tome salgueiro - 3448 - corporate governance take-home exam - risk area in a bank

Take-Home Exam: A comprehensive discussion of the role, organization and composition of the Risk Area in a Bank

2217: Corporate Governance

Lecturers: Duarte Pitta Ferraz & Mariana Carvalho Coelho

Submitted by: Tomé Guerreiro de Oliveira Salgueiro, Student nº 3448

24 October, 2016


NOVASBE – 2217: Corporate Governance – 2016 Tomé Salgueiro, nº3448

Executive Summary

Purpose and method of this report

Within the evaluation framework of Nova SBE's 2217: Corporate Governance course, the submission of a take-home exam was requested in the form of a report that would convey a short insight into the risk area of banks. Therefore, this short report intends to analyze, in a straightforward way, the role, organization and composition of risk departments in banks. This report is submitted as a final exam and is not, by its own nature, intended to be an extensive dissertation on the complex topic of risk management in the banking sector, but instead a simplified approach to the topic.

The methods used to create this report include an extensive overview of the available bibliography and regulation guidelines about the topic, specifically those recommended by the Bank of International Settlements (BIS) and the European Banking Authority (EBA). In order to enrich the discussion some external sources were also used, namely McKinsey, IFC and other academic reports. For full disclosure of these sources please check the References at the end of this report.

Main findings and conclusions

Through the elaboration of this report a main conclusion was reached: risk is an intrinsic part of all bank activities.

There are a lot of different risks, going from operational risk to foreign exchange risk, but it is clear that all of them have potential gains and losses associated with them. Risk governance is all about detection, assessment and the remedial action needed to manage those risks.

It is of the utmost importance for a bank to define very clearly its own risk appetite and culture in order to better design its risk profile.

The 3 lines of defense model is, nowadays, the most consensual model used to devise risk management responsibilities in any institution. It represents the current benchmark and, when applied correctly, can help strengthen the entire bank and, at the same time, assure regulators and customers of the bank’s soundness and strength.


Table of Contents

Executive Summary (p. i)
Table of Contents (p. ii)
1 – What is risk in banking? (p. 1)
    1.1 Different types of risk in banking (p. 1)
        1.1.1 Operational risk (p. 1)
        1.1.2 Credit risk (p. 1)
        1.1.3 Liquidity risk (p. 2)
        1.1.4 Interest rate risk (p. 2)
        1.1.5 Mismatch risk (p. 2)
        1.1.6 Market price risk (p. 2)
        1.1.7 Market risk (p. 2)
        1.1.8 Solvency risk (p. 2)
        1.1.9 Foreign exchange risk (p. 2)
2 – An overview of Risk Governance in banking (p. 3)
    2.1 What is 'Risk Governance'? (p. 3)
    2.2 Identification and risk Frameworks (p. 3)
        2.2.1 Identification of risk (p. 3)
        2.2.2 Risk Management Framework (p. 4)
        2.2.3 Internal Control Framework (p. 5)
    2.3 Risk appetite (p. 5)
    2.4 Risk Culture and Conduct (p. 5)
        2.4.1 Risk culture (p. 5)
        2.4.2 Risk communication and transparency (p. 6)
        2.4.3 Alignment of remuneration with risk profile (p. 7)
3 – Structure of the Risk Area (p. 8)
    3.1 The three lines of defense model (p. 8)
        3.1.1 1st LOD (p. 8)
        3.1.2 2nd LOD (p. 8)
        3.1.3 3rd LOD (p. 8)
    3.2 Risk Committee (p. 10)
    3.3 Risk management function (p. 10)
    3.4 Chief Risk Officer (p. 11)
    3.5 Risk Control Function (p. 12)
    3.6 Compliance Function (p. 13)
    3.7 Internal Audit Function (p. 14)
    3.8 Role of supervisors and regulators (p. 15)
4 – Conclusions (p. 16)
5 – Recommendations (p. 17)
    5.1 To the reader (p. 17)
    5.2 To banks (p. 17)
    5.3 To clients (p. 19)
    5.4 To regulators (p. 19)
6 – References (p. 21)
    Papers, reports and guidelines (p. 21)
    Electronic Sources (p. 21)


1 – What is risk in banking?

