Introduction
This section provides an introduction to the principles of risk management. The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary."[2] In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled. Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity. Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending and minimizes the negative effects of risks.
[edit] Method
For the most part, these methods consist of the following elements, performed, more or less, in the following order.
1. 2. 3. 4. 5. identify, characterize, and assess threats assess the vulnerability of critical assets to specific threats determine the risk (i.e. the expected consequences of specific types of attacks on specific assets) identify ways to reduce those risks prioritize risk reduction measures based on a strategy
[edit] Principles of risk management
The International Organization for Standardization (ISO) identifies the following principles of risk management:[4] Risk management should:
y y y y y y y y y y y
create value be an integral part of organizational processes be part of decision making explicitly address uncertainty and assumptions be systematic and structured be based on the best available information be tailorable take into account human factors be transparent and inclusive be dynamic, iterative and responsive to change be capable of continual improvement and enhancement
[edit] Process
According to the standard ISO 31000 "Risk management -- Principles and guidelines on implementation,"[3] the process of risk management consists of several steps as follows:
[edit] Establishing the context
Establishing the context involves:
1. Identification of risk in a selected domain of interest 2. Planning the remainder of the process. 3. Mapping out the following: o the social scope of risk management o the identity and objectives of stakeholders o the basis upon which risks will be evaluated, constraints. 4. Defining a framework for the activity and an agenda for identification. 5. Developing an analysis of risks involved in the process. 6. Mitigation or Solution of risks using available technological, human and organizational resources. [edit] Identification
After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
y
Source analysis[citation needed] Risk sources may be internal or external to the system that is the target of risk management.
Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
y
Problem analysis[citation needed] Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and
casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties. The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
y y
y
y y
Objectives-based risk identification[citation needed] Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk. Scenario-based risk identification In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk - see Futures Studies for methodology used by Futurists. Taxonomy-based risk identification The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.[5] Common-risk checking In several industries, lists with known risks are available. Each risk in the list can be checked for application to a particular situation.[6] Risk charting[7] This method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk and consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
[edit] Assessment
Once risks have been identified, they must then be assessed as to their potential severity of impact (generally a negative impact, such as damage or loss) and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated decisions in order to properly prioritize the implementation of the risk management plan. Even a short-term positive improvement can have long-term negative impacts. Take the "turnpike" example. A highway is widened to allow more traffic. More traffic capacity leads to greater development in the areas surrounding the improved traffic capacity. Over time, traffic thereby increases to fill available capacity. Turnpikes thereby need to be expanded in a seemingly endless cycles. There are many other engineering examples where expanded capacity
(to do any function) is soon filled by increased demand. Since expansion comes at a cost, the resulting growth could become unsustainable without forecasting and management. The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for intangible assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
Rate (or probability) of occurrence multiplied by the impact of the event equals risk magnitude
[edit] Composite Risk Index
The above formula can also be re-written in terms of a Composite Risk Index, as follows: Composite Risk Index = Impact of Risk event x Probability of Occurrence The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses). However, the 1 to 5 scale can be arbitrary and need not be on a linear scale. The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1 represents a very low probability of the risk event actually occurring while 5 represents a very high probability of occurrence. This axis may be expressed in either mathematical terms (event occurs once a year, once in ten years, once in 100 years etc.) or may be expressed in "plain english" - event has occurred here very often; event has been known to occur here; event has been known to occur in the industry etc.). Again, the 1 to 5 scale can be arbitrary or non-linear depending on decisions by subject-matter experts. The Composite Index thus can take values ranging (typically) from 1 through 25, and this range is usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low, Medium or High, depending on the sub-range containing the calculated value of the Composite Index. For instance, the three sub-ranges could be defined as 1 to 8, 9 to 16 and 17 to 25. Note that the probability of risk occurrence is difficult to estimate, since the past data on frequencies are not readily available, as mentioned above. After all, probability does not imply certainty. Likewise, the impact of the risk is not easy to estimate since it is often difficult to estimate the potential loss in the event of risk occurrence.
Further, both the above factors can change in magnitude depending on the adequacy of risk avoidance and prevention measures taken and due to changes in the external business environment. Hence it is absolutely necessary to periodically re-assess risks and intensify/relax mitigation measures, or as necessary. Changes in procedures, technology, schedules, budgets, market conditions, political environment, or other factors typically require re-assessment of risks.
[edit] Risk Options
Risk mitigation measures are usually formulated according to one or more of the following major risk options, which are: 1. Design a new business process with adequate built-in risk control and containment measures from the start. 2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures. 3. Transfer risks to an external agency (e.g. an insurance company) 4. Avoid risks altogether (e.g. by closing down a particular high-risk business area)
Later research[citation needed] has shown that the financial benefits of risk management are less dependent on the formula used but are more dependent on the frequency and how risk assessment is performed. In business it is imperative to be able to present the findings of risk assessments in financial, market, or schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms.[8] The Courtney formula was accepted as the official risk analysis method for the US governmental agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the expected loss value to the security control implementation costs (cost-benefit analysis).
[edit] Potential risk treatments
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:[9]
y y y y
Avoidance (eliminate, withdraw from or not become involved) Reduction (optimize - mitigate) Sharing (transfer - outsource or insure) Retention (accept and budget)
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another
source, from the US Department of Defense, Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.
[edit] Risk avoidance
This includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the legal liability that comes with it. Another would be not flying in order not to take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
[edit] Hazard Prevention Main article: Hazard prevention
Hazard prevention refers to the prevention of risks in an emergency. The first and most effective stage of hazard prevention is the elimination of hazards. If this takes too long, is too costly, or is otherwise impractical, the second stage is mitigation.
