Risk Management in Banks

In the new liberalized economy in India, Banks and

regulators in recent years have been making
sustained efforts to understand and measure the
increasing risks they are exposed to.
With the Indian economy becoming global, the
Banks are realising the importance of different
types of risks.
Some of the risk are credit risks, market risks,
operational risks, reputational risks and legal risks,
using quantitative techniques in risk modelling.
RBI issued the first set of guidelines to Banks on
Risk Management on October 20, 1999.

A risk can be defined as an unplanned event with financial

consequences resulting in loss or reduced earnings.
Therefore, a risky proposition is one with potential profit or a
looming loss.
Risk stems from uncertainty or unpredictability of the future.
In commercial and business risk generates profit or loss
depending upon the way in which it is managed.
Risk can be defined as the volatility of the potential outcome.
Risk is the possibility of something adverse happening.
Risk management is the process of assessing risk, taking steps
to reduce risk to an acceptable level and maintaining that level
of risk.
Thus, we can say that after the risks have been identified, risk
management attempts to lessen their effects. This is done by
applying a range of management techniques. For example, the
risk may be reduced by taking out insurance or using derivatives
or re-plan the whole project.

The essential components

management system are

of

any

risk

Risk Identification i.e the naming and defining of

each type of risk associated with a transaction or
type of product or service;
Risk Measurement i.e. the estimation of the size
,probability and timing of potential loss under
various scenarios;
Risk Control-i.e. the framing of policies and
guidelines that define the risk limits not only at the
individual level but also for particular transaction

Measurement of risk is a very important step in risk management

process.
Some risk can be easily quantified like exchange risk, interest rate
risk etc. While some risks like country risk, operational risk etc.
cannot be mathematically deduced. They can only be qualitatively
compared and measured.
Some risks like gap risk in forex operations can be measured using
modern mathematical and statistical tool like value at risk etc.
Therefore it is important to identify and appreciate the risk and
quantify it. Only then the next step management of risk can be
attempted.
The management is a process consisting of the following steps.
Identify all areas of risk
evaluate these risks
set various exposure limits for
type of business
mismatches
counter parties
issue clear policy guidelines / directives.

Types of Risks :
1. Credit Risk
This is the risk of non recovery of loan or the
risk of reduction in the value of asset.
The credit risk also includes the pre-payment
risk resulting in loss of opportunity to the bank
to earn higher interest income.
Credit Risk also arises due excess exposure to
a single borrower, industry or a geographical
area.
The element of country risk is also present
which is the risk of losses being incurred due
to adverse foreign exchange reserve situation
or adverse political or economic situations in
another country

2. Interest Rate RiskThis risk arises due to fluctuations in the

interest rates. It can result in reduction in the
revenues of the bank due to fluctuations in
the interest rates which are dynamic and
which change differently for assets and
liabilities.
With the deregulated era interest rates are
market determined and banks have to fall in
line with the market trends even though it
may stifle their Net Interest margins

3. Liquidity RiskLiquidity is the ability to meet commitments

as and when they are due and ability to
undertake new transactions when they are
profitable.
Liquidity risk may emanate in any of the
following situations(a) net outflow of funds arising out of
withdrawals/non renewal of deposits
(b) non recovery of cash receipts from
recovery of loans
(c) conversion of contingent liabilities into
fund based commitment and
(d) increased availment of sanctioned limits

(4) Foreign Exchange Risk - Risk may arise on account

of maintenance of positions in forex operations and it
involves currency rate risk, transaction risks
(profits/loss on transfer of earned profits due to time
lag) and transportation risk (risks arising out of
exchange restrictions)
(5) Regulatory Risks- It is defined as the risk
associated with the impact on profitability and
financial position of a bank due to changes in the
regulatory conditions, for example the introduction of
asset classification norms have adversely affected
the banks of NPAs and balance sheet bottom lines.
(6) Technology Risk - This risk is associated with
computers and the communication technology which
is being increasingly introduced in the banks. This
entails the risk of obsolescence and the risk of losing
business to better technologically

(7) Market Risk-This is the risk of losses in off

and on balance sheet positions arising from
movements in market prices.
(8) Strategic Risk-This is the risk arising out
of certain strategic decisions taken by the
banks for sustaining themselves in the
present day scenario for example decision to
open a subsidiary may run the risk of losses if
the subsidiary does not do good business.

