Risk Management in Indian Banks 9789350432297, 9789350245538

Citation preview

RISK

MANAGEMENT IN INDIAN BAl\IIiS (Policies, Techniques and Implementation)

Dr. K.M. Bhattacharya (M.A., Ph.D. D.Litt. CAiiB) (Professor, Centre for Advanced Banking and Finance Studies, ICFAI Business School, Mumbai.) Formerly Managing Director, The Bank of Rajasthan Ltd., Executive Director, Indusind Bank Ltd. and Chief General Manager, State Bank of India.

Hal GJlimalayaGpublishingGJiouse MUMBAI • DELHI • NAGPUR • BANGALORE • HYDERABAD

©Autbor

ISBN

: 978-93-5024-553-8

Revised Edition: 2010

Publisbed by

Brancb Offices Delhi

Mrs. Meena Pandey, for HIMALAYA PUBLISHING HOUSE, "Ramdoot", Dr. Bhalerao Marg, Girgaon, Mumbai - 400004. Phones: 238601 70/238638 63 Fax: 022 - 2387 71 78 Email: [email protected] Website: www.bimpub.com 'Pooja Apartments', 4-B, Murari Lal Street, Ansari Road, Darya Ganj, New Delhi - 110002. Phone: 2327 03 92 Fax: 0 II - 2325 62 86

Nagpur

Kundanlal Chandak Industrial Estate, Ghat Road, Nagpur - 440 018. Phone: 272 12 16 Te1efax: 0712 - 272 12 15

Bangalore

No. 16/1, (Old 1211), 1st Floor, Next to Hotel Highland, Madhava Nagar, Race Course Road, Bangalore - 560001. Phones: 2228 1541/22385461 Telefax: 080 - 2228 66 11

Hyderabad

No. 2-2-1 167/2H, 1st floor, Near Railway Bridge, Tilak Nagar, Main Road, Hyderabad - 500 044. Phone: 5550 17 45, Fax: 040 - 2756 00 41

Typeset by

Prerana Enterprises 341, Jagannath Shankar Shet Road, Mumbai - 400 002. Phone: 2201 0296

Printed by

Bhave Press Pvt. Ltd. 242, Belasis Road, Nagpada, Mumbai - 400 008.

I

CONTENTS CHAPTER 1 - INTRODUCTION

-

1.1

Need for Risk Management in Banks

01

1.2

Objectives of Risk Management

04

1.3

Conclusion

05

CHAPTER 2 - CONCEPT OF RISKS IN BANKS 2.1

The Concept

06

2.2

Types of Risks in Banks

07

CHAPTERS 3 - RISK MANAGEMENT 3.1

Roles of Risk Management

14

3.2

Goals of Risk Management

16

3.3

The Risk Management Process

20

3.4

Principles of Risk Management

21

3.5

Principles for Management of Liquidity Risk

23

3.6

Principles for Management of Interest Rate Risk

24

3.7

Principles for the Management of Credit Risks

26

3.8

Principles for Management of Operational Risks

29

3.9

Risk Management Principles for Electronic Banking

30

3.10

Risk Management Policies

32

3.11

Need for Integration of Various Risk Categories-

3.12

Integrated Risk Management

33

Risk Management Structure

34

CHAPTER 4 - QUANTITATIVE RISK MEASUREMENT 4.1

Importance of Quantitative Risk Measurement

38

4.2

Indicators for Quantitative Measurement of Risks

38

4.3

Measuring Uncertainty - Stress TesUWorst Case Scenario

39

4.4

Sensitivity Analysis

41

4.5

Volatility

43

4.6

Downside Risk

45

4.7

Potential Loss

46

4.8 4.9

VaR & CaR

47

Risk Adjusted Return on Capital (RAROC)

52

CHAPTER 5 - CREDIT RISK

5.1

Credit - Risk Management

53

5.2

Need for Credit Risk Management for Banks in India

54

5.3

Credit Risk - Definition and Components

55

5.4 5.5

Credit Risk Management Techniques and Instruments

56

Credit Risk Measurement and Potential Loss

71

5.6

Credit Risk Rating Framework (CRF)

77

5.7

Credit Risk Models

110

5.8

Managing Credit Risk in Inter-bank Exposure

116

5.9

Credit Risk in off-Balance-sheet Exposure

120

5.10 Country Risk

120

5.11

123

Loan Review Mechanism/Credit Audit

5.12 RAROC Pricing/Economic Profit

124

5.13 Conclusion

126

CHAPTER 6 - MARKET RISK

6.1

Market Risk Management - Introduction

136

6.2

Need of Market Risk Management for Banks in India

136

6.3

Market Risk Components

137

6.4

Market Risk Management Architecture

140

6.5

Asset Liability Management System in Banks

144

6.6

Management of Liquidity Risk

146

6.7 6.8

Management of Interest Rate Risk

152

Management of Foreign Exchange Risk

163

6.9

Management of Equity Price Risk

170

6.10 Management of Commodity Price Risk 6.11 Measurement of Market Risk - Value at Risk (VaR) and Stress Test Techniques

6.12 Conclusion

172 172 176

CHAPTER 7 - OPERATIONAL RISK

7.1

Operational Risk Management - Introduction

190

7.2

Need of Operational Risk Management for Banks in India

191

7.3

Operational Risk - Components

193

7.4

Management of Operational Risks

198

7.5

Operational Risk Loss Events

222

7.6

Pre-requisites for Operational Risk Management

232

7.7

Conclusion

232

CHAPTER 8 - SOLVENCY RISK - CONCEPT OF CAPITAL ADEQUACY AND RISK BASED CAPITAL

t

8.1

Solvency Risk -Introduction

234

8.2

New Capital Adequacy Framework

235

8.3

Risk Based Capital/Economic Capital

251

8.4

Economic Capital and Solvency Risk

251

8.5 8.6 8.7

Concept of Risk Adjusted Return on Capital (RAROC)

252

Risk Rating and Risk Based Pricing

254

Conclusion

255

CHAPTER 9 - RISK BASED SUPERVISION OF BANKS

9.1

Need of Risk Based Supervision of Banks - Introduction

259

9.2

Objectives of RBS

262

9.3

Process for Risk Based Supervision

262

9.4 9.5

Bank Level Preparations

266

Risk Based Supervision vis-a-vis Current CAMELS Approach

270

9.6

Risk Profiling Technique for RBS Developed by RBI

271

9.7

Risk Focused Internal Audit

279

9.8

Conclusion

283

BIBLIOGRAPHY

284

"This page is Intentionally Left Blank"

INTRODUCTION

1 .1 NEEd

FOR

Risk MANAGEMENT iN BANks

We live in an ever-changing world where many organizations have great difficulties in foreseeing events and the constant enlargement of the pace and scope of activities makes the situation worse. The basic truth is that we all are living in an environment that is full of risk. We are all too preoccupied with the operational and managerial objectives that very little time is actually spent in formally addressing the several dimensions of risk and its management. Thus, there remains some 'unmanaged risks', which, due to oversight or otherwise, expose enterprises to unforeseen dangers. During the last decade, we have witnessed a profound change in the size and structure of the global financial markets. The consequential integration of financial markets has contributed to the creation of more complex financial environment. The trends in the world economy, if taken in its totality, are producing a kind of shift in economic paradigm according to which there is a reordering of institutions and relationships and which is having a dramatic effect on the lives of not only the institutions but also the individuals all over the world. The process of integration of financial markets has generated a worldwide wave of liberalization of trade, investment and capital flows and consequent growth in importance of these flows and of international competition in the world economy. Globalization implies that the distinction between domestic and international arena becomes blurred and it is hard to think anything remaining purely domestic. The growth of trade and commerce has resulted in more complex and geographically diversified financial services. The process of integration of financial markets in the Indian context has evoked mixed response because some people seem to attribute to it all the ills of the economy. For others it is phenomena, which have to be accepted, and still there are some who consider it as something which should be resisted. 2.

The integration of financial market poses certain special problems like:

(a) Global competition is contributing to an evolu"tion in banking which is moving towards a less clear distinctior.' between universal and specialized financial institutions and a blurring of separation between banks and other financial intermediaries / institutions. (b) The complexity of banking activities and operations increases to the extent of integration with the international arena, posing difficult challenges to bank managers, owners and regulators in fulfilling their respective responsibilities.

2

Risk Management in Indian Banks

(c) Banks operating in several countries can arbitrage between regulatory frameworks by undertaking operations in locations where regulations are most favourable. 3.

The forces of market liberalization and the globalization of transactions have transformed the structure of the financial industry virtually everywhere and have given rise to the need of a more efficient and competitive financial industry. Liberalization has provided greater scope for markets to achieve a better allocation of financial resources, domestic and worldwide. It has improved the menu of investment outlets available to the suppliers offunds and offered end users easier and cheaper access to finance. Financial innovation has also provided market participants with new instruments to better manage their risk exposures.

4.

Reduction in transaction costs has raised the liquidity of security market and removal of foreign exchange controls has permitted capital to flow more freely towards higher returns promoting a greater diversification of portfolios. These benefits have not been achieved without endangering the stability of the financial system. Greater market liberalization and internationalization are accompanied with greater risks of potential disruptions, which originate in or are transmitted through financial markets.

5.

Greater competitive pressures squeeze profit margins and in order to retain the same, institutions tend to pursue riskier strategies. The more an economy is open to international capital market the more it is exposed to shocks which though originate elsewhere but tend to transmit through international capital flows.

6.

Weak financial systems can have serious repercussions on overall economic stability. Balance Sheet weakness of financial intermediaries severely affects their ability to mobilize funds from savers for channelising the same to borrower with adverse implications for investments. Decreased financial wealth can then severely affect the ability of firms to raise finance and continue normal operations.

7.

Such a situation also has contagion effects where the failure of one or a few institutions can lead to strains elsewhere in the financial system because of inter-connected activity and mutual exposure through the payment system. Similarly, do debtor countries face problems when a liquidity crisis in another country leads to an abrupt re-evaluation of international investor's assessment of risk? This leads to a sudden reversal of capital inflows resulting in adverse macro-economic consequences.

8.

The characteristics of new financial environment are increased risks of traditional types having heightened perceptions of other types of risks, which may have existed before but were considered to be of lesser concern. There are many kinds of changes in financial markets each of, which is capable of leading to greater uncertainties e.g.

(a) Increased volumes of transactions in market. The implications of this are that the effects of a market disturbance could be considerably greater and affect a wider array of participants; (b) The low cost of transactions has increased the speed at which prices adjust to changes in market conditions thereby enabling almost instantaneous modification of position As a result wide range of other markets can be affected before the official sector has time to react; (c) The conventional borders between banking and non-banking financial institutions have become more blurred; accordingly the traditional structure .of the financial industry is being continuously challenged.

Introduction

3

(d) A growing awareness of the limitations of Govt. backed savings avenues and the increased capacity to manage institutionally diversified portfolio have prompted the growth of other type of pooled investment vehicles encouraging different type of behaviour.

(e) The cross-country capital flows are growing rapidly and domestic systems are getting increasingly exposed to shocks emanating from abroad. The removal of exchange controls has increased the ability of capital to cross borders in search of higher yields or to flow back in quest of higher security. Such flows can now be large enough to pose significant problems for financial and economic stability in the countries most affected. In view of these developments the state of the financial markets is now inherently more risky than in the past. Banks in the process of financial intermediation are confronted with various kinds of financial and non-financial risks viz. credit, interest rate, foreign exchange rate, liquidity, equity price, commodity price, legal, regulatory, reputational, operational, etc. These risks are highly interdependent and events that affect one area of risk can have ramifications for a range of other categories and, therefor, perhaps the greatest challenge, which the banks are currently confronting, relates to the proper management of risks. The most critical task before bank managements today is to put in place sound principles and framework of risk management and control. This is also of significance to regulators and supervisors and in view of the same the Reserve Bank of India has issued comprehensive guidelines to banks asking to put in place proper risk management structure to improve the ability to identify, measure, monitor, and control the overall level of risks undertaken. The Risk Management Structure need to encompass following broad parameters: (i) Organizational structure; (ii) Comprehensive risk management approach; (iii) Risk management policies approved by the Board which should be consistent with the broader business strategies, capital strength, management expertise, and overall willingness to assume risks; (iv) Guidelines and other parameters used to govern risk taking including detailed structure of prudential 'limits; (v) Strong MIS for reporting, monitoring and controlling risks; (vi) Well laid out procedures, effective control and comprehensive risk reporting framework; (vii) Separate risk management framework independent of operational departments and with clear delineation of levels of responsibility for management of risk; and (viii) Periodical review and evaluation. RBI has recently issued detailed guidelines to banks on Risk Management. These guidelines emphasize that Risks being highly interdependent, one area of risks have ramifications .for other risk categories. Therefore top management has to identify, measure, monitor and control risks in a scientific manner. The crux is to enable scientific Risk Management, which is a new concept for the banking industry in the country. Foreign banks are already at an advanced stage in the matter of implementation of Risk Management functions and with a view to meet the ever-growing threats of Non Performing Assets, Indian banks have also to develop matching systems in this direction.

4

Risk Management in Indian Banks

1.2 ObjECTivES of Risk MANAGEMENT Risk has been present always in the banking business but the discussion on managing the same has gained prominence only lately. Bankers world-wide have come to realize that the growing deregulation of local markets and their gradual integration with global markets have deepened their anxieties. With growing sophistication in banking operations, while lending and deposit taking have continued to remain the mainstay of a majority of commercial banks, many have branched into derivatives trading, securities underwriting and corporate advisory businesses. Some banks have even expanded their traditional credit product lines to include asset securitisation and credit derivatives. Still others have greatly increased their transaction processing, custodial services or asset management businesses, in the pursuit of increased fee income. With improvements in information technology, more and more banks have ventured into the relatively new world of on-line electronic banking covering apart from traditional banking, bill presentation and payment services. This would mean an increase in the diversity and complexity of risks. As a consequence, the issue of risk management has gained new dimensions and banks have to develop risk management system that are rigorous and comprehensive, yet flexible enough to address newer risks they assume. The Reserve Bank of India, in the recent years, has issued quite a number of regulations/directions covering the various aspects of risks management viz. Asset-Liability Management, Credit Risk Management etc. The concern of regulator in this regard is also clearly visible in the level of monitoring of the progress made by banks towards implementation of guidelines and putting in place, proper risk management system, as envisaged. In the light of this background, it was thought proper: to carry-out the study, on the subject of "RISK MANAGEMENT IN INDIAN BANKS", with the object to make an assessment of the standard and status of Risk Management Systems and adequacy or otherwise of the guidelines issued by the Reserve Bank of India. The study has been focussed on various aspects of Risk Management in Indian Banks mainly covering following vital areas: • Principles of Risk Management; • Risk Management Policies; • Risk Management Techniquesllnstruments; • Risk Management Structure; • Implementation of Policies; • Opportunities, challenges, and difficulties in implementation; • Conclusion, suggestions, and recommendation.

Following risk areas have been covered in the study: • Credit Risks; • Market Risks, covering; Liquidity Risks Interest Rate Risks

Foreign Exchange Risks

Commodity Price/Equity Price Risks; • Solvency Ris'ks; • Operational Risks/Risks in e-banking; • Risk Aggregation and Capital Allocation.

Introduction

5

1., CoNclusioN Risk is an inherent part of financial intermediation business and the banks will have to recognize the importance of effective risk management for building up sound asset base and improving profitability. Banks are exposed to various risks, as mentioned above, which have been covered in the study and there is urgent need to have in place suitable systems for risk measuring, and risk mitigation and risk based pricing. In the International arena, the Basel Committee on Banking Supervision has proposed the New Basel Capital Accord which is intended to align capital adequacy assessment more closely with the key elements of the banking risk and to provide incentives for banks to enhance their risk measurement and management skills The study will help banks to know the risks they are facing, risks which are important and need to be addressed, context and priorities of risks, and to have clearer understanding leading to healthier and effective management plans to mitigate risks and review the same on an ongoing basis.

DOD

CONCEPT OF RISKS IN BANKS 2.1 litE CoNCEPT Financial markets in the industrially advanced countries have undergone far~reaching changes in the 1980s. In other countries in emerging markets like India also similar changes are, gradually, taking place in recent years. Innovations spurred by deregulation and liberalization have been a marked feature of this transformation. Rapid strides in technology in the areas of telecommunications and electronic data processing have helped to speed up the changes. A major consequence of these changes is the bluffing of the financial frontiers in terms of instruments, institutions and markets. The distinction between banks and non-banking financial institutions has become thin. Restrictions imposed earlier on banks regarding the activities they can undertake have been removed one by one. Effectively, universal banking has become the trend. Another feature of the market is the interlinking of different national markets. With the dismantling of exchange controls and the rapid development in communication systems, funds have started moving from one country to another. It is the interlinking of different national markets, which has come to be known as globalization. Important financial institutions are present in all the leading market centres and markets are open on a 24-hour basis. Deregulation has, thus, meant the dismantling of regulations relating to entry and expansion; it has also meant the removal of all direct controls over interest rate, wherever they existed. The integration of markets, both financially and spatially, has led to a more unified market for allocation of savings and investment among the participating countries which has raised various serious concerns and the state of the financial markets is now inherently more risky than in the past. In a technologically integrated financial world, the chances of systemic risk increase. The potential damage to the system arising out of the failure of a large globally active banking or non-banking financial institution can be immense. The intense competition which banks have come to face, both as a consequence of growth of non-banking financial institutions as well as securitisation has created the fear of high risk and has increased the attention towards risk management and evolving a common code of prudential regulations applicable to all countries. Several significant steps have already been taken in this direction. The three major forces bearing upon the banking industry today are: • The prescription of internationally acceptable prudential and capital adequacy standards; • The growth in financial engineering and the resultent supply of new financial products; • The impact of technology.

Concept of Risks in Banks

7

The new capital rules are compelling banks to readjust. The principle behind capital adequacy norms is to ensure that banks attain sound financial health and depositors' interests are protected. It also aims at incorporating capital weights into management decisions and prompt bank managements to think about the relationship between the risk and the capital in a more consistent and systematic manner. Banks are, therefore, seeking ways to raise new funds, cut costs and restrain their risk asset growth. The latest Basel proposals further aim at strengthening the banking industry's operating standards. This is already having several effects and is compelling banks to review their operating practices and portfolios. Perhaps, the greatest challenge, which the banks are currently confronting, relates to the proper management of risks. The most critical task before bank managements today is to put in place sound principles and framework for risk management and control. This is also of significance to regulators and supervisors and call for a review of the accounting standards, regulatory structures, and supervisory approaches. The challenge is far greater for banking markets like those of India which have a vast network of branch banking, with thousands of staff in hundreds of branches, including vast network of rural branches catering to rural and farm clientele, and bank managements have to put in place proper training for developing risk management skills for their staff.

Risk management in financial markets has increasingly captured the attention of the regulators, the public and, perhaps belatedly, the market participants themselves. Recent years have seen unprecedented levels of losses and litigation resulting from risky trade and investments, and growing number of angry investors and class-action lawsuits. The growth in complexity of products and trading strategies, and the systems required to support them, has been exponential. The responsibilities of the directors and the officers have come under public scrutiny. The tremendous growth of derivative activities, especially over the past decade, has provided banks and customers the benefits of more efficient allocation and management of risks. Wherever the derivatives markets have operated in a continuous, smooth and safe manner, the costs of risk intermediation have been lower and more finely tuned hedges have been made available to investors, institutions and corporates. The end users of these products, as well as those who are market makers in these products must have a complete understanding of the systematic risks and the possibilities of a financial disruption which could be caused due to operation of these and similar products. Skills and techniques must, therefore, be available to critically evaluate risk taking and risk management, the nature of market, credit, liquidity and operational risks. Proper valuation procedures, as well as a responsive Management Information System (MIS) should be in place. A part of training and banking education would, therefore, involve on risk management and also on covering the aspect of understanding of the links between financial markets and their potential systemic implications. Together, these challenges have made clear the need for enhanced standards of control over the risks that are undertaken by any firm active in the financial markets.

2.2 TYPES of Risks iN BANks Banks in the process of financial intermediation are confronted with various kinds of financial and non-financial risks such as: 1. Credit Risk 2. Market Risk

8

Risk Management in Indian Banks

• Liquidity Risk • Interest Rate Risk • Foreign Exchange Risk • Commodity Price Risk • Equity Price Risk 3. Solvency Risk 4. Operational Risk. These risks are highly interdependent and events that affect one area of risk can have ramifications for a range of other risk categories. In this chapter we have briefly discussed the basic features of these risks.

Credit Risk Credit risk is most simply defined as the potential that a bank borrower or counter party will fail to meet its obligations in accordance with agreed terms. Credit risk is the possibility of losses associated with diminution in the credit quality of borrowers or counter parties. It involves inability or unwillingness of a customer to meet commitments in relation to lending, trading, hedging, settlement and other financial transactions. Alternatively, losses result from reduction in portfolio value arising from actual or perceived deterioration in credit quality. Credit risk emanates from a bank's dealings with ah individual, corporate, bank, financial institution or a sovereign. Credit risk may take the following forms: • in the case of direct lending principal and / or interest amount may not be repaid; • in the case of guarantees or letters of credit, funds may not be forthcoming from the constituents upon crystallization of the liability; • in the case of treasury operations the payment or series of payment due from the counter parties under the respective contracts may not be forthcoming or ceases; • in the case of securities trading businesses funds/securities settlement may not be effected; • in the case of cross border exposure the availability and free transfer of foreign currency funds may either cease or restrictions may be imposed by the sovereign. The credit risk is generally made up of transaction risk or default risk and portfolio risk. The portfolio risk in turn comprises intrinsic and concentration risk. The credit risk of a bank's portfolio depends on both external and internal factors. The external factors are the state of the economy, wide swing in the commodity/equity prices, foreign exchange rates and interest rates, trade restrictions, economic sanctions, Government policies etc. The internal factors are deficiencies in loan policies/administration, absence of prudential credit concentration limits, inadequately defined lending limits for Loan Officers/Credit Committees, deficiencies in appraisal of borrowers' financial position, excessive dependence on collaterals, inadequate risk priCing, absence of loan review mechanism- and post sanction surveillance, etc. Another variant of credit risk is counter party risk. It arises from non-performance of the trading partners. The non-performance may arise from counter party's refusal/inability to perform due to adverse price movements or from external constraints that were not anticipated by the principal.

Concept of Risks in Banks

9

The management of credit risk includes; •

Measurement of risk through credit rating/scoring

•

Quantifying the risk through estimating expected loan losses

•

Risk pricing on a scientific basis; and

•

Controlling the risk through effective loan review mechanism and portfolio management.

Since exposure to credit risk continues to be the leading source of problem in banks world-wide; banks should now have a keen awareness of the need to identify, measure, monitor, and control credit risk as well as determine that they hold adequate capital against these risks and that they are adequately compensated for risks taken. The goal of credit risk management is to maximize a bank's risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banks should also consider the relationship between credit risk and other risks. The effective management of credit risk is a critical component of a comprehensive approach to risk management and essential to the long-term success of any banking orga()ization. Banks need to adopt sound practices in the following areas: (i) establishing an appropriate credit risk environment; (ii) operating under a sound credit-granting process; (iii) maintaining an appropriate credit administration, measurement and monitoring process and (iv) Ensuring adequate controls over credit risk. Banks should have a well defined credit risk policy defining clearly their credit philosophy, credit culture, risk tolerance level, credit approving authority, prudential limits, acceptable bench-mark ratios, risk rating systems, loan review mechanism, robust MIS for monitoring and follow-up and system of periodic review of the policy itself. I propose to cover all these areas in detail in my study.

Market Risk Market risk can be defined as the risk arising from the adverse changes in the market variables such as interest rate, foreign exchange rate, equity price, and the commodity price. Market risk is the risk of adverse deviations of the mark-to-market value of the portfolio during the period required to liquidate the transaction. Change in a market variable causes substantial changes in the income and economic value of the banks. Market risks may take the form of: (i) Liquidity Risk (ii) Interest Rate Risk (iii) Foreign Exchange Risk (iv) Commodity Price Risk (v) Equity Price Risk. Management of market risk is the major concern of the top management of the banks. The Asset-Liability Management Committee (ALCO) function as the top operational unit for managing the balance sheet within the performance/ risk parameters laid down by the Board. The banks also have an independent middle office to track the magnitude of the market risk on a real time basis. The middle office comprises of experts in market risk management, economists, statisticians, and general bankers and is placed directly under ALCO. The middle office is separated from the Dealing/ front office functions and is not involved in day to day management of Treasury.

10

Risk Management in Indian Banks

Liquidity Risk Liquidity planning is an important area of Risk Management Framework in banks. The liquidity risk of banks arises from funding of long term assets by short-term liabilities, thereby making the liabilities subject to roll over or refinancing risk. In a very fundamental sense, liquidity management represents the ability to meet liquidity needs, as and when they emerge, both efficiently and economically i.e., without incurring undue costs. Liquidity is the ability to efficiently accommodate deposit and other liability decreases, as well as fund loan portfolio growth and the possible funding of off-balance sheet claims. Liquidity management in banks may be defined as the process of generating funds to meet contractual or relationship obligations viz. New loan demands, existing loan commitments, and deposit withdrawals etc., at reasonable prices at all times. A bank has adequate liquidity when sufficient funds can be raised, either by increasing the liabilities or converting assets, promptly and at a reasonable cost. It encompasses the potential sale of liquid assets and borrowing money for capital and forex markets. Effective liquidity management helps the bank in building confidence level in the market, developing mutually beneficial relationship with borrowers by meeting their demands timely, avoiding unprofitable sale of assets to generate funds in case of need, and in lowering the size of default-risk premium. Liquidity risk, broadly, comprises of funding risk, time risk, and call risk. •

Funding Risk - need to replace net outflows due to unanticipated withdrawals/nonrenewal of deposits;

•

Time Risk - need to compensate for non-receipt of expected inflows of funds, i.e., performing assets turning into non-performing assets; and

•

Call Risk - due to crystallization of contingent liabilities and inability to undertake profitable business opportunities when desirable.

These can be measured/studied, broadly, under two methods: Static Approach Analysis, or Dynamic Liquidity Analysis.

Ratio

Study of projected cash flows, behavioural pattern, variance analysis, setting of prudential limits on volatile assets and liabilities etc., which are the important tools for the purpose are required to be put in place by banks. The analysis of liquidity involves tracking of cash flow mismatches. For measuring and managing net funding requirements, the use of maturity ladder and calculation of cumulative surplus or deficit of funds at selected maturity dates is considered. The cash flows are placed in different time bands based on future behaviour of assets, liabilities and off-balance sheet items. In other words, banks analyze the behavioural maturity profiles of various components of on/ off balance sheet items on the basis of assumptions and trend analysis supported by time series analysiS. Banks also undertake variance analysis to validate the assumptions. Apart from the above cash flows, banks also track the impact of prepayment of loans, premature closure of deposits and exercise of options built in certain instruments which offer put! call options after specified times. The difference between the cash inflows and out flows in each time period, the excess or deficit of funds, becomes a starting point for a measure of a bank's future liquidity deficit or surplus, at a series of point of time. Banks also monitor high value deposits say Rs. 1 crore or more to track the volatile liabilities. Further, the cash flows ariSing out of contingent liabilities in normal situation and the scope for an increase in cash flows during periods of stress should also be estimated. The banks can also estimate the liquidity profile on a dynamic way by giving due importance to:

Concept of Risks in Banks

11

• Seasonal patterns of deposits/loans; • Potential liquidity needs for meeting new loan demands, unavailed credit limits, loan policy, potential deposit losses, investment obligations, statutory obligations etc.

Interest Rate Risk Deregulation of interest rates has exposed the banks to the adverse impact of interest rate risk. Interest rate risk is the risk where unexpected change in the market interest rate may impact on the Net Interest Income (Nil). Nil means Net Intererst Income = Interest Income -Interest Expenses or Net Interest Margin (NIM). NIM means Net Interest Margin = Net Interest Income/Average Total Assets. Any mismatches in the cash flows (fixed assets or liabilities) or repricing dates (floating assets or liabilities), expose bank's Nil or NIM to variations. The earning of assets and cost of liabilities are closely related to market interest rate volatility. Interest rate risk may take the form of Gap or Mismatch Risk, Basis Risk, Embedded Option Risk, Yield Curve Risk, Price Risk, Reinvestment Risk, and Net Interest Position Risk. •

Gap or Mismatch Risk: It arises from holding assets and liabilities and off- balance sheet items with different principal amounts, maturity dates or repricing dates, thereby, creating exposure to unexpected changes in the level of market interest rates.

•

Basis Risk: The risk that the interest rate of different assets, liabilities and off-balance sheet items may change in different magnitude is termed as basis risk. The degree of basis risk is fairly high in respect of banks that create composite assets out of composite liabilities.

•

Embedded Option Risk: Significant changes in market interest rates create another source of risk bank's profitability by encouraging prepayment of cash crediUdemand loans/term loans and exercise of call/put options on bond's debentures and/or premature withdrawal of term deposits before their stated maturities.

These risks can be measured through different methods such as traditional Maturity Gap Analysis (to measure the interest rate sensitivity of earnings), Duration Gap Analysis (to measure interest rate sensitivity of capital), Simulation, and Value at Risk (VAR) in combination or hybrid form. Before interest rate risk could be managed, they should be identified and quantified.

Foreign Exchange Risk Foreign Exchange Risk is the risk of loss generated by changes in the exchanges in exchange rates between the domestic and foreign currencies. The risk inherent in running open foreign exchange positions has been heightened in recent years by the pronounced volatility in forex rates. The forex risk is the risk that a bank may suffer losses as a result of adverse exchange rates movements during the period in which it has an open position, either spot or forward, or a combination of two, in an individual foreign currency. Even in case where spot or forward position in individual currencies are balanced, the maturity pattern of forward transactions may produce mismatches. In the forex business, banks also face the risk of default of the counterparties or settlement risk. Banks also face another risk called time-zone risk which arises out of time-lags in settlement of one currency in one centre and the settlement of another currency in another time-zone. The forex transaction with counter parties from another country also trigger sovereign or country risk. Because of increase in volume of international trade, currency trading by banks, forex rate volatility, and complexity of products Forex Risk Management has become an important matter for banks. These risks are to be measured for exposure in a single currency as well as for overall foreign exchange

12

Risk Management in Indian Banks

exposure by measuring net spot/forward position in specific currency as well as aggregate exposures. To check the risks, banks are required to set guidelines for internal monitoring, well defined division of responsibility between front, middle and back office, prudential limits on foreign exchange open positions and gaps, capital requirements for value at risk (VAR) etc.

Commodity Price and Equity Price Risks Commodity Price and Equity Price Risks also play an important role in Market Risk management by banks and are measured through VAR techniques for which banks are required to adopt proper measuring and monitoring policies. Management of Market Risks is one of the major concerns for banks and Asset-Liability Management Committee (ALCO) is the top operational unit for managing these risks within the parameters laid down by the Boards of banks. ALCO assumes a major functional responsibility in measurement, monitoring, and controlling these risks for which it is assisted by independent middle office to track the magnitude of market risk on a real time basis.

Operational Risks Operational risks involves break down of internal controls and corporate governance and can lead to financial loss through error, fraud, or failure to perform in a timely manner or cause the interest of the bank to be compromised. Managing Operational Risks is, therefore, becoming an important feature of sound Risk Management practices in modern financial markets in the wake of phenomenal increase in the volume of transactions, high degree of structural changes, and use of computerized technology and complex support system. Measuring Operational Risks require both estimating probability of an operational loss event and the potential size of the loss. Indian banks have so far not evolved any scientific methods for quantifying operational risks. In the absence of any sophisticated models, banks have evolved simple benchmark based on an aggregate measure of business activity such as incidence of frauds, income loss, gross revenue, fee income, operating costs, total assets adjusted for off-balance sheet exposures or a combination of these variables. Internal controls and the internal audit system are used as the primary means to mitigate such risks. Insurance is also an important mitigator for some form of operational risks. Risk education for familiarizing the complex operations at all levels of staff can also reduce operational risks. One of the major tools for managing operational risks is the well-established internal control system, which includes segregation of duties, clear management reporting lines and adequate operating procedures. Most of the operational risk events are associated with weak links in internal control systems or laxity in complying with the existing internal control procedures. The ideal method of identifying problem spots is the technique of self-assessment of internal control environment. The self-assessment could be used to evaluate operational risk alongwith internal/external audit reportslrating or RBI inspection findings. Banks should endeavour for detection of operational problem spots rather than their being pointed out by supervisors/internal or external auditors. Human Resources Development aspects such as trainings etc., could also playa very important role in evaluation and control of operational risks faced in the organization.

Solvency Risk, Risk Aggregation and Capital Allocation Most of the International banks have developed internal processes and techniques to assess and evaluate their own capital needs in the light of their risk profile and business plan. Such banks take into account both qualitative and quantitative factors to assess economic capital, as the capital adequacy in relation to economic risk is necessary condition for long term soundness of banks.

Concept of Risks in Banks

13

Banks, across the world, use different ways to estimate the aggregate risk exposures. The most commonly used approach is the Risk Adjusted Return on Capital (RAROC) in International banks. Each type of risk is measured to determine both the expected and unexpected losses using Value at Risk (VaR) or worst-case type analytical model. Key to RAROC is the matching of revenues, costs and risks on transaction or portfolio basis over a defined time period. This begins with a clear differentiation between expected and unexpected losses. Expected losses are covered by reserves and provisions; and unexpected losses require capital allocation, which is determined on the principles of confidence levels, time horizon, diversification and correlation. The second approach is similar to RAROC, but depends less on capital allocation and more on cash flows or variability in earnings. This is referred to as Earning at Risk (EaR). Accordingly, each bank can restrict the maximum potential loss to certain percentage of past / current income or market value. In Indian banks, presently Capital Adequacy Ratio (CAR) is used for the purpose. Given the level of risk management practices, most of the Indian banks are not in a position to adopt RAROC framework and allocate capital to various business units on the basis of risk at present. However, banks in India are working now to gradually switch over to RAROC framework in consonance with RBI guidelines. All these risks as mentioned above are discussed in details in subsequent chapters in this study.

DOD

RISK MANAGEMENT

,. 1 RolE of Risk MANAGEMENT Recent financial disasters in financial and non-financial firms / companies point to the need for various forms of risk management. Financial misadventures are hardly a new phenomenon, but the rapidity with which economic entities can get into trouble is definitely so. The recent crisis in several co-operative banks, Unit Trust of India and IFel are examples of development of financial disaster rapidly.

Forewarned is forearmed; this old age saying is very true for banks and financial institutions which are faced with ever-growing threats of Risk in all areas of their operations. Forewarning means getting information in time before any unpleasant surprise occurs and organization of data for relevance. Vast information is needed to minimize risk mainly outside the usual feedback through periodical financial statements and reports. The Reserve Bank of India has issued detailed guidelines to banks on Risk Management. These guidelines emphasize that risks being highly interdependent, one area of risk has ramifications for other risk categories and banks have to identify, measure, monitor and control risks in a scientific manner. It must be noted at the very outset that risk management does nC't aim at risk avoidance. Risk management enables banks to bring their risk levels to manageable proportions without severely reducing their income. Thus, risk management enables a bank to take the required level of exposure in order to meet its profit targets. This balancing act between the risk levels and profit need to be well planned. The crux is Scientific Risk Management which is a seven-step process, involving:

1. Risk Identification - to know what the risks are and how to minimize uncertainty: Risk can be anything that can hinder banks from meeting their targeted results. Each risk must be defined precisely in order to facilitate identification, which will enable banks to have a fundamental understanding of the activities originating the risks. Such an understanding is essential to evaluate aspects related to the magnitude of the risks, the tenor and the implications they have on the accounting aspects. At any point of time, a bank generally will be exposed to a host of risks emanating from the exposures.

Risk Management

15

However, if the bank considers aggregate value of these risks, without considering each risk independently, there may be improper estimation of the risks due to netting. All kinds of hidden, economic and competitive exposures are to be considered. This is possible when the bank unbundles the risks involved in each transaction. This is the most critical step where most of the time needs to be spent. Unless the bank idendifies and understands the nature of exposures involved in a transaction, it will not be able to manage them. Further, such unbundling also helps the bank in deciding which risks will have to manage and which it would prefer to eliminate. The process also helps a bank in deciding pricing of the transactions. 2. Risk Measurement - to know their context and priorities: This can also be termed as quantification of risks. By measuring its risks, a bank is indirectly quantifying the consequences of the decisions taken. If the risks are not quantified, the bank will neither be aware of the consequences of the decisions nor will it be in a position to manage the risks. Thus, all risks to which the bank is exposed needs to be quantified. Quantification of risks is a crucial task and its accuracy depends crucially on the information available. The quality of information coming from its various divisions however depends on the bank's reporting system. The information provided needs to be further evaluated to ensure that there are correct and consistent and are avialable on an ongoing basis. Technology and MIS playa crucial role here. 3. Risk Analysis and Evaluation - to know which ones are important; segregation of major and minor risks: After quantification of risks the bank needs to make a thorough analYSis of risks involved by making a proper evaluation of data received. The bank has to decide which risk it will have to accept and manage and which risks it should mitigate/eliminate. Bank should clearly know which risks pose a major threat to it and are important to be handled with priority. 4. Risk Monitoring - to know which ones have not been addressed: As risk profile cannot be static and volatile circumstances keeps the risk profile changing over a period, it is necessary to monitor risk profile on an ongoing basis and to find" out which of the risks have not been addressed. There should be a continuous vigil on the risk profile and strategies to control/ mitigate the risks should be constantly reviewed. 5. Risk Control- through properly structured methodologies: The banks should develop methodologies/policies to control the risks keeping in view the complexities of its portfolio with a view to decide the standard level of exposures that the bank will have to maintain in order to protect cash flows. Policy is a long-term framework to tackle risk and hence the frequency of changes taking place in it is less. Setting on policies for risk management will depend on the bank's objectives and risk tolerance levels. The risk level set by the bank should neither be so high that it goes beyond the bank's capacity to manage it, nor should it be so low that the profitability is affected. The bank should decide on a particular exposure level only if it aids in achieving the bank's objeotives and also if it believes that it has the capacity to manage the risk for gain. If either of the conditions is not met, the bank will have to try to eliminate/ minimize the risk. 6. Risk Mitigation - clearer understanding leads to healthier response/effective management plans: The clearer the understanding of the Risk, the better the response to effectively manage the same. Banks should develop clear understanding of each risk it faces, so that the response to mitigate risks is quick and this would help in effectively managing risk. Better understanding of risk and mitigation plans, would always help the management in planning growth. 7. Risk Avoidance - avoiding unpleasant surprises: Risk mitigation and risk avoidance both are parts of a strategy formulation to implement the policies of the bank. Given the exposures and volatility, a strategy aids in managing risks. Firstly, the possible options and the risks attached to them are examined in order to know the effect of each option on the cash flow and earnings. With

16

Risk Management in Indian Banks

this information, a strategy will be developed to identify the sources of losses/gains, and how efficiently the risks can be shifted to enhance profits while reducing the exposure. Strategies differ widely depending on the nature of exposure, the type of transaction, etc. Depending on these features, a strategy will also state the instruments that are to be used to manage exposure, tenors and counter parties. Thus, the role of Risk Management is identification and evaluation of risks; understanding the dimensions, controllability and consequence of each risk; unearth probable and significant threats; prioritize risks scientifically; foster decisions and action plans based on greater understanding of risks and introduce scientific means to control risks.

'.2

GOAls

of Risk

MANAGEMENT

The goal of risk management is to optimize the risk-reward trade-off and to plan, and find the business accordingly. The primary goal of risk management is to measure risks in order to monitor and control them. Risk management is both a set of tools and techniques and a process that is required to implement the strategy of a bank. Asset Liability Management (ALM), which is a subset of risk management, focuses on liquidity risk and interest rate risk at the global level of the balance sheet. Risk management covers other risks, such as credit, market and operational risk. It also includes all the management processes, and the organization design required to implement efficiently the set of techniques and models which deal with risk measurement and control. The goal of risk management is, therefore, to measure, monitor and control risks with a view to develop capability for several important functions which may include:

Implementation of Strategy Risk management provides banks with a beUer view of the future and the ability to define the business policy accordingly. Risk can appear "theoretical" compared to the more practical realities such as business volume, margins and fees. Risks are possible and uncertain outcomes. Hence, there is a strong temptation to emphasize immediate goals and actions at the expense of future possible outcomes. However, today's risks are tomorrow's realities and cannot be ignored. Similarly, projections of business volumes and earnings cannot be made with absolute certainty and reliability and there remains an element of uncertainty causing doubts on usefulness of such projections, which are normally based upon a single scenario among a large number of others which are equally likely to take place and such a situation hides risks behind assumptions. In the case of banks, the uncertainty is too high to be replaced by some set of assumptions. Earnings are an outcome of constantly moving interest rates and other parameters. Earnings, variations are also at least as important as the projected level of earnings. There is a shift of emphasis from the single average projection to capturing the span of possible deviations and outcomes. Without risk management, there would be no visibility on possible outcomes, and on the possible fluctuations of profitability, nor any way to control the uncertainty over expected earnings and strategy implementation would be limited to commercial guidelines, with no view of their impact on the risk-reward trade-off of the banks .

• Development of competitive advantage: Risk generate future costs that have to be valued in some way. Ignoring today's risks amount to ignoring future losses. It also amounts to giving up taking corrective actions today to avoid them tomorrow. Today, future losses are only a possibility, but tomorrow they will turn into a reality. Controlling future costs, as much as current

Risk Management

17

costs, is a contribution to income, both present and future. This is why risk control is a key factor of profitability and competitive advantage. Risk just as costs, should be charged to customers whenever the competition makes it feasible. This is why risk management is closely related to pricing decisions. The knowledge of risks is a necessary input to finding out the appropriate prices to be charged to customers. It is also the only tool that allows pricing differentiation across customers of varying risks. If such differentiation does not exist, or if it is not risk based, perverse effects appear. The low-risk customers will be charged over-priced rates, and the high-risk customers will be charged under-priced rates. This will discourage the low-risk customers and subsidize the high-risk customers. If other banks price according to risks, the differential increases the adverse effect of mispricing. Not only does the mispricing bank attract high-risk customers, but also competitors discourage them. Similarly, not only does the mispricing bank overprice the low-risk customers, but also competitors attract them with lower rates. Without risk pricing, a bank does not anticipate the related costs in its price. It may discourage low-risk customers and attract high-risk customers and competitors may amplify the adverse effect of this absence of price differentiation whenever they price risks. Risk management helps in removal of such deficiencies and development of competitive advantage for banks. • Measure of risk and solvency: The reference to possible future losses raises the issue of defining what are future losses and also the question of average losses and unexpected losses. There are several types of potential losses; expected, unexpected, and exceptional losses. The expected losses, or EL, is statistical estimate of the average losses. The average losses represent statistical mean of gains and losses that are uncertain as of today. The average loss is often calculated for credit risk because it represents the statistical mean of losses across a portfolio and over all possible outcomes. The unexpected loss, or UL, is the adverse deviation from the average and are those losses that deviate from the expected value. Those deviations will occur with some frequency and needs to be dealt properly. The unexpected loss is the maximum loss that will be exceeded only in a limited given fraction of all cases i.e., the tolerance level.

The exceptional losses are those that occur beyond the maximum unexpected loss, the likelihood of which is normally very low. • Traditional risk management and its shortcomings: Traditional risk management has originally been developed around the concept of average risk. Since gains and losses tend to compensate across portfolio of transactions and across time, it sounds reasonable to consider that the cost of risk is simply the average loss. The concept of average risk presupposes the following principles: •

Across portfolios there will be high losses for some loans and higher earnings for some others;

•

Across time there will be periods of high business volume and earnings and also others where business opportunities and defaults tend to increase due to the general economic conditions,

•

Averaging over time and across portfolios should therefore cover the risk.

The shortcoming of this analysis is that it does not consider unexpected losses as if they do not seem to exist and that no protection is provided against them. The average losses do not capture the deviations from the average and simply suggest that favourable outcomes compensate

18

Risk Management in Indian Banks

for the adverse conditions. The analysis does not provide protection against such deviations. The matter could be better explained with the answer to the question that what would be the use of a shelter against the average rainfall if rainfall becomes greater than the average and the shelter is flooded . . Solvency depends on adverse outcomes, or "downside risk". There will always be losses above average. Most of them should be absorbed by capital to avoid bankruptcy. Though all-possible losses cannot be covered, yet at a minimum, a protection against all average losses, plus some safety cushion, has to be provided. This raises the issue of defining some maximum losses, with some probability, and of defining the adequate level of capital as a function of the losses that it should absorb. Losses are the outcome of all risks. Solvency risk is the end result of all risks combined with the available capital, which sets the maximum loss beyond which defaults occur. Risk management helps in defining the level of all potential losses with some probability and to define the adequate level of capital as a function of losses that it should absorb. It thus helps in assessment of solvency level for the bank derived from the evaluation of potential losses and risk measures .

• Aid to decision-making: Risk Management could be seen as a key factor of success if it is developed up to the stage where it has an impact on decision-making. Risk management includes the reporting and hedging of risks once decisions are made. But it should influence the decision-making process also i.e., the stage before the decisions are made. The challenge is to capture risks upstream in the decision process, not down stream when decisions have been made and when risks already exist. Those institutions, which control their risks, have the ability to take informed decisions. The knowledge of risks is a basic ingredient to decision-making. Risk management does facilitate those decisions because it sheds some light on risk. Obviously, risk management techniques cannot be a substitute for the decision-making process. Risk taking is a judgement process. It is simply not feasible to capture and measure all risk dimensions. Even though risks are measured, a decision still has to be made on the opportunity of a transaction, given its consistency with the commercial and financial policies of the bank. Risk management is not intended to model the entire decision-making process. It is intended to be a help to such a process .

• Aid to pricing decisions: The knowledge of risks allow banks to price them. Without knowledge of risks, the margins are not comparable from one transaction to another, from one customer to another or across business units. Further, if risks are not priced, adequately the protection against future costs is not borne and paid by customers. These are costs with no matching revenues. This is obvious in the case of credit risk. The statistical average of losses is included in the margins charged to customers. But this is not enough. The cost of the additional equity used up, as a protection against deviation of losses from the average should also be included. The issue is similar for all risks. Some risks are not measured at the transaction level, and are captured at portfolio level, such as the portfoliO of business units, or the consolidated portfolio of the bank. This does not change the basic issue that any unexpected loss, whether valued at the transaction or at a portfolio level, should be covered by capital, and that such coverage has a cost. Liquidity and interest rate risks are examples of risks, which are managed at the lev~1 of portfolios. Market risk is also diversified and managed at a portfolio level. All these risks require a capital

Risk Management

19

coverage since they generate unexpected losses. This capital has a cost which should be included in the target earnings. Obviously, the ability to price risks to customers depends upon the commercial capability of doing so. Competition makes this option theoretical for those banks, which are price takers, particularly and when pricing is competition driven. That does not mean that risk measures are useless if they cannot easily be translated into higher margins charged to customers. They allow banks that are price takers to know the cost of risks, and to compare it with other operating costs. Corrective actions can then be taken which focus on the most important cost items, operating costs, or the cost of risk coverage, or shifts in commercial policies, which will better match available capital with risks .

• Reporting and control of risks: Without risk measurement, it becomes unfeasible to compare the earnings across products, customers or business units. It is easy to increase current margins by taking risk. A simple solution is to lend to high-risk customers whose default rates will be above average in the future. But this policy leads to an immediate increase in margins, followed by defaults in a second stage. More prudent business units will maintain their margins over time. Hence, only risk-reward profiles are relevant. Risk reporting should be integrated with the more traditional earning reporting, It could be argued that risk reporting and measurement discourages risk taking by making risk explicit. This is not so, and should actually be understood as the opposite. Risk reporting and monitoring can encourage risk taking by providing explicit information on risks. With unknown risks, prudence will normally prevail and prevent risk taking decisions even though their profitability could be in line with risks. If the credit officers cannot show that expected margins and fees do cover risks, the credit department will be reluctant to take those risks. Risk management does not discourage the risk-taking process. It provides the information useful to take known and calculated risks .

• Management of portfolios of transactions: Even though banks have always followed well-known diversification principles, the active management of banking portfolios has been limited. Portfolio management is widely implemented with market transactions because diversification effects are obvious, because hedging risk is feasible with financial instruments, and because market risk is easily and constantly quantified. This is not so for the banking portfolio with emphasis of credit analysis at the transaction level, subject to limits defined by a credit department. The development of portfolio management for banking transactions is one of the newest fields of risk management"Many new factors have emerged which tend to change the nature and the impact of portfolio management. Such factors include: the willingness to make diversification effects more explicit and subject to quantitative measures, the belief that there is a significant potential to improve the risk-reward trade-off through management of banking portfOlio as a whole; rather than focusing only on individual banking transactions, the emergence of new instruments to manage credit risk, credit derivatives, the emergence of the loan trading market, where loans, otherwise illiquid, can be rated, priced, listed, and sold across an organized market. Such new opportunities generate new tools. Portfolio management deals with the optimization of the risk-reward profile by alterirg the composition of a portfolio. Classical portfolio management techniques rely more on commercial guidelines, based on minimum diversification, and/or aims at

20

Risk Management in Indian Banks

limiting risk concentrations in, some industries or with some big customers. The new portfolio management techniques, however, focus also on other dimensions with emphasis on the potential for improving the risk-reward profile of the portfolio and the means to achieve such goals. The reallocation of exposures across customers or industries can reduce risk without sacrifice in profitability. This is the familiar technique of manipulating the relative weights of individual commitments to improve the risk return trade-off, a technique well known and developed for market portfolios. What is new in this area is the implementation of such tools to banking portfolios with vastly improved measures of diversification. Furthermore, there is an additional flexibility provided by markets to shape the risk pr?file of portfolios through sales of loans or credit derivatives.

