Managing Risk in Financial Sector

Risk Management is a hot topic in the financial sectorobjective. Risk assessments is done to determine the
especially in the light of the recent losses of somerelative potential for loss in programs and functions
multinational corporations e.g. collapses of Britain'sand to design the most cost-effective and
Barings Bank, WorldCom and also due to the incidentproductive internal controls.III. Control
of 9/11. Rapid changes in business condition,Activities,Control activities mean the structure,
restructuring of organizations to cope with everpolicies, and procedures, which an organization
increasing competition, development of newestablishes so that identified risks do not prevent the
products, emerging markets and increase in crossorganization from reaching its objectives.
border transactions along with complexity ofPolicies, procedures, and other items like job
transactions has exposed Financial Institutions to newdescriptions, organizational charts and supervisory
risks dimensions. Thus the concept of risk hasstandards, do not, of course, exist only for internal
captured a growing importance in modern financialcontrol purposes. These activities are basic
society.By facilitating transactions and making creditmanagement practices.IV. Information and
and other financial products available, the financialCommunication, andOrganizations must be able to
sector is a crucial building block for private as well asobtain reliable information to determine their risks and
public sector development. In its broadest definition, itcommunicate policies and other information to those
includes everything from banks, stock exchanges,who need it. Information and communication, the
and insurers, to credit unions, microfinance institutionsfourth component of internal control, articulates this
and moneylenders. As an efficient service provider,factor.V. MonitoringLife is change; internal controls are
the financial sector simultaneously fulfils an importantno exception. Satisfactory internal controls can
function in the overall economy. Various types ofbecome obsolete through changes in external
Financial Institutions actively working in Financialcircumstances. Therefore, after risks are identified,
Sectors include Banks, DFIs, Micro Finance Banks,policies and procedures put into place, and information
Leasing Companies, Modarabas, Assets Managementon control activities communicated to staff, superiors
Company, Mutual Funds, etc.Thus today's operatingmust then implement the fifth component of internal
environment demands systematic and morecontrol, monitoring.Even the best internal control plan
integrated risk management approach.Risk:Risk bywill be unsuccessful if it is not followed. Monitoring
default has tow components; uncertainty andallows the management to identify whether controls
exposure. If both are not present, there is no risk.are being followed before problems occur. In the
Definition of Risk as per Guidelines on Risksame way, management must review weaknesses
Management issued by State Bank of Pakistan is,identified by audits to determine whether related
"Financial risk in a banking organization is possibilityinternal controls need revision.Tools for Monitoring of
that the outcome of an action or event could bringRiskManagement Information SystemM.I.S or
up adverse impacts. Such outcomes could eitherManagement Information System is the collection and
result in a direct loss of earnings / capital or mayanalysis of data in order to support management's
result in imposition of constraints on bank's ability todecision with respect to the achievement of
meet its business objectives. Such constraints pose aobjectives mentioned in the policies and procedures
risk as these could hinder a bank's ability to conductand the control of various risks therein.It is this area
its ongoing business or to take benefit ofi.e. M.I.S, where I.T can play a vital and effective role
opportunities to enhance its business."Types ofas with the help of I.T large information may be
Risks:Risks are usually defined by the adverse impactanalyzed efficiently and with accuracy, so that
on profitability of several distinct sources ofeffective decision may be taken by the management
uncertainty. More or less all financial institutions havewithout the loss of any time.Asset-Liability
to manage the following faces of risks:1. Credit RiskManagement Committee (ALCO)In most cases,
