| Risk Management is a hot topic in the financial sector | | | | components, which are the necessary foundation for |
| especially in the light of the recent losses of some | | | | an effective internal control system, include: |
| multinational corporations e.g. collapses of Britain's | | | | I. Control Environment, |
| Barings Bank, WorldCom and also due to the incident | | | | Control environment, an intangible factor and the first |
| of 9/11. Rapid changes in business condition, | | | | of the five components, is the foundation for all |
| restructuring of organizations to cope with ever | | | | other components of internal control, providing |
| increasing competition, development of new | | | | discipline and structure and encompassing both |
| products, emerging markets and increase in cross | | | | technical competence and ethical commitment. |
| border transactions along with complexity of | | | | II. Risk Assessments, |
| transactions has exposed Financial Institutions to new | | | | Organizations exist to achieve some purpose or goal. |
| risks dimensions. Thus the concept of risk has | | | | Goals, because they tend to be broad, are usually |
| captured a growing importance in modern financial | | | | divided into specific targets known as objectives. A |
| society. | | | | risk is anything that endangers the achievement of |
| By facilitating transactions and making credit and | | | | an objective. Risk assessments is done to determine |
| other financial products available, the financial sector is | | | | the relative potential for loss in programs and |
| a crucial building block for private as well as public | | | | functions and to design the most cost-effective and |
| sector development. In its broadest definition, it | | | | productive internal controls. |
| includes everything from banks, stock exchanges, | | | | III. Control Activities, |
| and insurers, to credit unions, microfinance institutions | | | | Control activities mean the structure, policies, and |
| and moneylenders. As an efficient service provider, | | | | procedures, which an organization establishes so that |
| the financial sector simultaneously fulfils an important | | | | identified risks do not prevent the organization from |
| function in the overall economy. Various types of | | | | reaching its objectives. |
| Financial Institutions actively working in Financial | | | | Policies, procedures, and other items like job |
| Sectors include Banks, DFIs, Micro Finance Banks, | | | | descriptions, organizational charts and supervisory |
| Leasing Companies, Modarabas, Assets Management | | | | standards, do not, of course, exist only for internal |
| Company, Mutual Funds, etc. | | | | control purposes. These activities are basic |
| Thus today's operating environment demands | | | | management practices. |
| systematic and more integrated risk management | | | | IV. Information and Communication, and |
| approach. | | | | Organizations must be able to obtain reliable |
| Risk: | | | | information to determine their risks and communicate |
| Risk by default has tow components; uncertainty and | | | | policies and other information to those who need it. |
| exposure. If both are not present, there is no risk. | | | | Information and communication, the fourth |
| Definition of Risk as per Guidelines on Risk | | | | component of internal control, articulates this factor. |
| Management issued by State Bank of Pakistan is, | | | | V. Monitoring |
| "Financial risk in a banking organization is possibility | | | | Life is change; internal controls are no exception. |
| that the outcome of an action or event could bring | | | | Satisfactory internal controls can become obsolete |
| up adverse impacts. Such outcomes could either | | | | through changes in external circumstances. |
| result in a direct loss of earnings / capital or may | | | | Therefore, after risks are identified, policies and |
| result in imposition of constraints on bank's ability to | | | | procedures put into place, and information on control |
| meet its business objectives. Such constraints pose a | | | | activities communicated to staff, superiors must then |
| risk as these could hinder a bank's ability to conduct | | | | implement the fifth component of internal control, |
| its ongoing business or to take benefit of | | | | monitoring. |
| opportunities to enhance its business." | | | | Even the best internal control plan will be unsuccessful |
| Types of Risks: | | | | if it is not followed. Monitoring allows the |
| Risks are usually defined by the adverse impact on | | | | management to identify whether controls are being |
| profitability of several distinct sources of uncertainty. | | | | followed before problems occur. In the same way, |
| More or less all financial institutions have to manage | | | | management must review weaknesses identified by |
| the following faces of risks: | | | | audits to determine whether related internal controls |
| 1. Credit Risk | | | | need revision. |
| 2. Market Risk | | | | Tools for Monitoring of Risk |
| 3. Liquidity Risk | | | | Management Information System |
| 4. Operational Risk | | | | M.I.S or Management Information System is the |
| 5. Country Risk | | | | collection and analysis of data in order to support |
| 6. Legal Risks | | | | management's decision with respect to the |
