8/8/2019 Risk Management Day 3
1/84
Risk Management Day 3
Objective
To know about the theoretical aspects relating to risk management
Syllabus Day 3
Risk Management:
Methodology of Risk Management, Insurance Cover, Ten Steps of Making risk management work, Ten attributes of a World-Class Risk Management
Culture, Enterprise Risk Management, Integrated risk management, Risk management in Banking
COSO
Internal Control Framework
An Overview
COSO Definition of Internal Control
Internal control is a process, effected by an entity's board of directors,
management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:
Reliability of financial reporting
Compliance with applicable laws and regulations
Effectiveness and efficiency of operations
COSO Internal Controls Key Concepts
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
Business Risk Management
Risk Management Architecture
Risk Management Architecture
Risk Management Is An Individual Decision
No one "right" decision
The "right" decision depends on the characteristics of the operation and individual decision-maker
[Figure: axes Risk and Revenue; labels 1, 2, 3]
Prioritizing Which Risks to Address First
[Figure: 2x2 matrix. Axes: Probability of Happening (Low to High) and Potential Impact (Small to Catastrophic). Cell labels: Act if cost-effective; No action required; Immediate action; Action required]
Risk Management
Risk Management is the Identification,
Analysis and Economic Control of those
RISKS which can Threaten the Assets (Property, Human) or the Earning
Capacity of an Enterprise
Process of Risk Management
Risk Identification
Risk Measurement
Risk Control
Risk Transfer
Risk Financing
Risk Retention
Risk Assessment
[Figure: matrix of Probability against Financial Impact, with regions Very High Risk, High Risk, Medium Risk and Low Risk]
FINANCIAL IMPACT: Threshold limit to be decided based on size of the corporate
PROBABILITY OF OCCURRENCE: Organization history & industry experience to be considered
Handling Risk
Risk Levels
Low & Medium: Normal monitoring at the operational level
High: Close control of all potential contributing factors by the Risk Management Team
Very High: Risks of this level should be actively tracked for decisions by the Risk Management Committee.
Risk Management
Risk management is present in all aspects of life;
it is about everyday trade off between an
expected reward and potential danger
In the business world, risk is often associated with some variability in financial outcomes.
However, the notion of risk is much larger.
Risk management is an attempt to identify,
measure, monitor and manage uncertainty
Risk Management Process
Identify risk and risk management goals
Gather relevant and comprehensive data to determine the extent and nature of risk exposures
Analyse the risk exposures
Construct a risk management plan comprising appropriate
risk treatment methods
Implement the plan
Monitor the plan and outcome of the implementation
Seven Challenges for Risk Management
Confusion regarding the concept of risk.
Completely avoidable human errors in subjective judgments of risk.
Entirely ineffectual but popular subjective scoring methods.
Misconceptions that block the use of better, existing methods.
Recurring errors in even the most sophisticated models.
Institutional factors.
Unproductive incentive structures.
Enterprise Risk Management - COSO Definition
a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
What is Risk Management
a process and a means to an end, not an end in itself;
effected by people and involving people at every level of the organization;
applied in strategy setting and at every level across the enterprise and taking an entity level portfolio view of risks;
designed to identify events that potentially affect the entity and manage risk within its risk appetite;
provides reasonable assurance to an entity's management and board;
also geared to the achievement of objectives in one or more separate and overlapping categories.
Risk Management
Risk refers to the uncertainty that surrounds future
events and outcomes. It is the expression of the
likelihood and impact of an event with the potential to
influence the achievement of an organization's
objectives.
Risk management is a systematic approach to setting
the best course of action under uncertainty by
identifying, assessing, understanding, acting on and
communicating risk issues
Eight Components of ERM
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
Internal Environment
This component reflects an entity's enterprise risk
management philosophy, risk appetite, board
oversight, commitment to ethical values, competence
and development of people, and assignment of
authority and responsibility. It encompasses the tone
at the top of the enterprise and influences the
organization's governance process and the risk and
control consciousness of its people.
Objective Setting
Strategic: high-level goals, aligned/supporting the mission/vision;
Operations: effectiveness and efficiency of the entity's operations;
Reporting: internal/external reporting of financial/non-financial risk;
Compliance: compliance with applicable laws and regulations.
