8/2/2019 2 Risk, ion Assessment & Management

Risk Assessment

Definition of Risk
The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.

Risk Management
- Risks are perceived as anything or any event that could stand in the way of the organization achieving its objectives.
- Hence, risk management is not about being risk averse. Risk management is not aimed at avoiding risks. Its focus is on identifying, evaluating, controlling and mastering risks. Risk management also means taking advantage of opportunities and taking risks based on an informed decision and analysis of the outcomes.

Risk Assessment
- Every organization, and all of its activities and entities, faces a variety of risks from external and internal sources that must be assessed.
- A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent.
- Risk assessment is the identification and analysis of relevant risks to achievement of the objectives.

Risk Assessment
This forms the basis for determining how the risks should be managed. Because economic, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Objectives
- Objectives must be established before management can identify risks to their achievement and take necessary actions to manage the risks.
- Objective setting can be highly structured or informal. The objectives may be explicit or implied. At the highest level, objectives often are represented by the bank's mission or value statements.

Objectives
These global objectives are linked and integrated with more specific objectives established for various "activities" and entities such as head office groups, branches, controlling offices etc.

Objectives
Despite the diversity of objectives, certain broad categories can be established:
- Operations objectives
- Financial reporting objectives
- Compliance objectives

Risk Factors
External Factors:
- Economic changes
- Changes in competitors and their strategies
- New or changed legislation or regulations
- Technological developments
- Natural catastrophes

Risk Factors
Internal Factors:
- New personnel
- New or revamped information systems
- Changes in management responsibilities
- Incompetent people given key responsibilities
- Poor human resource policies resulting in increased staff turnover and low morale

Risk Analysis
After risks have been identified they must be evaluated. This process, which may be more or less formal, usually includes:
- Estimating the significance of a risk
- Assessing the likelihood (or probability and frequency) of the risk occurring
- Considering how the risk should be managed; that is, an assessment of actions that could be taken and their relative costs to mitigate such risk.

Risk Rating Guide

| Rating Criteria | Guideline for Assessment |
|---|---|
| Importance to the bank | How critical are these operations to achieving the bank's goals. |
| Complexity of operations | Assessment of complexity and transparency of business activity and results. |
| IT dependence | Complexity of IT systems and their impact on operations. |

Risk Rating Guide (2)

| Rating Criteria | Guideline for Assessment |
|---|---|
| Quality, experience and integrity of personnel | Are personnel handling sensitive matters of significance affecting the bank competent, experienced and honest? |
| Materiality | Volumes and values of transactions processed in each area. |

Risk Rating Guide (3)

| Rating Criteria | Guideline for Assessment |
|---|---|
| Record of control | History of control problems/issues as per IA and other reports. |
| Opportunity of fraud | History of fraud and potential exposures for fraudulent activities considering the weaknesses in controls (consider all components of internal control). |

Risk Rating Guide (4)

| Rating Criteria | Guideline for Assessment |
|---|---|
| Political/Public/Regulatory issues | Are problems likely to become a major public issue or of serious importance to SBP? |
| Management's risk perceptions | Management's opinion of key risk areas. |
| Changes to systems and business | All major changes affect control structure, and are therefore usually classified as high risk. |

Risk Management
Managing change requires a constant assessment of risk and the impact on internal controls. All of the above factors create circumstances demanding special attention.

Banking Risks

Break-downs in Risk Management Systems
- Lapses in risk control often lead to substantial financial losses for a bank. Barings, Morgan Grenfell Asset Management, Daiwa and Sumitomo Corporation are some of the significant examples that lost huge sums of money as a result of failure in their control systems.
- In Pakistan, Mehran Bank, Bankers Equity, Indus Bank and more recently Prudential Commercial Bank are some of the examples of failures caused by break-downs in risk management systems that cost shareholders as well as deposit holders enormous amounts of money.

Break-downs in Risk Management Systems
- Massive, and sometimes unanticipated, corporate failures, catastrophes and debacles, natural and man-made, recent accounting and reporting irregularities and deficiencies clearly highlight the importance of risk management systems.
- Tall buildings disappear in an instant and entire multi-billion dollar shareholder value of a company evaporates.
- The conditions highlighted above underscore the need and the importance of risk management in corporate governance.

