bank risk management

1. Risk Management in Banks

2. In the new liberalized economy in India, Banks and
regulators in recent years have been making sustained
efforts to understand and measure the increasing risks they
are exposed to.
With the Indian economy becoming global, the Banks are
realising the importance of different types of risks.
Some of the risk are credit risks, market risks, operational
risks, reputational risks and legal risks, using quantitative
techniques in risk modelling.
RBI issued the first set of guidelines to Banks on Risk
Management on October 20, 1999.

3. A risk can be defined as an unplanned event with financial
consequences resulting in loss or reduced earnings.
Therefore, a risky proposition is one with potential profit or a
looming loss.
Risk stems from uncertainty or unpredictability of the future.
In commercial and business risk generates profit or loss
depending upon the way in which it is managed.
Risk can be defined as the volatility of the potential outcome.
Risk is the possibility of something adverse happening.
Risk management is the process of assessing risk, taking steps to
reduce risk to an acceptable level and maintaining that level of
risk.
Thus, we can say that after the risks have been identified, risk
management attempts to lessen their effects. This is done by
applying a range of management techniques. For example, the
risk may be reduced by taking out insurance or using derivatives
or re-plan the whole project.

4. The essential components of any risk management
system are –
Risk Identification i.e the naming and defining of each type
of risk associated with a transaction or type of product or
service;
Risk Measurement i.e. the estimation of the size ,probability
and timing of potential loss under various scenarios;
Risk Control-i.e. the framing of policies and guidelines that
define the risk limits not only at the individual level but also
for particular transaction

5. Measurement of risk is a very important step in risk management
process.
Some risk can be easily quantified like exchange risk, interest rate risk
etc. While some risks like country risk, operational risk etc. cannot be
mathematically deduced. They can only be qualitatively compared and
measured.
Some risks like gap risk in forex operations can be measured using
modern mathematical and statistical tool like value at risk etc.
Therefore it is important to identify and appreciate the risk and
quantify it. Only then the next step management of risk can be
attempted.
The management is a process consisting of the following steps.
Identify all areas of risk
evaluate these risks
set various exposure limits for
•type of business
•mismatches
•counter parties
issue clear policy guidelines / directives.

6. Types of Risks :
1. Credit Risk –
This is the risk of non recovery of loan or the risk of
reduction in the value of asset.
The credit risk also includes the pre-payment risk
resulting in loss of opportunity to the bank to earn
higher interest income.
Credit Risk also arises due excess exposure to a single
borrower, industry or a geographical area.
The element of country risk is also present which is the
risk of losses being incurred due to adverse foreign
exchange reserve situation or adverse political or
economic situations in another country

7. 2. Interest Rate Risk-
This risk arises due to fluctuations in the interest rates.
It can result in reduction in the revenues of the bank
due to fluctuations in the interest rates which are
dynamic and which change differently for assets and
liabilities.
With the deregulated era interest rates are market
determined and banks have to fall in line with the
market trends even though it may stifle their Net
Interest margins

8. 3. Liquidity Risk-
Liquidity is the ability to meet commitments as and
when they are due and ability to undertake new
transactions when they are profitable.
Liquidity risk may emanate in any of the following
situations-
(a) net outflow of funds arising out of withdrawals/non
renewal of deposits
(b) non recovery of cash receipts from recovery of loans
(c) conversion of contingent liabilities into fund based
commitment and
(d) increased availment of sanctioned limits

9. (4) Foreign Exchange Risk - Risk may arise on account of
maintenance of positions in forex operations and it involves
currency rate risk, transaction risks (profits/loss on transfer
of earned profits due to time lag) and transportation risk
(risks arising out of exchange restrictions)
(5) Regulatory Risks- It is defined as the risk associated with
the impact on profitability and financial position of a bank
due to changes in the regulatory conditions, for example the
introduction of asset classification norms have adversely
affected the banks of NPAs and balance sheet bottom lines.
(6) Technology Risk - This risk is associated with computers
and the communication technology which is being
increasingly introduced in the banks. This entails the risk of
obsolescence and the risk of losing business to better
technologically

10. (7) Market Risk-This is the risk of losses in off and on
balance sheet positions arising from movements in
market prices.
(8) Strategic Risk-This is the risk arising out of certain
strategic decisions taken by the banks for sustaining
themselves in the present day scenario for example
decision to open a subsidiary may run the risk of losses
if the subsidiary does not do good business.