The essential components of any risk management system are

(i) Risk Identification-i.e the naming and defining of each type of
risk associated with a transaction or type of product or service
(ii) Risk Measurement-i.e. the estimation of the size ,probability
and timing of potential loss under various scenarios
(iii) Risk Control-i.e. the framing of policies and guidelines that
define the risk limits not only at the individual level but also for
particular transactions
In risk management exercise the top management has to lay down
clear cut policy guidelines in quantifiable and precise terms - for
different layers line personnel business parameters, limits etc. It
is very important for the management to plant at the macro level
what the organisations is looking in for in any business
proposition or venture and convert these expectations into micro
level factors and requirements for field level functionaries only
then they will be able to convert these expectations into reality. A
very important assumption is made but normally omitted or over
looked is provision of infra-structural support and conductive
climate. Ultimately top management has a greater role to play in
any risk management process

CREDIT RISK
Credit risk is defined as the possibility of losses
associated with diminution in the credit quality of
borrowers or counterparties.
In a banks portfolio, losses stem from outright
default due to inability or unwillingness of a
customer or counterparty to meet commitments in
relation to lending, trading, settlement and other
financial transactions.
Alternatively, losses result from reduction in
portfolio value arising from actual or perceived
deterioration in credit quality.
Credit risk emanates from a banks dealings with an
individual, corporate, bank, financial institution or a
sovereign.

Credit risk may take the following forms:

in the case of direct lending: principal /and or
interest amount may not be repaid;
in the case of guarantees or letters of credit:
funds may not be forthcoming from the
constituents upon crystallization of the liability;
in the case of treasury operations: the payment
or series of payments due from the counter
parties under the respective contracts may not be
forthcoming or ceases;
in the case of securities trading businesses:
funds/ securities settlement may not be effected;
in the case of cross-border exposure: the
availability and free transfer of foreign currency
funds may either cease or restrictions may be
imposed by the sovereign.

In this backdrop, it is imperative that banks have a

robust credit risk management system which is
sensitive and responsive to these factors.
The effective management of credit risk is a critical
component of comprehensive risk management and is
essential for the long term success of any banking
organisation.
The
Credit
risk
management
encompasses
identification, measurement, monitoring and control
of the credit risk exposures.
Building Blocks of Credit Risk Management:
In a bank, an effective credit risk management
framework would comprise of the following distinct
building blocks:
a) Policy and Strategy
b) Organisational Structure
c) Operations/ Systems

Policies and Strategies

The Board of Directors of each bank shall be responsible for
approving and periodically reviewing the credit risk strategy and
significant credit risk policies.
Credit Risk Policy
Every bank should have a credit risk policy document approved
by the Board. The document should include risk identification,
risk measurement, risk grading/ aggregation techniques,
reporting
and
risk
control/
mitigation
techniques,
documentation, legal issues and management of problem loans.
Credit risk policies should also define target markets, risk
acceptance criteria, credit approval authority, credit origination/
maintenance
procedures
and
guidelines
for
portfolio
management.
The credit risk policies approved by the Board should be
communicated to branches/controlling offices. All dealing
officials should clearly understand the banks approach for credit
sanction and should be held accountable for complying with
established policies and procedures.
Senior management of a bank shall be responsible for
implementing the credit risk policy approved by the Board.

Credit Risk Strategy

v Each bank should develop, with the approval of its Board, its
own credit risk strategy or plan that establishes the objectives
guiding the banks credit-granting activities and adopt necessary
policies/ procedures for conducting such activities. This strategy
should spell out clearly the organisations credit appetite and the
acceptable level of risk-reward trade-off for its activities.
v The strategy would, therefore, include a statement of the
banks willingness to grant loans based on the type of economic
activity, geographical location, currency, market, maturity and
anticipated profitability. This would necessarily translate into the
identification of target markets and business sectors, preferred
levels of diversification and concentration, the cost of capital in
granting credit and the cost of bad debts.
v The credit risk strategy should provide continuity in approach
as also take into account the cyclical aspects of the economy and
the resulting shifts in the composition/ quality of the overall
credit portfolio. This strategy should be viable in the long run and
through various credit cycles.
v Senior management of a bank shall be responsible for
implementing the credit risk strategy approved by the Board.

Organisational Structure
Sound organizational structure is sine qua non (end result) for
successful implementation of an effective credit risk management
system.
The organizational structure for credit risk management should have
the following basic features:
The Board of Directors should have the overall responsibility for
management of risks.
The Board should decide the risk management policy of the bank
and set limits for liquidity, interest rate, foreign exchange and
equity price risks.
The Risk Management Committee will be a Board level Sub
committee including CEO and heads of Credit, Market and
Operational Risk Management Committees.
It will devise the policy and strategy for integrated risk management
containing various risk exposures of the bank including the credit
risk.
For this purpose, this Committee should effectively coordinate
between the Credit Risk Management Committee (CRMC), the Asset
Liability Management Committee and other risk committees of the
bank, if any. It is imperative that the independence of this
Committee is preserved.

