INTRODUCTION TO RISK MANAGEMENT

RISK

Risk is the probability that a hazard will turn into a disaster. Vulnerability and hazards are
not dangerous, taken separately. But if they come together, they become a risk or, in other words,
the probability that a disaster will happen.

Nevertheless, risks can be reduced or managed. If we are careful about how we treat the
environment, and if we are aware of our weaknesses and vulnerabilities to existing hazards, then
we can take measures to make sure that hazards do not turn into disasters.

"What is risk?" And what is a pragmatic definition of risk? Since risk is accepted in
business as a trade off between reward and threat, it does mean that taking risk bring forth
benefits as well. In other words it is necessary to accept risks, if the desire is to reap the
anticipated benefits.

Risk in its pragmatic definition, therefore, includes both threats that can materialize and
opportunities, which can be exploited. This definition of risk is very pertinent today as the
current business environment offers both challenges and opportunities to organizations, and it is
up to an organization to manage these to their competitive advantage.

RISK MANAGEMENT

“Risk Management is the process of measuring or assessing the actual or potential

dangers of a particular situation.”

Risk management is a discipline for dealing with the possibility that some future event will
cause harm. It provides strategies, techniques, and an approach to recognizing and confronting
any threat faced by an organization in fulfilling its mission. Risk management may be as
uncomplicated as asking and answering three basic questions:

 What can go wrong?

1
 What will we do (both to prevent the harm from occurring and in the aftermath of an
"incident")?

 If something happens, how will we pay for it?

2
 RISK MANAGEMENT IN BANKS

Risk management does not aim at risk elimination, but enables the organization to bring
their risks to manageable proportions while not severely affecting their income. This balancing
act between the risk levels and profits needs to be well-planned. Apart from bringing the risks to
manageable proportions, they should also ensure that one risk does not get transformed into any
other undesirable risk. This transformation takes place due to the inter-linkage present among the
various risks. The focal point in managing any risk will be to understand the nature of the
transaction in a way to unbundle the risks it is exposed to.

Risk Management is a more mature subject in the western world. This is largely a result
of lessons from major corporate failures, most telling and visible being the Barings collapse. In
addition, regulatory requirements have been introduced, which expect organizations to have
effective risk management practices. In India, whilst risk management is still in its infancy, there
has been considerable debate on the need to introduce comprehensive risk management
practices.

RISK MANAGEMENT PROCESS IN BANKS

1. Risks in Banking

Risks manifest themselves in many ways and the risks in banking are a result of many
diverse activities, executed from many locations and by numerous people. As a financial
intermediary, banks borrow funds and lend them as a part of their primary activity. This
intermediation activity, of banks exposes them to a host of risks. The volatility in the operating
environment of banks will aggravate the effect of the various risks.

3
2. Risk Assessment:

The very first event in the risk management process is risk assessment, where you identify
the various kinds of risk that are faced by the banks. This is a very crucial step in the
management of risk.

3. Risk Identification

Risk identification sets out to identify an organization’s exposure to uncertainty. This

requires an intimate knowledge of the organization, the market in which it operates, the legal,
social, political and cultural environment in which it exists, as well as the development of a
sound understanding of its strategic and operational objectives, These concern the effective
management and control of the finances of the organization and the effects of external factors
such as availability of credit, foreign exchange rates, interest rate movement and other market
exposures.

4
4. Risk Description

The objective of risk description is to display the identified risks in a structured format,

5. Risk Estimation and Evaluation

Risk estimation can be quantitative, semi quantitative or qualitative in terms of the

probability of occurrence and the possible consequence. Tabulate the consequences of the risk
that can happen with the rate of being high medium or low risk. This would need to not only
evaluation but also evaluation of the risk. When the risk analysis process has been completed, it
is necessary to compare the estimated risks against risk criteria which the organization has
established.

6. Risk Reporting

It can be an internal reporting of risk as well as external reporting of risk. Different levels
within an organization need different information from the risk management process. Any
significant deficiencies uncovered by the system, or in the system itself, should be reported
together

7. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the risk.
Risk treatment includes as its major element, risk control/mitigation, but extends further to, for
example, risk avoidance, risk transfer, risk financing, etc.

8. Monitoring

Effective risk management requires a reporting and review structure to ensure that risks are
effectively identified and assessed and that appropriate controls and responses are in place.

5
 BENEFITS OF RISK MANAGEMENT IN BANKS

Proper risk management allows a financial institution to prosper through taking and avoiding
risks. Well run companies are now taking a closer interest in what its management is doing to
mitigate risk exposure, allowing for a more efficient, effective and prudently run business.

Good risk management will greatly improve the transparency of how an organization
operates, providing a roadmap to achieve strategic goals and objectives and reassurance over the
management of risks. A risk based approach can make a company more flexible and responsive
to market fluctuations, making it better able to satisfy the needs of its various stakeholders, in a
constantly changing environment. Companies can also gain an advantage over competitors by
identifying and adapting to circumstances faster than their rivals.

 Increased risk awareness: With the advent of risk management in banks and in banking
system, there is increased awareness on the several of types of risk, this has lead to the
systematized pattern of working and thereby has created awareness among various people
and management for the safe working of the banks. Also RBI has ensured that there is
enough awareness of various risk and thereby banks take care of the risk prior to its
happening.

 Prioritization of business risks to those that matter: With the recognition of the various
risk that are to be happening to the banks and with the increased awareness now banks can
prioritize the risk to that of the other matters.

 Fewer unexpected and unwelcome surprises: Due to increased use of risk management and
its process there are few unexpected surprises, as banks are ready to face the financial and
other hurdles that are on the way. Not only that because of risk management all contingent
risk are reduced to a greater extent

 A better focus internally on doing the right things well: Banks can now focus on the
internal process and its betterment thereby increasing the efficiency of the banks and

6
 increasing the overall brand of the company. Risk management has lead to the increased
efficiency and effectiveness of the banks due to prioritization of the process.

 Reduced losses through process improvements developed by the business of banks: As

there is increased efficiency in the process these results in better output and thereby reducing
the losses that can take places due to process improvements of banks. This increases the
utility of banks and its assets, as a result of these banks have reduced losses and better
process in place.

