Retail Banking: Cybercrime, Check Fraud, Theft of Information, Theft of Assets

  • Commercial Banking: Fraudulent Transfer of Funds, Credit Product Fraud (loans, letters of credit, guarantees)

  • Payment & Settlement: Payment Fraud

External fraud is mitigated with strong internal controls comprising both systems and processes, supported by the firm's risk culture embedded in employees.

3.9.2.3. Types of Operational Risk-Employee Practices

The best employment practices should be well placed within the bank for the best interest of the bank and its employees to avoid operational risk. Some of the aspects of employment practices are as given below:

  • Regular Communication with employees describing code of conduct

  • Regular Training on AML, frauds, malpractices

  • Raising a Risk Culture

  • Educating staff from time to time about compensation and benefits

  • Explaining ethics and compliance procedures to all employees

  • Easy access to top management for conflict management

The absence of best employment practices will lead to confusion, chaos and miscommunication among the employees of the bank, which may result in operational risk.

3.9.2.4. Types of Operational Risk-Workplace Safety

It is the duty of the bank to ensure the safety of its employees with respect to the working environment, transport, health, safety measures in buildings, etc. Safety in modern banking now includes the psychological safety of employees, i.e. the responsibility to identify workplace hazards such as work-related stress, bullying, aggression and violence that generate psychological symptoms. The absence of workplace safety can lead to operational risk and sometimes even demoralise the employees working in banks.

3.9.2.5. Types of Operational Risk-Damage to Physical Assets

This category covers losses incurred through damage to physical assets caused by natural disasters such as earthquakes or tsunamis, and by events such as terrorism and vandalism by mobs arising from political issues. Unexpected changes in climatic and political conditions have been a constant cause of concern in the banking business world.

Every bank should have a Damage Control department that independently takes charge in case of such calamities or unexpected events, saving as much of the bank’s assets as possible.

3.9.2.6. Types of Operational Risk-Business Disruptions

Hardware failure or slowdown, software enhancements or malfunctions such as data loss, telecommunications problems and utility outages usually lead to operational losses or failures.

Every bank should have a BCP (Business Continuity Planning) department, created exclusively for this purpose, with nominated members who assess the risk, prepare recovery time objectives and identify critical functions and the related backup and recovery plans.

3.9.2.7. Types of Operational Risk-Execution

Failure to execute can lead to operational risk. In this stage a step-wise execution of process is necessary for every department. Each step should be well defined and delay or downtime or shrinkage needs to be calculated in advance to avoid operational risk.

Below are some of the challenges processes face during the execution stage.

a. Execution while creation:

When a process is at its beginning stage, it awaits information from either external or internal sources. If execution at this stage has too many embedded and related dependencies, it may lead to more lead time or waiting time for the resources, and so to an inability to meet process deadlines. Hence, every bank should ensure that the beginning of each process has minimal dependencies. If dependencies are unavoidable, ensure that the data required for the beginning of the process reaches the first assembly line of the process well before the creation stage (a minimum buffer of 1 hour is recommended). A just-in-time approach may fail at the beginning/creation stage.

b. Execution in the assembly line:

In a process assembly line, only one process can be executed at a time, and all other "concurrently executing" processes will be waiting for execution. Processes kept in a queue awaiting processing may lead to operational risk. Hence, every bank needs a back-up plan for waiting resources, and cross-training plans should be in place to avoid congestion in the process.

c. Execution at the end stage:

Processes reaching the end stage require the utmost focus from every bank. The absence of a final “Quality Check” or of maker-checker (also called the 4-eye concept) may lead to operational risk. Some banks proactively use their supervisors to do sample quality checking (also called the 6-eye concept) to enable smooth delivery of the process, and it helps supervisors to understand loopholes in the process.
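The maker-checker (4-eye) control recommended above, both for internal fraud and for end-stage execution, together with the supervisor's sample check (6-eye), is more reliable when the payment system enforces it than when it rests on procedure alone. The following is an added example, not part of the original text; the staff names, roles, account labels and function names are hypothetical and constructed for illustration.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass, field

# Hypothetical staff and roles, constructed for this example.
ROLES = {"asha": {"maker"}, "ravi": {"checker"}, "meena": {"maker", "checker"}}


class ControlViolation(Exception):
    """A step that would bypass the maker-checker control."""


def seal(instruction):
    """Hash the instruction exactly as the maker submitted it."""
    canonical = json.dumps(instruction, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class PaymentRequest:
    instruction: dict
    maker: str
    sealed: str
    state: str = "PENDING"
    checker: str = ""
    history: list = field(default_factory=list)


def create(maker, instruction):
    if "maker" not in ROLES.get(maker, set()):
        raise ControlViolation(f"{maker} is not authorised to create payments")
    req = PaymentRequest(dict(instruction), maker, seal(instruction))
    req.history.append(("created", maker))
    return req


def approve(req, checker):
    if req.state != "PENDING":
        raise ControlViolation(f"request is {req.state}, not PENDING")
    if "checker" not in ROLES.get(checker, set()):
        raise ControlViolation(f"{checker} is not authorised to approve")
    if checker == req.maker:  # holding both roles does not allow self-approval
        raise ControlViolation("maker cannot approve their own request")
    if seal(req.instruction) != req.sealed:
        raise ControlViolation("instruction changed after the maker submitted it")
    req.state, req.checker = "APPROVED", checker
    req.history.append(("approved", checker))


def execute(req):
    if req.state != "APPROVED":
        raise ControlViolation(f"request is {req.state}, not APPROVED")
    if seal(req.instruction) != req.sealed:
        raise ControlViolation("instruction changed after approval")
    req.state = "EXECUTED"
    req.history.append(("executed", "system"))


def supervisor_sample(requests, rate, rng=None):
    """Pick executed requests for the supervisor's quality check (6-eye).
    An unpredictable source keeps staff from knowing which items are sampled."""
    rng = rng or secrets.SystemRandom()
    return [r for r in requests if r.state == "EXECUTED" and rng.random() < rate]


def demo():
    """Run constructed scenarios and return what the control decided."""
    outcomes = {}
    instr = {"debit": "SUSPENSE-001", "credit": "VENDOR-77", "amount": "125000.00"}

    def attempt(label, action, *args):
        try:
            action(*args)
            outcomes[label] = "allowed"
        except ControlViolation as exc:
            outcomes[label] = f"blocked: {exc}"

    own = create("meena", instr)
    attempt("self_approval", approve, own, "meena")
    tampered = create("asha", instr)
    tampered.instruction["credit"] = "PERSONAL-ACCT"  # altered after submission
    attempt("tampered_after_submit", approve, tampered, "ravi")
    good = create("asha", instr)
    attempt("unapproved_execute", execute, good)
    attempt("independent_approval", approve, good, "ravi")
    attempt("approved_execute", execute, good)
    attempt("replay_execute", execute, good)
    outcomes["history"] = good.history
    outcomes["sampled_all"] = len(supervisor_sample([good, tampered], 1.0))
    outcomes["sampled_none"] = len(supervisor_sample([good], 0.0))
    return outcomes


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```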

3.9.2.8. Types of Operational Risk-Delivery

Banks are experiencing unprecedented pressure to deliver processes/products/projects on time for a better client experience. However, factors such as a high-demand environment, increasing congestion, reduced work periods, workforce issues, management pressure and severe revenue pressures may block effective delivery management, leading to operational risks. Banks are seeking ways to deliver processes/products/projects in the most efficient and expeditious manner possible. Two known types of delivery management are:

  • On time delivery to process

  • On time delivery to client

A. On time delivery to process:

Every process in the bank needs to be evaluated on the criteria below for better delivery to process.

  • Process size

  • Work complexity

  • Metrics systems

1. Process Size:

Not every process in the bank is alike, and each requires different delivery treatment according to its size. The meaning of process size is simple: the number of steps involved in the process from start to end. Identifying the apt number of resources, building up process steps, putting controls in place for execution and analysing delivery risk are some of the controls that banks should have in place for good delivery management. Delivery management becomes more effective if teams do not work in silos and have a combination of the traits below, especially if the process size is huge:

  • The team resources working for the process are composed of interconnected team members and communicate well among themselves.

  • Roles and responsibilities must be clearly understood by the resources and there should be centralized controlling management in place with effective measurement/metrics tools in place.

  • Successful hand offs from one division or discipline to another and from one work phase to another.

  • Accountability program should be in place for supervisors managing the process.

  • Continuous training of resources should be in place, with the curriculum shared with resources as new developments, upgrades or updates occur in the process.

  • Consultants or internal SMEs may be used to streamline the process, identify the non-value-added items in it and eliminate them.

2. Work Complexity:

Work complexity is defined by the below factors:

  • Number of activities in a process

  • Number of controls in a process

  • Number of decisions to be made in a process

  • Number of people involved in the process

  • Number of organizations/departments involved in the process

  • The number of IT systems or IT services required to fulfil the process

  • Level of uncertainty and potential change in any of the process activities

No single factor mentioned above can define a piece of work as complex. A combination of a few or all of the above factors makes work complex. How complexity is defined varies from bank to bank.

Work complexity requires strong process controls and time-and-motion analysis for each of the major steps in the process. Delivery time will be affected if and only if stepwise analysis and gap analysis are not in place at the bank. Usually, complex processes require strong lean management programs. A key idea in Lean is that there are two different types of efficiency to be gained, namely “Resource Efficiency” and “Flow Efficiency”. Resource efficiency can be developed as time passes by sharing best practices, analysing errors and training continuously on updates received. Improving flow efficiency, however, is a time-consuming process and requires going through process flow diagrams, followed by identifying non-value-added work, cutting steps and streamlining in a way that encourages straight-through processing.

3. Metrics System:

The goal of tracking and analysing process metrics is to determine the quality of the current process. On a more granular level, process development managers are trying to reach the below goals through continuous metrics analysis:

  • Increase return on investment (ROI) for the bank

  • Identify areas of improvement

  • Manage workloads

  • Reduce overtime and

  • Reduce costs

These goals can be achieved by providing information and clarity throughout the organization about complex processes. Metrics are an important component of quality assurance, management awareness, measure of performance and estimating costs.

The absence of metrics directly affects the delivery of the process/product/project, as managers will not be able to identify, prioritize, track and communicate issues to foster better team productivity/delivery. Metrics enable effective management and allow problems within process development to be assessed and prioritized. The sooner managers can detect process problems, the easier and less expensive the troubleshooting. Process managers can use process metrics to communicate the status of process development projects, pinpoint and address issues, and monitor, improve and better manage their workflow. Process metrics offer an assessment of the impact of decisions made during process development phases. This helps managers assess and prioritize objectives and performance goals.

B. On time delivery to client:

Banking customers have become choosy; they like to compare products and how quickly those products are delivered. No banking customer wants to stand in a queue to deposit money; customers want a simple procedure for getting loans at the time they most need them; they want to see all their consolidated statements on a single page; they want banking at their doorstep, free of cost; they want to repatriate money in foreign countries without the bank's intervention (such as filling in forms and getting them executed); and so on. Each of these expectations can be met only if banks correct their delivery channels and delivery management. Only those banks that are first to deliver on customer expectations will be successful. Banks need to understand that they must invest heavily in data analytics, new software and new innovations to understand delivery management better, and that listening to customers’ experience will give them both data and ideas for improvement. The next generation of banking depends on speedy delivery. Any delay in delivery will directly affect operational losses and lead to operational risk. Hence, banks have no choice but to automate most of their manual processes. Two simple steps in delivery management that help avoid operational losses are given below:

1) Be available even before the customer asks: Availability and accountability are two simple traits that customers expect from the banking industry. A customer should not be given cause to inquire about the status of anything due to him/her; rather, delivery of services or products should be so smooth that the customer is made aware of every step in delivery, is informed about the status in advance, and is aware of delays, time lags and the reasons for those lags.

2) Superior Services: Banking customers expect instant delivery solutions from the bank. They expect superior services, for example alternatives that a customer can use before the original service is delivered. E.g., can a debit card/credit card be embedded in a phone for instant access, rather than waiting for the card and its PIN to be delivered separately?

3.10. Legal Risk

Basel II classified legal risk as a subset of operational risk in 2003. Legal risk is the risk of loss to a bank which is primarily caused by:

a) A defective transaction; or

b) A claim (including a defence to a claim or a counterclaim) being made or some other event occurring which results in a liability for the institution or other loss (for example, as a result of the termination of a contract); or

c) Failing to take appropriate measures to protect assets (for example, intellectual property) owned by the institution; or

d) Change in Law.

In simple language, legal risk is the risk of financial or reputational loss that can result from lack of awareness or misunderstanding of, ambiguity in, or reckless indifference to, the way law and regulation apply to the banking business, its relationships, processes, products and services.

Legal risk management can be broken down into identification, assessment, monitoring and control/mitigation. For any of these functions to be effective, it is important that legal risk, as part of a firm-wide definition of operational risk, is appropriately defined. Some banks, for example, may feel that certain kinds of legal risk are so unlikely to affect them that they feel it appropriate to discount them in their risk management procedures.

This ultimately must be a matter of judgment for the management of the bank.

3.10.1. Identification of Legal Risk

Identification of legal risks is a by-product of how banks define legal risks. Legal risk identification is an issue spotting exercise. The objective is to compile a broad list of risks. There are three steps to identify legal risks:

1. Sources of legal risk: The primary sources of legal risk are as given below:

A. Legal and governance structure: Whether the bank has set the correct tone and foundation for processes around taxation, liability and required documentation, and how management and operational decisions can affect legality. Senior management needs to understand the pros and cons of each legal structure, and needs to adopt strong corporate governance that promotes ethical business practices throughout the entire bank. Once a legal and governance structure has been defined, it is important to identify the bank's risks, such as fraud or unethical business practices, and implement controls, like audits and awareness programs, to manage these risks.

B. Assets: Senior management in banks needs to understand the risk to assets. The value of both tangible assets, like buildings, and intangible assets, like human capital and intellectual property, needs to be protected. To protect the rights and obligations related to the legal assets owned by a business, senior management requires a clear picture of all the company’s assets so that it can identify and manage risk and avoid negative results.

C. Contracts: Contract risk is often defined as the possibility of financial loss either due to a buyer defaulting on the contract or a failure by the bank to adequately manage the contractual benefits or obligations. However, when looking at contract risk it is equally important to look at the contract management process to fully understand the bank's risk exposure. Poor contract processes, such as manual mistakes, non-compliant terms and/or an inability to close a contract on time, can put a bank at risk.

D. Disputes: Legal disputes include any dispute in which a legal claim is made, including employee misconduct, accidents, product liability, etc. Senior management is responsible for limiting the risk of disputes. Even if disputes do not end in litigation, they can damage business relationships and reputations and cost the bank valuable time and resources. To reduce the risk of disputes and litigation, senior management can take proactive steps like using risk transfer agreements, ensuring compliance, maintaining accurate records and using legal management software that can flag potential dispute risks.

E. Regulatory: Regulatory risk is the risk of having the bank's license to operate withdrawn by a regulator, or of having conditions applied that adversely impact the economic value of the bank. Banks are always subject to regulations from government institutions, commissions and/or agencies. It is important to understand the specific regulations that apply to the bank's activities and the related rules, such as specifications, policies, standards or laws, that the bank must follow to avoid penalties and/or litigation. It is also important to know when changes are made so that the bank is not at risk of non-compliance. Proactive regulatory risk management requires implementing specific policies, procedures and protocols to ensure that the bank is in compliance well in advance of regulatory changes.

2. Recognize potential vs. actual risks:

The concept of legal risk is generally understood to refer to the combination of the probability and magnitude of some future harm. According to this understanding, risks are considered "high" or "low" depending on whether they are more (or less) likely to occur, and whether the harm is more (or less) serious. Uncertainties with legal consequences can arise from “hazards” (biological, such as an unsafe workplace that encourages viruses and bacteria to germinate; chemical, such as an office located near industrial areas that release toxic gases; and ergonomic, such as improper set-up of workstations, loose wiring, etc.), “events” (such as employees engaged in political agitations), “situations” (such as entering an international market with the wrong combination of products without understanding local regulations), and “scenarios” (such as counterparties suing the bank).

3. Record risks in a risk register:

Every bank is required to maintain a risk register with a separate categorization for events that may lead to legal risk, together with action plans/mitigation factors.

3.10.2. Analysis of Legal Risk

Legal risk management is a strategy that applies throughout the bank. It is one of the key factors that can affect a bank's decisions, and overall business planning has to factor in legal risk. Legal risk analysis is about understanding the risks in the risk register. Analysis of legal risk begins with an assessment of controls. Once you have gauged the effectiveness of risk controls, analyse the likelihood and consequences of each risk. The likelihood of a legal risk is the combination of the chance of discovery (will a claimant or regulator identify the problem) and the chance of an adverse decision. Similarly, consequences are the product of damages (usually in financial terms) and frequency (the number of incidents).

Banks need to meet certain minimum standards in order to sell their services (quality assurance) or their products (quality control). From a legal perspective, quality assurance and quality control are also great methods for preventing breach of contract (by meeting quality standards or specifications) and for avoiding negligence, especially professional malpractice (by making sure professionals are, and remain, qualified).

Compliance planning has become a legal necessity for all banks. It is all about making sure that the bank complies with state and federal law, particularly the regulations of agencies that license, certify, or otherwise have the authority to seriously affect the bank. Aspects of compliance planning are similar to enterprise risk management, but the two are different. Compliance planning is strictly about developing a plan to ensure the bank complies with the law on particular issues. The steps in analysing legal risks are as given below:

  1. Determining which areas of the business and its activities have major legal impacts.

  2. Focusing this information into identifying where risk exists.

  3. Quantifying or giving weight to the risk.

  4. Making choices based on most to least risky, or whatever method the bank chooses; the risk areas will be quantified, and the drivers or root causes of the legal risk in the various activities will be determined.

3.10.3. Evaluation and Communication of Legal Risk

Evaluating legal risks is quite different from analysing them. To evaluate a legal risk is to prioritize the response to the risk. At the core of risk evaluation is the bank's risk tolerance. Legal risks that are above the tolerance line, that is, intolerable, need risk treatment. The idea behind risk treatment is to modify the risk so that it becomes tolerable. Some risk treatment techniques are given below:

  1. Avoid the risk by not starting or continuing the activity that can create the uncertainty

  2. Remove the source of the risk

  3. Change the likelihood and/or consequence of the risk

  4. Share the risk through contracting or insurance

  5. Bring in legal professionals closer to the operations.

Further, once legal risks are inventoried and analysed in the risk register, it is important to communicate the results to the broader senior management of the bank. Each identified risk should carry both a priority for managing it and the methods for managing it.

3.11. Reputation Risk

Definition by Basel Committee (2001):

Reputation risk is the potential that adverse publicity regarding a bank’s business practices and associations, whether accurate or not, will cause a loss of confidence in the integrity of the institution.

Definition by Basel Committee (2009):

Reputation risk is the risk arising from negative perception on the part of customers, counterparties, shareholders, investors or regulators that can adversely affect a bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding.

3.11.1. Causes of Reputation Risk

The vast majority of reputation risks stem from malfunctioning policies and procedures, compliance, anti-money laundering and fraud prevention measures. Bad sales strategies, services not provided on time and products that do not function as per their prescribed features or have many faults can also damage a bank's reputation. Banks should also be careful about the way their staff behave towards customers and how the bank itself behaves in public. Some of the sources of reputation risk are included below:

  • Product or service faults or shortcomings which also sometimes include wrong advertisement messaging, or perceived negative advertisement by the public.

  • Failure to meet the higher standards of governance imposed by regulators

  • Failure to meet legal or contractual obligations

  • Security breaches, particularly “Information Technology” related

  • Default by a third party upon which the company depends, affecting banking services

  • Dissemination of ‘negative news’ through news and media channels

  • Exposure of staff mistakes or misdeeds in media

  • Detrimental policies, exposure of unethical practices, bad planning or mishandling of a crisis by a bank

  • Failure to achieve promised growth targets or declared strategy milestones.

3.11.2. Managing Reputation Risk

Banks can avoid reputation risk through the strategies below:

  1. Strategic Alignment: Banks have effective board oversight, integrate risk into strategy during business planning and have built-in plans for image and brand building.

  2. Innovation: Banks which differentiate themselves from their competitors through innovative processes and products tend to have recognition and high reputation value.

  3. Quality commitment: Commitment to quality in bank-wide policies, procedures and actions.

  4. Ethics and Integrity: Firms with strong ethical policies are more trustworthy in the eyes of stakeholders.

  5. Crisis response: Banks that respond quickly to difficult situations, assess them in advance and take strong action during a crisis are safe from reputational risk.

  6. Safety: Strong safety policies affirm that the bank has a strong commitment to protecting the health and safety of its employees; such banks are therefore considered value creators.

  7. Cultural alignment: Strong corporate values and culture regarding compliance with laws and regulations supported by appropriate performance incentives.

  8. Resiliency: Business recovery strategies are in place to keep the business running continually.

3.12. Strategic Risk

Strategic risk is the failure of a bank's business plan, meaning a failure to identify or assess uncertainties, arising from internal and external events or scenarios, that could inhibit the bank's ability to achieve its strategy and strategic objectives, with the ultimate goal of creating and protecting shareholder and stakeholder value.

Basel II related definition:

Strategic risk is identified as a potentially significant risk in Pillar II of the Basel II framework, but no definition is provided. In its Pillar II guidelines, the Committee of European Banking Supervisors (CEBS) suggests the following: strategic risk is “the current or prospective risk to earnings and capital arising from changes in the business environment and from adverse business decisions, improper implementation of decisions or lack of responsiveness to changes in the business environment”.

3.12.1. Types of Strategic Risk

1. Strategic Governance Risk:

Governance in a bank determines the allocation of authority and responsibilities by which the business and affairs of a bank are carried out by its board and senior management, including how they:

  • Set the bank’s strategy and objectives

  • Select and oversee personnel

  • Operate the bank’s business on a day-to-day basis;

  • Protect the interests of depositors, meet shareholder obligations, and take into account the interests of other recognised stakeholders;

  • Align corporate culture, corporate activities and behaviour with the expectation that the bank will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations

  • Establish control functions.

The absence of governance leads to strategies failing, as there would be no accountability.

2. Strategic Execution Risk:

Execution of strategy is simply the successful implementation of a strategic plan. Strategy execution risk arises when the bank's strategic ambition is poorly translated downstream, when the bank fails to adapt the strategy appropriately as conditions change, or when its capabilities are not properly put to use.

3. Strategic Change Management Risk:

Change management is a systematic approach to dealing with the transition or transformation of a bank's goals, processes or technologies. Strategic change management should gauge the risk that employees will resist the change, resulting in process disruptions, and mitigate that risk by engaging employees early in the planning process.

4. Strategic Program Risk:

Banks undertake large projects. To keep centralized control over these projects, programs are created. The strategy involves a large-scale program with dozens of projects that have interdependencies. Because of its overall complexity, the program carries a large risk of failures such as cost overruns and schedule misses. The bank reduces the risk by hiring an accomplished program management team.

5. Strategic Competitive Risk:

Strategic competitive risk is the risk that competitive forces will prevent banks from achieving their strategies, either by putting better products or innovations on the market or, together with other forces, by stopping the execution of the banks' strategies. It is often associated with the risk of declining business revenue or margins due to the actions of a competitor.

6. Strategic Regulatory Risk:

Regulatory risk is the risk of a change in regulations and law that might affect the banking business. Such changes can significantly alter the bank's framework and its cost structure. A business plan may be strategically correct; however, anticipated regulatory risks should be part of the strategy, and the business plan should be flexible enough to embed any changes required by new regulations.

7. Strategic Marketing Risk:

Marketing risk is the potential for losses and failures of marketing. This includes risks related to pricing, product development, promotion, distribution, branding, customer experience and sales. As part of its strategy, a bank launching new products should have the risk element noted and tested in a simulated environment prior to launch.

8. Strategic Innovation Risk:

Innovation risk is considered a special category of risk in which a bank expects regular failures as it tries many new things to see what works. Innovation is an approach to change that seeks revolution over improvement. Banks that innovate are able to get ahead of the competition by creating designs, technologies, processes, capabilities and experiences that are an order of magnitude better than the current state of the art. Innovation in itself presents challenges to banks that strategize to gain more market share or to stimulate growth. As senior executives of banks seek to produce innovative products or offer innovative services, they often struggle to find an optimal means of managing innovation risk effectively, because the risks are not known in advance. Hence, strategically, innovation plans should leave room for adjustment in order to accommodate regulatory requirements, client expectations and market changes.

9. Strategic Merger & Acquisition Risk:

Mergers and acquisitions come with inherent risks: differences in technology platforms, culture, marketing, branding, price models and, lastly, strategy. Banks take these risks because they believe the risk/reward ratio is attractive as they seek to dominate the market. Hence, banks should have an integration model in place (such as integration of technology platforms, integration of marketing and branding strategies, integration of price models, etc.) to avoid failure of mergers and acquisitions.

10. Strategic Security Risk:

Strategic security risk is the failure to identify cyber threats, scams and other vulnerabilities, resulting in confidential information of the bank being disclosed to others. A banking security strategy should cover data-driven security, asset identification and a security inventory, threat assessments, vulnerability assessments, security embedded in policies and procedures, physical security assessments and, in some cases, forensic security.

11. Strategic Compliance Risk:

Strategic compliance risk is the risk of breaching contractual arrangements, legal or regulatory norms, sanctions, the bank's internal regulations, AML/KYC laws and local laws. All banks should have a compliance manual in place which is updated from time to time, or at least once every half year, to accommodate the latest developments in compliance-related matters, such as changes in regulations and their effects.

12. Strategic Economic Risk:

Economic risk centres on macroeconomic circumstances and conditions, which include inflation, exchange rates, new government regulations and other decisions that may adversely affect banks’ profits. For the most effective economic risk management strategy, a bank should understand and gauge the variety of economic threats to its business.

13. Strategic Design Risk:

The concept is the first step in producing product designs and is a basis for evaluating, judging, and gauging the design. To avoid strategic design risk, the design strategy should reflect the bank's values, and the design should be new, innovative, easy to use and easily marketable through the existing supply chain.

14. Strategic Procurement Risk:

To avoid procurement risks, a bank's strategy should address the following risks pertaining to its supply chain:

  • Operational risk, arising in the event of a disaster or supply contingencies.

  • Information security risk, attributable to data, physical and network security, and the use of public cloud technologies.

  • Risk arising due to non-performance, third-party frauds and negative brand perception.

  • Geographical risk due to volatile political or economic climates.

  • Regulatory risk, arising due to non-compliance to regulations, such as anti-bribery and anti-corruption laws.

  • Financial risk emanating from financial instability and a lack of creditworthiness of the supplier.

3.12.2. Managing Strategic Risk

Managing strategic risk involves steps which must be integrated within the bank's strategic planning and execution process in order to be effective:

1. Integrating risk and strategy:

Most forward-looking banks are connecting risk more closely with strategy, holding risk discussions together with strategy conversations. Banks have started to understand that every strategy, every strategic choice, carries risk; hence, they tend to scan and monitor strategic risk on an ongoing basis and create regular, high-quality reporting.

2. Integrating risk frameworks while defining business strategy and objectives:

Banks should integrate risk frameworks, ranging from a simple SWOT (Strength, Weakness, Opportunity and Threat) analysis to the creation of a Balanced Scorecard, when planning strategy.

3. Key Performance Indicators:

Banks should establish key performance indicators (KPIs) to measure results of the strategies in place. The best KPIs identify risks that can drive variability in performance.

4. Scenario Planning:

It is one of the methods that can help banks see a set of both risks and opportunities more broadly, to imagine potential futures that might challenge their current strategic assumptions, and to spot potential sources of risk that may not surface in other ways. There have been a number of advances over the last few years in data analytics and the ability to scan, search and analyse huge sets of structured and unstructured data for a variety of risks, both internal and external.

5. Key Risk Indicators:

Establish key risk indicators (KRIs) and tolerance levels for critical risks while executing the strategy. Whereas KPIs measure historical performance, KRIs are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.

3.13. Compliance Risk

The Compliance Risk is defined as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its banking activities (together, “compliance laws, rules and standards”).

II. Sources of Compliance Risk:

  • Compliance Data such as Surveillance Findings

  • Internal audit findings such as SOX testing results

  • External reviews and settlements such as results of examinations done by regulators available publicly having full details of inquiries, investigations and settlements done by the regulators

  • Customer Data such as customer complaints

  • Business Data such as failure of new product launches

  • Regulatory Data such as regulatory changes, areas of regulatory focus, results of scrutiny by regulators available in regulatory sites

3.13.1. Managing Compliance Risk

Every bank should have a compliance-risk management program, which is essential for a sound and vibrant banking system and contains the following elements:

1. Compliance Program: The responsibilities of the compliance function should be carried out under a compliance program that sets out its planned activities, such as the implementation and review of specific policies and procedures, compliance risk assessment, compliance testing, and educating staff on compliance matters. The compliance program should be risk based and subject to oversight by the head of compliance to ensure appropriate coverage across businesses and co-ordination among risk management functions.

2. Integration of Compliance Function with Audit: Compliance risk should be included in the risk assessment methodology of the internal audit function, and an audit programme that covers the adequacy and effectiveness of the bank’s compliance function should be established, including testing of controls commensurate with the perceived level of risk.

3. Active Board and Senior Management Oversight: An effective board and senior management oversight is the cornerstone of an effective compliance risk management process.

4. Training: Effective training on Compliance laws, rules and standards covering matters such as observing proper standards of market conduct, managing conflicts of interest, treating customers fairly, and ensuring the suitability of customer advice should be in place with the bank. The coverage of topics should also include specific areas such as the prevention of money laundering and terrorist financing, and may extend to tax laws that are relevant to the structuring of banking products.

5. Effective Policies and Procedures: Compliance risk management policies and procedures should be clearly defined, aligned to the company’s governance structure, maintained by a dedicated compliance office, and consistent with the nature and complexity of a banking institution’s activities.

6. Cross Jurisdictional Business: Banks that choose to conduct business in a particular jurisdiction should comply with local laws and regulations. For example, banks operating in subsidiary form must satisfy the legal and regulatory requirements of the host jurisdiction. Certain jurisdictions may also have special requirements in the case of foreign bank branches. It is for local businesses to ensure that compliance responsibilities specific to each jurisdiction are carried out by individuals with the appropriate local knowledge and expertise, with oversight from the head of compliance in co-operation with the bank’s other risk management functions.

7. Compliance Risk Analysis and Comprehensive Controls: Banking organizations should use appropriate tools in compliance risk analysis, such as self-assessment, risk maps, process flows, key indicators and audit reports, which enable an effective system of internal controls to be established.

8. Outsourcing: A bank should ensure that any outsourcing arrangements do not impede effective supervision by its supervisors. Regardless of the extent to which specific tasks of the compliance function are outsourced, the board of directors and senior management remain responsible for compliance by the bank with all applicable laws, rules and standards.

9. Compliance Culture: Compliance should be part of the culture of the organization and should not be just the responsibility of specialist compliance staff.

10. Effective Compliance Monitoring and Reporting: Banking organizations should ensure that they have adequate management information systems that provide management with timely reports on compliance like training, effective complaint system and certifications.

11. Testing: Independent testing should be conducted to verify that compliance-risk mitigation activities are in place and functioning as intended throughout the organization.

12. Independent Compliance Function: Regardless of how the compliance function is organized within a bank, it should be independent and sufficiently resourced, its responsibilities should be clearly specified, and its activities should be subject to periodic and independent review by the internal audit function.

13. Compliance Assessment: At least once a year, banks should identify and assess the main compliance risk issues facing the bank and the plans to manage them. Such plans should address any shortfalls in policy, procedures, implementation or execution related to how effectively existing compliance risks have been managed, as well as the need for any additional policies or procedures to deal with new compliance risks identified as a result of the annual compliance risk assessment.

14. Reporting: Banks should have a mechanism for reporting promptly to the board of directors or a committee of the board on any material compliance failures e.g. failures that may attract a significant risk of legal or regulatory sanctions, material financial loss, or loss to reputation.

3.14. Moral Hazard

Moral hazard happens when a bank has the opportunity to take advantage of a situation by taking risks that others will pay for. In those cases, the consequences of risk-taking don’t fall on the risk-taker i.e., bank in this instance, but the benefits do. The situation creates a temptation to ignore the moral implications of a choice; instead of doing right, a bank does what benefits them. The financial crisis of 2007-09 was the result of numerous market inefficiencies, bad practices and a lack of transparency in the banking sector. Banks knowingly participated and encouraged collateralization of questionable assets consequently, putting the banking and financial system on the brink of collapse.

3.14.1. Managing Moral Hazard

Avoiding moral hazard is largely a matter of self-control and maintenance by banks that follow the concept of safe banking. Some aspects of avoiding or managing moral hazard risk are given below:

1. Control over Trading Desks: Trading desks are where traders are allowed to take maximum risk for maximum returns. Traders are often among the highest compensated in the market even though they might lose while trading. Traders who do not work in a controlled environment, meaning one in which their own expectations are matched with the bank’s expectations, often go overboard and fall prey to moral hazard. Hence, banks should have written rules and trading policies and put limits on traders’ trading ability; the audit function should separately review all trade transactions and ask traders appropriate questions about their trading activities; senior management should have oversight of trades through metrics reports and constantly interact with traders based on these metrics; and the risk functions should be integrated into trading processes, identifying risks and having controls in place, and so on.

2. Practice Ethical values:

Bankers are expected to uphold several ethical values to avoid moral hazard risks:

  • Honesty – Be forthright in dealings and offer value and integrity.

  • Responsibility – Accept the consequences of mistakes while being good stewards in services.

  • Treat Customers Fairly – Avoid manipulation in all forms while protecting the information of the customers.

  • Respect – Acknowledge basic human dignity of all the people involved through efforts to communicate, understand and meet needs and appreciate contributions of others.

3. Continual assessment of Risks:

Banks should avoid non-compliance and practices that they know may lead to moral hazard risk. Bankers, especially senior management, must assess risk in every practice that the bank follows. Some of the risks associated with moral hazard, and their mitigating factors, are discussed below:

a. Investment Strategies: Building risky investment strategies with funds that are known for malpractice in the market. If the fund fails, the risk is on the fund and not on the bank. To avoid such moral hazard risk, every bank should have a KYD (know your distributor) process in place and strong policies against building strategies with companies or funds that are inappropriate and unethical.

b. Compliance: A bank’s subsidiary selling structured products in a foreign market to a target audience to whom, under local regulations, these products should not have been marketed. If the practice becomes known to the regulators, the risk is on the subsidiary and not on the bank. To avoid such moral hazards, the bank’s policy should also be embedded in subsidiary policies, and the bank must know local regulations and have a policy in place under which local regulations supersede global regulations for doing business in that local market.

c. Bailouts: Banks are aware that, in case of losses, the government would bail them out. This implicit bailout guarantee does not mean that banks can take risks left, right and centre in the knowledge that they are still safe even though they are eating away customers’ money in risky investments. The transfer of risk here is to the government, which banks should avoid.

4. Transparency:

Moral hazard is caused by information asymmetry, meaning that the bank holds more information than the customer and tries to transfer the risk of its products’ deficiencies to customers, which is unethical.

Hence, transparency is the concept required by banks to create a spirit of openness in the practice of banking through communication, action and disclosure.

5. Policies avoiding Ponzi schemes:

Below are some indications of Ponzi schemes, which banks should avoid both in practice and by embedding strong ethical values in firm-wide policies and procedures:

  • Guaranteeing high profits with very low risk.

  • Placing too many conditions on customers withdrawing money.

  • Banks not telling their customers what they invest in.

  • Ponzi schemes typically reward people with profits when they bring new people into the system or network.

6. Principal agent transparency:

In the terminology of principal-agent theory, transparency is a means by which the 'principal' controls its 'agent'. Every bank should ensure that agents pursue the principal’s policies and do not promote their own interests over the interests of the principal.

3.15. Systemic Risk

Systemic risk, also called contagion risk, is the possibility that an event at the level of a single bank could trigger severe instability or the collapse of an entire banking industry and affect the economy. The banking system is a network of interconnected balance sheets. As a result, an increasingly complex web of daily transactions means that a shock hitting one bank can spread to the other banks that are connected to it and become systemic. Because of settlement and interbank linkages, the failure of a specific bank can threaten wider problems for connected banks that are otherwise sound. Systemic risk can even bring down big banks that are known as “too big to fail”.

3.15.1. Managing Systemic Risk

Banks that are immune to external triggers or shocks and have widespread business across borders with diversified products are safe from systemic risk. Some indicators of immunity against systemic risk are given below:

1. Capital and Liquidity:

Systemic risk affects the capital and liquidity of banks; hence, banks need to ensure that proper buffers are in place, and they will be required to hold a sufficient amount of high-quality liquid assets to withstand at least short-term disruptions.

2. Information across intertwined bodies:

Systemic risks arise mainly from financial panics created in the market. If all the intertwined banks come together, analyse the problem in depth, understand the gravity of the situation and reach a common understanding of how to tackle the crisis, systemic risk can be averted to a great extent. Banks should also take responsibility for managing the crisis with their counterparts, such as broker-dealers, prime brokers, insurance agents and so on.

3. Disclosure:

Banks should properly disclose the risks related to their offers and keep them transparent to all market players, reducing asymmetry of information and thus eliminating ambiguities.

4. Imposing Exposure Limits:

Imposing tighter limits on interbank exposures to avoid the contagion effect, including clear definitions of permissible exposure in bank policies, creating business models that take exposure limits into account, diversifying business where analysis points towards exposure to a group or to a single counterparty (or counterparties), etc., can help banks manage systemic risk.

5. Uniform Policies across bank:

“Too big to fail” banks have failed due to a lack of internal controls in their branches and subsidiaries, especially those which were merged or acquired. Global policies should be rolled out and should be common to all branches and subsidiaries. Strong penalties should be imposed for any violations.

3.16. AML/CFT Risk

AML/CFT risk is the risk banks face when individuals who are involved in money laundering or terrorist financing are their customers. To combat this risk, banks must have a robust AML/CFT program and advanced technology that can support the bank’s AML/CFT compliance function to better identify, measure, monitor, control, and report on Money Laundering/Financing of Terrorism (ML/FT) risks. A strong risk management framework sets the foundation for establishing a robust AML/CFT program. Regardless of size and complexity, a bank must have effective risk management programs appropriately designed for the banking organization’s products, services, customers and overall risk profile. Adequate risk management frameworks can vary considerably in sophistication based on the bank’s business strategy, markets, and risk profile but are ultimately judged by their effectiveness in managing risk across all of a bank’s operations.

3.16.1. Managing AML/CFT Risk

  1. All banks should be required to have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the banking sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.

  2. Sound risk management requires the identification and analysis of ML/FT risks present within the bank and the design and effective implementation of policies and procedures that are commensurate with the identified risks. In conducting a comprehensive risk assessment to evaluate ML/FT risks, a bank should consider all the relevant inherent and residual risk factors at the country, sectoral, bank and business relationship level, among others, in order to determine its risk profile and the appropriate level of mitigation to be applied.

  3. A bank should develop a thorough understanding of the inherent ML/FT risks present in its customer base, products, delivery channels and services offered (including products under development or to be launched) and the jurisdictions within which it or its customers do business.

  4. The board of directors should have a clear understanding of ML/FT risks. Information about ML/FT risk assessment should be communicated to the board in a timely, complete, understandable and accurate manner so that it is equipped to make informed decisions.

  5. As a general rule and in the context of AML/CFT, the business units (e.g. front office, customer-facing activity) are the first line of defence in charge of identifying, assessing and controlling the risks of their business. They should know and carry out the policies and procedures and be allotted sufficient resources to do this effectively. The second line of defence includes the chief officer in charge of AML/CFT, the compliance function but also human resources or technology. The third line of defence is ensured by the internal audit function.

  6. A bank should have adequate policies and processes for screening prospective and existing staff to ensure high ethical and professional standards. All banks should implement on-going employee training programmes so that bank staff is adequately trained to implement the bank’s AML/CFT policies and procedures.

  7. A bank should have a monitoring system in place that is adequate with respect to its size, its activities and complexity as well as the risks present in the bank. For most banks, especially those which are internationally active, effective monitoring is likely to necessitate the automation of the monitoring process.

  8. The IT monitoring system should enable a bank to determine its own criteria for additional monitoring, filing a suspicious transaction report (STR) or taking other steps in order to minimise the risk.

  9. A bank should develop and implement clear customer acceptance policies and procedures to identify the types of customer that are likely to pose a higher risk of ML and FT pursuant to the bank’s risk assessment.

  10. Where the risks are higher, banks should take enhanced measures to mitigate and manage those risks. Enhanced due diligence may be essential for an individual planning to maintain a large account balance and conduct regular cross-border wire transfers or an individual who is a politically exposed person (PEP).

  11. The identity of customers, beneficial owners, as well as persons acting on their behalf, should be verified by using reliable, independent source documents, data or information.

  12. Banks should oversee the coordination of information-sharing. Subsidiaries and branches should be required to proactively provide the head office with information concerning higher-risk customers and activities relevant to the global AML/CFT standards, and respond to requests for account information from the head office or parent bank in a timely manner.

3.16.1.1. Case Study - Effects of Insufficient AML/KYC Procedures

Denmark’s largest bank was under investigation in the United States, Denmark, Estonia, France and Britain over 200 billion euros ($226 billion) in payments that were found to have flowed through its Estonian branch from Russia, former Soviet states and elsewhere between 2007 and 2015. A confidential EU document, seen by Reuters, showed that Russia’s central bank sent warnings to Estonian and Danish regulators in 2007 and 2013 about suspect transactions at Danske Bank’s Estonian branch, but they were largely ignored. The investigation covers some 15,000 customers with a total of 9.5 million transactions between them.

Until the end of 2015, Danske Bank had a portfolio of foreign customers in Estonia. These were so-called non-residents i.e. customers not residing in or conducting business from Estonia. For a large number of these customers, it was possible during the period from 2007 to 2015 to use Danske Bank’s branch in Estonia for suspicious payments, and according to the investigations led by Bruun & Hjejle, many of them appear to have been suspicious customers. In other words, Danske had a large number of customers that should never have been customers and they made payments that should never have been made.

This took place because the Estonian branch had insufficient focus on compliance with anti-money laundering (AML) rules, the branch operated too independently of the rest of the Group (it had its own IT platform, for example), and there were major deficiencies in the branch’s control systems and monitoring. At the same time, Danske also suspects that employees in Estonia actively participated in suspicious activities or colluded with customers. As of Danske’s own investigation in September 2018, it had examined the 6,200 customers found to have hit the most risk indicators as part of the portfolio investigation. Of these, the vast majority have been reported to the authorities.

Danske overlooked the suspicious activities because it did not focus enough on, and knew too little about, that part of the business and the risk associated with it. Large transaction volumes are not necessarily a problem in themselves if AML procedures are in place. And in that respect, Danske Bank’s management in Copenhagen had the wrong impression that allowance had been made for the large risks associated with the portfolio. Furthermore, the Estonian branch was using its own IT systems, which impeded the Group’s insight into and control of the transactions. The total number of transactions has taken the bank by surprise.

There are indications that one or more employees at the Estonian branch have tried to conceal what was going on or have in some way taken part in suspicious activities. On the basis of the investigation, the bank has found reason to report 42 employees to the Estonian authorities, of whom eight have been reported directly to the police. A number of employees have subsequently been charged by the Estonian police.

Lessons:

  1. The bank's management should ensure that standard rules are applicable to all its branches and subsidiaries.

  2. Employee KYC should be done at least every couple of years.

  3. Every branch should have an independent auditor reporting directly to management.

  4. All branches should use standard systems that are not separate from the parent’s, and SOPs should be revised and updated at least every year.

  5. Indicators given by regulators and central banks should not be ignored, and senior management should thoroughly investigate the reports received.

  6. Non-resident customers need special screening and transaction monitoring rules.


3.17. UBLB (‘Uncertain but Lucrative Business’) Risk

There are several products, such as CDO (Collateralized Debt Obligation), CLO (Collateralized Loan Obligation), RMBS (Residential Mortgage-Backed Securities), ABCP and CMBS (Commercial Mortgage-Backed Securities), which are very lucrative but, if not handled properly, can even lead to recession. The housing bubble was a perfect example of UBLB risk. Let’s try to understand each of these products:

1. CDO (Collateralized Debt Obligation): CDOs are a particular kind of derivative. As its name implies, a derivative is any financial product that derives its value from another underlying asset. CDOs, or collateralized debt obligations, are financial tools that banks use to repackage individual loans (auto loans, credit card debt, and mortgages) and sell them as securities in secondary markets.

2. CLO (Collateralized Loan Obligation): Collateralized loan obligations (CLOs), similar to CDOs, are also derivatives. They are a form of securitization where payments from middle-sized and large business loans are pooled together and passed on to different classes of owners in various tranches.

3. RMBS (Residential Mortgage-Backed Securities): Residential mortgage-backed securities (RMBS) are a debt-based security (similar to a bond), backed by the interest paid on loans for residences.

4. CMBS (Commercial Mortgage-Backed Securities): Commercial mortgage-backed securities (CMBS) are a type of mortgage-backed security backed by commercial mortgages rather than residential real estate.

5. ABCP (Asset-Backed Commercial Paper): Asset-backed commercial paper (ABCP) is a short-term money-market security that is issued by a special purpose vehicle (SPV) or conduit, which is set up by a sponsoring bank.

The recession and the fall of “too big to fail” banks were due to the packaging of subprime loans whose borrowers defaulted because of the housing bubble.

3.17.1. UBLB Case Study

The housing market in the US experienced steady growth from 1995 to 1999. When the stock market crashed in 2000 due to the 'dot-com bubble', there was a shift of dollars away from the stock market into housing. To further fuel the housing bubble, there was plenty of cheap money available for new loans in the wake of the economic recession. The Federal Reserve and banks praised the housing market for helping to create wealth and provide a secured asset that people could borrow money against to help the economy grow.

There was a lot of financial innovation at the time, which included all sorts of new lending types such as 'interest adjustable loans', 'interest-only loans' and 'zero down loans', the types of mortgage loans of the time. As people saw housing prices going up, they were stepping over each other to buy and get in on the action. Some were flipping homes in an effort to take advantage of market conditions.

With the help of investment banks, the lending banks would quickly securitize each loan and pass the risk off to someone else. Rating agencies put AAA ratings on these loans, which made them highly desirable to foreign investors and pension funds. The total amount of derivatives held by the banks exploded and the percentage of cash reserves grew smaller and smaller.

In large areas of California and Florida, there were multiple years of prices going up 20% per year. Some markets like Las Vegas saw the housing market climb up 40% in just one year. In California, over ½ of the new loans were interest only or negative-amortization. From 2003 to 2007 the number of subprime loans had increased a whopping 292% from 332 billion to 1.3 trillion.

The Beginning of the Crash

The housing market peaked sometime in 2006, and early signs of trouble then appeared when some types of subprime loans started to go into default. There was no worry at the time, since never in history had housing prices gone down nationally. Once the credit markets froze in summer 2007, things began to deteriorate rapidly. Subprime credit stopped completely, and interest rates on other types of borrowing, including corporate loans as well as consumer loans, rose dramatically.

Timeline of Events for 2007

February: Freddie Mac announced that they were no longer buying the riskiest subprime.

April: Subprime lender New Century Financial Corporation files for bankruptcy.

June: Bear Stearns announced a loan of 3.2 billion dollars to help bail out one of its funds that invested in collateralized debt obligations (CDOs).

July: The stock market hit a new all-time high over 14,000. On July 31, Bear Stearns liquidates two of its mortgage-backed security hedge funds.

August: A worldwide credit crunch had begun and there were no subprime loans available. Subprime lender American Home Mortgage files for bankruptcy. This marked the start of the housing market crash.

September: The Libor rate rises to its highest level since December of 1998, at 6.8%.

December: The stock market finishes the year at 13,264.

Timeline of Events for 2008

January 11: Bank of America acquired Countrywide Financial for 4.1 billion dollars. Countrywide had a total of 1.5 trillion dollars’ worth of loans.

March 16: Bear Stearns, on the verge of bankruptcy, signs a merger agreement with J.P. Morgan to sell itself for $2 a share, which was a fraction of the current trading price.

May 19: The market had its final day above 13,000, closing at 13,028.

September 6: The Treasury announced a takeover of both Fannie Mae and Freddie Mac that had over 5 trillion dollars in mortgages.

September 14: Bank of America signs a deal to acquire Merrill Lynch.

September 15: Lehman Brothers files for bankruptcy. The Dow drops 400 points, closing at 10,917.

September 17: The Fed lends $85 billion to American International Group (AIG).

September 18: Fed Chairman Ben Bernanke and the Treasury Secretary meet with Congress to propose a $700 billion bailout. Bernanke tells Congress “If we don’t do this, we may not have an economy on Monday.”

September 26: Federal regulators seize Washington Mutual and then strike a deal to sell most of it to J.P. Morgan for 1.9 billion dollars. This represents the largest bank failure in U.S. history.

September 29: Congress votes down the $700 billion bailout plan. That same day Citigroup acquires Wachovia.

October 1: The Senate passes the $700 billion bailout bill.

October 3: The House passes the $700 billion bailout plan and the president signs it into law.

October 6: The Fed announces that it will provide $900 billion in short-term loans to banks. The Dow closes below 10,000.

October 7: The Fed announced that it will lend around 1.3 trillion dollars directly to companies outside the banking sector.

October 10: The Dow closes at 8451; the stock market has had its worst week ever losing 22% over the past 8 trading days or 8.4 trillion dollars from the market highs in 2007.

October 14: The Treasury taps $250 billion of the bailout fund and uses the money to shore up the nation’s top banks.

December 31: There were over 3 million foreclosures by this year. Florida, Arizona and California had rates of 4%, with Nevada at 7.3%.

The aftermath:

Even though the financial crisis was resolved by the start of 2009, the housing market continued to decline throughout 2009. There were over 3 million foreclosure filings for 2009. Unemployment rose to over 10% and the housing market crash created the worst recession since the early 1980s. By the 4th quarter of 2009, the U.S. had experienced significant GDP growth and corporate earnings had increased by over 100%. The unemployment rate had stabilized towards the end of 2009, and the rest is history.

3.18. Mergers and Acquisitions Risk

Mergers and acquisitions of banks are not risk-free. Amidst the complex paperwork, deals and logistics that come with all mergers and acquisitions (M&A), it’s easy to forget the chief reasons for M&A. Furthermore, it’s just as easy to forget the dangers that bank mergers or acquisitions pose to the parties involved. Below, we explore some of the risks of an M&A event.

  1. Cultural Differences: Plenty of prospective bank mergers and acquisitions only look at the two banks on paper without taking their people or culture into account. Failure to assess cultural fit is one reason why many bank mergers ultimately fail.

  2. Banking Platform Mergers: Execution risk is another major danger in bank mergers. In some cases, banking executives don’t commit enough time and resources to bringing the two banking platforms together, and the resulting impact on their customers causes the newly merged bank to fail completely.

  3. Customer Impact and Perception: Once an acquisition is fully underway, most banks do not consider the impact on customers at every stage. Anything from changing technology platforms to financial products could impact the acquired bank's customers negatively if attention is not paid.

  4. Risk and Compliance Policy Differences: The risk and compliance culture of each bank is different. Every bank handles compliance functions differently; hence, it’s important that the two merging banks agree on their approach moving forward. When two mismatched risk cultures clash during a bank merger and the banks haven’t come to a working solution, it negatively affects the profitability of the business down the road.