| Risk Management is a hot topic in the | | | | the achievement of an objective. Risk |
| financial sector especially in the light of | | | | assessments is done to determine the relative |
| the recent losses of some multinational | | | | potential for loss in programs and functions |
| corporations e.g. collapses of Britain's | | | | and to design the most cost-effective and |
| Barings Bank, WorldCom and also due to the | | | | productive internal controls.III. Control |
| incident of 9/11. Rapid changes in business | | | | Activities,Control activities mean the |
| condition, restructuring of organizations to | | | | structure, policies, and procedures, which an |
| cope with ever increasing competition, | | | | organization establishes so that identified |
| development of new products, emerging markets | | | | risks do not prevent the organization from |
| and increase in cross border transactions | | | | reaching its objectives. |
| along with complexity of transactions has | | | | |
| exposed Financial Institutions to new risks | | | | Policies, procedures, and other items like |
| dimensions. Thus the concept of risk has | | | | job descriptions, organizational charts and |
| captured a growing importance in modern | | | | supervisory standards, do not, of course, |
| financial society.By facilitating | | | | exist only for internal control purposes. |
| transactions and making credit and other | | | | These activities are basic management |
| financial products available, the financial | | | | practices.IV. Information and Communication, |
| sector is a crucial building block for | | | | andOrganizations must be able to obtain |
| private as well as public sector development. | | | | reliable information to determine their risks |
| In its broadest definition, it includes | | | | and communicate policies and other |
| everything from banks, stock exchanges, and | | | | information to those who need it. Information |
| insurers, to credit unions, microfinance | | | | and communication, the fourth component of |
| institutions and moneylenders. As an | | | | internal control, articulates this |
| efficient service provider, the financial | | | | factor.V. MonitoringLife is change; internal |
| sector simultaneously fulfils an important | | | | controls are no exception. Satisfactory |
| function in the overall economy. Various | | | | internal controls can become obsolete through |
| types of Financial Institutions actively | | | | changes in external circumstances. Therefore, |
| working in Financial Sectors include Banks, | | | | after risks are identified, policies and |
| DFIs, Micro Finance Banks, Leasing Companies, | | | | procedures put into place, and information on |
| Modarabas, Assets Management Company, Mutual | | | | control activities communicated to staff, |
| Funds, etc.Thus today's operating environment | | | | superiors must then implement the fifth |
| demands systematic and more integrated risk | | | | component of internal control, |
| management approach.Risk:Risk by default has | | | | monitoring.Even the best internal control |
| tow components; uncertainty and exposure. If | | | | plan will be unsuccessful if it is not |
| both are not present, there is no risk. | | | | followed. Monitoring allows the management to |
| Definition of Risk as per Guidelines on Risk | | | | identify whether controls are being followed |
| Management issued by State Bank of Pakistan | | | | before problems occur. In the same way, |
| is, "Financial risk in a banking organization | | | | management must review weaknesses identified |
| is possibility that the outcome of an action | | | | by audits to determine whether related |
| or event could bring up adverse impacts. Such | | | | internal controls need revision.Tools for |
| outcomes could either result in a direct loss | | | | Monitoring of RiskManagement Information |
| of earnings / capital or may result in | | | | SystemM.I.S or Management Information System |
| imposition of constraints on bank's ability | | | | is the collection and analysis of data in |
| to meet its business objectives. Such | | | | order to support management's decision with |
| constraints pose a risk as these could hinder | | | | respect to the achievement of objectives |
| a bank's ability to conduct its ongoing | | | | mentioned in the policies and procedures and |
| business or to take benefit of opportunities | | | | the control of various risks therein.It is |
| to enhance its business."Types of Risks:Risks | | | | this area i.e. M.I.S, where I.T can play a |
| are usually defined by the adverse impact on | | | | vital and effective role as with the help of |