 Providing a better basis for making key strategic decisions: Risk Management leads to
estimation of the future and the various risks that can be on the way in future. This leads to
proper knowledge of the future, thereby making the future bit more stable and predictable.
This helps in making key strategic decisions and its better implementation for the further
betterment.

 Increasing the chance of change initiatives being achieved: Risk management in banks
leads to various benefits as stated above, all of those benefits leads to increasing the chance
of change initiatives being achieved at earlier stage thereby outperforming the set standards
with better vision of the future.

 Creating a greater likelihood of achieving business goals and objectives: Risk

management leads to effective, efficient business, with vision and goals achieved in due to
time, reducing the possible losses and streamlining the business of banks this leads to
creating a greater likelihood of achieving business goals and objectives

7
 TYPES OF RISKS

Business activities entail a variety of risks. The banking industry has long viewed the
problem of risk management as the need to control four of the above risks which make up most,
if not all, of their risk exposure, viz., credit, interest rate, foreign exchange and liquidity risk For
convenience, we distinguish between different categories of risk: market risk, credit risk,
liquidity risk, etc. Although such categorization is convenient, it is only informal. Usage and
definitions vary. Boundaries between categories are blurred. A loss due to widening credit
spreads may reasonably be called a market loss or a credit loss, so market risk and credit risk
overlap. Liquidity risk compounds other risks, such as market risk and credit risk. It cannot be
divorced from the risks it compounds.

There are various types of risks that occur in the banks and affect its functioning.

Some of these kinds of Risks are as follows:

1. Liquidity Risk

2. Market Risk

3. Interest Rate Risk

4. Credit Risk

5. Operational Risk

6. Strategic Risk

7. Reputation Risk

8
 LIQUIDITY RISK

Liquidity risk is part and parcel for every banking institution. Unfortunately it isn‘t an
isolated risk like credit or market risk, but a consequential risk. It is contingent on other factors
like maturity mismatches or external events such as credit downgrades or market turmoil.

Liquidity risk is financial risk due to uncertain liquidity. An institution might lose
liquidity if its credit rating falls, it experiences sudden unexpected cash outflows, or some other
event causes counterparties to avoid trading with or lending to the institution. A firm is also
exposed to liquidity risk if markets on which it depends are subject to loss of liquidity. Liquidity
Risk also arises from the long term funding of long term assets by the short term liabilities. The
funding liquidity risk is defined as the inability to obtain funds to meet the cash flow obligations.
The funding risk arises from the need to replace net outflow due to unanticipated withdrawal or
non- renewal of deposits.

Liquidity risk tends to compound other risks. If a trading organization has a position in an
illiquid asset, its limited ability to liquidate that position at short notice will compound its market
risk. Suppose a firm has offsetting cash flows with two different counterparties on a given day. If
the counterparty that owes it a payment defaults, the firm will have to raise cash from other
sources to make its payment. Here, liquidity risk is compounding credit risk.

Liquidity risk comprises of:

1. Funding liquidity risk

2. Trading-related liquidity risk.

1. Funding liquidity risk:

Funding liquidity risk relates to a financial institution’s ability to raise the necessary cash
to roll over its debt, to meet the cash, margin, and collateral requirements of counterparties, and
(in the case of funds) to satisfy capital withdrawals. Funding liquidity risk is affected by various
factors such as the maturities of the liabilities, the extent of reliance of secured sources of
funding, the terms of financing, and the breadth of funding sources, including the ability to
access public market such as commercial paper market. Funding can also be achieved through
cash or cash equivalents, “buying power,” and available credit lines.

9
2. Trading-related liquidity risk:

Trading-related liquidity risk, often simply called as liquidity risk, is the risk that an
institution will not be able to execute a transaction at the prevailing market price because there
is, temporarily, no appetite for the deal on the other side of the market. If the transaction cannot
be postponed its execution my lead to substantial losses on position. This risk is generally very
hard to quantify. It may reduce an institution’s ability to manage and hedge market risk as well
as its capacity to satisfy any shortfall on the funding side through asset liquidation.

Managing the Liquidity Risk in the Banks:

Business risk is managed with a long-term focus. Techniques include the careful
development of business plans and appropriate management oversight. Book-value accounting is
generally used, so the issue of day-to-day performance is not material. The focus is on achieving
a good return on investment over an extended horizon.

Liquidity risk has to be managed in addition to market, credit and other risks. Because of
its tendency to compound other risks, it is difficult or impossible to isolate liquidity risk. In all
but the most simple of circumstances, comprehensive metrics of liquidity risk don't exist. Certain
techniques of asset-liability management can be applied to assessing liquidity risk. A simple test
for liquidity risk is to look at future net cash flows on a day-by-day basis. Any day that has a
sizeable negative net cash flow is of concern. Such an analysis can be supplemented with stress
testing. Look at net cash flows on a day-to-day basis assuming that an important counterparty
defaults.

Most financial firms including banks use a variety of metrics to monitor the level of
liquidity risk to which they are exposed. The basic approaches may be categorized into three
types: the liquid assets approach, the cash flow approach, and a mixture of the two.

1. Liquid Assets Approach

Under the liquid assets approach, the firm maintains liquid instruments on its balance
sheet that can be drawn upon when needed. As a variation on this approach, the firm may
maintain a pool of unencumbered assets (usually government securities) that can be used to
obtain secured funding through repurchase agreements and other secured facilities. (The relevant
metrics in this approach are ratios.)

2. Cash Flow Matching Approach

Under the cash flow matching approach, the firm attempts to match cash outflows against
contractual cash inflows across a variety of near-term maturity buckets.

10
3. Mixed Approach

The mixed approach combines elements of the cash flow matching approach and the liquid assets
approach. The firm attempts to match cash outflows in each time bucket against a combination of
contractual cash inflows plus inflows that can be generated through the sale of assets, repurchase
agreement or other secured borrowing. Assets that are most liquid are typically counted in the
earliest time buckets, while less liquid assets are counted in later time buckets.