[edit] Risk reduction
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy. Acknowledging that risks can be positive or negative, optimising risks means finding a balance between negative risk and the benefit of the operation or activity; and between risk reduction and effort applied. By an offshore drilling contractor effectively applying HSE Management in its organisation, it can optimise risk to achieve levels of residual risk that are tolerable.[10] Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration. Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or reducing risks.[11] For example, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the business management itself. This way, the company can concentrate more on business development without having to worry as much about the
manufacturing process, managing the development team, or finding a physical location for a call center.
[edit] Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a risk, and the measures to reduce a risk." The term of 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can transfer a risk to a third party through insurance or outsourcing. In practice if the insurance company or contractor go bankrupt or end up in court, the original risk is likely to still revert to the first party. As such in the terminology of practitioners and scholars alike, the purchase of an insurance contract is often described as a "transfer of risk." However, technically speaking, the buyer of the contract generally retains legal responsibility for the losses "transferred", meaning that insurance may be described more accurately as a post-event compensatory mechanism. For example, a personal injuries insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy holder namely the person who has been in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policy holder then some compensation may be payable to the policy holder that is commensurate to the suffering/damage. Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
[edit] Risk retention
Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example since most property and risks are not insured against war, so the loss attributed by war is retained by the insured. Also any amounts of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.
[edit] Create a risk management plan
Select appropriate controls or countermeasures to measure each risk. Risk mitigation needs to be approved by the appropriate level of management. For instance, a risk concerning the image of the organization should have top management decision behind it whereas IT management would have the authority to decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for managing the risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions. According to ISO/IEC 27001, the stage immediately after completion of the risk assessment phase consists of preparing a Risk Treatment Plan, which should document the decisions about how each of the identified risks should be handled. Mitigation of risks often means selection of security controls, which should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the standard have been selected, and why.
[edit] Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks. Purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.
[edit] Review and evaluation of the plan
Initial risk management plans will never be perfect. Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced. Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:
1. to evaluate whether the previously selected security controls are still applicable and effective, and 2. to evaluate the possible risk level changes in the business environment. For example, information risks are a good example of rapidly changing business environment.
[edit] Limitations
If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur but if the risk is unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does in fact occur. Qualitative risk assessment is subjective and lacks consistency. The primary justification for a formal risk assessment process is legal and bureaucratic. Prioritizing the risk management processes too highly could keep an organization from ever completing a project or even getting started. This is especially true if other work is suspended until the risk management process is considered complete.
It is also important to keep in mind the distinction between risk and uncertainty. Risk can be measured by impacts x probability. INTRODUCTION There are several bodies that lay down the principles and guidelines for the process of risk management. The steps involved remain the same more or less. There are small variations involved in the cycle in different kinds of risk. The risks involved, for example, in project management are different in comparison to the risks involved finance. This accounts for certain changes in the entire risk management process. However the ISO has laid down certain steps for the process and it is almost universally applicable to all kinds of risk. The guidelines can be applied throughout the life of any organization and a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. As per ISO 31000 (Risk Management - Principles and Guidelines on Implementation), risk management process consists of the following steps and sub-steps:
Establishing the Context Identification Assessment
1. Establishing the Context: Establishing the context means all the possible risks are identified and the possible ramifications are analyzed thoroughly. Various strategies are discussed and decisions are made for dealing with the risk. The break-up of various activities in this stage is as follows: Identification of a risk in one particular domain. Planning out the entire management process. Mapping the manifestations of the risk, identification of objectives of risk etc. Outlining a framework. Designing an analysis of risks involved at each stage. Deciding upon the risk solution/s. 2. Identification: Once the context has been established successfully, the next step is identification of threats or potential risks. This identification can be at the level of the source or the problem level itself. Source analysis means that the source of risks is analyzed and appropriate mitigation measures are put in place. This risk source could be either internal or external to the system. Examples of the risk source could be employees of the company, operational inefficiency in a certain process etc. Problem analysis on the other hand means the effect rather than the cause of the risk is analyzed. For example a drop in production, threat of losing money etc!
The choice of the method varies across industry, organizational culture and other factors. However some common methods of risk identification are: Taxonomy based Risk Identification: The possible risk sources are broke down, hence taxonomy. A questionnaire is made best on existent knowledge; the answers to the questions are the risk. Objective based Risk Identification: An organization or any business activity has a certain objective/s. Any activity that is deemed an obstacle in the achievement of the same is perceived as risk. Scenario based Risk Identification: Here various scenarios, which may be alternative ways to achieve an objective, are created. If an undesired scenario is created, a threat is perceived with the same. Common Risk Check: There are certain risks that are common to an industry. Each risk is listed and checked on time. 3. Assessment: Once the risks have been identified, they are then assessed on their likelihood of occurrence and the impact. This process can be simple as in case of assessment of tangible risks and difficult like in the assessment of intangible risks. This assessment is more or less a guessing game and the best educated guess decides the success of the plan. The fundamental difficulty in risk assessment is
determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks
The industry practice or formula for arriving upon the risk is:
Risk is inherent in any walk of life in general and in financial sectors in particular. Till recently, due to regulated environment, banks could not afford to take risks. But of late, banks are exposed to same competition and hence are compeled to encounter various types of financial and non-financial risks. Risks and uncertainties form an integral part of banking which by nature entails taking risks. There are three main categories of risks; Credit Risk, Market Risk & Operational Risk. Author has discussed in detail. Main features of these risks as well as some other categories of risks such as Regulatory Risk and Environmental Risk. Various tools and techniques to manage Credit Risk, Market Risk and Operational Risk and its various component, are also discussed in detail. Another has also mentioned relevant points of Basel¶s New Capital Accord¶ and role of capital adequacy, Risk Aggregation & Capital Allocation and Risk Based Supervision (RBS), in managing risks in banking sector. overcome.