The Board should, therefore, ensure that

this is not compromised at any cost.
In the event of the Board not accepting any
recommendation
of
this
Committee,
systems should be put in place to spell out
the rationale for such an action and should
be properly documented.
This document should be made available to
the internal and external auditors for their
scrutiny and comments.
The credit risk strategy and policies
adopted by the committee should be
effectively communicated throughout the
organisation.

Each bank may, depending on the size of the organization or

loan/ investment book, constitute a high level Credit Risk
Management Committee (CRMC).
The Committee should be headed by the Chairman/CEO/ED,
and should comprise of heads of Credit Department, Treasury,
Credit Risk Management Department (CRMD) and the Chief
Economist. The functions of the Credit Risk Management
Committee should be as under:
Be responsible for the implementation of the credit risk
policy/ strategy approved by the Board.
Monitor credit risk on a bank wide basis and ensure
compliance with limits approved by the Board.
Recommend to the Board, for its approval, clear policies on
standards for presentation of credit proposals, financial
covenants, rating standards and benchmarks,
Decide delegation of credit approving powers, prudential
limits on large credit exposures, standards for loan collateral,
portfolio
management,
loan
review
mechanism,
risk
concentrations, risk monitoring and evaluation, pricing of
loans, provisioning, regulatory/legal compliance, etc.

Concurrently, each bank should also set up Credit Risk

Management Department (CRMD), independent of the
Credit Administration Department. The CRMD should:
Measure, control and manage credit risk on a bankwide basis within the limits set by the Board/ CRMC
Enforce compliance with the risk parameters and
prudential limits set by the Board/ CRMC.
Lay down risk assessment systems, develop MIS,
monitor quality of loan/ investment portfolio, identify
problems, correct deficiencies and undertake loan
review/audit. Large banks could consider separate set
up for loan review/audit.
Be accountable for protecting the quality of the
entire loan/ investment portfolio. The Department
should undertake portfolio evaluations and conduct
comprehensive studies on the environment to test the
resilience of the loan portfolio.

Operations / Systems
Banks should have in place an appropriate credit
administration, credit risk measurement and
monitoring processes. The credit administration
process typically involves the following phases:
Relationship management phase i.e. business
development.
Transaction management phase covers risk
assessment, loan
pricing, structuring the
facilities, internal approvals, documentation,
loan administration, on going monitoring and
risk measurement.
Portfolio management phase entails monitoring
of the portfolio at a macro level and the
management of problem loans.

On the basis of the broad management framework stated above, the banks
should have the following credit risk measurement and monitoring procedures:
Banks should establish proactive credit risk management practices like
annual / half yearly industry studies and individual obligor reviews, periodic
credit calls that are documented, periodic visits of plant and business site, and
at least quarterly management reviews of troubled exposures/weak credits.
Banks should have a system of checks and balances in place for extension of
credit viz.:
- Separation of credit risk management from credit sanction
- Multiple credit approvers making financial sanction subject to approvals at
various stages viz. credit ratings, risk approvals, credit approval grid, etc.
- An independent audit and risk review function.
The level of authority required to approve credit will increase as amounts and
transaction risks increase and as risk ratings worsen.
Every obligor and facility must be assigned a risk rating.
Mechanism to price facilities depending on the risk grading of the customer,
and to attribute accurately the associated risk weightings to the facilities.
Banks should ensure that there are consistent standards for the origination,
documentation and maintenance for extensions of credit.
Banks should have a consistent approach towards early problem recognition,
the classification of problem exposures, and remedial action.
Banks should maintain a diversified portfolio of risk assets; have a system to
conduct regular analysis of the portfolio and to ensure on-going control of risk
concentrations.

 Credit risk limits include, obligor limits and concentration limits by

industry or geography. The Boards should authorize efficient and
effective credit approval processes for operating within the approval
limits.
In order to ensure transparency of risks taken, it is the responsibility
of banks to accurately, completely and in a timely fashion, report the
comprehensive set of credit risk data into the independent risk
system.
Banks should have systems and procedures for monitoring financial
performance of customers and for controlling outstanding within
limits.
A conservative policy for provisioning in respect of non-performing
advances may be adopted.
Successful credit management requires experience, judgement and
commitment to technical development. Banks should have a clear,
well-documented scheme of delegation of powers for credit sanction.
Banks must have a Management Information System (MIS), which
should enable them to manage and measure the credit risk inherent in
all on- and off-balance sheet activities. The MIS should provide
adequate information on the composition of the credit portfolio,
including identification of any concentration of risk. Banks should
price their loans according to the risk profile of the borrower and the
risks associated with the loans.