11
 MARKET RISK

Market risk consumes about nearly 25% of the risk capital in the bank. It is rightly said
that “to win without risk is to triumph without glory”.

Market Risk may be defined as the possibility of loss to a bank caused by changes in the
market variables. The Bank for International Settlements (BIS) defines market risk as “the risk
that the value of 'on' or 'off' balance sheet positions will be adversely affected by movements in
equity and interest rate markets, currency exchange rates and commodity prices". Thus, Market
Risk is the risk to the bank's earnings and capital due to changes in the market level of interest
rates or prices of securities, foreign exchange and equities, as well as the volatilities of those
changes.

Besides, it is equally concerned about the bank's ability to meet its obligations as and
when they fall due. In other words, it should be ensured that the bank is not exposed to Liquidity
Risk. Thus, focus on the management of Liquidity Risk and Market Risk, further categorized
into interest rate risk, foreign exchange risk, commodity price risk and equity price risk. An
effective market risk management framework in a bank comprises risk identification, setting up
of limits and triggers, risk monitoring, models of analysis that value positions or measure market
risk, risk reporting, etc.

It is a risk of adverse deviation of the mark to market value of trading portfolio due to the
market movements during the period required to liquidate the transactions. It is also referred to
as Price Risk. It occurs when the assets are sold before their stated maturities. Price Risk is
closely associated to the trading book, which is created for making profit out of short term
movements in the interest rates.

Market risk is managed with a short-term focus. Long-term losses are avoided by
avoiding losses from one day to the next. On a tactical level, traders and portfolio managers
employ a variety of risk metrics —duration and convexity, the Greeks, beta, etc.—to assess their
exposures. These allow them to identify and reduce any exposures they might consider
excessive. On a more strategic level, organizations manage market risk by applying risk limits to
traders' or portfolio managers' activities. Increasingly, value-at-risk is being used to define and
monitor these limits. Some organizations also apply stress testing to their portfolios.

12
Benefits of Market Risk

The effective measurement of market risk benefits the banks in the following ways:

1. Efficient allocation of the capital to exploit the different risks or rewards pattern.

2. Better product pricing.

3. There is reduced earnings volatility.

4. There is increase in the shareholders value.

Managing the Market Risk in the Banks:

The measurement of risk has changed over time. It has evolved from the simple
indicators, such as Face value/ Notional amount for an individual security to the latest
methodologies of computing VaR. the quest for better and more accurate measure of market risk
is ongoing; each new market turmoil reveals the limitations of even the most sophisticated
measure of market risk. There are various methods of measuring the market risks:

1. The Notional Amount Approach:

Until recently, trading desks in major banks were allocated economic capital by reference to
notional amount. The notional approach measures risk as the notional, or nominal, amount of a
security, or the sum of the notional values of the holdings for a portfolio.

This method is flawed since it does not:

 Differentiate between short and long positions.

 Reflect price volatility and correlation between prices.

Moreover, in the case of derivative positions in the over the counter market, there are
often very large discrepancies between true amount of market exposure, which is often small,
and the notional amount which may be huge. For example, two call options on the same
underlying instrument with the same notional value and same maturity, with one option being in
the money and the other one out-of-the-money, have very different market values and risk
exposures.

2. Value At Risk (VaR):

Value at risk can be defined as the worst loss that might be expected from holding a security
or portfolio over a given period of time (say a single day, 10 days for the purpose of regulatory
capital reporting), given a specified level of probability (known as the “confidence level”)

13
 Value at risk is a measure of market risk, which measures the maximum loss in the market
value of the portfolio with a given confidence. VaR is denominated in the units of currency or as
a percentage of the portfolio holdings.

For example, if we say that a position has a daily VaR of Rs. 10 million at the 99%
confidence level, we mean that the realized daily losses from the position will, on average, be
higher than Rs. 10 million on only one day every 100 trading days (i.e., two to three days each
year).VaR offers probability statement about the potential change in the value of a portfolio
resulting from a change in the market factors, over a specified period of time.

For e.g. a set of portfolio having current value of say Rs.100000 can be described to have a
daily value at risk of Rs.5000 at 99% confidence level, which means there is 1/100th chance of
loss exceeding Rs.5000 considering there are no shifts in the underlying factors.

It is thus a probability of the occurrence and hence it is a statistical measure of the risk
exposure.

14
 CREDIT RISK

Credit risk is the oldest and biggest risk that a bank, by virtue of its very nature of
business, inherits. This has, however, acquired a greater significance in the recent past for
various reasons. Foremost among them is the wind of economic liberalization that is blowing
across the globe. India is no exception to this swing towards market-driven economy. Better
credit portfolio diversification enhances the prospects of the reduced concentration credit risk as
empirically evidenced by direct relationship between concentration credit risk profile and NPAs
of public sector banks.

Bank optimizes utilization of deposits by deploying funds for developmental activities

and productive purposes through credit creation process. Deposit mobilization & Credit
deployment constitute the core of banking activities and substantial portion of expenditure and
income are associated with them. In the case of deposits, baring few stray instances of
operational risks linked to the system and human failure culminating in fraud, forgeries & loss,
there may not be anything very alarming. But credit portfolio is the real dynamic activity that
requires close monitoring and continuous management.
Credit risk is defined as the possibility that a borrower or counterparty will fail to
meet its obligations in accordance with agreed terms. Credit risk, therefore, arises from the
banks' dealings with or lending to a corporate, individual, another bank, financial institution or a
country.

Credit risk may take various forms, such as:

 In the case of direct lending, that funds will not be repaid;

 In the case of guarantees or letters of credit, that funds will not be forthcoming from the
customer upon crystallization of the liability under the contract;
 In the case of treasury products, that the payment or series of payments due from the
counterparty under the respective contracts is not forthcoming or ceases;
 In the case of securities trading businesses, that settlement will not be effected;

15
 In the case of cross-border exposure, that the availability and free transfer of currency is
restricted or ceases.

COMPONENTS OF CREDIT RISK MANAGEMENT

Credit risk management framework broadly categorized into following main components.
a) Board and senior Management’s Oversight
b) Organizational structure
c) Systems and procedures for identification, acceptance, measurement, monitoring and control
risks.

