Basics of Risk
1. Introduction to Risks in Banks
Banking risk is inherent in all banking products, activities, processes and systems, and the effective management of risks has always been a fundamental element of a bank’s risk management program. Banking risk impacts the stakeholders, lenders, employees, government, creditors, customers and even society at large. The typical risks for banking activities consist of the following: credit risk, meaning the risk of losses that result from the inability of the bank's clients or other stakeholders to meet their financial commitments; market risk, generated by trading activities (interest rates, foreign exchange, loss of value of financial instruments, etc.); operational risk, which refers to the risk of losses or sanctions due to procedural failures, human error or external events; liquidity risk, the risk that the bank cannot meet its cash flow obligations when they are due. As a result, sound risk management is a reflection of the effectiveness of the board and senior management in administering its portfolio of products, activities, processes, and systems. Risk management generally encompasses the process of identifying risks to the bank, measuring exposures to those risks (where possible), ensuring that an effective capital planning and monitoring program is in place, monitoring risk exposures and corresponding capital needs on an ongoing basis, taking steps to control or mitigate risk exposures, and reporting to senior management and the board on the bank’s risk exposures and capital positions. Bank risk managers across the globe struggle to manage these challenges and overcome their impact. To overcome risks, internal controls are typically embedded in a bank’s day-to-day business and are designed to ensure, to the extent possible, that bank activities are efficient and effective, information is reliable, timely and complete, and the bank is compliant with applicable laws and regulations.
The banking sector has always been a backbone of the economy; however, failures in financial markets have time and again proved that no bank sector or economy is shielded from developments across the globe. In earlier times, banks had a very limited definition of risk which primarily focused on the risk of misrepresentation in financial statements and operational risk, and therefore, the efforts were also concentrated on managing these risks. However, rapidly changing scenarios in business, society, geography and politics, together with the growing importance of technology, environment and data, mean that many catastrophic risks such as data leakage and privacy risk are now staring banks in the face. Cyber security risk and reputational risk are the latest entrants to the complex web of risks. Further, with very limited tools and resources available to quantify the amount of damage these risks can cause, they have quickly become the topmost agenda of any banking boardroom discussion.
Vulnerability refers to the susceptibility of a bank to a risk event in terms of criteria related to the bank’s preparedness, agility, and adaptability. Vulnerability is related to impact and likelihood. The more vulnerable the bank is to the risk, the higher the impact will be should the event occur. If risk responses, including controls, are not in place and operating as designed, then the likelihood of an event increases. Assessing vulnerability allows entities to gauge how well they’re managing risks. Hence, sound internal governance forms the foundation of an effective risk management framework. The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. Banks should develop, implement and maintain a framework that is fully integrated into the bank’s overall risk management processes. The framework for risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.
1.1. Major Risks in Banks
The major risks in banks are:
1. Credit Risk: Credit risk or default risk involves the inability or unwillingness of a customer or counterparty to meet commitments in relation to lending, trading, hedging, settlement and other financial transactions. Measuring the risk through credit rating/scoring, quantifying the risk through estimating expected loan losses, and risk pricing can be some of the mitigations.
2. Market Risk: Market risk arises from adverse changes in market variables, such as interest rate, foreign exchange rate, equity price and commodity price. Banks should have risk measurement systems that capture all material sources of market risk and assess the effects on the bank.
3. Liquidity Risk: The liquidity risk of banks arises from the funding of long-term assets by short-term liabilities, thereby making the liabilities subject to rollover or refinancing risk. A bank has adequate liquidity when sufficient funds can be raised, either by increasing liabilities or converting assets, promptly and at a reasonable cost. It encompasses the potential sale of liquid assets and borrowings from money, capital and forex markets.
4. Preventable Risk: The tolerance level for preventable risks should be zero in a bank. These are usually risks that are known from experience. These risks are usually controllable. In certain cases, preventable risks can be eliminated completely using advanced automations.
5. Strategic Risk: Strategic risks are not undesirable risks in the way preventable risks are. These risks are taken by the bank as they are unavoidable to maintain competitiveness or profitability.
6. Regulatory Risk: Banks face the risk that regulators’ expectations might not be met, and the risk that regulatory releases are missed by the banks (if the banks are not very dynamic). To manage such risks, the responsibility is given to the second line of defense in a bank.