2. Market Riskday-to-day risk assessment and management is
3. Liquidity Riskassigned to a specialized committee, such as an
4. Operational RiskAsset-Liability Management Committee (ALCO).
5. Country RiskDuties pertaining to key elements of the risk
6. Legal Risksmanagement process should be adequately
7. Compliance Riskseparated to avoid potential conflicts of interest - in
8. Reputational RiskBroadly speaking there are fourother words, a financial institution's risk monitoring and
risks as per Risk Management Guidelines whichcontrol functions should be sufficiently independent
surround Financial Sector i.e. Credit Risk, Market Risk,from its risk-taking functions. Larger or more complex
Liquidity Risk and Operational Risk. These risk areinstitutions often have a designated, independent unit
elaborated here under:i. Credit RiskThis is the riskresponsible for the design and administration of
incurred in case of a counter-party default. It arisesbalance sheet management, including interest rate
from lending activities, investing activities and fromrisk. Given today's widespread innovation in banking
buying and selling financial assets on behalf of others.and the dynamics of markets, banks should identify
This risk is associated with financing transactions i.e.:a.any risks inherent in a new product or service before
Default in repayment by the borrower andit is introduced, and ensure that these risks are
b. Default in obliging the commitment by anotherpromptly considered in the assessment and
Financial Institution in case of syndicatedmanagement process.Corporate Governance
arrangements.It is the most critical risk in banking andPrinciplesCorporate governance relates to the manner
one that must be managed carefully. It is also thein which the business of the organization is governed,
risk that requires the most subjective judgmentincluding setting corporate objectives and a
despite constant efforts to improve and quantify theinstitution's risk profile, aligning corporate activities and
credit decision process.ii. Market RiskMarket risk isbehaviors with the expectation that the management
defined as the volatility of income or market valuewill operate in a safe and sound manner, running
due to fluctuations in underlying market factors suchday-to-day operations within an established risk
as currency, interest rates, or credit spreads. Forprofile, while protecting the interests of depositors
commercial banks, the market risk of the stableand other stakeholders. It is defined by a set of
liquidity investment portfolio arises from mismatchesrelationships between the institution's management,
between the risk profile of the assets and theirits board, its shareholders, and other
funding. This risk involves interest rate risk in all of itsstakeholders.The key elements of sound corporate
components: equity risk, exchange risk andgovernance in a bank include:a) A well-articulated
commodity risk.iii. Liquidity RiskThe liquidity risk iscorporate strategy against which the overall success
defined as the risk of not being able to meet itsand the contribution of individuals can be measured.b)
commitments or not being able to unwind or offset aSetting and enforcing clear assignment of
position by an organization in a timely fashion becauseresponsibilities, decision-making authority and
it cannot liquidate assets at reasonable prices whenaccountabilities that are appropriate for the bank's
required.iv. Operational RiskThis risk results fromrisk profile.c) A strong financial risk management
inadequacies in the conception, organization, orfunction (independent of business lines), adequate
implementation of procedures for recording anyinternal control systems (including internal and external
events concerning bank's operations in the accountingaudit functions), and functional process design with
system/information systems.Need for Riskthe necessary checks and balances.d) Corporate
Management and Monitoring:There are a number ofvalues, codes of conduct and other standards of
reasons as to why there is so much emphasis givenappropriate behavior, and effective systems used to
to Risk Management in Financial Sector now a day.ensure compliance. This includes special monitoring of
Some of them are listed below: -1. Present structurea bank's risk exposures where conflicts of interest
of joint stock companies, wherein owners are notare expected to appear (e.g., relationships with
the mangers, hence risks increase; therefore properaffiliated parties).e) Financial and managerial incentives
tools are required to achieve the desired results byto act in an appropriate manner offered to the
covering the risks.board, management and employees, including
2. The financial sector has come out of simplecompensation, promotion and penalties. (i.e.,
deposit and lending function.compensation should be consistent with the bank's
3. The world has become very complex so theobjectives, performance, and ethical values).f)
financial transactions and instruments.Transparency and appropriate information flows
4. Increase in the number of cross borderinternally and to the public.Tools mentioned above can
transactions which caries its own risks.be utilized in identifying and managing different risks in
5. Emerging marketsthe following manner:I. Credit RiskIt is managed by
6. Terrorism RemittancesRisk monitoring in financialsetting prudent limits for exposures to individual
sector is very crucial and an inevitable part of risktransaction, counterparties and portfolios. Credits
management. Risk Monitoring is important in thelimits are set by reference to credit rating established
financial sector due to the following reasons:1. Deals inby Credit Rating Agencies, methodologies established
others' moneyby Regulators and as per Board's direction.- Monitoring
2. Direct stake of deposit holder.of per party exposure
3. Much riskier sector than trading and manufacturing.- Monitoring of group exposure
4. Previous / Recent problems faced by banks i.e.- Monitoring of bank's exposure in contingent liabilities
stuck portfolio that is credit risk.- Bank's exposure in clean facilities
5. Bankruptcy of Barings Bank due to short selling /- Analysis of bank's exposure product wise
long position that is market risk.- Analysis of concentration of bank's exposure in
6. Operational risk does not has immediate impact,various segments of economy
but important for continuity and progress of- Product profitability reportsII. MarketFinancial
organization.Institutions should also have an adequate system of