II. TYPES OF RISKS
When we use the term ³Risk´, we all mean financial risk or uncertainty of financial loss. If we consider risk in terms of probability of occurrence frequently, we measure risk on a scale, with certainty of occurrence at one end and certainty of non-occurrence at the other end. Risk is the greatest where the probability of occurrence or non-occurrence is equal. As per the Reserve Bank of India guidelines issued in Oct. 1999, there are three major types of risks encountered by the banks and these are Credit Risk, Market Risk & Operational Risk. As we go along the article, we will see what are the components of these three major risks. In August 2001, a discussion paper on move towards Risk Based Supervision was published. Further after eliciting views of banks on the draft guidance note on Credit Risk Management and market risk management, the RBI has issued the final guidelines and advised some of the large PSU banks to implement so as to guage the impact. A discussion paper on Country Risk was also released in May 02. Risk is the potentiality that both the expected and unexpected events may have an adverse impact on the
bank¶s capital or earnings. The expected loss is to be borne by the borrower and hence is taken care of by adequately pricing the products through risk premium and reserves created out of the earnings. It is the amount expected to be lost due to changes in credit quality resulting in default. Where as, the unexpected loss on account of the individual exposure and the whole portfolio in entirely is to be borne by the bank itself and hence is to be taken care of by the capital. Thus, the expected losses are covered by reserves/provisions and the unexpected losses require capital allocation. Hence the need for sufficient Capital Adequacy Ratio is felt. Each type of risks is measured to determine both the expected and unexpected losses using VaR (Value at Risk) or worst-case type analytical model.
III CREDIT RISK
Credit Risk is the potential that a bank borrower/counter party fails to meet the obligations on agreed terms. There is always scope for the borrower to default from his commitments for one or the other reason resulting in crystalisation of credit risk to the bank. These losses could take the form outright default or alternatively, losses from changes in portfolio value arising from actual or perceived deterioration in credit quality that is short of default. Credit risk is inherent to the business of lending funds to the operations linked closely to market risk variables. The objective of credit risk management is to minimize the risk and maximize bank¶s risk adjusted rate of return by assuming and maintaining credit exposure within the acceptable parameters. Credit risk consists of primarily two components, viz Quantity of risk, which is nothing but the outstanding loan balance as on the date of default and the quality of risk, viz, the severity of loss defined by both Probability of Default as reduced by the recoveries that could be made in the event of default. Thus credit risk is a combined outcome of Default Risk and Exposure Risk. The elements of Credit Risk is Portfolio risk comprising Concentration Risk as well as Intrinsic Risk and Transaction Risk comprising migration/down gradation risk as well as Default Risk. At the transaction level, credit ratings are useful measures of evaluating credit risk that is prevalent across the entire organization where treasury and credit functions are handled. Portfolio analysis help in identifying concentration of credit risk, default/migration statistics, recovery data, etc. In general, Default is not an abrupt process to happen suddenly and past experience dictates that, more often than not, borrower¶s credit worthiness and asset quality declines gradually, which is otherwise known as migration.
Default is an extreme event of credit migration. Off balance sheet exposures such as foreign exchange forward cantracks, swaps options etc are classified in to three broad categories such as full Risk, Medium Risk and Low risk and then translated into risk Neighted assets
CHARTERED ACCOUNTANT 842 FEBRUARY 2003
MANAGEMENT
through a conversion factor and summed up. The management of credit risk includes a) measurement through credit rating/ scoring, b) quantification through estimate of expected loan losses, c) Pricing on a scientific basis and d) Controlling through effective Loan Review Mechanism and Portfolio Management.
A) Tools of Credit Risk Management.
The instruments and tools, through which credit risk management is carried out, are detailed below: a) Exposure Ceilings: Prudential Limit is linked to Capital Funds ± say 15% for individual borrower entity, 40% for a group with additional 10% for infrastructure projects undertaken by the group, Threshold limit is fixed at a level lower than Prudential Exposure; Substantial Exposure, which is the sum total of the exposures beyond threshold limit should not exceed 600% to 800% of the Capital Funds of the bank (i.e. six to eight times). b) Review/Renewal: Multi-tier Credit Approving Authority, constitution wise delegation of powers, Higher delegated powers for better-rated customers; discriminatory time schedule for review/renewal, Hurdle rates and Bench marks for fresh exposures and periodicity for renewal based on risk rating, etc are formulated. c) Risk Rating Model: Set up comprehensive risk scoring system on a six to nine point scale. Clearly define rating thresholds and review the ratings periodically preferably at half yearly intervals. Rating migration is to be mapped to estimate the expected loss. d) Risk based scientific pricing: Link loan pricing to expected loss. High-risk category borrowers are to be priced high. Build historical data on default losses. Allocate capital to absorb the unexpected loss. Adopt the RAROC framework. e) Portfolio Management The need for credit portfolio management emanates from the necessity to optimize the benefits associated with diversification and to reduce the potential adverse impact of concentration of exposures to a particular borrower, sector or industry. Stipulate quantitative ceiling on aggregate exposure on specific rating categories, distribution of borrowers in various industry, business group and conduct rapid portfolio reviews. The existing framework
of tracking the non-performing loans around the balance sheet date does not signal the quality of the entire loan book. There should be a proper & regular on-going system for identification of credit weaknesses well in advance. Initiate steps to preserve the desired portfolio quality and integrate portfolio reviews with credit decision-making process. f) Loan Review Mechanism This should be done independent of credit operations. It is also referred as Credit Audit covering review of sanction process, compliance status, review of risk rating, pick up of warning signals and recommendation of corrective action with the objective of improving credit quality. It should target all loans above certain cut-off limit ensuring that at least 30% to 40% of the portfolio is subjected to LRM in a year so as to ensure that all major credit risks embedded in the balance sheet have been tracked. This is done to bring about qualitative improvement in credit administration. Identify loans with credit weakness. Determine adequacy of loan loss provisions. Ensure adherence to lending policies and procedures. The focus of the credit audit needs to be broadened from account level to overall portfolio level. Regular, proper & prompt reporting to Top Management should be ensured. Credit Audit is conducted on site, i.e. at the branch that has appraised the advance and where the main operative limits are made available. However, it is not required to visit borrowers factory/office premises.