What Is the Bank's Philosophy Towards Financial Risks?
- Only the BOD can assess and allocate the risk bearing capacity of the bank, which in turn depends on the risk culture of the entity. The board must state clearly the bank's risk philosophy regarding financial risks.
- Once this is stated in black and white, the bank's senior management will be able to work out the bank's risk bearing capacity and formulate significant policies relating to the management and control of financial risks.

How Can the Board Foster a Risk Management Culture Within the Bank?
- The board must clearly allocate management responsibilities among various senior managers to promote and ensure management accountability for risk control. Senior members must be made to realize that their jobs are on the line if there are major failures in control.
- The board must insist that senior managers place control issues on a par with other strategic business matters.
- Management accountability for internal controls can also be encouraged through comprehensive annual assessments and reporting on the risk management systems.

Key Risks Associated With Banking Activities
- Credit risk.
- Country or transfer risk.
- Replacement risk.
- Settlement risk.
- Market risk.
- Modeling risk.
- Interest rate risk.
- Currency risk.
- Liquidity risk.
- Operational risk.
- Legal and documentary risk.
- Regulatory risk.
- Fiduciary risk.
- Reputation risk.

Credit Risk
- The risk that a customer or counter-party will not settle an obligation for full value, either when due or at any time thereafter.
- Credit risk, particularly from commercial lending, may be considered the central element of risk in banking operations.
- Credit risk arises from lending to individuals, companies, banks and governments.
- It also exists in assets other than loans, such as investments, balances due from other banks and in off-balance sheet commitments.
- Credit risk also appears in the form of country risk, replacement risk and settlement risk.

Principles for the management of Credit Risk
The above document issued by the Basel Committee on Banking Supervision sets out 17 principles to address five main areas:
- Establishing an appropriate credit risk environment;
- Operating under sound credit granting process;
- Maintaining an appropriate credit administration, measurement and monitoring process;
- Ensuring adequate controls over credit risk; and
- Role of Supervisors.

Country or Transfer Risk
The risk of foreign customers and counter-
parties failing to settle their obligations due to
economic, political and social factors of the
foreign country and external to the customer
or counter-party.
This means the risk of counter-
End User:

Replacement Risk
The risk of failure of a customer or counter-party to
perform the terms of a contract. This failure creates
the need to replace the failed transaction with another
at the current market price. This may result in a loss
to the bank equivalent to the difference between the
contract price and the current market price.
End User:

Settlement Risk
The risk that one side of a transaction will be
settled without value being received from the
customer or counter-party. This will result in the loss to the bank of the full principal
amount.

Market Risk
The risk of loss arising from adverse
changes in market conditions, including
interest rates, foreign exchange rates, equity and commodity prices and from
movements in market prices of
investments.

Modeling Risk
The risk associated with the imperfections
and subjectivity of valuation models used
to determine the values of assets or liabilities.

Interest Rate Risk
The risk of loss arising from the sensitivity
of earnings to future movements in interest
rates.
Currency Risk
The risk of loss arising from future
movements in the exchange rates
applicable to foreign currency assets, liabilities, rights and obligations.

Liquidity Risk
The risk of loss arising from the possibility of the bank not having sufficient funds to meet its obligations, from the bank's inability to access capital markets to raise required funds or from the bank's inability to unwind a position at market prices because of inadequate market depth or disruptions in the market place.

Operational Risk
The risk that deficiencies in information systems or internal controls will result in unexpected losses.
Operational risk is associated with:
- human error, particularly when dealing with complex transactions;
- system failures due to inability to cope with volumes or nature of trading; and
- inadequate procedures and controls.

Operational Risk Arises Out Of: (OR-1)
The need to process high volumes of transactions accurately within short time-frames. This need is almost always addressed through the large-scale use of CIS, with the resultant risks of:
- failure to process executed transactions within required time-frames, causing an inability to receive or make payments for those transactions;
- wide-scale error arising from a breakdown in internal control;
- loss of data arising from system failure;
- corruption of data arising from unauthorized interference with the system; and
- exposure to market risks arising from lack of reliable up-to-date financial information.

Operational Risk Arises Out Of: (OR-2)
The conduct of operations in a number of locations with a resultant geographic dispersion of transaction processing and internal controls. As a result:
- control breakdowns may occur and remain undetected and uncorrected because of the physical separation between management and those who handle the transactions.