Event Identification
Management identifies potential events that
may positively or negatively affect an entity's
ability to implement its strategy and achieve its
objectives and performance goals. Potentially negative events represent risks that provide a
context for assessing risk and alternative risk
responses. Potentially positive events represent
opportunities, which management channels back into the strategy and objective-setting
processes.
Risk assessment
Management considers qualitative and
quantitative methods to evaluate the
likelihood and impact of potential events,
individually or by category, which might affect the achievement of objectives over
a given time horizon
Risk response
Management considers alternative risk
response options and their effect on risk
likelihood and impact as well as the
resulting costs versus benefits, with the goal of reducing residual risk to desired
risk tolerances. Risk response planning
drives policy development
OUTCOME OF RISK & CONTROL EVALUATION = Risk Prioritization
[Figure: 2x2 matrix of LIKELIHOOD (LOW to HIGH) against IMPACT (LOW to HIGH), with cells LOW RISK / LOW IMPACT, LOW RISK / HIGH IMPACT, HIGH RISK / LOW IMPACT and HIGH RISK / HIGH IMPACT]
Control activities
Management implements policies and
procedures throughout the organization, at
all levels and in all functions, to help
ensure that risk responses are properly executed
Information and communication
The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management and this component delivers it
Monitoring
Ongoing activities and/or separate
evaluations assess both the presence and
functioning of enterprise risk management
components and the quality of their performance over time
How to Address the RISKS
Avoid - ceasing to operate in that area of activity.
Transfer - transfer an element of the risk to a
third party
Mitigate - to mitigate either the likelihood
or the impact of the risk (Diversification)
Accept - after considering cost / likely benefits. (As the price of doing the business)
Changing face of risk management
Risk management is not just about avoiding downside. It's about realising potential opportunities and achieving objectives.
Failure to manage risk compromises a company's ability to succeed, turning strategic goals into own goals.
Definition of Internal Control Deficiency
May consist of either a design or operating deficiency:
A design deficiency exists when:
A necessary control is missing OR
An existing control is not properly designed so that even when the control is operating as designed the control objective is not always met
An operating deficiency exists when:
A properly designed control is not operating as designed OR
The person performing the control does not possess the necessary authority or qualifications to perform the control effectively
Range from inconsequential internal control deficiencies to material weaknesses
Definition of Significant Deficiency
An internal control deficiency that could adversely affect the entity's ability to initiate, record, process and report financial data consistent with the assertions of management in the financial statements
Could arise from a single deficiency or an aggregation of deficiencies
Definition of Material Weakness
A significant deficiency in one or more of the internal control components that alone or in the aggregate precludes the entity's internal control from reducing to an appropriately low level the risk that material misstatements in the financial statements will not be prevented or detected in a timely manner
Responsibility for Internal Controls
Who is Responsible for the Design and Effectiveness of Internal Controls?
Management is responsible for the control design and assessment of internal controls within their areas of responsibility. This responsibility cannot be delegated or outsourced.
COSO Internal Control Framework
1. Consists of three objectives:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
2. Consists of five components:
Control environment
Risk assessment
Control activities
Information/Communication
Monitoring
3. Requires an entity level focus and an activity level focus
[Figure: COSO cube. Components: Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment. Objectives: Operations, Financial Reporting, Compliance. Units and activities: Unit A, Unit B, Activity 1, Activity 2, Activity 3]
The COSO Framework's Three Dimensions Provide Criteria for Evaluating Internal Controls
Control Environment
The control environment sets the tone of the organization,
influencing the control consciousness of its people. It is the
foundation for all other components of internal control, providing
discipline and structure.
Control environment factors include:
Integrity and ethical values
Commitment to competence
Board of Directors or Audit Committee
Management philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and procedures
Control Environment
Risks to integrity and ethical values for financial reporting practices:
Incentives
Pressure to meet unrealistic performance targets, particularly for short-term results
High performance-dependent rewards
Upper and lower cutoffs on bonus plan
Temptations
High decentralization with top management unaware of actions taken at lower organizational levels
Weak internal control function does not detect and report improper behavior
Penalties for improper behavior are insufficient to deter temptations
Risk Assessment
Risk assessment is the identification
and analysis of relevant risks to
achievement of the objectives, forming a basis for determining how the risks
should be managed.