Interest Rate Risk (IRR) Management

What is Interest Rate Risk :
Interest rate risk is the risk where changes in market
interest rates might adversely affect a banks financial
condition. The management of Interest Rate Risk should be
one of the critical components of market risk management
in banks. The regulatory restrictions in the past had greatly
reduced many of the risks in the banking system.
Deregulation of interest rates has, however, exposed them
to the adverse impacts of interest rate risk. T
What is the Impact of IRR:
The immediate impact of changes in interest rates is on the
Net Interest Income (NII). A long term impact of changing
interest rates is on the banks networth since the economic
value of a banks assets, liabilities and off-balance sheet
positions get affected due to variation in market interest
rates.

The Net Interest Income (NII) or Net Interest Margin

(NIM) of banks is dependent on the movements of
interest rates. Any mismatches in the cash flows
(fixed assets or liabilities) or repricing dates
(floating assets or liabilities), expose banks NII or
NIM to variations. The earning of assets and the
cost of liabilities are closely related to market
interest rate volatility.
The interest rate risk when viewed from these two
perspectives is known as earnings perspective
and economic value perspective, respectively.
Management of interest rate risk aims at capturing
the risks arising from the maturity and repricing
mismatches and is measured both from the
earnings and economic value perspective.

(a) Earnings perspective involves analysing the

impact of changes in interest rates on accrual or
reported earnings in the near term. This is
measured by measuring the changes in the Net
Interest Income (NII) or Net Interest Margin (NIM)
i.e. the difference between the total interest
income and the total interest expense.
(b) Economic Value perspective involves
analysing the changes of impact og interest on the
expected cash flows on assets minus the expected
cash flows on liabilities plus the net cash flows on
off-balance sheet items. It focuses on the risk to
networth arising from all repricing mismatches and
other interest rate sensitive positions. The
economic value perspective identifies risk arising
from long-term interest rate gaps.

Board and senior management oversight of

interest rate risk
Principle 1: In order to carry out its responsibilities, the
board of directors in a bank should approve strategies
and policies with respect to interest rate risk
management and ensure that senior management takes
the steps necessary to monitor and control these risks.
The board of directors should be informed regularly of
the interest rate risk exposure of the bank in order to
assess the monitoring and controlling of such risk.
Principle 2: Senior management must ensure that the
structure of the bank's business and the level of interest
rate risk it assumes are effectively managed, that
appropriate policies and procedures are established to
control and limit these risks, and that resources are
available for evaluating and controlling interest rate risk.

Principle 3: Banks should clearly define the individuals and/or

committees responsible for managing interest rate risk and should
ensure that there is adequate separation of duties in key elements
of the risk management process to avoid potential conflicts of
interest. Banks should have risk measurement, monitoring and
control functions with clearly defined duties that are sufficiently
independent from position-taking functions of the bank and which
report risk exposures directly to senior management and the board
of directors. Larger or more complex banks should have a
designated independent unit responsible for the design and
administration of the bank's interest rate risk measurement,
monitoring and control functions.
Adequate risk management policies and procedures
Principle 4: It is essential that banks' interest rate risk policies
and procedures are clearly defined and consistent with the nature
and complexity of their activities. These policies should be applied
on a consolidated basis and, as appropriate, at the level of
individual affiliates, especially when recognising legal distinctions
and possible obstacles to cash movements among affiliates.

Principle 5: It is important that banks identify the

risks inherent in new products and activities and
ensure these are subject to adequate procedures
and
controls
before
being
introduced
or
undertaken. Major hedging or risk management
initiatives should be approved in advance by the
board or its appropriate delegated committee.
Risk measurement, monitoring and control
functions
Principle 6: It is essential that banks have interest
rate risk measurement systems that capture all
material sources of interest rate risk and that
assess the effect of interest rate changes in ways
that are consistent with the scope of their
activities. The assumptions underlying the system
should be clearly understood by risk managers and

Principle 7: Banks must establish and enforce

operating limits and other practices that maintain
exposures within levels consistent with their
internal policies.
Principle 8: Banks should measure their
vulnerability to loss under stressful market
conditions - including the breakdown of key
assumptions - and consider those results when
establishing and reviewing their policies and limits
for interest rate risk.
Principle 9: Banks must have adequate
information systems for measuring, monitoring,
controlling and reporting interest rate exposures.
Reports must be provided on a timely basis to the
bank's board of directors, senior management and,
where appropriate, individual business line