Operational Risk Arises Out Of: (OR-3)
The need to monitor and manage significant exposures which can arise over short time-frames. The process of clearing transactions may cause a significant build-up of receivables and payables during a day, most of which are completed by the end of the day. This is ordinarily referred to as intra-day payment risk. The nature of these exposures can arise from transactions with customers and counter-parties and can include interest rate, currency and market risks.

Operational Risk Arises Out Of: (OR-4)
The dealing in large volumes of monetary items, including cash, negotiable instruments and transferable customer balances, with the resultant risk of loss arising from theft and fraud by employees or other parties.

Operational Risk Arises Out Of: (OR-5)
The use of high gearing (that is, high debt-to-equity ratios), which results in the exposure to:
- the risk of significant erosion of capital resources as a result of a relatively small percentage loss in asset value; and
- the risk of being unable to obtain the funds required to maintain operations at a reasonable cost as a result of a loss of depositor confidence.

Operational Risk Arises Out Of: (OR-6)
The inherent complexity and volatility of the
environment in which banks operate, resulting in
the risk of inappropriate risk management strategies in relation to such matters as the
development of new products and services.

Operational Risk Arises Out Of: (OR-7)
The need to adhere to laws and regulations. The
failure to do so could result in exposure to
sanctions in the nature of fines or operating
restrictions.
Legal and Documentary Risk
The risk that contracts are documented
incorrectly or are not legally enforceable in
the relevant jurisdiction in which the contracts are booked or where the counter-parties operate.

Fiduciary Risk
The risk of loss arising from factors such as
failure to maintain safe custody or
negligence in the management of assets on behalf of other parties.

Reputation Risk
The risk of losing business/income due to negative
public opinion and damage to reputation arising
from failure to properly manage some of the
above risks, or from involvement in improper or
illegal activities by the bank or its senior
management, such as money laundering or
attempts to cover up losses.
Ensuring Integrity of Risk Management Systems
- Internal and external auditors play an important role in the risk management process of the bank by risk auditing, i.e., auditing and testing the risk management process and internal controls on a periodic basis. They must make sure that the systems are robust.
- If they uncover weaknesses or if there have been significant changes in the product line or market circumstances, then they must risk audit these internal systems more frequently.

Management's Responsibilities for Effective Risk Management System
1. Oversight of the control process by the Board.
2. Identification, measurement and monitoring of risks through an independent risk management unit.
3. Appropriate control activities.
4. Effective monitoring activities.
5. Reliable information system.

Basel Committee on Banking Supervision Guidance
Documents on Developing Effective Risk Management
System.
1. Core Principles Methodology.
2. Enhancing Corporate Governance
Framework in Banking Organizations.
3. Framework for Internal Control Systems
in Banking Organizations.
4. Principles for Management of Credit Risk.
5. Risk Concentration Principles.

Audit Risks

Audit Risk
The risk that the auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated.

Auditor's Risk
The exposure to loss or injury to professional career from litigation, adverse publicity, or other events arising in connection with financial statements audited and reported on.

Types of Audit Risks
- Inherent Risks: The susceptibility of an assertion to material misstatement in the financial statements in the absence of internal controls. In most cases a direct link exists between control risk and inherent risk.
- Control Risk: The risk that material misstatement will not be detected / prevented on a timely basis by operations management through internal controls.

Types of Audit Risks - Cont.
- Detection Risks: The risk that substantive audit procedures performed will not detect a material misstatement.

Control Risk
- Appropriate management oversight
- Clear job description and assignment
- Adequate / proper record keeping
- Segregation of duties
- Appropriate system of approval of transactions
- Physical safeguard over cash & liquid instruments
- Documentation of transactions
- Mandatory vacations

Managing Audit Risks
Audit Risk Assessment Module
AR = IR × CR × DR
Where,
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk
Managing Audit Risks
- The auditor should plan the engagement so that audit risk will be at a sufficiently low level before issuing an opinion on financial statements.
- The risk assessment described above is purely for external audit; however, selective components or combinations of some components of this model can also be used by internal auditors.

Recommendations
- Increase professional skepticism by questioning and critically assessing audit evidence.
- Assign more experienced auditors who have the knowledge, skills and abilities commensurate with the increased risk of the assignments.
- Consider significant accounting policies.
- Modify the nature, timing and extent of audit procedures to obtain more reliable evidence and use increased sample size or more extensive analytical procedures.