It is impossible to talk about risk management without first defining risk, and therefore acknowledging that it is intrinsically connected to uncertainty. In fact, it is because we have a randomness of possible outcomes that we have risk. Bessis put it better in his book Risk Management in Banking (Bessis, 2010): “Risk exists only when uncertainty can have a potential adverse effect, which is a possibility of loss.”

Ultimately a bank is an entity that seeks to maximize its profits and therefore it must engage in risk, exposing itself to the markets that it operates in, in order to return results for its shareholders. Exposure to risk does not necessarily mean a loss, but it is definitely something bankers have to engage in in order to add equity to the bank.

But for a bank there are several types of risk, namely: operational risk; credit risk; liquidity risk; interest rate risk; mismatch risk; market price risk; market risk; solvency risk and foreign exchange risk (Bessis, 2010). Of course all these risks in banking are associated with potential losses and should be quantified and managed to the extent that is possible. Next, we briefly look at some of these risks.

1.1 Different types of risk in banking

1.1.1 Operational risk

Operational risk is the risk associated with the breakdown of internal processes, malfunctions of the information system and/or management failure. This risk is usually caused by such events as a lawsuit, systems failure or damage to assets, and there is still no clear method of measuring and assessing it (UKessays3, 2016).

1.1.2 Credit risk

Credit risk is the risk that the counterparty might default on payment obligations that are expected by the bank. Default usually leads to a partial or total loss of the amount lent and it can come in various degrees, namely as a delay in payments, restructuring of debt or a plain and simple inability to pay, usually associated with bankruptcy.


1.1.3 Liquidity risk

Liquidity risk is the risk that the cost of funding might become higher and higher, creating the impossibility of raising funds. It depends on how the market perceives the bank and its willingness to lend it short-term liquidity.

1.1.4 Interest rate risk

Most assets on the balance sheet of banks generate either revenues or costs that are associated with interest rates. Therefore, interest rate risk is associated with the drop in net interest income (interest revenues – interest costs) due to swings in interest rates.

1.1.5 Mismatch risk

Mismatch risk is associated with both the liquidity and the interest rate risk. Mismatch can occur when there is a gap between maturities of assets and liabilities. Obviously this is associated with the way banks conduct their business: by lending on a long term and being financed in the short term, banks try to capture the positive spread of long-term and short-term rates. If that gap is not filled, the bank might default.

1.1.6 Market price risk

A risk associated with assets for which trading volume is low or non-existent. Some assets can lose a lot of value (price drops) if there is no market liquidity.

1.1.7 Market risk

Market risk is directly associated with the valuation of the trading portfolio of the bank. It is influenced by the natural movements of the market, and the period of liquidation is important for the holder of those assets. Usually, over longer horizons, volatility tends to increase and any decline in value can lead to market loss.

1.1.8 Solvency risk

Usually associated with the risk of being unable to absorb losses with the available capital. Solvency is related to the actual net worth of the bank and should follow the principle of “capital adequacy”, meaning that the bank is able to sustain potential losses by showing an acceptable solvency level.

1.1.9 Foreign exchange risk

The risk associated with incurring losses due to changes in exchange rates and the fact that a bank might have assets or liabilities in different foreign currencies.


2 – An overview of Risk Governance in banking

2.1 What is 'Risk Governance'?

Before the 2007-2008 crisis it was the responsibility of bank directors to coordinate and manage long-term strategies, as well as assuming risk management ownership in processes like credit extension, investment decisions and other bank activities (Gontarek, 2016). However, after those turbulent years, the entire industry started looking more seriously into risk and risk management, not only because regulatory authorities introduced new regulations, but also because they realized they could very easily jeopardize their business if they didn’t learn from their past mistakes in risk assessment. In fact, it is widely agreed that the recession that began in 2008 was largely caused by a very loose and irresponsible credit risk management by banks operating in the real estate market (Investopedia2, 2016).

