| Risk Management is a hot topic in the financial | | | | assessments is done to determine the relative |
| sector especially in the light of the recent losses | | | | potential for loss in programs and functions and to |
| of some multinational corporations e.g. collapses of | | | | design the most cost-effective and productive |
| Britain's Barings Bank, WorldCom and also due to | | | | internal controls.III. Control Activities,Control |
| the incident of 9/11. Rapid changes in business | | | | activities mean the structure, policies, and |
| condition, restructuring of organizations to cope | | | | procedures, which an organization establishes so |
| with ever increasing competition, development of | | | | that identified risks do not prevent the |
| new products, emerging markets and increase in | | | | organization from reaching its objectives. |
| cross border transactions along with complexity | | | | Policies, procedures, and other items like job |
| of transactions has exposed Financial Institutions | | | | descriptions, organizational charts and supervisory |
| to new risks dimensions. Thus the concept of risk | | | | standards, do not, of course, exist only for |
| has captured a growing importance in modern | | | | internal control purposes. These activities are basic |
| financial society.By facilitating transactions and | | | | management practices.IV. Information and |
| making credit and other financial products | | | | Communication, andOrganizations must be able to |
| available, the financial sector is a crucial building | | | | obtain reliable information to determine their risks |
| block for private as well as public sector | | | | and communicate policies and other information to |
| development. In its broadest definition, it includes | | | | those who need it. Information and |
| everything from banks, stock exchanges, and | | | | communication, the fourth component of internal |
| insurers, to credit unions, microfinance institutions | | | | control, articulates this factor.V. MonitoringLife is |
| and moneylenders. As an efficient service | | | | change; internal controls are no exception. |
| provider, the financial sector simultaneously fulfils | | | | Satisfactory internal controls can become obsolete |
| an important function in the overall economy. | | | | through changes in external circumstances. |
| Various types of Financial Institutions actively | | | | Therefore, after risks are identified, policies and |
| working in Financial Sectors include Banks, DFIs, | | | | procedures put into place, and information on |
| Micro Finance Banks, Leasing Companies, | | | | control activities communicated to staff, superiors |
| Modarabas, Assets Management Company, Mutual | | | | must then implement the fifth component of |
| Funds, etc.Thus today's operating environment | | | | internal control, monitoring.Even the best internal |
| demands systematic and more integrated risk | | | | control plan will be unsuccessful if it is not followed. |
| management approach.Risk:Risk by default has | | | | Monitoring allows the management to identify |
| tow components; uncertainty and exposure. If | | | | whether controls are being followed before |
| both are not present, there is no risk. Definition of | | | | problems occur. In the same way, management |
| Risk as per Guidelines on Risk Management issued | | | | must review weaknesses identified by audits to |
| by State Bank of Pakistan is, "Financial risk in a | | | | determine whether related internal controls need |
| banking organization is possibility that the outcome | | | | revision.Tools for Monitoring of RiskManagement |
| of an action or event could bring up adverse | | | | Information SystemM.I.S or Management |
| impacts. Such outcomes could either result in a | | | | Information System is the collection and analysis |
| direct loss of earnings / capital or may result in | | | | of data in order to support management's |
| imposition of constraints on bank's ability to meet | | | | decision with respect to the achievement of |
| its business objectives. Such constraints pose a | | | | objectives mentioned in the policies and |
| risk as these could hinder a bank's ability to | | | | procedures and the control of various risks |
| conduct its ongoing business or to take benefit of | | | | therein.It is this area i.e. M.I.S, where I.T can play a |
| opportunities to enhance its business."Types of | | | | vital and effective role as with the help of I.T |
| Risks:Risks are usually defined by the adverse | | | | large information may be analyzed efficiently and |
| impact on profitability of several distinct sources | | | | with accuracy, so that effective decision may be |
| of uncertainty. More or less all financial institutions | | | | taken by the management without the loss of |
| have to manage the following faces of risks:1. | | | | any time.Asset-Liability Management Committee |
| Credit Risk | | | | (ALCO)In most cases, day-to-day risk |
| 2. Market Risk | | | | assessment and management is assigned to a |
| 3. Liquidity Risk | | | | specialized committee, such as an Asset-Liability |
| 4. Operational Risk | | | | Management Committee (ALCO). Duties pertaining |
| 5. Country Risk | | | | to key elements of the risk management process |
| 6. Legal Risks | | | | should be adequately separated to avoid potential |
| 7. Compliance Risk | | | | conflicts of interest - in other words, a financial |
| 8. Reputational RiskBroadly speaking there are | | | | institution's risk monitoring and control functions |