The risk management has a number of potential benefits. But it does raise a number of conceptual and practical challenges e.g., risk management is based on the ability to quantify risks but uncertainty does not lend itself easily to such type of measures. This reason alone explains why the scope of risk management remained limited for a long time. Shifting from implicit and qualitative valuations of risks to explicit quantitative risk management techniques is a quantum leap and implies a renewal of techniques and practices. To make such a change feasible, a number of conditions have to b.e met. First the definition of risk has to be improved so that risks can be tackled more efficiently. Second, the benefits of risk management have to become tangible enough to justify the shift. The potential application and the use of risk management as a policy tool for the top management of banks, greatly helps to meet this condition. Third, external incentives for banks are necessary to make the benefits more tangible. The capital adequacy regulations, with the related emphasis on internal models to value risks, provide such tangible benefits.

, . , TJiE

Risk

MANAGEMENT PROCESS

Risk management is both a top-down and bottom-up process. On the one hand the process involves certain actions initiated at the top of the organization with downward flow and on the other, certain actions are required to be taken at the business unit level with upward flow. At the top level, organizational goals, target earnings and risk limits are defined and are transmitted from the top level to business units responsible for transaction with customers in the form of target revenues, risk limits and guidelines with respect to business unit policies. This is achieved through top-down process. The monitoring and the reporting of risks are bottom-up oriented, starting with transactions and ending with consolidated risks, revenues and volumes of transactions. The aggregation is required for supervision purposes and to compare, at all levels where decisions are made, objectives and realization. In the end, the process involves the entire banking hierarchy from top to bottom, in order to turn global targets into business unit signals, and from bottom to top, to aggregate risks and profitability and monitor them. The risk management process can be explained through an image of pyramid as under: The image of pyramid offers a global view of the risk managementprdcess, combined with the risk diversification effect obtained by moving up the hierarchy. Each face 0f the pyramid can be thought of as a dimension of risk, such as credit risk or market risk. The pyramid image illustrates the important effect of risk diversification. The overall risk is less than the simple arithmetic addition of all original risks generated by transactions (at the base of pyramid) or by portfolios of transactions. From bottom to top, risks diversify. This allows the risks

Risk Management

21

taken at the transaction level to be increased up to the amount consistent with the capital, once the risks are aggregated and a significant portion of them is diversified away. One important challenge of modern risk management is to quantify such diversification effects. Without such quantification there are missing links between the sustainable risks, as measured at the level of transactions and the aggregated risks at the top of the pyramid that should be hedged by the bank's limited capital.

Risk and profitability allocations

'.4 PRiNciplES of Risk MANAGEMENT Risk management in financial markets has increasingly captured the attention of the regulators, the public and, the market participants themselves. Recent years have seen unprecedented levels of losses and litigation resulting from risky trades and investments and the responsibilities and liabilities of directors and officers have come under public scrutiny. The scope of risk management itself has been broadened and the need for enhanced standards of control over the risks has increased giving rise to the requirement of certain well-defined principles for risk management. The underlying fundamental theme for principles for establishing and maintaining a comprehensive and effective risk management framework would encompass the following: •

The ultimate responsibility for risk management must be with the Board of Directors Risk management must be driven down from the top by those charged with overall responsibilities for running the business;

•

The Board and Executive Management must recognize and address a wide variety of risk type, including those such as operational, legal, reputational and human resources risk, that do not readily lend themselves to measurement;

•

Support and control functions, such as the back and middle offices, internal audit, compliance, legal, IT and human resources, need to be an integral part of the overall risk management framework; and

•

Risk management objective and policies must be a key driver of the overall business strategy and must be implemented through supporting operational procedures and controls.

Generally, the principles for risk management should cover the following points: (i) Risk management strategy- Risk organization, capital allocation (ii) Risk management function- day to day responsibility to implement (iii) Risk measurement, reporting and control - quantification of risks

22

Risk Management in Indian Banks

(iv) Operations- front office, back office, firm-wide (v) Risk management systems, etc.

Broad Framework/Principles for Risk Management The Board of Directors should be responsible for recognizing all the risks to which the firm is exposed and ensuring that the requisite culture, practices, internal CC'1trols and systems are in place. The Board should also be responsible for allocating capital to business units in accordance with the firm's risk tolerance. To effect this, an integrated framework of responsibilities and functions driven down to operational levels must underpin the Board's risk management strategy. A risk management group, reporting to the Board normally through an executive committee, should be established with responsibility for defining risk management policies and ensuring that they are implemented effectively. Depending on the nature of the organization, these responsibilities may be assumed by another senior committee, if not the executive committee itself. The risk management policies, alongwith the associated responsibilities, must cover all aspects of risk, most notably market, credit, liquidity, operational, legal, regulatory, reputational and human resources risks. The day to day responsibility for risk monitoring, measurement and evaluation should rest with a dedicated risk management department, whose role is to implement the risk policies associated specifically with market, credit and liquidity risk arising from trading and investment activities. To support the risk management department in its day to day activities, risk managers should be appointed to cover each business unit, who should report to the risk management department on a daily basis. They should act as a link between the department and individual business units, whilst remaining independent from the later. The risk measurement, reporting and control framework requires the quantification of market, credit and liquidity risk. It must provide the capability to aggregate and monitor exposures, a comprehensive set of limits to ensure that the exposures remain within agreed boundaries, and a mechanism for evaluating performance on a risk adjusted basis. The risk measurement framework methodologies should be comprehensive and should adequately cover possible eventualities, for which suitable measures should be adopted which may include: •

a probability based measure such as value at risk;

•

risk sensitivity measures for more detailed analysis and control, especially for derivative products;

•

stress testing methods to determine the effect of abnormal market moves on the market value of the firm's portfolios.

Operational control is also equally important in risk management and many of the recent difficulties encountered by firms active in the financial markets have been a result of operational control problems rather than measurement problems. Accordingly a robust operational control system is required in the front, middle and back offices as well as strong firm-wide support functions covering the principal legal, reputational, technology and human resources risks. The system should include delegation of powers to commit for new risks, adequacy of information for the product, transaction and counterparty, procedures for financing and controls around the model used for pricing, valuation, internal audit, legal compliance, regulatory capital etc., it should also include guidelines for taxation, legal documentation, human resources etc.

Risk Management

23

Risk management system are critical to the success of the risk management framework and therefor the principles of risk management should also focus on data/information required, the requisite functionality of risk systems, requirements of data reconciliation and security controls, all on a timely basis and should also specify back-up and disaster recovery procedures in cases of disruption of systems. Banks should adopt suitable risk management policies and proper risk management techniques to hedge the risks they confront in various areas of their operations so as to match the requirements of capital allocation for the level of risks. To sum-up the framework for risk management and control should cover the full array of risks facing financial market's participants and the implications of managing these risks at all levels of an organization.

,. ~ PRiNciplES FOR MANAGEMENT of liQuidiTY Risk Liquidity risk is the potential inability to meet the bank's liabilities as they become due. It arises when the banks are unable to generate cash to cope with a decline in deposits or increase in assets. It originates from the mismatches in the maturity pattern of assets and liabilities. Measuring and managing liquidity needs are vital for effective operation of commercial banks. By assuring a bank's ability to meet its liabilities as they become due, liquidity management can reduce the probability of an adverse situation developing. Keeping in view the same, the Basel Committee on Banking Supervision has identified following principles fo~ the Assessment of Liquidity Management in Banks.

Developing a Structure for Managing Liquidity Principle 1: Each bank should have an agreed strategy for the day to day management of liquidity. This strategy should be communicated throughout the organization. Principle 2: A bank's Board of Directors should approve the strategy and significant policies related to the management of liquidity. The Board should also ensure that senior management takes the steps necessary to monitor and control liquidity risk. The Board should be informed regularly of the liquidity situation of the bank and immediately if there are any material changes in the bank's current or prospective liquidity position. Principle 3: Each bank should have a management structure in place to execute effectively the liquidity strategy. This structure should include the ongoing involvement of members of senior management. Senior management must ensure that liquidity is effectively managed, and that appropriate poliCies and procedures are established to control and limit liquidity risk. Banks should set and regularly review limits on the size of their liquidity positions over particular time horizons. Principle 4: A bank must have adequate information systems for measuring, monitoring, controlling, and reporting liquidity risk. Reports should be provided on a timely basis to the bank's Board of Directors, senior management and other appropriate personnel.

Measuring and Monitoring Net Funding Requirements Principle 5: Each bank should establish a process for the ongoing measurement and monitoring of net funding requirements. Principle 6: A bank should analyze liquidity utilizing a variety of "what if' scenarios. Principle 7: A bank should review frequently the assumptions utilized in managing liquidity to determine that they continue to be valid.

24

Risk Management in Indian Banks

Managing Market Access Principle 8: Each bank should periodically review its efforts to establish and maintain relationship with liability holders, to maintain the diversification of liabilities, and aim to ensure its capacity to sell assets.

Contingency Planning Principle 9: A bank should have contingency plans in place that address the strategy for handling liquidity crises and include procedures for making up cash flow shortfalls in emergency situations.

Foreign Currency Liquidity Management Principle 10: Each bank should have a measurement, monitoring and control system for its liquidity positions in the major currencies in which it is active. In addition to assessing its aggregate foreign currency liquidity needs and the acceptable mismatch in combination with its domestic currency commitments, a bank should also undertake separate analysis of its strategy for each currency individually. Principle 11: Subject to the analysiS undertaken according to Principle 10, a bank should, where appropriate, set and regularly review limits on the size of its cash flow mismatches over particular time horizons for foreign currencies in aggregate and for each significant individual currency in which the bank operates.

Internal Controls for Liquidity Risk Management Principle 12: Each bank must have an adequate system of internal controls over its liquidity risk management process. A fundamental component of the internal control system involves regular independent reviews and evaluation of the effectiveness of the system and, where necessary, ensuring that appropriate revisions or enhancements to internal controls are made. The results of such reviews should be available to supervisory authorities.

Role of Public Disclosure in Improving Liquidity Principle 13: Each bank should have in place, a mechanism for ensuring that there is an adequate level of disclosure of information about the bank in order to manage public perception of the organization and its soundness.

".6

PRiNciplES FOR MANAGEMENT of INTEREST RATE Risk

The Basel committee on Banking Supervision has issued guiding principles for the management of interest rate risk, in September 1997, giving crucial importance to sound controls and highlighting the need for the banks to have a comprehensive risk management process in place that effectively identifies, measures, monitors and controls interest rate risk exposures which should be subject to appropriate Board and Senior Management oversight. The principles outlined by the Basel Committee have also the objective for use by supervisory authorities while evaluating banks' interest rate management. These principles are intended to be of general applications even though their specific application will depend to some extent on the complexity and range of activities undertaken by individual banks and supervisory authorities should use them to reassess their own supervisory methods and procedures for monitoring how banks control interest rate risk depending upon a host of factors. including their on-site and off-site supervisory techniques. The principles

Risk Management

25

provide a useful framework for prudent supervision and also for obtaining information on interest rate risk, which can be used in a variety of ways by supervisory authorities to provide quantitative assessment of the interest rate risk faced by banks. The principles for the management of interest rate risk in brief are as under:

Board and Senior Management Oversight of Interest Rate Risk Principle 1: In order to carry out its responsibilities, the Board of Directors in a bank should approve strategies and policies with respect to interest rate risk management and ensure that senior management takes the steps necessary to monitor and control these risks. The Board of Directors should be informed regularly of the interest rate risk exposure of the bank in order to assess the monitoring and controlling of such risk. Principle 2 : Senior management must ensure that the structure of the bank's b~siness and the level of interest rate risk it assumes are effectively managed, that appropriate policies and procedures are established to control and limit these risks and that resources are available for evaluating and controlling interest rate risk. Principle 3 : Banks should clearly define the individuals and lor committees responsible for managing interest rate risk and should ensure that there is adequate separation of duties in key elements of risk management process to avoid potential conflicts of interest. Banks should have risk measurement, monitoring and control functions with clearly defined duties that are sufficiently independent from position taking functions of the bank and which report risk exposures directly to senior management and the Board of Directors. Larger or more complex banks should have a designated independent unit responsible for the design and administration of the bank's interest rate risk measurement, monitoring and control functions.

Adequate Risk Management Policies and Procedures Principle 4: It is essential that bank's interest rate risk policies and procedures be clearly defined and consistent with the nature and complexity of their activities. These policies should be applied on a consolidated basis and, as appropriate, at the level of individual affiliates, especially when recognizing legal distinctions and possible obstacles to movements among affiliates. Principle 5: it is important that banks identify the risks inherent in new products and activities and ensure these are subject to adequate procedures and controls before being introduced or undertaken. Major hedging or risk management initiatives should be approved in advance by the Board or its appropriate delegated committee.

Risk Measurement, Monitoring and Control Functions Principle 6: It is essential that banks have interest rate risk measurement systems that capture all material sources of interest rate risk and that assess the effect of interest rate changes in ways that are consistent with the scope of their activities. The assumptions underlying the system should be clearly understood by risk managers and bank management. Principle 7: Banks must establish and enforce operating limits and other practices that maintain exposures within levels consistent with their internal policies. Principle 8: Banks should measure their vulnerability to loss under stressful market conditions - including the breakdown of key assumptions and consider those results when establishing and reviewing their policies and limits for interest rate risk.

26

Risk Management in Indian Banks

Principle 9: Banks must have adequate information system for measuring, monitoring, controlling and reporting interest rate exposures. Reports must be provided on a timely basis to the bank's Board of Directors, Senior Management and where appropriate, individual business line managers.

Internal Controls Principle 10: Banks must have an adequate system of internal controls over their interest rate risk management process. A fundamental component of the internal control system involves regular independent reviews and evaluations of the effectiveness of the system and, where necessary, ensuring that appropriate revisions or enhancements to internal controls are made. The results of such reviews should be available to the relevant supervisory authorities.

Information for Supervisory Authorities Principle 11: Supervisory authorities should obtain from banks sufficient and timely information with which to evaluate their level of interest rate risk. This information should take appropriate account of the range of maturities and currencies in each bank's portfolio, including off-balance sheet items, as well as other relevant factors, such as distinction between trading and non-trading activities.

Capital Adequacy Principle 12: Banks must hold capital commensurate with the level of interest rate risk they undertake.

Disclosure of Interest Rate Risk Principle 13: Banks should release to the public information on the level of interest rate risk and their policies for its management.

'.7 PRiNciplES fOR TIiE MANAGEMENT of CREdiT Risks The Basel Committee on Banking Supervision has released final version of principles for the management of credit risk in September 2000 after obtaining comments of central banks, supervisory authorities, banking associations and other institutions. The committee observed that while financial institutions have faced difficulties over the years for a multitude of reasons, the major cause of serious banking problems continues to be directly related to lax credit standards for borrowers and counterparties, poor portfolio risk management, or lack of attention to changes in economic and other circumstances that can lead to deterioration in the credit standing of a bank's counterparties. This experience is common in both G-10 and non-G-10 countries. Credit risk is most simply defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms. The goal of credit risk management is to maximize a bank's risk adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banks should also consider the relationships between credit risk and other risks. The effective management of credit risk is a critical component of a comprehensive approach to risk management and essential to the long-term success of any banking organization. For most banks, loans are the largest and most obvious source of credit risk; however, other sources of credit risk exist throughout the activities of a bank, including in. the banking book and in

Risk Management

27

the trading book, and both on and off the balance sheet. Banks are increasingly facing credit risk (or counterparty risk) in various financial instruments other than loans, including acceptances, interbank, transactions, trade financing, foreign exchange transactions, financial futures, swaps, bonds, equities, options, and in the extension of commitments and guarantees, and the settlement of transactions. Since exposure to credit risk continues to be the leading source of problems of banks worldwide, banks and their supervisors should be able to draw useful lessons from past experiences. Banks should now have a keen awareness of the need to identify, measure, monitor and control credit risk as well as to determine that they hold adequate capital against these risks and that they are adequately compensated for risks incurred. Keeping in view these observations, the Basel Committee issued the revised document, containing principals for the management of credit risk, in September 2000, in order to encourage banking supervisors globally to promote sound practices for managing credit risk. Although the principles contained in the document are most clearly applicable to the business of lending, they should be applied to all activities where credit risk is present. The sound practices set out in the document specifically address the following areas: (i) establishing an appropriate credit risk environment; (ii) operating under a sound credit granting process, (iii) maintaining an appropriate credit administration, measurement and monitoring process; and (iv) ensuring adequate control over credit risk. Although specific credit risk management practices may differ among banks depending upon the nature and complexity of their credit activities, a comprehensive credit risk management program will address these four areas. These practices should also be applied in conjunction with sound practices related to the assessment of asset quality, the adequacy of proviSions and reserves, and the disclosure of credit risk and should be used in evaluating bank's credit risk management system.

The Principles for the assessment of Bank's Management of Credit Risk, in brief, are as under:

A. Establishing an Appropriate Credit Risk Environment Principle 1: The Board of Directors should have. responsibility for approving and periodically (at least annually) reviewing the credit risk strategy and significant credit policies of the bank. The strategy should reflect the bank's tolerance for risk and the level of profitability the bank expects to achieve for incurring various credit risks. PrinCiple 2: Senior management should have responsibility for implementing the credit riskstrategy approved by the Board of Directors and for developing policies and procedures for identifying, measuring, monitoring and controlling credit risk. Such poliCies and procedures should address credit risk in all of the bank's activities and at both the individual credit and portfolio level. Principle 3: Banks should identify and manage credit risk inherent in all products and activities. Banks should ensure that the risks of products and activities new to them are subject to adequate risk management procedures and controls, before being introduced or undertaken, and approved in advance by the Board of Directors or its appropriate committee.

28

Risk Management in Indian Banks

B. Operating under A Sound Credit Granting Process Principle 4: Banks must operate within sound, well-defined credit-granting criteria. These criteria should include a clear indication of the bank's target market and a thorough understanding of the borrower or the counterparty, as well as the purpose and structure of the credit, and its source of repayment. Principle 5: Banks should establish overall credit limits at the level of individual borrowers and counterparties, and groups of connected counterparties that aggregate in a comparable and meaningful manner different types of exposures, both in the banking and trading book and on and off the balance sheet. Principle 6: Banks should have a clearly-established process in place for approving new credits as well as the amendment, renewal and re-financing of existing credits. Principle 7: All extensions of credit must be made on an arm's-length basis. In particular, credits to related companies and individuals must be authorized on an exception basis, monitored with particular care and other appropriate steps taken to control or mitigate the risks of non-arm's length lending.

C. Maintaining an Appropriate Credit Administration, Measurement and Monitoring Process Principle 8: Banks should have in place a system for the ongoing administration of their various credit risk-bearing portfolios. Principle 9: Banks must have in place a system for monitoring the condition of individual credits, including determining of adequacy of provisions and reserves. Principle 10: Banks are encouraged to develop an internal risk rating system in managing credit risk. The rating system should be consistent with the nature, size and complexity of a bank's activities. Principle 11: Banks must have information systems and analytical techniques that enable the management to measure the credit risk inherent in all on- and off-balance sheet activities. The management information system should provide adequate information on the composition of the credit portfolio, including identification of any concentration of risk. Principle 12: Banks must have in place a system for monitoring the overall composition and quality of the credit portfolio. Principle 13: Banks should take into consideration potential future changes in economic conditions when assessing individual credits and their credit portfolios, and should assess their credit risk exposures under stressful conditions.

D. Ensuring Adequate Controls over Credit Risk Principle 14: Banks must establish a system of independent, ongoing assessment of the bank's credit risk management processes and the results of such reviews should be communicated directly to the Board of Directors and senior management. Principle 15: Banks must ensure that the credit-granting function is being properly managed and that credit exposures are within levels consistent with prudential standards and internal limits. Banks should establish and enforce internal controls and other practices to ensure that exceptions to policies, procedures and limits are reported in a timely manner to the appropriate level of management for action.

29

Risk Management

Principle 16: Banks must have a system in place for early remedial action on deteriorating credits, managing problem credits and similar workout situations.

E. The Role of Supervisors Principle 17: Supervisors should require that banks have an effective system in place to identify, measure, monitor and control credit risk as part of an overall approach to risk management. Supervisors should conduct an independent evaluation of a bank's strategies, policies, procedures and practices related to the granting of credit and the ongoing management of the portfolio. Supervisors should consider setting prudential limits to restrict bank exposures to single borrowers or groups of connected counter parties.

'.8

PRiNciplES FOR MANAGEMENT

of

OPERATiONAl

Risks

Deregulation and globalization of financial services, together with the growing sophistication of financial technology, are making the activities of banks (and thus their risk profiles) more diverse and complex. Developing banking practices suggest that risks other than credit risk, interest rate risk and market risk can be substantial. Examples of these new and growing risks faced by banks include: •

If not properly controlled, the use of more highly automated technology has the potential to transform risks from manual processing errors to system failure risks, as greater reliance is placed on globally integrated systems;

•

Growth of e-commerce brings with it potential risks (e.g., external fraud and system security issues) that are not yet fully understood;

•

Large-scale mergers, de-mergers and consolidations test the viability of new or newly integrated systems;

•

The emergence of banks acting as very large-volume service providers creates the need for continual maintenance of high-grade internal controls and back-up systems;

•

Banks may engage in risk mitigation techniques (e.g., collateral, credit derivatives, netting arrangements and asset securitization) to optimize their exposure to market risk and credit risk, but which in turn may produce other forms of risk, and

•

Growing use of outsourcing arrangements and the participation in clearing and settlement systems can mitigate some risk but can also present significant other risks to banks.

The diverse set of risks listed above can be grouped under the heading of 'operational risk', which for the supervisory purposes the Basel Committee has defined as 'the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events'. The definition includes legal risk but excludes strategic, reputational and systemic risks. For development of an appropriate risk management environment the Committee has structured following risk management principles for management of operational risk in banks:

Developing an Appropriate Risk Management Environment Principle 1: The Board of Directors should be aware of the major aspects of the bank's operational risk as a distinct risk category that should be managed, and it should approve and periodically review the bank's operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.

30

Risk Management in Indian Banks

Principle 2: The Board of Directors should ensure that the bank's operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management. Principle 3: Senior management should have responsibility for implementing the operational risk management framework approved by the Board of Directors. The framework should be implemented throughout the whole banking organization, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank's products, activities, processes and systems.

Risk Management: Identification, Assessment, Monitoring, and Mitigationl Control Principle 4: Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subjected to adequate assessment procedures. Principle 5: Banks should implement a process to regularly monitor operational risk profiles and material exposure to losses. There should be regular reporting of pertinent information to senior management and Board of Directors that supports the proactive management of operational risk. Principle 6: Banks should have policies, processes and procedures to control or mitigate material operational risks. Banks should assess the feasibility of alternative risk limitation and control strategies and should adjust their operational risk profile using appropriate strategies, in light of their overall risk appetite and profile. Principle 7: Banks should have in place contingency and business continuity plans to ensure their ability to operate as going concerns and minimize losses in the event of severe business disruptions.

Role of Supervisors Principle 8: Banking supervisors should ensure that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control or mitigate material operational risk as part of an overall approach to risk management. Principle 9: Supervisors should conduct directly or indirectly, regular independent evaluation of a bank's policies, procedures and practices related to operational risks. Supervisors should ensure that there are appropriate reporting mechanisms in place which allow them to remain appraised of developments at banks.

Role of Disclosure PrinCiple 10: Banks should make sufficient public disclosures to allow market participants to assess their approach to operational risk management.

'.9 Risk MANAGEMENT PRiNciplES FOR ElECTRONic BANkiNG Continuing technological innovations and competition among existing banking organizations and new entrants have allowed for a much wider array of banking products and services to become

Risk Management

31

accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as e-banking. However, the rapid development of e-banking capabilities carry risk as well as benefits. The Basel Committee on Banking Supervision expects such risks to be recognized, addressed and managed by banking institutions in a prudent manner and has identified following principles for e-banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking acHvities'.

Board and Management Oversight Principle 1: The Board of Directors and senior management should establish effective, management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks. Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank's security control processes. Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third party dependencies supporting e-banking.

Security Controls Principle 4: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the internet. Principle 5: Banks should use transaction authentication methods that promote nonrepudiation and establish accountability for e-banking transactions. Principle 6: Banks should ensure that appropriate measures are in place to promote adequate segregation of duties with e-banking systems, databases and applications. Principle 7: Banks should ensure that proper authorization controls and access privileges are in place for e-banking systems, databases and applications. Principle 8: Banks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions, records and information. Principle 9: Banks should ensure that clear audit trails exist for all e-banking transactions. Principle 10: Banks should take appropriate measures to preserve the confidentiality of key e-banking information. Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases.

Legal and Reputational Risk Management Principle 11: Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the bank's identity and regulatory status of the bank prior to entering into e-banking transactions. Principle 12: Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services. Principle 13: Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.

32

Risk Management in Indian Banks

Principle 14: Banks should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.

'.10 Risk

MANAGEMENT PoliciES

It must be noted at the very outset that risk management does not aim at risk reduction or risk elimination. Risk will always remain in banking business and returns to banks will depend upon the risks they will undertake. Risk management enables banks to bring their risk levels to manageable proportions while not severely reducing their income. Thus, risk management enables a bank to take the required level of exposures in order to meet its profit targets. This balancing act between the risk levels and profits need to be well planned. The policy formulation by the bank should be done keeping in view the risk appetite and culture, properly defining the objectives of the policy, bank's philosophy, risk tolerance levels i.e., the standard levels of exposure that the bank will maintain in order to protect cash flows, kinds of risk to be absorbed, instruments for management of risks, benchmark levels, MIS for identification and measurement of risks etc. The risk levels set by the bank should neither be so high that it goes beyond the bank's capacity to manage it, nor, should it be so low that the profitability is affected. The bank should decide on a particular risk exposure level only if it aids in achieving the bank's objectives and also if it believes that it has the capacity to manage the risk for a gain. If either of the conditions is not met, the bank will have to try and eliminate/minimize the risk. It may be noted that the decision making is an essential and integral part of management in every organization, including banking. This process becomes complicated for two reasons: •

All decisions are regarding future and consequences are not clearly known at the time of taking the decisions, and

•

The sufficiency and accuracy of the inputs required for the decision are known in retrospective and not in prospective.

An objective approach to decision-making pre-supposes the following: Alternatives to select from Identification of consequences for each alternative Quantification of the consequences Identification of outcomes that are likely to prevail which will determine the quantification of consequences Policy formulation should be done keeping in view all the complexities, which may be required to be addressed in day to day functioning of any banking organization. Normally, a policy is a long-term documenU framework to tackle risk and therefore the frequency of changing the same is generally very low. Banks should, therefore, keep long term perspective in mind while framing the policies and simultaneously formulate strategies to implement the policies. . A strategy is that which is developed to implement a policy. Clearly, then, a strategy will be for a relatively shorter period. Given the exposures and volatilities, a strategy aids in managing these risks. Firstly, the possible options and the risks attached to them are examined in order to know the effect of each option on the cash flows and earnings. With this information, a strategy will be developed to identify the sources of losses/gains, and how efficiently the risks can be shifted to enhance profits

Risk Management

33

while reducing the exposure. Strategies differ widely depending on the nature of exposure, the type of transaction, etc. Depending on these features, a strategy will also state the instruments that are to be used to manage exposure, tenors and counterparties.

'.11 NEEd FOR INTEGRATioN of VARious Risk CATEGORiES INTEGRATEd Risk MANAGEMENT (IRM) One important feature of various bank risks is that there is linkage between them. For example, if the bank charges its client a floating rate of interest, in cases of increasing interest rate scenario, the bank's interest rate risk will be lower. However, this enhances the payment obligations of the borrower and, therefore, other things remaining constant, the default risk increases. If the client is not able to bear the burden of rising rates, there may be possibility of default. Thus, there may be instances where interest rate risk may eventually lead to a credit risk. Further, the credit risk itself is closely associated with the forex risk in the case of borrowers whose earnings are extremely influenced by exchange rates. As risks are highly interdependent and events that effect one area of risk can have ramifications for other risk categories, banks should adopt integrated risk management policies. While framing integrated risk management policies banks should cover all kind of risks they envisage in their day to day business operations which should cover the following: •

Credit Risk; Market Risk, covering;

• Liquidity Risk; • Interest Rate Risk; • Foreign Exchange Risk; • Equity Price Risk; • Commodity Price Risk; • Solvency Risk; • Operational Risk etc. •An integrated risk management framework should drive a comprehensive view of the risk for the whole organization. It should incorporate risk identification, measurement, limit setting, monitoring and control into a bank-wide endeavour. It should be a forward looking framework for making informed decisions. Integrated Risk Management done right, will enable an organization to make risk-return trade-offs and to understand the implications for the entire organization. IRM does not preclude risk taking but helps banks take risks wisely. IRM provides a consistent framework for deciding which risks to take and how to take them. For example it helps in deciding whether to •

Keep all the risk exposures;

•

Put limits on the risk exposures;

•

Use tools to hedge or otherWise mitigate the risks;

•

Share the risks;

•

Insure against it;

•

Transfer it; or

•

Not take it at all.

34

Risk Management in Indian Banks

Integrated Risk

Manag~ment

policies and framework should include the following aspects:

1.

Defining the requirements for business risk management throughout and across the organization. This requires sponsorship from the top, a clear definition that what is expected from whom, and clear responsibilities and accountabilities.

2.

Adopting a common language for risk management. This means having a broad and consistent definition of risk used throughout the organization.

3.

Utilizing analytical and management frameworks to help identify and assess various business risks, their relationship, and their impact.

4.

Creating new structures and/or responsibilities for risk management throughout the entire organization. This means creating structures to monitor outcomes and make decisions, to drive the risk management process, to respond to change, and to provide advice and guidance to best practices.

5.

Clearly defining management processes. controls, monitoring and reporting activities, so that all of the pieces fit together.

6.

Using technology to facilitate the risk management process, capture risks, assess risks/ controls, and product reports e.g., data base to support risk analysis and control activities, decision support tools, and quantitative modelling.

7.

Providing well designed education and support for line managers and their staff so that people know what they are supposed to do and have the skills and tools to do it.

The objective of risk management is to make risk management a core competency used in day to day activities.

,. 12 Risk

MANAGEMENT STRUCTURE

The Board of Directors and senior management assumes the overall responsibility for risk management in banks. Banks are also required to adopt an integrated approach in risk management covering all kinds of risk, which they face in day to day operations and have to adopt suitable risk management structure to meet these requirements. Sound organizational structure is sine qua non for successful implementation of an effective risk management system. A major issue in establishing an appropriate risk management organization structure is choosing between a centralized and decentralized structure. The global trend is towards centralizing risk management with integrated treasury management function to benefit from information on aggregate exposure, natural netting of exposures, economies of scale and easier reporting to top management. The primary responsibility of understanding the risks run by the bank and ensuring that risks are appropriately managed is vested with the Board of Directors. The Board sets risk limits by assessing the bank's risk and risk-bearing capacity. At organizational level, overall risk management is assigned to an independent Risk Management Committee / committees of top executives that reports directly to the Board of Directors. The functions of the committees are to identify, monitor and measure the risk profile of the bank and to monitor compliance of various risk parameters by operating departments. Various other groups/sub-groups may also be formed to take care of different kinds of risk. The committees/groups may manage risks by setting up a suitable MIS. A prerequisite for establishment of an effective risk management system is the existence of a robust MIS, consistent in quality. Wherever required the existing MIS are suitably upgraded for strengthening of the data

Risk Management

35

collection machinery to ensure the integrity and reliability of data. The risk management is a complex function and it requires specialized skills and expertise. Banks have been moving towards the use of sophisticated models for measuring and managing risks. As the domestic market integrates with the international markets, the banks require necessary expertise and skill in managing various types of risks in a scientific manner. However, given the diversity of balance sheet profile, it is difficult to adopt a uniform framework for management of risks in India. The design of risk management should be bank specific, dictated by the size, complexity of functions, the level of technical expertise and the. quality of MIS. As already mentioned above sound organizational structure is sine qua non for successful implementation of an effective risk management system. Banks may adopt structure, which may have the following features: •

The Board of Directors should have the overall responsibility for management of risks. The Board should decide the risk management policy of the bank and set limits for liquidity, interest rate, foreign exchange and equity price risks.

•

The Risk Management Committee (RMC) should be a Board level sub-committee including the Chief Executive Officer (CEO) and heads of Credit, Market and Operational Risk Management Committees. The RMC should devise the policy and strategy for integrated risk management containing various risk exposures of the bank including the credit, market and operational risk. For this purpose, this committee should effectively co-ordinate between the Credit Risk Management Committee (CRMC), the Asset Liability Management Committee (ALCO) and other risk committees of the bank, if any. The independence of the committee should be preserved and the Board should ensure that the same is not compromised at any cost. In the event of the Board not accepting any recommendation of this committee, a system should be put in place to spell out the rationale for such an action and should be properly documented. The responsibilities of Risk Management Committee should include:

•

(i)

Setting policies and guidelines for risk measurement, management and reporting,

(ii)

Ensuring that risk management processes (including people, systems, operations, limits and controls) satisfy bank's policy;

(iii)

Reviewing and approving risk limits fixed for different risk categories;

(iv)

Ensuring robustness of risk management models and the effectiveness of systems used to calculate risks;

(v)

Provision of qualified and competent staff.

The Asset Liability Management Committee (ALCO) should be set up with the objective to manage the position of Assets and Liabilities of the Bank. The ALCO should be responsible for ensuring adherence to the limits set by the Board as well as for deciding the business strategy of the bank in line with bank's budget and decided risk management objectives. The role of ALCO should include: (i)

Product pricing for deposits and advances;

(ii)

Deciding on the desired maturity profile and mix of incremental assets and liabilities;

(iii)

Articulating interest rate view of the bank and deciding on the future business strategy;

(iv)

Reviewing and articulating funding policy;

Risk Management in Indian Banks

36

(v)

Decide the transfer pricing policy of the bank;

(vi)

Reviewing economic and political impact on the balance sheet.

The size of ALCO may depend on the size of the bank, business mix and organizational complexity. To ensure commitment of the Top Management and timely response to market dynamics, the CEO/ED should head the ALCO and the chiefs of Investment, Credit, Resource Management or Planning, Funds ManagementlTreasury (forex and domistic), International Banking and Economic Research can be members of the committee. In addition, the Head of the Technology Division should also be an invitee for building up of MIS and related computerization. Banks may also have sub-committees/support groups to assist the ALCO. The ALM Support Groups consisting of operating staff should be responsible for analyzing, monitoring and reporting the risk profile to the ALCO. The Risk Management Group should prepare forecasts (simulations) showing the effects of various possible changes in market cO{lditions related to the balance sheet and recommend the action needed to adhere to bank's internal limits, etc. Banks may also have the Middle Office responsible for the critical function of independent market risk monitoring, measurement, analysis and reporting for the bank's ALCO. Ideally this is a full time function reporting to, or encompassing the responsibility for acting as ALCO's secretariat. An effective middle office provides the independent risk assessment which is critical to ALCO's key function of controlling and managing market risks in accordance with the mandate established by the Board / Risk Management Committee. It is highly specialized function and must include trained and competent staff, expert in market risk concepts. The methodology for analysiS and reporting will vary from bank to bank depending on their degree of sophistication and exposure to market risks. In respect of banks without a formal Middle Office, it should be ensured that risk control and analysis should rest with a department with clear reporting independence from Treasury or risk taking units, until formal Middle Office frameworks are established. Banks should constitute a high level Credit Policy Committee (CPC), also called Credit Risk Management Committee (CRMC) or Credit Control Committee (CCC) etc., to deal with issues relating to credit policy and procedures and to analyze, manage and control credit risk on a bank wide basis. The Committee should be headed by the Chairman/CEO/ED, and should compromise heads of Credit Department, Treasury, Credit Risk Management Department (CRMD) and the Chief Economist. The Committee should, inter alia, formulate clear pOlicies on standards for presentation of credit proposals, financial covenants, rating standards and benchmarks, delegation of credit approving powers, prudential limits on large credit exposures, asset concentrations, standards for loan collateral, portfolio management, loan review mechanism, risk concentrations, risk monitoring and evaluation, pricing of loans, provisioning, regulatoryllegal compliance, etc. Concurrently, each bank should also set up Credit Risk Management Department (CRMD), independent of the Credit Administration Department (CAD). The CRMD should enforce and monitor compliance of the risk parameters and prudential limits set by the CPC. The CRMD should also lay down risk assessment systems, monitor quality of loan portfolio, identify problems and correct deficiencies, develop MIS and undertake loan review/audit. Large banks may consider separate set up for loan review/audit. The CRMD should be accountable for protecting the quality of the entire loan portfolio. The department should undertake portfolio evaluations and conduct comprehensive studies on the environment to test the resilience of the loan portfolio. While the Asset-Liability Management Committee (ALCO) deals with different type of market risk, the Credit Policy Committee (CPC) oversees the credit! counterparty risk and country risk.

Risk Management

37

Thus, market and credit risks are managed in a parallel two-track approach in banks. Currently, while market variables are held constant for quantifying credit risk, credit variables are held constant in estimating market risk. The economic crises in some of the countries have revealed a strong correlation between unhedged market risk and credit risk. Forex exposures, assumed by corporates who have no natural hedges, will increase the credit risk which banks run vis-a-vis their counter parties. Thus, there is a need for integration of the activities of both the ALGa and the GPG and consultation process need to be established to evaluate impact of market and credit risks on the financial strength of banks. Similarly, to manage operational risks and IT related risks banks should have Operational Risk Management Departments/Committees and IS/IT Security Department/Security Committee. Such departments should take care to devise policies procedures for identification/measurement! monitoring and control of operational risk/IS security risk inolved in activities/products of the bank and should report the same to the Top Management!Board of Directors.

To sum up Risk Management Structure in a Bank may comprise of the following: •

Board of Directors

•

Risk Management Committee

•

Asset Liability Management Committee

•

Market Risk Management Department!Middle Office

•

Credit Policy Committee

•

Credit Risk Management Department

•

Credit Approving Authority/Approval Grid

•

Loan Review Mechanism

•

IT and Software Related Risk Management Department

•

Operational Risk Control Department etc.

DOD

QURNTITRTIVE RISK MERSUREMENT

4. 1

IMPORTANCE of OUANTiTATivE Risk MEASUREMENT

Quantitative measurement of risks playa very important role in risk management as risk measurement can progress only through quantitative risk measures. This is because it is not possible to control risks or set limits without quantitative measures of risks. Banks have been living with risks all along and may be described as 'Risk Machine'. Banks take risks, transform them, embed them into their banking products and service the products. To the extent a bank takes risk more consciously, timely anticipates adverse changes and adopt hedges against the risks, it becomes a source of competitive advantage, as it can offer its products at a better price than its competitors. The bank's, bottom line is also directly related to the success of its risk management practices. While some risks like credit risk are natural to the banking, with progressive deregulation market risks caused by changes in market variables such as interest rate, foreign exchange rate, equity price, commodity price etc., have become more important. Not only these, there are several operational risks to which banks are exposed and which have increased enormously due to adoption of technology and increasing usage of the same. Thus, banks are exposed to a number of risks which need to be managed by them on a regular basis;

The first step in risk management after risk identification is risk measurement. Unless a risk is measured it cannot be managed. The real task in risk management is to identify and measure accurately the risks involved, quantify them, aggregate them to the extent possible to arrive at estimated total risk for the purpose of comparison with bank's capital/earnings etc.

4.2

INdicATORS fOR OUANTiTATivE MEASUREMENT of Risks

There are varieties of sets of risk measures for quantitative measurement of risks, which can be utilized for measurement of risks. Such measures aim at estimating the variation of a given target variable like earnings or market value, generated by some random parameter, such as interest rate or any other market parameter. There are a number of specific quantitative indicators of risks that are commonly used which can be grouped into following three categories:

Quantitative Risk Measurement

39

•

Sensitivity of Target Variables, such as earnings or the interest margins to the movements of underlying market parameters, which captures the deviation of the target variable generated by a unit movement of a single market rate (for instance, an interest rate shift of 1%);

•

Volatility, which captures the variations around the average of any random parameter or target variable, both upside and downside and is a statistical measure of dispersion around the mean; and

•

Downside Risk or VaR, which focus on adverse deviations only and is the magnitude of adverse effects of uncertain parameters on target variables. They are expressed as a "worst case" value of some target variable, such as earnings, with some probability attached to that value.

These different types of measures fit together because they address different dimensions of risks. The downside measure is the most "comprehensive" measure of risk as it integrates sensitivity and volatility with the adverse effect of uncertainty. -

4.'

MEASURiNG UNCERTAiNTY -

STRESS TEST/WORST CASE SCENARio

Concept of Stress Test: All random factors that alter the environment and the financial markets e.g., interest rates, exchange rates, stock indexes etc., are not measurable. There are unexpected and exceptional events that radically and abruptly alter the general environment. Such unpredictable events might generate fatal risks and may cause failure of business. The only way to deal with such risks is through stress scenario, or "worst Gase" scenario where all relevant parameters take extreme values. Those values are considered unlikely, but they serve the purpose of illustrating the consequences of such extreme situations.

Stress testing is a common practice to address highly unlikely evems to assess the risk of a transaction or to see how the market portfolio would behave. Extreme scenarios are also used to structure transactions with several credit risk mitigators that protect them from default of the borrower by making explicit the degree of safety provided by the structure, and how far from the base scenario are the extreme conditions that generate the default and losses. "Stress testing" has been adopted as a generic term describing various techniques used by banks to gauge their potential vulnerability to exceptional, but plausible events. Stress testing addresses the large moves in key market variables of that kind that lie beyond day to day risk monitoring but that could potentially occur. The process of stress testing, therefore, involves first identifying these potential movements, including which market variables to stress, how much to stress them by, and what time frame to run the stress analysis over. Once these market movements and underlying assumptions are decided upon, shocks are applied to the portfolio, Revaluing the portfolios allows one to see what the effect of a particular market movement has on the value of the portfolio and the overall profit and loss. Techniques of Stress Test: Stress Testing covers many different techniques some of which are as under: •

Simple Sensitivity Test for studying the change in portfolio value for one or more shocks to a single risk factor. A simple sensitivity test isolates the short-term impact on a portfolio's value of a series of predefined moves in a particular market risk factor. For example, if the risk factor were an exchange rate, the shocks might be exchange rate changes of ± 2 per cent, 4 per cent, 6 per cent and 10 per cent.

40

Risk Management in Indian Banks

•

Scenario Analysis (hypothetical or historical) for studying the change in portfolio value if the scenario were to occur. A scenario analysis specifies the shocks that might plausibly affect a number of market risk factors simultaneously if an extreme, but possible, event occurs. It seeks to assess the potential consequences for a firm of an extreme, but possible, state of the world. A scenario analysis can be based on an historical event or a hypothetical event. Historical scenarios employ shocks that oCt.Urred in specific historical episodes. Hypothetical scenarios use a structure of shocks thought to be plausible in some foreseeable, but unlikely circumstances for which there is no exact parallel in recent history. Scenario analysis is currently the leading stress testing technique.

•

Maximum Loss for assessment of sum of individual trading units' worst case scenarios. A maximum loss approach assesses the riskiness of a business unit's portfolio by identifying the most potentially damaging combination of moves of market risk factors.

•

Extreme Value Theoryfor probability distribution of extreme losses. Extreme value theory (EVT) is a means to better capture the risk of loss in extreme, but possible, circumstances. EVT is notable for being the only stress test technique that attempts to attach a probability to stress test results.

Characteristics of a Good Stress Test: A good stress test should •

be relevant to the current position;

•

consider changes in all relevant market rates;

•

examine potential regime shifts (whether the current risk parameters will hold or break down);

•

spur discussion;

•

consider market illiquidity; and

•

consider the interplay of market and credit risk.

Usage of Stress Test: Stress tests produce information summarizing the firm's exposure to extreme, but possible, circumstances. The role of risk managers in the bank should be assembling and summarizing information to enable senior management to understand the strategic relationship between the firm's risk-taking (such as the extent and character of financial leverage employed) and risk appetite. Typically, the results of a small number of stress scenarios should be computed on a regular basis and monitored over time. Some of the specific ways stress tests are used to influence deciSion-making are to: •

manage funding risk

•

provide a check on modelling assumptions

•

set limits for traders

•

determine capital charges on trading desks' positions.

Manage funding risk: Senior managers use stress tests to help them make decisions regarding funding risk. Managers have come to accept the need to manage risk exposures in anticipation of unfavourable circumstances. The significance of such information will vary according to a bank's exposure to funding or liquidity risk. Provide a check on modelling assumptions: Scenario analysiS is also used to highlight the role of particular correlation and volatility assumptions in the construction of banks' portfolios of

Quantitative Risk Measurement

41

market risk exposures. In this case, scenario analysis can be thought of as a means through which banks check on the portfolio's sensitivity to assumptions about the extent of effective portfolio diversification.

Set limits for traders: Stress tests are also used to set limits. Simple sensitivity tests may be used to put hard limits on bank's market risk exposures. Determine capital charges on trading desks' positions: Banks may also initiate capital charges based on hypothetical losses under certain stress scenarios. The capital charges are deducted from each business unit's bonus pool. This procedure may be designed to provide each business unit with an economic incentive to reduce the risk of extreme losses.

Limitations of Stress Tests: Stress testing can appear to be a straightforward technique. In practice, however, stress tests are often neither transparent nor straightforward. They are based on a large number of practitioner choices as to what risk factors to stress, how to combine factors stressed, what range of values to consider, and what time frame to analyze. Even after such choices are made, a risk manager is faced with the considerable tasks of sifting through results and identifying what implications, if any, the stress test results might have for how the firm should manage its risk-taking activities. A well-understood limitation of stress testing is that there are no probabilities attached to the outcomes. Stress tests help answer the question "How much could be lost?" The lack of probability measures exacerbates the issue of transparency and the seeming arbitrariness of stress test design. Systems incompatibilities across business units make frequent stress testing costly for some firms, reflecting the limited role that stress testing had played in influencing the firm's prior investments in information technology. Stress tests and quantitative risk measures are not the only way to capture all the uncertainties. First, they are limited to a given set of assumptions, which can underestimate some risks. Second, there are intangibles that require a judgmental evaluation rather than making worst-case assumptions. Even the simplest credit application requires some judgement with respect to the management ability of the borrower, the outlook for the industry and so on, which are not quantified. Therefore, it is more or less necessary for all the due diligence processes to carry out judgmental assessment. Quantitative techniques address only those risks that are measurable. Intangible risks have to be appraised carefully. However, the current trend to focus on quantitative measures and extend their range because all measures of risk should be translated, in the end into risk-based capital, at least as much as it is feasible. The quantitative measures, which are in vogue, include sensitivity, volatility and VaR.

