Managing Risks in Commercial and Retail Banking E-Book

Contents

Cover

Series

Title Page

Copyright

Preface

PART One: Risk Management Approaches and Systems

CHAPTER 1: Business Risk in Banking

1.1 CONCEPT OF RISK

1.2 BROAD CATEGORIES OF RISKS

1.3 CREDIT RISK

1.4 MARKET RISK

1.5 OPERATIONAL RISK

1.6 OPERATING ENVIRONMENT RISK

1.7 REPUTATION RISK

1.8 LEGAL RISK

1.9 MONEY LAUNDERING RISK

1.10 OFFSHORE BANKING RISK

1.11 IMPACT OF RISK

1.12 SUMMARY

CHAPTER 2: Control Risk in Banking

2.1 HOW CONTROL RISK ARISES

2.2 EXTERNAL CONTROL AND INTERNAL CONTROL RISKS

2.3 INTERNAL CONTROL OBJECTIVES

2.4 INTERNAL CONTROL FRAMEWORK

2.5 TASKS IN ESTABLISHING A CONTROL FRAMEWORK

2.6 BUSINESS RISK AND CONTROL RISK RELATIONSHIP

2.7 SUMMARY

CHAPTER 3: Technology Risk in Banking

3.1 WHAT IS TECHNOLOGY RISK?

3.2 RISKS IN ELECTRONIC BANKING

3.3 SOURCES OF TECHNOLOGY RISK

3.4 MANAGEMENT OF TECHNOLOGY RISK

3.5 SUMMARY

CHAPTER 4: Fundamentals of Risk Management

4.1 RISK MANAGEMENT CONCEPT

4.2 RISK MANAGEMENT APPROACH

4.3 RISK IDENTIFICATION APPROACH

4.4 RISK MANAGEMENT ARCHITECTURE

4.5 RISK MANAGEMENT ORGANIZATIONAL STRUCTURE

4.6 SUMMARY

CHAPTER 5: Risk Management Systems and Processes

5.1 RISK MANAGEMENT POLICY

5.2 RISK APPETITE

5.3 RISK LIMITS

5.4 RISK MANAGEMENT SYSTEMS

5.5 MANAGEMENT INFORMATION SYSTEM

5.6 VERIFICATION OF RISK ASSESSMENT

5.7 HUMAN RESOURCE DEVELOPMENT

5.8 TOP MANAGEMENT COMMITMENT

5.9 CAPITAL ADEQUACY ASSESSMENT AND DISCLOSURE REQUIREMENT

5.10 RISK PRIORITIZATION

5.11 SUMMARY

PART Two: Credit Risk Management

CHAPTER 6: Credit Problems and Credit Risk

6.1 GENESIS OF CREDIT PROBLEMS

6.2 CAUSES OF CREDIT RISK

6.3 SUMMARY

CHAPTER 7: Identification of Credit Risk

7.1 MARKET RISK AND CREDIT RISK RELATIONSHIP

7.2 CREDIT RISK IDENTIFICATION APPROACH

7.3 CREDIT RISK IDENTIFICATION PROCESS

7.4 SUMMARY

CHAPTER 8: Credit Risk Rating Concept and Uses

8.1 CREDIT RISK RATING CONCEPT

8.2 CREDIT RISK RATING USES

8.3 CREDIT RISK RATING PRINCIPLES

8.4 SUMMARY

CHAPTER 9: Credit Risk Rating Issues

9.1 RATING PRACTICES IN BANKS

9.2 DESIGN OF THE RATING FRAMEWORK

9.3 CONCEPTUAL ISSUES

9.4 DEVELOPMENTAL ISSUES

9.5 IMPLEMENTATION ISSUES

9.6 RATING FRAMEWORK OVERVIEW

9.7 SUMMARY

CHAPTER 10: Credit Risk Rating Models

10.1 INTERNAL RATING SYSTEMS IN BANKS

10.2 NEED FOR DIFFERENT RATING MODELS

10.3 NEED FOR NEW AND OLD BORROWER RATING MODELS

10.4 TYPES OF RATING MODELS

10.5 NEW CAPITAL ACCORD OPTIONS

10.6 ASSET CATEGORIZATION

10.7 IDENTIFICATION OF MODEL INPUTS

10.8 ASSESSMENT OF COMPONENT RISK

10.9 SUMMARY

CHAPTER 11: Credit Risk Rating Methodology

11.1 RATING METHODOLOGY DEVELOPMENT PROCESS

11.2 DERIVATION OF COMPONENT RATING

11.3 DERIVATION OF COUNTERPARTY RATING

11.4 SUMMARY

CHAPTER 12: Credit Risk Measurement Model

12.1 RISK RATING AND RISK MEASUREMENT MODELS

12.2 CREDIT LOSS ESTIMATION—CONCEPTUAL ISSUES

12.3 QUANTIFICATION OF RISK COMPONENTS

12.4 CREDIT RISK MEASUREMENT MODELS

12.5 BACK-TESTING OF CREDIT RISK MODELS

12.6 STRESS TESTING OF CREDIT PORTFOLIOS

12.7 SUMMARY

CHAPTER 13: Credit Risk Management

13.1 GENERAL ASPECTS

13.2 CREDIT MANAGEMENT AND CREDIT RISK MANAGEMENT

13.3 CREDIT RISK MANAGEMENT APPROACH

13.4 CREDIT RISK MANAGEMENT PRINCIPLES

13.5 ORGANIZATIONAL STRUCTURE FOR CREDIT RISK MANAGEMENT

13.6 CREDIT RISK APPETITE

13.7 CREDIT RISK POLICIES AND STRATEGIES

13.8 EARLY WARNING SIGNAL INDICATORS

13.9 CREDIT AUDIT MECHANISM

13.10 CREDIT RISK MITIGATION TECHNIQUES

13.11 SUMMARY

CHAPTER 14: Credit Portfolio Review Methodology

14.1 PORTFOLIO CLASSIFICATION

14.2 PORTFOLIO MANAGEMENT OBJECTIVES

14.3 PORTFOLIO MANAGEMENT ISSUES

14.4 PORTFOLIO ANALYSIS TECHNIQUE

14.5 PORTFOLIO RISK MITIGATION TECHNIQUES

14.6 SUMMARY

CHAPTER 15: Risk-Based Loan Pricing

15.1 LOAN PRICING CONCEPT

15.2 LOAN PRICING PRINCIPLES

15.3 LOAN PRICING ISSUES

15.4 LOAN PRICE COMPUTATION

15.5 SUMMARY

PART Three: Market Risk Management

CHAPTER 16: Market Risk Framework

16.1 MARKET RISK CONCEPT

16.2 MARKET RISK TYPES

16.3 MARKET RISK MANAGEMENT FRAMEWORK

16.4 ORGANIZATIONAL SETUP

16.5 MARKET RISK POLICY

16.6 MARKET RISK VISION

16.7 SUMMARY

CHAPTER 17: Liquidity Risk Management

17.1 LIQUIDITY RISK CAUSES

17.2 LIQUIDITY RISK MANAGEMENT ACTIVITIES

17.3 LIQUIDITY RISK MANAGEMENT POLICIES AND STRATEGIES

17.4 LIQUIDITY RISK IDENTIFICATION

17.5 LIQUIDITY RISK MEASUREMENT

17.6 LIQUIDITY MANAGEMENT STRUCTURE AND APPROACHES

