Session 32-33

RISK MANAGEMENT
IN BANKS
The important dimensions of risk management in
banks are: banking risks, RBI prescribed risk
management framework in terms of asset liability
management practices, credit risk management,
operational risk management and stress testing by
Indian banks in the perspective of international
practices.

2
 Banking Risks

Banking risks can be categorised into business-

related risks and control-related risks.

3
 Business Related Risks

Business-related risks are associated with the

operational activities and market environment of
banks. There are six types of such risks: credit risk;
market risk; country risk; business environment risk;
operational risk; and group risk.

4
Credit risk is the possibility of losses associated with
a diminution in the credit quality of
borrowers/counterparties. Losses may arise from
outright default due to inability/ unwillingness of
borrowers/ counterparties to meet commitments, as
also due to risk inherent in the nature of business
activity and environment in terms of obsolescence of
technology/product(s) design, competition,
inadequate supply of inputs, lack of infrastructure and
so on.

5
Market risk is caused due to a change in the market
variables having an adverse impact on the
earnings/capital of a bank. The market risk comprises
of interest rate risk, foreign exchange risk, equity
price risk, commodity price risk and liquidity risk.

6
Interest rate risk may be on account of changes in interest
rates, both of assets and liabilities (basis risk), mismatch
between assets and liabilities (mismatch/gap risk),
depreciation in the assets portfolio due to an increase in the
market interest rate (price risk). Forex risk is caused by the
effect of an adverse exchange rate movement on the foreign
currency exposure of banks and includes transaction
exposure, translation exposure and economic exposure.
Equity price risk relates to capital market exposures which
arise due to an adverse movement in the equity prices.
Liquidity risk is caused by a mismatch in the maturity of assets
and liabilities.

7
Country risk arises when a foreign country is unable
to repay its debts. It includes currency transfer risk,
political risk, cross-border risk and sovereign risk.

Business environment risk arises due to lending

policies relating to identification of target markets,
products/customer base, formulated without prior
planning.

8
Operational risk is caused by deficient internal
processes/systems/procedures, non-conducive work
environment, demotivated/ untrained/incompetent
staff, obsolete/untested technology and so on.

Group risk may arise from subsidiaries of banks

engaged in merchant banking, mutual funds,
insurance and so on.

9
 Control Related Risks

Control-related risks are associated with the

weaknesses in the control systems of banks due to
organisational bottlenecks in the form of
inadequate/inappropriate structure.

10
 ALM Practices

The RBI guidelines relating to ALM focus on interest

rate and liquidity risk management systems in banks,
which form a part of the ALM function. The main
elements of the ALM system are: ALM information
system, ALM organisation and ALM process.

11
 ALM Information System

The ALM system should be built up on a sound

methodology, with the necessary information system
as a back up. Information is key to the ALM process.
A uniform system is not feasible for all banks. The
ALM system analyses information on the basis of
residual maturity and behavioural pattern. Banks
should initially follow the ABC approach, that is,
analyse the behaviour of the asset and liability
products in the sample

12
branches that account for significant business and
make rational assumptions about the behaviour of
the assets and liabilities in other branches. The data
and assumptions can be refined over time in the light
of experience of conducting business within the ALM
framework. The spread of computerisation would
facilitate accessing of data.

13
 ALM Organisation

The Board of Directors should have the overall responsibility

for the management of risk and of deciding the risk
management policy of the bank, besides setting limits for
liquidity, interest rate, forex and equity price risk. The ALCO
should ensure adherence to the limits set by the Board and
decide the business strategy of the bank on the assets and
liability side, in line with the budget and risk management
objectives. A sub-committee of the Board should oversee the
implementation of the system and review its functioning
periodically.

14
 ALM Process

The ALM process mainly addresses liquidity and

interest rate risks.

15
Bank management should not only measure the liquidity
position of banks on an ongoing basis, but also examine how
liquidity requirements are likely to evolve under different
assumptions. Liquidity should be tracked through
maturity/cashflow estimates. The use of the maturity ladder
and calculation of cumulative surplus/deficit of funds at
selected maturity dates may be used to measure/manage the
net funding requirements. The maturity profile of the various
heads of accounts should be used for measuring the future
cashflows in different time brackets: 1-14 days; 15-28 days; 29
days upto 3 months; 3-6

16
months; 6 months – 1 year; 1 – 3 years; 3 – 5 years;
and over 5 years. Within each time bracket, there
could be mismatches between cash-inflows and
outflows. The main focus should be on short-term
mismatches, namely, 1- 14 days and 15-28 days. The
mismatches (negative gap) in the normal course
should not exceed 20 per cent of the cashoutflows in
each time bracket.