Risk Assessment
Objectives (i.e. assertions) must be established before risks to their achievement can be identified and the necessary actions taken to manage those risks.
By setting objectives, both at entity and activity levels, prior to a risk assessment, a company can determine the critical success factors, then determine the risks to the critical success factors.
A risk assessment usually includes:
Estimating the significance of a risk
Assessing the likelihood (or frequency) of the risk occurring
Consideration of how the risk should be managed
Control Activities
Control activities are the policies and procedures that help ensure
management directives are carried out. They help to ensure that necessary
actions are taken to address risks to achievement of the entity's objectives.
Control activities occur throughout the organization, at all levels and in all
functions.
Control activities include:
Approvals
Authorizations
Verifications
Reconciliations
Reviews of operating performance
Security of assets
Segregation of duties
Control Classification
Internal controls can be classified as either Preventive or Detective.
Preventive controls focus on preventing errors or exceptions. Such preventive controls are:
Standard policies and procedures
Proper segregation of duties
Authorization levels/approvals
Detective controls are designed to identify an error or exception after it has occurred. Such detective controls are:
Exception reports
Reconciliations
Periodic audits
Control Activities
During an evaluation, you should consider
not only whether established control
activities are relevant to the risk-
assessment process, but also whether they
are being applied properly.
(Meaning: Designed effectively and
operating effectively)
Information and Communication
When evaluating the information and communication of an entity, one should consider:
Information
Obtaining external and internal information and providing management with necessary reports on the entity's performance relative to established objectives.
Providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities effectively and efficiently.
Communication
Adequacy of communication across the organization and the completeness and timeliness of information.
Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information.
Information and Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.
Information systems produce reports, containing operational, financial and compliance related information, that make it possible to run and control the business.
Information: Information is needed at all levels of an organization to run the business, and move toward achievement of the entity's objectives in all categories. This will include:
Operational reports to management to ensure effective and efficient use of resources
Financial reports detailing the performance of the company used by company management and external parties.
Communication: Communication must take place, dealing with expectations, responsibilities and other important matters.
Monitoring
Monitoring is the process of assessment by
appropriate personnel of the design and operation of
controls on a suitably timely basis, and taking
necessary actions.
It applies to all activities within an organization, and
sometimes to outside contractors as well. This may
include outsourced cash collections (lockbox),
outsourced payment processing (A/P through
Shared Services Center) or waste management
(compliance with EPA regulations).
Monitoring can be done in two ways:
1. Ongoing Activities
2. Separate Evaluations
Monitoring
Two ways to do monitoring:
1. Ongoing Activities: Activities to monitor the effectiveness of internal controls in the ordinary course of operations. These include regular management and supervisory activities, comparisons, reconciliations and other routine actions.
Example - Data recorded by information systems are compared with physical assets. Finished product inventories are examined periodically and counts are then compared with accounting records and differences reported.
2. Separate Evaluations: Evaluations of internal controls performed by management and/or internal audit. Controls addressing higher-priority risks and those most critical to reducing a given risk will tend to be evaluated more often.
Internal Controls
Internal Control Defined
Internal controls are the policies and procedures
that, when implemented effectively and efficiently, help minimize or reduce the impact of risk on a
company or business process to an acceptable
level.
Significant Controls
Controls over initiating, recording, processing and reporting significant account balances, classes of transactions and disclosures, and the related assertions embodied in financial statements
Antifraud programs and controls
Controls, including general controls, on which other significant controls are dependent
Each significant control in a group of controls that functions together to achieve a control objective
Controls over significant routine and nonsystematic transactions (such as accounts involving judgments and estimates)
Controls over the period-end financial reporting process, including controls over procedures used to:
Enter transaction totals into the general ledger
Initiate, record and process journal entries in the general ledger
Record recurring and nonrecurring adjustments to the financial statements
Integrated Risk Management
It is diagnostic.
It is designed to support optimal
investment.
It is transaction cost based.
It is inclusive.
It is coordinated but discriminating.