| profitability of several distinct sources of | | | | I.T large information may be analyzed |
| uncertainty. More or less all financial | | | | efficiently and with accuracy, so that |
| institutions have to manage the following | | | | effective decision may be taken by the |
| faces of risks:1. Credit Risk | | | | management without the loss of any |
| | | | time.Asset-Liability Management Committee |
| 2. Market Risk | | | | (ALCO)In most cases, day-to-day risk |
| | | | assessment and management is assigned to a |
| 3. Liquidity Risk | | | | specialized committee, such as an |
| | | | Asset-Liability Management Committee (ALCO). |
| 4. Operational Risk | | | | Duties pertaining to key elements of the risk |
| | | | management process should be adequately |
| 5. Country Risk | | | | separated to avoid potential conflicts of |
| | | | interest - in other words, a financial |
| 6. Legal Risks | | | | institution's risk monitoring and control |
| | | | functions should be sufficiently independent |
| 7. Compliance Risk | | | | from its risk-taking functions. Larger or |
| | | | more complex institutions often have a |
| 8. Reputational RiskBroadly speaking there | | | | designated, independent unit responsible for |
| are four risks as per Risk Management | | | | the design and administration of balance |
| Guidelines which surround Financial Sector | | | | sheet management, including interest rate |
| i.e. Credit Risk, Market Risk, Liquidity Risk | | | | risk. Given today's widespread innovation in |
| and Operational Risk. These risk are | | | | banking and the dynamics of markets, banks |
| elaborated here under:i. Credit RiskThis is | | | | should identify any risks inherent in a new |
| the risk incurred in case of a counter-party | | | | product or service before it is introduced, |
| default. It arises from lending activities, | | | | and ensure that these risks are promptly |
| investing activities and from buying and | | | | considered in the assessment and management |
| selling financial assets on behalf of others. | | | | process.Corporate Governance |
| This risk is associated with financing | | | | PrinciplesCorporate governance relates to the |
| transactions i.e.:a. Default in repayment by | | | | manner in which the business of the |
| the borrower and | | | | organization is governed, including setting |
| | | | corporate objectives and a institution's risk |
| b. Default in obliging the commitment by | | | | profile, aligning corporate activities and |
| another Financial Institution in case of | | | | behaviors with the expectation that the |
| syndicated arrangements.It is the most | | | | management will operate in a safe and sound |
| critical risk in banking and one that must be | | | | manner, running day-to-day operations within |
| managed carefully. It is also the risk that | | | | an established risk profile, while protecting |
| requires the most subjective judgment despite | | | | the interests of depositors and other |
| constant efforts to improve and quantify the | | | | stakeholders. It is defined by a set of |
| credit decision process.ii. Market RiskMarket | | | | relationships between the institution's |
| risk is defined as the volatility of income | | | | management, its board, its shareholders, and |
| or market value due to fluctuations in | | | | other stakeholders.The key elements of sound |
| underlying market factors such as currency, | | | | corporate governance in a bank include:a) A |
| interest rates, or credit spreads. For | | | | well-articulated corporate strategy against |
| commercial banks, the market risk of the | | | | which the overall success and the |
| stable liquidity investment portfolio arises | | | | contribution of individuals can be |
| from mismatches between the risk profile of | | | | measured.b) Setting and enforcing clear |
| the assets and their funding. This risk | | | | assignment of responsibilities, |
| involves interest rate risk in all of its | | | | decision-making authority and |
| components: equity risk, exchange risk and | | | | accountabilities that are appropriate for the |
| commodity risk.iii. Liquidity RiskThe | | | | bank's risk profile.c) A strong financial |
| liquidity risk is defined as the risk of not | | | | risk management function (independent of |
| being able to meet its commitments or not | | | | business lines), adequate internal control |
| being able to unwind or offset a position by | | | | systems (including internal and external |
| an organization in a timely fashion because | | | | audit functions), and functional process |
| it cannot liquidate assets at reasonable | | | | design with the necessary checks and |
| prices when required.iv. Operational RiskThis | | | | balances.d) Corporate values, codes of |