A) Board And Senior Management’s Oversight

It is the overall responsibility of bank’s Board to approve bank’s credit risk strategy and
significant policies relating to credit risk and its management which should be based on the
bank’s overall business strategy. To keep it current, the overall strategy has to be reviewed by the
board, preferably annually.

The responsibilities of the Board with regard to credit risk management include:

1. Delineate bank’s overall risk tolerance in relation to credit risk.

2. Ensure that bank’s overall credit risk exposure is maintained at prudent levels and consistent
with the available capital
3. Ensure that top management as well as individuals responsible for credit
4. risk management possess sound expertise and knowledge to accomplish the risk management
function
5. Ensure that the bank implements sound fundamental principles that facilitate the
identification, measurement, monitoring and control of credit risk.
6. Ensure that appropriate plans and procedures for credit risk management are in place.
The senior management of the bank should develop and establish credit policies and credit
administration procedures as a part of overall credit risk management framework and get those
approved from board. Such policies and procedures shall provide guidance to the staff on various
types of lending including corporate, SME, consumer, agriculture, etc.

16
At minimum the policy should include,
1. Detailed and formalized credit evaluation/ appraisal process.
2. Credit approval authority at various hierarchy levels including authority for approving
exceptions.
3. Risk identification, measurement, monitoring and control
4. Risk acceptance criteria
5. Credit origination and credit administration and loan documentation procedures
6. Roles and responsibilities of units/staff involved in origination and management of credit.

B) Organizational Structure

To maintain bank’s overall credit risk exposure within the parameters set by the board of
directors, the importance of a sound risk management structure is second to none. While the
banks may choose different structures, it is important that such structure should be
commensurate with institution’s size, complexity and diversification of its activities. It must
facilitate effective management oversight and proper execution of credit risk management and
control processes.
Each bank, depending upon its size, should constitute a Credit Risk Management
Committee (CRMC), ideally comprising of head of credit risk management Department, credit
department and treasury. This committee reporting to bank’s risk management committee should
be empowered to oversee credit risk taking activities and overall credit risk management
function.

Functions of CRMD:

 To follow a holistic approach in management of risks inherent in banks portfolio and

 Ensure the risks remain within the boundaries established by the Board or Credit Risk
Management Committee.
 The department also ensures that business lines comply with risk parameters and
 Prudential limits established by the Board or CRMC.

17
 Establish systems and procedures relating to risk identification, Management Information
System, monitoring of loan / investment portfolio quality and early warning. The department
would work out remedial measure when deficiencies/problems are identified.

C) Systems And Procedures

Banks must operate within a sound and well-defined criteria for new credits as well as the
expansion of existing credits. Credits should be extended within the target markets and lending
strategy of the institution. Before allowing a credit facility, the bank must make an assessment of
risk profile of the customer/transaction. This may include:

 Credit assessment of the borrower’s industry, and macro economic factors.

 The purpose of credit and source of repayment.
 The track record / repayment history of borrower.
 Assess/evaluate the repayment capacity of the borrower.
 The Proposed terms and conditions and covenants.
 Adequacy and enforceability of collaterals.
 Approval from appropriate authority

Limit setting
An important element of credit risk management is to establish exposure limits for single
obligors and group of connected obligors. Institutions are expected to develop their own limit
structure while remaining within the exposure limits set by RBI. The size of the limits should be
based on the credit strength of the obligor, genuine requirement of credit, economic conditions
and the institution’s risk tolerance. Appropriate limits should be set for respective products and
activities. Institutions may establish limits for a specific industry, economic sector or geographic
regions to avoid concentration risk.
Credit limits should be reviewed regularly at least annually or more frequently if
obligor’s credit quality deteriorates. All requests of increase in credit limits should be
substantiated.

18
Credit Administration:-
Credit administration unit performs following functions:

1. Documentation
It is the responsibility of credit administration to ensure completeness of documentation
(loan agreements, guarantees, transfer of title of collaterals etc) in accordance with approved
terms and conditions. Outstanding documents should be tracked and followed up to ensure
execution and receipt.
2. Credit Disbursement
The credit administration function should ensure that the loan application has proper
approval before entering facility limits into computer systems. Disbursement should be
effected only after completion of covenants, and receipt of collateral holdings. In case of
exceptions necessary approval should be obtained from competent authorities.
3. Risk Rating Model
Set up comprehensive risk scoring system on a six to nine point scale. Clearly define
rating thresholds and review the ratings periodically preferably at half yearly intervals.
Rating migration is to be mapped to estimate the expected loss.
4. Credit monitoring
After the loan is approved and draw down allowed, the loan should be continuously
watched over. These include keeping track of borrowers’ compliance with credit terms,
identifying early signs of irregularity, conducting periodic valuation of collateral and
monitoring timely repayments.
5. Loan Repayment
The obligors should be communicated ahead of time as and when the principal/markup
installment becomes due. Any exceptions such as non-payment or late payment should be
tagged and communicated to the management. Proper records and updates should also be
made after receipt.
6. Maintenance of Credit Files
Institutions should devise procedural guidelines and standards for maintenance of credit
files. The credit files not only include all correspondence with the borrower but should also
contain sufficient information necessary to assess financial health of the borrower and its
repayment performance.

19
7. Collateral and Security Documents
Institutions should ensure that all security documents are kept in a fireproof safe under
dual control. Registers for documents should be maintained to keep track of their movement.
Procedures should also be established to track and review relevant insurance coverage for
certain facilities/collateral. Physical checks on security documents should be conducted on a
regular basis.

