2 risk, ion assessment & management

Upload: abdelhamid-sad

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 2 Risk, ion Assessment & Management

    1/58

    Risk Assessment

    2/58

    Definition of Risk

    The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.

    3/58

    Risk Management

    Risks are perceived as anything or any event that could stand in the way of the organization achieving its objectives.

    Hence, risk management is not about being risk averse. Risk management is not aimed at avoiding risks. Its focus is on identifying, evaluating, controlling and mastering risks. Risk management also means taking advantage of opportunities and taking risks based on an informed decision and analysis of the outcomes.

    4/58

    Risk Assessment

    Every organization, and all of its activities and entities, faces a variety of risks from external and internal sources that must be assessed.

    A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent.

    Risk assessment is the identification and analysis of relevant risks to achievement of the objectives.

    5/58

    Risk Assessment

    This forms the basis for determining how the risks should be managed. Because economic, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

    6/58

    Objectives

    Objectives must be established before management can identify risks to their achievement and take necessary actions to manage the risks.

    Objective setting can be highly structured or informal. The objectives may be explicit or implied. At the highest level, objectives often are represented by the bank's mission or value statements.

    7/58

    Objectives

    These global objectives are linked and integrated with more specific objectives established for various "activities" and entities such as head office groups, branches, controlling offices etc.

    8/58

    Objectives

    Despite the diversity of objectives, certain broad categories can be established:

    • Operations objectives
    • Financial reporting objectives
    • Compliance objectives

    9/58

    Risk Factors

    External Factors:

    • Economic changes
    • Changes in competitors and their strategies
    • New or changed legislation or regulations
    • Technological developments
    • Natural catastrophes

    10/58

    Risk Factors

    Internal Factors:

    • New personnel
    • New or revamped information systems
    • Changes in management responsibilities
    • Incompetent people given key responsibilities
    • Poor human resource policies resulting in increased staff turnover and low morale

    11/58

    Risk Analysis

    After risks have been identified they must be evaluated. This process, which may be more or less formal, usually includes:

    • Estimating the significance of a risk
    • Assessing the likelihood (or probability and frequency) of the risk occurring
    • Considering how the risk should be managed; that is, an assessment of actions that could be taken and their relative costs to mitigate such risk.

    12/58

    Risk Rating Guide

    Rating Criteria: Guideline for Assessment

    • Importance to the bank: How critical are these operations to achieving the bank's goals.
    • Complexity of operations: Assessment of complexity and transparency of business activity and results.
    • IT dependence: Complexity of IT systems and their impact on operations.

    13/58

    Risk Rating Guide (2)

    Rating Criteria: Guideline for Assessment

    • Quality, experience and integrity of personnel: Are personnel handling sensitive matters of significance affecting the bank competent, experienced and honest.
    • Materiality: Volumes and values of transactions processed in each area.

    14/58

    Risk Rating Guide (3)

    Rating Criteria: Guideline for Assessment

    • Record of control: History of control problems/issues as per IA and other reports.
    • Opportunity of fraud: History of fraud and potential exposures for fraudulent activities considering the weaknesses in controls (consider all components of internal control).

    15/58

    Risk Rating Guide (4)

    Rating Criteria: Guideline for Assessment

    • Political/Public/Regulatory issues: Are problems likely to become a major public issue or of serious importance to SBP.
    • Management's risk perceptions: Management's opinion of key risk areas.
    • Changes to systems and business: All major changes affect the control structure, and are therefore usually classified as high risk.

    16/58

    Risk Management

    Managing change requires a constant assessment of risk and the impact on internal controls. All of the above factors create circumstances demanding special attention.

    17/58

    Banking Risks

    18/58

    Break-downs in Risk Management Systems

    Lapses in risk control often lead to substantial financial losses for a bank. Barings, Morgan Grenfell Asset Management, Daiwa and Sumitomo Corporation are some of the significant examples that lost huge sums of money as a result of failure in their control systems.

    In Pakistan, Mehran Bank, Bankers Equity, Indus Bank and more recently Prudential Commercial Bank are some of the examples of failures because of break-downs in risk management systems that cost shareholders as well as deposit holders enormous amounts of money.

    19/58

    Break-downs in Risk Management Systems

    Massive, and sometimes unanticipated, corporate failures, catastrophes and debacles, natural and man-made, and recent accounting and reporting irregularities and deficiencies clearly highlight the importance of risk management systems.

    Tall buildings disappear in an instant and the entire multi-billion dollar shareholder value of a company evaporates.

    The conditions highlighted above underscore the need and the importance of risk management in corporate governance.

    20/58

    What Is the Bank's Philosophy Towards Financial Risks?