17.7 LIQUIDITY MANAGEMENT UNDER ALTERNATE SCENARIOS

17.8 LIQUIDITY CONTINGENCY PLANNING

17.9 STRESS TESTING OF LIQUIDITY FUNDING RISK

17.10 LIQUIDITY RISK MONITORING AND CONTROL

17.11 SUMMARY

CHAPTER 18: Interest Rate Risk Management

18.1 INTEREST RATE RISK IN TRADING AND BANKING BOOKS

18.2 INTEREST RATE RISK CAUSES

18.3 INTEREST RATE RISK MEASUREMENT

18.4 MATURITY GAP ANALYSIS

18.5 DURATION GAP ANALYSIS

18.6 SIMULATION ANALYSIS

18.7 VALUE-AT-RISK

18.8 EARNINGS AT RISK

18.9 INTEREST RATE RISK MANAGEMENT

18.10 INTEREST INCOME STRESS TESTING

18.11 INTEREST RATE RISK CONTROL

18.12 SUMMARY

CHAPTER 19: Foreign Exchange Risk Management

19.1 EXCHANGE RISK IMPLICATION

19.2 EXCHANGE RISK TYPES

19.3 FOREIGN CURRENCY EXPOSURE MEASUREMENT

19.4 EXCHANGE RISK QUANTIFICATION

19.5 EXCHANGE RISK MANAGEMENT

19.6 EXCHANGE RISK HEDGING

19.7 SUMMARY

CHAPTER 20: Equity Exposure Risk Management

20.1 EQUITY EXPOSURE IDENTIFICATION

20.2 EQUITY EXPOSURE MANAGEMENT FRAMEWORK

20.3 EQUITY EXPOSURE RISK MEASUREMENT

20.4 SUMMARY

CHAPTER 21: Asset Liability Management Review Process

21.1 ASSET-LIABILITY REVIEW

21.2 LIQUIDITY RISK REVIEW

21.3 INTEREST RATE RISK REVIEW

21.4 FOREIGN EXCHANGE RISK REVIEW

21.5 EQUITY PRICE RISK REVIEW

21.6 VALUE-AT-RISK REVIEW

21.7 SUMMARY

PART Four: Operational Risk Management

CHAPTER 22: Operational Risk Management Framework

22.1 OPERATIONAL RISK CONCEPT

22.2 OPERATIONAL RISK SOURCES

22.3 OPERATIONAL RISK CAUSES

22.4 OPERATIONAL RISK POLICY OBJECTIVES

22.5 OPERATIONAL RISK POLICY CONTENTS

22.6 OPERATIONAL RISK MANAGEMENT FRAMEWORK

22.7 SUMMARY

CHAPTER 23: Operational Risk Identification, Measurement, and Control

23.1 OPERATIONAL RISK IDENTIFICATION APPROACH

23.2 OPERATIONAL RISK IDENTIFICATION PROCESS

23.3 BUSINESS LINE IDENTIFICATION

23.4 OPERATIONAL RISK ASSESSMENT METHODS

23.5 OPERATIONAL RISK MEASUREMENT METHODOLOGY

23.6 OPERATIONAL RISK MEASUREMENT PROCESS

23.7 OPERATIONAL RISK MONITORING

23.8 OPERATIONAL RISK CONTROL AND MITIGATION

23.9 HIGH-INTENSITY OPERATIONAL RISK EVENTS—BUSINESS CONTINUITY PLANNING

23.10 BUSINESS CONTINUITY PLAN SUPPORT REQUIREMENTS

23.11 BUSINESS CONTINUITY PLANNING METHODOLOGY

23.12 OPERATIONAL RISK MANAGEMENT ORGANIZATIONAL STRUCTURE

23.13 SUMMARY

PART Five: Risk-Based Internal Audit

CHAPTER 24: Risk-Based Internal Audit—Scope, Rationale, and Function

24.1 INTERNAL AUDIT SCOPE AND RATIONALE

24.2 RISK-BASED INTERNAL AUDIT POLICY

24.3 INTERNAL AUDIT DEPARTMENT STRUCTURE

24.4 SUMMARY

CHAPTER 25: Risk-Based Internal Audit Methodology and Procedure

25.1 RISK-BASED INTERNAL AUDIT METHODOLOGY

25.2 RISK-BASED AUDIT PLANNING AND SCOPE

25.3 RISK-BASED AUDIT PROCESS

25.4 SUMMARY

PART Six: Corporate Governance

CHAPTER 26: Corporate Governance

26.1 CORPORATE GOVERNANCE CONCEPT

26.2 CORPORATE GOVERNANCE OBJECTIVES

26.3 CORPORATE GOVERNANCE FOUNDATION

26.4 CORPORATE GOVERNANCE ELEMENTS

26.5 CORPORATE GOVERNANCE IN BANKS

26.6 TOWARD BETTER CORPORATE GOVERNANCE IN BANKS

26.7 SUMMARY

PART Seven: Lessons from the Asian and the United States' Financial Crises

CHAPTER 27: The Causes and Impact of the Asian and the United States’ Financial Crises

27.1 THE ASIAN FINANCIAL CRISIS CAUSES AND IMPACT

27.2 RISKS EMERGING FROM THE ASIAN FINANCIAL CRISIS

27.3 THE IMPACT OF THE U.S. FINANCIAL CRISIS

27.4 THE U.S. FINANCIAL CRISIS CAUSES AND THE CONCOMITANT RISKS

27.5 BASEL COMMITTEE ON BANKING SUPERVISION RESPONSE (BASEL III)

27.6 SUMMARY

About the Author

Index

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.

The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation and financial instrument analysis, as well as much more.

For a list of available titles, visit our Web site at www.WileyFinance.com.

Copyright © 2012 John Wiley & Sons Singapore Pte. Ltd.

Published in 2012 by John Wiley & Sons (Asia) Pte. Ltd. 1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628

All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons (Asia) Pte. Ltd., 1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628, tel: 65--6643--8000, fax: 65--6643--8008, e-mail: [email protected].

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought. Neither the author nor the Publisher is liable for any actions prompted or caused by the information presented in this book. Any views expressed herein are those of the author and do not represent the views of the organizations he works for.