17
A statement of structural liquidity may be prepared by placing
all cash inflows (i.e., maturing assets) and cash outflows (i.e.,
maturing liabilities) in the maturity ladder, according to the
timing of the cashflows. While determining the tolerance level
in mismatches, banks should take into account all the relevant
factors, based on their asset liability base, nature of business,
future strategy and so on and further refined with experience
gained in liquidity management. To monitor their short-term
liquidity on a dynamic basis, over a time horizon spanning
from 1–90 days, banks may estimate

18
their short-term liquidity profiles on the basis of
business projections and other commitments for
planning purposes.

19
Interest rate risk has two dimensions. The immediate effect
of a change in the interest rate is on its net interest income
(NII) or net interest margin (NIM). The long-term impact is
on the market value of equity (MVE)/networth.

Initially, banks should use the traditional gap analysis to

measure the interest rate risk and move over to modern
techniques of interest risk measurement, such as duration
gap analysis, simulation and VaR overtime, when they
acquire sufficient expertise and sophistication in acquiring
and handling MIS.

20
Gap analysis measures mismatches between rate
sensitive liabilities and assets. Such assets and
liabilities should be grouped into time brackets
according to the residual maturity or next repricing
period, whichever is earlier. The gaps may be
classified into the following time-brackets: 1–28
days; 29 days to 3 months; 3–6 months; 6 months
– 1 year; 1–3 years; 3–5 years; over 5 years; and
non-sensitive.

21
 The gap is the difference between rate sensitive
assets (RSAs) and rate sensitive liabilities (RSLs)
for each time bracket. RSAs > RSLs = positive
gap; RSAs < RSLs = negative gap. The gap
report indicates whether the bank can benefit
from rising interest rates (positive gap) or from a
declining interest rate (negative gap).

22
 Credit Risk Management

The main elements of the RBI credit risk

management framework are: credit risk policies and
procedures; organisational structure for effective
credit administration; and credit rating framework.­

23
Credit Risk Policies/Procedures

The credit risk is the possibility of losses associated

with a diminution in the credit quality of the
borrowers/counterparties. Losses may stem from
outright default due to inability/unwillingness of a
customer/ counterparty to meet commitments in
relation to lending/settlement/other financial
transaction. Losses may also result from a
reduction in the portfolio value arising from
actual/perceived deterioration in the credit quality.

24
Banks should prepare a comprehensive and well
articulated/written credit policy document, highlighting the
strategy, policies and procedures for effective management of
credit and mitigation of credit risks. The main features of the
policies/procedures, inter alia, should include identification of
activities/industries doing well, delegation of
approving/sanctioning powers, linking credit risk scoring/rating
system and risk acceptance criteria with risk rating of
borrowers, laying down prudential exposure limits for loans,
discussion of concentration risk/loan review mechanism and
renewal systems, evolution of effective systems of
monitoring operational/

25
financial performance of borrowers, laying down
guidelines on pre-sanction appraisal and monitoring,
discussion of forex risk, fixation of limits for
inter-bank exposures, laying down guidelines on
multiple credit approval/policies on exposure to high-
risk sectors, evolving consistent approach towards
early recognition of problem-exposures and remedial
action, mechanism of loan pricing and creation of
independent set up for credit risk management and
audit and loan review mechanism in line with RBI
guidelines.

26
 Organisational Structure

For the successful implementation of effective

credit administration and risk management
systems, a sound organisational structure should
be created by each bank. The Board of Directors
should have the overall responsibility for
management of credit and other risks. The CRMC
of the Board should be responsible for the
implementation of the credit risk policy/strategy
decided upon by the

27
 Board of Directors. The CRMD of the CRMC
should be independent of the CAD. Banks should
also have an independent setup to perform
functions like risk rating of borrowers,
monitoring/review of loan and for credit risk audit.

28
 Risk Rating Framework

Banks should evolve a comprehensive risk

scoring/rating framework to serve as a single point
indicator of diverse risk factors of
borrowers/counterparties. The risk rating structure
should serve the following purposes: taking credit
decisions, pricing of loans, mitigation of risk, nature of
facilitating delegation of loaning power, selective
monitoring, ensuring quality, migration of credit,
management of credit risk and identification of thrust
areas.

29
A well-structured credit rating framework should be
developed by using a number of operational
parameters, financial ratios, collaterals, qualitative
aspects of management and industry characteristics.
The scores allotted to each parameter may depend
upon their risk predicting capacity. An illustrative list
of parameters has also been given.