It is therefore important to define risk governance as the process by which the board and management establish the firm’s strategy, articulate and monitor adherence to risk appetite and risk limits, and identify, measure and manage said risks (FSB1, 2013). Basically, every time someone analyses and quantifies the potential losses in the investment portfolio and then takes appropriate mitigation action, in accordance with their risk tolerance, they are managing risk.

Following the Bank of International Settlements (BIS) principles and the European Banking Authority (EBA) guidelines, we will now explore some of the attributes of risk governance in banking, as stated in their most recent reports:

2.2 Identification and risk Frameworks

2.2.1 Identification of risk

According to the 7th BIS principle, a bank should constantly pursue the identification, monitoring and control of risk. The sophistication of the identification tools should always keep pace with the sophistication of its own infrastructure and products, and keep up to date with the constant changes associated with external risks and industry practices. These risk identification tools should be both quantitative and qualitative and bring together internal and external data that can help make strategic business decisions. Usually a series of models with different macroeconomic trends/data and practical or conceptual limits are used to identify risk.

2.2.2 Risk Management Framework

After identifying existing or emerging risks, the bank needs a strong risk governance framework that includes procedures and processes in order to take action. For each risk alert there should be a corresponding internal control, with an associated policy or process that is applied upon identification.

According to the EBA - Guidelines on Internal Governance: “An institution's risk governance framework shall include policies, procedures, limits and controls providing adequate, timely and continuous identification, measurement or assessment, monitoring, mitigation and reporting of the risks posed by its activities at the business line and institution-wide levels.” (EBA, 2011).

It is important that this framework encompasses reporting mechanisms that will help ensure the management team and all the other business units are provided with accurate and timely information on risk. Only in this fashion can this framework ensure that the institution’s risk profile (an aggregate of its actual risk and potential risk) is kept within the limits established and that, if there are any exceptions, they are immediately addressed. Once weaknesses and potential unwanted risks are identified, this information should be used to improve budgeting, liquidity planning, capital adequacy and risk appetite.

An excellent way to identify risks is to utilize stress tests or reverse stress tests. These should include different scenarios and circumstances based on certain assumptions, dependencies and correlations.


2.2.3 Internal Control Framework

To ensure effective and efficient operations and appropriate risk control, the bank should have a strong internal control framework. This framework should cover the entire firm, and include all business activities and control units, with the ultimate goal of assuring compliance with law and regulations and the prudent conduct of business.

The control functions in a bank should include a Risk Control function, a Compliance function and an Internal Audit function, all of them with very clear and transparent administrative and accounting procedures. All these functions should be independent of the business they monitor and independent from each other. Their staff should receive proper training on a regular basis and have free access to internal information in order to submit their findings to the management body.

2.3 Risk appetite

The risk appetite of a bank is the aggregate level and type of risk a bank is willing to assume to achieve its strategic objectives and business plan (BIS, 2015). Usually risk appetite is detailed in a risk appetite statement (RAS), a document in which the bank explains its position regarding risk in different parts of its business, including quantitative measures relative to earnings, capital, liquidity and risk. This document should very clearly state what the risk limits are and outline the roles and responsibilities of the people in charge. Best practices suggest that the bank should also address some reputation and conduct risks, as well as qualitative statements regarding different possible unethical practices.

2.4 Risk Culture and Conduct

2.4.1 Risk culture

According to the EBA (EBA, 2011): “An institution shall develop an integrated and institution-wide risk culture, based on a full understanding of the risks it faces and how they are managed, taking into account its risk tolerance/appetite.” This risk culture is enforced through example, but also through policies, communication and training. From the beginning, every employee, in every business unit of the bank, should be fully aware of their responsibilities relating to risk and also of the baselines of the institution’s risk appetite.

The risk management framework comes into action to underline the importance of risk culture. It should enable the entire institution to make informed decisions that include not only credit, market or operational risks, but also compliance and reputational risks.

2.4.2 Risk communication and transparency

In order to successfully deal with risk issues, a bank needs a strong communication policy across the organization and through the senior management level. Communication allows risk awareness and information on risk-taking policy to flow vertically from the board to the business units (whether they be the branches, the investment/market department or other control functions). Management should be proactive in engaging with the lower seniority levels, but it is absolutely crucial that control functions at the business units’ level are forthcoming with information about their activities in order to be discharged of responsibility.