Other Wiley Editorial Offices

John Wiley & Sons, 111 River Street, Hoboken, NJ 07030, USA

John Wiley & Sons, The Atrium, Southern Gate, Chichester, West Sussex, P019 8SQ, United Kingdom

John Wiley & Sons (Canada) Ltd., 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6HB, Canada

John Wiley & Sons Australia Ltd., 42 McDougall Street, Milton, Queensland 4064, Australia

Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany

ISBN 978-1-118-10353-1 (cloth)

ISBN 978-1-118-10355-5 (ebk)

ISBN 978-1-118-10354-8 (ebk)

ISBN 978-1-118-10356-2 (ebk)

Preface

The banking regulatory and supervisory authorities are focusing attention on two key issues: implementation of the new capital adequacy framework in banking institutions and transition to a foolproof risk-based bank supervision system. The New Basel Capital Accord of 2006 is more risk sensitive than the Old Capital Accord of 1988. For the first time, a counterparty rating-based approach has been advocated for regulatory capital assessment. Besides, a new concept of economic capital has been introduced to stick to a capital standard that takes care of unusual losses from severe events.

The New Accord encourages banks to develop internal models for risk rating and risk measurement, strengthen their risk management practices and procedures, and acquire internal capability to assess capital requirements. Concurrently, bank supervisory authorities are taking new initiatives in many countries to focus on a risk-based bank supervision system in order to reduce financial sector vulnerability. The supervisors require banks to undertake self-assessment of their risk profile, identify vulnerabilities in their operations, and improve risk management practices to protect their capital base and ensure long-term solvency. This book takes into account New Capital Accord issues, including those specified in the 2010 Basel Committee response to the global financial crisis, and deals with important aspects of risk management in one place.

Commercial banks, financial institutions, bank auditors, chartered accountant firms, banks’ training colleges, and students who pursue financial risk management courses will find this book useful. The book focuses on practical aspects of risk management; covers risk management–related topics and credit, market, and operational risks; and contains modalities for establishing internal models for risk rating of banks’ counterparties and rating of branch offices for audit prioritization. It contains a balanced mix of concepts, methodologies, and tools pertaining to risk management. Banks that are in the process of implementing New Capital Accord recommendations and the internal and external auditors who are to evaluate independently the soundness of risk management systems and the capital adequacy calculation process in banks will like this book. The book contains summaries at the end of each chapter.

The book comprises seven parts. The first part deals with conceptual aspects of risks and fundamental principles of risk management and gives an outline of the risk management architecture that banks should have.

The second part identifies credit risk management issues and describes procedures for identification, measurement, and management of credit risk. It deals with the modalities for establishing internal models for risk rating and risk measurement and the problematic issues that arise in establishing the rating system across the organization. The rating-based loan pricing mechanism and credit portfolio review techniques are explained in this part.

The third part describes the market risk management framework and explains the process to identify, measure, and control all forms of market risk. It identifies the causes that accentuate market risks and discusses possible solutions to respond to them.

The fourth part deals with operational risk management and the sources and causes that give rise to operational risk events, and explains in a logical sequence the procedure to make a scientific assessment of operational risk. It identifies the operational risk events that happen in banking institutions and explains the procedure to evaluate the loss-inflicting capacity of those events and assess operational risk in terms of event frequency and impact severity. It discusses the ways and means to tackle significant operational risk events that cause serious business disruption.

