Risk Management for Banks: Mere a Compliance or Really Required?

Khaled Mahmud Raihan

Most talked about issue in the global financial arena is the risk management as financial service industry is facing various challenges emanating from increased competition, expansion of business network as well as diversity of products and services base. Although Bangladesh has fortunately been spared of recent worst upheavals that have occurred in western countries, the necessity of risk management cannot be ignored. Recent scam of Hall mark further reiterated poor risk management and governance in the banking sector. Bangladesh Bank (BB), however, in its effort to streamline the operation of banks and financial institutions, issued different circulars and risk management guidelines to make the financial sector more shock absorbent and risk resilient. The latest circular titled Risk Management Guidelines for Banks from Department of Off-site Supervision (DOS) has added a new dimension in the risk management framework of the financial system. Although all the banks have already set up Risk Management Unit (RMU) in line with BB requirement, most of them are in place just to comply with regulatory requirements and as such their functions are confined only to regulatory reporting. The major reason behind the same is the Board and senior management perception about RMU a cost center (as it does not have any visible outcome); as such most of the banks form the unit on ad hoc basis without going through great detail of risk management philosophy. However, in reality, the scope of risk management is much broader and the same can contribute towards cost saving through minimizing risk and can be turned into a profit center. Unfortunately, excepting few, most of the banks are yet to look into the intrinsic benefit of risk management. In this paper an attempt has been made to create awareness among the bankers about risk management guidelines and to explore how risk management can improve a banks performance. What are the Banks Risks? Risk is the potentiality that both the expected and unexpected events may have an adverse impact on the banks assets and liabilities having consequent affect on capital or earnings of the bank. The expected loss is to be borne by the borrower and hence is taken care of by adequate pricing of the products through risk premium and reserves created out of the earnings. On the contrary, the unexpected loss is to be borne by the bank itself and hence is to be taken care of by capital or risk management. Why Risk Management in Banks? Risk management has become an integral part of banks operation as banks have now been converted into risk intermediary from traditional financial intermediary. The operations of the banks are not merely confined to mobilizing deposits and extending credit rather stretched out to diversified range of products and services extended beyond the geographical boundary. As a consequence of their operation in a dynamic and competitive business environment, banks are to go through the risk of volatility of national and global markets, technological advances, changing regulatory environment and innovation of financial products from the competitors. Forgoing of any business opportunity is as significant as actual losses. In order to tap potential business opportunity with risk associated market information, risk management plays the most crucial role. The essential functions of risk management are to identify, measure and more importantly monitor the risk profile of the bank. Risk Management system is the pro-active action in the

present for the future; not just making autopsy of the past. Thus, risk management can not be separated from the business units of the bank. How risk management activities should take place? Risk management activities should be taken place in three levels: strategic level, management level and operation level. Strategic Level: This encompasses risk management functions performed by senior management and Board of Directors. Board and Senior Management should have clear understanding of the types of risks inherent in business lines and to ensure continued awareness of any change in risk levels. Management Level: This encompasses risk management within a business area or across business lines. Generally the risk management activities are performed by middle management of units devoted to risk reviews fall into this category. Operational Level: This involves on-the-line risk management where risks are actually created. This covers the risk management activities performed by individuals who take risk on the organizations behalf such as front office and loan origination functions. Risk management unit falls under mgt level category which acts as a bridge between strategic and operational level. Optimum Risk Management Framework of a Bank: Role of RMU In order to ensure sound risk management in a bank, a functional risk management organogram is crucial with defined responsibilities of Board of Directors, Credit and Risk Committee, Executive Board, All Risk Committee, ALM Committee, Executive Board Credit Committee, RMU, Office of CFO, Credit Department, Treasury and Business Units. An Optimum risk management framework is shown below:
Board of Director (BOD) Defining risk appetite Designing organization structure of risk mgt. Understanding inherent risks of the bank Review and approve risk mgt. policies Monitoring compliance with overall risk mgt. policies Internal Audit Duty to senior mgt. and the board via the Audit Committee on the state of governance, risk mgt. and control within the organisation Credit and Risk Committee Consulting panel on significant risk exposure submitted to the Board Functions shall be set by the Board

All Risk Committee Set by EB responsible for all types of risk

Executive Board (EB) Ensure appropriate knowledge and expertise at management and sufficient staff resources Supervising senior managers & head of business lines Identify risks involved in new products & activities Establishing committees and sub-committees for on going risk management ALM Committee Executive Board Credit Committee Senior mgt. level Credit Application that exceeds the lending authorities of committee responsible for business units supervision /management Preparing credit polices for approval by Board of mkt. risk Overall valuation of loan portfolio and the adequacy of (Interest and Liquidity) loan losses allowances

RMU Risk Parameters Models Stress Testing and reporting Monitoring

Office of CFO Capital Management Market Risk Mgt.