According to Principle 12 of the BIS guidelines, the bank should be “adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants.” This principle allows all the interested parties to effectively assess the effectiveness of the governance at the board and senior level and check if they are compliant. In practice, the following information should be disclosed:

- Material information on the bank’s objectives;
- Organizational and governance structures and policies (including established committees, mandates and composition);
- Major share ownership and voting rights;
- Incentive and compensation policy;
- Measures that reflect the longer-term performance of the bank;
- Key points concerning its risk exposures and risk management strategies, without breaching necessary confidentiality;
- The nature, extent, purpose and economic substance of transactions with affiliates and related parties.


It is increasingly important that the entire institution’s staff understand and adhere to policies and procedures, and at the same time are informed of the bank’s strategy in a clear and consistent way.

2.4.3 Alignment of remuneration with risk profile

Remuneration plays an important role when structuring the risk profile of a bank, especially because it is common practice to award bank workers bonuses that correlate with the gains they are able to generate for the bank and its clients. The EBA does not impose strict limitations on this type of remuneration, but it argues that it should be consistent with the risk profile of the bank and help promote sound and effective risk management.

Remuneration should not encourage excessive risk taking and should be in line with the values and long-term interests of the bank itself. If there are severance payments that reward failure, then the entire risk management structure could go to ruin.

An excellent way for the bank to be forthcoming with information is to issue a risk governance statement in its annual corporate report, where it clearly states risk-related information, making it available to all interested parties.

A way to ensure remuneration is fair is to ensure bonuses are based on a combination of individual and collective performance and include a flexible risk-adjusted component.


3 – Structure of the Risk Area

3.1 The three lines of defense model

In 2013 the Institute of Internal Auditors schematized a three-lines-of-defense model, a benchmark for control and risk management responsibilities in complex organizations. This model’s goal is to help establish a coordination of control responsibilities in an effective and efficient manner, while allowing for a clear communication of risk to every group of professionals involved. Very briefly, the 3 Lines Of Defense (LOD) in a bank are (Arndorfer, 2015):

3.1.1 1st LOD

Constitutes the revenue-generating business units that are primarily responsible for trading, sales, client relationships and asset management. The staff at this level is familiar with the usual workflow and potential weaknesses, so it should be easier for them to detect problems early on, provide immediate information to management levels and take immediate action to minimize risk.

3.1.2 2nd LOD

When the 1st LOD fails or is absent, a second line should be present in functions like risk management, compliance, finance, risk control, model validation and information. This LOD has expanded in the last few decades, along with the tighter regulatory requirements of the industry and with the advent of progressively more complex products in banking. The 2nd LOD defines preventive and detective control requirements, and at the same time assures that they conform with the policies and procedures of the institution. It should be independent of the 1st LOD and based on clear risk assessment criteria that are applied on an ongoing or periodical basis.

3.1.3 3rd LOD

This LOD comprises the internal audit functions that should provide independent and direct assurance to senior management and have unrestricted access to the board. It should provide, at least annually, a risk assessment of the bank and identify areas that exhibit high levels of risk, providing some intuitive lines of action for monitoring and/or remediation. It should be able to report on a number of issues including: efficiency and effectiveness of operations, safeguarding of assets, reliability of reporting processes and compliance with regulation/law.

The next figure illustrates a comprehensive example of the 3 LOD model previously described. This model was adapted by the author of this report so it could apply to the structure of a bank, keeping in mind the main functions in a risk area that are described by the Basel Committee - Bank of International Settlements (BIS).

Figure 1 - The 3 Lines of Defense Model (Adapted and redesigned for banks from the original IIA publication)

[Figure label: Supported by strong Risk Management and Internal Control Frameworks]

Disclosure: This is a model proposed by the author of this report and in no way is it a binding structure directly proposed by any regulator.