4.4 SENSiTivity ANAlysis Concept: Sensitivity gives the change in value due to change/ variation of the underlying parameter. Sensitivity is the ratio of two variations. Sensitivity can be defined as the ratio of the variation of earnings, such as interest margins or changes of the mark-to market values of instruments, to a given variation of the underlying random parameter (e.g., interest rates, exchange rates and stock prices etc.) that generates this variation. For example, the sensitivity of a bond price with respect to a unit interest rate variation is equal to 10. Such sensitivity means that a 1% interest rate variation generates a relative price variation of the bond of 10%. The same sensitivity can also be expressed in terms of value. For example if the price of a bond is Rs. 1000, its variation will be 10% of Rs. 1000 i.e., Rs. 100. The concept of sensitivity can be expressed by the following formula:

42

Risk Management in Indian Banks

S (value) = tN/A (market parameter)

S (% of value)

=[AN] A (market parameter)

Here S represents sensitivity, tl represents change and V represents value. The sensitivity gives the change in value for a small variation of the underlying parameter and, therefore, the results of the same are approximation of the change. Further, there may be other market parameters that may influence the value and accordingly there will be equal number of sensitivities for various market parameters. For example, a market portfolio may depend upon interest rates in various currencies, exchange rates and equity indexes and, therefore, all sensitivities with respe·ct to anyone of those variables are required to describe the behaviour of the portfolio. The sensitivities measured against the same market parameter for various transaction are additive in nature. With several market instruments, the overall sensitivity with respect to a unique market 'parameter is the total of all sensitivities of each instrument. However, in case the market parameters for sensitivities are different the position will not be the same. Each sensitivity is based on the assumption that one parameter changes by a unit value. Adding up sensitivities across instruments would mean that all parameters change at the same time. In general, this will be an over estimate since all parameters will certainly not change at the same time with the same magnitude. Sensitivities can be utilized in measurement of various risks such as interest rate risk, exchange rate risk, market risk and credit risk. Sensitivity can also be utilized in risk control practices while implementing hedges to cover the risks. Interest Rate Risk: Sensitivity of interest margin can be utilized to measure interest rate risk. Sensitivity to interest margin can be computed by working out the difference between interest revenues and interest charges to unit variation of interest rates or for a parallel shift in the yield curve of 1% (assuming the same change for interest rates at all maturities). This sensitivity is called the "interest rate gap" for the period considered. Interest rate sensitivity of mark-to-market values of assets and liabilities can also be derived similarly. Exchange Rate Risk: The sensitivity of the Rupee value of any exposure labelled in foreign currency to the exchange rate is the variation of the rupee value due toa unit variation of the exchange rate. For example, the rupee value of 10 USD with an exchange rate of Rs. 47/USD is Rs. 470. If the exchange rate becomes Rs. 48/USD the rupee value becomes Rs. 480. The absolute variation in value is Rs. 10. Thus, if there is a forex liability of USD 10 there will be an exchange rate risk of Rs. 10 on account of change in exchange rate which is 470*2.1276%, The relative change is the same for the rupee value and the market parameter value, since 2,1276% the relative increase in the exchange rate in Indian Rs'/USD. Market Risk: The concept of sensitivity can be explained as the ratio of the change of the mark-to-market value of a transaction, or of a portfolio, generated by a unit variation of one of the underlying market parameters. This can also be described as the variation in value due to a market parameter unit change. Sensitivities can be widely used for various kinds of market transactions e.g. bonds, stocks, options etc. and for each of these some specific names can be given depending upon class of instruments. For bonds, the sensitivity is the modified duration, for stocks called "beta'" (relates the relative change in stock price to the relative change in market index), for options the sensitivity with respect to the underlying parameter is the "delta." Credit Risk: Sensitivity is commonly used with market parameters. However, the concept can be, extended to risks, which are not market related, such as credit risk. For a portfolio of

Quantitative Risk Measurement

43

counterparties, the underlying random variable becomes the random number of defaults, observed during a given period. The random variable can also be the default rate, the ratio of number of defaults to the number of counterparties within the portfolio. The sensitivity of earnings can be defined as the increase in loss generated by a unit variation of the default rate. If the total exposure is Rs. 1,000, the sensitivity to a 1% change in default rate is 1000* 1% or Rs. 10 in value. Sensitivity and Risk Control: Many external random factors that impact on the earnings of a bank are not controllable by the bank. They are random market movements or changes in the environment (for instance, those that increase the default rates of borrowers). A bank does not have any influence on environmental variables. Controlling risk means that the bank controls its exposure to various risks, or, in technical terms, the sensitivity of the bank earnings with respect to those external parameters. The sensitivity of portfolios of transactions can be increased or decreased, depending on expectations of future market movements. For example, a bank can invest in long-duration bonds when it anticipates a decrease in interest rates (when interest rates decline, the price of bonds increases, generating a capital gain). It increases the portfolio sensitivity in order to obtain more gains from the expected market move. Or, it can use less sensitive bonds, when interest rates rise. The same line of reasoning applies to all portfolios. Investors can select high beta stocks in a bullish market Le., such stocks where relative change in stock price is higher than the relative change of market index. In a bearish market the position will be reversing i.e., the investors should select low beta stocks. The same is true for interest rate risk of the banking portfolio. The sensitivity of interest margin should be increased when the margin increases with interest rates and when a rise is expected. On the other hand, if a decrease in rates is expected, a hedge should be used to decrease, or reverse the gap. In order to make a target variable immune to outside sources of risks, its sensitivity should be set to zero. Sensitivities are key variables for controlling risks and, therefore, they have to be defined for all target variables and for all risks.

4. ~ VolATilhy Concept: Volatility is a statistical measure of the dispersion around the average of any random variable such as market parameters, earnings or mark-to-market values. Volatility is the standard deviation of the values of these variables. Standard deviation is the square root of the variance of a random variable. Both can be obtained from a time series of observations. Variance: The variance is the sum of the squared deviations around the mean. The mean is the mathematical expectation of a random variable. It is the average of the values of the random variable weighted by their probability of occurrence. With time series of observations, the mean is also the arithmetic average of the observed values of a random variable (with the assumption of identical probabilities of all individual observations). Volatility is widely used measure of the dispersion of any random variable around its mean. It can be calculated for any set of historical data, whether or not they follow a normal distribution. It is used for market parameters such as the interest rate, exchange rate and equity index, because the day-to-day observations are readily available. Volatilities measured from historical observations are called historical volatilities. Such volatilities are constantly updated when new observations are available. Volatility can be calculated with any number of observations. However, a limited number of observations might result in a distorted image of dispersions.

44

Risk Management in Indian Banks

Calculation of Volatility: Volatility can be calculated as soon as numerical values are available. The calculation requires one to choose the period of observation and frequency of observations across this horizon e.g., daily, weekly, or monthly frequencies are used for market data. Quarterly or yearly data can be used for accounting earnings. The longer the observation period, the higher will be the number of observations. The table given below shows an example for calculation of mean and volatility with a time series of observed data.

Month

Earnings (Rs.)

Deviation from mean

1

15.00

12.08.

146.01

2

12,00

9.08

82.51

3

8.00

5.08

25.84

4

7.00

4.08

16.67

5

2,00

-0.92

0.84

6

-3.00

-5.92

35.01

7

-7,00

-9.92

98.34

8

-10.00

-12.92

166.84

9

-5.00

-7.92

62.67

10

0.00

-2.92

8.51

11

5.00

2.08

4.34

12

11.00

8.08

65.34

Sum

35.00

Sum

712.92

Squared

Statistics 1

Mean

2.92

Variance

59.41

Volatility

7.71

lThe mean is obtained by dividing the sum of observed values by the number of observation (12). The variance is the sum of squared deviations divided by 12. The volatility is the square root of variance.

Volatility can also be measured as the percentage change in a variable from the original value of the variable. For example, if a bond's present price is Rs. 98.25 and the price falls to Rs. 97.95, the. price volatility can be computed as {(98.25-97.95)/98.25} x 100 = 0.3%. Volatility can also be expressed as a percentage whereas standard deviation is expressed in the same unit as that of the underlying data, for instance standard deviation of price is in terms of rupees, standard deviation of age is in terms of years, standard deviation of interest rate is in terms of percentage and that of an index is in terms of a number. The calculation of an historical volatility is based upon the choice of an observation period and a frequency of observations. The frequency can be daily, weekly, monthly, yearly or any other relevant time period. Since the time span between two dates determines the magnitude of possible movements of a random variable, the corresponding volatilities are also named daily, weekly, monthly, or yearly volatilities. The horizon of the time series used

45

Quantitative Risk Measurement

determines the number of observations, once the frequency is set. For example, a daily volatility can be estimated from 250 daily observations over one year, since the number of working days is close to 250, or from 600 observations if the observation period is extended over two years. The size of the sample of observations increases with the horizon, improving the accuracy of the estimate. Since there are many reference periods for volatility, a common base should be used for comparison purposes. For instance, it is not relevant to compare an estimate of yearly volatility of an interest rate, say 1%, with the two-year volatility of another interest rate, say 13%. The second figure is higher owing to the time span, but this does not mean that the dispersion of observed values over a common time base is also higher. There is, however, a rule to infer the volatility over various periods/lengths of time. The volatility increases less than proportionally with the length of the unit period between two observations. is

(J

t

The relationship between the volatility (J t over t period and the volatility (J 1 over a unit period (J 1 t

=

-F

According to this rule, the multiples used to convert a yearly volatility into multiple year volatility i.e., time coefficients applicable to volatility are as under: 4

Years

1

2

3

Multiples

1.000

1.414

1.732

5

2.000 2.236

8

9

10

2.828

3.000

3.162

7

6

2.449 2.646

Thus the two year volatility, when the yearly volatility is 1%, will be 1.414%. The volatility increases with time, but less than proportionally. This rule is derived from a set of assumptions and applies when the possible values of the random parameter at date t do not depend upon its value at date t-1 and also when the random process is stable over time .

3.5 - , - - - - - - - - - - - - 3~------------~~·L------­ 2.5 ~-------e--...--L------------

.e-

2 -+---e---1-~=-----------le Series 1.5~~.----------------------

11

1~~:.-------------

0.5 -t----------------------O~-------------

o

5

10

15

Timet

4.6 DOUlNSidE Risk Earning volatility can generate gains as well as losses. Risk deals only with the downside deviations of earnings, not unexpected gains. Adverse deviations are measures of downside risk.

Uncertainty, Volatility and Downside Risk: The two measures of volatility and downside risk are often associated. But volatility and downside risks are not equivalent. Loss risks exist only if earnings are uncertain, hence volatile. The more unstable they are, the bigger the chances of losses. However, if downside changes are not possible, there is volatility but no downside risk at all.

46

Risk Management in Indian Banks

For instance, the two measures of risk diverge for options. The buyer of an option has an uncertain gain but no loss risk. A call option gives the right, but not the obligation, to buy an asset under fixed conditions. For instance, a call option on stock provides the right to purchase the stock at Rs. 100. If the stock price goes up to Rs. 120 the option is in-the-money, and the exercise generates a price of Rs. 20. The profit is random just as the stock price is. However, the downside risk is zero since the option holder will not exercise its option when the price falls below Rs. 100, that is when the option is out-of-the money. But the seller of a call option has a downside risk, since he will have to sell the stock to the buyer at Rs. 100 even though the price is higher. Downside Risk and the Opportunity Costs: If risk is eliminated, there is an opportunity cost. A fixed rate borrower has no downside risk since interest charges are fixed . But if interest rates decline, he pays more than what If he borrowed today at new interest rate. The risk is zero, but the opportunity cost is the difference between what the borrower pays and what he could have paid . This opportunity cost is random just as the interest rates are. Fixed rate transactions have no risk. Hedging eliminates uncertainty but it generates a random opportunity cost. The borrower does not have any risk of loss. But he might consider renewing his loan if interest rates drop significantly.

4.7

POTENTiAl

Loss

There are several types of potential losses: expected, unexpected , and exceptional cases. Expected Loss: The expected loss, or EL, is a statistical estimate of the average losses. The average loss is often calculated for credit risk because it represents the statistical mean of losses across a portfolio and over all possible outcomes. The expected loss is frequently used for assessing credit risk. It represents a statistical average over a portfolio of a large number of loan transactions. The law of large numbers says that losses will be sometimes high or low but average is the expected loss. Statistical losses are more a portfolio concept than an individual transaction concept. For one single transaction, the customer may default or not But the real loss is never equal to the average. For a portfolio, there is always an expected number of defaults, which is the mean of the distribution of defaults. If the average default rate applicable to a portfolio whose exposure is 1000 is 1%, the expected loss is 1% x 1000 = 10. Such default rates are typically derived from ratings and other associated statistics. The actual loss will usually differ from the expected loss, since it will be higher or lower. Expected losses are netted out of revenues by making provisions to hedge the losses. Unexpected Loss: The unexpected loss, or UL, is the maximum loss that will be exceeded only in a limited given fraction of all cases. The unexpected loss is the VaR. The given fraction is the tolerance level. Unexpected losses are those losses that deviate from the expected value. They can take any value. When the tolerance level is specified they become identical to VaR There are as many unexpected losses as there are tolerance levels. Often unexpected loss is also identified as loss volatility, rather than potential loss. This is because the latter is frequently estimated as a multiple of loss volatility. Exceptional Loss: The exceptional losses are those that occur beyond the maximum unexpected loss. Their likelihood of occurrence is normally very low. In practice, exceptional losses are obviously difficult to value owing to their very low probability of occurrence. Exceptional events are not included in unexpected losses. To include them would drastically increase the VaR or CaR measures. At the limit, the total asset of a bank could be lost, although this theoretical possibility is extremely unlikely to occur, owing to diversification effects. This raises the issue of drawing a border between unexpected and truly exceptional losses .

Quantitative Risk Measurement

47

4.8 VAR & CAR VaR - Introduction: Value at Risk (VaR) is "the expected loss from an adverse market movement with a specified probability over a period of time". VaR is defined as an estimate of potential loss in a position or asseVliability or portfolios of assets/liabilities over a given holding period at a given level of certainty.

VaR measures risk. Risk is defined as the probability of the unexpected happening - the probability of suffering a loss. VaR is an estimate of the loss likely to suffer, not the actual loss. The actual loss may be different from the estimate. It measures potential loss, not potential gain. Risk management tools measure potential loss as risk has been defined as the probability of suffering a loss. VaR measures the probability of loss for a given time period over which the position is held. The given time period could be one day or a few days or a few weeks or a year. VaR will change if the holding period of the position changes. The holding period for an instrument/position will depend on liquidity of the instrument! market. With the help of VaR, we can say with varying degrees of certainty that the potential loss will not exceed a certain amount. This means that VaR will change with different levels of certainty. VaR is widely used as measure of a portfOlio's market risk, although strictly speaking, it can be applied to any risk exposure. Simply stated, it is the expected maximum loss of some portfolio during some time period at some predefined level of confidence. Increasingly, VaR has been applied to the aggregate level of all the firm's exposures, in order incorporate several factors affecting the value of the firm into a single number. Moreover, it focuses on a major concern of senior managers - the potential for significant loss in a firm's portfolio of assets. Closely related to VaR is the concept of earnings at risk (EaR) - the expected maximum fall in earnings over a given period. Unlike VaR, EaR considers extreme fluctuations in earnings rather than value, but the two concepts are approximately related by Value at Risk

=

Earning at Risk Risk Free Rate

Provided we assume exposures remain constant over time. Both EaR and VaR have a range of possible uses: •

To estimate the firm's capital at risk - the amount of capital put aside to cover potential future losses.

•

To estimate risk adjusted performance - techniques such as RAROC use VaR as a denominator with which to normalize performance.

•

To estimate market risks and set trading limits.

The Value at Risk, or VaR is the maximum loss at a given tolerance level. Value at Risk (VaR) is a useful tool for measuring and aggregating market and liquidity risks. VaR is a risk measurement and management concept and is recommended by BIS (Bank of International Settlements) as a risk measurement tool for banks operating in its member countries. The earlier popular approaches used for risk measurement, sl:Jch as sensitivity and volatility are being rapidly replaced by VaR. While the concepts of sensitivity measures change in portfoliO value due to change in market rates (interest rates, exchange rates etc.) and the concept of volatility measures variance of portfolio returns on either side of the mean returns the concept of VaR concentrates on worst case loss. It is defined as an estimate of potential loss in a position or asset or portfolio of assets over a given holding period at a given level of certainty. VaR tries to answer the question. "How much can we

48

Risk Management in Indian Banks

lose tomorrow?" It is a measure of the maximum potential change in the value of a portfolio of financial instruments with a given probability over a pre-set horizon. The components of the above definition can be explained as under: •

VaR measures risk. Risk is defined as the probability of the unexpected happening the probability of suffering a loss.

•

Var is an estimate of the loss likely to suffer, not the actual loss. The actual loss may be different from the estimate.

•

VaR measures the potential loss, not potential gain. Risk management tools measure potential loss as risk has been defined as the probability of suffering a loss.

•

VaR measures the probability of loss for a given time period over which the position is held. The given time period could be one day or a few days or a few weeks or a year.

•

VaR will change if the holding period of the position changes. The holding period for an instrumenU position will depend on liquidity of the instrumenU market.

•

With the help of VaR, we can say with varying degree of certainty that our potential loss will not exceed a certain amount. This means that VaR will change with different levels of certainty.

•

The VaR concept embodies three factors: •

Given time horizon

•

Given probability

•

Given amount

•

The VaR model draws heavily from statistical concepts. The concept became popular in mid-1990s when J.P. Morgan in 1994 introduced Risk Metrics - a methodology for measuring market risks. Market risk is defined as the potential loss arising out of an adverse movement in market variables such as interest rates, exchange rates, equity prices or commodity prices

•

The Sank for International Settlements (SIS) has accepted VaR as a measurement of market risks and provisions of capital adequacy for market risks, subject to approval by banks' supervisory authorities. '

VaR is based on a number of statistical concepts such as mean, standard deviation, and normal distribution, level of confidence, volatility etc., as discussed below:

Mean: The arithmetic mean is defined as being equal to the sum of numerical values of each and every observation divided by the total number of observations. Symbolically, it can be represented as X = L XlN where L X indicates the sum of the values of all observations and N is the total number of observations. For example let us consider the age of 25 employees of a bank 24, 23, 28, 35, 25, 30, 27, 24, 38, 26, 21, 29, 31, 34, 33, 22, 25, 29, 39, 42, 23, 33, 46, 27, and 36. The arithmetic mean is sum of all the ages of employees (750) divided by number of employees (25), which comes to 30 years.

Standard Deviation: Standard deviation is a measure of dispersion from the mean. It is computed as the square root of the arithmetic average of the squares of the deviations measured from the mean. The standard deviation of the above can be represented as SO

=r.~(X - X)2 / N .

49

Quantitative Risk Measurement

If we calculate, the standard deviation comes to 6.47. This means that on an average the dispersal of the age from the mean is 6.47 years. The larger the standard deviation, the larger is the dispersion of set of observations from the mean. In a set of observations which is dispersed symmetrically on both sides of the mean (normal distribution), 68.3% of observations are captured within 1.00 standard deviation, 90% within 1.65 standard deviation, 95.5% within 2.00 standard deviations and 99.7% within 3.00 standard deviations. This means that the probability of an observation falling within 1.00 standard deviation is 68.3%, within 2.00 standard deviations is 95.5% and so on. The relationship of landmark standard deviations with probability of an observation failing within that is given below:

Standard Deviation

Probability

1.00

68.3%

1.65

90.0%

2.00

95.5%

3.00

99.7% of

Variance and Covariance: Variance is another measure of dispersion, which is the square of the standard deviation. Like standard deviation, if variance is large, it suggests that the variability or spread within the set of observations is large. Covariance is a measure, which combines the variance of an observation with the variance of another observation. Covariance between two variables tells us whether the two variables tend to rise or fall together and how large those movements tend to be. Normal Distribution: A set of observations will have a mean value and all individual items of observation will be on both sides (positive and negative) of the mean. In normal distribution it is assumed that all observations are equally divided on both sides of the mean. Normal distribution is represented by a bell shaped curve in which the dispersions lie in perfectly symmetrical manner on both sides of the curve with each side containing 50% of dispersions from the mean of the set of observations. Further, a normal distribution has certain area relationship of standard deviation around the mean. This aspect can be understood with the following example: If the mean value of an observation is 100 and its standard deviation is 5 we can conclude the following: 68.3% of the values are contained within 105 and 95 (within ± one standard deviation) 95.5% of the values are contained within 110 and 90 (within ± two standard deviations) 99.7% of the values are contained within 115 and 85 (within ± three standard deviations). However, the relationship is not linear. 99.9% of the values are contained within seven standard deviations. A normal distribution curve is drawn below: Level of Confidence: Standard deviation measures dispersion in both the directions, positive (+) and or gain (-) or gain or loss. In risk management, we are concerned with loss, not gain. Hence, in focussing only on loss, we use another concept called level of confidence. We ignore the positive side of normal distribution curve, which represent the positive dispersal from the mean and concentrate only on the negative side, which represents loss. This is a one tail approach. In this approach the relationship between standard deviation, probability of the observation failling within the standard deviation and level of confidence is given in the table below:

50

Risk Management in Indian Banks

68.3%

95.5% 99.7%

·1

0 1 SO----'

~

4

3

Standard Deviation

Probability of Occurrence

Levelofconfldence

1

68.3%

84%

1.65

90%

95%

2

95.5%

97.5%

3

99.7%

99.9%

·50%

50%

95.5% 99.7% ·3

·1 ~

0 1 SO----'

3

4

VaR Methodologies: VAR can be arrived as the expected loss on a position from an adverse movement in identified market risk parameter(s) with a specified probability over a nominated period of time. Volatility in financial markets is usually calculated as the standard deviation of the percentage changes in the relevant asset price over a specified asset period. The volatility for calculation of VaR is usually specified as the standard deviation of the percentage change in the risk factor over the relevant risk horizon.

51

Quantitative Risk Measurement

The following table describes the three main methodologies to calculate VaR:*

Methodology

Description

Applications

Parametric

Estimates VaR with equation

Accurate for traditional

that specifies parameters

assets and linear

such as volatility, correlation,

derivatives, but less

delta, and gamma.

accurate for non linear derivatives.

Monte Carlo

Estimates VaR by simulating

Simulation

random scenarios and

of instruments, linear

revaluing positions in the

and nonlinear.

Appropriate for all types

portfolio. Historical

Estimates VaR by reliving

Simulation

history; takes actual historical rates and revalues positions for each change in the market.

There are three main approaches to calculating value-at-risk: the correlation method, also known as the VariancelCovariancematrix method; Historical Simulation and Monte Carlo Simulation. All three methods require a statement of three basic parameters: holding period, confidence interval and the historical time horizon over which the asset prices are observed. Under the Correlation Method, the change in the value of the position is calculated by combining the sensitivity of each component to price changes in the underlying asset(s), with a variance/ covariance matrix ofthe various components' volatilities and correlation. It is a deterministic approach. The Historical Simulation Approach calculates the change in the value of a position using the actual historical movements of the underlying asset(s), but starting from the current value of the asset. It does not need a variance/covariance matrix. The length of the historical period chosen does impact the results because if the period is too short, it may not capture the full variety of events and relationships between the various assets and within each asset class, and if it is too long, may be too stale to predict the future. The advantage of this method is that it does not require the user to make any explicit assumptions about correlations and the dynamics of the risk factors because the simulation follows every historical move. The Monte Carlo Simulation Method calculates the change in the value of a portfolio using a sample of randomly generated price scenarios. Here the user has to make certain assumptions about market structures, correlations between risk factors and the volatility of these factors. He is essentially imposing his views and experience as opposed to the have approach of the historical simulation method. At the heart of all three methods is the model. The closer the models fit economic reality, the more accurate the estimated VAR numbers and therefore the better they will be at predicting the true VAR of the firm. There is no guarantee that the numbers returned by each VAR method would be anywhere near each other.

52

Risk Management in Indian Banks

Other uses of VaR: VaR is used as a MIS tool in the trading portfolio in the trading portfolio to "slice and dice" risk by levels/ products/geographic/level of organization etc. It is also used to set risk limits. In its strategic perspective, VaR is used to decisions as to what business to do and what not to do. However, VaR as a useful MIS tool has to be "back tested" by comparing each day's VaR with actuals and necessary re-examination of assumptions needs to be made so as to be close to reality. VaR, therefore, cannot substitute sound management judgement, internal control and other complementary methods. It is used to measure and manage market risks in trading portfoliO and investment portfolio. VaR and Estimating Volatility: VaR uses past data to compute volatility. Different methods are employed to estimate volatility. One is arithmetic moving average from historical time series data. The other is the exponential moving average method. In the exponential moving average method, the volatility estimates rises faster to shocks and declines gradually. Further, different banks take different number of days of past data to estimate volatility. Volatility also does not capture unexpected events like EMU crisis of September 1992 (called "event risk"). All these complicate the estimation of volatility.

VaR should be used in combination with "stress testing" to take care of event risks. Stress test takes into account the worst case scenario.

4.9 Risk AdjusTEd RETURN ON CApiTAl (RAROC) Introduction to RAROC - evolution and role/ultimate goal: Development of the RAROC methodology began in the late 1970's initiated by a group at Bankers Trust. Their original interest was to measure the risk inherent in the bank's credit portfolio, as well as the amount of equity capital necessary to limit the exposure of the bank's depositors and other debt-holders to a specified probability of loss. They felt the need to develop a system that would measure the performance of the banks' traders, a system that would take into account the fact that a trader who makes $1 million on US treasury bonds is using the firm's capital differently than a trader who makes $1 million in positions in a volatile currency. They wanted to level out the difference in those trades so that they could be compared side by side to see how effective they were and how efficiently the traders were using the firm's money. Thus, Bankers Trust developed RAROC and first began to use it to evaluate the performance of their lending businesses and to determine the amount of risk capital needed to provide uniform protection for disparate risks.

Risk Adjusted Return on Capital (RAROC) is a powerful risk measurement too/ that assists banks and financial institutions both in measuring solvency and evaluating performance of different business activities. The increased interest in measuring risk is partly a response to the greater regulatory emphasis on capital adequacy that has come with both the implementation of the Basel risk-based capital requirements issued in 1988 and the passage of FDICIA in 1991. More importantly, there have been fundamental changes in the business of banking which has driven the interest in risk management tools. As the progressive deregulation of the banking industry continues, banks are choosing to provide an increasingly diverse set of products and services. The real innovation in these new performance evaluation tools lies in their ability to allocate banks' capital among their expanding array of non-traditional, fee-based activities - many of which do not involve any use of capital for funding purposes but create a contingent liability for the bank. Thus, the ultimate goal of a riskbased capital allocation system like RAROC is to provide a uniform measure of performance. Management can use this measure to evaluate performance for capital budgeting and as an input to the compensation system.

DOD

CREDIT RISK

~. 1 CREdh

Risk

MANAGEMENT

Introduction Traditionally, the credit risk is thought of as having two components. The first is the solvency aspect of credit risk, which relates to the risk that the borrower is unable to repay in full the sum outstanding. The second is the liquidity aspect of the credit risk that arises when the payments due from a borrower are delayed leading to cash flow problems the lender. The liquidity and solvency risks are, however, closely related. In order to meet the short term liquidity needs, a firm may have to undertake "fire-sale" of assets which might fetch a lower amount for the assets sold as compared to the sale of assets under normal circumstances. This could lead to a situation of "technical insolvency" where the realizable value of assets may be less than the value of liabilities. This problem is more pronounced in case of banks as their balance sheet contains assets (like loans and Investments etc.) which fluctuate in value (in a situation of default, the full amount of loan may not be realizable) whereas the value of deposits remains constant (or "capital certain in the technical language) and in fact might grow on account of interest element. Thus, what may appear to be liquidity risk in the beginning may turn into solvency risk over a period of time. Credit Risk Management is not NPA Management. It is much more than that. NPA management is largely recovery management. A NPA account represents a situation when the credit risk has crystallized - i.e., the situation when default has already taken place. Credit risk management is concerned more with the quality of credit portfolio before default rather than in the post default situation when the recovery proceedings begin. The credit risk approach gives indications of worsening credit quality of the portfolio by tracking credit migration of constituent assets in the credit / investment portfolio much before the actual defaults occur so that management action can be initiated in order to stem the deterioration in the credit portfolio quality. Credit Risk Management is also not merely Credit Management. Credit management as is conventionally understood is confined to selection, limitation and diversification, and overall management of credit. At the time of selection, the borrower's financial conditions, profitability and cash flows etc. are assessed with a view to decide whether or not the borrower has a repaying

54

Risk Management in Indian Banks

capacity. The nature of the industry in which the borrower is operating, the quality of management, the presence of collateral etc., is an essential part of the appraisal process as all these can affect the prospects of recovery. In short, the six Cs viz., Character, Capacity, Cash, Collateral, Conditions and Control related to the borrower are examined. Credit management focuses on probability of repayment, credit risk management focuses on probability of default. l.imitation is based on the premise that the borrower concentrations should not be too large. There are regulatory norms on individual and group exposure limits but the banks may prescribe a lower per borrower / group of borrower exposure limits in their loan policies. Diversification is related to limitation and is based on the age-old principle, which says that do not put all your eggs in one basket. The bank's loan policy normally indicates the exposure limits to various sectors of the economy.

Credit risk management is much more sophisticated than the simple credit management techniques cited above. In the recent years credit risk is being measured and managed in new ways. Although credit risk has been one of the oldest risks in the financial markets, being as old as lending itself, there has been a surge of interest in credit risk during recent years.

~.2

NEEd fOR CREdh Risk MANAGEMENT fOR BANks iN INdiA

Credit risk is the oldest and biggest risk that a bank, by virtue of its very nature of business inherits. This has, however, acquired a greater significance in the recent past for various reasons. Topmost among them is the wind of financial liberalization that is blowing across the globe. The ongoing economic reforms have increased market opportunities manifold and has changed the complexion of the markets. Import tariff structure has changed dramatically. New players have entered the market with a new game plan. Competition from within and outside the country has intensified and has lead to thin margins. Through disintermediation process consumers are being offered a plethora of buying options. The interaction effect of all these aspects has ultimately multiplied risks both in numbers and volume resulting in volatile markets. The post liberalization years have put significant pressure on banks in India with many banks showing signs of distress. One of the primary reasons for this has been the lack of effective credit risk management systems and practices in Indian banks. Banks as intermediaries between 'savers' and 'investors' accept deposits from public and lend the same to entrepreneurs to earn profits. Once money is lent, the borrowers are supposed to return the money so lent along with interest thereon as per repayment schedule agreed upon. Every credit decision implies that the borrower's financial position will remain steady and improve throughout. This, however, need not necessarily be true always as the projected cash flows are impacted by market variables like interest rate hikes, increased competition, business cycles, economic and fiscal policies of the Government and unit-centric problems like production dislocations, financial or managerial inadequacies, etc. Hence, repayments are not always certain. There is always a scope for the borrower to default from his commitment resulting in credit risk to a bank. Time and again, the fundamental business of lending has brought trouble to individual banks and entire banking system. It is, therefore, imperative that the banks have adequate systems for credit assessment of individual projects and evaluating risks associated therewith as well as the industry as a whole. Generally, banks in India evaluate a proposal through the traditional tools of project financing, computing maximum permissible limits, assessing management capabilities and prescribing a ceiling for an industry exposure. As banks move into a new globalized environment for financial operations and trading, with new risks the need is felt for better credit risk management techniques with more sophisticated and versatile instruments for risk assessment, monitoring and controlling risk exposures.

Credit Risk

55

Another ostensible reason has been the increased shareholder awareness of credit risk, heightened by defaults, more recently, by the general decline in the global economy culminating in the steep decline in the markets. Basel Capital Accord and regulatory capital allocation requirements have also fuelled the demand for better credit risk measurement. Regulators impose minimum standards to estimate credit risk for the purpose of capital allocation and for performance measurement of banks. Adoption of sound risk-based pricing mechanism and RAROC concept for performance evaluation has also enhanced the need of better credit management practices.

~.,

CREdiT Risk -

DEfiNiTiON ANd COMPONENTS

Credit risk is defined as the possibility of losses associated with diminution in the credit quality of borrowers or counter parties. In a bank's portfolio, losses stem from outright default due to inability or unwillingness of a customer or counter party to meet commitments in relation to lending, trading, settlement and other financial transactions. Alternatively, losses result from reduction in portfolio value arising from actual or perceived deterioration in credit quality. Credit risk emanates from a bank's dealings with an individual, corporate, bank, financial institution or a sovereign. Credit risk may take the following forms: •

In the case of direct lending: principal and/or interest amount may not be repaid;

•

In the case of guarantees or letters of credit: funds may not be forthcoming from the constituents upon crystallization of the liability;

•

In the case of treasury operations: the payment or series of payments due from the counter parties under the respective contracts may not be forthcoming or ceases;

•

In the case of securities trading businesses: funds/securities settlement may not be effected,

•

In the case of cross-border exposure: the availability and free transfer of foreign currency funds may either cease or restrictions may be imposed by the sovereign.

In this bac~drop, it is imperative that banks have a robust credit risk management system, which is sensitive and responsive to these factors. The effective management of credit risk is a critical component of comprehensive risk management and is essential for the long-term success of any banking organization. Credit risk is most simply defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms. It involves inability or unwillingness of a customer to meet commitments in relation to lending, trading, hedging, settlement and other financial transactions. According to Sinket (Commercial Bank Financial Management by Joseph F. Sinkey, Jr.) the business of banking is measuring, managing and accepting risk and because the major risk banks face is credit risk, it follows that the major risk which banks must measure, manage and accept is credit risk or default risk. Credit risk can be understood as the uncertainty associated with borrowers' loan repayments. Credit risk management encompasses identification, measurement, monitoring and control of the credit risk exposures.

Components of Credit Risk Credit risk represents the major risk faced by banks on account of the nature of their business activity, which includes dealings with or lending to a corporate, individual, another bank, financial 1. Commercial Bank Financial Management by Joseph F. Sinkey, Jr.

56

Risk Management in Indian Banks

institution or a country. Credit risk may be carried in the banking book or the trading book or in the off-balance sheet items. Credit risk has got two components: 'Quantity of Risk' which is nothing but the outstanding loan balance as on the date of default and the 'Quality of Risk' i.e., severity of losses that is defined by default probability and the recoveries that could be effected in the event of default. Credit risk includes counterparty risk and portfolio risk. Counterp,~rty risk may be defined as the possibility that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms. It may also be reflected in the downgrading of the standing of the counterparty making him more vulnerable to possibility of defaults. It arises from non-performance of the trading partners. The non-performance may arise from counter party's refusal/inability to perform due to adverse price movements or from external constraints that were not anticipated by the principal.

Portfolio risk arises due to adverse credit distribution, credit concentration/investment concentration etc. Credit risk also includes country risk, which is defined as the possibility that a country will be unable to service or repay its debts to foreign lenders in a timely manner. The credit risk of a bank's portfolio depends on both external and internalfactors. The external factors are the state of the economy, wide swing in the commodity/equity prices, foreign exchange rates and interest rates, trade restrictions, economic sanctions, Government policies etc. The internal factors are deficiencies in loan policies/administration, absence of prudential credit concentration limits, inadequately defined lending limits for Loan Officers/Credit Committees, deficiencies in appraisal of borrower's financial position, excessive dependence on collateral, inadequate risk pricing, absence of loan review mechanism and post sanction surveillance, etc.

~.4 CREdh Risk MANAGEMENT TEChNiQUES/INSTRUMENTS Since exposure to credit risk continues to be the leading source of problem in banks world-wide; banks need to identify, measure, monitor, and control credit risk as well as should determine that they hold adequate capital against these risks and that they are adequately compensated for risks taken. The goal of credit risk management is to maximize a bank's risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banks should also consider the relationship between credit risk and other risks. The effective management of credit risk is a critical component of a comprehensive approach to risk management and essential to the long-term success of any banking organization.

Banks need to adopt sound practices in the following areas: 2 (i) establishing an appropriate credit risk environment; (ii) operating under a sound credit-granting process;

(iii) maintaining an appropriate credit administration, measurement and monitoring process and (iv) ensuring adequate controls over credit risk. The Credit Risk Management Techniques/lnstruments involves several steps which include the following:

2. The 8lJsel Committee on Banking Supervision in its paper on Principles for the Management of Credit Bank has outlined these four prerequisites for effective management of credit risk.

Credit Risk

57

•

Setting up appropriate Risk Management organization;

•

Framing of appropriate policies, strategies etc;

•

Setting out appropriate benchmarks/limits;

•

Measurement of risk through credit rating/scoring;

•

Quantifying the risk through estimating expected loan losses;

•

Risk pricing on a scientific basis; and

•

Controlling the risk through effective Loan review mechanism and portfolio management.

Banks should have a well defined credit risk policy defining clearly their credit philosophy, credit culture, risk tolerance level, credit approving authority, prudential limits, acceptable bench-mark ratios, risk rating systems, loan review mechanism, robust MIS for monitoring and follow-up and system of periodic review of the policy itself. The following table shows the processes and stages involved in credit risk management:

Credit Risk Management •

Framing of credit policies/credit risk policies

•

Defining corporate philosophy/culture/strategy

•

Setting out risk tolerance levels/benchmark ratios

•

Setting out risk assessment systems

•

Setting up of prudent exposure levels

•

Setting up of Risk Management Organization

Risk rating/scoring

Loan review mechanism

•

•

Set up comprehensive risk

Identify loans with credit weakness to isolate problem areas

rating/scoring system •

Clearly define rating thresholds

•

Determine adequacy of loan loss provisions

•

Periodic review of ratings

•

Assess adherence to policies

•

Map rating migrations to estimate expected loss

and procedures •

Risk pricing •

Link loan pricing to

Portfolio reviews •

Build historical data on

•

default losses •

Allocate capital based on unexpected losses

•

Adopt the RAROC framework

Initiate steps to preserve the desired portfolio quality

expected loss •

Top managemenUinternal reporting

Integrate portfolio reviews with credit decisions

•

Develop and adopt credit risk management models

58

Risk Management in Indian Banks

For risk management adoption of various techniques / instruments are necessary. Looking to the level of operations and nature of complexities in the operations different banks may adopt different techniques/instruments. For management of credit risk various techniques can be adopted looking to the nature of risk involved. As has already been discussed, credit risk is defined as the potential that a bank borrower will fall to meet obligations in accordance with agreed terms. It involves inability or unwillingness of a customer to meet commitments in relation to lending, trading, hedging, settlement and other financial transactions. The credit risk is made up of transaction risk or default risk, and portfolio risk. The portfolio risk in turn comprises instrinsic and concentration risk. The credit risk depends upon both internal and external factors. Banks need to evolve risk management techniques/instruments keeping in view all these aspects and may adopt the following:

Establishing an Appropriate Credit Risk Environment It requires understanding of risks the banks may face while managing the portfolio. The understanding should be spread all over the organization and each one in the organization should have similar approach for managing the risk. While the top management should adopt suitable policies for implementation by the operating staff, the later should ensure proper implementation of the policies. The communication channels should be strong and should convey the same meaning to all in the organization. MIS in the organization should be strong and reliable. The data collection system should be consistent all over the organization and frequency of collection and analysis of data should be high so as to have necessary information as many times as possible. Adoption of proper risk management policies and implementation of the same in the organization in letter and spirit is the best technique for management of credit risk.

Credit Risk Policy The policy document should include risk identification, risk measurement, risk grading/ aggregation techniques, reporting and risk control/mitigation techniques, documentation, legal issues and management of problem loans etc. The policy should also define target markets, risk acceptance criteria, credit approval authority, credit origination/maintenance procedures and guidelines for portfolio management. The policy approved by banks' Board should be communicated to branches/ controlling offices. All dealing officials should clearly understand the bank's approach for credit sanction and should be held accountable for complying with established policies and procedures. Senior Management of the bank should be made responsible for implementing the credit risk policy approved by the Board.

Credit Risk Strategy The credit risk strategy or plan should establish the objectives for banks' credit granting activities and policies/procedures for conducting such activities. The strategy should spell out clearly the organization's credit appetite and the acceptable level of risk-reward trade-off for its activities. The strategy should include a statement of the bank's willingness to grant loans based on the type of economic activity, geographical location, currency, market, maturity and anticipated profitability, which would translate into the identification of target markets and business sectors, preferred levels of diversification concentration, the cost of capital in granting credit and the cost of bad debts. The strategy should provide continuity in approach and should take into account the cyclical aspects of

Credit Risk

59

the economy and the resulting shifts in the composition/quality of the overall credit portfolio. The strategy should be viable in the long-run and through various credit cycles. Senior Management of the bank should be made responsible for implementing the credit risk policy approved by the Board.

Organization Structure Sound organizational structure is sine qua non for successful implementation of an effective credit risk management system. The organizational structure for credit risk management should have the following basic features: The Board of Directors should have the overall responsibility for management of risks. The Board should decide the risk management policy of the bank and set limits for liquidity, interest rate, foreign exchange and equity price risks. The Risk Management Committee which may be an independent Board level Sub committee including CEO and heads of Credit, Market and Operational Risk Management Committees should devise the policy and strategy for integrated risk management containing various risk exposures of the bank including the credit risk. For this purpose, this Committee should effectively co-ordinate with other risk committees of the bank. It is imperative that the independence of this Committee is preserved and the Board should ensure that this is not compromised at any cost. The credit risk strategy and pOlicies adopted by the committee should be effectively communicated throughout the organisation. Each bank may, depending on the size of the organization or loan/ investment book, constitute a high level Credit Risk Management Committee (CRMC). The Committee should be headed by the Chairman/CEO/ED, and should comprise of heads of Credit Department, Treasury, Credit Risk Management Department (CRMD) and the Chief Economist. The functions of the Credit Risk Management Committee shoUld be as under: •

Be responsible for the implementation of the credit risk policy/strategy approved by the Board.

•

Monitor credit risks on a bank wide basis and ensure compliance with limits approved by the Board.

•

Recommend to the Board, for its approval, clear policies on standards for presentation of credit proposals, financial covenants, rating standards and benchmarks,

•

Decide delegation of credit approving powers, prudential limits on large credit exposures, standards for loan collateral, portfolio management, loan review mechanism, risk concentrations, risk monitoring and evaluation, priCing of loans, provisioning, regulatory/ legal compliance, etc.

Concurrently, each bank should also set up Credit Risk Management Department (CRMD), independent of the Credit Administration Department. The CRMD should: •

Measure, control and manage credit risk on a bank-wide basis within the limits set by the Board/CRMC.

•

Enforce compliance with the risk parameters and prudential limits set by the Board/ CRMC.

•

Lay down risk assessment systems, develop MIS, monitor quality of loan/investment portfolio, identify problems, correct deficiencies and undertake loan review/audit. Large banks could consider separate set up for loan review/audit.

60

Risk Management in Indian Banks

•

Be accountable for protecting the quality of the entire loan/ investment portfolio. The Department should undertake portfolio evaluations and·conduct comprehensive studies on the enviromnent to test the resilience of the loan portfolio.

A Typical Organizational Structure for Risk Management in banks suggested by the Reserve Bank of India is appended on page 98.

[ BOARD OF DIRECTORS )

I RISK MANAGEMENT COMMITIEE (BOARD SUBCOMMITIEE INCLUDING CEO AND HEADS OF CREDIT, MARKET, AND OPERATIONAL RISK MANAGEMENT COMMITIEES) CORE FUNCTION: POLICY AND STRATEGY FOR INTEGRATED RISK MANAGEMENT

T

T CREDIT RISK MANAGEMENT COMMITIEE COMMITIEE OF TOP EXECUTIVES INC\..UDING CEO, HEADS OF CREDIT & TREASURY AND CHIEF ECONOMIST)

T [ CREDIT RISK MANAGEMENT DEPARTMENT (CRMD)

J Bisk ~Ii!!!!!ing Definition of procedures Design of credit processes

T

J

ALCO/MARKET RISK MANAGEMENT COMMITTEE

MA~AGEMENT

COMMITIEE

T

l

T

T OPERATIONAL RISK

CREDIT ADMINISTRATION

J

1

Bi~k A~u~~ment

Bi~k Ani!llltic~

and MQnitQring - Sector review - Credit Rating - Review of Credit Proposals (new) - Asset review (existing)

- Credit Risk and pricing models' design & maintenance - Portfolio analysis and reporting

T ~r~dit Ri~~

• Sll~t~m~ - Integration of risk procedures with credit systems - Design and development of support systems for risk assessment & monitoring

Operations I Systems Bank's should have in place an appropriate credit administration, credit risk measurement and monitoring processes. The credit administraion process typically involves the following phases: •

Relationship management phase i.e. business development.

•

Transaction management phase covers risk assessment, loan pricing, structuring the facilities, internal approvals, documentation, loan administration, on going monitoring and risk measurement.

•

Portfolio management phase entails monitoring of the portfolio at a macro level and the management of problem loans.

On the basis of the broad management framework stated above, the banks should have the following credit risk measurement and monitoring procedures: •

Banks should establish proactive credit risk management practices like annual/half yearly industry studies and individual obligor reviews, periodic credit calls that are

Credit Risk

61

documented, periodic visits of plant and business site, and at least quarterly management reviews of troubled exposures/weak credits. •

Banks should have a system of checks and balances in place for extension of credit viz.: -

Separation of credit risk management from credit sanction

-

Multiple credit approvers making financial sanction subject to approvals at various stages viz. credit ratings, risk approvals, credit approval grid, etc.

-

An independent audit and risk review function.

•

The level of authority required to approve credit will increase as amounts and transaction risks increase and as risk ratings worsen.

•

Every obligor and facility must be assigned a risk rating.

•

Mechanism to price facilities depending on the risk grading of the customer,. and to attribute accurately the associated risk weightings to the facilities.

•

Banks should ensure that there are consistent standards for the origination, documentation and maintenance for extensions of credit.

•

Banks should have a consistent approach towards early problem recognition, the classification of problem exposures, and remedial action.

•

Bank should maintain a diversified portfolio of risk assets; have a system to conduct regular analYSis of the portfolio and to ensure on-going control of risk concentrations.

•

Credit risk limits include obligor limits and concentration limits by industry or geography. The Boards should authorize efficient and effective credit approval processes for operating within the approval limits.

•

In order to ensure transparency of risks taken, it is the responsibility of banks to accurately, completely and in a timely fashion, report the comprehensive set of credit risk data into the independent risk system.

•

Banks should have systems and procedures for monitoring financial performance of and for controlling outstanding within limits.

•

A conservative policy for provisioning in respect of non-performing advances may be adopted.

•

Successful credit management requires experience, judgement and commitment to technical development. Banks should have a clear, well-documented scheme of delegation of powers for credit sanction.

Banks must have a Management Information System (MIS), which should enable them to manage and measure the credit risk inherent in all on- and off-balance sheet activities. The MIS should provide adequate information on the composition of the credit portfolio, including identification of any concentration of credit portfolio. Banks should price their loans according to the risk profile of the borrower and the risks associated with the loans.

Operating Under a Sound Credit Granting Process It includes carefully formulated scheme of delegation of powers, constitution of credit committees for sanctioning loans above a specified limit etc. The delegation of powers should be linked to the capabilities of the person to whom the same are delegated. While higher ranking

62

Risk Management in Indian Banks

experienced and senior officers may be given higher powers, the delegation may be lower for junior level officers. Another way of delegation may be delegation linked to the risk rating. While the powers may be higher for low risk categories the same may be lower for high-risk categories. For large credit the proposals may be considered by credit committees involving a number of experienced officers. The principles for exercise of powers and reporting system should be specifically advised to the operating staff for compliance. The process of granting credit should be based on sound lending principles and should take care of Common Sources of Major Credit Problems with in-built techniques to check them. The traditional method of 5 Cs of good and bad lending still hold good and are beneficial for making evaluation of credit proposals. The Journal of Commercial Bank Lending (Golden S. and H. M. Walker, "The Ten Commandments of Commercial Credit: The Cs of good and bad loans, January 1993) has published following ten commandments of lending.

5 Cs of good lending

5 Cs of bad lending

Character

Complacency

Capacity

Carelessness

Capital

Communication Gap

Collacteral

Contingencies - uncared

Conditions - economic

Competition - unhealthy

Character refers to the willingness of the borrower to repay. Normally, there are two type of defaulters, the first, who are willing to repay but unable to repay, and the second, who has the ability to repay but are not willing to repay. The default in the first case could be for a variety of reasons/ factors other than the integrity of the borrower. The second type of default originates because of unwillingness of the borrower to repay and the character of the borrower becomes very important from this perspective. Therefore, the first principle of good lending remains the character of the borrower. Credit information on the borrower, status report from the existing banker, market reports, and interview with borrower are some of the tools to apply this principle of good lending. Capacity is meant as the borrowers' ~apacity to repay the principal and the interest on some and the same can be measured through cash flow from the business. Cash flow is the measure of the capacity of the borrower's business to repay the borrowings. Proper estmation of the cash flow, after factoring into the uncertainties of future, is a tool to determine the capacity to repay and its correct measurement can be considered as 2nd principle of good lending. Economic conditions also play a very important role in ensuring timely repayment of the money lent. Bankers lend to the borrowers and the repayment is based on earnings of the berrower's busin~ss in future. The earnings in future are heavily dependent upon how the venture performs in future amidst environmental changes. Conditions refer to the borrower's sensitivity to external forces such as business Gycles, competitive pressures, government policies, and environmental factors etc: Capital refers to the strength of the borrower's balance sheet. As we know balance sheet is the financial statement of the borrower's business and on a given day it reflects a true and fair view of the assets and liabilities of the borrower's business. The capital is the cushion available in the

Credit Risk

63

business and is the difference between the assets and liabilities of the firm. If for some reasons the value of assets fall below the level of liabilities, the firm will not be in a position to repay. For a lending banker availability of sufficient capital is, therefore, one of the important aspects to be considered. Collateral is the fifth principle of good lending. Collateral refers to the security backing of the loan. Collateral is to be looked from the point of view as insurance for uncertainty of future, which may jeopardize the repayment of credit extended by the banker. Like good principles there are some aspects, which may adversely affect the lending operations and may be termed as Cs of bad lending such as: Complacency is defined as not taking into consideration the Cs of good lending while appraising a lending proposal along with non-observance and non-compliance of the covenants, terms and conditions mutually agreed between the borrower and the banker. Complacency normally arises from the over confidence and not acting diligently. Carelessness, like complacency could be individual or organizational. As in personal lives what happens to a careless person, same th ing happens in credit portfolio, if the banker is careless. Prudent banking means observation of the five principles of good lending on a continuous basis and there should be no room for carelessness. Communication Gap at the time of appraisal (obtaining required data), sanction (communicating sanction terms), disbursement (non-compliance of covenants, defective creation' of securities), follow-up (monitoring of borrowal accounts on an on-going basis) etc. The communication gap may be on the part of the banker in making it amply clear to the borrower that what is required from him and the same may lead to bad lending subsequently. Uncared contingencies may also lead to bad lending. The borrower and the lender both function in a volatile, ever changing environment. Both have to depend on well thought out pre-decided contingencies. The borrowers need to remain alert and sensitive to market and environmental changes which may affect the performance of the business units adversely and to develop contingent strategies and moves to counter the volatility of the market and the enviromnent. The lender needs to be aware of the borrower's strategic initiatives and also to provide counselling services to the borrower for the environmental changes coming to the notice through his network of connections. Unhealthy competition is also a symptom of bad lending. In a competitive market a borrower will always like to get a best bargain available from the lenders for the financial requirements. In easy money market conditions there is a situation that too many lenders chasing too few good borrowers and the borrowers get the opportunity to take advantage of the situation. The borrowers bargain for relaxation in amount of finance, security etc. In such a situation if unhealthy competition comes in the way of prudent financing there may be a situation of bad lending. The credit granting process should take care of Common Sources of Major Credit Problems and should have in-built techniques to check them. Most major banking problems have been either explicitly or indirectly caused by weaknesses in credit risk management in several areas, such as concentrations, failure of due diligence and inadequate monitoring. Credit Risk Management envisages assessment of these weaknesses and to take corrective actions for mitigating of risks arising from these sources of credit problems.