| four risks as per Risk Management Guidelines | | | | should be sufficiently independent from its |
| which surround Financial Sector i.e. Credit Risk, | | | | risk-taking functions. Larger or more complex |
| Market Risk, Liquidity Risk and Operational Risk. | | | | institutions often have a designated, independent |
| These risk are elaborated here under:i. Credit | | | | unit responsible for the design and administration |
| RiskThis is the risk incurred in case of a | | | | of balance sheet management, including interest |
| counter-party default. It arises from lending | | | | rate risk. Given today's widespread innovation in |
| activities, investing activities and from buying and | | | | banking and the dynamics of markets, banks |
| selling financial assets on behalf of others. This risk | | | | should identify any risks inherent in a new product |
| is associated with financing transactions i.e.:a. | | | | or service before it is introduced, and ensure that |
| Default in repayment by the borrower and | | | | these risks are promptly considered in the |
| b. Default in obliging the commitment by another | | | | assessment and management process.Corporate |
| Financial Institution in case of syndicated | | | | Governance PrinciplesCorporate governance |
| arrangements.It is the most critical risk in banking | | | | relates to the manner in which the business of |
| and one that must be managed carefully. It is also | | | | the organization is governed, including setting |
| the risk that requires the most subjective | | | | corporate objectives and a institution's risk profile, |
| judgment despite constant efforts to improve | | | | aligning corporate activities and behaviors with the |
| and quantify the credit decision process.ii. Market | | | | expectation that the management will operate in |
| RiskMarket risk is defined as the volatility of | | | | a safe and sound manner, running day-to-day |
| income or market value due to fluctuations in | | | | operations within an established risk profile, while |
| underlying market factors such as currency, | | | | protecting the interests of depositors and other |
| interest rates, or credit spreads. For commercial | | | | stakeholders. It is defined by a set of relationships |
| banks, the market risk of the stable liquidity | | | | between the institution's management, its board, |
| investment portfolio arises from mismatches | | | | its shareholders, and other stakeholders.The key |
| between the risk profile of the assets and their | | | | elements of sound corporate governance in a |
| funding. This risk involves interest rate risk in all of | | | | bank include:a) A well-articulated corporate |
| its components: equity risk, exchange risk and | | | | strategy against which the overall success and |
| commodity risk.iii. Liquidity RiskThe liquidity risk is | | | | the contribution of individuals can be measured.b) |
| defined as the risk of not being able to meet its | | | | Setting and enforcing clear assignment of |
| commitments or not being able to unwind or | | | | responsibilities, decision-making authority and |
| offset a position by an organization in a timely | | | | accountabilities that are appropriate for the bank's |
| fashion because it cannot liquidate assets at | | | | risk profile.c) A strong financial risk management |
| reasonable prices when required.iv. Operational | | | | function (independent of business lines), adequate |
| RiskThis risk results from inadequacies in the | | | | internal control systems (including internal and |
| conception, organization, or implementation of | | | | external audit functions), and functional process |
| procedures for recording any events concerning | | | | design with the necessary checks and balances.d) |
| bank's operations in the accounting system | | | | Corporate values, codes of conduct and other |
| information systems.Need for Risk Management | | | | standards of appropriate behavior, and effective |
| and Monitoring:There are a number of reasons as | | | | systems used to ensure compliance. This includes |
| to why there is so much emphasis given to Risk | | | | special monitoring of a bank's risk exposures |
| Management in Financial Sector now a day. Some | | | | where conflicts of interest are expected to |
| of them are listed below: -1. Present structure of | | | | appear (e.g., relationships with affiliated parties).e) |
| joint stock companies, wherein owners are not | | | | Financial and managerial incentives to act in an |
| the mangers, hence risks increase; therefore | | | | appropriate manner offered to the board, |
| proper tools are required to achieve the desired | | | | management and employees, including |
| results by covering the risks. | | | | compensation, promotion and penalties. (i.e., |
| 2. The financial sector has come out of simple | | | | compensation should be consistent with the bank's |
| deposit and lending function. | | | | objectives, performance, and ethical values).f) |
| 3. The world has become very complex so the | | | | Transparency and appropriate information flows |
| financial transactions and instruments. | | | | internally and to the public.Tools mentioned above |
| 4. Increase in the number of cross border | | | | can be utilized in identifying and managing different |
| transactions which caries its own risks. | | | | risks in the following manner:I. Credit RiskIt is |
| 5. Emerging markets | | | | managed by setting prudent limits for exposures |
