| Risk Management is a hot topic in the financial sector | | | | objective. Risk assessments is done to determine the |
| especially in the light of the recent losses of some | | | | relative potential for loss in programs and functions |
| multinational corporations e.g. collapses of Britain's | | | | and to design the most cost-effective and |
| Barings Bank, WorldCom and also due to the incident | | | | productive internal controls.III. Control |
| of 9/11. Rapid changes in business condition, | | | | Activities,Control activities mean the structure, |
| restructuring of organizations to cope with ever | | | | policies, and procedures, which an organization |
| increasing competition, development of new | | | | establishes so that identified risks do not prevent the |
| products, emerging markets and increase in cross | | | | organization from reaching its objectives. |
| border transactions along with complexity of | | | | Policies, procedures, and other items like job |
| transactions has exposed Financial Institutions to new | | | | descriptions, organizational charts and supervisory |
| risks dimensions. Thus the concept of risk has | | | | standards, do not, of course, exist only for internal |
| captured a growing importance in modern financial | | | | control purposes. These activities are basic |
| society.By facilitating transactions and making credit | | | | management practices.IV. Information and |
| and other financial products available, the financial | | | | Communication, andOrganizations must be able to |
| sector is a crucial building block for private as well as | | | | obtain reliable information to determine their risks and |
| public sector development. In its broadest definition, it | | | | communicate policies and other information to those |
| includes everything from banks, stock exchanges, | | | | who need it. Information and communication, the |
| and insurers, to credit unions, microfinance institutions | | | | fourth component of internal control, articulates this |
| and moneylenders. As an efficient service provider, | | | | factor.V. MonitoringLife is change; internal controls are |
| the financial sector simultaneously fulfils an important | | | | no exception. Satisfactory internal controls can |
| function in the overall economy. Various types of | | | | become obsolete through changes in external |
| Financial Institutions actively working in Financial | | | | circumstances. Therefore, after risks are identified, |
| Sectors include Banks, DFIs, Micro Finance Banks, | | | | policies and procedures put into place, and information |
| Leasing Companies, Modarabas, Assets Management | | | | on control activities communicated to staff, superiors |
| Company, Mutual Funds, etc.Thus today's operating | | | | must then implement the fifth component of internal |
| environment demands systematic and more | | | | control, monitoring.Even the best internal control plan |
| integrated risk management approach.Risk:Risk by | | | | will be unsuccessful if it is not followed. Monitoring |
| default has tow components; uncertainty and | | | | allows the management to identify whether controls |
| exposure. If both are not present, there is no risk. | | | | are being followed before problems occur. In the |
| Definition of Risk as per Guidelines on Risk | | | | same way, management must review weaknesses |
| Management issued by State Bank of Pakistan is, | | | | identified by audits to determine whether related |
| "Financial risk in a banking organization is possibility | | | | internal controls need revision.Tools for Monitoring of |
| that the outcome of an action or event could bring | | | | RiskManagement Information SystemM.I.S or |
| up adverse impacts. Such outcomes could either | | | | Management Information System is the collection and |
| result in a direct loss of earnings / capital or may | | | | analysis of data in order to support management's |
| result in imposition of constraints on bank's ability to | | | | decision with respect to the achievement of |
| meet its business objectives. Such constraints pose a | | | | objectives mentioned in the policies and procedures |
| risk as these could hinder a bank's ability to conduct | | | | and the control of various risks therein.It is this area |
| its ongoing business or to take benefit of | | | | i.e. M.I.S, where I.T can play a vital and effective role |
| opportunities to enhance its business."Types of | | | | as with the help of I.T large information may be |
| Risks:Risks are usually defined by the adverse impact | | | | analyzed efficiently and with accuracy, so that |
| on profitability of several distinct sources of | | | | effective decision may be taken by the management |
| uncertainty. More or less all financial institutions have | | | | without the loss of any time.Asset-Liability |
| to manage the following faces of risks:1. Credit Risk | | | | Management Committee (ALCO)In most cases, |
| 2. Market Risk | | | | day-to-day risk assessment and management is |
| 3. Liquidity Risk | | | | assigned to a specialized committee, such as an |
| 4. Operational Risk | | | | Asset-Liability Management Committee (ALCO). |
| 5. Country Risk | | | | Duties pertaining to key elements of the risk |
| 6. Legal Risks | | | | management process should be adequately |
| 7. Compliance Risk | | | | separated to avoid potential conflicts of interest - in |
| 8. Reputational RiskBroadly speaking there are four | | | | other words, a financial institution's risk monitoring and |