64

Risk Management in Indian Banks

MAJOR SOURCES OF CREDIT PROBLEMS

1. Concentrations A risk concentration refers to an exposure with the potential to produce losses large enough to threaten a financial institution's health or ability to maintain its core operatiopn. Concentrations are probably the single most important cause of major credit problems. Credit concentrations are viewed as any exposure where the potential losses are large relative to the bank's capital its total assets or where adequate measures exist, the bank's overall risk level. Relatively large losses may reflect not only large exposures, but also the potential for unusually high percentage losses given default. Credit concentrations can further be grouped roughly into two categories: •

Conventional credit concentrations which include concentrations of credit to single borrowers or counter-parties, a group of connected counter-parties, and sectors or industries, such as commercial real estate, capital market, NBFCs etc.

•

Concentrations based on common or correlated risk factors reflecting subtler or more situation-specific factors, and often can only be uncovered through analysis e.g., risks arising from correlation between market and credit risks, as well as between those risks and liquidity risk.

Risk concentrations can take many forms, including exposure to: (i) counter-parties; (ii) groups of individual counter-parties or related entities; (iii) counter-parties in specific geographical locations; (iv) industry sectors; (v) specific products; (vi) service providers e.g., back office services, and (viii) natural disasters or catastrophes, etc. Why Concentrations Develop?: The recurrent nature of credit concentration problems, especially involving conventional credit concentrations, raises the issue of why banks allow concentrations to develop. First, in developing their business strategy, most banks face an inherent trade-off between choosing to specialize in a few key areas with a goal of achieving a market leadership position and diversifying their income streams, especially when they are engaged in some volatile market segments. This trade-off has been exacerbated by intensified competition among banks and non-banks alike for traditional banking activities, such as providing credit to investment grade corporations. Concentrations appear most frequently to arise because banks identify "hot" and rapidly growing industries and use overly optimistic assumptions about an industry's future prospects, especially asset appreciation and the potential to earn above-average fees and/or spreads. Banks seem most susceptible to overlooking the dangers in such situations when they are focused on asset growth or market share.

Principles for Management and Control of Risk Concentrations •

Supervisors should take steps, directly or through regulated entities, to provide that institutions have adequate risk management processes in place to manage group-wide

Credit Risk

65

risk concentrations. Where necessary the supervisors should consider appropriate measures, such as reinforcing these processes with supervisory limits. •

Supervisors should monitor material risk concentrations on a timely basis, as needed, through regular reporting or by other means to help form a clear understanding of the risk concentrations of the institutions.

•

Supervisors should encourage public disclosure of risk concentrations.

•

In case of multiplesupervisors such as RBI, SEBI etc., they should liaise closely-with one another to ascertain each other's concern and co-ordinate as deemed appropriate any supervisory action relative to risk concentrations within the group.

•

Supervisors should deal effectively and appropriately with material risk concentrations that are considered to have a detrimental effect on the regulated entities, either directly or through an overall detrimental effect on the group.

Review of Supervisory Practices to Check Risk Concentrations: In the banking sector, supervisors have incorporated large exposure guidance into their national supervisory frameworks. The guidance encourages supervisors to set quantitative limits on exposures to a single counter party or group of related counter parties, using capital as a base. In addition, some jurisdictions impose quantitative limits on investments by regulation. Generally, supervisors require banks to have in place policies and procedures to prudently manage and control risk concentrations and hold Board of Directors and senior management responsible for compliance. Some bank supervisory regimes also impose additional capital requirements or take other supervisory actions if an institution has unwarranted risk concentration. RBI Guidelines on Exposure Norms: To curb credit concentrations it may be useful if banking supervisor i.e., RBI prescribes specific regulations limiting concentrations to one borrower or set of related borrowers, and in fact should also expect banks to set much lower limits on single-obligor exposure, The Reserve Bank of India has already prescribed exposure ceiling guidelines for banks and has also directed banks to have prudential exposure levels, threshold limits, substantial exposure limits etc., in place as a part of credit risk policy to check concentrations. RBI has also prescribed exposure levels for capital market, investments in shares, unsecured advances and guarantees, Tier II bonds etc. As per Banking Regulation Act 1949 also there are restrictions on certain exposures e.g., exposure limit on shareholding of companies etc. The Reserve Bank of India has issued Master Circular on 13.8.2001 highlighting exposure norms for banks which, among others, include following gudelines: •

As a prudential measure aimed at better risk management and avoidance of concentration of credit risks banks should fix limits on their exposure,

•

to individual borrowers and group borrowers in India,

•

to specific industry or sectors,

•

towards unsecured guarantees and unsecured advances,

•

In addition, banks should also observe statutory and regulatory exposure limits in respect of advances against shares, debentures and bonds and investments in such securities.

The credit exposure ceiling should be fixed in relation to bank's capital funds and it should not exceed 25% of the capital funds in the case of individual borrowers including PSUs upto March 31,2000 and 20% from April 1,2000; such credit should not exceed 60% in case of group borrowers. Internationally, exposure ceilings are computed in relation to total capital as defined under capital

66

Risk Management in Indian Banks

adequacy standards (Tier I & Tier II Capital). Taking into account the best international practices, RBI has decided to adopt the concept of capital funds as defined under concept of capital adequacy standards for determining exposure ceiling uniformly both by domestic and foreign banks, effective from March 31, 2002. The exposure-ceiling limit applicable from April 1, 2002 would be 15% of capital funds for single borrower & 40% for group borrower. For infrastructure projects additional 10% exposure is permitted. RBI has prescribed guidelines for computation of exposure and also certain exemptions from the guidelines. Apart from limiting the exposures to individual or group of borrowers, as indicated above RBI has advised banks to consider fixing internal limits for aggregate commitments to specific sectors e.g., textiles, jute, tea etc., so that the exposures are evenly spread over various sectors. These limits could be fixed by the banks having regard to the performance of different sectors and risks perceived. The limits so fixed may be reviewed periodically and revised, as necessary. RBI has also advised banks to frame internal prudential norms for lending to Real Estate Sector, Leasing, Hire Purchase and Factoring Services Sector, and Exposure to Indian Joint VenturesIWholly-owned Subsidiaries Abroad etc. As regards exposure limit on advances against shares and holding of shares as investments there is a statutory limit in terms of section 19(2) of the BR Act, 1949 according to which no banking company shall hold shares in any company, whether as pledgee, mortgagee or absolute owner, of an amount exceeding 30% of the paid-up share capital of that company or 30% of its own paid-up share capital and reserves, whichever is less. This is an aggregate holding limit for each company & while granting any advance against shares, underwriting an issue of shares or acquiring any shares on investment account or even in lieu of debt of any company these statutory prOVisions should be strictly observed. Besides these provisions, there is also a regulatory stipulation that bank's aggregate exposure to capital market sector should not exceed 5% of total outstanding advance as on March 31 of the previous year. This ceiling of 5% will apply to total exposure including both fund based and non-fund based to capital market in all forms. Certain types of loans and advances against shares are also treated as bank's investments in shares for the purpose of observing this ceiling. RBI has also prescribed ceilings for advances against shares to individuals and grant of advances for subscribing to IPOs. The RBI has also advised banks to frame policy/ guidelines for granting of advances against shares, units of mutual funds, bank finance to employees to buy shares of their own companies, advances against shares to stock brokers and market makers, bank loans for financing promoters contributions, bridge loans etc. Further banks have to limit their commitment by way of unsecured guarantees in such a manner that 20% of the bank's outstanding unsecured guarantees plus the total of outstanding unsecured advances do not exceed 15% total outstanding advances. Many banks are now exploring techniques to identify concentrations based on common risk factors or correlation among factors. While small banks may find it difficult not to be at or near limits on concentrations, very large banking organizations must recognize that because of their large capital base, their exposure to single obligors can reach imprudent levels while remaining within regulatory limits. Techniques to Check Credit Concentrations: To avoid credit concentrations banks may put in place their own internal prudential exposure limits lower than the limits prescribed by RBI keeping in view their risk perception. Such limits may take form of following limits: -

Lower level of single/group borrower limit,

-

Threshold limit per borrower,

Credit Risk

-

Substantial exposure limit,

-

Maximum exposure limit to one industry/sector,

-

Maximum exposure limit in identified geographical area,

-

Maximum exposure level in any rating category,

-

Maximum exposure in any product category,

-

Maximum exposure on any other banking/financial institution etc.

By adopting such limits banks can check concentration risks and maintain risk levels reasonable level.

67

withi~

-2. Failure of due diligence in credit granting, review and monitoring process Credit Granting Process: Many credit problems arise due to basic weaknesses in the credit granting and monitoring processes. The shortcomings in underwriting and management of market related credit exposures represent important sources of losses at banks. Many credit problems can be avoided or mitigated by adoption of a strong credit process. Many banks find carrying out a thorough credit assessment (or basic due diligence exercise) a substantial challenge because of time constraints and competitive pressures.

Globalization of credit market has increased the need for financial information based on sound accounting standards and timely macroeconomic data. If the information is not available or reliable, banks relax or dispense with the financial and economic analysis and support credit decisions with simple indicators of credit quality, especially if they perceive a need to gain a competitive foothold in a rapidly growing market. This dilution of the process leads to development of weaknesses in credit granting processes. The absence of testing and validation of new lending techniques is another problem in this area. Adoption of untested lending techniques in new or innovative areas of the market, especially techniques that dispense with sound principles of due diligence or traditional benchmarks for leverage, also leads to serious problems. Sound practices call for application of basic principles to new type of credit activities and critical assessment of effectiveness of any new techniques which are adopted in credit granting process. Sometimes credit problems arise from subjective decision making by credit granting authorities in the bank. Such subjective decision making involves interference with the credit granting process and dilutes the professional approach in granting of credit. This problem includes granting of credit to companies owned/ related to promoters/senior management or their relatives and friends. Sometimes credit is granted to meet a personal agenda or for cultivating special relationship with celebrities and in the process the system is diluted. Credit Review Process: Banks also experience asset quality problems on account of absence of effective credit review process/loan review mechanism. Credit review at larger banks is usually made at a department made up of analysts, independent of lending officers, who make an independent assessment of the quality of a credit or a credit relationship based on documentation such as financial statements, credit analysis provided by the appraising officer and collateral appraisal. At smaller banks the function is more limited and is performed by internal or external auditors. The purpose of credit review is to provide appropriate checks and balances to ensure that credits are made in accordance with bank policy and to provide an independent judgement of asset qual.ty, uninfluenced by the relationship with the borrower. Effective credit review not only helps to detect

68

Risk Management in Indian Banks

poorly underwritten credits, it also helps prevent weak credits being granted, since credit officers are likely to be more diligent if they know their work will be subject to review.

Monitoring of Borrowal Accounts: Failure in post sanction monitoring and follow-up in borrowal accounts and collateral values is also one of the major causes of major credit problems. Many banks neglect to obtain periodic financial information from borrowers or valuations of securities/ collateral etc., in order to evaluate the quality of loans on their books and the adequacy of securities. As a result such banks fail to recognize early warning signals that asset quality is deteriorating and miss the opportunities to work with the borrower to stem their financial deterioration and to protect bank's position. This lack of monitoring subsequently leads to a costly process for banks for determining the dimension and severity of the problem loans and resultant large losses. In some cases, the failure to perform adequate due diligence and financial analysis and to monitor the borrowal account can result into a breakdown of controls to detect credit-related frauds. For example, banks experiencing fraud related losses have neglected to inspect securities/collateral, such as goods in a warehouse or on a showroom floor, have not authenticated or valued financial assets presented as collateral, or have not obtained/examined audited financial statements carefully. An effective credit review and independent collateral appraisal are thus important protective measures, especially to ensure that credit officers and other insiders are not colluding with the borrowers.

Techniques to check deficiencies in credit granting process, credit review and monitoring: (i) Adoption of proper policies for grant of credit, (ii) Setting up of benchmark ratios, (iii) Adoption of proper risk assessment system, (iv) Adoption of proper risk rating system, (v) Adoption of proper appraisal system for computation of permissible finance, (vi) Capturing of economic intelligence information, (vii) In-depth knowledge about the client- customer's background investigation, (viii) Capturing market information about the borrower/promoters/guarantors and exchanging credit information from other bankers/Fls, (ix) Prescribing and obtaining of proper MIS and select operational data from· the borrower and thorough analysis of the same, (x) Obtaining of audited accounts for credit review timely, (xi) Cross checking financial information with IT/ST returns, (xii) Stipulation of suitable covenants for the facilities and enforcement of compliance by the borrowers, (xiii) Keeping watch over the operations, turnover in the account and the securities, (xiv) Physical verification of the securities, (xv) Close monitoring of the conduct of the account. The list is not exhaustive and other checks for credit granting, ,review, and monitoring may be developed keeping in view nature of credit facilities.

Credit Risk

69

3. Other Sources of Credit Problems • Absence of Risk-sensitive Pricing: In addition to shortcoming in due diligence and credit analysis sometimes some other problems are reflected in bank credit. One of such problems is that banks do not use risk sensitive pricing. Banks that lack a sound pricing methodology and the discipline to follow consistently such a methodology tends to attract a disproportionate share of underpriced risks. Such banks remain increasingly disadvantaged in comparison to those banks, which have superior pricing skills. • Lack of Exercise of Caution with Leveraged Credit Arrangements: Many banks have experienced credit losses because of failure to use sufficient caution with certain leveraged credit arrangements. Credit extended to highly leveraged borrowers are risky in nature and are likely to have large losses in default. In such cases the borrowers have low net worth in comparison to liabilities and banks have very small cushion to fall upon in case of problems with the account. • Lending Against Non-financial Assets: Many banks credit activities involve lending against non-financial assets. In such a lending, many banks fail to make an adequate assessment of the correlation between the financial condition of the borrower and the price changes and liquidity of the collateral non-financial asset. Much asset-based business lending and commercial real estate lending appears to involve a relatively high correlation between borrower creditworthiness and asset values. Since the borrower's income, the principal source of repayment, is generally tied to the assets in question, deterioration in the borrower's income stream, if due to industry or regional economic problems, may be accompanied by declines in asset values for the collateral. Some asset based consumer lending (Le., consumer loans, auto finance etc.) exhibits a similar relationship between the financial health of the consumers and the markets for consumer assets. • Business Cycle Effects/absence of a thoughtful Consideration of Downside Scenario: Many banks do not take sufficient account of business cycle effects in lending. As income prospects and asset values rise in the ascending proportion of business cycle, credit analysis may incorporate overly optimistic assumptions. Industries such as real estate, utilities etc. often experience strong cyclical effects. In addition to the business cycle, borrowers may be vulnerable to changes in risk factors such as specific commodity prices, shifts in the competitive landscape and the uncertainty in business strategy, or management direction. Effective stress testing which takes account of business or product cycle effect and using sufficiently adverse assumptions in credit decisions can help in giving a fuller understanding of a borrower's credit risk.

Techniques to Check other Sources of Credit Problems •

Adoption of risk based pricing,

•

Effective stress testing exercise using sufficiently adverse assumption to detect vulnerabilities,

•

Establishing correlation between economic conditions and the industry, and between various industrial segments,

•

Utilization of economic intelligence to know business cycle effects,

•

Taking professional services for monitoring valuation of fixed assets/real estate etc.

70

Risk Management in Indian Banks

• Measurement of Risk through Credit Rating/Scoring and Risk based Pricing: This involves a comprehensive risk scoring/rating system that serves as a single point indicator of diverse risk factors of counter-party and for taking decisions in a consistent manner. For measurement of risk well laid out parameters should be prescribed in such a manner so as to capture risks involved and should cover all aspects which may cause risks including ~conomy Risk, Industry Risk, Financial Risk, Management Risk etc. • Prescribing Prudential Limits, Benchmark Ratios and Exposure Ceilings: These may cover single/group borrower limits, threshold limits, substantial exposure limits, maximum exposure limits to industry/sector, and maturity profile of loan portfolio. These limits will help in mitigating concentration risks in the portfolio. Risk rating wise exposure limits may also be set up to check excessive concentration in any particular risk category, which will help in having proper risk return policy for the bank. Suitable benchmark financial ratios as well as entry level risk bench marks may also be fixed to ensure that exposures are not taken in weak accounts below a particular level.

• Portfolio Management and Quantifying the Risks through Estimating Expected Loan Losses: It covers establishment of proper systems for identification of credit weaknesses well in advance, besides measures to maintain portfolio quality. Such measures include (i) stipulating quantitative ceiling on aggregate exposure in specified rating categories, (ii) evaluating the rating-wise distribution of borrowers in various industries, business segments, etc. (iii) targeting rating~wise volume of loans, probable defaults and provisioning requirements as prudent planning exercise. (iv) undertaking rapid portfolio reviews, stress tests and scenario analysis when external environment undergoes rapid changes. (v) introducing discriminatory time schedules for renewal of borrowal limits. These methods will help in portfolio management, quantifying the risks and in mitigating risks in the portfolio in an efficient manner. The system should carefully assess credit risk in respect of various facets of banking including investment banking, off-balance sheet exposures, inter-bank exposures and country risk.

• Controlling the Risk through Effective Loan Review/Credit Audit Mechanism: Such mechanism is required especially for large value accounts with responsibilities assigned in various areas such as evaluating the effectiveness of the loan administration, maintaining the integrity of credit rating process, assessing the loan loss provisions, portfolio qualityetc. • Adoption of Credit Risk Models: Credit Risk Models can be used as an effective instrument for determining and measuring credit risk. The Basel Committee on Banking Supervision has also issued a paper titled "Credit Risk Modelling-Current Practices and Applications" in April 1999. The paper has covered practices in credit risk modelling and assess the potential applications and limitations of credit risk models for supervisory and regulatory purposes. The paper has pointed out following potential benefits of credit risk models: •

Credit risk models offer banks a framework for examining the risk in a timely manner, centralizing data on global exposures and analyzing marginal and absolute contribution to risk.

Credit Risk

71

•

They may provide a better reflection of concentration risk compared to non-portfolio approaches.

•

Modelling methodology holds out the possibility of providing a more responsive and informative tool for risk management.

•

Models may offer: (a) the Incentive to improve systems and data collection efforts; (b) a more informed setting of limits and reserves; (c) more accurate risk and performance based pricing which may contribute to a more transparent decision making process; and (d) a more consistent basis for economic capital allocation.

•

From a supervisory perspective, a model-based approach may bring capital requirements into closer alignment with the perceived riskiness of underlying assets and portfolio concentrations. It may allow a more comprehensive measure of capital requirements for credit risk and an improved distribution of capital within the financial system.

•

However, models need to be properly evaluated and validated. For proper evaluation of models conceptual methodology, parameters specification & estimation and proper validation should be ensured.

~. ~ CREdh Risk MEASUREMENT ANd POTENTiAl loss Credit risk has got two components: 'Quantity of Risk' which is nothing but the outstanding loan balance as on the date of default and the 'Quality of Risk' i.e., severity of losses that is defined by default probability and the recoveries that could be effected in the event of default. Credit risk is, therefore, a combined outcome of followings: (i) Default- it is the probability of the event of default i.e. missing a payment obligation. In today's parlance and guidelines related to treatment as NPAs the default is considered if a scheduled payment is not made within 180 days from the due date. The period is proposed to be brought down to 90 days w.e.f. the year ending on 31.3,2004. (ii) Exposure - the outstanding balances at the time of default constitutes exposure risk. The exposures include facilities like committed line of credit, overdrafts, project finance, off-balance sheet items etc. At times, exposure risk may also arise out of a borrower breaking covenants of loan sanctions e.g., not maintaining prescribed securities, financial ratios etc. The amount at risk in future that can be lost in case of default is uncertain. The exposure is contingent upon the client's initiative or happening of some specific event. This uncertainty prevailing with future amounts at risk generates exposure risk.

(iii) Recovery - The loss in case of default is the amount outstanding at the time of default less amount recovered. Normally, when a borrower defaults, banks resort to enforce available securities. The enforcement may be with or without intervention of the court and time of realization of the amount from enforcement of securities will vary from case to case. Additional expenses may have to be incurred in enforcement of securities and considerable time may involve in enforcement and recovery. Thus, recoveries are not predictable and will depend upon type of default, availability of risk

72

Risk Management in Indian Banks

mitigators like guarantors/ collateral, their worth, value, and legal system available for enforcement, nature of charge etc. Recovery risk depends upon the nature of charged assets, their location and possession, marketability, economic value etc. At times the realizable value of assets charged may erode or in the circumstances of forced sale the securities may fetch lower value and in that situation recovery risk may be higher. On the other hand, if the realizable value of securities is higher and if securities are capable of generating buyer's interest the loss may be mitigated / eliminated. Similarly, the net worth of the guarantors and their availability to discharge the liabilities of the debtor may create / affect recovery risk. Enforceability of securities and legal provisions also makes it difficult to predict the recoverable amount in advance. (iv) Geographical Spread - Concentration of banks' advances in any particular area also creates credit risk for banks. Geographically well diversified credit reduces the level of credit risk in the circumstances like cyclone, earth quake etc. Risk involves measurement of unexpected losses, changes in asset values or asset returns. In the context of a credit portfolio, credit risk is the volatility of losses, asset values or asset returns of the portfolio. Any attempt at measurement of credit risk must quantify the expected losses and unexpected losses on account of credit portfoliO. For measuring or quantifying credit risk banks must have a measure of expected losses and unexpected losses. The measurement of credit risk entails quantification of the following components of credit risk: •

Probability of Default (PD)

•

Exposure at Default (EAD)

• • •

Loss Given Default (LGD) Maturity or Tenor of the Exposure (real not contractual) Level of diversification in bank's loan portfolio (using credit risk correlation between the different borrowers in a portfolio)

•

Correlation between credit risk and other risk factors

The Internal Credit Risk Ratings capture the factors like PD, EAD, LGD and also in some cases the maturity / tenor of the exposure. The diversification benefits in a portfolio of assets arising out of correlation between the different borrowers in the credit portfolio are captured in the Internal Credit Risk Models. The correlation between credit risk and other risk factors are captured in an Enterprise-wide risk management framework where the market risk, credit risk and operational risk are addressed on a uniform basis. The discussion paper by the Basel Committee on Banking Supervision on the Range of Practice in Banks' Internal Rating Systems published in January 2000 defines the internal ratings as under: The Internal Ratings are a key summary indicator of the risk inherent in an individual credit, Ratings typically embody an assessment of the risk of loss due to default of the counter-party, based on consideration of relevant quantitative and qualitative information. Although the approaches may vary from bank to bank but exposure in each internal grade typically have specific and measurable loss characteristics such as: •

The borrower's probability of default;

•

The facility's loss given default;

Credit Risk

73

•

The level of exposure at the time of default;

•

The credit's expected loss (EL), which is a function of these three variables; and

•

The unexpected loss (UL) associated with these and possibly other concepts and characteristics relating to borrowers and exposures.

Expected Loss and its Characteristics The Expected Loss (EL) is a product of Probability of Default (PD), Loss Given Default (LGD) and the Exposure at Default (EAD) and can be expressed symbolically as under: EL

=PO x LGO x EAO

Let us suppose that the bank has given a loan of Rs. 100 to a borrower. The chances of the borrower defaulting in a one-year horizon or the Probability of Default is 2%. When the default occurs, the loss (or the Loss Given Default) is likely to be 50%. In such a situation the Expected Loss on the transaction is .02 x 100 x .S or Rs. 1. The level of Expected Losses depends on the quality of constituent assets of a portfolio and the Portfolio Expected Loss is a simple sum of the Individual Expected Losses from all the risky assets in the portfolio and this relationship is linear and additive. The Expected Losses are taken care of by way of pricing and provisioning. The Expected Losses can be viewed as the normal cost of doing business. Many international banks such as Barclays Bank pic., Swiss Banking Corporation, Westpac (an Australian Bank) etc., are making provisions based on the expected losses at the time of origination of the loan/taking a credit asset on the balance-sheet itself. The provision based on expected losses (statistical or dynamic provisioning) is more risk sensitive and sophisticated as compared to the accounting methodology of making provisions. This methodology also generates information that is valuable for other purposes such as loan pricing and risk-based capital allocation. Secondly, under the accounting approach recognition of income and losses in the credit portfolio is at different pOints of time, inspite of the fact that the two events are related. While the accrued interest is booked on a monthly basis, provisions are made at a different time/intervals. By recognizing the Expected Losses in the credit portfolio the income and expenses are more clearly reflected at all points in time. The Assets are stated at Expected Net Realizable Value i.e. equal to Outstanding Principal less Expected Losses. This is one step forward towards marking to market the liabilities and assets of banks. Unexpected Losses: The Expected Loss indicates the average or the mean loss that the bank might incur on the transaction. It may however turnout that actual losses may be different from the Expected Loss. Unexpected Losses (UL) are those losses that deviate from the expected value. They can take any value. The actual loss (in the aforesaid example) may turn out to be Rs. 2 or Rs. 5 or something else.

The Unexpected Loss (UL) for an individual transaction is derived as under:

As the above equation shows the Unexpected Loss (UL) arises due to the variance (J2) of the LGD and the PD. In case (J2LGD and (J2PD are zero, i.e., there is no variance in PO or in LGD, the

74

Risk Management in Indian Banks

above expression becomes zero and the UL is zero. In other words, the unexpected losses will be equal to the expected losses. It is only on account of variations in PD and LGD values ex-post from their values taken ex-ante that gives rise to UL. At the portfolio level, the Unexpected Losses depend on the diversification of the portfolio. If a portfolio is well diversified then the probability of large Unexpected Losses is reduced. If a distribution of losses is drawn up, the Expected Losses would be somewhere near the center of the distribution. In a well-diversified portfolio the tail of the loss distribution gets shortened.

A fatter toul - less diversified portfolio

The toul is short. The loss a well portfolio ~ Expected Loss

The diversification in the context of portfolio approach to credit risk is based on the covariance of credit returns or the correlation among the constituent assets. Covariance measures the manner in which the prices of two assets vary in relation to each other and is a product of correlation and standard deviation of the two assets.

QUANTiFiCATioN of CREdiT Risk 1. Necessary Building Blocks: The building blocks for measuring credit risk in the Bank's portfolio and structuring the risk-related pricing for a credit relationship are the following: •

An internal Credit Risk Rating System.

•

Data on rating transition for each credit in the portfolio over a period of time.

•

Historical default data.

•

Historical loan loss data.

These building blocks are equally necessary when moving towards adopting Internal Rating Based (IRB) approach for arriving at capital requirement for credit risk. 2. Characteristics of a Good Internal Credit Risk Rating System: Critical to the adoption of the IRB approach proposed by the Basle Committee, as well as the prevalent credit risk measurement models is the existence and established use of a robust internal Credit Risk Rating System, generally conforming to following specifications: •

The system should have a mix of quantitative and qualitative risk factors.

•

Risk 'factors should normally relate to the borrower's financial condition, industry, standing of the borrower within the industry and quality of management.

•

The rating process and the mechanism by which various risk factors are combined to arrive at a credit risk rating should be well documented.

75

Credit Risk

•

A defined number of credit grades to achieve a fine distinction of the default risk of the various counter-parties. Ideally, there must be a minimum of six to nine grades for Performing borrowers and a minimum of two grades for non-performing borrowers, which enhances bank's ability -to analyze its portfolio risk position, appropriately Price low-risk borrowers and prudently allocate risk capital particularly to the non investment grade assets where the range of default rates is of a large magnitude.

•

The system should generate a meaningful distribution of exposure across grades and ensure that each grade does not exceed a specified gross percentage of credit exposures.

•

There should be clarity and consistency in implementation of the rating system bankwide. The operational flow of the process should be designed towards promoting accuracy and consistency of ratings without hindering the exercise of judgement.

3. Capturing of Rating Migration: Using the internal risk-rating model, the bank should arrive at a credit rating for each exposure in its portfolio, every year. The model should be consistently used across the portfolio and over the years and the bank should capture the ratings year-wise for each borrower in a database and track the migration in the rating categories over the years. From the data base the bank should build a transition matrix (frequency distribution) for a given horizon on a portfolio level. The transition matrix for a given horizon will look as indicated below:

AM

AA+

AA

A

BBB

BB+

BB

B

CC

C

Total

AM

100%

-

-

-

-

-

-

-

-

-

1

AA+

-

90%

10%

-

-

-

-

-

-

-

10

AA

-

2%

67%

31%

-

-

-

-

-

-

48

A

-

8%

75%

17%

1%

-

-

-

-

-

13%

71%

16%

1%

-

-

-

103

BBB

-

BB+

-

-

-

2%

21%

54%

21%

-

2%

-

52

BB

-

-

-

-

7%

14%

57%

7%

14%

-

14

B

-

-

-

-

-

-

0%

-

-

-

CC

-

-

-

-

-

-

-

50%

50%

2

-

-

-

-

-

-

-

-

0%

-

C

116

As per the above matrix, of 100 exposures, which were rated AA+ in year 1, 90 exposures retained their rating in year 2 (1 year horizon), while 10 slipped to AA rating. Similarly, of 100 exposures rated as BB+ in year 1 ,54 exposures remained at BB+ in year 2, whereas 21 exposures upgraded to BBB and 2 exposures to A while 21 slipped to BB and 2 defaulted (CC & C). The bank should build transition matrixes as above for every year (where the horizon is one year). From these matrixes, a mean (probability) transition matrix and a standard deviation matrix should be generated. The mean transition matrix will throw up the probability of an exposure with a given rating migrating upward or downward, including to a default stage (Probability of Default). For example, assuming the above matrix to be a mean transition matrix, the PD of a corporate rated BB over a one year period is 14%, while for a AA rated corporate the PD is estimated as Nil. Each internal risk rating will thus be associated with a particular PD over a stated horizon. This historical default/migration data will enable relating the rating to a relative frequency of default or they become the basis for the valuation of an asset.

76

Risk Management in Indian Banks

4. Historical Default Data (Exposure at Default): For capturing Historical Default data, ideally, the bank should capture data on every exposure, which defaulted in the history of the bank, but the same may be difficult. Bank should, therefore, capture data minimum over one year cycle. The types of data that the bank will capture for each exposure are: (a)

Nature and size of committed exposures on and off balance sheets at the time of default

(b) Actual exposure at the time of default (c)

Activity / Industry

Principally, (a) and (b) above for all defaulted credits will be used for computing the estimated Exposure at Default (EAD) in percentage terms. 5. Historical Loss Data (Loss Given Default): For capturing Historical Loss Data banks should capture following information for each of the defaulted exposure as mentioned in the preceding paragraph: (a)

Date of default

(b) Amount and date of each recovery made in the credit after default (c)

Expenses incurred on the credit after default for legal proceedings, maintenance of security, recoveries, etc.

(d)

Nature, seniority, share and value of security.

The bank should discount the cash flows and work out the present value of the net recovery in the credit as at the time of default. The net recovery as a percentage of the actual exposure at the time of default will give the recovery rate (%). 100 minus the recovery rate (%) will yield the Loss Given Default (LGD) expressed in percentage terms. This should be computed for each exposure to arrive at an overall estimated LGD. Besides an overall LGD, banks should also capture LGD specific to each industry as well as by seniority of charge on security and by type of exposure, which data can be used to assess LGD in a more realistic manner. 6. The New Basle Capital Accord and Credit Risk Management: The New Capital Accord has outlined new approaches for measurement of credit risk from a regulator y perspective and prescribing regulatory capital charge for credit risk. The New Accord is based on three pillars as under:

Pillar First Pillar Second Pillar Third Pillar

Focus Area Minimum Capital Requirement· Supervisory Review Process Market Discipline

In the New Capital Accord, while the definition of Capital Funds remains the same, the method of calculation of Risk Weighted Assets has been modified to factor market risk and operational risk, in addition to credit risk, that alone was reckoned in the 1988 Capital Accord. Different approaches may be adopted for arriving at the total risk weighted assets, in the Credit Risk Menu as mentioned ~~: . Standardized Approach: The bank allocates a risk weight to each asset as well as offbalance sheet items and produces a sum of RWA values. The risk weights are to be refined by reference to a rating provided by an external credit assessment institution that meets certain strict standards.

Credit Risk

77

Foundation Internal Rating Based Approach: The bank rates the borrower and results are translated into estimates of a potential future loss amount which forms the basis of minimum capital requirement. Advanced Internal Rating Based Approach: In this approach the range of risk weights will be well diverse.

~.6

CREdiT Risk RATiNG FRAMEWORk (CRF)

The amount of risk should be paired with some information of risk quality to assess a complete picture of risk. It can be captured through rating system. The system ranks borrowers according to their credit quality. Sometimes, facilities are also rated, in order to capture the quality of the protection against the default of the borrower that is embedded with the facility. A credit-risk rating framework is necessary to avoid the limitation associated with a simplistic and broad classification of an exposure into a good or bad category. A good rating framework should be capable to capture various kinds of risk which may have impact on the credit quality such as risk related to the economic scenario, industry, borrowers' position in the industry, financial risk, management related risk etc. The CRF should generate a number/alphabeUsymbol as a primary summary indicator of associated with a credit exposure. Such a rating framework is the basic module for developing a credit risk management system and all advanced credit risk models are based on the credit risk rating structure. The rating system can be used for following purposes:

(a) individual credit selection, wherein either a borrower or a particular exposure/ facility is rated on the CRF. (b)

Pricing (credit spread) and specific features of the loan facility. This would largely constitute transaction-level analysis.

(c)

Portfolio-level analysis.

(d) Surveillance, monitoring and internal MIS. (e) Assessing the aggregate risk profile of bank/ lender. These would be relevant for portfolio-level analysis. For instance, the spread of credit exposures across various CRF categories, the mean and the standard deviation of losses occurring in each CRF category and the overall migration of exposures would highlight the aggregated credit-risk for the entire portfolio of the bank. The grades (symbols, numbers, alphabets, descriptive terms) used in the internal credit-risk grading system should represent, without any ambiguity, the default risks associated with an exposure. The grading system should enable comparisons of risks for purposes of analysis and top management decision-making. It should also reflect regulatory requirements of the supervisor on asset classification (e.g. the RBI asset classification). The grading system should be flexible and should accommodate the refinements in risk categorization. The grading system adopted in a CRF could be an alphabetic or numeric or an alphanumeric scale. Since rating agencies follow a particular scale (MA, AA+, BBB etc.), it would be prudent to adopt a different rating scale to avoid confusion in internal communications. Besides, adoption of a different rating scale would permit comparable benchmarking between the two mechanisms. Banks may utilize a numeric rating scale. The number of grades for the "acceptable" and the "unacceptable" credit risk categories would depend on the finesse of risk gradation. Normally, numeric scales developed for CRFs are such that the lower the credit-risk, the lower is the calibration on the scale.

78

Risk Management in Indian Banks

Illustration

A rating scale could consist of 9 levels, of which levels 1 to 5 represent various grades of acceptable credit risk and levels 6 to 9 represent various grades of unacceptable credit risk associated with an exposure. The scale, starting from "1" (which would represent lowest level credit risk and highest level of safety/comfort) and ending at "9" (which would represent the highest level of credit risk and lowest level of safety/ comfort), could be deployed to calibrate, benchmark compare and monitor credit risk associated with the bank's exposures and give indicative guidelines for credit risk management activities. Banks may consider adopting suitable alphabetic prefix to their rating scales, which would make their individual ratings scale distinct and unique. The number of grades used in the CRF depends on the anticipated spread in credit quality of the exposures taken by the bank. This, in turn, is dependent on the present and the future business profile of the bank and the anticipated level of specialization/ diversification in the credit portfolio. CRFs with a large number of levels/grades on the rating scale are, as evident, more expensive to operate as the costs of additional information for (very) fine gradation of credit-quality increase sharply. A bank can initiate the risk-grading activity on a relative smaller/ narrower scale and introduce new Categories as the risk-gradation improves.

Key Outputs of the CRF •

The calibration on the rating scale is expected to define the pricing and related terms and conditions for the accepted credit exposures. It is possible to define broad pricing bands and directly link the band with the calibration on the rating scale. Further, refinement in the pricing proposal would be based on the bank's judgement of the prominent elements of the loan proposal and the relationship with the borrower.

•

In addition to the pricing related decisions, the calibration on the rating scale would allow Prescription of limits on the maximum quantum of exposure permissible for any credit proposal, The quantum (or amount of facility sanctioned) would depend on the credit-score on the CRF. These limits could be linked to an internal parameter (viz. a certain percentage of bank's capital funds) or could be linked to an external parameter (viz. a certain percentage of the total debt required by the borrower). This would help in a larger dispersion of risk amongst lenders and limit risk concentration rnoderate credit-quality projects.

•

The rating scale could also be used for deciding on the tenure of the proposed assistance.

•

The rating scale could also be used to decide on the frequency/ intensity of monitoring of the exposure. Banks may also use the rating scale to keep a close track of deteriorating credit quality and decide on the remedial measures, which the deterioration may warrant, For instance, the frequency of surveillance on category 5 exposures could be kept at quarterly intervals, while those on category 3 loans could be half-yearly. More importantly, movement of an existing exposure to the "unacceptat,Ip." category of credit risk (grades 6 to 9) should directly identify the extent of provisioning (loan loss reserves) that need to be earmarked for expected losses.

•

Though loss-provisions are often specified by the regulator (e.g. the RBI provisioning norms), banks should develop their own internal norms and maintain certain level of "reasonable over-provisioning" as a best practice. Specifically, while the credit exposure/

Credit Risk

79

asset is clearly facing rapid/steady erosion and is on the downhill transition path, anticipatory provisioning can be done based on the calibrations on the riskrating scale. These provisions could be in the nature of general provisions.

OpERATiNG DESiGN of ThE CRF Which Exposures are Rated?: The first element of the operating design is to determine which exposures are required to be rated through the CRF. There may be a case for size-based classification of exposures and linking the risk-rating process to these size-based categories. The shortcoming of this arrangement is that though significant credit migration/deterioration/erosion occurs in the smaller sized exposures, these are not captured by the CRF. In addition, the size-criteria are also linked with the tenure-criteria for an exposure. In several instances, large-sized exposures over a short-tenure may not require the extent of surveillance and credit monitoring that is required for a smaller sized long-tenure exposure. Given this apparent back of clarity, a policy of 'aI/ exposures are to be rated' should be followed. The Risk-Rating Process: The credit approval process within the bank is expected to replicate the flow of analysis/ appraisal of credit-risk calibration on the CRF. As indicated above the CRF may be designed in such a way that the risk rating has certain linkages with the amount, tenure and pricing of exposure. These default linkages may be either specified upfront or may be developed with empirical details over a period of time. The risk rating assigned to each credit proposal would thus directly lead into the related decisions af acceptance (or rejection), amount, tenure and pricing of the (accepted) proposal.

For each proposal, the crediU risk staff would assign a rating and forward the recommendation to the higher level of credit selection process. The proposed risk rating is either reaffirmed or re-calibrated at the time of final credit approval and sanction. Any revisions that may become necessary in the risk-ratings are utilized to upgrade the CRF system and the operating guidelines. In this manner, the CRF maintains its "incremental upgradation" feature and changes in the lending enviromnent are captured by the system. The risk-rating process would be equally relevant in the credit-monitoring/ surveillance stage. All changes in the underlying credit-quality are calibrated on the risk-scale and corresponding remedial actions are initiated. Assigning and Monitoring Risk-Rating: In conventional banks, the practice of segregating the "relationship management" and the "credit appraisal" functions is quite prevalent. One of the variants of this arrangement is that responsibilities for calibration on the risk-rating scale are divided between the "relationship" and the "credit" groups. All large sized exposures (above a limit) are appraised independently by the 'credit' group. Generally, the activities of assigning and approving risk-ratings need to be segregated. Though the front office or conventional relationship staff can assign the risk-ratings, the responsibilities of final approval and monitoring should be vested with a separate credit staff. Mechanism of Arriving at Risk-Ratings: The risk ratings, as specified above, are collective readings on the pre-specified scale and reflect the underlying credit-risk for a prospective exposure. The CRF could be separate for relatively peculiar businesses like banking, finance companies, real-estate developers, are. For all industries (manufacturing sector), a common CRF may be used. The pecularity of a particular industry can be captured by assigning different weights to aspects like entry barriers, access to technology, ability of new entrants to access raw materials, etc. The following step-wise activities outline the indicative process for arriving at risk-ratings.

80

Risk Management in Indian Banks

Step I

Identify all the principal business and financial risk elements

Step II

Allocate weights to principal risk components

Step III

Compare with weights given in similar sectors and check for consistency

Step IV

Establish the key parameters (sub-components of the principal risk elements)

Step V

Assign weights to each of the key parameters

Step VI

Rank the key parameters on the specified scale

Step VII

Arrive at the credit-risk rating on the CRF

Step VIII Compare with previous risk-ratings of similar exposures and check for consistency Step IX

Conclude credit-risk calibration on the CRF.

The risk-rating process would represent collective decision making principles and as indicated above, would involve some in-built arrangements for ensuring the consistency of the output. The rankings would be largely comparative. As a bank's perception of the exposure improves/changes during the course of the appraisal, it may be necessary to adjust the weights and the rankings given to specific risk-parameters in the CRF. Such changes would be deliberated and the arguments for substantiating these adjustments would be clearly communicated in the appraisal documents. Standardisation and Benchmarks for Risk-Ratings: In a lending environment dominated by industrial and corporate credits, the assignors of risk-ratings utilize benchmarks or pre-specified standards for assessing the risk profile of a potential borrower. These standards usually consist of financial ratios and credit-magration statistics, which capture the financial risks faced by the potential borrower (e.g. operating and financial leverage, profitability, liquidity, debt-servicing ability, etc.). The business risks associated with an exposure (e.g. cyclicality of industry, threats of product or technology substitution etc.) are also addressed in the CRF. The output of the credit-appraisal process, specifically the financial ratios, is directly compared with the specified benchmarks for a particular risk category. In these cases, the risk rating is fairly standardized and CRF allocates a grade or a numeric value for the overall risk profile of the proposed exposure. Illustration The CRF may specify that for the risk-rating exercise: If Gross Revenues are between Rs. 800 to Rs. 1000 crores

assign a score of 2

If Operating Margin is 20% or more

assign a score of 2

If Return on Capital Employed (ROCE) is 25% or more

assign a score of 1

If-Debt: Equity is between 0.60 and 0.80

assign a score of 2

If interest cover is 3.50 or more

assign a score of I

If Debt Service Coverage Ratio (DSCR) is 1.80 Or more

assign a score of 1

Credit Risk

81

The next step would be to assign weights to these risk-parameters. In an industrial credit enviromnent, the CRF may place higher weights on size (as captured in gross revenues), profitability of operations (operating margins), financial leverage (debt: equity) and debt-servicing ability (interest cover). Assume that the CRF assigns a 20% weight to each of these four parameters and the ROCE and DSCR are given a 10% weight each. The weighted-average score for the financial risk of the proposed exposure is 1.40, which would correspond with the extremely low risk/highest safety level-category of the CRF (category 1). Similarly, the business and the management risk of the proposed exposure are assessed and an overall/comprehensive risk rating is assigned. The industrial credit environment permits a significantly higher level of benchmarking and standardization, specifically in reference to calibration of financial risks, associated with credit exposures. For all prominent industry-categories, any lender can compile profitability, leverage and debt-servicing details and utilize these to develop internal benchmarks for the CRF. As evident, developing such benchmarks and risk-standards for a portfolio of project finance exposures, as in the case of the bank, would be an altogether diverse exercise. The CRF may also use qualitative/ subjective factors in the credit decisions. Such factors are both internal and external to the company. Internal factors could include integrity and quality of management of the borrower, quality of inventories/ receivables and the ability of borrowers to raise finance from other sources. External factors would include views on the economy and industry such as growth prospects, technological change and options.

Written Communication and Formality of Procedure: The two critical aspects of the formality of procedure in the risk-rating process are: (i) the process-flow through which a credit-transaction would flow across various units and (ii) the written communication on the risk-ratings assigned to a particular proposal. The process-flow required for the credit appraisal exercise, may be explicitly drafted and communicated. It may clearly identify the transactions and linkages between various operating units of the bank. The above discussion broadly presents some of the essential dimensions in the design of a CRF by banks. These details are indicative of the scope of work required for the CRF Banks may make appropriate modifications to suit their requirements.

CRFs ANd AGGREGATioN of CREdiT.. Risk Analyzing exposures using the CRF technique would highlight the spread (or frequency distribution) of the credit-risk in the bank's asset portfolio and would give an indication for its future asset build-up efforts. This section briefly covers some aspects of portfolio credit-risk management, a process that would possibly be facilitated by implementing the CRF.

Portfolio Surveillance and Reporting The conventional internal MIS of a bank would identify the problem-loans in the asset portfolio, as per the guidelines given by the regulator (Le. the asset-classification guidelines of RBI). These details, however, represent only a component of the credit-risks accumulated in the asset portfolio of a bank. The CRF can be used for informing the top management on the frequency distribution of

82

Risk Management in Indian Banks

assets across risk-rating scale. the extent of migration in the past (e.g. movement of exposures from higher to lower risk-categories or vice versa) and the anticipated developments in the aggregated credit portfolio. The senior management may benefit from such outputs in terms of steering the organization through various risk-cycles (e.g. initial low-risk low-return phase to consolidation and further to an incremental rise in relatively high-risk high-return exposures).

Adequate Levels of Provisioning for Credit Events The spread of the asset portfolio across the risk-rating scale and the trends in rating migration would allow the bank management to determine the level of provisioning required. in addition to the regulatory minimum. to absorb unanticipated erosions in the credit quality of the assets. In most cases. provisions for loan-losses are based on the Prevailing regulatory and accounting directives. However. the management may find merit in certain prudent level of "over-provisioning". This exercise may add stability and resilience to the capital adequacy and profitability of the bank. The extent of provisioning required could be estimated from the Expected Loss on Default (which is a product of the Probability of Default (PO) and Loss Given Default (LGD). Since these probabilities can be assigned only after significant empirical details are available, an alternative would be to adopt a policy of allocating! provisioning an amount which may be a proportion of the aggregate exposures in the risk-rating scale which reflect the likelihood of the assets slipping into the NPA category.

Guidelines for Asset Build-up, Aggregate Profitability and Pricing A clear analysis of the prevailing risk-posture of the bank. facilitated by the CRF. would give strong recommendations for future asset build-up and business development activities. The extent of provisioning would be based on actual and anticipated erosion in credit quality and would define the "cost" of maintaining an exposure in the bank's credit Portfolio. A similar analysis could be undertaken for a specific credit-product and the risk-adjusted return can be assessed. This will involve an analysis of the pricingdecisions, provisioning requirements. loss on default and the incremental impact on bank's profitability.

An Illustrative model for risk rating exercise is given in Annexure. The model is illustrative in nature an banks may suitably modify the same keeping in view their business requirements.

Credit Risk

83

ANNEXURE The risk rating of a borrowal company relates to future, which is uncertain. Risk emetes from uncertainty and is co-extensive with the latter. It means the more hazy and uncertain is the future; the higher is the element of risk. While measuring the risk involved in lending, the banker has to assess the chances of repayment of the proposed has with interest in time by the prospective borrower. It is a sort of risk measurement exercise. In other words, the risk measurement by a bank in regard to a prospective borrower involves gathering of information on the probability of that prospective loan meet remaining "standard" and performing in future. The collection of such relevant data and information entail detailed analysis of various parameters encompassing position of the economy, position of the industry, borrower's position in the industry, borrower's financials, management quality, and availability of collateral security coverage, past dealing experience, and any other parameter, which may be considered relevant to any particular case under consideration. The bank can evaluate borrower's creditworthiness, financial strength, accounting policies, cash flow adequacy, and position of economy, industrial outlook, management expertise and capacity to assess the level of risk in any proposal.