Credit Department Credit Methods and Processes Credit Portfolio mgt.

Treasury Liquidity Mgt.

In an ideal risk management framework, from the apex body i.e. Board of Directors to the business units, everybody carries some responsibilities. However, RMU is the nerve center of the whole risk management framework. In addition to developing risk parameters, models, along with stress testing, reporting and monitoring activities, RMU is also responsible for designing overall risk management strategy alongside informing the Board and All Risk Committee about the appetite for risk across the bank. It is also responsible for establishing risk management policies and procedures and communicating views of board and senior management throughout the bank. Contribution of Risk Management in improving banks performance Management of Credit Risk: Credit risk is most simply defined as the potential that a banks borrower or counterparty will fail to meet its obligations in accordance with agreed terms. The risk is primarily that of the lender and includes lost principal and interest, disruption to cash flows, and increased collection costs. Major risk of a bank emanates from credit risk in view of inherent business nature. An analysis on the banks reveals that more than 80% (on an average) of the risk weighted assets (RWA) generates from credit risk (considering both balance sheet and off balance sheet exposure). Thus, sound management of credit risk is the main driving force of a banks success. Portfolio and Transaction Risk Management From a broad perspective, portfolio risk and transaction risk are the two main elements of credit risk. Portfolio risk comprises of Concentration Risk (sectoral/group/regional concentration etc.) and Intrinsic Risk (inherent portfolio risk). Portfolio analysis on regular basis can help to identify concentration of credit while default/migration statistics and recovery data can help to address intrinsic risk. Under portfolio management, transaction matrix (client-wise/account wise) and distribution analysis of the borrower in various industries can help a lot. On the other hand transaction risk emanates from a particular deal comprising migration/down gradation risk as well as default events. Default is the extreme event of credit migration. Credit ratings are useful measures of evaluating these transaction risks. Through addressing these types of risks, bank can improve its credit quality which can improve the profitability at the end. Risk Profiling of Industry and Industry Outlook Banks extend credit in different sector/industry. All the industry does not carry the same risk profile and outlook. Focus group in RMU can semiannually review major industries/sectors considering current business trend, govt. policy, default statistics etc. and profile them in terms of risks (high/medium/low etc.) with likely direction or outlook (positive/stable/negative). Banks will be benefited out of industry risk nature and prioritize/restructure the investment portfolio from industry risk profiling. In addition to above, RMU can also support the regular credit/investment division in exposure ceiling (Prudential Limit vs. Threshold Limit). It also can give early alert for further expansion. Risk-based Loan Pricing After the implementation of Basel-II, it was quite evident that all the counterparties of a bank do not carry the same risk weight. Risk weight of the counterparties varies from 20% to 150%. Thus, loan pricing should not be same for all counterparties of the bank. Globally financial

institutions use risk based loan pricing in lending. A risk based loan pricing is a methodology adopted by lenders to measure loan risk in terms of interest rate and other fees. The interest rate on a loan is determined not only by the time value of money, but also by the lender's estimate of the probability that the borrower will default on the loan. A borrower who the lender thinks is less likely to default will be offered a better (lower) interest rate. This means that different borrowers will pay different rates. In order to shift the risks to the lenders to cover expected losses, risk based loan pricing model can be developed keeping in view the risk weight of the counterparty (rated vs. unrated and investment grade vs. non-investment grade), payment behavior, cost of capital, cost savings etc. The above would ensure justice to the clients. Credit monitoring Credit monitoring is another crucial function under credit risk management. Banks need to develop and implement comprehensive procedures and information systems to monitor the condition of each individual credit across various portfolios. Credit Policy should explicitly provide procedural guideline relating to credit risk monitoring which should include the roles and responsibilities of individuals responsible for credit risk monitoring, assessment procedures and analysis techniques (for individual loans & overall portfolio), frequency of monitoring, periodic examination of collaterals and credit covenants, frequency of site visits etc. RMU can work with regular credit department and support them from a broad based approach through providing early signs of irregularity, monitoring timely repayment, branch suspension monitoring (particularly for SMEs), monthly arrangement of SMA and NPL convention, weekly PD (past due) monitoring etc. Internal Risk Rating Model and Move towards IRB In addition to regular credit risk grading (CRG), bank should establish an independent Internal Credit Risk Rating Framework across all types of credit facilities in line with BB regulation and guideline that must be approved by the Board. All credit facilities should be assigned with an internal risk grade. The rating framework may incorporate a wide range of risk factors like business risk, industry risk, financial risk, credibility and relationship risk etc. Credit facilities should independently be reviewed in regular time interval. Although under standardized approach of credit risk, internal risk rating cannot be used for capital adequacy purposes, the framework would help the bank in a number of ways like credit selection, amount of exposure, tenure and price of facility, frequency and intensity of monitoring, level of approving authority and more importantly the migration of rating. Moreover, BB did not change its original road map (circulated in 2008) of Internal Rating Based Approach (IRB) for the banks against credit risk under Basel-II capital adequacy framework. Under this approach, the banks are allowed to develop their own empirical model to estimate the PD (probability of default) for individual clients or groups of clients. Banks can use this approach only subject to prior approval of BB. Internal risk rating model could be a good platform towards IRB for calculating default % to be linked with default statistics. Under Foundation-IRB banks will be required to use regulator's prescribed LGD (Loss Given Default) and other parameters required for calculating the RWA (Risk Weighted Assets). However, database is the most crucial aspect for implementing the same. Unfortunately, none of the bank is yet to approach BB for IRB although it may be a good business proposition for a good number of commercial banks, having a large portfolio base, to positively think of it.