| risks as per Risk Management Guidelines which | | | | control functions should be sufficiently independent |
| surround Financial Sector i.e. Credit Risk, Market Risk, | | | | from its risk-taking functions. Larger or more complex |
| Liquidity Risk and Operational Risk. These risk are | | | | institutions often have a designated, independent unit |
| elaborated here under:i. Credit RiskThis is the risk | | | | responsible for the design and administration of |
| incurred in case of a counter-party default. It arises | | | | balance sheet management, including interest rate |
| from lending activities, investing activities and from | | | | risk. Given today's widespread innovation in banking |
| buying and selling financial assets on behalf of others. | | | | and the dynamics of markets, banks should identify |
| This risk is associated with financing transactions i.e.:a. | | | | any risks inherent in a new product or service before |
| Default in repayment by the borrower and | | | | it is introduced, and ensure that these risks are |
| b. Default in obliging the commitment by another | | | | promptly considered in the assessment and |
| Financial Institution in case of syndicated | | | | management process.Corporate Governance |
| arrangements.It is the most critical risk in banking and | | | | PrinciplesCorporate governance relates to the manner |
| one that must be managed carefully. It is also the | | | | in which the business of the organization is governed, |
| risk that requires the most subjective judgment | | | | including setting corporate objectives and a |
| despite constant efforts to improve and quantify the | | | | institution's risk profile, aligning corporate activities and |
| credit decision process.ii. Market RiskMarket risk is | | | | behaviors with the expectation that the management |
| defined as the volatility of income or market value | | | | will operate in a safe and sound manner, running |
| due to fluctuations in underlying market factors such | | | | day-to-day operations within an established risk |
| as currency, interest rates, or credit spreads. For | | | | profile, while protecting the interests of depositors |
| commercial banks, the market risk of the stable | | | | and other stakeholders. It is defined by a set of |
| liquidity investment portfolio arises from mismatches | | | | relationships between the institution's management, |
| between the risk profile of the assets and their | | | | its board, its shareholders, and other |
| funding. This risk involves interest rate risk in all of its | | | | stakeholders.The key elements of sound corporate |
| components: equity risk, exchange risk and | | | | governance in a bank include:a) A well-articulated |
| commodity risk.iii. Liquidity RiskThe liquidity risk is | | | | corporate strategy against which the overall success |
| defined as the risk of not being able to meet its | | | | and the contribution of individuals can be measured.b) |
| commitments or not being able to unwind or offset a | | | | Setting and enforcing clear assignment of |
| position by an organization in a timely fashion because | | | | responsibilities, decision-making authority and |
| it cannot liquidate assets at reasonable prices when | | | | accountabilities that are appropriate for the bank's |
| required.iv. Operational RiskThis risk results from | | | | risk profile.c) A strong financial risk management |
| inadequacies in the conception, organization, or | | | | function (independent of business lines), adequate |
| implementation of procedures for recording any | | | | internal control systems (including internal and external |
| events concerning bank's operations in the accounting | | | | audit functions), and functional process design with |
| system/information systems.Need for Risk | | | | the necessary checks and balances.d) Corporate |
| Management and Monitoring:There are a number of | | | | values, codes of conduct and other standards of |
| reasons as to why there is so much emphasis given | | | | appropriate behavior, and effective systems used to |
| to Risk Management in Financial Sector now a day. | | | | ensure compliance. This includes special monitoring of |
| Some of them are listed below: -1. Present structure | | | | a bank's risk exposures where conflicts of interest |
| of joint stock companies, wherein owners are not | | | | are expected to appear (e.g., relationships with |
| the mangers, hence risks increase; therefore proper | | | | affiliated parties).e) Financial and managerial incentives |
| tools are required to achieve the desired results by | | | | to act in an appropriate manner offered to the |
| covering the risks. | | | | board, management and employees, including |
| 2. The financial sector has come out of simple | | | | compensation, promotion and penalties. (i.e., |
| deposit and lending function. | | | | compensation should be consistent with the bank's |
| 3. The world has become very complex so the | | | | objectives, performance, and ethical values).f) |
| financial transactions and instruments. | | | | Transparency and appropriate information flows |
| 4. Increase in the number of cross border | | | | internally and to the public.Tools mentioned above can |
| transactions which caries its own risks. | | | | be utilized in identifying and managing different risks in |
| 5. Emerging markets | | | | the following manner:I. Credit RiskIt is managed by |