ECONOMY ANd INdUSTRY Economy: Any development in the economic environment and industrial outlook can have far reaching impact on the strength of any industrial sector in general and any industry/borrower in particular. The health of the economy can be measured by the GDP growth as well as economic/ credit policies announced by the Government and the Reserve Bank of India. The economic survey published by the Govt. also highlights the conditions of the economy and various sectors thereof. By referring to such reports some basic parameters can be derived to assess and fixing benchmark levels of relevant set of norms which need to be applied to any borrower subjected to risk rating exercise. Some of such parameters are as mentioned below, out of which suitable parameters can be applied while assessing risk rating: (i) performance of the economy in terms of GDP growth-effect of the growth of GDP of the economy on the industry; (ii) monetary indicators-effect of Credit Policy of the Reserve Bank of India; (iii) external trade and commerce decisions-changes in import duty, bilateral pacts etc; (iv) global commitments- acquiring membership of bodies like WTO; (v) global macro economic indicators-performance of developed economies or demand supply gaps in other economies for the product; (vi) consumption growth-disposable income with consumers leading to higher growth of the industry; (vii) level of infrastructure growth leading to performance of the indu;;'lry; (viii) other economic policies of the Government e.g. abolition of licensing, entry of private participants, rationalization of excise duties etc. All these parameters of economy section may not be relevant for all the industries and therefore relevant parameters may be identified and applied to the borrower being rated.

84

Risk Management in Indian Banks

INduSTRY Industry out Look: Each industry is a group of individual firms producing homogenous products. Obviously a company is operating as one unit in the industry and any factor affecting the fortune of the industry is bound to affect the each operating unit of the industry. In other words risk always passes on to individual units or companies belonging to that industry. Similarly, various industries within the country are interdependent on another in a complex manner and because of interdependency their fortune is linked with one another in general and availability of infrastructure facilities in the economy in particular. Banks generally do have Economic Intelligence Department where analysts specialize in each industry and assess the prospects of various industries in which they have considerable stake. Department prepares industry studies, highlighting various positive and negative features/factors, including trade cycle, economic trends, Government regulations and industrial policies, state of basic facilities like power, transport and communication, ports, competition, technological change, export outlook, labour laws etc. Various factors affecting future performance of an industry may include both favorable and unfavorable factors e.g.

S.No. Favorable Factors

S.No. Un-favorable Factors

1.

Steady growth in in demand

1

Low priority in the- eyes of the Government

2.

Low level of competition

2

Intense competition-low level of margin

3.

Sunrise industry experiencing

3

Excess of supply over demand

High supportive Govt. policy

4

Sunset industry with bleak future

High margin and likely to continue

5

Sluggish global demand.

very high growth

4.

5.

in future due to rare skill

6.

Bright overseas demand.

Importance of the industry to the economy is a very important factor to decide that how the industry will function in future. If an industry is such that other industries and other sector of the economy heavily depend on the industry under reference then there are always chances that the unit will perform and the expected Govt. policies will be favorable to it. While examining the importance of the industry some of the relevant parameters may be considered: (i) level of importance of the industry to the economy-support of the industry to other industries by way of raw material and othet supplies e.g. borrower industry belonging to the core sector; (ii) impact of the industry specific Govt. regulations-effect of various controls of the Govt. over the industry e.g Drug Price Control Order in drug industry; (iii) growth in market size/historical growth rates etc.--compounded annual growth rate may be used for the purpose; (iv) Inputs/raw material availability-indigenous supplies of quality goods, substitutes, affordability etc. (v) Diversification among different consumer segments-market concentrations for the product demand;

Credit Risk

85

(vi) Demand supply gap; (vii) Threat of substitutes-products with powerful substitutes may be considered as risky; (viii) Effect of cyclicality/seasonality in the industry; (ix) Industry financials-profitability (operating profit margin, return on capital (x) Industry financials employed, earning stability), others (debt-equity ratio, current ratio Availability of transportation and cost effectiveness; (xi) Influence of a parallel and unorganized market structure; (xii) International competitiveness-quality, prices etc. Some of these aspects affect the industry in one way or the other and therefore to assess the risks involved with the industry relevant parameters need consideration.

Borrower's Position in the Industry While the economy and the industry give a general overview about the performance of the industry, the position of the borrower in the- industry also plays a very important role in assessing the level of risk and making risk rating useful. The parameters for this purpose could be as under; (i) Barriers to entry-high start-up cost, high gestation period, existing players' control, Govt. regulations, brand equity, extent of investment in R&D, technology etc.; (ii) Locational issues-availability of infrastructure, proximity to inputs, proximity to market, presence in a state with favorable policies etc.; (iii) Operating efficiency of the borrower-the borrower's operating ratios compared to industry standards; (iv) Size of the closest competitor-turnover of the borrower vis-a-vis turnover of the closest competitor; (v) Product characteristics, product range, quality, support service facility, customization of the product as per customer's need; (vi) Comparison of indirect cost structure e.g employee cost, selling and distribution cost etc.; (vii) Applicability of the level of technological sophistication of the product; (viii) Capacity utilization; (ix) Market share information; (x) Distribution Set-up; (xi) Target markets-diversification. While making assessment of risk for rating purposes these aspects for study of the borrower's position in the industry can playa very important role and should be taken into consideration appropriately.

86

Risk Management in Indian Banks

BORROWER'S FINANCIALS The rnost important aspect in risk rating exercise is the study of the financial strength of the borrower who is being rated. If the borrower himself is strong enough to face the .. erging situations, may be due to any factor, and his cash flows/ liquid sources are sufficient to meet the liabilities, foreseen or unforeseen, the risk will be minimal and.risk rating will be stl.Jng. For the purpose of study of the financials certain preliminary tasks need to be completed e.g. the balance sheet and the profit & loss account for the last three years should be transformed into a standardized format to ease in presentation and analysis. The accounting quality of the financial statements in respect to the use of proper accounting standards as per Indian GMP, remarks of the auditors of the borrower should be studied and impact of the same should be applied with retrospective effect. Future projections made by the borrower should also be analyzed in the same manner. Various relevant ratios should be computed and put on a pre-determined scale of measurement of benchmark levels fixed for the purpose. The assessment of risk can be done statically as well as dynamically i.e., the ratio as per latest audited balance sheet may be given weightage as per prescribed bench-marks (static study), a comp,arison may be made by making a study of movement of ratios over a period of time so also by making comparison of ratios with the industry level ratios or the ratios of nearest competitor (dynamic study). These studies and comparisons will help in making proper analysis of strengths and weaknesses of the borrower and ultimately to arrive at the level of risks connected with the account. The study of borrower's financials (static and dynamic) may be done by computing and analyzing following ratios:

1. Profitability Ratios Operating Profit Margin (OPBDIT/Operating Income)-it assesses the profitability from the main operations of the borrower. The cost efficiency of the borrower can also be assessed. Return of Capital Employed ={(PAT+lntt.)*(1-Tax Rate)+-(Total Debt + Net Worth)}-it asseses the return on the investment made in the borrower's business. It can be compared with the industry standards.

2. Solvency Ratios Total Debt Equity Ratio Long-Term Debt Equity Ratio

These ratios reflect debt-paying capacity of the borrower. These also reflect promoters stake in the business vis-a-vis the outside liabilities. These ratios will be lower if TNW of the borrower is high and will be an index of the strength of the customer reflecting cushion available to creditors in the event of any big losses to the company or decrease in its asset value. Level of contingent IibilitiesITNW

This ratio measures the amount of contingent liabilities as a proportion to TNW since any devolvement of contingent liabilities will reduce the TNW.

Liquidity Ratios Current Ratio (Current Assets/ Current Liabilities) Quick Ratio (Current Assets-Inventory) +- Current Liabilities Net Working Capital (Current Assets Current Liabilities)

Credit Risk

87

Current liabilities are paid out of current assets. Hence, the extent of current assets over current liabilities is a test of short-term liquidity. That is why higher the net working capital (excess of current assets over current liabilities) of a company better or more creditworthy it is from the angle of liquidity criteria. Quick ratio is a slightly stricter test of liquidity of a company. While current ratio is a relative measure of liquidity, which can be used for the purposes of inter-firm comparisons, the net working capital is an absolute measure and can be used for inter-period comparisons of a company.

Activity Ratio,s These ratios are also described as turnover ratios. Any number of turnover ratios can be computed to arrive at the rating e.g. Rate of turnover of total tangible assets (Net Sales! Total Capital Employed) Fixed assets turnover ratio (Net Sales! Net Fixed Assets) Current assets turnover ratio (Net Sales! Current Assets) This ratio can be further bifurcated in various components of current assets e.g. receivable turnover ratio, inventory turnover ratio etc. Activity ratios can also be described by way of average debtor collection period, average material holding period, average finished goods holding period etc. These ratios give indication about how the company's activities are being conducted and results may be drawn by carrying out inter-firm!inter-period comparisons. Analysis of borrower's financials as of a given date alone in a static manner will not give a clear indication of the soundness of the activity of the borrower. All these ratios should be examined in a dynamic manner by drawing/making comparisons of actual with last estimates and future projections as well as with industry data developed by industry intelligence department of the bank or received from outside intelligence services engaged in providing such data against payment! subscription. Keeping in view past trends a pre-determined comfort level may be used to assess the strength. Besides the financials mentioned above cash flow adequacy could also be utilized to judge availability of cash coverage for interest payments! meeting debt obligations by the borrower in future. For term loans stress testing or scenario analysis may be undertaken which will help in evaluating the worst case scenario of the borrower's ability to make repayments and in making comprehensive view on the risk involved. Stress testing is the analysis of the change in the end result for a change in the given variables like: Expected sales volume growth; Expected realization per product; Expected capacity utilization; Change in the duty structure; These criteria will depend upon the nature of activity of the borrower.

88

Risk Management in Indian Banks

MANAGEMENT OUAlil)' Like industry analysis, evaluation of managerial quality is more subjective as compared to borrower's financials. But for rating of risk and creditworthiness of a client, evaluation of managerial competence is very necessary and is recognized generally by all the b?nks. Management competence evaluation may be done by taking into consideration various aspects such as: Technical expertise of personnel; Professional approach; Hands-on experience of the management; Industrial relationship in the past; Well defined succession plan; Strategic initiatives in the past; Good governance; Resistance during adverse situations; Honouring financial commitments; Professional approach; Presence in RBI default list; Quality of information supplies in the past; Group performance, and support from group companies etc. I

Management competence evaluation may be subjective to certain extent.

CollATERAl SECURil)' ANd lOYAll)' Availability of cover of collateral security and loyal and satisfactory dealings of the client over a period could also be criteria for risk assessment. If the client has given collateral cover for full value of risk a cushion is available to the bank in case of difficulty which reduces the risk level and suitable weights can be given depending upon risk perception. Past dealing experience also gives an insight of level of risk involved with a particular client. Taking into consideration all these aspects banks can develop their risk rating system by using their own credit rating matrix by prescribing scores and weights to various criteria and then a grading pattern for the borrowal accounts at micro level and for the portfolio as a whole at macro level can also be developed. The rating system can be used for pricing of loans as per corporate policy of the bank. Keeping in view these parameters a risk rating model may be developed as under which may be initially applied to large borrowal accounts over and above certain pre-determined cut-off point.

Credit Risk

89

Risk Rating Model for borrowers enjoying limits of Rs.

Crores and above

Particulars of the Borrower

Name of the Borrower: Branch: Region: Rating for the Period:

Marks scored/Risk Rating assessed (Summary) Marks Obtained Economy & Industry Section

Maximum Score

Weights

-

56

15

-

40

20

-

100

35

-

8

15

-

48

15

252

100

%

(To be done by Head Office - as per Module I) Borrower's Position in the Industry

(To be done at the Branch - as per Module II) Borrower's Financials

(To be done at the Branch - as per Module III benchmarks and tolerance levels prescribed by Head Office) Collateral Security & Loyalty

(To be done at the Branch - as per Module V) Management Quality

(To be done at the Branch - as per Module IV) TOTAL Rating Assigned as per net score of the borrower

Net Score

90

Risk Management in Indian Banks

MODULE

1-

ECONOMY AND INDUSTRY

There is one compulsory parameter marked 'C' and other relevant parameters marked 'R' (out of which two relevant parameters should be chosen for the industry) ECONOMY SECTION

Sr. No.

Parameter

CIR

Criteria

Beneficial (4)

1.

Performance of the economy in terms of GOP Growth

C

Effect of the growth of GOP of the economy on the Industry

2.

Monetary Indicators

R

Effect of restrictive credit policy of RBI

3.

External trade and commerce decisions

R

Change in import duty, bilateral trade pacts etc.

4.

Global Commitments

R

Acquiring membership of bodies like WTO

5.

Global Macroeconomic Indicators

R

Performance of developed economies or demand supply gaps in other developing economies on the product

6.

Consumption Growth

R

Higher amount of disposable income being used for consumption leading to higher growth of industry

7.

Level of infrastrustural growth

R

Level of growth in infrastructure in the country would affect the performance of the industry

8.

Other economic policies of the Government

R

Effect of formulation of new economic policies and change in existing policies e.g. abolition in licensing, entry of private participants rationalisation of excise duties etc.

Favour- Neu- Unfav- Dama- Marks able tral ourable glng Scored (3)

(2)

(1)

(O)

,

Credit Risk

91

INDUSTRY SECTION There are 10 compulsary parameters marked 'C' and 3 relevant parameters marked 'R'. (out of which 1 relevant parameter'should be chosen.

Sr.

Parameter

CIR

Criteria

Allotted Marks

No.

1.

2.

3.

4.

Level of importance of the industry to the economy

C

Impact of industry specific Govt. regulations

C

Growth in market size to historical growth rates

C

InpuVs RawMaterialAvailability

C

Support of industry to other industries by way of raw material and other supplies e.g. borrower industry belonging to core sector

Very High (4)

High

Mode rate

Low

Insignificant

(3)

(2)

(1 )

(0)

Effect of various control of the Govt. over the industry e.g. DPCO in Drugs Industry

Beneficial (4)

Favourable

Neutral

(3)

(2)

Growth in market Very size (for sunrise High (4) industries) I CAGAR for historical growth rate Compounded Annual Growth Rate

High

Moderate

Low

Negative

(3)

(2)

(1 )

(0)

To consider availability of

Very High (4)

High

Moderate

Low

Very Low

(3)

(2)

(1 )

(0)

Very High (4)

High

Moderate

Low

Very Low

(3)

(2)

(1 )

(0)

Unfav- Damaourable ging (1 ) (0)

(a) Quality inputs indigenously (b) Substiutes for inputs (c) Smooth supply without interference of cartels (d) Affordability of quality inputs

ARITHMETIC MEAN OF (a+b+c+d)/4

5.

Diversification among different consumer segments

C

Diversification of market concentration risk say not relying on a particular segments

Marks Score

92

Risk Management in Indian Banks

6.

7.

Demand Supply Gap

Threat of Substitutes

C

C

Positive demand supply gap or negative gap, over capacity in the industry

Beneficial (4)

Favourable

(3)

Products with No powerful substitutes Threat are Risky. (Number (4) SubstituteslDeg ree of replaceability by the substitutes)

8.

Cyclicality/Sea sonality

C

Effect of Cyclical effects of the industry on the earning stability

9.

Industry FinancialsProfitability (Average of)

C

Industry's Operating Profit Margin (OPM)

Low threat

(3)

Low (4)

Earnings Stability

10. Industry FinancialsOthers

C

Total Debt-Equity Ratio (TOE)

Moderate (2)

High (1 )

Moderate (2)

10%

5%

0%

DL) a decrease in interest rates will have a positive impact on net interest income as well as the market value of the equity of the bank. In other words net interest income will increase. When the duration gap is negative (DL>DA) net interest income as well as the market value of the equity of a bank increases with the increase in interest rates. Thus, the technique of duration analyses the impact of changes in interest rates on net interest income as well as market value of equity of a bank.

6.7.7 SiMUlATioN ANAlysis Simulation is an interactive process for assessing impact volatility of Net Interest Income under different interest rate scenarios. This technique involves making assumption about future path/futuristic movements in interest rates, shape of yield curve, change in business mix, pricing and hedging strategies, etc. The simulation involves detailed assessment of the potential effects of the changes in interest rates on earnings and economic value. The simulation techniques involve detailed analysis of various components of on and off-balance sheet positions. Since a lot of data is used, with so many assumptions, simulation analysis requires to develop computer-based models for analysis. Simulation technique attempts to overcome the limitations of Gap and Duration approaches by computer modelling the bank's interest rate sensitivity. The output of simulation can take a variety of forms, depending on users' need. Simulation can provide current and expected periodic gaps, duration gaps, balance sheet and income statements, performance measures, budget and financial reports. The simulation model provides an effective tool for understanding the risk exposure under variety of interest rate/balance sheet scenarios. This technique also plays an integral-planning role in evaluating the effect of alternative business strategies on risk exposures. The simulation can be carried out under static and dynamic environment. While the current on and off-balance sheet positions are evaluated under static enviromnent, the dynamic simulation builds in more detailed assumptions about the future course of interest rates and the unexpected changes in bank's business activity. The usefulness of the simulation technique depends on the structure of the model, validity of the assumption, technology support and technical expertise of banks. Many of the international banks are now using balance sheet simulation models to gauge the the effect of market interest rate variations on reported earnings/economic values over different time zones.

6.7.8 MARkET VAlUE ANd INTEREST RATE Risk All debt instruments/securities which provide a fixed income or return to the investors irrespective of any change in the interest rate in the system/market like Government! Quasi-Government debt instruments, corporate debentures, PSU bonds etc., carry risk of change in market value whenever there is a change in interest rates. The interesUincome on these securities is fixed at the time of issue. After the issue, when there is a change in the interest rate for similar type/risk instrument, the prices/values of these securities undergo change in the market so as to provide the new investor with the market rate of return. For example, if a Rs. 100 bond with a maturity of three years is providing a fixed interest income of 10% p.a. and the market interest rate has increased to 12%, the price of the bond will fall to such an extent (Rs. 95.20) that the new investor with a lower base purchase price will get a return of 12%. The vice versa will also happen i.e. if the market Interest rate falls to 8%, the price of the bond will appreciate to Rs. 105.15 and with the higher base purchase price, the investor will be able to reap a return of only 8% and not 10% fixed for the bond.

Market Risk

161

It may, therefore, be observed that the price of a bond will always change with the change in interest rate in the system/market. Such equilibrating change in bond price is known as 'bond dynamics'.

6.7.9

TECIiNiQUES FOR MANAGEMENT of INTEREST RATE Risk

For management of interest rate risks various strategies can be adopted some of which are listed below: • Dedication: In this method matching of the cash flows of various assets and liabilities is required. For this purpose groups of assets and liabilities, whether original or constructed, with matching duration and convexities are developed and analyzed. Specific assets and lor liabilities to iron out mismatches can also be considered. Inspite of high transaction cost at the outset while setting up dedication of assets and liabilities, this is a simple method to use. This eliminates interest rate risk and liquidity risk if properly implemented. There is no need to rebalance hedges or undergo future transaction costs either. However, finding suitable assets and liabilities matching enough to set up dedication is difficult. • Immunization: In this method, the duration of the portfOlio is the important measure used. The average duration of the asset portfolio and that of the liability portfolio are matched together and if necessary, specific assets/liabilities churned around in order to create a duration match. Also, off-balance sheet items can be chosen to construct the immunized portfOlio. Since the duration is the operative constraint, there is a large flexibility in the choice of instruments.

This strategy preserves the market value against any change in interest rates. However, convexity differences are not taken care of in this, and as a result periodic rebalancing is needed. This strategy is also exposed to non-parallel shifts in yield curves. • Indexation: In this indexing of assets is required to be done against a specific bond index (which could be broad based or customized). This is done by targeting the average duration of assets to that of the specific index, the objective being to match or exceed the index, on a weighted market basis.

It might not be possible to replicate the index exactly, but a close match is usually good enough. • Active Management: The essence of this strategy is in taking advantage of shifting relative values by taking positions between various instruments and various maturities etc. Positions on various kinds of swaps like basis swaps, yield curve swaps are also required to be taken and duration matched off setting swaps.

Though termed a rate risk management strategy, this implies taking position on basis risk, yield curve risk, credit risk etc. • Rate Anticipation: This involves taking views on the rate movements in respect of balance sheet exposures and taking decisions. As is obvious, this is the riskiest strategy and can compound the original exposure leading to enhanced losses in adverse conditions. Likewise there are a number of interest rate protection or management products available in the global market which can be utilized to manage interest rate risk.

There are a plethora of interest rate protection or management products available in the global market today. However, most of these are specific and tailored/customized to meet specific needs e.g.

162

Risk Management in Indian Banks

• Swaps: Swap is a contract under which the parties agree to exchange cash flows, the amounts of which are determined by reference to an underlying asset, instrument, index, or notional amount. An interest rate swap is a legal agreement between two counter parties involving the exchange of fixed rate interest for floating rate interest in the same currency calculated by reference to an agreed notional amount of principal. • Forward Rate Agreements: FRA is a contract for difference under which one party (the buyer) and (the other party the seller) agree to exchange at a specified time the difference between a pre-agreed fixed rate and the then current interest rate. If rates have risen, the seller pays to the buyer at maturity the difference in rates. If on the other hand, rates have fallen, the buyer pays the seller, the difference. Unlike caps or floors, there is no payment of an up-front premium. Forward rate agreement is a contract, which is akin to a forward contract in case of a foreign currency. If a party intends to borrow/lend at a future date he can do so on that date at the predetermined rate which will eliminate the uncertainty regarding interest rates. FRA is an interest rate contract for exchange, whereby the two parties to a contract agrees to exchange the difference between the market rate of interest (generally inter-bank offered rate) on the contract's effective date, and the pre-agreed fixed rate, struck on the date of execution of the FRA contract. • Caps: Cap is a transaction in which one party (the buyer) pays an up-front premium to the other party (the seller) in return for the obligation to pay a single or periodic amount representing the excess, if any, of the current rate or price over a pre-agreed rate or price. A cap provides the right to receive the difference amount in case of increase in interest rates; it will not have the obligation to pay the difference in case of decline in interest rates. However, the bank will have to pay premium to the seller of the Cap on the date of contract. • Floors: Floor is a transaction in which one party (the buyer) pays an up-front premium to the other party (the seller) in return for the obligation to pay a single or periodic amount representing the excess, if any, of a pre-agreed rate or price over the current rate or price. A floor transaction establishes a minimum interest rate or price for the buyer and is usually entered into by the buyer for the purpose of limiting its exposure to any downward movement in an interest rate or a price. It is useful for a lender needing protection against interest rate falls. If the bank is lending instead of borrowing it can buy a floor to ensure that it can take the benefit of increase in the interest rates while not suffering from a fall in interest rates by paying an upfront fee to the seller of the floor. • Collars: Collar is the combination of Cap and Floor where one party (the buyer) sells a cap at one level and, in order to reduce some or all of its costs, sells a floor at a lower level and thus the advantage of favourable movements and the disadvantages of adverse movements are bound by limits specified. Consequently, the upfront premium in case of a collar is lower than that of a cap or a floor. • Futures: Futures are contracts to buy or sell a standard quantity of a specific asset at a predetermined future date and at a price agreed. It is a form of forward contract, which conveys the right to purchase or sell a specified quantity of an asset at a fixed price on a fixed future date. • Options: Options give right but not the obligation to buy or sell. There are two forms of options. Put options are contracts sold for a premium that gives one party (the buyer) the right, but not the obligation, to sell to the other party (the seller) of the contract, a specified quantity of a particular product or financial instrument at a specified price. Call options are similar contracts sold

Market Risk

163

for a premium that gives the buyers the right, but not the obligation, to buy from the seller of the option. By their nature, options give rise to different risk profiles between buyers and sellers. Option buyers are exposed to limited loss (Le. the premium or fee), but theoretically unlimited profits. Option sellers, on the other hand, have limited opportunities for profits, but potentially unlimited loss, although such exposures can be limited by hedging or by contractual provisions which "cap" the amount of potential loss. Usually one or more of the above is used to address specific problems of interest rate risk management. However, there are certain difficulties in implementation of these strategies in the Indian markets which include: •

Absence of well defined yield curves

•

Non-availability of Instruments

•

Incompleteness of Markets

•

Regulation of certain aspects

•

Low maturity level of the market.

6.8 MANAGEMENT of FOREiGN ExchANGE Risk 6.8.1 FOREiGN ExchANGE Risk The risk inherent in running open foreign exchange positions have been heightened in recent years by the pronounced volatility in forex rates, thereby adding a new dimension to the risk profile of banks' balance sheet. Foreign exchange risk is the risk arising from a foreign currency exposure. Foreign Exchange Risk is the risk that a bank may suffer loss as a result of adverse exchange rate movements during a period in which it has an open position, either spot or forward, or a combination of the two, in an individual foreign currency. Foreign currency exposures and the attendant risks arise, whenever a business has an income or expenditure, or an asset or liability in a currency other than the balance sheet currency. Exposures will thus include foreign currency denominated items in the balance sheet, contracted purchases and sales, foreign currency denominated receipts and payments which could fructify if the proposed trading activity is realized. The commonly understood three types of currency exposures are transaction, translation and economic exposures. Transaction Exposure can be defined as the risk that the base currency value of a foreign currency denominated transaction will vary with changes in exchange rates during the life of the transaction. Transaction exposure arises when a business has foreign currency denominated receipts or payments. The risk here is an adverse movement of the exchange rate from the time the transaction is budgeted till the time the exposure is extinguished by sale or purchase of foreign currency. Translation Exposure is also called "accounting exposure" concerns the past. It arises from the need to "translate" foreign currency assets or liabilities into the home currency for the purpose of finalizing the accounts for any given period. It can thus be defined as the risk which will alter the domestic currency value of assets and liabilities in the balance sheet, which arise when translated at foreign exchange rates, resulting in a reported gain or loss.

164

Risk Management in Indian Banks

Economic Exposure: While transaction and translation exposures are accounting concepts and can affect the bottom line directly, economic exposure is more a managerial concept. It can be defined as a change in future earning power and cash flow as a result of adjustment of the currencies. It thus represents a change in competitive position. Economic exposure to an exchange rate is the risk that the change in exchange rates is likely to affect the company's competitive position in the market and hence indirectly its profits.

6.8.2 TypES of FOREiGN ExdiANGE Risks Banks dealing in foreign exchange markets face following types of risk: • Exchange Risk on Open and Mismatched Position: Banks or Authorized Dealers dealing in the foreign exchange market, in the course of their dealings with exporters; importers and others, buy and sell currencies and build up open positions in various currencies in which these transactions are denominated. An open position arises when a bank buys or sells currency outright and does not square it up by undertaking an offsetting opposite transaction.

Open currency positions are created by banks through merchant operations or cover operations as they are referred to, and proprietary trading or trading operations. When the assets which would include outstanding purchase contracts, exceed the liabilities including outstanding sales contracts, a long or "overbought" position is created in that currency. Movement in the exchange rates affect the open currency positions. • Gap Risk: These are risks owing to adverse movements in implied interest rates or actual interest rate differentials arising through transactions involving foreign currency deposits, forward contracts, currency swaps, forward rate agreements and through other currency and interest rate derivatives.

Bank not only buys and sells currencies for spot value (delivery after two business days) but also for deliveries extending beyond spot dates. i.e. forward value dates. At times, purchase and sales of a currency for a particular forward value date may not match, which is referred to as a Gap or mismatch between foreign currency assets & liabilities. Gap risk arises in such cases. The maturity spread of a bank's assets and liabilities may differ i.e. the assets and contracts to purchase a currency may mature in advance of liabilities and contracts to sell that currency or vice versa. Such maturity gaps arise in the normal course of business and some mismatching of maturities in general is unavoidable. At, times banks create deliberate gaps as a trading strategy. Losses from mismatched securities generally arise because of adverse movements in interest rates or because of adverse movement in forward margins in local market. Forward differentials are a function of interest rate differentials between the currencies and in a fully integrated financial market, interest rate differential determines the forward premia or discount. Any movement in interest rates of the currencies will effect forward differentials, which in turn will affect cash flows underlying open gaps or mismatches. The Exchange Risk or Price Risk ariSing out of open short or long position can be contained by the top management within manageable limits by fixing limits on intra-day open positions in each currency, limits on overnight open positions in each currency and a limit on aggregate open positions for all currencies taken together, which would be lower than the total of the currency-wise limits. Generally, the above limits are referred to as Daylight limit, Overnight limits and aggregate limits. Daylight limit as the term suggests is the limit on the intra day open position given to the dealer by the bank's management for dealing during a dealing day or business hours. Daylight limits should be large enough to cover merchant transactions but should not be too large to provide scope for the dealers to speculate. Overnight limits define the size of the authorized open position at the close of business hours when the foreign exchange market is closed. The aggregate limit ensures that long

Market Risk

165

and short positions in vari()lls currencies do not result in excessive exposures. The size of these limits is usually definec by the top management in as policy document taking into account the risk perception of the mardgement, size of merchant/trading volume, average size of transactions, liquidity and depth of rnarket etc. The basic difference between the daylight and overnight limit is usually the day light limits are higher than the overnight limits, the underlying logic being during the day the dealers are active and have access to the markets and thus depending upon the movement of the exchange rates they can exercise effective control and cover open positions by undertaking an offsetting deal in the market. Overnight limits on the other hand are fixed to the minimum possible keeping in view the overall open limit prescribed by the regulatory authorities, size of transactions in the pipeline etc. Gap risks arising out of open gaps can be contained within manageable limits by fixing suitable gap limits. To ensure that there is no unreasonable mismatch in positions, gap limits may be fixed for each currency, for each forward month. Usually two types of gap limits are fixed-Individual gap limit (IGL) and aggregate gap limit (AGL). IGL is the limit which defines net overbought or oversold position for a particular month or forward delivery date/ period for an individual currency, whereas AGL is the aggregate of IGLs for all the months or forward periods taken together ignoring the signs i.e. overbought (+) and oversold (-). The size of gap limits is usually linked to a certain percentage of the net worth of bank, as all losses arising out of foreign currency operations will have to be met out of the owned funds of the bank. The overall size of the gap limit is a function of a number of factors like merchant and trading turnover, size of overdue export bills purchased/discounted/negotiated, size of FCNR portfolio etc. Besides these factors, while fixing the gap limits the liquidity and availability of quotes in the forward market should also be kept in view.

Regulatory Prescription The Reserve Bank has prescribed guidelines for foreign exchange exposure limits of Banks in it's A.P (DIR Series) Circular No. 19 on "Risk management and Inter-Bank Dealings" addressed to all Authorized Dealers in Foreign Exchange. As per the guidelines, calculation of the overall Net Open Position would involve measurement of risks inherent in a bank's mix of long and snort position in different currencies. Banks have been advised to adopt the "shorthand method" which is accepted internationally for arriving at the overall net open position. Banks have also been advised to calculate the overall net open position as follows: (i) Calculate the net open position in each currency (ii) Convert the net position into rupees at the FEDAI indicative spot rates for the day. (iii) Arrive at the sum of all the net short positions (iv) Arrive at the sum of all the net long positions. Overall net foreign exchange position is higher of (iii) and (iv). The overall net foreign exchange position arrived at as above must be kept within the limit approved by the Reserve Bank. In respect of Position and Gaps, the overnight open exchange position and the aggregate gap limits are required to be approved by the Reserve Bank.

Credit Risk Credit risk arises when a counterpart to a foreign exchange transaction is unable or unwilling to meet his obligation under th') contract. A foreign exchange transaction is confirmed by a contract,

166

Risk Management in Indian Banks

which stipulates that on a specific date, both parties to the contract will deliver to each other, specific amounts of currency, in a designated bank for the account of a specific beneficiary. The risk here is that one counter party may not be able to execute his side of the contract before the due date or is unable to execute his side of the contract on the due date. Failure of execution may arise because the defaulting party is unable to pay. There are two elements of risk associated with foreign exchange contracts, one in the pre-settlement risk, which is the risk of loss due to counter party defaulting on a contract during the life of a transaction. This is also referred to as the Replacement cost, which can be defined as the cost of replacing the contract. The level of this exposure varies through the life of the product and is known with certainty only at the time of default.

Settlement Risk, is the risk of loss arising when a bank performs on its obligation under a contract before the counter party does so. This arises when the defaulting counter party has received settlement payment, but has yet to make the requisite counter payment in foreign currency. This kind of risk is very frequent in international transactions because of time-zone differences. Settlement Risk is also referred to as Herstatt or Time-zone Risk named after the 1974 failure of the Bankhaus Herstatt, a bank in West Germany. In the case of Bankhaus Herstatt, several banks suffered losses under contracts, which matured on the day the bank's operations were shut down by the Bundesbank the German central bank. The closure of the bank was after closure of business hours in Germany but before the business day had opened in New York. The banks, which had sold German marks to Bank Herstatt against dollars, could not get their dollars in New York. Credit Risk can be managed through fixing of counter party limits, appropriate measurement of exposures, ongoing credit evaluation and monitoring and following sound operating procedures. As a me'asure for controlling credit risks, banks generally fix limits for each customer/authorized dealer/overseas bank with whom exchange deals are made/to be made. These limits are also to be reviewed periodically.

Country Risk Dealing in foreign currencies with banks domiciled outside India involves country risk. It may be broadly defined as that uncertainty which is created where a foreign entity, private or sovereign may be unwilling or unable to fulfil its foreign obligation for different reasons like a sovereign entity's immunity from legal process in which case the lender has no legal recourse against the entity who fails to perform on the contractual obligation. A possible change in the government or policies of the government 'could also be responsible for invalidating any previous contract. Country risk can be mitigated to some extent by fixing country limits. It is also necessary to monitor developments in the countries, especially those in the high-risk category periodically. Generally, no corporate or bank, private or sovereign can have a higher rating than the country in which it operates.

Operating Risks These are risks arising out of failure and lack of internal controls, human error, frauds etc. Reserve Bank had come out with comprehensive guidelines in December 1996 for internal control over foreign exchange business. These guidelines cover all aspects relating to risk controls and management of various risks in foreign exchange business. The guidelines also cover aspects relating to dealing through exchange brokers, evaluation of foreign exchange profits and losses, reconciliation of nostro balances, management of risks in vostro account, control over miscellaneous aspects of dealing operations and auditing. These guidelines are very useful in understanding the risk control measures for managing various risks arising in foreign exchange transactions. FEDAI had also way back in 1985 evolved a code of conduct for bank dealers and brokers in the inter-bank market which is followed by banks till date.

Market Risk

167

Legal Risks Legal risk arises from the legal enforceability of contracts. It is thus important that banks and corporates understand these risks and protect themselves. The best way to do this Would be to insist on exchange of internationally accepted Master Agreements between the parties like ISDA and supported with other relevant documentation.

Value at Risk Value at Risk or (VaR) as it is popularly known is a risk measurement concept for measurement of market risks. It is defined as an estimate of potential loss in a position or uset or portfolio of assets over a given holding period at a given level of certainty. VaR a based on a number of statistical concepts such as mean, standard deviation, normal distribution, level of confidence, volatility etc. The BIS has accepted VaR as a tool for measuring market risks, subject to the same being approved by banks' supervisory authorities. VaR has its uses as a valid tool for setting limits on a dynamic basis by banks, as currently, market risk in foreign exchange is controlled by using limits like daylight, overnight and gap limits. These limits are fixed for a period of time and do not take into account the potential losses these limits may result in. VaR can be used as the basis of a limits system, so that necessary action can be taken when VaR exceeds as predefined VaR can act as a common denominator across various markets. As these limits under VaR would represent a reasonable estimate of how much could be lost, it would be more meaningful from the management's point of view. VaR limits can be set up at various levels starting from an individual trader to the entire portfolio of the organization. Presently, FEDAI has evolved a VaR model for the authorized dealers, which is essentially a very simple model covering only USDIINR limited to three maturities up to six months. No back testing is done by FEDAI and it is estimated on the basis of volatility data of the last 251 days. FEDAI proposes to introduce a more advanced model with wider coverage of currencies with provision of back testing covering latest 500 days data. The banks are also exposed to interest rate risk, which arises from the maturity mismatching offoreign currency positions. Even in cases where spot and forward positions in individual currencies are balanced, the maturity pattern of forward transactions may produce mismatches. As a result, banks may suffer losses as a result of changes in premia/discounts of currencies concerned.

6.8.}

FOREX

Risk

MANAGEMENT MEASURES

Following measures can be taken for management of Forex risk: •

Set appropriate limits - open positions and gaps.

•

Clear-cut and well-defined division of responsibility between front, middle and back offices.

•

Adoption of VaR approach to measure risk associated with exposures.

Foreign Exchange Risk As has been mentioned herein above Foreign Exchange Risk can be defined as the variance of the domestic currency value of an asset, liability or operating income that is attributable to unanticipated changes in the exchange rates. Simply put, it is the risk that relates to the gains/ losses that arise due to fluctuations in the exchange rates. All assets and liabilities that are denominated in foreign currency are exposed to foreign exchange risks. An appreciation or a depreciation in the exchange rate will lead to a change in the value of all those assets or liabilities

168

Risk Management in Indian Banks

that are denominated in foreign currency. An appreciation in the domestic currency will decrease the value of assets and the liabilities, while depreciation in the domestic currency will enhance the value of assets and liabilities. Such risks cannot be managed directly and therefore, to manage FOREX risk banks can adopt techniques of setting levels of exposures to sustain the risks that might arise due to exchange rate fluctuations and by adopting hedging techniques. Banks can set exposures in the following areas: •

Net open exchange position representing the maximum open position outstanding at any point of the day depending upon risk appetite, size of the transactions handled and capital base of banks.

•

Daylight limit and overnight limit indicating the extent to which any currency will be long or short and the period for which the position may be held. The limits should be fixed for each currency individually. While daylight limits are advisory in nature and are required to be monitored during business hours, overnight limits are essential as the same are required to be held outside business hours. Because of the possibility of having more control over the open position during business hours, daylight limits are always more than the overnight limits. The daylight limits should allow for greater exposure constantly and undertake market operations to maximize the return on the exchange position. The overnight position has to be necessarily smaller, since the exposure allowed is prone to greater risks as the same remains unattended during the non-business hours till the opening of next trading day.

•

Gap risks on mismatch maturity limits.

These limits control exposure for mismatch in maturity dates and are basically guided by asset liability management principle. Since forex gaps are a function of swap differences, which are nothing but interest rate differential, the gap risks are risks due to adverse movements in interest rates or interest rate differentials. These may include transactions involving foreign currency deposits, forward contracts, currency swaps, FRAs. Options and other currency and interest rate derivatives. Gaps may arise due to various factors such as: (i) Mismatch in assets and liabilities due to different maturity dates; (ii) Non-availability of exact cover for merchant forwards; (iii) Uncertainty with merchant transactions due to early/delayed realizations of exports proceeds; (iv) Option period available to merchant for delivery of merchant forwards in an Indian scenario; (v) Gaps created by dealers to take cover at a later stage/date and thereby try to gain on swap difference; (vi) Banks trading in gaps i.e. swap difference with a view to reverse the position when the market moves in their favour. Control of gaps is usually made on monthly intervals by netting the assets and liabilities (inflows and outflows) during the particular month which ultimately shows individual gap for the particular month. The total of all individual gaps for different months shows the aggregate gap that the bank carries for that currency. The IGL of a currency depends upon the size of transactions handled in the currency, the maturity pattern and depth of the market along with market lots. AGL depends upon the volume of business in the currency. The IGL and AGL are normally fixed separately for major currencies having large volumes. The same may be clubbed as a single limit for other miscellaneous currencies.

Market Risk

169

•

Dealer-wise limits are the level of authorization given to particular dealers in the bank authorized to undertake deals on behalf of the bank. The limits may be fixed for merchanU trading operations and inter-bank operations. The daylight limits may be bifurcated among dealers suitably and for any crossover higher level of authority be suitably authorized.

•

Interbank limits: These limits are necessary to cover credit risks arising due to failure of a counter party to a foreign exchange contracUtransaction to honour the commitment. Inter-bank limits are required for covering merchant transactions, management of funds in NOSTRO accounts, management of FC funds, undertaking arbitrage operations and trading positions, such limits are necessary to contain exchange credit risk and settlement risk. Settlement risk is also known as a clean risk. Though the settlement of currencies for any foreign exchange deal is to be done on same value date but the time zone difference between different centers could result in one currency being paid before the other is received. The failure of a counter party after receipt of currency, but before payment could result in settlement risk which needs to be monitored on the basis of settlements due on a particular day by way of settlement risk limits.

•

Deal size limit may be fixed to limit the contract risk as well as any operational risks involved in the settlements. Such limits may be fixed for outright deals as well as swaps. Limits for swaps are generally higher due to requirements for undertaking arbitrage deals.

•

VaR limit may be fixed to keep control on value at risk at any particular point of time and is very important in risk management process.

To control risks internal and external techniques can be applied by firms dealing in foreign currencies, some of which may also be useful for banks in controlling the risks. Such techniques may include the following:

Internal Techniques Internal techniques of exposure management are part of a bank's own financial management and do not warrant any special agreement with any other company or agency in order to manage currency exposure e.g.

1. Netting: Netting is a method adopted wherein a asset in a foreign currency is used to pay-up a liability in a foreign currency so that there is no need for conversion. For example, if an exporter has a receivable denominated in US dollars and also a payable denominated in the same currency then the inflow on account of the receivable can be used for payment. Netting presupposes a simultaneous occurrence of inflows and outflows in the same currency and for the same amount. However, these conditions are not likely to be fulfilled in real life. An exporter may deposit foreign currency receipts in an EEFC account and use it later to pay for an import. If a bank has a FCNR deposit maturing along with a later to pay for foreign currency denominated loan, then netting the loan can take place. Similarly, if a purchases an export bill and effects payments for an import the need to take cover is only for the net amount. 2. Leading and Lagging: As normally it is not possible to ensure inflows and outflows materializing at the same time and in the same currency because the transactions are subjected to different terms and conditions. If these transactions materialize according to their tenor, they occur at different points of time and if each of them is dealt separately, it will involve as many conversions as the number of transactions. Each conversion provides scope for exchange risk and to avoid exchange risks it may be considered to delay or to advance a cash flow to that it matches with another cash flow in the opposite direction. The techniques of leading and lagging become handy

170

Risk Management in Indian Banks

for the purpose of such matching. Leading means making a flow occur earlier than the due date while lagging means delaying the flow beyond the due date. To the extent such matching is possible, the need for conversion is eliminated and so also the exchange risk. 3. Invoicing: Exchange risk can be avoided if ao invoice is made in domestic currency thereby avoiding the need for conversion. However, this does not normally happen since both parties are interested in denominating the invoice in a currency that is strong and not very volatile. If someone is able to avoid exchange risk by invoicing, it is more an exception than rule.

External Techniques Under these techniques a hedger undertakes a transaction consequent to which a part or whole of the exchange risk is transferred to others. There are many tools available that can be used, either independently or in combination e.g. 1. Forward Contracts: It is an agreement to buy or sell foreign exchange for a pre-determined amount, at a pre-determind rate, and on a pre-determined date. These contracts are over the counter firms the products that are entered into depending on the need of a hedger. For firms the counterparty happens to be a banker and hence a bank acquires transaction exposure through such contracts. The bank, normally, in turn, covers its position by entering into a forward contract with other bank. This does not involve any cash flow at the time of entering into a contract and the actual cash flow takes place on the date of delivery. The forward rate of a currency can be at a premium or discount reflecting the interest rate differential of the respective currencies. 2. Currency Futures: The difference between forward contracts and currency futures is that the forward contracts are OTC products and do not have secondary market for transfer. The exit route available in case of forward contract is by way of cancellation of the same. On the other hand currency futures are traded on exchanges as per the guidelines of the exchanges. Currency futures are of standard size, standard maturity date etc. and it is easier to exit from a futures contract by simply selling on the exchange at the prevailing prices. 3. Currency Options: The currency options contract gives the buyer of the option a right without an obligation to buy or sell foreign currency at a pre-determined price on a specified future date. The contract, which gives the right to buy, is known as a call option and the contract, which gives the right to sell, is known as a put option. Correspondingly, the seller of an option (also known as the writer of the option) acquires an obligation to sell (in case of a call option) or to buy (in case of a put option) for which buyer of an option pays a premium to the seller. Options are also traded on exchanges and hence have standard sizes, maturity dates, guidelines stipulated by the exchanges for settlement and payment. 4. Currency Swaps: Under a currency swap the parties agree to exchange a series of cash flow over the life of a swap depending upon the future outlook about the currencies concerned.

6.9 MANAGEMENT of EQuiTY PRiCE Risk Changes in the equity prices can result in losses to the bank holding an equity portfolio. In India banks are not allowed to sell any security without actually holding the same. Consequently, banks cannot have any short positions. Reserve Bank of India has issued detailed guidelines on banks' exposure to equity market. The banks are free to acquire shares, convertible debentures of corporates and units of equity oriented mutual funds, subject to a ceiling of 5 per cent of the bank's total outstanding domestic

Market Risk

171

credit (excluding inter-bank lending and advances outside India) as on March 31 of the previous year. A bank's Board of Directors is free to adopt a lower ceiling for the bank, keeping in view its overall risk profile. Banks may make investment in shares directly taking into account the in-house expertise available within the bank as per the investment policy approved by the Board of Directors subject to the risk management and internal control guidelines of RBI. Banks may also make investment in units of UTI and SEBI approved other diversified mutual funds, with good track records, as per the investment policy approved by the Board of Directors. Banks should make investment in specific schemes of mutual funds/UTI and not place funds with mutual funds/UTI for investment in the capital market on their behalf. Underwriting commitments taken up by the banks in respect of primary issues through book building route would also be within the above overall ceiling. Investment in shares and debentures/bonds should be reckoned for the purpose of arriving at the prudential norm of single borrower and borrower-group exposure ceilings.

Equity Risk Management Banks desirous of making investments in equity shares, etc. within the above ceiling and financing of equities, should observe the following guidelines:

(a) Build up adequate expertise in equity research by establishing a dedicated equity research department, as warranted by their scale of operation. (b) Formulate a transparent policy and procedure for investment in shares, etc. (e) The decision in regard to individual investments in shares, etc. should be taken by the investment committee set up by the bank. The Investment Committee should be held accountable for the investments made by the banks. (d) Bank should review on an ongoing basis, their investment in shares with a view to assessing the risks due to volatility in asset prices. (e) As a prudential measure, a bank's exposure to investment in equities whose prices are subject to volatility (e.g. shares, convertible debentures and units of equity-oriented mutual funds) should not normally exceed 20 per cent of its net worth. (f)

The Boards of banks should lay down a prudential ceiling on the bank's total exposure to capital market, keeping in view its overall risk profile. Accordingly, in addition to the ceiling of 5 per cent on investments prescribed above, Board of Directors of banks should also fix an overall ceiling on advances against shares, i.e. financing of IPOs, advances to individuals and share brokers and market makers, issue of guarantees on behalf of brokers, advances to corporates to meet promoters' contribution, etc.

The following may be excluded for reckoning the bank's aggregate exposure by way of finanCing of equities: •

Advances against collateral security of shares

•

Advances to individuals for personal purposes like education, housing, consumption, etc., against the security of shares.

Banks should mark to market their investment portfolio in equities like other investments as per the valuation norms indicated in RBI circular DBOD.No.BP.BC.32/21.0~i:048/ 2000-2001 dated 16th October 2000. Further, banks should disclose the total investments made in shares, convertible debentures and units of equity-oriented mutual funds as also aggregate advances against shares etc., in the 'Notes of Accounts' to their balance sheets, beginning from the year ending March, 2001.

172

Risk Management in Indian Banks

6.10 MANAGEMENT of COMMOdiTY PRicE Risk A commodity is defined as a physical product which is or can be traded on a secondary market, e.g. agricultural products, minerals, oil and precious metals (excluding gold, which is treated as foreign currency as per Basel Committee norms). In India banks have very little direct exposure to commodities either in their banking or trading books. The Price Risk in commodities is often more complex and volatile than that associated with currencies and interest rates. Commodity markets may also be less liquid and as a result changes in supply and demand conditions can make the market volatile making effective hedging of the commodities risk rather difficult. Banks in developed markets use derivatives to hedge commodity price risk. However, this exposes them to additional risks such as "basis risk" (the risk that the relationship between the prices of similar commodities alter through time). Interest rate risks (the risk of a change in the cost of for forward position) and forward gap risks (the risk that the forward price may change for reasons other than a change in interest rates). As and when Indian banks get exposed to commodity price risk they will have to acquire the skills to manage these complex risks also.

6.11 MEASUREMENT of MARkET Risk - VAluE AT Risk (VAR) ANd STRESS TESTiNG TEdfNiQUES Definition: VaR is defined as an estimate of potential loss in a position or asset/liability or portfolio of assets/liabilities over a given holding period at a given level of certainty.