Management of Market Risk Market risk is the risk that the value of a portfolio will decrease due to the change in value of the market risk factors. The four standard market risk factors are stock prices, interest rates, foreign exchange rates, and commodity prices. Due to increased diversity in banking operation, most of the banks are exposed to market risk. Thus management of market risk has become crucial in overall risk management framework of the bank. Interest Rate Risk Interest rate risk is the potential impact on a bank's earnings and net asset values due to changes in market interest rates. Interest rate risk arises when a bank's principal and interest cash flows (including final maturities), both on- and off-balance sheet, have mismatched repricing dates. The amount at risk is a function of the magnitude and direction of interest rate changes and the size and maturity structure of the mismatch position. The immediate impact of a variation in interest rates is on the bank's net interest income, while a long term impact is on the bank's net worth since the economic value of bank's assets, liabilities and off-balance sheet exposures are affected. Thus, interest rate risk should be managed from a holistic approach with proper monitoring and attention. Managing interest rate risk requires a clear understanding of the amount of risk and the impact of changes in interest rates on this risk position. To make these determinations, sufficient information must be readily available to permit appropriate action to be taken within acceptable time frame. In order to ensure efficient management, use of appropriate measurement techniques is vital which include gap analysis, duration analysis, simulation analysis etc. However, before all each bank needs to develop and implement effective and comprehensive procedures and information systems to manage and control interest rate risk in accordance with its interest rate risk policies. Foreign Exchange Risk Foreign exchange risk is the current or prospective risk to earnings and capital arising from adverse movements in currency exchange rates emanating from trading in foreign currencies through spot, forward and option transactions as a market maker or position taker, holding foreign currency positions in the banking book (e.g. in the form of loans, bonds, deposits or cross-border investments) and engaging in derivative transactions that are denominated in foreign currency for trading or hedging purposes. Managing foreign exchange risk involves prudent management of foreign currency positions in order to control the impact of changes in exchange rates on the financial position of the bank. A comprehensive foreign exchange risk management program requires establishing and implementing sound and prudent foreign exchange risk management policies and developing and implementing appropriate and effective foreign exchange risk management and control procedures. A bank should establish a written policy on foreign exchange risk that includes foreign exchange risk principles and objectives, foreign exchange risk limits and delegation of authority. Foreign exchange management and control procedure need to include measurement of foreign exchange risk, control of foreign exchange activities, independent inspection and audit etc.