Measuring Credit Risk

The measurement of credit risk is of vital importance in credit risk management. A number
of qualitative and quantitative techniques to measure risk inherent in credit portfolio are
evolving. To start with, banks should establish a credit risk rating framework across all type of
credit activities. Among other things, the rating framework may, incorporate:

 Business Risk
1. Industry Characteristics
2. Competitive Position (e.g. marketing/technological edge)
3. Management

 Financial Risk
1. Financial condition
2. Profitability
3. Capital Structure
4. Present and future Cash flows

Types of Credit Rating

Credit rating can be classified as:
1. External credit rating.
2. Internal credit rating

1. External Credit Rating:

A credit rating is not, in general, an investment recommendation concerning a given

security. In the words of S&P,” A credit rating is S&P's opinion of the general creditworthiness
of an obligor, or the creditworthiness of an obligor with respect to a particular debt security or
other financial obligation, based on relevant risk factors.” In Moody's words, a rating is, “ an

20
opinion on the future ability and legal obligation of an issuer to make timely payments of
principal and interest on a specific fixed-income security.”
Since S&P and Moody's are considered to have expertise in credit rating and are regarded
as unbiased evaluators, there ratings are widely accepted by market participants and regulatory
agencies. Financial institutions, when required to hold investment grade bonds by their regulators
use the rating of credit agencies such as S&P and Moody's to determine which bonds are of
investment grade.

The rating process includes quantitative, qualitative, and legal analyses, quantitative
analyses. The quantitative analysis is mainly financial analysis and is based on the firm’s
financial reports. The qualitative analysis is concerned with the quality of management, and
includes a through review of the firm’s competitiveness within its industry as well as the
expected growth of the industry and its vulnerability to technological changes, regulatory
changes, and labor relations.

Internal Credit Rating:

A typical risk rating system (RRS) will assign both an obligor rating to each borrower (or
group of borrowers), and a facility rating to each available facility. A risk rating (RR) is designed
to depict the risk of loss in a credit facility. A robust RRS should offer a carefully designed,
structured, and documented series of steps for the assessment of each rating.

21
Risk Rating Models

Short term ratings Risk weights

CARE CRISIL FITCH ICRA

PR1+ P1+ F1+ A1+ 20%

PR1 P1 F1 A1 30%

PR2 P2 F2 A2 50%

PR3 P3 F3 A3 100%

PR4/PR5 P4/P5 B/C/D AR/A5 150%

UNRATED UNRATED UNRATED UNRATED 100%

Under the New Basel II Accord, assessment of Credit Risk can be carried out in any of the
three approaches viz.
1. Standardized Approach
2. Foundation Internal Rating Based Approach and
3. Advanced Internal Rating Based Approach.
At present, banks in India in general and PSU banks in particular, are ready to migrate to Basel II
only at a conceptual and academic level.
1. Standardized Approach

Banks may use external credit ratings by institutions recognized for the purpose by the
central bank for determining the risk weight. Exposure on sovereigns and their central banks
could vary from zero percent to 150 percent depending on credit assessment from ‘AAA’ to
below B- . Similarly, exposure on public sector entities, multilateral development banks, other
banks, securities firms and corporates also may have risk weights from 20 percent to 150
percent. Exposure on retail portfolio may carry risk weight of 75 percent. While Basel II
stipulates minimum capital requirement of 8 percent on risk weighted assets, India has prescribed

22
9 percent. Under Basel II exposure on a corporate with ‘AAA’ rating will have a risk weight of
only 20 percent. This implies that for Rs. 100 crore exposure on a ‘AAA’ rated corporate the
capital adequacy will be only Rs.1.8 crore (100 x 20% x 9%) compared to the earlier requirement
of Rs. 9 crore. However, claims on a corporate with below BB- rating will carry a risk weight of
150 percent and the capital requirement will be Rs.13.50 crore (100 x 150% x 9%). Thus, a bank
with a credit portfolio with superior rating may be able to save capital while banks having lower
rated credit exposure will have to mobilize more capital.

2. Internal Ratings Based (IRB) Approach: Foundation and Advanced Approach.

Banks, which have developed reliable Management Information System (MIS) and have
received the approval of the central bank, can use the IRB approach to measure credit risk on
their own. The bank should have reliable data on Probability of Default (PD), Loss Given
Default (LGD), Exposure at Default (EAD) and effective maturity (M) to make use of IRB
approach.

Example of Union Bank of India:-

In UBI, a business receiving Credit Rating above level 6 are not considered good from
point of investment and thus are avoided.

23
Rating Score Revised w.e.f. 01.04.09

Working capital Term loan

CR-1 >90 BPLR BPLR+ 0.25%

CR-2 86-90 BPLR+ 0.25% BPLR+ 0.75%

CR-3 81-85 BPLR+ 0.75% BPLR+ 1.25%

CR-4 76-80 BPLR+ 1.00% BPLR+ 1.75%

CR-5 71-75 BPLR+ 1.25% BPLR+ 2.25%

CR-6 61-70 BPLR+ 1.75% BPLR+ 2.75%

CR-7 51-60 BPLR+ 3.50% BPLR+ 3.50%

CR-8 50 & below BPLR+ 3.50% BPLR+ 3.50%

24
 INTEREST RATE RISK

“Interest rate risk arises when there is a mismatch between positions, which are subject
to interest rate adjustment within a specified period. The bank’s lending, funding and investment
activities give rise to interest rate risk. The immediate impact of variation in interest rate is on
bank’s net interest income, while a long term impact is on bank’s net worth since the economic
value of bank’s assets, liabilities and off-balance sheet exposures are affected.”
Consequently there are two common perspectives for the assessment of interest rate risk
1. Earning perspective:
In earning perspective, the focus of analysis is the impact of variation in interest rates on
accrual or reported earnings. This is a traditional approach to interest rate risk assessment and
obtained by measuring the changes in the Net Interest Income (NII) or Net Interest Margin
(NIM) i.e. the difference between the total interest income and the total interest expense.

2. Economic Value perspective:

Economic Value perspective involves analyzing the expected cash inflows on assets minus
expected cash out flows on liabilities plus the net cash flows on off-balance sheet items. The
economic value perspective identifies risk arising from long-term interest rate gaps.

Objective of Interest Rate Risk Management

1. To maintain earnings
2. Improve the capability,
3. Ability to absorb potential loss
4. To ensure the adequacy of the compensation received for the risk taken and effect risk return
trade-off.