B. Risk Rating Model Credit Audit is conduced on site, i.e. at the branch that has appraised the advance and where the main operative limits are made available. However, it is not required to risk borrowers¶ factory/office premises. As observed by RBI, Credit Risk is the major
component of risk management system and this should receive special attention of the Top Management of the bank. The process of credit risk management needs analysis of uncertainty and analysis of the risks inherent in a credit proposal. The predictable risk should be contained through proper strategy and the unpredictable ones have to be faced and overcome. Therefore any lending decision should always be preceded by detailed analysis of risks and the outcome of analysis should be taken as a guide for the credit decision. As there is a significant co-relation between credit ratings and default frequencies, any derivation of probability from such historical data can be relied upon. The model may consist of minimum of six grades for performing and two grades for non-performing assets. The distribution of rating of assets should be such that not more than 30% of the
advances are grouped under one rating. The need for the adoption of the credit risk-rating model is on account of the following aspects. ² Disciplined way of looking at Credit Risk. ² Reasonable estimation of the overall health status of an account captured under Portfolio approach as
CHARTERED ACCOUNTANT FEBRUARY 2003 843
MANAGEMENT
contrasted to stand-alone or asset based credit management. ² Impact of a new loan asset on the portfolio can be assessed. Taking a fresh exposure to the sector in which there already exists sizable exposure may simply increase the portfolio risk although specific unit level risk is negligible/minimal. ² The co-relation or co-variance between different sectors of portfolio measures the inter relationship between assets. The benefits of diversification will be available so long as there is no perfect positive corelation between the assets, otherwise impact on one would affect the other. ² Concentration risks are measured in terms of additional portfolio risk arising on account of increased exposure to a borrower/group or co-related borrowers. ² Need for Relationship Manager to capture, monitor and control the over all exposure to high value customers on real time basis to focus attention on vital few so that trivial many do not take much of valuable time and efforts. ² Instead of passive approach of originating the loan and holding it till maturity, active approach of credit portfolio management is adopted through secuitisation/ credit derivatives. ² Pricing of credit risk on a scientific basis linking the loan price to the risk involved therein. ² Rating can be used for the anticipatory provisioning. Certain level of reasonable over-provisioning as best practice. Given the past experience and assumptions about the future, the credit risk model seeks to determine the present value of a given loan or fixed income security. It also seeks to determine the quantifiable risk that the promised cash flows will not be forthcoming. Thus, credit risk models are intended to aid banks in quantifying, aggregating and managing risk across geographical and product lines. Credit models are used to flag potential problems in the portfolio to facilitate early corrective action. The risk-rating model should capture various types of risks such as Industry/Business Risk, Financial Risk and Management Risk, associated with credit. Industry/Business risk consists of both systematic and
unsystematic risks which are market driven. The systematic risk emanates from General political environment, changes in economic policies, fiscal policies of the government, infrastructural changes etc. The unsystematic risk arises out of internal factors such as machinery breakdown, labour strike, new competitors who are quite specific to the activities in which the borrower is engaged. Assessment of financial risks involves appraisal of the financial strength of a unit based on its performance and finacial indicators like liquidity, profitability, gearing, leverage, coverage, turnover etc. It is necessary to study the movement of these indicators over a period of time as also its comparison with industry averages wherever possible. A study carried out in the western corporate world reveals that 45% of the projects failed to take off simply because the personnel entrusted with the test were found to be highly wanting in qualitatively managing the project. The key ingredient of credit risk is the risk of default that is measured by the probability that default occurs during a given period. Probabilities are estimates of future happenings that are uncertain. We can narrow the margin of uncertainty of a forecast if we have a fair understanding of the nature and level of uncertainty regarding the variable in question and availability of quality information at the time of assessment. The expected loss/unexpected loss methodology forces banks to adopt new Internal Ratings Based approach to credit risk management as proposed in the Capital Accord II. Some of the risk rating methodologies used widely is briefed below: a. Altman¶s Z score Model involves forecasting the probability of a company entering bankruptcy. It separates defaulting borrower from non-defaulting borrower on the basis of certain financial ratios converted into simple index. b. Credit Metrics focuses on estimating the volatility of asset values caused by variation in the quality of assets. The model tracks rating migration which is the probability that a borrower migrates from one risk rating to another risk rating. c. Credit Risk +, a statistical method based on the insurance industry, is for measuring credit risk. The model is based on acturial rates and unexpected losses from defaults. It is based on insurance industry model of event risk. d. KMV, through its Expected Default Frequency (EDF) methodology derives the actual probability of default for each obligor based on functions of capital structure, the volatility of asset returns and the current asset value. It calculates the asset value of a firm from the market value of its equity using an option pricing based approach that recognizes equity as a call option