VaR measures risk. Risk is defined as the probability of the unexpected happening-the probability of suffering a loss. VaR is an estimate of the loss likely to suffer, not the actual loss. The actual loss may be different from the estimate. It measures potential loss, not potential gain. Risk management tools measure potential loss as risk has been defined as the probability of suffering a loss. VaR measures the probability of loss for a given time period over which the position is held. The given time period could be one day or a few days or a few weeks or a year. VaR will change if the holding period of the position changes. The holding period for an instrument/position will depend on liquidity of the instrument/market. With the help of VaR, we can say with varying degrees of certainty that the potential loss will not exceed a certain amount. This means that VaR will change with different levels of certainty. The Bank for International Settlements (BIS) has accepted VaR as a measurement of market risks and provision of capital adequacy for market risks, subject to approval by banks' supervisory authorities.

VaR Methodologies VAR can be arrived as the expected loss on a position from an adverse movement in identified market risk parameter(s) with a specified probability over a nominated period of time. Volatility in financial markets is usually calculated as the standard deviation of the percentage changes in the relevant asset price over a specified asset period. The volatility for calculation of VaR is usually specified as the standard deviation of the percentage change in the risk factor over the relevant risk horizon.

There are three main approaches to calculating value-at-risk: the correlation method, also known as the variance/covariance matrix method; historical simulation and Monte Carlo simulation. All three methods require a statement of three basic parameters: holding period, confidence interval and the historical time horizon over which the asset prices are observed.

Market Risk

173

Under the correlation method, the change in the value of the position is calculated by combining the sensitivity of each component to price changes in the underlying asset(s), with a variance/covariance matrix of the various components' volatilities and correlation. It is a deterministic approach. The historical simulation approach calculates the change in the value of a position using the actual historical movements of the underlying asset(s), but starting from the current value of the asset. It does not need a variance/covariance matrix. The length of the historical period chosen does impact the results because if the period is too short, It may not capture the full variety of events and relationships between the various assets and within each asset class, and if it is too long, may be too stale to predict the future. The advantage of this method is that it does not require the user to make any explicit assumptions about correlations and the dynamics of the risk factors because the simulation follows every historical move. The Monte Carlo simulation method calculates the change in the value of a portfolio using a sample of randomly generated price scenarios. Here the user has to make certain assumptions about market structures, correlations between risk factors and the volatility of these factors. He is essentially imposing his views and experience as opposed to the naive approach of the historical simulation method. At the heart of all three methods is the model. The closer the models fit economic reality, the more accurate the estimated VAR numbers and therefore the better they will be at predicting the true VAR of the firm. There is no guarantee that the numbers returned by each VAR method will be anywhere near each other.

Other uses of VaR VaR is used as a MIS tool in the trading portfolio to 'slice and slice' risk by levels/ products/ geographic/level of organization etc. It is also used to set risk limits. In its strategic perspective, VaR is used to decisions as to what business to do and what not to do. However VaR as a useful MIS tool has to be "back tested" by comparing each day's VaR with actual and necessary reexamination of assumptions needs to be made so as to be close to reality. VaR, therefore, cannot substitute sound management judgment, internal control and other complementary methods. It is used to measure and manage market risks in trading portfoliO and investment portfolio.

Estimating Volatility VaR uses past data to compute volatility. Different methods are employed to estimate volatility. One is arithmetic moving average from historical time series data. The other is the exponential moving average method. In the exponential moving average method, the volatility estimates rises faster to shocks and declines gradually. Further, different banks like different number of days of past data to estimate volatility. Volatility also does not capture unexpected events (called "event risk"). All these complicate the estimation of volatility. VaR should be used in combination with Back Testing and "stress testing" to take care of event risks. Stress test takes into account the worst case scenario.

Back Testing Back Test is a process where model based VaR is compared with the actual performance of the portfolio. This is carried out for evaluating a new model or to assess the accuracy of the existing models.

174

Risk Management in Indian Banks

Back testing for evaluating a new model requires comparison with actual performance on a continuous basis for a given period. Assessment of accuracy of an existing model needs back test on a regular basis. Bank should generally back test risk models at a regular periodic interval'i.e. monthly/quarterly to verify accuracy. The purpose is to verify whether trading results fall within the pre-specified bands as predicted by the VaR models. If the models perform poorly they should probe further to find the cause (e.g. integrity of market data, model parameters, methodology, etc.)

Stress Testing and Value at Risk "Stress testing" has been adopted as a generic term describing various techniques used by banks to gauge their potential vulnerability to exceptional, but plausible, events. Stress testing addresses the large moves in key market variables of that kind that lie beyond day-to-day risk monitoring but that could potentially occur. The process of stress testing, therefore, involves first identifying these potential movements, including which market variables to stress, how much to stress them by, and what time frame to run the stress analysis over. Once these market movements and underlying assumptions are decided upon, shocks are applied to the portfolio. Revaluing the portfolios allows one to see what the effect of a particular market movement has on the value of the portfolio and the overall Profit and Loss. Stress test reports can be constructed that summarise the effects of different shocks of different magnitudes. Normally, then there is some kind of reporting procedure and follow up with traders and management to determine whether any action need to be taken in response. Stress tests supplement value-at-risk (VaR). VaR is thought to be a critical tool for tracking the riskiness of a firm's portfolio on a day-to-day level, and for assessing the risk-adjusted performance of individual business units. However, VaR has been found to be of limited use in measuring firms' exposures to extreme market events. This is because, by definition, such events occur too rarely to be captured by empirically driven statistical models. Furthermore, observed correlation patterns between various financial prices (and thus the correlations that would be estimated using data from ordinary times) tend to change when the price movements themselves are large. Stress tests offer a way of measuring and monitoring the portfolio consequences of extreme price movements of this type. Stress Testing Techniques: Stress testing covers many different techniques. The four discussed here are listed in the Table below along with the information typically referred to as the "result" of that type of a stress test.

Stress Testing Techniques Technique

What is the "stress test result"

Simple Sensitivity Test

Change in portfolio value for one or more shocks to a single risk factor

Scenario Analysis

Change in portfolio value if the scenario were to occur

(hypothetical or historical) Maximum loss

Sum of individual trading units' worst-case scenarios

Extreme value theory

Probability distribution of extreme losses

Market Risk

175

A Simple sensitivity test isolates the short-term impact on a portfolio's value of a series of predefined moves in a particular market risk factor. For example, if the risk factor were an exchange rate, the shocks might be exchange rate changes of ± 2 per cent, 4 per cent, and 10 per cent. A scenario analysis specifies the shocks that might plausibly affect a number of market risk factors simultaneously if an extreme, but possible, event occurs. It seeks to assess the potential consequences for a firm of an extreme, but possible, state of the world. A scenario analysis can be based on an historical event or a hypothetical event. Historical scenarios employ shocks that occurred in specific historical episodes. Hypothetical scenarios use a structure of shocks thought to be plausible in some crseable, but unlikely circumstances for which there is no exact parallel in recent history. Scenario analysis is currently the leading stress testing technique. A maximum loss approach assesses the riskiness of a business unit's portfolio by identifying the most potentially damaging combination of moves of market risk factors. Interviewed risk managers who use such "maximum loss" approaches find the output of such exercises to be instructive but they tend not to rely on the results of such exercises in the setting of exposure limits in any systematic manner, an implicit recognition of the arbitrary character of the combination of shocks captured by such a measure. Extreme value theory (EVT) is a means to better capture the risk of loss in extreme, but possible, circumstances. EVT is the statistical theory on the behaviour of the "tails" (i.e., the very high and low potential values) of probability distributions. Because it focuses only on the tail of a probability distribution, the method can be more flexible. For example, it can accommodate skewed and fat-tailed distributions. A problem with the extreme value approach is adapting it to a situation where many risk factors drive the underlying return distribution. Moreover, the usually unstated assumption that extreme events are not correlated through time is questionable. Despite these drawbacks, EVT is notable for being the only stress test technique that attempts to attach a probability to stress test results. Prerequisites of a good stress test and role of risk managers A good stress test should be relevant to the current position consider changes in all relevant market rates examine potential regime shifts (whether the current risk parameters will hold or break down) spur discussion consider market illiquidity, and consider the interplay of market and credit risk. Stress tests produce information summarizing the bank's exposure to extreme, but? circumstances. The role of risk managers in the bank should be assembling and summarizing information to enable senior management to understand the strategic relationship between the firm's risk-taking (such as the extent and character of financial? employed) and risk appetite. Typically, the results of a small number of stress scenarios should be computed on a regular basis and monitored over time. Some of the specific ways stress tests are used to influence decision-making are to:

176

Risk Management in Indian Banks

manage funding risk provide a check on modelling assumptions set limits for traders determine capital charges on trading desks' positions.

Limitations of Stress Tests Stress testing can appear to be a straightforward technique. In practice, however, stress tests are often neither transparent nor straightforward. They are based on a large number of practitioner choices as to what risk factors to stress, how to combine factors stressed, what range of values to consider, and what time frame to analyse. Even after such choices are made, a risk manager is faced with the considerable tasks of sifting through results and identifying what implications, if any, the stress test results might have for how the bank should manage its risk-taking activities. A well-understood limitation of stress testing is that there are no probabilities attached to the outcomes. Stress tests help answer the question "How much could be lost?" The lack of probability measures exacerbates the issue of transparency and the seeming arbitrariness of stress test design. Systems incompatibilities across business units make frequent stress testing costly for some banks, reflecting the limited role that stress testing had played in influencing the bank's prior investments in information technology.

6. 12 CoNclusiON Although credit risk management has remained the primary challenge for banks but with progressive deregulation, market risk arising from adverse changes in market variables, such as interest rate, foreign exchange rate, equity price and commodity price has become relatively more important as a small change in market variables may cause substantial changes in income and economic value of banks. Intense competition, both in assets and liabilities markets, falling spreads, changing regulatory enviromnent etc. are forcing banks to have adequate capital for the risks taken and shareholders' dynamism and activism are leading to adopt risk adjusted performance measures. Heightened market volatility and the introduction of new financial products such as derivatives has made the market risk management a critically important function for the banks today. Market risk is caused not only as a result of a straight forward exposure to a single market position but is also driven by more complex factors such as interplay of two or more market positions, and problems of market structures. As against other risks like credit risks which affect specific banks (owing to bank specific credit decisions), market risks affect the industry as a whole and, therefore, is required to be managed effectively. Considering the importance of Market Risk Management in banks, the Reserve Bank of India has, therefore, vide its circular DBOD. No. BP. 520/21.04.103 /2002-03 dated October 12, 2002 issued to all scheduled commercial banks has circulated Guidance Note on Market Risk Management. The note refers to earlier guidelines on Asset Liability Management and Risk Management System in Banks issued in the year 1999 covering various risks purported to serve as a benchmark to establish integrated risk management system in banks and also the Draft Guidance Note on Market Risk Management issued on March 26, 2002.

177

Market Risk

The Guidance Note issued by the Reserve Bank of India is a comprehensive document in which the Reserve Bank of India has identified further steps, which are required to be taken by banks for upgrading their market risk management systems. The Reserve Bank of India has advised banks that the design of risk management framework should be oriented towards the banks' own requirements dictated by the size and complexity of business, risk philosophy, market perception and the expected level of capital. The systems, procedures and tools prescribed in the Guidance Note are, therefore, only indicative in nature but it is desired that the Risk Management Systems in banks should be adaptable to changes in business size, the market dynamics and the introduction of innovative products by banks in future. As per the views expressed in the note, with the adoption of the New Accord, banks will require substantial upgradation of the existing market risk management systems and to adopt suitable market risk models to meet the requirements of market risk management. While selecting or developing the model the prevailing conditions and commonly acceptable framework for the banking system as a whole need to be kept in view. As lack of availability of proper MIS/representative data is one of the main problems, suitable models for collection and analysis of data will also have to be developed. Banks may adopt any model depending on their size, complexity, risk bearing capacity and risk apetide etc. The Guidance Note, which is divided in 6 chapters, covers various aspects of market risk management in banks in details.

ANNEXURE -I Name of the Bank: Satement of Structural Liquidity as on: (Amounts in Crores of Rupees)

RESIDUAL MATURITY OUTFLOWS

1 to 14 15 to 28 29 days days

days

and up to

3 months

1.

Capital

2.

Reserves & Surplus

3.

Deposits (i) Current Deposits (ii) Savings Bank Deposits (iii) Term Deposits (iv) Certificates of Deposit

XXX

XXX

XXX

Over

Over

3

6

months months and upto

and upto

6

1

months

years

xxx

xxx

Over

Over

Over

1

3

5

year and

year

years

upto

upto

3

5

Total

years years

XXX

XXX

XXX

XXX

178

Risk Management in Indian Banks

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

12. Interest payable

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX XXX

XXX

13. Others (specify)

XXX XXX

XXX

XXX

4.

Borrowings (i) Call and Short Notice (ii) Inter-Bank (Term) (iii) Refinances (iv) Others (Specify)

5.

Other Liabilities & Provisions

(i) Bills Payable (ii) Inter-office Adjustment (iii) Provisions (iv) Others

.6.

Lines of Credit committed to (i) Institutions (ii) Customers

7.

Unavailed portion of Cash Credit! Overdraft/Demand Loan componet of Working Capital

8.

Letters of Credit! Guarantees

9.

Repos

10. Bills Rediscounted (DUPN)

11. Swaps (Buy/Sell)/ maturing forwards

14. TOTAL OUTFLOWS

179

Market Risk

OUTFLOWS

1.

Cash

2.

Balances with RBI

3.

Banks with

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

other banks (i) Current Deposits (ii) Money at Call and short notice (iii) Term deposits and other placements

4.

Investments including those under but excluding inerse repos)

5.

Advance (performing) (i) Bills Purchased and discounted (including his under DUPN) (ii) Cash Credits, overdrafts and. Loans payable on demand (iii) Term Loans

6.

NPAs (Advances and investments)*

7.

Fixed Assets

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

8.

Other Assets

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

(i) Inter-office Adjustment (ii) Leased Assets (iii) Others

9.

Reverse Repos

10. Swaps (Sell/Buy) 11. Bills Rediscounted (DUPN)

Risk Management in Indian Banks

180

12. Others (Specify)

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

B. TOTAL ASSETS C. GAP (B-A) Other Products (Interest Rate) (i)

FRAs

(ii) Swaps (iii) Futures (iv) Options (v) Others D. TOTAL OTHER PRODUCTS E

NEXT GAP (C-D)

F.

CUMULATIVE GAP

G.

EAS % TOA

*Amounts to be shown net of provision, interest suspense and claims received from ECGC/DICGC.

Market Risk

181

ANNEXURE - II Name of the Bank: Satement of Interest Rate Sensitivity as on: (Amounts in Crores of Rupees)

INTEREST RATE SENSITIVITY 1.

Liabilities

1 to 28 29 days

days

1.

Capital

2.

Reserves & Surplus

3.

Deposits (i)

Over

Over

Over

Over

Over

Non-

and

3

6

1

3

5

sensitive

upto

months

months

year

year years

3

and

and

and

upto

months

upto

upto

upto

5

6

1

3

years

months

years

years

Total

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

Current Deposits

(ii) Savings Bank Deposits (iii) Term Deposits (iv) Certificates of Deposit 4.

Borrowings (i)

Call and Short Notice

(ii) Inter-Bank (Term) (iii) Refinances (iv) Others (Specify)

5.

Other Liabilities & Provisions (i)

Bills Payable

(ii) Inter-office Adjustment (iii) Provisions· (iv) Others

Risk Management in Indian Banks

182

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

11. Swaps (Buy/Sell)

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

13. Others (specify)

XXX

XXX XXX

XXX

XXX

XXX

XXX XXX

XXX XXX XXX

XXX

12. Interest payable

XXX XXX XXX

6.

Lines of Credit committed to (i)

Institutions

(ii) Customers

7.

Unavailed portion of Cash Creditl Overdraft/Demand Loan component of Working Capital

8.

Letters of Creditl Guarantees

9.

Repos

10. Bills Rediscounted (DUPN)

14. TOTAL LIABILITIES *Excluding provision for NPAs and investments.

XXX

XXX

183

Market Risk

ASSETS

1.

Cash

2.

Reserves with RBI

3.

Reserves with other

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

banks (i)

Current Deposits

(ii) Money at Call and short notice (iii) Term deposits and other placements

4.

Investments including those under but excluding inerse repos)

5.

Advance (performing) (i)

Bills Purchased and accounted (including his under DUPN)

(ii) Cash Credits, overdrafts and Loans payable on demand (iii) Term Loans

6.

NPAs (Advances and investments)*

7.

Fixed Assets

XXX

8.

Other Assets

XXX

XXX XXX

XXX

XXX

(i)

Inter-office Adjustment

(ii) Leased Assets (iii) Others

9.

Reverse Repos

10. Swaps (Sell/Buy)

184

Risk Management in Indian Banks

11. Bills Rediscounted (DUPN)

12. Others (Specify)

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

XXX

B. TOTAL ASSETS C. GAP (B-A) Other Products (Interest Rate) (i)

FRAs

(ii) Swaps (iii) Futures (iv) Options (v) Others D. TOTAL OTHER PRODUCTS E. NEXT GAP (C-D)

F. CUMULATIVE GAP G. EAS % TO B

*AMOUNTS TO BE SHOWN NET OF PROVISION, INTEREST SUSPENSE AND CLAIMS RECEIVED FROM ECGC/DICGC

Market Risk

185

ANNEXURE - III Name of the Bank: Satement of Short-term Dynamic Liquidity as on .......... . (Amounts in Crores of Rupees) A. OUTFLOWS 1 -14 days

1.

Net increase in loans and advances

2.

Net increase in investments: (i) Approved securities (ii) Money market instruments (other than Treasury bills) (iii) Bonds/Debentures/Shares (iv) Others

3.

Inter-bank obligations

4.

Off-balance sheet items (Repos, swaps, bills discounted, etc.)

5.

Others TOTAL OUTFLOWS B.INFLOWS

1.

Net cash position

2.

Net increase in deposits (less CRR obligations)

3.

Interest on investments

4.

Inter-bank claims

5.

Refinance eligibility (Export credit)

6.

Off-balance sheet items (Reverse repos, swaps, bills discounted etc.)

7.

Others TOTAL INFLOWS C. Mismatch (B - A) D. Cumulative mismatch E. C as a% to total outflows

15 - 28 days

29 - 90 days

186

Risk Management in Indian Banks

APPENDIX - I Maturity Profile -Liquidity Heads of Accounts

Classification into time buckets

A. Outflows 1. Capital Reserves and Surplus

Over 5 years bucket.

2. Demand Deposits (Current and Savings Bank Deposits)

Savings Bank and Current Deposits may be classified into volatile and core portions. Savings Bank (10%) and Current (15%) Deposits are generally withdrawable on demand. This portion may be treated as volatile. While volatile portion can be placed in the first time bucket i.e., 1-14 days, the core portion may be placed in over 1- 3 years bucket. The above classification of Savings Bank and Current Deposits is only a benchmark. Banks which are better equipped to estimate the behavioural pattern, roll-in and roll-out, embedded options, etc. on the basis of past datal empirical studies could classify them in the appropriate buckets, i.e. behavioural maturity instead of contractual maturity, subject to the approval of the Board/ALCO.

3. Term Deposits

Respective maturity buckets. Banks which are better equipped to estimate the behavioural pattern, roll-in and roll-out, embedded -options, etc. on the basis of past datal empirical studies could classify the retail deposits in the appropriate buckets on the basis of behavioural maturity rather than residual maturity. However, the wholesale deposits should be shown under respective maturity buckets.

4. Certificates of Deposit, Borrowings (including Sub-ordinated Debt)

Respective maturity buckets. Where call/put options and Bonds are built into the issue structure of any instrumenUs, the call/put date/s should be reckoned as the maturity date/s and the amount should be shown in the respective time buckets.

B. Other Liabilities and Provisions 1. Bills Payable

The core component which could reasonably be estimated on the basis of past data and behavioural pattern may be shown under over 1-3 years time bucket. The balance amount may be placed in 1-14 days bucket.

2. Inter-office Adjustment

The net credit balance may be shown in 1-14 days bucket.

3. Provisions other than for loan loss and depreciation in investments

Respective buckets depending on the purpose.

Market Risk

187

4. Other Liabilities

Respective maturity buckets. Items not representing cash payables (Le. income received in advance, etc.) may be placed in over 5 years bucket.

5. Export Refinance Availed

Respective maturity buckets of u"nderlying assets.

6.

1-14 days bucket.

Export Refinance - Unavailed

C. Inflows 1. Cash

1-14 days bucket.

2. Balances with RBI

While the excess balance over the required CRRlSLR may be shown under 1-14 days bucket, the Statutory Balances may be distributed amongst various time buckets corresponding to the maturity profile of DTL with a time-lag of 14 days.

3. Balances with other Banks 1. Current Account

(i) Non-withdrawable portion on account of stipulations of minimum balances may be shown under over 1-3 years bucket and the remaining balances may be shown under 1- 14 days bucket.

2. Money at Call and Short Notice, Term Deposits and placements

(ii) Respective maturity buckets.

4. Investments (Net of provisions)* 1. Approved securities

(i) Respective maturity buckets excluding the amount required to be reinvested to maintain SLR corresponding to the DTL profile in various time buckets.

2. Corporate debentures and bonds, PSU bonds, CDs and CPs, Redeemable preference shares, Units of Mutual Funds (close ended), etc.

(ii) Respective maturity buckets. Investments classified as NPAs should be shown under over 3-5 years bucket (sub-standard) or over 5 years bucket (doubtful).

3. Shares/Units of Mutual

(iii) Over 5 years bucket.

Funds (open ended) 4.

Investments in

(iv) Over 5 years bucket.

Subsidiaries/Joint Ventures 5. Securities in the Trading Book

(v) 1-14 days, 15-28 days and 29-90 days according to defeasance periods.

·provisions may be netted from the gross investments provided provisions are held maturity-wise. Otherwise provisions should be shown in over 5 years bucket.

Risk Management in Indian Banks

188

5. Advances (Performing) 1. Bills Purchased and Discounted (including bills under DUPN)

(i) Respective maturity buckets.

2. Cash Credit / Overdraft (including TOD) and Demand Loan component of Working Capital

(ii) Banks should undertake a study of behavioural and seasonal pattern of availments based on outstandings and the core and volatile portion should be identified. While the volatile portion could be shown in the near-term maturity buckets, the core portion may be shown under over 1-3 years bucket.

3. Term Loans

(iii) Interim cash flows may be shown under respective maturity buckets.

6. NPAs (Net of provisions, interest depense and claims received '. from CGC/DICGC)

1. Sub-standard.

(i) Over 3-5 years bucket.

2. Doubtful and Loss

(ii) Over 5 years bucket.

3. Fixed Assets

Over 5 years bucket.

7. Other Assets 1. Inter-office Adjustment

The net debit balance may be shown in 1 -14 days bucket. Intangible assets and assets not representing cash receivables may be shown in over 5 years bucket.

2. Leased Assets

Interim cash flows may be shown under respective maturity buckets.

8. Contingent Liabilities/Lines of Credit committed/available and other Inflows/Outflows

(i)

Lines of Credit committed to from Institutions

(ii) Unavailed portion of Cash CrediU Overdraft Demand loan component of Working Capital limits (outflow)

(i) 1-14 days bucket. (ii) Banks should undertake a study of the behavioural and seasonal pattern of potential availments in the in the accounts and the amounts so arrived at may be shown under relevant maturity buckets upto 12 months.

Market Risk

189

1. Letters of Credit / Guarantees (outflow)

Devolvement of Letters of Credit Guarantees, initially entails cash outflows. Thus, historical trend analysis ought to be conducted on the devolvements and the amounts so arrived at in respect of outstanding Letters of Credit / Guarantees (net of margins) should be distributed various .time buckets. The assests created out of devolvements may be shown under respective maturity buckets on the basis of probable recovery dates.

Bills Rediscounted

Respective maturity buckets.

Swaps INRIUSD, forex forward etc. (outflow/inflow) Interest payable receivable

Respective maturity buckets.

(inflow) - Accrued which are appearing in books on the reporting day

(i)

Liability on account of event cash flows i.e. short fall in CRR balance on reporting Fridays, wage settlement, capital expenditure, etc. which are known to the banks and any other contingency may be shown under respective maturity buckets.

(ii)

All overdue liabilities may be placed in the 1- 14 days bucket.

(iii)

Interest and instalments from advances and investments, which are overdue for less than one month may be placed in over 3-6 months bucket. Further, interest and instalments due (before classification as NPAs) may be placed in over 6-12 months bucket without the grace period of one month if the earlier receivables remain uncollected.

Financing of Gap: In case the negative gap exceeds the prudential limit of 20% of 1-14 days and 15-28 days, the bank may show by way of a foot as to how -It Proposes Lo finance the gap to bring the mismatch the prescribed limits. The gap can be financed from market followings (call term), Bills Rediscounting, Repos, and deployment of foreign currency resources after conversion into rupees (unswapped foreign currency funds) etc.

DOD

OPERATIONAL RISKS

7.1

OPERATiONAl

Risk

MANAGEMENT -

INTRoduCTioN

Operational Risk Management is a new management discipline with the goal of enhancing management performance through early identification and avoidance of business disruption. Its specific focus is on the failing of people, process, systems or external events. Operational risk is defined as any risk that is not categorized as credit or market risk. It is the risk of loss arising from various types of technical or human er~or or failed internal process, legal hurdles, fraud, failure of people and system and from external agencies. In its proposals of January 2001, the Basel Committee defined operational risk as "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. In this definition the exact meaning of "direct or indirect loss" created certain ambiguities/causes of concern and as it was not the intention to cover all indirect losses or opportunity cost in the ambit of operational risk the reference to "direct or indirect loss" was dropped and the Basel Committee has now redefined Operational Risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". This definition is based on the four basic causes / sources of operational risk; •

Internal Processes;

•

People;

•

Systems; and

•

External Events.

Operational risk events are associated with weak links in internal control systems or laxity in complying with the existing internal control procedures. Operational risk involves breakdown in internal controls and corporate governance leading to error, fraud, failure to perform in a timely manner, compromise on the interest of the bank resulting in financial loss. Operational risk is associated with all business lines, more so with business lines high volume, high turnover (transactions/time), high degree of structural change, and/or complex support system. In short, operational risk encompasses virtually all aspects of business process in banks.

191

Operational Risks

In order to mitigate operational risk internal control and internal audit are used as the primary means. Risk education for familiarizing the complex operations at all level of staff can also reduce operational risk. Insurance cover is one of the important mitigators of the operational risk. Putting in place proper corporate governance practices, by itself, would also serve as an effective risk management tool.

7.2 NEEd of OPERATioNAl Risk MANAGEMENT

FOR

BANks iN INdiA

Deregulation and globalisation of financial services, together with the growing sophistication of financial technology, are making the activities of banks and thus their profiles more complex. Evolving banking practices suggest that risks other than credit risks and market risks can be substantial. The main drivers of these risks are: •

Highly Automated Technology -If not controlled, the greater use of more highly automated technology has the potential to transform risks from manual processing errors to system failure risks, as greater reliance is placed on integrated systems.

•

Emergence of E-Commerce - Growth of e-commerce brings with it potential risks (e.g. internal and external fraud and system securities issues).

•

Emergence of banks acting as very large volume service providers creates the need for continual maintenance of high-grade internal controls and back-up systems.

•

Outsourcing - growing use of outsourcing arrangements and the participation in clearing and settlement systems can mitigate some risks but can also present significant other risks to banks.

•

Large-scale acquisitions, mergers, de-mergers and consolidations test the viability of new or newly integrated systems.

•

Banks may engage in risk mitigation techniques (e.g. collateral, derivates, netting arrangements and asset securitization) to optimise their exposure to market risk and credit risk, but which in turn may produce other forms of risk (e.g. legal risk).

These changes have been making the activities of banks more diverse and complex and, as a result, operational risk has become one of the main reasons for several bank failures of recent years. The col/apse of Barings Bank is the best known example and it showed that the ability to manage such risks is becoming more crucial for financial institutions. Growing number of highprofile operational loss events worldwide have led banks and supervisors to increasingly view operational risk management as an inclusive discipline. Management of specific operational risks is not a new practice; it has always been important for banks to try to prevent fraud, maintain the integrity of internal controls, reduce errors in transaction processing, and so on. However, what is . relatively new is the view of operational risk management as a comprehensive practice comparable to the management of credit and market risk. 'Management' of operational risk is taken to mean the 'identification, assessment, monitoring and control/mitigation' of this risk. In view of this, increasing supervisory attention is being focused on the importance of sound operational risk management in banks and to greater prominence of operational risk in banks' internal capital assessment and allocation processes. The Basel Committee on Banking Supervision has prescribed additional charge for operational risk in the New Basel Capital Accord. Operational risk is neither a new risk nor negligible. In fact, it is this form of risk that has resulted in the most severe losses suffered by banks in recent years and, therefore, the first risk that banks must manage, even before they disburse their first loan or execute their first trade is the operational risk.

192

Risk Management in Indian Banks

The idea that operational risk management is a formal discipline with its own managem,ent structure, tools and processes, much like credit or market risk, is, however, new. Financial markets, products, and the technology and techniques used to produce them have undergone a sea change in recent past. Globalization, greater product sophistication and complexity, rapid introduction of new technology and the growth in business and transaction volumes have fuelled the development of operational risk management and are reasons requiring banks to set up and have a proper structure to manage operational risk. The creation of formal operational risk management frameworks has occurred primarily over the past three years.

Present Status Despite the importance of operational risk management banks have not done much in this area. Even for banks that are most actively engaged in this subject, operational risk management is still an innovation rather than a mature capability and therefore industry has not yet fully grasped the consequences of such risks. Nevertheless, the benefits of a sound operational risk management framework should. not be underestimated. Like market and credit risk, quantification of operational risk assists in better allocation of economic capital. When this is linked with the strategic planning process it will increase a bank's shareholder value and enable a bank to put itself ahead of the competition. Managing operational risk is becoming an important feature of sound risk management practice in modern financial markets in the wake of phenomenal increase in the volume of transactions, high degree of structural changes and complex support systems. The Basel Committee on Banking Supervision has, initiated work related to operational risk in the year 1998. The committee issued a consultative document on operational risk in January 2001 for comments by the industry. The object and the scope of the consultative paper was to enhance operational risk assessment efforts by encouraging the industry to develop methodologies and collect data related to managing (measuring, monitoring & mitigating) operational risk. In framing the consultative paper on operational risk the Basel Committee adopted definition as "the risk of direct or indirect loss resufting from inadequate or failed internal processes, people and systems or from external events. "This definition though focuses on the causes of operational risk but the committee believes that the definition may be appropriate for risk management and measurement. With a view to study Operational Risk in major banks, a working group was set by Basel Committee who after interview with 30 major banks from various member countries have arrived at following findings about Operational Risks: •

Awareness of Operational Risk among bank boards and senior management is increasing;

•

Awareness of Operational Risk as a separate risk category is relatively recent. Many banks are in the early stages of developing an Operational Risk Measurement and Monitoring framework;

•

Many banks have identified significant conceptual issues and data needs which would need to be addressed to develop general measures of Operational Risk;

•

Unlike Market and Credit Risk, the risk factors in Operational Risk are largely internal to the incamp;

•

In Operational Risk, the cost of investigating and correcting the problems underlying a loss event are significant and in many cases the same exceed even the direct cost of operational losses.

Operational Risks

193

•

Major Operational Risk Losses have low probability incidence but have very large impact - exceeding those of Market or Credit Risk;

•

Measuring Operational Risk requires both estimating the probability of an operational loss event and the potential size of the loss;

•

Most banks rely on risk factors that provide some indication of the likelihood of an operational loss event occurring;

•

A clear mathematical or statistical link between individual risk factors and the likelihood and size of operational loss does not exist;

•

Experience with large operational losses are generally infrequent;

•

Banks lack historical data on their own operational losses and their causes;

•

Banks developing models for operational risk measurement rely on similar set of risk factors viz., Internal Audit Ratings, Internal Control Self Assessment, Operational Indicators such as volume, turnover, rate of errors, loss experience and income volatility;

•

High level overseeing of operational risk is performed by Board of Directors, Management Committees or Audit Committee.

These findings of the working group provide important cue for understanding the need and present status of operational risk management in banks.

7.' OPERATioNAl Risks - COMPONENTS Banks face operational risk in day-to-day operations. Such risks may be related to its activities related to its traditional banking business or the business related to new generation banking business related to computers and telecommunications systems. While the nature of risks in both type of activities may be more or less similar e.g. breakdown of systems & procedures, errors, frauds etc., but the level of risk in computerized enviromnent is much more than the level of risk in traditional banking business.

7. ,. 1 Risks iN TRAdiTioNAl BANkiNG BusiNESS • Disregard of Systems and Procedures: This type of risk arises due to overlooking and disregard of prescribed systems and procedures in the bank. Systems and procedures in banks are prescribed with the aim to safeguard the banks' assets from external or internal threats. Internally, the risk comes from breakdowns in internal controls and corporate governance that can lead to financial losses through error, fraud, theft, burglary, or failure to perform in a timely manner. Such breakdowns can also cause the interests of the bank to be compromised in some other way; for example, by the dealers, lending officers, or other staff exceeding their authority or conducting business in an unethical manner. There can be numerous examples of disregard of systems and procedures leading to operational risk in banks, depending upon the nature of activity being undertaken by the bank. These may include:

•

Non-adherence to the guidelines and procedure for opening and operating deposit accounts;

•

Disregard of safeguards against unscrupulous persons opening accounts mainly to use the accounts as conduit for fraudulently encashing payment instruments;

194

Risk Management in Indian Banks

•

Disregard of instructions for accepting and handling cash, clearing or payment instruments from customers;

•

Non-adherence to the guidelines for handling cash receipts, payments and cash in hand;

•

Non-adherence to the guidelines for handling bills received or sent for collection;

•

Non-adherence to the guidelines for handling credit portfolio which may include guidelines for granting credit, monitoring and follow up and recovery;

•

Disregard of guidelines related to safe custody of cash and other items required to be held in safe or held for trust;

The aforesaid list is only an indicative one and in fact there may be a large number of such items where disregard of systems and procedures may lead to operational risk. Such disregard of systems and procedures may also result into errors, frauds, theft, burglary, and interruptions in the business and may also cause legal, strategic and reputation risk to banks. • Error Risk: This risk may arise due to incidence of errors in operations, which may result in losses to banks. The errors may be due to disregard of systems and procedures or due to other reasons. In errors the intentions of staff/officers is normally absent and instances of error take place inadvertently or due to negligence. Error risk may be due to inadvertent wrong feeding of information, entering into transactions, additions, alterations or calculation mistakes/processing errors and may damage customer service and operational performance before they are detected. • Fraud Risk: Such risk may arise due to unauthorized transactions, additions, alterations or deletions in records or data intentionally. In such matters involvement of bank's staff/officers or third parties with the intention to commit fraud is generally observed. Disregard of systems and procedures is one of the major causes of commission of frauds and exposing banks with fraud risk. • Theft, Burglary: In case security measures are disregarded or not followed/implemented properly banks may face the risk of theft or burglary which is again a kind of operational risk. These risks, as also other operational risks may create interruptions in bank's operations and may also cause losses to banks in case proper insurance or other loss mitigation tools are not put in place.

7.'.2

Risks RElATEd TO COMPUTERS ANd TElECOMMUNiCATioN SYSTEMS

The speed of technological innovation in computers and telecommunications in recent years and the integration of automated operations are increasing the dependence of banks on the reliability and continuity of their EDP systems. Banks have always been exposed to risks such as error and fraud but the scale of those risks and the speed with which they can arise have changed dramatically. Furthermore, with computerized settlement systems, the default by one bank because of systems problem is passed along the system in a chain reaction that threatens to envelop and paralyze the entire settlement system. Managing risks in computer and telecommunication cation system is therefore, very important for the banks functioning in computerized environment. The type of risk which characterize an EDP enviromnent and the security and control procedures includes following type of risks: • Organization Risk: Absence of clear reporting lines and responsibilities in the organization structure can result in poor distribution of human and financial resources. Poor segregation of duties an result in risk of error and fraud in an IT environment. • Location Risk: With increase in computerization, blJsiness objectives become more dependent on technology resources, which are susceptible to natural and unforseen risks. Location

Operational Risks

195

of the bank's data processing equipment may determine their susceptibility to events such as floods, earthquakes, storms, riots or sabotage. • Outsourcing Risk: It is common practice for all banks to outsource some or all of their data processing and IT. Without proper management control and documentation the responsibilities and liabilities of supplier and customer may not be clear. Over reliance on a single supplier increases the risks from the supplier failure and resultant high cost. • Error Risk: Errors typically and frequently occur during the entry of data and during the development and amendments of programmes. Significant errors can also arise during the system design process, during routine systems 'house keeping' procedures and when using special programmes to correct other errors. The cause is usually human failure, it being relatively rare for errors to be caused by failure of internal electronic or mechanical components. Errors can also be introduced into software packages where these are "customized" and adapted to meet the needs of a particular user. When purchasing standard software packages the aim should be to keep the number of changes to a minimum. • Fraud Risk: Data flows in banking represent assets or instructions, which ultimately move assets. The speed with which assets can be transferred using electronic payment and message switching systems complicates the task of internal control and can be a cause of frauds. Successful frauds will not only result in a direct financial loss for the institution but, when reported in the media, will detract from confidence in the institution and in the banking system in general. The wide variety of ways that computer records can be accessed creates many possibilities for fraud. For example: •

Unauthorized transactions can be entered into the computer system, Unauthorized changes to programmes can be made during routine development or maintenance which may cause the programme to generate fraudulent transactions automatically, to ignore control checks on selected accounts or to remove records of specified transactions;

•

Special programmes can be used to make unauthorized changes to computer records in a way that bypasses the normal control and audit trail facilities built into the computer systems;

•

Computer files can be removed physically from a computer installation, amended elsewhere by the insertion of fraudulent transactions or balances and returned for processing;

•

Transactions can be introduced or intercepted and amended raudulently whilst being transmitted through telecommunication network.

At present, new forms of payments are being introduced permitting payments to be initiated by third parties using electronic equipment. This is likely to increase the probabilities of some of these types of fraud through unauthorized access to telecommunication networks. Most banking systems contain control facilities and produce reports designed to assist in the prevention or detection of these types of fraud. These two, however, may be vulnerable to manipulation by persons with access to computer terminals or files. In constructing effective systems of internal control, it is paramount to identify all the vulnerable points in each system. Critical records and programmes must be particularly protected against unauthorized changes. Attention must also be given to ensuring that staff in critical areas is properly trained and the duties are appropriately segregated.

196

Risk Management in Indian Banks

• Interruption of Business due to Hardware or Software Failure: Computer systems consists of large numbers of individual equipment and software components, the failure of anyone of which may bring down the system. Often these components are concentrated in one or a few places increasing the vulnerability of accidents. The classical remedy for system failure was to revert to manual processes that the computer system superseded. In the majority of cases this procedure is now unrealistic and few banks could operate without computer systems. The processing and delivery of information through improved technology has expanded management dependence on the availability and reliability of automated systems. The continued availability of a bank's information systems is integral to effective management decision making. When computer systems are out of action, the damaging effects on the real-time banking services to clients are immediate and increase rapidly. Processing backlogs develop quickly and, after a breakdown lasting several hours, these may take days to clear. Particularly devastating are the effects in case of EFT and payment systems, in particular those providing a guaranteed same-day settlement service where beneficiaries depend upon receiving funds to offset their commitments. The consequential costs of a serious systems failure can far exceed the costs of replacing damaged equipment, data or software. The existence of effective contingency plans is one way by which the management can reduce the impact of similar operational problems. Such contingency plans should form an extension of a bank's system of internal control and physical security. It should include provisions for continuing operations and for recovery when the bank's systems become disrupted or inoperative, that is provisions for off-site backup of critical data files of software and of hardware, as well as alternative means of processing information. The bank's contingency plans should be tested periodically to demonstrate their contiuned efficiency. A bank that relies on an outside EDP service provider for its data processing needs should be certain that service provider's contingency plans complement its own .

• Improper Disclosure of Information: Most bank information is created by or directly linked to computer processing. Data and documents are routinely throughout a bank or between a bank and its correspondents and clients via public telecommunications links, such as telephone lines and satellites. Many users, including employees and bank customers, can directly access this data through computer terminals or telephones. These activities, while improving customer services and internal operations, have also increased the risk of error and abuse of the bank's information. Much of that information is confidential and could damage customer relations and the reputation of the bank, as well as give rise to claims for damages, if it falls into the wrong hands. Customer balances, overdraft limits and transaction details are few of the examples of such information. Correspondence and bank strategies are also created and stored through text processing. The particular danger of unauthorized disclosure of confidential information in EDP systems, compared with manual systems, lies in the fact that much larger quantities of information can be removed in a more convenient and processable form (e.g. copies on tapes or disks) and there may be no trace of unauthorized access having occurred. Adequate security and control procedures are therefore necessary to protect the bank. The level of control must be assessed against the degree of exposure and the impact of loss (or disclosure) to the institution. Technology controls for information security might include: encryption, a process by which plain text is converted into encrypted strings of meaningless symbols; the use of message identification codes, in which a particular code is designed to protect against unauthorized alteration of electronic data transactions during transmission or storage; and the use of security application

Operational Risks

197

software designed to restrict access to computer-based data, files, programmes, utilities, and system commands. Such systems can control access by user, by transaction, and by terminal. Security violations, including attempted violations, can be reported.

• Ineffective Planning: Sound planning is a crucial factor. Banking efficiency and quality of service are now so dependent on computer systems that any failure in planning or developing new systems may have significant commercial consequences. Failure in implementing new systems ,nd providing new services quickly enough may place a bank at serious disadvantage with respect to its competitors. But, on the other hand, computerization at all costs, especially where the benefits are marginal has often proved to be a costly mistake. Some financial institutions have experienced -significant problems in attempting to introduce largescale integrated financial systems. An integrated software system is a structure in which programmes for different applications - loans, deposits, retail and wholesale - that normally are designed and operated as stand-alone programmes are built from the start as related part of a whole. This approach is adopted in an attempt to increase the timeliness of information, foster operational efficiency and ease the introduction of new products. In some cases the cost, time and personal resources required for the successful installation of integrated systems has been under estimated. Projects developed over many years have been abandoned with enormous costs. The complexity of EDP systems and their impact on the entire organization require a commitment from top management for every project to be successful. Management should pay close attention to long-term (strategic) planning of computer systems, equipment and software, feasibility studies, specification of systems requirements, selection of suppliers and project control.

• Risk Associated with end user Computing Operations: Until recently Personal Computers (PCs), microcomputers and end-user computing devices have played a relatively small role in system data-processing activities. Presently, the technological advantages, expediency and cost benefits of end-user computing have greatly increased the use of such devices, taking part of data processing out of the centralized control environment. Computerrelated risks are now in new areas of the banks and very often basic control and supervision of these computer activities have not been introduced. The main worry with end-user computing is that the implementation of these new information delivery and processing networks has outpaced the implementation of controls. The risks are in general the same as those involved with mainframes but particular attention needs to be paid to the possibility of corruption or loss of data or software and consequent impediment to the efficient functioning of the overall operations network of the institution. Microcomputers are now being used not only as word processors but also, as communications terminals with other computers and stand-alone computer processors. As there is a tendency for these systems to be highly personalized and independent, with one single person often fully responsible for the development, testing, implementation, and operation of a set of programmes, the possibility of the use of procedures and treatment of data different from and incompatible with the standards adopted elsewhere in the institution becomes greater.

• Interruption of business due to natural calamities, loss of connectivity I data or disasters due to war or terrorist activities: Such risk may arise due to occurrence of natural calamities such as floods, earth quakes, storms, fire, occurrence of war or terrorists activit;es, sabotage of systems and network, virus propagation etc which may cause wide spread losse 3 to computer systems and telecommunications network. In such a contingency the data may be destroyed which may lead to losses to the institution in varied forms.

198

7.4

Risk Management in Indian Banks

MANAGEMENT

of OPERATiONAL Risks

• Operational Risk Management Process - Designing and Implementing an Operational Risk Management Framework: The creation of formal operational risk management frameworks in banks is necessary mainly due to following reasons: •

Senior Management Vision and Commitment that the approach has merit;

•

Perceived Increase in Operational Risk due to globalization of business, greater product sophistication, introduction of new technology, growing settlement complexity etc;

•

Reaction to major Loss Events that have occurred internally to others;

•

Focus on Enterprise-wide Risk Management - after development of processes for market and credit risk management, operational risk is the next logical step;

•

Regulatory Attention.

The most crucial part of operational risk management is the identification and mitigation of the risks associated. Operational risk management comprises a host of activities: •

Identifying the risk: What can go wrong?

•

Measuring the risk: Approximately how critical is a particular risk?

•

Preventing operational losses e.g., standardized deal documentation.

•

Mitigating the loss impact after it has occurred by reducing the bank's sensitivity to the event, e.g., disaster contingency planning.

•

Predicting operational losses, e.g., projecting the potential legal risks and market cannibalization associated with a new product or service.

•

Transferring the risk to external parties presumably better able to handle the risk, e.g., insurance, hedging, surety.

•

Changing the form of the risk to another type of risk and dealing with that risk.

•

Allocating capital to cover operational risk.

The operational risk management process in banks requires evolution of practices in a variety of ways depending on the culture and the organization's operational risk event history. The evolution of formal operational risk management process may be bifurcated into five stages. The first stage in operational risk management is giving a focused attention to existing internal control procedures. In fact operational risks have always existed and have dominated all other risk categories till SIS announced its capital adequacy guidelines in 1988. Then for over a decade, credit and market risk got attention of banks and now operational risk management is receiving the attention of banks. As operational risk are older than other categories of risk banks have been managing the same since inception through adoption of suitable internal control systems. For creation of a formal operational risk management framework the first requirement is, therefor, to study the same, which can be a valued input at the first stage. Similarly, the depth of internal audit programmes, their reliability, existing operational risk mitigation techniques programmes, work culture and reliance on the quality of work force/staff also provides valuable inputs at the first stage of formalizing an operational risk management framework.

Operational Risks

199

The second stage in the evolution of operational risk management is development of awareness. The senior management of the bank plays the most important role in this direction. A starting point in this direction is the commitment of senior management to make the organization more proactive in its understanding of operational risk and creation of a responsibility position to manage operational risk. The responsibility may be assigned to a department headed by a responsible officer (operational risk manager) and he may be asked to develop a common understanding and assessment of operational risk. The understanding of operational risk should be uniform throughout the organization and the assessment should be made accordingly. This assessment begins with the formulation of operational risk policies, a definition and development of common tools and governance structure. The tools may include self assessment of operational risk, risk process map and development of early indicators of operational risk levels and collection of loss events. Such tools provide a common framework for risk identification, definition of controls, and prioritization of issues and mitigation programmes. This stage also requires gaining of senior management commitment and the buy-in of ownership of the operational risk at the business unit level. The third stage in the evolution of operational risk management involves monitoring of the risk. Once all the operational risks are identified banks require understanding the implications of these risks to the business. At this stage tracking the current level of operational risk and effectiveness of management functions becomes the focus. Risk indicators (both quantitative and qualitative) and escalation criteria (which are goals or limits) are established to monitor performance. Measures are consolidated into an operational risk scoreboard alongwith other relevant issues for senior management. Clear vision and goals for operational risk management are set. Evaluation of operational risk management process is made and work is assigned to dedicated staff to analyze the processes and monitor activity and introduction of operational risk programme. The fourth stage in operational risk management process is related to quantification of risk. For this purpose comprehensive database for operational losses is developed. With a better understanding of the current situation, focus is kept on the changes taking place and quantifying the relative risks and predicting what will happen. More analytical tools, based on actual data, are used to determine the financial impact of operational risk on the organization and provide data to conduct empirical analysis on causes and mitigants. Based on results of predictive analysis and leading indicators risk based economic models are developed and utilized. The fifth stage involves management focus on integrating and implementing processes and solutions by recognizing the value of lessons learned by each business unit and complimentary nature of the individual business tools. Balancing business and corporate values, qualitative versus quantitative, different levels of management needs etc. the risk cation is integrated into the economic capital processes and linked to compensation. Quantification is also applied to make better cost / benefit decisions and operational risk management is linked to strategic planning process and quality initiatives. After establishment of linkage the relationship between operational risk management and shareholder value is determined and operational risk management process is then utilized for increasing the shareholder value.

• Approaches in Designing of Operational Risk Management Framework: It is essential that any framework for managing operational risk must be integrated with management of other forms of risk. It is therefore important that principles and guidelines for operational risk management are considered within the context of an overall framework for risk management.

200

Risk Management in Indian Banks

As has also been discussed earlier, risk management is the overall process by which a bank: •

Identifies and understand the full spectrum of its risks;

•

Defines its appetite for risk based on strategic objectives;

•

Assesses the risks and means of mitigation on a cost benefit basis in order to take informed actions;

•

Reduces the likelihood and impact of loss events; and

•

Decrease the uncertainty of overall performance.