Internal controls
Principle 10: Banks must have an adequate system of
internal controls over their interest rate risk management
process. A fundamental component of the internal control
system involves regular independent reviews and evaluations
of the effectiveness of the system and, where necessary,
ensuring that appropriate revisions or enhancements to
internal controls are made. The results of such reviews should
be available to the relevant supervisory authorities.
Information for supervisory authorities
Principle 11: Supervisory authorities should obtain from
banks sufficient and timely information with which to
evaluate their level of interest rate risk. This information
should take appropriate account of the range of maturities
and currencies in each bank's portfolio, including off-balance
sheet items, as well as other relevant factors, such as the
distinction between trading and non-trading activities.

Capital adequacy
Principle 12: Banks must hold capital commensurate with the level of
interest rate risk they undertake.
Disclosure of interest rate risk
Principle 13: Banks should release to the public information on the
level of interest rate risk and their policies for its management.

Sources, effects and measurement of interest rate risk

Interest rate risk is the exposure of a bank's financial condition to
adverse movements in interest rates. Accepting this risk is a normal
part of banking and can be an important source of profitability and
shareholder value. However, excessive interest rate risk can pose a
significant threat to a bank's earnings and capital base. Changes in
interest rates affect a bank's earnings by changing its net interest
income and the level of other interest-sensitive income and operating
expenses. Changes in interest rates also affect the underlying value of
the bank's assets, liabilities and off-balance sheet instruments
because the present value of future cash flows (and in some cases,
the cash flows themselves) change when interest rates change.

Liquidity Risk Management

What is Liquidity Risk :
Liquidity risk is the potential inability to meet the
liabilities as they become due. It arises when the
banks are unable to generate cash to cope with a
decline in deposits or increase in assets. It
originates from the mismatches in the maturity
pattern of assets and liabilities.
Importance of Liquidity Risk :
Measuring and managing liquidity needs are vital
for effective operation of commercial banks. By
assuring a banks ability to meet its liabilities as
they become due, liquidity management can
reduce the probability of an adverse situation
developing.

Liquidity Risk Management

Analysis of liquidity risk involves the measurement
of not only the liquidity position of the bank on an
ongoing basis but also examining how funding
requirements are likely to be affected under crisis
scenarios.
Net
funding
requirements
are
determined by analyzing the banks future cash
flows based on assumptions of the future behavior
of assets and liabilities that are classified into
specified time buckets and then calculating the
cumulative net flows over the time frame for
liquidity assessment.
Future cash flows are to be analysed under what
if scenarios so as to assess any significant positive
/ negative liquidity swings that could occur on a
day-to-day basis and under bank specific and

Factors to be taken into consideration while

determining liquidity of the banks future stock of
assets and liabilities include
their potential marketability,
the extent to which maturing assets /liability will be
renewed,
the acquisition of new assets / liability and
the normal growth in asset / liability accounts.
Factors affecting the liquidity of assets and
liabilities of the bank cannot always be forecast
with precision. Hence they need to be reviewed
frequently to determine their continuing validity,
especially given the rapidity of change in financial
markets.

The liquidity risk in banks manifest in different dimensions:

i) (a) Funding Risk need to replace net outflows due to
unanticipated withdrawal/non-renewal of deposits (wholesale and
retail);
(b) Time Risk need to compensate for non-receipt of expected
inflows of funds, i.e. performing assets turning into non-performing
assets; and
(c) Call Risk due to crystallisation of contingent liabilities and
unable to undertake profitable business opportunities when desirable.
How is it measured :
Liquidity measurement is quite a difficult task and can be measured
through stock or cash flow approaches. The key ratios, adopted across
the banking system are
Loans to Total Assets,
Loans to Core Deposits,
Large Liabilities (minus) Temporary Investments to Earning Assets
(minus) Temporary Investments,
Purchased Funds to Total Assets,
Loan Losses/Net Loans,

However, the ratios do not reveal the intrinsic

liquidity profile of Indian banks which are operating
generally in an illiquid market. Experiences show
that assets commonly considered as liquid like
Government securities, other money market
instruments, etc. have limited liquidity as the
market and players are unidirectional.
Thus, analysis of liquidity involves tracking of cash
flow mismatches. For measuring and managing net
funding requirements, the use of maturity ladder
and calculation of cumulative surplus or deficit of
funds at selected maturity dates is recommended
as a standard tool.