Next, we will be looking at the exact structure of the risk area, making sure to highlight the most important functions in the model proposed by the BIS and the European Banking Authority (EBA):


3.2 Risk Committee

The risk committee is one of the most important structures in a bank. Every bank should have a risk committee responsible for advising the board on issues like the current and future risk appetite and the implementation of the Risk Appetite Statement. A risk committee should be made up of a majority of independent members, including some with experience and practice in risk management. It should also have an independent director that does not sit on the board or any other committee in the bank.

Following the 6th Principle guidance, the committee receives regular reporting from the CRO about the risk profile of the bank, limit breaches and mitigation plans, and makes suggestions regarding needed adjustments to the governance framework of the bank.

For an easier understanding of their role, here follows a list of functions of the risk committee, according to the BIS:

- Review and discuss all risk strategies on an aggregate basis and by type to make recommendations to the board;
- Review the bank’s risk policy at least annually;
- Oversee the processes put forward by the management to promote adherence to the approved risk policy;
- Oversee the activity and role of the Chief Risk Officer (CRO), and serve as a bridge between him/her, the audit committee and the board.

3.3 Risk management function

Following the 6th BIS Principle, every bank should have, in its 2nd line of defense, an independent risk management function with sufficient stature, immediate access to senior management, independence and enough resources to be effective.

Overall, the risk committee should oversee all strategies for capital and liquidity management and also all sorts of risks like: operational risk, credit risk, market risk and reputational risk.


The risk management function should be composed of qualified and experienced personnel, with a high level of knowledge of the bank’s products, while remaining sufficiently independent of the business units that generate revenue.

For an easier understanding of their role, here follows a list of functions of risk management, according to the BIS:

- Identification of present and emerging risks as well as on-going monitoring;
- Assessment and measurement of the bank’s exposure;
- Defining the bank’s risk culture, appetite and limits (subject to approval from the board);
- Establishing an early warning system for breaches of the bank’s risk appetite or limits;
- Reporting to senior management, board and risk committee and challenging their decisions when necessary.

3.4 Chief Risk Officer

An increasingly important role in the bank is that of the aforementioned Chief Risk Officer (CRO). The CRO should have the authority and stature, as well as the necessary skills, to oversee all the risk management activities of a bank. They are appointed and dismissed either by the board and/or by the risk committee members, and these decisions should be justified and presented to the regulatory supervisor.

He/she should be independent and have no other overlapping responsibilities or be engaged in any operational lines of business in the bank. It should be within the CRO’s powers to hire the staff with the necessary skills and attributes to help with oversight, as well as to develop a plan for continuous training and development of skills for existing staff.

The CRO has the overall responsibility for monitoring the bank’s risk management framework across the entire organization.


The CRO should have free and priority access to all information in the bank’s books that will allow the pursuit of its oversight duties. This regular access should extend to the board and the risk committee, where the CRO should have specific timeframes to intervene and report.

For an easier understanding of its role, here follows a list of functions of the CRO, according to the BIS:

- Oversight over the risk management function;
- Provide comprehensive information on risk to the board so that they understand the bank’s risk profile;
- Decision-making power when it comes to risk policy, processes, models, limits and reports;
- Participating in, or even managing, issues like strategic planning, capital and liquidity planning, new products and compensation policy;
- Veto power over all important risk management decisions.

3.5 Risk Control Function

In order to identify and manage risk at the business unit level, each bank should have an independent Risk Control Function (RCF). It should be independent of the business units it supports, but not isolated from them, in order to have a deep knowledge of all aspects of the business.

The RCF should be a central organizational feature of the bank, structured so that it can implement risk policies and control the risk management framework.

The RCF is actively involved in the elaboration of the bank’s risk strategy and in all material risk management decisions, ensuring that those processes are in place.


For an easier understanding of its role, here follows a list of functions of the RCF, according to the EBA:

- Provide independent information, technical analysis and judgement on risk exposures, ensuring the bank complies with the previously defined risk appetite;
- Provide advice on all risk decisions made by management and business units;
- Recommend improvements to the risk management framework;
- Recommend changes to the risk policies, procedures and limits.