| 7. Compliance Risk | | | | achievement of objectives mentioned in the policies |
| 8. Reputational Risk | | | | and procedures and the control of various risks |
| Broadly speaking there are four risks as per Risk | | | | therein. |
| Management Guidelines which surround Financial | | | | It is this area i.e. M.I.S, where I.T can play a vital and |
| Sector i.e. Credit Risk, Market Risk, Liquidity Risk and | | | | effective role as with the help of I.T large |
| Operational Risk. These risk are elaborated here | | | | information may be analyzed efficiently and with |
| under:i. Credit Risk | | | | accuracy, so that effective decision may be taken |
| This is the risk incurred in case of a counter-party | | | | by the management without the loss of any time. |
| default. It arises from lending activities, investing | | | | Asset-Liability Management Committee (ALCO) |
| activities and from buying and selling financial assets | | | | In most cases, day-to-day risk assessment and |
| on behalf of others. This risk is associated with | | | | management is assigned to a specialized committee, |
| financing transactions i.e.:a. Default in repayment by | | | | such as an Asset-Liability Management Committee |
| the borrower andb. Default in obliging the | | | | (ALCO). Duties pertaining to key elements of the risk |
| commitment by another Financial Institution in case of | | | | management process should be adequately |
| syndicated arrangements. | | | | separated to avoid potential conflicts of interest - in |
| It is the most critical risk in banking and one that | | | | other words, a financial institution's risk monitoring and |
| must be managed carefully. It is also the risk that | | | | control functions should be sufficiently independent |
| requires the most subjective judgment despite | | | | from its risk-taking functions. Larger or more complex |
| constant efforts to improve and quantify the credit | | | | institutions often have a designated, independent unit |
| decision process.ii. Market Risk | | | | responsible for the design and administration of |
| Market risk is defined as the volatility of income or | | | | balance sheet management, including interest rate |
| market value due to fluctuations in underlying market | | | | risk. Given today's widespread innovation in banking |
| factors such as currency, interest rates, or credit | | | | and the dynamics of markets, banks should identify |
| spreads. For commercial banks, the market risk of | | | | any risks inherent in a new product or service before |
| the stable liquidity investment portfolio arises from | | | | it is introduced, and ensure that these risks are |
| mismatches between the risk profile of the assets | | | | promptly considered in the assessment and |
| and their funding. This risk involves interest rate risk | | | | management process. |
| in all of its components: equity risk, exchange risk and | | | | Corporate Governance Principles |
| commodity risk.iii. Liquidity Risk | | | | Corporate governance relates to the manner in which |
| The liquidity risk is defined as the risk of not being | | | | the business of the organization is governed, including |
| able to meet its commitments or not being able to | | | | setting corporate objectives and a institution's risk |
| unwind or offset a position by an organization in a | | | | profile, aligning corporate activities and behaviors with |
| timely fashion because it cannot liquidate assets at | | | | the expectation that the management will operate in |
| reasonable prices when required.iv. Operational Risk | | | | a safe and sound manner, running day-to-day |
| This risk results from inadequacies in the conception, | | | | operations within an established risk profile, while |
| organization, or implementation of procedures for | | | | protecting the interests of depositors and other |
| recording any events concerning bank's operations in | | | | stakeholders. It is defined by a set of relationships |
| the accounting system/information systems. | | | | between the institution's management, its board, its |
| Need for Risk Management and Monitoring: | | | | shareholders, and other stakeholders. |
| There are a number of reasons as to why there is | | | | The key elements of sound corporate governance in |
| so much emphasis given to Risk Management in | | | | a bank include:a) A well-articulated corporate strategy |
| Financial Sector now a day. Some of them are listed | | | | against which the overall success and the contribution |
| below: - | | | | of individuals can be measured.b) Setting and |
| 1. Present structure of joint stock companies, | | | | enforcing clear assignment of responsibilities, |
| wherein owners are not the mangers, hence risks | | | | decision-making authority and accountabilities that are |
| increase; therefore proper tools are required to | | | | appropriate for the bank's risk profile.c) A strong |
| achieve the desired results by covering the risks. | | | | financial risk management function (independent of |
| 2. The financial sector has come out of simple | | | | business lines), adequate internal control systems |
| deposit and lending function. | | | | (including internal and external audit functions), and |
| 3. The world has become very complex so the | | | | functional process design with the necessary checks |