Operational Risk Management relates to the management of those risks that could lead to a loss resulting from inadequate or failed internal processes, people and systems or from external events. An operational risk management framework is a framework with three components: •

Organizational structure (including risk management group, committees, roles and responsibilities, etc.);

•

Policy (operational risk management strategy, policies and procedures);

•

Operational risk management process (processes for the identification, assessment quantification, management/mitigation, monitoring and reporting of operational risks).

It should be noted that the underlying concepts of risk management apply to all type of risks (i.e. credit risk, market risk, and operational risk) and banks need to consider how the procedures and framework for managing different types of risks should be integrated in order to ensure both consistency and completeness in their overall risk management framework. The basic objective of the Operational Risk Management framework should ideally be to answer the following questions viz. •

What are the risks?

•

How severe are the risks?

•

What can be done to reduce or eliminate these risks?

•

Can a framework be implemented to continuously manage operational risk and to provide self-regulation?

The framework should address these questions and should also assist in managing operational risk and any breakdown or potential breakdown in operations.

• Sound Practices for the Management and Supervision of Operational Risk The Basel Committee on Banking Supervision has developed following sound practices for the management of operational risk in banks. In developing these sound practices, the Committee has drawn upon its existing work on the management of other significant banking risks, such as credit and liquidity risk and the Committee has believed that similar rigour should be applied to the identification, measurement, monitoring and control of operational risk. Nevertheless, the Committee has observed that operational risk differs from other banking risks, in that it is typically not directly taken in return for an expected reward, but exists in the natural course of corporate activity, and that this impacts the risk management process. The principles developed by the Basel Committee are as follows:

Operational Risks

•

201

Developing an Appropriate Risk Management Environment

Principle 1: The Board of Directors should be aware of the major aspects of the bank's operational risk as a distinct and controllable risk category and should approve and periodically review the bank's operational risk strategy. The strategy should reflect the bank's tolerance for risk and its understanding of the specific characteristics of the risk category. The Board should also be responsible for approving the basic structure of the framework for managing operational risk and ensuring that senior management is carrying out its risk management responsibilities. Principle 2: Senior management should have responsibility for implementing the operational risk strategy approved by the Board of Directors. The strategy should be implemented consistently throughout the whole banking organization and all levels. TOP Management should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank's products, activities, processes and systems. Principle 3: Information flows within the banking organization playa key role in establishing and maintaining an effective operational risk management framework. Communication flows within the bank should establish a consistent operational risk management culture across the bank. Reporting flows should enable senior management to monitor the effectiveness of the risk management system for operational risk, and also enable the Board of Directors to oversee senior management performance.

• Risk Management: Identificatioh, Measurement, Monitoring and Control Principle 4: Banks should identify the operational risk inherent in all types of products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken the operational risk inherent in them is subject to adequate assessment procedures. Principle 5: Banks should establish processes necessary for measuring operational risk. Principle 6: Banks should implement a system to monitor, on an on-going basis, operational risk exposures and loss events by major business lines. Principle 7: Banks should have policies, processes and procedures to control or mitigate operational risk. Banks should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.

• Role of Supervisors Principle 8: Banking supervisors should require banks to have an effective system in place to identify, measure, monitor and control operational risk as part of an overall approach to risk management. Principle 9: Supervisors should conduct, directly or indirectly, regular independent evaluation of a bank's strategies, policies, procedures and practices related to operational risks. Supervisors should ensure that there are effective reporting mechanisms in place, which allow them to remain apprised of developments at banks.

• Role of Disclosure Principle 10: Banks should make sufficient public disclosures to allow market participants to assess their operational risk exposure and the quality of their operational risk management.

202

Risk Management in Indian Banks

• Establishing a Sound Operational Risk Management System 1. From the ten principles mentioned above one can observe that an effective operational risk strategy should implement an operational risk management process and ensure effective board and senior management oversight. The formality and sophistication of the operational risk management process should be commensurate with the risk incurred by the bank. 2. The Board of Directors should address explicitly operational risk as a distinct and controllable risk to the bank's safety and soundness. Failure to address operational risk, which is present in virtually all bank transactions and activities, may greatly increase the likelihood that some risks will go unrecognized and uncontrolled. The Board may address operational risk in part by approving a definition of operational risk that clarifies those risks that the bank has decided it can manage internally and those it may wish to be transferred. 3. The Board should approve a bank-wide operational risk strategy and establish a management structure capable of implementing that strategy. The strategy should define explicitly the bank's level of risk tolerance and how the bank will keep risks within that level, including specific lines of responsibility. The Board should review the strategy regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to incorporate industry innovations in operational risk management into the bank's systems and processes. If necessary, the Board should revise the operational risk management framework in light of this analysis to ensure that material operational risks are captured within the framework. 4. Banks should have in place adequate internal audit coverage to verify that operating policies and procedures are effectively implemented. The Board either directly, or indirectly through its audit committee should ensure that the scope and frequency of the audit programme is appropriate to the risks involved. To the extent that the audit function is involved in this process, the Board should ensure that the independence of the audit function is maintained. This independence may be compromised if the audit function is directly involved in the operational risk management process. 5. Management must translate the operational risk management strategy established by the Board of Directors into policies, processes and procedures that can be implemented and verified. While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management must clearly assign authority, responsibility and reporting relationship to encourage this accountability. This responsibility includes ensuring that the necessary resources are available to manage operational risk effectively. Moreover, senior management should assess the appropriateness of the management oversight process in light of the risks inherent in a business line's strategy and ensure that staff is apprised of their responsibilities. 6. Senior management should ensure that bank activities are conducted by qualified staff with the necessary experience and technical capabilities and that the staff responsible for monitoring and enforcing the institution's risk strategy have authority independent from the business units they oversee.

Operational Risks

203

7. Senior management should also ensure that the bank's remuneration policies reflect its risk strategy. Remuneration policies that reward staff that deviate from policies weaken the bank's risk management processes. 8. Integrated objectives among managerial levels are particularly crucial for banks using, or in the process of implementing, advanced technologies to support high transaction volumes. Particular attention should be given to the quality of the documentation controls and transaction-handling practices, policies, processes and procedures related to such technologies should be well-documented and disseminated to all relevant personnel. 9. The Board of Directors and senior management, at their respective responsibility levels, must communicate that the management of operational risk is an institutional priority. Senior management should communicate to all staff its risk management expectations, and maintain effective channels of communication to ensure that staff understand fully and adhere to the policies, processes and procedures affecting their duties and responsibilities. An explicit operational risk management strategy helps the Board to communicate clearly its expectations to senior and other management and to hold management accountable for meeting those expectations. 10. Specific consideration should be given to co-ordinating internal communications. It is vital that operational risk managers communicate effectively with their counterparts in other areas, such as those dealing with credit or market risk, as well as with the department(s) responsible for the procurement of external services, such as insurance purchasing and outsourcing agreements. 11. In order to assess accurately risk exposures against risk tolerances stated in the Board's strategy and adherence to internal policies, processes and procedures, senior management should receive regular reports from both business units and internal audit function. The report should contain internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Reports should be distributed to appropriate levels of management and areas of the Bank where topics of concern may have an impact, Reports should reflect fully any identified problem areas and should motivate timely corrective action on outstanding issues. To ensure the usefulness and reliability of these risk and audit reports, management should regularly verify the timeliness, accuracy and relevance of reporting systems and internal controls in general. Management may also use reports prepared by external sources (auditors, supervisors) to assess the usefulness and reliability of internal reports. Reports should be analyzed with a view to improving existing risk management performance as well as developing new risk management policies, procedures and practices. 12. Risk identification is critical for the subsequent development of viable operational measurement, monitoring and control. Effective risk identification considers both internal factors (such as the complexity of the bank's structure, the nature of the Wk's activities, the quality of personnel, organizational changes and employee turnover) and external factors (such as fluctuating economic conditions, changes in the industry and technological advances) that could adversely affect the achievement of the bank's objectives. 13. The risk identification process should also include a determination of which risks are controllable by the bank and which are not. There are several processes commonly used by banks to help them identify operational risk:

Risk Management in Indian Banks

204

•

Self-Assessment - A bank assesses its operations and activities against a menu of operational risk events. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk events.

•

Risk Mapping - In this process, various business units, organizational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritize subsequent management action.

•

Key Risk Indicators- Risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank's risk position. These indicators should be reviewed on a periodic basis (often monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include for example the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions.

•

Thres!70ld Limits- Typically tied to risk indicators, threshold levels (or changes) in key risk indicators, when exceeded, alert management to areas of potential problems.

•

Scorecards - These provide a means of translating qualitative assessments into quantitative metrics that can be used to allocate economic capital to business lines in relation to performance in managing and controlling various aspects of operational risk.

14. Measuring operational risk requires both estimating the probability of an operational loss event and the potential size of the loss. All banks should engage in tracking group wide operational risk data. Such information is fundamental to measuring, monitoring and controlling operational risk exposure. For any reliable measurement system, data would need to be collected in order to develop general measures of operational risk. While the nature of the data collected may vary across banks, to be useful, the breadth, history and integrity of the data collected must be commensurate with the bank's operational risk profile and approach to managing risk. 15. Banks should develop sound internal reporting practices and systems that are consistent with the scope of operational risk defined by supervisors and banking industry. In addition, banks should have an operational risk measurement methodology, knowledgeable staff and an appropriate systems infrastructure capable of identifying and gathering operational risk data. 16. An effective monitoring process is essential for adequately managing operational risk. Ongoing monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the policies, processes and procedures for managing operational risk. Promptly detecting and addressing these deficiencies can substantially reduce the potential severity of a loss event. 17. The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. Monitoring is most effective when the system of internal control is integrated into the bank's operations and produces regular reports. The result of these monitoring activities should be included in the management and Board reports, as should compliance reviews performed by the internal audit and/ or risk management functions. Supervisory reports may also inform this monitoring and should likewise be reported internally.

Operational Risks

205

18. Control activities are designed and implemented to address the risks that the bank has identified. For those risks that are controllable, the bank must decide the extent to which it wishes to use control procedures and other appropriate techniques or bear the risk. For those risks that cannot be controlled, the bank must decide whether to accept these risks or to withdraw from or reduce the level of business activity involved. Control processes and procedures should be established and bank should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include: •

Top-level reviews of the bank's progress towards the stated objectives;

•

Checking for compliance with management controls;

•

Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues; and

•

A system of documented approvals and authorizations to ensure accountability to an appropriate level of management.

19. To be effective, control activities should be an integral part of the regular activities of a bank, and should involve all levels of personnel in the bank, including both senior management and business unit personnel. Controls that are an integral part of the regular activities enable quick responses to changing conditions and avoid unnecessary costs. 20. An effective internal control system also requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals, or a team, may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimized and subject to careful independent monitoring and review. 21. Some significant operational risks have low probabilities but potentially very large financial impact. Risk mitigation tools or programmes can be used to reduce the exposure to such events. However, banks should view these as complementary to, ra.ther than a replacement for, thorough internal operational risk control, as an important mitigation technique is the timely internal resolution of errors. Having mechanisms in place to quickly recognize and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to whether a risk mitigation strategy is truly reducing risk, or merely transferring the risk to another business sector or area. One growing risk mitigation technique IS the use of insurance to help mitigate operational risk. Innovative insurance policies with prompt and certain pay-out features could be used to externalize the risk of "low frequency, high severity" losses which may occur as a result of events such as errors and omissions, physical loss of securities, employee or third party fraud and natural disasters. 22. Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, banks should be aware that increased automation can transform high frequency, low-severity losses into low frequency, high severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by the factors beyond the bank's immediate control (e g., external events). Such problems may cause serious difficulties for banks and could jeopardize an institution's ability to conduct key business activities. The potential requires

206

Risk Management in Indian Banks

that banks establish business resumption and contingency plans that take into account different types of plausible scenarios, including disruption to communication technology, to which the bank may be vulnerable. 23. Banks should also establish sound policies for managing the risks associated with outsourcing activities. Clearly, the outsourcing of activities has the potential to enhance the bank's performance and can reduce the institution's risk profile by transferring the activities to others with greater expertise and scale to manage the risks associated with specialized business activities. Outsourcing activities should be based on rigorous legal agreements ensuring a clear allocation of costs between external service providers and the outsourcing bank. Furthermore, banks need to manage and control any residual risks associated with outsourcing arrangements, including disruption of services or reputational risks. 24. Depending on the importance and criticality of the activity, banks should understand the potential impact on their operations and on their customers of any potential deficiencies in services provided by vendors and other third party service providers, including both operational breakdowns and the potential business failure or default of the external parties. The extent of the external party's liability and financial ability to compensate the bank for errors, negligence and other operational failures should be explicitly considered as part of the risk assessment. Banks should carry out due diligence tests and monitor the activities of third party service providers, especially those lacking experience of the banking industry's regulated environment. For critical activities, the bank may need to consider contingency plans, including the availability of alternative external parties and the costs and resources required to switch external parties, potentially on very short notice .

• Reserve Bank of India Guidelines In October 2005, the Reserve Bank of India, released guidance note for banks for management of Operational Risk. Banks will be required to implement the guidelines keeping in view their size of operations and complexity of business. The RBI in its guidance note has reiterated that banks/financial institutions are in the business of risk management and hence they should develop sophisticated risk management systems for which they may get suitable incentives. The basic components of a risk management system are identifying the risks the entity is exposed to, assessing their magnitude, monitoring them, controlling or mitigating them using a variety of procedures, and setting aside provisions or capital for potential losses. Deregulation and globalisation of financial services, together with the growing sophistication of financial technology, are making the activities of banks and thus their profiles more complex. Evolving banking practices suggest that risks other than credit risks and market risks can be substantial. The main drivers of these risks are: •

Highly Automated Technology -If not controlled, the greater use of more highly automated technology has the potential to transform risks from manual processing errors to system failure risks, as greater reliance is placed on integrated systems.

•

Emergence of E-Commerce - Growth of e-commerce brings with it potential risks (e.g. internal and external fraud and system securities issues)

•

Emergence of banks acting as very large volume service providers creates the need for continual maintenance of high-grade internal controls and back-up systems.

Operational Risks

207

•

Outsourcing - growing use of outsourcing arrangements and the participation in clearing and settlement systems can mitigate some risks but can also present significant other risks to banks.

•

Large-scale acquisitions, mergers, de-mergers and consolidations test the viability of new or newly integrated systems.

•

Banks may engage in risk mitigation techniques (e.g. collateral, derivates, netting arrangements and asset securitization) to optimise their exposure to market risk and credit risk, but which in turn may produce other forms of risk (e.g. legal risk).

•

Growing number of high-profile operational loss events worldwide have led banks and supervisors to increasingly view operational risk management as an inclusive discipline. Management of specific operational risks is not a new practice; it has always been important for banks to try to prevent fraud, maintain the integrity of internal controls, reduce errors in transaction processing, and so on. However, what is relatively new is the view of operational risk management as a comprehensive practice comparable to the management of credit and market risk. 'Management' of operational risk is taken to mean the 'identification, assessment, monitoring and control/mitigation' of this risk.

It is in the light of aforesaid developments and the New Basel Accord (BASEL II) the Reserve Bank of India has come out with the guidance note which is structured into 8 chapters covering the issue of Operational Risk from defining the operational risk and its likely manifestation, creation of an enabling organisational culture, placing high priority on effective operational risk management and implementation of risk management processes, The guidance note gives a typical outline of the organisational setup in the bank, together with the responsibilities of the Board and Senior Management, policy requirements and strategiC approach to Operational Risk Management which should outline all aspects of the bank's Operational Risk Management Framework. The note also covers issues of identification and assessment and monitoring of Operational Risk putting in one place the business lines that a bank need to identify and the principles underlying mapping of these business lines. Details of effective control/mitigation of Operational Risk, internal audit and its scope for an independent evaluation of the Operational Risk Management function, an outline of sound principles for effective management and supervision by banks, capital allocation for Operational Risk based on Basic Indicator Approach etc. are also outlined in the guidance note. The exact approach for operational risk management chosen by banks will depend on a range of factors. Despite these differences, clear strategies and oversight by the Board of Directors and senior management, a strong operational risk culture, effective internal control and reporting, contingency planning are the crucial elements for an effective operational risk management framework. Initiatives required to be taken by banks in this regard will include the following: •

The Board of Directors is primarily responsible for ensuring effective management of the operational risks in banks. The bank's Board of Directors has the ultimate responsibility for ensuring that the senior management establishes and maintain.s an adequate and effective system of internal controls.

•

Operational risk management should be identified and introduced as an independent risk management function across the entire bank! banking group.

•

The senior management should have clear responsibilities for implementing operational risk management as approved by the Board of Directors.

Risk Management in Indian Banks

208

•

The direction for effective operational risk management should be embedded in the policies and procedures that clearly describe the key elements for identifying, assessing, monitoring and controlling/mitigating operational risk.

•

The internal audit function assists the senior management and the Board by independently reviewing application and effectiveness of operational risk management procedures and practices approved by the Board/senior management.

The New Capital Adequacy Framework has put forward various options for calculating operational risk capital charge in a "continuum" of increasing sophistication and risk sensitivity and increasing complexity. Despite the fact that banks may adopt anyone of the approaches, it is intended that they will benchmark their operational risk management systems with the various options and aim to move towards more sophisticated approaches. The Guidance Note issued by RBI is summarised below:

Definition Definition of operational risk has evolved rapidly over the past few years. At first, it was commonly defined as every type of unquantifiable risk faced by a bank. However, furth,er analysis has refined the definition considerably. Operational risk has been defined by the Basel Committee on Banking Supervision 1 as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. This definition is based on the underlying causes of operational risk. It seeks to identify why a loss happened and at the broadest level includes the breakdown by four causes: people, processes, systems and external factors.

Likely Forms of Manifestation of Operational Risk A clear appreciation and understanding by banks of what is meant by operational risk is critical to the effective management and control of this risk category. It is also important to consider the full range of material operational risks facing the bank and capture all significant causes of severe operational losses. Operational risk is pervasive, complex and dynamic. Unlike market and credit risk, which tend to be in specific areas of business, operational risk is inherent in all business processes. Operational risk may manifest in a variety of ways in the banking industry. The examples of operational risks listed above can be considered as illustrative. The Basel Committee has identified the following types of operational risk events as having the potential to result in substantial losses: •

Internal fraud. For example, intentional misreporting of positions, employee theft, and insider trading on an employee's own account.

•

External fraud. For example, robbery, forgery, cheque kiting, and damage from computer hacking.

•

Employment practices and workplace safety. For example, workers compensation claims, violation of employee health and safety rules, organised labour activities, discrimination claims, and general liability.

•

Clients, products and business practices. For example, fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank's account, money laundering, and sale of unauthorised products.

Operational Risks

209

•

Damage to physical assets. For example, terrorism, vandalism, earthquakes, fires and floods.

•

Business disruption and system failures. For example, hardware and software failures, telecommunication problems, and utility outages.

•

Execution, delivery and process management. For example: data entry errors, collateral management failures, incomplete legal documentation, and unauthorized access given to client accounts, non-client counterparty misperformance, and vendor disputes.

Organisational Setup and Key Responsibilities for Operational Risk Management Relevance of Operational Risk Function Operational Risk differs from other banking risks in that it is typically not directly taken in return for an expected reward but is implicit in the ordinary course of corporate activity and has the potential to affect the risk management process. However, it is recognised that in some business lines with minimal credit or market risks, the decision to incur operational risk, or compete based on the perceived ability to manage and effectively price this risk, is an integral part of a bank's risk/ reward calculus. At the same time, failure to properly manage operational risk can result in a misstatement of an institution's risk profile and expose the institution to significant losses. 'Management' of operational risk is taken to me::ln the 'identifiGation, assessment and/or measurement, monitoring and control/mitigation' of this risk. Organizational set up and culture. Operational risk is intrinsic to a bank and should hence be an important component of its enterprise wide risk management systems. The Board and senior management should create an enabling organizational culture placing high priority on effective operational risk management and adherence to sound operating procedures. Successful implementation of risk management process has to emanate from the top management with the demonstration of strong commitment to integrate the same into the basic operations and strategic decision making processes. Therefore, Board and senior management should promote an organizational culture for management of operational risk. It is recognised that the approach for operational risk management that may be chosen by an individual bank will depend on a range of factors, including size and sophistication, nature and complexity of its activities. However, despite these differences, clear strategies and oversight by the Board of Directors and senior management; a strong operational risk culture, i.e., the combined set of individual and corporate values, attitudes, competencies and behaviour that determine a bank's commitment to and style of operational risk management; internal control culture (including clear lines of responsibility and segregation of duties); effective internal reporting; and contingency planning are all crucial elements of an effective operational risk management framework. Ideally, the organizational setup for operational risk management should include the following: 1.

Board of Directors (Decide overall risk management policy and strategy)

2.

Risk Management Committee of the Board

.

Board Sub-Committee including CEO and Heads of Credit, Market and Operational Risk Management Committees (Policy and Strategy for Integrated Risk Management)

Risk Management in Indian Banks

210

3.

Operational Risk Management Committee (Policy and Strategy for Integrated Risk Management)

4. 5.

Operational Risk Management Department Operational Risk Managers

6.

Support Group for Operational Risk Management

It has to be ensured that each type of major risk viz. Credit Risk, Market Risk and Operational Risk, is managed as an independent function. Hence, banks should have corresponding risk management committees, which are assigned the specific responsibilities. Banks may structure the risk management department(s) as appropriate without compromising on the overall prinCiples. Board of Directors of a bank is primarily responsible for ensuring effective management of operational risks. The Board would include Committee of the Board to which the Board may delegate specific operational risk management responsibilities: •

The Board of Directors should be aware of the major aspects of the bank's operational risks as a distinct risk category that should be managed, and it should approve an appropriate operational risk management framework for the bank and review it periodi~ally.

•

The Board of Directors should provide senior management with clear guidance and direction.

•

The Framework should be based on appropriate definition of operational risk which clearly articulates what consjitutes operational risk in the bank and covers the bank's appetite and tolerance for operational risk. The framework should also articulate the key processes the bank needs to have in place to manage operational risk ..

•

The Board of Directors should be responsible for establishing a management structure capable of implementing the bank's operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the Board establishes clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest.

•

Board shall review the framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to assess industry best practice in operational risk management appropriate for the bank's activities, systems and processes. If necessary, the Board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within.

•

Board should ensure that the bank has in place adequate internal audit coverage to satisfy itself that policies and procedures have been implemented effectively. The operational risk management framework should be subjected to an effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not directly involved in the operational risk management process. Though, in smaller banks, the internal audit function may be responsible for developing the operational risk management programme, responsibility for day-to-day operational risk management should be transferred elsewhere. Senior Management Responsibilities

Operational Risks

211

Senior management should have responsibility for implementing the operational risk management framework approved by the Board of Directors. The framework should be consistently implemented throughout the whole banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. The additional responsibilities that devolve on the senior management include the following: •

To translate operational risk management framework established by the Board of Directors into specific policies, processes and procedures that can be implemented and verified within the different business units.

•

To clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk effectively.

•

To assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's policy.

•

To ensure bank's activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources, and that staff responsible for monitoring and enforcing compliance with the institution's risk policy have authority independent from the units they oversee.

•

To ensure that the bank's operational risk management policy has been clearly communicated to staff at all levels in the units that incur material operational risk.

•

To ensure that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market, and other risks as well as with those in the bank who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so could result in Significant gaps or overlaps in a bank's overall risk management programme.

•

To give particular attention to the quality of documentation controls and transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transaction volumes, in particular, should be well documented and disseminated to all relevant personnel.

•

To ensure that the bank's HR policies are consistent with its appetite for risk and are not aligned to rewarding staff who deviate from policies.

The broad indicative role of each organisational arm of the risk management structure both at the corporate level and at the functional level are given below, which can be customised to the actual requirements of each bank depending upon the size, risk profile, risk appetite and level of sophistication.

A. Key Functions of Risk Management Committee of Board (RMCB) 1.

Approve operational risk policies and issues delegated to it by the Board.

2.

Review profiles of operational risk throughout the organization.

3.

Approve operational-risk capital methodology and resulting attribution.

4.

Set and approve expressions of risk appetite, within overall parameters set by the Board.

5.

Re-enforce the culture and awareness of operational risk management throughout the organization.

212

Risk Management in Indian Banks

B. Key Functions of Operational Risk Management Committee The Operational Risk Management Committee is an executive committee. It shall have as its principal objective the mitigation of operational risk within the institution by the creation arxl maintenance of an explicit operational risk management process. The committee will be presented with detailed reviews of operational risk exposures across the bank. Its goals are to take a cross-business view and assure that a proper understanding is reached and actions are being taken to meet the sta'ted goals and objectives of operational risk management in the bank. The Committee may meet quarterly, or more often as it determines is necessary. The meetings will focus on all operational risk issues that the bank faces. Key roles of the Committee are: •

Review the risk profile, understand future changes and threats, and concur on areas of highest priority and related mitigation strategy.

•

Assure adequate resources are being assigned to mitigate risks as needed Communicate to business areas and staff components the importance of operational risk management, and assure adequate participation and cooperation

•

Review and approve the development and implementation of operational risk methodologies and tools, including assessments, reporting, capital and loss event databases.

•

Receive and review reports/presentations from the business lines and other areas about their risk profile and mitigation programs.

•

To monitor and ensure that appropriate operational risk management frameworks are in place.

•

To proactively review and manage potential risks which may arise from regulatory changes/ or changes in economic/political environment in order to keep ahead.

•

To discuss and recommend suitable controls/mitigations for managing operational risk.

•

To analyse frauds, potential losses, non compliance, breaches etc. and recommend corrective measures to prevent recurrences.

•

To discuss any issues ariSing/directions in anyone business uniUproduct which may impact the risks of other business/products.

•

To continually promote risk awareness across all business units so that complacency does not set in.

C. Key Functions of Operational Risk Management Department (ORMD) The ORMD is responsible for coordinating all the operational risk activities of the Bank, working towards achievement of the stated goals and objectives. Activities include building an understanding of the risk profile, implementing tools related to operational risk management, and working towards the goals of improved controls and lower risk. ORMD works with the operational liaisons within the business units, staff areas and with the corpor9te management staff. The group is organized within the Risk-Management function. Specific activities of the ORMD include: 1. Risk Profile - ORMD will work with all areas of the bank and assemble information to build an overall risk profile of the institution, understand and comfTlunicate these risks, and analyze . changes/trends in the risk profile. ORMD will utilize the following four-pronged approach to develop these profiles:

Operational Risks

•

Risk Indicators

•

Self-Assessment

•

Loss Database

•

Capital Model

213

2. Tools - ORMD is responsible for the purchase or development and implementation of tools that the Bank will use in its operational risk management program. 3. Capital- ORMD is jOintly responsible with the department involved in capital management for development of a capital measurement methodology for operational risks. It will also coordinate the assembly of required inputs, documentation of assumptions, gaining consensus with the business areas, and coordination with other areas of the bank for the use of the results in the strategic planning, performance measurement, cost benefit analysis, and pricing processes. 4. Consolidation and Reporting of Data - ORMD will collect relevant information from all areas of the bank, build a consolidated view of operational risk, assemble summary management reports and communicate the results to the risk committees or other interested parties. Key information will include risk indicators, event data and self-assessment results and related issues. 5. Analysis of Data - ORMD is responsible to analyze the data on a consolidated basis, on an individual basis and on a comparative basis. 6. Best Practices - ORMD will identify best practices from within the bank or from external sources and share these practices with management and risk specialists across the Bank as beneficial. As part of this role, they will participate in industry conferences surVeys, keep up to date on rules and regulations, monitor trends and practices in the industry, and maintain a database/ library of articles on the subject. 7. Advice/Consultation - ORMD will be responsible for working with the Risk Specialists and the businesses as a team to provide advice on how to apply the operational risk management framework, identify operational risks and work on solving problems and improving the risk profile of the Bank. 8. Insurance - ORMD will work with the Bank's insurance area to determine optimal insurance limits and coverage to assure that the insurance policies the bank purchases are cost beneficial and align with the operational risk profiles of the Bank. 9. Policies - ORMD will be responsible for drafting, presenting, updating and interpreting, the Operational Risk Policy. 10. Self-Assessment - ORMD will be responsible for facilitating periodic self assessments for the purpose of identifying and monitoring operational risks. 11. Co-ordination with Internal Audit - ORMD will work closely with Internal Audit to plan assessments and concerns about risks in the Bank. ORMD and Internal Audit will share information and coordinate activities so as to minimize potential overlap of activities.

D. Key Functions of Chief Risk Officer (CRO) The CRO has supervisory responsibilities over the Operational Risk Management Department as well as responsibility over market risk and credit risk:

Risk Management in Indian Banks

214

1.

Review Recommendations - The CRO will supervise the activities and review and approve the recommendations of the ORMD before submission to the Operational Risk Committee or Risk Management Committee.

2.

Assess interrelationships between Operational, and other risk types - The CRO will facilitate the analysis of risks and interrelationsh,ips of risks across market, credit and operational risks. The CRO will assure communication between risk functions and that risk measures and economic capital measures reflect any interrelationships.

3.

Create Awareness - The CRO will help assure that line and executive management maintains an ongoing understanding of operational risks and participates in related risk management activities.

E. Key Function of Operational Risk Management Specialists The bank-wide support departments (e.g., Legal, Human Resources, and Information Technology) shall assign a representative(s) to be designated as Operational Risk Specialists. Their main responsibility is to work with ORMD and the departments/businesses to identify, analyze, explain and mitigate operational issues within their respective areas of expertise. They will also act as verifiers for their related risks in the self assessment process. They will accorpplish this responsibility by involving themselves in the following:

1.

Committee Participation - The Operational Risk Management Specialists shall be members of the committees and task forces related to operational risk management, as applicable. They must be ready to discuss operational issues and recommend mitigation strategies.

2.

Risk-indicators - Assist in the development and review 'Of appropriate risk indicators, bath on a bank-wide and business specific basis far their area of speciality.

3.

Self-Assessment - Assist in the review of Self-Assessment results and 'Opine on the departmental/business assessment 'Of risk types, quantification and frequency.

4.

Loss Database - Assist in the timely identification and recarding 'Of operatianal lass data and explanations.

5.

Gaps/Issues - Ensure that all 'Operational risk issues are brought to the attentian of ORMD and the Department/business.

6.

Mitigation - Assist the department/business in the design and implementation 'Of risk mitigatian strategies.

F. Key Functions of Business Operational Risk Managers It is expected that each business/functianal area will appoint a persan responsible to coordinate the management of operatianal risk. This respansibility may be assigned to an existing jab, be a full time pasition, or even a team of peaple, as the size and complexity justify. Business/Functianal areas shauld determine how this shauld be 'Organized within their respective areas. Risk Managers will repart to their respective departments/businesses, but wark closely with ORMD and with consistent toals and risk management framework and policy. The Operational Risk Management Committee will assure that these liaisans are appointed and approve their selectian. The key responsibilities of the liaisons are:

1.

Self-Assessments - Will help facilitate, partake and verify the results 'Of the selfassessment pracess.

Operational Risks

215

2.

Risk Indicators - Design, collection, reporting, and data capture of risk indicators and related reports. Liaisons will monitor results and help work with their respective departments on identified issues. Resulting information will be distributed to both the departments and ORMD on a timely and accurate basis.

3.

Loss Events - Coordinate collection, recording and data capture of loss events within the businesses and regular reporting of these events, the details, amounts.

4.

Gaps/Issues - Responsible for the timely follow-up, documentation and status of action plans, open issues (internal Audit, External Audit, Regulator and Inspector) and other initiatives waiting to be completed.

5.

Committee Participation - Must prepare to be called upon to attend the Operational Risk Management Committee meetings, when necessary, to discuss operational risk issues.

6.

Risk Mitigation - Responsible for consulting/advising the business units on ways to mitigate risks. Work with business areas and respective departments on risk analysis and mitigation.

G. Key Functions of Department Heads Business/Functional area heads are responsible for risk taking, related controls and mitigation. They are ultimately responsible for implementation of sound risk management practices and any resulting impact for operational losses. To support this responsibility, they will have the following responsibilities related to operational risk management.

1.

Risk Ownership - The department heads shall take ownership of the operational risks faced in their departments/businesses.

2.

Understanding - Understanding the profile of operational risk facing the area and monitoring changes in the business and risk profile. Department Heads may be expected to present their risk profiles and action plans to the Operational Risk Management Committee.

3.

Risk Indicators -

4.

Loss Events - Identification of loss events within the businesses and regular reporting of these events, the details, amounts and circumstances to ORMD on a complete and timely basis.

5.

Self-Assessment -

6.

Risk Mitigation - The businesses are responsible for developing strategies for the mifi'gation of risk where required (or managing those risks deemed to be acceptable).

Collection and Preparation of various risk indicator reports.

Responsible for the periodic completion of self assessments.

Policy Requirements and Strategic Approach The operational risk management framework provides the strategic direction and ensures that an effective operational risk management and measurement process is adopted throughout the institution. Each institution's operational risk profile is unique and requires a tailored risk management approach appropriate for the scale and materiality of the risk present, and the size of the institution. There is no single framework that would suit every institution; different approaches will be needed for different institutions. In fact, many operational risk management techniques continue to evolve rapidly to keep pace with new technologies, business models and applications.

Risk Management in Indian Banks

216

Operation risk is more a risk management than measurement issue. The key elements in the Operational Risk Management process include •

Appropriate policies and procedures;

•

Efforts to identify and measure operational risk;

•

Effective monitoring and reporting;

•

A sound system of internal controls; and

•

Appropriate testing and verification of the Operational Risk Framework. Policy Requirement.

Each bank must have policies and procedures that clearly describe the major elements of the Operational Risk Management framework including identifying, assessing, monitoring and controlling/mitigating operational risk. Operational Risk Management policies, processes, and procedures should be documented and communicated to appropriate staff i.e., the personnel at all levels in units that incur material operational risks. The policies and procedures should outline all aspects of the institution's Operational Risk Management framework, including: •

The roles and responsibilities of the independent bank-wide Operational Risk Management function and line of business management.

•

A definition for operational risk, including the loss event types that will be monitored.

•

The capture and use of internal and external operational risk loss data including data potential events (including the use of Scenario analysis).

•

The development and incorporation of business environment and internal control factor assessments into the operational risk framework.

•

A description of the internally derived analytical framework that quantifies the operational risk exposure of Lhe institution. .

•

A discussion of qualitative factors and risk mitigants and how they are incorporated into the operational risk framework.

•

A discussion of the testing and verification processes and procedures.

•

A discussion of other factors that affect the measurement of operational risk.

•

Provisions for the review and approval of significant policy and procedural exceptions.

•

Regular reporting of critical risk issues facing the banks and its control/mitigations to senior management and Board.

•

Top-level reviews of the bank's progress towards the stated objectives.

•

Checking for compliance with management controls.

•

Provisions for review, treatment and resolution of non-compliance issues.

•

A system of documented approvals and authorisations to ensure accountability at an appropriate level of management.

•

Define the risk tolerance level for the bank, break it down to appropriate sublimits and prescribe reporting levels and breach of limits.

•

Indicate the process to be adopted for immediate corrective action.

Operational Risks

217

Given the vast advantages associated with effective Operational Risk Management, it is imperative that the strategic approach of the risk management function should be oriented towards: •

An emphasis on minimising and eventually eliminating losses and customer dissatisfaction due to failures in processes.

•

Focus on flaws in products and their design that can expose the institution to losses due to fraud etc.

•

Align business structures and incentive systems to minimize conflicts between employees and the institution.

•

Analyze the impact of failures in technology/systems and develop mitigants to minimize the impact.

•

Develop plans for external shocks that can adversely impact the continuity in the institution's operations.

The institution can decide upon the mitigants for minimizing operational risks rationally, by looking at the costs of putting in mitigants as against the benefit of reducing the operational losses.

Identification and Assessment of Operational Risk In the past, banks relied almost exclusively upon internal control mechanisms within business lines, supplemented by the audit function, to manage operational risk. While these remain important, there is need to adopt specific structures and processes aimed at managing operational risk. Several recent cases demonstrate that inadequate internal controls can lead to significant losses for banks. The types of control break-downs may be grouped into five categories: •

Lack of Control Culture - Management's inattention and laxity in control culture, insufficient guidance and lack of clear management accountability.

•

Inadequate recognition and assessment of the risk of certain banking activities, whether on-or-off-balance sheet. Failure to recognise and assess the risks of new products and activities or update the risk assessment when significant changes occur in business conditions or environment. Many recent cases highlight the fact that control systems that function well for traditional or simple products are unable to handle more sophisticated or complex products.

•

Absence/failure of key control structures and activities, such as segregation of duties, approvals, verifications, reconciliations and reviews of operating performance.

•

Inadequate communication of information between levels of management within the bank - upward, downward or cross-functional.

Inadequate/ineffective audit/monitoring programs: Managing Operational Risk is emerging as an important feature of sound risk management practice in modern financial markets in the wake of phenomenal increase in volume of transactions, high degree of structural changes and complex technological support systems. Some of the guiding principles for banks to manage operational risks are identification, assessment, monitoring and control of these risks. These principles are dealt in detail below:

Identification of Operational Risk Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes

218

Risk Management in Indian Banks

and systems are introduced or undertaken, the operational risk inherent in them is identified clearly and subjected to adequate assessment procedures. Risk identification is paramount for the subsequent development of a viable operational risk monitoring and control system. Effective risk identification should consider both internal factors (such as the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organizational changes and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the bank's objectives. The first step towards identifying risk events is to list out all the activities that are susceptible to operational risk. Usually this is carried out at several stages. To begin with, we can list: •

The main business groups viz. corporate finance, trading and sales, retail banking, commercial banking, payment and settlement, agency services, asset management, and retail brokerage.

•

The analysis can be further carried out at the level of the product teams in these business groups, e.g. transaction banking, trade finance, general banking, cash management and securities markets.

•

Thereafter the product offered within these business groups by each product team can be analysed, e.g. import bills, letter of credit, bank guarantee under trade finance.

•

After the products are listed, the various operational risk events associated with these products are recorded. An operational risk event is an incident! experience that has caused or has the potential to cause material loss to the bank either directly or indirectly with other incidents. Risk events are associated with the people, process and technology involved with the product. They can be recognized by: (i)

Experience - The event has occurred in the past;

(ii)

Judgment - Business logic suggests that the bank is exposed to a risk event;

(iii)

Intuition - Events where appropriate measures saved the institution in the nick of time,

(iv)· Linked Events - This event resulted in a loss resulting from other risk type (credit, market etc.); (v)

Regulatory Requirement- regulator requires recognition of specified events.

These risk events can be catalogued under the last tier for each of the products. Assessment of Operational Risk. In addition to identifying the risk events, banks should assess their vulnerability to these risk events. Effective risk assessment allows a bank to better understand its risk profile and most effectively target risk management resources. Amongst the possible tools that may be used by banks for assessing operational risk are: Self Risk Assessment: A bank assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures.

Operational Risks

219

Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them. Risk Mapping: In this process, various business units, organizational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action. Key Risk Indicators: Key risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank's risk position. These indicators should be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/ or severity of errors and omissions. Measurement:

A key component of risk management is measuring the size and scope of the bank's risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a bank-wide basis. Banks may develop risk assessment techniques that are appropriate to the size and complexities of their portfolio, their resources and data availability. A good assessment model must cover certain standard features. An example is the "matrix" approach in which losses are categorized according to the type of event and the business line in which the event occurred. Banks may quantify their exposure to operational risk using a variety of approaches. For example, data on a bank's historical loss experience could provide meaningful information for assessing the bank's exposure to operational risk and developing a policy to mitigate/control the risk. An effective way of making good use of this information is to establish a framework for systematically tracking and recording the frequency and severity of each loss event along with other relevant information on individual loss events. In this way, a bank can hope to identify events which have the most impact across the entire bank and business practices which are most susceptible to operational risk. Once loss events and actual losses are defined, a bank can analyze and perhaps even model their occurrence. DOing so requires constructing databases for monitoring such losses and creating risk indicators that summarize these data. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division. Every risk event in the risk matrix is then classified according to its frequency and severity. By frequency, the reference is to the number/ potential number (proportion) of error events that the product type/risk type point is exposed to. By severity, the reference is to the loss amounU potential loss amount that the operational risk event is exposed to when the risk event materializes. The classification can be on any predefined scale (say 1-10, Low, Medium, High etc.). All risk events will thus be under one of the four categories, namely high frequency-high severity, high frequency-low severity, low frequencyhigh severity, low frequency-low severity in the decreasing order of the risk exposure. Potential losses can be categorized broadly as arising from "high frequency, low severity" (HFLS) events, such as minor accounting errors or bank teller mistakes, and "low frequency, high severity" (LFHS) events, such as terrorist attacks or major fraud. Data on losses arising from HFLS events are generally available from a bank's internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHS events are uncommon and thus limit a single bank from having sufficient data for modeling purposes. Scenario analysis can be used for filling up scarce data. Scenarios can be treated as potential future events which need to be captured in terms of their potential frequency and potential loss severity. Scenarios should be generated for all material operational risks faced by all the organizational units of the bank. An assessment of the generated scenarios is carried out by the business experts based on the information such as historical losses, key risk indicators, insurance

220

Risk Management in Indian Banks

coverage, risk factors and the control environment, etc. The above assessments are subjected to data quality check which may be based on a peer review of the estimates made by the business expert, internal audit, etc. The data can be fed into an internal model for generating economic capital requirements for operational risk. Risk assessment should also identify and evaluate the internal and external factors that could adversely affect the bank's performance, information and compliance by covering all risks faced by the bank that operate at all levels within the bank. Assessment should take account of both historical and potential risk events. Historical risk events are assessed based on:· (i) Total number of risk events (ii) Total financial reversals (iii) Net financial impact (iv) Exposure: Based on expected increase in volumes (v) Total number of customer claims paid out (vi) IT indices: Uptime etc. (vii) Office Accounts Status. The factors for assessing potential risks include: (i) Staff related factors such as productivity, expertise, turnover (ii) Extent of activity outsourced (iii) Process clarity, complexity, changes (iv) IT Indices (v) Audit Scores (vi) Expected changes or spurts in volumes

Monitoring of Operational Risk An effective monitoring process is essential for adequately managing operational risk. Regular monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the policies, processes and procedures for managing operational risk. Promptly detecting and addressing these deficiencies can substantially reduce the potential frequency and/or severity of a loss event. In addition to monitoring operational loss events, banks should identify appropriate indicators that provide early warning of an increased risk of future losses. Such indicators (often referred to as early warning indicators) should be forward-loOking and could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover, transaction breaks, system downtime, and so on. When thresholds are directly liked to these indicators, an effective monitoring process can help identify key material risks in a transparent manner and enable the bank to act upon these risks appropriately. The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. Monitoring should be an integrated part of a bank's activities. The results of these monitoring activities should be included in regular management and Board reports, as should compliance reviews performed by the internal audit and/or risk management

Operational Risks

221

functions. Reports generated by (and/or for) intermediary supervisory authorities may also inform the corporate monitoring unit which should likewise be reported internally to senior management and the Board, where appropriate. Senior management should receive regular reports from appropriate areas such as business units, group functions, the operational risk management unit and internal audit. The operational risk reports should contain internal financial, operational, and compliance data, as well as external market information about events and conditions that are relevant to decision making. Reports should be distributed to appropriate levels of management and to areas of the bank on which areas of concern may have an impact. Reports should fully reflect any identified problem areas and should motivate timely corrective action on outstanding issues. To ensure the usefulness and renability of these risk reports and audit reports, management should regularly verify the timeliness, accuracy, and relevance of reporting systems and internal controls in general. Management may also use reports prepared by external sources (auditors, supervisors) to assess the usefulness and reliability of internal reports. Reports should be analysed with a view to improving existing risk management performance as well as developing new risk management pOlicies, procedures and practices.

Management Information Systems Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the Board of Directors that supports the proactive management of operational risk. In general, the Board of Directors should receive sufficient higher-level information to enable them to understand the bank's overall operational risk profile and focus on the material and strategic implications for the business. Towards this end it would be relevant to identify all activities and all loss events in a bank under well defined business lines.

Business Line Identification Banks have different business mixes and risk profiles. Hence, the most intractable problem banks face in assessing operational risk capital is due to this diversity. The best way to get around this intractable problem in computation is by specifying a range of operational risk multipliers for specified distinct business lines. The following benefits are expected to accrue by specifying business lines: •

banks will be able to crystallise the assessment processes to the underlying operational risk and the regulatory framework;

•

the line managers will be aware of operational risk in their line of business;

•

confusion and territorial overlap which may be linked to subsets of the overall risk profile of a bank can be avoided.

For the purpose of operational risk management, the activities of a bank may be mapped into eight business lines identified in the New Capital Adequacy Framework. The various products launched by the banks are also to be mapped to the relevant business line. Banks must develop specific policies for mapping a product or an activity to a business line and have the same documented to indicate the criteria. The following are the eight recommended business lines. 1. Corporate finance 2. Trading and sales 3. Retail banking

222

Risk Management in Indian Banks

4. Commercial banking 5. Payment and settlement 6. Agency services 7. Asset management 8. Retail brokerage. The following are the principles to be followed for business line mapping: (i) All activities must be mapped into the eight level - 1 business lines in a mutually exclusive and jointly exhaustive manner. (ii) Any banking or non banking activity which cannot be readily mapped into the business line framework, but which represents an ancillary function to an activity included in the framework, must be allocated to the business line it supports. If more than one business line is supported through the ancillary activity, an objective mapping oriteria must be used. (iii) The mapping of activities into business lines for operational risk management must be consistent with the definitions of business lines used for management of other risk categories, i.e. credit and market risk. Any deviations from this principle must be clearly motivated and documented. (iv) The mapping process used must be clearly documented. In particular, written business line definitions must be clear and detailed enough to allow third parties to replicate the business line mapping. Documentation must, among other things, clearly motivate any exceptions or overrides and be kept on record. (v) Processes must be in place to define the mapping of any new activities or products. (vi) Senior management is responsible for the mapping policy (which is subject to approval by the Board of Directors). (vii) The mapping process to business lines must be subject to independent review. The following principles might be relevant for determining mapping of activities into appropriate business lines: (a) Activities that constitute compound activities may be broken up into their components which might be related to the level 2 activities under the eight business lines and these components of the complex activity may be assigned to the most suitable business lines, in accordance with their nature and characteristics. (b) Activities that refer to more than a business line may be aSSigned to the most predominant business line and if no predominant business line exist, then it may be mapped to the most suitable business lines, in accordance with their nature and characteristics.

7. ~ OPERATioNAl Risk loss EVENTS Banks must meet the following data requirement for internally generating operational risk measures. •

The tracking of individual internal event data is an essential prerequisite to the development and functioning of operational risk measurement system. Internal loss data is crucial for tying a bank's risk estimates to its actual loss experience.

Operational Risks

223

•

Internal loss data is most r~levant when it is clearly linked to a bank's current business activities, technological process and risk management procedures. Therefore, bank must have documented procedures for assessing on-going relevance of historical loss data, including those situations in which judgement overrides, scaling, or other adjustments may be used, to what extent it may used and who is authorised to make such decisions.

•

Bank's internal loss data must be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations. A bank must be able to justify that any activities and exposures excluded would not have a significant impact on the overall risk estimates. Bank may have appropriate de minimis gross loss threshold for internal loss data collection, say Rs.1 0,000. The appropriate threshold may vary somewhat between banks and within a bank across business lines and / or event types. However, particular thresholds may be broadly consistent with those used by the peer. banks. Measuring Operational Risk requires both estimating the probability of an operational loss event and the severity of the loss.

•

Banks must track actual loss data (i.e., where losses have actually materialised) and map the same into the relevant level 1 category defined in Annex 3. Banks must endeavour to map. the actual loss events to level 3. Operational risk loss would be the financial impact associated with the operational event that is recorded in the financial statement and would include for example, (a) loss incurred, and (b) expenditure incurred to resume normal functioning, but would not include opportunity costs and foregone revenue etc. However, the banks must also track the potential loss (i.e. extent to which further loss may be incurred due to the same operational risk event), near misses, attempted frauds, etc where no loss has actually been incurred by the bank, from the point of view of strengthening the internal systems and controls and avoiding the possibility of such events turning into actual operational risk losses in future.

•

Aside from information on gross loss amounts, bank should collect information about the data of the event, any recoveries, as well as some descriptive information about the cause/drivers of the loss event. The level of descriptive information should be commensurate with the size of the gross loss amount.

•

Bank must develop specific criteria for assigning loss data ariSing from an event in a centralised function (e.g. information technology, administration department etc.) or any activity that spans more than one business line.

•

External loss data - bank may also collect external loss data to the extent possible. External loss data should include data on actual loss amounts, information on scale of business operations where the event occurred, information on causes and circumstances of the loss events or any other relevant information. Bank must develop systematic process for determining the situations for which external data should be used and the methodologies used to incorporate the data.