3.6 Compliance Function

According to the BIS 9th Principle, the bank’s senior management should establish an independent compliance function as part of the 2nd line of defense. The compliance function must have sufficient stature, authority and resources, and once established, management should not interfere with the fulfilment of its duties. A Compliance Officer (a.k.a. Head of Compliance) can be appointed to be responsible for this function across the entire bank.

The firm should approve and implement a compliance policy that contains the main processes by which compliance risks are identified, reported and managed by all levels of the organization.

For an easier understanding of its role, here follows a list of roles of the Compliance Function, according to the BIS:

- Ensure that the bank acts responsibly by following all internal policies, processes and corporate values;
- Advise senior management on compliance with laws, rules and standards;
- Report its findings at the business unit level to senior management (this could also include direct access to the board);
- Assess the possible impact of changes in regulation and law;
- Inform and educate staff on compliance issues, providing direct guidance on how to effectively apply regulation;
- Verify whether new products and procedures comply;
- Elaborate compliance manuals or codes of conduct with practical guidelines.

The Compliance Function’s main goal is to ensure that the bank operates within a frame of integrity and compliance with internal rules, laws and regulations.

3.7 Internal Audit Function

Following the BIS 10th Principle, every bank should have an independent Internal Audit Function (IAF), helping the board to ensure an effective governance process and the long-term soundness of the bank. The internal audit function is part of the third line of defense and should be independent of the audited activities and accountable to the board. It should be provided with sufficient authority, standing and resources in order to effectively carry out its duties, as well as unconditional access to any data or records in the bank.

The IAF reports directly to the management or to an audit committee created for that purpose. The job of this audit committee is to make sure that the audit’s recommendations are implemented by all levels of management in a follow-up procedure.

For an easier understanding of its role, here follows a list of functions of the Internal Audit Function, according to the BIS and EBA:

- Provide independent assurance to the board of directors on the effectiveness of the bank’s internal control, risk management and governance processes;
- Perform periodic assessments of the bank’s internal control framework;
- Evaluate the compliance of all units of the institution with policies, procedures and regulatory requirements, including an evaluation of the Risk Control Function and the Compliance Function;
- Verify the integrity of the processes, techniques, assumptions and sources of information used in the bank’s internal models;
- Evaluate the quality of risk identification and assessment tools.

An important part of the Internal Audit Function’s role is to help the bank’s management protect the reputation of the bank.


3.8 Role of supervisors and regulators

Despite supervisors not being part of the bank’s risk structure, the BIS guidelines have a word regarding their role. According to the 13th Principle, supervisors should provide guidance on and supervise the corporate governance of the bank. Supervisors should have access to comprehensive reports to assess the performance of the bank’s senior managers.

Supervisors should require that banks follow national and international law, regulations and codes, as well as providing guidance on how to do so. Regulators should set out expectations for checks and balances, allocation of responsibility and transparency, while sharing the best practices of corporate governance with the other banks they supervise and with other supervisors/authorities.

Supervisors should have regular interaction with the board and senior management, requiring improvement and remedial action if necessary. This can be achieved by way of written reports and access to self-assessment documents developed by the bank, but also through interviews with board members and other personnel.


4 – Conclusions

After exploring the topic of risk in banks, it is clear that risk is at the core of what the banking sector is. Through this investigation it was possible to find at least 9 different kinds of risk. Risk pervades all bank operations and business units, and it goes far beyond just credit risk. All these different risks can be associated with potential losses, but they are often also associated with possible gains, so the balance between these forces, and the lengths banks are willing to go to in risk management, should be one of the primary focuses of their overall governance.

In fact, risk governance is all about the detection, assessment and remediation of risks, and it is clear that banks are still trying to adjust to the fast-paced, technology-driven environment that surrounds them, especially after the 2007-2008 global crisis debacle. It is of the utmost importance that each and every bank defines its own risk appetite and culture, but more importantly, that it takes a strong stance and makes a real effort to enforce it. This might include steps like a redefinition of goals, procedures and policies, as became clear when the transparency and communication topics were explored in this report. Banks need to become less opaque organizations, in order to regain the trust of customers and re-establish the way people perceive the entire segment.