| financial transactions and instruments. | | | | and balances.d) Corporate values, codes of conduct |
| 4. Increase in the number of cross border | | | | and other standards of appropriate behavior, and |
| transactions which caries its own risks. | | | | effective systems used to ensure compliance. This |
| 5. Emerging markets | | | | includes special monitoring of a bank's risk exposures |
| 6. Terrorism Remittances | | | | where conflicts of interest are expected to appear |
| Risk monitoring in financial sector is very crucial and | | | | (e.g., relationships with affiliated parties).e) Financial |
| an inevitable part of risk management. Risk Monitoring | | | | and managerial incentives to act in an appropriate |
| is important in the financial sector due to the | | | | manner offered to the board, management and |
| following reasons: | | | | employees, including compensation, promotion and |
| 1. Deals in others' money | | | | penalties. (i.e., compensation should be consistent with |
| 2. Direct stake of deposit holder. | | | | the bank's objectives, performance, and ethical |
| 3. Much riskier sector than trading and manufacturing. | | | | values).f) Transparency and appropriate information |
| 4. Previous / Recent problems faced by banks i.e. | | | | flows internally and to the public. |
| stuck portfolio that is credit risk. | | | | Tools mentioned above can be utilized in identifying |
| 5. Bankruptcy of Barings Bank due to short selling / | | | | and managing different risks in the following manner: |
| long position that is market risk. | | | | I. Credit Risk |
| 6. Operational risk does not has immediate impact, | | | | It is managed by setting prudent limits for exposures |
| but important for continuity and progress of | | | | to individual transaction, counterparties and portfolios. |
| organization. | | | | Credits limits are set by reference to credit rating |
| 7. Appetite of a financial institution to take risk is | | | | established by Credit Rating Agencies, methodologies |
| related with the capital base of the institute so it | | | | established by Regulators and as per Board's |
| caries a huge risk of over exposure. | | | | direction.o Monitoring of per party exposureo |
| Components of Risk Management Frame Work | | | | Monitoring of group exposureo Monitoring of bank's |
| Risk Management Frame Work has five components. | | | | exposure in contingent liabilitieso Bank's exposure in |
| First of all risk is Identified, then it is Assessed to | | | | clean facilitieso Analysis of bank's exposure product |
| classify, seek solution and management, after | | | | wiseo Analysis of concentration of bank's exposure in |
| assessing quick Response and implementation of | | | | various segments of economyo Product profitability |
| solution and the last phase is Monitoring of the risk | | | | reports |
| management progress and Learning from this | | | | II. Market |
| experience that such problem never occur again. | | | | Financial Institutions should also have an adequate |
| Whole process is to be well Communicated during the | | | | system of internal controls to oversee the interest |
| entire process of risk management if it is to be | | | | rate risk management process. A fundamental |
| managed efficiently. | | | | component of such a system is a regular, |
| The International Organization for Standardization | | | | independent review and evaluation to ensure the |
| (ISO) has defined risk management as the | | | | system's effectiveness and, when appropriate, to |
| identification, analysis, evaluation, treatment (control), | | | | recommend revisions or enhancements. |
| monitoring, review and communication of risk. These | | | | Interest rate risk should be monitored on a |
| activities can be applied in a systematic or ad hoc | | | | consolidated basis, including the exposure of |
| manner. The presumption is that systematic | | | | subsidiaries. The institution's board of directors has |
| application of these activities will result in improved | | | | ultimate responsibility for the management of interest |
| decision-making and, most likely, improved outcomes. | | | | rate risk. The board approves the business strategies |
| Structure of Risk Management | | | | that determine the degree of exposure to risk and |
| Depending upon the structure and operations of | | | | provides guidance on the level of interest rate risk |
| organization, financial risk management can be | | | | that is acceptable to the institution, on the policies |
| implemented in different ways. Risk management | | | | that limit risk exposure, and on the procedures, lines |
| structure defines the different layers of an | | | | of authority, and accountability related to risk |
| organization at which risk is identified and managed. | | | | management. The board also should systematically |
| Although there are different layers or level at which | | | | review risk, in such a way as to fully understand the |
| risk is managed but there are three layers which are | | | | level of risk exposure and to assess the performance |
| common to all. i.e. | | | | of management in monitoring and controlling risks in |
| Risk Management | | | | compliance with board policies. Reports to senior |
| For managing risk there are certain basic principles | | | | management should provide aggregate information |