Equity Risk Equity price risk is the risk of losses caused by changes in equity prices. These losses could arise because of changes in the value of listed shares held directly by the bank; changes in the value of listed shares held by a banks subsidiary; changes in the value of listed shares used as collateral for loans from a bank or a bank subsidiary, whether or not the loan was made for the purpose of buying the shares; and changes in the value of unlisted shares. Equity price risk associated with equities could be systematic or unsystematic. The former refers to sensitivity of portfolio's value to changes in overall level of equity prices, while the later is associated with price volatility that is determined by firm specific characteristics. Banks need to have security/equity analysts and portfolio management experts to take judicious decision. Sound portfolio management involves prudent management of risk/reward relationship and controlling and minimizing portfolio risks across a variety of dimensions such as quality, portfolio concentration/diversification, maturity, volatility, marketability, type of security, and the need to maintain adequate liquidity. For a comprehensive securities management program, banks need to have well documented securities portfolio management policies, portfolio management process, portfolio monitoring and controlling procedure, portfolio management control and independent inspection on internal and regulatory compliance. Again there should be portfolio concentration limit along with transaction approval authorities to keep the risk in a tolerable level. Globally different tools are used in measuring equity price risk such as VaR (Value at Risk), variance-covariance method, historical simulation method etc. These methods are used to predict maximum loss over a target horizon within a given confidence level. Management of Liquidity Risk Liquidity risk is the potential for loss to a bank arising from either its inability to meet its obligations as they fall due or to fund increases in assets as they fall due without incurring unacceptable cost or losses. Liquidity risk arises when the cushion provided by the liquid assets are not sufficient enough to meet maturing obligations. Banks with large off-balance sheet exposures or those rely heavily on large corporate deposits have relatively high level of liquidity risk. Further, banks experiencing a rapid growth in assets should have major concerns for liquidity. Basel Committee on Banking Supervision (BCBR) also gives due consideration to liquidity in Basel-III capital adequacy framework. Considering its importance, BB also started monitoring liquidity profile of the banks in regular interval. Liquidity risk management involves not only analyzing banks on and off-balance sheet positions to forecast future cash flows but also how the funding requirement would be met. The later involves identifying the funding market the bank has access, understanding the nature of those markets, evaluating banks current and future use of the market and monitor signs of confidence erosion. While devising liquidity management strategy, banks should consider specific policies on composition of assets and liabilities, diversification and stability of liabilities, managing liquidity in different currencies etc. In order to measure liquidity position and predict liquidity needs banks can use different tools like maturity ladder, liquidity ratios and limits and contingency funding plan etc. Management of Operational Risks Operational risk is defined as the risk of unexpected losses due to physical catastrophe, technical failure and human error in the operation of a bank, including fraud, failure of management,

internal process errors and unforeseeable external events. Operational risk can be subdivided into two components: operational strategic risk and operational failure risk. Operational strategic risk arises from environmental factors such as a new competitor that changes the business paradigm, a major political and regulatory regime change, and other factors that are generally outside the control of the bank. On the other hand, operational failure risk arises from the potential for failure in the course of operating the business emanating from people, process and technology. Operational strategic risks can be managed through proper strategic planning on market scenario while operational failure risk can be managed through internal control and internal audit, code of conduct, delegation of authority, segregation of duties, compliance, succession planning, mandatory leave, staff compensation, recruitment and training, complaint handling, record keeping etc. Adoption of operational risk management tools ultimately helps the bank to minimize internal and external fraud, damage to physical assets, business disruption and system failure and can take the advantage of changing business environment. Capital Management Capital management plays the most crucial rule under Basel-II capital adequacy framework. Capital management refers to implementing measures to maintain adequate capital. It helps to ensure that bank has sufficient capital to cover minimum risks under Pillar-I as well as capital required under supervisory review process (Pillar-II) through Internal Capital Adequacy assessment Process (ICAAP). In order to ensure sound capital management, bank should set an appropriate level of capital target for short-term, medium-term and long-term and develop a capital plan to achieve the business target considering BBs regulatory capital requirement, coverage of unexpected losses up to certain probability of occurrence (economic capital), expected asset growth and profitability, dividend policy and stress test scenarios. For the same, banks need to have the policy of capital rationing in each business segment considering their risk weights. While PSEs, banks, NBFIs and corporate exposures carry variable risk weight (depending on the credit rating of the counter-parties by ECAIs), others carry fixed risk weight. Capital rationing should be started with a sound capital allocation process. Capital requirements against operational and market risks are usually centrally controlled while capital allocation against credit risk is to be based on business line wise, sector-wise and more importantly branch wise. It is quite evident from the above discussion that there will be a complete demarcation between a bank which has a sound risk management system and a bank which does not have the same. However, successful implementation of sound risk management mechanism can only be ensured through an active oversight of Board of directors and senior management, adequate policies, procedures and limits, adequate risk management, monitoring and information system, comprehensive internal control and above all sound and trained human resource base to take the lead. Only then risk management can be turned into a profit center from a so called cost center!

[This article is an abridged version of the upcoming week long training course of CRISL titled Implementation of Mandatory Risk Management Guideline for Banks] The Author is the Chief Rating Officer of Credit Rating Information and Services Ltd. and Director Academic Affairs of CCFA Program. raihan@crislbd.com