As of 2016, it seems clear that there is no magical all-solving panacea when it comes to designing the risk area structure in banks. This being said, with the help of the work done by the Basel Committee (BIS), the Institute of Internal Auditors, central banks and authorities like the EBA, there seems to be agreement on the overall lines of reference. So far the Three Lines of Defense model seems to gather the most consensus, and it is apparent that it represents a great improvement over earlier models. It provides a simple and effective way to enhance the control and communication of risk by clarifying important roles and duties, and therefore improving its effectiveness. It does so by dividing the risk structure into 3 main functions: functions that own and manage risks; functions of oversight; and functions of independent assurance.

Finally, it can be concluded that the implementation of the main guidelines presented throughout this report will ensure that the bank’s risk area (and therefore the entire business) becomes stronger and, furthermore, will allow the bank to improve its standing in the eyes of the regulators and garner important reputational advantages that will probably allow it to grow in a safe and sound fashion.


5 – Recommendations

5.1 To the reader

First and foremost, this report (excluding the Conclusions and Recommendations) was based solely on the information provided by external sources, with great emphasis on the guidelines and regulations provided both by the Bank for International Settlements and the European Banking Authority. The author of this report intended to compile and present the information in a way that is easier for the reader to access. Despite this, in no way is this document a replacement for the full and detailed reports that are mentioned. For a reader with an interest in knowing more about this topic there is no substitute for the original reports, which can be accessed online by following the references detailed at the end of this report. Those original reports, for which we recommend a careful reading, are: EBA Guidelines on Internal Governance (2011) and Basel Committee on Banking Supervision - Guidelines: Corporate governance principles for banks (2015).

If the reader just wants to be more aware of the general framework and a simplified version of the roles and structure of the risk area in a bank, this report might fulfill that requirement.

If the reader is interested in more information about the real application of the aforementioned frameworks in banks, we also recommend reading some recent reports on risk in banking, in particular one elaborated by McKinsey & Company entitled McKinsey on Risk - Nº1, Summer 2016. In this report McKinsey underlines the importance of issues like compliance in 2016, nonfinancial risk and the future of bank risk management. It is interesting to understand the most recent trends in the risk area in banking, especially because the issues are addressed from the point of view of the banks themselves.

5.2 To banks

Regarding the positioning of banks in the risk area, it is clear there must be a concerted effort from both senior management and boards to allow for a smooth transition into the more regulated environment of the post-2008 crisis. Most banks have already implemented the changes brought forth by the EBA and BIS, but where they have not, it would be helpful to constitute a temporary committee to help reorganize the bank’s structure.

This committee, to be dissolved once the changes are in place, should have a previously established time schedule and clear objectives, as well as the necessary funds and manpower to achieve its goals. It should be made up of people with previous experience in all business units and deep knowledge of the new regulation. They should be allowed to get advice and feedback from staff, but also have the capacity to employ people with the necessary skills to put in place the new risk framework and structure.

Once in place, there should be a robust culture of accountability for workers and management. This implies that the remuneration and reward system be reanalyzed and possibly changed, in order to make it fairer and to avoid encouraging excessive risk-taking behaviors. Inside the bank there should be a philosophy of actively looking for unethical behavior and reporting it, either to senior management or to the regulator. Employees should be free to consult with regulators without suffering any adverse consequences inside the institution, and they should have a right to privacy when doing so.

The recruiting processes might also be improved, especially for those working directly with investment and financial markets. It would be important to assess the risk profile of each individual before positioning them in different roles. The bank should also be aware of, and active regarding, the constant change on the technological side of the business. A strong investment in the talent pool and in more advanced analytic capabilities will surely help ease the transition towards a more connected business world.

A relatively recent change in the way banks process big data and use machine learning will definitely facilitate the introduction of new alerts and triggers when excessive exposure to risk occurs. New risk models need to be created, and they should be carefully analyzed and updated based on that big data. This will help move the decision-making process from a more bias-driven one to a more data-oriented one.

Inside the bank it is also important to reinforce collaboration and communication between different business units. This will help improve the customer experience and implement rules to protect clients, for instance by disclosing more risk-related information and being more transparent as an organization. This will definitely bring reputational gains to the institution.