| 6. Terrorism RemittancesRisk monitoring in financial | | | | setting prudent limits for exposures to individual |
| sector is very crucial and an inevitable part of risk | | | | transaction, counterparties and portfolios. Credits |
| management. Risk Monitoring is important in the | | | | limits are set by reference to credit rating established |
| financial sector due to the following reasons:1. Deals in | | | | by Credit Rating Agencies, methodologies established |
| others' money | | | | by Regulators and as per Board's direction.- Monitoring |
| 2. Direct stake of deposit holder. | | | | of per party exposure |
| 3. Much riskier sector than trading and manufacturing. | | | | - Monitoring of group exposure |
| 4. Previous / Recent problems faced by banks i.e. | | | | - Monitoring of bank's exposure in contingent liabilities |
| stuck portfolio that is credit risk. | | | | - Bank's exposure in clean facilities |
| 5. Bankruptcy of Barings Bank due to short selling / | | | | - Analysis of bank's exposure product wise |
| long position that is market risk. | | | | - Analysis of concentration of bank's exposure in |
| 6. Operational risk does not has immediate impact, | | | | various segments of economy |
| but important for continuity and progress of | | | | - Product profitability reportsII. MarketFinancial |
| organization. | | | | Institutions should also have an adequate system of |
| 7. Appetite of a financial institution to take risk is | | | | internal controls to oversee the interest rate risk |
| related with the capital base of the institute so it | | | | management process. A fundamental component of |
| caries a huge risk of over exposure.Components of | | | | such a system is a regular, independent review and |
| Risk Management Frame WorkRisk Management | | | | evaluation to ensure the system's effectiveness and, |
| Frame Work has five components. First of all risk is | | | | when appropriate, to recommend revisions or |
| Identified, then it is Assessed to classify, seek | | | | enhancements.Interest rate risk should be monitored |
| solution and management, after assessing quick | | | | on a consolidated basis, including the exposure of |
| Response and implementation of solution and the last | | | | subsidiaries. The institution's board of directors has |
| phase is Monitoring of the risk management progress | | | | ultimate responsibility for the management of interest |
| and Learning from this experience that such problem | | | | rate risk. The board approves the business strategies |
| never occur again. Whole process is to be well | | | | that determine the degree of exposure to risk and |
| Communicated during the entire process of risk | | | | provides guidance on the level of interest rate risk |
| management if it is to be managed efficiently.The | | | | that is acceptable to the institution, on the policies |
| International Organization for Standardization (ISO) | | | | that limit risk exposure, and on the procedures, lines |
| has defined risk management as the identification, | | | | of authority, and accountability related to risk |
| analysis, evaluation, treatment (control), monitoring, | | | | management. The board also should systematically |
| review and communication of risk. These activities | | | | review risk, in such a way as to fully understand the |
| can be applied in a systematic or ad hoc manner. The | | | | level of risk exposure and to assess the performance |
| presumption is that systematic application of these | | | | of management in monitoring and controlling risks in |
| activities will result in improved decision-making and, | | | | compliance with board policies. Reports to senior |
| most likely, improved outcomes.Structure of Risk | | | | management should provide aggregate information |
| ManagementDepending upon the structure and | | | | and a sufficient level of supporting detail to facilitate |
| operations of organization, financial risk management | | | | a meaningful evaluation of the level of risk, the |
| can be implemented in different ways. Risk | | | | sensitivity of the bank to changing market conditions, |
| management structure defines the different layers of | | | | and other relevant factors.The Asset and Liability |
| an organization at which risk is identified and | | | | Committee (ALCO) plays a key role in the oversight |
| managed. Although there are different layers or level | | | | and coordinated management of market risk. ALCOs |
| at which risk is managed but there are three layers | | | | meet monthly. Investment mandates and risk limits |
| which are common to all. i.e.Risk ManagementFor | | | | are reviewed on a regular basis, usually annually to |
| managing risk there are certain basic principles which | | | | ensure that they remain valid.Risk Management and |
| are to be followed by every organization:1. Corporate | | | | Risk BudgetsA risk budget establishes the tolerance |
| level Policies | | | | of the board or its delegates to income or capital loss |
| 2. Risk management strategy | | | | due to market risk over a given horizon, typically one |
| 3. Well-defined policies and procedures by senior | | | | year because of the accounting cycle. (Institutions |
| management | | | | that are not sensitive to annual income requirements |
| 4. Dissemination, implementation and compliance of | | | | may have a longer horizon, which would also allow for |
| policies and procedures | | | | a greater degree of freedom in portfolio |
