
Enterprise Risk Management for 2023 Foundation School
Course Code: FS 123
Business
Communication
Participant’s Manual

Course Code: FS 101

Course Outline


Module 17: Basel System

• Basel Parameters for Credit Risk Estimation
  o Regulatory models of credit risk measurement
• Credit Rating Systems
  o Minimum requirements – Basel Accord Credit Rating systems
  o Best practices in Credit Rating Systems
  o Validation of Credit Rating Systems

Module 18: Portfolio Credit Risk Management

• Understanding approaches of model portfolio models
• Credit Metrics model
• Portfolio Manager
• KMV approach

Module 19: Credit Risk Derivatives

Overview of Credit Risk Transfer, Credit & Other
Derivatives Credit Default
Swaps, Collateralized Debt Obligations, Credit-Linked
Notes, IRS, FX options, Repos

Objectives

At the end of this course participants should be able to



List Your Expectations from this programme..



Module 1: Fundamentals of Risk and Risk Management

Introduction

Enterprise Risk Management (ERM) in business
includes the methods and processes used by
organizations to manage risks and seize
opportunities related to the achievement of their
objectives. This course aims to identify, assess,
and prepare for any dangers, hazards, and
other potentials for disaster—both physical and
figurative—that may interfere with an organization's
operations and objectives. This course is
designed to equip participants with the knowledge
and skills required to mitigate risks.

• The methods and processes used by an enterprise to manage risks to its
mission and to establish the trust necessary for the enterprise to support shared
missions. It involves the identification of mission dependencies on enterprise
capabilities, the identification and prioritization of risks due to threats, the
implementation of countermeasures to provide both a static risk posture and an
effective dynamic response to active threats; and it assesses enterprise
performance against threats and adjusts countermeasures as necessary.
(Source: CNSSI 4009-2015 - Committee on National Security Systems - NIST)

• An effective agency-wide approach to addressing the full spectrum of the
organization’s significant risks by understanding the combined impact of risks
as an interrelated portfolio, rather than addressing risks only within silos.
(Source: NISTIR 8286 - EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF
MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503)

• The culture, capabilities, and practices that organizations integrate with
strategy-setting and apply when they carry out that strategy, with a purpose
of managing risk in creating, preserving, and realizing value. (Source: NISTIR
8286 under Enterprise Risk Management from COSO Enterprise Risk
Management)

The strategy of the organization drives each arm of the business that makes up the
organization, and each arm often has or adopts an information system that supports
its business function.

Examples of risks that correspond to the categories shown in the previous slide
are:
• Strategic: Changes in customer preference or stakeholder preference,
executive turnover
• Environmental: Pollution or disturbance of protected areas
• Market: Foreign-exchange rates, availability of commodities and raw materials
• Credit: Interest rates, callable loans, damage to assets for which the
organization is an insurer
• Operational: Employee errors, fraud, theft etc.
• Compliance: Failure to meet regulatory requirements
• IT benefit/value enablement: Delivered projects do not create expected
business value
• IT program and project delivery: Projects are not delivered in a manner
consistent with plans
• IT operations and service delivery: Delivered services fall short of Service Level
Agreements/Requirements (SLA/Rs)

Fundamentals of Risk
Risk can be defined as the possibility of loss or injury; someone or something that
creates or suggests a hazard.

Risk is also the degree of probability of such loss; in financial terms it is the chance that an
investment (such as a stock or commodity) will lose value.

For a bank, risk refers to the ability of a bank to access cash to meet funding
obligations. Obligations include allowing customers to take out their deposits. The
inability to provide cash in a timely manner to customers can result in a snowball effect.

Risk Management

Risk must be managed even though we are interested in returns.

Managing risks may involve three levels - the transaction level, Business Unit level and
the corporate level.

In today’s world, risk is not managed in silos but enterprise-wide.


For Risk management to be effective, everyone must understand what can cause a risk
and its mitigants.

And for accountability, clear responsibilities should be with Standard Operating
Procedures (SOPs) that stem from Policies, Standards etc.

Concept of Bank Risk

Credit Risk – the risk that an individual, company, or government
may not honour a promise or an obligation to make a payment
(usually on loans) as and when due, or not at all.

Market Risk – the risk of losses resulting from unfavourable market
movements or changes in prices of market instruments – interest
rates, FX rates, equity prices, commodity prices.

Asset-Liability Risk – the risk that capital might be depleted (assets
fall and liabilities rise), leading to an inability to meet maturing
obligations.

Operational Risk – the risk of direct or indirect losses resulting from
inadequate or failed internal processes, people and systems or from
external events.

Risk and Return


• The risk-return tradeoff states that the potential return rises with an increase in risk.
Thus, the higher the risk, the higher the potential reward.

• Using this principle, low levels of uncertainty are associated with low potential
returns, and high levels of uncertainty or risk with high potential returns.

Key principles of Effective Risk Management

• Ensure risks are identified early – the most important principle, where you identify the
cause of a potential risk and design preventative measures and a response if it was
to occur. After risks have been identified and sourced, risk needs to be measured.

• Factor in organizational goals and objectives - Ensure your risk management
plan ties in with your organization’s overall goals and objectives.

• Manage risk within context - consider both internal and external context when
planning for risk management, as they differ from bank to bank.

• Involve stakeholders - in the decision-making process e.g., team members,
contractors, as well as experts within your organization so that you will identify and
gain insights into potential risks you may not have considered.

• Ensure responsibilities and roles are clear - everyone should know the role they play
in mitigating risk and responsibilities should be clear throughout the risk
management process.

• Create a cycle of risk review - create a step-by-step process to review risk and
during each step, all risks should be evaluated, and interventions or preventative
measures implemented.

• Strive for continuous improvement - always strive to adapt to how you manage risk
and take these learnings with you to your next project.

Key principles & Framework of Risk Management – Organizational Context

Organizational Context Establishment – this simply means understanding and assessing
the organization and the environment (or context) in which it operates. Assessing an
organization’s context includes evaluating the intent and capability of threats; the
relative value of assets or resources and the trust that must be placed in them; and the
presence and extent of vulnerabilities that might be exploited to intercept, interrupt,
modify or fabricate data in information assets.

Organizational Context – the following factors should be considered in determining the
context of the organization:
• Organization dependency on a supply chain, e.g., one based in another
geographic region or dependence on just-in-time supply.
• The influences of financing, debt and partners or substantial stakeholders of the
business.
• Vulnerability to changes in economic or political conditions
• Changes to market trends and patterns
• Emergence of new competition
• Impact of new legislation
• Existence of potential natural disaster
• Constraints caused by legacy systems and antiquated technology
• Strained labor relations and inflexible management.

Key principles & Framework of Risk Management – Stakeholder Involvement


Stakeholders play a very critical role in driving ERM in the organization and without them
the success of the ERM drive in the organization could be impaired. The following are
actions that drive stakeholder involvement in ERM:

• ERM stakeholder analysis: can be conducted to identify stakeholders and analyze
their interests, concerns, influence, and expected responses to an ERM initiative
• Effective communication can help improve transparency, avoid misunderstanding
and attract stakeholders.

• Knowledge gap analysis can be used to design a personalized training plan for each
stakeholder.

• Tangible benefits of an investment in risk management capabilities can be quantified
and aligned with the organization’s traditional project decision framework for project
comparison and selection.

• Accountability (RACI Matrix) is important for making sure that risk policies and
strategies are actively followed within the organization.

• Analyzing the gap between current and target risk culture helps in designing
intervention plans to improve risk attitudes and risk behaviors.

Key principles & Framework of Risk Management – Stakeholder
Involvement (What could go wrong)

Lack of stakeholder involvement in ERM could result in the following:
• The benefit of risk management in the organization could be difficult to measure. The
value that ERM can bring to better and more informed decision-making may not be
sufficiently realized by the business.

• Risk management activities may be affected by insufficient resources and internal
politics.

Risk Management Support Structures


• Risk Management Group - responsible for evaluating risks, formulating responses and
plans of action to mitigate them, making plans of action available to all stakeholders,
shareholders and potential investors (Board, CEO, Chief Risk Officer).

• Compliance Group – responsible for the regulation of all company activities to ensure
that they are in line with all applicable laws, rules and regulations, as well as internal
codes of conduct, policies and procedures (Chief Compliance Officer).

• Corporate Governance - the system of rules, practices and processes by which the
bank is directed and controlled which impacts all aspects of the organization e.g.
performance measurement standards, public disclosure of records, policies for the
assignment of Board of Director seats, etc.


• Ethics – ethics implies moral principles that govern a person's behaviour or the
conducting of an activity, and the ethics group reviews corporate policies to confirm
that those policies are in accordance with the company's ethical philosophies.

• Internal Audit Group - periodically examines the efficiency and performance of both
the company's risk control functions and other to ensure that all aspects of the bank's
business are adhering to internal and external policies, laws and regulations.

• Risk Assessment and Reporting - researching and determining both current and future
risks that may become hazardous to the bank's business operations by identifying new
competitors, data security issues, reputational or Public Relations (PR) risk, financial or
liquidity risk, product recalls or even weather or natural disaster risks, among other
things.

Key principles & Framework of Risk Management – Support Structure (Executive
Sponsorship)

• Enterprise risk management benefits strongly from the clear support from Senior
Management/Executive Team of the organization, which should require
consultation with risk practitioners to be part of any new project and ensure that
recommendations of the risk management program are evaluated and objectively
addressed before approving or funding projects or business initiatives.

• Senior management support is tremendously important throughout the risk
management process. With it, the risk management process is much more likely to
have the budget, authority, access to personnel and information, and legitimacy that
will provide a successful result. Without it, risk management is almost always
unsuccessful. Senior management support should be visible and active, and
executives should be willing to intervene when necessary to communicate the
importance of risk identification/management efforts and the need for everyone to
actively contribute to the success of the program.

Key principles & Framework of Risk Management – Support Structure (Laws,
Regulations, Standards and Compliance)

• Organizations are required to comply with the laws and regulations of the jurisdictions
in which they operate and face penalties for failing to do so.

• It is important to know what laws apply to the organization and to understand their
requirements, which can be challenging because many laws are open to
interpretation and required levels of compliance are not always stipulated. For
example, a law may require adequate protection of sensitive data without specifying
what constitutes an adequate level of protection.

• Regulations may require organizations to report on their own compliance and impose
financial penalties or loss of a license to operate if these reports are made incorrectly
or outside of a directed schedule.


• Compliance may apply to voluntary standards. For instance, the Payment Card
Industry Data Security Standard (PCI DSS), created by members of the payment card
industry, may not be required by law but is generally required by the issuers of
payment cards to be adopted by companies that want to handle payment cards.

Key principles & Framework of Risk Management – Support Structure (Policies and RACI
Model)

• A critical part of establishing the risk management process is the development and
approval of a concise, coherent risk management policy that reflects the attitude
and intent of management in relation to risk. A risk management policy should include
a statement relating to the reasoning or rationale behind the approach to accepting
or mitigating risk, set accountability, and articulate a commitment to continuous
improvement of the risk environment.

• The use of a RACI model (Responsible, Accountable, Consulted, Informed) can assist
in outlining the roles and responsibilities of the various stakeholders. The purpose of a
RACI model is to clearly show the relationships between the various stakeholders, the
interaction between the stakeholders and the roles that each stakeholder plays in the
successful completion of the risk management effort.

Key principles & Framework of Risk Management – Support Structure (RACI Model)

RACI (Responsible, Accountable, Consulted, Informed)

There are four main types of roles that are involved in the risk management process:
• The individuals responsible for managing the risk

• The individuals accountable for the risk management effort

• The individuals who are consulted and provide support and assistance to the risk
management effort

• The individuals who are informed of the risk management effort but may not
necessarily be involved in its execution

Financial Crisis

• Financial Crisis refers to a situation where there is a panic or a bank run, and investors
sell off assets or withdraw money from savings accounts because they fear that the
value of those assets will drop if they remain in a financial institution.

• It can also be seen as any situation where one or more significant financial assets –
such as stocks, real estate, or oil – suddenly (and usually unexpectedly) lose a
substantial amount of their nominal value.

Financial crisis can be caused by different factors, but the major cause is leverage, where there is
credit risk – people take loans and do not repay.

The Process and Control of Financial Contagion

• Financial contagion is the spread of an economic crisis from one market or region to
another and can occur at both a domestic or international level.

• The four agents that influence financial boom or crisis are governments,
financial institutions, investors, and borrowers.

• To control financial crisis and financial risk, all the agents, especially Financial
Institutions, must adopt Risk management strategies and implement the processes in
Risk management.

• Where this is adopted in individual markets, financial crisis and contagion can be
better controlled and prevented.

Class Exercise
How best can First Bank Nigeria Ltd implement the adoption of Enterprise Risk
Management in their organization?

Module 2: Risk Management Process

Risk Management Process

It is an ongoing process of identifying, treating, and then managing risks. Identifying and
tracking risks that might arise in a project offers significant benefits, including:

• more efficient resource planning by making previously unforeseen costs visible
• better tracking of project costs and more accurate estimates of return on
investment
• increased awareness of legal requirements
• better prevention of physical injuries and illnesses
• flexibility, rather than panic, when changes or challenges do arise

Risk Management Process Overview

Risk Management Process

1. Identify – identify the risks that the business is exposed to in its operating environment
as many of these risk factors as possible. These risks are then visible to every
stakeholder in the organization with access to the system.

Identifying risk before it happens reduces losses, boosts employee efficiency, reduces
the risk of unhappy customers and sustains the business.

2. Analyze – critically look at the risks to determine the scope, and understand the link
between the risk, different factors within the organization, determine the severity of the
risk and look at mapping a risk framework that will evaluate risks.

Analysis can be done by simulation, imitating the actual occurrence and seeking ways
to mitigate the said risk, or modelling (creating prototypes of the risk), or stress testing to
find out how resilient something is, including a financial instrument, investment portfolio,
financial institution, or whole economy is at dealing with extreme situations and
economic crises.

Qualitative Analysis is reviewing risk outside quantity to determine their significance e.g. by
the Probability/Impact Assessment. Quantitative Analysis is the numeric evaluation of risk.

3. Evaluate – rank and prioritize the risk, showing different categories of risks, depending
on their severity. Low level risks may cause some inconvenience, but risks that can result
in catastrophic loss are rated the highest. Risk appetite and tolerance limit

4. Treat - every risk needs to be eliminated or contained, by connecting with the experts
of the field to which the risk belongs. In a risk management solution, all the relevant
stakeholders can be sent notifications from within the system and can get updates
directly from within the risk management solution. Risk response includes Tolerate, Treat,
Transfer and Terminate.

5. Monitor – since not all risks can be eliminated as some risks are always present (e.g.
Market risks and environmental risks), they must be monitored always. If any factor or risk
changes, it is immediately visible to everyone and monitored to allow your business to
ensure continuity.

Risk Identification
Risk identification is the process of identifying and assessing threats to an organization, its
operations, and its workforce. For example, risk identification may include assessing IT
security threats such as malware and ransomware, accidents, natural disasters, and other
potentially harmful events that could disrupt business operations. Companies that develop
robust risk management plans are likely to find they’re able to minimize the impact of threats,
when and if they should occur.

Risk Identification Process

The output of this process is a list
of incident scenarios with their
consequences related to assets
and business processes.

Risk Identification - Explanation

What Is Risk Analysis?

Risk Analysis is a process that helps you to identify and manage potential problems that
could undermine key business initiatives or projects. However, it can also be applied to
other projects outside of business, such as organizing events or even buying a home!

To carry out a Risk Analysis, you must identify the possible threats that you face,

likelihood that these threats will materialize.

Risk Analysis can be complex, as you'll need to draw on detailed information such as

relevant information. However, it's an essential planning tool, and one that could save
time, money, and reputations.

Qualitative vs. quantitative risk Approach

The two main approaches to risk analysis are qualitative and quantitative. Qualitative risk
analysis typically means assessing the likelihood that a risk will occur based on subjective
qualities and the impact it could have on an organization using predefined ranking
scales.

The impact of risks is often categorized into three levels: low, medium or high. The
probability that a risk will occur can also be expressed the same way or categorized as
the likelihood it will occur, ranging from 0% to 100%.

A qualitative risk analysis produces subjective results because it gathers data from
participants in the risk analysis process based on their perceptions of the probability of a
risk and the risk's likely consequences. Categorizing risks in this way helps organizations
and/or project teams decide which risks can be considered low priority and which have
to be actively managed to reduce the effect on the enterprise or the project.

A quantitative risk analysis, in contrast, examines the overall risk of a project and generally
is conducted after a qualitative risk analysis. The quantitative risk analysis numerically
analyzes the probability of each risk and its consequences.
The goal of a quantitative risk analysis is to associate a specific financial amount to each
risk that has been identified, representing the potential cost to an organization if that risk
actually occurs. So, an organization that has done a quantitative risk analysis and is then
hit with a data breach should be able to easily determine the financial impact of the
incident on its operations.

Risk Evaluation

Risk Evaluation is the process used to compare the estimated risk against the given risk
criteria to determine the significance of the risk.

In this step, levels of risk are compared according to risk evaluation criteria adopted by
the organization and risk acceptance criteria. The output is a prioritized list of risk elements
and the incident scenarios that lead to the identified risk elements.

Managing risks in a company starts with a decision to strategically manage risks
organization-wide. Risk management team or executive(s) who is(are) responsible for
implementing the process must first put together a plan that comprises all the elements
that impact risk management process and assemble a team to execute the plan.

Risk Evaluation Criteria

Risk capacity: the amount and type of risk an organization is able to support in pursuit of its
business objectives.

Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of
its business objectives.

Risk tolerance: the maximum risk that an organization is willing to take regarding
each relevant risk.

Risk target: the optimal level of risk that an organization wants to take in pursuit of a
business goal.

Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from
the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding
risk limits will typically act as a trigger for management action.

Risk Treatment/Response Options

Evaluation of an appropriate risk response is part of the risk management process cycle,
not a one-time effort. There are four commonly accepted options for risk response:
• Risk acceptance
• Risk mitigation
• Risk sharing (transfer)
• Risk avoidance
The purpose of defi of
the organization as cost-effectively as possible, not to eliminate or minimize the risk at all
costs.

Risk acceptance: The choice to accept risk is a conscious decision made by senior
management to recognize the existence of risk and knowingly decide to allow (assume)
the risk to remain without (further) mitigation. Management is responsible for the impact
of a risk event should it occur, so the decision to accept a risk is made according to the risk
appetite and risk tolerance set by senior management.

Risk mitigation: Risk mitigation refers to actions that the organization takes in order to
reduce a risk. Mitigation is typically achieved through security controls, which affect the
frequency and/or impact of the risk. Some examples of risk mitigation are:
• Strengthening overall risk management practices, such as implementing sufficiently
mature risk management processes
• Deploying new technical, management or operational controls that reduce either
the likelihood or the impact of an adverse event
• Installing a new access control system
• Implementing policies or operational procedures
• Developing an effective incident response and business continuity plan (BCP)
• Using compensating controls

Risk sharing (transfer): Risk transfer is a decision to reduce loss by having another
organization incur the cost. The most common example of risk transfer is the purchasing of
insurance, which provides a guarantee of compensation or replacement should a loss
occur. Partnerships are another form of risk transfer, in which two or more organizations
work together under an arrangement in which both risk of loss and potential for profit are
divided among the participants according to agreed-upon terms and conditions.

Risk Avoidance: Risk avoidance means exiting the activities or conditions that give rise to
risk. Risk avoidance is the choice that remains when no other response is adequate,
meaning all of the following are true:
• The exposure level is deemed unacceptable by management.
• The risk cannot be transferred.
• Mitigation that would bring the risk in line with acceptable levels is either impossible or
would cost more than the benefits that the organization derives from the activities.
An example of risk avoidance is: Rejecting a partnership agreement in which potential
losses are allocated to your organization, but the partner stands to benefit from most
potential profits.

Risk Treatment/Response Options – Selection

Two of the most common forms of analysis used to prepare a business case for risk
response are cost-benefit analysis and return on investment (ROI).
Cost-benefit Analysis: this is used to justify the expense associated with the
implementation of controls. The expenditure on a control cannot be justified if the benefit
realized from the control is less than the cost. There are several factors that must be
included in calculating the total cost of the control:

• Cost of acquisition: Evaluation of solutions, Cost of the control, Cost of training, Cost to
rearchitect systems

• Ongoing cost of maintenance: License costs, Cost of staff to monitor and report on
control, Impact on productivity/performance, Cost of support and technical
assistance

• Cost to remove/replace control

Return on Investment: This is a calculation of how long it takes a business to recoup its cost
of investing in projects, tools or new ventures through value added or other savings
produced. A new computer system, for example, might pay for itself over three years as a
result of better productivity; lower numbers of staff required or increased sales.

Calculating the ROI associated with the implementation of a control is often difficult, in
part because it depends on predicting the likelihood of a successful attack. An
additional complication is the goal of a control is to bring risk to an acceptable level
rather than eliminating it outright. In determining ROI, the organization is trying to forecast
the likelihood and impact of an incident and deciding what is an adequate level of
protection.
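
The cost-benefit test and the four response options described above can be combined into one calculation over a risk register. The following Python code is an added example, not part of the manual: it assumes exposure is estimated as annual likelihood multiplied by impact, that tolerance is expressed as an expected annual loss per risk, and that mitigation is preferred over transfer when both are viable. All names and figures are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ControlCost:
    """Total cost of a control, using the three cost groups listed above."""
    acquisition: float         # evaluation, purchase, training, re-architecture
    annual_maintenance: float  # licences, monitoring staff, productivity, support
    removal: float             # cost to remove or replace the control

    def total(self, years: int) -> float:
        return self.acquisition + self.annual_maintenance * years + self.removal


@dataclass
class Mitigation:
    cost: ControlCost
    likelihood_after: float    # events per year once the control is in place
    impact_after: float        # loss per event once the control is in place


@dataclass
class Risk:
    name: str
    likelihood: float          # expected events per year (an estimate)
    impact: float              # financial loss per event
    transferable: bool         # can insurance or a partner carry the loss?
    mitigation: Optional[Mitigation] = None

    def annual_loss(self) -> float:
        # Assumption of this example: exposure = likelihood x impact.
        return self.likelihood * self.impact


def net_benefit(risk: Risk, years: int) -> Optional[float]:
    """Loss avoided over the period minus total control cost (None if no control)."""
    m = risk.mitigation
    if m is None:
        return None
    avoided = (risk.annual_loss() - m.likelihood_after * m.impact_after) * years
    return avoided - m.cost.total(years)


def select_response(risk: Risk, tolerance: float, years: int = 3) -> str:
    """Choose accept, mitigate, transfer or avoid for a single risk."""
    if risk.annual_loss() <= tolerance:
        return "accept"                      # already within tolerance
    m = risk.mitigation
    if m is not None:
        residual = m.likelihood_after * m.impact_after
        # Cost-benefit test: the control must bring the risk within tolerance
        # and must not cost more than the loss it avoids.
        if residual <= tolerance and net_benefit(risk, years) >= 0:
            return "mitigate"
    if risk.transferable:
        return "transfer"
    # Exposure unacceptable, not transferable, mitigation impossible or too costly.
    return "avoid"


def prioritised(register, tolerance: float, years: int = 3):
    """Rank risks by exposure, highest first, with the selected response."""
    ranked = sorted(register, key=lambda r: r.annual_loss(), reverse=True)
    return [(r.name, r.annual_loss(), select_response(r, tolerance, years))
            for r in ranked]


# Constructed sample register; every figure is illustrative.
TOLERANCE = 250_000
REGISTER = [
    Risk("Card data breach", 0.25, 4_000_000, True,
         Mitigation(ControlCost(400_000, 100_000, 50_000), 0.0625, 3_200_000)),
    Risk("Teller keying error", 0.5, 100_000, False),
    Risk("Data centre flood", 0.125, 6_400_000, True,
         Mitigation(ControlCost(3_000_000, 200_000, 100_000), 0.0625, 6_400_000)),
    Risk("One-sided partnership", 0.5, 1_200_000, False),
]

if __name__ == "__main__":
    for name, loss, response in prioritised(REGISTER, TOLERANCE):
        print(f"{name:<24} exposure/yr {loss:>12,.0f}  ->  {response}")
```

The flood control fails the test twice over: it leaves the residual exposure above tolerance and costs more than the loss it avoids, so the risk falls through to transfer.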

Risk Control Techniques

Controls may be grouped into managerial, technical or physical controls, and within
each of those groups of controls are various types of controls that can be used, such as
preventive, detective and corrective, recovery and compensating controls.

Risk Control Techniques – Categories

Preventive: Inhibit attempts to violate security policy. Vault-construction doors are
examples of preventive controls.

Deterrent: Provide warnings that may dissuade threat agents from attempting
compromise. E.g., warning banners and rewards for the arrest of a criminal are examples of
deterrent controls.

Directive: Mandate behavior by specifying what actions are and are not permitted,
which may also have a deterrent effect. A policy is an example of directive control.

Detective: Provide warning of violations or attempted violations of security policy. E.g.,
Audit trails.

Corrective: Remediate errors, omissions, unauthorized uses and intrusions when
detected. Data backups and error correction are examples of corrective controls.

Compensating: An alternate form of a control that corrects a deficiency or weakness in
the control structure of the enterprise. This may be considered when an entity cannot
meet a stated requirement due to legitimate technical or business constraints but can
create a comparably acceptable level of risk by other means.

Risk Control Techniques – Overview

What steps should be included in a risk management plan?

An effective risk management plan and following process takes a few steps to
achieve.

How to Develop a Risk Management Strategy


This strategy should be appropriate to the size, responsibilities and capacity of your
organization. The questions below can help form your checklist:

1. Who will be responsible for carrying out the initial risk assessment?

2. What will be the scope or focus of the risk assessment?

3. When will they initiate and complete this initial process of assessing risk?

4. Who will be consulted and how?

5. How will be recorded or documented?

6. When will be presented to the Management Committee?

7. How will the risks be assessed and discussed?

8. How regularly will the risk assessment be reviewed and by whom?



Monitoring and Review


Monitoring and review should be a planned part of the risk management process and
involve regular checking or surveillance. The results should be recorded and reported
externally and internally, as appropriate. The results should also be an input to the review
and continuous improvement of the risk management framework.

Responsibilities for monitoring and review should be clearly de


and review processes should encompass all aspects of the risk management process for
the purposes of:

• Ensuring that controls are effective and efficient in both design and operation
• Obtaining further information to improve risk assessment
• Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures
• Detecting changes in the external and internal context, including changes to risk criteria and to the risks, which may require revision of risk treatments and priorities
• Identifying emerging risks.

Module 3:
Risk Governance and
Internal Reporting
§ Governance is the accountability for protection of the assets of an organization.
In a corporate structure, the directors of an organization (frequently organized as a
board) are accountable for governance and entrust the senior management team
with the responsibility to manage the day-to-day operations of the organization in
alignment with the strategic mandates that the directors approve.
§ Governance answers 4 Strategic questions:
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
§ Risk Governance helps ensure that risk management practices are embedded
in the enterprise, enabling it to secure optimal risk-adjusted return.

Risk Governance – Audit


Audit teams provide independent and objective review of the effectiveness and
appropriateness of the control environment. Information provided by auditors can
underline the need for control enhancement and bring risk to the attention of
management. By working with audit and control teams, the risk practitioner can align the
risk management program with the audit program and may be able to provide
supporting data to the auditors. Recommendations provided by audit in turn will often
require the attention of the risk practitioner through the updating of risk action plans
and the risk register as well as enhancement of controls.

Risk Governance Objective

Risk Reporting

A report to management on the status of the risk management program and the overall
risk profile of the organization will be required for the ERM cycle to be complete. Making
such a report requires the review of the effectiveness of the controls in the organization
and their compliance with established policy. Controls may need adjustment,
replacement or removal depending on the changes in the risk environment and the
acceptance and appropriateness of the controls.

The effectiveness of control monitoring and reporting is dependent on the following:


• Timeliness of the reporting—Are data received in time to take corrective action?
• Skill of the data analyst—Does the analyst have the skills to properly evaluate the
controls and report properly?
• Quality of monitoring data available—Are the monitoring data accurate and
complete?
• Quantity of data to be analyzed—Can the risk practitioner find the important data in the
midst of all the other log data available?

Risk Reporting - Maturity Model Assessment and Improvement Techniques

Routine use of a capability maturity model (CMM) shows the maturation of the risk
management process year over year. A CMM starts with level zero (undefined and ad
hoc activities) and progresses through the steps of defining and following a program;
learning and enhancement of the program; and finally, a mature program that represents
stable, quality processes and reliable, accurate information.

Module 4:
Market Risk: Market Risk
Concept
Market Risk

Market risk is the risk of losses in positions arising from movements in market prices: interest
rates, FX rates, equity prices, etc.

Market risk is the possibility that an individual or other entity will experience losses due to
factors that affect the overall performance of investments in the financial markets.

Types of Market Risk

1. Interest Rate Risk - Interest rate risk arises from unanticipated fluctuations in the interest
rates due to monetary policy measures undertaken by the central bank. The yields offered
on securities across all markets must get equalized in the long run by adjustment of market
demand and supply of the instrument. Hence, an increase in the rates would cause a fall in
the security price. It is primarily associated with fixed-income securities.

2. Commodity Risk - Certain commodities, such as oil or food grain, are necessities for any
economy and complement the production process of many goods due to their utilization
as indirect inputs. Any volatility in the prices of the commodities trickles down to affect the
performance of the entire market, often causing a supply-side crisis. Such shocks not only
cause a decline in stock prices and performance-based dividends, but also reduce a
company’s ability to honor the value of the principal itself.

3. Currency Risk - Currency risk is also known as exchange rate risk. It refers to the possibility
of a decline in the value of the return accruing to an investor owing to the depreciation of
the value of the domestic currency. The risk is usually taken into consideration when an
international investment is being made. In order to mitigate the risk of losing out on foreign
investment, many emerging market economies maintain high foreign exchange reserves in
order to ensure that any possible depreciation can be negated by selling the reserves.

4. Country Risk - Many macro variables that are outside the control of a financial market
can impact the level of return due to an investment. They include the degree of political
stability, level of fiscal deficit, proneness to natural disasters, regulatory environment, ease of
doing business, etc. The degree of risk associated with such factors must be taken into
consideration while making an international investment decision.

Emerging Market Risk

Emerging markets is a term that refers to an economy that experiences considerable
economic growth and possesses some, but not all, characteristics of a developed
economy. Emerging markets are countries that are transitioning from the “developing”
phase to the “developed” phase.

Emerging markets are nations that are investing in more productive capacity. They are
moving away from their traditional economies that have relied on agriculture and the
export of raw materials.


Module 5:
Market Risk Measurement

Market Risk Measurement

Risk measurement refers to evaluation of the likelihood and extent (magnitude) of a risk.

Market risk factors that affect the value of traded portfolios and the income stream or
value of non-traded portfolio and other business activities should be identified and
quantified using data that can be directly observed in markets or implied from
observation or history.

Tools and Techniques

• Value at Risk (VaR)
• Gap analysis
• Sensitivity analysis (mark to market)
• Stress testing

Monitoring of Market Risk Management

Risk monitoring is aimed at evaluating adherence to the risk strategies, policies and
procedures in achieving the overall goals of management of market risk.

Module 6:
Market Risk in
“Trading” book
Trading Activity

The trading activity means the Bank's proprietary positions in financial instruments
which are intentionally held for short-term resale and/or which are taken by the
Bank with the intention of benefiting in the short-term from actual and/or expected
differences between their buying and selling prices, or from other price or interest-
rate variations, and positions in financial instruments arising from matched principal
brokering and market making, or positions taken in order to hedge other elements
of the trading book.

Security classification

The classification of securities shall depend on management's intention at the time of purchase.
• Held to Maturity
• Held for Trade
• Available for Sale

• Held to Maturity (HTM): Only securities which the Bank intends and has the
ability to hold to maturity will be placed in the Held-to-Maturity (HTM) portfolio. The
bank shall not have a positive intention to hold to maturity an investment with an
undefined maturity date and if it stands ready to sell the financial asset (other than if a
situation arises that is non-recurring and could not have been reasonably anticipated
by the bank) in response to changes in market interest rates, risks or liquidity needs.

• Held for Trade: The Bank’s securities will be classified into HFT if acquired for the
purpose of selling or repurchasing in the short term, or a security that has recent
evidence of actual pattern of short-term profit-taking. The key criterion shall be
intention to make profit out of short-term price movements. Investments in securities
that do not have a quoted market price in an active market and whose fair value
cannot be reliably measured shall not be classified as HFT.

• Available for Sale (AFS): Investment securities are securities that are designated
as available for sale (any time) or when it is not in any of the other two classifications
(HTM or HFT). Securities to be held for indefinite periods of time, but not necessarily to
be held-to-maturity or on a long-term basis shall be classified as available-for-sale. If
the bank decides to sell a security that has been classified as available-for-sale, it
should not be transferred to trading. The Bank shall include its investments in equity
shares in AFS category.

Risk Measures in Trading Activity

• Sensitivity analysis
• Stress testing
• Value-at-Risk

Market risk in the trading portfolio arises from the possibility of losses arising from
unfavourable market movements. It is the risk of losing money because the perceived
value of an instrument that is being traded has changed due to changes in factors
such as interest rate, foreign exchange rates, equity prices etc.

Managing market risks in the trading portfolio therefore involves understanding the
relationship between the changes in the value of the instrument or portfolio of
instruments and the related changes in the market factors.

Limits and control framework

• Exposure Limits
• Risk Limits
• Nominal trading Limits
• Stop-loss Limits

Module 7:
Investment Risk:
Investment Risk Concept
Definition of 'Investment Risk’

Investment risk can be defined as the probability or likelihood of occurrence of losses
relative to the expected return on any particular investment.

Description: Stated simply, it is a measure of the level of uncertainty of achieving the
returns as per the expectations of the investor. It is the extent of unexpected results to be
realized.

Risk is an important component in assessment of the prospects of an investment. Most
investors, while making an investment, consider less risk as favorable. The lower the
investment risk, the more lucrative the investment. However, the rule of thumb is the higher the
risk, the better the return.

Types of Investment Risk

There are different types of investment risks. The main ones are

Systematic risks

Unsystematic risks

Systematic risks are also known as market risks, and they tend to have an effect on the
entire economic market or at least a large percentage of it. This type of risk represents the
risk of losing investments because of factors like macroeconomic risk and political risk,
which usually have a negative effect on the market’s performance. It is not easy to manage
market risk by using portfolio diversification.

Apart from this type of risk, systematic risks also include currency risk, inflation risk, country
risk, rate risk, liquidity risk, and sociopolitical risk.

Unsystematic risks
an effect on a certain company or an industry. It represents the risk of losing an investment
due to any hazard specific to the industry or the company.

Some situations like this could be a product recall, a new competitor, or a management
change. Diversification is often used to combat this.

Other types of investment risks apart from these include business risk, country risk, foreign-
exchange risk, counterparty risk, political risk, interest rate risk, liquidity risk, and default or
credit risk.


Module 8:
Investment Risk Measurement
Framework/Process
Overview

Risk measures are statistical measures that are historical predictors of investment risk
and volatility, and they are also major components in modern portfolio theory (MPT).
MPT is a standard financial methodology for assessing the performance of an investment
as compared to its benchmark index.

It involves identifying and analyzing risk in an investment and deciding whether or
not to accept that risk given the expected returns for the investment.

Tools and Techniques

• Standard deviation
• Sharpe ratio
• Beta
• Value-at-risk (VaR)
• R-squared

• Standard deviation - Standard deviation is a method of measuring data
dispersion in regards to the mean value of the dataset and provides a measurement
regarding an investment’s volatility.

• Sharpe ratio - The Sharpe ratio measures performance as adjusted by the
associated risks. This is done by removing the rate of return on a risk-free investment,
such as a Treasury Bond, from the experienced rate of return.

• Beta - Beta measures the volatility or systemic risk of a fund in comparison to the
market or the selected benchmark index.

• Value-at-risk (VaR) - A statistical measurement used to assess the level of risk
associated with a portfolio or company.

• R-squared - R-squared measures the percentage of an investment's movement
attributable to movements in its benchmark index.
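The five measures listed above, computed over constructed monthly returns, as an added example that is not part of the original manual. The return series, the risk-free rate, the function names and the use of historical simulation for VaR are assumptions; the Sharpe ratio here divides the excess return by the standard deviation, which is the usual formula.

```python
import math
from statistics import mean, stdev

# Constructed monthly returns as decimal fractions (0.021 = 2.1%); not real market data.
FUND = [0.021, -0.013, 0.034, 0.008, -0.027, 0.015,
        0.042, -0.009, 0.011, -0.018, 0.026, 0.005]
BENCHMARK = [0.015, -0.010, 0.025, 0.006, -0.020, 0.012,
             0.030, -0.005, 0.009, -0.015, 0.020, 0.004]
RISK_FREE = 0.003  # assumed monthly risk-free rate


def covariance(xs, ys):
    """Sample covariance of two equally long return series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length with at least 2 points")
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) - 1)


def sharpe_ratio(returns, risk_free):
    """Excess return over the risk-free rate per unit of volatility."""
    vol = stdev(returns)
    if vol == 0:
        raise ValueError("returns have zero volatility")
    return (mean(returns) - risk_free) / vol


def beta(returns, benchmark):
    """Sensitivity of the returns to benchmark moves: cov(r, b) / var(b)."""
    bench_var = covariance(benchmark, benchmark)
    if bench_var == 0:
        raise ValueError("benchmark has zero variance")
    return covariance(returns, benchmark) / bench_var


def r_squared(returns, benchmark):
    """Share of the variance in returns explained by the benchmark (correlation squared)."""
    denom = covariance(returns, returns) * covariance(benchmark, benchmark)
    if denom == 0:
        raise ValueError("a series has zero variance")
    return covariance(returns, benchmark) ** 2 / denom


def historical_var(returns, confidence=0.95):
    """Historical-simulation VaR: the loss that was not exceeded in the given
    fraction of observed periods. Returned as a positive number for a loss."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be between 0 and 1")
    if not returns:
        raise ValueError("no returns supplied")
    losses = sorted(-r for r in returns)            # ascending: best period first
    index = math.ceil(confidence * len(losses)) - 1  # position of the quantile
    return losses[index]


def risk_report(returns, benchmark, risk_free, confidence=0.95):
    """All five measures from the list above in one dictionary."""
    return {
        "standard_deviation": stdev(returns),
        "sharpe_ratio": sharpe_ratio(returns, risk_free),
        "beta": beta(returns, benchmark),
        "r_squared": r_squared(returns, benchmark),
        "value_at_risk": historical_var(returns, confidence),
    }


if __name__ == "__main__":
    for name, value in risk_report(FUND, BENCHMARK, RISK_FREE).items():
        print(f"{name:>20}: {value:.4f}")
```

With only twelve observations the 95% historical VaR is simply the worst month, which is why real measurement uses far longer histories.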

Module 9:
Investment Risk
Management
Overview

All investments carry with them some degree of risk. In the financial world, individuals,
professional money managers, financial institutions, and many others encounter and
must deal with risk. Investors can either accept or try to mitigate the risk in investment
decision-making. If they choose inaction and engage in inadequate risk management,
they are likely to experience severe consequences. If investors take appropriate actions
given their investment objectives and risk tolerances, they may lessen the potential for
investment losses. Thus, risk management should be proactive as opposed to reactive.

Therefore, investment risk management is a two-step process of determining what risks
exist in an investment and then handling those risks in a way best-suited to an investor’s
investment.

Monitoring of Investment Risk Management

Any material change in outcome of risk measurement unexplained by a corresponding
change in the following shall be monitored on a daily basis:

• Volatility
• Correlation
• Holding Period
• Portfolio size

Module 10:
Portfolio Management

Overview

A portfolio involves investing in a handful of securities. This wide range of investments
helps diversify away the risk of the portfolio. Portfolio management is therefore the
management of the portfolio combination in such a way as to maximize returns and
minimize the associated risks.

Portfolio management therefore involves the following activities:


• Securities Analysis
• Portfolio Analysis
• Portfolio Selection
• Portfolio Revision
• Portfolio Evaluation.

Portfolio management is the art and science of selecting and overseeing a group of
investments that meet the long-term financial objectives and risk tolerance of a client, a
company, or an institution.

Some individuals do their own investment portfolio management. That requires a basic
understanding of the key elements of portfolio building and maintenance that make
for success, including asset allocation, diversification, and rebalancing.

• Securities Analysis – This refers to analyzing the value of securities like shares and
other instruments to assess the business's total value.

• Portfolio Analysis – This is the process of reviewing or assessing the elements of
the entire portfolio of securities or products in a business. The review is done for careful
analysis of risk and return.

• Portfolio Selection - Portfolio selection aims to assess a combination of securities
from a large quantity of available alternatives. It aims to maximize the investment
returns of investors. Here, investors must make a trade-off between return maximization
and risk minimization.

• Portfolio Revision - The process of adding more assets to an existing portfolio or
changing the ratio of funds invested is called portfolio revision. This is the sale and
purchase of assets in an existing portfolio over a certain period of time to maximize returns
and minimize risk.

• Portfolio Evaluation - The portfolio performance evaluation involves the
determination of how a managed portfolio has performed relative to some comparison
benchmark.

Performance Management

Portfolio performance refers to evaluating the performance of an investor's investment
portfolio. It is essentially a process of comparing a portfolio's return with the return earned
on a benchmark portfolio (or one or more other portfolios or indices).

There are three sets of performance measurement tools to assist with portfolio
evaluations. The Treynor, Sharpe, and Jensen ratios combine risk and return performance
into a single value, but each is slightly different.

Module 11:
Buying and Selling Activities

Introduction and techniques

Buying and selling may be either passive or active.

• Passive management is the set-it-and-forget-it long-term strategy. It may involve
investing in one or more exchange-traded (ETF) index funds. This is commonly
referred to as indexing or index investing. Those who build indexed portfolios may
use modern portfolio theory (MPT) to help them optimize the mix.

• Active management involves attempting to beat the performance of an index by
actively buying and selling individual stocks and other assets. Closed-end funds are
generally actively managed. Active managers may use any of a wide range of
quantitative or qualitative models to aid in their evaluations of potential
investments.

Portfolio management

Portfolio management requires the ability to weigh strengths and weaknesses,
opportunities and threats across the full spectrum of investments.

The key to effective portfolio management involves the following:

• Asset allocation
• Diversification
• Rebalancing

• Asset allocation is based on the understanding that different types of assets do not
move in concert, and some are more volatile than others. A mix of assets provides
balance and protects against risk.

• Diversification involves spreading the risk and reward of individual securities within
an asset class, or between asset classes. This is done because it is difficult to know which
subset of an asset class or sector is likely to outperform another.

• Rebalancing is used to return a portfolio to its original target allocation at regular
intervals, usually annually. This is done to reinstate the original asset mix when the
movements of the markets force it out of kilter.

Module 12:
Liquidity Risk: Liquidity
Risk Concept
Overview of Liquidity Risk

Liquidity is a bank's ability to meet its cash and collateral obligations without sustaining
unacceptable losses. Liquidity risk refers to how a bank’s inability to meet its obligations
(whether real or perceived) threatens its financial position or existence. Institutions
manage their liquidity risk through effective asset liability management (ALM).

Prior to the global financial crisis, financial institutions of all shapes and sizes took liquidity and
balance sheet management for granted. But during the crisis, many institutions struggled
to maintain adequate liquidity and appropriate balance sheet structure, which led to both
bank failures and the need for central banks to inject liquidity into national
financial systems to keep the economy afloat.

As the dust from the crisis began to settle, one thing became clear: Banks and capital
markets firms need to do a better job managing their liquidity and balance sheets. And
self-preservation isn’t the only motive for doing so. The consequences of poor asset-liability
management can reach far beyond the walls of any one financial institution. It can affect
the entire financial ecosystem and even the global economy.

Regulatory bodies are doing their part to prevent another financial crisis in the future. The
onus is now on the financial institutions themselves to shore up liquidity risk and balance
sheet management, both for the good of the firm and the economy.

How can banks achieve adequate liquidity?

Banks can increase their liquidity in multiple ways, each of which ordinarily has a cost,
including:
• Shorten asset maturities
• Improve the average liquidity of assets
• Lengthen liability maturities
• Issue more equity
• Reduce contingent commitments
• Obtain liquidity protection

Impact of liquidity crisis: deposits, creditors and systemic issues

Individual financial institutions are not the only ones who can have a liquidity problem.
When many financial institutions experience a simultaneous shortage of liquidity and draw
down their self-financed reserves, seek additional short-term debt from credit markets, or try
to sell-off assets to generate cash, a liquidity crisis can occur. Interest rates rise, minimum
required reserve limits become a binding constraint, and assets fall in value or become
unsaleable as everyone tries to sell at once.

The acute need for liquidity across institutions becomes a mutually self-reinforcing positive
feedback loop that can spread to impact institutions and businesses that were not initially
facing any liquidity problem on their own.

Entire countries—and their economies—can become engulfed in this situation. For the
economy as a whole, a liquidity crisis means that the two main sources of liquidity in the
economy—bank loans and the commercial paper market—become suddenly scarce.
Banks reduce the number of loans they make or stop making loans altogether.

Fundamental principle for the management and supervision of liquidity risk

Principle 1: A bank is responsible for the sound management of liquidity risk. A bank should establish a
robust liquidity risk management framework that ensures it maintains sufficient liquidity,
including a cushion of unencumbered, high quality liquid assets, to withstand a range of
stress events, including those involving the loss or impairment of both unsecured and
secured funding sources. Supervisors should assess the adequacy of both a bank's
liquidity risk management framework and its liquidity position and should take prompt
action if a bank is deficient in either area in order to protect depositors and to limit
potential damage to the financial system.

Interrelationship between liquidity, credit, market, operational risks

Liquidity conditions interact with operational risk, market risk and credit risk through the
horizon over which assets can be liquidated. In particular, deteriorating market liquidity
often forces banks to lengthen the horizon over which they can execute their risk
management strategies. As this time horizon lengthens, overall risk exposures generally
increase, as does the contribution of credit risk relative to market risk. The liquidity of
traded products can vary substantially over time and in unpredictable ways. Such
liquidity fluctuations, all else equal, should have a larger impact on prices of products with
greater credit risk. Conversely, as the financial crisis illustrates, valuation uncertainties or
other shocks that enhance actual or perceived credit risks can have adverse effects on
liquidity and put in motion a downward spiral between market prices and liquidity of
traded credit products.

Role of Supervision

Supervisors are expected to regularly perform a comprehensive assessment of a bank’s
overall liquidity risk management framework and liquidity position to determine whether
they deliver an adequate level of resilience to liquidity stress given the bank’s role in the
financial system.

Supervisors should require that banks:

• have a robust liquidity risk management strategy, policies and procedures to
identify, measure, monitor and control liquidity risk; and
• maintain a sufficient level of liquidity as insurance against liquidity stress.

Supervisors should have in place a supervisory framework which allows them to make
thorough assessments of banks’ liquidity risk management practices and the adequacy
of their liquidity, in both normal times and periods of stress. Such assessments may be
conducted through on-site inspections and off-site monitoring and should include regular
communication with a bank’s senior management and/or the board of directors. The
supervisory framework should be publicly available.

Module 13:
Liquidity Risk Governance

Liquidity risk tolerance

A bank should clearly articulate a liquidity risk tolerance that is appropriate for its business
strategy and its role in the financial system.

This is often referred to as the level of liquidity risk that the firm is willing to assume.

A bank should set a liquidity risk tolerance in light of its business objectives, strategic
direction and overall risk appetite. The board of directors is ultimately responsible for the
liquidity risk assumed by the bank and the manner in which this risk is managed and
therefore should establish the bank’s liquidity risk tolerance. The tolerance, which should
define the level of liquidity risk that the bank is willing to assume, should be appropriate for
the business strategy of the bank and its role in the financial system and should reflect the
bank’s financial condition and funding capacity.

The tolerance should ensure that the firm manages its liquidity strongly in normal times in
such a way that it is able to withstand a prolonged period of stress. The risk tolerance
should be articulated in such a way that all levels of management clearly understand the
trade-off between risks and profits. There are a variety of qualitative and quantitative ways
in which a bank can express its risk tolerance. For example, a bank may quantify its
liquidity risk tolerance in terms of the level of unmitigated funding liquidity risk the bank
decides to take under normal and stressed business conditions.

Strategies, policies, and practices

Senior management are expected to develop a strategy, policies and practices to
manage liquidity risk in accordance with the risk tolerance and to ensure that the Bank
maintains sufficient liquidity.

Senior management should continuously review information on the Bank’s liquidity
developments and report to the board of directors on a regular basis. A Bank’s board of
directors should review and approve the strategy, policies and practices related to the
management of liquidity at least annually and ensure that senior management
manages liquidity risk effectively.

Senior management is responsible for developing and implementing a liquidity risk
management strategy in accordance with the bank’s risk tolerance. The strategy should
include of
assets and liabilities; the diversity and stability of funding sources; the approach to
managing liquidity in different currencies, across borders, and across business lines and
legal entities; the approach to intraday liquidity management; and the assumptions on
the liquidity and marketability of assets. The strategy should take account of liquidity
needs under normal conditions as well as liquidity implications under periods of liquidity
stress, the nature of which may be institution- -wide or a combination of
the two. The strategy may include various high-level quantitative and qualitative targets.

The liquidity strategy should be appropriate for the nature, scale and complexity of a
bank’s activities. In formulating this strategy, the bank should take into consideration its
legal structures (e.g., a mix of foreign branches versus foreign operating subsidiaries),
key business lines, the breadth and diversity of markets, products, and jurisdictions in
which it operates, and home and host regulatory requirements.

Liquidity costs, benefits and risks

Banks are expected to incorporate liquidity costs, benefits and risks in the internal pricing,
performance measurement and new product approval process for all significant
business activities (both on- and off-balance sheet), thereby aligning the risk-taking
incentives of individual business lines with the liquidity risk exposures their activities create
for the bank as a whole.

Senior management should ensure that a bank’s liquidity management process includes
measurement of the liquidity costs, benefits and risks implicit in all significant business
activities, including activities that involve the creation of contingent exposures which
may not immediately have a direct balance sheet impact. These costs, benefits and risks
should then be explicitly attributed to the relevant activity so that line management
incentives are consistent with and reinforce the overarching liquidity risk tolerance and
strategy of the bank, with a liquidity charge assigned as appropriate to positions,
portfolios, or individual transactions. This assignment of liquidity costs, benefits and risks
should incorporate factors related to the anticipated holding periods of assets and
liabilities, their market liquidity risk characteristics, and any other relevant factors,
including the benefits from having access to relatively stable sources of funding, such as
some types of retail deposits.

Depositor Insurance schemes

Deposit insurance schemes are designed to minimize or eliminate the risk that depositors
placing funds with a bank will suffer a loss. Deposit insurance thus offers protection to the
deposits of households and small business enterprises, which may represent life savings or
vital transactions balances. With a deposit insurance system in place, these households
and businesses can “go about their business” with some assurance that their funds are
secure. This in turn supports the stability and smooth operations of the economy.

Module 14:
Asset Liquidity and
Funding Needs
Overview

Asset/liability management is a crucial process designed to maximize an institution's
profitability while managing risk. The broad goal of ALM is to help produce sustainable
earnings without compromising other interests of the institution.

Breaking this goal of ALM down, this means accomplishing three key objectives:
• Meet financial goals
• Manage risks
• Maintain safety and soundness.

Liquidity of Assets under stressed market conditions

A stressed market condition can lead to a simultaneous increase in demand and
decrease in supply of liquidity across many financial institutions or other businesses.
At the root of this is widespread maturity mismatching among banks and other
businesses and a resulting lack of cash and other liquid assets when they are needed.

Stability of funding and appropriateness for asset base

Stability of funding and appropriateness for asset base refers to the types and amounts
of equity and liability financing expected to be reliable sources of funds over a time
horizon under conditions of extended stress.

Fair-valued asset pricing hierarchies

Level 1 assets include listed stocks, bonds, funds, or any assets that have a regular mark-
to-market mechanism for setting a fair market value.

Level 2 assets are financial assets and liabilities that are difficult to value. Although a fair
value can be determined based on other data values or market prices, these assets do
not have regular market pricing.

Level 3 assets are financial assets and liabilities considered to be the most illiquid and
hardest to value. They are not traded frequently, so it is difficult to give them a reliable
and accurate market price.

Collateral Assessment
This is the methodology used by a bank to measure the value of collateral linked to its
lending or trading activities. This involves:

• Understanding an asset’s condition and its overall desirability.
• Identifying how stable an asset’s value is, how active its secondary market is, and
how easy it is to transfer the title.
• Employing an appraisal to support estimates of an asset’s value and to provide
commentary on its condition.

Early warning signals

Early warning signals (EWSs) are a group of statistical time-series signals which could be
used to anticipate a critical transition before it is reached. An example of an EWS is a
liquidity spiral.

Liquidity spiral: a situation in which falling asset prices can prompt banks to reduce the
supply of credit, causing further falls in asset prices.

Stress scenarios

A stress scenario is a collection of assumptions about potential future economic conditions
that are not the expected outcome over an assessment horizon but do have a material
probability of occurring and would tend to induce huge losses if they did occur.
Its impact can be viewed from an idiosyncratic (unsystematic) or market-wide (systematic)
standpoint. Idiosyncratic stress is that which is endemic to an individual asset or a
particular entity. Systematic stress refers to that which is inherent to the entire market
or market segment.

Systemic risk and impact on market and funding liquidity

Systemic risk
company, industry, financial institution, or an entire economy. It is the risk of a major
failure of a financial system, whereby a crisis occurs when providers of capital, i.e.,
depositors, investors, and capital markets, lose trust in the users of capital, i.e., banks,
borrowers, leveraged investors, etc. or in a given medium of exchange. It is inherent in a
market system, and hence unavoidable.

Stress testing

impact on portfolio values of unlikely, although plausible, events or movements in a set
of financial variables.

The stress test should factor in the following dimensions within a portfolio:
• Illiquidity of the position.
• Concentrated positions.
• One-way market movements.
• Non-linear products.
• Deep out-of-money positions.
• Jumps-to-default.
• Shifts in correlation and volatility.
• Portfolio sensitivity.

Trigger events

A risk trigger is an indicator that a risk is about to occur or has occurred. Triggers may
be discovered during the risk identification process and monitored as a process is executed.
A reliable method for identifying a risk trigger is to first identify the root cause of the risk.
Every risk event should have an accompanying trigger that is documented and
monitored by someone familiar with the process of risk monitoring.

Module 15:
Liquidity Risk Management

Liquidity Risk Tolerance

Liquidity risk tolerance refers to both the absolute risk a Bank is open to take and the
actual limits that the Bank pursues.

All investments involve some degree of risk and knowing their risk tolerance level
helps investors plan their entire portfolio, determining how they invest. Based on how
much risk they can tolerate, investors are classified as aggressive, moderate, and
conservative.

Regulatory responses to liquidity problems

• Regulators are to supplement their regular assessments of a bank’s liquidity risk
management framework and liquidity position by monitoring a combination of
internal reports, prudential reports and market information.

• Regulators are to intervene by requiring effective and timely remedial action by a
bank to address deficiencies in its liquidity risk management processes or liquidity
position.

• Regulators are to communicate with other public authorities, such as central banks,
both within and across national borders, to facilitate effective cooperation
regarding the supervision and oversight of liquidity risk management.

Bank actions to strengthen liquidity risk management

• A bank should have a sound process for identifying, measuring, monitoring and
controlling liquidity risk.

• A bank should actively monitor and control liquidity risk exposures and funding needs
within and across legal entities, business lines and currencies, taking into account
legal, regulatory and operational limitations to the transferability of liquidity.

• A bank should establish a funding strategy that provides effective diversification in
the sources and tenor of funding.

• A bank should actively manage its intraday liquidity positions and risks to meet
payment and settlement obligations on a timely basis under both normal and
stressed conditions.

• A bank should actively manage its collateral positions, differentiating between
encumbered and unencumbered assets.

• A bank should conduct stress tests on a regular basis for a variety of short-term and
protracted institution-specific and market-wide stress scenarios (individually and in
combination) to identify sources of potential liquidity strain and to ensure that current
exposures remain in accordance with a bank’s established liquidity risk tolerance.

• A bank should have a formal contingency funding plan (CFP) that clearly sets out the
strategies for addressing liquidity shortfalls in emergency situations.

• A bank should maintain a cushion of unencumbered, high quality liquid assets to be
held as insurance against a range of liquidity stress scenarios, including those that
involve the loss or impairment of unsecured and typically available secured funding
sources.

Module 16:
Credit Risk: Overview of Credit Risk

Overview of Credit Risk

Credit risk arises from both lending and trading activities. In lending business, credit risk is
the potential that an obligor is either unwilling to perform on an obligation or its ability to
perform such obligation is impaired resulting in economic loss to the Bank. In the case of
trading activity, credit risk reflects the possibility that the trading counterparty will not be
able to complete the contract at any stage.

Losses due to credit risk could emanate from the Bank’s dealings with an individual,
corporate, financial institution or a sovereign.

Types of Credit Risk

Pre-settlement Risk
Pre-settlement risk (PSR) is the risk of default on a contractual obligation before
settlement of the contract by a counterparty in a transaction.

Settlement Risk
Settlement risk occurs when payments are not exchanged simultaneously. For instance,
a bank makes a payment to a counterparty but will not be recompensed until some time
later; the risk is that the counterparty may default before making the counter payment.

Default Risk
This is the risk that companies or individuals will be unable to pay the contractual interest
or principal on their debt obligations. For example, a debt issuer is said to be in default
when it indicates it will not make a contractual interest payment to lenders.
The likelihood of the default occurring is known as the probability of default.

Counterparty Risk
Counterparty credit risk is the risk that a counterparty to a transaction will fail to perform
according to the terms and conditions of the contract, thus causing the holder of the
claim to suffer a loss in cash or market value.

Credit concentration Risk


A risk concentration is any single exposure or group of exposures with the potential to
produce losses large enough (relative to a bank's capital, total assets, or overall risk level)
to threaten a bank's health or ability to maintain its core operations.

Components of Credit Risk Measurement

Exposure at default
Exposure at default is the predicted amount of loss a lender may incur if a debtor defaults
on their loan. It is the realized value of what the bank may lose if one of its borrowers is
unable to satisfy their debt obligation.

Probability of default
Probability of default (PD) is the likelihood that a borrower will fail to pay back a debt. For
individuals, a credit scorecard is used to gauge credit risk. For businesses, probability of
default is reflected in credit ratings.

Loss given default


Loss given default (LGD) is the estimated amount of money a bank or other financial
institution loses when a borrower defaults on a loan.

Credit Risk correlations

Default Correlation denotes a measure of Default Dependency between different
borrowers when considered as part of a Credit Portfolio. It measures the likelihood of Joint
Default within the period of consideration.

Default correlation measures whether credit risky assets are more likely to default
together or separately.

Techniques for analyzing probability of Default Risk

Credit scoring

A credit rating is an opinion of a particular credit agency regarding the ability and
willingness of an entity (government, business, or individual) to fulfill its financial
obligations in full and within the established due dates. A credit rating also signifies the
likelihood a debtor will default.

There are many alternatives for estimating the probability of default. Default probabilities
may be estimated from a historical database of actual defaults. This may be further
segmented into two categories: historical data and statistical techniques.

For historical data, banks use logistic regression to estimate actual default in small
businesses and external credit ratings in much larger businesses.

For statistical techniques, the following models are used.


• Linear regression
• Discriminant analysis
• Logit and probit Models
• Panel models
• Cox proportional hazards model
• Neural networks
• Classification trees

Techniques for analyzing probability of Default

Logit, Probit models of Probability of Default Risk Estimation


The logit model is used to model the odds of success of an event as a function of
independent variables, while the probit model is used to determine the likelihood that an
item or event will fall into one of a range of categories by estimating the probability that
an observation with given features will belong to a particular category.

Altman Z score and Zeta models

Altman’s Z-Score model is a numerical measurement that is used to predict the chances
of a business going bankrupt in the next two years. It is considered an effective method of
predicting the state of financial distress of any organization by using multiple balance
sheet values and corporate income.

The Z-score model is based on five key financial ratios.


• Working Capital/Total Assets
• Retained Earnings/Total Assets
• Earnings Before Interest and Tax/Total Assets
• Market Value of Equity/Total Liabilities
• Sales/Total Assets

1. Working Capital/Total Assets


Working capital is the difference between the current assets of a company and its current
liabilities. The value of a company’s working capital determines its short-term financial
health. A positive working capital means that a company can meet its short-term
financial obligations and still make funds available to invest and grow.

In contrast, negative working capital means that a company will struggle to meet its
short-term financial obligations because there are inadequate current assets.

2. Retained Earnings/Total Assets


The retained earnings/total assets ratio shows the amount of retained earnings or losses in
a company. If a company reports a low retained earnings to total assets ratio, it means
that it is financing its expenditure using borrowed funds rather than funds from its retained
earnings. It increases the probability of a company going bankrupt.

On the other hand, a high retained earnings to total assets ratio shows that a company
uses its retained earnings to fund capital expenditure. It shows that the company
achieved profitability over the years, and it does not need to rely on borrowings.

3. Earnings Before Interest and Tax/Total Assets


EBIT, a measure of a company’s profitability, refers to the ability of a company to generate
profits solely from its operations. The EBIT/Total Assets ratio demonstrates a company’s
ability to generate enough revenues to stay profitable and fund ongoing operations and
make debt payments.

4. Market Value of Equity/Total Liabilities


The market value, also known as market capitalization, is the value of a company’s
equity. It is obtained by multiplying the number of outstanding shares by the current price
of stocks.

The market value of equity/total liabilities ratio shows the degree to which a
company’s market value would decline when it declares bankruptcy before the value of
liabilities exceeds the value of assets on the balance sheet. A high market value of equity
to total liabilities ratio can be interpreted to mean high investor confidence in the
company’s financial strength.

5. Sales/Total Assets
The sales to total assets ratio shows how efficiently the management uses assets to
generate revenues vis-à-vis the competition. A high sales to total assets ratio means
that the management requires a small investment to generate sales, which
increases the overall profitability of the company.

In contrast, a low or falling sales to total assets ratio means that the management will
need to use more resources to generate enough sales, which will reduce the company’s
profitability.

Credit Risk Rating Systems & Validation

Risk rating models are tools used to assess the probability of default. The concept of a risk
rating model is deeply interconnected with the concept of default risk and is a key tool in
areas such as risk management, underwriting, capital allocation, and portfolio
management.

Factors Used in Risk Rating Models


• Judgment vs. Data
• Borrower’s Financial Health
• Industry Characteristics
• Management’s Quality and Reliability
• Political and Environmental Risks

Types of credit rating

Long-term ratings are assigned to issuers or obligations with an original maturity of one
year or more and reflect both the likelihood of a default on contractually promised
payments and the expected financial loss suffered in the event of default.

Short-term ratings are assigned to obligations with an original maturity of thirteen months
or less and reflect both the likelihood of a default on contractually promised payments
and the expected financial loss suffered in the event of default.

Issuer Ratings are opinions of the ability of entities to honor senior unsecured debt and
debt-like obligations. As such, Issuer Ratings incorporate any external support that is
expected to apply to all current and future issuance of senior unsecured financial
obligations and contracts.

Issue credit rating is a forward-looking opinion about the creditworthiness of an obligor
with respect to a specific financial obligation. It takes into consideration the
creditworthiness of guarantors, insurers, or other forms of credit enhancement on the
obligation and takes into account the currency in which the obligation is denominated.

Ratings scales

Concept of Credit rating migration


Credit rating migration reflects a change in the credit rating of a company or (bond)
issuer. Investors can use credit migration to determine if a company's credit is getting
better or worse.

A change in a rating reflects the assessment that the company’s credit quality has
improved (upgrade) or deteriorated (downgrade).

Credit Rating migration matrices

A Rating Migration Matrix is a fundamental mathematical object used in connection
with a Credit Rating System that employs a Rating Scale. The matrix captures the probability
that a certain obligor will transition (migrate) from one credit state to another over a given
time period.
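
The sketch below is an added example, not part of the original manual. It shows how a one-year migration matrix gives multi-year migration and cumulative default probabilities. The three-grade scale, the probabilities and the function names are constructed for illustration, and the calculation assumes the same matrix applies every year (a time-homogeneous Markov chain) with default as an absorbing state.

```python
"""Multi-year rating migration from a one-year matrix (constructed data)."""

STATES = ["A", "B", "D"]  # constructed three-grade scale; "D" is default

# Constructed one-year migration matrix: row = current grade, column = grade
# one year later. Illustrative values only, not rating-agency statistics.
ONE_YEAR = [
    [0.90, 0.08, 0.02],
    [0.10, 0.80, 0.10],
    [0.00, 0.00, 1.00],
]


def validate(matrix, tol=1e-9):
    """Check the matrix is square and every row is a probability distribution."""
    n = len(matrix)
    for i, row in enumerate(matrix):
        if len(row) != n:
            raise ValueError("migration matrix must be square")
        if any(p < 0.0 or p > 1.0 for p in row):
            raise ValueError(f"row {i} has an entry outside [0, 1]")
        if abs(sum(row) - 1.0) > tol:
            raise ValueError(f"row {i} does not sum to 1")
    return True


def multiply(a, b):
    """Plain matrix product of two square matrices of equal size."""
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def migrate(matrix, years):
    """Return the migration matrix over `years` periods (matrix power)."""
    validate(matrix)
    if years < 0:
        raise ValueError("years must be non-negative")
    n = len(matrix)
    result = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(years):
        result = multiply(result, matrix)
    return result


def cumulative_default(matrix, start, years, states=STATES, default_state="D"):
    """Probability that an obligor starting in `start` has defaulted by `years`.

    Reading this from the default column is only valid if default is
    absorbing (an obligor never leaves it), so that is checked first.
    """
    d = states.index(default_state)
    if abs(matrix[d][d] - 1.0) > 1e-9:
        raise ValueError("default state must be absorbing")
    return migrate(matrix, years)[states.index(start)][d]


if __name__ == "__main__":
    for grade in ("A", "B"):
        for horizon in (1, 2, 5):
            pd = cumulative_default(ONE_YEAR, grade, horizon)
            print(f"grade {grade}, {horizon}-year cumulative PD: {pd:.4f}")
```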

Module 17:
Basel System
Basel permits banks a choice between two broad methodologies for calculating credit
risk. One alternative, the Standardized Approach, is to measure credit risk in a
standardized manner, supported by external credit assessments.

The other alternative, the Internal Ratings-based Approach, which is subject to the explicit
approval of the bank’s supervisor, would allow banks to use their internal rating systems for
credit risk.

Credit Rating Systems

The internal ratings-based approach to credit risk allows banks to model their own inputs
for calculating risk-weighted assets from credit exposures to retail, corporate, financial
institution and sovereign borrowers, subject to supervisory approval. Under foundation IRB,
banks model only the probability of default.

Under the advanced IRB approach, banks can also model their own loss given default
(LGD) and exposure-at-default (EAD) levels. LGD is the absolute amount of money lost if a
borrower defaults while EAD is the amount a bank is exposed to at the time of the same
default.

Minimum requirements – Basel Accord Credit Rating systems


• Meaningful differentiation of credit risk;
• Completeness and integrity of rating assignment;
• Oversight of the rating system and processes;
• Criteria of rating system;
• Estimation of PD;
• Data collection and IT systems;
• Use of internal ratings;
• Internal validation; and
• Disclosure

Best practices in Credit Rating Systems

There are five key elements.

• A classification of exposures by broad exposure type;
• For each exposure class, certain risk components which a bank must provide, using
standardized parameters or its internal estimates;
• A risk-weight function which provides risk weights (and hence capital requirements)
for given sets of these components;
• A set of minimum requirements that a bank must meet in order to be eligible for IRB
treatment for that exposure, and
• Across all exposure classes, supervisory review of compliance with the minimum
requirements.

Validation of Credit Rating Systems

This process describes the requirements for internal validation for both the PD estimates
assigned to the rating grades and the techniques used to assign the ratings. It is one of the
most important requirements for banks to properly execute if they are to credibly estimate
their level of credit risk and the resulting regulatory capital requirements. As a result of its
importance, validation will likely receive significant supervisory attention prior to allowing a
bank to adopt the IRB approach. A bank should also be able to readily demonstrate these
capabilities to its supervisor prior to adoption of the IRB approach and on an ongoing
basis.

Module 18:
Portfolio Credit Risk Management

Understanding approaches of model portfolio

A model portfolio is a collection of assets owned by the underlying investor and
continually managed by professional investment managers. Model portfolios employ a
diversified investment approach to target a particular balance of return and risk or
portfolio objective.

It is also used to estimate a credit portfolio’s probability density function (PDF).

There are three major types of models of credit portfolio at present:
• Moody's KMV model (Portfolio Model).
• CreditMetrics model by JPMorgan.
• Portfolio approach.

Credit risk model

The CreditMetrics model is used to analyze and manage the credit risk of a portfolio of
investment instruments, unlike other models which are more specialized in the analysis of
the credit risk of individual investment instruments.

The KMV model supposes that the company is in a situation of default when the value of
its assets is less than the value of its debts.

Module 19:
Credit Risk Derivatives

Overview

A credit derivative is a financial contract that allows parties to minimize their exposure to
credit risk. Credit derivatives consist of a privately held, negotiable bilateral contract
traded over-the-counter (OTC) between two parties in a creditor/debtor relationship.
These allow the creditor to effectively transfer some or all of the risk of a debtor defaulting
to a third party. This third party accepts the risk in return for payment, known as the
premium.

Types of credit derivatives

Credit default swap (CDS) is a financial derivative that allows an investor to swap or offset
their credit risk with that of another investor. To swap the risk of default, the lender buys a
CDS from another investor who agrees to reimburse them if the borrower defaults.

Collateralized debt obligation (CDO) is a complex structured finance product that is
backed by a pool of loans and other assets and sold to institutional investors.

Credit-linked note (CLN) is a security with an embedded credit default swap permitting
-linked notes are created
through a special purpose vehicle (SPV), or trust, which is collateralized with AAA-rated
securities.

Interest Rate Swap (IRS) is a derivative financial instrument in the form of an agreement
between various parties (counterparties) to exchange periodic interest payments at a
certain amount of a specified nominal value, called the notional principal amount.

Forex options are derivatives based on underlying currency pairs. Trading forex options
involves a wide variety of strategies available for use in forex markets, where foreign
currencies are traded.

Repurchase agreement (repo) is a form of short-term borrowing for dealers in government
securities. In the case of a repo, a dealer sells government securities to investors, usually on
an overnight basis, and buys them back the following day at a slightly higher price. That
small difference in price is the implicit overnight interest rate.

Personal Development Action Plan