7. Business Risk: Business risk comes into the picture because of reasons such as concentration (meaning an exposure in single groups or investments etc.), fluctuations in interest rates or forex, lack of liquidity, failing new products, failing investments etc. These risks are to be managed by the most experienced senior managers in the bank.
8. Economic and Political Risk: Political risk is commonly faced by all corporations, including banks, due to wrong political decisions, policies or events, or conditions significantly affecting the profitability of a business. Economic risks are risks related to huge differences in demand and supply and other economic consequences. The bank has to have a strong vision and diversified businesses to face such risks.
1.2. Risk Dynamics in Banks
The banking sector has always been a backbone of the economy. However, failures in banks, especially too-big-to-fail banks, have time and again proved that no bank is shielded from developments across the globe. With an increase in global trade, there is an ever-increasing dependence on different interconnected banks for overall sustained growth and hence, newer risks in one economy quickly cascade to the rest of the banking sector economies too.
Risk and its management by banks have always been dynamic and evolving. Long ago, the two key categories of risk perceived as important to management were financial and operational risk. Controls were devised to ensure there was no financial misstatement, along with strict reliance on documented procedures and delegation of authority over key activities to avoid operational failures. Risk management policies were developed more from the point of view of giving shareholders comfort than of any active risk management. Then came an era of regulatory-driven risk management, which basically meant corporates had to comply with a plethora of regulations, failing which hefty penalties were levied besides legal charges which could derail a bank’s growth strategy. This suddenly drew huge attention as no management wanted to cross the line with the regulator.
Compliance departments were set up and manpower deployed to keep a check on any regulatory changes impacting their business and the risks perceived thereof.
Technology adoption is inevitable for any bank to grow; however, if not adopted in a measured way, technology opens the doors to IT and cyber-security risks. On one hand, concepts such as machine learning, the internet of things and artificial intelligence are helping risk managers perform their tasks with efficiency; on the other hand, the growing use of these concepts in the financial sector has opened the doors to frauds.
The world of risks is growing more and more complex and intertwined. Whether it’s a political change in a country, commodity demand supply concerns, or an unpredictable/unfavorable central bank policy, each of these has made the job of risk managers challenging and demanding, and therefore, the response from banks to risk management processes has duly increased.
We now see separate departments being carved out, each responsible for identifying, monitoring and managing risk, investments being made in people, processes and technology, and the elevation of the role of the “Chief Risk Officer (CRO)”. Risk mitigating measures have to be commensurate with the bank’s size, the country in which it operates, its presence around the globe, the strength of its human resources, past trends of unfavorable circumstances, etc.
2. Phases of Risk in Banks
The risk management process in banks can be broken down into the following phases:
• Risk Identification, Analysis and Prioritization
• Risk Assessment, Monitoring and Reporting
• Risk Control and Mitigation
• Business Resiliency and Continuity
2.1. Phases of Risk-Risk Identification
Risk identification is the process of taking stock of the vulnerabilities that a bank may be exposed to and raising awareness of these risks inside the bank. It is the starting point for understanding and managing risk activities. However, many legacy risk identification processes have not fully served risk management needs, particularly those related to firm-specific stress testing and identifying the firm’s largest vulnerabilities. This, in turn, led to critical gaps in risk management. Hence, comprehensive risk management is done in banks through two techniques:
1) Top Bottom Risk Identification and,
2) Bottom Top Risk Identification
2.1.1. Phases of Risk-Risk Identification-Top Bottom
“If a bank is serious about risk management, then it will be serious from the top till bottom.” The top management should be aware of the major risk factors that would hit the business. Top bottom risk identification concerns the awareness of risk among Sr. Managers (CEO, CFO, COO…) in the bank, what steps they are going to take to mitigate such risks, and how they are messaging the bottom lines of their respective LOBs (Lines of Business). For example, the management should be aware if:
• There is a concentration risk, which is the maximum number of exposures that have the potential to produce losses large enough to threaten the ability of the bank to continue operating.
• The management should be in a position to assess several investment risks, such as the possibility that
a) a fixed-rate debt instrument will decline in value as a result of a rise in interest rates
b) the issuer of a stock or a bond may go bankrupt or be unable to pay the interest or principal in the case of bonds
c) a particular bond issuer will not be able to make expected interest rate payments and/or principal repayment
d) the value of an asset or income will be eroded as inflation shrinks the value of a country's currency, and so on.
