Customer protection
• On-site reviews will focus on high risk areas and industry-wide challenges
• Specialized Teams to address challenges emerging from high risk areas
• Focus supervisory bandwidth on high risk areas
• A reflection on the risk elements (inherent business risks and effectiveness of control).
• Aiming to determine the overall probability of failure of the bank in light of risks to which the bank is exposed, strength of control/governance and oversight framework in place and available capital.
Based on the exercise, the bank would be apprised of the direction/trend of key risk
groups along with the overall risk faced by it. Further, a risk mitigation plan, comprising
the need for improving controls, augmenting capital and/or restructuring business,
would be given to the bank.
The supervisory intervention, including placing a bank under the Prompt Corrective
Action (PCA) framework, if required, would be based on the supervisory rating and
the risk-impact score of the bank.
REGULATORY COMPLIANCE - Expected loss
1. Assessment of Regulatory Compliance is a distinct activity under SPARC.
2. Assessment of CRAR is part of Regulatory Compliance, for the purpose of assessing available capital.

MEASUREMENT OF UNEXPECTED LOSSES - STANDARDISED
MEASUREMENT OF UNEXPECTED LOSSES - BANK SPECIFIC OVER AND ABOVE STANDARDISED
1. SREP subsumed.
2. Both Pillar I & II risk covered under SPARC.
3. Independent measurement of unexpected losses under SPARC-Proprietary framework.
4. No reference to regulatory guidelines/Standardised approaches.
UNEXPECTED LOSSES = AGGREGATE RISK (SPARC)
[Figure: Supervision approaches compared, CAMELS (Regulatory Compliance; Focused on Expected Losses) and Risk Based SPARC. Labels in the figure: Intensive / Focused Compliance Transaction Testing; Structured Assessment; Pillar II Risks; SREP (Separate exercise); Assessed CRAR; Input for risk assessment.]
Output = Report, Rating, MAP Output = Report - Risk Scores, SCR, RISK Rating, RMP
INHERENT RISK
• Inherent risk arises due to uncertainty in the business operations of a bank that has the potential to translate into unexpected loss in future.
• Inherent risk is the susceptibility of the Economic Capital of a bank due to the nature of businesses it undertakes at the existing level of controls.
• Risk Indicators are a proxy for unexpected losses, moderated through subjective assessment
CONTROL GAP RISK
• Control Gap risk measures the gaps in adequacy and robustness of system and control put in place by the bank for mitigating the Inherent risk. Gaps accentuate the inherent risk.
• RISK CATEGORY LEVEL
• GOVERNANCE & OVERSIGHT –Bank level
Unexpected loss measurement goes beyond the regulatory compliance assessment
In the SPARC framework, the focus is on the unexpected losses for which
provisions have not been created. Examples of parameters to assess unexpected
losses are given below:
1 Credit Risk
• Rating downgrade which is an indication of deterioration of portfolio quality which affects default risk but provisions not created
• Exposures instead of outstanding being taken for Risk Indicators
• Upgradation of Substandard assets
2 Market Risk
• Variation between Peak PV01 and Average PV01
• MTM of HTM portfolio which is the potential for losses not already provided for
3 Liquidity Risk
• No. of days net borrower is an indication of impending liquidity risk if the markets dry up or if interest rates go up.
1 Credit Risk
Whether process for identification, measurement and monitoring of credit concentration risk are adequate? If not, then there is control gap which can lead to unexpected losses
2 Market Risk
Are the Stress tests conducted on the portfolio relevant to the scale and complexity of position and operation. If not then in times of stress, the losses could be much more than estimated/provided by the bank
3 Liquidity Risk
Does the bank measure expected daily gross liquidity inflows and outflows, anticipate the intraday timing of these flows where possible, and forecast the range of potential net funding shortfalls that might arise at different points during the day?
[Figure labels: Board; Senior Management; Risk Governance; Internal Audit; Business Risks; Op (IT) Risk; Credit Risk; Market Risk]
(Certain Pillar II risks are re-aligned with Pillar I risks for assessment purpose)
Inherent Risk 13
Control Gap Risk
Credit Risk
Tranche II (260 information parameters), Discussions with bank management, Standard list of documents (please refer Compendium): Assessment of Gaps in Controls
Tranche II (59 information parameters), Standard list of documents (please refer Compendium), etc.: Assessment Gaps in Governance & Oversight
Oversight &
Governance
Market Risk 20% 70% 30%
Risk Group
Satisfactory (B):
• Probability of failure within the acceptable Supervisory Risk Appetite
Unsatisfactory (C):
• Probability of failure marginally higher than Supervisory Comfort
Poor (D):
• High probability of failure
• Need for additional capital & for restructuring business
• Placement under PCA Framework & monthly monitoring
Very Poor (E):
• Bank no longer a viable entity
• Need for winding up/merger/amalgamation
A sound internal audit function:
• Contributes to the effectiveness of the internal control systems
• Provides high quality counsel to management
• Ensures regulatory compliances
5. Risk Based Internal Audit (RBIA) Framework – Strengthening Governance arrangements
RBI/2020-21/83
Ref.No.DoS.CO.PPG./SEC.04/11.01.005/2020-21, 7th January, 2021
Well defined RBIA policy, duly approved by the Board, needs to be developed.
Board of Directors and top management responsible for an effective RBIA system
and ensuring that its importance is understood throughout the bank.
Risk Assessment Process includes:
• Identification of inherent business risks in various activities
• Evaluation of the effectiveness of the control systems
• Drawing up a risk-matrix for taking into account both the factors viz., inherent business risks and control risks.
B – Very High Risk – The high inherent business risk coupled with medium control risk makes this a Very High Risk area.
C – Extremely High Risk – Both the inherent business risk and control risk are high which makes this an Extremely High Risk area. This area would require immediate audit attention, maximum allocation of audit resources besides ongoing monitoring by the bank’s top management.
D – Medium Risk – Although the control risk is low this is a Medium Risk area due to medium inherent business risks.
E – High Risk – Although the inherent business risk is medium this is a High Risk area because of control risk also being medium.
F – Very High Risk – Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.
G – Low Risk – Both the inherent business risk and control risk are low.
H – Medium Risk – The inherent business risk is low and the control risk is medium.
I – High Risk – Although the inherent business risk is low, due to high control risk this becomes a High Risk area.
INDIAN INSTITUTE OF BANKING & FINANCE
RISK ASSESSMENT RATINGS
Based on the level and direction of risk, the Risk assessment
ratings could be any of the fifteen as shown below:
OVERALL RISK DIRECTION
1. Extremely High Risk Increasing/Stable/Decreasing
Level of
Operational Risk Compliance Transaction
Testing
Branch Management
Earning Risk – General
- Security
Between 40 – 65 Medium
Below 40 High
Up to + 5% to – 5% Stable
The Audit Plan should prioritize audit work to give greater attention to the areas of:
• High Magnitude and high frequency
• High Magnitude and medium frequency
• Medium magnitude and high frequency
• High magnitude and low frequency
• Medium Magnitude and medium frequency.
ILLUSTRATIVE AUDIT SCHEDULE
OVERALL RISK CATEGORY       DIRECTION                       AUDIT FREQUENCY (MONTHS)
Extremely High/Very High    Any Direction                   6-9
High                        Increasing/Stable               9-12
High                        Decreasing                      12
Medium                      Increasing                      9-12

Medium                      Increasing/Stable/Decreasing    50%/40%/30%
Low                         Increasing/Stable/Decreasing    40%/30%/20%
SCOPE OF RBIA-MINIMUM REQUIREMENTS
Process of identification and management of risks
Major Points:
• SWIFT platform was not linked to CBS (Core
Banking System).
• Authority of maker, checker and authoriser
exercised by the same person.
• Passwords shared with the client.
• Daily Report of all financial incoming and
outgoing messages generated by the SWIFT
System not reconciled with CBS.
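The two checks whose absence is listed above, daily SWIFT-to-CBS reconciliation and maker/checker/authoriser segregation, can be sketched as follows. This is an added example, not part of the original slides; the record layout and field names are assumptions and the data is constructed.

```python
# Constructed sample data. Field names are hypothetical, not a SWIFT or CBS
# export format. Amounts are integers in minor units to avoid float rounding.
SWIFT_REPORT = [
    {"ref": "MSG001", "amount": 25000000, "maker": "u101", "checker": "u102", "authoriser": "u103"},
    {"ref": "MSG002", "amount": 90000000, "maker": "u104", "checker": "u104", "authoriser": "u104"},
    {"ref": "MSG003", "amount": 12000000, "maker": "u105", "checker": "u105", "authoriser": "u106"},
    {"ref": "MSG004", "amount": 40000000, "maker": "u101", "checker": "u102", "authoriser": "u103"},
]
CBS_ENTRIES = [
    {"swift_ref": "MSG001", "amount": 25000000},
    {"swift_ref": "MSG002", "amount": 90000000},
    {"swift_ref": "MSG004", "amount": 4000000},   # booked amount differs
    {"swift_ref": "MSG009", "amount": 100000},    # no matching SWIFT message
]

def reconcile(swift_report, cbs_entries):
    """Compare the day's SWIFT message report with CBS bookings, both ways."""
    booked = {}
    for entry in cbs_entries:
        booked.setdefault(entry["swift_ref"], []).append(entry["amount"])
    findings, seen = [], set()
    for msg in swift_report:
        seen.add(msg["ref"])
        amounts = booked.get(msg["ref"])
        if amounts is None:
            findings.append((msg["ref"], "NOT_IN_CBS"))
        elif sum(amounts) != msg["amount"]:
            findings.append((msg["ref"], "AMOUNT_MISMATCH"))
    # CBS entries that cite a SWIFT reference absent from the day's report
    findings += [(ref, "NO_SWIFT_MESSAGE") for ref in booked if ref not in seen]
    return findings

def segregation_breaches(swift_report):
    """Return refs where maker, checker and authoriser are not three distinct users."""
    return [
        msg["ref"]
        for msg in swift_report
        if len({msg["maker"], msg["checker"], msg["authoriser"]}) < 3
    ]

if __name__ == "__main__":
    for ref, issue in reconcile(SWIFT_REPORT, CBS_ENTRIES):
        print(f"reconciliation exception: {ref} {issue}")
    for ref in segregation_breaches(SWIFT_REPORT):
        print(f"segregation-of-duties breach: {ref}")
```
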
CASE STUDY ON RBIA
Major Points:
• Non-verification of Vouchers generated on
account of LOU with the system generated
reports and Contingent Liability.
• Improper reconciliation of Nostro accounts.
• Non-raising of red flags on account of huge
income without an underlying transaction.
• Non-detection of reimbursements made
without a contra appearing in the Bank books.
CASE STUDY ON RBIA
Major Points:
• Failure to monitor the movement and build-
up of contingent liability volumes of the
branch.
• Inaction on Monthly irregularity reports.
• Failure of concurrent audit, quarterly
statutory audit by external auditors, periodic
internal audit by HO auditors/inspectors, RBI
Auditors under Section 35 and FEMA Audit.
MAJOR AUDIT SOFTWARE USED BY BANKS
GALVANIZE (ACL)
• Computer Aided Audit, Risk & Governance Tool
• Risk-free auditing
• Effortless status tracking
• Comprehensive coverage of the entire audit life cycle
Bank of India had been using ACL Technology before using eTHIC to:
• Automate manual audit techniques and boost efficiency
• Recover lost revenue, pinpoint fraud, and achieve regulatory compliance
• Cut on-site audit spending by at least 20%
• Enhance audit workflows, transparency and security
• Standardize data for quick, centralized analysis
USE OF TECHNOLOGY FOR RBIA – CASE 3
ICICI Bank uses
• Increased efficiency and effectiveness of RBIA
• Risk Based Audit Planning with real time information on patterns & trends in Risks
• Boosting the productivity of Auditors
• Cost savings
• Eliminating gaps and duplication in