| risk results from inadequacies in the | | | | conduct and other standards of appropriate |
| conception, organization, or implementation | | | | behavior, and effective systems used to |
| of procedures for recording any events | | | | ensure compliance. This includes special |
| concerning bank's operations in the | | | | monitoring of a bank's risk exposures where |
| accounting system/information systems.Need | | | | conflicts of interest are expected to appear |
| for Risk Management and Monitoring:There are | | | | (e.g., relationships with affiliated |
| a number of reasons as to why there is so | | | | parties).e) Financial and managerial |
| much emphasis given to Risk Management in | | | | incentives to act in an appropriate manner |
| Financial Sector now a day. Some of them are | | | | offered to the board, management and |
| listed below: -1. Present structure of joint | | | | employees, including compensation, promotion |
| stock companies, wherein owners are not the | | | | and penalties. (i.e., compensation should be |
| mangers, hence risks increase; therefore | | | | consistent with the bank's objectives, |
| proper tools are required to achieve the | | | | performance, and ethical values).f) |
| desired results by covering the risks. | | | | Transparency and appropriate information |
| | | | flows internally and to the public.Tools |
| 2. The financial sector has come out of | | | | mentioned above can be utilized in |
| simple deposit and lending function. | | | | identifying and managing different risks in |
| | | | the following manner:I. Credit RiskIt is |
| 3. The world has become very complex so the | | | | managed by setting prudent limits for |
| financial transactions and instruments. | | | | exposures to individual transaction, |
| | | | counterparties and portfolios. Credits limits |
| 4. Increase in the number of cross border | | | | are set by reference to credit rating |
| transactions which caries its own risks. | | | | established by Credit Rating Agencies, |
| | | | methodologies established by Regulators and |
| 5. Emerging markets | | | | as per Board's direction.- Monitoring of per |
| | | | party exposure |
| 6. Terrorism RemittancesRisk monitoring in | | | | |
| financial sector is very crucial and an | | | | - Monitoring of group exposure |
| inevitable part of risk management. Risk | | | | |
| Monitoring is important in the financial | | | | - Monitoring of bank's exposure in |
| sector due to the following reasons:1. Deals | | | | contingent liabilities |
| in others' money | | | | |
| | | | - Bank's exposure in clean facilities |
| 2. Direct stake of deposit holder. | | | | |
| | | | - Analysis of bank's exposure product wise |
| 3. Much riskier sector than trading and | | | | |
| manufacturing. | | | | - Analysis of concentration of bank's |
| | | | exposure in various segments of economy |
| 4. Previous / Recent problems faced by banks | | | | |
| i.e. stuck portfolio that is credit risk. | | | | - Product profitability |
| | | | reportsII. MarketFinancial Institutions |
| 5. Bankruptcy of Barings Bank due to short | | | | should also have an adequate system of |
| selling / long position that is market risk. | | | | internal controls to oversee the interest |
| | | | rate risk management process. A fundamental |
| 6. Operational risk does not has immediate | | | | component of such a system is a regular, |
| impact, but important for continuity and | | | | independent review and evaluation to ensure |
| progress of organization. | | | | the system's effectiveness and, when |
| | | | appropriate, to recommend revisions or |
| 7. Appetite of a financial institution to | | | | enhancements.Interest rate risk should be |
| take risk is related with the capital base of | | | | monitored on a consolidated basis, including |
| the institute so it caries a huge risk of | | | | the exposure of subsidiaries. The |
| over exposure.Components of Risk Management | | | | institution's board of directors has ultimate |
| Frame WorkRisk Management Frame Work has five | | | | responsibility for the management of interest |
| components. First of all risk is Identified, | | | | rate risk. The board approves the business |
| then it is Assessed to classify, seek | | | | strategies that determine the degree of |
| solution and management, after assessing | | | | exposure to risk and provides guidance on the |
| quick Response and implementation of solution | | | | level of interest rate risk that is |
| and the last phase is Monitoring of the risk | | | | acceptable to the institution, on the |
| management progress and Learning from this | | | | policies that limit risk exposure, and on the |