In order to manage interest rate risk, banks should begin evaluating the vulnerability of their
portfolios to the risk of fluctuations in market interest rates. One such measure is Duration of
market value of a bank asset or liabilities to a percentage change in the market interest rate. The

25
difference between the average duration for bank assets and the average duration for bank
liabilities is known as the duration gap which assesses the bank’s exposure to interest rate risk.
The Asset Liability Committee (ALCO) of a bank uses the information contained in the duration
gap analysis to guide and frame strategies. By reducing the size of the duration gap, banks can
minimize the interest rate risk.

SOURCES OF INTEREST RATE RISKS:

Interest rate risk occurs due to,

1. Differences between the timing of rate changes and the timing of cash flows(re-pricing
risk);
2. Changing rate relationships among different yield curves effecting bank activities(basis
risk);
3. changing rate relationships across the range of maturities (yield curve risk);
4. Interest-related options embedded in bank products (options risk).

Types of Interest Rate Risks

1. Gap/Mismatch risk:
It arises from holding assets and liabilities and off balance sheet items with different
principal amounts, maturity dates & re-pricing dates thereby creating exposure to unexpected
changes in the level of market interest rates.
2. Basis Risk:
It is the risk that the Interest rat of different Assets/liabilities and off balance items may
change in different magnitude. The degree of basis risk is fairly high in respect of banks that
create composite assets out of composite liabilities.
3. Embedded option Risk:
Option of pre-payment of loan and Fore- closure of deposits before their stated maturities
constitute embedded option risk,
4. Yield curve risk:
Movement in yield curve and the impact of that on portfolio values and income.
5. Reprice risk:
When assets are sold before maturities.

26
6. Reinvestment risk:
Uncertainty with regard to interest rate at which the future cash flows could be reinvested.
7. Net interest position risk:
When banks have more earning assets than paying liabilities, net interest position risk arises in
case market interest rates adjust downwards. There are different techniques such a
a) the traditional Maturity Gap Analysis to measure the interest rate sensitivity,
b) Duration Gap Analysis to measure interest rate sensitivity of capital,
c) Simulation and
d) Value at Risk for measurement of interest rate risk.

Interest Rate Risk Management

While rising interest rates make banks vulnerable to treasury losses, banks in India have a
number of lines of defense. First, banks have, in recent years, realized substantial profits from
their holdings of government securities, thanks to the soft interest rate environment. Banks are
required to follow conservative accounting practices in respect of unrealized capital gains on
their investment portfolio and have constituted latent reserves. Moreover, banks in India have
been encouraged to build up investment fluctuation reserves as a cushion gainst interest rate
risk. Finally, banks can adjust their behavior to offset treasury losses by adequately managing
their asset-liability mismatch.

Banks manage interest rate risk through a number of measures. Banks could
(i) Reduce the duration of their assets by selling long-dated government securities;
(ii) Reduce their holdings of government securities and increase their loan books by building
on the recent high growth in consumer credit and infrastructure;
(iii) Increase the contribution of fee-based income to operating income.

27
 REPUTATION RISK

Reputation risk is arising from negative public opinion. This risk may be exposed the
financial loss or a decline in a customer based or decline in the reputation of business.
“Reputation risk is the risk to earning or capital arising from negative public opinion of the
bank”. Negative public opinion can arise from poor service, failure to serve the credit needs of
their communities or for other reasons. This affects the institution’s ability to establish new
relationships or services or continue servicing existing relationships.

The Bank manages reputation risk with the aim to bring potential losses down, preserve
and maintain the Bank’s reputation among customers, counteragents, shareholders, participants
of the financial market, state governmental authorities, local self-government, the Bank unions
(association), self-governed organizations, in which the Bank participates.

Aggregate Level of Reputation Risk Indicators:

The following indicators should be used when assessing the aggregate level of reputation.

 Low
1. Management anticipates and responds well to changes of a market or regulatory nature that
impact its reputation in the marketplace.
2. Management fosters a sound culture that is well supported throughout the organization and
has proven very effective over time.
3. The Bank effectively self-policies risks.
4. Internal control and audit are fully effective
5. Franchise value is only minimally exposed by reputation risk. Exposure from reputation risk
is expected to remain low in the foreseeable future.
6. Losses from fiduciary activities are low relative to the number of accounts, the volume of
assets under Management, and the number of affected transactions. The Bank does not
regularly experience litigation or customer complaints.

28
7. Management has a clear awareness of privacy issues and uses customer information
responsibly.

 Moderate
1. Management adequately responds to changes of a market or regulatory nature that impact the
institution’s reputation in the marketplace.
2. Administration procedures and processes are satisfactory. Management has a good record of
correcting problems. Any deficiencies in management information systems are minor.
3. The Bank adequately self-policies risks.
4. Internal control and audit are generally effective.
5. The exposure of franchise value from reputation risk is controlled. Exposure is not expected
to increase in the foreseeable future.
6. The Bank has avoided conflicts of interest and other legal or control breaches. The level of
litigation, losses, and customer complaints are manageable and commensurate with the
volume of business conducted.
7. Management understands privacy issues and generally uses customer information
responsibly.

 High
1. Management does not anticipate or take timely or appropriate actions in response to changes
of a market or regulatory nature.
2. Weaknesses may be observed in one or more critical operational, administrative, or
investment activities. Management information at various levels exhibits significant
weaknesses.
3. The institution’s performance in self-policing risk is insufficient.
4. Internal control or audit are not effective in reducing exposure. Management has either not
initiated, or has a poor record of, corrective action to address problems.
5. Franchise value is substantially exposed by reputation risk shown in significant litigation,
large dollar losses, or a high volume of customer complaints. The potential exposure is

29
 increased by the number of accounts, the volume of assets under Management, or the number
of affected transactions. Exposure is expected to continue in the foreseeable future.
6. Poor administration, conflicts of interest, and other legal or control breaches may be evident.
7. Management is not aware and/or concerned with privacy issues and may use customer
information irresponsibly.