The fifth part deals with the risk-based internal audit procedure and describes the sequential steps involved in switching over from a transaction-based to a risk-based audit system. It explains the methodology to compile risk profiles of branch offices of banks and gives an elaboration of the risk-focused audit process and risk-focused report writing technique. Risk-based auditing can be used as a tool to assess the efficacy of risk control systems in a bank. For this reason, this topic has been included in this book.

The sixth part gives an outline of corporate governance. Protection of depositors’ interest is the key element of corporate governance that determines the codes and ethics that banks should follow. Corporate governance in banks will suffer unless the bank management establishes a sound risk management system to protect the interests of depositors, shareholders, and debt holders. In view of this, this topic has been included in this book.

Part seven describes the causes and the impact of the Asian and the U.S. financial crises, the lessons we learned from them, and the possible methods banks can take to contain in future the risks that emerged from the crises.

The book contains references to a few documents of the Basel Committee on Banking Supervision, particularly the document on “International Convergence of Capital Measurement and Capital Standards—A Revised Framework” of June 2006. This document is referred to in this book as the New Basel Capital Accord. I have drawn some points and features from the Basel Committee documents and indicated the source, but I have explained them in my own way. The translation or the exposition is not an official translation of the Bank for International Settlements (BIS). The original texts of documents referred to in this book are available free of charge at the BIS web site (www.bis.org). I am grateful to the Secretariat of the Basel Committee on Banking Supervision for giving me permission in this regard.

AMALENDU GHOSH

PART One

Risk Management Approaches and Systems

CHAPTER 1

Business Risk in Banking

1.1 CONCEPT OF RISK

Risk in banking refers to the potential loss that may occur to a bank due to the happening of some events. Risk arises because of the uncertainty associated with events that have the potential to cause loss; an event may or may not occur, but if it occurs it causes loss. Risk is primarily embedded in financial transactions, though it can occur due to other operational events. It is measured in terms of the likely change in the value of an asset or the price of a security/commodity with regard to its current value or price. When we deal with risks in banking, we are primarily concerned with the possibilities of loss or decline in asset values from events like economic slowdowns, unfavorable fiscal and trade policy changes, adverse movement in interest rates or exchange rates, or falling equity prices. Banking risk has two dimensions: the uncertainty—whether an adverse event will happen or not—and the intensity of the impact—what will be the likely loss if the event happens (that is, if the risk materializes). Risk is essentially a group characteristic; it is not to be perceived as an individual or an isolated event. When a series of transactions are executed, a few of them may cause loss to the bank, though all of them carry the risk element.

1.2 BROAD CATEGORIES OF RISKS

Banks face two broad categories of risks: business risks and control risks. Business risks are inherent in the business and arise due to the occurrence of some expected or unexpected events in the economy or the financial markets, which cause erosion in asset values and, consequently, reduction in the intrinsic value of the bank. The money lent to a customer may not be repaid due to the failure of the business, or the market value of bonds or equities may decline due to the rising interest rate, or a forward contract to purchase foreign currency at a contracted rate may not be settled by the counterparty on the due date as the exchange rate has become unfavorable. These types of business risks are inherent in the business of banks. Credit risk, market risk, and operational risk, the three major business risks, have several dimensions, and therefore require an elaborate treatment. These risks are dealt with in greater detail later in this book.

Control risk refers to the inadequacy or failure of control that is intended to check the intensity or volume of business risk or prevent the proliferation of operational risk. Inadequacy in control arises due to the lack of understanding of the entire business process, while failure in control arises due to complacency or laxity on the part of the control staff. Let us suppose that the bank has estimated an average loan loss of 5 percent in its credit portfolio as per its internal model. The actual loan loss will be more than 5 percent, if adequate control is not exercised on credit sanction and credit supervision. If the loan sanction standard is compromised or collateral is not obtained in accordance with the prescribed norms, or laxity in control prevails over the supervision of borrowers’ business and accounts, the level of credit risk will be higher than that estimated under an internal model. Business risk will be higher if the control system fails to detect the irregularities in time. Banks must have an elaborate control system that spreads over credit, investment, and other operational areas.

The risks can also be classified into two other categories: financial risk and nonfinancial risk. Financial risks inflict loss on a bank directly, while nonfinancial risks affect the financial condition in an indirect manner. Credit, market, and operational risks are financial risks since they have a direct impact on the financial position of a bank. For example, if the market value of a bond purchased by the bank falls below the acquisition price, the bank will incur a loss if it sells the bond in the market. Reputation risk, legal risk, money laundering risk, technology risk, and control risk are nonfinancial risks because they adversely affect the bank in an indirect manner. Business opportunities lost, and consequently income lost, on account of negative publicity against a bank that impairs its reputation, or compensation paid to a customer in response to an unfavorable decree from a court of law against the bank, are examples of nonfinancial risk.

The impact of financial risks can be measured in numerical terms, while that of nonfinancial risks is most often not quantifiable. The impact of nonfinancial risks can be assessed through scenario analysis and indicated in terms of severity such as low, moderate, and high. Business risks comprise both financial and nonfinancial categories of risks, whereas control risk is only a nonfinancial risk as it impacts a bank in an indirect way. Consequently, risk management in banking is concerned with the assessment and control of both financial and nonfinancial risks. Bank regulators and supervisors caution banks about the dangers of ignoring risks and want them to understand the implications of financial and nonfinancial risks and develop methods to assess and manage those risks.