| 6. Terrorism RemittancesRisk monitoring in | | | | to individual transaction, counterparties and |
| financial sector is very crucial and an inevitable | | | | portfolios. Credits limits are set by reference to |
| part of risk management. Risk Monitoring is | | | | credit rating established by Credit Rating Agencies, |
| important in the financial sector due to the | | | | methodologies established by Regulators and as |
| following reasons:1. Deals in others' money | | | | per Board's direction.- Monitoring of per party |
| 2. Direct stake of deposit holder. | | | | exposure |
| 3. Much riskier sector than trading and | | | | - Monitoring of group exposure |
| manufacturing. | | | | - Monitoring of bank's exposure in contingent |
| 4. Previous / Recent problems faced by banks | | | | liabilities |
| i.e. stuck portfolio that is credit risk. | | | | - Bank's exposure in clean facilities |
| 5. Bankruptcy of Barings Bank due to short | | | | - Analysis of bank's exposure product wise |
| selling / long position that is market risk. | | | | - Analysis of concentration of bank's exposure in |
| 6. Operational risk does not has immediate | | | | various segments of economy |
| impact, but important for continuity and progress | | | | - Product profitability reportsII. MarketFinancial |
| of organization. | | | | Institutions should also have an adequate system |
| 7. Appetite of a financial institution to take risk is | | | | of internal controls to oversee the interest rate |
| related with the capital base of the institute so it | | | | risk management process. A fundamental |
| caries a huge risk of over exposure.Components | | | | component of such a system is a regular, |
| of Risk Management Frame WorkRisk | | | | independent review and evaluation to ensure the |
| Management Frame Work has five components. | | | | system's effectiveness and, when appropriate, to |
| First of all risk is Identified, then it is Assessed to | | | | recommend revisions or enhancements.Interest |
| classify, seek solution and management, after | | | | rate risk should be monitored on a consolidated |
| assessing quick Response and implementation of | | | | basis, including the exposure of subsidiaries. The |
| solution and the last phase is Monitoring of the risk | | | | institution's board of directors has ultimate |
| management progress and Learning from this | | | | responsibility for the management of interest rate |
| experience that such problem never occur again. | | | | risk. The board approves the business strategies |
| Whole process is to be well Communicated during | | | | that determine the degree of exposure to risk |
| the entire process of risk management if it is to | | | | and provides guidance on the level of interest rate |
| be managed efficiently.The International | | | | risk that is acceptable to the institution, on the |
| Organization for Standardization (ISO) has defined | | | | policies that limit risk exposure, and on the |
| risk management as the identification, analysis, | | | | procedures, lines of authority, and accountability |
| evaluation, treatment (control), monitoring, review | | | | related to risk management. The board also |
| and communication of risk. These activities can be | | | | should systematically review risk, in such a way |
| applied in a systematic or ad hoc manner. The | | | | as to fully understand the level of risk exposure |
| presumption is that systematic application of | | | | and to assess the performance of management |
| these activities will result in improved | | | | in monitoring and controlling risks in compliance |
| decision-making and, most likely, improved | | | | with board policies. Reports to senior management |
| outcomes.Structure of Risk | | | | should provide aggregate information and a |
| ManagementDepending upon the structure and | | | | sufficient level of supporting detail to facilitate a |
| operations of organization, financial risk | | | | meaningful evaluation of the level of risk, the |
| management can be implemented in different | | | | sensitivity of the bank to changing market |
| ways. Risk management structure defines the | | | | conditions, and other relevant factors.The Asset |
| different layers of an organization at which risk is | | | | and Liability Committee (ALCO) plays a key role in |
| identified and managed. Although there are | | | | the oversight and coordinated management of |
| different layers or level at which risk is managed | | | | market risk. ALCOs meet monthly. Investment |
| but there are three layers which are common to | | | | mandates and risk limits are reviewed on a |
| all. i.e.Risk ManagementFor managing risk there are | | | | regular basis, usually annually to ensure that they |
| certain basic principles which are to be followed by | | | | remain valid.Risk Management and Risk BudgetsA |
| every organization:1. Corporate level Policies | | | | risk budget establishes the tolerance of the board |
| 2. Risk management strategy | | | | or its delegates to income or capital loss due to |
| 3. Well-defined policies and procedures by senior | | | | market risk over a given horizon, typically one |
| management | | | | year because of the accounting cycle. (Institutions |
| 4. Dissemination, implementation and compliance | | | | that are not sensitive to annual income |
| of policies and procedures | | | | requirements may have a longer horizon, which |
| 5. Accountability of individuals heading various | | | | would also allow for a greater degree of freedom |