11. The essential components of any risk management system are –
(i) Risk Identification-i.e the naming and defining of each type of
risk associated with a transaction or type of product or service
(ii) Risk Measurement-i.e. the estimation of the size ,probability
and timing of potential loss under various scenarios
(iii) Risk Control-i.e. the framing of policies and guidelines that
define the risk limits not only at the individual level but also for
particular transactions
In risk management exercise the top management has to lay
down clear cut policy guidelines in quantifiable and precise terms
- for different layers line personnel business parameters, limits
etc. It is very important for the management to plant at the macro
level what the organisations is looking in for in any business
proposition or venture and convert these expectations into micro
level factors and requirements for field level functionaries only
then they will be able to convert these expectations into reality. A
very important assumption is made but normally omitted or over
looked is provision of infra-structural support and conductive
climate. Ultimately top management has a greater role to play in
any risk management process

12. CREDIT RISK
Credit risk is defined as the possibility of losses associated
with diminution in the credit quality of borrowers or
counterparties.
In a bank’s portfolio, losses stem from outright default due to
inability or unwillingness of a customer or counterparty to
meet commitments in relation to lending, trading, settlement
and other financial transactions.
Alternatively, losses result from reduction in portfolio value
arising from actual or perceived deterioration in credit
quality.
Credit risk emanates from a bank’s dealings with an
individual, corporate, bank, financial institution or a
sovereign.

13. Credit risk may take the following forms:
in the case of direct lending: principal /and or
interest amount may not be repaid;
in the case of guarantees or letters of credit: funds
may not be forthcoming from the constituents upon
crystallization of the liability;
in the case of treasury operations: the payment or
series of payments due from the counter parties under
the respective contracts may not be forthcoming or
ceases;
in the case of securities trading businesses: funds/
securities settlement may not be effected;
in the case of cross-border exposure: the availability
and free transfer of foreign currency funds may either
cease or restrictions may be imposed by the sovereign.

14. In this backdrop, it is imperative that banks have a robust
credit risk management system which is sensitive and
responsive to these factors.
The effective management of credit risk is a critical
component of comprehensive risk management and is
essential for the long term success of any banking
organisation.
The Credit risk management encompasses identification,
measurement, monitoring and control of the credit risk
exposures.
Building Blocks of Credit Risk Management:
In a bank, an effective credit risk management framework
would comprise of the following distinct building blocks:
a) Policy and Strategy
b) Organisational Structure
c) Operations/ Systems

15. Policies and Strategies
The Board of Directors of each bank shall be responsible for
approving and periodically reviewing the credit risk strategy and
significant credit risk policies.
Credit Risk Policy
Every bank should have a credit risk policy document approved by
the Board. The document should include risk identification, risk
measurement, risk grading/ aggregation techniques, reporting
and risk control/ mitigation techniques, documentation, legal
issues and management of problem loans.
Credit risk policies should also define target markets, risk
acceptance criteria, credit approval authority, credit origination/
maintenance procedures and guidelines for portfolio
management.
The credit risk policies approved by the Board should be
communicated to branches/controlling offices. All dealing
officials should clearly understand the bank’s approach for credit
sanction and should be held accountable for complying with
established policies and procedures.
Senior management of a bank shall be responsible for
implementing the credit risk policy approved by the Board.

16. Credit Risk Strategy
v Each bank should develop, with the approval of its Board, its
own credit risk strategy or plan that establishes the objectives
guiding the bank’s credit-granting activities and adopt necessary
policies/ procedures for conducting such activities. This strategy
should spell out clearly the organisation’s credit appetite and the
acceptable level of risk-reward trade-off for its activities.
v The strategy would, therefore, include a statement of the
bank’s willingness to grant loans based on the type of economic
activity, geographical location, currency, market, maturity and
anticipated profitability. This would necessarily translate into the
identification of target markets and business sectors, preferred
levels of diversification and concentration, the cost of capital in
granting credit and the cost of bad debts.
v The credit risk strategy should provide continuity in approach
as also take into account the cyclical aspects of the economy and
the resulting shifts in the composition/ quality of the overall
credit portfolio. This strategy should be viable in the long run and
through various credit cycles.
v Senior management of a bank shall be responsible for
implementing the credit risk strategy approved by the Board.

17. Organisational Structure
Sound organizational structure is sine qua non (end result) for
successful implementation of an effective credit risk management
system.
The organizational structure for credit risk management should have
the following basic features:
The Board of Directors should have the overall responsibility for
management of risks.
The Board should decide the risk management policy of the bank and
set limits for liquidity, interest rate, foreign exchange and equity price
risks.
The Risk Management Committee will be a Board level Sub committee
including CEO and heads of Credit, Market and Operational Risk
Management Committees.
It will devise the policy and strategy for integrated risk management
containing various risk exposures of the bank including the credit risk.
For this purpose, this Committee should effectively coordinate between
the Credit Risk Management Committee (CRMC), the Asset Liability
Management Committee and other risk committees of the bank, if any.
It is imperative that the independence of this Committee is preserved.