A typical risk can occur from multiple sources. For example, credit risk occurs from loans and advances, investments, off-balance-sheet items including derivative products, and cross-border exposures. Likewise, market risk occurs from changes in the interest rate that affects banking book and trading book exposures, changes in bond/equity/commodity prices, and change in the foreign exchange rate. The boundaries between different types of risks are sometimes blurred. A loss due to shrinking credit spreads may be either credit risk loss or market risk loss. Credit risk and market risk may sometimes overlap. Capital risk and earning risk are not risks by themselves for a bank. They are the two financial parameters that absorb the ultimate loss from the materialization of risks. The minimization (or optimization) of the impact of business risk and control risk on the capital and earnings of banks is the ultimate goal of risk management.

Different types of financial and nonfinancial risks are shown in Figure 1.1.

1.3 CREDIT RISK

What Is Credit Risk?

The Basel Committee on Banking Supervision (BCBS) has defined credit risk as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with the agreed terms.1 Credit risk, also called default risk, arises from the uncertainty involved in repayment of the bank's dues by the counterparty on time. Credit risk has two dimensions: the possibility of default by the counterparty on the bank's credit exposure and the amount of loss that the bank may suffer when the default occurs. The default usually occurs because of inadequacy of income or failure of business. But often it may be willful, because the counterparty is unwilling to meet its obligations though it has adequate income. Credit risk also signifies a decline in the values of credit assets before default that arises from deterioration in portfolio or individual credit quality.

What Does Credit Risk Denote?

Credit risk denotes the volatility of losses on credit exposures in two forms: the loss in the value of the credit asset and the loss in the earnings from the credit. Let us assume that a bank has lent U.S. $1 million to a customer at 5 percent annual interest repayable in eight quarterly installments beginning one year after the date of the loan. The credit risk on the exposure of U.S. $1 million is denoted by a risk grade, either derived through the bank's internal model or taken from an outside rating agency. The rating assigned to the borrower will reveal the level of risk associated with the exposure, such as high risk, moderate risk, or low risk. The rating will give an idea of whether the counterparty is likely to default on its repayment obligation over the life of the loan or within some specified time horizon. The amount of loss that the bank may suffer on the exposure will have to be assessed separately through the risk measurement model. In the event of default by the counterparty to repay the amount of U.S. $1 million together with the interest on the due dates, either in part or in full, credit risk has actually materialized. It does not matter whether the default is intentional or unintentional. If the counterparty does not pay the installments at the contracted interest rate, the loss suffered by the bank will include both principal and interest. But if he or she agrees to repay the principal and requests the bank to waive the interest amount due on the loan, partly or fully, due to the inadequacy of income, loss of earning on the credit has occurred. Thus, credit risk denotes uncertainty in the recovery of the principal value of the loan and the contracted interest amount, either in part or in full.

What Is Intermediate Credit Risk?

Credit risk occurs in different intensities. The most severe is the risk of default in repayment of the principal and the interest. An intermediate credit risk occurs when the creditworthiness of the counterparty deteriorates causing a decline in the market value of the credit exposure. In such a situation, credit risk appears in the form of a rating downgrade. When the credit quality declines, credit risk may be deemed to have materialized before the occurrence of default. The extent of credit risk can be assessed from the current risk grade assigned to the exposure. In a market, where loans are traded between lending banks, deterioration in credit quality will fetch a lower amount when the asset is put up for sale. The estimated loss in the asset value before default is an intermediate form of credit risk.

What Is Country Risk?

Another element of credit risk, which arises from cross-border lending and investment, is “country risk.” The latter term denotes the possibility that a sovereign country is unable or unwilling to meet its commitments to foreign lenders. The risk is greater in countries where the economy is weak and the financial system is fragile and not well regulated. Country risk arises from exposures both to the sovereign government and the private borrowers who are resident in that country and have borrowed money from banks located in other countries. The default on obligations can arise due to the restrictions imposed by the government for conversion of domestic currency into foreign currency on account of depletion in foreign currency reserves, or it can arise from very adverse movement in the foreign currency exchange rate that increases substantially the amount repayable in domestic currency on foreign currency loans. The default can also occur due to political changes or economic policy changes. Sometimes, the government itself may renege on its liability, or the borrower located in the foreign country may refuse to repay.

1.4 MARKET RISK

What Is Market Risk?

BCBS has defined market risk as:

The risk of losses in on or off-balance-sheet positions arising from movement in market prices. The risks subject to this requirement are:

Market risk refers to the possibility of decline in the market values of assets or earnings that arise from changes in market variables. Market risk arises from financial transactions undertaken by banks to build up inventories of financial assets or take up positions deliberately in expectation of favorable movements in interest rates, exchange rates, and bond/equity prices to make gains. Banks may build up positions in securities and shares or off-balance-sheet items, like forward contracts in foreign exchange or futures in commodities, and so on.

1.5 OPERATIONAL RISK

What Is Operational Risk?

BCBS has defined operational risk “as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputation risk.”3 Operational risk is sometimes perceived as “residual risk” and arises in almost all departments of the bank—credit department, investment and funds department, treasury, information technology department, and so on.

Causes of Operational Risk

The causes of operational risks are many, and it is difficult to prepare a complete list of the causes because sometimes the risk occurs from unknown and unexpected sources. If we are clear about the causes and sources of credit and market risks, we can understand why risks emerging from failed people, processes and systems, and from external events are grouped under operational risk. Risks from people arise on account of incompetency or wrong positioning of personnel and misuse of powers. The bank faces risks if the staff handling certain transactions do not have adequate knowledge or technical skills to handle those transactions, or the staff who are known to have doubtful honesty and integrity are placed in sensitive areas of operations, or the staff misuse their loan sanction powers. The employees may commit fraud by themselves or in collusion with outsiders, or they can access computers without authorization and manipulate or alter data and information. In all these situations, the bank will incur financial loss from the dishonesty and irregular actions of its employees.