30
 The risk rating framework for larger, medium and
small enterprises and traders may vary. Normally,
it should have nine grades of which, the first five
may represent acceptable credit while the
remaining four may represent unacceptable
credit. It should have some minimum cut-off score
below which no credit proposal should be
entertained. For any relaxation, there should be
clear guidelines in the loan policy, especially
indicating the authority who can permit such
relaxation.

31
 The rating exercise should be undertaken
normally, at quarterly intervals or at least on a half
yearly basis, to assess the migration in the credit
quality.

Credit risk in non-fund based businesses should

be assessed on the same lines as the
assessment of fund-based business. Financial
guarantees should be evaluated in the same
manner as term loans.

32
 Banks should put in place a risk-based internal
audit system. They should determine the scope of
such audit for low, medium, high and extremely
high-risk areas. The minimum coverage of the
audit report should, inter alia, include, reliability of
process of identification/ management of various
risk areas, gaps in control mechanism, verification
of compliance of policies/procedures, examination
of effectiveness of control system,
assessment of integrity/ reliability of data and
its timely preparation, position by

33
budgetary control/performance review, verification
of asset-related transactions, monitoring
compliances with risk-based internal audit reports
and so on.­· The parameters used by banks in
designing a scoring/rating system fall into four
broad categories: operational/ financial
performance of the unit; bank accounts and
securities available; business/industry outlook;
and promoters/management.

34
 Operational Financial
Performance
The important parameters generally used by
banks under the head operational/financial
performance include plant capacity, break-even
point, sales/profit trend/projections, profit margin,
ROCE, DER, DSCR, ratio of sales to working
capital/assets, inventory turnover, average
collection/payment period and so on.

35
 Bank Accounts and Securities
Available

The important parameters relevant to bank accounts

and securities available are: regularity in the conduct
of accounts, compliance with the terms of sanction of
loan, annual review/renewal of loan facility,
submission of data, nature/volume of security, validity
of charge, transparency/disclosure in accounts,
diversion of funds, unauthorised withdrawal of funds,
utilisation of loans, auditors’ comment on
quality/valuation of assets and so on.

36
 Business Industry Outlook

The business and industry outlook would be

reflected in factors such as competition,
technology, market demand and growth potential,
quality of products, exports-potential, import
barriers, foreign exchange component, volatility of
prices of the product, and so on.

37
 Promoters/Management

The major components of promoters/

management assessment are ownership pattern
of the unit, qualifications, integrity/commitment/
sincerity, market reputation/credibility, financial
strength, functioning/support of other group
companies, turnover of top management,
succession plan and so on.

38
 Operational Risk

Management of operational risk means the identification

assessment and/or measurement, monitoring and
control/mitigation of the risk. Operational risk is the risk of loss
resulting form inadequate or failed processes, people and
systems or from external events/factors. The operational risks
events having the potential to result in substantial losses
include (i) internal frauds, (ii) external fraud, (iii) employment
practices and workplace safety, (iv) clients, products and
business practices, (v) damage to physical assets, (vi)
business disruptions and system failure and (vii) execution,
delivery and process management.

39
The main elements of the RBI Guidelines Notes on
management of operational risk are: (a)
organisational setup and key responsibilities, (b)
policy requirements, (c) identification and
assessment of operational risk, (d) monitoring of risk,
(e) control/mitigation of risk, (f) independent
evaluation and (g) capital allocation.

40
 Organisational Set-up

The Board of Directors/senior management should

promote an organisational culture for management of
operational risk in terms of corporate values,
attitudes, competencies and behaviour that
determine a bank’s commitment to and style of
operational risk management; clear lines of
responsibility and segregation of duties; effective
internal reporting and contingency

41
planning.The organisational setup for operational risk
management should include the Board
ofDirectors, Risk Management Committee of the
Board, Operational Risk Management Committee,
Operational Risk Management Department,
Operational Risk Managers and Support Groups for
Operational Risk Management.

42
 Policy Requirement

The operational risk management framework

provides the strategic direction to ensure that an
effective process is adopted throughout the bank.
The policies/procedures should clearly describe the
major elements of the framework including identifying
assessing, monitoring and controlling/mitigating risk.

43
 Identification/Assessment Risk

There is need to adopt specific structures and processes for

managing operational risk. Inadequate internal controls can
lead to significant loses for banks. The major control break-
downs may be (1) lack of control culture, (2) inadequate
recognition and assessment of risk of certain activities, (3)
absence of key control structure and activities, (4) inadequate
communication and (5) inadequate/ ineffective
audit/monitoring programmes. The guiding principles for banks
to manage operational risk are identification, assessment,
measurement, monitoring and control of these risks.