The Bank manages reputation risks by

 The system of marginal values (limits);

 The system of authorities and decision-making;

 The system of reputation risk monitoring;

 The system of minimization and control

30
 STRATEGIC RISK

Strategic risk is a risk arising from adverse business decisions, improper implementation
of decisions of lack of responsiveness to industry change. “Strategic risk is the risk to earnings
or capital arising from making bad business decisions that adversely affect the value of the
bank.”

Strategic risk is the risk of losses of the credit organization as a result of mistakes made
(imperfections) in taking decisions. Strategic risk is the risk associated with the financial
institution’s future business plans and strategies. This risk category includes plans for entering
new business lines, expanding existing services through mergers and acquisitions, and enhancing
infrastructure (e.g., physical plant and equipment and information technology and networking).
The Bank uses the following methods of strategic risk management:

 Business planning;

 Financial planning;

 Market analysis;

 Readjustment of plans.

31
 OPERATIONAL RISK

Operational risk is faced by all organizations in one way or the other. The exposure to
Operational risk depends upon the complexity of the Organization. Operational risk would arise
due to deviations from normal and planned functioning of systems, procedures, technology and
human failures of omission and commission. This not only affects the revenue of the
organization but also cost it in terms of opportunities loss that would be otherwise feasible. Basel
Committee has defined 'Operational Risk' as follows

“The risk of loss resulting from inadequate or failed internal processes, people and
systems, or from external events".

Need For Operational Risk Management

The criticality of operational risk in the functioning of banks has to be viewed in the
context of changes that has taken place in the banking industry. Since late nineties in India, there
has been a remarkable change in the functioning of banks. Driven by deregulation and need to
become globally competitive, the banks have made tremendous technological advances, brought
in a plethora of new financial products, and are catering to a very large volume of customers on
several platforms.

The time tested systems and procedures in traditional banking were developed over
several decades. In the process of perfecting the systems and procedures banks may have faced
operational losses but as the changes were only few and far between, systems had time to
stabilize. For e.g. the computerization of banks which took place slowly in Indian banking
industry. In the present context of fast changing environment and work practices, the time
required to stabilize systems and procedures is not enough. So, as banks respond to the needs of
competition, systems and procedures and human adaptation of the changes create operational
risks inherent in the banking business. Accordingly, this risk needs to be factored in and taken
into account in the banking business. Therefore, proper management of operational risks is an

32
imperative. If operational risks are managed well, the rewards are available by way of lesser risk
capital and cost reductions in operations. Both have a favorable impact on competitive edge.
Basic motivation for management of operational risk stems from it.

Types Operational Risk

Operational risk arises from almost all the activities undertaken and consequently it is
everywhere in an Organization. Impact of various forms of operational risk on the organization
may vary in degree i.e., some risks may have more potential of causing damages while some
may have less potential, some may occur more frequently while some may occur less frequently.
As the activities of an organization changes in response to market and competition, new and until
then unknown factors may add to operational risks.

Operational risks vary in their components. Some are high occurrence low value risks,
while some are low occurrence high value risks. Operational risks in the Organization
continuously change especially when an Organization is undergoing changes.

Basel II suggested classification of operational risks based on the 'Causes' and 'Effects'.
That is classifications based on causes that are responsible for operational risks or classifications
based on effects of risks were suggested. Classifications based on 'Causes' and 'Effects' are listed
below.

1. CAUSE BASED

 People oriented causes: negligence, incompetence, insufficient training, integrity, key man.
 Process oriented (Transaction based) causes: business volume fluctuation, organizational
complexity, product complexity, and major changes.
 Process oriented (Operational control based) causes: inadequate segregation of duties,
lack of management supervision, inadequate procedures.
 Technology oriented causes: poor technology and telecom, obsolete applications, lack of
automation, information system complexity, poor design, development and testing.
 External causes: natural disasters, operational failures of a third party, deteriorated social
or political context.

33
2. EFFECT BASED

 Legal liability
 Regulatory, compliance and taxation penalties
 Loss or damage to assets
 Restitution
 Loss of recourse
 Write downs

However, the Third Consultative Paper recommended for event based classification. They are
listed below.

3. EVENT BASED

 Internal Fraud
Losses due to acts of a type intended to defraud, misappropriate property or circumvent
regulations, the law or company policy, excluding diversity/ discrimination events, which
involves at least one internal party.

 External Fraud
Losses due to acts of a type intended to defraud, misappropriate property or circumvent the
law, by a third party.

 Employment practices and workplace safety

Losses arising from acts inconsistent with employment, health or safety laws or agreements
from payment of personal injury claims, or from diversity/ discrimination events.

 Clients, products and business practices

Losses arising from an unintentional or negligent failure to meet a professional obligation to
specific clients (including fiduciary and suitability requirements), or from the nature or design of
a product.

34
 Damage to physical assets
Losses arising from loss or damage to physical assets from natural disasters or other events.

 Business disruption and system failures

Losses arising from disruption of business or system failures

 Execution, delivery and process management

Losses from failed transaction processing or process management, from relations with trade
counterparties and vendors

OPERATIONAL RISK MANAGEMENT (ORM) PRACTICES

Basel II document provides guidelines for operational risk management practices. These
are called 'Sound Practices for the Management of Operational Risks'. Out of 10 first 7 are
relevant at the organization level. Out of remaining three, two are relevant to
regulators/supervisors and one related to disclosure requirements have not been reproduced.

Principle 1

Board of directors' should be aware of the major aspects of bank's operational risk as a distinct
risk category that should be managed, and it should approve and periodically review the bank's
ORM (Operational Risk Management) framework. The framework should provide a firm wide
definition of operational risk and lay down the principles of how operational risk is to be
identified, assessed, monitored, and controlled/ mitigated.

Principle 2

The Board of Directors should ensure that the ORM framework is subject to effective and
comprehensive internal audit by operationally independent and competent staff. The internal
audit function should not be directly responsible for operational risk management.

Principle 3

Senior management should have responsibility for implementing ORM framework approved by
board of directors. The framework should be consistently implemented throughout the whole

35
banking organization, and all levels of staff should understand their responsibilities with respect
to ORM. Senior management should also have responsibility for developing policies, processes
and procedures for managing operational risk in all of the bank's material products, processes
and systems.