18. The Board should, therefore, ensure that this
is not compromised at any cost.
In the event of the Board not accepting any
recommendation of this Committee, systems
should be put in place to spell out the
rationale for such an action and should be
properly documented.
This document should be made available to
the internal and external auditors for their
scrutiny and comments.
The credit risk strategy and policies adopted
by the committee should be effectively
communicated throughout the organisation.

19. Each bank may, depending on the size of the organization or
loan/ investment book, constitute a high level Credit Risk
Management Committee (CRMC).
The Committee should be headed by the Chairman/CEO/ED, and
should comprise of heads of Credit Department, Treasury, Credit
Risk Management Department (CRMD) and the Chief Economist.
The functions of the Credit Risk Management Committee should
be as under:
Be responsible for the implementation of the credit risk policy/
strategy approved by the Board.
Monitor credit risk on a bank wide basis and ensure compliance
with limits approved by the Board.
Recommend to the Board, for its approval, clear policies on
standards for presentation of credit proposals, financial
covenants, rating standards and benchmarks,
Decide delegation of credit approving powers, prudential limits
on large credit exposures, standards for loan collateral, portfolio
management, loan review mechanism, risk concentrations, risk
monitoring and evaluation, pricing of loans, provisioning,
regulatory/legal compliance, etc.

20. Concurrently, each bank should also set up Credit Risk
Management Department (CRMD), independent of the
Credit Administration Department. The CRMD should:
•Measure, control and manage credit risk on a bank-wide
basis within the limits set by the Board/ CRMC
•Enforce compliance with the risk parameters and
prudential limits set by the Board/ CRMC.
•Lay down risk assessment systems, develop MIS, monitor
quality of loan/ investment portfolio, identify problems,
correct deficiencies and undertake loan review/audit. Large
banks could consider separate set up for loan review/audit.
•Be accountable for protecting the quality of the entire loan/
investment portfolio. The Department should undertake
portfolio evaluations and conduct comprehensive studies
on the environment to test the resilience of the loan
portfolio.

21. Operations / Systems
Banks should have in place an appropriate credit
administration, credit risk measurement and
monitoring processes. The credit administration
process typically involves the following phases:
Relationship management phase i.e. business
development.
Transaction management phase covers risk
assessment, loan pricing, structuring the facilities,
internal approvals, documentation, loan
administration, on going monitoring and risk
measurement.
Portfolio management phase entails monitoring of the
portfolio at a macro level and the management of
problem loans.

22. On the basis of the broad management framework stated above, the banks
should have the following credit risk measurement and monitoring procedures:
· Banks should establish proactive credit risk management practices like annual
/ half yearly industry studies and individual obligor reviews, periodic credit calls
that are documented, periodic visits of plant and business site, and at least
quarterly management reviews of troubled exposures/weak credits.
· Banks should have a system of checks and balances in place for extension of
credit viz.:
- Separation of credit risk management from credit sanction
- Multiple credit approvers making financial sanction subject to approvals at
various stages viz. credit ratings, risk approvals, credit approval grid, etc.
- An independent audit and risk review function.
· The level of authority required to approve credit will increase as amounts and
transaction risks increase and as risk ratings worsen.
· Every obligor and facility must be assigned a risk rating.
· Mechanism to price facilities depending on the risk grading of the customer,
and to attribute accurately the associated risk weightings to the facilities.
· Banks should ensure that there are consistent standards for the origination,
documentation and maintenance for extensions of credit.
· Banks should have a consistent approach towards early problem recognition,
the classification of problem exposures, and remedial action.
· Banks should maintain a diversified portfolio of risk assets; have a system to
conduct regular analysis of the portfolio and to ensure on-going control of risk
concentrations.

23. · Credit risk limits include, obligor limits and concentration limits by
industry or geography. The Boards should authorize efficient and
effective credit approval processes for operating within the approval
limits.
· In order to ensure transparency of risks taken, it is the responsibility of
banks to accurately, completely and in a timely fashion, report the
comprehensive set of credit risk data into the independent risk system.
· Banks should have systems and procedures for monitoring financial
performance of customers and for controlling outstanding within
limits.
· A conservative policy for provisioning in respect of non-performing
advances may be adopted.
· Successful credit management requires experience, judgement and
commitment to technical development. Banks should have a clear, well-
documented scheme of delegation of powers for credit sanction.
Banks must have a Management Information System (MIS), which
should enable them to manage and measure the credit risk inherent in
all on- and off-balance sheet activities. The MIS should provide
adequate information on the composition of the credit portfolio,
including identification of any concentration of risk. Banks should price
their loans according to the risk profile of the borrower and the risks
associated with the loans.