7. Appetite of a financial institution to take risk isinternal controls to oversee the interest rate risk
related with the capital base of the institute so itmanagement process. A fundamental component of
caries a huge risk of over exposure.Components ofsuch a system is a regular, independent review and
Risk Management Frame WorkRisk Managementevaluation to ensure the system's effectiveness and,
Frame Work has five components. First of all risk iswhen appropriate, to recommend revisions or
Identified, then it is Assessed to classify, seekenhancements.Interest rate risk should be monitored
solution and management, after assessing quickon a consolidated basis, including the exposure of
Response and implementation of solution and the lastsubsidiaries. The institution's board of directors has
phase is Monitoring of the risk management progressultimate responsibility for the management of interest
and Learning from this experience that such problemrate risk. The board approves the business strategies
never occur again. Whole process is to be wellthat determine the degree of exposure to risk and
Communicated during the entire process of riskprovides guidance on the level of interest rate risk
management if it is to be managed efficiently.Thethat is acceptable to the institution, on the policies
International Organization for Standardization (ISO)that limit risk exposure, and on the procedures, lines
has defined risk management as the identification,of authority, and accountability related to risk
analysis, evaluation, treatment (control), monitoring,management. The board also should systematically
review and communication of risk. These activitiesreview risk, in such a way as to fully understand the
can be applied in a systematic or ad hoc manner. Thelevel of risk exposure and to assess the performance
presumption is that systematic application of theseof management in monitoring and controlling risks in
activities will result in improved decision-making and,compliance with board policies. Reports to senior
most likely, improved outcomes.Structure of Riskmanagement should provide aggregate information
ManagementDepending upon the structure andand a sufficient level of supporting detail to facilitate
operations of organization, financial risk managementa meaningful evaluation of the level of risk, the
can be implemented in different ways. Risksensitivity of the bank to changing market conditions,
management structure defines the different layers ofand other relevant factors.The Asset and Liability
an organization at which risk is identified andCommittee (ALCO) plays a key role in the oversight
managed. Although there are different layers or leveland coordinated management of market risk. ALCOs
at which risk is managed but there are three layersmeet monthly. Investment mandates and risk limits
which are common to all. i.e.Risk ManagementForare reviewed on a regular basis, usually annually to
managing risk there are certain basic principles whichensure that they remain valid.Risk Management and
are to be followed by every organization:1. CorporateRisk BudgetsA risk budget establishes the tolerance
level Policiesof the board or its delegates to income or capital loss
2. Risk management strategydue to market risk over a given horizon, typically one
3. Well-defined policies and procedures by senioryear because of the accounting cycle. (Institutions
managementthat are not sensitive to annual income requirements
4. Dissemination, implementation and compliance ofmay have a longer horizon, which would also allow for
policies and proceduresa greater degree of freedom in portfolio
5. Accountability of individuals heading variousmanagement.). Once an annual risk budget has been
functions/ business linesestablished, a system of risk limits needs to be put in
6. Independent Risk review functionplace to guard against actual or potential losses
7. Contingency plansexceeding the risk budget. There are two types of
8. Tools to monitor risksInstitutions can reduce somerisk limits, and both are necessary to constrain losses
risks simply by researching them. A bank can reduceto within the prescribed level (the risk budget).The
its credit risk by getting to know its borrowers. Afirst type is stop-loss limits, which control cumulative
brokerage firm can reduce market risk by beinglosses from the mark-to-market of existing positions
knowledgeable about the markets it operatesrelative to the benchmark. The second is position
in.Functionally, there are four aspects of financial risklimits, which control potential losses that could arise
management. Success depends uponA. A positivefrom future adverse changes in market prices.
corporate culture,No one can manage risk if they areStop-loss limits are set relative to the overall risk
not prepared to take risk. While individual initiative isbudget. The allocation of the risk budget to different
critical, it is the corporate culture which facilitates thetypes of risk is as much an art as it is a science, and
process. A positive risk culture is one which promotesthe methodology used will depend on the set-up of
individual responsibility and is supportive of riskthe individual investment process. Some of the
taking.B. Actively observed policies andquestions that affect the risk allocation include the
proceduresUsed correctly, procedures are powerfulfollowing:* What are the significant market risks of
tool of risk management. The purpose of policies andthe portfolio?
procedures is to empower people. They specify how* What is the correlation among these risks?
people can accomplish what needs to be done. The* How many risk takers are there?
success of policies and procedures depends critically* How is the risk expected to be used over the
upon a positive risk culture.C. Effective use ofcourse of a year?Compliance with stop-loss limits
technologyThe primary role technology plays in riskrequires frequent, if not daily, performance
management is risk assessment and communication.measurement. Performance is the total return of the
Technology is employed to quantify or otherwiseportfolio less the total return of the benchmark. The
summarize risks as they are being taken. It thenmeasurement of performance is a critical statistic for
communicates this information to decision makers, asmonitoring the usage of the risk budget and
appropriate.D. Independence or risk managementcompliance with stop-loss limits. Position limits also are
professionalsTo get the desired outcome from riskset relative to the overall risk budget, and are
management, risk managers must be independent ofsubject to the same considerations discussed above.