| experience that such problem never occur | | | | procedures, lines of authority, and |
| again. Whole process is to be well | | | | accountability related to risk management. |
| Communicated during the entire process of | | | | The board also should systematically review |
| risk management if it is to be managed | | | | risk, in such a way as to fully understand |
| efficiently.The International Organization | | | | the level of risk exposure and to assess the |
| for Standardization (ISO) has defined risk | | | | performance of management in monitoring and |
| management as the identification, analysis, | | | | controlling risks in compliance with board |
| evaluation, treatment (control), monitoring, | | | | policies. Reports to senior management should |
| review and communication of risk. These | | | | provide aggregate information and a |
| activities can be applied in a systematic or | | | | sufficient level of supporting detail to |
| ad hoc manner. The presumption is that | | | | facilitate a meaningful evaluation of the |
| systematic application of these activities | | | | level of risk, the sensitivity of the bank to |
| will result in improved decision-making and, | | | | changing market conditions, and other |
| most likely, improved outcomes.Structure of | | | | relevant factors.The Asset and Liability |
| Risk ManagementDepending upon the structure | | | | Committee (ALCO) plays a key role in the |
| and operations of organization, financial | | | | oversight and coordinated management of |
| risk management can be implemented in | | | | market risk. ALCOs meet monthly. Investment |
| different ways. Risk management structure | | | | mandates and risk limits are reviewed on a |
| defines the different layers of an | | | | regular basis, usually annually to ensure |
| organization at which risk is identified and | | | | that they remain valid.Risk Management and |
| managed. Although there are different layers | | | | Risk BudgetsA risk budget establishes the |
| or level at which risk is managed but there | | | | tolerance of the board or its delegates to |
| are three layers which are common to all. | | | | income or capital loss due to market risk |
| i.e.Risk ManagementFor managing risk there | | | | over a given horizon, typically one year |
| are certain basic principles which are to be | | | | because of the accounting cycle. |
| followed by every organization:1. Corporate | | | | (Institutions that are not sensitive to |
| level Policies | | | | annual income requirements may have a longer |
| | | | horizon, which would also allow for a greater |
| 2. Risk management strategy | | | | degree of freedom in portfolio management.). |
| | | | Once an annual risk budget has been |
| 3. Well-defined policies and procedures by | | | | established, a system of risk limits needs to |
| senior management | | | | be put in place to guard against actual or |
| | | | potential losses exceeding the risk budget. |
| 4. Dissemination, implementation and | | | | There are two types of risk limits, and both |
| compliance of policies and procedures | | | | are necessary to constrain losses to within |
| | | | the prescribed level (the risk budget).The |
| 5. Accountability of individuals heading | | | | first type is stop-loss limits, which control |
| various functions/ business lines | | | | cumulative losses from the mark-to-market of |
| | | | existing positions relative to the benchmark. |
| 6. Independent Risk review function | | | | The second is position limits, which control |
| | | | potential losses that could arise from future |
| 7. Contingency plans | | | | adverse changes in market prices. Stop-loss |
| | | | limits are set relative to the overall risk |
| 8. Tools to monitor risksInstitutions can | | | | budget. The allocation of the risk budget to |
| reduce some risks simply by researching them. | | | | different types of risk is as much an art as |
| A bank can reduce its credit risk by getting | | | | it is a science, and the methodology used |
| to know its borrowers. A brokerage firm can | | | | will depend on the set-up of the individual |
| reduce market risk by being knowledgeable | | | | investment process. Some of the questions |
| about the markets it operates | | | | that affect the risk allocation include the |
| in.Functionally, there are four aspects of | | | | following:* What are the significant market |
| financial risk management. Success depends | | | | risks of the portfolio? |
| uponA. A positive corporate culture,No one | | | | |
| can manage risk if they are not prepared to | | | | * What is the correlation among these risks? |
| take risk. While individual initiative is | | | | |