Process-related risks arise from possibilities of errors in information processing, data transmission, data retrieval, or inaccuracy of result or output. Process risks can occur in execution of complex transactions, such as option pricing, currency swapping, or interest rate swapping. Errors can occur in payments and settlements due to faulty processing of data or mutilation of messages and data during the processing and transmission stage that may result in excess payment. Errors can also take place in making decisions on loans and investments due to generation of faulty outputs. For example, in making decisions on large loans or investment in bonds, the risk grade of the counterparty is crucial. The rating grade assigned to a party can be erroneous due to model error or processing error. The model output may not reflect the reality of the situation. The risks arising from these types of process-related errors can be attributed to the “process” component of operational risk.

Banks depend on computer systems for smooth conduct of their operations, and the hardware and software systems that process and store huge volumes of information and data every day are highly vulnerable. Several situations arise in the course of the bank's day-to-day operations that give rise to high levels of risk. The failure of the computer system or the telecommunication system, the breakdown of automated teller machines, the hacking of the computer network by outsiders, and the programming errors are incidents that can take place any time and disrupt the bank's business. These incidents ultimately cause losses to the bank. The risks that arise from these types of incidents can be ascribed to the “systems” component of operational risk. Operational risks from external events like earthquake, flood, riot, burglary, looting, and so forth are obvious and need no elaboration.

Operational risk arises from different events and situations that take place every day in banks. The risks from these incidents, which relate to either the people or the process or the systems, cannot be clearly attributed to credit and market risks based on definitions. One cannot definitively say that these three sources of operational risk are independent of one another, and there is no interrelation among them. The more acceptable proposition is that these three elements are closely linked, and operational risk often arises as a result of their combined effects. When a bank enters into a business relationship with a client, it is the process (procedure) prescribed in the operation manual that is applied for initiating the transaction, it is the people who do the processing for analyzing the transaction and making the decision, and it is the computer system (technology) that supports the process to deliver the service. All three sources of operational risk are intermingled, and it is sometimes difficult to pinpoint the exact source.

Awareness about Operational Risk

Historically speaking, banks have been quite familiar with operational risk events for decades. This has been evident from their eagerness to identify vulnerable areas of operations and take special measures to plug the loopholes. Banks have made sustained efforts in the past to streamline the procedures for credit and investment decisions, reduce irregularities in transaction handling, and prevent frequent occurrence of fraud. They have devoted specific attention to fraud-prone areas, like reconciliation of books of accounts and security of the computer network system. These preventive measures have been taken in response to internal and external audit findings. But there has been no systematic approach to deal with operational risk in a comprehensive manner. Bank management has not given due treatment to operational risk that they have given to credit risk and market risk. Operational risk differs from other business risks in that it is not taken for an expected return, but it is implicit in the business activities of the bank. It has high potential to inflict large losses, and omitting to recognize the risk in its entirety will distort the actual risk profile of a bank.

1.6 OPERATING ENVIRONMENT RISK

The operating environment includes the economic, political, social, legal, and regulatory environments. Banks scan the environment in which they operate and prepare business plans (annual performance budgets). Severe competition in the financial services sector makes it extremely difficult for banks to prepare realistic business plans that are achievable in the given environment. Different strategies are required for different types of clients, markets, and products. Banks run the risk of business loss due to the incompatibility of business strategy with business potential and business environment, besides technological inadequacy, lack of expertise, and delay in delivery of services.

Banks face operating environment risks that arise from changes in macroeconomic and microeconomic factors. The business environment changes due to slower economic growth, high inflation, an adverse balance of payments situation, high interest rates, and money market and capital market restrictions. Banks also face constraints due to the sudden introduction of new regulatory and supervisory directions. High fiscal deficits, stringent regulatory restrictions, and the environmental changes that trigger movements in asset prices are some of the important factors that affect business growth and profitability. Also, the government sometimes issues directives to banks for achieving minimum lending targets in chosen sectors of the economy, like residential housing, agriculture, and small-scale industry, or preferred groups of people, like low- and middle-income people. Banks also face constraints due to the customer's preferences, limited range of innovative products, lack of geographical reach, and lack of opportunities for enlargement of market share. The degree and the duration of environment risks that a bank will face depend on its preparation and willingness to adapt to the changing environment. The sudden changes in operating environment often make it difficult for banks to reorient their business plans, and they run the risk of loss of business and earnings. In a competitive environment, the loss of business during a particular period tends to make future years more vulnerable as banks will be under pressure to achieve aggressive targets to make up for the shortfall. Formulation of medium-term business plans based on research that takes into account possible changes in the business environment with a clear focus on target clientele, target products, and target markets is crucial for managing operating environment risks effectively.

1.7 REPUTATION RISK

Reputation risk is the risk of damage to a bank's image and goodwill that occurs due to negative publicity against it or erroneous perceptions about its soundness and operational integrity. Reputation risk triggers loss of confidence in the public and sometimes creates a gigantic liquidity problem for the bank that may precipitate its failure. The bank's failure to honor commitments to the government, regulators, and the public at large impairs its reputation, but reputation risk cannot be perceived as the risk that solely arises from failure to meet liabilities. It can arise from any type of situation relating to mismanagement of the bank's affairs or nonobservance of the codes of conduct under corporate governance. Risks emerging from suppression of facts and manipulation of records and accounts also come under the ambit of reputation risk. Bad customer service, inappropriate behavior of the staff, and delay in decisions create a bad image of the bank among the public and hamper development of business. Loss of reputation may also arise due to the action of a third party, which may be beyond the control of the bank. The management's failure to be cognizant of the events that damage the bank's reputation and to take remedial actions in time may lead to erosion of its standing in the market.