| functions/ business lines | | | | in portfolio management.). Once an annual risk |
| 6. Independent Risk review function | | | | budget has been established, a system of risk |
| 7. Contingency plans | | | | limits needs to be put in place to guard against |
| 8. Tools to monitor risksInstitutions can reduce | | | | actual or potential losses exceeding the risk |
| some risks simply by researching them. A bank | | | | budget. There are two types of risk limits, and |
| can reduce its credit risk by getting to know its | | | | both are necessary to constrain losses to within |
| borrowers. A brokerage firm can reduce market | | | | the prescribed level (the risk budget).The first |
| risk by being knowledgeable about the markets it | | | | type is stop-loss limits, which control cumulative |
| operates in.Functionally, there are four aspects of | | | | losses from the mark-to-market of existing |
| financial risk management. Success depends | | | | positions relative to the benchmark. The second is |
| uponA. A positive corporate culture,No one can | | | | position limits, which control potential losses that |
| manage risk if they are not prepared to take risk. | | | | could arise from future adverse changes in |
| While individual initiative is critical, it is the | | | | market prices. Stop-loss limits are set relative to |
| corporate culture which facilitates the process. A | | | | the overall risk budget. The allocation of the risk |
| positive risk culture is one which promotes | | | | budget to different types of risk is as much an |
| individual responsibility and is supportive of risk | | | | art as it is a science, and the methodology used |
| taking.B. Actively observed policies and | | | | will depend on the set-up of the individual |
| proceduresUsed correctly, procedures are | | | | investment process. Some of the questions that |
| powerful tool of risk management. The purpose | | | | affect the risk allocation include the following:* |
| of policies and procedures is to empower people. | | | | What are the significant market risks of the |
| They specify how people can accomplish what | | | | portfolio? |
| needs to be done. The success of policies and | | | | * What is the correlation among these risks? |
| procedures depends critically upon a positive risk | | | | * How many risk takers are there? |
| culture.C. Effective use of technologyThe primary | | | | * How is the risk expected to be used over the |
| role technology plays in risk management is risk | | | | course of a year?Compliance with stop-loss limits |
| assessment and communication. Technology is | | | | requires frequent, if not daily, performance |
| employed to quantify or otherwise summarize | | | | measurement. Performance is the total return of |
| risks as they are being taken. It then | | | | the portfolio less the total return of the |
| communicates this information to decision makers, | | | | benchmark. The measurement of performance is |
| as appropriate.D. Independence or risk | | | | a critical statistic for monitoring the usage of the |
| management professionalsTo get the desired | | | | risk budget and compliance with stop-loss limits. |
| outcome from risk management, risk managers | | | | Position limits also are set relative to the overall |
| must be independent of risk taking functions | | | | risk budget, and are subject to the same |
| within the organization. Enron's experience with | | | | considerations discussed above. The function of |
| risk management is instructive. The firm | | | | position limits, however, is to constrain potential |
| maintained a risk management function staffed | | | | losses from future adverse changes in prices or |
| with capable employees. Lines of reporting were | | | | yields.III. Liquidity RiskThe Basel Committee has |
| reasonably independent in theory, but less so in | | | | established certain quantitative standards for |
| practice.Internal ControlsPara one on first page of | | | | internal models when they are used in the capital |
| the 'Guidelines on Internal Controls' issued by SBP | | | | adequacy context.a. Allocation of capital into |
| provides:"Internal Control refers to policies, plans | | | | various types of business after taking into |
| and processes as affected by the Board of | | | | account the operational risks i.e. disruption of |
| Directors and performed on continuous basis by | | | | business activity, which has especially increased |
| the senior management and all levels of | | | | due to excessive EDP usage |
| employees within the bank. These internal controls | | | | b. Allocation of the capital is also made amongst |
| are used to provide reasonable assurance | | | | various products i.e. long term, short term, |
| regarding the achievement of organizational | | | | consumer, corporate etc. considering the risks |
| objectives. The system of internal controls | | | | involved in each product and its life cycle to avoid |
| includes financial, operational and compliance | | | | any liquidity crunch for which gap analysis is made. |
| controls."The current official definition of internal | | | | This is the job of ALCO |
| control was developed by the Committee of | | | | c. For instance Contingent liabilities not more than |
| Sponsoring Organization (COSO) of the Treadway | | | | 10 times of capital, |
| Commission. In its influential report, Internal | | | | d. Fund based not more than 6 times of capital |