44
 Monitoring

An effective monitoring process is essential for

adequately managing operational risk. Banks should
identify appropriate indicators that provide early
warning of an increased risk of future losses. The
elements of the monitoring mechanism should be (1)
management information system, (2) business line
identification, and (3) operational risk loss events.

45
 Risk Mitigation

Risk management is the process of mitigating risks

faced by a bank. Several methods may be adopted
for mitigating the operational risk, such as, insurance
for natural disasters, back up facilities for business
disruption and strong internal auditing procedures for
loss due to internal factors. A system of effective
internal control is a critical component of operational
risk management. Banks should have
policies,

46
processes and procedures to control and/or mitigate
material operational risks. They should
periodically review their risk limitation and control
strategies and adjust their operational risk profiles
accordingly, using appropriate strategies in the light
of their overall risk appetite and profile.

47
 Independent Valuation

Internal audit is part of the ongoing monitoring of the bank’s

system of internal control as it provides an independent
assessment of the adequacy of, and compliance with, the
bank’s establishment policies and procedures. Banks should
have in place adequate internal audit coverage to verify that
operating policies and procedures have been implemented
effectively. The Board of Directors should ensure that the
scope and frequency of the audit programme is appropriate to
the risk exposures.

48
 Capital Allocation

There are three approaches for calculating operational

risk capital charges: (1) Basic Indicator Approach, (2)
Standard Approach, and (3) Advanced Measurement
Approach. The RBI has proposed that all banks in India
should, to begin with, adopt the Basic Indicator Approach.
Under this approach, banks have to hold capital for
operational risk equal to a fixed percentage (alpha) of a
single indicator, that is, gross income. The charge may be
expressed as follows:

49
 [KBIA = {(SGia)}/n]
Where
KBIA = Capital charge under the Basic Indicator
Approach
GI = Gross income over the previous three year
a = 15%
n = number of 3 years

50
 Street Testing

Stress testing is used to evaluate the potential

vulnerability to some unlikely but plausible
events/movements in financial variables and the
assessment of their impact on the financial position
of a bank. There are two broad categories of stress
tests, namely, sensitivity tests and scenario tests.
The sensitivity tests are normally used to assess the
impact of change in one variable, say, a large
movement in the equity

51
index, on the financial position of the bank. The
scenario tests include simultaneous moves in a
number of variables such as equity prices, oil prices,
interest rates and so on. The historical scenario is
based on a single event experienced in the past, for
instance, a stock market crash. The hypothetical
scenario is based on a plausible market event that
has yet not happened, for example, sudden severe
economic downturn.

52
The major elements of the RBI guidelines on stress
testing are (1) utility, (2) framework requirements, (3)
identification of risks, (4) stress scenarios/levels, (5)
frequency of testing, and (6) remedial action.

53
 Utility

The stress testing framework performs the dual role

of being a diagnostic tool for improving a bank’s
understanding of its risk profile, for assessing the
adequacy of internal capital, for supplementing the
internal capital models and for improving a forward
looking element in the capital assessment process.

54
 Framework

The stress testing framework should satisfy the following

essential requirements: (1) the frequency and procedure for
identifying the principal risk factors, methodology for
constructing stress tests, monitoring, remedial action and so
on, (2) active involvement of the senior management in the
process, (3) regular review of the results of scenario analysis
and stress tests, (4) calibration of the framework according to
the complexity of business activities, (5) freedom to banks to
choose the various assumptions underlying the stress tests
and, (6) use of appropriate, accurate and complete data.

55
 Risk Identificaiton

Banks should identify all the risks to which they are

exposed to with regard to their specific
circumstances and portfolio such as market risks,
credit risks, operational risks and liquidity risk and so
on.

56
 Stress Scenarios

Banks should stress the relevant parameters at least

at three levels of increasing adversity: (a) minor, (b)
medium and (c) major with reference to the normal
situation and estimate the financial resources needed
by it under each of the circumstances to meet the (i)
risks as it arises, (ii) liabilities as they fall due and (iii)
meet the minimum CRAR requirements.

57
 Frequency

Banks may apply stress tests at various frequencies

dictated by their respective business requirements,
relevance and cost, for instance, daily, weekly,
monthly, quarterly and so on.

58
 Remedial Action

The remedial action that banks may consider may

include reduction of risk limits, reduction of risk by
enhancing collateral requirements, amend pricing
policies, augment capital levels and enhance sources
of funding.

59
Thank You!!!
60