The occurrence of events that generate negative opinion about the bank or the publicity of some secret transactions or affairs of the bank by the media that questions the management's integrity involves great reputation risk. For instance, the delay or refusal to honor commitments promptly under a financial guarantee issued by the bank to the beneficiary, which has been invoked, creates doubts about the bank's intentions to follow established banking practices. Such events may lead to situations where financial guarantees issued by the bank may not be accepted by others. Customers’ perceptions, shareholders’ perceptions, and regulators’ perceptions about a bank are the bases that help in detecting the flaws that give rise to reputation risk. The gossip in the market about a large fraud that has taken place or a large loan that has become nonperforming too soon after disbursal of funds creates bad impression about the integrity of the management. Banks are highly vulnerable to negative publicity that can cause loss of existing and future business. Loss of reputation may force certain valued customers to discontinue their relationship with the bank. Reputation risk, though nonfinancial in nature, has the potential to cause loss to the bank in an indirect way.

1.8 LEGAL RISK

Legal risk is the risk of financial loss that arises from uncertainty of outcomes of legal suits filed by the bank in a court of law or from legal actions taken against it by third parties. Legal risk arises due to errors in application or interpretation of laws or omissions to perform obligations under the laws. Banking transactions involve contracts between the bank and the customers, which can become unenforceable due to defects in their execution, or which can be challenged in a court of law if one of the parties is ineligible to enter into transactions or negotiations. The agreement can become unenforceable due to deficient documentation or invalid charges on collateral. Even unforeseen circumstances may invalidate a contract. Inappropriate or incomplete documentation or defects in contractual agreements between the bank and the customers and between the bank and the vendors (on outsourcing arrangements) are the principal reasons that cause legal risk.

Banks also face legal risk as their actions can be challenged in a court of law on the ground that the actions are not in conformity with the banking laws or other laws of the country. They can face legal suits initiated by customers, third parties, and service providers for redress of their grievances or settlement of their disputes arising from nebulous issues. The customers can accuse banks of negligence in handling their business or in taking unilateral action that has been detrimental to the interest of their business. Legal risk also arises in cross-border transactions when the applicable laws of other countries are unknown or unclear, or when jurisdictional ambiguities arise in identification of responsibilities of different national authorities.

1.9 MONEY LAUNDERING RISK

Money laundering risk arises from the bank's failure to comply with domestic and international anti–money laundering laws and regulations, including those of other countries in which the bank has its branch offices or affiliated units. Money laundering is the criminal practice of converting illegal sources of money through a series of transactions that look like genuine transactions into a pool of genuine proceeds, which are utilized for illegal and criminal purposes. Financial sector supervisors face several challenges to ensure that financial service providers are not used as intermediaries for the deposit or transfer of illegal money derived from criminal activities.

Money launderers usually generate funds at their country of residence through tax evasion, drug trafficking, illegal arms dealing, and the like, and then transfer those funds to other dummy accounts at foreign centers or invest them in financial instruments to give a legitimate appearance. They use that money for business at foreign centers to generate more illegal income in disguised names or to carry out criminal and terrorist activities. They utilize many tricks to conceal the transfer of money, like selling property or other assets to dummy entities owned by them against deferred payments which are never settled, or remitting money for payment of goods and services by creating fictitious invoices, or making false claims as deductible expenses for payments made to their dummy entities toward rentals and depreciation on fictitious machinery and equipment, or depositing checks payable to dummy entities for collection by a bank at tax haven. Likewise, money launderers utilize a variety of methods to repatriate funds at chosen places, such as taking loans from fictitious parties at offshore centers or utilizing deposit receipt of offshore funds as collateral for borrowing money at their place of operation, or utilizing credit and debit cards issued by offshore banks on their accounts.

Reliable estimates of the amount of money laundering are not available, but it is believed to be in trillions of U.S. dollars. Money laundering is posing a significant threat to individual financial institutions and the global financial system, and the threat is more from parties operating at offshore banking centers and tax havens. The bank faces reputation risk because its failure to detect money laundering affects its integrity, the volume of cross-border business, and its international standing.

Compliance with anti–money laundering laws is complicated because the chances of unintentional mistakes in detecting money laundering activities are high. First, no certain definition exists regarding the types of financial transactions that are considered money laundering, because countries are free to determine what constitutes illegal sources of money, and also, banks cannot track the actual sources of money. Second, banks find it difficult to comply with the bank regulators' directives to segregate transactions of individual values above certain specified limits and screen them to detect the suspicious ones, because the unscrupulous customers either break large transaction into multiple transactions of individual values below the specified limit or open and operate multiple accounts in different fictitious names to escape from scrutiny by bank officials. Bank staff find it difficult to trace money laundering transactions as they handle large volumes of transactions during the day, though they may have received training on “Know Your Customer” principles and the controls are in place to monitor operations in accounts. Third, there is a conflict of interest between the bank's obligation to maintain the secrecy of customers’ accounts under the Bank Secrecy Act and its responsibility to report transactions involving suspicious activities under the anti–money laundering laws. Banks face the risk of reporting genuine transactions as suspicious and, in the process, breaching the contract to preserve the secrecy of customers' accounts.