| Control - Integrated Framework, the Commission | | | | e. Capital market operations not more than 1 |
| defines internal control as follows:"Internal control | | | | time of capital |
| is a process, effected by an entity's Board of | | | | f. However these limits cannot exceed the |
| Directors, management and other personnel, | | | | regulations. |
| designed to provide reasonable assurance | | | | g. Parameters of controls |
| regarding the achievement of objectives in the | | | | - Regulatory Requirements |
| following categories: Effectiveness and | | | | - Board's directions |
| efficiency of operations. | | | | - Prudent practicesFor liquidity management |
| Reliability of financial reporting. | | | | organizations are compelled to hold reserves for |
| Compliance with applicable laws and | | | | unexpected liquidity demands. The ALCO has |
| regulations.This definition reflects certain | | | | responsibility for setting and monitoring liquidity risk |
| fundamental concepts: Internal control is | | | | limits. These limits are set by Regulatory Bodies |
| a process. It is a means to an end, not an end in | | | | and under Board's directions keeping in mind the |
| itself. | | | | market condition and past experience.The Basel |
| Internal control is effected by people. | | | | Accord comprises a definition of regulatory capital, |
| It is not policy manuals and forms, but people at | | | | measures of risk exposure, and rules specifying |
| every level of an organization. | | | | the level of capital to be maintained in relation to |
| Internal control can be expected to | | | | these risks. It introduced a de facto capital |
| provide only reasonable assurance, not absolute | | | | adequacy standard, based on the risk-weighted |
| assurance, to an entity's management and | | | | composition of a bank's assets and |
| board.Internal control should assist and never | | | | off-balance-sheet exposures that ensures that an |
| impede management and staff from achieving | | | | adequate amount of capital and reserves is |
| their objectives. Control must be taken seriously. | | | | maintained to safeguard solvency. The 1988 Basel |
| A well-designed system of internal control is | | | | Accord primarily addressed banking in the sense |
| worse than worthless unless it is complied with, | | | | of deposit taking and lending (commercial banking |
| since the assemblance of control will be likely to | | | | under US law), so its focus was credit risk.In the |
| convey a false sense of assurance. Controls are | | | | early 1990s, the Basel Committee decided to |
| there to be kept, not avoided. For instance, | | | | update the 1988 accord to include bank capital |
| exception reports should be followed up. Senior | | | | requirements for market risk. This would have |
| management should set a good example about | | | | implications for non-bank securities firms.Thus, the |
| control compliance. For instance, physical access | | | | formula for determining capital adequacy can be |
| restrictions to secure areas should be observed | | | | illustrated as follows:= Tier I + Tier 2 + Tier 3 *- |
| equally by senior management as by junior | | | | 8% .Risk-weighted Assets + (Market Risk Capital |
| personnel.Components of Internal | | | | Charge x 12.5)IV. Operational RiskTo manage this |
| ControlsComponents of internal control also | | | | risk documented policies and procedures are |
| depend upon the structure of the business unit | | | | established. In addition, regular training is provided |
| and nature of its operation. The COSO Report | | | | to ensure that staffs are well aware of |
| describes the internal control process as consisting | | | | organization's objective, statutory requirements.- |
| of five interrelated components that are derived | | | | Reporting of major/ unusual/ exceptional |
| from and integrated with the management | | | | transactions with respect to ensuring the |
| process. The components are interrelated, which | | | | compliance of the principles of KYC and |
| means that each component affects and is | | | | Anti-money laundering measure |
| affected by the other four. These five | | | | - Analysis of system problemsConclusionFor any |
| components, which are the necessary foundation | | | | business to grow and stay in the market |
| for an effective internal control system, include:I. | | | | management style is a key and Risk management |
| Control Environment,Control environment, an | | | | is basically the management style of managing the |
| intangible factor and the first of the five | | | | risks.It is so important and that State Bank of |
| components, is the foundation for all other | | | | Pakistan plans to replace Prudential Regulations |
| components of internal control, providing discipline | | | | with Risk management guidelines, which will be |
| and structure and encompassing both technical | | | | adopted by banks according to their size and |
| competence and ethical commitment.II. Risk | | | | complexity of operations.Risk is inherent in every |
| Assessments,Organizations exist to achieve some | | | | business and every organization has to manage it |
| purpose or goal. Goals, because they tend to be | | | | according to its size and nature of operation |
| broad, are usually divided into specific targets | | | | because without it no organization no organization |
| known as objectives. A risk is anything that | | | | can survive in long run. |
| endangers the achievement of an objective. Risk | | | | |