on the underlying asset of the firm. It tries to estimate the asset value path of the firm over a time horizon. The default risk is the probability of the estimated asset value falling below a pre-specified default point. e. Mckinsey¶s credit portfolio view is a multi factor model
CHARTERED ACCOUNTANT 844 FEBRUARY 2003
MANAGEMENT
which is used to stimulate the distribution of default probabilities, as well as migration probabilities conditioned on the value of macro economic factors like the unemployment rate, GDP growth, forex rates, etc. In to-days parlance, default arises when a scheduled payment obligation is not met within 180 days from the due date and this cut-off period may undergo downward change. Exposure risk is the loss of amount outstanding at the time of default as reduced by the recoverable amount. The loss in case of default is D* X * (I-R) where D is Default percentage, X is the Exposure Value and R is the recovery rate. Credit Risk is measured through Probability of Default (POD) and Loss Given Default (LGD). Bank should estimate the probability of default associated with borrowers in each of the rating grades. How much the bank would lose once such event occurs is what is known as Loss Given Default. This loss is also dependent upon bank¶s exposure to the borrower at the time of default commonly known as Exposure at Default (EaD). The extent of provisioning required could be estimated from the expected Loss Given Default (which is the product of Probability of Default, Loss Given Default & Exposure & Default). That is ELGD is equal to PODX LGD X EaD. Credit Metrics mechanism advocates that the amount of portfolio value should be viewed not just in terms of likelihood of default, but also in terms of credit quality over time of which default is just a specific case. Credit Metrics can be worked out at corporate level, at least on an annual basis to measure risk- migration and resultant deterioration in credit portfolio. The ideal credit risk management system should throw a single number as to how much a bank stands to lose on credit portfolio and therefore how much capital they ought to hold.
IV MARKET RISK
Market Risk may be defined as the possibility of loss to bank caused by the changes in the market variables. It is the risk that the value of on-/off-balance sheet positions will be adversely affected by movements in equity and interest rate markets, currency exchange rates and commodity prices. Market risk is the risk to the bank¶s
earnings and capital due to changes in the market level of interest rates or prices of securities, foreign exchange and equities, as well as the volatilities, of those prices. Market Risk Management provides a comprehensive and dynamic frame work for measuring, monitoring and managing liquidity, interest rate, foreign exchange and equity as well as commodity price risk of a bank that needs to be closely integrated with the bank¶s business strategy. Scenario analysis and stress testing is yet another tool used to assess areas of potential problems in a given portfolio. Identification of future changes in economic conditions like ± economic/industry overturns, market risk events, liquidity conditions etc that could have unfavourable effect on bank¶s portfolio is a condition precedent for carrying out stress testing. As the underlying assumption keep changing from time to time, output of the test should be reviewed periodically as market risk management system should be responsive and sensitive to the happenings in the market.
a) Liquidity Risk:
Bank Deposits generally have a much shorter contractual maturity than loans and liquidity management needs to provide a cushion to cover anticipated deposit withdrawals. Liquidity is the ability to efficiently accommodate deposit as also reduction in liabilities and to fund the loan growth and possible funding of the off-balance sheet claims. The cash flows are placed in different time buckets based on future likely behaviour of assets, liabilities and off-balance sheet items. Liquidity risk consists of Funding Risk, Time Risk & Call Risk. Funding Risk : It is the need to replace net out flows due to unanticipated withdrawal/nonrenewal of deposit Time risk : It is the need to compensate for nonreceipt of expected inflows of funds, i.e. performing assets turning into nonperforming assets. Call risk : It happens on account of crystalisation of contingent liabilities and inability to undertake profitable business opportunities when desired. The Asset Liability Management (ALM) is a part of the overall risk management system in the banks. It implies examination of all the assets and liabilities simultaneously on a continuous basis with a view to ensuring a proper balance between funds mobilization and their deployment with respect to their a) maturity profiles, b) cost, c) yield, d) risk exposure, etc. It includes product pricing for deposits as well as advances, and the desired maturity profile of assets and liabilities. Tolerance levels on mismatches should be fixed for
various maturities depending upon the asset liability proCHARTERED ACCOUNTANT FEBRUARY 2003 845
MANAGEMENT
file, deposit mix, nature of cash flow etc. Bank should track the impact of pre-payment of loans & premature closure of deposits so as to realistically estimate the cash flow profile.