The consequences of banks' failure to detect and report suspicious transactions to the supervisory authorities under the anti–money laundering laws are very severe in certain countries. The individual bank employees are subject to termination of service, criminal conviction in a court of law, and imprisonment, if evidence of money laundering is established. Banks themselves are liable to pay a high monetary penalty imposed by the supervisory authorities, and the collateral, the personal property, and even the genuine deposit accounts of customers are subject to forfeiture, if they have any linkage with money laundering activities. If bank officials detect money laundering attempts by customers, they should be cautious in sanctioning loans against the security of risk-free assets, like high cash margin or mortgage of properties, if the sources of acquisition of cash or other assets by the customers are unknown.

1.10 OFFSHORE BANKING RISK

Banks face risks from their own clients engaged in offshore banking and from other counterparties operating in offshore banking centers. Most of the offshore banking centers are also tax havens, and financial institutions operating in tax havens are highly protected through bank secrecy laws. Customers may have a genuine need for offshore banking accounts because of better investment opportunities and low taxation, but many customers deal in offshore centers to conceal money earned through illegal sources or to store money for illegal activities. Customers do not disclose their financial dealings and income earned in offshore centers to their home country tax authorities. Many customers prefer tax havens because of the low or negligible level of taxes applicable in those areas, and because sources of funds are not questioned nor operations in their accounts appropriately supervised. Offshore banking centers provide all types of banking services including conversion of local currency into foreign currency, and their operations have become voluminous as multinational corporations set up trusts and subsidiaries in those jurisdictions to hold and manage assets to reduce tax burdens or evade specific taxes. Most authorities apply the following four criteria to identify tax havens:

Offshore banking has assumed enormous significance in the international financial system because large amount of assets, believed to be in the region of U.S. $5 trillion, are held in offshore tax havens, but at the same time it has become a source of threat to international financial stability. The regulation and supervision of financial institutions at many tax havens are very weak, and consequently, the risk from offshore counterparties remains hidden. Customers divert income and evade their tax obligations by opening bank accounts at offshore centers and later withdraw those monies through debit or credit cards. Banks face credit risk, money laundering risk, and reputation risk from their clients because the national authorities could prosecute the clients for tax avoidance or involvement in criminal activities through offshore accounts.

Money launderers usually choose offshore banking centers or tax havens to park their illegal money by establishing trusts, corporations, subsidiaries, investment companies, or insurance companies under fictitious names, because the chances of detection of money laundering activity are very low in those centers due to weak anti–money laundering laws and lax implementation. Bank secrecy provisions vary between locations, and people usually choose those locations that offer maximum protection against disclosure of information.

1.11 IMPACT OF RISK

Different types of risks impact the banks with different intensities. Each broad category of risk, like credit, market, and operational risks, impacts the bank through a number of risk factors, and the impact is ultimately reflected through capital loss, revenue loss, and decline in asset values. The impact of financial and nonfinancial risks is shown in Figures 1.2 and 1.3.

1.12 SUMMARY

Risk in banking refers to the loss that may occur to a bank on account of some events happening. Risk signifies potential loss and is primarily embedded in financial transactions, though it can arise from other operational events.

Banks face business risk and control risk. Credit, market, and operational risks are the three major business risks and cause erosion in asset values and earnings. Control risk refers to the inadequacy or failure of control to check the intensity of business risk and influences the quantum of loss that arises from business risks.

Risks can be classified into financial and nonfinancial risks. Credit, market, and operational risks are financial risks, while operating environment risk, reputation risk, legal risk, money laundering risk, technology risk, strategy risk, and control risk are nonfinancial risks. Financial risks inflict loss directly, and nonfinancial risks cause loss of income in an indirect manner, besides avoidable expenditure. The impact of financial risks is measured in numerical terms, while that of nonfinancial risks is indicated in terms of severity, such as low, moderate, high, and extremely high.

Credit risk is the risk of default by the counterparty and the potential loss that can occur from the default. Market risk is the risk of decline in asset values or erosion in earnings that may arise from changes in market variables. Operational risk is the risk of potential loss that may occur from adverse events associated with people, internal processes and systems, and external events. Operational risk is taken, not for an expected return; it is implicit in the ordinary course of corporate activities.

Operating environment risk causes loss of business from changes in the operating environment, and reputation risk leads to flight of deposit money and business due to negative publicity against the bank. Legal risk arises from errors in application or interpretation of laws and regulations and not performing contractual or legal obligations that may involve payment of claims under court decrees. Money laundering risk arises from breach of anti–money laundering laws and rules that may result in criminal conviction and payment of a penalty.

NOTES

1. Principles for the Management of Credit Risk, BCBS, September 2000.

2. Basel Committee on Banking Supervision (BCBS), “International Convergence of Capital Measurement and Capital Standards: A Revised Framework— Comprehensive Version,” June 2006 (New Basel Capital Accord), paragraph 683(i).

3. New Basel Capital Accord, paragraph 644.

CHAPTER 2

Control Risk in Banking

2.1 HOW CONTROL RISK ARISES

Banks are susceptible to control risk because of the inadequacy of their control framework and the possibility of human failure in the application of control. Human failure may occur due to the lack of knowledge about the products and the business process. Control risk arises because of negligence in the application of control or because of complicity and compromise with the business principles and rules. Controls are predesigned checks to prevent occurrence of errors, slippages, and excesses in conducting the bank's business. But risks may emerge from unknown and unanticipated events, for which the control framework may sometimes fall short of the requirements. It is perhaps not possible to visualize every possible way in which risks can occur and then set up an elaborate control framework to respond to any risk event, because certain types of events rarely happen. Control managers must be able sense the dangers and set up a temporary monitoring mechanism as long as fears from such dangers persist. The alertness and the sincerity of individuals who are responsible for the application of control are more important than the elaborateness and the niceties of the control procedures. The impact of control risk is high, and therefore, a bank cannot but have a foolproof control system.