risk taking functions within the organization. Enron'sThe function of position limits, however, is to
experience with risk management is instructive. Theconstrain potential losses from future adverse
firm maintained a risk management function staffedchanges in prices or yields.III. Liquidity RiskThe Basel
with capable employees. Lines of reporting wereCommittee has established certain quantitative
reasonably independent in theory, but less so instandards for internal models when they are used in
practice.Internal ControlsPara one on first page of thethe capital adequacy context.a. Allocation of capital
'Guidelines on Internal Controls' issued by SBPinto various types of business after taking into
provides:"Internal Control refers to policies, plans andaccount the operational risks i.e. disruption of business
processes as affected by the Board of Directors andactivity, which has especially increased due to
performed on continuous basis by the seniorexcessive EDP usage
management and all levels of employees within theb. Allocation of the capital is also made amongst
bank. These internal controls are used to providevarious products i.e. long term, short term, consumer,
reasonable assurance regarding the achievement ofcorporate etc. considering the risks involved in each
organizational objectives. The system of internalproduct and its life cycle to avoid any liquidity crunch
controls includes financial, operational and compliancefor which gap analysis is made. This is the job of
controls."The current official definition of internalALCO
control was developed by the Committee ofc. For instance Contingent liabilities not more than 10
Sponsoring Organization (COSO) of the Treadwaytimes of capital,
Commission. In its influential report, Internal Control -d. Fund based not more than 6 times of capital
Integrated Framework, the Commission definese. Capital market operations not more than 1 time of
internal control as follows:"Internal control is acapital
process, effected by an entity's Board of Directors,f. However these limits cannot exceed the
management and other personnel, designed toregulations.
provide reasonable assurance regarding theg. Parameters of controls
achievement of objectives in the following- Regulatory Requirements
categories: Effectiveness and efficiency of- Board's directions
operations.- Prudent practicesFor liquidity management
 Reliability of financial reporting.organizations are compelled to hold reserves for
 Compliance with applicable laws andunexpected liquidity demands. The ALCO has
regulations.This definition reflects certain fundamentalresponsibility for setting and monitoring liquidity risk
concepts: Internal control is a process. It islimits. These limits are set by Regulatory Bodies and
a means to an end, not an end in itself.under Board's directions keeping in mind the market
 Internal control is effected by people. It iscondition and past experience.The Basel Accord
not policy manuals and forms, but people at everycomprises a definition of regulatory capital, measures
level of an organization.of risk exposure, and rules specifying the level of
 Internal control can be expected tocapital to be maintained in relation to these risks. It
provide only reasonable assurance, not absoluteintroduced a de facto capital adequacy standard,
assurance, to an entity's management andbased on the risk-weighted composition of a bank's
board.Internal control should assist and never impedeassets and off-balance-sheet exposures that ensures
management and staff from achieving theirthat an adequate amount of capital and reserves is
objectives. Control must be taken seriously. Amaintained to safeguard solvency. The 1988 Basel
well-designed system of internal control is worse thanAccord primarily addressed banking in the sense of
worthless unless it is complied with, since thedeposit taking and lending (commercial banking under
assemblance of control will be likely to convey a falseUS law), so its focus was credit risk.In the early
sense of assurance. Controls are there to be kept,1990s, the Basel Committee decided to update the
not avoided. For instance, exception reports should1988 accord to include bank capital requirements for
be followed up. Senior management should set amarket risk. This would have implications for non-bank
good example about control compliance. For instance,securities firms.Thus, the formula for determining
physical access restrictions to secure areas should becapital adequacy can be illustrated as follows:= Tier I
observed equally by senior management as by junior+ Tier 2 + Tier 3 *- 8% .Risk-weighted Assets +
personnel.Components of Internal(Market Risk Capital Charge x 12.5)IV. Operational
ControlsComponents of internal control also dependRiskTo manage this risk documented policies and
upon the structure of the business unit and nature ofprocedures are established. In addition, regular training
its operation. The COSO Report describes the internalis provided to ensure that staffs are well aware of
control process as consisting of five interrelatedorganization's objective, statutory requirements.-
components that are derived from and integratedReporting of major/ unusual/ exceptional transactions
with the management process. The components arewith respect to ensuring the compliance of the
interrelated, which means that each componentprinciples of KYC and Anti-money laundering measure
affects and is affected by the other four. These five- Analysis of system problemsConclusionFor any
components, which are the necessary foundation forbusiness to grow and stay in the market
an effective internal control system, include:I. Controlmanagement style is a key and Risk management is
Environment,Control environment, an intangible factorbasically the management style of managing the
and the first of the five components, is therisks.It is so important and that State Bank of
foundation for all other components of internalPakistan plans to replace Prudential Regulations with
control, providing discipline and structure andRisk management guidelines, which will be adopted by
encompassing both technical competence and ethicalbanks according to their size and complexity of
commitment.II. Risk Assessments,Organizations existoperations.Risk is inherent in every business and
to achieve some purpose or goal. Goals, becauseevery organization has to manage it according to its
they tend to be broad, are usually divided intosize and nature of operation because without it no
specific targets known as objectives. A risk isorganization no organization can survive in long run.
anything that endangers the achievement of an