| critical, it is the corporate culture which | | | | * How many risk takers are there? |
| facilitates the process. A positive risk | | | | |
| culture is one which promotes individual | | | | * How is the risk expected to be used over |
| responsibility and is supportive of risk | | | | the course of a year?Compliance with |
| taking.B. Actively observed policies and | | | | stop-loss limits requires frequent, if not |
| proceduresUsed correctly, procedures are | | | | daily, performance measurement. Performance |
| powerful tool of risk management. The purpose | | | | is the total return of the portfolio less the |
| of policies and procedures is to empower | | | | total return of the benchmark. The |
| people. They specify how people can | | | | measurement of performance is a critical |
| accomplish what needs to be done. The success | | | | statistic for monitoring the usage of the |
| of policies and procedures depends critically | | | | risk budget and compliance with stop-loss |
| upon a positive risk culture.C. Effective use | | | | limits. Position limits also are set relative |
| of technologyThe primary role technology | | | | to the overall risk budget, and are subject |
| plays in risk management is risk assessment | | | | to the same considerations discussed above. |
| and communication. Technology is employed to | | | | The function of position limits, however, is |
| quantify or otherwise summarize risks as they | | | | to constrain potential losses from future |
| are being taken. It then communicates this | | | | adverse changes in prices or |
| information to decision makers, as | | | | yields.III. Liquidity RiskThe Basel Committee |
| appropriate.D. Independence or risk | | | | has established certain quantitative |
| management professionalsTo get the desired | | | | standards for internal models when they are |
| outcome from risk management, risk managers | | | | used in the capital adequacy |
| must be independent of risk taking functions | | | | context.a. Allocation of capital into various |
| within the organization. Enron's experience | | | | types of business after taking into account |
| with risk management is instructive. The firm | | | | the operational risks i.e. disruption of |
| maintained a risk management function staffed | | | | business activity, which has especially |
| with capable employees. Lines of reporting | | | | increased due to excessive EDP usage |
| were reasonably independent in theory, but | | | | |
| less so in practice.Internal ControlsPara one | | | | b. Allocation of the capital is also made |
| on first page of the 'Guidelines on Internal | | | | amongst various products i.e. long term, |
| Controls' issued by SBP provides:"Internal | | | | short term, consumer, corporate etc. |
| Control refers to policies, plans and | | | | considering the risks involved in each |
| processes as affected by the Board of | | | | product and its life cycle to avoid any |
| Directors and performed on continuous basis | | | | liquidity crunch for which gap analysis is |
| by the senior management and all levels of | | | | made. This is the job of ALCO |
| employees within the bank. These internal | | | | |
| controls are used to provide reasonable | | | | c. For instance Contingent liabilities not |
| assurance regarding the achievement of | | | | more than 10 times of capital, |
| organizational objectives. The system of | | | | |
| internal controls includes financial, | | | | d. Fund based not more than 6 times of |
| operational and compliance controls."The | | | | capital |
| current official definition of internal | | | | |
| control was developed by the Committee of | | | | e. Capital market operations not more than 1 |
| Sponsoring Organization (COSO) of the | | | | time of capital |
| Treadway Commission. In its influential | | | | |
| report, Internal Control - Integrated | | | | f. However these limits cannot exceed the |
| Framework, the Commission defines internal | | | | regulations. |
| control as follows:"Internal control is a | | | | |
| process, effected by an entity's Board of | | | | g. Parameters of controls |
| Directors, management and other personnel, | | | | |
| designed to provide reasonable assurance | | | | - Regulatory Requirements |
| regarding the achievement of objectives in | | | | |
| the following | | | | - Board's directions |
| categories: Effectiveness and | | | | |
| efficiency of operations. | | | | - Prudent practicesFor liquidity management |
| | | | organizations are compelled to hold reserves |
| Reliability of financial reporting. | | | | for unexpected liquidity demands. The ALCO |
| | | | has responsibility for setting and monitoring |