• Management should take measures to check the interest rate risk, which is the potential for changes in interest rates to reduce a bank's earnings and lower its net worth.
• Management should be cognizant of factors that affect the overall performance of the financial markets.
2.1.2. Phases of Risk-Risk Identification-Bottom Top
Bottom top risk identification is oriented towards the identification of risks at the Line of Business level. As the name suggests, this is a reverse reporting system where Lines of Business identify the risk and report to the Sr. Managers of the bank. Below are the verticals that affect bottom top risk identification.
• Risk Identification at Process Level
• Risk Identification at Department Level
• Risk Identification at Functional Level
• Risk Identification at Business Unit Level
i) Risk Identification at Process Level:
The type and composition of the process vary among banks depending on the banking organization’s facilities, locations, business units and departments. There are factors, though, that may indicate that a process presents an unacceptable level of risk and merits further evaluation. Those factors include a history of errors, volume, system downtime, complexity of the process, frequency of change in process, availability of required skills, number of interfaces and degree of controls incorporated into a process. Let’s now discuss each of the topics as given below:
a) History of Errors:
The first step of error identification is to study the historical error trend. The trend should be built in such a way that it contains details of a) errors which are critical and unaffordable, b) errors which have regulatory impact, c) errors which are repetitive in nature, and d) errors which are silly and caused by oversight.
b) Volume Analysis:
Volume analysis is a major challenge in processes such as payments or call centres in a bank, as these are customer specific. However, historical volume trends are always available in a bank to curtail a hike in volumes. Identification becomes imperative when the volumes cannot be handled. The volume identification process starts with a) trend analysis, b) leveraging business personnel and front office knowledge, c) regular follow-ups between and across lines of business in banks, and d) studying capacity models to perform skill gap analysis.
c) System Downtime:
System downtime cannot be curbed by any bank; however, identifying alternatives to use during system downtime is always feasible, such as:
a) Alternate data entry techniques
b) Opportunity to identify light automations to integrate data such as “.xls” to core banking system.
ii) Risk Identification at Department level:
Departmental level risk identification should, at a minimum, contain the following:
a) Customer Complaints:
Customer in this scenario does not mean the end user unless the department has direct interaction with the end user (customer). Here the customer means the services which are provided to the next level or to the service giver. Any complaints received from their end should form the basis of risk identification.
b) Employee and Stakeholders’ feedback:
All employees and key stakeholders may have some insight into risks that they encounter during business as usual that would otherwise not be considered at all. This feedback helps to identify departmental level risks.
c) Losses at Departmental level:
Breaches of confidentiality or data, loss due to downtimes such as system downtimes, loss due to a pandemic, and loss due to low employee morale, which are usually internal to departments, should be taken into consideration while calculating the department level risks.
d) Business Continuity:
Whether business continuity is available, and whether it is restricted only to work from home or includes other plans such as split operations or operations available overseas, should be analysed during identification of departmental risk.
iii) Risk Identification at Functional Level:
The identification of risks at functional levels at minimum is as given below:
a) Budget and Head Count Projections:
Risks such as whether the allotted budget at functional level has been overshot or underutilized should be measured at least every quarter. Head count management, such as early recruitment (due to long notice periods) of incoming employees, whether there are sufficient reward and recognition programs at functional level, frequent internal job postings, early warning signals from department managers, entertainment budgets for staff and the availability of a separate attrition budget for staff, all form a part of risk identification.
b) Project Procurement and Execution:
Availability of financing of projects, milestones of projects, sufficient staffing for execution, skill matrix levels of staff executing the project all form a part of functional level risk identification.
All the risks of migration of any new project or process such as availability of desks, skillset availability in that location, availability of technology in that location etc., form a part of functional level risk identification.
iv) Risk Identification at Business Unit Level:
Below are the minimum risk identifications at Business Unit Level.
a) Availability of Procedures: This concerns the availability of procedures which are global in nature. Most business units fail because they do not have procedures, or prefer operating on their own even though procedures are available, or do not have global procedures common to every location where the bank, its branches or its back offices are operating.
b) Communication between First, Second and Third Lines of Businesses:
All the lines of defence should be in sync and should have the same understanding of the process at Business Unit Level. Identification of risks starts with any difference of opinion between the three lines of defence.
c) Knowledge Transfer:
Risks such as whether sufficient knowledge transfer is happening between internal departments and external stakeholders form the basis of risk identification at KT level in a Business Unit.