
Risk Management in Banking

In the course of their operations, banks are invariably faced with different
types of risks that may have a potentially negative effect on their
business. Risk management in bank operations includes risk
identification, measurement and assessment, and its objective is to
minimize negative effects risks can have on the financial result and
capital of a bank. Banks are therefore required to form a special
organizational unit in charge of risk management. Also, they are required
to prescribe procedures for risk identification, measurement and
assessment, as well as procedures for risk management.

The risks to which a bank is particularly exposed in its operations are:


liquidity risk, credit risk, market risks (interest rate risk, foreign
exchange risk and risk from change in market price of securities,
financial derivatives and commodities), exposure risks, investment risks,
risks relating to the country of origin of the entity to which a bank is
exposed, operational risk, legal risk, reputational risk and strategic risk.

Liquidity risk is the risk of negative effects on the financial result and
capital of the bank caused by the bank's inability to meet all its due
obligations.

Credit risk is the risk of negative effects on the financial result and
capital of the bank caused by the borrower's default on its obligations to the
bank.

Market risk includes interest rate and foreign exchange risk.

Interest rate risk is the risk of negative effects on the financial result and
capital of the bank caused by changes in interest rates.

Foreign exchange risk is the risk of negative effects on the financial
result and capital of the bank caused by changes in exchange rates.

A special type of market risk is the risk of change in the market price of
securities, financial derivatives or commodities traded or tradable in the
market.

Exposure risks include the risks of a bank's exposure to a single entity or
to a group of related entities.

Investment risks include the risks of a bank's investment in non-financial
sector entities, fixed assets and investment real estate.

Risks relating to the country of origin of the entity to which a bank is
exposed (country risk) is the risk of negative effects on the financial
result and capital of the bank due to the bank's inability to collect claims
from such entity for reasons arising from political, economic or social
conditions in such entity's country of origin. Country risk includes
political and economic risk, and transfer risk.

Operational risk is the risk of negative effects on the financial result and
capital of the bank caused by omissions in the work of employees,
inadequate internal procedures and processes, inadequate management of
information and other systems, and unforeseeable external events.

Legal risk is the risk of loss caused by penalties or sanctions originating
from court disputes due to breach of contractual and legal obligations,
and penalties and sanctions pronounced by a regulatory body.

Reputational risk is the risk of loss caused by a negative impact on the
market positioning of the bank.

Strategic risk is the risk of loss caused by a lack of a long-term
development component in the bank's managing team.

RISK MANAGEMENT

The last few years have witnessed sea changes in the Indian banking sector. Indian
banking and financial system has been gradually liberalised. Interest rates have been
deregulated, new players, new instruments and new institutions have been
introduced. Moreover, prudential regulations have been expanded and supervision
has been strengthened at various levels. In the sphere of external financial policy, the
exchange rate is market driven, there has been a progressive liberalisation of FDI and
FII investment, and there are now only minimum restrictions on inflow of capital into
the economy, or its repatriation and servicing.
In the new liberalized economy in India, Banks and regulators in recent years have
been making sustained efforts to understand and measure the increasing risks they are
exposed to. With the Indian economy becoming global, the Banks are realising the
importance of different types of risks. Some of these risks are credit risks, market
risks, operational risks, reputational risks and legal risks, which are being measured
using quantitative techniques in risk modeling. RBI issued the first set of guidelines to Banks on Risk
Management on October 20, 1999.

What is Risk
A risk can be defined as an unplanned event with financial consequences resulting in
loss or reduced earnings. Therefore, a risky proposition is one with potential profit or
a looming loss. Risk stems from uncertainty or unpredictability of the future. In
commerce and business, risk generates profit or loss depending upon the way in
which it is managed. Risk can be defined as the volatility of the potential
outcome. Risk is the possibility of something adverse happening. Risk management
is the process of assessing risk, taking steps to reduce risk to an acceptable level and
maintaining that level of risk.
Thus, we can say that after the risks have been identified, risk management attempts
to lessen their effects. This is done by applying a range of management
techniques. For example, the risk may be lessened by taking out insurance or using
derivatives or re-planning the whole project.

Thus, the essential components of any risk management system are:

Risk Identification, i.e. the naming and defining of each type of risk associated with a
transaction or type of product or service;
Risk Measurement, i.e. the estimation of the size, probability and timing of potential
loss under various scenarios;
Risk Control, i.e. the framing of policies and guidelines that define the risk limits not
only at the individual level but also for particular transactions.

Having understood what risk is, we now turn to the measurement of risk.
Measurement of risk is a very important step in the risk management process. Some risks
can be easily quantified, like exchange risk, interest rate risk etc., while some risks like
country risk, operational risk etc. cannot be mathematically deduced; they can only
be qualitatively compared and measured. Some risks, like gap risk in forex operations,
can be measured using modern mathematical and statistical tools like value at risk etc.
Therefore it is important to identify and appreciate the risk and quantify it. Only then
can the next step, management of risk, be attempted. The management is a process
consisting of the following steps.

Identify all areas of risk
Evaluate these risks
Set various exposure limits for:
    type of business
    mismatches
    counterparties
Issue clear policy guidelines / directives.

Different Types of Risks :

(1) Credit Risk - This is the risk of non-recovery of a loan or the risk of
reduction in the value of an asset. The credit risk also includes the pre-
payment risk resulting in loss of opportunity to the bank to earn higher
interest income. Credit risk also arises due to excess exposure to a
single borrower, industry or geographical area. The element of
country risk is also present, which is the risk of losses being incurred due
to an adverse foreign exchange reserve situation or adverse political or
economic situations in another country.
(2) Interest Rate Risk - This risk arises due to fluctuations in the interest
rates. It can result in reduction in the revenues of the bank due to
fluctuations in the interest rates, which are dynamic and which change
differently for assets and liabilities. In the deregulated era, interest
rates are market determined and banks have to fall in line with the market
trends even though it may stifle their net interest margins.

(3) Liquidity Risk - Liquidity is the ability to meet commitments as and
when they are due and the ability to undertake new transactions when they are
profitable. Liquidity risk may emanate in any of the following situations:
(a) net outflow of funds arising out of withdrawals/non-renewal of
deposits
(b) non-recovery of cash receipts from recovery of loans
(c) conversion of contingent liabilities into fund based commitment and
(d) increased availment of sanctioned limits
(4) Foreign Exchange Risk - Risk may arise on account of maintenance of
positions in forex operations and it involves currency rate risk, transaction risks
(profit/loss on transfer of earned profits due to time lag) and transportation risk
(risks arising out of exchange restrictions).
(5) Regulatory Risks - It is defined as the risk associated with the impact on
profitability and financial position of a bank due to changes in the regulatory
conditions; for example, the introduction of asset classification norms has
adversely affected the banks' NPAs and balance sheet bottom lines.
(6) Technology Risk - This risk is associated with computers and the
communication technology which is being increasingly introduced in the
banks. This entails the risk of obsolescence and the risk of losing
business to better technologically
(7) Market Risk - This is the risk of losses in off and on balance sheet
positions arising from movements in market prices.
(8) Strategic Risk - This is the risk arising out of certain strategic decisions
taken by the banks for sustaining themselves in the present day scenario; for
example, a decision to open a subsidiary may run the risk of losses if the
subsidiary does not do good business.
The essential components of any risk management system are:
(i) Risk Identification - i.e. the naming and defining of each type of risk
associated with a transaction or type of product or service
(ii) Risk Measurement - i.e. the estimation of the size, probability and
timing of potential loss under various scenarios
(iii) Risk Control - i.e. the framing of policies and guidelines that define
the risk limits not only at the individual level but also for particular
transactions

In a risk management exercise, the top management has to lay down clear-cut
policy guidelines in quantifiable and precise terms (business parameters, limits
etc.) for the different layers of line personnel. It is very important for the
management to plan at the macro level what the organisation is looking for
in any business proposition or venture and convert these expectations into micro
level factors and requirements for field level functionaries; only then will they be
able to convert these expectations into reality. A very important assumption that is
made but normally omitted or overlooked is the provision of infrastructural
support and a conducive climate. Ultimately, top management has a greater role to
play in any risk management process.

Risk management in Indian banks


Risk management is the identification, assessment, and prioritization
of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by
coordinated and economical application of resources to minimize, monitor, and
control the probability and/or impact of unfortunate events[1] or to maximize the
realization of opportunities. Risk management's objective is to
assure uncertainty does not deflect the endeavor from the business goals.[2]
Risks can come from various sources: e.g., uncertainty in financial markets, threats
from project failures (at any phase in design, development, production, or sustainment
life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well
as deliberate attack from an adversary, or events of uncertain or unpredictable root-
cause. There are two types of events: negative events can be classified as risks
while positive events are classified as opportunities. Several risk
management standards have been developed including the Project Management
Institute, the National Institute of Standards and Technology, actuarial societies, and
ISO standards.[3][4] Methods, definitions and goals vary widely according to whether
the risk management method is in the context of project management,
security, engineering, industrial processes, financial portfolios, actuarial assessments,
or public health and safety.
Risk sources are more often identified and located not only in infrastructural or
technological assets and tangible variables, but also in human factor variables, mental
states and decision making. The interaction between human factors and tangible
aspects of risk highlights the need to focus closely on human factors as one of the
main drivers for risk management, a "change driver" that comes first of all from the
need to know how humans perform in challenging environments and in face of risks
(Daniele Trevisani, 2007). As the author describes, it is an extremely hard task to be
able to apply an objective and systematic self-observation, and to make a clear and
decisive step from the level of the mere "sensation" that something is going wrong, to
the clear understanding of how, when and where to act. The truth of a problem or risk
is often obfuscated by wrong or incomplete analyses, fake targets, perceptual
illusions, unclear focusing, altered mental states, and lack of good communication and
confrontation of risk management solutions with reliable partners. This makes the
Human Factor aspect of Risk Management sometimes heavier than its tangible and
technological counterpart.[5]
Strategies to manage threats (uncertainties with negative consequences) typically
include avoiding the threat, reducing the negative effect or probability of the threat,
transferring all or part of the threat to another party, and even retaining some or all of
the potential or actual consequences of a particular threat, and the opposites for
opportunities (uncertain future states with benefits).
Certain aspects of many of the risk management standards have come under criticism
for having no measurable improvement on risk, whereas the confidence in estimates
and decisions seem to increase.[1] For example, it has been shown that one in six IT
projects experience cost overruns of 200% on average, and schedule overruns of
70%.[6]

Introduction

A widely used vocabulary for risk management is defined by ISO Guide 73:2009,
"Risk management. Vocabulary."[3]
In ideal risk management, a prioritization process is followed whereby the risks with
the greatest loss (or impact) and the greatest probability of occurring are handled first,
and risks with lower probability of occurrence and lower loss are handled in
descending order. In practice the process of assessing overall risk can be difficult, and
balancing resources used to mitigate between risks with a high probability of
occurrence but lower loss versus a risk with high loss but lower probability of
occurrence can often be mishandled.
Intangible risk management identifies a new type of a risk that has a 100% probability
of occurring but is ignored by the organization due to a lack of identification ability.
For example, when deficient knowledge is applied to a situation, a knowledge risk
materializes. Relationship risk appears when ineffective collaboration occurs.
Process-engagement risk may be an issue when ineffective operational procedures are
applied. These risks directly reduce the productivity of knowledge workers, decrease
cost-effectiveness, profitability, service, quality, reputation, brand value, and earnings
quality. Intangible risk management allows risk management to create immediate
value from the identification and reduction of risks that reduce productivity.
Risk management also faces difficulties in allocating resources. This is the idea
of opportunity cost. Resources spent on risk management could have been spent on
more profitable activities. Again, ideal risk management minimizes spending (or
manpower or other resources) and also minimizes the negative effects of risks.

Method

For the most part, these methods consist of the following elements, performed, more
or less, in the following order.
1. identify, characterize threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected likelihood and consequences of specific
types of attacks on specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures based on a strategy

Principles of risk management

The International Organization for Standardization (ISO) identifies the following
principles of risk management:[7]
Risk management should:

create value - resources expended to mitigate risk should be less than the
consequence of inaction, or (as in value engineering), the gain should exceed the
pain
be an integral part of organizational processes
be part of decision making process
explicitly address uncertainty and assumptions
be a systematic and structured process
be based on the best available information
be tailorable
take human factors into account
be transparent and inclusive
be dynamic, iterative and responsive to change
be capable of continual improvement and enhancement
be continually or periodically re-assessed

Process

According to the standard ISO 31000 "Risk management - Principles and guidelines
on implementation,"[4] the process of risk management consists of several steps as
follows:

Establishing the context

This involves:

1. identification of risk in a selected domain of interest
2. planning the remainder of the process
3. mapping out the following:
   the social scope of risk management
   the identity and objectives of stakeholders
   the basis upon which risks will be evaluated, constraints.
4. defining a framework for the activity and an agenda for identification
5. developing an analysis of risks involved in the process
6. mitigation or solution of risks using available technological, human and
organizational resources.

Identification

After establishing the context, the next step in the process of managing risk is to
identify potential risks. Risks are about events that, when triggered, cause problems or
benefits. Hence, risk identification can start with the source of our problems and those
of our competitors (benefit), or with the problem itself.

Source analysis - Risk sources may be internal or external to the
system that is the target of risk management (use mitigation instead of
management since by its own definition risk deals with factors of decision-
making that cannot be managed).
Examples of risk sources are: stakeholders of a project, employees of a company or
the weather over an airport.

Problem analysis - Risks are related to identified threats. For example:
the threat of losing money, the threat of abuse of confidential information or the
threat of human errors, accidents and casualties. The threats may exist with
various entities, most important with shareholders, customers and legislative
bodies such as the government.
When either source or problem is known, the events that a source may trigger or the
events that can lead to a problem can be investigated. For example: stakeholders
withdrawing during a project may endanger funding of the project; confidential
information may be stolen by employees even within a closed network; lightning
striking an aircraft during takeoff may make all people on board immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and
compliance. The identification methods are formed by templates or the development
of templates for identifying source, problem or event. Common risk identification
methods are:

Objectives-based risk identification - Organizations and project teams
have objectives. Any event that may endanger achieving an objective partly or
completely is identified as risk.
Scenario-based risk identification - In scenario analysis different scenarios are
created. The scenarios may be the alternative ways to achieve an objective, or an
analysis of the interaction of forces in, for example, a market or battle. Any event
that triggers an undesired scenario alternative is identified as risk - see Futures
Studies for methodology used by Futurists.
Taxonomy-based risk identification - The taxonomy in taxonomy-based risk
identification is a breakdown of possible risk sources. Based on the taxonomy and
knowledge of best practices, a questionnaire is compiled. The answers to the
questions reveal risks.[8]
Common-risk checking - In several industries, lists with known risks
are available. Each risk in the list can be checked for application to a particular
situation.[9]
Risk charting[10] - This method combines the above approaches by listing
resources at risk, threats to those resources, modifying factors which may increase
or decrease the risk and consequences it is wished to avoid. Creating
a matrix under these headings enables a variety of approaches. One can begin
with resources and consider the threats they are exposed to and the consequences
of each. Alternatively one can start with the threats and examine which resources
they would affect, or one can begin with the consequences and determine which
combination of threats and resources would be involved to bring them about.

Assessment

Once risks have been identified, they must then be assessed as to their potential
severity of impact (generally a negative impact, such as damage or loss) and to the
probability of occurrence. These quantities can be either simple to measure, in the
case of the value of a lost building, or impossible to know for sure in the case of the
probability of an unlikely event occurring. Therefore, in the assessment process
it is critical to make the best educated decisions in order to properly prioritize the
implementation of the risk management plan.
Even a short-term positive improvement can have long-term negative impacts. Take
the "turnpike" example. A highway is widened to allow more traffic. More traffic
capacity leads to greater development in the areas surrounding the improved traffic
capacity. Over time, traffic thereby increases to fill available capacity. Turnpikes
thereby need to be expanded in seemingly endless cycles. There are many other
engineering examples where expanded capacity (to do any function) is soon filled by
increased demand. Since expansion comes at a cost, the resulting growth could
become unsustainable without forecasting and management.
The fundamental difficulty in risk assessment is determining the rate of occurrence
since statistical information is not available on all kinds of past incidents.
Furthermore, evaluating the severity of the consequences (impact) is often quite
difficult for intangible assets. Asset valuation is another question that needs to be
addressed. Thus, best educated opinions and available statistics are the primary
sources of information. Nevertheless, risk assessment should produce such
information for senior executives of the organization that the primary risks are easy to
understand and that the risk management decisions may be prioritized within overall
company goals. Thus, there have been several theories and attempts to quantify risks.
Numerous different risk formulae exist, but perhaps the most widely accepted formula
for risk quantification is: "Rate (or probability) of occurrence multiplied by the impact
of the event equals risk magnitude."

Composite risk index

The above formula can also be re-written in terms of a composite risk index, as
follows:
composite risk index = impact of risk event x probability of occurrence
The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5
represent the minimum and maximum possible impact of an occurrence of a risk
(usually in terms of financial losses). However, the 1 to 5 scale can be arbitrary and
need not be on a linear scale.
The probability of occurrence is likewise commonly assessed on a scale from 1 to 5,
where 1 represents a very low probability of the risk event actually occurring while 5
represents a very high probability of occurrence. This axis may be expressed in either
mathematical terms (event occurs once a year, once in ten years, once in 100 years
etc.) or may be expressed in "plain English" (event has occurred here very often;
event has been known to occur here; event has been known to occur in the industry
etc.). Again, the 1 to 5 scale can be arbitrary or non-linear depending on decisions by
subject-matter experts.
The composite risk index thus can take values ranging (typically) from 1 through 25,
and this range is usually arbitrarily divided into three sub-ranges. The overall risk
assessment is then Low, Medium or High, depending on the sub-range containing the
calculated value of the Composite Index. For instance, the three sub-ranges could be
defined as 1 to 8, 9 to 16 and 17 to 25.
Note that the probability of risk occurrence is difficult to estimate, since the past data
on frequencies are not readily available, as mentioned above. After all, probability
does not imply certainty.
Likewise, the impact of the risk is not easy to estimate since it is often difficult to
estimate the potential loss in the event of risk occurrence.
Further, both the above factors can change in magnitude depending on the adequacy
of risk avoidance and prevention measures taken and due to changes in the external
business environment. Hence it is absolutely necessary to periodically re-assess risks
and intensify/relax mitigation measures as necessary. Changes in procedures,
technology, schedules, budgets, market conditions, political environment, or other
factors typically require re-assessment of risks.
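
The composite risk index described above, worked through as an added example (not part of the original text). The register entries and their scores are constructed for illustration; the band boundaries are the 1 to 8, 9 to 16 and 17 to 25 sub-ranges given in the text.

```python
from dataclasses import dataclass, replace
from itertools import product

SCALE = range(1, 6)  # both axes are scored 1..5, as in the text
# Example sub-ranges from the text: 1 to 8, 9 to 16 and 17 to 25.
BANDS = ((1, 8, "Low"), (9, 16, "Medium"), (17, 25, "High"))


def band_for(index: int) -> str:
    """Map a composite index (1..25) onto Low / Medium / High."""
    for low, high, label in BANDS:
        if low <= index <= high:
            return label
    raise ValueError(f"composite index {index} is outside 1..25")


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int        # 1 = minimum impact, 5 = maximum impact
    probability: int   # 1 = very low, 5 = very high

    def __post_init__(self):
        # Reject anything that is not a whole score on the 1..5 scale.
        for axis in ("impact", "probability"):
            score = getattr(self, axis)
            if isinstance(score, bool) or not isinstance(score, int) or score not in SCALE:
                raise ValueError(f"{self.name}: {axis} must be an integer 1..5, got {score!r}")

    @property
    def index(self) -> int:
        # composite risk index = impact of risk event x probability of occurrence
        return self.impact * self.probability

    @property
    def band(self) -> str:
        return band_for(self.index)


def prioritize(risks):
    """Highest composite index first; ties go to the higher impact, then name."""
    return sorted(risks, key=lambda r: (-r.index, -r.impact, r.name))


def band_distribution():
    """Count how many of the 25 (impact, probability) cells land in each band."""
    counts = {label: 0 for _, _, label in BANDS}
    for impact, probability in product(SCALE, SCALE):
        counts[band_for(impact * probability)] += 1
    return counts


def reassess(risk, **new_scores):
    """Return a re-scored copy plus the (old band, new band) pair."""
    updated = replace(risk, **new_scores)  # re-runs the 1..5 validation
    return updated, (risk.band, updated.band)


# Constructed register entries (illustrative scores, not from the page).
REGISTER = [
    Risk("Core banking system outage", impact=5, probability=2),
    Risk("Staff credential phishing", impact=4, probability=5),
    Risk("Branch printer failure", impact=1, probability=4),
    Risk("Insider-initiated wire fraud", impact=5, probability=4),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.index:>2}  {r.band:<6}  {r.name}")
    print(band_distribution())
    # Periodic re-assessment: a mitigation lowers the probability score.
    after, change = reassess(REGISTER[1], probability=2)
    print(after.name, after.index, change)
```

With equal-width sub-ranges, only 3 of the 25 score combinations can reach High, because a product of two 1..5 scores never takes the values 17, 18 or 19; this is one practical consequence of the bands being arbitrary.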

Risk options

Risk mitigation measures are usually formulated according to one or more of the
following major risk options, which are:

1. Design a new business process with adequate built-in risk control and
containment measures from the start.
2. Periodically re-assess risks that are accepted in ongoing processes as a normal
feature of business operations and modify mitigation measures.
3. Transfer risks to an external agency (e.g. an insurance company)
4. Avoid risks altogether (e.g. by closing down a particular high-risk business
area)

Later research has shown that the financial benefits of risk management
are less dependent on the formula used but are more dependent on the frequency and
how risk assessment is performed.
In business it is imperative to be able to present the findings of risk assessments in
financial, market, or schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a
formula for presenting risks in financial terms. The Courtney formula was accepted as
the official risk analysis method for the US governmental agencies. The formula
proposes calculation of ALE (annualized loss expectancy) and compares the expected
loss value to the security control implementation costs (cost-benefit analysis).
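
The cost-benefit comparison described above, as an added example (not part of the original text). It uses the standard definition of ALE, single loss expectancy times annualized rate of occurrence, which the page names but does not spell out; the scenario, loss figures and control names are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction


def ale(sle, aro):
    """Annualized loss expectancy = loss per event x expected events per year."""
    if sle < 0 or aro < 0:
        raise ValueError("loss and rate of occurrence must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: int      # yearly cost of buying and operating the control
    sle_after: int        # loss per event once the control is in place
    aro_after: Fraction   # expected events per year once it is in place


def cost_benefit(sle, aro, controls):
    """Compare each control's reduction in expected loss with its cost."""
    baseline = ale(sle, aro)
    rows = []
    for control in controls:
        residual = ale(control.sle_after, control.aro_after)
        # Net benefit: expected loss avoided per year, minus what the control costs.
        net = baseline - residual - control.annual_cost
        rows.append({
            "control": control.name,
            "ale_before": baseline,
            "ale_after": residual,
            "net_benefit": net,
            "worthwhile": net > 0,
        })
    # Best value for money first.
    return sorted(rows, key=lambda row: row["net_benefit"], reverse=True)


# Constructed scenario: a computer virus outbreak costing 200,000 per event,
# expected once every two years (rates kept as exact fractions).
SLE = 200_000
ARO = Fraction(1, 2)
CONTROLS = [
    # Lowers how often an outbreak happens.
    Control("Antivirus software", annual_cost=30_000,
            sle_after=200_000, aro_after=Fraction(1, 10)),
    # Lowers the loss per outbreak, not its frequency.
    Control("Offline backups", annual_cost=15_000,
            sle_after=60_000, aro_after=Fraction(1, 2)),
    # Very effective, but costs more than the loss it prevents.
    Control("Fully isolated network", annual_cost=120_000,
            sle_after=200_000, aro_after=Fraction(1, 50)),
]

if __name__ == "__main__":
    for row in cost_benefit(SLE, ARO, CONTROLS):
        verdict = "implement" if row["worthwhile"] else "costs more than it saves"
        print(f"{row['control']:<24} ALE {int(row['ale_before']):>7} -> "
              f"{int(row['ale_after']):>6}  net {int(row['net_benefit']):>7}  {verdict}")
```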

Potential risk treatments

Once risks have been identified and assessed, all techniques to manage the risk fall
into one or more of these four major categories:[11]

Avoidance (eliminate, withdraw from or not become involved)
Reduction (optimize - mitigate)
Sharing (transfer - outsource or insure)
Retention (accept and budget)
Ideal use of these strategies may not be possible. Some of them may involve trade-
offs that are not acceptable to the organization or person making the risk management
decisions. Another source, from the US Department of Defense, Defense
Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or
Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for
Acquisition Category) used in US Defense industry procurements, in which Risk
Management figures prominently in decision making and planning.

Risk avoidance
This includes not performing an activity that could carry risk. An example would be
not buying a property or business in order to not take on the legal liability that comes
with it. Another would be not flying in order not to take the risk that the airplane were
to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also
means losing out on the potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also avoids the possibility of
earning profits. Increasing risk regulation in hospitals has led to avoidance of treating
higher risk conditions, in favor of patients presenting with lower risk.[12]

Hazard prevention

Hazard prevention refers to the prevention of risks in an emergency. The first and
most effective stage of hazard prevention is the elimination of hazards. If this takes
too long, is too costly, or is otherwise impractical, the second stage is mitigation.

Risk reduction
Risk reduction or "optimization" involves reducing the severity of the loss or the
likelihood of the loss from occurring. For example, sprinklers are designed to put out
a fire to reduce the risk of loss by fire. This method may cause a greater loss by water
damage and therefore may not be suitable. Halon fire suppression systems may
mitigate that risk, but the cost may be prohibitive as a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding
a balance between negative risk and the benefit of the operation or activity; and
between risk reduction and effort applied. By an offshore drilling contractor
effectively applying HSE Management in its organization, it can optimize risk to
achieve levels of residual risk that are tolerable.[13]
Modern software development methodologies reduce risk by developing and
delivering software incrementally. Early methodologies suffered from the fact that
they only delivered software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often jeopardized the whole
project. By developing in iterations, software projects can limit effort wasted to a
single iteration.
Outsourcing could be an example of risk reduction if the outsourcer can demonstrate
higher capability at managing or reducing risks.[14] For example, a company may
outsource only its software development, the manufacturing of hard goods, or
customer support needs to another company, while handling the business management
itself. This way, the company can concentrate more on business development without
having to worry as much about the manufacturing process, managing the development
team, or finding a physical location for a call center.

Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of
gain, from a risk, and the measures to reduce a risk."
The term of 'risk transfer' is often used in place of risk sharing in the mistaken belief
that you can transfer a risk to a third party through insurance or outsourcing. In
practice if the insurance company or contractor go bankrupt or end up in court, the
original risk is likely to still revert to the first party. As such in the terminology of
practitioners and scholars alike, the purchase of an insurance contract is often
described as a "transfer of risk." However, technically speaking, the buyer of the
contract generally retains legal responsibility for the losses "transferred", meaning that
insurance may be described more accurately as a post-event compensatory
mechanism. For example, a personal injuries insurance policy does not transfer the
risk of a car accident to the insurance company. The risk still lies with the policy
holder namely the person who has been in the accident. The insurance policy simply
provides that if an accident (the event) occurs involving the policy holder then some
compensation may be payable to the policy holder that is commensurate with the
suffering/damage.
Some ways of managing risk fall into multiple categories. Risk retention pools are
technically retaining the risk for the group, but spreading it over the whole group
involves transfer among individual members of the group. This is different from
traditional insurance, in that no premium is exchanged between members of the group
up front, but instead losses are assessed to all members of the group.
Risk retention
Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self
insurance falls in this category. Risk retention is a viable strategy for small risks
where the cost of insuring against the risk would be greater over time than the total
losses sustained. All risks that are not avoided or transferred are retained by default.
This includes risks that are so large or catastrophic that they either cannot be insured
against or the premiums would be infeasible. War is an example since most property
and risks are not insured against war, so the loss attributed to war is retained by the
insured. Also, any amount of potential loss (risk) over the amount insured is retained
risk. This may also be acceptable if the chance of a very large loss is small or if the
cost to insure for greater coverage amounts is so great it would hinder the goals of the
organization too much.
Risk management plan
Select appropriate controls or countermeasures to measure each risk. Risk mitigation
needs to be approved by the appropriate level of management. For instance, a risk
concerning the image of the organization should have top management decision
behind it whereas IT management would have the authority to decide on computer
virus risks.
The risk management plan should propose applicable and effective security controls
for managing the risks. For example, an observed high risk of computer viruses could
be mitigated by acquiring and implementing antivirus software. A good risk
management plan should contain a schedule for control implementation and
responsible persons for those actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk
assessment phase consists of preparing a Risk Treatment Plan, which should
document the decisions about how each of the identified risks should be handled.
Mitigation of risks often means selection of security controls, which should be
documented in a Statement of Applicability, which identifies which particular control
objectives and controls from the standard have been selected, and why.
Implementation

Implementation follows all of the planned methods for mitigating the effect of the
risks. Purchase insurance policies for the risks that have been decided to be
transferred to an insurer, avoid all risks that can be avoided without sacrificing the
entity's goals, reduce others, and retain the rest.
Review and evaluation of the plan

Initial risk management plans will never be perfect. Practice, experience, and actual
loss results will necessitate changes in the plan and contribute information to allow
possible different decisions to be made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are
two primary reasons for this:

1. to evaluate whether the previously selected security controls are still
applicable and effective
2. to evaluate the possible risk level changes in the business environment. For
example, information risks are a good example of a rapidly changing business
environment.

Limitations

Prioritizing the risk management processes too highly could keep an organization
from ever completing a project or even getting started. This is especially true if other
work is suspended until the risk management process is considered complete.
It is also important to keep in mind the distinction between risk and uncertainty. Risk
can be measured by impact x probability.
If risks are improperly assessed and prioritized, time can be wasted in dealing with
risk of losses that are not likely to occur. Spending too much time assessing and
managing unlikely risks can divert resources that could be used more profitably.
Unlikely events do occur but if the risk is unlikely enough to occur it may be better to
simply retain the risk and deal with the result if the loss does in fact occur. Qualitative
risk assessment is subjective and lacks consistency. The primary justification for a
formal risk assessment process is legal and bureaucratic.

Areas of risk management

As applied to corporate finance, risk management is the technique for measuring,
monitoring and controlling the financial or operational risk on a firm's balance sheet.
A traditional measure is the value at risk (VaR), but there are also other measures
like profit at risk (PaR) or margin at risk.
The Basel II framework breaks risks into market risk (price risk), credit risk and
operational risk and also specifies methods for calculating capital requirements for
each of these components.
Enterprise risk management

In enterprise risk management, a risk is defined as a possible event or circumstance
that can have negative influences on the enterprise in question. Its impact can be on
the very existence, the resources (human and capital), the products and services, or the
customers of the enterprise, as well as external impacts on society, markets, or the
environment. In a financial institution, enterprise risk management is normally
thought of as the combination of credit risk, interest rate risk or asset liability
management, liquidity risk, market risk, and operational risk.
In the more general case, every probable risk can have a pre-formulated plan to deal
with its possible consequences (to ensure contingency if the risk becomes a liability).
From the information above and the average cost per employee over time, or cost
accrual ratio, a project manager can estimate:

- the cost associated with the risk if it arises, estimated by multiplying employee
  costs per unit time by the estimated time lost (cost impact, C where C = cost
  accrual ratio * S).
- the probable increase in time associated with a risk (schedule variance due to
  risk, Rs where Rs = P * S):
  - Sorting on this value puts the highest risks to the schedule first. This is
    intended to cause the greatest risks to the project to be attempted first so that
    risk is minimized as quickly as possible.
  - This is slightly misleading as schedule variances with a large P and small S
    and vice versa are not equivalent. (The risk of the RMS Titanic sinking vs. the
    passengers' meals being served at slightly the wrong time).
- the probable increase in cost associated with a risk (cost variance due to
  risk, Rc where Rc = P*C = P*CAR*S = P*S*CAR)
  - sorting on this value puts the highest risks to the budget first.
  - see concerns about schedule variance as this is a function of it, as illustrated
    in the equation above.
Risk in a project or process can be due either to Special Cause Variation or Common
Cause Variation and requires appropriate treatment. That is to re-iterate the concern
about extremal cases not being equivalent in the list immediately above.
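The ranking described above, worked through as an added example (not part of the original page): a constructed four-entry risk register scored with C = CAR * S, Rs = P * S and Rc = P * C. The risk names, the CAR value and the helper `masked_pairs`, which lists entries that tie on Rs while their S differs by a chosen factor, are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    name: str
    p: Fraction  # P: probability that the risk materialises (0..1)
    s: int       # S: estimated time lost if it does, in working days

    def cost_impact(self, car):
        """C = CAR * S: cost incurred if the risk arises."""
        return car * self.s

    def schedule_variance(self):
        """Rs = P * S: probable increase in time."""
        return self.p * self.s

    def cost_variance(self, car):
        """Rc = P * C = P * S * CAR: probable increase in cost."""
        return self.p * self.cost_impact(car)


def rank_by_schedule(risks):
    """Names ordered by Rs, highest first (ties keep register order)."""
    ordered = sorted(risks, key=lambda r: r.schedule_variance(), reverse=True)
    return [r.name for r in ordered]


def rank_by_cost(risks, car):
    """Names ordered by Rc, highest first (ties keep register order)."""
    ordered = sorted(risks, key=lambda r: r.cost_variance(car), reverse=True)
    return [r.name for r in ordered]


def masked_pairs(risks, factor=10):
    """Pairs that score the same Rs although one loses at least `factor`
    times more time than the other when it happens. These are the
    large-P/small-S versus small-P/large-S cases the ranking treats as equal.
    Returns (high-S name, low-S name) tuples."""
    pairs = []
    for a, b in combinations(risks, 2):
        if a.schedule_variance() != b.schedule_variance():
            continue
        big, small = (a, b) if a.s >= b.s else (b, a)
        if big.s >= factor * small.s:
            pairs.append((big.name, small.name))
    return pairs


# Constructed sample data, not taken from the page.
CAR = 1200  # assumed cost accrual ratio: cost per working day
REGISTER = [
    Risk("Core database outage", Fraction("0.02"), 100),
    Risk("Nightly batch overrun", Fraction("0.5"), 4),
    Risk("Vendor patch slips", Fraction("0.3"), 10),
    Risk("Key engineer leaves", Fraction("0.1"), 15),
]

if __name__ == "__main__":
    for name in rank_by_schedule(REGISTER):
        r = next(x for x in REGISTER if x.name == name)
        print(f"{name:24} P={float(r.p):<5} S={r.s:<4} "
              f"Rs={float(r.schedule_variance()):<4} "
              f"C={r.cost_impact(CAR):<7} Rc={float(r.cost_variance(CAR))}")
    print("Equal Rs, very different S:", masked_pairs(REGISTER))
```

Because CAR is a single constant here, the Rc ordering is identical to the Rs ordering, which is why the caveat about schedule variance carries over to cost variance.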
Medical device risk management

For medical devices, risk management is a process for identifying, evaluating and
mitigating risks associated with harm to people and damage to property or the
environment. Risk management is an integral part of medical device design and
development, production processes and evaluation of field experience, and is
applicable to all types of medical devices. The evidence of its application is required
by most regulatory bodies such as FDA. The management of risks for medical devices
is described by the International Organization for Standardization (ISO) in ISO
14971:2007, Medical Devices - The application of risk management to medical
devices, a product safety standard. The standard provides a process framework and
associated requirements for management responsibilities, risk analysis and evaluation,
risk controls and lifecycle risk management.
The European version of the risk management standard was updated in 2009 and
again in 2012 to refer to the Medical Devices Directive (MDD) and Active
Implantable Medical Device Directive (AIMDD) revision in 2007, as well as the In
Vitro Medical Device Directive (IVDD). The requirements of EN 14971:2012 are
nearly identical to ISO 14971:2007. The differences include an Annex that refers to
the new MDD and AIMDD, the requirement for risks to be reduced as low as
possible, and the requirement that risks be mitigated by design and not by labeling on
the medical device (i.e., labeling can no longer be used to mitigate risk).
Typical risk analysis and evaluation techniques adopted by the medical device
industry include hazard analysis, fault tree analysis (FTA), failure mode and effect
analysis (FMEA), hazard and operability study (HAZOP), and risk traceability
analysis for ensuring risk controls are implemented and effective (i.e. tracking risks
identified to product requirements, design specifications, verification and validation
results etc.).
FTA analysis requires diagramming software. FMEA analysis can be done using
a spreadsheet program. There are also integrated medical device risk management
solutions.
Through a draft guidance, FDA has introduced another method named "Safety
Assurance Case" for medical device safety assurance analysis. The safety assurance
case is a structured argument reasoning about systems appropriate for scientists and
engineers, supported by a body of evidence, that provides a compelling,
comprehensible and valid case that a system is safe for a given application in a given
environment. With the guidance, a safety assurance case is expected for safety critical
devices (e.g. infusion devices) as part of the pre-market clearance submission, e.g.
510(k). In 2013, FDA introduced another draft guidance expecting medical device
manufacturers to submit cybersecurity risk analysis information.
Risk management activities as applied to project management

An example of the Risk Register for a project that includes 4 steps: Identify, Analyze,
Plan Response, Monitor and Control. [15]

In project management, risk management includes the following activities:[16][17][18]

- Planning how risk will be managed in the particular project. Plans should include
  risk management tasks, responsibilities, activities and budget.
- Assigning a risk officer - a team member other than a project manager - who is
  responsible for foreseeing potential project problems. A typical characteristic of
  a risk officer is a healthy skepticism.
- Maintaining a live project risk database. Each risk should have the following
  attributes: opening date, title, short description, probability and importance.
  Optionally a risk may have an assigned person responsible for its resolution and a
  date by which the risk must be resolved.
- Creating an anonymous risk reporting channel. Each team member should have the
  possibility to report risks that he/she foresees in the project.
- Preparing mitigation plans for risks that are chosen to be mitigated. The purpose
  of the mitigation plan is to describe how this particular risk will be handled:
  what, when, by whom and how it will be done to avoid it or minimize
  consequences if it becomes a liability.
- Summarizing planned and faced risks, effectiveness of mitigation activities, and
  effort spent for the risk management.
Risk management for megaprojects (infrastructure)

Megaprojects (sometimes also called "major programs") are extremely large-scale
investment projects, typically costing more than US$1 billion per project.
Megaprojects include bridges, tunnels, highways, railways, airports, seaports, power
plants, dams, wastewater projects, coastal flood protection schemes, oil and natural
gas extraction projects, public buildings, information technology systems, aerospace
projects, and defense systems. Megaprojects have been shown to be particularly risky
in terms of finance, safety, and social and environmental impacts.[19] Risk
management is therefore particularly pertinent for megaprojects and special methods
and special education have been developed for such risk management.[20]
Risk management regarding natural disasters

It is important to assess risk in regard to natural disasters like floods, earthquakes, and
so on. Outcomes of natural disaster risk assessment are valuable when considering
future repair costs, business interruption losses and other downtime, effects on the
environment, insurance costs, and the proposed costs of reducing the risk.[21] There
are regular conferences in Davos to deal with integral risk management.
Risk management of information technology

Information technology is increasingly pervasive in modern life in every
sector.[22][23][24]
IT risk is a risk related to information technology. This is a relatively new term due to
an increasing awareness that information security is simply one facet of a multitude of
risks that are relevant to IT and the real world processes it supports.
A number of methodologies have been developed to deal with this kind of risk
alongside adaptations of existing practices to new paradigms including agile risk
management.
ISACA's Risk IT framework ties IT risk to enterprise risk management.
Risk management techniques in petroleum and natural gas

For the offshore oil and gas industry, operational risk management is regulated by
the safety case regime in many countries. Hazard identification and risk assessment
tools and techniques are described in the international standard ISO 17776:2000, and
organisations such as the IADC (International Association of Drilling Contractors)
publish guidelines for HSE Case development which are based on the ISO standard.
Further, diagrammatic representations of hazardous events are often expected by
governmental regulators as part of risk management in safety case submissions; these
are known as bow-tie diagrams. The technique is also used by organisations and
regulators in mining, aviation, health, defence, industrial and finance.[25]
Risk management as applied to the pharmaceutical sector

The principles and tools for quality risk management are increasingly being applied to
different aspects of pharmaceutical quality systems. These aspects include
development, manufacturing, distribution, inspection, and submission/review
processes throughout the lifecycle of drug substances, drug products, biological and
biotechnological products (including the use of raw materials, solvents, excipients,
packaging and labeling materials in drug products, biological and biotechnological
products). Risk management is also applied to the assessment of microbiological
contamination in relation to pharmaceutical products and cleanroom manufacturing
environments.[26]

Risk management and business continuity

Risk management is simply a practice of systematically selecting cost-effective
approaches for minimising the effect of threat realization to the organization. All risks
can never be fully avoided or mitigated simply because of financial and practical
limitations. Therefore, all organizations have to accept some level of residual
risks.
Whereas risk management tends to be preemptive, business continuity
planning (BCP) was invented to deal with the consequences of realised residual risks.
The necessity to have BCP in place arises because even very unlikely events will
occur if given enough time. Risk management and BCP are often mistakenly seen as
rivals or overlapping practices. In fact, these processes are so tightly tied together that
such separation seems artificial. For example, the risk management process creates
important inputs for the BCP (e.g., assets, impact assessments, cost estimates). Risk
management also proposes applicable controls for the observed risks. Therefore, risk
management covers several areas that are vital for the BCP process. However, the
BCP process goes beyond risk management's preemptive approach and assumes that
the disaster will happen at some point.

Risk communication

Risk communication is a complex cross-disciplinary academic field related to core
values of the targeted audiences.[27][28] Problems for risk communicators involve how
to reach the intended audience, to make the risk comprehensible and relatable to other
risks, how to pay appropriate respect to the audience's values related to the risk, how
to predict the audience's response to the communication, etc. A main goal of risk
communication is to improve collective and individual decision making. Risk
communication is somewhat related to crisis communication.

Digital risk management

The digital era brings a paradigm shift. Digital risk is risk arising from increased
dependency on information technology systems and digital processes. It will become
a major challenge for the new evolving executive role of digital risk officer.
Executives are accountable for both operational performance and achieving strategic
objectives. There is now a need for executives to understand the direct alignment of
digital risks with the strategic business goals of the enterprise. Digital risk
management is the next evolution in digital risk and security strategies. It is about
re-defining corporate governance and digital perpetuation, and should form part of
the digital risk management plan.

References

1. Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken
and How to Fix It. John Wiley & Sons. p. 46.
2. Antunes, Ricardo; Gonzalez, Vicente (3 March 2015). "A Production Model for
Construction: A Theoretical Framework". Buildings 5 (1): 209-228.
doi:10.3390/buildings5010209.
3. ISO/IEC Guide 73:2009 (2009). Risk management - Vocabulary. International
Organization for Standardization.
4. ISO/DIS 31000 (2009). Risk management - Principles and guidelines on
implementation. International Organization for Standardization.
5. Trevisani, Daniele (2007). Regie di Cambiamento (Translated Title: The
Directions of Change), Franco Angeli Publisher, Milan, ISBN 9788846483775
6. Bent Flyvbjerg and Alexander Budzier, 2011, "Why Your IT Project May Be
Riskier Than You Think", Harvard Business Review, vol. 89, no. 9, pp. 601-603
7. "Committee Draft of ISO 31000 Risk management" (PDF). International
Organization for Standardization. 2007-06-15.
8. CMU/SEI-93-TR-6 Taxonomy-based risk identification in software industry.
Sei.cmu.edu. Retrieved on 2012-04-17.
9. Common Vulnerability and Exposures list. Cve.mitre.org. Retrieved on
2012-04-17.
10. Crockford, Neil (1986). An Introduction to Risk Management (2 ed.).
Cambridge, UK: Woodhead-Faulkner. p. 18. ISBN 0-85941-332-2.
11. Dorfman, Mark S. (2007). Introduction to Risk Management and Insurance (9
ed.). Englewood Cliffs, N.J: Prentice Hall. ISBN 0-13-224227-3.
12. McGivern, Gerry; Fischer, Michael D. (1 February 2012). "Reactivity and
reactions to regulatory transparency in medicine, psychotherapy and
counseling". Social Science & Medicine 74 (3): 289-296.
doi:10.1016/j.socscimed.2011.09.035. PMID 22104085.
13. IADC HSE Case Guidelines for MODUs 3.2, section 4.7
14. Roehrig, P (2006). "Bet On Governance To Manage Outsourcing Risk".
Business Trends Quarterly.
15. Kokcharov I. What Is Risk Management?
http://www.slideshare.net/igorkokcharov/what-is-project-risk-management
16. Lev Virine and Michael Trumper. Project Decisions: The Art and Science.
(2007). Management Concepts. Vienna. VA. ISBN 978-1-56726-217-9
17. Lev Virine and Michael Trumper. ProjectThink: Why Good Managers Make
Poor Project Choices. Gower Pub Co. ISBN 978-1409454984
18. Peter Simon and David Hillson, Practical Risk Management: The ATOM
Methodology (2012). Management Concepts. Vienna, VA. ISBN 978-1567263664
19. Flyvbjerg, Bent (2003). Megaprojects and Risk: An Anatomy of Ambition.
Cambridge University Press. ISBN 0521804205.
20. Oxford BT Centre for Major Programme Management
21. Craig Taylor and Erik VanMarcke, ed. (2002). Acceptable Risk Processes:
Lifelines and Natural Hazards. Reston, VA: ASCE, TCLEE. ISBN 9780784406236.
22. Cortada, James W. (2003-12-04). The Digital Hand: How Computers Changed
the Work of American Manufacturing, Transportation, and Retail Industries.
USA: Oxford University Press. p. 512. ISBN 0-19-516588-8.
23. Cortada, James W. (2005-11-03). The Digital Hand: Volume II: How
Computers Changed the Work of American Financial, Telecommunications,
Media, and Entertainment Industries. USA: Oxford University Press.
ISBN 978-0-19-516587-6.
24. Cortada, James W. (2007-11-06). The Digital Hand, Vol 3: How Computers
Changed the Work of American Public Sector Industries. USA: Oxford
University Press. p. 496. ISBN 978-0-19-516586-9.
25. [1]. BowtieXP. Retrieved on 2014-03-04.
26. Saghee M, Sandle T, Tidswell E (editors) (2011). Microbiology and Sterility
Assurance in Pharmaceuticals and Medical Devices (1st ed.). Business
Horizons. ISBN 978-8190646741.
27. Navy and Marine Corps Public Health Center, A Risk Communication
Primer - Tools and Techniques
28. U.S. Department of Homeland Security, Understanding Risk Communication
Theory: A Guide for Emergency Managers and Communicators. Report to Human
Factors/Behavioral Sciences Division, Science and Technology Directorate,
May 2012

8 Risks in the Banking Industry Faced by Every Bank


The financial industry in the US is the most liquid and the largest market in the world.
In 2014, finance and insurance represented 7.2 percent of U.S. GDP. The banking
industry in the US supports the world's largest economy with the greatest diversity in
banking institutions and concentration of private credit. The banking industry has
awakened to risk management, especially since the global crisis during 2007-08. But
what are the day to day risks and the long term risks faced by banks? Why do
dedicated risk management practices at companies like FIS Global even exist? Which
risks are their risk management products and services meant for? Here's the list of 8
risks faced by banks:
Credit risk

According to the Bank for International Settlements (BIS), credit risk is defined as the
potential that a bank borrower or counterparty will fail to meet its obligations in
accordance with agreed terms. Credit risk is most likely caused by loans, acceptances,
interbank transactions, trade financing, foreign exchange transactions, financial
futures, swaps, bonds, equities, options, and in the extension of commitments and
guarantees, and the settlement of transactions. In simple words, if person A borrows
a loan from a bank and is not able to repay the loan because of inadequate income, loss
in business, death, unwillingness or any other reasons, the bank faces credit risk.
Similarly, if you do not pay your credit card bill, the bank faces a credit risk.
Hence, to minimize the credit risk on the bank's end, the rate of interest will be higher
for borrowers if they are associated with high credit risk. Factors like unsteady
income, low credit score, employment type, collateral assets and others determine the
credit risk associated with a borrower. As stated earlier, credit risk can be associated
with interbank transactions, foreign transactions and other types of transactions
happening outside the bank. If the transaction at one end is successful but
unsuccessful at the other end, loss occurs. If the transaction at one end is settled but
there are delays in settlement at the other end, there might be lost investment
opportunities.
Look at it like person A sending US dollars to his family in India at the rate of 60 INR
(Indian Rupee) per dollar. Person B, who is the recipient, however receives the
payment late and doesn't get the exchange rate of 60 INR. Instead he receives the
money at the exchange rate of 58 INR. This means they incurred a loss in the
transaction. Similar situations occur during big transactions in banks. If the bank is
not able to settle a transaction at an expected time or during an expected time
duration, they may incur a credit risk. However, this kind of risk is called Settlement
Risk and it is closely associated with credit risk. It depends on the timing of the
exchange of value, payment/settlement finality and the role of intermediaries and
clearing houses.
While some credit risk is a result of macro forces affecting the economy or specific
markets or even specific individuals, there is another important risk that can be
classified under credit risk: this is the risk of deliberate fraud that is usually borne by
the banks who issue credit products such as credit cards.
Market risk
McKinsey defines market risk as the risk of losses in the bank's trading book due to
changes in equity prices, interest rates, credit spreads, foreign-exchange rates,
commodity prices, and other indicators whose values are set in a public market. The Bank
for International Settlements (BIS) defines market risk as the risk of losses in on- or
off-balance sheet positions that arise from movement in market prices. Market risk is
prevalent mostly amongst banks who are into investment banking since they are
active in capital markets. Investment banks include Goldman Sachs, Bank of
America, JPMorgan, Morgan Stanley and many others.
Market risk can be better understood by dividing it into 4 types depending on the
potential cause of the risk:
- Interest rate risk: Potential losses due to fluctuations in interest rate
- Equity risk: Potential losses due to fluctuations in stock price
- Currency risk: Potential losses due to international currency exchange rates (closely
  associated with settlement risk)
- Commodity risk: Potential losses due to fluctuations in prices of agricultural,
  industrial and energy commodities like wheat, copper and natural gas respectively
Operational risk
According to the Bank for International Settlements (BIS), operational risk is defined
as the risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events. This definition includes legal risk, but excludes
strategic and reputation risk. Operational risk can widely occur in banks due to human
errors or mistakes. Examples of operational risk may be incorrect information filled in
during clearing a check or confidential information leaked due to system failure.
Operational risk can be categorized in the following way for a better understanding:
- Human risk: Potential losses due to a human error, done willingly or unconsciously
- IT/System risk: Potential losses due to system failures and programming errors
- Processes risk: Potential losses due to improper information processing, leaking or
  hacking of information and inaccuracy of data processing
Operational risk may not sound as bad but it is. Operational risk caused the decline of
one of Britain's oldest banks, Barings, in 1995. Since banks are becoming more and more
digital and shifting towards information technology to automate their processes,
operational risk is an important risk to be taken into consideration by the banks.
Security breaches in which data is compromised could be classified as an operational
risk, and recent instances in this area have underlined the need for constant
technology investments to mitigate the exposure to such attacks.
Liquidity risk
Investopedia defines liquidity risk as the risk stemming from the lack of marketability
of an investment that cannot be bought or sold quickly enough to prevent or minimize
a loss. However, if you find this definition complex, the term liquidity risk speaks for
itself. It is the risk that may disable a bank from carrying out day-to-day cash
transactions.
Look at this risk like person A going to a bank to withdraw money. Imagine the bank
saying that it doesn't have cash temporarily! That is the liquidity risk a bank has to
save itself from. And this is not just a theoretical example. A small bank in Northern
England and Ireland was taken over by the government because of its inability to
repay the investors during the 2007-08 global crisis.
Reputational risk
The Financial Times Lexicon defines reputation risk as the possible loss of the
organisation's reputational capital. The Federal Reserve Board in the US defines
reputational risk as the potential loss in reputational capital based on either real or
perceived losses in reputational capital. Just like any other institution or brand, a bank
faces reputational risk which may be triggered by the bank's activities, rumors about the
bank, willing or unconscious non-compliance with regulations, data manipulation, bad
customer service, bad customer experience inside bank branches and decisions taken
by banks during critical situations. Every step taken by a bank is judged by its
customers, investors, opinion leaders and other stakeholders who mould a bank's
brand image.
Business risk
In general, Investopedia defines business risk as the possibility that a company will
have lower than anticipated profits, or that it will experience a loss rather than a
profit. In the context of a bank, business risk is the risk associated with the failure of a
bank's long term strategy, estimated forecasts of revenue and a number of other things
related to profitability. To be avoided, business risk demands flexibility and
adaptability to market conditions. Long term strategies are good for banks but they
should be subject to change. The entire banking industry is unpredictable. Long term
strategies must have backup plans to avoid business risks. During the 2007-08 global
crisis, many banks collapsed while many made their way out of it. The ones that collapsed
didn't have a business risk management strategy.
Systemic risk and moral hazard are two types of risks faced by banks that do not
cause losses very often. But if they cause losses, they can cause the downfall of the
entire financial system in a country or globally.
Systemic risk
The global crisis of 2008 is the best example of a loss to all the financial institutions
that occurred due to systemic risk. Systemic risk is the risk that doesn't affect a single
bank or financial institution but it affects the whole industry. Systemic risks are
associated with cascading failures where the failure of a big entity can cause the
failure of all the others in the industry.
Moral hazard
Moral hazard is a risk that occurs when a big bank or large financial institution takes
risks, knowing that someone else will have to face the burden of those
risks. Economist Paul Krugman described moral hazard as any situation in which
one person makes the decision about how much risk to take, while someone else bears
the cost if things go badly. Economist Mark Zandi of Moody's Analytics described
moral hazard as a root cause of the subprime mortgage crisis of 2008-09.

Risk management in Indian banks

Risk management in Indian banks is a relatively newer practice, but has already been shown
to increase efficiency in the governing of these banks, as such procedures tend to increase
the corporate governance of a financial institution. In times of volatility and fluctuations in
the market, financial institutions need to prove their mettle by withstanding the market
variations and achieve sustainability in terms of growth as well as have a stable share
value. Hence, an essential component of a risk management framework would be to
mitigate all the risks and rewards of the products and services offered by the bank. Thus
the need for an efficient risk management framework is paramount in order to factor in
internal and external risks.[1]

The financial sector in various economies like that of India is undergoing a monumental
change factoring into account world events such as the ongoing Banking Crisis across
the globe. The 2007-present recession in the United States has highlighted the need for
banks to incorporate the concept of Risk Management into their regular procedures. The
various aspects of increasing global competition to Indian Banks by Foreign banks,
increasing Deregulation, introduction of innovative products, and financial instruments as
well as innovation in delivery channels have highlighted the need for Indian Banks to be
prepared in terms of risk management.[2]
Indian banks have been making great advancements in terms of technology, quality, as
well as stability, such that they have started to expand and diversify at a rapid rate.
However, such expansion brings these banks into the context of risk, especially at the
onset of increasing globalization and liberalization. In banks and other financial
institutions, risk plays a major part in the earnings of a bank. The higher the risk, the
higher the return; hence, it is essential to maintain parity between risk and return.
Management of financial risk, incorporating a set of systematic and professional
methods, especially those defined by Basel II, thus becomes an essential requirement of
banks. The more risk averse a bank is, the safer is its capital base.

Risk Ratio

Risk ratio would be defined as the ratio of the probability of an issue occurring to the
probability of the issue not occurring.[3]

Total Impact of Risk

The total impact of the risk (TIR) is the impact (I) the risk would
cause multiplied by the Risk Ratio. It is essentially how much a bank would be
impacted if the risk did occur. This helps ascertain the total value of
the bank's investments that may be subject to risk and how it would
impact them.[4]

Risk and Reward

The ratio is in simplest terms calculated by dividing the amount of profit the
trader expects to have made when the position is closed (i.e. the reward) by the
amount he or she stands to lose if the price moves in the unexpected direction
(i.e. the risk).

To calculate the total risk ensuing with the total expected return, a favored
method is the use of variance or standard deviation. The larger the variance, the
larger the standard deviation, the more uncertain the outcome. The standard
deviation, E is a measure of average difference between the expected value and
the actual value of a random variable (or unseen state of nature).
Here, n stands for a possible outcome, x stands for the expected outcome
and P is the probability (or likelihood) of the difference between n and X
occurring.[5]

Types of Risk

Types of Risks in Banking

The term "risk" and the types associated with it refer to financial
risk or the uncertainty of financial loss. The Reserve Bank of India guidelines
issued in Oct. 1999 have identified and categorized the majority of risks into
three major categories assumed to be encountered by banks. These belong
to the clusters:[6]

Credit risk
Market risk
Operational risk

The types of risk can be fundamentally subdivided into two primary types,
i.e. Financial and Non-Financial Risk. Financial risks involve all those
aspects which deal mainly with the financial aspects of the bank. These can be
further subdivided into Credit Risk and Market Risk. Both Credit and Market
Risk may be further subdivided.

Non-Financial risks entail all the risks faced by the bank in its regular
workings, i.e. Operational Risk, Strategic Risk, Funding Risk, Political Risk,
and Legal Risk.[2]

See also

Risk management tools
Probabilistic risk assessment

References

1. Srinivas Nallamothu & Fayaz Ahmed. "Risk Management Framework for Indian Banks".
2. Dr. Krishn A. Goyal, Prof. Sunita Agrawal (December 2010). "RISK MANAGEMENT IN
INDIAN BANKS: SOME EMERGING ISSUES" (PDF). IJER.
3. Sistrom CL, Garvan CW (January 2004). "Proportions, odds, and risk".
Radiology 230 (1): 12–9. doi:10.1148/radiol.2301031028. PMID 14695382.
4. ART, RiskAoA, RiskPath, SCHRAM
5. Fundamental Analysis Workbook. National Stock Exchange of India Limited.
6. "Trend and Progress of Banking in India". Reserve Bank of
India. 1996–97, 1998–99, 2001–02 and 2002–03.

Principles for the Management of Credit Risk

Introduction

1. While financial institutions have faced difficulties over the years for a multitude of reasons, the
major cause of serious banking problems continues to be directly related to lax credit standards for
borrowers and counterparties, poor portfolio risk management, or a lack of attention to changes in
economic or other circumstances that can lead to a deterioration in the credit standing of a bank's
counterparties. This experience is common in both G-10 and non-G-10 countries.

2. Credit risk is most simply defined as the potential that a bank borrower or counterparty will fail
to meet its obligations in accordance with agreed terms. The goal of credit risk management is to
maximise a bank's risk-adjusted rate of return by maintaining credit risk exposure within
acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well
as the risk in individual credits or transactions. Banks should also consider the relationships
between credit risk and other risks. The effective management of credit risk is a critical component
of a comprehensive approach to risk management and essential to the long-term success of any
banking organisation.

3. For most banks, loans are the largest and most obvious source of credit risk; however, other
sources of credit risk exist throughout the activities of a bank, including in the banking book and in
the trading book, and both on and off the balance sheet. Banks are increasingly facing credit risk
(or counterparty risk) in various financial instruments other than loans, including acceptances,
interbank transactions, trade financing, foreign exchange transactions, financial futures, swaps,
bonds, equities, options, and in the extension of commitments and guarantees, and the settlement
of transactions.

4. Since exposure to credit risk continues to be the leading source of problems in banks
world-wide, banks and their supervisors should be able to draw useful lessons from past experiences.
Banks should now have a keen awareness of the need to identify, measure, monitor and control
credit risk as well as to determine that they hold adequate capital against these risks and that they
are adequately compensated for risks incurred. The Basel Committee is issuing this document in
order to encourage banking supervisors globally to promote sound practices for managing credit
risk. Although the principles contained in this paper are most clearly applicable to the business of
lending, they should be applied to all activities where credit risk is present.

5. The sound practices set out in this document specifically address the following areas: (i)
establishing an appropriate credit risk environment; (ii) operating under a sound credit-granting
process; (iii) maintaining an appropriate credit administration, measurement and monitoring
process; and (iv) ensuring adequate controls over credit risk. Although specific credit risk
management practices may differ among banks depending upon the nature and complexity of
their credit activities, a comprehensive credit risk management program will address these four
areas. These practices should also be applied in conjunction with sound practices related to the
assessment of asset quality, the adequacy of provisions and reserves, and the disclosure of credit
risk, all of which have been addressed in other recent Basel Committee documents.

6. While the exact approach chosen by individual supervisors will depend on a host of factors,
including their on-site and off-site supervisory techniques and the degree to which external
auditors are also used in the supervisory function, all members of the Basel Committee agree that
the principles set out in this paper should be used in evaluating a bank's credit risk management
system. Supervisory expectations for the credit risk management approach used by individual
banks should be commensurate with the scope and sophistication of the bank's activities. For
smaller or less sophisticated banks, supervisors need to determine that the credit risk management
approach used is sufficient for their activities and that they have instilled sufficient risk-return
discipline in their credit risk management processes.

7. The Committee stipulates in Sections II through VI of the paper, principles for banking
supervisory authorities to apply in assessing bank's credit risk management systems. In addition,
the appendix provides an overview of credit problems commonly seen by supervisors.

8. A further particular instance of credit risk relates to the process of settling financial transactions.
If one side of a transaction is settled but the other fails, a loss may be incurred that is equal to the
principal amount of the transaction. Even if one party is simply late in settling, then the other party
may incur a loss relating to missed investment opportunities. Settlement risk (i.e. the risk that the
completion or settlement of a financial transaction will fail to take place as expected) thus includes
elements of liquidity, market, operational and reputational risk as well as credit risk. The level of
risk is determined by the particular arrangements for settlement. Factors in such arrangements that
have a bearing on credit risk include: the timing of the exchange of value; payment/settlement
finality; and the role of intermediaries and clearing houses.

What is Risk Management in Indian Banking Sector and the role of RBI
The banking sector plays a pivotal role in the management of the economy of a country.
As aspirants for RBI Grade B Officer, you need to know what the risks
of the banking sector are, what risk management is, and what the role of RBI is in risk
management.

What is Risk?
Risk refers to a condition where there is a possibility of undesirable occurrence
of a particular result which is known or best quantifiable and therefore
insurable. A risk can be defined as an unplanned event with financial consequences
resulting in loss or reduced earnings. An activity which may give profits or result in
loss may be called a risky proposition due to uncertainty or unpredictability of the
activity of trade in future.
In other words, it can be defined as the uncertainty of the outcome. As risk is directly
proportionate to return, the more risk a bank takes, the more money it can expect to make.

Type of Risks
The major risks in banking business as commonly referred can be broadly classified
into:

Liquidity Risk
Interest Rate Risk
Market Risk
Credit or Default Risk
Operational Risk
1. Liquidity Risk
The liquidity risk of banks arises from funding of long-term assets by short-term
liabilities, thereby making the liabilities subject to rollover or refinancing risk.

The liquidity risk in banks manifests in different dimensions:

(a) Funding Risk: Funding Liquidity Risk is defined as the inability to obtain funds
to meet cash flow obligations. For banks, funding liquidity risk is crucial. This arises
from the need to replace net outflows due to unanticipated withdrawal/ non-renewal
of deposits (wholesale and retail).
(b) Time Risk: Time risk arises from the need to compensate for non-receipt of
expected inflows of funds i.e., performing assets turning into non-performing assets.
(c) Call Risk: Call risk arises due to crystallisation of contingent liabilities. It may
also arise when a bank is not able to undertake profitable business opportunities
when they arise.
2. Interest Rate Risk
Interest Rate Risk arises when the Net Interest Margin or the Market Value of
Equity (MVE) of an institution is affected due to changes in the interest rates.
IRR can be viewed in two ways: its impact on the earnings of the bank or its
impact on the economic value of the bank's assets, liabilities and Off-Balance Sheet
(OBS) positions. Interest rate risk can take different forms.

3. Market Risk
The risk of adverse deviations of the mark-to-market value of the trading portfolio,
due to market movements, during the period required to liquidate the transactions is
termed as Market Risk. This risk results from adverse movements in the level or
volatility of the market prices of interest rate instruments, equities, commodities, and
currencies. It is also referred to as Price Risk.

The term Market risk applies to (i) that part of IRR which affects the price of interest
rate instruments, (ii) Pricing risk for all other assets/ portfolio that are held in the
trading book of the bank and (iii) Foreign Currency Risk.

(a) Forex Risk: Forex risk is the risk that a bank may suffer losses as a result of
adverse exchange rate movements during a period in which it has an open position
either spot or forward, or a combination of the two, in an individual foreign currency.
(b) Market Liquidity Risk: Market liquidity risk arises when a bank is unable to
conclude a large transaction in a particular instrument near the current market price.
4. Default or Credit Risk
Credit risk is more simply defined as the potential of a bank borrower or counterparty
to fail to meet its obligations in accordance with the agreed terms. For most
banks, loans are the largest and most obvious source of credit risk. It is the most
significant risk, more so in the Indian scenario where the NPA level of the banking
system is significantly high.
Now, let's discuss the two variants of credit risk:
(a) Counterparty Risk: This is a variant of Credit risk and is related to
non-performance of the trading partners due to the counterparty's refusal and/or inability to
perform. The counterparty risk is generally viewed as a transient financial risk
associated with trading rather than standard credit risk.
(b) Country Risk: This is also a type of credit risk where non-performance of a
borrower or counterparty arises due to constraints or restrictions imposed by a
country. Here, the reason for non-performance is external factors over which the
borrower or the counterparty has no control.
Credit Risk depends on both external and internal factors.
The internal factors include deficiency in credit policy and administration of loan
portfolio, deficiency in appraising the borrower's financial position prior to lending,
excessive dependence on collaterals and the bank's failure in post-sanction follow-up,
etc.

The major external factors are the state of Economy, Swings in commodity price,
foreign exchange rates and interest rates, etc.

Credit Risk can't be avoided but can be mitigated by applying various risk-mitigating
processes:

- Banks should assess the credit-worthiness of the borrower before sanctioning a
  loan, i.e., credit rating of the borrower should be done beforehand. Credit
  rating is the main tool of measuring credit risk and it also facilitates pricing the
  loan.
- By applying a regular evaluation and rating system of all investment
  opportunities, banks can reduce their credit risk, as they can get vital information on
  the inherent weaknesses of the account.
- Banks should fix prudential limits on various aspects of credit: benchmarking
  Current Ratio, Debt-Equity Ratio, Debt Service Coverage Ratio, Profitability
  Ratio, etc.
- There should be a maximum exposure limit for single/group borrowers.
- There should be provision for flexibility to allow variations for very special
  circumstances.
- Alertness on the part of operating staff at all stages of credit dispensation
  (appraisal, disbursement, review/renewal, post-sanction follow-up) can also be
  useful for avoiding credit risk.
5. Operational Risk
Basel Committee for Banking Supervision has defined operational risk as the risk of
loss resulting from inadequate or failed internal processes, people and systems or
from external events. Managing operational risk has become important for banks due
to the following reasons:

- Higher level of automation in rendering banking and financial services
- Increase in global financial inter-linkages

The scope of operational risk is very wide because of the above-mentioned
reasons.
Two of the most common operational risks are discussed below:

(a) Transaction Risk: Transaction risk is the risk arising from fraud, both internal
and external, failed business processes and the inability to maintain business
continuity and manage information.
(b) Compliance Risk: Compliance risk is the risk of legal or regulatory sanction,
financial loss or reputation loss that a bank may suffer as a result of its failure to
comply with any or all of the applicable laws, regulations, codes of conduct and
standards of good practice. It is also called integrity risk since a bank's reputation is
closely linked to its adherence to principles of integrity and fair dealing.
6. Other Risks
Apart from the above-mentioned risks, following are the other risks confronted by
Banks in course of their business operations

(a) Strategic Risk: Strategic Risk is the risk arising from adverse business decisions,
improper implementation of decisions or lack of responsiveness to industry changes.
(b) Reputation Risk: Reputation Risk is the risk arising from negative public
opinion. This risk may expose the institution to litigation, financial loss or decline in
customer base.
Risk Management
Risk Management is actually a combination of management of uncertainty, risk,
equivocality and error. Uncertainty, where the outcomes cannot be estimated even
randomly, arises due to lack of information, and this uncertainty gets transformed into
risk (where the estimation of outcome is possible) as information gathering
progresses.
Initially, Indian banks used risk control systems that kept pace with the legal
environment and Indian accounting standards. But with the growing pace of
deregulation and associated changes in the customer's behaviour, banks are exposed
to mark-to-market accounting.

Therefore, the challenge of Indian banks is to establish a coherent framework for
measuring and managing risk consistent with corporate goals and responsive to
the developments in the market. As the market is dynamic, banks should maintain
vigil on the convergence of regulatory frameworks in the country, changes in the
international accounting standards and, finally and most importantly, changes in the
clients' business practices.
Therefore, the need of the hour is to follow certain risk management norms suggested
by the RBI and BIS.

Role of RBI in Risk Management in Banks

Here, we will discuss the role of RBI in Risk Management and how the tool called
CAMELS was used by RBI to evaluate the financial soundness of the banks.
CAMELS is the collective tool of six components, namely:

Capital Adequacy
Asset Quality
Management
Earnings Quality
Liquidity
Sensitivity to Market risk

CAMEL was recommended for the financial soundness of banks in 1988, while the
sixth component, called sensitivity to market risk (S), was added to CAMEL in 1997.
In India, the focus of the statutory regulation of commercial banks by RBI until the
early 1990s was mainly on licensing, administration of minimum capital
requirements, pricing of services including administration of interest rates on deposits
as well as credit, reserves and liquid asset requirements.

RBI in 1999 recognised the need for appropriate risk management and issued
guidelines to banks regarding asset-liability management and management of credit,
market and operational risks. The entire supervisory mechanism has been realigned
since 1994 under the directions of a newly constituted Board for Financial
Supervision (BFS), which functions under the aegis of the RBI, to suit the
demanding needs of a strong and stable financial system.
A process of rating of banks on the basis of CAMELS in respect of Indian banks and
CACS (Capital, Asset Quality, Compliance and Systems & Control) in respect of
foreign banks has been put in place from 1999.

Credit risk

A credit risk is the risk of default on a debt that may arise from a borrower failing to
make required payments.[1] In the first resort, the risk is that of the lender and includes
lost principal and interest, disruption to cash flows, and increased collection costs. The
loss may be complete or partial and can arise in a number of circumstances,[2] for
example:

- A consumer may fail to make a payment due on a mortgage loan, credit card, line of
  credit, or other loan.
- A company is unable to repay asset-secured fixed or floating charge debt.
- A business or consumer does not pay a trade invoice when due.
- A business does not pay an employee's earned wages when due.
- A business or government bond issuer does not make a payment on a coupon or
  principal payment when due.
- An insolvent insurance company does not pay a policy obligation.
- An insolvent bank won't return funds to a depositor.
- A government grants bankruptcy protection to an insolvent consumer or business.

To reduce the lender's credit risk, the lender may perform a credit check on the
prospective borrower, may require the borrower to take out appropriate insurance, such
as mortgage insurance, or seek security over some assets of the borrower or
a guarantee from a third party. The lender can also take out insurance against the risk or
on-sell the debt to another company. In general, the higher the risk, the higher will be
the interest rate that the debtor will be asked to pay on the debt. Credit risk mainly arises
when borrowers fail to pay what is due, willingly or unwillingly.

Types of credit risk

A credit risk can be of the following types:[3]

- Credit default risk: The risk of loss arising from a debtor being unlikely to pay its
  loan obligations in full or the debtor is more than 90 days past due on any material
  credit obligation; default risk may impact all credit-sensitive transactions, including
  loans, securities and derivatives.
- Concentration risk: The risk associated with any single exposure or group of
  exposures with the potential to produce large enough losses to threaten a bank's
  core operations. It may arise in the form of single name concentration or industry
  concentration.
- Country risk: The risk of loss arising from a sovereign state freezing foreign
  currency payments (transfer/conversion risk) or when it defaults on its obligations
  (sovereign risk); this type of risk is prominently associated with the country's
  macroeconomic performance and its political stability.

Must-know: The 8 types of bank risks


Banks and risk
Banks have to take risks all the time. Any bank has to take on risk to make
money. This includes full-service banks like JPMorgan (JPM), traditional
banks like Wells Fargo (WFC), investment banks like Goldman Sachs (GS)
and Morgan Stanley (MS), or any other financials included in an ETF like the
Financial Select Sector SPDR Fund (XLF).
How risk arises
The risk arises from the occurrence of some expected or unexpected events
in the economy or the financial markets. Risk can also arise from staff
oversight or mala fide intention, which causes erosion in asset values and,
consequently, reduces the bank's intrinsic value.

The money lent to a customer may not be repaid due to the failure of a
business. Also, money may not be repaid because the market value of bonds
or equities may decline due to an adverse change in interest rates. Another
reason for no repayment is that a derivative contract to purchase foreign
currency may be defaulted by a counter party on the due date. These types of
risks are inherent in the banking business.

Eight types of bank risks
There are many types of risks that banks face. We'll look at eight of the most
important risks.

1. Credit risk
2. Market risk
3. Operational risk
4. Liquidity risk
5. Business risk
6. Reputational risk
7. Systemic risk
8. Moral hazard
Out of these eight risks, credit risk, market risk, and operational risk are the
three major risks. The other important risks are liquidity risk, business risk,
and reputational risk. Systemic risk and moral hazard are unrelated to routine
banking operations, but they do have a big bearing on a bank's profitability
and solvency.

All banks set up dedicated risk management departments to monitor,
manage, and measure these risks. The risk management department helps
the bank's management by continuously measuring the risk of its current
portfolio of assets, or loans, liabilities, or deposits, and other exposures. The
department also communicates the bank's risk profile to other bank functions
and takes steps, either directly or in collaboration with other bank functions, to
reduce the possibility of loss or to mitigate the size of the potential loss.

Must-know: Understanding credit risk in the banking business
By Saul Perez Sep 1, 2014 11:37 am EST

Credit risk
The Basel Committee on Banking Supervision (or BCBS) defines credit risk
as the potential that a bank borrower, or counter party, will fail to meet its
payment obligations regarding the terms agreed with the bank. It includes
both uncertainty involved in repayment of the bank's dues and repayment of
dues on time.

All banks face this type of risk. This includes full-service banks like JPMorgan
(JPM), traditional banks like Wells Fargo (WFC), investment banks like
Goldman Sachs (GS) and Morgan Stanley (MS), or any other financials
included in an ETF like the Financial Select Sector SPDR Fund (XLF).
Dimensions of credit risk
The default usually occurs because of inadequate income or business failure.
But often it may be willful because the borrower is unwilling to meet its
obligations despite having adequate income.

Credit risk signifies a decline in the credit assets' values before default that
arises from the deterioration in a portfolio or an individual's credit quality.
Credit risk also denotes the volatility of losses on credit exposures in two
forms: the loss in the credit asset's value and the loss in the current and
future earnings from the credit.

Banks create provisions at the time of disbursing a loan (see Wells Fargo's
provision chart above). Net charge-off is the amount of
loan gone bad minus any recovery on the loan. An unpaid loan is a risk of
doing the business. The bank should position itself to accommodate the
expected outcome within profits and provisions, leaving equity capital as the
final cushion for the unforeseen catastrophe.

An example of credit risk during recent times
During the subprime crisis, many banks made significant losses in the value
of loans made to high-risk borrowers (subprime mortgage borrowers). Many
high-risk borrowers couldn't repay their loans. Also, the complex models used
to predict the likelihood of credit losses turned out to be incorrect.

Major banks all over the globe suffered similar losses due to incorrectly
assessing the likelihood of default on mortgage payments. This inability to
assess or respond correctly to credit risk resulted in companies and
individuals around the world losing many billions of U.S. dollars.

Must-know: Why market risk is important to banks
By Saul Perez Sep 1, 2014 11:37 am EST

Market risk
The Basel Committee on Banking Supervision defines market risk as the risk
of losses in on- or off-balance sheet positions that arise from movement in
market prices. Market risk is the most prominent for banks present in
investment banking. These investment banks include Goldman Sachs (GS),
Morgan Stanley (MS), JPMorgan (JPM), Bank of America (BAC), and other
investment banks in an ETF like the Financial Select Sector SPDR
Fund (XLF). This is because they are generally active in capital markets.

Major components of market risks
The major components of market risk include:

Interest rate risk
Equity risk
Foreign exchange risk
Commodity risk

Interest rate risk
It's the potential loss due to movements in interest rates. This risk arises
because a bank's assets usually have a significantly longer maturity than
its liabilities. In banking language, management of interest rate risk is also
called asset-liability management (or ALM).

Equity risk
It's the potential loss due to an adverse change in the stock price. Banks can
accept equity as collateral for loans and purchase ownership stakes in other
companies as investments from their free or investible cash. Any negative
change in stock price either leads to a loss or diminution in the investment's
value.

Foreign exchange risk
It's the potential loss due to change in value of the bank's assets or liabilities
resulting from exchange rate fluctuations. Banks transact in foreign exchange
for their customers or for the banks' own accounts. Any adverse movement
can diminish the value of the foreign currency and cause a loss to the bank.

Commodity risk
It's the potential loss due to an adverse change in commodity prices. These
commodities include agricultural commodities (like wheat, livestock, and
corn), industrial commodities (like iron, copper, and zinc), and energy
commodities (like crude oil, shale gas, and natural gas). The commodities'
values fluctuate a great deal due to changes in demand and supply. Any bank
holding them as part of an investment is exposed to commodity risk.

Market risk is measured by various techniques such as value at risk and
sensitivity analysis. Value at risk is the maximum loss not exceeded with a
given probability over a given period of time. Sensitivity analysis is how
different values of an independent variable will impact a particular dependent
variable.

The chart above shows how Goldman Sachs measures its various market
risk. In the next part of the series, we'll look at what is probably the most
important day-to-day risk for a bank: operational risk.

Operational risk – the risk in all banking transactions
By Saul Perez Sep 1, 2014 11:37 am EST

Operational risk
The Basel Committee on Banking Supervision defines operational risk as the
risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events. This definition includes legal risk, but
excludes strategic and reputation risk.

Full-service banks like JPMorgan (JPM), traditional banks like Wells Fargo
(WFC), investment banks like Goldman Sachs (GS) and Morgan Stanley (MS),
or any other banks included in an ETF like the Financial Select Sector SPDR
Fund (XLF) face operational risk.
Operational risk occurs in all day-to-day bank activities. Operational risk
examples include a check incorrectly cleared or a wrong order punched into a
trading terminal. This risk arises in almost all bank departments: credit,
investment, treasury, and information technology.

Causes of operational risks
There are many causes of operational risks. It's difficult to prepare an
exhaustive list of causes because operational risks may occur from unknown
and unexpected sources. Broadly, most operational risks arise from one of
three sources.

1. People risk: Incompetency or wrong posting of personnel and misuse of powers
2. Information technology risk: The failure of the information technology system, the hacking of
the computer network by outsiders, and the programming errors that can take place any time
and can cause loss to the bank
3. Process-related risks: Possibilities of errors in information processing, data transmission, data
retrieval, and inaccuracy of result or output

Operational risk can lead to a bank's collapse
The fall of one of Britain's oldest banks, Barings, in 1995, is an example of
operational risk leading to a bank's collapse. It was mainly due to failure of its
internal control processes. One of Barings' traders in Singapore, Nick Leeson,
was able to hide his trading losses for more than two years.

Nick was able to authorize his own trades and enter them into the bank's
system without any supervision due to weak and inefficient internal auditing
and control measures. His supervisors were alerted after the losses became
too huge. By that time, it wasn't possible to keep the trades and the losses a
secret.
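
The control gap described above, one person both entering and authorizing trades with no independent review, is what a maker-checker (segregation-of-duties) check is meant to surface. The following is an added example, not part of the original article: the log layout, column names, user IDs and amounts are all constructed for illustration.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a trade audit log (not real data).
# Assumed columns: trade_id, entered_by, authorized_by, account, notional
SAMPLE_LOG = """trade_id,entered_by,authorized_by,account,notional
T1001,trader_a,supervisor_x,10001,250000
T1002,trader_b,trader_b,10002,900000
T1003,trader_b,,10002,1200000
T1004,trader_c,supervisor_y,10003,50000
T1005,Trader_B ,trader_b,10002,3000000
T1006,trader_a,supervisor_x,10001,75000
"""


@dataclass(frozen=True)
class Finding:
    trade_id: str
    user: str       # normalized ID of the person who entered the trade
    reason: str     # which control failed
    notional: float


def _norm(user):
    """Normalize a user ID so case or stray whitespace cannot hide a match."""
    return (user or "").strip().lower()


def find_violations(log_text, authorizers=None):
    """Return trades that lack an independent second-person authorization.

    authorizers: optional set of user IDs permitted to authorize trades.
    When given, an approval by anyone outside the set is also flagged.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        maker = _norm(row["entered_by"])
        checker = _norm(row["authorized_by"])
        if not checker:
            reason = "missing_authorization"
        elif checker == maker:
            reason = "self_authorized"
        elif authorizers is not None and checker not in authorizers:
            reason = "unapproved_authorizer"
        else:
            continue  # entered by one person, authorized by another
        findings.append(
            Finding(row["trade_id"], maker, reason, float(row["notional"]))
        )
    return findings


def exposure_by_user(findings):
    """Sum the notional of flagged trades per entering user."""
    totals = Counter()
    for f in findings:
        totals[f.user] += f.notional
    return dict(totals)


if __name__ == "__main__":
    flagged = find_violations(SAMPLE_LOG)
    for f in flagged:
        print(f"{f.trade_id}: {f.reason} by {f.user} ({f.notional:,.0f})")
    print(exposure_by_user(flagged))
```

Aggregating flagged notional per user matters because a single self-authorized trade may be a data-entry slip, while a growing total for one user is the pattern internal audit should escalate.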

Must-know: Liquidity risk – when banks have too little cash
Liquidity risk
Liquidity by definition means a bank has the ability to meet payment
obligations primarily from its depositors and has enough money to give loans.
So liquidity risk is the risk of a bank not being able to have enough cash to
carry out its day-to-day operations.

Provision for adequate liquidity in a bank is crucial because a liquidity shortfall
in meeting commitments to other banks and financial institutions can have
serious repercussions on the bank's reputation and the bank's bond prices in
the money market.

Liquidity risk can ruin banks


A very recent example of a bank being taken into state ownership due to its
inability to manage liquidity risk was Northern Rock. Northern Rock was a
small bank in Northern England and Ireland. Northern Rock didn't have a
large depositor base.

It was only able to fund a small part of its new loans from deposits. So it
financed new loans by selling the loans that it originated to other banks and
investors. This process of selling loans is known as securitization.

Northern Rock would then take short-term loans to fund its new loans. So the
bank was dependent on two factors: demand for loans, which it sold to other
banks, and availability of credit in financial markets to fund those loans. When
markets were under pressure in 2007-2008, the bank wasn't able to sell the
loans it had originated. At the same time, it also wasn't able to secure
short-term credit.

Due to the financial crisis, a lot of investors took out their deposits, causing
the bank to have a severe liquidity crisis. Northern Rock got a credit line from
the government. But the problems persisted, and the government took over
the bank.

This shows us how important the role of liquidity management is in a bank. In
the next part of our series, we'll look into a bank's reputational risk.

Must-know: Reputational risk - when banks lose the public's trust
By Saul Perez Sep 1, 2014 11:37 am EST

Reputational risk
Reputational risk is the risk of damage to a bank's image and public standing
that occurs due to some dubious actions taken by the bank. Sometimes
reputational risk can be due to perception or negative publicity against the
bank and without any solid evidence of wrongdoing. Reputational risk leads to
the public's loss of confidence in a bank.

An example of reputational risk


In the 1990s, Salomon Brothers was the fifth largest investment bank in
the U.S. All banks are allowed to buy government securities up to a specified
limit at auctions. Salomon falsified records to buy government securities in
quantities much larger than it was allowed.

By buying such large quantities, the bank was able to control the price that
investors paid for these securities. In 1991, the government caught the bank
in its act. Salomon Brothers suffered considerable loss of reputation. The U.S.
government fined Salomon Brothers to the tune of $290 million, the largest fine
ever levied on an investment bank at the time.

Must-know: Business risks - it's all about a bank's strategy
By Saul Perez Sep 1, 2014 11:37 am EST

Business risk
Business risk is the risk arising from a bank's long-term business strategy. It
deals with a bank not being able to keep up with changing competition
dynamics, losing market share over time, and being closed or acquired.
Business risk can also arise from a bank choosing the wrong strategy, which
might lead to its failure.

Must-know: Systemic risk - the economy affecting banks
Overview
Until now, we've looked at risks arising from banking activities, decisions, and
strategies. But the last two types of risks that we'll discuss are quite unrelated.
Out of these two, we'll first look at systemic risk.

Systemic risk
Systemic risk is the name of the most nightmarish scenario you can think of.
This type of scenario happened in 2008 across the world. Broadly, it refers to
the risk that the entire financial system might come to a standstill. It can also
be stated as the possibility that default or failure by one financial institution
can cause domino effects among its counterparties and others, threatening
the stability of the financial system as a whole.

The Chicago Board Options Exchange Volatility Index


The table above shows the Chicago Board Options Exchange (or CBOE)
Volatility Index (or VIX) for the last ten years. It's a good proxy for systemic risk.
High values of VIX show periods of high systemic risk. Systemic risk by itself
doesn't lead to losses. But in an environment where systemic risk is high,
many other risk factors, especially market risk, rise to a very high level that
leads to losses.

An analogy to systemic risk would be like an epidemic or an anthrax attack
that would require large-scale safeguards for public health. Larger banks will
be the cause of high systemic risk because of their size and related
counterparty dealings. Smaller banks will be more affected by systemic risk because
they generally have weaker capital bases and less access to money markets.
Systemic risk impacts traditional banks like Wells Fargo (WFC), investment
banks like Goldman Sachs (GS) and Morgan Stanley (MS), full-service banks
like JPMorgan (JPM), and any other banks included in an ETF like the
Financial Select Sector SPDR Fund (XLF).

In the next part of this series, we'll look at a different type of risk that is
also the most recently talked about: moral hazard.

Must-know: Why Too-big-to-fail is like moral hazard in banks
Moral hazard
Moral hazard is the most interesting risk that we'll cover. You must have read
or heard the phrase too-big-to-fail in the media. Too-big-to-fail is nothing but
moral hazard in a sense.

Moral hazard refers to a situation where a person, a group (or persons), or an
organization is likely to have a tendency or a willingness to take a high-level
risk, even if it's economically unsound. The reasoning is that the person,
group, or organization knows that the costs of such risk-taking, if it
materializes, won't be borne by the person, group, or organization taking the
risk.

Overview: Other risks, such as legal and country, that banks face
By Saul Perez Sep 1, 2014 11:38 am EST

Recap
In this series, we've learned about eight different types of risks that are
inherent in a banking system. A bank can exercise a large degree of control
over some types of risks like operational risk by having strong systems and
processes. A bank can also control risk by ensuring stringent audits and
compliance.

There are other types of risks that a bank has little control over, such as
systemic risk. The only things a bank can do to avoid such risks are to have a
strong capital base, to have the best-in-class processes, and to hope for the
best.

Other risks
There are some other minor types of risks that a bank carries. These aren't
as important as the previous risks discussed, but we'll mention them in this
article.

Legal risk
A bank can be exposed to legal risk. Legal risk can be in the form of financial
loss arising from legal suits filed against the bank or by a bank for applying a
law wrongly.

Country risk
A bank that operates in many countries also faces country risk when there's a
localized economic problem in a certain country. In such a scenario, the
bank's holding company may need to bear losses in case it exceeds the
capital of a subsidiary in another country. The holding company in certain
cases may also need to provide capital.

All large banks that operate in many countries bear country risks. These
banks include JPMorgan (JPM), Citigroup (C), Goldman Sachs (GS), Morgan
Stanley (MS), and banks in an ETF like the Financial Select Sector SPDR
Fund (XLF).

Look at the above chart to see the results of uncontrolled risks for Lehman
Brothers. So we can say that a successful bank is one that's able to manage
various risks successfully and continuously evolve with the changing needs in
the banking landscape.

Must-know: 2 broad categories of controlling bank risks
By Saul Perez Sep 1, 2014 11:38 am EST

Controlling risks
So far in this series, we've learned all about banking risks. Now let's turn our
attention to ways of controlling risks. There are many ways risks can be
controlled. There are two broad categories for controlling risks:

At the bank level
At the government level: having binding regulations

Control at the bank level
At the bank level, the risks are controlled by having rules, systems, and
processes that enable prudent banking and that are difficult to circumvent.
These rules, systems, and processes can be at the branch level, the regional
or zone level, and the top management level. All banks use such systems and
processes, including JPMorgan (JPM), Wells Fargo (WFC), Citigroup (C),
Capital One (COF), and banks in an ETF like the Financial Select Sector
SPDR Fund (XLF).
The aim of such rules is to control risk. Banking processes, wherever
possible, are standardized to avoid ambiguous interpretation by staff. As an
example, a check clearance requires clearance from the branch's bank
manager.

But no matter how robust the rules, systems, and processes might be, they
leave a bank open to risk. Banking risks can quickly become a contagion and
lead to a collapse in financial markets. Such situations impact the whole
economy of a country, and in many large cases the reverberations are felt
across the globe.

Control at the government level


To reduce the chances of such occurrences and to control losses and impacts
on economies, governments, through their central banks and other bodies,
regulate the banking sector. In the U.S., the main body responsible for this is
the Federal Reserve (see the above chart for the structure of the Fed). Such
regulations aim to strengthen the banks' abilities to survive shocks and reduce
the risk of large-scale flare-ups in the banking, capital, and financial markets.

As an investor, you must know about these regulations in detail. It'll help you
understand the sector better and help you analyze and select the correct
stocks to invest in.

Quantitative Risk Management Tools
Trading Market Risk Requirements
In December 2011 we received model approvals, from the
BaFin, for the stressed value-at-risk, incremental risk
charge and comprehensive risk measure models. These are
additional methods we use to measure market
risk exposures.
Stressed value-at-risk: calculates a stressed value-at-risk
measure based on a continuous 1 year period of significant
market stress.
Incremental Risk Charge: captures default and credit
migration risks in addition to the risks already captured in
value-at-risk for credit-sensitive positions in the trading book.
Comprehensive Risk Measure: captures incremental risk for
the correlation trading portfolio calculated using an internal
model subject to qualitative minimum requirements as well
as stress testing requirements.
Market Risk Standardized Approach: calculates regulatory
capital for securitizations and nth-to-default credit derivatives.
Stressed value-at-risk, incremental risk charge and the
comprehensive risk measure are calculated for all relevant
portfolios. The results from the models are used in the day-
to-day risk management of the bank, as well as for defining
regulatory capital.

Stressed Value-at-Risk
We calculate a stressed value-at-risk measure using a
99 % confidence level and a holding period of one day. For
regulatory purposes, the holding period is ten days.
Our stressed value-at-risk calculation utilizes the same
systems, trade information and processes as those used for
the calculation of value-at-risk. The only difference is that
historical market data from a period of significant financial
stress (i.e., characterized by high volatilities) is used as an
input for the Monte Carlo Simulation. The time window
selection process for the stressed value-at-risk calculation is
based on the identification of a time window characterized by
high levels of volatility and extreme movements in the top
value-at-risk contributors. The results from these two
indicators (volatility and number of outliers) are combined
using chosen weights intended to ensure qualitative aspects
are also taken into account (i.e., inclusion of key crisis
periods).
Incremental Risk Charge
The incremental risk charge is based on our own internal
model and is intended to complement the value-at-risk
modeling framework. It represents an estimate of the default
and migration risks of unsecuritized credit products over a
one-year capital horizon at a 99.9 % confidence level, taking
into account the liquidity horizons of individual positions or
sets of positions. We use a Monte Carlo Simulation for
calculating incremental risk charge as the 99.9 % quantile of
the portfolio loss distribution and for allocating contributory
incremental risk charge to individual positions. The model
captures the default and migration risk in an accurate and
consistent quantitative approach for all portfolios.
We calculate the incremental risk charge on a weekly basis.
The charge is determined as the higher of the most recent
12 week average of incremental risk charge and the most
recent incremental risk charge. The market and position data
are collected from front office systems and are subject to
strict quality control. The incremental risk charge figures are
closely monitored and play a significant role in the
management of the covered portfolios. Additionally, the
incremental risk charge provides information on the
effectiveness of the hedging positions which is reviewed by
the risk managers.

The contributory incremental risk charge of individual
positions, which is calculated by expected shortfall
allocation, provides the basis for identifying risk
concentrations in the portfolio and designing strategies to
reduce the overall portfolio risk.

We use our credit portfolio model, a core piece of
our economic capital methodology, to calculate the
incremental risk charge. Important parameters for the
incremental risk charge calculation are exposures, recovery
rates and default probabilities, ratings migrations, maturity,
and liquidity horizons of individual positions.
Liquidity horizons are conservatively set to the time required
to sell a position or to hedge all material relevant price risks
in a stressed market. Liquidity horizons are specified at
product level and reflect our actual practice and experience
during periods of systematic and idiosyncratic stresses. We
have defined the sets of positions used for applying liquidity
horizons in a way that meaningfully reflects the differences in
liquidity for each set. Market risk managers who specialize in
each product type determine liquidity horizons, with a
liquidity horizon floor of 3-months. Liquidity horizons are
regularly reviewed so that the act of selling or hedging, in
itself, would not materially affect the price. Default and rating
migration probabilities are defined by rating migration
matrices which are calibrated on historical external rating
data. Taking into account the trade-off between granularity of
matrices and their stability we apply a global corporate
matrix and a sovereign matrix comprising the seven main
rating bands. Accordingly, issue or issuer ratings from the
rating agencies Moody's, S&P and Fitch are assigned to
each position.
To quantify a loss due to rating migration, a revaluation of a
position is performed under the new rating. The probability of
joint rating downgrades and defaults is determined by the
migration and rating correlations of the incremental risk
charge model. These correlations are specified through
systematic factors that represent geographical regions and
industries and are calibrated on historical rating migration
and equity time series. The simulation process incorporates
a rollover strategy that is based on the assumption of a
constant level of risk. This assumption implies that positions
that have experienced default or rating migration over their
liquidity horizon are re-balanced at the end of their liquidity
horizon to attain the initial level of risk. Correlations between
positions with different liquidity horizons are implicitly
specified by the dependence structure of the underlying
systematic and idiosyncratic risk factors, helping to ensure
that portfolio concentrations are identified across liquidity
horizons. In particular, differences between liquidity horizons
and maturities of hedges and hedged positions are
recognized.
Apart from regular recalibrations there have been no
significant model changes in 2013.
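
The quantile, expected shortfall allocation and weekly charge rule described above can be traced in a small simulation. This is an added example, not the bank's model: the three-position portfolio, the single systematic factor with loading RHO and the default-only loss (no rating migration, no liquidity horizons or rollover) are assumptions made to keep it short.

```python
import math
import random
from statistics import NormalDist, mean

# Constructed sample portfolio (not from the page): exposure, one-year
# default probability and recovery rate per position.
POSITIONS = [
    {"name": "bond_A", "exposure": 10_000_000, "pd": 0.02, "recovery": 0.40},
    {"name": "bond_B", "exposure": 5_000_000, "pd": 0.05, "recovery": 0.30},
    {"name": "cds_C", "exposure": 8_000_000, "pd": 0.01, "recovery": 0.40},
]
RHO = 0.3  # assumed loading on one systematic factor (illustrative, not calibrated)


def simulate_losses(positions, n_scenarios=50_000, rho=RHO, seed=7):
    """Monte Carlo over a one-year horizon: one row of per-position losses per scenario."""
    rng = random.Random(seed)
    std = NormalDist()
    # A position defaults when its latent asset value falls below this threshold.
    thresholds = [std.inv_cdf(p["pd"]) for p in positions]
    loss_if_default = [p["exposure"] * (1 - p["recovery"]) for p in positions]
    scenarios = []
    for _ in range(n_scenarios):
        systematic = rng.gauss(0.0, 1.0)  # shared factor drives joint defaults
        row = []
        for threshold, loss in zip(thresholds, loss_if_default):
            idiosyncratic = rng.gauss(0.0, 1.0)
            asset = math.sqrt(rho) * systematic + math.sqrt(1 - rho) * idiosyncratic
            row.append(loss if asset < threshold else 0.0)
        scenarios.append(row)
    return scenarios


def quantile_loss(scenarios, level=0.999):
    """Portfolio loss at the given quantile of the simulated loss distribution."""
    totals = sorted(sum(row) for row in scenarios)
    index = min(len(totals) - 1, math.ceil(level * len(totals)) - 1)
    return totals[index]


def es_allocation(scenarios, level=0.999):
    """Contributory charge per position: its average loss over the tail scenarios."""
    q = quantile_loss(scenarios, level)
    tail = [row for row in scenarios if sum(row) >= q]
    return [mean(row[i] for row in tail) for i in range(len(scenarios[0]))]


def weekly_charge(history):
    """Higher of the most recent figure and the average of the last 12 weekly figures."""
    return max(history[-1], mean(history[-12:]))


if __name__ == "__main__":
    scenarios = simulate_losses(POSITIONS)
    print("99.9 % quantile loss:", quantile_loss(scenarios))
    for position, share in zip(POSITIONS, es_allocation(scenarios)):
        print(position["name"], "contributes", round(share))
    # Constructed weekly history: the latest figure is below the 12-week average.
    print("charge:", weekly_charge([100.0] * 11 + [40.0]))
```
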

Direct validation of the incremental risk charge through
back-testing methods is not possible. The charge is subject to
validation principles such as the evaluation of conceptual
soundness, ongoing monitoring, process verification and
benchmarking and outcome analysis. The validation of the
incremental risk charge methodology is embedded in the
validation process for our credit portfolio model, with
particular focus on the incremental risk charge specific
aspects. Model validation relies more on indirect methods
including stress tests and sensitivity analyses. Relevant
parameters are included in the annual validation cycle
established in the current regulatory framework. The
incremental risk charge is part of the quarterly group-wide
stress test using the stress testing functionality within our
credit engine. Stressed incremental risk charge figures are
reported on group level and submitted to the Stress Testing
Oversight Committee and Cross Risk Review Committee.

Comprehensive Risk Measure
The comprehensive risk measure for the correlation trading
portfolio is based on our own internal model. We calculate
the comprehensive risk measure based on a Monte Carlo
Simulation technique to a 99.9 % confidence level and a
capital horizon of 1 year. Our model is applied to the eligible
correlation trading positions where typical products
include collateralized debt obligations, nth-to-default credit
default swaps, and index- and single-name credit
default swaps. Re-securitizations or products which
reference retail claims or real estate exposures are not
eligible. Furthermore, trades subject to the comprehensive
risk measure have to meet minimum liquidity standards to be
eligible. The model incorporates concentrations of the
portfolio and nonlinear effects via a full revaluation approach.
Comprehensive risk measure is designed to capture defaults
as well as the following risk drivers: interest rates, credit
spreads, recovery rates, foreign exchange rates and
base correlations, index-to-constituent and base correlation
basis risks.
Comprehensive risk measure is calculated on a weekly
basis. Initially, the eligible trade population within the
correlation trading portfolio is identified. Secondly, the risk
drivers of the P&L are simulated over a one year time
horizon. The trade population is then re-valued under the
various Monte Carlo Simulation scenarios and the 99.9 %
quantile of the loss distribution is extracted.

The market and position data are collected from front office
systems and are subject to strict quality control. The
comprehensive risk measure figures are closely monitored
and play a significant role in the management of the
correlation trading portfolio. We use historical market data to
estimate the risk drivers to the comprehensive risk measure
with a history of up to three years.

In our comprehensive risk measure model the liquidity
horizon is set to 12 months, which equals the capital horizon.

In order to maintain the quality of our comprehensive risk
measure model we continually monitor the potential
weaknesses of this model. Backtesting of the trade
valuations and the propagation of single risk factors is
carried out on a monthly basis and a quarterly recalibration
of parameters is performed. In addition, a series of stress
tests have been defined on the correlation trading portfolio
where the shock sizes link into historical distressed market
conditions.

Model validation is performed by an independent team and
reviews, but is not limited to, the above mentioned
backtesting, the models which generate risk factors,
appropriateness and completeness of risk factors, the Monte
Carlo Simulation stability, and performs sensitivity analyses.

During 2013 we have improved our comprehensive risk
measure model as follows:

Simulation of obligor defaults based on one-year credit spreads;
Extension of FX risk to include further balance sheet items;
Re-calibration of credit spreads and FX correlations.

Market Risk Standardized Approach
Market Risk Management monitors exposures and
addresses risk issues and concentrations for certain
exposures under the specific Market Risk Standardized
Approach (MRSA). We use the MRSA to determine the
regulatory capital charge for the interest rate risk of nth-to-
default credit default swaps and for the correlation trading
portfolio securitization positions which are not eligible for the
comprehensive risk measure. For these positions we either
assign all retained securitization positions that are unrated or
rated below BB a risk weight of 1,250 percent to
the exposure or deduct them directly from capital. Such
capital deduction items (CDI) are deducted in equal share
from Tier 1 capital and from Tier 2 capital.
We also use the MRSA to determine the regulatory capital
charge for longevity risk as set out in SolvV regulations.
Longevity risk is the risk of adverse changes in life
expectancies resulting in a loss in value on longevity linked
policies and transactions. For risk management purposes,
stress testing and economic capital allocations are also used
to monitor and manage longevity risk.

Furthermore, certain types of investment funds require a
capital charge under the MRSA. For risk management
purposes, these positions are also included in our internal
reporting framework.

Validation of Front Office models
Market Risk Management validates front office models that
are used for official pricing and risk management of trading
positions. New model approval, ongoing model approval and
model risk assessment are the team's key activities and
related tasks include:

Verification of the mathematical integrity of the models and
their implementation;
Periodic review of the models intended to ensure that the
models stay valid in different market conditions;
Assessment of model suitability for the intended business
purposes;
Identification of model limitations that inform model reserves;
and
Establishment of controls that enforce appropriate use of
models across businesses.

Trading Market Risk Management Framework at Postbank
Market risk arising from Postbank has been included in our
reporting since 2010. Since the domination agreement
between Deutsche Bank and Postbank became effective in
September 2012, aggregate market risk limits for Postbank
are set by Deutsche Bank according to our market risk limit
framework. Postbank's Head of Market Risk Management
has a functional reporting line into our Market Risk
Management organization and acts based upon delegated
authority with respect to monitoring, reporting and managing
market risk exposure according to market risk limits
allocated to Postbank.

Sub limits are allocated by the Postbank Market Risk
Committee to the individual operating business units.
Deutsche Bank is represented by a senior member of Market
Risk Management on the Postbank Market Risk Committee.
The risk economic capital limits allocated to specific
business activities define the level of market risk that is
reasonable and desirable for Postbank from an earnings
perspective.

Market risk at Postbank is monitored on a daily basis using a
system of limits based on value-at-risk. In addition,
Postbank's Market Risk Committee has defined sensitivity
limits for the trading and banking book as well as for key
sub-portfolios. Postbank also performs scenario analyses
and stress tests in addition to the value-at-risk calculations.
The assumptions underlying the stress tests are reviewed
and validated on an ongoing basis.

Value-at-Risk at Postbank
Postbank also uses the value-at-risk concept to quantify and
monitor the market risk it assumes. Value-at-risk is
calculated using a Monte Carlo Simulation. The risk factors
taken into account in the value-at-risk include interest rates,
equity prices, foreign exchange rates, and volatilities, along
with risks arising from changes in credit spreads. Correlation
effects between the risk factors are derived from equally-
weighted historical data.
Postbank's trading book value-at-risk is currently not
consolidated into the value-at-risk of the remaining Group.
However, it is shown separately in the internal value-at-risk
report.

We also apply the MRSA for the determination of the
regulatory capital charge for Postbank's trading market risk.