| 5. Accountability of individuals heading various | | | | management.). Once an annual risk budget has been |
| functions/ business lines | | | | established, a system of risk limits needs to be put in |
| 6. Independent Risk review function | | | | place to guard against actual or potential losses |
| 7. Contingency plans | | | | exceeding the risk budget. There are two types of |
| 8. Tools to monitor risksInstitutions can reduce some | | | | risk limits, and both are necessary to constrain losses |
| risks simply by researching them. A bank can reduce | | | | to within the prescribed level (the risk budget).The |
| its credit risk by getting to know its borrowers. A | | | | first type is stop-loss limits, which control cumulative |
| brokerage firm can reduce market risk by being | | | | losses from the mark-to-market of existing positions |
| knowledgeable about the markets it operates | | | | relative to the benchmark. The second is position |
| in.Functionally, there are four aspects of financial risk | | | | limits, which control potential losses that could arise |
| management. Success depends uponA. A positive | | | | from future adverse changes in market prices. |
| corporate culture,No one can manage risk if they are | | | | Stop-loss limits are set relative to the overall risk |
| not prepared to take risk. While individual initiative is | | | | budget. The allocation of the risk budget to different |
| critical, it is the corporate culture which facilitates the | | | | types of risk is as much an art as it is a science, and |
| process. A positive risk culture is one which promotes | | | | the methodology used will depend on the set-up of |
| individual responsibility and is supportive of risk | | | | the individual investment process. Some of the |
| taking.B. Actively observed policies and | | | | questions that affect the risk allocation include the |
| proceduresUsed correctly, procedures are powerful | | | | following:* What are the significant market risks of |
| tool of risk management. The purpose of policies and | | | | the portfolio? |
| procedures is to empower people. They specify how | | | | * What is the correlation among these risks? |
| people can accomplish what needs to be done. The | | | | * How many risk takers are there? |
| success of policies and procedures depends critically | | | | * How is the risk expected to be used over the |
| upon a positive risk culture.C. Effective use of | | | | course of a year?Compliance with stop-loss limits |
| technologyThe primary role technology plays in risk | | | | requires frequent, if not daily, performance |
| management is risk assessment and communication. | | | | measurement. Performance is the total return of the |
| Technology is employed to quantify or otherwise | | | | portfolio less the total return of the benchmark. The |
| summarize risks as they are being taken. It then | | | | measurement of performance is a critical statistic for |
| communicates this information to decision makers, as | | | | monitoring the usage of the risk budget and |
| appropriate.D. Independence or risk management | | | | compliance with stop-loss limits. Position limits also are |
| professionalsTo get the desired outcome from risk | | | | set relative to the overall risk budget, and are |
| management, risk managers must be independent of | | | | subject to the same considerations discussed above. |
| risk taking functions within the organization. Enron's | | | | The function of position limits, however, is to |
| experience with risk management is instructive. The | | | | constrain potential losses from future adverse |
| firm maintained a risk management function staffed | | | | changes in prices or yields.III. Liquidity RiskThe Basel |
| with capable employees. Lines of reporting were | | | | Committee has established certain quantitative |
| reasonably independent in theory, but less so in | | | | standards for internal models when they are used in |
| practice.Internal ControlsPara one on first page of the | | | | the capital adequacy context.a. Allocation of capital |
| 'Guidelines on Internal Controls' issued by SBP | | | | into various types of business after taking into |
| provides:"Internal Control refers to policies, plans and | | | | account the operational risks i.e. disruption of business |
| processes as affected by the Board of Directors and | | | | activity, which has especially increased due to |
| performed on continuous basis by the senior | | | | excessive EDP usage |
| management and all levels of employees within the | | | | b. Allocation of the capital is also made amongst |
| bank. These internal controls are used to provide | | | | various products i.e. long term, short term, consumer, |
| reasonable assurance regarding the achievement of | | | | corporate etc. considering the risks involved in each |
| organizational objectives. The system of internal | | | | product and its life cycle to avoid any liquidity crunch |
| controls includes financial, operational and compliance | | | | for which gap analysis is made. This is the job of |
| controls."The current official definition of internal | | | | ALCO |
| control was developed by the Committee of | | | | c. For instance Contingent liabilities not more than 10 |
| Sponsoring Organization (COSO) of the Treadway | | | | times of capital, |
| Commission. In its influential report, Internal Control - | | | | d. Fund based not more than 6 times of capital |