24. Interest Rate Risk (IRR) Management
What is Interest Rate Risk :
Interest rate risk is the risk where changes in market interest rates
might adversely affect a bank’s financial condition. The
management of Interest Rate Risk should be one of the critical
components of market risk management in banks. The regulatory
restrictions in the past had greatly reduced many of the risks in
the banking system. Deregulation of interest rates has, however,
exposed them to the adverse impacts of interest rate risk. T
What is the Impact of IRR:
The immediate impact of changes in interest rates is on the Net
Interest Income (NII). A long term impact of changing interest
rates is on the bank’s networth since the economic value of a
bank’s assets, liabilities and off-balance sheet positions get
affected due to variation in market interest rates.

25. The Net Interest Income (NII) or Net Interest Margin (NIM)
of banks is dependent on the movements of interest rates.
Any mismatches in the cash flows (fixed assets or liabilities)
or repricing dates (floating assets or liabilities), expose
bank’s NII or NIM to variations. The earning of assets and
the cost of liabilities are closely related to market interest
rate volatility.
The interest rate risk when viewed from these two
perspectives is known as ‘earnings perspective’ and
‘economic value’ perspective, respectively.
Management of interest rate risk aims at capturing the risks
arising from the maturity and repricing mismatches and is
measured both from the earnings and economic value
perspective.

26. (a) Earnings perspective involves analysing the impact of
changes in interest rates on accrual or reported earnings in
the near term. This is measured by measuring the changes in
the Net Interest Income (NII) or Net Interest Margin (NIM)
i.e. the difference between the total interest income and the
total interest expense.
(b) Economic Value perspective involves analysing the
changes of impact og interest on the expected cash flows on
assets minus the expected cash flows on liabilities plus the
net cash flows on off-balance sheet items. It focuses on the
risk to networth arising from all repricing mismatches and
other interest rate sensitive positions. The economic value
perspective identifies risk arising from long-term interest
rate gaps.

27. Board and senior management oversight of interest
rate risk
Principle 1: In order to carry out its responsibilities, the
board of directors in a bank should approve strategies and
policies with respect to interest rate risk management and
ensure that senior management takes the steps necessary to
monitor and control these risks. The board of directors
should be informed regularly of the interest rate risk
exposure of the bank in order to assess the monitoring and
controlling of such risk.
Principle 2: Senior management must ensure that the
structure of the bank's business and the level of interest rate
risk it assumes are effectively managed, that appropriate
policies and procedures are established to control and limit
these risks, and that resources are available for evaluating
and controlling interest rate risk.

28. Principle 3: Banks should clearly define the individuals and/or
committees responsible for managing interest rate risk and
should ensure that there is adequate separation of duties in key
elements of the risk management process to avoid potential
conflicts of interest. Banks should have risk measurement,
monitoring and control functions with clearly defined duties that
are sufficiently independent from position-taking functions of
the bank and which report risk exposures directly to senior
management and the board of directors. Larger or more complex
banks should have a designated independent unit responsible for
the design and administration of the bank's interest rate risk
measurement, monitoring and control functions.
Adequate risk management policies and procedures
Principle 4: It is essential that banks' interest rate risk policies
and procedures are clearly defined and consistent with the nature
and complexity of their activities. These policies should be
applied on a consolidated basis and, as appropriate, at the level of
individual affiliates, especially when recognising legal distinctions
and possible obstacles to cash movements among affiliates.

29. Principle 5: It is important that banks identify the risks
inherent in new products and activities and ensure these are
subject to adequate procedures and controls before being
introduced or undertaken. Major hedging or risk
management initiatives should be approved in advance by
the board or its appropriate delegated committee.
Risk measurement, monitoring and control functions
Principle 6: It is essential that banks have interest rate risk
measurement systems that capture all material sources of
interest rate risk and that assess the effect of interest rate
changes in ways that are consistent with the scope of their
activities. The assumptions underlying the system should be
clearly understood by risk managers and bank management.

30. Principle 7: Banks must establish and enforce operating
limits and other practices that maintain exposures within
levels consistent with their internal policies.
Principle 8: Banks should measure their vulnerability to
loss under stressful market conditions - including the
breakdown of key assumptions - and consider those results
when establishing and reviewing their policies and limits for
interest rate risk.
Principle 9: Banks must have adequate information systems
for measuring, monitoring, controlling and reporting
interest rate exposures. Reports must be provided on a
timely basis to the bank's board of directors, senior
management and, where appropriate, individual business
line managers.