b) Interest Rate Risk
Interest Rate Risk is the potential negative impact on the Net Interest Income and it refers to the vulnerability of an institution¶s financial condition to the movement in interest rates. Changes in interest rate affect earnings, value of assets, liability off-balance sheet items and cash flow. Hence, the objective of interest rate risk management is to maintain earnings, improve the capability, ability to absorb potential loss and to ensue the adequacy of the compensation received for the risk taken and effect risk return trade-off. Management of interest rate risk aims at capturing the risks arising from the maturity and re-pricing mismatches and is measured both from the earnings and economic value perspective. Earnings perspective involves analyzing the impact of changes in interest rates on accrual or reported earnings in the near term. This is measured by measuring the changes in the Net Interest Income (NII) equivalent to the difference between total interest income and total interest expense. In order to manage interest rate risk, banks should begin evaluating the vulnerability of their portfolios to the risk of fluctuations in market interest rates. One such measure is Duration of market value of a bank asset or liabilities to a percentage change in the market interest rate. The difference between the average duration for bank assets and the average duration for bank liabilities is known as the duration gap which assess the bank¶s exposure to interest rate risk. The Asset Liability Committee (ALCO) of a bank uses the information contained in the duration gap analysis to guide and frame strategies. By reducing the size of the duration gap, banks can minimize the interest rate risk. Economic Value perspective involves analyzing the expected cash in flows on assets minus expected cash out flows on liabilities plus the net cash flows on off-balance sheet items. The economic value perspective identifies risk arising from long-term interest rate gaps. The various types of interest rate risks are detailed below: Gap/Mismatch risk: It arises from holding assets and liabilities and off balance sheet items with different principal amounts, maturity dates & re-pricing dates thereby creating exposure to unexpected changes
in the level of market interest rates. Basis Risk: It is the risk that the Interest rat of different Assets/liabilities and off balance items may change in different magnitude. The degree of basis risk is fairly high in respect of banks that create composite assets out of composite liabilities. Embedded option Risk: Option of pre-payment of loan and Fore- closure of deposits before their stated maturities constitute embedded option risk Yield curve risk: Movement in yield curve and the impact of that on portfolio values and income. Reprice risk: When assets are sold before maturities. Reinvestment risk: Uncertainty with regard to interest rate at which the future cash flows could be reinvested. Net interest position risk: When banks have more earning assets than paying liabilities, net interest position risk arises in case market interest rates adjust downwards. There are different techniques such as a) the traditional Maturity Gap Analysis to measure the interest rate sensitivity, b) Duration Gap Analysis to measure interest rate sensitivity of capital, c) simulation and d) Value at Risk for measurement of interest rate risk. The approach towards measurement and hedging interest rate risk varies with segmentation of bank¶s balance sheet. Banks broadly bifurcate the asset into Trading Book and Banking Book. While trading book comprises of assets held primarily for generating profits on short term differences in prices/yields, the banking book consists of assets and liabilities contracted basically on account of relationship or for steady income and statutory obligations and are generally held till maturity/payment by counter party. Thus, while price risk is the prime concern of banks in trading book, the earnings or changes in the economic value are the main focus in banking book. Value at Risk (VaR) is a method of assessing the market risk using standard statistical techniques. It is a statistical measure of risk exposure and measures the worst expected loss over a given time interval under normal market conditions at a given confidence level of say 95% or 99%. Thus VaR is simply a distribution of probable outcome of future losses that may occur on a portfolio. The actual result will not be known until the event takes place. Till then it is a random variable whose outcome has been estimated. As far as Trading Book is concerned, bank should be able to adopt standardized method or internal models
for providing explicit capital charge for market risk.
CHARTERED ACCOUNTANT FEBRUARY 2003 846
MANAGEMENT
c) Forex Risk
Foreign exchange risk is the risk that a bank may suffer loss as a result of adverse exchange rate movement during a period in which it has an open position, either spot or forward or both in same foreign currency. Even in case where spot or forward positions in individual currencies are balanced the maturity pattern of forward transactions may produce mismatches. There is also a settlement risk arising out of default of the counter party and out of time lag in settlement of one currency in one center and the settlement of another currency in another time zone. Banks are also exposed to interest rate risk, which arises from the maturity mismatch of foreign currency position. The Value at Risk (VaR) indicates the risk that the bank is exposed due to uncovered position of mismatch and these gap positions are to be valued on daily basis at the prevalent forward market rates announced by FEDAI for the remaining maturities. Currency Risk is the possibility that exchange rate changes will alter the expected amount of principal and return of the lending or investment. At times, banks may try to cope with this specific risk on the lending side by shifting the risk associated with exchange rate fluctuations to the borrowers. However the risk does not get extinguished, but only gets converted in to credit risk. By setting appropriates limits-open position and gaps, stop-loss limits, Day Light as well as overnight limits for each currency, Individual Gap Limits and Aggregate Gap Limits, clear cut and well defined division of responsibilities between front, middle and back office the risk element in foreign exchange risk can be managed/monitored.
d) Country Risk
This is the risk that arises due to cross border transactions that are growing dramatically in the recent years owing to economic liberalization and globalization. It is the possibility that a country will be unable to service or repay debts to foreign lenders in time. It comprises of Transfer Risk arising on account of possibility of losses due to restrictions on external remittances; Sovereign Risk associated with lending to government of a sovereign nation or taking government guarantees; Political Risk when political environment or legislative process of country leads to government taking over the assets of the financial entity (like nationalization, etc) and preventing discharge of liabilities in a manner that had been agreed to earlier; Cross border risk arising on account of the borrower being a resident of a country other than the country where the cross
border asset is booked; Currency Risk, a possibility that exchange rate change, will alter the expected amount of principal and return on the lending or investment. In the process there can be a situation in which seller (exporter) may deliver the goods, but may not be paid or the buyer (importer) might have paid the money in advance but was not delivered the goods for one or the other reasons. As per the RBI guidance note on Country Risk Management published recently, banks should reckon both fund and non-fund exposures from their domestic as well as foreign branches, if any, while identifying, measuring, monitoring and controlling country risk. It advocates that bank should also take into account indirect country risk exposure. For example, exposures to a domestic commercial borrower with large economic dependence on a certain country may be considered as subject to indirect country risk. The exposures should be computed on a net basis, i.e. gross exposure minus collaterals, guarantees etc. Netting may be considered for collaterals in/guarantees issued by countries in a lower risk category and may be permitted for bank¶s dues payable to the respective countries. RBI further suggests that banks should eventually put in place appropriate systems to move over to internal assessment of country risk within a prescribed period say by 31.3.2004, by which time the new capital accord would be implemented. The system should be able to identify the full dimensions of country risk as well as incorporate features that acknowledge the links between credit and market risks. Banks should not rely solely on rating agencies or other external sources as their only country risk-monitoring tool. With regard to inter-bank exposures, the guidelines suggests that banks should use the country ratings of international rating agencies and broadly classify the country risk rating into six categories such as insignificant, low, moderate, high, very high & off-credit. However, banks may be allowed to adopt a more conservative categorization of the countries. Banks may set country exposure limits in relation to the bank¶s regulatory capital (Tier I & II) with suitable sub limits, if necessary, for products, branches, maturity etc. Banks were also advised to set country exposure limits and monitor such exposure on weekly basis before eventually switching over to real tie monitoring. Banks should use variety of internal and external sources as a means to measure country risk and should not rely solely on rating agencies or other external sources as their only tool for monitoring country risk. Banks are expected to disclose the ³Country Risk Management´ policies in their Annual Report by way of notes.