Finally, it is increasingly important for the institution to be aware of new and upcoming risks, many of them related, for example, to cybersecurity. This is one of the reasons why it is of the utmost importance to continually invest in staff training, IT infrastructure and skill development, so that the bank, as a whole, might be better prepared to face the challenges that the future holds.

5.3 To clients

For many clients, especially in commercial banks, having more knowledge of the risk profile of their bank might not appear important. Nonetheless, risk is an inherent characteristic of banking activity and it pervades all of its business units, so it surely plays a significant role in the way the client should perceive their bank. It is important to remain informed about the way the bank conducts its business and operations, and whether its risk profile is compatible with the client’s values and ways.

This is particularly important if the client conducts business and/or investments through their bank. Banks have a reputation to maintain, so they can often be opaque institutions. Despite this, it might sometimes be apparent to the client that some ways of conducting business are not up to standard, and they should report those situations to management or, ultimately, to the regulators and supervisors.

Clients have the responsibility of disclosing their own experience, and might actually be of great help when it comes to the identification of problems in a bank.

5.4 To regulators

It is of the utmost importance to keep guidelines and information clear. Reading the extensive reports issued by the regulators, it might not be easy for banks to implement all the different guidelines in a timely manner.

It is the author’s opinion that regulators should keep documents concise and simple. A simple listing of tasks for the different roles in banking is a lot more helpful than extensive text on the issue. Perhaps it would be possible to use those lists and then add more detailed information in a subsequent section of the text. In that way it would be easier for the bank’s personnel and management to be immediately aware of their roles and the skills necessary to execute them.

There should also be an effort to disclose and publicize information on important risk issues to the general public. Keeping in mind that the regulators have a responsibility of confidentiality and that they have access to classified information that pertains to each bank, clients should nonetheless be informed about the way their bank is conducting business and the risks it is taking. Only in this way can the client’s rights be effectively defended, allowing them to make informed decisions when it comes to choosing their bank.


6 – References

Papers, reports and guidelines

Arndorfer, I. December 2015. Occasional Paper No 11 - The “four lines of defence model” for financial institutions - Taking the three-lines-of-defence model further to reflect specific governance features of regulated financial institutions. Bank for International Settlements (BIS), Utrecht University.

Bank for International Settlements (BIS). July 2015. Guidelines: Corporate governance principles for banks. Basel Committee on Banking Supervision.

Bessis, J. 2010. Risk management in banking. Third edition. John Wiley & Sons Ltd.

European Banking Authority (EBA). 27 September 2011. Guidelines on Internal Governance (GL 44). EBA, London.

Gontarek, W. January 2016. Risk governance of financial institutions: The growing importance of risk appetite and culture. Journal of Risk Management in Financial Institutions, Vol. 9(2), 120-129. Cranfield School of Management, UK.

Härle, P., Havas, A., Kremer, A., Rona, D., Samandari, H. December 2015. McKinsey Working Papers on Risk: The future of bank risk management. McKinsey & Company, USA.

Institute of Internal Auditors (IIA). January 2013. Position Paper: The three lines of defense in effective risk management and control. IIA, Florida, USA.

International Finance Corporation Advisory Services in Europe and Central Asia. 2012. Standards on risk governance in financial institutions. World Bank Group, Financial Market Crisis Response Program in Eastern Europe and Central Asia, Ukraine.

McKinsey & Company. July 2016. Number 1, Summer 2016 - McKinsey on Risk. USA.

Electronic Sources

Financial Stability Board (FSB). ‘Thematic review on risk governance’ [Online] Available: http://www.fsb.org/2013/02/r_130212/ Accessed: 20th October 2016.

Investopedia. ‘What is risk management?’ [Online] Available: http://www.investopedia.com/terms/r/riskmanagement.asp#ixzz4NICFvyHH Accessed: 20th October 2016.

Ukessays. ‘Risks faced by banks.’ [Online] Available: https://www.ukessays.com/essays/banking/risks-faced-by-banks.php Accessed: 20th October 2016.