| Compliance with applicable laws and | | | | liquidity risk limits. These limits are set |
| regulations.This definition reflects certain | | | | by Regulatory Bodies and under Board's |
| fundamental concepts: Internal | | | | directions keeping in mind the market |
| control is a process. It is a means to an | | | | condition and past experience.The Basel |
| end, not an end in itself. | | | | Accord comprises a definition of regulatory |
| | | | capital, measures of risk exposure, and rules |
| Internal control is effected by | | | | specifying the level of capital to be |
| people. It is not policy manuals and forms, | | | | maintained in relation to these risks. It |
| but people at every level of an organization. | | | | introduced a de facto capital adequacy |
| | | | standard, based on the risk-weighted |
| Internal control can be expected to | | | | composition of a bank's assets and |
| provide only reasonable assurance, not | | | | off-balance-sheet exposures that ensures that |
| absolute assurance, to an entity's management | | | | an adequate amount of capital and reserves is |
| and board.Internal control should assist and | | | | maintained to safeguard solvency. The 1988 |
| never impede management and staff from | | | | Basel Accord primarily addressed banking in |
| achieving their objectives. Control must be | | | | the sense of deposit taking and lending |
| taken seriously. A well-designed system of | | | | (commercial banking under US law), so its |
| internal control is worse than worthless | | | | focus was credit risk.In the early 1990s, the |
| unless it is complied with, since the | | | | Basel Committee decided to update the 1988 |
| assemblance of control will be likely to | | | | accord to include bank capital requirements |
| convey a false sense of assurance. Controls | | | | for market risk. This would have implications |
| are there to be kept, not avoided. For | | | | for non-bank securities firms.Thus, the |
| instance, exception reports should be | | | | formula for determining capital adequacy can |
| followed up. Senior management should set a | | | | be illustrated as follows:= Tier |
| good example about control compliance. For | | | | I + Tier 2 + Tier 3 *- 8% |
| instance, physical access restrictions to | | | | .Risk-weighted Assets + (Market Risk |
| secure areas should be observed equally by | | | | Capital Charge x 12.5)IV. Operational RiskTo |
| senior management as by junior | | | | manage this risk documented policies and |
| personnel.Components of Internal | | | | procedures are established. In addition, |
| ControlsComponents of internal control also | | | | regular training is provided to ensure that |
| depend upon the structure of the business | | | | staffs are well aware of organization's |
| unit and nature of its operation. The COSO | | | | objective, statutory requirements.- Reporting |
| Report describes the internal control process | | | | of major/ unusual/ exceptional transactions |
| as consisting of five interrelated components | | | | with respect to ensuring the compliance of |
| that are derived from and integrated with the | | | | the principles of KYC and Anti-money |
| management process. The components are | | | | laundering measure |
| interrelated, which means that each component | | | | |
| affects and is affected by the other four. | | | | - Analysis of system problemsConclusionFor |
| These five components, which are the | | | | any business to grow and stay in the market |
| necessary foundation for an effective | | | | management style is a key and Risk management |
| internal control system, include:I. Control | | | | is basically the management style of managing |
| Environment,Control environment, an | | | | the risks.It is so important and that State |
| intangible factor and the first of the five | | | | Bank of Pakistan plans to replace Prudential |
| components, is the foundation for all other | | | | Regulations with Risk management guidelines, |
| components of internal control, providing | | | | which will be adopted by banks according to |
| discipline and structure and encompassing | | | | their size and complexity of operations.Risk |
| both technical competence and ethical | | | | is inherent in every business and every |
| commitment.II. Risk Assessments,Organizations | | | | organization has to manage it according to |
| exist to achieve some purpose or goal. Goals, | | | | its size and nature of operation because |
| because they tend to be broad, are usually | | | | without it no organization no organization |
| divided into specific targets known as | | | | can survive in long run. |
| objectives. A risk is anything that endangers | | | | |