31. Internal controls
Principle 10: Banks must have an adequate system of internal
controls over their interest rate risk management process. A
fundamental component of the internal control system involves
regular independent reviews and evaluations of the effectiveness
of the system and, where necessary, ensuring that appropriate
revisions or enhancements to internal controls are made. The
results of such reviews should be available to the relevant
supervisory authorities.
Information for supervisory authorities
Principle 11: Supervisory authorities should obtain from banks
sufficient and timely information with which to evaluate their
level of interest rate risk. This information should take
appropriate account of the range of maturities and currencies in
each bank's portfolio, including off-balance sheet items, as well as
other relevant factors, such as the distinction between trading
and non-trading activities.

32. Capital adequacy
Principle 12: Banks must hold capital commensurate with the level of
interest rate risk they undertake.
Disclosure of interest rate risk
Principle 13: Banks should release to the public information on the
level of interest rate risk and their policies for its management.
Sources, effects and measurement of interest rate risk
Interest rate risk is the exposure of a bank's financial condition to
adverse movements in interest rates. Accepting this risk is a normal part
of banking and can be an important source of profitability and
shareholder value. However, excessive interest rate risk can pose a
significant threat to a bank's earnings and capital base. Changes in
interest rates affect a bank's earnings by changing its net interest
income and the level of other interest-sensitive income and operating
expenses. Changes in interest rates also affect the underlying value of
the bank's assets, liabilities and off-balance sheet instruments because
the present value of future cash flows (and in some cases, the cash flows
themselves) change when interest rates change.

33. Liquidity Risk Management
What is Liquidity Risk :
Liquidity risk is the potential inability to meet the liabilities
as they become due. It arises when the banks are unable to
generate cash to cope with a decline in deposits or increase
in assets. It originates from the mismatches in the maturity
pattern of assets and liabilities.
Importance of Liquidity Risk :
Measuring and managing liquidity needs are vital for
effective operation of commercial banks. By assuring a
bank’s ability to meet its liabilities as they become due,
liquidity management can reduce the probability of an
adverse situation developing.

34. Liquidity Risk Management
Analysis of liquidity risk involves the measurement of not
only the liquidity position of the bank on an ongoing basis
but also examining how funding requirements are likely to
be affected under crisis scenarios. Net funding requirements
are determined by analyzing the bank’s future cash flows
based on assumptions of the future behavior of assets and
liabilities that are classified into specified time buckets and
then calculating the cumulative net flows over the time
frame for liquidity assessment.
Future cash flows are to be analysed under “what if”
scenarios so as to assess any significant positive / negative
liquidity swings that could occur on a day-to-day basis and
under bank specific and general market crisis scenarios.

35. Factors to be taken into consideration while determining
liquidity of the bank’s future stock of assets and liabilities
include
their potential marketability,
the extent to which maturing assets /liability will be
renewed,
the acquisition of new assets / liability and
the normal growth in asset / liability accounts.
Factors affecting the liquidity of assets and liabilities of the
bank cannot always be forecast with precision. Hence they
need to be reviewed frequently to determine their
continuing validity, especially given the rapidity of change in
financial markets.

36. The liquidity risk in banks manifest in different dimensions:
i) (a) Funding Risk – need to replace net outflows due to
unanticipated withdrawal/non-renewal of deposits (wholesale and
retail);
(b) Time Risk – need to compensate for non-receipt of expected
inflows of funds, i.e. performing assets turning into non-performing
assets; and
(c) Call Risk – due to crystallisation of contingent liabilities and unable
to undertake profitable business opportunities when desirable.
How is it measured :
Liquidity measurement is quite a difficult task and can be measured
through stock or cash flow approaches. The key ratios, adopted across
the banking system are
Loans to Total Assets,
Loans to Core Deposits,
Large Liabilities (minus) Temporary Investments to Earning Assets
(minus) Temporary Investments,
Purchased Funds to Total Assets,
Loan Losses/Net Loans,

37. However, the ratios do not reveal the intrinsic liquidity
profile of Indian banks which are operating generally in an
illiquid market. Experiences show that assets commonly
considered as liquid like Government securities, other
money market instruments, etc. have limited liquidity as the
market and players are unidirectional.
Thus, analysis of liquidity involves tracking of cash flow
mismatches. For measuring and managing net funding
requirements, the use of maturity ladder and calculation of
cumulative surplus or deficit of funds at selected maturity
dates is recommended as a standard tool.

