
Presented by

CA. Rakesh Kaushik


Guest Faculty, IIBF, Mumbai
Email: rmkaushik@gmail.com
Cell: +91 9820151005
INDIAN INSTITUTE OF BANKING & FINANCE
RISK BASED SUPERVISION – THE BACKDROP
Transformation of the role of Indian Banks from credit
intermediation to integrated customer service.

High growth coupled with the quest for superior customer service leading to
• Innovation in banking products and channels for delivering innovation to customers.
• Redundancies in the traditional compliance and transaction testing based supervisory approach.
• Significant strain on supervisory resources.

Global shift towards financial stability and managing contagion risk in an increasingly inter-connected marketplace resulting in
• The need for more inclusive, risk based and data centric supervision.

RISK BASED SUPERVISION-INITIAL EXPERIMENTS

As a part of the monetary and credit policy for 2000-01, the Reserve Bank of India had announced its intention to move towards a Risk-based approach to banking supervision.

Risk Based Supervision (RBS) envisaged the monitoring of banks by allocating supervisory resources and focusing supervisory attention according to the riskiness of each banking institution.

The Department of Banking Supervision conducted two rounds of pilot runs of RBS covering a few banks; however, due to lack of adequate Risk Management Architecture in banks, the RBS experiment was discontinued.

THE REVAMPED RBS FRAMEWORK

SPARC - Supervisory Programme for Assessment of Risk and Capital
• More off-site oriented
• Need based, risk based, focused on site inspections

Started in 2013 with 29 Banks



OBJECTIVES OF SUPERVISION

Protection of depositors’ interests

Ensure financial health of individual banks/FIs

Ensure financial stability

Customer protection



THE REVAMPED RBS FRAMEWORK
Forward looking process focusing on both present and future risks
• Focus on inherent risks as opposed to results of past transactions
• Inclusive approach towards early corrective action

Optimization of supervisory resource deployment through off-site monitoring
• Focus on continuous collection of data
• Robust off-site surveillance mechanism
• Move towards a risk indicator based early warning system

Focus of on-site supervision on targeted and thematic reviews
• On-site reviews will focus on high risk areas and industry-wide challenges
• Specialized Teams to address challenges emerging from high risk areas
• Focus supervisory bandwidth on high risk areas

Impetus on corporate governance and regular dialogue with the bank
• Continuous engagement through a single point of contact
• Expected to support inclusiveness
• Facilitate ongoing assessment of the quality of governance and management

THE REVAMPED RBS FRAMEWORK
The periodicity/intensity of on-site inspection of a bank would depend upon its
position on the Risk-Impact Index Matrix rather than its volume of business.

Supervisory rating would be

• A reflection on the risk elements (inherent business risks and effectiveness of control).
• Aiming to determine the overall probability of failure of the bank in light of risks to which the bank is
exposed, strength of control/governance and oversight framework in place and available capital.

Based on the exercise, the bank would be apprised of the direction/trend of key risk
groups along with overall risk faced by it. Further, a risk mitigation plan, comprising
of need for improving controls, augmenting capital and/or restructuring business
would be given to the bank.

The supervisory intervention including placing a bank under the Prompt Corrective
Action (PCA) framework, if required, would be based on the supervisory rating and
the risk-impact score of the bank.



UNEXPECTED LOSS : CAMELS VS. RBS
[Figure: capital for the unexpected losses from the universe of risks, CAMELS compared with RBS. Labels in the figure:]

CAMELS
• No Structured Approach
• Supervisory Judgment and use of templates and ratios
• Capital Prescription ???
• Pillar I: Credit Risk, Market Risk, Operational Risk (Pillar I Capital based on standardized approach)
• Other risks shown: Concentration Risk, Liquidity Risk, IRRBB, Reputation Risk, Others…
• Under estimation of Operational Risk

RBS
• IRISc: Credit (incl. Concentration), Market (incl. IRRBB), Operational (Non IT), Operational - IT, Liquidity, Other Risks
• A Multi tiered approach coupled with collective supervisory judgment for assessment of the universe of banking risks
• Determination of Capital requirement for the unexpected losses for all risks

Axis: Pillar I, Pillar II, Universe of Risks
Capital for the Unexpected Losses from Universe of Risks



NEW SUPERVISORY FRAMEWORK-SPARC

REGULATORY COMPLIANCE - Expected loss
1. Assessment of Regulatory Compliance is a distinct activity under SPARC.
2. Assessment of CRAR is part of Regulatory Compliance, for the purpose of assessing available capital.

MEASUREMENT OF UNEXPECTED LOSSES - STANDARDISED
MEASUREMENT OF UNEXPECTED LOSSES - BANK SPECIFIC OVER AND ABOVE STANDARDISED
1. SREP subsumed.
2. Both Pillar I & II risk covered under SPARC.
3. Independent measurement of unexpected losses under SPARC - Proprietary framework.
4. No reference to regulatory guidelines/Standardised approaches.

UNEXPECTED LOSSES = AGGREGATE RISK (SPARC)



SPARC PROCESS
1. Ensure expected losses are adequately provided
◦ adjusted in the assessed capital
◦ arrive at available capital
2. Measurement of unexpected losses - Aggregate Risk
3. Assess whether unexpected losses have adequate capital to sustain - distance from failure



SPARC: HOLISTIC ASSESSMENT
[Figure: CAMELS supervision (focused on expected losses, regulatory compliance) compared with SPARC (risk based supervision). Labels in the figure: CRAR as per Regulations; AFI (CAMELS); Uniformly Structured Assessment; Intensive / Focused Transaction Testing; Pillar II Risks, SREP (separate exercise); Pillar I risks, Bank Specific assessment; Pillar I and II risks assessed for consolidated view; Structured Compliance Assessment; Assessed CRAR; Input for risk assessment.]

CAMELS: Output = Report, Rating, MAP
SPARC: Output = Report - Risk Scores, SCR, RISK Rating, RMP



MEASUREMENT OF UNEXPECTED LOSSES = AGGREGATE RISK

INHERENT RISK
• Inherent risk arises due to uncertainty in the business operations of a bank that has the potential to
translate into unexpected loss in future.
• Inherent risk is susceptibility of Economic Capital of a bank due to nature of businesses it undertakes at the
existing level of controls.
• Risk Indicators are proxy for unexpected losses- moderated through subjective assessment
CONTROL GAP RISK
• Control Gap risk measures the gaps in adequacy and robustness of system and control put in place by the
bank for mitigating the Inherent risk. Gaps accentuate the inherent risk.
• RISK CATEGORY LEVEL
• GOVERNANCE & OVERSIGHT –Bank level
Unexpected loss measurement goes beyond the regulatory compliance assessment



MEASUREMENT OF UNEXPECTED LOSS-EXAMPLES- INHERENT RISK

In the SPARC framework, the focus is on the unexpected losses for which
provisions have not been created. Examples of parameters to assess unexpected
losses are given below:

1. Credit Risk
• Rating downgrade which is an indication of deterioration of portfolio quality which affects default risk but provisions not created
• Exposures instead of outstanding being taken for Risk Indicators
• Upgradation of Substandard assets

2. Market Risk
• Variation between Peak PV01 and Average PV01
• MTM of HTM portfolio which is the potential for losses not already provided for

3. Liquidity Risk
• No. of days net borrower is an indication of impending liquidity risk if the markets dry up or if interest rates go up.



MEASUREMENT OF UNEXPECTED LOSS-EXAMPLES- CONTROL GAPS

1. Credit Risk
Whether process for identification, measurement and monitoring of credit concentration risk are adequate? If not, then there is control gap which can lead to unexpected losses.

2. Market Risk
Are the Stress tests conducted on the portfolio relevant to the scale and complexity of position and operation? If not, then in times of stress, the losses could be much more than estimated/provided by the bank.

3. Liquidity Risk
Does the bank measure expected daily gross liquidity inflows and outflows, anticipate the intraday timing of these flows where possible, and forecast the range of potential net funding shortfalls that might arise at different points during the day?



UNIVERSE OF RISKS ASSESSED UNDER SPARC
Governance and Oversight Gap Risks
• Board
• Senior Management
• Risk Governance
• Internal Audit

Business Risks (each assessed for Inherent Risk and Control Gap Risk)
• Credit Risk
• Market Risk
• Liquidity Risk
• Op (IT) Risk
• Op (non-IT) Risk
• Other Pillar II Risk

(Certain Pillar II risks are re-aligned with Pillar I risks for assessment purpose)



INHERENT RISK ASSESSMENT- CREDIT RISK

Risk Category: Credit Risk (Inherent Risk Score)

Risk Drivers
• Concentration Risk
• Complexity of Exposure Risk
• Recovery Risk
• Default Risk

Supplementary Risk Driver / Indicators (Concentration Risk)
• Single borrower
• Group borrower
• Industry concentration
• Sectoral concentration

Information Sources
• Balance Sheet
• Profit and Loss
• Bank Profile
• OSMOS returns
• ICAAP
• Analytics Reports
• Bank’s business model
• Bank’s internal policy and documents
• Other Sources
• Select Indicators
• Osmos Profile
• ISE findings



RISK AGGREGATION
[Figure: risk aggregation hierarchy. Labels in the figure:]

Inherent Risk side
• Data points (536)
• Indicators (142) [Score 1-4]
• Indicator Groups (56) [Score 1-4]
• Risk Drivers (21) [Score 1-4]
• Inherent Risk (6) [Score 1-4]

Control Gap Risks side
• CG Parameters (260) [Score 1-4]
• Risk Drivers (21) [Score 1-4]

Per risk category (Inherent Risk Score and Control Gap Score combine into a category score)
• Credit Risk: CR Score
• Market Risk: MR Score
• Liquidity Risk: LR Score
• Operational Risk (IT/Non-IT): OR Score
• Pillar II Risk: PrII Score

Category scores: Aggregate Business Risk Score
Aggregate Business Risk Score and Governance & Oversight Score: Aggregate Risk Score



ROLE OF DATA/INFORMATION IN ASSESSMENTS
• Tranche I & IA (536 data points): Objective assessment (subjective assessment also); Bank profile (13 financial chapters on Organizational details, HR distribution/costs, risk governance structure, customer profile, balance sheet, capital/assets/liabilities profile, treasury management, liquidity management and IT systems/Audit details); DSB returns (22) -> Assessment of Inherent Risk
• Tranche II (260 information parameters), Discussions with bank management, Standard list of documents (please refer Compendium) -> Assessment of Gaps in Controls
• Tranche II (59 information parameters), Standard list of documents (please refer Compendium), etc. -> Assessment Gaps in Governance & Oversight
• Tranche III information (158 regulations) -> Assessment of Compliance
• Capital, CRAR Computations, ICAAP, Returns -> Assessment of Capital, capital planning, quality of capital, etc.



CONTROL ENVIRONMENT - GOVERNANCE

Bank’s Governance Structure
The bank’s Governance structure provides the overarching control environment encompassing businesses, risks, Internal Controls and regulatory compliance.

Internal Controls
The bank’s Internal Control framework commensurate with businesses/activities/exposure/risk level controls (control design, methodology, accountability structure, review mechanisms, etc.)

Controls for Regulatory Compliance
Controls for ensuring Regulatory Compliance are the baseline expectation of controls.



ONLINE DATA/ INFORMATION UNDER SPARC

Tranche | Type | Size
Tranche I | Quantitative Data | 536 data points
Tranche II | Control Information | 319 parameters
Tranche III | Compliance Information | 158 regulations

Create 1013 Primary “Control Documents”



DATA QUALITY SCORING/ SUPERVISORY PENALTY
Objective method for scoring the quality of data points and control parameters
Tranche I scored based on post submission amendments to the data points, RBS information system and documentation (templates for data points).
◦ Total Number of data points which were amended (4 - if > 20%, 3 - if 10%-20%, 2 - if 5%-10%, 1 if <5%)
◦ Number of Data points which required >10% change in value
◦ RBS Information/ accountability/review structure on a scale of 1-4 (1-best 4-Worst)
◦ Data Documentation on a scale of 1-4 (4-insignificant documentation <25%, 3- partial <25%-50%, 2- partial 50%-
75%, 1>75% documentation)
Tranche II/ III scored based on Documentation/Adequacy/completeness of control info.
◦ Documentation: (4-insignificant documentation <25%, 3- partial <25%-50%, 2- partial 50%-75%, 1>75%
documentation)
◦ Adequacy and completeness of the control info on a scale of 1-4 (4- Incomplete & inaccurate on most of the
parameters, 3- Incomplete but accurate on most, 2- Complete and accurate on most parameters, 1- Adequate and
effective on majority)
The penalty is computed if the score is above a threshold score (e.g. 2.0)
Penalty = Δ bps above threshold * NI
SUPERVISORY PROCESSES UNDER RBS
S. NO. | STEPS | RISK BASED TOOLS
1 | Understanding the bank | Bank Profile
2 | Assessing risks faced by the bank for supervisory purpose | Risk Assessment / Matrix
3 | Scheduling and Planning Supervisory Activities | Planning for supervisory actions / interventions
4 | Defining Examination Activities, on-site reviews and on-going monitoring | Onsite Inspection – objective, scope, etc.
5 | Inspection Procedure | Onsite Inspection, conduct of SREP, offsite continuous supervision.
6 | Reporting findings and recommendations and follow-up | Inspection Reports, Updating of the bank Profile.

ASSESSMENT OF PROBABILITY OF FAILURE
• Risk assessment of the various risks embedded in the banks’ business is determined based on the inherent prudential risks and prudential risk control in place in the bank for each risk group.
• The net risk for all the component risk groups would be rated (using a scorecard template) on a continuous scale (0 – 4) and would be aggregated into a single score by assigning appropriate weights to each component as under:

RISK ASSESSMENT MATRIX
Net Risk (85%)
Risk Group | Risk Weights | Inherent Risk | Risk Control
Credit Risk | 30% | 70% | 30%
Market Risk | 20% | 70% | 30%
Operational Risk | 20% | 70% | 30%
Liquidity Risk | 20% | 70% | 30%
Pillar 2 Risk | 10% | 70% | 30%
Oversight & Governance (15%)



SUPERVISORY RATINGS USED BY RBI
Good (A):
• Probability of failure well below the Supervisory Risk Appetite

Satisfactory (B):
• Probability of failure within the acceptable Supervisory Risk Appetite

Unsatisfactory (C):
• Probability of failure marginally higher than Supervisory Comfort

Poor (D):
• High probability of failure
• Need for additional capital & for restructuring business
• Placement under PCA Framework & monthly monitoring
Very Poor (E):
• Bank no longer a viable entity
• Need for winding up/merger/amalgamation

RISK BASED INTERNAL AUDIT

RBI issued a Guidance Note on Risk Based Internal Audit (RBIA) in December, 2002 on the basis of the recommendations of Pricewaterhouse Coopers (PwC), London circulated as a discussion paper to the banks in August, 2001 for moving towards the RBS/RBIA.

ROLE OF INTERNAL AUDIT (IA)

A sound internal audit function
• Contributes to the effectiveness of the internal control systems
• Provides high quality counsel to management
• Ensures regulatory compliances



THE HISTORICAL PERSPECTIVE OF IA

Traditional Internal Audit Role: concentrating on transaction testing

Testing of accuracy and reliability of
• Accounting records
• Financial reports
• Integrity, Reliability and Timeliness of control reports
• Adherence to legal and regulatory requirements



RISK BASED INTERNAL AUDIT IN BANKS
S. No. | APPLICABLE GUIDELINES/CIRCULARS | REFERENCE/DATE OF ISSUE
1. | Guidelines of BCBS | Various dates
2. | Guidance Note on RBIA issued by RBI | DBS.CO.PP.BC . 10 /11.01.005/2002-03, 27th December, 2002
3. | Guidelines on Audit systems in Public sector Banks issued by Ministry of Finance (Department of Financial Service) based on Basant Seth Committee’s Recommendations | F. No. 7/124/2012-BOA, 26th September, 2012
4. | Risk-based Internal Audit | RBI/2016-17/46, DBS.CO.PPD.05/11.01.005/2016-17, 25th August, 2016
5. | Risk Based Internal Audit (RBIA) Framework – Strengthening Governance arrangements | RBI/2020-21/83, Ref.No.DoS.CO.PPG./SEC.04/11.01.005/2020-21, 7th January, 2021
6. | International Standards for the Professional Practice of Internal Auditing (Standards) issued by the Institute of Internal Auditors | Last Revision in October 2016

RISK BASED INTERNAL AUDIT (RBIA)

Risk-based Internal Audit includes
• Selective and appropriate transaction testing
• Evaluation of the risk management systems
• Evaluation of the control procedures in bank’s operations

Greater emphasis on the internal auditor's role in mitigating risks
• Focusing on effective risk management and controls
• Offering suggestions for mitigating current risks
• Anticipate areas of potential risks
• Play an important role in protecting the bank from various risks

RISK MANAGEMENT COMMITTEE/DEPARTMENT VS. RBIA

RMC/RMD focuses on
• Identification of risks
• Monitoring of risks
• Measurement of risks
• Development of policies and procedures
• Use of risk management models

RBIA undertakes an independent risk assessment solely for formulating the risk-based audit plan keeping in view
• The inherent business risks of an activity/location
• The effectiveness of the control systems for monitoring the inherent risks of the business activity

SALIENT FEATURES OF RBIA
Audit plan covers every activity/location of the bank, including the risk management function.

Shifting of Focus from full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment.

Well defined RBIA policy, duly approved by the Board, needs to be developed.

Functional independence required to avoid conflicts of interest and to ensure objectivity and impartiality.

Board of Directors and top management responsible for an effective RBIA system and ensuring that its importance is understood throughout the bank.



RISK ASSESSMENT
The risk assessment methodology is
• An independent activity
• Cover risks at various levels
• Covers processes to identify, measure, monitor and control the risks.
• To be devised keeping in view the size and complexity of the bank’s business
• Needs approval of the Board of Directors



RISK ASSESSMENT PROCESS

Risk Assessment Process includes
• Identification of inherent business risks in various activities
• Evaluation of the effectiveness of the control systems
• Drawing up a risk-matrix for taking into account both the factors viz., inherent business risks and control risks.



ILLUSTRATIVE RISK ASSESSMENT MATRIX



RISK MATRIX EXPLAINED
A – High Risk- Although the control risk is low, this is a High Risk area due to high inherent business risks.

B – Very High Risk- The high inherent business risk coupled with medium control risk makes this a Very
High Risk area

C – Extremely High Risk – Both the inherent business risk and control risk are high which makes this an
Extremely High Risk area. This area would require immediate audit attention, maximum allocation of
audit resources besides ongoing monitoring by the bank’s top management.

D – Medium Risk – Although the control risk is low this is a Medium Risk area due to medium inherent
business risks.

E – High Risk – Although the inherent business risk is medium this is a High Risk area because of control
risk also being medium.

F – Very High Risk – Although the inherent business risk is medium, this is a Very High Risk area due to
high control risk.

G – Low Risk – Both the inherent business risk and control risk are low.

H – Medium Risk - The inherent business risk is low and the control risk is medium.

I – High Risk – Although the inherent business risk is low, due to high control risk this becomes a High Risk
area.
RISK ASSESSMENT RATINGS
Based on the level and direction of risk, the Risk assessment
ratings could be any of the fifteen as shown below:
OVERALL RISK | DIRECTION
1. Extremely High Risk | Increasing/Stable/Decreasing
2. Very High Risk | Increasing/Stable/Decreasing
3. High Risk | Increasing/Stable/Decreasing
4. Medium Risk | Increasing/Stable/Decreasing
5. Low Risk | Increasing/Stable/Decreasing



[Figure: from Risk Assessment and Direction of Risk to the Annual Audit Plan. Labels in the figure: Business Risk (Credit Risk, Operational Risk, Earning Risk); Control Risk (Credit Functions, Non Credit Functions, Computer Functions, Compliance, Branch Management – General, Security); Annual Audit Plan (On Site/Off Site Audit, On Site Snap Audit (For Select Branches), Frequency of Audit, Prioritization of Audit, Level of Transaction Testing).]



PARAMETERS OF RISK ASSESSMENT METHODOLOGY
Previous internal audit reports and compliance
Proposed changes in business lines or change in focus
Significant change in management/key personnel
Results of latest regulatory examination report
Reports of external auditors
Industry trends and other environmental factors
Time lapsed since last audit
Volume of business and complexity of activities
Substantial performance variations from the budget
ILLUSTRATIVE RISK PARAMETERS USED FOR RANKING BRANCHES
S. No. | Business Risk Parameters | Control Risk Parameters
1 | Composition of Advances | Operational Risk
2 | NPA Analysis | Credit / Advances & Monitoring
3 | Composition of Deposits | NPA Management
4 | Frauds | Profitability
5 | Customer base | Administration
6 | Performance of the Branch (Target & Growth Achievements: Advances, Deposits, NPA Management, Profitability, Non-Interest income, Para Banking) | Miscellaneous Items
7 | - | Foreign Exchange



RANKING PROCESS
• Areas are analysed for the available positive and negative factors with respect to quantity and quality and marks are allotted accordingly as per the policy document. For example
❑ Operational Risk Parameter covers the Branch Operations, All types of Deposits, KYC, Cross Selling, Customer Service, Marketing, Fraud Control, IT, Statutory Compliances etc.
❑ Credit/Advances & Monitoring Risk Parameter covers all aspects of Advances from Application to Renewals.
❑ Administrative Risk Parameter covers housekeeping, control over sensitive stationery items, periodical test checks, control over staff records, security etc.
❑ Miscellaneous items Risk Parameter includes Comments in latest regulatory / statutory Examination Report, change management, change in Business line and Unclaimed Deposits



ILLUSTRATION OF SCORING SHEET FOR BUSINESS RISK
SL. NO | ASSESSMENT AREA | Maximum Score | Score allotted | Risk assessment | %tage of Weighted marks obtained

A. BUSINESS RISK
1 Composition of Advances
i | Share of exposure to sensitive sector to gross Advances (Marks may be awarded as per % of non sensitive sector i.e. Real estate/Capital Market/Commodity Sector. If no advance to sensitive sector, full marks to be awarded; if share of sensitive sector is 10% means 90% advance is to non sensitive sector hence 90% of max marks may be awarded) | 10 | 10.0 | H | 0.00
ii | Individual exposure - Share of top five exposure: a) Below 5% of Total Adv in all industries/business = 10; b) 5% to 10% of Total Adv = 5; c) More than 10% of Total Adv = 0 | 10 | 5 | M | 50.00
iii | Group Exposure - Share of top five exposure: a) Below 5% of Total Adv in all industries/business = 10; b) 5% to 10% of Total Adv = 5; c) More than 10% of Total Adv = 0 | 10 | 5 | H | 0.00
iv | Share of Unsecured Advances: a) Below 5% of Total Adv in all industries/business = 10; b) 5% to 20% of Total Adv = 5; c) More than 20% of Total Adv = 0 | 10 | 0 | H | 0.00
v | % of increase in yield of advances on yearly basis: a) Increase over previous year = 10; b) Stagnant = 5; c) Decrease = 0 | 10 | 5 | M | 50.00
vi | Spurt in Advances: No spurt in Advances = 10; Spurt in Advances (Auditor to decide) = 0 | 10 | 10 | L | 100.00
vii | % of BG invoked to total Turnover of BG (BGs o/s as on previous audit date + fresh BG issued till date of audit): a) Below 5% of Turnover of BG = 10; b) 5% to 10% of Total Turnover of BG = 5; c) Over 10% of total Turnover of BG = 0 | 10 | | H | 0.00
viii | % of LC devolved to Total Turnover of LC (LCs o/s as on previous audit date + fresh LCs issued till date of audit): a) Below 5% of Turnover of LC = 10; b) 5% to 10% of Total Turnover of LC = 5; c) Over 10% of total Turnover of LC = 0 | 10 | | H | 0.00
ix | % of time barred NPA to Total NPA (Amount) (Marks in the ratio of % of non time barred NPA/Total NPA, e.g. if time barred debt is 5% then branch will get 95% of maximum marks) | 10 | 9 | L | 90.00
x | Share of High risk exposure to total exposure: a) Below 5% = 10; b) 5% to 10% = 5; c) More than 10% = 0 | 10 | 5 | M | 50.00
xi | % of increase in High risk exposure: Decrease or No increase = 10; up to 10% increase = 5; Above 10% increase = 0 | 10 | 10 | L | 100.00
xii | Share of unrated external credit risk exposure in applicable cases: Unrated adv up to 5% = 10; 5%-10% = 5; Above 10% = 0 | 10 | 5 | M | 50.00
xiii | Share of exposure to total exposure where internal rating not carried out: Unrated adv up to 5% = 10; 5%-10% = 5; Above 10% = 0 | 10 | 0 | H | 0.00
xiv | Revenue Leakage (RL) detected: No RL detected = 10 Marks; RL detected below Rs.5 lakh = 5; RL detected Rs.5 lakh & above = 0 | 10 | 5 | M | 50.00
| Composition of Advances SUB TOTAL | 140 | 69 | M | 49.29

B. NPA Analysis
| NPA Analysis SUB TOTAL | 180 | 90 | M | 50.00

C. COMPOSITION OF DEPOSIT
| Composition of Deposits SUB TOTAL | 60 | 41 | L | 68.33

D. Frauds
| Frauds SUB TOTAL | 25 | 25 | L | 100.00

E. CUSTOMER BASE
| Customer Base SUB TOTAL | 45 | 20 | M | 44.44

F. PERFORMANCE OF THE BRANCH (Target and Growth Achievements)
1 | Advances | 115 | 0 | H | 0.00
2 | Deposits | 95 | 73 | L | 76.84
3 | NPA Management (Proportionate marks can be given depending upon achievements of targets) | 90 | 15 | H | 16.67
4 | Profitability (Proportionate marks can be given) | 80 | 23 | H | 28.75
5 | Non Interest Income | 45 | 15 | H | 33.33
6 | Para Banking | 25 | 8 | H | 32.00
| Performance of the Branch SUB TOTAL | 450 | 134 | H | 29.78

| BUSINESS RISK TOTAL | 900 | 379 | M | 42.11


SUMMARY OF CONTROLS



RISK ASSESSMENT BASED ON MARKS
% OF TOTAL MARKS OBTAINED UNDER EACH PARAMETER | RISK ASSESSMENT UNDER EACH PARAMETER
More than 65 | Low
Between 40 – 65 | Medium
Below 40 | High



RISK RATING OF THE BRANCH
Total Marks obtained under all parameters of Inherent Business/Control Risk category | Risk Level
More than 65 | Low
Between 40 to 65 | Medium
Below 40 | High

RISK AUDIT MATRIX TO BE PREPARED BY BANKS



DETERMINING LEVEL AND TREND OF RISK

VARIATION OF MARKS IN THE SAME CATEGORY OF THE PREVIOUS AUDIT % | TREND / DIRECTION OF RISK
Up to + 5% to – 5% | Stable
More than +5% to – 5% | Decreasing/Increasing



ANNUAL AUDIT PLAN
Contents of Approved Audit Plan
• The schedule and the rationale for audit work planned
• All risk areas and their prioritisation based on the level and direction of risk

Audit Periodicity
• Shorter intervals for Areas/activities identified as high, very high or extremely high risk (based on risk matrix)
• Longer intervals for medium or low risk areas



PRIORITY IN AUDIT PLAN

The Audit Plan should prioritize audit work to give greater attention to the areas of:
• High Magnitude and high frequency
• High Magnitude and medium frequency
• Medium magnitude and high frequency
• High magnitude and low frequency
• Medium Magnitude and medium frequency.

ILLUSTRATIVE AUDIT SCHEDULE
OVERALL RISK CATEGORY | DIRECTION | AUDIT FREQUENCY (MONTHS)
Extremely High/Very High | Any Direction | 6-9
High | Increasing/Stable | 9-12
High | Decreasing | 12
Medium | Increasing | 9-12
Medium | Stable/Decreasing | 12-15
Low | Increasing | 12-15
Low | Stable/Decreasing | 15-18

LEVEL OF TRANSACTION TESTING
OVERALL RISK CATEGORY | DIRECTION | MINIMUM LEVEL OF TRANSACTION TESTING
Extremely High/Very High | Increasing/Stable/Decreasing | 100%
High | Increasing/Stable | 80%
High | Decreasing | 70%
Medium | Increasing/Stable/Decreasing | 50%/40%/30%
Low | Increasing/Stable/Decreasing | 40%/30%/20%
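
The RBIA tables above (marks to risk level, the A to I risk matrix, trend of risk, audit schedule and minimum transaction testing) chained into one branch-level calculation, as an added example that is not part of the original presentation. Function names are hypothetical; it assumes the variation of marks is measured in percentage points on the mean of the business and control risk percentages, and that the 50%/40%/30% and 40%/30%/20% testing levels map to Increasing/Stable/Decreasing in the order listed.

```python
# Added example: chains the RBIA tables on this page into one calculation.
# All function and variable names are hypothetical.

DIRECTIONS = ("Increasing", "Stable", "Decreasing")

# (inherent business risk, control risk) -> (matrix cell, overall risk category),
# as listed on the "RISK MATRIX EXPLAINED" slide.
RISK_MATRIX = {
    ("High", "Low"): ("A", "High"),
    ("High", "Medium"): ("B", "Very High"),
    ("High", "High"): ("C", "Extremely High"),
    ("Medium", "Low"): ("D", "Medium"),
    ("Medium", "Medium"): ("E", "High"),
    ("Medium", "High"): ("F", "Very High"),
    ("Low", "Low"): ("G", "Low"),
    ("Low", "Medium"): ("H", "Medium"),
    ("Low", "High"): ("I", "High"),
}


def _expand(rows):
    """Turn (categories, directions, value) rows into a (category, direction) lookup."""
    return {(c, d): v for cats, dirs, v in rows for c in cats for d in dirs}


# "ILLUSTRATIVE AUDIT SCHEDULE": (min, max) months between audits.
AUDIT_FREQUENCY_MONTHS = _expand([
    (("Extremely High", "Very High"), DIRECTIONS, (6, 9)),
    (("High",), ("Increasing", "Stable"), (9, 12)),
    (("High",), ("Decreasing",), (12, 12)),
    (("Medium",), ("Increasing",), (9, 12)),
    (("Medium",), ("Stable", "Decreasing"), (12, 15)),
    (("Low",), ("Increasing",), (12, 15)),
    (("Low",), ("Stable", "Decreasing"), (15, 18)),
])

# "LEVEL OF TRANSACTION TESTING": minimum percentage of transactions to test.
# Assumption: slash-separated percentages follow the order of the directions.
MIN_TRANSACTION_TESTING_PCT = _expand([
    (("Extremely High", "Very High"), DIRECTIONS, 100),
    (("High",), ("Increasing", "Stable"), 80),
    (("High",), ("Decreasing",), 70),
    (("Medium",), ("Increasing",), 50),
    (("Medium",), ("Stable",), 40),
    (("Medium",), ("Decreasing",), 30),
    (("Low",), ("Increasing",), 40),
    (("Low",), ("Stable",), 30),
    (("Low",), ("Decreasing",), 20),
])


def marks_pct(obtained, maximum):
    """Percentage of marks obtained, as in the scoring sheet's last column."""
    return round(100 * obtained / maximum, 2)


def risk_level(pct):
    """More than 65 -> Low, between 40 and 65 -> Medium, below 40 -> High."""
    if not 0 <= pct <= 100:
        raise ValueError("percentage of marks must be between 0 and 100")
    if pct > 65:
        return "Low"
    return "Medium" if pct >= 40 else "High"


def risk_direction(current_pct, previous_pct):
    """Within +/-5 is Stable; more marks means less risk, so a rise is Decreasing."""
    change = current_pct - previous_pct
    if abs(change) <= 5:
        return "Stable"
    return "Decreasing" if change > 0 else "Increasing"


def plan_branch_audit(business_pct, control_pct, prev_business_pct, prev_control_pct):
    """Derive matrix cell, category, direction, audit interval and testing level."""
    inherent, control = risk_level(business_pct), risk_level(control_pct)
    cell, category = RISK_MATRIX[(inherent, control)]
    # Assumption: the trend is taken on the mean of the two percentages.
    direction = risk_direction((business_pct + control_pct) / 2,
                               (prev_business_pct + prev_control_pct) / 2)
    return {
        "inherent_risk": inherent,
        "control_risk": control,
        "cell": cell,
        "category": category,
        "direction": direction,
        "audit_frequency_months": AUDIT_FREQUENCY_MONTHS[(category, direction)],
        "min_transaction_testing_pct": MIN_TRANSACTION_TESTING_PCT[(category, direction)],
    }


if __name__ == "__main__":
    # Business risk total from the scoring sheet (379 of 900); the control risk
    # and previous-audit figures are constructed for illustration.
    print(plan_branch_audit(marks_pct(379, 900), 70.0, 55.0, 72.0))
```
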
SCOPE OF RBIA-MINIMUM REQUIREMENTS
Process of identification and management of risks

Control environment in various areas

Gaps in control mechanism which might lead to frauds

Identification of fraud prone areas

Data integrity, reliability and integrity of MIS

Internal, regulatory and statutory compliance

Budgetary control and performance reviews

Transaction testing/verification of assets to the extent considered necessary

Monitoring compliance with the risk-based internal audit report

Variation in the assessment of risks under the audit plan vis-à-vis the risk based internal audit.

OTHER IMPORTANT POINTS
Communication channels to encourage reporting of negative and sensitive findings

Serious deficiencies and Significant issues posing a threat to the bank’s business to be reported immediately

Periodic Performance review to include evaluation of effectiveness of RBIA

Internal Audit Department to be provided with appropriate resources

Due diligence to be conducted for outsourcing of RBIA



STRENGTHENING GOVERNANCE ARRANGEMENTS
Coverage of RBI Circular dated 7th January, 2021
• Authority, Stature and Independence
• HIA to be senior
• IA to be independent
• Competence
• Knowledge and experience may include banking operations,
accounting, information technology, data analytics and
forensic investigation among others
• Staff Rotation except where managed by specialists
• Minimum period of service to be approved by the Board
• Consider appointing staff with specialised knowledge in IA
at least once
• Minimum Tenor of Three Years for HIA
• Reporting Lines
  • Direct Reporting to ACB/MD&CEO/WTD
  • ACB to meet HIA once every quarter where HIA does not report to ACB
• Remuneration
  • Not to be linked with the financial performance of the business lines audited by IA Staff
  • To avoid creating conflict of interest and compromising audit’s independence and objectivity
• No outsourcing
  • Except Experts and Former Employees on Contractual basis
  • Ownership of audit reports in all cases to rest with regular functionaries
CASE STUDY ON RBIA
The case:
• Fake/Unauthorised Letters of Undertaking (LoU) issued
for Rs. 14,357 Crore by a leading SCB
RBI’s Stand/Action:
• The fraud is a case of operational risk arising on
account of delinquent behaviour by one or more
employees of the bank and failure of internal controls.
RBI has already undertaken a supervisory assessment
of control systems in the Bank and will take
appropriate supervisory action. LoUs and LoCs have
since been discontinued.
CASE STUDY ON RBIA

Major Points:
• SWIFT platform was not linked to CBS (Core
Banking System).
• Authority of maker, checker and authoriser
exercised by the same person.
• Passwords shared with the client.
• Daily Report of all financial incoming and
outgoing messages generated by the SWIFT
System not reconciled with CBS.
CASE STUDY ON RBIA

Major Points:
• Non-verification of Vouchers generated on
account of LOU with the system generated
reports and Contingent Liability.
• Improper reconciliation of Nostro accounts.
• Non-raising of red flags on account of huge
income without an underlying transaction.
• Non-detection of reimbursements made
without a contra appearing in the Bank books.
CASE STUDY ON RBIA

Major Points:
• Failure to monitor the movement and build-
up of contingent liability volumes of the
branch.
• Inaction on Monthly irregularity reports.
• Failure of concurrent audit, quarterly
statutory audit by external auditors, periodic
internal audit by HO auditors/inspectors, RBI
Auditors under Section 35 and FEMA Audit.
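
Added example (not part of the original presentation): a minimal daily reconciliation of the SWIFT message report against CBS entries, which also flags messages where maker, checker and authoriser are not three different users. The record layouts, field names and sample rows are constructed assumptions, not any bank's actual report format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SwiftMessage:      # one row of the daily SWIFT outgoing-message report (assumed layout)
    ref: str
    amount: int          # whole rupees
    maker: str
    checker: str
    authoriser: str

@dataclass(frozen=True)
class CbsEntry:          # contingent-liability entry booked in the CBS (assumed layout)
    ref: str
    amount: int

def reconcile(messages, entries):
    """Return sorted (ref, finding) pairs for every exception found."""
    booked = {e.ref: e for e in entries}
    findings = []
    for m in messages:
        entry = booked.pop(m.ref, None)
        if entry is None:
            findings.append((m.ref, "NO_CBS_ENTRY"))
        elif entry.amount != m.amount:
            findings.append((m.ref, "AMOUNT_MISMATCH"))
        # Maker, checker and authoriser must be three different users.
        if len({m.maker, m.checker, m.authoriser}) < 3:
            findings.append((m.ref, "ROLES_NOT_SEGREGATED"))
    # Whatever is left was booked in the CBS with no SWIFT message behind it.
    findings.extend((ref, "NO_SWIFT_MESSAGE") for ref in booked)
    return sorted(findings)

# Constructed sample data, not taken from any real bank.
SAMPLE_MESSAGES = [
    SwiftMessage("LOU-001", 5_000_000, "u101", "u102", "u103"),
    SwiftMessage("LOU-002", 7_500_000, "u104", "u104", "u104"),
    SwiftMessage("LOU-003", 2_000_000, "u101", "u102", "u103"),
]
SAMPLE_ENTRIES = [
    CbsEntry("LOU-001", 5_000_000),
    CbsEntry("LOU-003", 1_000_000),
    CbsEntry("LOU-009", 300_000),
]

if __name__ == "__main__":
    for ref, finding in reconcile(SAMPLE_MESSAGES, SAMPLE_ENTRIES):
        print(ref, finding)
```

Every finding is an exception that should reach someone outside the originating branch; an empty result for a day is itself worth recording as evidence that the reconciliation was performed.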
MAJOR AUDIT SOFTWARE USED BY BANKS
• GALVANIZE (ACL): Computer Aided Audit, Risk & Governance Tool
• VUEFRAME: Audit Automation and Risk Monitoring
• PENTANA: Integrated Enterprise Technology Solution for Risk and Audit Management
• eTHIC: Risk Based Audit & Compliance Application
• MetricStream: GRC Apps and Solutions for Banking and Financial Services
LIST OF eTHIC Users
PUBLIC SECTOR BANKS
• STATE BANK OF INDIA
• UCO BANK
• INDIAN OVERSEAS BANK
• SYNDICATE BANK
• UNITED BANK OF INDIA
• UNION BANK OF INDIA
• INDIAN BANK
• BANK OF INDIA
• PUNJAB NATIONAL BANK
PRIVATE SECTOR BANKS
• J&K Bank Ltd.
• Axis Bank Ltd.
• Karur Vysya Bank Ltd.
• HDFC Bank Ltd.
• City Union Bank Ltd.
• RBL Bank Ltd.
• South Indian Bank Ltd.
• Lakshmi Vilas Bank Ltd.
• Tamilnadu Mercantile Bank Ltd.
• Dhanlakshmi Bank Ltd.
• Catholic Syrian Bank Ltd.
LIST OF eTHIC Users
REGIONAL RURAL BANKS
• Andhra Pragathi Grameena Bank
• Prathama Bank
• Karnataka Vikas Grameena Bank
• Madhyanchal Gramin Bank
• Chattisgarh Rajya Gramin Bank
• Rajasthan Marudhara Gramin Bank
• Telangana Grameena Bank
• Andhra Pradesh Grameena Vikas Bank
• Saurashtra Gramin Bank
• Uttarakhand Gramin Bank
• Mizoram Rural Bank
• Jharkhand Rajya Gramin Bank
• Utkal Grameen Bank
• Ellaquai Dehati Bank
• Meghalaya Rural Bank
• Arunachal Pradesh Rural Bank
• Nagaland Rural Bank
LIST OF eTHIC Users
OTHER BANKS & NBFCs
• NABARD
• Janata Sahakari Bank Limited
• Saraswat Bank
• Belstar Microfinance Limited
• L&T Finance Limited
• CanFin Homes Limited
• ESAF Small Finance Bank
USE OF TECHNOLOGY FOR RBIA – CASE 1

Dhanlaxmi Bank is using eTHIC software for:

• Risk-free auditing
• Effortless status tracking
• Comprehensive coverage of the entire audit life cycle

By implementing the audit software, the adequacy and effectiveness of the internal audit have been improved.
USE OF TECHNOLOGY FOR RBIA – CASE 2

Bank of India had been using ACL Technology before using eTHIC to:
• Automate manual audit techniques and boost efficiency
• Recover lost revenue, pinpoint fraud, and achieve regulatory compliance
• Cut on-site audit spending by at least 20%
• Enhance audit workflows, transparency and security
• Standardize data for quick, centralized analysis
USE OF TECHNOLOGY FOR RBIA – CASE 3
ICICI Bank uses Pentana Audit Works System (PAWS) for:
• Increased efficiency and effectiveness of RBIA
• Risk Based Audit Planning with real time information on patterns & trends in Risks
• Boosting the productivity of Auditors
• Cost savings
• Eliminating gaps and duplication in Coverage
• Improving Visibility, Enterprise wide Risk and Audit Landscape
• Report Automation with Extensive Comparative real-time Reporting
• Online real time Issue closure cycle and traceability
• GRC convergence
• Quantitative Score based rating system with Qualitative dimension of Risk Analysis
• Adoption of Best Practices and Adherence to RBI guidelines



USE OF TECHNOLOGY FOR RBIA – CASE 4
Axis Bank uses a web based software VUEFRAME which automatically:
• Assists Remote Users to View and Download the exceptions
• Provides an Exception Dashboard with analytical tool capability
• Assists Exceptions Trend Identification over a period of time for a branch / all branches in a zone
• Generates a graph of the exception for a branch / all branches in a zone
• Provides MIS and an Exception Database to Controllers/Concerned Departments
• Mails Exceptions generated to Branches

THANK YOU
&
HAVE A NICE DAY