The following prudential limits are considered by

Banks to put in place to avoid liquidity crisis:i) (i) Cap on inter-bank borrowings, especially call
borrowings; ii) Purchased funds vis--vis liquid
assets; iii) Core deposits vis--vis Core Assets i.e.
Cash Reserve Ratio, Statutory Liquidity Ratio and
Loans; iv) Duration of liabilities and investment
portfolio; v) Maximum Cumulative Outflows across
all time bands; vi) Commitment Ratio track the
total commitments given to corporates / banks and
other financial institutions to limit the off-balance
sheet exposure; vii) Swapped Funds Ratio, i.e.
extent of Indian Rupees raised out of foreign
currency sources.

BCBS Principles for the Assessment of

Liquidity Management in Banks
Developing
a
Structure
for
Managing
Liquidity
Principle 1: Each bank should have an agreed
strategy for the day-to-day management of
liquidity. This strategy should be communicated
throughout the organisation.
Principle 2: A banks board of directors should
approve the strategy and significant policies
related to the management of liquidity. The board
should also ensure that senior management takes
the steps necessary to monitor and control liquidity
risk. The board should be informed regularly of the
liquidity situation of the bank and immediately if
there are any material changes in the banks

Principle 3: Each bank should have a

management structure in place to execute
effectively the liquidity strategy. This structure
should include the ongoing involvement of
members
of
senior
management.
Senior
management must ensure that liquidity is
effectively managed, and that appropriate policies
and procedures are established to control and limit
liquidity risk. Banks should set and regularly review
limits on the size of their liquidity positions over
particular time horizons.
Principle 4: A bank must have adequate
information systems for measuring, monitoring,
controlling and reporting liquidity risk. Reports
should be provided on a timely basis to the banks
board of directors, senior management and other

Measuring and Monitoring Net Funding

Requirements
Principle 5: Each bank should establish a process
for the ongoing measurement and monitoring of
net funding requirements.
Principle 6: A bank should analyse liquidity
utilising a variety of what if scenarios.
Principle 7: A bank should review frequently the
assumptions utilised in managing liquidity to
determine that they continue to be valid.
Managing Market Access
Principle 8: Each bank should periodically review
its efforts to establish and maintain relationships
with liability holders, to maintain the diversification
of liabilities, and aim to ensure its capacity to sell

Contingency Planning
Principle 9: A bank should have contingency plans in place that
address the strategy for handling liquidity crises and include
procedures for making up cash flow shortfalls in emergency
situations.
Foreign Currency Liquidity Management
Principle 10: Each bank should have a measurement,
monitoring and control system for its liquidity positions in the
major currencies in which it is active. In addition to assessing its
aggregate foreign currency liquidity needs and the acceptable
mismatch
in
combination
with
its
domestic
currency
commitments, a bank should also undertake separate analysis of
its strategy for each currency individually.
Principle 11: Subject to the analysis undertaken according to
Principle 10, a bank should, where appropriate, set and regularly
review limits on the size of its cash flow mismatches over
particular time horizons for foreign currencies in aggregate and
for each significant individual currency in which the bank
operates.

Internal Controls for Liquidity Risk Management

Principle 12: Each bank must have an adequate system of
internal controls over its liquidity risk management process.
A fundamental component of the internal control system
involves regular independent reviews and evaluations of
the effectiveness of the system and, where necessary,
ensuring that appropriate revisions or enhancements to
internal controls are made. The results of such reviews
should be available to supervisory authorities.
Role of Public Disclosure in Improving Liquidity
Principle 13: Each bank should have in place a
mechanism for ensuring that there is an adequate level of
disclosure of information about the bank in order to manage
public perception of the organisation and its soundness.
Sound Practices for managing liquidity in banking
organizations, Basel Committee on Banking Supervision,
February, 2000

OPERATIONAL RISK (OR)

What is Operational Risk ?
Operational risk has been defined by the Basel
Committee on Banking Supervision1 as the risk of loss
resulting from inadequate or failed internal processes,
people and systems or from external events. This
definition is based on the underlying causes of
operational risk. It seeks to identify why a loss happened
and at the broadest level includes the breakdown by four
causes: people, processes, systems and external factors.
Management of specific operational risks is not a new
practice; it has always been important for banks to try to
prevent fraud, maintain the integrity of internal controls,
reduce errors in transaction processing, and so on.
However, what is relatively new is the view of operational
risk
management
as
a
comprehensive
practice
comparable to the management of credit and market risk.