Risk Management in Banking
WHAT IS RISK
Every action has a reaction
If reaction is for our benefit; no worry and no risk
If it is against our interest, only then are we worried, and that is risk
Risk is therefore the possibility of a negative result for our actions
Could be due to us or beyond us
RISK Contd
Risk is supposed to be derived from "risicare", which means "to dare"
Daring is to take steps recognising the potential for loss
The extent of this behaviour is taker-specific
More risk is taken in view of potential for higher yield
RISK Contd
Due to risk, either profits and capital may grow multifold or the business may be wiped out
Nevertheless, we cannot be a risk-free/risk-averse banker, like a ship in a port
Banking is therefore risk management
RISK Contd
Return is therefore related to risk
Returns from businesses are to be adjusted for risks for comparability - this is RAROC
BANKING BUSINESS
Business is broadly divided into on balance
sheet and off balance sheet activities.
On balance sheet activities are banking book
(deposits & advances) and trading book (investments)
Banking book has no market risk
Risks common to both books are credit,
operational
RISK MANAGEMENT
Identification
Measurement
- Sensitivity
- Volatility
- Downside potential
Pricing covering
- Cost of resources
- Cost of operations
- Risk premium
- Capital charge
Monitoring and control
Mitigation
Transferring
MARKET RISK
Has a component of credit risk in addition to
price, liquidity and interest rate risks
Liquidity risk can also be due to markets
RISK IN INVESTMENTS IS MEASURED THROUGH BPV, MODIFIED DURATION, VaR AND YIELD
AND PRICE VOLATILITIES
MONITORING & CONTROL AND
MITIGATION
Monitoring
Policy guidelines for various activities
Caps for transaction sizes, stop loss limits,
guidelines on portfolio sizes both type and industry, exposure norms
Mitigation through derivatives
Components of Bank Balance Sheet
Liabilities
Capital
Reserves and Surplus
Deposits
Borrowings
Other Liabilities
Components of Bank Balance Sheet
Assets
Cash and Balances with RBI
Balances with Banks, Money at Call and Short Notice
Investments
Advances
Fixed Assets
Other Assets
Bank's Profit and Loss
Income
- Interest Earned
- Other Income
Expenses
- Interest Paid
- Operating Expenses
- Provisions
- Taxes
Risk in Banking Business
Three major heads for the purposes of
Risk Management
Banking Book
Trading Book
Off Balance Sheet Exposures
Banking Business
Characteristics of Assets and Liabilities:
They are normally held till maturity
Accrual system of accounting is adopted
Since Assets and Liabilities are held till maturity, their mismatch may lead to cash inflow (excess) or cash shortage at a particular point of time. This is normally denoted as Liquidity Risk
Banking Book
Due to change in interest rates, assets and liabilities are subject to interest rate risks or re-pricing
Assets side of the balance sheet generates credit risk arising from defaults in payment of interest or installments by the borrowers
Banking book also suffers from Operational Risk
Trading Book
The trading book includes all the assets
that are held with the intention of trading,
which are marketable.
These assets are classified as Held for Trading
These assets are subjected to Market Risk
and marked to market (MTM)
Off Balance Sheet Exposures
Off Balance Sheet exposure is contingent in nature, e.g. Letter of Credit, Bank Guarantees
A contingent exposure may become fund based exposure in Banking Book or Trading Book
Thus these exposures may have liquidity, interest rate, market, credit or default risks and operational risks
Balance Sheet Risk
Credit Risk
- Concentration Risks (Industry / Geographic)
- Intrinsic Risks (Credit Card, Merchant Banking)
Market Risk
- Interest Rate Risk
- Liquidity Risk
- Currency Risk
- Commodities Risk
Interest rate Risk
Price Risk
Reinvestment Risk
Gap Risk
Yield Curve Risk
Basis Risk
Credit Risk
Credit risk is the possibility of losses associated with changes in credit profiles of borrowers or third parties
It involves the inability or unwillingness of a borrower to meet the obligations
Credit Risk is made up of
Transaction Risk - Concentration, Intrinsic
Portfolio Risk - Downgrade, Default
Operational Risk
Credit Risk and Market risks emanate from Operational Risk
Operational risk is the risk of direct and indirect loss resulting from inadequate or inefficient internal processes, people and system or from external events.
Credit Risk Management
Credit risk is the potential loss arising out of the inability or unwillingness of a customer or counter party to meet its commitments in relation to lending, trading, hedging, settlement and other financial transactions.
Philosophy behind credit risk management is: Higher the Risk, higher is the expected reward
Credit risk management
The CRM framework includes:
Policies and procedures
Organization structure for effective credit management
Credit risk rating framework