Principle 4

Banks should identify and assess OR inherent in all material products, activities, processes and
systems. Banks should also ensure that before new products, activities, processes and systems are
introduced or undertaken, the operational risk inherent in them is subject to adequate assessment
procedures.

Principle 5

Banks should implement a process to regularly monitor operational risk profiles and material
exposures to losses. There should be regular reporting of pertinent information to senior
management and the board of directors that supports the proactive management of operational
risk.

Principle 6

Banks should have Policies, processes and procedures to control/mitigate material operational
risks. Banks should periodically review their risk limitation and control strategies and should
adjust their operational risk profile accordingly using appropriate strategies, in light of their
overall risk appetite and profile.

Principle 7

Banks should have in place contingency and business continuity plans to ensure their ability to
operate on an ongoing basis and limit losses in the event of severe business disruption.

Principle 8

Banking supervisors should require that all banks, regardless of size, have an effective
framework in place to identify, assess, monitor and control or mitigate material operational risks
as part of an overall approach to risk management.

36
Principle 9

Supervisors should conduct, directly or indirectly, regular independent evaluation of a bank’s

policies, procedures and practices related to operational risks. Supervisors should ensure that
there are appropriate reporting mechanisms in place which allow them to remain apprised of
developments at banks.

Principle 10

Banks should make sufficient public disclosure to allow market participants to assess their
approach to operational risk management

Operational Risk Management Practices should be based on a well laid out policy duly
approved at the board level that describes the processes involved in controlling operational risks.
It should meet the standards set in terms of the principles mentioned above. In addition, well laid
down procedures in dealing with various products and activities should be in place. The policies
and procedures should also be communicated across the Organization.

The Policy should cover

 Operational risk management structure

 Role and responsibilities
 Operational risk management processes
 Operational risk assessment/measurement methodologies

Operational Risk Quantification

The measurement of this risk is most difficult. This is because behavioral pattern of
operational risk does not the statistically normal distribution pattern and that makes it difficult to
estimate the probability of an event resulting in losses. Basel II has recognized this and has
provided options in the measurement of operational risk for this purpose.
1. The Basic Indicator Approach
2. The Standardized Approach
3. Advanced Measurement Approaches (AMA)

37
 Of these, basic indicator approach and Standardized approach are based on income
generated. The advance measurement approach is based on operational loss measurement.

1. The Basic Indicator Approach

Banks using the Basic Indicator Approach must hold capital for operational risk. Equal to the
average over the previous three years of a fixed percentage (15%) of positive annual gross
income. Figures for any year in which annual gross income is negative or zero should be
excluded from both the numerator and denominator when calculating the average.

Gross income is defined as net interest income plus net non interest income, gross of any
provisions (e.g. for unpaid interest) , gross of operating expenses, including fees paid to
outsourcing service providers, exclude realized profits/ losses from the sale of securities in the
banking book; and exclude extraordinary or irregular items as well as income derived from
insurance.

2. The Standardized Approach

In the Standardized Approach, banks' activities are divided into eight business lines:
commercial banking, Corporate finance, trading and sales, retail banking, payment and
settlement, agency services, asset management, and retail brokerage.

Within each business line, gross income is a broad indicator that serves as a proxy for the
scale of business operations and thus the likely scale of operational risk exposure within each of
these business lines. The capital charge for each business line is calculated by multiplying gross
income by a factor (denoted beta) assigned to that business line (Beta Factors).

Business Lines Beta Factors

corporate finance 18%

Trading and sales 18%

Retail banking 12%

Commercial banking 15%

Payment and settlement 18%

Agency services 15%

38
 Business Lines Beta Factors

Asset management 12%

Retail brokerage 12%

3. Advanced Measurement Approaches (AMA)

Under the AMA, the regulatory capital requirement will equal the risk measure generated by
the bank's internal operational risk measurement system using the quantitative and qualitative
criteria for the AMA discussed below. Use of the AMA is subject to supervisory approval.

A Generic Measurement Approach

The first step in measurement approach is operation profiling. The steps involved OP Profiling
is:

 Identification and quantification of operational risks in terms of its components

 Prioritization of operational risks and identification of risk concentrations hot spots
resulting in lower exposure.
 Formulation of bank's strategy for operational risk management and risk based audit
Estimated level of operational risk depends on

 Estimated probability of occurrence

 Estimated potential financial impact
 Estimated impact of internal controls
Estimated Probability of Occurrence

This will be based on historical frequency of occurrence and estimated likelihood of future
occurrence. Probability is mapped on a scale of 5 say where

1. implies negligible risk

2. implies low risk
3. implies medium risk
4. implies high risk
5. implies very high risk

39
Estimated Potential Financial Impact

This will be based on severity of historical impact and estimated severity of impact from
unforeseen events. Probability is mapped on a scale of 5 as mentioned above.

Estimated Impact of Internal Controls

This will be based on historical effectiveness of internal controls and estimated impact of internal
controls on risks. This is estimated as fraction in relation to total control, which is valued at
100%.

Estimated level of operational risk = Estimated probability of occurrence x Estimated potential

financial impact x Estimated impact of internal controls

In case of a hypothetical example where Probability of occurrence = 2 (Medium)

Potential financial impact = 4 (very high) impact of internal controls = 50% Estimated level of
operational risk = [( 2 x 4 x (1 0.501 ^ 0.5 = 2.0 or 'Low'

40
 CONCLUSION

In the today’s fierce competitive world, each sector in the industry is undergoing
revolution every now and then. Banking Sector is no exception to it. But with it comes great
uncertainty of events making banks vulnerable in the market. Thus for all banks risk
management becomes necessary to stay in the competition. Risk management allows banks to
access the actual as well as potential dangers. The banks have become more conscious about risk
management as negligence may not only cost bank loosing its profit but also it may wipe out the
presence of the bank. Although some risks can not be avoided but they can be managed properly
so as to cause less damage, whereas others can be avoided completely.

41