Growing number of high-profile operational loss events worldwide

have led banks and supervisors to increasingly view operational
risk management as an inclusive discipline. OR can arise from
internal and external fraud, failure to comply with employments
laws or meet workplace safety standards, policy breaches,
compliance breaches, key personnel risks, damage to physical
assets, business disruptions and system failures, transaction
processing failures, information security breaches and the like.
The Basel Committee on Banking supervision has recognized that
managing OR is becoming an important feature of sound risk
management practice in modern financial markets. The Committee
has noted that the most important types of operational risk
involve
breakdowns
in
internal
controls
and
corporate
governance. Such breakdowns can lead to financial losses through
error, fraud or failure to perform within accepted time-lines or
cause the interests of the bank to be compromised in some other
way, for example by its dealers, lending officers or other staff
exceeding their authority or conducting business in an unethical
or risky manner. Other aspects of operational risk include major
failure of information technology systems or events such as major
fires or other disasters.

The Basel Committee has identified the following types of operational

risk events as having the potential to result in substantial losses:Internal fraud. For example, intentional misreporting of positions,
employee theft, and insider trading on an employees own account.
External fraud. For example, robbery, forgery, cheque kiting, and
damage from computer hacking.
Employment practices and workplace safety. For example, workers
compensation claims, violation of employee health and safety rules,
organised labour activities, discrimination claims, and general liability.
Clients, products and business practices. For example, fiduciary
breaches, misuse of confidential customer information, improper
trading activities on the banks account, money laundering, and sale
of unauthorised products.
Damage to physical assets. For example, terrorism, vandalism,
earthquakes, fires and floods.
Business disruption and system failures. For example, hardware and
software failures, telecommunication problems, and utility outages.
Execution, delivery and process management. For example: data entry
errors,
collateral
management
failures,
incomplete
legal
documentation, and unauthorized access given to client accounts,
non-client counterparty mis-performance, and vendor disputes.

Several recent cases demonstrate that inadequate internal

controls can lead to significant losses for banks. The types of
control break-downs may be grouped into five categories:
Lack of Control Culture - Managements inattention and laxity
in control culture, insufficient guidance and lack of clear
management accountability.
Inadequate recognition and assessment of the risk of certain
banking activities, whether on-or-off-balance sheet. Failure to
recognise and assess the risks of new products and activities or
update the risk assessment when significant changes occur in
business conditions or environment. Many recent cases highlight
the fact that control systems that function well for traditional or
simple products are unable to handle more sophisticated or
complex products.
Absence/failure of key control structures and activities, such as
segregation of duties, approvals, verifications, reconciliations
and reviews of operating performance.
Inadequate communication of information between levels of
management within the bank upward, downward or crossfunctional.
Inadequate /effective audit/monitoring programs.

Measuring Operational Risk

Operational risk is more difficult to measure than
market or credit risk due to the non-availability of
objective data, redundant data, lack of knowledge of
what to measure etc. Operational risk, however, is an
ill-defined inside measurement, related to the
measures of internal performance, such as internal
audit ratings, volume, turnover, error rates and
income volatility, interaction of people, processes,
methodologies,
technology
systems,
business
terminology and culture.
Risk Management Tools
A robust operational risk management process
consists of clearly defined steps which involve
identification of the risk events, analysis,
assessment of the impact,
treatment and reporting.

While sophisticated tools for measuring and managing

operational risks are still to evolve, the current practices in
this area are based on self-assessment. The starting point is
the development of enterprise-wise generic standards for OR
which includes Corporate Governance standards. It is
extremely important for a robust risk management framework
that the operational risks are managed where they originate.
Risk management and compliance monitoring is a line
management function and the risk culture has to be driven by
the line Manager. It is, therefore, the line managers
responsibility to develop the generic operational risk standards
applicable to his line of business. The purpose of this tool is to
set minimum operational risk standards for all business and
functional units to establish controls and monitor risks through
Control Standards and Risk Indicators. Once the standards are
set, the line manager has to undertake a periodic operational
risk self assessment to identify key areas of risk so that
necessary risk based controls and checks can be developed to
monitor and mitigate the risks. Control Standards set minimum
controls and minimum requirements for self-assessment of
effectiveness of controls for the key processes.

The Risk indicators identify operational risks and control

weaknesses through statistical trend analysis. The Risk
Indicators are reviewed periodically to ensure that they are
constantly updated. Reporting is a very important tool in the
management of operational risks since it ensures timely
escalation and senior management overview. Reporting
should include significant operational risk exceptions,
corporate governance exceptions, minutes of meetings of
Operations Risk Committee and real time incident reports.
Conclusion
Operational Risk management is one of the most complex
and fastest growing areas in banking across the world. The
methods to quantify the risk are evolving rapidly but though
they are still far away from the desired levels. Nevertheless,
it is extremely important that the significance and impact of
this risk area on the overall viability of a banking enterprise
is given due recognition so that there are strong incentives
for banks to continue to work towards developing models to
measure operational risks and to hold the required capital
buffers for this risk.