    Only the BOD can assess and allocate the risk bearing capacity of the bank, which in turn depends on the risk culture of the entity. The board must state clearly the bank's risk philosophy regarding financial risks.

    Once this is stated in black and white, the bank's senior management will be able to work out the bank's risk bearing capacity and formulate significant policies relating to the management and control of financial risks.

    21/58

    How Can the Board Foster a Risk Management Culture Within the Bank?

    The board must clearly allocate management responsibilities among various senior managers to promote and ensure management accountability for risk control. Senior members must be made to realize that their jobs are on the line if there are major failures in control.

    The board must insist that senior managers place control issues at a par with other strategic business matters.

    Management accountability for internal controls can also be encouraged through comprehensive annual assessments and reporting on the risk management systems.

    22/58

    Key Risks Associated With Banking Activities

    • Credit risk.
    • Country or transfer risk.
    • Replacement risk.
    • Settlement risk.
    • Market risk.
    • Modeling risk.
    • Interest rate risk.
    • Currency risk.
    • Liquidity risk.
    • Operational risk.
    • Legal and documentary risk.
    • Regulatory risk.
    • Fiduciary risk.
    • Reputation risk.

    23/58

    Credit Risk

    The risk that a customer or counter-party will not settle an obligation for full value, either when due or at any time thereafter.

    Credit risk, particularly from commercial lending, may be considered the central element of risk in banking operations.

    Credit risk arises from lending to individuals, companies, banks and governments.

    It also exists in assets other than loans, such as investments, balances due from other banks and in off-balance sheet commitments.

    Credit risk also appears in the form of country risk, replacement risk and settlement risk.

    24/58

    Principles for the Management of Credit Risk

    The above document issued by the Basel Committee on Banking Supervision sets out 17 principles to address five main areas:

    • Establishing an appropriate credit risk environment;
    • Operating under sound credit granting process;
    • Maintaining an appropriate credit administration, measurement and monitoring process;
    • Ensuring adequate controls over credit risk; and
    • Role of Supervisors.

    25/58

    Country or Transfer Risk

    The risk of foreign customers and counter-parties failing to settle their obligations due to economic, political and social factors of the foreign country and external to the customer or counter-party.

    This means the risk of counter-

    26/58

    Replacement Risk

    The risk of failure of a customer or counter-party to perform the terms of a contract. This failure creates the need to replace the failed transaction with another at the current market price. This may result in a loss to the bank equivalent to the difference between the contract price and the current market price.

    27/58

    Settlement Risk

    The risk that one side of a transaction will be settled without value being received from the customer or counter-party. This will result in the loss to the bank of the full principal amount.

    28/58

    Market Risk

    The risk of loss arising from adverse changes in market conditions, including interest rates, foreign exchange rates, equity and commodity prices and from movements in market prices of investments.

    29/58

    Modeling Risk

    The risk associated with the imperfections and subjectivity of valuation models used to determine the values of assets or liabilities.

    30/58

    Interest Rate Risk

    The risk of loss arising from the sensitivity of earnings to future movements in interest rates.

    31/58

    Currency Risk

    The risk of loss arising from future movements in the exchange rates applicable to foreign currency assets, liabilities, rights and obligations.

    32/58

    Liquidity Risk

    The risk of loss arising from the possibility of the bank not having sufficient funds to meet its obligations, from the bank's inability to access capital markets to raise required funds or from the bank's inability to unwind a position at market prices because of inadequate market depth or disruptions in the market place.

    33/58

    Operational Risk

    The risk that deficiencies in information systems or internal controls will result in unexpected losses.

    Operational risk is associated with:

    • human error, particularly when dealing with complex transactions;
    • system failures due to inability to cope with volumes or nature of trading; and
    • inadequate procedures and controls.

    34/58

    Operational Risk Arises Out Of: (OR-1)

    The need to process high volumes of transactions accurately within short time-frames. This need is almost always addressed through the large-scale use of CIS, with the resultant risks of:

    • failure to process executed transactions within required time-frames, causing an inability to receive or make payments for those transactions;
    • wide-scale error arising from a breakdown in internal control;
    • loss of data arising from system failure;
    • corruption of data arising from unauthorized interference with the system; and
    • exposure to market risks arising from lack of reliable up-to-date financial information.

    35/58

    Operational Risk Arises Out Of: (OR-2)

    The conduct of operations in a number of locations with a resultant geographic dispersion of transaction processing and internal controls. As a result:

    • control breakdowns may occur and remain undetected and uncorrected because of the physical separation between management and those who handle the transactions.

