Chapter 8 Risk Management Risk Management is an important feature of all businesses. Companies take risks to generate returns.

The Board of Directors is responsible for ensuring that all material risks are identified, evaluated and managed. Directors must be proactive in the area of risk identification and management. Enterprise Risk Management is a structured process for identifying, assessing, responding to, and reporting on opportunities and threats that affect the achievement of the companys objectives. Every corporate has to put in place an enterprise risk management system- formally or informally depending upon the size of operations and the views of the Board of Directors. The amount of risk varies with the type of business, market conditions and the position of business in the business lifecycle. In other words a young business may be more vulnerable to the threats compared to a mature and established business for the same threats. The directors have to decide the amount of risk that is acceptable to the business entity and this is called the risk appetite of the business. The risk appetite is not a static concept but will change with market conditions and time and the growth of the business. Management of risk involves analysis and proactive responses. Risk can occur through various factors, both internal and external. For example choice of a particular accounting policy may cause a risk to the financial results of the business. On the other hand there are risks which are beyond the control of the company as for example a breakout of war or other causes leading to a sudden
1

increase in the price of inputs. The table below illustrates the types of business risks: INTERNAL Liquidity Cash Flow EXTERNAL Interest Rate Exchange Rate

Financial Risks

Strategic Risks

Credit Research and Development Intellectual property Merger and Acquisition Competition Industry changes Regulations

Operational Risks

IT systems Accounting controls

Hazard Risks

Supply chain Employees Property

Natural events Suppliers Environment Contracts

All directors should be aware of the significant risks faced by the business and should know how the company plans to meet those risks. It is the directors duty to share and communicate the risk management strategies throughout the organization. The risk management process involves steps to identify the risks, understanding the nature and evaluating the effects of the risk occurring, deciding on the response to risk situation and monitoring the risks. The appropriate response to a risk may involve:
2

- Risk Avoidance - Risk Mitigation - Risk Transfer - Risk Acceptance Depending on the cost effectiveness and practicability the particular response may be chosen to any risk being faced by the enterprise. Assumption of risks to earn profits is even more relevant in banking business as banking is primarily a business of taking risks. Risk levels, however, must be appropriately managed. A banks safety and soundness are contingent upon effectively managing its risk exposures. Some transactions or activities may expose a particular bank to a level of risk so great that its board may reasonably conclude that no amount of sound risk management can effectively control it. This type of risk will be unacceptable to the particular bank. To manage risk effectively, a bank must have a well-informed board of directors that guides its strategic direction. A key component of strategic direction is establishing the banks risk tolerance. The board establishes the banks risk tolerance by approving policies that set standards for the nature and level of risk the bank is willing to assume. After adopting policies, the board has to ensure that its guidance is effectively communicated and adhered to throughout the organization. A well-designed monitoring system is the best way for the board to hold management accountable for operating within established risk tolerance levels. Capable management and appropriate staffing are essential to effective risk management. Bank management
3

is responsible for the implementation, integrity, and maintenance of risk management systems. Management must Keep the directors adequately informed about the banks activities. Implement the board-approved strategic direction. Develop policies that reflect the banks risk tolerance and that are compatible with the banks strategic direction. Oversee the development and maintenance of management information systems that provide timely, accurate, and pertinent information. Ensure that the strategic direction and risk tolerances are effectively communicated and adhered to throughout the organization. Because market conditions and bank structures vary, no single risk management system works for all banks. Each bank should develop its own risk management system tailored to its specific needs and circumstances. The sophistication of the risk management system increases with the size, complexity, and geographic diversity of each bank. All sound risk management systems, however, have several common fundamentals. Regardless of the risk management systems design, it should include mechanisms for identifying, measuring, monitoring, and controlling risks: Identifying: Proper risk identification focuses on recognizing and understanding existing risks or risks that may arise from changing economic conditions or new business initiatives. Risk identification should be a continuous process, and risks should be understood at both the transaction (individual) and portfolio (aggregate) level. Measuring: Accurate and timely measurement of risk is essential to effective risk management systems. This also helps in framing the response to the risk.