| which are to be followed by every organization: | | | | and a sufficient level of supporting detail to facilitate |
| 1. Corporate level Policies | | | | a meaningful evaluation of the level of risk, the |
| 2. Risk management strategy | | | | sensitivity of the bank to changing market conditions, |
| 3. Well-defined policies and procedures by senior | | | | and other relevant factors. |
| management | | | | The Asset and Liability Committee (ALCO) plays a |
| 4. Dissemination, implementation and compliance of | | | | key role in the oversight and coordinated |
| policies and procedures | | | | management of market risk. ALCOs meet monthly. |
| 5. Accountability of individuals heading various | | | | Investment mandates and risk limits are reviewed on |
| functions/ business lines | | | | a regular basis, usually annually to ensure that they |
| 6. Independent Risk review function | | | | remain valid. |
| 7. Contingency plans | | | | Risk Management and Risk Budgets |
| 8. Tools to monitor risks | | | | A risk budget establishes the tolerance of the board |
| Institutions can reduce some risks simply by | | | | or its delegates to income or capital loss due to |
| researching them. A bank can reduce its credit risk | | | | market risk over a given horizon, typically one year |
| by getting to know its borrowers. A brokerage firm | | | | because of the accounting cycle. (Institutions that are |
| can reduce market risk by being knowledgeable | | | | not sensitive to annual income requirements may |
| about the markets it operates in. | | | | have a longer horizon, which would also allow for a |
| Functionally, there are four aspects of financial risk | | | | greater degree of freedom in portfolio management.). |
| management. Success depends upon | | | | Once an annual risk budget has been established, a |
| A. A positive corporate culture, | | | | system of risk limits needs to be put in place to |
| No one can manage risk if they are not prepared to | | | | guard against actual or potential losses exceeding the |
| take risk. While individual initiative is critical, it is the | | | | risk budget. There are two types of risk limits, and |
| corporate culture which facilitates the process. A | | | | both are necessary to constrain losses to within the |
| positive risk culture is one which promotes individual | | | | prescribed level (the risk budget). |
| responsibility and is supportive of risk taking. | | | | The first type is stop-loss limits, which control |
| B. Actively observed policies and procedures | | | | cumulative losses from the mark-to-market of |
| Used correctly, procedures are powerful tool of risk | | | | existing positions relative to the benchmark. The |
| management. The purpose of policies and procedures | | | | second is position limits, which control potential losses |
| is to empower people. They specify how people can | | | | that could arise from future adverse changes in |
| accomplish what needs to be done. The success of | | | | market prices. Stop-loss limits are set relative to the |
| policies and procedures depends critically upon a | | | | overall risk budget. The allocation of the risk budget |
| positive risk culture. | | | | to different types of risk is as much an art as it is a |
| C. Effective use of technology | | | | science, and the methodology used will depend on |
| The primary role technology plays in risk | | | | the set-up of the individual investment process. Some |
| management is risk assessment and communication. | | | | of the questions that affect the risk allocation include |
| Technology is employed to quantify or otherwise | | | | the following: |
| summarize risks as they are being taken. It then | | | | * What are the significant market risks of the |
| communicates this information to decision makers, as | | | | portfolio? |
| appropriate. | | | | * What is the correlation among these risks? |
| D. Independence or risk management professionals | | | | * How many risk takers are there? |
| To get the desired outcome from risk management, | | | | * How is the risk expected to be used over the |
| risk managers must be independent of risk taking | | | | course of a year? |
| functions within the organization. Enron's experience | | | | Compliance with stop-loss limits requires frequent, if |
| with risk management is instructive. The firm | | | | not daily, performance measurement. Performance is |
| maintained a risk management function staffed with | | | | the total return of the portfolio less the total return |
| capable employees. Lines of reporting were | | | | of the benchmark. The measurement of |
| reasonably independent in theory, but less so in | | | | performance is a critical statistic for monitoring the |
| practice. | | | | usage of the risk budget and compliance with |
| Internal Controls | | | | stop-loss limits. Position limits also are set relative to |
| Para one on first page of the 'Guidelines on Internal | | | | the overall risk budget, and are subject to the same |
| Controls' issued by SBP provides: | | | | considerations discussed above. The function of |
| "Internal Control refers to policies, plans and | | | | position limits, however, is to constrain potential |
| processes as affected by the Board of Directors and | | | | losses from future adverse changes in prices or |