What is ALM ?
ALM is a comprehensive and dynamic framework for
measuring, monitoring and managing the market risk of a
bank. It is the management of structure of balance sheet
(liabilities and assets) in such a way that the net earning from
interest is maximised within the overall risk-preference
(present and future) of the institutions. The ALM functions
extend to liquidly risk management, management of market
risk, trading risk management, funding and capital planning
and
profit
planning
and
growth
projection.
Benefits of ALM - It is a tool that enables bank managements
to take business decisions in a more informed framework with
an eye on the risks that bank is exposed to. It is an integrated
approach to financial management, requiring simultaneous
decisions about the types of amounts of financial assets and
liabilities - both mix and volume - with the complexities of the
financial markets in which the institution operates

The concept of ALM is of recent origin in India. It has been

introduced in Indian Banking industry w.e.f. 1 st April, 1999. ALM is
concerned with risk management and provides a comprehensive
and dynamic framework for measuring, monitoring and
managing liquidity, interest rate, foreign exchange and equity
and commodity price risks of a bank that needs to be closely
integrated with the banks business strategy.
Therefore, ALM is considered as an important tool for monitoring,
measuring and managing the market risk of a bank. With the
deregulation of interest regime in India, the Banking industry has
been exposed to the market risks. To manage such risks, ALM is
used so that the management is able to assess the risks and
cover some of these by taking appropriate decisions.
The assets and liabilities of the banks balance sheet are nothing
but future cash inflows or outflows. With a view to measure the
liquidity and interest rate risk, banks use of maturity ladder and
then calculate cumulative surplus or deficit of funds in different
time slots on the basis of statutory reserve cycle, which are
termed as time buckets.

As a measure of liquidity management, banks are required to

monitor their cumulative mismatches across all time buckets
in their Statement of Structural Liquidity by establishing
internal prudential limits with the approval of the Board /
Management Committee.
The ALM process rests on three pillars:
ALM Information Systems
Management Information Systems
Information availability, accuracy, adequacy and expediency

ALM Organisation
Structure and responsibilities
Level of top management involvement

ALM Process
Risk
Risk
Risk
Risk

parameters
identification
measurement
management

Risk policies and tolerance levels.

As per RBI guidelines, commercial banks are to distribute

the outflows/inflows in different residual maturity period
known as time buckets. The Assets and Liabilities were
earlier divided into 8 maturity buckets (1-14 days; 15-28
days; 29-90 days; 91-180 days; 181-365 days, 1-3 years and
3-5 years and above 5 years), based on the remaining
period to their maturity (also called residual maturity). All
the liability figures are outflows while the asset figures are
inflows. In September, 2007, having regard to the
international practices, the level of sophistication of banks
in India, the need for a sharper assessment of the efficacy
of liquidity management and with a view to providing a
stimulus for development of the term-money market, RBI
revised these guidelines and it was provided that
(a) the banks may adopt a more granular approach to
measurement of liquidity risk by splitting the first time
bucket (1-14 days at present) in the Statement of
Structural Liquidity into three time buckets viz., next day ,
2-7 days and 8-14 days. Thus, now we have 10 time
buckets.

After such an exercise, each bucket of assets is

matched with the corresponding bucket of the
liabililty. When in a particular maturity bucket, the
amount of maturing liabilities or assets does not
match, such position is called a mismatch position,
which creates liquidity surplus or liquidity crunch
position and depending upon the interest rate
movement, such situation may turnout to be risky for
the bank. Banks are required to monitor such
mismatches and take appropriate steps so that bank
is not exposed to risks due to the interest rate
movements during that period.
(b) The net cumulative negative mismatches during
the Next day, 2-7 days, 8-14 days and 15-28 days
buckets should not exceed 5 % ,10%, 15 % and 20 %
of the cumulative cash outflows in the respective
time buckets in order to recognise the cumulative
impact on liquidity.

The Boards of the Banks have been entrusted

with
the
overall
responsibility
for
the
management of risks and is required to decide
the risk management policy and set limits for
liquidity, interest rate, foreign exchange and
equity price risks.
Asset-Liability Committee (ALCO) is the top
most committee to oversee the implementation
of ALM system and it is to be headed by CMD or
ED. ALCO considers product pricing for both
deposits and advances, the desired maturity
profile of the incremental assets and liabilities
in addition to monitoring the risk levels of the
bank. It will have to articulate current interest
rates view of the bank and base its decisions for
future business strategy on this view.