38. The following prudential limits are considered by Banks to
put in place to avoid liquidity crisis:-
i) (i) Cap on inter-bank borrowings, especially call
borrowings; ii) Purchased funds vis-à-vis liquid assets; iii)
Core deposits vis-à-vis Core Assets i.e. Cash Reserve Ratio,
Statutory Liquidity Ratio and Loans; iv) Duration of
liabilities and investment portfolio; v) Maximum Cumulative
Outflows across all time bands; vi) Commitment Ratio –
track the total commitments given to corporates / banks and
other financial institutions to limit the off-balance sheet
exposure; vii) Swapped Funds Ratio, i.e. extent of Indian
Rupees raised out of foreign currency sources.

39. BCBS Principles for the Assessment of Liquidity
Management in Banks
Developing a Structure for Managing Liquidity
Principle 1: Each bank should have an agreed strategy for
the day-to-day management of liquidity. This strategy
should be communicated throughout the organisation.
Principle 2: A bank’s board of directors should approve the
strategy and significant policies related to the management
of liquidity. The board should also ensure that senior
management takes the steps necessary to monitor and
control liquidity risk. The board should be informed
regularly of the liquidity situation of the bank and
immediately if there are any material changes in the bank’s
current or prospective liquidity position.

40. Principle 3: Each bank should have a management structure
in place to execute effectively the liquidity strategy. This
structure should include the ongoing involvement of
members of senior management. Senior management must
ensure that liquidity is effectively managed, and that
appropriate policies and procedures are established to
control and limit liquidity risk. Banks should set and
regularly review limits on the size of their liquidity positions
over particular time horizons.
Principle 4: A bank must have adequate information
systems for measuring, monitoring, controlling and
reporting liquidity risk. Reports should be provided on a
timely basis to the bank’s board of directors, senior
management and other appropriate personnel.

41. Measuring and Monitoring Net Funding Requirements
Principle 5: Each bank should establish a process for the
ongoing measurement and monitoring of net funding
requirements.
Principle 6: A bank should analyse liquidity utilising a
variety of “what if” scenarios.
Principle 7: A bank should review frequently the
assumptions utilised in managing liquidity to determine
that they continue to be valid.
Managing Market Access
Principle 8: Each bank should periodically review its efforts
to establish and maintain relationships with liability holders,
to maintain the diversification of liabilities, and aim to
ensure its capacity to sell assets.

42. Contingency Planning
Principle 9: A bank should have contingency plans in place that
address the strategy for handling liquidity crises and include
procedures for making up cash flow shortfalls in emergency
situations.
Foreign Currency Liquidity Management
Principle 10: Each bank should have a measurement, monitoring
and control system for its liquidity positions in the major
currencies in which it is active. In addition to assessing its
aggregate foreign currency liquidity needs and the acceptable
mismatch in combination with its domestic currency
commitments, a bank should also undertake separate analysis of
its strategy for each currency individually.
Principle 11: Subject to the analysis undertaken according to
Principle 10, a bank should, where appropriate, set and regularly
review limits on the size of its cash flow mismatches over
particular time horizons for foreign currencies in aggregate and
for each significant individual currency in which the bank
operates.

43. Internal Controls for Liquidity Risk Management
Principle 12: Each bank must have an adequate system of
internal controls over its liquidity risk management process. A
fundamental component of the internal control system involves
regular independent reviews and evaluations of the effectiveness
of the system and, where necessary, ensuring that appropriate
revisions or enhancements to internal controls are made. The
results of such reviews should be available to supervisory
authorities.
Role of Public Disclosure in Improving Liquidity
Principle 13: Each bank should have in place a mechanism for
ensuring that there is an adequate level of disclosure of
information about the bank in order to manage public perception
of the organisation and its soundness.
Sound Practices for managing liquidity in banking organizations,
Basel Committee on Banking Supervision, February, 2000

44. OPERATIONAL RISK (OR)
What is Operational Risk ?
Operational risk has been defined by the Basel Committee
on Banking Supervision1 as the risk of loss resulting from
inadequate or failed internal processes, people and systems
or from external events. This definition is based on the
underlying causes of operational risk. It seeks to identify
why a loss happened and at the broadest level includes the
breakdown by four causes: people, processes, systems and
external factors.
Management of specific operational risks is not a new
practice; it has always been important for banks to try to
prevent fraud, maintain the integrity of internal controls,
reduce errors in transaction processing, and so on. However,
what is relatively new is the view of operational risk
management as a comprehensive practice comparable to the
management of credit and market risk.