| Integrated Framework, the Commission defines | | | | e. Capital market operations not more than 1 time of |
| internal control as follows:"Internal control is a | | | | capital |
| process, effected by an entity's Board of Directors, | | | | f. However these limits cannot exceed the |
| management and other personnel, designed to | | | | regulations. |
| provide reasonable assurance regarding the | | | | g. Parameters of controls |
| achievement of objectives in the following | | | | - Regulatory Requirements |
| categories: Effectiveness and efficiency of | | | | - Board's directions |
| operations. | | | | - Prudent practicesFor liquidity management |
| Reliability of financial reporting. | | | | organizations are compelled to hold reserves for |
| Compliance with applicable laws and | | | | unexpected liquidity demands. The ALCO has |
| regulations.This definition reflects certain fundamental | | | | responsibility for setting and monitoring liquidity risk |
| concepts: Internal control is a process. It is | | | | limits. These limits are set by Regulatory Bodies and |
| a means to an end, not an end in itself. | | | | under Board's directions keeping in mind the market |
| Internal control is effected by people. It is | | | | condition and past experience.The Basel Accord |
| not policy manuals and forms, but people at every | | | | comprises a definition of regulatory capital, measures |
| level of an organization. | | | | of risk exposure, and rules specifying the level of |
| Internal control can be expected to | | | | capital to be maintained in relation to these risks. It |
| provide only reasonable assurance, not absolute | | | | introduced a de facto capital adequacy standard, |
| assurance, to an entity's management and | | | | based on the risk-weighted composition of a bank's |
| board.Internal control should assist and never impede | | | | assets and off-balance-sheet exposures that ensures |
| management and staff from achieving their | | | | that an adequate amount of capital and reserves is |
| objectives. Control must be taken seriously. A | | | | maintained to safeguard solvency. The 1988 Basel |
| well-designed system of internal control is worse than | | | | Accord primarily addressed banking in the sense of |
| worthless unless it is complied with, since the | | | | deposit taking and lending (commercial banking under |
| assemblance of control will be likely to convey a false | | | | US law), so its focus was credit risk.In the early |
| sense of assurance. Controls are there to be kept, | | | | 1990s, the Basel Committee decided to update the |
| not avoided. For instance, exception reports should | | | | 1988 accord to include bank capital requirements for |
| be followed up. Senior management should set a | | | | market risk. This would have implications for non-bank |
| good example about control compliance. For instance, | | | | securities firms.Thus, the formula for determining |
| physical access restrictions to secure areas should be | | | | capital adequacy can be illustrated as follows:= Tier I |
| observed equally by senior management as by junior | | | | + Tier 2 + Tier 3 *- 8% .Risk-weighted Assets + |
| personnel.Components of Internal | | | | (Market Risk Capital Charge x 12.5)IV. Operational |
| ControlsComponents of internal control also depend | | | | RiskTo manage this risk documented policies and |
| upon the structure of the business unit and nature of | | | | procedures are established. In addition, regular training |
| its operation. The COSO Report describes the internal | | | | is provided to ensure that staffs are well aware of |
| control process as consisting of five interrelated | | | | organization's objective, statutory requirements.- |
| components that are derived from and integrated | | | | Reporting of major/ unusual/ exceptional transactions |
| with the management process. The components are | | | | with respect to ensuring the compliance of the |
| interrelated, which means that each component | | | | principles of KYC and Anti-money laundering measure |
| affects and is affected by the other four. These five | | | | - Analysis of system problemsConclusionFor any |
| components, which are the necessary foundation for | | | | business to grow and stay in the market |
| an effective internal control system, include:I. Control | | | | management style is a key and Risk management is |
| Environment,Control environment, an intangible factor | | | | basically the management style of managing the |
| and the first of the five components, is the | | | | risks.It is so important and that State Bank of |
| foundation for all other components of internal | | | | Pakistan plans to replace Prudential Regulations with |
| control, providing discipline and structure and | | | | Risk management guidelines, which will be adopted by |
| encompassing both technical competence and ethical | | | | banks according to their size and complexity of |
| commitment.II. Risk Assessments,Organizations exist | | | | operations.Risk is inherent in every business and |
| to achieve some purpose or goal. Goals, because | | | | every organization has to manage it according to its |
| they tend to be broad, are usually divided into | | | | size and nature of operation because without it no |
| specific targets known as objectives. A risk is | | | | organization no organization can survive in long run. |
| anything that endangers the achievement of an | | | | |