| performed on continuous basis by the senior | | | | yields. |
| management and all levels of employees within the | | | | III. Liquidity Risk |
| bank. These internal controls are used to provide | | | | The Basel Committee has established certain |
| reasonable assurance regarding the achievement of | | | | quantitative standards for internal models when they |
| organizational objectives. The system of internal | | | | are used in the capital adequacy context.a. Allocation |
| controls includes financial, operational and compliance | | | | of capital into various types of business after taking |
| controls." | | | | into account the operational risks i.e. disruption of |
| The current official definition of internal control was | | | | business activity, which has especially increased due |
| developed by the Committee of Sponsoring | | | | to excessive EDP usageb. Allocation of the capital is |
| Organization (COSO) of the Treadway Commission. | | | | also made amongst various products i.e. long term, |
| In its influential report, Internal Control - Integrated | | | | short term, consumer, corporate etc. considering the |
| Framework, the Commission defines internal control | | | | risks involved in each product and its life cycle to |
| as follows: | | | | avoid any liquidity crunch for which gap analysis is |
| "Internal control is a process, effected by an entity's | | | | made. This is the job of ALCOc. For instance |
| Board of Directors, management and other personnel, | | | | Contingent liabilities not more than 10 times of |
| designed to provide reasonable assurance regarding | | | | capital,d. Fund based not more than 6 times of |
| the achievement of objectives in the following | | | | capitale. Capital market operations not more than 1 |
| categories: | | | | time of capitalf. However these limits cannot exceed |
| Effectiveness and efficiency of operations. | | | | the regulations.g. Parameters of controlso Regulatory |
| Reliability of financial reporting. | | | | Requirementso Board's directionso Prudent practices |
| Compliance with applicable laws and | | | | For liquidity management organizations are compelled |
| regulations. | | | | to hold reserves for unexpected liquidity demands. |
| This definition reflects certain fundamental concepts: | | | | The ALCO has responsibility for setting and |
| Internal control is a process. It is a means | | | | monitoring liquidity risk limits. These limits are set by |
| to an end, not an end in itself. | | | | Regulatory Bodies and under Board's directions |
| Internal control is effected by people. It is | | | | keeping in mind the market condition and past |
| not policy manuals and forms, but people at every | | | | experience. |
| level of an organization. | | | | The Basel Accord comprises a definition of regulatory |
| Internal control can be expected to | | | | capital, measures of risk exposure, and rules |
| provide only reasonable assurance, not absolute | | | | specifying the level of capital to be maintained in |
| assurance, to an entity's management and board. | | | | relation to these risks. It introduced a de facto capital |
| Internal control should assist and never impede | | | | adequacy standard, based on the risk-weighted |
| management and staff from achieving their | | | | composition of a bank's assets and off-balance-sheet |
| objectives. Control must be taken seriously. A | | | | exposures that ensures that an adequate amount of |
| well-designed system of internal control is worse than | | | | capital and reserves is maintained to safeguard |
| worthless unless it is complied with, since the | | | | solvency. The 1988 Basel Accord primarily addressed |
| assemblance of control will be likely to convey a false | | | | banking in the sense of deposit taking and lending |
| sense of assurance. Controls are there to be kept, | | | | (commercial banking under US law), so its focus was |
| not avoided. For instance, exception reports should | | | | credit risk. |
| be followed up. Senior management should set a | | | | In the early 1990s, the Basel Committee decided to |
| good example about control compliance. For instance, | | | | update the 1988 accord to include bank capital |
| physical access restrictions to secure areas should be | | | | requirements for market risk. This would have |
| observed equally by senior management as by junior | | | | implications for non-bank securities firms. |
| personnel. | | | | Thus, the formula for determining capital adequacy |
| Components of Internal Controls | | | | can be illustrated as follows: |
| Components of internal control also depend upon the | | | | = Tier I + Tier 2 + Tier 3 *- 8% . |
| structure of the business unit and nature of its | | | | Risk-weighted Assets + (Market Risk Capital Charge |
| operation. The COSO Report describes the internal | | | | x 12.5) |
| control process as consisting of five interrelated | | | | IV. Operational Risk |
| components that are derived from and integrated | | | | To manage this risk documented policies and |
| with the management process. The components are | | | | procedures are established. In addition, regular training |
| interrelated, which means that each component | | | | is provided to ensure that staffs are well aware of |
| affects and is affected by the other four. These five | | | | organization's objective, statutory requirements. |