CHARTERED ACCOUNTANT FEBRUARY 2003 847
MANAGEMENT
V OPERATIONAL RISK
Always banks live with the risks arising out of human error, financial fraud and natural disasters. The recent happenings such as WTC tragedy, Barings debacle etc. has highlighted the potential losses on account of operational risk. Exponential growth in the use of technology and increase in global financial inter-linkages are the two primary changes that contributed to such risks. Operational risk, though defined as any risk that is not categorized as market or credit risk, is the risk of loss arising from inadequate or failed internal processes, people and systems or from external events. In order to mitigate this, internal control and internal audit systems are used as the primary means. Risk education for familiarizing the complex operations at all levels of staff can also reduce operational risk. Insurance cover is one of the important mitigators of operational risk. Operational risk events are associated with weak links in internal control procedures. The key to management of operational risk lies in the bank¶s ability to assess its process for vulnerability and establish controls as well as safeguards while providing for unanticipated worst-case scenarios. Operational risk involves breakdown in internal controls and corporate governance leading to error, fraud, performance failure, compromise on the interest of the bank resulting in financial loss. Putting in place proper corporate governance practices by itself would serve as an effective risk management tool. Bank should strive to promote a shared understanding of operational risk within the organization, especially since operational risk is often interwined with market or credit risk and it is difficult to isolate. Over a period of time, management of credit and market risks has evolved a more sophisticated fashion than operational risk, as the former can be more easily measured, monitored and analysed. And yet the root causes of all the financial scams and losses are the result of operational risk caused by breakdowns in internal control mechanism and staff lapses. So far, scientific measurement of operational risk has not been evolved. Hence 20% charge on the Capital Funds is earmarked for operational risk and based on subsequent data/feedback, it was reduced to 12%. While measurement of operational risk and computing capital charges as envisaged in the Basel proposals are to be the ultimate goals, what is to be done at present is start implementing the Basel proposal in a phased manner and carefully plan in that direction. The incentive for banks to move the measurement chain is not just to reduce regulatory capital but more importantly to provide assurance to the top management that the bank holds the required capital.
VI REGULATORY RISK
When owned funds alone are managed by an entity, it is natural that very few regulators operate and supervise them. However, as banks accept deposit from public obviously better governance is expected of them. This entails multiplicity of regulatory controls. Many Banks, having already gone for public issue, have a greater responsibility and accountability. As banks deal with public funds and money, they are subject to various regulations. The very many regulators include Reserve Bank of India (RBI), Securities Exchange Board of India (SEBI), Department of Company Affairs (DCA), etc. More over, banks should ensure compliance of the applicable provisions of The Banking Regulation Act, The Companies Act, etc. Thus all the banks run the risk of multiple regulatory-risk which inhibits free growth of business as focus on compliance of too many regulations leave little energy and time for developing new business. Banks should learn the art of playing their business activities within the regulatory controls.
VII ENVIRONMENTAL RISK
As the years roll by and technological advancement take place, expectation of the customers change and enlarge. With the economic liberalization and globalization, more national and international players are operating the financial markets, particularly in the banking field. This provides the platform for environmental change and exposes the bank to the environmental risk. Thus, unless the banks improve their delivery channels, reach customers, innovate their products that are service oriented, they are exposed to the environmental risk resulting in loss in business share with consequential profit.
Site Develo
Risk Management in Banks ________________________________________
The face of banking in India is changing rapidly. The enhanced role of the banking sector in the Indian economy, the increasing levels of deregulation along with the increasing levels of competition have facilitated globalisation of the India banking system and placed numerous demands on banks. Operating in this demanding environment has exposed banks to various challenges and risks. Traditional Risk Management Systems Commercial banks are in the risk business. In the process of providing financial services, they assume various kinds of financial risks. So we need to determine an approach to examine large-scale risk management systems. The management of the banking firm relies on a sequence of steps to implement a risk management system. These can be seen as containing the following four parts: Standards and reports Position limits or rules Investment guidelines or strategies Incentive contracts and compensation
In general, these tools are established to measure exposure, define procedures to manage these exposures, limit individual positions to acceptable levels, and encourage decision makers to manage risk in a manner that is consistent with the firm's goals and objectives. Types of Risk The banking industry has long viewed the problem of risk management as the need to control four of the above risks which make up most, if not all, of their risk exposure, viz., credit, interest rate, foreign exchange and liquidity risk. While they recognize counterparty and legal risks, they view them as less central to their concerns. Value Based Risk Management Systems Value-at-risk (VaR) Value-at-risk (VaR) is a measure of the worst expected loss over a given time interval under normal market conditions at a given confidence level. Value-at-risk is widely used by banks, securities firms and other trading organizations. Such firms could track their portfolios' market risk by using historical volatility as a risk metric. Use of Derivatives There has been a significant increase in the use of derivatives in the risk management. Credit Default Swaps - Credit derivatives are being used by almost all the banks now. Out of a total of $250 trillion of derivative contracts traded round the world, more than 50% are in form of credit derivatives. Then banks are using swaps for match their asset liability mismatch. Interest Rate Swaps - A bank having a fixed income and floating outflow can go in for a swap to get fixed outflow. Similarly, swaps can be arranged to hedge currency risks. Universal banking system is now spreading fast. This is diversifying the bank's operational risk. Stress Testing It is another modern risk management practice which has found wide acceptability in Indian Banking System. Determining the required buffer size of capital is an important risk management issue for banks, which the Basle Committee (2002) suggests should be approached via stress testing.
