
Risk Management
Day 3
Objective
To know about the theoretical aspects relating to risk management
Syllabus – Day 3
Risk Management:
• Methodology of Risk Management
• Insurance Cover
• Ten Steps of Making Risk Management Work
• Ten Attributes of a World-Class Risk Management Culture
• Enterprise Risk Management
• Integrated Risk Management
• Risk Management in Banking
COSO
Internal Control Framework
An Overview
COSO Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Reliability of financial reporting
– Compliance with applicable laws and regulations
– Effectiveness and efficiency of operations
COSO Internal Controls Key Concepts
– Internal control is a process. It is a means to an end, not an end in itself.
– Internal control is effected by people. It’s not merely policy manuals and forms,
but people at every level of an organization.
– Internal control can be expected to provide only reasonable assurance, not
absolute assurance, to an entity’s management and board.
– Internal control is geared to the achievement of objectives in one or more
separate but overlapping categories.
Business Risk Management
Risk Management Architecture
Risk Management Is An Individual Decision
[Figure: chart plotting Risk against Revenue, with numbered decision points 2 and 3]
• No one "right" decision
• The "right" decision depends on the characteristics of the operation and the individual decision-maker
Prioritizing Which Risks to Address First
                              Potential Impact
Probability of Happening      Small                    Catastrophic
High                          Act if cost effective    Immediate action
Low                           No action required       Action required
Risk Management
• “Risk Management is the Identification, Analysis and Economic Control of those RISKS which can Threaten the Assets (Property, Human) or the Earning Capacity of an Enterprise”
Process of Risk Management
• Risk Identification
• Risk Measurement
• Risk Control
• Risk Transfer
• Risk Financing
• Risk Retention
Risk Assessment
FINANCIAL IMPACT: threshold limit to be decided based on the size of the corporate
PROBABILITY OF OCCURRENCE: organization history and industry experience to be considered
                      Financial Impact
Probability           Low              High
High                  Medium Risk      Very High Risk
Low                   Low Risk         High Risk
Handling Risk
Risk Level      Handling
Low & Medium    Normal monitoring at the operational level
High            Close control of all potential contributing factors by the Risk Management Team
Very High       Risks of this level should be actively tracked for decisions by the Risk Management Committee.
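As an added example (not part of the course slides), the following Python applies the probability / financial-impact matrix and the handling rules above to a small constructed risk register, then orders it so that the entries needing Committee or Risk Management Team attention come first. The 5% impact threshold, the 0.5 probability threshold, the rule that blends own loss history with an industry base rate, and the sample risks are all my assumptions; the slides only say that the threshold depends on the size of the corporate and that organization history and industry experience feed the probability.

```python
"""Added example, not from the course: a risk register that applies the
probability / financial-impact matrix and the 'Handling Risk' routing.

Assumptions (mine, not the slides'): impact threshold = 5% of company size,
probability threshold = 0.5, and own history and industry rate are averaged.
"""
from dataclasses import dataclass

# The slide says the threshold is "to be decided based on size of the
# corporate"; 5% of size is a constructed placeholder, not a course figure.
IMPACT_THRESHOLD_FRACTION = 0.05
PROBABILITY_THRESHOLD = 0.5  # constructed: at or above this counts as "high"

# Handling rule per level, taken from the 'Handling Risk' slide.
HANDLING = {
    "Low": "Normal monitoring at the operational level",
    "Medium": "Normal monitoring at the operational level",
    "High": "Close control of contributing factors by the Risk Management Team",
    "Very High": "Actively tracked for decisions by the Risk Management Committee",
}
PRIORITY = {"Very High": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Risk:
    name: str
    probability: float       # annual probability of occurrence, 0..1
    financial_impact: float  # loss if the event occurs, same units as company size


def estimate_probability(history_events, years, industry_rate):
    """Blend the organisation's own loss history with an industry base rate.
    Constructed rule: equal-weight average of the two, clamped to [0, 1]."""
    own_rate = history_events / years if years > 0 else industry_rate
    return max(0.0, min(1.0, (own_rate + industry_rate) / 2))


def classify(risk, company_size):
    """Map a risk onto the 2x2 matrix from the 'Risk Assessment' slide:
    high probability + high impact -> Very High, low + high -> High,
    high + low -> Medium, low + low -> Low."""
    high_prob = risk.probability >= PROBABILITY_THRESHOLD
    high_impact = risk.financial_impact >= company_size * IMPACT_THRESHOLD_FRACTION
    if high_prob and high_impact:
        return "Very High"
    if high_impact:
        return "High"
    if high_prob:
        return "Medium"
    return "Low"


def prioritise(risks, company_size):
    """Return (name, level, expected loss, handling) tuples, ordered by
    risk level and then by expected loss (probability x impact)."""
    rows = []
    for r in risks:
        level = classify(r, company_size)
        rows.append((r.name, level, r.probability * r.financial_impact, HANDLING[level]))
    rows.sort(key=lambda row: (PRIORITY[row[1]], -row[2]))
    return rows


# Constructed sample register for a company whose size (revenue) is 100 million.
COMPANY_SIZE = 100_000_000
SAMPLE_RISKS = [
    # one event in five years of own history, industry base rate 30%
    Risk("Ransomware outage", estimate_probability(1, 5, 0.3), 12_000_000),
    Risk("Payroll data-entry errors", 0.9, 50_000),
    Risk("Data-centre fire", 0.02, 40_000_000),
    Risk("Minor vendor invoice fraud", 0.1, 20_000),
]

if __name__ == "__main__":
    for name, level, expected, handling in prioritise(SAMPLE_RISKS, COMPANY_SIZE):
        print(f"{level:9} {name:28} expected loss {expected:>12,.0f}  -> {handling}")
```

Running the script prints the register with the two High entries first (the ransomware outage ahead of the fire because its expected loss is larger), then the Medium payroll risk and the Low vendor fraud. Note that, following the slide, a rare but catastrophic event is routed to the Risk Management Team on impact alone, so the ordering is not simply by expected loss.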
Risk Management
• Risk management is present in all aspects of life; it is about the everyday trade-off between an expected reward and a potential danger
• In the business world, the risk is often associated with some variability in financial outcomes. However, the notion of risk is much larger.
• Risk management is an attempt to identify, measure, monitor and manage uncertainty
Risk Management process
• It refers to a systematic approach designed
to discover risk exposures faced by the
organisation and to manage them in order to
minimize or eliminate loss arising from these
exposures.
• It should be systematic, comprehensive and
effective and be ideally integrated with other
aspects of the Organisation.
• Risk management = risk reduction ?!
Risk Management Process
• Identify risk and risk management goals
• Gather relevant and comprehensive data to determine the extent and nature of risk exposures
• Analyse the risk exposures
• Construct a risk management plan comprising appropriate risk treatment methods
• Implement the plan
• Monitor the plan and the outcome of the implementation
Seven Challenges for Risk
Management
• Confusion regarding the concept of risk.
• Completely avoidable human errors in subjective
judgments of risk.
• Entirely ineffectual but popular subjective
scoring methods.
• Misconceptions that block the use of better,
existing methods.
• Recurring errors in even the most sophisticated
models.
• Institutional factors.
• Unproductive incentive structures.
Enterprise Risk Management – COSO Definition
• “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
What is Risk Management
• a process and a means to an end, not an end in itself;
• effected by people and involving people at every level of the
organization;
• applied in strategy setting and at every level across the
enterprise and taking an entity level portfolio view of risks;
• designed to identify events that potentially affect the entity
and manage risk within its risk appetite;
• provides reasonable assurance to an entity’s management
and board;
• also geared to the achievement of objectives in one or more
separate and overlapping categories.
Risk Management
• Risk refers to the uncertainty that surrounds future
events and outcomes. It is the expression of the
likelihood and impact of an event with the potential to
influence the achievement of an organization’s
objectives.
• Risk management is a systematic approach to setting
the best course of action under uncertainty by
identifying, assessing, understanding, acting on and
communicating risk issues
Eight Components of ERM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring
Internal Environment
• This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.
Objective Setting
• Strategic: high-level goals,
aligned/supporting the mission/vision;
• Operations: effectiveness and efficiency of
the entity’s operations;
• Reporting: internal/external reporting of
financial/non-financial risk;
• Compliance: compliance with applicable
laws and regulations.
Event Identification
• Management identifies potential events that
may positively or negatively affect an entity’s
ability to implement its strategy and achieve its
objectives and performance goals. Potentially
negative events represent risks that provide a
context for assessing risk and alternative risk
responses. Potentially positive events represent
opportunities, which management channels back
into the strategy and objective-setting
processes.
Risk assessment
• Management considers qualitative and
quantitative methods to evaluate the
likelihood and impact of potential events,
individually or by category, which might
affect the achievement of objectives over
a given time horizon
Risk response
• Management considers alternative risk
response options and their effect on risk
likelihood and impact as well as the
resulting costs versus benefits, with the
goal of reducing residual risk to desired
risk tolerances. Risk response planning
drives policy development
OUTCOME OF RISK & CONTROL EVALUATION = Risk Prioritization
                        IMPACT
LIKELIHOOD        LOW                       HIGH
HIGH              HIGH RISK (low impact)    HIGH RISK (high impact)
LOW               LOW RISK (low impact)     LOW RISK (high impact)

Control activities
• Management implements policies and
procedures throughout the organization, at
all levels and in all functions, to help
ensure that risk responses are properly
executed
Information and communication
• The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management and this component delivers it
Monitoring
• Ongoing activities and/or separate
evaluations assess both the presence and
functioning of enterprise risk management
components and the quality of their
performance over time
How to Address the RISKS
• Avoid – ceasing to operate in that area of activity.
• Transfer – transfer an element of the risk to a third party
• Mitigate – to mitigate either the likelihood or the impact of the risk (Diversification)
• Accept – after considering cost / likely benefits (as the price of doing the business)
Changing face of risk
management
Risk management is not just about avoiding downside. It’s about realising potential
opportunities and achieving objectives. Failure to manage risk compromises a
company’s ability to succeed, turning strategic goals into own goals.
Definition of Internal Control
Deficiency
May consist of either a design or operating deficiency:
• A design deficiency exists when:
– A necessary control is missing OR
– An existing control is not properly designed so that even when the
control is operating as designed the control objective is not always met
• An operating deficiency exists when:
– A properly designed control is not operating as designed OR
– The person performing the control does not possess the necessary
authority or qualifications to perform the control effectively
• Range from inconsequential internal control deficiencies to material
weaknesses
Definition of Significant
Deficiency
• An internal control deficiency that could
adversely affect the entity’s ability to
initiate, record, process and report
financial data consistent with the
assertions of management in the financial
statements
• Could arise from a single deficiency or an
aggregation of deficiencies
Definition of Material
Weakness
• A significant deficiency in one or more of
the internal control components that
alone or in the aggregate precludes the
entity’s internal control from reducing to
an appropriately low level the risk that
material misstatements in the financial
statements will not be prevented or
detected in a timely manner
Responsibility for Internal Controls
Who is Responsible for the Design and Effectiveness of Internal Controls?
Management is responsible for the control design and assessment of internal controls within their areas of responsibility. This responsibility cannot be delegated or outsourced.
COSO Internal Control Framework
The COSO Framework’s Three Dimensions Provide Criteria for Evaluating Internal Controls
[Figure: the COSO cube. Top face: the objectives Operations, Financial Reporting and Compliance. Front face, as rows: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. Side face: Unit A, Unit B, Activity 1, Activity 2, Activity 3]
1. Consists of three objectives:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
2. Consists of five components:
– Control environment
– Risk assessment
– Control activities
– Information/Communication
– Monitoring
3. Requires an entity level focus and an activity level focus
Control Environment
The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Control environment factors include:
• Integrity and ethical values
• Commitment to competence
• Board of Directors or Audit Committee
• Management philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and procedures
Control Environment
Risks to integrity and ethical values for financial reporting practices:
Incentives
• Pressure to meet unrealistic performance targets, particularly for short term results
• High performance-dependent rewards
• Upper and lower cutoffs on bonus plan
Temptations
• High decentralization with top management unaware of actions taken at lower organizational levels
• Weak internal control functions that do not detect and report improper behavior
• Penalties for improper behavior that are insufficient to deter temptations
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
Risk Assessment
Objectives (i.e. assertions) must be established prior to the identification of risks to their achievement and to take necessary actions to manage the risks. By setting objectives, both at entity and activity levels, prior to a risk assessment, a company can determine the critical success factors; then determine the risks to the critical success factors.
A risk assessment usually includes:
• Estimating the significance of a risk
• Assessing the likelihood (or frequency) of the risk occurring
• Consideration of how the risk should be managed
Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help to ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions.
Control activities include:
• Approvals
• Authorizations
• Verifications
• Reconciliations
• Reviews of operating performance
• Security of assets
• Segregation of duties
Control Classification
Internal controls can be classified as either Preventive or Detective.
Preventive controls focus on preventing errors or exceptions. Such preventive controls are:
– Standard policies and procedures
– Proper segregation of duties
– Authorization levels/approvals
Detective controls are designed to identify an error or exception after it has occurred. Such detective controls are:
– Exception reports
– Reconciliations
– Periodic audits
Control Types
There are three primary control types:
Specific Control – Provides the front line of defense in preventing, detecting and correcting errors.
Monitoring Control – A control, after the initial process, to detect misstatements or errors within a process.
Pervasive Control – A control across the organization that is not specific to a process but sets the tone of the organization.
Control Activities
During an evaluation, you should consider not only whether established control activities are relevant to the risk-assessment process, but also whether they are being applied properly.
(Meaning: designed effectively and operating effectively)
Information and Communication
When evaluating the information and communication of an entity, one should consider:
Information –
• Obtaining external and internal information and providing management with necessary reports on the entity’s performance relative to established objectives.
• Providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities effectively and efficiently.
Communication –
• Adequacy of communication across the organization and the completeness and timeliness of information.
• Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information.
Information and Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.
Information systems produce reports, containing operational, financial and compliance related information, that make it possible to run and control the business.
• Information – Information is needed at all levels of an organization to run the business, and move toward achievement of the entity’s objectives in all categories. This will include:
– Operational reports to management to ensure effective and efficient use of resources
– Financial reports detailing the performance of the company used by company management and external parties.
• Communication – Communication must take place, dealing with expectations, responsibilities and other important matters.
Monitoring
Monitoring is the process of assessment by appropriate personnel of the design and operation of controls on a suitably timely basis, and taking necessary actions.
It applies to all activities within an organization, and sometimes to outside contractors as well. This may include outsourced cash collections (lockbox), outsourced payment processing (A/P through Shared Services Center) or waste management (compliance with EPA regulations).
Monitoring can be done in two ways:
1. Ongoing Activities
2. Separate Evaluations
Monitoring
Two ways to do monitoring:
1. Ongoing Activities – Activities to monitor the effectiveness of internal controls in the ordinary course of operations. These include regular management and supervisory activities, comparisons, reconciliations and other routine actions. Example – Data recorded by information systems are compared with physical assets. Finished product inventories are examined periodically and counts are then compared with accounting records and differences reported.
2. Separate Evaluations – Evaluations of internal controls performed by management and/or internal audit. Controls addressing higher-priority risks and those most critical to reducing a given risk will tend to be evaluated more often.
Internal Controls
Internal Control Defined
Internal controls are the policies and procedures that, when implemented effectively and efficiently, help minimize or reduce the impact of risk on a company or business process to an acceptable level.
Significant Controls
• Controls over initiating, recording, processing and reporting significant
account balances, classes of transactions and disclosures, and the related
assertions embodied in financial statements
• Antifraud programs and controls
• Controls, including general controls, on which other significant controls are
dependent
• Each significant control in a group of controls that functions together to
achieve a control objective
• Controls over significant routine and nonsystematic transactions (such as
accounts involving judgments and estimates)
• Controls over the period-end financial reporting process, including controls
over procedures used to:
– Enter transaction totals into the general ledger
– Initiate, record and process journal entries in the general ledger
– Record recurring and nonrecurring adjustments to the financial
statements
Integrated Risk Management
• It is diagnostic.
• It is designed to support optimal
investment.
• It is transaction cost based.
• It is inclusive.
• It is coordinated but discriminating.
Risk Management in Banking
WHAT IS RISK
• Every action has a reaction
• If the reaction is for our benefit, there is no worry and no risk
• It is only when it is against our interest that we are worried, and that is risk
• Risk is therefore the possibility of a negative result from our actions
• It could be due to us or beyond us
RISK Contd…
• Risk is thought to derive from “risicare”, which means “to dare”
• Daring is to take steps recognising the potential for loss
• The extent of this behaviour is “taker” specific
• More risk is taken in view of the potential for higher yield
RISK Contd…
• Due to risk, either profits and capital may grow multifold or the business may be wiped out
• Nevertheless, a banker cannot be risk free/averse, like a ship in a port
• Banking is therefore risk management
RISK Contd…
• Return is therefore related to risk
• Returns from businesses are to be adjusted for risks for comparability – this is RAROC (Risk-Adjusted Return on Capital)
BANKING BUSINESS
• Business is broadly divided into on balance sheet and off balance sheet activities.
• On balance sheet activities are banking book (deposits & advances) and trading book (investments)
• Banking book has no market risk
• Risks common to both books are credit, operational
RISKS Contd..
• Major risks are
– Credit risk
– Market risk
• Interest risk
• Liquidity risk
• Price risk
– Operational risk
– Strategic risk
– Reputation risk
RISK MANAGEMENT
• Identification
• Measurement
– Sensitivity
– Volatility
– Downside potential
• Pricing covering
– Cost of resources
– Cost of operations
– Risk premium
– Capital charge
• Monitoring and control
• Mitigation
– Transferring
MARKET RISK
• Has a component of credit risk in addition to price, liquidity and interest rate risks
• Liquidity risk can also be due to markets
• Risk in investments is measured through BPV, modified duration, VaR, and yield and price volatilities
MONITORING & CONTROL AND MITIGATION
• Monitoring
– Policy guidelines for various activities
– Caps for transaction sizes, stop loss limits, guidelines on portfolio sizes both by type and industry, exposure norms
• Mitigation through derivatives
CREDIT RISK
• Credit selection, prudential limits
• Credit rating
• Credit pricing
• Credit monitoring through rating migration
• Loan review mechanism
• Credit derivatives and securities and securitisation
OPERATIONAL RISK
• Can be classified by source, impact and event
• Risk mitigation can be through audit and various reports
Components of Bank Balance Sheet
• Liabilities
– Capital
– Reserves and Surplus
– Deposits
– Borrowings
– Other Liabilities
Components of Bank Balance Sheet
• Assets
– Cash and Balances with RBI
– Balances with Banks, Money at Call and Short Notice
– Investments
– Advances
– Fixed Assets
– Other Assets
Banks Profit and Loss
• Income
– Interest Earned
– Other Income
• Expenses
– Interest Paid
– Operating Expenses
– Provisions
– Taxes
Risk in Banking Business
Three major heads for the purposes of Risk Management
• Banking Book
• Trading Book
• Off Balance Sheet Exposures
Banking Business
• Characteristics of Assets and Liabilities
– They are normally held till maturity
– Accrual system of accounting is adopted
• Since Assets and Liabilities are held till maturity, their mismatch may lead to a cash inflow (excess) or cash shortage at a particular point of time. This is normally denoted as “Liquidity Risk”
Banking Book
• Due to changes in interest rates, assets and liabilities are subject to interest rate or repricing risk
• The assets side of the balance sheet generates credit risk arising from defaults in payment of interest or installments by the borrowers
• The banking book also suffers from Operational Risk
Trading Book
• The trading book includes all the assets
that are held with the intention of trading,
which are marketable.
• These assets are classified as “Held for
Trading”
• These assets are subjected to Market Risk
and marked to market (MTM)
Off Balance Sheet Exposures
• Off Balance Sheet exposure is contingent in nature, e.g. Letters of Credit, Bank Guarantees
• A contingent exposure may become a fund based exposure in the Banking Book or Trading Book
• Thus these exposures may have liquidity, interest rate, market, credit or default risks and operational risks
Anatomy of Banking Risk
• Non Financial Risk
– Business Risk
– Strategic Risks
• Financial Risks
– Delivery of Financial Services Risk
• Operational Risks
• Legal Risks
• Reputation Risks
– Balance Sheet Risk
Balance Sheet Risk
• Credit Risk
– Concentration Risks (Industry / Geographic)
– Intrinsic Risks (Credit Card, Merchant Banking)
• Market Risk
– Interest Rate Risk
– Liquidity Risk
– Currency Risk
– Commodities Risk
Interest rate Risk
• Price Risk
• Reinvestment Risk
• Gap Risk
• Yield Curve Risk
• Basis Risk
Market Risk
• Losses resulting from adverse changes in
financial asset price which could include
changes in:
– Interest Rates
– Currency Rates
– Equity prices and
– Commodity prices
Market Risks
• Interest Rate Risk – Adverse movements in interest rates, which affect banks’ earnings (NII or other interest sensitive income) and operating expenses
• Liquidity Risk arises due to mismatches in maturity and cash flows
• Exchange Risk arises due to adverse movements in exchange rates
• Equity / Commodity price risk arises due to adverse movements in prices of securities and commodities where banks have invested
Credit Risk
• Credit risk is the possibility of losses associated
with changes in credit profiles of borrowers or
third parties
• It involves the inability or unwillingness of a
borrower to meet the obligations
• Credit Risk is made up of
– Transaction Risk
• Concentration , Intrinsic
– Portfolio risk
• Downgrade , Default
Operational Risk
• Credit Risk and Market Risk emanate from Operational Risk
• Operational risk is the risk of direct and indirect loss resulting from inadequate or inefficient internal processes, people and systems, or from external events.
Credit Risk Management
• Credit risk is the potential loss arising out of the inability or unwillingness of a customer or counterparty to meet its commitments in relation to lending, trading, hedging, settlement and other financial transactions.
• The philosophy behind credit risk management is: the higher the risk, the higher the expected reward
Credit risk management
• The CRM framework includes:
– Policies and procedures
– Organization structure for effective credit
management
– Credit risk rating framework