 Monitoring: The bank should monitor risk levels to ensure timely review of risk positions and exceptions. Controlling: The bank should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These limits should serve as a means to control exposures to the various risks associated with the banks activities. The limits should be tools that management can adjust when conditions or risk tolerances change. The various types of risks to which banks are exposed are: i) Credit Risk- The adverse impact on earnings and capital of a bank arising out of the inability of the bank to recover money lent to a borrower. ii) Interest Rate Risk- The adverse impact on the earnings and capital of a bank arising due to the loss of opportunity to get higher rates of returns when market interest rates change due to locking into different interest rates at an earlier time. iii) Liquidity Risk- The adverse impact on the earnings and capital of a bank which arises as a result of failure to service the commitments due to a lack of adequate liquidity by the bank as the funds have been deployed for longer tenures at some point in the past. iv) Price Risk- is the risk to which a bank is exposed due to pricing its products at particular rates and the inability to take advantage of favorable price movements in the markets for the same products at a later date. Also, the risk of adverse impact on the earnings due to mispricing of a product is a factor.

v) Operational Risk- The risk to earnings or capital arising from inadequate or failed internal processes or systems, the misconduct or errors of people, and adverse external events. Operational losses result from internal fraud; external fraud; employment practices and workplace safety; clients, products, and business practices; damage to physical assets; business disruption and systems failures; and execution, delivery, and process management. vi) Compliance Risk- The risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the banks clients may be ambiguous or untested. This risk exposes the bank to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced enterprise value, limited business opportunities, reduced expansion potential, and an inability to enforce contracts. vii) Strategic Risk- The risk to earnings, capital, or enterprise value arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organizations strategic goals, the business strategies developed to achieve those goals, the resources deployed, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. viii) Reputation Risk- The risk to earnings, capital, or enterprise value arising from negative public opinion. This risk affects the banks ability to
6

establish new relationships or services or continue servicing existing relationships. This risk may expose the bank to litigation or financial loss, or impair its competitiveness or ability to attract or retain funding or capital. Reputation risk exposure is present throughout the bank and requires management to exercise an abundance of caution in dealing with customers, investors, and the community. Solvency and Liquidity are the two core pillars of banking. Solvency risks arise from the credit creation and investment function in banking, as some obligors may default and some investments may lose their value, resulting in unexpected losses. Liquidity risks arise from the maturity transformation function in banking specifically, banks borrow at a short duration from depositors or markets, and lend at a long duration to borrowers or invest in illiquid securities. In most banks, solvency and liquidity are managed as separate functions with minimal consideration for interdependencies. Risk management is usually responsible for solvency, mostly expressed in the language of the Basel framework, whereas treasury and asset-and liability management departments are responsible for funding and liquidity. Diagramatically, we can represent the components of Effective Risk Management as under:

Effective R isk Manag em ent Promote efficiency of . Internal Audit

Promote efficiency of

Internal Controls

Monitor Banks risk profile

R isk Analysis and m onitoring

Ensure adequacy of resources..

R is k Infra structure and MIS

Review adequacy of approach

R iskManag em ent fram ework

Set Limits

R isk Manag em ent function

Define

R isk Appetite Risk Limits

RISK CULTURE

Operating managers in their eagerness to expand business and improve the bottomline sometimes end up assuming unacceptable risks. The level of risks which a bank should accept is decided by the board of directors keeping in view the capital and the business strategy of the bank. As an example let us take the foreign exchange operations of the bank- the treasury department is always given a limit to which the bank may be exposed to exchange fluctuations. Let us say that the board sets this limit at an overnight position of USD 3 million. This implies that on no single day the bank should have a total uncovered exposure of more than this amount at the end of the day and the treasury department should ensure that the
8

uncovered position in foreign exchange is brought below this figure at the time of closing for the day even if the trader in the currency trading desk feels that US Dollar will strengthen overnight and he could make lot of money for the bank by holding higher amounts of US Dollars. For monitoring the performance of the bank the directors look at many parameters. Some of the most important parameters are listed hereunder: a) Return on Assets b) Return on Equity c) Net Interest Margin d) Leverage Ratio e) NPAs to total assets The board of directors plays the vital role in setting the limits to which a risk can be assumed by the bank without endangering the viability of operations of the bank. The board takes stock of the available capital and resources along with the existing risks from various business operations before setting the prudent limits for individual areas of operations. Risk management is the most important function for a bank and the amount of risk that can be assumed depends upon the capital employed in business.

In this chapter we:

a) Appreciated the importance of Risk Management b) Defined the concepts of risk appetite and risk tolerance c) Identified the sources of risks in business of banking d) Discussed the ways of identifying, measuring and managing risks e) Discussed the ways of Risk Management f) Realized the importance of the Risk Management process to business g) Defined Solvency and Liquidity Risks h) Discussed a few ratios which help in assessing the performance of banks

10