Stress testing permits a forward-looking analysis and a uniform approach to identifying potential risks to the banking system as a whole. Stress tests done on German banks found that, "it is not only the capital and reserves base which is crucial for the long-term stability of the banks, however. The institutions also have to make further progress in their efforts to achieve a sustained improvement in their profitability and in limiting their credit and market risks." All these dynamics are well captured by Stress Testing models. RBI has said that, "Banks should identify their major sources of risk and carry out stress tests appropriate to them. Some of these tests may be run daily or weekly, some others may be run at monthly or quarterly intervals. This stress testing would also form a part of preparedness for Pillar 2 of the Basel II framework." Basel Committee Basel 1 In July 1988, the Basel Committee came out with a set of recommendations aimed at introducing minimum levels of capital for internationally active banks. These norms required the banks to maintain capital of at least 8 per cent of their risk-weighted loan exposures. Different risk weights were specified by the committee for different categories of exposure. For instance, government bonds carried risk-weight of 0 per cent, while the corporate loans had a risk-weight of 100 per cent. Basel II To set right these aspects, the Basel Committee came up with a new set of guidelines in June 2004, popularly known as the Basel II norms. These new norms are far more complex and comprehensive compared to the Basel I norms. Also, the Basel II norms are more risksensitive and they rely heavily on data analysis for risk measurement and management. They have given three pillars which act as guideline for implementation of Basel II. Pillar 1 Basel II norms provide banks with guidelines to measure the various types of risks they face - credit, market and operational risks and the capital required to cover these risks. Pillar II (Supervisory Reviews) ensures that not only do the banks have adequate capital to cover their risks, but also that they employ better risk management practices so as to minimise the risks. Capital cannot
be regarded as a substitute for inadequate risk management practices. This pillar requires that if the banks use asset securitisation and credit derivatives and wish to minimise their capital charge they need to comply with various standards and controls. As a part of the supervisory process, the supervisors need to ensure that the regulations are adhered to and the internal measurement systems are standardised and validated. Pillar III (Market Discipline) This market discipline is brought through greater transparency by asking banks to make adequate disclosures. The potential audiences of these disclosures are supervisors, bank's customers, rating agencies, depositors and investors. Market discipline has two important components: Market signalling in form of change in bank's share prices or change in bank's borrowing rates Responsiveness of the bank or the supervisor to market signals What they Mean for banks Basel II norms are expected to have far-reaching consequences on the health of financial sectors worldwide because of the increased emphasis on banks' risk-management systems, supervisory review process and market discipline. Active Risk Management The new norms bring to fore not only the issues of bank-wide risk measurement but also of active risk management. This will help in better pricing of the loans in alignment with their actual risks. The beneficiary will be the customer with high credit-worthiness and ratings as they will be able to get cheaper loans. Higher Risk Sensitivity Higher risk sensitivity of the norms provides no incentive to lend to borrowers with declining credit quality. During economic downturns, corporate profits and ratings tend to decline. This can lead to banks pulling the plugs on lending to corporates with falling credit ratings, at a time when these companies will be in desperate need of credit. The opposite is expected during economic booms, when corporate credit worthiness improves and banks will be more than willing to lend to corporates. Lower Risk Weight Available Only for a Few Corporate
With better risk measurement practices in place the capital allocation for loans to quality borrowers are going to decrease. Banks can use this capital for other purposes to increase profits. But the population of rated corporate is small in India and most of them would have to be assigned a risk weight of 100 per cent. The benefit of lower risk weight of 20 per cent and 50 per cent would, therefore, be available only for loans to a few corporates. The cover required for bad loans will increase exponentially with deteriorating credit quality, which can lead to an increase in capital requirement. Trends in Indian Banks Oriental Bank of Commerce - The practices being employed by the bank are directed by the principle of defined risk assessment and measurement including VaR Analysis, Stress Testing, etc. For management of Exchange Rate Risk in Forex, Day Light Limit for Trading Activities, Overnight Position Limits, Inter-bank Liability Limits, and other limits have been imposed for effective control. The Bank in consultation with NIBM, Pune, has finalized Credit Rating Framework for various Credit Products incorporating Risk parameters for such categories of Loans & Advances to provide finer analytical techniques for better Market Risk Management. Other banks like ICICI, IDBI and Bank of India have also implemented risk management practices in accordance with the Basel II norms. The Way Forward for India Continue to deepen the collaborative dialogue between industry and regulators, to deepen shared understanding of the challenges and opportunities for strengthening risk management capability in Indian banks. We also need acceptance of pragmatic solutions to the challenges of Basel II implementation. We need to make sure that bureaucracy and costs are minimised, & business benefits maximised. Our main goal is improved risk management, not regulatory compliance. In this context, banks need to upgrade their credit assessment and risk management skills and retrain staff, develop a cadre of specialists and introduce technology driven management information systems Advertisement