•

The loss data collected must be analysed loss event category and business line wise. Banks to look into the process and plug any deficiencies in the process and take remedial steps to reduce such events.

Controls/Mitigation of Operational Risk Risk management is the process of mitigating the risks faced by a bank. With regard to operational risk, several methods may be adopted for mitigating the risk. For example, losses that might arise on account of natural disasters can be insured against. Losses that might arise from

224

Risk Management in Indian Banks

business disruptions due to telecommunication or electrical failures can be mitigated by establishing redundant backup facilities. Loss due to internal factors, like employee fraud or product flaws, which may be difficult to identify and insure against, can be mitigated through strong internal auditing procedures. Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. Both the Board of Directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank, since such integration enables quick responses to changing conditions and avoids unnecessary costs. A system of effective internal controls is a critical component of bank management and a foundation for the safe and sound operation of banking organisations. Such a system can also help to ensure that the bank will comply with laws and regulations as well as policies, plans, internal rules and procedures, and decrease the risk of unexpected losses or damage to the bank's reputation. Internal control is a process effected by the Board of Directors, senior management and all levels of personnel. It is not solely a procedure or policy that is performed at a certain point in time, but rather it is continually operating at all levels within the bank. The internal control process, which historically has been a mechanism for reducing instances of fraud, misappropriation and errors, has become more extensive, addressing all the various risks faced by banking organisations. It is now recognised that a sound internal control process is critical to a bank's ability to meet its established goals, and to maintain its financial viability. In varying degrees, internal control is the responsibility of everyone in a bank. Almost all employees produce information used in the internal control system or take other actions needed to effect control. An essential element of 'a strong internal control system is the recognition by all employees of the need to carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of non-compliance with the code of conduct, or other policy violations or illegal actions that are noticed. It is essential that all personnel within the bank understand the importance of internal control and are actively engaged in the process. While having a strong internal control culture does not guarantee that an organisation will reach its goals, the lack of such a culture provides greater opportunities for errors to go undetected or for improprieties to occur. An effective internal control system requires that•

an appropriate control structure is set up, with control activities defined at every business level. These should include: top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on noncompliance; a system of approvals and authorisations; and, a system of verification and reconciliation.

•

there is appropriate segregation of duties and personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimised, and subject to careful, independent monitoring.

•

there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format.

Operational Risks

225

•

there are reliable information systems in place that cover all significant activities of the bank. These systems, including those that hold and use data in an electronic form, must be secure, monitored independently and supported by adequate contingency arrangements.

•

effective channels of communication to ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.

Adequate internal controls within banking organisations must be supplemented by an effective internal audit function that independently evaluates the control systems within the organisation. Internal audit is part of the ongoing monitoring of the bank's system of internal controls and of its internal capital assessment procedure, because internal audit provides an independent assessment of the adequacy of, and compliance with, the bank's established policies and procedures. Operational risk can be more pronounced where banks engage in new activities or develop new products (particularly where these activities or products are not consistent with the bank's core business strategies), enter unfamiliar markets, and/or engage in businesses that are geographically distant from the head office. It is incumbent upon banks to ensure that special attention is paid to internal control activities where such conditions exist. In some instances, banks may decide to either retain a certain level of operational risk or selfinsure against that risk. Where this is the case and the risk is material, the decision to retain or self-insure the risk should be transparent within the organisation and should be consistent with the bank's overall business strategy and appetite for risk. The bank's appetite as specified through the policies for managing this risk and the bank's prioritisation of operational risk management activities, including the extent of, and manner in which, operational risk is transferred outside the bank. The degree of formality and sophistication of the bank's operational risk management framework should be commensurate with the bank's risk profile. Banks should have policies, processes and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile. •

For all material operational risks that have been identified, the bank should decide whether to use appropriate procedures to control and/or mitigate the risks, or bear the risks. For those risks that cannot be controlled, the bank should decide whether to accept these risks, reduce the level of business activity involved, or withdraw from this activity completely. Control processes and procedures should be established and banks should have a system in place for ensuring compliance with a documented set of internal policies.

•

Some significant operational risks have low probabilities but potentially very large financial impact. Classification of operational loss event into various risk categories based on frequency and severity matrix prioritise the events to be controlled and tracked. Audit benchmarks can be set for high loss events. Moreover, not all risk events can be controlled (e.g., natural disasters). Risk mitigation tools or programmes can be used to reduce the exposure to, or frequency and/or severity of, such events. For example, insurance policies, particularly those with prompt and certain pay-out features, can be used to externalise the risk of "low frequency, high severity" losses which may occur as a result of events such as thirdparty claims resulting from errors and omissions, physical loss of securities, employee or third-party fraud, and natural disasters.

Risk Management in Indian Banks

226

•

However, banks should view risk mitigation tools as complementary to, other than a replacement for, internal operational risk control. Having mechanisms in place to quickly recognise and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk).

•

Investment in appropriate processing technology and information technology security are also important for risk mitigation. However, banks should be aware that increased automation could transform high frequency-low severity losses into low frequency-high severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the bank's immediate control (e.g., external events). Such problems may cause serious difficulties for banks and could jeopardise an institution's ability to conduct key business activities. Banks should establish disaster recovery and business continuity plans that address this risk.

•

Banks should also establish policies for managing risks associated with outsourcing activities. Outsourcing of activities can reduce the institution's risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialised business activities. However, a bank's use of third parties does not diminish the responsibility of management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing bank. Furthermore, banks need to manage residual risks associated with outsourcing arrangements, including disruption of services.

•

Depending on the scale and nature of the activity, banks should understand the potential impact on their operations and their customers of any potential deficiencies in services provided by vendors and other third party or intra group service providers, including both operational breakdowns and the potential business failure or default of the external parties. Banks should ensure that the expectations and obligations of each arty are clearly defined, understood and enforceable. The extent of the external party's liability and financial ability to compensate the bank for errors, negligence, and other operational failures should be explicitly considered as part of the risk assessment. Banks should carry out an initial due diligence test and monitor the activities of third party providers, especially those lacking experience of the banking industry's regulated environment, and review this process (including re-evaluations of due diligence) on a regular basis. For critical activities, the bank may need to consider contingency plans, including the availability of alternative external parties and the costs and resources required to switch external parties, potentially on very short notice.

Business Continuity Planning Contigency Planning is the process of devising plans and strategies for coping with emergency stiuations that cause disruption of normal computer operations. Developing contingency plans consists of analysis of business and organizational needs, evaluation of alternatives, decision making, design of contingencies systems and operations, development of plan, testing and implementation. The guidelines for Business Resumption/Continuity and Disaster Recovery Plan include the following:

Operational Risks

• • • • • •

227

Employee awareness Fire Detection and Prevention Hard Copy Records Human Factor Local Area Networks Media Handling and Storage.

Disaster Management & Disaster Recovery Planning Disaster happens in all forms, accidental and deliberate, natural and man-made. While it may not be practical to protect against all possibilities and effective disaster recovery plans protects against the two most likely data disasters; human error (accidental file deletion, misplaced media), and equipment failure (disk drive crash, transient power failures). The key to effective disaster recovery is the creation and protection of back-up data sets. Safely stood in back-ups offsite is the only defence against the loss of physical data centre or computing facility. But the most sinister and frequently the most catastrophic form of disaster, is deliberate; a disgruntled employee or ex-employee seeking revenge by trashing or stealing key data or introducing a debilitating virus. Also, in this category are the possibilities of corporate espionage or damage from hackers. Disaster Management aspect should, therefore, addresses the issues of disaster avoidance, recovery, contingency and planning. •

Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. These plans needs to be stress tested annually and the plans may be revised to appropriately address any new or previously unaddressed parameters for these plans. For reasons that may be beyond a bank's control, a severe event may result in the inability of the bank to fulfil some or all of its business obligations, particularly where the bank's physical, telecommunication, or information technology infrastructures have been damaged or made inaccessible. This can, in turn, result in significant financial losses to the bank, as well as broader disruptions to the financial system through channels such as the payments system. This potential requires that banks establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.

•

Banks should periodically review their disaster recovery and business continuity plans so that they are consistent with the bank's current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption.

Independent Evaluation of Operational Risk Management Function The bank's Board of Directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate and effective system of internal controls, a measurement system for assessing the various risks of the bank's activities, a system for relating risks to the bank's capital level, and appropriate methods for monitoring compliance with laws, regulations, and supervisory and internal policies.

228

Risk Management in Indian Banks

Internal audit is part of the ongoing monitoring of the bank's system of internal controls because internal audit provides an independent assessment of the adequacy of, and compliance with, the bank's established policies and procedures. As such, the internal audit function assists senior management and the Board of Directors in the efficient and effective discharge of their responsibilities as described above. Banks should have in place adequate internal audit coverage to verify that operating policies and procedures have been implemented effectively. The Board (either directly or indirectly through its Audit Committee) should ensure that the scope and frequency of the audit programme is appropriate to the risk exposures. The scope of internal audit will broadly cover: •

the examination and evaluation of the adequacy and effectiveness of the internal control systems and the functioning of specific internal control procedures;

•

the review of the application and effectiveness of operational risk management procedures and risk assessment methodologies;

•

the review of the management and financial information systems, including the electronic information system and electronic banking services;

•

the review of the means of safeguarding assets;

•

the review of the bank's system of assessing its capital in relation to its estimate of operational risk;

•

the review of the systems established to ensure compliance with legal and regulatory requirements, codes of conduct and the implementation of policies and procedures;

•

the testing of the reliability and timeliness of the regulatory reporting;

•

mitigating risks through risk based audit

All functional departments should ensure that the operational risk management department is kept fully informed of new developments, initiatives, products and operational changes to ensure that all associated risks are identified at an early stage. •

Operational risk groups are likely to focus on regulatory liaison, operational risk measures, best practice in areas involving risk quantification such as model risk, new products approval and optimizing operations and processes. Audit should periodically validate that the bank's operational risk management framework is being implemented effectively across the bank. To the extent that the audit function is involved in oversight of the operational risk management framework, the Board should ensure that the independence of the audit function is maintained. This independence may be compromised if the audit function is directly involved in the operational risk management process. The audit function may provide valuable input to those responsible for operational risk management, but should not itself have direct operational risk management responsibilities.

•

Examples of what an independent evaluation of operational risk should review include the following:

•

The effectiveness of the bank's risk management process and overall control environment with respect to operational risk;

•

The bank's methods for monitoring and reporting its operational risk profile, including data on operational losses and other indicators of potential operational risk;

Operational Risks

229

•

The bank's procedures for the timely and effective resolution of operational risk events and vulnerabilities;

•

The effectiveness of the bank's operational risk mitigation efforts, such as the use of insurance;

•

The quality and comprehensiveness 0f the bank's disaster recovery and business continuity plans

•

To ensure that, where banks are part of a financial group, there are procedures in place to ensure that operational risk is managed in an appropriate and integrated manner across the group. In performing this assessment, cooperation and exchange of information with other supervisors, in accordance with established procedures, may be necessary.

Capital Allocation for Operational Risk The Guidance Note is an outline of a set of sound principles for effective management and supervision of operational risk by banks. As mentioned earlier, the exact approach may differ among banks and the operational risk management chosen by a bank would depend on a broad range of factors. The Basel Committee has put forward a framework consisting of three options for calculating operational risk capital charges in a 'continuum' of increasing sophistication and risk sensitivity. These are, in the order of their increasing complexity, viz., (i) the Basic Indicator Approach (ii) the Standardised Approach and (iii) Advanced Measurement Approaches. The Basic Indicator Approach Reserve Bank has proposed that, at the minimum, all banks in India should adopt this approach while computing capital for operational risk while implementing Basel II. Under the Basic Indicator Approach, banks have to hold capital for operational risk equal to a fixed percentage (alpha) of a single indicator which has currently been proposed to be "gross income". This approach is available for all banks irrespective of their level of sophistication. The charge may be expressed as follows: KBIA = [I(GI * a)]/n, Where KBIA

= the capital charge under the Basic Indicator Approach.

GI

= annual gross income, where positive, over the previous three years

a

= 15% set by the Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator.

n

=

number of the previous three years for which gross income is positive.

The Basel Committee has defined gross income as net interest income and has allowed each relevant national supervisor to define gross income in accordance with the prevailing accounting practices. Accordingly, gross income will be computed for this purpose as defined by the Reserve Bank of India for implementation of the new capital adequacy framework. Though the Reserve Bank proposes to initially allow banks to use the Basic Indicator Approach for computing regulatory capital for operational risk, some banks are expected to move along the range toward more sophisticated approaches as they develop more sophisticated operational risk management systems and practices which meet the prescribed qualifying criteria.

230

Risk Management in Indian Banks

The Standardized Approach In the Standardized Approach, banks' activities are divided into standardized business units and business lines. With each business line, there is a specified broad indicator that reflects the size or volume of banks' activities in that area. The indicator serves as a rough proxy for the amount of operational risk with each of these business lines. The table below shows the business units, business lines and indicators, which may be used for adoption of standardizea approach.

Business Units

Business Lines

Indicator

Capital Factors

Investment

Corporate finance

Gross income

B1

Banking

Trading and sales

Gross income

B2

(or VaR) Banking

Others

Retail banking

Annual average assets

B3

Commercial banking

Annual average assets

B4

Payment and

Annual settlement

B5

settlement

throughput

Retail brokerage

Gross income

B6

Asset management

Total funds under

B7

management Within each business line, the capital charge is calculated by multiplying the indicator by a capital factor (denoted ~) assigned to that business fine, as set out by the committee/supervisors on the basis of rough proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the indicator for that business line. If a bank is unable to allocate an activity to a particular business line, the Basel Committee has proposed that the income related to that activity should be subject to highest beta factor. The total capital charge may be expressed as follows:

Where KTSA = the capital charge under the Standardized Approach

E1 1•7 =the level of an exposure indicator for each of the 7 business lines ~1.7 = a fixed percentage, set by the committee/supervisor, relating to the level of the required capital to the level of the gross income for each of the 7 business lines.

The total capital charge is calculated as the simple summation of the regulatory capital charges across each of the business line.

The Internal Measurement Approach The Internal Measurement Approach provides discretion to individual banks on the use of internal loss data, while the method to calculate the required capital is uniformly set by the supervisors (RBI). In implementing this approach, supervisors would impose quantitative and qualitative standards

Operational Risks

231

to ensure the integrity of the measurement approach, data quality, and the. adequacy of the internal control environment. For this approach development of data necessary to implement the approach is the basic requirement.

Structure of Internal Measurement Approach Under the Internal Measurement Approach a capital charge for the operational risk of banks is determined using the following procedures: •

A bank's activities are categorized into the same business lines as in the standardized approach;

•

Within each business line/risk type combina'tion, the supervisor specifies an exposure indicator (EI) which is the proxy for the size (or amount of risk) of each business line's operational risk exposure to each risk type;

•

For each business line 1 risk type combination, in addition to the exposure indicator, banks measure, based on their internal loss data, a parameter representing the probability of loss event (PE) and a parameter representing the loss given that event (LGE). The product of EI, PE and LGE is used to calculate the expected loss (EL);

•

The supervisor supplies a factor (denoted gamma) for each business line/risk type combination. Gamma translates the expected loss into a capital charge and is determined by supervisors based on industry-wide data. The capital charge for each business linel risk type combination is the product of gamma and EL;

•

The overall capital charge for a bank is the simple sum of all the resulting products. This can be expressed in the following formula:

Required capital

= L i L i [y (i, j) * El (i, j) * PE (i, j) * LGE (i, j)]

(i is the business line and j is the risk type.) To facilitate the process of supervisory validation, banks supply their supervisors with the individual components of the expected loss calculation (Le. EI, PE, LGE) instead of just the product EL

Business Lines and Loss Types The business lines may be the same as those mentioned in Standardized Approach. Operational risk in each business fine may be divided into a number of non-overlapping and comprehensive loss types based on current understanding of loss events. By having multiple loss types, the scheme can better address differing characteristics of loss events while the number of loss types should be limited to a reasonable number to maintain the simplicity of the scheme.

Loss Distribution Approac.h A more advanced version of an "internal methodology· is the Loss Distribution Approach. Under the LOA, a bank using its internal data, estimates two probability &nbution functions for each business line (and risk type), one on single event impact and the other on event frequency for the next (one) year. Based on the two estimated distributions, the bank then computes the probability distribution function of the cumulative operational loss. The capital charge is based on the simple sum of the VaR for each business line (and risk type). The assumptions used by the bank for the purpose should be realistic and acceptable as per industry norms as set out by supervisors (RBI).

232

Risk Management in Indian Banks

7.6 PRE-REQuisiTES fOR OPERATioNAl Risks MANAGEMENT For management of operational risks the bank needs to adopt techniques and instruments so as to prevent occurrence of frauds and systems risk. These may include followings: •

Well defined internal guidelines for management of operational risks;

•

Well defined rules and checklist on the responsibilities with regard tQ exercise of delegated powers;

•

Well defined job description and work procedure for employees in key position;

•

Proper understanding of role and internal control system and active participation by employees in the working of the organization;

•

Adequate guidelines and safeguards to prevent occurrence of frauds and systems risk emanating from failure of computer systems;

•

Formulation of rules and work procedures on the conduct of domestic and foreign currency deposit accounts and proper compliance by dealing officials;

•

Formulation and compliance of work procedures forday-to-day business activities being undertaken by the organization;

•

Fixation of a rational benchmark tolerance level for operational risks arising from trends of frauds, computer system failure and human error;

•

Strengthening of inspection, audit, vigilance and monitoring systems to check operational risks in the system and to ensure compliance of internal controls in the bank;

The above list is illustrative and not exhaustive. Looking to the nature of operations banks may evolve various techniques to manage operational risks.

Internal Controls Banks also need to strengthen their internal controls by ensuring that the senior management of the bank attends to its responsibilities concerning risk management and internal controls. The Board of Directors of banks need to ensure the same so also have to develop suitable control mechanism to oversee the risk management practices and controls in the bank. By having effective internal control and monitoring systems and well developed and comprehensive MIS and reporting systems the Board of Directors can exercise effective control over various risks confronting the bank.

7.7 CoNclusiON Managing operational risk is becoming an important feature of sound risk management practices in modern financial markets in the wake of phenomenal increase in the volume of transactions, high degree of structural changes and complex support systems. The most important type of operational risk involves breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial loss through error, fraud, or failure to perform in a timely manner or cause the interest of the bank to be compromised. Generally, operational risk is defined as any risk, which is not categorized as market or credit risk, or the risk of loss arising from various types of human or technical error. It is also synonymous with settlement or payments risk and business interruption, administrative and legal risks. Operational risk has some form of link between credit and market risks. An operational problem with a business transaction could trigger a credit or market risk.

Operational Risks

233

As operational risk management is emerging as an important function in banking Operations, measurement, monitoring and control of operational risk through more and more advanced techniques has become a necessity for banks. Measuring operational risk requires both estimating the probability of an operational loss event and the potential size of loss. It relies on risk factor that provides some indication of the likelihood of an operational loss event occurring. The process of operational risk assessment needs to address the likelihood of a particular operational risk occurring, the magnitude of the effect of the operational risk on business objectives and the options available to manage and initiate actions to reduce/mitigate operational risk. The set of risk factors that measure risk in each business unit such as audit ratings, operational data such as volume, turnover and complexity, and data on quality of operations such as error rate or measure of business risks such as revenue volatility, could be related to historical loss experience and banks can use different analytical or judgmental techniques to arrive at an overall operational risk level. The operational risk monitoring can be done through focus on operational performance measures such as volume, turnover, settlement facts, delays and errors and also through monitoring operational loss directly with an analysis of each occurrence and description of the nature and causes of the loss. Intemal controls and the internal audit may be used as the primary means to mitigate operational risk. Banks could also set up operational risk limits, based on the measures of operational risk. Banks should have well defined policies on operational risk management. The policies and procedures should be based on common elements across business lines or risks. The policy should address product review process, involving business, risk management and internal control functions. One of the major tools for managing operational risk is the well established internal control system, which includes segregation of duties, clear management reporting lines and adequate operating procedures. Most of the operational risk events are associated with weak links in internal control systems or laxity in complying with the existing internal control procedures. The ideal method of identifying problem spots is the technique of self-assessment of internal control environment. The self-assessment could be used to evaluate operational risk alongwith internal/external audit reportslratings or RBI inspection findings. Banks should endeavour for detection of operational problem spots rather than their being Pointed out by supervisors / internal or external auditors. Alongwith activating internal audit systems, the Audit Committees should playa greater role to ensure independent financial and internal control functions.

DOD

SOLVENCY RISK CONCEPT OF CAPITAL ADEQUACY AND RISK BASED CAPITAL 8.1

SOLVENCY

Risk -

INTROduCTioN

Solvency risk in banks is the risk of not having enough capital to absorb losses generated by all risks, which triggers default. It is the risk of being unable to cover losses, generated by all types of risks, with the available capital. Solvency risk is, therefore, the risk of default of the bank and more or less identical to the credit risk incurred by the counter parties of the bank. Solvency is the end result of the available capital and of al/ risks taken: credit, interest rate, liquidity, market or operational risk and is critical for regulators. The fundamental issue of capital adequacy is to define what level of capital should be associated with the overall risk in order to sustain an acceptable solvency level. The following principle of capital adequacy follows and sets up the major orientation of risk management: •

All risks generate potential losses;

•

The ultimate protection for such losses is capital;

•

Capital should be adjusted to the level required to make it capable of absorbing potential losses generated by all risks.

The implementation of the above principle requires that: •

All risks should be quantified in terms of potential losses; and

•

A measure of aggregated potential losses should be derived from the measurement of potential losses generated by the different risks.

A major challenge of risk management is to implement these principles and define quantitative measures required to obtain the adequate capital. or derive which levels of risk are sustainable given the capital constraints. The concept of Solvency Risk can be explained through the Value at Risk (VaR) and capital at risk (CaR) concepts. VaR can be used as a management tool to compare the actual risks at the level of business units, It can also be used to determine the capital at risk for the entire bank, and to allocate this

Solvency Risk - Concept of Capital Adequacy and Risk Based Capital

235

capital to the various business units. VaR is a tool to manage risk at the decision-making level of individual transaction. CaR on a consolidated basis when compared with available capital gives assessment of solvency risk. CaR is referred to the capital required to absorb potential losses, due to a/l risks, at a given tolerance level. CaR addresses the issue of capital adequacy and is the available capital in line with actual risks. Since capital is the only insurance against losses, the capital adequacy concept is of major importance for banks to assess the level of their solvency. To ensure availability of sufficient capital to manage Solvency Risks regulations have been framed from time to time. While at the international level Basel Committee on Banking Supervision is engaged in framing regulations, regulators in individual countries are framing guidelines at the country level. Presently, at the international level guidelines prescribed by Basel Committee - I are prescribed which are being reviewed by Basel - II and consultative papers are being issued for consideration of regulators in different countries. After finalization of recommendations of Basel - II the revised guidelines will be prescribed. Proposed regulations as per Basel-II aim at improving the safety of the banking industry and will have a decisive impact on risk management. The proposed regulatory framework sets up the constraints and the guidelines that inspire risk management, and stimulates the development of internal risk management models and processes within banks. They promote more accurate definitions of risks, more adequate methodologies to measure them, and the concept of "risk based capital", the capital necessary to cover the actual risks of banks. At the same time, the rules setting the minimum required capital are a strong incentive to improve risk measures and control. For banks, the cost of additional risk becomes the cost of additional capital.

8.2 NEW CApiTAl AdEQUACY FRAMEWORk 8.2.1 BAsel COMMiTTEE ON BANkiNG SUPERVisioN Introduction: The Basel Committee on Banking Supervision (BCBS), a committee of central banks and bank supervisorsiregulators from major industrialized countries provide broad policy guidelines that each country's supervisors can use to determine their own upervisory policies. The Committee does not possess any formal supranational supervisory authority and its conclusions do not and were never intended to have legal force. However, some of regulatory/supervisory standards viz. Capital Accord (1988) and Core principles for Effective Banking Supervision (1997) are evolved in the expectation that supervisors' across the world would follow more closely these standards. In addition, the international Monetary Fund and World Bank use to Basel Committee's standards as a benchmark in conducting their assessment of the bank system of a country. Further, the international rating agencies, financial institutions, etc., closely watch the adoption of the standards set by the Basel Committee for evaluating the financial strength of banks. In order to enable a wider group of countries to be associated with the standard Sitting exercise, the Committee has constituted a Core Principles Liaisons Group and Capital Group, where India, among certain emerging markets, is also a member. India and other emerging markets work as pressure group in influencing the standard setting exercise of the Committee and evolving regulatory and supervisory practices, which are suitable even to emerging market economies.

8.2.2 BAsEl CApiTAl ACCORd - I The Basel Committee published the current Capital Accord In July 1988, which was to be adopted by internationally active banks by end-1992. Although the Accord was applicable only to

236

Risk Management in Indian Banks

internationally active banks, supervisors over 140 countries including India adapted it uniformly to all types of banks. The Accord provided a framework for fair and reasonable degree of consistency in the application of capital standards in different countries, on a shared definition of capital.

8.2.' CApiTAl AdEQUACY RATio-CONCEPT The basic objectives of capital adequacy measures are soundness and stability of banking system and level playing by reducing the source of competitive inequalities in the system. The basic approach of capital adequacy ratio is derived from Basel committee framework by computing unimpaired capital vis-a-vis risk weighted assets and level of risk weights are decided on the basis of probabilities of counter party failures. Under the BIS norms, capital adequacy is the ratio of capital to risk weighted assets. Capital is of two types, core capital, i.e., 'capital which is wholly visible in the published accounts, defined as tier 1 capital and tier 2 capital which fulfils some, but not all characteristic features of core capital. The basic characteristic features of tier 1 (core) capital are as under: •

Fully paid;

•

Permanent;

•

Readily available for absorption of losses;

•

No fixed charge/obligation;

•

Subordinate to all other creditors.

Tier 1 capital consists of paid up capital, statutory reserves, disclosed free reserves and capital reserves arising out of sale of fixed assets. Core capital (tier 1 capital) is supplemented by tier 2 capital, which includes undisclosed reserves and cumulative perpetual preference shares, revaluation reserves, general provisions and loss reserves, hybrid debt capital instruments and subordinated debts. Undisclosed reserves are those, which qualify to be, core capital but could not be disclosed/ published due to secrecy requirements. Such reserves should not be encumbered by any known liability and should not be used routinely for normal loan or operating losses. Unpublished or hidden reserves may be constituted in various ways according to legal and accounting guidelines. Under this heading are included only reserves which, though unpublished, have been passed through the profit and loss account and which are accepted by bank's supervisory authorities. They may be inherently of the same intrinsic quality as published retained earnings, but, due to lack of transparency on account of legal restrictions or accounting standards the same are excluded from core equity capital. Revaluation reserves serve as cushion against unexpected losses. These are less permanent in nature and could not be core capital. Such reserves arise out of revaluation of undervalued assets on the bank's books like bank premises. Such reserves are discounted at the prescribed rate of 55% as per guidelines in force. Reliability of revaluation reserves depends upon following factors: •

Fair market valuation;

•

Possible deterioration in values;

•

Realizable value in the situation of forced sale;

Solvency Risk - Concept of Capital Adequacy and Risk Based Capital

•

Tax consequences of revaluation;

•

Discount prescribed.

237

Formal revaluation reserve should be reflected on the face ace of the balance sheet and latent revaluation should not be done. General provisions and loss reserves should be those which are not attributable to either diminution in value or potential loss in any specific asset. Such reserves can be resorted 10 only after sufficient provisions are made against known and identifiable losses. For the, purpose of CAR these cannot exceed 1.25% of risk weighted assets. Hybrid debt capital instruments are those which combine certain characteristics of equity and also debt and should be included when they can support absorption of losses on an ongoing basis without triggering liquidation. Subordinated debt should be •

fully paid up,

•

unsecured in nature,

•

with original maturity not less than 5 years,

•

subordinated to the claims of other creditors,

•

free from restrictive clauses,

•

not redeemable at the initiative of the holder; or without the consent of bank's supervisory authority,

•

included in the capital with progressive discount towards the end of their fixed maturity period,

Subordinated debts with remaining maturity of less than one year should be excluded and such debts should not exceed 50% of core capital.

The level of tier 2 capital is restricted and is not allowed to exceed the level of tier I capital. All assets are assigned prescribed risk weights and all off-balance sheet items are assigned with credit conversion factors and risk weights. Based on the prescribed parameters aggregate risk weighted assets are computed taking into account entire assets and offbalance items and then capital to risk weighted assets ratio is computed. As per present RBI guidelines banks are required to maintain CAR of 9%.

8.2.4

MEASUREMENT of CApiTAl AdEQUACY RATio

For measurement of capital adequacy ratio the elements of capital are first bifurcated in different categories and overall capital base is computed by applying various limits and restrictions and also by deducting intangibles as under:

A. Capital Elements Tier 1

(a)

paid-up share capital

(b)

Disclosed reserves

238

Risk Management in Indian Banks

Tier 2 (a)

Undisclosed reserves

(b)

Asset revaluation reserves

(c)

General provisions/general loan-loss reserves

(d)

Hybrid (debt/equity) capital instruments

(e)

Subordinated debt

The sum of tier 1 and tier 2 elements will be eligible for inclusion in the capital base. subject to the following limits.

B. Limits and Restrictions (i) The total of tier 2 (supplementary) elements will be limited to a maximum of 100% of the total of tier 1 elements; (ii) (ii) Subordinated term debt will be limited to a maximum of 50% of tier 1 elements; (iii) (iii) General provisions/general loan-loss reserves eligible for inclusion in tier 2 will be limited to a maximum of 1.25% of weighted risk assets-, (iv) (iv) Asset revaluation reserves which take the form of latent gains will be subject to a discount of 55%.

C. Deductions from Capital Base From tier 1: Goodwill/other intangible assets if any; Equity investments in subsidiaries.

From tier 2: Subordinated debt instruments included in Tier 2 capital are required to be subjected to discount as under:

Remaining Maturity of Instruments

Rate of discount (%)

Less than 1 year

100

1 year and more but less than 2 years

80

2 years and more but less than 3 years

60

3 years and more but less than 4 years

80

.!! years and more but less than 5 years

20

Tier 3 (The capital requirement as defined in the Basel Market Risk Amendment dated 25th November, 2005) Banks may also at the discretion of their national authority. employ a third tier capital (tier 3) consisting of short-term subordinated debt; as defined below for the sole purpose of meeting a proportion of capital requirement for market risks.

Solvency Risk - Concept of Capital Adequacy and Risk Based Capital

239

For short-term subordinated debt to be eligible as tier 3 capital, it needs, if circumstances demand, to be capable of becoming a part of a bank's permanent capital and thus be available to absorb losses in the event of insolvency. It must, therefore, at a minimum: •

Be unsecured, subordinated and fully paid-up;

•

Have an orginal maturity of at least two years;

•

Not be repayable before the agreed repayment date unless the supervisory authority agrees.

Banks will be entitled to user tier 3 capital solely to support market risk, subject to the following conditions: •

Any capital requirement arising in respect of credit and counter party risk in terms of the Basel Capital Framework, including the counterparty risk in respect of derivatives in both trading and banking books needs to be met by the existing definition of capital in the 1988 accord. (i.e. tiers 1 & 2);

•

Tier 3 Capital will be limited to 250% of a bank's tier 1 capital i.e. required to support market risks;

•

Tier 2 elements may be substituted for tier 3 upto the same limit of 250% in so far as the overall limits in the 1988 Accord are not breached; i.e. to say eligible tier 2 capital may not exceed total tier 1 capital and long term subordinated debt may not exceed 50% of tier 1 capital;

•

In addition, since the Committee believes that tier 3 capital is only appropriate to meet market risk, a significant number of member countries are in favour of retaining the principles in the present Accord that tier 1 capital should be present at least half of total eligible capital i.e. that the sum total of tier 2 and tier 3 capital should not exceed total tier 1.

According to January 2006, RBI circular, at present banks are not allowed to raise tier 3 capital. The options for raising tier 1 & tier 2 capital funds as available to the banks in India, in terms of the present guidelines on capital adequacy do not allow banks to raise capital funds through the issue of:

(a) Preference Shares - both cumulative & non-cumulative; (b) Innovative capital instruments for inclusion in tier 1 capital, and (c)

Hybrid date instruments for inclusion in tier 2 capital.

The feasibility of allowing banks to raise capital funds through the above mentioned instruments has been examined by RBI. However, since tier 3 capital is short-term in nature and is an optional item of capital for meeting a portion of banks' exposures to market risks, this option has not been considered for the present. Taking into consideration the above, and with a view to provide banks in India additional options for raising capital funds, to meet both the increasing business requirements as well as Basel" requirements within the existing lega! framework, it has been decided that banks may augment their capital funds by issue of the following additional instruments:

(a) Innovative Perpetual Debt Instruments (IPDI) eligible for inclusion as Tier 1 capital; (b) Debt Capital Instruments eligible for inclusion as Upper Tier 2 Capital;

240

Risk Management in Indian Banks

(c)

Perpetual non-cumulative preference share eligible for inclusion at Tier 1 Capital, subject to laws in force from time to time; and

(d)

Redeemable cumulative preference shares eligible for inclusion as Tier 2 Capital, subject to laws in force from time to time.

After computation of capital base eligible for inclusion in capital adequacy, risk weighted assets are calculated. For this purpose all on balance sheet assets are assigned prescribed risk weights and all off balance sheet assets are applied with credit conversion factors and then risk weights are assigned as under:

A. Risk Weights by Category of on-Balance-sheet Assets Sf.

Item of Asset or Liability

No.

Risk Weight %

I. 1.

Cash, balances with RBI

2.

(i) Balances in current account with other banks

20

(ii) Claims on BanklFls (as per Annexure 2A)

20

Balances 0

II. 1.

Investments Investments in Government Securities

2.5

2.

Investments in other approved securities guaranteed by Central/State Government.

2.5

3.

Investments in other securities where payment of interest and repayment of principal are guaranteed by Central Govt. (This will include investments in Indira/Kisan Vikas Patra (IVP/KVP) and investments in Bonds and Debentures where payment of interest and principal is guaranteed by Central Govt.)

2.5

4.

Investments in other securities where payment of interest and repayment of principal are guaranteed by State Governments.

2.5

Note:

Where guarantee has been invoked and the concerneed State Government has remained in default, banks should assign 102.5% risk weight. However, the banks need to assign 102.5% risk weight only on those State Government guaranteed securities issued by the defaulting entities and not on all the securities issued or guaranteed by that State Government.

5.

Investments in other approved securities where payment of interest and repayment of prinCipal are not guaranteed by Central/State Govt.

22.50

G.

Investments in Government guaranteed secunties of Government Undertakings which do not form part of the approved market borrowing programme.

22.50

Note:

In order to provide sufficient time to comply with this proVision, banks are permitted to account for the risk weight on the outstanding stock of such securities in the portfolio of the banks as on 31.03.2000 in two phases of 10 percent each in 2001-2002 and 2002-2003. This implies that on purchases after 31.03.2000, full 20 per cent risk weight will have to be assigned during the year of purchase. Further, above securities will also attract uniform risk weight of 2.5 per cent towards market risk.

Solvency Risk - Concept of Capital Adequacy and Risk Based Capital

241

7.

Claims on commercial banks and public financial institutions [as per Annexure 2AJ

22.S0

8.

Investments in bonds issued by other banks/PFls [as per Annexure 2A)

22.S0

9.

Investments in securities which are guaranteed by banks or PFls [as per Annexure 2AJ as to payment of interest and repayment of principal.

22.S0

10.

Investments in subordinated debt instruments and bonds issued by other banks or Public Financial Institutions for their Tier II capital.

102.S0

11.

Deposits placed with SIDBIINABARD in lieu of shortfall in lending to priority sector.

102.S0

All other investments

102.S0

12.

Note:

Equity investments in subsidiaries, intangible assets and losses deducted from Tier I capital should be assigned zero weight.

III.

Loans & Advances including bills purchased and discounted and other credit facilities

1. 2.

Loans guaranteed by Govt. of India Loans guaranteed by State Govts. Note:

3. 4. S.

0 0

Loans guaranteed by State Govts. where guarantee has been invoked and the concerned State Govt has remained in default as on March 31,2000, a risk weight of 20 per cent should be assigned on such advances. Where State Govts. continue to be in default, even after March 31,2001, a risk weight of 100 per cent should be assigned.

Loans granted to public sector undertakings of Govt. of India Housing finance to individuals against mortgage backed securities

100 SO*

6.

Retail Loans

100' 12S*

7. 8. 9. 10.

Loans for financing Real Estates

1S0*

Others

100 100 SO

Loans granted to public sector undertakings of State Govts.

Leased assets Advances covered by DICGC/ECGC Note: The risk weight of 50% should be limited to the amount guaranteed and not the entire outstanding balance in the accounts. In other words, the outstandings in excess of the amount guaranteed, will carry 100% risk weight.

11.

SSI Advances Guaranteed by Credit Guarantee Fund Trust for Small Industries (CGTSI) up to the guaranteed portion.

0

Note: Banks may assign zero risk weight for the guaranteed portion. The balance outstanding in excess of the guaranteed p.ortion would attract a risk-weight as appropriate to the counter-party. Two illustrative examples are given in Annexure 2B.

12.

Advances against term deposits, Life policies, NSCs, IVPs and KVPs where adequate margin is available.

13.

Loans and Advances granted to staff of banks which are fully covered by super-annuation benefits and mortgage of flat/house. "increased the 75% in the RBI credit poling announced in April, 2006.

0 20

242

Risk Management in Indian Banks

14. Takeout Finance (i)

Unconditional takeover (in the books of lending institution) (a) Where full credit risk is assumed by the ta,king over institution

20

(b) Where only partial credit risk is assumed by taking over institution (i)

the amount to be taken over

20

the amount not to be taken over

100 100

(ii) Conditional take-over (in the books of lending and Taking over institution)

IV.

Other Assets

1.

Premises, furniture and fixtures

2.

(i)

Income tax deducted at source (net of provision)

100 0

(ii) Advance tax paid (net of provision)

0

(iii) Interest due on Government securities

0

(iv) Accrued interest on CRR balances and claims on RBI on account of Government transactions (net of claims of GovernmenURBI on banks on account of such transactions)

0

(v)

All other assets

100

B. Credit Conversion Factors for off-Balance-sheet Items The credit risk exposure attached to off-Balance Sheet items has to be first calculated by multiplying the face value of each of the off-Balance Sheet items by 'credit conversion factor' as indicated in the table below. This will then have to be again multiplied by the % eights attributable to the relevant counter-party as specified above.

Sr.

Instruments

No.

Credit Conversion Factor(%)

1.

Direct credit substitutes e.g. general guarantees of indebtedness (including standby LlCs serving as financial guarantees for loans and securities) and acceptances (including endorsements with the character of acceptance).

100

2.

Certain transaction-related contingent items (e.g. performance bonds, bid bonds, warranties and standby LlCs related to particular transactions).

50

3.

Short-term self-liquidating trade-related contingencies (such as documentary credits collateralised by the underlying shipments).

20.

4.

Sale and repurchase agreement and asset-sales with recourse, where the credit risk remains with the bank.

100

243

Solvency Risk - Concept of Capital Adequacy and Risk Based Capital

5.

Forward asset purchases, forward deposits and partly paid shares and securities, which represent commitments with certain drawdown.

100

6. 7.

Note issuance facilities and revolving underwriting facilities.

50 50

Other commitments (e.g., formal standby facilities and credit lines) with an original maturity of over one year.

8.

Similar commitments with an original maturity upto one year, or which can be unconditionally cancelled at any time.

9.

Aggregate outstanding foreign exchange contracts of original maturity -

10.

0

less than one year • for • each additional year or part thereof Take-out Finance in the books of taking-over institution

2

3

100 50

(i) Unconditional take-out finance (ii) Conditional take-out finance Note: As the counter-party exposure will determine the risk weight. it will be 100 percent in respect of all borrowers or zero percent if covered by Government guarantee.

NOTE: In regard to off-balance sheet items. the following transactions with non-bank counter·parties will be treated as claims on banks and carry a risk-weight of 20%.

(a) Guarantees issued by banks against the counter guarantees of other banks. (b) Rediscounting of documentary bills accepted by banks. Bills discounted by banks which have been accepted by another bank will be treated as a funded claim on a bank. In all the above cases banks should be fully satisfied that the risk exposure is in fact on the other bank.

Risk Weights for Open Positions Item

Sr. No.

Risk weight

(%)

1.

Foreign exchange open position.

100

2.

Open position in gold

100

Note:

The risk weighted position both in respect of foreign exchange and gold open position limits should be added to the other risk weighted assets for calculation ofCRAR

D. Risk Weights for Forward Rate Agreement (FRA) Iinterest Rate Swap (IRS) For reckoning the minimum capital ratio, the computation of risk weighted assets on account of FRAs/lRS should be done as per the two steps procedure set out below:

244

Risk Management in Indian Banks

Step 1

The notional principal amount of each instruments is to be multiplied by the conversion factor given below: Original Maturity

Conversion Factor

Less than one year

0.5 per cent

One year and less than two years

1.0 per cent

For each additional year

1.0 per cent

Step 2 The adjusted value thus obtained shall be multiplied by tbe risk weightage allotted to the relevant counter-party as specified below: Banks I All India Financial Institutions All other (except Government)

20 per cent 100 per cent

III. Procedure 1.

2.

While calculating the aggregate of funded and non-funded exposure of a borrower for the purpose of assignment of risk weight, banks may 'net-off' against the total outstanding exposure of the borrower (a)

advances collateralised by cash margins or deposits,

(b)

credit balances in current or other accounts, which are not earmarked for specific purposes and free from any lien,

(c)

in respect of any assets where provisions for depreciation or for bad debts have been made,

(d)

claims received from DICGC/ECGC and kept in a separate account pending adjustment, and

(e)

subsidies received against IRDP advances and kept in a separate account.

After applying the conversion factor as indicated above, the adjusted off Balance Sheet value shall again be multiplied by the weight attributable to the relevant counter-party as specified.

Foreig,n exchange contracts with an original maturity of 14 calendar days or less irrespective of the counterparty, may be assigned "zero" risk weight as per international practice. After computation of total risk weighted assets and eligible capital for the purpose of capital adequacy ratio, the capital adequacy is computed as per the format given in Annexure to this Chapter. While the original Accord focused mainly on credit risk, it has been partially amended in 1996 to address market risk. Interest rate risk in the banking book and other risks such as operational, liquidity, legal and reputational risks were not explicitly addressed. Further, the methods used to determine the capital charges for credit risk are not overly sophisticated. Over a period of time, financial innovation and growing complexity of financial transactions have caUed for a review of the existing capital adequacy framework.

Solvency Risk - Concept of Capital Adequacy and Risk Based Capital

245

8.2. ~ BASEl CApiTAl ACCORd - II ANd iTs IMplicATioNS Recognizing the need for a more broad-based and flexible framework, the Basel Committee released in June 1999 a consultative paper on 'A New Capital Adequacy Framework' or comments by central banks, market planers and other interested parties (First Consultative Document). The New Framework, designed to promote more effectively the stability and soundness of the financial system, calls for better alignment of regulatory capital with underlying risks, by replacing the current broad brush approach with preferential risk weighting. The Framework provides for explicit capital charge for other risks viz., operational risk and interest rate risk in the banking book for banks where interest rate risk are significantly above average (Outliers). A three pillar approach - Minimum Capital Requirement, which seeks to develop and expand on the standardized rules set forth in the 1988 Accord, Supervisory Review of a bank's capital adequacy and internal assessment process, and effective use of Market Discipline as a lever to strengthen disclosure and encourage safe and sound banking practices - has been designed to strengthen the international financial architecture. The adoption of the New Framework in the proposed format would have important implications for emerging market economies as it calls for structural changes in the current regulatory/supervisory standards. Specifically, the proposals for assigning capital on a consolidated basis, use of external credit assessments as a means for assigning preferential risk weights, sophisticated techniques for estimating economic capital etc., may need suitable modifications to adequately reflect the institutional and macro-economic factors specific to emerging market economies. Recognizing the implications of the New Framework for emerging market economies like India, RBI had formulated its comments, explicitly suggesting to the Basel Committee that some of the proposals may require modification/ flexibility to fully reflect the macro-economic environment, structural rigidities and concerns of the emerging market economies. The RBI's comments mainly focused on relying on external credit rating agencies, assigning greater role to external rating agencies in the regulatory process, greater reliance on internal rating-based approaches, delinking the risk weights of the sovereign for assigning preferential risk weights to banks and corporates, favourable risk weighting to short-term claims, enhanced disclosures and transparency, more transition period to implement the proposals etc. The proposals contained in the New Framework had generated considerable debate among the financial institutions and academia across the world. The comments of the Reserve Bank of India were also released to the public and other supervisors, especially in emerging markets to form collective views on issues affecting those countries. The Basel Committee released a Second Consultative Document on the proposed New Basel Capital Accord in January 2001, which contained refined proposals for the three pillars of the New Accord. The Basel Committee recognized that the New Accord, as articulated in the Second Consultative Package, is more extensive and complex than the 1988 Accord and also that the New Accord is more risk sensitive, and contains a range of new options for measuring both credit and operational risks. The Committee re-emphasized the role of supervisory review process and market discipline as complement to minimum capital. The Committee considered that the three Pillars are a package and that the revised Accord cannot be considered fully implemented if all the Pillars are not in place. While formulating the revised New Accord (Second Consultative Document), the Committee had addressed some of the concerns expressed and recommendations made by India and other emerging markets on the first Document, and invited comments on all aspects of the Second Document by May 31, 2001. The Committee received more than 250 comments and considered the same and it has released a revised document (Third Consultative Document) and extended the implementation date by one more year to 2005. The New Accord is likely to be implementated in 2005 and is required to be adhered to by all internationally active banks and all Significant banks after a certain period of time. The salient features of the proposals, and implications for the financial system are as under:

246

Risk Management in Indian Banks

Overall Capital The Committee proposes two approaches, viz., Standardized and Internal Rating Sased (IRS) for estimating regulatory capital. Under the standardized approach, the Committee desires neither to produce a net increase nor a net decrease, on an average, in minimum regulatory capital, even after accounting for operational risk. Under the IRS approach, the Committee's ultimate goals are to ensure that the overall level of regulatory capital is sufficient to address the underlying credit risks and also provides capital incentives relative to the standardized approach, i.e., a reduction in the risk weighted assets of2% to 3% (foundation IRS approach) and 90% of the capital requirement under foundation approach for advanced IRS approach to encourage banks to adopt IRS approach for providing capital. It is felt that the complexity and sophistication of the proposals restrict its universal application in emerging markets, where the banks continue to be the major segment in financial intermediation and would be facing considerable challenges in adopting an the proposals. The spirit of flexibility, universal applicability and discretion to national supervisors, consistent with the macro economic conditions specific to emerging markets ought to be preserved while finalizing the New Accord.

Scope of Application The proposed New Accord would be extended to include, on fully consolidated basis, to holding companies, that are present of groups that are predominantly banking groups, Therefore, the Accord will apply, on a sub-consolidated basis, to all internationally active banks at every tier below the top banking group level. The committee now recognizes the difficulties associated with consolidation of insurance subsidiaries. Accordingly, the Committee now proposes that, at this stage it is appropriate to deduct banks' investment in insurance subsidiaries. Similarly, national supervisors have been given flexibility in either pro rata consolidation or deduction of significant minority investments in non-insurance financial entities. Adding a new dimension, the Committee now proposes deduction from banks' capital of any significant investments in commercial entitles which exceed certain thresholds (15% and 60% of banks' capital for single and aggregate investments, respectively), as it believes that commercial investments provide incentive for banks to bolster the financial condition of the commercial enterprises by making loans -owned equity investments in or injecting more capital. Currently, significant minority financial and commercial entities are not deducted in India. Once the Accord is in place, investments in these entitles above a threshold would have to be deducted.

PILLAR-I Minimum Capital Requirements The minimum capital adequacy ratio would continue to be 8% of the risk-weighted assets, which cover capital requirements for market (trading book), credit and operational risks. For credit risk, the range of options to estimate capital extends to include a standardized, a foundation IRS and an advanced IRS approach. As for operation risk, three approaches (basic indicator, standardized and internal measurement) have been provided.

Credit Risk The Committee offers two approaches for calculating risk-weighted assets i.e. the standardized and IRS approaches:

247

Solvency Risk - Concept of Capital Adequacy and Risk Based Capital

Standardized Approach Under the standardized approach, preferential risk weights in the range of 0%, 20%, 50%, 100% and 150% would be assigned on the basis of external credit assessments recognized as eligible by national supervisors in accordance with the criteria defined by the Committee. The risk weights on various counter-parties are as follQws:

Risk Weight Scale Rating

Sovereigns

Banks

Corporates

0

20

20

A+-A-

20

50

50

BBB+-888-

50

50

100(88-)

88+-8-

100

100

150«88-)