45. Growing number of high-profile operational loss events
worldwide have led banks and supervisors to increasingly view
operational risk management as an inclusive discipline. OR can
arise from internal and external fraud, failure to comply with
employments laws or meet workplace safety standards, policy
breaches, compliance breaches, key personnel risks, damage to
physical assets, business disruptions and system failures,
transaction processing failures, information security breaches
and the like.
The Basel Committee on Banking supervision has recognized that
managing OR is becoming an important feature of sound risk
management practice in modern financial markets. The
Committee has noted that the most important types of
operational risk involve breakdowns in internal controls and
corporate governance. Such breakdowns can lead to financial
losses through error, fraud or failure to perform within accepted
time-lines or cause the interests of the bank to be compromised
in some other way, for example by its dealers, lending officers or
other staff exceeding their authority or conducting business in an
unethical or risky manner. Other aspects of operational risk
include major failure of information technology systems or
events such as major fires or other disasters.

46. The Basel Committee has identified the following types of operational
risk events as having the potential to result in substantial losses:-
Internal fraud. For example, intentional misreporting of positions,
employee theft, and insider trading on an employee’s own account.
External fraud. For example, robbery, forgery, cheque kiting, and
damage from computer hacking.
Employment practices and workplace safety. For example, workers
compensation claims, violation of employee health and safety rules,
organised labour activities, discrimination claims, and general liability.
Clients, products and business practices. For example, fiduciary
breaches, misuse of confidential customer information, improper
trading activities on the bank’s account, money laundering, and sale of
unauthorised products.
Damage to physical assets. For example, terrorism, vandalism,
earthquakes, fires and floods.
Business disruption and system failures. For example, hardware and
software failures, telecommunication problems, and utility outages.
Execution, delivery and process management. For example: data entry
errors, collateral management failures, incomplete legal
documentation, and unauthorized access given to client accounts, non-
client counterparty mis-performance, and vendor disputes.

47. Several recent cases demonstrate that inadequate internal
controls can lead to significant losses for banks. The types of
control break-downs may be grouped into five categories:
§ Lack of Control Culture - Management’s inattention and laxity
in control culture, insufficient guidance and lack of clear
management accountability.
§ Inadequate recognition and assessment of the risk of certain
banking activities, whether on-or-off-balance sheet. Failure to
recognise and assess the risks of new products and activities or
update the risk assessment when significant changes occur in
business conditions or environment. Many recent cases highlight
the fact that control systems that function well for traditional or
simple products are unable to handle more sophisticated or
complex products.
§ Absence/failure of key control structures and activities, such as
segregation of duties, approvals, verifications, reconciliations
and reviews of operating performance.
§ Inadequate communication of information between levels of
management within the bank – upward, downward or cross-
functional.
§ Inadequate /effective audit/monitoring programs.

48. Measuring Operational Risk
Operational risk is more difficult to measure than market or
credit risk due to the non-availability of objective data,
redundant data, lack of knowledge of what to measure etc.
Operational risk, however, is an ill-defined “inside
measurement,” related to the measures of internal
performance, such as internal audit ratings, volume,
turnover, error rates and income volatility, interaction of
people, processes, methodologies, technology systems,
business terminology and culture.
Risk Management Tools
A robust operational risk management process consists of
clearly defined steps which involve
identification of the risk events, analysis,
assessment of the impact,
treatment and reporting.

49. While sophisticated tools for measuring and managing
operational risks are still to evolve, the current practices in this
area are based on self-assessment. The starting point is the
development of enterprise-wise generic standards for OR which
includes Corporate Governance standards. It is extremely
important for a robust risk management framework that the
operational risks are managed where they originate. Risk
management and compliance monitoring is a line management
function and the risk culture has to be driven by the line Manager.
It is, therefore, the line manager’s responsibility to develop the
generic operational risk standards applicable to his line of
business. The purpose of this tool is to set minimum operational
risk standards for all business and functional units to establish
controls and monitor risks through Control Standards and Risk
Indicators. Once the standards are set, the line manager has to
undertake a periodic operational risk self assessment to identify
key areas of risk so that necessary risk based controls and checks
can be developed to monitor and mitigate the risks. Control
Standards set minimum controls and minimum requirements for
self-assessment of effectiveness of controls for the key processes.

50. The Risk indicators identify operational risks and control
weaknesses through statistical trend analysis. The Risk
Indicators are reviewed periodically to ensure that they are
constantly updated. Reporting is a very important tool in
the management of operational risks since it ensures timely
escalation and senior management overview. Reporting
should include significant operational risk exceptions,
corporate governance exceptions, minutes of meetings of
Operations Risk Committee and real time incident reports.
Conclusion
Operational Risk management is one of the most complex
and fastest growing areas in banking across the world. The
methods to quantify the risk are evolving rapidly but though
they are still far away from the desired levels. Nevertheless,
it is extremely important that the significance and impact of
this risk area on the overall viability of a banking enterprise
is given due recognition so that there are strong incentives
for banks to continue to work towards developing models to
measure operational risks and to hold the required capital
buffers for this risk.

