Day 3
Objective: To know about the theoretical aspects relating to risk management
Syllabus – Day 3
Risk Management:
• Methodology of Risk Management,
• Insurance Cover,
• Ten Steps of Making risk management work,
• Ten attributes of a World-Class Risk Management
Culture,
• Enterprise Risk Management,
• Integrated risk management,
• Risk management in Banking
COSO
Internal Control Framework
An Overview
COSO Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:
– Reliability of financial reporting
– Compliance with applicable laws and regulations
– Effectiveness and efficiency of operations
COSO Internal Controls Key Concepts
– Internal control is a process. It is a means to an end, not an end in itself.
– Internal control is effected by people. It’s not merely policy manuals and forms,
but people at every level of an organization.
– Internal control can be expected to provide only reasonable assurance, not
absolute assurance, to an entity’s management and board.
– Internal control is geared to the achievement of objectives in one or more
separate but overlapping categories.
Business Risk Management
Risk Management Architecture
(Figure: risk plotted against revenue; risk management is an individual decision, and there is no one "right" decision.)
• Risk Identification
• Risk Measurement
• Risk Control
• Risk Transfer
• Risk Financing
• Risk Retention
Risk Assessment
Risk is rated by combining Financial Impact with Probability of Occurrence:

FINANCIAL IMPACT: threshold limit to be decided based on the size of the corporate.
PROBABILITY OF OCCURRENCE: organization history and industry experience to be considered.

                        Low Probability   High Probability
High Financial Impact   Medium Risk       Very High Risk
Low Financial Impact    Low Risk          High Risk
Handling Risk
Risk Levels
Very High: risks of this level should be actively tracked for decisions by
the Risk Management Committee.
Risk Management
• Risk management is present in all aspects of life;
it is about everyday trade off between an
expected reward and potential danger
• In the business world the risk is often associated
with some variability in financial outcomes.
However, the notion of risk is much broader.
• Risk management is an attempt to identify,
measure, monitor and manage uncertainty
Risk Management process
• It refers to a systematic approach designed
to discover risk exposures faced by the
organisation and to manage them in order to
minimize or eliminate loss arising from these
exposures.
• It should be systematic, comprehensive and
effective and be ideally integrated with other
aspects of the Organisation.
• Risk management = risk reduction ?!
Risk Management Process
• Identify risk and risk management goals
• Gather relevant and comprehensive data to determine the
extent and nature of risk exposures
• Analyse the risk exposures
• Construct a risk management plan comprising appropriate
risk treatment methods
• Implement the plan
• Monitor the plan and outcome of the implementation
Seven Challenges for Risk
Management
• Confusion regarding the concept of risk.
• Completely avoidable human errors in subjective
judgments of risk.
• Entirely ineffectual but popular subjective
scoring methods.
• Misconceptions that block the use of better,
existing methods.
• Recurring errors in even the most sophisticated
models.
• Institutional factors.
• Unproductive incentive structures.
Enterprise Risk Management-
COSO Definition -
• “a process, effected by an entity’s board of
directors, management and other
personnel, applied in strategy-setting and
across the enterprise, designed to identify
potential events that may affect the entity,
and manage risks to be within its risk
appetite, to provide reasonable assurance
regarding the achievement of entity
objectives.”
What is Risk Management
• a process and a means to an end, not an end in itself;
• effected by people and involving people at every level of the
organization;
• applied in strategy setting and at every level across the
enterprise and taking an entity level portfolio view of risks;
• designed to identify events that potentially affect the entity
and manage risk within its risk appetite;
• provides reasonable assurance to an entity’s management
and board;
• also geared to the achievement of objectives in one or more
separate and overlapping categories.
Risk Management
• Risk refers to the uncertainty that surrounds future
events and outcomes. It is the expression of the
likelihood and impact of an event with the potential to
influence the achievement of an organization’s
objectives.
• Risk management is a systematic approach to setting
the best course of action under uncertainty by
identifying, assessing, understanding, acting on and
communicating risk issues
Eight Components of ERM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring
Internal Environment
• This component reflects an entity’s enterprise risk
management philosophy, risk appetite, board
oversight, commitment to ethical values, competence
and development of people, and assignment of
authority and responsibility. It encompasses the “tone
at the top” of the enterprise and influences the
organization’s governance process and the risk and
control consciousness of its people.
Objective Setting
• Strategic: high-level goals,
aligned/supporting the mission/vision;
• Operations: effectiveness and efficiency of
the entity’s operations;
• Reporting: internal/external reporting of
financial/non-financial risk;
• Compliance: compliance with applicable
laws and regulations.
Event Identification
• Management identifies potential events that
may positively or negatively affect an entity’s
ability to implement its strategy and achieve its
objectives and performance goals. Potentially
negative events represent risks that provide a
context for assessing risk and alternative risk
responses. Potentially positive events represent
opportunities, which management channels back
into the strategy and objective-setting
processes.
Risk assessment
• Management considers qualitative and
quantitative methods to evaluate the
likelihood and impact of potential events,
individually or by category, which might
affect the achievement of objectives over
a given time horizon
Risk response
• Management considers alternative risk
response options and their effect on risk
likelihood and impact as well as the
resulting costs versus benefits, with the
goal of reducing residual risk to desired
risk tolerances. Risk response planning
drives policy development
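As an added worked example (not part of the course slides), the following Python puts the rating matrix from the Risk Assessment slide and the residual-risk check from this Risk Response slide into code: each risk is rated on inherent likelihood and financial impact, the planned responses are applied, the residual rating is compared with the stated tolerance, and Very High residual risks are flagged for the Risk Management Committee. The thresholds, the sample risks and the reduction factors attributed to each response are constructed assumptions, not figures from the course.

```python
"""Risk register scoring (added example): rate each risk on the financial
impact x probability matrix, apply the planned responses, rate the residual
risk, check it against the risk tolerance and flag Very High risks for the
Risk Management Committee (RMC)."""
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High", "Very High"]   # ordered from least to most severe


@dataclass
class Response:
    """A risk response (control, transfer, etc.) with the fraction by which it
    is assumed to reduce likelihood and financial impact. Assumed figures."""
    name: str
    prob_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass
class Risk:
    name: str
    probability: float    # likelihood over the time horizon, 0..1
    impact: float         # estimated financial impact, currency units
    responses: list = field(default_factory=list)


def rate(probability, impact, impact_threshold, prob_threshold):
    """Map (probability, impact) onto the 2x2 matrix: the impact threshold is
    set from the size of the company, the probability threshold from the
    organisation's history and industry experience."""
    high_impact = impact >= impact_threshold
    likely = probability >= prob_threshold
    if high_impact and likely:
        return "Very High"
    if high_impact:
        return "Medium"
    if likely:
        return "High"
    return "Low"


def residual(risk):
    """Likelihood and impact left after applying every planned response."""
    p, i = risk.probability, risk.impact
    for r in risk.responses:
        p *= 1.0 - r.prob_reduction
        i *= 1.0 - r.impact_reduction
    return p, i


def evaluate(risks, impact_threshold, prob_threshold, tolerance="Medium"):
    """Build the register: inherent and residual ratings, residual expected
    loss, whether the residual rating is within the stated tolerance, and
    whether the risk is Very High and so must be tracked by the RMC."""
    register = []
    for risk in risks:
        inherent = rate(risk.probability, risk.impact, impact_threshold, prob_threshold)
        rp, ri = residual(risk)
        res = rate(rp, ri, impact_threshold, prob_threshold)
        register.append({
            "risk": risk.name,
            "inherent": inherent,
            "residual": res,
            "expected_loss": rp * ri,
            "within_tolerance": LEVELS.index(res) <= LEVELS.index(tolerance),
            "escalate_to_rmc": res == "Very High",
        })
    return register


# Constructed sample register (hypothetical figures, not data from the course)
IMPACT_THRESHOLD = 1_000_000   # set from the size of the company
PROB_THRESHOLD = 0.2           # set from history and industry experience
SAMPLE_RISKS = [
    Risk("Core banking outage", 0.3, 5_000_000,
         [Response("Hot standby data centre", impact_reduction=0.9)]),
    Risk("Phishing leading to payment fraud", 0.5, 400_000,
         [Response("Dual authorisation above limit", prob_reduction=0.8)]),
    Risk("Regulatory fine for data breach", 0.05, 3_000_000),
    Risk("Insider fraud", 0.25, 2_000_000),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_RISKS, IMPACT_THRESHOLD, PROB_THRESHOLD):
        print(f"{row['risk']:<36} inherent={row['inherent']:<10} "
              f"residual={row['residual']:<10} EL={row['expected_loss']:>12,.0f} "
              f"tolerance_ok={row['within_tolerance']} RMC={row['escalate_to_rmc']}")
```

Note how the two responses work on different axes of the matrix: the standby data centre leaves the outage just as likely but pulls its impact under the threshold (Very High becomes High, still outside a Medium tolerance), while dual authorisation leaves the fraud loss unchanged but makes it unlikely (High becomes Low). Only the untreated insider-fraud risk remains Very High and is escalated.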
OUTCOME OF RISK & CONTROL
EVALUATION = Risk Prioritization
(Figure: risk prioritization chart with LIKELIHOOD on one axis.)

COSO Internal Control Framework
(Figure: the COSO cube. The three objective categories run across the top, the five components down the face, and the entity's units and activities (UNIT A, UNIT B; ACTIVITY 1, 2, 3) along the side.)
Objective categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
1. Consists of five components:
– Control environment
– Risk assessment
– Control activities
– Information/Communication
– Monitoring
CONTROL ENVIRONMENT
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and procedures
Control Environment
Risks to integrity and ethical values for financial reporting practices:
Incentives
• Pressure to meet unrealistic performance targets, particularly for short
term results
• High performance-dependent rewards
• Upper and lower cutoffs on bonus plan
Temptations
• Weak internal control functions do not detect
and report improper behavior
• Penalties for improper behavior are insufficient
to deter temptations
Risk Assessment
Objectives (i.e. assertions) must be established prior to the identification
of risks to their achievement and to take necessary actions to manage the
risks. By setting objectives, both at entity and activity
levels, prior to a risk assessment, a company
can determine the critical success factors; then
determine the risks to the critical success
factors.
RISK ASSESSMENT
• Estimating the significance of a risk
• Assessing the likelihood (or
frequency) of the risk occurring
• Consideration of how the risk should
be managed
Control Activities
Control activities are the policies and procedures that help ensure
management directives are carried out. They help to ensure that necessary
actions are taken to address risks to achievement of the entity's objectives.
Control activities occur throughout the organization, at all levels and in all
functions.
CONTROL ACTIVITIES
• Approvals
• Authorizations
• Verifications
• Reconciliations
• Reviews of operating performance
• Security of assets
• Segregation of duties
Control Classification
Internal controls can be classified as either Preventive or Detective.
CONTROL ACTIVITIES
Preventive controls are designed to stop an error or
exception before it occurs. Such preventive controls are:
– Authorization levels/approvals
Detective controls are designed to identify
an error or exception after it has
occurred. Such detective controls are:
– Exception reports
– Reconciliations
– Periodic audits
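The preventive/detective split above, as an added Python example that is not from the course: a maker-checker payment step where authorization limits, segregation of duties and a basic verification are enforced before anything is posted (preventive), followed by a reconciliation of the posted ledger against the bank statement that produces an exception report after the fact (detective). The roles, approval limits, users, references, ledger and bank statement are all constructed.

```python
"""Preventive and detective controls over a payment process (added example)."""
from dataclasses import dataclass

# Authorization levels: the largest amount each role may approve (assumed figures)
APPROVAL_LIMITS = {"clerk": 0, "officer": 50_000, "manager": 500_000, "cfo": float("inf")}


@dataclass(frozen=True)
class Payment:
    ref: str
    amount: float
    maker: str          # user who entered the payment
    checker: str        # user who approved it
    checker_role: str


def preventive_check(p):
    """Preventive control, run before the payment is posted. Returns the list
    of violated controls; an empty list means the payment may be posted."""
    violations = []
    if p.amount <= 0:
        violations.append("verification: amount must be positive")
    if p.maker == p.checker:
        violations.append("segregation of duties: maker and checker are the same user")
    if p.amount > APPROVAL_LIMITS.get(p.checker_role, 0):
        violations.append(f"authorization: role '{p.checker_role}' may not approve {p.amount:,.2f}")
    return violations


def post_payments(payments):
    """Post only the payments that pass the preventive control; return the
    ledger (ref -> amount) and the rejected payments with their reasons."""
    ledger, rejected = {}, {}
    for p in payments:
        problems = preventive_check(p)
        if problems:
            rejected[p.ref] = problems
        else:
            ledger[p.ref] = p.amount
    return ledger, rejected


def reconcile(ledger, bank_statement, tolerance=0.005):
    """Detective control, run after the fact: compare what the ledger says was
    paid with what the bank statement shows and return an exception report."""
    exceptions = []
    for ref in sorted(set(ledger) | set(bank_statement)):
        booked, paid = ledger.get(ref), bank_statement.get(ref)
        if booked is None:
            issue = "on bank statement but not in ledger"
        elif paid is None:
            issue = "in ledger but not on bank statement"
        elif abs(booked - paid) > tolerance:
            issue = "amount mismatch"
        else:
            continue
        exceptions.append({"ref": ref, "issue": issue, "ledger": booked, "bank": paid})
    return exceptions


# Constructed sample data (hypothetical users, references and amounts)
PAYMENTS = [
    Payment("P-1001", 12_000.00, "alice", "bob", "officer"),       # ok
    Payment("P-1002", 75_000.00, "alice", "bob", "officer"),       # above officer limit
    Payment("P-1003", 75_000.00, "alice", "carol", "manager"),     # ok
    Payment("P-1004", 9_500.00, "dave", "dave", "manager"),        # maker approves own entry
    Payment("P-1005", 300.00, "alice", "carol", "manager"),        # ok
]
# What the bank actually executed: P-1003 went out for a different amount,
# P-1005 never left, and P-1999 was paid without ever being booked.
BANK_STATEMENT = {"P-1001": 12_000.00, "P-1003": 57_000.00, "P-1999": 4_200.00}

if __name__ == "__main__":
    ledger, rejected = post_payments(PAYMENTS)
    for ref, why in rejected.items():
        print("REJECTED ", ref, "; ".join(why))
    for e in reconcile(ledger, BANK_STATEMENT):
        print("EXCEPTION", e)
```

The preventive check can only stop what it can see at posting time (a self-approval, an amount above the checker's limit); the altered amount and the unbooked payment on the statement are invisible to it and are caught only by the detective reconciliation, which is why the two classes are used together rather than one instead of the other.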
Control Types
There are three primary control types.
Monitoring Control – A control, after the initial
process, to detect misstatements or errors within
a process.
INFORMATION AND
COMMUNICATION
• Provide information to the right people in
sufficient detail and on time to enable them to
carry out their responsibilities effectively and
efficiently.
Communication –
• Adequacy of communication across the
organization and the completeness and
timeliness of information.
• Openness and effectiveness of channels with
customers, suppliers and other external parties
for communicating information.
Information and Communication
Pertinent information must be identified, captured
and communicated in a form and timeframe that
enables people to carry out their responsibilities.
MONITORING
• Monitoring
– Policy guidelines for various activities
– Caps for transaction sizes, stop loss limits,
guidelines on portfolio sizes both type and
industry, exposure norms
• Mitigation through derivatives
CREDIT RISK
• Assets
– Cash and Balances with RBI
– Bal with Banks, Money at Call and Short
notices
– Investments
– Advances
– Fixed Assets
– Other Assets
Banks Profit and Loss
• Income
- Interest Earned
- Other Income
• Expenses
- Interest Paid
- Operating Expenses
- provisions
- Taxes
Risk in Banking Business
Three major heads for the purposes of
Risk Management
• Banking Book
• Trading Book
• Off Balance Sheet Exposures
Banking Business
• Characteristics of Assets and Liabilities
– They are normally held till maturity
– Accrual system of accounting is adopted
• Since assets and liabilities are held till
maturity, a mismatch between them may lead to a
cash inflow (excess) or a cash shortage at a
particular point in time. This is normally
denoted as “Liquidity Risk”
Banking Book
• Due to changes in interest rates, assets and
liabilities are subject to interest rate risk (re-
pricing risk)
• The assets side of the balance sheet generates
credit risk, arising from defaults in payment of
interest or installments by the borrowers
• The banking book also suffers from Operational Risk
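A worked maturity ladder, added here as an example and not taken from the course material, covering both the liquidity mismatch described on the Banking Business slide and the repricing (interest rate) gap described on this Banking Book slide. Assets and liabilities are bucketed by time to maturity or next repricing; the cumulative gap per bucket shows where the cash shortage (or excess) arises, and the repricing gap within a horizon gives the approximate change in net interest income for a parallel rate shock. Bucket names and balances are constructed figures.

```python
"""Maturity ladder and repricing gap for a banking book (added example)."""

BUCKETS = ["0-1m", "1-3m", "3-6m", "6-12m", ">1y"]   # time to maturity / next repricing

# Constructed balances (currency units) by bucket; totals balance at 1,000 each.
ASSETS      = {"0-1m": 120, "1-3m": 80,  "3-6m": 60,  "6-12m": 90,  ">1y": 650}
LIABILITIES = {"0-1m": 300, "1-3m": 150, "3-6m": 100, "6-12m": 100, ">1y": 350}


def liquidity_ladder(assets, liabilities):
    """Per bucket: cash inflow from maturing assets, outflow from maturing
    liabilities, the net gap and the cumulative gap. A negative cumulative gap
    is the cash shortage the slide calls liquidity risk; a positive one is an
    excess that has to be deployed."""
    rows, cumulative = [], 0
    for b in BUCKETS:
        inflow, outflow = assets.get(b, 0), liabilities.get(b, 0)
        gap = inflow - outflow
        cumulative += gap
        rows.append({"bucket": b, "inflow": inflow, "outflow": outflow,
                     "gap": gap, "cumulative": cumulative, "shortage": cumulative < 0})
    return rows


def repricing_gap(assets, liabilities, horizon_buckets):
    """Rate-sensitive assets minus rate-sensitive liabilities that reprice
    within the horizon. Negative means liability sensitive: more liabilities
    than assets reprice soon, so rising rates squeeze the margin."""
    rsa = sum(assets.get(b, 0) for b in horizon_buckets)
    rsl = sum(liabilities.get(b, 0) for b in horizon_buckets)
    return rsa - rsl


def nii_change(assets, liabilities, horizon_buckets, rate_shock):
    """Approximate change in net interest income for a parallel rate shock
    given as a decimal (0.01 = +100 bp): delta NII ~= repricing gap x shock."""
    return repricing_gap(assets, liabilities, horizon_buckets) * rate_shock


if __name__ == "__main__":
    print(f"{'bucket':<7}{'inflow':>8}{'outflow':>9}{'gap':>7}{'cumul.':>8}  shortage")
    for r in liquidity_ladder(ASSETS, LIABILITIES):
        print(f"{r['bucket']:<7}{r['inflow']:>8}{r['outflow']:>9}{r['gap']:>7}"
              f"{r['cumulative']:>8}  {r['shortage']}")
    within_year = BUCKETS[:4]
    print("12-month repricing gap:", repricing_gap(ASSETS, LIABILITIES, within_year))
    print("NII change for +100 bp:", nii_change(ASSETS, LIABILITIES, within_year, 0.01))
```

With these figures the book is funded short and lent long: the cumulative gap reaches a shortage of 300 at twelve months before the long-dated assets close it, so that much has to be covered by borrowing or liquid assets in the meantime, and the same negative 300 repricing gap means a 100 bp rise in rates costs roughly 3 units of annual net interest income. The caps, stop-loss limits and exposure norms listed under Monitoring are the controls that keep such gaps inside an agreed band.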
Trading Book
• The trading book includes all the assets
that are held with the intention of trading,
which are marketable.
• These assets are classified as “Held for
Trading”
• These assets are subjected to Market Risk
and marked to market (MTM)
Off Balance Sheet Exposures