    36/58

    Operational Risk Arises Out Of: (OR-3)

    The need to monitor and manage significant exposures which can arise over short time-frames. The process of clearing transactions may cause a significant build-up of receivables and payables during a day, most of which are completed by the end of the day. This is ordinarily referred to as intra-day payment risk. The nature of these exposures can arise from transactions with customers and counter-parties and can include interest rate, currency and market risks.

    37/58

    Operational Risk Arises Out Of: (OR-4)

    The dealing in large volumes of monetary items, including cash, negotiable instruments and transferable customer balances, with the resultant risk of loss arising from theft and fraud by employees or other parties.

    38/58

    Operational Risk Arises Out Of: (OR-5)

    The use of high gearing (that is, high debt-to-equity ratios), which results in the exposure to:

    • the risk of significant erosion of capital resources as a result of a relatively small percentage loss in asset value; and
    • the risk of being unable to obtain the funds required to maintain operations at a reasonable cost as a result of a loss of depositor confidence.

    39/58

    Operational Risk Arises Out Of: (OR-6)

    The inherent complexity and volatility of the environment in which banks operate, resulting in the risk of inappropriate risk management strategies in relation to such matters as the development of new products and services.

    40/58

    Operational Risk Arises Out Of: (OR-7)

    The need to adhere to laws and regulations. The failure to do so could result in exposure to sanctions in the nature of fines or operating restrictions.

    41/58

    Legal and Documentary Risk

    The risk that contracts are documented incorrectly or are not legally enforceable in the relevant jurisdiction in which the contracts are booked or where the counter-parties operate.

    43/58

    Fiduciary Risk

    The risk of loss arising from factors such as failure to maintain safe custody or negligence in the management of assets on behalf of other parties.

    44/58

    Reputation Risk

    The risk of losing business/income due to negative public opinion and damage to reputation arising from failure to properly manage some of the above risks, or from involvement in improper or illegal activities by the bank or its senior management, such as money laundering or attempts to cover up losses.

    47/58

    Ensuring Integrity of Risk Management Systems

    Internal and external auditors play an important role in the risk management process of the bank by risk auditing, i.e., auditing and testing the risk management process and internal controls on a periodic basis. They must make sure that the systems are robust.

    If they uncover weaknesses or if there have been significant changes in the product line or market circumstances, then they must risk audit these internal systems more frequently.

    48/58

    Management's Responsibilities for Effective Risk Management System

    1. Oversight of the control process by the Board.
    2. Identification, measurement and monitoring of Risks through an independent risk management unit.
    3. Appropriate control activities.
    4. Effective monitoring activities.
    5. Reliable information system.

    49/58

    Basel Committee on Banking Supervision Guidance Documents on Developing Effective Risk Management System

    1. Core Principles Methodology.
    2. Enhancing Corporate Governance Framework in Banking Organizations.
    3. Framework for Internal Control Systems in Banking Organizations.
    4. Principle for Management of Credit Risk.
    5. Risk Concentration Principles.

    50/58

    Audit Risks

    51/58

    Audit Risk

    The risk that the auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated.

    52/58

    Auditor's Risk

    The exposure to loss or injury to professional career from litigation, adverse publicity, or other events arising in connection with financial statements audited and reported on.

    53/58

    Types of Audit Risks

    • Inherent Risks: The susceptibility of an assertion to material misstatement in the financial statements in the absence of internal controls. In most of the cases a direct link exists between control risk and inherent risk.
    • Control Risk: The risk that material misstatement will not be detected / prevented on a timely basis by operations management through internal controls.

    54/58

    Types of Audit Risks - Cont.

    • Detection Risks: The risk that substantive audit procedures performed will not detect a material misstatement.

    55/58

    Control Risk

    • Appropriate management oversight
    • Clear job description and assignment
    • Adequate / proper record keeping
    • Segregation of duties
    • Appropriate system of approval of transactions
    • Physical safeguard over cash & liquid instruments
    • Documentation of transactions
    • Mandatory vacations

    56/58

    Managing Audit Risks

    Audit Risk Assessment Module

    AR = IR × CR × DR

    Where,

    AR = Audit Risk

    IR = Inherent Risk

    CR = Control Risk

    DR = Detection Risk

    57/58

    Managing Audit Risks

    The auditor should plan the engagement so that audit risk will be at a sufficiently low level before issuing an opinion on the financial statements.

    The risk assessment described above is purely for external audit; however, selective components or combinations of some components of this model can also be used by the internal auditors.

    58/58

    Recommendations

    • Increase professional skepticism by questioning and critically assessing audit evidence.
    • Assign more experienced auditors who have the knowledge, skills and abilities commensurate with the increased risk of the assignments.
    • Consider significant accounting policies.
    • Modify the nature, timing and extent of audit procedures to obtain more reliable evidence and use increased sample sizes or more extensive analytical procedures.