51. What is ALM ?
ALM is a comprehensive and dynamic framework for measuring,
monitoring and managing the market risk of a bank. It is the
management of structure of balance sheet (liabilities and assets)
in such a way that the net earning from interest is maximised
within the overall risk-preference (present and future) of the
institutions. The ALM functions extend to liquidly risk
management, management of market risk, trading risk
management, funding and capital planning and profit planning
and growth projection.
Benefits of ALM - It is a tool that enables bank managements to
take business decisions in a more informed framework with an
eye on the risks that bank is exposed to. It is an integrated
approach to financial management, requiring simultaneous
decisions about the types of amounts of financial assets and
liabilities - both mix and volume - with the complexities of the
financial markets in which the institution operates

52. The concept of ALM is of recent origin in India. It has been
introduced in Indian Banking industry w.e.f. 1st April, 1999. ALM
is concerned with risk management and provides a
comprehensive and dynamic framework for measuring,
monitoring and managing liquidity, interest rate, foreign
exchange and equity and commodity price risks of a bank that
needs to be closely integrated with the banks’ business strategy.
Therefore, ALM is considered as an important tool for
monitoring, measuring and managing the market risk of a bank.
With the deregulation of interest regime in India, the Banking
industry has been exposed to the market risks. To manage such
risks, ALM is used so that the management is able to assess the
risks and cover some of these by taking appropriate decisions.
The assets and liabilities of the bank’s balance sheet are nothing
but future cash inflows or outflows. With a view to measure the
liquidity and interest rate risk, banks use of maturity ladder and
then calculate cumulative surplus or deficit of funds in different
time slots on the basis of statutory reserve cycle, which are
termed as time buckets.

53. As a measure of liquidity management, banks are required to
monitor their cumulative mismatches across all time buckets in
their Statement of Structural Liquidity by establishing internal
prudential limits with the approval of the Board / Management
Committee.
The ALM process rests on three pillars:
ALM Information Systems
Management Information Systems
Information availability, accuracy, adequacy and expediency
ALM Organisation
Structure and responsibilities
Level of top management involvement
ALM Process
Risk parameters
Risk identification
Risk measurement
Risk management
Risk policies and tolerance levels.

54. As per RBI guidelines, commercial banks are to distribute
the outflows/inflows in different residual maturity period
known as time buckets. The Assets and Liabilities were
earlier divided into 8 maturity buckets (1-14 days; 15-28 days;
29-90 days; 91-180 days; 181-365 days, 1-3 years and 3-5 years
and above 5 years), based on the remaining period to their
maturity (also called residual maturity). All the liability
figures are outflows while the asset figures are inflows. In
September, 2007, having regard to the international
practices, the level of sophistication of banks in India, the
need for a sharper assessment of the efficacy of liquidity
management and with a view to providing a stimulus for
development of the term-money market, RBI revised these
guidelines and it was provided that
(a) the banks may adopt a more granular approach to
measurement of liquidity risk by splitting the first time
bucket (1-14 days at present) in the Statement of Structural
Liquidity into three time buckets viz., next day , 2-7 days and
8-14 days. Thus, now we have 10 time buckets.

55. After such an exercise, each bucket of assets is matched
with the corresponding bucket of the liabililty. When in
a particular maturity bucket, the amount of maturing
liabilities or assets does not match, such position is
called a mismatch position, which creates liquidity
surplus or liquidity crunch position and depending
upon the interest rate movement, such situation may
turnout to be risky for the bank. Banks are required to
monitor such mismatches and take appropriate steps
so that bank is not exposed to risks due to the interest
rate movements during that period.
(b) The net cumulative negative mismatches during the
Next day, 2-7 days, 8-14 days and 15-28 days buckets
should not exceed 5 % ,10%, 15 % and 20 % of the
cumulative cash outflows in the respective time
buckets in order to recognise the cumulative impact on
liquidity.

56. The Board’s of the Banks have been entrusted with the
overall responsibility for the management of risks and
is required to decide the risk management policy and
set limits for liquidity, interest rate, foreign exchange
and equity price risks.
Asset-Liability Committee (ALCO) is the top most
committee to oversee the implementation of ALM
system and it is to be headed by CMD or ED. ALCO
considers product pricing for both deposits and
advances, the desired maturity profile of the
incremental assets and liabilities in addition to
monitoring the risk levels of the bank. It will have to
articulate current interest rates view of the bank and
base its decisions for future business strategy on this
view.