section 3.1: cooperative banking - indian etd repository
Section 3.1:
Cooperative Banking
3.1.1. A brief historical description of cooperative banks in India
3.1.2 Urban Co-operative Banks
3.1.3 Rural Co-operative Credit Institutions
3.1.4 NABARD and the Co-operative Sector
3.1.5 Resources of NABARD
3.1.6. Credit extended by NABARD
3.1.1. A brief historical description of cooperative banks in India
Co-operative banking has passed through many phases since the enactment of the
Agricultural Credit Co-operative Societies Act in 1904. Co-operative banks, developed
largely as an offshoot of official policy, expanded rapidly in the post-independence era and
played an important role in implementation of various Government schemes. Their business
is now being re-engineered to strengthen their role in contributing to financial inclusion and
deepening banking penetration in an increasingly competitive financial landscape.
The co-operative banking structure in India is complex. It comprises urban co-
operative banks and rural co-operative credit institutions.
Urban co-operative financial institutions consist of a single tier, viz., primary co-operative
banks, commonly referred to as urban co-operative banks (UCBs). However, they are
classified according to their scheduled status, operational outreach and purpose/clientele.
Out of the 1,853 UCBs, 55 enjoyed scheduled status, of which 24 had multi-State presence
as on March 31, 2006. Of the non-scheduled UCBs, 117 were Mahila (women) UCBs and
another 6 were Scheduled Caste (SC)/Scheduled Tribe (ST) banks. In addition, there were
79 salary earners' UCBs. Out of the 1,853 banks, 914 UCBs were unit banks, i.e., having a
single head office/branch set-up.
Historically, rural co-operative credit institutions have played an important role in
providing institutional credit to the agricultural and the rural sectors. These credit
institutions have typically been divided into two distinct structures, commonly known as
the short-term co-operative credit structure (STCCS) and the long-term co-operative credit
structure (LTCCS). The STCCS, comprising primary agricultural credit societies (PACS) at
the village level, district central co-operative banks (DCCBs) at the intermediate level, and
the state co-operative banks (StCBs) at the apex level, provides crop and other working
capital loans primarily for short-term purposes to farmers and rural artisans. The LTCCS,
comprising state co-operative agriculture and rural development banks (SCARDBs) at the
State level and primary co-operative agriculture and rural development banks (PCARDBs)
at the district or block level, has been providing typically medium and long-term loans for
making investments in agriculture, rural industries and, in the recent period, housing.
However, the structure of rural co-operative banks is not uniform across all States of the
country. Some States have a unitary structure with the State level banks operating through
their own branches, while others have a mixed structure incorporating both unitary and
federal systems.
Several measures have been initiated in recent years with the primary objective of
evolving a turnaround in the financial health of the cooperative sector. As announced in the
Mid-Term Review of the Annual Policy 2004-2005, a draft Vision Document for Urban
Co-operative Banks was formulated and placed in the public domain in March 2005. As
UCBs are subject to dual control by the Reserve Bank and the State Governments, the
Vision Document envisaged greater convergence in the approach towards regulation and
supervision over UCBs for facilitating the development of the sector. For strengthening the
rural co-operative credit institutions, the Government of India constituted the Task Force on
Revival of Rural Co-operative Credit Institutions (Chairman: Prof. A. Vaidyanathan) in
August 2004 to formulate a practical and implementable action plan for revival of rural co-
operative banking institutions. In view of the multi-tier regulatory structure, heterogeneous
nature of operations and problems of incentives faced by the co-operative sector, a
consultative process of policy formulation guided the approach of reform in this important
segment of the financial sector. Prudential regulatory standards were designed keeping in
view the nature of their business with an overall objective of improving their financial
health.
Business operations of UCBs (scheduled and unscheduled), on the whole, expanded
at a moderate rate, though scheduled UCBs grew at a relatively higher rate during the year.
The asset quality of UCBs also improved significantly. Profits of scheduled UCBs
increased during 2005-06.
Table 3.1: The cooperative credit institutions
All segments of the rural co-operative sector were able to expand their business
operations during 2004-05, the latest period for which data were available (Table 3.1).
However, their financial performance varied across the institutions. Within the short-term
structure, while the StCBs earned lower profits, on account of a sharp decline in income, as
compared with 2003-04, DCCBs earned higher profits over the same period due to a
significant rise in income. PACS, on the whole, continued to make overall losses, although
a sizable number of them earned profit. In the case of long-term structure, while the
SCARDBs continued to incur net losses during 2004-05 on account of rise in expenditure,
especially in provisions and contingencies, PCARDBs staged a turnaround over the same
period, facilitated by a sharp increase in non-interest income and expenditure containment.
Asset quality of short-term structure of rural co-operative banks improved, while NPAs of
long-term institutions increased. Improvement in the recovery performance of the PACS
also brought down their overdues ratio.
The SHG-Bank linkage programme and extension of financial assistance to micro-
finance institutions (MFIs) continued with their high growth. NABARD continued to play a
pivotal role in refinancing, monitoring project implementation, administering various
Government schemes and capacity building of rural co-operative credit institutions.
A significant number of co-operative banks are covered under the deposit insurance
scheme of Deposit Insurance and Credit Guarantee Corporation (DICGC). As on March 31,
2006, the number of insured co-operative banks was 2,245. The insurance premium
received from co-operative banks amounted to Rs.190 crore during 2005-06 as against
Rs.143 crore during the previous year. During the year, the DICGC settled claims for 43 co-
operative banks for an aggregate amount of Rs.565 crore, an amount much higher than the
premium received. The aggregate amount of claims paid and provided for 147 co-operative
banks, since the inception of the Scheme, amounted to Rs.1,760 crore. Repayment received
by DICGC out of the recoveries since inception amounted to Rs.28 crore (including Rs.8
crore during 2005-06). Together with the strengthening of the prudential standards, deposit
insurance also has played a significant role in enhancing stability of this sector.
3.1.2 Urban Co-operative Banks
UCBs are unique in terms of their clientele mix and channels of credit delivery.
UCBs are organised with the objective of promoting thrift and self-help among the middle
class/lower middle class population and providing credit facilities to the people with small
means in the urban/semi urban centers. On account of their local feel and familiarity, UCBs
are important for achieving greater financial inclusion. In recent times, however, UCBs
have shown several weaknesses, particularly related to their financial health.
Recognising their important role in the financial system, it has been the endeavor of the
Reserve Bank to promote their healthy growth. However, the heterogeneous nature of the
sector has called for a differentiated regime of regulation. In recent years, therefore, the
Reserve Bank has provided regulatory support to small and weak UCBs, while at the same
time strengthening their supervision (Box IV.1).
Box 3.1: Two-Tier Framework for Regulation and Supervision of Urban Co-operative
Banks
3.1.3 Rural Co-operative Credit Institutions
The rural credit co-operative system has served as an important instrument of credit
delivery in rural and agricultural areas. The separate structure of rural co-operatives for
long-term and short-term loans has enabled these institutions to improve rural credit
delivery. At the same time, their federal structure has helped in providing support structure
for the guidance and critical financing for the lower structure. Rural institutions have a
wider outreach, with as many as 1,08,779 primary agricultural co-operative societies
(PACS), the grass root organisation of the rural co-operative banking structure, operating in
the country as on March 2005.
Table 3.2: Select Indicators of Non-Scheduled Urban Co-operative Banks – Centre-wise (As at end-March 2006)
The rural co-operative credit institutions face many challenges such as low resource
base, lack of diversification, huge accumulated losses, persistent NPAs and low recovery
levels. Many institutions continued to make losses during 2004-05. Total accumulated
losses aggregated Rs.8,746 crore as on March 31, 2004. NABARD and the Reserve Bank,
therefore, have been taking several supervisory and developmental measures in
consultation with the Central Government for the revival of weak institutions and orderly
growth of this important segment of the financial sector.
3.1.4 NABARD and the Co-operative Sector
National Bank for Agriculture and Rural Development (NABARD) was established on July
12, 1982 as a development bank to perform the following functions:
(i) to serve as an apex financing agency for the institutions providing investment and
production credit for promoting various developmental activities in rural areas;
(ii) to take measures towards institution building for improving absorptive capacity of the
credit delivery system, including monitoring, formulation of rehabilitation schemes,
restructuring of credit institutions and training of personnel;
(iii) to co-ordinate the rural financing activities of all institutions engaged in developmental
work at the field level and maintain liaison with the Government of India, the State
Governments, the Reserve Bank and other national level institutions concerned with policy
formulation; and
(iv) to undertake monitoring and evaluation of projects refinanced by it.
NABARD's refinance is available to SCARDBs, StCBs, RRBs, commercial banks
and other financial institutions approved by the Reserve Bank. While the ultimate
beneficiaries of investment credit can be individuals, partnership concerns, companies,
State-owned corporations or co-operative societies, production credit is generally extended
to individuals.
3.1.5 Resources of NABARD
The Reserve Bank has been providing two General Lines of Credit (GLC) to
NABARD under Section 17(4E) of the RBI Act, 1934, to enable it to meet the short-term
requirements of scheduled commercial banks, state co-operative banks and RRBs. During
2005-2006 (July-June), a GLC of Rs.3,000 crore was sanctioned at an interest rate of 6 per
cent per annum, for providing refinance to state co-operative banks and RRBs for seasonal
agricultural operations (SAO).
However, NABARD has been permitted to operate the GLC limit sanctioned for 2005-06
for drawals as well as for repayments up to December 31, 2006. As the limit would not be
available after December 31, 2006, NABARD has been advised to start accessing the
markets on a regular basis for sufficient amounts so that the timeframe indicated for
withdrawal of GLC is adhered to.
Net accretion to the resources of NABARD at Rs.6,826 crore during 2005-06
registered a sharp increase of 39.6 per cent. Rural Infrastructure Development Fund (RIDF)
and issuance of bonds emerged as the two most important sources of funds for NABARD.
After repaying a significant amount of borrowing from commercial banks resorted to in the
previous year and repayment to the Reserve Bank, it was left with a sizable amount for
lending activity during the year (Table 3.3).
Table 3.3: Net Accretion in the Resources of NABARD
3.1.6. Credit extended by NABARD
NABARD provides short-term credit facilities to StCBs for financing seasonal
agricultural operations (SAO); marketing of crops; pisciculture activities;
production/procurement and marketing activities of co-operative weavers societies;
purchase and sale of yarn by apex/regional societies; production and marketing activities of
industrial co-operatives; financing of individual rural artisans through PACS; purchase and
distribution of fertilisers and allied activities; and marketing activities. Medium-term
facilities were provided to StCBs and RRBs for converting short-term loans for financing
SAO to medium-term (conversion) loans and for approved agricultural purposes. Long-
term loans are provided to the State Governments for contributing to share capital of co-
operative credit institutions. During 2005-06, NABARD sanctioned total credit limits
aggregating Rs.13,099 crore as against Rs.13,230 crore during 2004-05 for various short
and medium-term purposes to StCBs and RRBs, and long-term loans to the State
Governments. While limits granted to the state cooperative banks declined significantly,
those granted to RRBs increased during the year. However, amounts drawn by these
institutions were significantly higher than the previous year, leading to a sharp increase in
outstanding amount at end March 2006.
To enhance the flow of credit to agriculture sector, NABARD advised StCBs,
DCCBs and RRBs in June 2004 about the measures to be taken under various schemes to
give relief to farmers. While implementing these measures and extension of the
conversion/reschedulement of loans to farmers in distress and farmers in arrears, it was
apprehended that there could be a liquidity crunch in co-operative banks and RRBs,
impairing their ability to provide fresh loans and achievement of the envisaged growth rate
during the year. In order to enable co-operative banks and RRBs to tide over such liquidity
gap, NABARD extended liquidity support to StCBs on behalf of DCCBs for a fixed period
of 36 months at a concessional interest rate of five per cent and to RRBs for a period of
18 months at an interest rate of 6.5 per cent. As on 30 June 2006, sanctions under the scheme amounted to
Rs.515 crore to StCBs and Rs.482 crore to RRBs.
Section 3.2:
Introduction to Risk Management in banks
3.2.1 An introduction to risk management in banking system
3.2.2 Objective of risk management
3.2.3 Some definitions and declaration of objective of risk management
3.2.3.1 Reviewing of risk management methods
3.2.4 Risk identification
3.2.5 Risk assessment methods
3.2.6 Risk management
3.2.7 Risk management process
3.2.8 Risk Management Structure
3.2.9 The Risk Management Cycle
3.2.10 RBI guidelines in Risk management systems in banks
3.2.1 An introduction to risk management in banking system
Every one of us knows that human life and possession of assets are frequently
exposed to loss or damage because of various reasons. There is a great deal of
uncertainty and risk in life as well as in industry. Since people are aware of this
uncertainty and risk of their lives and possessions they show a strong desire for
security. The need for security is sought by taking all precautions possible to avoid
or prevent the consequences of risk.[24]
In view of growing complexity of banks' business and the dynamic operating
environment, risk management has become very significant, especially in the
financial sector. Risk at the apex level may be visualized as the probability of a
bank's financial health being impaired due to one or more contingent factors. While
the parameters indicating the banks' health may vary from net interest margin to
market value of equity, the factors which can cause the impairment are also numerous.
For instance, these could be default in repayment of loans by borrowers, change in
value of assets or disruption of operations due to reasons like technological failure.
While the first two factors may be classified as credit risk and market risk, banks
generally treat all risks excluding credit risk and market risk as operational risk.
Risk Analysis, in a broad sense, is any method — qualitative and/or
quantitative — for assessing the impacts of risk on decisions. Myriad Risk Analysis
methods are used that blend both qualitative and quantitative techniques. The goal of
any of these methods is to help the decision-maker choose a course of action, given
a better understanding of the possible outcomes that could occur.
Risk - the expression of the likelihood and impact of uncertain future events
with potential to influence the achievement of an organization's objectives.
Risk analysis (RA) - the systematic use of information to identify the
probability that something will occur and to assess the impact such events will have
on the achievement of an organization's objectives.
Risk management (RM) - a systematic method of
identifying, analyzing, assessing, treating, monitoring and communicating risk, in
order to keep the organization's exposure to risk at acceptable levels.
Operational Risk - the risk of direct or indirect loss from
inadequate or failed internal processes, people and systems, or from external events.
Credit Risk - the risk that a borrower may default on his
obligation, or be unable to perform under the terms of the contract.
Market Risk - the part of the overall risk of an asset, organization, position or
portfolio which is due to potential changes in the market prices of assets.
[24] Risk Management and Techniques, Dr. Ch. Rama Prasada Rao, Professor, and Dr. P. Murali Krishna, Assistant Professor, Sri Krishnadevaraya Institute of Management, S.K. University, Anantapur (India)
The opportunity for advancement cannot be achieved without taking risk. "Risk in
itself is not bad; risk is essential to progress, and failure is often a key part of learning. But
we must learn to balance the possible negative consequences of risk against the potential
benefits of its associated opportunity." Everyone knows that business grows only by taking
risk. Managing risk is important but managing the change before the risk is very important.
Risk Management is the application of proactive strategy to plan, lead,
organize, and control the wide variety of risks that are woven into the fabric of an
organization's daily and long-term functioning. Like it or not, risk has a say in the
achievement of our goals and in the overall success of an organization.
3.2.2 Objective of risk management
The objectives of the regulatory authorities in prescribing risk management for banks
may be summed up as follows:
(i) To impose capital adequacy norms keeping in view the risk banks are required to take as the competitive market demands.
(ii) To level the competitive field of banks by setting common benchmarks for all banks.
(iii) To control and monitor 'systemic risk' that may arise due to failure of the whole banking system.
(iv) To develop and prescribe appropriate business and supervisory practices to sustain risks taken by banks under market commands, and
(v) To protect the interest of depositors and other stakeholders of banks.
Therefore, the principal objective of risk management has been defined as "the effective
planning of resources needed to recover financial balance and operating
effectiveness after a fortuitous loss, thus obtaining a short-term loss of risk stability
and long term risk minimization."
3.2.3 Some definitions and declaration of objective of risk management
Webster's dictionary defines risk as 'the chance of injury, damage, or loss'. Several
financial management experts have defined 'risk' in their own way. Peterson felt that though
the terms risk and uncertainty are many times used to mean the same, uncertainty is
not knowing what is going to happen, while risk is how we characterize how much
uncertainty exists. He defined risk as “the degree of uncertainty”. Investment thinkers
have opined that risk is the possibility that the actual return from holding a security will
deviate from the expected return. The psychologists (Kogan and Wallach, Slovic, 1987), economists
(Knight, 1921), anthropologists (Douglas and Wildavsky, 1982) and sociologists (Heimer,
1988) have examined the role of risk in their respective fields of analyses in different ways.
Risk is the variability in the actual returns in relation to the estimated returns.
The decision situations with reference to risk analysis can be broken up into
three types:
(i) Uncertainty,
(ii) Risk, and
(iii) Certainty.
The risk situation is one in which the probabilities of occurrence of a particular
event are known. These probabilities are not known under the uncertainty situation.
The difference between risk and uncertainty, therefore, lies in the fact that variability
is less in risk than in uncertainty. In other words, in a strict mathematical sense,
there is a distinction between the two:
Risk refers to a set of unique outcomes for a given event, which can be assigned
probabilities, while uncertainty refers to the outcomes of a given event, which are too
unsure to be assigned probabilities. That is, risk exists when the decision maker is in a
position to assign probabilities to various outcomes (i.e. probability distribution is known to
him). This happens when the decision maker has some historical data on the basis of which
he assigns probabilities to other projects of the same type. Uncertainty exists when the
decision maker has no historical data from which to develop a probability distribution, and
must make intelligent guesses in order to develop a subjective probability distribution. For
example, if the proposed project is completely new to the bank, the decision maker, through
research and consultation with others, may be able to subjectively assign probabilities to
various outcomes. Throughout this chapter, however, the terms risk and uncertainty will be
used interchangeably to refer to an uncertain decision making situation.
It is, then, obvious that if the future returns were certain, that is, if they could be
forecast accurately, there would be no risk involved in such situations. The less accurately
they are forecast, the more likely would be the risk involved in the investment decision.
The variability of returns and hence, risk would vary with the type of project. For instance,
lease-purchase capital budgeting will, according to this criterion, have no risk since no
variability is associated with the returns. This is because the firm purchases the asset to give
it on lease for a specified number of annual lease payments. The return, in other words, is
absolutely certain. Another example of risk-free investment is the various types of
government and government-guaranteed securities. Excepting these few cases, the
investment decision is faced with the problem of uncertain returns, which vary widely
depending on the nature and purpose of the decision. Thus, the capital budgeting decision
for starting a new product will have more uncertain returns than the one involving
expansion of an existing one. Further, the estimates of returns from cost-reduction type of
capital budgeting will be subject to a lower degree of risk, than the revenue-expanding
capital budgeting project. In brief, risk, with reference to capital budgeting, results from the
variation between the estimated and the actual returns.
3.2.3.1 Reviewing of risk management methods
Organizations face various risks. Unfortunately, their risk management focus
has been primarily on fluctuations in interest rates, exchange rates and stock market indices.
Risk is all about liability and taking steps to reduce it. Several factors contribute to this
weakness, not just financial risks. So, taking an integrated view of the various risks faced,
both financial and non-financial, is important for any business entity.
Most organizations deal with risk in a piecemeal fashion. Within the same company,
the finance, treasury, human resources and legal departments might manage risks
independently; an organization-wide view of risk management can greatly improve
efficiencies and generate synergies.
Willy-nilly, risk and uncertainty are real. Everyone encounters uncertainty in
everyday life - uncertainty about weather, uncertainty about the performance of one's
investment, and uncertainty about one's health. The future so abounds in uncertainty that,
to live through it, despite the thrills it offers, man is compelled to make an
all-out effort to counterbalance this future uncertainty. Men for several years have sought
ways of controlling the risk to which mankind and business ventures are subjected.
However in recent years risk management has emerged as a distinct subject and as an arm
of practical management in its own right. It brings together ideas and techniques drawn
from many disciplines in order to provide a sound conceptual foundation and a set of tools
for the analysis and control of risk. In view of the importance of risk management, an
attempt is made to present the techniques of managing financial risk.
It has, therefore, become necessary for the monetary authorities all over the world to
develop and prescribe risk management norms and tools to regulate risk-taking activities of
banks and financial institutions. These regulations prescribe norms and models based on
core concepts of risk taking power and admissibility of tools to manage the same. The
regulatory framework keeps in view the necessity of taking risk in banks as per the market
demands while safeguarding the interest of depositors and other stakeholders. It has,
therefore, reposed faith in the core concept of the capital adequacy norms and/or risk-based
capital i.e., stressing the need for adequacy of capital to sustain the risks taken. This
obviously implies that there should be quantitative assessment of risk to match the quantum
of capital.
3.2.4 Risk identification
Risk identification is the first thing to be done, but it is not the first thing to design.
The best way of identifying risks depends on what you will do with them, so it has to be
designed last. For example, risk rating that focuses on losses is often supplied with risks by
identifying an organization's assets and listing the ways those assets could be damaged or
otherwise become less valuable. Risk modeling based on cause-effect models tends to
determine the risks; they are the distributions of the independent variables in the model,
though it is also possible and desirable to adapt the model to incorporate other specific risks
identified by other means.
Here are some considerations for designing the risk identification method:
Partitioning: Whatever risk identification method is chosen it is usually good to do it in a
way that slices up risks so that everything is caught, but only once. There should be no gaps
and no double counting. The breakdown usually takes more than one level. For example,
first by geography, then by business activity, and so on. There is a big difference between
having a list of areas to consider and having a list of areas to consider that is complete.
Even taking a list of risk types from an official document such as a risk management
standard does not guarantee that the list is comprehensive, but there are ways to think
through the breakdown that guarantee completeness.
Relative entropy: It is also good to break down large risk sets so that all risk sets carry
about the same amount of risk. This means management reports of risk are more
informative per page than they would be if very large risk sets were not broken down and
instead tiny risk sets were given space for their trivial statistics. This implies some risk
assessment is needed during risk identification.
Clarity of objectives: A popular approach among internal control experts is to derive risks
from business objectives. Risks are simply the ways in which you could fail to achieve your
objectives. Unfortunately, life doesn't always allow clear objectives. Looking at risk is part
of forming objectives, so you often need to do it before objectives have been set. Objectives
are often unclear and shifting for very good reasons; if they did not move for a year it
would imply an extraordinarily stable business environment or managers who have stopped
thinking. Risk management needs to be able to ride this out so if there is any doubt about
business objectives they should not be the sole basis of risk identification.
Volunteering: If you rely on people to volunteer risks they may not volunteer all the risks
they know about. They may keep quiet because they don't want to risk offending senior
management (or other groups they fear such as human resources and IT) or fear being made
responsible for a risk about which little can be done. For risks where this is likely it may be
necessary to put the risk into the register at the start and make rating dependent on objective
criteria. For example, people may be reluctant to suggest "fraud by senior management" as
a risk, and even more reluctant to opine that the risk is high.
Richness: Some methods of risk identification tend to lead to bland, unhelpful risks and
little if any insight. Taking your objectives as the source of risk ideas can lead to risks that
are just the original objective with the words "Risk that we fail to" stuck on the front. They
also tend to be inward looking with the external environment ignored. Taking risks as just
the independent variable in existing business models also leads to sterile risks.
3.2.5 Risk assessment methods
Some of the risk assessment and risk analysis methods are as follows:
Risk Measures: The most common approach in the theory of finance is to calculate
expected returns (i.e. what is expected on average) and calculate another number, which
represents the amount of risk involved. Early theories used the variance of returns from an
investment as the measure of its risk. There are now alternatives to this including formulae
that do not involve squaring the difference between points on the distribution and its mean,
and formulae that give a different weight to variations below the mean compared to
variations above the mean. In the capital asset pricing model (CAPM) theory it is only
systematic risk (i.e. risk that cannot be removed by diversification) that is considered.
Value at Risk: In this approach the only outcomes given any weight are those that
lead to collapse of the firm or some other disastrous outcome. Given a level of confidence,
the calculation sets out to estimate the amount of capital backing you would need to be that
confident of avoiding collapse. Other outcomes do not get the same attention so, in effect,
most of the attention goes onto circumstances that are extremely unlikely.
An indicator but not a measure: In some risk management approaches there is no
measurement at all. There may just be relative ratings, points, or categorizations (e.g.
"High, Medium, Low", "Red, Amber, and Green"). If the objective is to direct remedial
action to the right places it may be that just knowing the most risky areas is enough.
Expected Utility: In this theory there is no separate measure of risk. The expected
return is measured in utility instead of money. The theory is that it is possible to assign
numbers to outcomes so that they sum up a rational person's preference for those outcomes
and decisions can be made purely on the basis of maximizing expected utility. Although
there is plenty of evidence that we do not always act in accordance with this theory we
would probably do better in life if we did. Expected Utility is a tool for rational decision
making under uncertainty even in these tough conditions. Each objective is turned into an
attribute in a simple utility formula, and levels of achievement on each attribute are
described to create scales. Once you have established the attributes you value at all, and set
out a scale for each, it can take just a few minutes to get a rough idea of how much you
value each level of achievement against each attribute/objective. This can be done using
very simple software based on techniques called conjoint analysis.
.2.1.5 Risk management
Risk management25 is the practice of defining the risk level an institution desires,
identifying the risk level the institution has and using derivatives and such other financial
instruments to control and adjust the level of risk that the institution is expected to bear. As
risk taking is the business of banking it is necessary to adopt suitable risk management
techniques to keep it at a sustainable level.
Risk management is the identification, measurement and treatment of exposures to
potential accidental losses, almost always in situations where the only possible outcomes
are losses or no change in status quo. The principal objective of risk management has been
defined as "the effective planning of resources needed to recover financial balance and
operating effectiveness after a fortuitous loss, thus obtaining a short-term loss of risk
stability and long term risk minimization." Hence risk management is essentially
associated with losses and as the risk arising from currency fluctuations has assumed
increasing importance in recent years, currency risk management has gained prominence in
international risk management.26
Risk management has gained much importance in the Indian economy during this
liberalization period. The foremost among the challenges faced by the banking sector today
is the challenge of understanding and managing risk. The threat of risk is inherent in the
very nature of the banking business. Banks' main role is intermediation
between those having resources and those requiring resources. The investors do not want to
accept the risks attendant thereto. Hence financial intermediation becomes necessary and
banks came onto the scene, assured prompt repayment of funds and accepted the risk of
default. As compensation, they earned a net interest margin between what they paid to the
investors and what they charged from the borrowers.27
25 Risk Management Techniques and Application in Banking Under Basel II Accord, April 2006, © 2006 The ICFAI University Press, Professional Bankers, pp. 49, 50.
26 Currency Risk Management: Lessons from South Asian Economic Turmoil, Prof. C. Siva Rama Krishna Rao, Professor, Department of Economics, Kakatiya University, Warangal - 506 009, pp. 141.
27 Risk Management - Finance and Banking, Dr. P. Murali Krishna, Assistant Professor, Sri Krishnadevaraya Institute of Management, S.K. University, Anantapur; M. Sreenivasulu, Officer, Andhra Bank, Pamidi, Anantapur (A.P.).
For management of risk at corporate level, various risks like credit risk, market risk
or operational risk have to be converted into one composite measure. Therefore, it is
necessary that measurement of operational risk should be in tandem with other
measurements of credit and market risk so that the requisite composite estimate can be
worked out. The qualitative elements of risk are shown in Exhibit 1.
The definition of financial risk is avoided in major texts like Brealey and Myers
(1996) and Copeland and Weston (1992). The discussion plunges straight into the
measurement and management of risk, as if the concept of risk itself was unproblematic.
For example, Eales (1995), a 278-page text on financial risk management, devotes less than
one paragraph to the definition of risk, plunging straight into its management. Eeckhoudt
and Gollier (1995), a significant new text on financial risk, states its fundamental
assumption (p.3) - 'that the individual or corporation - or more generally the decision
maker - is only interested in one thing: the level of final wealth.... We do not intend to
engage in a debate that tends towards the theological. Thus a fundamental assumption is
stated without any empirical support, and assumed to be justifying because it is commonly
accepted in the literature. In most finance texts, it is as if everyone knows what risk is so
there is no need to define it - let's go ahead and measure it, and even more importantly,
demonstrate ways of managing it.'
The emphasis on risk management and the sub-categorization of risks - interest rate
risk, market risk, and credit risk - are all attempts at grappling with the reality of specific
risks as they affect firms and individuals (Hentschel and Smith, 1994). For example, for
bankers, the evaluation of credit risk is paramount if they are to make profitable lending
decisions. Techniques of evaluating these have evolved in Finance, which provide useful
inroads into the assessment of default. Thus quite sophisticated methods of risk analysis
have evolved in areas where there is commercial benefit from accurate analysis. However,
such approaches do not always enhance the scientific knowledge base of the fundamental
components of financial risk and how they inter-relate to one another.
Financial risk modeling is the practice of measuring risks in various domains of
finance viz. financial markets, banking, insurance etc. It is the most important part of
pricing financial instruments and also helps in regulation of financial activities like
investment banking, and lending. Financial risks can be classified broadly into the
following categories:
1. Market Risk
2. Credit Risk
3. Operational Risk
Market Risk is the change in value of assets due to changes in the underlying
economic factors such as interest rates, foreign exchange rates, macroeconomic variables,
stock prices, and commodity prices. All economic entities that own assets face market risk.
For example, bills receivable of software exporters that are denominated in foreign
currencies are exposed to exchange rate fluctuations; while value of bonds/government
securities owned by investors depends on prevailing interest rates. Organizations with huge
exposures either have a dedicated treasury department or outsource market risk
management to banks. The role of modeling in measuring market risk is to forecast the
changes in the economic factors, and assess their impact on the asset value. The most
popular measure for expressing market risk is Value-at-Risk, which is 'the maximum loss'
from an unfavorable event, within a given level of confidence, for a given holding period.
Various financial instruments like options, futures, forwards, swaps etc. can be used
effectively to hedge the market risk. Availability of huge data on various markets has
facilitated the development of many sophisticated models.
Credit Risk is the change in value of a debt due to changes in the perceived ability
of counterparties to meet their contractual obligations (or credit rating). Also known as
default risk or counter party risk, credit risk is faced by lending institutions like banks,
investors in debt instruments of corporate houses, and by parties involved in contractual
agreements like forward contracts. There are independent agencies that assess the credit
risk in form of credit ratings. Credit rating is an opinion (of the credit rating agency) on the
ability of the organization to perform its contractual obligations (pay the principal and/or
interest of the loan) on a timely basis. Each level of rating indicates a probability of default.
International credit rating agencies (like Moody's, Fitch, and S&P) use quantitative models
along with their experience to predict the credit ratings. Credit scoring models of banks and
lending institutions use stock prices (if available), financial performance and sector specific
data, and macroeconomic forecasts to predict the credit rating. Although credit ratings for
retail lending are not available, credit scoring models for individuals are gaining popularity.
Credit risk can be transferred using credit derivatives, and also by securitization. An attempt
by a consortium of international banks (Basel Accords) to set regulatory standards for
lending institutions has led to the development of better and more robust credit assessment models.
Operational Risk is defined as the risk of loss resulting from inadequate or failed
internal processes, people, and systems or from external events. In this sense all
organizations face operational risk. But for a financial institution/bank operational risk can
be defined as the possibility of loss due to mistakes made in carrying out transactions such
as settlement failures, failures to meet regulatory requirements, and untimely collections.
As of today, there is neither a concept nor a model for measuring operational risk that has
gained acceptance by financial engineers. There have been efforts by international banks
and financial institutions to indigenously develop models, none of which are available in
public domain. To date, insurance is the only avenue to manage (transfer) operational risk.
Due to the absence of sound techniques, not many insurance companies offer cover for
operational risk (Jorion Philippe, 2002, pp. 449-457).
However, this approach struggles in the face of future uncertainty and is difficult to
apply in many everyday decisions. The further into the future you look the harder it is to
pin down specific cash flows. Businesses are complex systems with many feedback loops.
What is the value of a satisfied customer, improved brand image, or hiring someone who
has good ideas? Real decision-making relies on what people like to call "strategic"
considerations. In other words, things we think are important but which we can't seem to
reduce to cash flows.
We usually express what we are trying to do using objectives, which rarely have a
quantified link to cash flows. Our objectives are things like "Improved customer service",
"Higher awareness of our new services among our customers", and "A more motivated
workforce". The value of different levels of achievement on these objectives is something
we typically have only a gut feel for. It would be nice to be more scientific but gut feel is
usually all we have time for, particularly as our plans and objectives often shift. In finance
and business management theory it is now common to take shareholder value as the
ultimate basis for decisions. This is seen as the same as the market value of a company's
shares and as the net present value (NPV) of future cash flows. Though there are variations
the typical accountant's way of evaluating decisions is to try to build a model that predicts
cash flows and then discount these to find the NPV of each alternative in the decision.
An efficient risk management system is contingent upon development of a suitable
system for collection of data, its analysis and presentation. This is a daunting task in
operational risk measurement. Broadly, we can divide operational risk into two parts.
First, events which cause comparatively small losses; such events usually occur at greater
frequency, e.g. errors, outages etc. Second, events which cause huge losses and may even
threaten the existence of the company; these are rare. Though an appropriate database could have
been developed for the first kind of operational risk events, so far no scientific methods of
data collection, analysis and interpretation have been developed. These events have been
dealt with by 'rule of thumb' methods evolved by the institutions over a period of time. For
instance, occurrences of frauds are dealt with on such a basis. While historical data on frauds
can be available, the experiences gained are used to prevent occurrence of similar frauds
again. This is done through ensuring compliance with existing systems and procedures or
bringing about suitable modifications thereon.
The issue of data availability and measurement is much more complex in case of
rare events associated with large losses. First of all the data is not available either because
the events occur rarely or might not have occurred at all in the history of the institution; or
such events may not have been properly documented. The failures of Barings Bank and
Long Term Capital Management (LTCM), a reputed hedge fund in the USA, fall in this
category. Even in institutions where attempts have been made to put operational risk
measurement on sound footing, access to external data has remained rather limited, forcing
the institution to depend on data from internal sources which is not only inadequate but
may also have subjective elements.
Another difficulty in measurement of operational risk relates to proper analysis of
the available information. The post facto analysis of the loss events focuses on the factors,
which work prior to or at the time of the event. An effective risk measurement system demands
a statistical examination of cause and effect relationship, which may reoccur in future, and
also the relationship between the loss and the control variable. In fact most of the control
variables are understood to have a strong correlation with loss events purely on a priori
reasoning without attempting statistical proof of such relationship.
As risk has to be managed at enterprise wide level where the composite measure of risk
shall encompass all possible risks, it is necessary to align the measure of operational risk
with the measures of other risks viz., credit risk and market risk. Credit/market risks can be
measured using a number of measures such as value at risk (VaR), earning volatility,
default and loss probabilities etc. For instance, impact of changes in asset prices on the
value of the bank's trading portfolio can be easily calculated; in the case of credit risk, the
changes in borrower's credit quality and the impact of interest rate changes can be captured
to assess the potential loss. These measures which require good understanding of the
frequency distribution of loss events, are not suitable for operational risk, which requires
estimating the probability of occurrence of a loss event and the potential size of loss.
Therefore, measurement of operational risk has to be developed using other methods and
loss expectancy therefore will have to be worked out. This still leaves out the difficulty of
alignment of operational risk measures with other risk measures. For the purpose, as
suggested by RBI and also by the Bank for International Settlements (BIS), risk management
for all categories of risks should be developed to encompass Risk Adjusted Return on
Capital (RAROC) and capital allocation should be done accordingly. In the Indian context,
this demands substantial progress in risk management systems including that for credit and
market risk by banks.
.2.1.6 Risk management process
Banks in the process of financial intermediation are confronted with various
kinds of financial and non-financial risks viz., credit, interest rate, foreign exchange
rate, liquidity, equity price, commodity price, legal, regulatory, reputation,
operational, etc. These risks are highly interdependent and events that affect one
area of risk can have ramifications for a range of other risk categories. Thus, top
management of banks should attach considerable importance to improve the ability
to identify, measure, monitor and control the overall level of risks undertaken.
The broad parameters of risk management function should encompass:
1. Organizational structure;
2. Comprehensive risk measurement approach;
3. Risk management policies approved by the Board which should be
consistent with the broader business strategies, capital strength, management
expertise and overall willingness to assume risk;
4. Guidelines and other parameters used to govern risk taking including
detailed structure of prudential limits;
5. Strong MIS for reporting, monitoring and controlling risks;
6. Well laid out procedures, effective control and comprehensive risk
reporting framework;
7. Separate risk management framework independent of operational
Departments and with clear delineation of levels of responsibility for management
of risk; and
8. Periodical review and evaluation.
.2.1.7 Risk Management Structure
A major issue in establishing an appropriate risk management organization
structure is choosing between a centralized and decentralized structure. The global
trend is towards centralizing risk management with integrated treasury management
function to benefit from information on aggregate exposure, natural netting of
exposures, economies of scale and easier reporting to top management. The primary
responsibility of understanding the risks run by the bank and ensuring that the risks
are appropriately managed should clearly be vested with the Board of Directors. The
Board should set risk limits by assessing the bank's risk and risk-bearing capacity.
At organizational level, overall risk management should be assigned to an
independent Risk Management Committee or Executive Committee of the top
Executives that reports directly to the Board of Directors. The purpose of this top-
level committee is to empower one group with full responsibility of evaluating
overall risks faced by the bank and determining the level of risks, which will be in
the best interest of the bank. At the same time, the Committee should hold the line
management more accountable for the risks under their control, and the performance
of the bank in that area. The functions of Risk Management Committee should
essentially be to identify, monitor and measure the risk profile of the bank. The
Committee should also develop policies and procedures, verify the models that are
used for pricing complex products, review the risk models as development takes
place in the markets and also identify new risks. The risk policies should clearly
spell out the quantitative prudential limits on various segments of banks' operations.
Internationally, the trend is towards assigning risk limits in terms of portfolio
standards or Credit at Risk (credit risk) and Earnings at Risk and Value at Risk
(market risk). The Committee should design stress scenarios to measure the impact
of unusual market conditions and monitor variance between the actual volatility of
portfolio value and that predicted by the risk measures. The Committee should also
monitor compliance of various risk parameters by operating Departments.
A prerequisite for establishment of an effective risk management system is
the existence of a robust MIS, consistent in quality. The existing MIS, however,
requires substantial upgradation and strengthening of the data collection machinery
to ensure the integrity and reliability of data.
Risk management is a complex function and it requires specialized skills
and expertise. Banks have been moving towards the use of sophisticated models for
measuring and managing risks. Large banks and those operating in international
markets should develop internal risk management models to be able to compete
effectively with their competitors. As the domestic market integrates with the
international markets, the banks should have necessary expertise and skill in
managing various types of risks in a scientific manner. At a more sophisticated
level, the core staff at Head Offices should be trained in risk modeling and analytical
tools. It should, therefore, be the endeavor of all banks to upgrade the skills of staff.
Given the diversity of balance sheet profile, it is difficult to adopt a uniform
framework for management of risks in India. The design of risk management
functions should be bank specific, dictated by the size, complexity of functions, the
level of technical expertise and the quality of MIS. The proposed guidelines only
provide broad parameters and each bank may evolve its own systems compatible
with its risk management architecture and expertise.
Internationally, a committee approach to risk management is being adopted.
While the Asset - Liability Management Committee (ALCO) deals with different
types of market risk, the Credit Policy Committee (CPC) oversees the credit/counterparty
risk and country risk. Thus, market and credit risks are managed in a
parallel two-track approach in banks. Banks could also set-up a single Committee
for integrated management of credit and market risks. Generally, the policies and
procedures for market risk are articulated in the ALM policies and credit risk is
addressed in Loan Policies and Procedures.
Currently, while market variables are held constant for quantifying credit risk, credit
variables are held constant in estimating market risk. The economic crises in some of the
countries have revealed a strong correlation between un-hedged market risk and credit risk.
Forex exposures, assumed by corporates who have no natural hedges, will increase the credit
risk which banks run vis-à-vis their counterparties. The volatility in the prices of collateral
also significantly affects the quality of the loan book. Thus, there is a need for integration
of the activities of both the ALCO and the CPC and consultation process should be
established to evaluate the impact of market and credit risks on the financial strength of
banks. Banks may also consider integrating market risk elements into their credit risk
assessment process.
.2.1.8 The Risk Management Cycle
This cycle consists of four components as shown in figure 1:
(a) Risk Management Philosophy:
It defines the bank's approach not only to active risk management but also
to whether or not the bank should identify market inefficiencies with a
view to exploiting them for profit, which amounts to speculation, which is not
unwarranted altogether. The philosophy not only defines and authorizes which
hedging instruments are to be used overall, but also determines the limits for broad
and major categories of risks, along with who should be the counterparties for
risk hedging.
(b) Goals of Risk management:
The bank specifies what it aims at with a risk management program. The benefits of
risk management are myriad in nature but accrue mainly in two ways; one is the benefit of risk
containment and the other is through profit optimization. The benefits include, inter alia, trading
profits, reduced volatility in cash flows, earnings, market value, etc. Risk containment options
include risk transfer, risk avoidance and risk reduction.
(c) Quantifying Risk Exposures:
The bank must know what risks it faces and implement a system of
measuring those risks. Value at Risk (VaR) is the most popular but a "stock"
measure of market risk defined at a point of time. It represents the state-of-the-
art in risk measurement for management. However, many times what is
required is a flow measure in terms of risk of cash flows or earnings. The
management determines which financial prices have a material impact on the
bank's balance sheet, estimates their volatility and aggregates the various risk
exposures into the VaR. Then procedures will be established for stress-testing
and contingency plans. In the near future, risk quantification is going to
graduate towards measuring "cash flow-at-risk" which will be an improved
measure of risk. Nevertheless, despite its several serious shortcomings, VaR is
likely to be with us in the future.
(d) Evaluation and Control
Effective evaluation of the risk containment measures and procedures
constitutes the crucial part of any successful risk management system. Such
evaluation procedures should aim at minimizing, if not mitigating, the scope for
any unpleasant "surprises"; to ensure this, the control function should
remain independent of the activity itself.
There are several techniques of managing risk. The following are some of
them.
1. Insurance
2. Asset/Liability Management
3. Hedging
4. Transfer
5. Risk Retention
6. Avoiding
7. Risk reduction
8. Research
9. Combination/Portfolio Management
3.2.10 RBI guidelines in Risk management systems in banks
Banks in the process of financial intermediation are confronted with various kinds of financial
and non-financial risks viz., credit, interest rate, liquidity, equity price, commodity
price, legal, regulatory, reputation, etc. These risks are highly interdependent and events
that affect one area of risk can have ramifications for a range of other risk categories. Thus, top
management of banks should attach considerable importance to improving the ability to identify,
measure, monitor and control the overall level of risks undertaken.
The broad parameters of risk management function should encompass:
(i) Organizational structure;
(ii) Comprehensive risk measurement approach;
(iii) Risk management policies approved by the Board which should be
consistent with the broader business strategies, capital strength, management
expertise and overall willingness to assume risk;
(iv) Guidelines and other parameters used to govern risk taking including
detailed structure of prudential limits;
(v) Strong MIS for reporting, monitoring and controlling risk;
(vi) Well laid out procedures, effective control and comprehensive
framework;
(vii) Separate risk management framework independent of operational
Department and with clear delineation of levels of responsibility for management of
risk; and
(viii) Periodical review and evaluation.
Section 3.3:
Basel Committee Accords
(BCA)
3.3.1 Introduction
3.3.2 History of Basel Committee
3.3.3 Objectives for Basel II
3.3.4 Key Elements of Basel II
3.3.5 Basel II Implementation in India: A Seven-Step Approach
3.3.6 Conclusion
3.3.1 Introduction
Basel is a small, sleepy town in northwestern Switzerland, close to the borders of
France and Germany. Basel is home to the Bank for International Settlements (BIS), an elite
financial club formed by the world's central banks. Established in 1930, it is the oldest
multilateral financial institution in the world.
The Basel commission for bank regulation put forward a proposal for changing
banks' securitization of equity, which, among other things, involves greater differentiation of
loan interest rates. No longer will only exclusively economic risks be considered in the
future when checking creditworthiness. This means that, in the future, banks must deposit
less equity for lower risks and as a result can guarantee better conditions than previously. In
contrast to this, companies with a poorer rating result will be rated in a higher risk class,
which will affect credit conditions negatively. BIS has announced the International
Convergence of Capital Measurement and Capital Standards: A revised framework,
commonly known as Basel II, with the object of preventing major bank failures.
Consequently, Basel II also indirectly demands a rethinking and a reorientation of medium-
sized companies.
For sound regulation, all banks and financial institutions could use the following
techniques:
– SWOT analysis
– Potential analysis
– Discounted Cash Flow analysis
– Cost effectiveness study
– Forecasts
The analyses will prepare for the banks' internal rating, that is, for classification in a
risk class. The results of analysis will serve as the basis for undertaking changes in the banks
or company.
The regulation of the more exact creditworthiness check will be legally codified as of 2006.
For that reason, banks and financial institutions should prepare themselves for the
changes by positioning the bank or company according to a clear strategy and uncovering the
weak points and opportunities.
In this section we discuss the history of the Basel Committee accords, their
objectives, key elements and implications, and the implementation of Basel II in India with a
seven-step approach.
3.3.2 History of Basel Committee
In the 1980s globalization and deregulation opened the doors for global banking.
Without adequate supervision and regulation the banks collapsed in one country after the
other. In order to prevent such crises the Basel committee came out with sound principles
based on the best international practices, which came to be known as Basel I norms.
It was the first to arrive at an internationally accepted definition of bank capital as
also to prescribe a minimum acceptable level of capital for banks. The norms were
announced in 1988 and were adopted by banks from the end of 1992. The subsequent
Asian financial crisis exposed the chinks in the armour of Basel I and its
inadequacies.
Hence the Basel committee in June 1999 proposed a new set of norms to reinforce
the structural soundness of the banks, particularly in the international banks. These norms,
which came to be called Basel II, sought to make use of the advances in risk management
practices and technology to match the required capital more closely with the multiple risks
faced by banks. To put it short and sweet the Basel norms can best be described as "one-size-
fits-all".
The second accord was prepared by Basel Committee on Banking Supervision, a
group of central banks and the bank supervisory authorities in the G-10 countries. The
countries, which include Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, the
Netherlands, Spain, Sweden, Switzerland, the United Kingdom and the United States,
developed the first standard in 1988. The Basel committee consists of officials of central
banks of industrialized G-10 countries and it has been debating the new framework since
1999.
The Committee does not possess any formal supranational supervisory authority, and
its conclusions do not, and were never intended to, have legal force. Rather, it formulates
broad supervisory standards and guidelines and recommends statements of best practice in
the expectation that individual authorities will take steps to implement them through detailed
arrangements ― statutory or otherwise ― which are best suited to their own national systems.
In this way, the Committee encourages convergence towards common approaches and
common standards without attempting detailed harmonization of member countries'
supervisory techniques.
The Committee reports to the central bank Governors of the Group of Ten countries
and seeks the Governors' endorsement for its major initiatives. In addition, however, since
the Committee contains representatives from institutions, which are not central banks, the
decisions it takes carry the commitment of many national authorities outside the central
banking fraternity. These decisions cover a very wide range of financial issues. One
important objective of the Committee's work has been to close gaps in international
supervisory coverage in pursuit of two basic principles; that no foreign banking
establishment should escape supervision; and that supervision should be adequate. To
achieve this, the Committee has issued a long series of documents since 1975.
In 1988, the Committee decided to introduce a capital measurement system
commonly referred to as the Basel Capital Accord. This system provided for the
implementation of a credit risk measurement framework with a minimum capital standard of
8% by end-1992. Since 1988, this framework has been progressively introduced not only in
member countries but also in virtually all other countries with active international banks. In
June 1999, the Committee issued a proposal for a New Capital Adequacy Framework to
replace the 1988 Accord. The proposed capital framework consists of three pillars; minimum
capital requirement, which seeks to refine the standardized rules set forth in the 1988
Accord; supervisory review of an institution's internal assessment process and capital
adequacy; and effective use of disclosure to strengthen market discipline as a complement to
supervisory efforts. Following extensive interactions with banks and industry groups, the
revised framework was issued on 26 June 2004. This text will serve as a basis for national
rule-making and approval processes to continue and for banks to complete their
presentations for the new framework's implementation.
Over the past few years, the Committee has moved aggressively to promote sound
supervisory standards worldwide. In close collaboration with many non-G-10 supervisory
authorities, the Committee in 1997 developed a set of Core Principles for Effective Banking
Supervision, which provides a comprehensive blueprint for an effective supervisory system.
To facilitate implementation and assessment, the Committee in October 1999 developed the
Core Principles Methodology.
In order to enable a wider group of countries to be associated with the work being
pursued in Basel, the Committee has always encouraged contacts and cooperation between
its members and other banking supervisory authorities. It circulates to supervisors
throughout the world published and unpublished papers. In many cases, supervisory
authorities in non-G-10 countries have seen fit publicly to associate themselves with the
Committee's initiatives. Contacts have been further strengthened by an International
Conference on Banking Supervisors, which takes place every two years.
Changed Capital requirement in Basel I and Basel II
3.3.3 Objectives for Basel II
The reasons why the original accord must change are several:
• It does not encourage "good risk management"; the current supervisor-imposed
risk weights do not distinguish whether a loan is rock solid or very iffy.
• Overall, too much money is set aside to guard against default of very good
loans. If the money could be better targeted at riskier loans, a huge amount of funds could be
freed up to invest in new projects. This could have a material impact on global growth.
• Some risk areas, particularly operational risk, do not get enough management
by banks, in part because there is no "Capital Penalty" associated with them.
So Basel II is an attempt to redraft the international rules on Capital Adequacy to
address the above issues. It has proved a very long process as different countries and
banking groups have different priorities. It is hoped we are getting very close to the end. In
May 2003 the Committee issued its third consultative paper (CP3 in the jargon), which it
hopes to formally ratify by the end of this year with a view to implementation in all G10
countries by the end of 2006.
Comparison of Basel Accords
3.3.4 Key Elements of Basel II
The new capital adequacy framework has been crafted following a lengthy and
inclusive consultation process, and offers several approaches of varying degrees of
sophistication aimed at being applicable to diverse banking and supervisory systems.
Basel II consists of three "pillars:"
Pillar 1: Capital Adequacy
Pillar 1 revises the 1988 Accord's guidelines by aligning the minimum capital
requirements more closely to each bank's actual risk of economic loss. It requires higher
levels of capital for those borrowers estimated to present higher levels of credit risk and vice
versa. Pillar 1 provides four basic variants for determining capital adequacy requirements for
banks:
1. the "simple standardized approach," broadly based on the Basel I Accord of 1988;
2. the "standardized approach," using external credit ratings as a basis for setting capital
adequacy charges for various asset classes;
3. the "foundation internal ratings-based approach;" or
4. the "advanced internal ratings-based approach."
The latter two methodologies are based on probability of default and other
components of credit risk derived from banks' own internal risk analysis systems.
Pillar 1 also establishes an explicit capital charge for a bank's operational risk.
Pillar 2: Supervisory Review
Pillar 2 reinforces and expands many of the principles in the BCP and recognizes the
necessity of supervisors reviewing banks' internal assessments of their overall risks and
capital needs. Supervisors will evaluate the activities and risk profiles of banks to determine
whether the banks should hold higher levels of capital than what is specified under Pillar 1.
In addition, it suggests how banks could deal with risks not covered in Pillar 1, e.g.,
concentration risk and interest rate risk in the banking book.
Pillar 3: Market Discipline
Pillar 3 enhances the degree of transparency in banks' public reporting with the
expectation that this will provide a basis for more informed analysis by markets and
customers on banks' financial condition and risk management. Such information will
encourage market discipline, which, in turn, will support the efforts of bank supervisors to
encourage prudent management by banks.
Pillar 1: Capital Adequacy
Credit Risk 1: Simplified Standardized Approach (SSA)
Main Features: Greater risk sensitivity than Basel I through more risk buckets and risk
weights for sovereigns and banks based on Export Credit Agency (ECA) risk scores.
Operational risk charge 15 percent of annual gross income. Pillars 2 and 3 applicable.
Credit Risk 2: Standardized Approach (SA)
Main Features: More risk buckets than SSA. Risk weights for asset classes based on ratings
of external credit assessment agencies (ECAIs) or ECA scores. Enhanced credit risk
mitigation available.
Key Requirements: Ratings of ECAIs. Ability and capacity to qualify rating agencies and map
agency scores.
Credit Risk 3: Foundation Internal Ratings Based Approach (F-IRB)
Main Features: Based on risk components: probability of default (PD), loss given default
(LGD), exposure at default (EAD), and maturity (M). Banks can use own PD estimates and
supervisory estimates for other components. Stress testing required.
Key Requirements: Ability to assess banks' rating system design. Ability to validate banks'
risk management and stress testing systems. Ability to provide supervisory estimates of LGD
and EAD.
Credit Risk 4: Advanced Internal Ratings Based Approach (A-IRB)
Main Features: Capital requirements determined as in F-IRB. Banks can use own estimates for
PD, LGD, EAD and M, subject to supervisory validation of systems. Stress testing required.
Key Requirements: Ability to assess banks' rating system design. Ability to validate banks'
risk management and stress testing systems.
Operational Risk 1: Basic Indicator Approach
Main Features: Flat rate of 15 percent of gross annual income.
Operational Risk 2: Standardized Approach
Main Features: Operational risk charges for each business line, based on annual income per
business line, multiplied by risk factor per business line.
Key Requirements: System to distinguish business lines and supervisory ability for
validation of this system. Data on operational risk occurrences and cost.
Operational Risk 3: Advanced Measurement Approach
Main Features: Full reliance on banks' internal risk measurement systems, subject to
supervisory approval.
Key Requirements: Capacity for supervisory validation.
Pillar 2: Supervisory Review
Main Features: Banks have a process for assessing capital adequacy (CAAP) and a strategy for
maintaining capital level. Supervisors evaluate banks' internal capital adequacy systems and
compliance. Higher capital adequacy levels for individual banks if risk profile requires.
Early intervention by supervisors. Stress tests and assessment of interest rate risk and
concentration risk.
Key Requirements: Supervisory ability and capacity to make the necessary assessments.
Adequate legal and regulatory framework to take action.
Pillar 3: Market Discipline
Main Features: Information to be disclosed includes:
• Available capital in the group, capital structure, detailed capital requirements for
credit risk;
• Breakdown of asset classification and provisioning;
• Breakdown of portfolios according to risk buckets and risk components;
• Credit risk mitigation (CRM) methods and exposure covered by CRM;
• Operational risk; and
Key Requirements:
• Banks' information systems to produce required breakdowns;
• Accounting and auditing systems that safeguard accuracy of disclosures; and
• Ability to require disclosure, monitor and verify.
3.3.5 Basel II Implementation in India: A Seven-Step Approach [28]
The Basel II capital adequacy rules are based on a "menu" approach. Banks and
regulators are offered two distinct sets of options for banks for computing credit risk capital
charges: (i) two "standardized" approaches based on external credit assessments; and (ii) two
"IRB" approaches which use internal ratings based on banks' own data. For operational risk,
banks and regulators can choose either: (i) the basic indicator approach, based on overall
income; (ii) the standardized approach based on income of business lines; or (iii) the
"advanced measurement approach" (AMA) based on internal models, and using actual loss
data. The minimum requirements for the advanced approaches are technically more
demanding and require extensive databases and more sophisticated risk management
techniques.
[28] www.iflexconsulting.com; i-flex solutions limited, i-flex Park, C/o Embassy Business Park, C.V Raman Nagar, Bangalore-560093, India
The 3 Approaches for implementation of Basel II
The Basel Committee for Banking Supervision (BCBS) has recently published the
final version of the revision to the Capital Accord, better known as Basel II. The same has
been endorsed by the central banks of all the member countries. Basel II is likely to have a
far-reaching impact on risk and capital management practices of banks globally. Given the
complexity of the Basel II framework and the enterprise-wide nature of its impact,
implementing it is by no means simple for banks. The task calls for a well-planned,
well-structured and centrally coordinated effort. This section outlines a seven-step approach,
which we believe will help banks plan and implement their Basel II compliance program.
This approach also opens more creative paths to robust enterprise-wide risk management,
beyond the limited horizon of Basel II compliance.
Phase I: Gap Analysis
Step 1: Basel II Program Initiation
Banks embarking on a Basel II compliance program should set up a steering
committee at the strategic level with top level representatives from various relevant business
units across the bank. This committee should be mandated to provide guidance throughout
the project lifecycle and be held primarily accountable for success or failure of the overall
initiative. Ideally, it is this committee, based on its assessment of the bank's preparedness
and the prescription of local regulators, that should recommend the implementation approach
to the bank's board. The board can then decide on the approach to be adopted and set
timelines for complying with Basel II recommendations.
Simultaneously, the bank needs to take up a few other complementary activities:
• Initiation of Basel II awareness and training programs to equip employees
with requisite knowledge and expertise;
• Establishment of a regular two-way communication channel with regulators
for local implementation essentials;
• Communicating management objectives and Basel II strategies to the
employees involved in the program implementation.
It is also at this stage that the bank looks for external specialist help that may become
necessary in certain areas. The very nature of Basel II and the size of the implementation
effort will require banks not only to use the expertise and resources available internally but
also to supplement them with any external help.
Step 2: Gap Analysis
Once the basic program governance structure is established, a Basel II compliance
program involves evaluation of the bank's preparedness vis-à-vis the stated objectives of its
management with respect to risk management and Basel II recommendations. As part of this
evaluation, gaps in the following aspects should be identified: organization, policies,
processes, systems and data.
Among the different aspects of gap analysis listed above, data gaps may be the
most prevalent, and unearthing details may require intensive efforts. A detailed study of
various source systems may be required to exactly determine data adequacy of the bank. For
instance, from the point of view of operational risk, gap analysis should focus on data
availability for loss events and key risk indicators.
For credit risk, under every approach, collateral data assumes prime importance.
Under the Advanced Internal Ratings Based (IRB) approach for credit risk, banks are
required to maintain histories of data used to estimate risk parameters such as Probability of
Default (PD), Loss Given Default (LGD), Exposure At Default (EAD), etc.
As part of the gap analysis exercise, banks with global operations should also sort out
the issues relating to local adaptations of Basel II recommendations by regulators in the
respective host countries. At the end of this phase, gaps should be prioritized and approved
by the steering committee and the recommendations presented to the management for
approval.
Phase II: Implementation Roadmap
Step 3: Drawing An Implementation Roadmap
Once the gap analysis is complete and the requisite senior management approvals
are obtained, the bank would be ready to chart its course of Basel II compliance. This
phase may be viewed as a cluster of various planning initiatives.
Activity Planning: Before drawing up the detailed implementation road map and
deciding on the solutions architecture, various tasks falling under the recommendations of
Basel compliance should ideally be identified, prioritized and planned. Typically, this road
map would address all lacunae identified during gap analyses. The road map should also be
aligned with the overall management goals of the bank, as Basel II may be regarded as the
starting point for evolution of a robust risk management framework. Accordingly, resources
should be identified and trained according to the tasks assigned, if required, and specific
responsibilities should be assigned. This phase is critical because the success of a road map
hinges on the coordination and the buy-in that is established between the various business
lines of the bank.
Technology Planning: Simultaneously, it is recommended that the technology
aspects of the program receive equal focus. From a technology standpoint, the solution
should not only address current needs with respect to Basel II, but also be flexible and
extensible enough to accommodate the larger, possibly future, risk management
requirements of the bank. When evaluating possible technology solutions, it is important that
the focus should be on optimizing and leveraging the existing infrastructure at the bank. It is
possible that the existing infrastructure is inadequate to comply with the recommendations of
the Basel committee.
In such a case, available solutions should be evaluated within the framework of the
bank's overall business requirements. As part of this exercise, the bank may want to choose
from the following options:
• Packaged solutions vs. customized development
• In-house vs. outsourced development
• Current architecture vs. replacement
Data Management Planning: Although data management planning is closely
related to technology planning, it is being discussed separately because sourcing missing
data could well be one of the biggest challenges banks face in their compliance program.
Some of the key areas where additional data may be required could be: data for loss events,
Key Risk Indicators (KRI), exposure and rating - both current and historical, LGD, EAD and
collateral.
When designing the data model, the dynamic nature of the bank's business model
should be taken into account. The ideal data model would be one that helps banks
understand, monitor and manage their risk exposures while, at the same time, being flexible
enough to extend beyond meeting Basel II norms. A comprehensive, metadata-driven
approach for defining and mapping data sources with the target data structures would
provide banks the extensibility they require.
Planning for Process-related Issues: A basic prerequisite for Basel II compliance is to
conform to certain minimum process requirements as mandated in the accord. But as processes
are intrinsic to an organization, their redesign requires a cautious and strategic approach.
A few pertinent issues, which need to be addressed while planning for process redesign, are:
• Close alignment of new systems and processes;
• Conformity to long-run organizational objectives;
• Extent of external help for redesign.
Phase III: Implementation
Implementation of the program consists of various subprojects of different sizes.
Though the projects will be interdependent, they can be implemented with a fair amount of
parallelism and without any obvious chronological dependence.
All these sub-projects can be divided into three broad areas of concentration:
a) Organization, Policies and Processes Redesign
b) Data Management and IT Applications
c) Analytics - Models, Methods and Validation.
These three steps of the program are connected with the focus areas described in the
following paragraphs.
Step 4: Organization, Policies and Processes Redesign
One of the most important tasks for the bank is to ensure Basel II readiness at the
organizational and cultural level. As Basel II intends to introduce a new level of regulatory
expectations and prescriptions, it may involve readjustment to new processes and procedures.
There should be adequate effort spent on educating and preparing the relevant people for the
necessary readjustments.
Moreover, it is of primary importance to build an independent risk management organization
with clearly defined responsibilities, transparent procedures, and direct involvement and
approval of the board. Similarly, risk management policies should be clearly articulated,
completely transparent, and aligned with the regular operations.
The internal processes being followed should be evaluated critically and, if required,
the processes should be redesigned in tune with the proposed risk management practices of
the bank. To facilitate internal controls and enhance corporate governance, suitable
provisions for audit trails should be made available. The internal rating processes that are
finally recommended should have the concurrence of the bank's top management.
Step 5: Data Management & IT Applications
As discussed earlier, data management issues may present the most significant
problems when complying with Basel II. Ideally, the bank should implement an integrated
enterprise-wide risk management solution, using a data warehouse, which stores credit,
market and operational risk measures, provides standardized and flexible data extraction
facilities, and supports integration and transformation mechanisms. Ideally, the solution must
also provide comprehensive analytical capabilities and establish an infrastructure that is
flexible and extensible. However, depending on the risk management maturity and the scale
of operations, a bank may opt for a simpler data repository. Even so, this repository needs to
be extensible, auditable and reporting enabled.
When creating the infrastructure for data management, the required data should be
identified and extracted from various systems or physical sources and, subsequently,
interpreted/transformed. The critical challenge may emerge in meeting the historical data
requirement. Further, a facility to estimate important parameters such as Loss Events, KRIs,
PD, EAD and LGD from the data model using external and internal databases should be
established. In order to comply with operational risk aspects, external databases may need to
be linked to the bank's Loss Events systems consisting of risk indicators and loss effects.
The most important applications required for a Basel II compliance program are:
• Internal Rating System
• Collateral Management System
• Reporting Tools
• Capital Calculation Engines
• Analytical Applications including Data Mining Tools.
However, the relevance and the relative importance of the above-mentioned
applications and tools would depend on the selected approach. The importance of leveraging
existing applications and systems is high. Even if the bank already has an Internal Rating
System (IRS), it should be reviewed to align the system to IRB recommendations.
In case the bank has not been using an Internal Rating System, an appropriate IRS
would have to be implemented. Given the complexity of capital computation, the bank may
want to use rule engines as the basis for "capital charge calculators." Further, once the
required data (current and historical) is available, capital adequacy calculations and reporting
capabilities should be built for supervisory oversight and market disclosures. Similarly,
appropriate analytical tools should be chosen to analyze historical data across different
dimensions, and to validate internal risk models.
While setting up the IRS, amongst other things, a high level of statistical capability is
required to estimate PD and test with reference to historical data. A comprehensive process
framework should be put in place to review and oversee the accuracy and consistency of the
output of the IRS. It should be ensured that all processes (such as rating generation and
internal controls) and the methodologies adopted (such as the rating models used) are
exhaustively documented. The performance of the IRS and reporting of deviations, if any,
should also be documented.
Step 6: Analytics - Models, Methods and Validation
The Basel II accord has been drafted with a view to allowing banks to comply with
the regulations even by means of using their internal risk models to estimate risk parameters.
However, for less mature banks, the approaches are much simpler and standardized. The
importance of analytics is more immediate for banks that would implement the IRB
Approach for Credit Risk and/or the Advanced Measurement Approach (AMA) for Operational
Risk. However, as most banks would progressively adopt more complex approaches, it
would be prudent for all the banks complying with Basel II to focus on analytics right from
the start.
The computation of credit risk-based capital in Basel II is based on the following
fundamental parameters - PD, LGD, EAD and maturity. The IRB approach requires that the
bank compute all these parameters by using appropriate quantitative models and
methodologies. A related quantitative task is to measure the effect of risk mitigating factors
such as collaterals, supports and guarantees on risk weighted assets. So, banks need to invest
sufficiently to develop the requisite estimation models and methodologies.
Banks may also take the help of external vendors to develop or buy the models, but
the supervisor should be satisfied that these external models are sufficient for analyzing the
risk profile of the bank's portfolio, and that the models are used consistently in the regular
risk control operations. Similarly, for operational risk, the banks need to model the loss
distribution function to arrive at the aggregate operational risk estimate.
Banks also need to validate these models against real historical experience and
demonstrate the same to the supervisors for compliance. This also calls for systematic data
management and extensive quantitative expertise.
Phase IV: Compliance and Certification
Step 7: Certification, Parallel Run and Go Live
The Basel compliance project enters its final stage and is ready to go live when the
key areas requiring supervisory approval are identified and communicated to the regulator,
along with the details of the bank's preparedness. The regulators may carry out an on-site
inspection prior to attesting the compliance of the bank.
After certification, the banks need to undertake a parallel run, which implies
simultaneous working of the existing and the new Basel II compliant risk management
framework for the sake of continuity. Once the bank is satisfied and confident about the
working of the new risk management regime, it would adopt the new framework completely
in its daily operations and the older framework would be gradually phased out.
3.3.7 Conclusion
A major compliance initiative such as Basel II compliance requires a centralized,
dedicated project team, and significant investments in infrastructure and human capital.
Because the impact of such an exercise would be felt across the enterprise, it should be
ensured that the initiative is cross-woven across the bank to derive the desired benefit. On an
ongoing basis, new developments in risk management should be reviewed and appropriate
action be taken to meet the expectations of the bank's management and the supervisor's
directive. The end of such an initiative is not in the achievement of immediate goals (such as
Basel compliance) but in the constant refinement of processes in the light of changing needs.
Section 3.4:
Operational Risk Management
3.4.1 Introduction
3.4.2 Background
3.4.3 Operational Risk Definition
3.4.4 Dimensions of operational risk
3.4.5 Quantifying Capital For Operational Risk
3.4.6 RBI Guidelines
3.4.7 Sound Practices of Basel committee
3.4.8 Operational Risk Measurement
3.4.9 Measurement Methodology
3.4.10 Risk Mitigation
3.4.11 Factors In Selecting An Approach
3.4.12 Operational Risk Management process
3.4.1 Introduction
Managing operational risk is becoming an important feature of sound risk
management practices in modern financial markets in the wake of a phenomenal increase in
the volume of transactions, a high degree of structural change and complex support
systems. The most important type of operational risk involves breakdowns in internal
controls and corporate governance. Such breakdowns can lead to financial loss through
error, fraud, or failure to perform in a timely manner or cause the interest of the bank to be
compromised.
Generally, operational risk is defined as any risk which is not categorized as
market or credit risk, or the risk of loss arising from various types of human or technical
error. It is also synonymous with settlement or payments risk and business interruption,
administrative and legal risks. Operational risk has some form of link with credit and
market risks. An operational problem with a business transaction could trigger a credit or
market risk.
In view of the growing complexity of banks' business and the dynamic operating
environment, risk management has become very significant, especially in the financial
sector. The Basel Committee on Banking Supervision recognizes that the exact approach for
operational risk management chosen by an individual Bank will depend on a range of factors,
including its size and sophistication and the nature and complexity of its activities. However,
despite these differences, clear strategies or oversight by the board of directors and senior
management, a strong operational risk culture and internal control culture (including, among other
things, clear lines of responsibility and segregation of duties), effective internal reporting, and
contingency planning are all crucial elements of an effective operational risk management
framework for banks of any size and scope. The Committee therefore believes that the
principles outlined in its paper Sound Practices (February 2003) establish sound practices
relevant to all banks. The Basel Committee's previous paper A Framework of Internal Control
System in Banking Organization (September 1998) underpins its current work in the field of
operational risk (Shri Sanjay) [29].
[29] Shri Sanjay Sharma is Economic Officer, MASD, Head Office, New Delhi.
The Reserve Bank of India has already issued guidelines to all banks for implementing
risk management systems. Risk at the apex level may be visualized as the probability of a
bank's financial health being impaired due to one or more contingent factors. While the
parameters indicating the bank's health may vary from net interest margin to market value
of equity, the factors which can cause the impairment are also numerous. For instance,
these could be default in repayment of loans by borrowers, change in value of assets or
disruption of operations due to reasons like technological failure. While the first two
factors may be classified as credit risk and market risk, generally banks have classified all
risks excluding the credit and market risk as operational risk. However, this is only a
general definition. In fact, the debate on defining operational risk has overshadowed the
discussions on managing such risk. Leaving aside the varying definitions, a common
thread that runs through them can help narrow down the definition of operational risk as
under:
"Operational risk is the risk of direct or indirect loss resulting from inadequate or failed
internal processes, people, and systems or from external events".
Traditionally, banks focused on credit risk, as this constituted the main part of
their risk profile. The need for management of market risk was not felt so acutely as the
financial markets were relatively stable in the pre-liberalization era. Further, management
of operational risk was considered an integral part of running the business and therefore,
mitigation of this type of risk was addressed through appropriate design of business
processes. Although such an approach to the management of operational risk served the purpose
reasonably, it suffered some drawbacks as well. First of all, business processes have to
fulfill various objectives and the most important of them is efficient delivery of products and
services to the total satisfaction of customers. Naturally, other objectives including
management of operational risk were given lower priority. Thus, the approach so far
adopted precludes any scientific analysis of operational risk and impact thereof (Jorion
Philippe, 2002, pp. 457-463).
However, there is growing recognition that operational risk transcends business
processes and encompasses a wide range: from lacunae in corporate governance at the apex
level of the bank to human errors at ground level; from internal sources of losses to
external sources of risk such as market failure, war, etc.; from minor disruption of
operations to major catastrophe. Similarly, one end of the operational risk spectrum has
high-frequency, low-loss events, while at the other end are very rare events of
extraordinarily large losses. Thus, the subject of operational risk is highly complex and
varied. Consequently, it demands a thorough and scientific analysis. Unfortunately, the
complex nature of the subject and paucity of relevant data have hindered such
examination. However, the recent developments in the financial market have refocused
attention on operational risk. While huge losses suffered by reputed institutions
underscored the importance of operational risk, issues such as the Y2K problem highlighted
the new and growing dimension of operational risk.
According to a review of the risk analysis literature on the banking system, many of the
severest risks currently faced by financial institutions fall under the heading of operational
risk. The category is dauntingly broad, abstract and hard to measure, and can veer to the
outer limits of imagined realities in the financial world or any other. The Bank for
International Settlements Basel II Accord defines it as "the risk of loss resulting from
inadequate or failed internal processes, people and systems or from external events." Basel
II doesn't mention some of the biggest risks facing banks today; the concrete risks under
reputational risk are one such. Some argue that this is not a separate category, but the
byproduct of other risks, such as fraudulent or incompetent behavior. But others say there's
more to it than that. A concern known as franchise reputational risk, for example, stems
from any decision that makes economic sense in the short term, but may damage a
business's franchise longer term. A bank's closing down of unprofitable rural branches, for
instance, could stir up a political furor rancorous enough to damage its reputation.
Legal reputational risk is yet another concern. This is the risk that aggressive corporate
behavior, seemingly within the letter of the law, will trigger an investigation by the
authorities and be examined in the media. Regardless of whether any penalty or indictment
is ever handed down, the initial media publicity could cause serious damage. With public
mistrust of corporate reporting currently pandemic, any risk to an institution's reputation
for legality and ethics is dangerous. By the same logic, a reputation for corporate
governance that transcends regulatory requirements can actually help an institution's share
price.
3.4.2 Background
Deregulation and globalisation of financial services, together with the growing
sophistication of financial technology, are making the activities of banks and thus their risk
profiles (i.e. the level of risk across a bank's activities and/or risk categories) more complex.
Developing banking practices suggest that risks other than credit, interest rate and market risk
can be substantial. Examples of these new and growing risks faced by banks include:
• If not properly controlled, the greater use of more highly automated technology has the
potential to transform risks from manual processing errors to system failure risks, as greater reliance is
placed on globally integrated systems.
• Growth of e-commerce brings with it potential risks (e.g. internal and external fraud and
system security issues) that are not yet fully understood.
• Large scale acquisitions, mergers, de-mergers and consolidations test the
viability of new or newly integrated systems.
• The emergence of banks acting as large-volume service providers creates the
need for continual maintenance of high-grade internal controls and back-up systems.
• Banks may engage in risk mitigation techniques (e.g. collateral, credit derivatives,
netting arrangements and asset securitisations) to optimise their exposure to market risk and credit
risk, but which in turn may produce other forms of risk (e.g. legal risk).
• Growing use of outsourcing arrangements and participation in clearing and
settlement systems can mitigate some risks but can also present significant other risks to banks.
The diverse set of risks listed above can be grouped under the heading of 'operational
risk' which the committee has defined as 'the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events'. The definition includes legal risk
but excludes strategic and reputational risk.
The committee recognizes that operational risk is a term that has a variety of meanings within
the banking industry, and, therefore, for internal purposes (including in the application of the Sound
Practices paper), banks may choose to adopt their own definitions of operational risk.
Whatever the exact definition, a clear understanding by banks of what is meant by operational
risk is critical to the effective management and control of this risk category. It is also important that
the definition considers the full range of material operational risks facing the bank and captures the
most significant causes of severe operational losses. Operational risk event types that the committee
has identified as having the potential to result in substantial losses include:
• Internal fraud, e.g. intentional misreporting of positions, employee theft, and
insider trading on an employee's own account.
• External fraud, e.g. robbery, forgery, cheque kiting, and damage from computer hacking.
• Employment practices and workplace safety, e.g. workers compensation claims,
violation of employee health and safety rules, organised labour activities, discrimination claims,
and general liability.
• Clients, products and business practices, e.g. fiduciary breaches, misuse of
confidential customer information, improper trading activities on the bank's account, money
laundering, and sale of unauthorised products.
• Damage to physical assets, e.g. terrorism, vandalism, earthquakes, fires and
floods.
• Business disruption and system failure, e.g. hardware and software failures,
telecommunication problems, and utility outages.
• Execution, delivery and process management, e.g. data entry errors, collateral
management failure, incomplete legal documentation, unapproved access given to client
accounts, non-client counterparty misperformance, and vendor disputes.
The committee recognises that management of specific operational risks is not a
new practice. It has always been important for banks to try to prevent fraud, maintain
the integrity of internal controls, reduce errors in transaction processing, and so on. However, what
is relatively new is the view of operational risk management as a comprehensive practice comparable
to the management of credit and market risk in principle, if not always in form. These trends,
combined with a growing number of high-profile operational loss events worldwide, have led banks
and supervisors to increasingly view operational risk management as an inclusive discipline.
In the past, banks relied almost exclusively upon internal control mechanisms within
business lines, supplemented by the audit function, to manage operational risk. While these remain
important, recently there has been an emergence of specific structures and processes aimed at
managing operational risk. In this regard, an increasing number of organisations have concluded
that an operational risk management programme provides for a bank's safety and soundness, and are
therefore making progress in addressing operational risk as a distinct class of risk similar to their
treatment of credit and market risk. For managing exposures related to operational risk, the committee
has attempted to develop some Sound Practices.
3.4.3 Operational Risk Identification
A universal definition of operational risk has not yet been established. Risks other than
credit and market risk include operational risk, legal risk, reputational risk and so forth. As the
definition of operational risk is yet to be finalized, the following is commonly accepted: "The
possibility of incurring loss directly or indirectly due to inappropriate internal procedure or
external factors." It can also be defined as follows: "operational risk is categorized into two types, i.e.
processing risk such as operational error, property loss, fraud, and systems risk such as system's
error, software bug and data deficiency"30. Needless to say, it is essential to start conceptualising
on operational risk based on its clear definition because an ambiguous definition of this type may
lead to confusion.
Banks should identify and assess the operational risk inherent in all material
products, activities, processes, and systems. Banks should also ensure that, before new
products, activities, processes, and systems are introduced or undertaken, the operational
risk inherent in them is identified. Risk identification is paramount for the subsequent
development of a viable operational risk monitoring and control system. Effective risk
identification considers both internal factors (such as the bank's structure, the nature of
the bank's activities, the quality of the bank's human resources, organizational changes,
and employee turnover) and external factors (such as changes in the industry and
technological advances) that could adversely affect the achievement of the bank's
objectives. In addition to identifying the most potentially adverse risks, banks should
assess their vulnerability to these risks. Effective risk assessment allows the bank to better
understand its risk profile and most effectively target risk management resources.
Amongst the possible tools used by banks for identifying and assessing
operational risk are:
Self Assessment of Operational Risk: a bank assesses its operations and activities
against a menu of potential operational risk vulnerabilities. This process is internally
driven (and often incorporates checklists and/or workshops) to identify the strengths
and weaknesses of the operational
risk environment. Scorecards, for example, provide a means of translating qualitative
assessments into quantitative metrics that give a relative ranking of different types of
operational risk exposures. Some scores may relate to risks unique to a specific business
line while others may rank risks that cut across business lines. Scores may address
inherent risks, as well as the controls to mitigate them. In addition, scorecards may be
used by banks to allocate economic capital to business lines in relation to performance in
managing and controlling various aspects of operational risk.
Risk mapping: in this process, banks and various business units,
organizational functions or process flows are mapped by risk type. This exercise can
reveal areas of weakness and help prioritize subsequent management action.
30 Accordingly at Sumitomo Mitsui Banking Corporation (SMBC)
Risk Indicators: risk indicators are statistics and/or metrics, often
financial, which can provide insight into a bank's risk position. These indicators tend to
be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes
that may be indicative of risk concerns. Such indicators may include the number of failed
trades, staff turnover rates and the frequency and/or severity of errors and omissions.
Measurement: some banks have begun to quantify their exposure to
operational risk using a variety of approaches. For example, data on a bank's historical
loss experience could provide meaningful information for assessing the bank's exposure
to operational risk and developing a policy to mitigate/control the risk. An effective way
of making good use of this information is to establish a framework for systematically
tracking and recording the frequency, severity and other relevant information on
individual loss events.
3.4.4 Dimensions of operational risk
Operational risk also transcends boundaries: the level of management (top,
middle or line); machine, man or system; and organizational or external. In fact, all these
may be possible sources of operational risks. Broadly, the dimensions of operational risk may
be classified as follows:
1. Relationship Risk: This includes losses caused due to relationships with others
such as clients, regulators, suppliers etc. The losses may be generated through unexpected
change in stance by the counterparty, penalties or other payments caused by specific
contracts etc.
2. Human Risk: The losses caused by intentional or unintentional behaviour of
employees, employment dispute, dispute relating to intellectual property etc.
3. Technology Risk: The losses due to technological factors such as technical
disruption, down time, theft or piracy, hacking, disruption or distortion in data/ information
of transaction or leakage of information etc.
4. Physical Risk: Losses due to damage of property or other assets for which
the bank is responsible.
5. Other External Risks: The losses caused by actions of external parties such
as fraud perpetrated on the bank or other such changes in the external operating
environment may be classified under this head.
Operational risk is not a sum total of the risk generated through these dimensions.
It is the probable loss caused by all the above factors taken together. While some
factors may accentuate the risk, others may counteract it and reduce the net risk. Therefore,
Operational Risk management addresses the issue of measuring the composite probable
loss due to the operational factors.
3.4.5 Quantifying Capital For Operational Risk31
More and more banks are allocating capital to operational risk based on its measurement in
order to build an incentive for establishing sound control of operational risk. Quite a few American
and European banks allocate a uniform 10-20% of their capital to operational risk. On the other
hand, Japanese banks tend to think that operational risk is not significant because they have
already spent a huge amount of money on operational management. Modeling the measurement of
operational risk would be useful to see whether this attitude is justified.
The quantification of operational risk has advanced to a statistically based model created
from both hard data and qualitative factors. The evolution of operational risk capital models was
set in motion by the process used to measure risk-adjusted returns on capital. Banks find value in
strategic planning, risk analysis, pricing, and performance measurements. Given the variations
among business lines, accurate performance comparisons require adding the operational risk
dimension to market and credit risks. Here, capital methodologies provide the means to profile
operational risk across the bank on an expected and unexpected loss basis.
The quantification of operational risk is characteristically different from market and
credit risk, although they all share the perspective of expected and unexpected loss. More than
ever, when we say 'the risk is high' we must specify whether the risk is from expected or
unexpected losses. While a downgrade from an A to a BBB rating would imply a higher expected
loss and unexpected loss for credit risk, we cannot assume with operational risk that a risk with
higher expected loss also has higher unexpected losses. The focus here again is on capital or
unexpected loss related to operational risk.
Some common objectives and considerations in any operational risk management
methodology include:
• A stated level of confidence (e.g. 99.9%), so that figures can be consistent with
market and credit risk methodologies.
31 PNB Monthly Review, April 2005
• A stated time horizon (e.g. one year) indicating the period for which capital is
intended to cover the volatility of losses.
• Reflection of inherent risk, so that higher capital can be assigned to businesses
historically proven to be riskier.
• Sensitivity to change, so that we can create behavioural incentives and capital can
respond quickly up or down to the changes in the risk profile.
• A forward-looking approach, so that current and anticipated
risks (e.g. system changes, mergers, and new products) are reflected in the risk profile.
• A comprehensive outlook covering all business areas,
whether they have a history of operational risk experience or not.
• Transparency, so that all related managers can understand all assumptions as well as
methodology.
• Objectivity, to minimize potential influence on the results by subjective judgment.
3.4.6 RBI Guidelines
RBI, in its guidelines on risk management in banks, has highlighted the issues
relating to operational risk along with the other risks faced by banks. Although operational risk
is defined in a very broad sense, the focus has remained on settlement or payment risk,
business interruption, administrative and legal risks. The major areas covered under the
guidelines are:
Measurement - Measurement of operational risk requires estimation
of the probability of a loss event and the potential size of loss. Some of the factors which could
be used for measuring operational risk in each business unit are audit rating, operational
data such as volume, turnover and complexity of operations, and data on quality of operations
such as error rate. The association of identified factors with revenue volatility could be
established through examination of historical experience. Measurement of operational risk
should be on a bank-wide basis, and should be reviewed on a regular basis. As banks do not
have any scientific methods for evaluation of operational risk, a beginning should be made
by evolving simple benchmarks.
Risk Monitoring - Risk monitoring should focus on the relationship
between the factors considered important for operational risk, occurrences of the loss
events and causes of loss.
Control - Besides internal control and audit, which are used as the
principal means for addressing operational risk, banks should endeavor to set operational
risk limits. Developing contingent facilities, insurance and risk education should also be
adopted for mitigating operational risk.
Policies & procedures - Well defined policies for operational risk
should be formulated which should facilitate aggregation of operational risk at bank level.
Further, the issues relating to internal control, review process etc. should also be
addressed.
Internal Control - Internal control has proved to be the most effective
tool for mitigation of operational risk so far. Therefore, the adequacy and
effectiveness of the internal control mechanism should be stressed and ensured.
Self-assessment of internal control environment is an ideal method for
identification of problem spots. This method can be used along with internal/external
audit rating.
Audit committee - A greater and more effective role for the audit
committee is also suggested.
3.4.7 Sound Practices of Basel committee
In developing these sound practices, the committee has drawn upon its existing work on the
management of other significant banking risks, such as credit risk, interest rate risk and liquidity risk,
and the committee believes that similar rigour should be applied to the management of operational risk.
Nevertheless, it is clear that operational risk differs from other banking risks in that it is typically not
directly taken in return for an expected reward, but exists in the natural course of corporate activity,
and that affects the risk management process. At the same time, failure to properly manage
operational risk can result in a misstatement of an institution's risk profile and expose the institution
to significant losses. Reflecting the different nature of operational risk, 'management' of operational
risk is taken to mean the 'identification, assessment, monitoring and control/ mitigation' of risk. This
definition contrasts with the one used by the committee in previous risk management papers of the
'identification, measurement, monitoring and control' of risk. The committee has structured this
sound practice paper around a number of principles:
3.4.7.1 Basel Acceptance Criteria32
32 PNB Monthly Review, April 2005
The Committee has outlined 10 qualitative principles relating to the operational risk
framework that institutions must follow to be eligible to use the more advanced models. These
principles are summarised below:
1. The board of directors should be aware of the major aspects of operational risk,
approve the operational risk strategy and basic structure for managing operational risk, and
ensure that senior management is carrying out its risk management responsibilities.
2. Senior management is responsible for implementing the operational risk
management strategy throughout the organisation and for developing the relevant policies
and systems.
3. Reporting should enable management to monitor the effectiveness of the risk
management system and permit the board to oversee management performance.
4. Banks should identify the operational risk in all products, activities, processes, and
systems for both existing operations and new products.
5. Banks should establish the process necessary for measuring operational risk.
6. Banks should implement a system to monitor operational risk exposures and loss
events by major business lines.
7. Banks should have policies, processes, and procedures to control or mitigate
operational risk. They should assess the costs and benefits of alternative strategies and adjust
their exposures appropriately.
8. Bank supervisors should require banks to have an effective operational risk
management strategy as part of an overall approach to risk management.
9. Supervisors should conduct regular independent evaluations of banks'
operational risk management strategies.
10. Banks should make sufficient public disclosure to allow market participants to assess
their operational risk exposure and the quality of their operational risk management.
3.4.7.2 The Basel Committee Recommendations
The Basel committee has recommended three alternative approaches to
quantification of an operational risk capital charge. These three alternatives, ranging from
the simple to very sophisticated, are intended to offer banks of all sizes and complexities a choice
of what is right for each.
Stage I - The basic indicator approach.
This is the simplest alternative, with operational risk capital being a factor (alpha) times
gross revenue.
Stage II - The standardized approach.
This is similar to the basic indicator approach, but with different factors for each business
line. Capital equals the sum of the factors (beta) times the gross revenue of each business line.
Stage III - Advanced measurement approaches.
These approaches are intended to be the most risk sensitive and to relate to the
experience of each institution. The Committee has identified three example approaches, but has
left open the option for additional development by the banking institutions.
1. The Internal Measurement approach calls for a standard industry factor (gamma) at
the business line and risk level to be multiplied by an institution's expected loss amounts related
to operational risk.
2. The Loss Distribution Approach (LDA) follows an actuarial methodology where
distributions are constructed based on historical internal and external loss data.
3. Scorecard approaches use a firm-wide capital charge and modify / allocate this amount
over time, based on risk indicators or other qualitative criteria.
The Basic Indicator approach would likely be the choice of smaller institutions and
those institutions without an operational risk framework. The Standardized approach tries to be
more risk sensitive by having different factors for each business line and may appeal to institutions
whose business mix is different from and is less risky than the industry norm. The largest
institutions should likely use the Advanced Measurement approaches to justify a lower capital
charge based on their operational risk practices and their own loss experience.
The Basel Committee also has defined criteria related to quantification for
institutions to qualify for using any of the Advanced Modeling approaches. Ultimately, each local
regulator will have to approve each model. The relevant quantitative criteria are:
• Floor level of capital. The actual capital charge will not be less than 75% of that
calculated by the Standardized approach.
• Capture infrequent but severe events. The methodology must consider rare
events that might not be reflected in the internal loss history of any one institution.
• Five years of loss data. Sufficient history should be there to have reasonable
confidence of a complete loss distribution. Three years of data may be considered for a
transition period.
• Disciplined override process. If for any reason any of the historical data points
are deleted from the dataset, there should be a sound reason.
• Extensive stress and scenario testing. This should test the sensitivity to the
underlying assumptions and parameters and ensure the adequacy of the overall model results.
• Disciplined incorporation of external data. Data from other firms are necessary to
understand the full extent of the tails of the distributions.
• Internal and external data should be combined only in a statistically valid
manner. Scaling criteria should be defined.
• 99.9% level of confidence and one-year holding period. This implies a
statistical framework where the level of confidence and holding period are direct inputs into the
approach.
• Correlations may be taken into account. Systems for measuring correlations
have to be sound and must demonstrate integrity.
• Benefits of insurance may be considered. The
methodology used to quantify the benefits of insurance must be well documented and
subject to review.
• Qualitative adjustments are permitted. The institution would need standards to
address the structure, comprehensiveness and rigour of the adjustments.
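The three approaches and the 75% floor described above, worked through in Python as an added example that is not part of the original text. The alpha and beta factors, the revenue figures and the Poisson/lognormal loss parameters are assumptions constructed for illustration (the page gives no values for them), and capital under the Loss Distribution Approach is taken as the unexpected loss, following the page's wording in 3.4.5.

```python
import math
import random

ALPHA = 0.15        # assumed basic-indicator factor; the page gives no number
FLOOR_SHARE = 0.75  # from the page: not less than 75% of the Standardized charge
CONFIDENCE = 0.999  # from the page: 99.9% confidence, one-year holding period

# Constructed figures: gross revenue per business line with an assumed beta each.
BUSINESS_LINES = {
    "retail_banking": {"beta": 0.12, "gross_revenue": 400.0},
    "commercial_banking": {"beta": 0.15, "gross_revenue": 250.0},
    "payment_settlement": {"beta": 0.18, "gross_revenue": 100.0},
}

# Constructed loss model per event type: Poisson events per year and a
# lognormal severity (mu, sigma of the log of a single loss).
LOSS_MODEL = {
    "external_fraud": {"freq": 25.0, "mu": -1.5, "sigma": 1.2},
    "system_failure": {"freq": 6.0, "mu": -0.5, "sigma": 1.5},
    "execution_errors": {"freq": 40.0, "mu": -2.5, "sigma": 1.0},
}


def basic_indicator_capital(lines, alpha=ALPHA):
    """Stage I: one factor (alpha) times total gross revenue."""
    return alpha * sum(line["gross_revenue"] for line in lines.values())


def standardized_capital(lines):
    """Stage II: sum of each line's factor (beta) times its gross revenue."""
    return sum(line["beta"] * line["gross_revenue"] for line in lines.values())


def _poisson(rng, lam):
    """Draw an event count with Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(model, years, seed):
    """Aggregate loss of each simulated year, sorted ascending."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for params in model.values():
            for _ in range(_poisson(rng, params["freq"])):
                total += rng.lognormvariate(params["mu"], params["sigma"])
        totals.append(total)
    totals.sort()
    return totals


def analytic_expected_loss(model):
    """Closed-form mean annual loss: frequency times mean lognormal severity."""
    return sum(p["freq"] * math.exp(p["mu"] + p["sigma"] ** 2 / 2)
               for p in model.values())


def lda_figures(sorted_losses, confidence=CONFIDENCE):
    """Expected loss, tail quantile and unexpected loss of the distribution."""
    n = len(sorted_losses)
    expected = sum(sorted_losses) / n
    index = min(n - 1, math.ceil(confidence * n) - 1)
    quantile = sorted_losses[index]
    return {"expected_loss": expected, "quantile": quantile,
            "unexpected_loss": quantile - expected}


def apply_floor(model_capital, standardized, share=FLOOR_SHARE):
    """Advanced-approach charge cannot fall below the share of Stage II."""
    return max(model_capital, share * standardized)


def capital_summary(years=10000, seed=7):
    """All three charges for the constructed bank, floor applied to the LDA."""
    standardized = standardized_capital(BUSINESS_LINES)
    lda = lda_figures(simulate_annual_losses(LOSS_MODEL, years, seed))
    return {
        "basic_indicator": basic_indicator_capital(BUSINESS_LINES),
        "standardized": standardized,
        "lda": lda,
        "ama_capital": apply_floor(lda["unexpected_loss"], standardized),
    }


if __name__ == "__main__":
    for name, value in capital_summary().items():
        print(name, value)
```

The few rare, severe years in the simulated tail drive the 99.9% quantile, which is why the criteria above insist on external data and scenario testing for events missing from a single bank's history.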
3.4.8 Operational Risk Measurement
For management of risk at corporate level, various risks like credit risk, market risk
or operational risk, have to be converted into one composite measure. Therefore, it is
necessary that measurement of operational risk should be in tandem with other
measurements of credit and market risk so that the requisite composite estimate can be
worked out.
There are two approaches to measurement of risk33. One is the "top-down approach" in
which the total amount or charge of expenses etc. derived from financial data in the balance
sheet and profit and loss statement is converted to a risk amount. Although this approach enables
easy capturing of overall risk, it does not lead to an appropriate capturing of risk according to
circumstances because it usually applies one uniform set of multiplication factors regardless of
differences in accounting, systems and procedures, expectation from customers for services and so
forth.
33 PNB Monthly Review, April 2005
The other approach separates risk factors and builds them up. This is called the "bottom-
up approach" because it analyses risk for each business line (transaction box). This approach
enables the analysis of risk factors and serves as an effective incentive for reduction of
operational cost and mitigation of operational risk, including the review of operational work flows,
though it requires complicated analysis of risk by business line. In order to make the risk
management process effective, management of operational risk should be performed to the same
standard as for market risk and credit risk. As regards the capital charge on operational risk,
statistically measuring the risk in the "bottom-up approach", based on historical data on frequency
of loss occurrence, size of loss and so forth, will conform to the objective of risk management,
i.e. precise capturing of risk, and will lead to enhancement of the risk management capabilities
of banks. Incidentally, SMBC has adopted the method for risk management based on the "bottom-up
approach" to contribute to the enhancement of risk management capabilities.
An efficient risk management system is contingent upon development of a suitable
system for collection of data, its analysis and presentation. This itself is a daunting task in
operational risk measurement. Broadly, we can divide operational risk into two parts.
First - events which cause comparatively small losses. Usually such events occur at
greater frequency, e.g. errors, outages etc. Second - events which cause huge losses and may
even threaten the existence of the company; these are rare. Though an appropriate database could
have been developed for the first kind of operational risk events, so far no scientific
methods of data collection, analysis and interpretation have been developed. These events
have been dealt with by 'rule of thumb' methods evolved by the institutions over a period.
For instance, occurrences of frauds are dealt with on such a basis. While historical data on
frauds can be available, the experiences gained are used to prevent occurrence of similar
frauds again. This is done through ensuring compliance with existing systems and
procedures or bringing about suitable modifications thereto.
The issue of data availability and measurement is much more complex in case of
rare events associated with large losses. First of all, the data is not available, either because
the events occur rarely or might not have occurred at all in the history of the institution, or because
such events may not have been properly documented. The failures of Barings Bank and
Long Term Capital Management (LTCM), a reputed hedge fund in the USA, fall in this
category. Even in institutions where attempts have been made to put operational risk
measurement on sound footing, access to external data has remained rather limited,
forcing the institution to depend on data from internal sources which is not only inadequate
but may also have subjective elements.
Another difficulty in measurement of operational risk relates to proper analysis of
the available information. The post facto analysis of the loss events focuses on the factors,
which work prior to or at the time of the event. An effective risk measurement system
demands a statistical examination of the cause and effect relationship, which may recur in
future, and also the relationship between the loss and the control variable. In fact most of
the control variables are understood to have a strong correlation with loss events purely on
a priori reasoning without attempting statistical proof of such relationship.
As risk has to be managed at enterprise wide level where the composite measure
of risk shall encompass all possible risks, it is necessary to align the measure of
operational risk with the measures of other risks viz. credit risk and market risk.
Credit/market risks can be measured using a number of measures such as value at risk
(VaR), earning volatility, default and loss probabilities etc. For instance, impact of
changes in asset prices on the value of the bank's trading portfolio can be easily
calculated; in the case of credit risk, the changes in borrower's credit quality and the
impact of interest rate changes can be captured to assess the potential loss. These measures,
which require good understanding of the frequency distribution of loss events, are not
suitable for operational risk, which requires estimating the probability of occurrence of a
loss event and the potential size of loss. Therefore, measurement of operational risk has to
be developed using other methods, and loss expectancy will therefore have to be worked
out. This still leaves out the difficulty of alignment of operational risk measures with
other risk measures. For the purpose, as suggested by RBI and also by Bank for
International Settlements (BIS), risk management for all categories of risks should be
developed to encompass Risk Adjusted Return on Capital (RAROC) and capital
allocation should be done accordingly. In the Indian context, this demands substantial
progress in risk management systems including that for credit and market risk by banks.
Because operational risk is a broad and diverse category, measuring operational
risk is a difficult and daunting task. While awareness of operational risk is increasing,
many banks have yet to fully develop an operational risk management strategy, which
is a natural part of operational risk measurement. In addition, two sources of fluctuations
are accountable for faulty operational risk measurement. Referring to the risk map
developed during the risk profiling process, as mentioned before, two specific risk families
are usually improperly measured. High frequency, low impact losses are often ignored,
and low frequency, high impact losses occur so seldom that an adequate sample is hard to
gather.
A measurement framework is the foundation for operational risk measurement. It
provides a systematic approach to operational risk management and measurement. An
effective framework should identify important operational risks to the banks and manage
them according to the firm's chosen risk strategy. It divides operational risks into two
categories: controllable and uncontrollable. Those that can be controlled can then be
managed, and those that are uncontrollable are mitigated to reduce their effects.
Measurement Frameworks
There are several types of operational risk measurement frameworks. The most
popular frameworks are:
Control self-assessment: The categories within this framework correspond to the
departments within the banks. Each department completes a questionnaire, which is
scored to determine high-risk areas of the banks. This framework efficiently identifies the
bank's important operational risks, but sometimes accomplishes little else.
Process analysis: a second type of framework, most useful for re-engineering
process tasks and controls. It maps out procedures within the banks and
identifies key control points and related risks. However, process analysis is limited in its
scope and only accounts for operational risks related to the procedures analyzed.
Loss categorization: a third example of an operational risk measurement
framework, which analyzes the past losses incurred by the banks. They are entered into a
database and separated into categories based on source, such as people or technology. A
loss, which falls into overlapping categories, is possible within this framework and can
result in "double counting", limiting the accuracy of this method.
Performance analysis: a measurement framework that uses the performance
measures of banks to develop related risk measures. The link between the business
activities and the earnings of a bank is used as a basis for the link between the business
activities and the risk of earnings. Like the other frameworks, though, there are limitations
to performance analysis. Its focus on gains hinders its ability to identify all operational
risks to which a bank is exposed.
3.4.9 Measurement Methodology
In view of paucity of data on operational risk, methods for risk measurement have
to be evolved on case-to-case basis. Some of the possible approaches are discussed
hereunder:
Causal factor analysis - Under this method, operational risk profile is built
through analysis of risk factors and risk indicators. A number of indicators such as error
rate, unrecognized entries, outages, loss experiences etc. may be used for the purpose.
Actual number of factors used will depend on the judgment of the concerned managers. If
the indicators show a trend, the same can be used to estimate the likely loss occurrences
in future. Although this method will show only a partial picture, its flexibility enables
such approach to be used in wide-ranging situations. Further, in initial stages when the
database is inadequate, such approach will prove valuable. The biggest drawback of such
approach is that it focuses on causes without establishing a proven cause-effect
relationship.
Scenario Analysis - This approach is appropriate if a select few risk
factors have been identified. Various scenarios may be visualized with individual loss
events and also more than one loss event occurring in conjunction. In each scenario, the
expected amount of loss and the likelihood of such events will also be worked out. The
scenario can be presented in the form of matrix or a risk profile map.
While the factor analysis can be employed for loss events with higher frequency
and low loss amount, scenario analysis can be employed for remaining key factors with low
frequency and high loss amount. Application of scenario analysis to a large number of risk
factors shall increase the complexity significantly and therefore, the two methods should
be used in combination.
Scenario analysis enables articulation of different points of view on the risk profile
and therefore enriches the analysis. It thereby facilitates stress analysis, which is
crucial for operational risk management. However, the conclusions drawn from such
analysis will be more qualitative than quantitative in nature. Though probabilities
may be assigned to each loss event, such probabilities will also be subjective in nature and
therefore the apparent precision given by numbers may mislead.
Actuarial Models - These are essentially statistical models more common among
insurers. Since these models provide estimates of likely losses, primarily based on past
loss experience, their data requirements are enormous. Therefore, suitability of these
models is restricted to high frequency loss events and large institutions where the sample
size of individual loss event is large. Nevertheless, the method is very scientific and reliable
as compared to other methods. Even if the method cannot be employed in-house, it can be
out-sourced provided the out-sourcing agency has access to reliable database. Purchase of
insurance is one such example.
As evident from the above discussion, there is no single model or approach for
operational risk measurement, which is inherently complex and dynamic. A suitable
combination of approaches, methods and models has to be applied, and the actual design of
the risk management system will depend on the specific requirements.
Method For Capturing Risk34
To use the actual loss rate may not be sufficient as a method for measuring the potential
risk because it could refer only to accidental events. In this method, "risk amount" is defined as
"risk rate" × "possible transaction amount". The expected loss amount and the maximum loss
amount are measured after determining the distribution of the "risk amount" by moving the
"risk rate" and the "possible transaction amount" in the measurement model. As for the maximum
loss amount, the confidence level is 99% as in the case with credit risk and market risk, and the
risk horizon (holding period) is 5 years for both processing risk and system risk. This is based on
the assumption that it will take that long to revise operational work flows or depreciate system
investment. The maximum loss is compared with the required capital because the expected loss
is not much greater than the maximum loss according to a trial calculation. Another reason is
that the loss reserve amount is not set as the expected loss.
Thus the measurement of the "risk amount" focuses on the frequency (= "risk rate") and
the impact (= "possible transaction amount"). The risk rate can be called "Expected Accident
Frequency" and is therefore equivalent to the Expected Default Frequency (= EDF), i.e. default
rate in the context of credit risk. This can be estimated by using the actual loss data in the past.
The "possible transaction amount" can be estimated through random selection from the
distribution of the actual transaction amounts (Monte-Carlo simulation). It should be noted
that there are two types of accident, i.e. (i) accident of principal and (ii) accident of matters
related to principal. While the rate of actual loss is 100% of the principal in case (i), that
for case (ii) should be measured according to the characteristics of the operation box
concerned. These calculations can be performed by analogy with the measurement of credit risk,
which has already been well established.
34 PNB Monthly Review, April 2005
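The measurement described above, carried through as an added Python example (not from the thesis or from PNB Monthly Review). The sample transaction amounts, the accident counts, the Poisson model for the number of accidents in the horizon and all function names are assumptions made for illustration.

```python
import math
import random
import statistics

# Constructed sample of past transaction amounts (illustrative, not from the source).
HISTORICAL_AMOUNTS = [1_000, 2_500, 5_000, 7_500, 10_000, 25_000, 50_000, 250_000]


def estimate_risk_rate(past_accidents, past_transactions):
    """Risk rate ("Expected Accident Frequency") estimated from past actual loss data."""
    if past_transactions <= 0:
        raise ValueError("past_transactions must be positive")
    if not 0 <= past_accidents <= past_transactions:
        raise ValueError("past_accidents must lie between 0 and past_transactions")
    return past_accidents / past_transactions


def _poisson(rng, lam):
    """Draw an accident count with mean lam (Knuth's method, adequate for small lam).

    Assumption of this example: accidents are rare and independent, so their
    number over the horizon is modelled as Poisson.
    """
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_risk_amounts(risk_rate, transactions_per_year, amounts,
                          horizon_years=5, loss_rate=1.0, trials=20_000, seed=1):
    """Distribution of the "risk amount" over the risk horizon.

    Each trial draws how many accidents occur in the horizon (frequency side,
    driven by the risk rate) and, for each accident, a "possible transaction
    amount" picked at random from the actual transaction amounts (impact side).
    loss_rate is 1.0 for an accident of principal (case i); case (ii) needs a
    value chosen for the operation concerned.
    """
    if not 0.0 <= risk_rate <= 1.0:
        raise ValueError("risk_rate must be a probability")
    if not 0.0 <= loss_rate <= 1.0:
        raise ValueError("loss_rate must be between 0 and 1")
    if not amounts:
        raise ValueError("amounts must not be empty")
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mean_accidents = risk_rate * transactions_per_year * horizon_years
    totals = []
    for _ in range(trials):
        accidents = _poisson(rng, mean_accidents)
        totals.append(sum(rng.choice(amounts) * loss_rate for _ in range(accidents)))
    return totals


def expected_and_max_loss(totals, confidence=0.99):
    """Expected loss (mean) and maximum loss (nearest-rank quantile at `confidence`)."""
    if not totals:
        raise ValueError("totals must not be empty")
    ordered = sorted(totals)
    rank = min(len(ordered), math.ceil(confidence * len(ordered)))
    return statistics.fmean(ordered), ordered[rank - 1]


if __name__ == "__main__":
    # Constructed history: 12 accidents in 60,000 past transactions.
    rate = estimate_risk_rate(12, 60_000)
    totals = simulate_risk_amounts(rate, transactions_per_year=10_000,
                                   amounts=HISTORICAL_AMOUNTS)
    expected, maximum = expected_and_max_loss(totals)
    print(f"risk rate            : {rate:.4%}")
    print(f"expected loss (5 yr) : {expected:,.0f}")
    print(f"maximum loss at 99%  : {maximum:,.0f}")
```

The gap between the two printed figures is driven almost entirely by the single large amount in the sample, which is why the maximum loss rather than the expected loss is the figure set against capital.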
3.4.10 Risk Mitigation
Risk mitigation is key to operational risk management. While unbundling, transfer
and transformation of risk constitute major part of financial risk management, risk needs
to be mitigated in case of operational risk. Mitigation comprises specific controls or
programmes (like IT security, compliance reviews etc) aimed at reducing exposure,
frequency and severity of an event. In fact acceptable level of risk may be near zero in
certain types of operational risks and therefore effective mitigation mechanism is crucial.
Similarly, principles of risk-return trade-off or cost-benefit trade-off, which are widely
applicable in financial risk management, may not be acceptable in case of operational risk.
Risk mitigation is dovetailed to risk measurement. Once the risk is identified and
system is placed for its measurement, steps for risk mitigation are also taken
simultaneously. In fact some of the components for risk measurement system also form
part of risk mitigation system, e.g. MIS for risk management.
MIS
MIS for operational risk should facilitate timely monitoring. Its focus should
not be restricted only to the events, which in itself may be only a symptom of a larger
problem. MIS should facilitate identification of the causal factors for the risk events.
Similarly, it should focus on the control factors for operational risk and should facilitate
monitoring of the relationship between causal factors and risk event and also between the
control factors and the risk events. Similarly, the MIS should enable efficient incentive
and accountability system for operational risk. Eventually, an efficient risk management
system will require development of dependable database. Even in initial stages,
comparison and trend analysis is required in case of high frequency - low amount loss
events. Design of MIS should address this need of database development and management
and facilitate establishing linkage between the operational risk and its impact on important
elements in the balance sheets such as provision, capital, risk adjusted return on capital,
etc.
Internal control
A survey of risk management practices in banks across the world has revealed that
internal control, which has always been the primary measure for risk mitigation continues
to be relied upon heavily. The importance of this mechanism in India has further been
underlined by the RBI guidelines on operational risk management where special emphasis
has been given to internal control. Internal controls include the entire gamut of activities
such as segregation of duties, clear management reporting lines and adequate operational
procedures. Several events of loss observed internationally during last few years
(provided in annex) have also focused the attention on the importance of internal control.
Among others, reference may be made to the losses incurred by Baring Bank due to
disruption in internal control and the fraud in BCCI. These loss events have proved
catastrophic for these institutions. Bankers across the world including those in India have
realized the importance of effective internal control systems and the likelihood of losses in
case of breach of internal control procedures.
A comparatively recent development in internal control system is self-assessment.
In this system, the business unit is made responsible for self-evaluation of the operational
risk and adherence to the internal control procedures. Such self-evaluation is combined
with regular external audit function. For evaluating operational risk, the results of the self-
assessment are considered along with the external audit and official supervision. The
system of self-assessment fosters greater awareness regarding the operational risk
environment of the bank and acts as a timely and early warning system.
Although the internal controls system has always been the most important for
mitigation of operational risk, the primary responsibility for its functioning has remained
with line management. Further, it is also noted that there is no systematic integration of
internal control systems and risk management system. Recent thinking, as evident in BIS
guidelines and various other publications points towards the need for integration of
internal control mechanism with a scientific risk management system and devolution of
responsibility for risk management on all levels of the management.
At the apex level, the Board of Directors should bear the ultimate responsibility for
risk management in a bank. Some of the important functions of risk management to be
undertaken at this level are:
• Integration of operational risk with other risks in order to arrive at a
composite risk exposure for the bank.
• Decision regarding the acceptable risk limit and monitoring the actual
level of risk compared to the acceptable level.
• Prescribing risk limits for various risk categories including operational
risk.
• Determining the acceptable risk level for various components of
operational risk.
• Delineation of procedures and policies, reporting relationships etc. for
smooth conduct of risk management.
At the second tier of the risk management system, senior management of the banks
has the responsibility for shaping the actual design of risk management system,
monitoring adherence to the policies and procedures, taking note of exceptions and
initiating measures for maintaining the risk profile of the organization within acceptable
limits.
The bulk of the responsibility of implementing the risk control measures and
particularly those relating to internal controls remains with line management.
3.4.10 A General Keys to Effective Operational Risk Management and Mitigation
3.4.10.1 Role of the Board of Directors
The board or a designated committee is responsible for monitoring and oversight
of a bank's risk management functions, and should approve and periodically review the
operational risk management framework prepared by the bank's management. The
framework should provide a firm-wide definition of operational risk and establish the
principles of how operational risk is to be identified, assessed, monitored, and
controlled/mitigated.
The board of directors should approve the implementation of a firm-wide
framework to explicitly manage operational risk as a distinct risk to the bank's safety and
soundness. The board should provide senior management with clear guidance and
direction regarding the principles underlying the framework, be responsible for reviewing
and approving a management structure capable of implementing the bank's operational
risk management framework, and should approve the corresponding policies developed by
senior management.
3.4.10.2 Internal Audit
The board (either directly or indirectly through its audit committee) should ensure
that the scope and frequency of the internal audit program focused on operational risk is
appropriately risk focused. Audits should periodically validate that the firm's operational
risk management framework is being implemented effectively across the firm. The board,
or the audit committee, should ensure that the internal audit program is able to carry out
these functions independently, free of management directive. To the extent that the audit
function is involved in oversight of the operational risk management framework, the
board should ensure that the independence of the audit function is maintained. This
independence may be compromised if the audit function is directly involved in the
operational risk management process. The audit function may provide valuable input to
those responsible for operational risk management, but should not itself have direct
operational risk management responsibilities. Some banks may involve the internal audit
function in developing an operational risk management program as internal audit
functions generally have broad risk management skills and knowledge of the bank's
systems and operations. Where this is the case, banks should see that responsibility for
day-to-day operational risk management is transferred elsewhere in a timely manner.
3.4.10.3 Role of Senior Management
Senior management must ensure that the board-approved operational risk
framework is implemented at all levels of the organization and that all levels of staff
understand their responsibilities with respect to operational risk management. Senior
management should also have responsibility for developing policies, processes, and
procedures for managing operational risk in all of the bank's material products, activities,
processes, and systems. Management should translate the operational risk management
framework approved by the board of directors into specific policies, processes, and
procedures that can be implemented and verified within the different business units. While
each level of management is responsible for the appropriateness and effectiveness of
policies, processes, procedures, and controls within its purview, senior management
should clearly assign authority, responsibility, and reporting relationships to encourage
and maintain this accountability, and ensure that the necessary resources are available to
manage operational risk effectively. Moreover, senior management should assess the
appropriateness of the management oversight process in light of the risks inherent in a
business unit's policy.
Senior management should ensure that bank activities are conducted by qualified
staff with necessary experience, independence, technical capabilities and access to
resources to carry out their duties. Management should ensure that the bank's operational
risk management policy has been clearly communicated to staff at all levels in units that
incur material operational risks. Senior management should ensure that the operational
risk management framework is integrated with efforts to manage credit, market, and other
risks. Failure to do so could result in significant gaps or overlaps in a bank's overall risk
management program. Particular attention should be given to the quality of
documentation controls and to transaction handling practices. Policies, processes, and
procedures related to advanced technologies supporting high transaction volumes, in
particular, should be well documented and disseminated to all relevant personnel.
3.4.10.4 Operational Risk Identification
Banks should identify and assess the operational risk inherent in all material
products, activities, processes, and systems. Banks should also ensure that, before new
products, activities, processes, and systems are introduced or undertaken, the operational
risk inherent in them is identified. Risk identification is paramount for the subsequent
development of a viable operational risk monitoring and control system. Effective risk
identification considers both internal factors (such as the bank's structure, the nature of
the bank's activities, the quality of the bank's human resources, organizational changes,
and employee turnover) and external factors (such as changes in the industry and
technological advances) that could adversely affect the achievement of the bank's
objectives. In addition to identifying the most potentially adverse risks, banks should
assess their vulnerability to these risks. Effective risk assessment allows the bank to better
understand its risk profile and most effectively target risk management resources.
Amongst the possible tools used by banks for identifying and assessing
operational risk are:
Self or Risk Assessment: a bank assesses its operations and activities against a
menu of potential operational risk vulnerabilities. This process is internally driven (often
incorporates checklists and/or workshops) to identify the strengths and weaknesses of the
operational risk environment. Scorecards, for example, provide a means of translating
qualitative assessments into quantitative metrics that give a relative ranking of different
types of operational risk exposures. Some scores may relate to risks unique to a specific
business line while others may rank risks that cut across business lines. Scores may
address inherent risks, as well as the controls to mitigate them. In addition, scorecards
may be used by banks to allocate economic capital to business lines in relation to
performance in managing and controlling various aspects of operational risk.
Risk mapping: in this process, various business units, organizational functions
or process flows are mapped by risk type. This exercise can reveal areas of weakness and
help prioritize subsequent management action.
Risk Indicators: risk indicators are statistics and/or metrics, often financial,
which can provide insight into a bank's risk position. These indicators tend to be reviewed
on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be
indicative of risk concerns. Such indicators may include the number of failed trades, staff
turnover rates and the frequency and/or severity of errors and omissions.
Measurement: some firms have begun to quantify their exposure to operational
risk using a variety of approaches. For example, data on a bank's historical loss
experience could provide meaningful information for assessing the bank's exposure to
operational risk and developing a policy to mitigate/control the risk. An effective way of
making good use of this information is to establish a framework for systematically
tracking and recording the frequency, severity and other relevant information on
individual loss events.
3.4.10.5 Risk Monitoring
Banks should implement a process to regularly monitor operational risk profiles
and material exposures to losses. There should be regular reporting of pertinent
information to senior management and the board of directors that supports the proactive
management of operational risk. An effective monitoring process is essential for
adequately managing operational risk. Regular monitoring activities can offer the
advantage of quickly detecting and correcting deficiencies in the policies, processes, and
procedures for managing operational risk.
Promptly detecting and addressing these deficiencies can substantially reduce the
potential frequency and/or severity of a loss event. In addition to monitoring operational
loss events, banks should identify appropriate indicators that may provide early warning
of an increased risk of future losses. Such indicators (often referred to as key risk
indicators or early warning indicators) should be forward-looking and could reflect
potential sources of operational risk such as rapid growth, the introduction of new
products, employee turnover, transaction breaks, and system downtime, among others.
When thresholds are directly linked to these indicators an effective monitoring process
can help identify key material risks in a transparent manner and enable the bank to act
upon these risks appropriately.
The frequency of monitoring should reflect the risks involved and the frequency
and nature of changes in the operating environment. Monitoring should be an integrated
part of a bank's activities. The results of these monitoring activities should be included in
regular management reports, as should compliance reviews performed by the internal
audit and/or risk management functions. Reports generated by (and/or for) supervisory
authorities may also be useful in this monitoring and should likewise be reported
internally to senior management, where appropriate. Senior management should receive
regular reports from appropriate areas such as business units, group functions, the
operational risk management office and internal audit.
The operational risk reports should contain internal financial, operational, and
compliance data that are relevant to decision making. Reports should be distributed to
appropriate levels of management and to areas of the bank on which areas of concern may
have an impact. Reports should fully reflect any identified problem areas and should
motivate timely corrective action on outstanding issues. To ensure the usefulness and
reliability of these risk and audit reports, management should regularly verify the
timeliness, accuracy, and relevance of reporting systems and internal controls in general.
Management may also use reports prepared by external sources (auditors, supervisors) to
assess the usefulness and reliability of internal reports. Reports should be analyzed with a
view to improving existing risk management performance as well as developing new risk
management policies, procedures, and practices. In general, the board of directors should
receive sufficient higher-level information to enable them to understand the bank's overall
operational risk profile and focus on the material and strategic implications for the
business.
3.4.10.6 Operational Risk Mitigation
Banks should have policies, processes, and procedures to control and/or mitigate
material operational risks. Banks should periodically review their risk limitation and
control strategies and should adjust their operational risk profile accordingly using
appropriate strategies, in light of their overall risk appetite and profile. Control activities
are designed to address the operational risks that a bank has identified. For all material
operational risks that have been identified, the bank should decide whether to use
appropriate procedures to control and/or mitigate the risks, or bear (reduce) the risks. For
those risks that cannot be controlled, the bank should decide whether to accept these risks,
reduce the level of business activity involved, or withdraw from this activity completely.
Control processes and procedures should be established and banks should have a system
in place for ensuring compliance with a documented set of internal policies concerning the
risk management system. Principal elements of this could include, for example:
• top-level reviews of the bank's progress towards the stated objectives;
• auditing for compliance with management controls;
• policies, processes, and procedures concerning the review, treatment and
resolution of noncompliance issues; and
• a system of documented approvals and authorizations to ensure accountability
to an appropriate level of management.
Although a framework of formal, written policies and procedures is critical, it
needs to be reinforced through a strong control culture that promotes sound risk
management practices. Both the board of directors and senior management are responsible
for establishing a strong internal control culture in which control activities are an integral
part of the regular activities of a bank. Controls that are an integral part of the regular
activities enable quick responses to changing conditions and avoid unnecessary costs. An
effective internal control system also requires that there be appropriate segregation of
duties and that personnel are not assigned responsibilities which may create a conflict of
interest. Assigning such conflicting duties to individuals, or a team, may enable them to
conceal losses, errors or inappropriate actions. Therefore, areas of potential conflicts of
interest should be identified, minimized, and subject to careful independent monitoring
and review.
In addition to separation of duties, banks should ensure that other internal practices
are in place as appropriate to control operational risk. Examples of these include:
• close monitoring of adherence to assigned risk limits or thresholds;
• maintaining safeguards for access to, and use of, bank assets and records;
• ensuring that staff have appropriate expertise and training;
• identifying business lines or products where returns appear to be out of line
with reasonable expectations; and
• regular verification and reconciliation of transactions and accounts.
Operational risk can be more pronounced where banks engage in new activities or
develop new products (particularly where these activities or products are not consistent
with the bank's core business strategies), enter unfamiliar markets, and/or engage in
businesses that are geographically distant from the head office. Moreover, in many such
instances, firms do not ensure that the risk management control infrastructure keeps pace
with the growth in the business activity. A number of the most sizeable and highest profile
losses in recent years have taken place where one or more of these conditions existed.
Therefore, it is incumbent upon banks to ensure that special attention is paid to internal
control activities where such conditions exist.
Some significant operational risks have low probabilities but potentially very large
financial impact. Moreover, not all risk events can be controlled (e.g., natural disasters).
Risk mitigation tools or programs can be used to reduce the exposure to, or frequency
and/or severity of, such events. For example, insurance policies, particularly those with
prompt and certain pay-out features, can be used to externalize the risk of "low frequency,
high severity" losses which may occur as a result of events such as third-party claims
resulting from errors and omissions, physical loss of securities, employee or third party
fraud, and natural disasters. However, banks should view risk mitigation tools as
complementary to, rather than a replacement for, thorough internal operational risk
control. Having mechanisms in place to quickly recognize and rectify legitimate
operational risk errors can greatly reduce exposures. Careful consideration also needs to
be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or
transfer the risk to another business sector or area, or even create a new risk (e.g. legal or
counter party risk).
Investments in appropriate processing technology and information technology
security are also important for risk mitigation. However, banks should be aware that
increased automation could transform high frequency, low-severity losses into low
frequency, high-severity losses. The latter may be associated with loss or extended
disruption of services caused by internal factors or by factors beyond the bank's
immediate control (e.g., external events). Such problems may cause serious difficulties for
banks and could jeopardize an institution's ability to conduct key business activities. As
discussed below, banks should establish disaster recovery and business continuity plans
that address this risk and comply fully with all agency rules, guidance and orders.
Banks should also establish policies for managing the risks associated with
outsourcing activities, doing so in full compliance with all applicable agency rules,
guidance, and orders. Outsourcing of activities can reduce the institution's risk profile by
transferring activities to others with greater expertise and scale to manage the risks
associated with specialized business activities. However, a bank's use of third parties does
not diminish the responsibility of management to ensure that the third-party activity is
conducted in a safe and sound manner and in compliance with applicable laws.
Outsourcing arrangements should be based on robust contracts and/or service level
agreements that ensure a clear allocation of responsibilities between external service
providers and the outsourcing bank. Furthermore, banks need to manage residual risks
associated with outsourcing arrangements, including disruption of services. Depending on
the scale and nature of the activity, banks should understand the potential impact on their
operations and their customers of any potential deficiencies in services provided by
vendors and other third-party or intra-group service providers, including both operational
breakdowns and the potential business failure or default of the external parties.
Management should ensure that the expectations and obligations of each party are
clearly defined, understood and enforceable. The extent of the external party's liability
and financial ability to compensate the bank for errors, negligence, and other operational
failures should be explicitly considered as part of the risk assessment. Banks should carry
out an initial due diligence test and monitor the activities of third party providers,
especially those lacking experience of the banking industry's regulated environment, and
review this process (including re-evaluations of due diligence) on a regular basis. The
bank should pay particular attention to use of third-party vendors for critical activities.
In some instances, banks may decide to either retain a certain level of operational risk or
self-insure against that risk. Where this is the case and the risk is material, the decision to
retain or self-insure the risk should be transparent within the organization and should be
consistent with the bank's overall business strategy and appetite (potential) for risk.
3.4.10.7 Contingency Planning
Senior management should ensure compliance with all applicable agency rules,
guidance and orders regarding contingency planning. Banks should have in place
contingency and business continuity plans to ensure their ability to operate on an ongoing
basis and limit losses in the event of severe business disruption. For reasons that may be
beyond a bank's control, a severe event may result in the inability of the bank to fulfill
some or all of its business obligations, particularly where the bank's physical,
telecommunication, or information technology infrastructures have been damaged or
made inaccessible. This can, in turn, result in significant financial losses to the bank, as
well as broader disruptions to the financial system through channels such as the payments
system. This potential requires that banks establish disaster recovery and business
continuity plans that take into account different types of plausible scenarios to which the
bank may be vulnerable, commensurate with the size and complexity of the bank's
operations.
Banks should identify critical business processes, including those where there is
dependence on external vendors or other third parties, for which rapid resumption of
service would be most essential. For these processes, banks should identify alternative
mechanisms for resuming service in the event of an outage. Particular attention should be
paid to the ability to restore electronic or physical records that are necessary for business
resumption, including the construction of appropriate backup facilities.
Banks should periodically review their disaster recovery and business continuity
plans so that they are consistent with the bank's current operations and business strategies.
Moreover, these plans should be tested periodically to ensure that the bank would be able
to withstand high-severity risk.
3.4.11 Factors In Selecting An Approach35
The new Basel Accord will provide the banking industry with an opportunity to unify its
internal economic capital methodologies with the regulatory capital requirements. Selection of an
approach requires careful consideration in order to balance cost with accuracy, transparency
and potential benefits in minimum regulatory capital. Key considerations are:
• Data availability. Advanced models are data intensive. LDA models require an
organizational commitment for thorough ongoing data collection.
• Commitment to implement an operational risk framework. All of the
Advanced Measurement approaches require a comprehensive risk management framework with
assessments, indicators, data collection and reporting. Whether capital is required by the regulators or
is simply for economic capital, its integration with a framework will be critical. Without
this commitment, a simpler methodology may be considered.
• Available technology. The framework and capital methodologies require
technology, primarily to support the data collection efforts and the analytics. An appropriate budget
should be planned for this.
35 PNB Monthly Review, April 2005, pp. 18
• Size of firm. Larger firms tend to be able to justify the investment and the benefit from
lower capital levels would more than offset this charge. Smaller firms would have less of a
benefit, and for approaches such as LDA, the number of events is not sufficient to be conclusive.
• Degree of sophistication in relation to economic capital.
Firms committed to economic capital and its use as a management tool will be driven to
accurate models and ones that are risk sensitive. They should consider the Advanced
Measurement approaches.
• Level of complexity. Firms with complex products and operations will have exposure to
more extreme events (tail risk). Advanced models will provide more insight into the true risk
profile and, consequently, into how to manage and price these risks.
• Quantitative vs. qualitative orientation. Organisations with a strong quantitative
bias and access to the related skills will be attracted to the LDA approach. Others may consider
Score-cards for their intuitive appeal.
3.4.12 Operational Risk Management
Managing operational risk is becoming an important feature of sound risk
management practices in modern financial markets in the wake of the phenomenal increase in
the volume of transactions, high degree of structural changes and complex support
systems. The most important type of operational risk involves breakdowns in internal
controls and corporate governance. Such breakdowns can lead to financial loss through
error, fraud, or failure to perform in a timely manner or cause the interest of the bank to be
compromised.
Generally, operational risk is defined as any risk which is not categorised as market
or credit risk, or the risk of loss arising from various types of human or technical error. It
is also synonymous with settlement or payments risk and business interruption,
administrative and legal risks. Operational risk is linked in some form to credit and
market risks. An operational problem with a business transaction could trigger a credit or
market risk.
3.4.12.1 Measurement
There is no uniformity of approach in measurement of operational risk in the
banking system. Besides, the existing methods are relatively simple and experimental,
although some of the international banks have made considerable progress in developing
more advanced techniques for allocating capital with regard to operational risk.
Measuring operational risk requires both estimating the probability of an
operational loss event and the potential size of the loss. It relies on risk factors that
provide some indication of the likelihood of an operational loss event occurring. The
process of operational risk assessment needs to address the likelihood (or frequency) of a
particular operational risk occurring, the magnitude (or severity) of the effect of the
operational risk on business objectives and the options available to manage and initiate
actions to reduce/ mitigate operational risk. The set of risk factors that measure risk in
each business unit such as audit ratings, operational data such as volume, turnover and
complexity and data on quality of operations such as error rate or measure of business
risks such as revenue volatility, could be related to historical loss experience. Banks can
also use different analytical or judgmental techniques to arrive at an overall operational
risk level. Some of the international banks have already developed operational risk rating
matrix, similar to bond credit rating. The operational risk assessment should be on a bank-wide
basis and it should be reviewed at regular intervals. Banks, over a period, should develop
internal systems to evaluate the risk profile and assign economic capital within the
RAROC framework.
Indian banks have so far not evolved any scientific methods for quantifying
operational risk. In the absence of any sophisticated models, banks could evolve simple
benchmark based on an aggregate measure of business activity such as gross revenue, fee
income, operating costs, managed assets or total assets adjusted for off-balance sheet
exposures or a combination of these variables.
3.4.12.2 Risk Monitoring
The operational risk monitoring system focuses, inter alia, on operational
performance measures such as volume, turnover, settlement facts, delays and errors. It
could also be incumbent to monitor operational loss directly with an analysis of each
occurrence and description of the nature and causes of the loss.
3.4.12.3 Control of Operational Risk
Internal controls and the internal audit are used as the primary means to mitigate
operational risk. Banks could also explore setting up operational risk limits, based on the
measures of operational risk. The contingent processing capabilities could also be used as
a means to limit the adverse impacts of operational risk. Insurance is also an important
mitigator of some forms of operational risk. Risk education that familiarises staff at all levels
with complex operations can also reduce operational risk.
3.4.12.4 Policies and Procedures
Banks should have well defined policies on operational risk management. The
policies and procedures should be based on common elements across business lines or
risks. The policy should address product review process, involving business, risk
management and internal control functions.
3.4.12.5 Internal Control
One of the major tools for managing operational risk is the well-established
internal control system, which includes segregation of duties, clear management reporting
lines and adequate operating procedures. Most of the operational risk events are
associated with weak links in internal control systems or laxity in complying with the
existing internal control procedures.
The ideal method of identifying problem spots is the technique of self-assessment
of internal control environment. The self-assessment could be used to evaluate operational
risk along with internal/external audit reports/ratings or RBI inspection findings. Banks
should endeavor for detection of operational problem spots rather than their being pointed
out by supervisors/internal or external auditors.
Along with activating internal audit systems, the Audit Committees should play
a greater role to ensure independent financial and internal control functions.
The Basle Committee on Banking Supervision proposes to develop an explicit capital
charge for operational risk.
3.4.13. Risk Aggregation and Capital Allocation
Most internationally active banks have developed internal processes and techniques
to assess and evaluate their own capital needs in the light of their risk profiles and
business plans. Such banks take into account both qualitative and quantitative factors to
assess economic capital. The Basle Committee now recognises that capital adequacy in
relation to economic risk is a necessary condition for the long-term soundness of banks.
Thus, in addition to complying with the established minimum regulatory capital
requirements, banks should critically assess their internal capital adequacy and future
capital needs on the basis of risks assumed by individual lines of business, product, etc.
As a part of the process for evaluating internal capital adequacy, a bank should be able to
identify and evaluate its risks across all its activities to determine whether its capital levels
are appropriate.
Thus, at the bank's Head Office level, aggregate risk exposure should receive
increased scrutiny. To do so, however, it requires the summation of the different types of
risks. Banks, across the world, use different ways to estimate the aggregate risk exposures.
The most commonly used approach is the Risk Adjusted Return on Capital (RAROC).
The RAROC is designed to allow all the business streams of a financial institution to be
evaluated on an equal footing. Each type of risks is measured to determine both the
expected and unexpected losses using VaR or worst-case type analytical model. Key to
RAROC is the matching of revenues, costs and risks on transaction or portfolio basis over
a defined time period. This begins with a clear differentiation between expected and
unexpected losses. Expected losses are covered by reserves and provisions and
unexpected losses require capital allocation which is determined on the principles of
confidence levels, time horizon, diversification and correlation. In this approach, risk is
measured in terms of variability of income. Under this framework, the frequency
distribution of return, wherever possible is estimated and the Standard Deviation (SD) of
this distribution is also estimated. Capital is thereafter allocated to activities as a function
of this risk or volatility measure. Then, the risky position is required to carry an expected
rate of return on allocated capital, which compensates the bank for the associated
incremental risk. By dimensioning all risks in terms of loss distribution and allocating
capital by the volatility of the new activity, risk is aggregated and priced.
The second approach is similar to the RAROC, but depends less on capital
allocation and more on cash flows or variability in earnings. This is referred to as EaR,
when employed to analyse interest rate risk. Under this analytical framework also
frequency distribution of returns for any one type of risk can be estimated from historical
data. Extreme outcome can be estimated from the tail of the distribution. Either a worst
case scenario could be used or Standard Deviation 1/2/2.69 could also be considered.
Accordingly, each bank can restrict the maximum potential loss to certain percentage of
past/current income or market value. Thereafter, rather than moving from volatility of
value through capital, this approach goes directly to current earnings implications from a
risky position. This approach, however, is based on cash flows and ignores the value
changes in assets and liabilities due to changes in market interest rates. It also depends
upon a subjectively specified range of the risky environments to drive the worst case
scenario.
Given the level of extant risk management practices, most Indian banks may not
be in a position to adopt RAROC framework and allocate capital to various businesses
units on the basis of risk. However, at least, banks operating in international markets
should develop, by March 31, 2001, suitable methodologies for estimating economic
capital.
Section 3.5:
Market Risk Management
3.5.1 Introduction
3.5.2. Specification of market risk factors
3.5.3. Market-type risks
3.5.4 Regulation market risk in bank
3.5.5 THE INTERNAL MODELS APPROACH
3.5.6 Liquidity Risk
3.5.1 Introduction
Traditionally, credit risk management was the primary challenge for banks. With
progressive deregulation, market risk arising from adverse changes in market variables,
such as interest rate, foreign exchange rate, equity price and commodity price has become
relatively more important. Even a small change in market variables causes substantial
changes in income and economic value of banks. Market risk takes the form of:
1. Liquidity Risk
2. Interest Rate Risk
3. Foreign Exchange Rate (Forex) Risk
4. Commodity Price Risk and
5. Equity Price Risk
Market risk is the risk that factors affecting the securities markets generally will
cause a possibly adverse change in the value of the fixed income securities owned by a
Fund. The value of fixed income securities may decline simply because of economic
changes or other events that impact large portions of the market. The factors include real or
perceived unfavorable market conditions, increases in the rate of inflation, and changes in
the general outlook for consumer spending, home sales and mortgage rates, or corporate
earnings. All of the Funds are subject to this risk.
In other words, it is the risk of change of the assets' prices, which compose the
funds' portfolio exposed to the market variation, such as: interest rates, rate of exchange,
etc. These variations produce different results depending on the type of the investment of
the fund (stocks, fixed income and exchange).36
Market risk is the risk that market variables will move and result in profits or losses
on positions kept. Market risk arises from trading activities in order to facilitate client
transactions and from trading for the bank's own account.
We could manage market risk through risk limits such as VaR, interest rate
sensitivity per basis point, net open position, spread sensitivities, greeks (delta, gamma,
vega, rho), stress tests, scenario analysis, position concentration and position ageing.
Market risk limits are set for each location, for each trading portfolio, as well as at several
key aggregation levels and are monitored on a daily basis.
36 (HSBC Bank Brasil S.A. - Banco Múltiplo 2005 - Todos os direitos reservados. )
Internal models meet regulatory requirements and were approved by the central bank for
the calculation of capital for market risk.
3.5.2. Specification of market risk factors
An important part of a bank's internal market risk measurement system is the
specification of an appropriate set of market risk factors, i.e. the market rates and prices that
affect the value of the bank's trading positions. The risk factors contained in a market risk
measurement system should be sufficient to capture the risks inherent in the bank's
portfolio of on- and off-balance sheet trading positions. Although banks will have some
discretion in specifying the risk factors for their internal models, the following guidelines
should be fulfilled.
a. For interest rates, there must be a set of risk factors corresponding to interest
rates in each currency in which the bank has interest-rate-sensitive on- or off-balance sheet
positions.
o The risk measurement system should model the yield curve using one of
a number of generally accepted approaches, for example by estimating forward rates of
zero coupon yields. The yield curve should be divided into various maturity segments in
order to capture variation in the volatility of rates along the yield curve; there will typically
be one risk factor corresponding to each maturity segment. For material exposures to
interest rate movements in the major currencies and markets, banks must model the yield
curve using a minimum of six risk factors. However, the number of risk factors used should
ultimately be driven by the nature of the bank's trading strategies. For instance, an
institution with a portfolio of various types of securities across many points of the yield
curve and that engages in complex arbitrage strategies would require a greater number of
risk factors to capture interest rate risk accurately.
o The risk measurement system must incorporate separate risk factors to
capture spread risk (e.g. between bonds and swaps). A variety of approaches may be used
to capture the spread risk arising from less than perfectly correlated movements between
government and other fixed-income interest rates, such as specifying a completely separate
yield curve for non- government fixed-income instruments (for instance, swaps or
municipal securities) or estimating the spread over government rates at various points along
the yield curve.
b. For exchange rates, the risk measurement system should incorporate risk factors
corresponding to the individual foreign currencies in which the bank's positions are
denominated. Since the value-at-risk figure calculated by the risk measurement system will
be expressed in the bank's domestic currency, any net position denominated in a foreign
currency will introduce a foreign exchange risk. Thus, there must be risk factors
corresponding to the exchange rate between the domestic currency and each foreign
currency in which the bank has a significant exposure.
c. For equity prices, there should be risk factors corresponding to each of the equity
markets in which the bank holds significant positions:
o at a minimum, there should be a risk factor that is designed to capture
market-wide movements in equity prices (e.g. a market index). Positions in individual
securities or in sector indices could be expressed in "beta-equivalents"37 relative to this
market-wide index;
o a somewhat more detailed approach would be to have risk factors
corresponding to various sectors of the overall equity market (for instance, industry sectors
or cyclical and non-cyclical sectors). As above, positions in individual stocks within each
sector could be expressed in beta-equivalents relative to the sector index;
o the most extensive approach would be to have risk factors corresponding
to the volatility of individual equity issues. The sophistication and nature of the modeling
technique for a given market should correspond to the bank's exposure to the overall market
as well as its concentration in individual equity issues in that market.
d. For commodity prices, there should be risk factors corresponding to each of the
commodity markets in which the bank holds significant positions:
o for banks with relatively limited positions in commodity-based
instruments, a straightforward specification of risk factors would be acceptable. Such a
specification would likely entail one risk factor for each commodity price to which the bank
is exposed. In cases where the aggregate positions are quite small, it might be acceptable to
use a single risk factor for a relatively broad class of commodities (for instance, a single
risk factor for all types of oil);
For more active trading, the model must also take account of variation in the
"convenience yield"38 between derivatives positions such as forwards and swaps and cash
positions in the commodity.
37 A "beta-equivalent" position would be calculated from a market model of equity price returns (such as the CAPM model) by regressing the return on the individual stock or sector index on the risk-free rate of return and the return on the market index.
38 The convenience yield reflects the benefits from direct ownership of the physical commodity (for example, the ability to profit from temporary market shortages), and is affected both by market conditions and by factors such as physical storage costs.
3.5.3. Market-type risks
There exist six fundamental market-type risks that can affect adversely the value of
a portfolio of securities39:
• Absolute price or rate (delta) risk
• Convexity or gamma risk
• Volatility or vega risk
• Time decay or theta risk
• Basis or correlation risk
• Discount rate or rho risk
Each of the six risks outlined above can be measured across the different maturities
of the instruments in the portfolio. Once the portfolio has been decomposed into its
component parts - that is, once the market risk of each particular product is broken down
into its fundamental elements - the various risks can be aggregated and managed on a net
basis.
Modern portfolio theory suggests that only an overall portfolio approach, consisting
of all the bank's positions, is the appropriate way to measure risk. This is because the
marginal contribution that a given position makes to total portfolio risk is a function of
what else there is in the portfolio, which is another way of saying that risk is context-dependent.
Any appropriate system for setting capital requirements should recognize this
basic tenet of portfolio theory. With respect to portfolios of derivatives40 and underlying
securities, therefore, the relevant market risk exposure for financial institutions is their
un-hedged and un-diversified portion, that is the residual exposure after taking account of the
netting out, of correlation, and of portfolio diversification of positions in the same or
different instruments.
39 See Hull (1993)
40 Derivative instruments are securities whose value depends on the values of other basic underlying assets. They fall into four main market groups: interest rate contracts, foreign exchange contracts, commodity contracts, and equity contracts. The first two groups are the dominant and older segments of the market. The instruments themselves consist of two basic types depending on their relationship with the underlying asset prices, those with linear payoffs (for example, forward contracts) and those with non-linear payoffs (for example, option contracts).
3.5.4 Regulation market risk in bank
Market risk has become an increasingly important issue for banks, and
consequently for bank regulation. Three main approaches to the setting of risk-based
minimum capital adequacy standards for market risk have developed and are discussed here
- the building bloc, the internal models, and the precommitment approach.
• The building bloc approach, which has been adopted in the EU in the form of
the Capital Adequacy Directive (CAD), and also appears in the standardized version of the
Basle market risk standard;
• The internal models approach, which has been incorporated lately in the Basle
market risk standard;
• The precommitment approach, which has been a very recent, though promising,
arrival to the scene, and has not yet been officially discussed.
The three main regulatory approaches to the measurement of, and the capital
provisions for, market risk41 are described based on Kupiec and O'Brien (December 1995).
The first one, which is the Building Blocs Approach (BBA), consists of a single
model to be applied to all banks. It is a set of rules that assigns risk charges to specific
instruments and crudely accounts for selected portfolio effects on banks' risk exposures. A
"building bloc" framework, a framework it shares with the 1988 Basle Accord credit risk
capital standards, characterizes this approach. Two regulatory frameworks, those of the
Capital Adequacy Directive (CAD) of the European Union and of the Basle Standardized
Measure (BSM), incorporate this approach. In both cases, the required market risk capital
will supplement the regulatory capital required under the current credit risk capital
standards.
A second approach is the Internal Models Approach (IMA), whereby capital
charges would be based on market risk estimates from banks' internal risk measurement
models. The bank would use its proprietary risk measurement model to estimate its trading
risk exposure which, when multiplied by a certain scaling factor as a measure of regulators'
conservatism, would become the basis for the regulatory capital charge for market risk.
Regulators would also impose a number of standardizing restrictions on banks' internal
models, in order to ensure rough comparability across banks that use this approach. The
Basle Committee has recently adopted the IMA as an alternative measure to the BSM.
The third and latest proposal is the Precommitment Approach (PA), based on work
done by two Federal Reserve economists, Kupiec and O'Brien42. Under this approach,
which has not yet been officially suggested or operationally described in great detail, each
bank pre-commits to a maximum loss exposure over a designated horizon. The maximum
loss commitment becomes the bank's market risk capital charge. If the bank incurs trading
losses in excess of its capital commitment, it is subject to penalties, which may include
fines, a capital surcharge in future periods, or other regulatory disciplinary measures. The
next three Sections will describe and assess in greater detail these three approaches
respectively.
41 Other approaches for setting position (market) risk requirements, such as the US SEC's Comprehensive Approach and the UK Simplified Portfolio Approach are not discussed here, primarily because they apply to securities firms only. See Dimson and Marsh (July 1995).
3.5.5 THE INTERNAL MODELS APPROACH
3.5.5.1 Market Risk Measurement: Value-at-risk Models and Stress Tests
a. VAR Models
In the past, banks have usually measured the risks in individual parts of their trading
books separately. Nowadays, however, they are increasingly moving towards a whole
trading book approach using a value-at-risk (VAR) model, which is a statistical approach to
the evaluation of market risk. The aim of the VAR model is to calculate consistently the
loss, with a specified probability over a specified holding period of time that a bank might
experience on its portfolio from an adverse market movement. For example, with a
confidence interval of 97.5%, corresponding to about two standard deviations from the
mean, any change in portfolio value over one day resulting from an adverse market
movement will not exceed a specific amount x, given the relationships between assets
holding over the observation period. VAR should therefore encompass changes in all major
market risk components.
There are three main VAR approaches43. Firstly, under the variance/covariance (or
correlation) approach, a bank uses summary statistics on the magnitude of past price
volatilities and correlations between price movements to estimate likely potential losses in
its trading portfolio. This can be done by placing equal weights on all past observations or, in order
to give more weight to more recent observations so that large jumps in volatility/correlation
in the distant past are avoided, by using unequal weighting44. Secondly, under the
(historical) simulation approach, a bank bases its expectations of potential future losses on
calculations - using data on past price movements - of the loss that would have been
sustained on that book in the past. The main difference between the two is that, with the
first approach the confidence interval is calculated statistically45, whereas with the second
approach it is observed. The latter approach is, therefore, computationally more intensive
and its results are susceptible to the frequency of rare events in the historical observation
period, as well as to its length.
42 See, for example, Kupiec and O'Brien, "Model Alternative" in Risk magazine, Vol. 8, No. 6 (June 1995).
43 See Jackson (May 1995), and "Value At Risk", a Risk magazine Special Supplement (June 1996).
Finally, under the Monte Carlo (or stochastic simulation) approach, a bank tests the
value of the portfolio under a large sample of randomly chosen combinations of price
scenarios, whose probabilities are based on historical experience. This method is more
flexible and is particularly useful in measuring the risk in instruments with nonlinear price
characteristics, but it is less frequently used because of its time and cost demands.
Banks can use any of the three approaches to allocate capital between their various
operations. So far, there is no industry consensus on the best method for calculating VAR.
As with any statistical model, VAR depends on assumptions whose choice is dictated by
the user's awareness and aversion to them.
The issue of correlations is extremely important for VAR models. Different
approaches capture different correlations46. Measuring correlation is important because of
the empirically well-established 'fat' tails in the distribution of market returns.
Leptokurtosis means that measures of VAR based on a normal distribution of returns will
likely understate actual VAR.
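The contrast between the variance/covariance and historical simulation approaches, and the fat-tail effect just described, can be seen in the following added Python example, which is not part of the original text. The two return series, the exposures and all function names are constructed for illustration.

```python
import math
from statistics import NormalDist

# Constructed sample data (not from the source): 250 trading days of daily
# returns for two risk factors. Calm days move by small fixed amounts; on five
# "crash" days both factors fall together, giving the distribution a fat tail.
DAYS = 250
CRASH_DAYS = {49, 99, 149, 199, 249}
EQUITY = [-0.06 if t in CRASH_DAYS else (0.004 if t % 2 == 0 else -0.004)
          for t in range(DAYS)]
FX = [-0.03 if t in CRASH_DAYS else (0.002 if t % 4 < 2 else -0.002)
      for t in range(DAYS)]
FACTORS = [EQUITY, FX]
# Hypothetical exposures to each risk factor, in domestic currency units.
EXPOSURES = [1_000_000.0, 500_000.0]


def pnl_history(exposures, factors):
    """Revalue today's exposures on every past day's factor moves."""
    return [sum(e * f[t] for e, f in zip(exposures, factors))
            for t in range(len(factors[0]))]


def covariance_matrix(factors):
    """Sample covariance matrix, every observation equally weighted."""
    n = len(factors[0])
    means = [sum(f) / n for f in factors]
    return [[sum((a[t] - means[i]) * (b[t] - means[j]) for t in range(n)) / (n - 1)
             for j, b in enumerate(factors)]
            for i, a in enumerate(factors)]


def parametric_var(exposures, factors, confidence):
    """Variance/covariance VaR: z * sqrt(w' C w), assuming normally
    distributed returns with zero mean and constant correlations."""
    cov = covariance_matrix(factors)
    k = range(len(exposures))
    variance = sum(exposures[i] * cov[i][j] * exposures[j] for i in k for j in k)
    return NormalDist().inv_cdf(confidence) * math.sqrt(variance)


def historical_var(exposures, factors, confidence):
    """Historical simulation VaR: the observed loss that was not exceeded
    on the given fraction of past days."""
    losses = sorted(-p for p in pnl_history(exposures, factors))
    index = min(len(losses) - 1, math.ceil(confidence * len(losses)) - 1)
    return losses[index]


def excess_kurtosis(values):
    """Kurtosis minus 3; a positive value indicates fatter tails than normal."""
    n = len(values)
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n
    m4 = sum((v - mean) ** 4 for v in values) / n
    return m4 / (m2 * m2) - 3.0


def compare(confidences=(0.975, 0.99)):
    """Return {confidence: (parametric VaR, historical VaR)}."""
    return {c: (parametric_var(EXPOSURES, FACTORS, c),
                historical_var(EXPOSURES, FACTORS, c)) for c in confidences}


if __name__ == "__main__":
    for c, (p, h) in compare().items():
        print(f"{c:.1%}  variance/covariance VaR = {p:10.0f}   historical VaR = {h:10.0f}")
    kurt = excess_kurtosis(pnl_history(EXPOSURES, FACTORS))
    print(f"excess kurtosis of daily P&L = {kurt:.1f}")
```

At 99% the historical figure lands on the crash days and is far above the normal-distribution estimate, while at 97.5% the five crash days fall outside the quantile and the ordering reverses, which shows how sensitive historical simulation is to the number of rare events in the observation window.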
In addition, during extreme market movements, correlations change significantly
which has implications for VAR measurement. During the October 1987 equity markets
crash, the correlation between markets was close to 1 - all markets moved together. There is
little benefit at such times from market diversification, but considerable benefit from
having long and short positions in different markets. At other times - for example, after the
1987 Nikkei equity index crashed alone - the correlation between some markets was closer
to zero, or even -1. The benefits from diversification then would much exceed the benefits
from hedging.
44 The two most used methods for unequal weighting are the Garch (General Autoregressive Conditional Heteroscedasticity) family of models and the exponentially weighted moving averages method.
45 For example, one version of the first approach assumes that the returns on risk factors are normally distributed, the correlations between factors are constant, and the delta of each portfolio constituent is constant. All of these can be criticized as unrealistic.
46 The variance/covariance approach, for example, is based on average correlations calculated for the whole data period, while the simulation approach reflects the actual correlations on particular days.
b. Stress Testing
For the risk profile of a trading book, and for day-to-day risk management, it is
short-term 'normal' correlations that are important because of the daily marking to market
of positions. However, for the regulators, it is instances of extreme market pressure, when
correlations can change dramatically and market liquidity drains, which are the focus. The
emphasis of regulation is therefore on the tails of the distribution of price movements, that is,
on adverse extreme events. This is also the explicit aim of stress tests, the other main
market risk measurement device.
Stress tests calculate the possible extent on a trading book of exposures under
extreme market movement scenarios or, more generally, when some of the basic
assumptions underlying the VAR model are violated. The trading book is revalued
according to imposed hypothetical, albeit improbable, parameters, rather than according to
summary statistics calculated from past data as in the variance/covariance approach. As
such, there is no standard way to do stress testing since it involves experimenting with the
limits of a risk model.
3.5.5.2 The Basle Internal Model Approach
a. Overall Description
As a result of the public criticism of the Basle Standardized Measure (BSM)
proposals, the Basle Committee has, in its final market risk standard decision47, agreed to
include the IMA (Internal Model Approach) as an alternative approach to the BSM. The
market risk standard covers the trading account of internationally active banks only. There
is going to be a two-year implementation period, followed by the adoption of the standard,
on a voluntary basis depending on the decision by the country's regulatory authorities, on
the first of January 1998.
47 See Basle Committee on Banking Supervision (January 1996).
The assumptions underlying the BIMA are that banks are in a better position than
regulators to devise models that accurately measure risk exposure over a holding period of
concern to regulators, and that the regulatory authority can verify that each bank's model is
providing such an accurate measure. In effect, the regulators 'piggyback' on a bank's
existing risk-management model to determine levels of risk capital to be held. At the heart
of this approach lies the VAR model described above.
b. The IMA Process [48]
Setting capital adequacy standards under this regime is a three-stage process.
Firstly, the regulators set the quantitative standards (risk parameters) for capital
calculation, which are the following [49]:
- The model must cover all material risks in the trading book and must have a
minimum number of thirteen risk factors (maturity bands). Moreover, it must be able to
account for the non-linear pricing characteristics of option instruments;
- A 99% one-sided 'conservative' confidence interval, in order to account for
adverse movements only. This amounts to a risk estimate of three standard deviations away
from the mean of a normal distribution of portfolio value changes;
- A ten trading-day (that is, two weeks) holding period. This has been imposed to
extend the period sufficiently to be of interest to regulators, and can be justified by
appealing to concerns about illiquidity and the inability to wind down positions during
extreme market movements;
- A minimum of one year as the observation period for historical data to be used in
calculating volatility, to be updated at least once a quarter. This is intended to resolve
problems of differential volatilities and correlations arising from the choice of the size of
the sample period;
- All correlations are allowed, both within and across different asset classes (risk
categories), to be estimated with equally-weighted daily data;
- Since there is no economic model for determining how to extrapolate daily
VARs to the ten trading-day holding periods, that regulatory capital requirement is scaled
up by the square root of time. Options exposures, which have nonlinear payoffs as a
function of time, must be measured directly by considering the variance of two-week price
movements. This can be done through nonlinear approximation methods involving higher-
order risk factor sensitivities (gamma risk), volatility changes (vega risk), and spread risk;
- The bank's capital charge is based on the larger of the bank's previous day VAR
estimate and the average of its risk estimates over the prior sixty business days subject to a
multiplication factor. This minimum scaling factor is included as a measure of the
regulators' conservatism regarding the model's capital estimates. The proposed minimum
value is 3, making the implied holding period equivalent to 90 days of un-hedged exposure.
The multiplier can be increased if the supervisor is not satisfied with the accuracy of the
estimates (see 'plus factor' below);
- An additional capital charge for the specific (idiosyncratic) risk of trading book
debt and equity positions is levied. This is equal to one-half of the specific risk capital
charge as calculated under the BSM;
- For verifying risk estimates, a one-day back-testing methodology is proposed to
be used quarterly, based on the frequency of realized daily losses exceeding the model's
predicted losses at the 1% critical values. Banks are required to add to the multiplication
factor a 'plus factor' directly related to the ex-post performance of the model.
[48] See the Federal Register (25 July 1995) for a more detailed description of the BSM and the BIMA as proposed to be applied to the
United States.
[49] Quantitative standards were placed in an attempt to make consistent estimates across institutions. This was in response to important
differences in model practice, identified when the Basle Committee compiled and distributed a test portfolio to fifteen banks in the major G-10 countries in order to get their VAR estimates. Moreover, the standards aim to address some overall measurement shortcomings. See
Basle Committee on Banking Supervision (April 1995).
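The capital calculation set out in the quantitative standards above, worked through as an added Python example (it is not part of the thesis or of any Basle text). The function names, the sample VAR histories and the plus-factor values are constructed assumptions; the plus factor is taken as an input because the text gives no schedule for it.

```python
import math
from statistics import mean

HOLDING_PERIOD_DAYS = 10   # ten trading-day holding period
AVERAGING_WINDOW = 60      # prior sixty business days
MIN_MULTIPLIER = 3.0       # proposed minimum multiplication factor


def scale_to_holding_period(one_day_var, days=HOLDING_PERIOD_DAYS):
    """Extrapolate a one-day VAR to the holding period by the square root of time."""
    if one_day_var < 0 or days <= 0:
        raise ValueError("VAR must be non-negative and the holding period positive")
    return one_day_var * math.sqrt(days)


def count_exceptions(predicted_one_day_vars, realized_pnl):
    """Back-test: count days on which the realized loss exceeded the predicted VAR."""
    if len(predicted_one_day_vars) != len(realized_pnl):
        raise ValueError("need one realized P&L figure per VAR estimate")
    return sum(
        1 for var, pnl in zip(predicted_one_day_vars, realized_pnl) if -pnl > var
    )


def ima_capital_charge(one_day_vars, plus_factor=0.0, bsm_specific_risk_charge=0.0):
    """Capital charge from a history of one-day 99% VAR estimates (oldest first).

    plus_factor is supplied by the caller (assumption: the supervisor has
    already derived it from back-testing results).
    """
    if len(one_day_vars) < AVERAGING_WINDOW:
        raise ValueError("need at least sixty business days of VAR estimates")
    if plus_factor < 0 or bsm_specific_risk_charge < 0:
        raise ValueError("plus factor and specific risk charge must be non-negative")

    # Scale each daily estimate to the ten-day holding period.
    window = [scale_to_holding_period(v) for v in one_day_vars[-AVERAGING_WINDOW:]]
    previous_day = window[-1]
    scaled_average = (MIN_MULTIPLIER + plus_factor) * mean(window)

    # Larger of yesterday's VAR and the multiplied sixty-day average.
    general = max(previous_day, scaled_average)
    binding = "previous_day" if previous_day > scaled_average else "sixty_day_average"

    # Specific risk add-on: one-half of the charge computed under the BSM.
    specific = 0.5 * bsm_specific_risk_charge
    return {
        "general_market_risk": general,
        "specific_risk": specific,
        "total": general + specific,
        "binding": binding,
    }


# Constructed sample histories of one-day VAR (arbitrary currency units).
CALM_HISTORY = [1.0] * 60
SPIKE_HISTORY = [1.0] * 59 + [5.0]   # sharp rise in risk on the previous day

if __name__ == "__main__":
    for name, history in (("calm", CALM_HISTORY), ("spike", SPIKE_HISTORY)):
        result = ima_capital_charge(history, plus_factor=0.0)
        print(name, result["binding"], round(result["total"], 4))
```

In the calm history the multiplied sixty-day average binds; after the one-day spike the previous day's ten-day VAR exceeds it and becomes the charge.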
Secondly, regulators must validate the VAR statistical models and processes which
banks use to measure risk, using the following qualitative standards:
- There must exist senior management oversight and active involvement in the
process;
- The model must be fully integrated into the daily risk management process;
- Risk management must be independent of the business line - that is, it must
belong to an autonomous risk control unit;
- Controls over inputs, data, model changes, and systems must be strong;
- The modeling system and the risk management process should be subject to
an adequate, independent validation by the bank or a third party. This can be based on
either, or both, the adequacy of the VAR estimates - for example, through back-testing and
stress tests - and the documentation of the bank's policies and procedures.
Finally, the bank must estimate overall VAR capital requirements on a daily basis.
As in the BSM approach, a third tier of eligible capital to cover market risks, made up of
short-term subordinated debt subject to various restrictions, is provided here. Stress testing
simulations are periodically going to be used in order to address concerns about the
complexity and opaqueness of derivative instruments risks.
There are also rules regarding banks that temporarily use a combination of the
BSM and the IMA approaches. The Basle Committee, despite setting no timetable, is keen
to ensure that a bank which has developed one or more models will not be able to revert to
measuring the risk using the BSM approach, unless the supervisor withdraws approval for
the model.
3.5.5.3 THE PRECOMMITMENT APPROACH
a. Overall Description [50]
An alternative to models-based regulation, the Precommitment Approach (PA) focuses
on goals - namely, maintaining sufficient capital to cover trading losses - and leaves it to
banks to determine the best models and inputs to achieve those goals. It is a relatively new
idea in the field of regulation of market risk, floated by the Federal Reserve, and its specific
mechanisms have not yet been set out in detail.
Under this approach, each bank pre-commits an amount of capital to cover what is
believed to be its maximum trading loss exposure over a given regulatory horizon, which
can be one quarter or even a shorter period. This capital becomes the focus of regulation. A
bank would be in breach of this pre-commitment if cumulative losses from the beginning of
the capital period exceeded its capital commitment on any close of business mark-to-market
within the quarter. Banks that have good risk management systems, conservative portfolios,
or more risk averse preferences, could pre-commit to lower maximum loss levels and hold
less capital because of their confidence that they will not reach their pre-committed
maximum trading losses.
b. The Nature of the Penalties
Breaches would be penalized in two ways. Firstly, there would be explicit
regulatory penalties. Secondly, the commitment could be publicly disclosed, providing a
double incentive for the bank - to contain losses within its committed capital and to not
greatly over-commit capital. The latter may send a signal of an ineffective risk
measurement system, as well as of possible excessive risk exposure in the upcoming
period [51]. It also encourages the regulatory authorities to act promptly over breaches,
imposing the necessary penalties and determining management shortcomings. Disclosure
therefore both complements and strengthens the incentives created by the penalties [52].
[50] See Kupiec and O'Brien, "Model Alternative" in Risk magazine, Vol. 8, No. 6 (June
1995); Bliss
A number of regulatory punishment methods, individually or in combination, are
envisaged, depending on the situation, if trading losses exceed banks' market risk capital
pre-commitments:
- A fine penalty;
- An additional capital penalty. For example, banks could be required to hold
capital in excess of their loss pre-commitments in subsequent periods. This has been
criticized, though, on the grounds that it causes banks to respond to such a violation penalty
by taking measures to nullify it;
- Depending on the severity of the problem, supervisory actions could include less
formal penalties such as supervisory sanctions. These could include a detailed review of the
bank's risk management system, increased backtesting, close monitoring of activities, and
even restrictions on trading activity or permitted risk exposure.
All penalties should have the important characteristic that they increase nonlinearly
with the size of the violation [53]. This requirement provides disincentives to deferring today's
losses in the hope that future outcomes will reverse them, in an apparent attempt to 'bail the
boat'.
Of course, in times of unusual financial market stress situations - for example,
systemic crises - no reasonable capital commitment can fulfill those risks. Regulators must
therefore have the flexibility to waive penalties during those times. The issue of setting a
penalty function becomes all-important for regulators since it sets the tone of incentives for
compliance. In particular, that function must have the characteristic of perfect incentive
compatibility, thus avoiding over- or under-commitment of capital.
Moreover, the multiplier used to determine capital set-aside from pre-committed
maximum losses need not be fixed at unity. While the system is being implemented, and
until enough experience is gathered, a higher initial multiplier would provide an additional
degree of safety. This precaution may be dispensed with in time, though it cannot be used as
an incentive device since it encourages gaming in the same fashion as capital penalties
described above.
[51] This means that, for a bank that has excess regulatory capital, the implied cost of that capital is not zero, though it is probably less
than the cost of penalties. The end result is that the banks will choose to be conservative.
[52] The usefulness of public disclosure has been questioned by market practitioners who believe that disclosed penalties might lead to
market overreaction, which will cause runs on those banks that have breached their pre-commitment.
[53] See Bliss (September/October 1995).
5. Market Risk Management
Management of market risk should be the major concern of top management of
banks. The Boards should clearly articulate market risk management policies, procedures,
prudential risk limits, review mechanisms and reporting and auditing systems. The policies
should address the bank's exposure on a consolidated basis and clearly articulate the risk
measurement systems that capture all material sources of market risk and assess the effects
on the bank. The operating prudential limits and the accountability of the line management
should also be clearly defined. The Asset-Liability Management Committee (ALCO)
should function as the top operational unit for managing the balance sheet within the
performance/risk parameters laid down by the Board. The banks should also set up an
independent Middle Office to track the magnitude of market risk on a real time basis. The
Middle Office should comprise experts in market risk management, economists,
statisticians and general bankers and may be functionally placed directly under the ALCO.
The Middle Office should also be separated from Treasury Department and should not be
involved in the day-to-day management of Treasury. The Middle Office should apprise the
top management / ALCO / Treasury about adherence to prudential / risk parameters and
also aggregate the total market risk exposures assumed by the bank at any point of time.
3.5.6 Liquidity Risk
Liquidity Planning is an important facet of risk management framework in banks.
Liquidity is the ability to efficiently accommodate deposit and other liability decreases, as
well as fund loan portfolio growth and the possible funding of off-balance sheet claims. A
bank has adequate liquidity when sufficient funds can be raised, either by increasing
liabilities or converting assets, promptly and at a reasonable cost. It encompasses the
potential sale of liquid assets and borrowings from money, capital and Forex markets. Thus,
liquidity should be considered as a defence mechanism from losses on fire sale of assets.
The liquidity risk of banks arises from funding of long-term assets by short-term
liabilities, thereby making the liabilities subject to rollover or refinancing risk. The liquidity
risk in banks manifests in different dimensions:
a. Funding Risk - need to replace net outflows due to unanticipated
withdrawal/non-renewal of deposits (wholesale and retail);
b. Time Risk - need to compensate for non-receipt of expected inflows of
funds, i.e. performing assets turning into non-performing assets; and
c. Call Risk - due to crystallisation of contingent liabilities and inability to
undertake profitable business opportunities when desirable.
The first step towards liquidity management is to put in place an effective liquidity
management policy, which, inter alia, should spell out the funding strategies, liquidity
planning under alternative scenarios, prudential limits, liquidity reporting / reviewing, etc.
Liquidity measurement is quite a difficult task; liquidity can be measured through stock
or cash flow approaches. The key ratios adopted across the banking system are:
1. Loans to Total Assets
2. Loans to Core Deposits
3. Large Liabilities (minus) Temporary Investments to Earning Assets (minus)
Temporary Investments, where large liabilities represent wholesale deposits which are
market sensitive and temporary investments are those maturing within one year and those
investments which are held in the trading book and are readily sold in the market;
4. Purchased Funds to Total Assets, where purchased funds include the entire
inter-bank and other money market borrowings, including Certificate of Deposits and
institutional deposits; and
5. Loan Losses/Net Loans.
While the liquidity ratios are the ideal indicator of liquidity of banks operating in
developed financial mar surplus or deficit of funds at selected maturity dates is
recommended as a standard tool. The format prescribed by RBI in this regard under ALM
System should be adopted for measuring cash flow mismatches at different time bands. The
cash flows should be placed in different time bands based on future behavior of assets,
liabilities and off-balance sheet items. In other words, banks should have to analyze the
behavioral maturity profile of various components of on / off-balance sheet items on the
basis of assumptions and trend analysis supported by time series analysis. Banks should
also undertake variance analysis, at least, once in six months to validate the assumptions.
The assumptions should be fine-tuned over a period to facilitate near-reality predictions
about future behavior of on / off-balance sheet items. Apart from the above cash flows,
banks should also track the impact of prepayments of loans, premature closure of deposits
and exercise of options built in certain instruments which offer put/call options after
specified times. Thus, cash outflows can be ranked by the date on which liabilities fall due,
the earliest date a liability holder could exercise an early repayment option or the earliest
date contingencies could be crystallized.
The difference between cash inflows and outflows in each time period, the excess or
deficit of funds, becomes a starting point for a measure of a bank's future liquidity surplus
or deficit, at a series of points of time. The banks should also consider putting in place
certain prudential limits to avoid liquidity crisis:
1. Cap on inter-bank borrowings, especially call borrowings;
2. Purchased funds vis-à-vis liquid assets;
3. Core deposits vis-à-vis Core Assets i.e. Cash Reserve Ratio, Liquidity Reserve
Ratio and Loans;
4. Duration of liabilities and investment portfolio;
5. Maximum Cumulative Outflows. Banks should fix cumulative mismatches
across all time bands;
6. Commitment Ratio - track the total commitments given to corporates/banks and
other financial institutions to limit the off-balance sheet exposure;
7. Swapped Funds Ratio, i.e. extent of Indian Rupees raised out of foreign currency
sources.
Banks should also evolve a system for monitoring high value deposits (other than
inter-bank deposits), say Rs. 1 crore or more, to track the volatile liabilities. Further, the cash
flows arising out of contingent liabilities in normal situation and the scope for an increase
in cash flows during periods of stress should also be estimated. It is quite possible that a
market crisis can trigger a substantial increase in the amount of drawdowns from cash
credit/overdraft accounts, contingent liabilities like letters of credit, etc.
The liquidity profile of the banks could be analyzed on a static basis, wherein the
assets and liabilities and off-balance sheet items are pegged on a particular day and the
behavioral pattern and the sensitivity of these items to changes in market interest rates and
environment are duly accounted for. The banks can also estimate the liquidity profile in a
dynamic way by giving due importance to:
1. Seasonal pattern of deposits/loans;
2. Potential liquidity needs for meeting new loan demands, unavailed credit
limits, loan policy, potential deposit losses, investment obligations, statutory obligations,
etc.
Alternative Scenarios
The liquidity profile of banks depends on the market conditions, which influence
the cash flow behavior. Thus, banks should evaluate liquidity profile under different
conditions, viz. normal situation, bank specific crisis and market crisis scenario. The banks
should establish a benchmark for the normal situation, covering the cash flow profile of on / off-balance
sheet items, and manage net funding requirements.
Estimating liquidity under bank specific crisis should provide a worst-case
benchmark. It should be assumed that the purchased funds could not be easily rolled over;
some of the core deposits could be prematurely closed; a substantial share of assets have
turned non-performing and thus become totally illiquid. These developments would
lead to rating downgrades and high cost of liquidity. The banks should evolve contingency
plans to overcome such situations.
The market crisis scenario analyses cases of extreme tightening of liquidity
conditions arising out of the monetary policy stance of the Reserve Bank, general perception about
the risk profile of the banking system, severe market disruptions, failure of one or more of
the major players in the market, financial crisis, contagion, etc. Under this scenario, the
rollover of high value customer deposits and purchased funds could be extremely difficult,
besides the flight of volatile deposits / liabilities. The banks could also sell their investments
at huge discounts, entailing severe capital loss.
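The time-band mismatch statement and the bank-specific crisis scenario described above, as an added Python example (not part of the thesis and not the RBI format). The band labels, cash flow figures, limits and stress percentages are constructed assumptions, and the limit is modelled as a maximum cumulative net outflow per band.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    label: str       # time band (labels here are constructed, not the RBI bands)
    inflows: float   # expected cash inflows falling in the band
    outflows: float  # expected cash outflows falling in the band


def gap_statement(bands, max_cumulative_outflow=None):
    """Per-band mismatch, running cumulative mismatch and limit breaches.

    max_cumulative_outflow maps a band label to the largest cumulative net
    outflow the bank tolerates up to that band (assumed form of the
    'Maximum Cumulative Outflows' limit); bands without an entry are unchecked.
    """
    limits = max_cumulative_outflow or {}
    rows, cumulative = [], 0.0
    for band in bands:
        mismatch = band.inflows - band.outflows   # surplus (+) or deficit (-)
        cumulative += mismatch
        limit = limits.get(band.label)
        rows.append({
            "band": band.label,
            "mismatch": mismatch,
            "cumulative": cumulative,
            "breach": limit is not None and -cumulative > limit,
        })
    return rows


def bank_specific_crisis(bands, inflow_loss_pct, extra_outflow_pct):
    """Stress the normal profile for a bank-specific crisis.

    inflow_loss_pct: share of expected inflows not received (assets turning
    non-performing). extra_outflow_pct: additional outflows from purchased
    funds not rolled over and deposits closed prematurely.
    """
    if not 0 <= inflow_loss_pct <= 100 or extra_outflow_pct < 0:
        raise ValueError("stress percentages out of range")
    return [
        Band(
            b.label,
            b.inflows * (100 - inflow_loss_pct) / 100,
            b.outflows * (100 + extra_outflow_pct) / 100,
        )
        for b in bands
    ]


def breached_bands(rows):
    """Labels of the bands whose cumulative outflow exceeds the limit."""
    return [row["band"] for row in rows if row["breach"]]


# Constructed normal-situation profile (Rs. crore).
NORMAL_PROFILE = [
    Band("1-14 days", 120.0, 100.0),
    Band("15-28 days", 80.0, 110.0),
    Band("29 days-3 months", 150.0, 170.0),
    Band("3-6 months", 200.0, 160.0),
]
# Constructed prudential limits on cumulative net outflow (Rs. crore).
LIMITS = {"1-14 days": 20.0, "15-28 days": 25.0, "29 days-3 months": 40.0}

if __name__ == "__main__":
    stressed = bank_specific_crisis(NORMAL_PROFILE, inflow_loss_pct=10, extra_outflow_pct=20)
    for name, profile in (("normal", NORMAL_PROFILE), ("bank-specific crisis", stressed)):
        print(name)
        for row in gap_statement(profile, LIMITS):
            print("  ", row)
```

The normal profile stays within every limit, while the stressed profile breaches the cumulative limit from the second band onward, which is the gap a contingency funding plan would have to cover.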
Contingency Plan
Banks should prepare Contingency Plans to measure their ability to withstand
bank-specific or market crisis scenario. The blue-print for asset sales, market access,
capacity to restructure the maturity and composition of assets and liabilities should
be clearly documented and alternative options of funding in the event of bank's
failure to raise liquidity from existing source/s could be clearly articulated. Liquidity
from the Reserve Bank, arising out of its refinance window and interim liquidity
adjustment facility or as lender of last resort should not be reckoned for contingency
plans. Availability of back-up liquidity support in the form of committed lines of
credit, reciprocal arrangements, liquidity support from other external sources,
liquidity of assets, etc. should also be clearly established.
Section 3.6:
Credit Risk Management
3.6.1 Introduction
3.6.2 Objective of credit risk management
3.6.3 Difficulties face to credit risk management
3.6.4 Managing of credit risk
3.6.5 Credit Risk Environment
3.6.6 Credit Risk Strategy
3.6.7 Credit policy
3.6.8 Instruments of Credit Risk Management
3.6.9 RBI GUIDELINES ON CREDIT RISK RATING
3.6.10 LINKAGES OF CREDIT RISK RATING
3.6.11 Testing risk rating model
3.6.12 Risk Pricing
3.6.13 Portfolio Management
3.6.14 Loan Review Mechanism (LRM)
3.6.15 Credit risk in off-balance sheet Exposure
3.6.16 Role of Analytical Techniques and MIS in Credit Risk Management
3.6.17 Training
3.6.1 Introduction
Banks are in the business of risk and banking is all about managing risk and return.
The balancing of risks and returns presents a major challenge and banks are successful
when the risks taken are reasonable, controllable and within their financial resources and
credit competence. Banks, in the course of their business, are confronted with various kinds
of risks, all of which are interrelated, interdependent and overlapping in their causes
and effects.
The issuers of fixed income securities may default by failing to make interest
payments or to repay principal in a timely manner. This is referred to as credit risk. To
illustrate, credit risk is virtually non-existent for securities issued by the government of
any country. Credit risk is higher for fixed-income securities issued by corporations. The
degree of credit risk is reflected in credit ratings described below. Securities with higher
credit risks (and lower ratings), often referred to as high yield securities, generally pay a
higher interest rate to compensate investors for the additional risk. In other words, credit risk
is the risk that a certain security does not honour its commitments within the agreed
maturity. Consequently, the fund that holds this security in its portfolio will have a loss
equivalent to its investment. Normally, this risk may be evaluated by the rating of the
security. Credit Risk is also simply defined as the probability that a bank borrower will fail
to meet its obligations in accordance with agreed terms and involves inability or
unwillingness of a customer to meet commitments in relation to lending, trading, hedging,
settlement and other financial transactions. Credit Risk is generally made up of (a)
transaction risk or default risk and (b) portfolio risk.
Credit risk is the risk of financial loss arising from the failure of a borrower or other
financial counterparty to meet its contractual obligations to the Bank. The pursuit of the
Bank's development objectives renders substantial credit risk an unavoidable and necessary
consequence of its business operations. Credit risk is the major part of the Bank's overall
risk, and, in ensuring that the institution remains financially sustainable and is therefore
able to achieve its objectives, managing this risk takes precedence.
The Board of Directors and its subcommittee, the Credit Committee, authorize
larger credit decisions, while the operations executives are authorized to approve smaller
credits. All credit decisions, irrespective of nominal size, are based on a comprehensive and
documented appraisal process. In evaluating and monitoring credit risk, the Bank employs a
well-tested internal rating model that ensures a thorough and all-embracing risk assessment
of each client. Loans and guarantees provided are classified in accordance with the Bank's
associated risk classification system and all clients are reassessed on a semi-annual basis, as
part of the ongoing risk monitoring process. The semi-annual risk classification process is
documented in the form of a credit risk migration matrix, which forms the basis for
determining the Bank's loan loss provisioning. Credit decisions are further subject to both
single obligor limits and the appraised debt service capacity of the borrowers. As part of the
credit risk mitigation process the Bank also requires collateral in the form of eligible assets
or third-party guarantees, when deemed prudent. Assets held as security against loans are
revalued at prescribed intervals, which vary according to the nature and liquidity of these
assets.
Credit risk management is a process, rather a comprehensive system. The process
begins with identifying the target markets and proceeds through a series of stages to loan
repayment. Different types of risk management techniques need to be employed at each
stage of the credit process. Every activity in credit risk management is undertaken with the
ultimate aim of protecting and improving the loan quality, which is critical to the health of
banks. A healthy loan portfolio, in turn, leads to maximization of profits and shareholders'
wealth.
3.6.2 Objective of credit risk management
The factors and objectives that shape the bank's policies towards credit risk
management are:
- To make available sufficient liquidity to meet loan availments, interest,
operational and other costs and losses;
- To maximize profits; and
- To support broad national policy objectives of liquidity, interest rate stability,
financial stability and above all, allocation of scarce financial resources efficiently to foster
economic growth.
3.6.3 Difficulties face to credit risk management
Banks in emerging markets like India face intense challenges in managing Credit
Risk. These may be determined by factors external/internal to the bank. The external factors
include:
- Delay in production schedules/production difficulties of borrowers
- Frequent instability in the business environment
- Wide swings in commodity/equity prices, foreign exchange rates and interest
rates
- Legal framework less supportive of debt recovery
- Financial restrictions
- Government policies and controls
- Economic sanctions
- Natural disasters, etc.
These may be aggravated by internal factors / deficiencies in the management of
credit risk within the bank like:
- Deficiencies in loan policies / administration
- Lack of portfolio concentration limits
- Excessive centralization or decentralization of lending authority
- Deficiencies in appraisal of financial position of the borrowers
- Poor industry analysis
- Excessive reliance on collateral
- Inadequate risk pricing
- Poor controls on loan documentation
- Infrequent customer contact
- Inadequate post-sanction surveillance
- Lack of articulated loan review mechanism
- Failure to improve collateral position as credits deteriorate
- Absence of stringent asset classification and loan loss provisioning standards
- Inadequate checks and balances in the credit process
- Failure to control and audit the credit process effectively
These deficiencies can lead to loan portfolio weaknesses, including over
concentration of loans in one industry or sector, large portfolios of non-performing loans
and credit losses. These may further lead to illiquidity and ultimately insolvency. The
fact that the banks operate in an economic environment that poses objective difficulties for
good credit management gives all the more reason to strengthen their credit risk
management practices.
3.6.4 Managing of credit risk
The management of credit risk should receive the top management's attention and
the process should encompass:
1. Measurement of risk through credit rating/scoring;
2. Quantifying the risk through estimating expected loan losses i.e. the amount
of loan losses that bank would experience over a chosen time horizon (through tracking
portfolio behavior over 5 or more years) and unexpected loan losses i.e. the amount by
which actual losses exceed the expected loss (through standard deviation of losses or the
difference between expected loan losses and some selected target credit loss quantity);
3. Risk pricing on a scientific basis; and
4. Controlling the risk through effective Loan Review Mechanism and portfolio
management.
The credit risk management process should be articulated in the bank's Loan
Policy, duly approved by the Board. Each bank should constitute a high level Credit Policy
Committee, also called Credit Risk Management Committee or Credit Control Committee
etc., to deal with issues relating to credit policy and procedures and to analyze, manage and
control credit risk on a bank wide basis. The Committee should be headed by the
Chairman/CEO/ED, and should comprise heads of Credit Department, Treasury, Credit
Risk Management Department (CRMD) and the Chief Economist. The Committee should,
inter alia, formulate clear policies on standards for presentation of credit proposals,
financial covenants, rating standards and benchmarks, delegation of credit approving
powers, prudential limits on large credit exposures, asset concentrations, standards for loan
collateral, portfolio management, loan review mechanism, risk concentrations, risk
monitoring and evaluation, pricing of loans, provisioning, regulatory/legal compliance, etc.
Concurrently, each bank should also set up Credit Risk Management Department (CRMD),
independent of the Credit Administration Department. The CRMD should enforce and
monitor compliance of the risk parameters and prudential limits set by the CPC. The
CRMD should also lay down risk assessment systems, monitor quality of loan portfolio,
identify problems and correct deficiencies, develop MIS and undertake loan review/audit.
Large banks may consider separate set up for loan review/audit. The CRMD should also be
made accountable for protecting the quality of the entire loan portfolio. The Department
should undertake portfolio evaluations and conduct comprehensive studies on the
environment to test the resilience of the loan portfolio.
3.6.5 Credit Risk Environment
A fundamental prerequisite for credit risk management is establishment of an appropriate
credit risk environment. Banks should have a clear-cut perspective on credit risk strategy and evolve
suitable policies and procedures to implement it. These should be effectively communicated
throughout the organization. All relevant personnel should clearly understand the bank's approach to
granting credit and should comply with the established policies and procedures.
Internationally, the responsibility for designing and implementing the credit risk management
systems (viz. identifying, measuring, monitoring and controlling credit risks) is vested with the top
management of the banks. The Basel committee document referred to earlier has recommended that:
- The board of directors should have the responsibility for approving and
periodically reviewing the credit risk strategy and significant credit risk policies of the bank. The
strategy should reflect the bank's tolerance for risk and the level of profitability the bank expects to
achieve for incurring various credit risks.
- Senior management should have the responsibility for implementing the credit
risk strategy approved by the board and for developing the policies and procedures for identifying,
measuring, monitoring and controlling credit risk. Such policies and procedures should address credit
risk in all the bank's activities and at both individual credit and portfolio levels.
- Banks should identify and manage credit risk inherent in all products and
activities. New products and activities should be subject to adequate procedures and controls before
being introduced or undertaken.
3.6.6 Credit Risk Strategy
A credit risk strategy or plan establishes the objectives guiding the bank's credit-granting
activities and its credit risk management functions. The strategies or directives:
- Typically provide general parameters for the types of credits that the bank will
offer and the types of customers that the bank will serve, as dictated by current strategic decisions
e.g., in a particular year, the bank may like to concentrate on infrastructure finance, or may like to
expand in the retail finance segment. These should be well laid out in the bank's document on credit
risk strategy.
- Regulate loan-concentration levels in particular industries or market segments
- Give recognition to the goals of credit quality, earnings and growth
- Provide continuity in approach. These will need to take into account the cyclical
patterns of the industry and economy and the resultant shifts in the overall composition and the
quality of the credit portfolio. These strategies should be viable in the long run.
- Should be effectively communicated throughout the organisation.
3.6.7 Credit policy
Credit policy provides the framework for the entire credit management process.
Written credit policies and procedures are the cornerstones of sound credit management.
They set the objective standards and parameters to guide bank officers who grant loans and
manage the loan portfolio. They also provide the board of directors, regulators, and internal
and external auditors with a basis for evaluating a bank's credit management performance.
When credit policies are carefully formulated, administered from the top, and clearly
understood at all organizational levels, they enable the bank management to maintain
proper credit standards, avoid excessive risks, and evaluate business opportunities properly.
Lending policy is one facet of the overall spectrum of policies that guide a bank's
operations.
Credit policy should address such topics as target markets, standards for
presentation of loan proposals, financial covenants (both price and non-price terms), rating
standards and benchmarks, delegation of credit approving powers, prudential limits on
large credit exposures, asset concentrations, standards for loan collateral, portfolio
management, loan review mechanism, levels of risk concentration, risk monitoring and
evaluation, pricing of loans, provisioning for loan losses, regulatory/legal compliance,
exceptional reporting, etc. It should also encompass other elements such as availability of
funds and term structure of liabilities. In short, the credit policy of a bank should address
total management of credit risk.
Policies and procedures that are properly developed and
implemented enable the bank to:
1. Maintain uniform and sound credit-granting standards;
2. Ensure operational consistency;
3. Monitor and control credit risk;
4. Evaluate new business opportunities; and
5. Identify and administer problem credits.
Developing credit policy is particularly important when a bank must adapt to a
complex and rapidly changing environment. Credit policy, by establishing a common credit
language throughout the organization, helps in determining the level of acceptable risk and
expected return.
3.6.8 Instruments of Credit Risk Management
Credit Risk Management encompasses a host of management techniques, which
help the banks in mitigating the adverse impacts of credit risk.
3.6.8.1 Credit Approving Authority
Banks usually adopt either a committee or sequential process of credit approval.
The former requires ultimate approval of a loan or credit facility by a committee that
customarily consists of members of senior management and the heads of the credit
departments. The sequential process involves an approval chain of individual loan officers
with ascending levels of authority to sanction credit. Most of the Indian banks, especially in
the public sector, have adopted the sequential system of loan sanction.
The proponents of the committee system believe that:
The committee has better decision making capabilities, by virtue of the
combined experience of its members and
There is greater transparency in the decision making process.
Advocates of the sequential system, however, argue that:
Majority of the members may follow the preferences of the senior members
of the committee.
The system may not always help in speedy decision-making.
It may be difficult to fix accountability to generate more responsible
decision-making.
Committee may hence be more risk-prone.
Ultimately, the size of the bank, the scope of its operations and most important - its
credit culture will determine the type of credit approval process to be adopted by it. It may
be mentioned that RBI in its recent guidelines has asked banks to consider establishment of
the 'Committee' system of loan approval.
The banks should also evolve suitable framework for reporting and evaluating the
quality of credit decisions taken by various functional groups. The quality of credit
decisions should be evaluated within a reasonable time, say 3 - 6 months, through a well-
defined Loan Review Mechanism.
3.6.8.2 Prudential Limits
In order to limit the magnitude of credit risk, prudential limits should be laid down
on various aspects of credit:
1. Stipulate benchmark current/debt equity and profitability ratios, debt service
coverage ratio or other ratios, with flexibility for deviations. The conditions subject to
which deviations are permitted and the authority therefor should also be clearly spelt out
in the Loan Policy;
2. single/group borrower limits, which may be lower than the limits prescribed
by Reserve Bank to provide a filtering mechanism;
3. substantial exposure limit i.e. sum total of exposures assumed in respect of
those single borrowers enjoying credit facilities in excess of a threshold limit, say 10% or
15% of capital funds. The substantial exposure limit may be fixed at 600% or 800% of
capital funds, depending upon the degree of concentration risk the bank is exposed to;
4. maximum exposure limits to industry, sector, etc. should be set up. There
must also be systems in place to evaluate the exposures at reasonable intervals and the
limits should be adjusted especially when a particular sector or industry faces slowdown or
other sector/industry specific problems. The exposure limits to sensitive sectors, such as,
advances against equity shares, real estate, etc., which are subject to a high degree of asset
price volatility and to specific industries, which are subject to frequent business cycles, may
necessarily be restricted. Similarly, high-risk industries, as perceived by the bank, should
also be placed under lower portfolio limit. Any excess exposure should be fully backed by
adequate collaterals or strategic considerations; and
5. banks may consider maturity profile of the loan book, keeping in view the
market risks inherent in the balance sheet, risk evaluation capability, liquidity, etc.
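A sketch of how the substantial exposure limit and sector ceilings above could be monitored, as an added example that is not part of the original text. The 10% threshold and 600% ceiling are the figures quoted above; the 90% warning level, the sector ceilings (expressed as a share of total advances) and the portfolio are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    borrower: str
    sector: str
    amount: float  # same currency unit as capital funds


def classify(used, limit, warn_ratio=0.9):
    """Grade utilisation against a limit. warn_ratio (90%) is an assumed
    early-warning level; the text only says 'approaching'."""
    if used > limit:
        return "BREACH"
    if used >= warn_ratio * limit:
        return "APPROACHING"
    return "OK"


def substantial_exposure(exposures, capital_funds, threshold_pct=10.0):
    """Aggregate facilities per borrower, keep borrowers whose total is in
    excess of threshold_pct of capital funds, and return them with their sum."""
    totals = {}
    for e in exposures:
        totals[e.borrower] = totals.get(e.borrower, 0.0) + e.amount
    cutoff = capital_funds * threshold_pct / 100.0
    large = {b: amt for b, amt in totals.items() if amt > cutoff}
    return large, sum(large.values())


def check_prudential_limits(exposures, capital_funds, sector_limit_pct,
                            threshold_pct=10.0, substantial_limit_pct=600.0):
    """Build a limit report: substantial exposure vs. its ceiling, and each
    sector's share of total advances vs. its (assumed) ceiling."""
    large, aggregate = substantial_exposure(exposures, capital_funds, threshold_pct)
    ceiling = capital_funds * substantial_limit_pct / 100.0
    report = {
        "substantial": {
            "borrowers": len(large),
            "aggregate": aggregate,
            "limit": ceiling,
            "status": classify(aggregate, ceiling),
        },
        "sectors": {},
    }
    total_advances = sum(e.amount for e in exposures)
    sector_totals = {}
    for e in exposures:
        sector_totals[e.sector] = sector_totals.get(e.sector, 0.0) + e.amount
    for sector, used in sorted(sector_totals.items()):
        pct = sector_limit_pct.get(sector)
        if pct is None:
            # A sector without a ceiling is itself a finding, not a pass.
            report["sectors"][sector] = {"used": used, "status": "NO LIMIT SET"}
            continue
        limit = total_advances * pct / 100.0
        report["sectors"][sector] = {
            "used": used, "limit": limit, "status": classify(used, limit)}
    return report


# Constructed sample data: capital funds of 100 units and a 91-borrower book.
CAPITAL_FUNDS = 100
SECTOR_LIMITS = {"real_estate": 15.0, "manufacturing": 60.0, "retail": 40.0}


def sample_portfolio():
    book = [Exposure(f"RE{i:02d}", "real_estate", 14) for i in range(10)]
    book += [Exposure(f"MF{i:02d}", "manufacturing", 14) for i in range(30)]
    book += [Exposure(f"RT{i:02d}", "retail", 4) for i in range(50)]
    # Exactly at the threshold: not "in excess of" it, so not substantial.
    book.append(Exposure("EDGE", "retail", 10))
    return book


if __name__ == "__main__":
    rep = check_prudential_limits(sample_portfolio(), CAPITAL_FUNDS, SECTOR_LIMITS)
    print("substantial exposure:", rep["substantial"])
    for name, row in rep["sectors"].items():
        print(name, row)
```
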
3.6.8.3 Credit Risk Rating
An important tool in monitoring the quality of individual credits as well as the total
portfolio is the use of an internal risk rating system. A well-structured internal risk rating
system is a good means of differentiating the degree of credit risk in different credit
exposures of a bank. This will allow more accurate determination of the overall
characteristics of the credit portfolio, concentrations, problem credits and the adequacy of
loan loss provisions.
Need for credit risk rating model
The liberalization of the Indian economy has brought about sweeping changes in the
economic environment of the country. The banking sector, which has been traditionally
used to lending in a closed environment, is suddenly open to various kinds of risks arising out
of globalization. The consistent reduction in the import duties and withdrawal of
subsidies/tax benefits facilitating the industries to compete globally under a free
environment has necessitated the banks to assess the risks involved in financing a borrower
and update the same on a continuous basis.
There is need to change from the present system of demand driven credit to supply
driven credit where the bank predetermines the extent of exposure, terms of credit, form of
credit, etc. based on the riskiness of borrower represented by rating. This has become
necessary to contain potential loss and also to ensure quality of credit portfolio.
Typically, an internal risk rating system categorizes credits into various classes
designed to take into account the gradations in risk. The risk rating system should be drawn
in a structured manner, incorporating, inter-alia, financial analysis, projections and
sensitivity, industrial and management risks. Banks may use the following parameters for
developing a risk rating system suited for the bank:
A. Financial aspects
1. Quantitative parameters
Financial indicators: Financial indicators are mainly net worth, sales turnover, profits,
and ratios such as liquidity, profitability, gearing, turnover etc.
Historical comparison of the indicators
Inter-firm comparisons
Operational parameters - conduct of account, turnover in the account, etc.
Collaterals
2. Qualitative aspects: Qualitative analysis of financial risks that could
impact the borrowing company’s bottom line such as
Accounting policies
Auditor's qualifying remarks, etc.
B. Management aspects: Evaluation of the management of the borrowing
company, such as
Structure & systems,
Its track record,
Honesty and integrity,
The promoters - their expertise, competence & commitment,
Market perception of the company and its promoters, etc
C. Industry aspects such as:
The industry and its trends
The trade cycle
Regulatory aspects such as government policies, controls, etc
Competition faced from the peers and the market for the products
Technology levels of the unit vis-à-vis the developments in the country and
abroad
The input profile - raw materials, infrastructure, etc. and their pricing
Products / user characteristics, the alternatives / substitutes available etc
Once the risk rating systems are put in place, the ratings assigned to the borrowers
can be used as critical inputs for setting pricing and non-price terms of loans as also present
meaningful information for review and management of loan portfolio. Within the rating
framework, banks can prescribe certain level of standards or critical parameters, beyond
which no proposals should be entertained. A separate rating framework may also be
developed for large corporates, small borrowers, traders, etc. that exhibit varying nature and
degree of risk.
Internal risk rating systems are thus pivotal to credit risk management. These ratings
serve as important tools in monitoring and controlling credit risk. The rating assigned to
individual borrowers or counterparties at the time the credit is granted must be reviewed on
a periodic basis and individual credits should be assigned a new rating when conditions
improve or deteriorate. The bank's risk rating system should be responsive to the indicators
of potential or actual deterioration in credit quality. Advances with deteriorating ratings
should be subject to continuous monitoring. Such internal risk ratings can be used for
continuously evaluating the credit portfolio and determining the necessary changes to the
credit strategy of the bank.
3.6.9 RBI GUIDELINES ON CREDIT RISK RATING
Banks should have a comprehensive risk scoring/rating system that serves as a
single point indicator of diverse risk factors of a counterparty and for taking decision in a
consistent manner.
The risk rating system should be devised to reveal the overall risk of lending
which is the critical input for setting price and non-price terms of loans as also present
meaningful information for review and management of loan portfolio.
Within the rating framework banks should also prescribe certain levels of
standards or critical parameters beyond which no proposals should be entertained. Banks
may also consider separate rating framework for large corporate/small borrowers, etc.
Reserve Bank of India in their notification on risk management system in banks
have outlined the following guidelines in respect of risk rating of a borrower:
a. The overall score for risk is to be placed on numerical scale ranging
between 1 to 6, 1 to 8, etc.
b. Bank should ensure that unhedged market risk exposures of
borrowers (foreign exchange exposure assumed by the corporate who have no natural
hedges) should also be considered in the rating framework.
c. Credit risk assessment should be reviewed biannually and should be
delinked invariably from the regular renewal exercise.
d. In order to ensure consistency and accuracy of internal ratings the
responsibility for setting or confirming such ratings should vest with the loan review
function and examined by an independent loan review group.
e. Bank should undertake comprehensive study on migration of
borrowers in the ratings.
3.6.10 LINKAGES OF CREDIT RISK RATING
Credit risk rating is the pivot around which the various functions of the credit department
revolve. Credit risk rating is linked to the following aspects:
a. To lend or not: Within the rating framework banks are to decide the rating
beyond which they will not take any additional exposure. Credit risk rating facilitates in
deciding the rating/grade up to which taking up additional exposure can be considered.
b. Pricing: Borrowers with weak financial position and placed under high credit
risk category should be priced high. Banks should evolve scientific systems to price the
credit risk which should have a bearing on the expected probability of default. The pricing
of loans should be linked to risk rating. However, factors such as value of collateral,
market forces, perceived value of accounts, future business potential and strategic reasons
may also play an important role in pricing.
c. Norms for collateral/margins: The extent of collateral security required and the
need to step up margin requirements are linked to credit risk rating of a borrower. The
higher the risk category, the greater the volume of collateral required and the higher the margins
stipulated. Banks may evolve norms on the above aspect related to risk rating
criteria.
d. Product mix guidelines: There is need to gradually shift from the present form
of borrowers availing credit facility by way of Cash Credit limit to term lending in Working
Capital. In case of high credit risk category banks may consider offering demand loan for
shorter duration keeping in view the risk involved. Similarly, for those borrowers with low
credit risk category banks may consider fixing the Line of Credit/pre-sanctioned limits for
disbursal at short notice. Similarly declining CC rate based on the volume of credit that
may be availed by low risk category borrowers may also be considered.
e. Delegation of powers: The delegation of loaning powers may be linked to credit
risk rating of a borrower. The authorities at various levels may apply their expertise in
evaluating exposure to high credit risk category borrowers rather than high volume
borrowers only. Similarly, the delegation of loaning powers should also be linked to the
maturity of loan.
f. Vary the frequency of renewal and follow up process:
Renewal of facility in case of low credit risk category of borrowers can be
considered biannually, whereas for high risk rated borrowers it can be done twice a year or
even at quarterly intervals.
3.6.11 Testing risk rating model
Creating a risk-rating model requires a period of intense testing for a relatively short
period of time. Three of the most important aspects of testing any credit rating system are
the following:
Sensitivity of ratings to real changes in credit quality
Lead time with respect to recognized changes in quality,
Stability of ratings when no change has occurred.
One of the biggest problems for the banks in general is that they are too slow to
recognize real changes. Lowering of rating based on false alarms can also have negative
consequences for a relationship with a borrower. There is a tendency to give the customer
the benefit of doubt and to wait and see if the company can work things out on its own.
Unfortunately, the reluctance to recognize the truth about a borrower can lead to problems
if real deterioration takes place.
3.6.12 Risk Pricing
Risk-return pricing is a fundamental tenet of risk management. In a risk-return
setting, borrowers with weak financial position and hence placed in high credit risk
category should be priced high. Thus, banks should evolve scientific systems to price the
credit risk, which should have a bearing on the expected probability of default. The pricing
of loans normally should be linked to risk rating or credit quality. The probability of default
could be derived from the past behavior of the loan portfolio, which is the function of loan
loss provision/charge offs for the last five years or so. Banks should build historical
database on the portfolio quality and provisioning / charge off to equip themselves to price
the risk. But value of collateral, market forces, perceived value of accounts, future business
potential, portfolio/industry exposure and strategic reasons may also play important role in
pricing. Flexibility should also be made for revising the price (risk-premia) due to changes
in rating / value of collaterals over time. Large sized banks across the world have already
put in place Risk Adjusted Return on Capital (RAROC) framework for pricing of loans,
which calls for data on portfolio behavior and allocation of capital commensurate with
credit risk inherent in loan proposals. Under the RAROC framework, the lender begins by charging
an interest mark-up to cover the expected loss - the expected default rate of the rating category
of the borrower. The lender then allocates enough capital to the prospective loan to cover
some amount of unexpected loss - the variability of default rates. Generally, international banks
allocate enough capital so that the expected loan loss reserve or provision plus allocated
capital covers 99% of the loan loss outcomes.
The systems to price credit risk should be scientific and take into account the
expected probability of default. The pricing of loans is normally linked to risk rating or
credit quality. Hence, risk rating, especially in the case of commercial loans, will be the
anchor for pricing loans. However, this may be duly supplemented and supported by other
factors, such as:
Market forces and competition
Portfolio / industry exposure
Value of collateral
Value of account, both short term and long term
Strategic reasons such as additional business potential or threat of loss of
business, etc.
3.6.13 Portfolio Management
The existing framework of tracking the Non Performing Loans around the balance
sheet date does not signal the quality of the entire Loan Book. Banks should evolve proper
systems for identification of credit weaknesses well in advance. Most of international banks
have adopted various portfolio management techniques for gauging asset quality. The
CRMD, set up at Head Office should be assigned the responsibility of periodic monitoring
of the portfolio. The portfolio quality could be evaluated by tracking the migration (upward
or downward) of borrowers from one rating scale to another. This process would be
meaningful only if the borrower-wise ratings are updated at quarterly / half-yearly intervals.
Data on movements within grading categories provide a useful insight into the nature and
composition of loan book.
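The migration tracking described above, as an added example that is not part of the original text. It assumes a 1 to 6 scale on which 1 is the best grade and treats a fall of two or more notches as a sharp downgrade; the borrower ratings are constructed sample data.

```python
from collections import Counter

GRADES = list(range(1, 7))  # assumed scale: 1 (best) to 6 (worst)


def migration_matrix(prev, curr, grades=GRADES):
    """Count borrowers moving from each previous grade (row) to each current
    grade (column). Borrowers rated at only one review date are skipped."""
    counts = {g: {h: 0 for h in grades} for g in grades}
    for borrower, old in prev.items():
        if borrower in curr:
            counts[old][curr[borrower]] += 1
    return counts


def migration_rates(counts):
    """Row-normalise the counts into migration frequencies per starting grade.
    A grade with no borrowers gets a row of zeros rather than a division error."""
    rates = {}
    for grade, row in counts.items():
        n = sum(row.values())
        rates[grade] = {h: (c / n if n else 0.0) for h, c in row.items()}
    return rates


def summarise(prev, curr):
    """Number of upgrades, downgrades and unchanged ratings between reviews."""
    moves = Counter({"upgrade": 0, "downgrade": 0, "stable": 0})
    for borrower, old in prev.items():
        if borrower not in curr:
            continue
        delta = curr[borrower] - old  # positive = moved to a worse grade
        if delta > 0:
            moves["downgrade"] += 1
        elif delta < 0:
            moves["upgrade"] += 1
        else:
            moves["stable"] += 1
    return dict(moves)


def sharp_downgrades(prev, curr, notches=2):
    """Borrowers that fell by at least `notches` grades (assumed trigger)."""
    return sorted(b for b, old in prev.items()
                  if b in curr and curr[b] - old >= notches)


# Constructed ratings at two consecutive review dates.
# B10 left the book and B11 is new, so neither enters the matrix.
PREVIOUS = {"B01": 1, "B02": 2, "B03": 2, "B04": 3, "B05": 3,
            "B06": 3, "B07": 4, "B08": 5, "B09": 2, "B10": 6}
CURRENT = {"B01": 1, "B02": 2, "B03": 4, "B04": 3, "B05": 2,
           "B06": 4, "B07": 6, "B08": 5, "B09": 3, "B11": 3}


if __name__ == "__main__":
    matrix = migration_matrix(PREVIOUS, CURRENT)
    print("from\\to " + " ".join(f"{g:>3}" for g in GRADES))
    for g in GRADES:
        print(f"{g:>7} " + " ".join(f"{matrix[g][h]:>3}" for h in GRADES))
    print(summarise(PREVIOUS, CURRENT))
    print("review first:", sharp_downgrades(PREVIOUS, CURRENT))
```
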
The banks could also consider the following measures to maintain the portfolio
quality:
1. Stipulate quantitative ceiling on aggregate exposure in specified rating
categories, i.e. certain percentage of total advances should be in the rating category of 1 to
2 or 1 to 3, 2 to 4 or 4 to 5, etc.;
2. Evaluate the rating-wise distribution of borrowers in various industry,
business segments, etc.;
3. Exposure to one industry/sector should be evaluated on the basis of overall
rating distribution of borrowers in the sector/group. In this context, banks should weigh the
pros and cons of specialization and concentration by industry group. In cases where
portfolio exposure to a single industry is badly performing, the banks may increase the
quality nal environment undergoes rapid changes (e.g. volatility in the forex market,
economic sanctions, changes in the fiscal/monetary policies, general slowdown of the
economy, market risk events, extreme liquidity conditions, etc.). The stress tests would
reveal undetected areas of potential credit risk exposure and linkages between different
categories of risk. In adverse circumstances, there may be substantial correlation of various
risks, especially credit and market risks. Stress testing can range from relatively simple
alterations in assumptions about one or more financial, structural or economic variables to
the use of highly sophisticated models. The Board should review the output of such
portfolio-wide stress tests and suitable changes may be made in prudential risk limits for
protecting the quality. Stress tests could also include contingency plans, detailing
management responses to stressful situations.
4. Introduce discriminatory time schedules for renewal of borrower limits.
Lower rated borrowers whose financials show signs of problems should be subjected to
renewal control twice/thrice a year.
Banks should evolve suitable framework for monitoring the market risks especially
forex risk exposure of corporates who have no natural hedges on a regular basis. Banks
should also appoint Portfolio Managers to watch the loan portfolio's degree of
concentrations and exposure to counterparties. For comprehensive evaluation of customer
exposure, banks may consider appointing Relationship Managers to ensure that overall
exposure to a single borrower is monitored, captured and controlled. The Relationship
Managers have to work in coordination with the Treasury and Forex Departments. The
Relationship Managers may service mainly high value loans so that a substantial share of
the loan portfolio, which can alter the risk profile, would be under constant surveillance.
Further, transactions with affiliated companies/groups need to be aggregated and
maintained close to real time. The banks should also put in place formalized systems for
identification of accounts showing pronounced credit weaknesses well in advance and also
prepare internal guidelines for such an exercise and set time frame for deciding courses of
action.
Many of the international banks have adopted credit risk models for evaluation of
credit portfolio. The credit risk models offer banks framework for examining credit risk
exposures, across geographical locations and product lines in a timely manner, centralizing
data and analyzing marginal and absolute contributions to risk. The models also provide
estimates of credit risk (unexpected loss), which reflect individual portfolio composition.
The Altman's Z Score forecasts the probability of a company entering bankruptcy within a
12-month period. The model combines five financial ratios using reported accounting
information and equity values to produce an objective measure of borrower's financial
health. J. P. Morgan has developed a portfolio model 'CreditMetrics' for evaluating credit
risk. The model basically focuses on estimating the volatility in the value of assets caused
by variations in the quality of assets. The volatility is computed by tracking the probability
that the borrower might migrate from one rating category to another (downgrade or
upgrade). Thus, the value of loans can change over time, reflecting migration of the
borrowers to a different risk-rating grade. The model can be used for promoting
transparency in credit risk, establishing benchmark for credit risk measurement and
estimating economic capital for credit risk under RAROC framework. Credit Suisse
developed a statistical method for measuring and accounting for credit risk which is known
as CreditRisk+. The model is based on actuarial calculation of expected default rates and
unexpected losses from default.
The banks may evaluate the utility of these models with suitable modifications to
Indian environment for fine-tuning the credit risk management. The success of credit risk
models impinges on time series data on historical loan loss rates and other model variables,
spanning multiple credit cycles. Banks may, therefore, endeavor building adequate database
for switching over to credit risk modeling after a specified period of time.
3.6.14 Loan Review Mechanism (LRM)
LRM is an effective tool for constantly evaluating the quality of loan book and to
bring about qualitative improvements in credit administration. Banks should, therefore, put
in place proper Loan Review Mechanism for large value accounts with responsibilities
assigned in various areas such as, evaluating the effectiveness of loan administration,
maintaining the integrity of credit grading process, assessing the loan loss provision,
portfolio quality, etc. The complexity and scope of LRM normally vary based on banks'
size, type of operations and management practices. It may be independent of the CRMD or
even separate Department in large banks.
3.6.14.1 The main objectives of LRM could be:
To identify promptly loans which develop credit weaknesses and initiate
timely corrective action;
To evaluate portfolio quality and isolate potential problem areas;
To provide information for determining adequacy of loan loss provision;
To assess the adequacy of and adherence to, loan policies and procedures,
and to monitor compliance with relevant laws and regulations; and
To provide top management with information on credit administration,
including credit sanction process, risk evaluation and post-sanction follow-up.
Accurate and timely credit grading is one of the basic components of an effective
LRM. Credit grading involves assessment of credit quality, identification of problem loans,
and assignment of risk ratings. A proper Credit Grading System should support evaluating
the portfolio quality and establishing loan loss provisions. Given the importance and
subjective nature of credit rating, the credit ratings awarded by Credit Administration
Department should be subjected to review by Loan Review Officers who are independent
of loan administration.
3.6.15 Credit Risk in Off-balance Sheet Exposure
Banks should evolve adequate framework for managing their exposure in off-
balance sheet products like forex forward contracts, swaps, options, etc. as a part of overall
credit to individual customer relationship and subject to the same credit appraisal, limits
and monitoring procedures. Banks should classify their off-balance sheet exposures into
three broad categories: full risk (credit substitutes) - standby letters of credit, money
guarantees, etc.; medium risk (not direct credit substitutes, which do not support existing
financial obligations) - bid bonds, letters of credit, indemnities and warranties; and low risk
- reverse repos, currency swaps, options, futures, etc.
The trading credit exposure to counterparties can be measured on static (constant
percentage of the notional principal over the life of the transaction) and on a dynamic basis.
The total exposures to the counterparties on a dynamic basis should be the sum total of:
1. The current replacement cost (unrealized loss to the counterparty); and
2. The potential increase in replacement cost (estimated with the help of VaR
or other methods to capture future volatilities in the value of the outstanding contracts/
obligations).
The current and potential credit exposures may be measured on a daily basis to
evaluate the impact of potential changes in market conditions on the value of counterparty
positions. The potential exposures also may be quantified by subjecting the position to
market movements involving normal and abnormal movements in interest rates, foreign
exchange rates, equity prices, liquidity conditions, etc.
3.6.16 Role of Analytical Techniques and MIS in Credit Risk Management
Once having identified the sources and types of credit risk present in the various
activities of the bank, the next and major step is to quantify these risks and analyze them at
both individual and portfolio level. For the purpose, banks need to adopt techniques and
methodologies which should take into account various parameters such as the nature of the
credit, its contractual and financial conditions (interest rate, repayment schedule etc.), its
maturity profile, collateral securities or guarantees held and its internal risk rating and
potential changes during the duration of the loan. Banks should undertake the process of
risk measurement and analysis at appropriate intervals and compare the results with the
prudential limits set by them.
Internationally, banks have adopted different models for evaluation of risk in their
credit portfolio. Use of statistical models to predict credit risk and the resultant loan loss
gained importance and recognition with the development of the Z score equation in 1968
by Edward Altman. This model uses 5 financial ratios to forecast the probability of a
company becoming bankrupt over a time period of thirteen months. Another portfolio
model, 'Credit Metrics', developed by J.P. Morgan, estimates the change in the value of
assets (volatility) caused by variations in their quality. 'Credit Metrics' uses migration
analysis and tracks the probability that the borrower might migrate from one rating
category to the other for computing the volatility. Credit Suisse has developed yet another
statistical model called 'Credit Risk+' for measuring and accounting credit risk, using
actuarial calculation of expected default rates and unexpected losses from default.
Whatever the model adopted for measuring credit risk, banks need to fine-tune the same to
suit their internal and external environment of credit management.
The major limitation in the designing and implementation of credit risk models in
the Indian context is lack of availability of accurate historical data on loan loss rates. The
infrequent nature of default events and longer time horizons used in measuring credit risk
also contribute to the lack of available database for developing credit risk models. Hence, to
effectively develop and use credit risk models, banks need to build adequate database on all
the model variables over a period of time.
The effectiveness of a bank's risk measurement process is highly dependent on the
quality and accuracy of management information systems. The information generated from
such systems enables the top management to evaluate the risks and returns, as also
determine the adequate level of capital that the bank should be holding to cover the risks.
Next to quality and accuracy, timeliness is the most important factor critical to effective
credit risk management. The MIS of the bank should permit the management to quickly and
accurately gauge the credit risk incurred by it and review the results vis-à-vis the bank's
credit risk strategy. It is also important that the bank's MIS has a triggering mechanism to
indicate exposures approaching prudential limits and bring them to the attention of senior
management.
3.6.17 Training
Credit risk management is a complex function and requires specialized skills and
expertise. As the domestic market integrates with the international markets, banks will need
more and more expertise and skills in managing various types of risks in a scientific
manner. The Indian public sector banks have to develop and train their existing human
resources to meet the credit risk management challenges.
Section 3.7:
Interest rate risk management
3.7.1 Introduction
3.7.2 The most common target accounts for managing interest rate risk
3.7.3 Components of interest rate risk
3.7.4 Interest Rate Risk (IIR) management
3.7.5 Sources of Interest Rate Risk
3.7.6 Type of Interest Rate Risk
3.7.7 Supervisory guidelines
3.7.8 Interest rate risk measurement techniques
3.7.9 Adequate risk management policies and procedures
3.7.10 Internal controls
3.7.11 Information for supervisory authorities
3.7.12 Capital adequacy
3.7.13 Disclosure of interest rate risk
3.7.14 Supervisory treatment of interest rate risk in the banking book
3.7.15 Conclusion
3.7.1 Introduction
Interest Rate Risk is the impact on the value of your portfolio/position because of
a movement in interest rates. In other words, one lesser-understood effect of changing
interest rates is how changing rates cause the value of fixed income investments to rise or
fall. This is called "interest rate risk." When interest rates rise, the values of fixed income
investments, like bonds, fall. Conversely, when interest rates fall, the values of bonds rise.
This happens because ultimately the values of bonds are determined in the
marketplace. There are thousands of traders and investors that are constantly buying and
selling bonds. The prices at which they will buy and sell are based on the existing interest
rate environment.
The amount by which the values rise or fall is primarily dependent on the maturity
of the bond. The longer a bond's maturity, the more its value will change when
interest rates change. For short-term bonds, like 90-day Treasury Bills, the effect is very
small.
The primary objectives of interest rate risk management are to achieve a target
level of return while maintaining the institution's interest rate risk exposures within
prudent bounds. In pursuing these objectives, management should ensure that the risk to
the institution's earnings and to its economic value is within prudent bounds over a range
of plausible interest rate environments. The objective is not to eliminate interest rate risk,
but rather to maintain risk exposures at levels that are prudent and acceptable to the
institution's board of directors. The risk and return objectives of a Bank should be
consistent with the housing finance and community investment mission and consistent
with the safety and soundness objectives of remaining adequately capitalized, liquid, and
able to raise funds in the capital markets.
3.7.2 The most common target accounts for managing interest rate risk
At financial institutions, interest rate risk is generally managed with respect to an
institution's earnings or economic capital, or both. With respect to earnings, net interest
income is the most common target account (i.e., the focal point of management) for
measuring, managing, and controlling interest rate risk.54 With respect to capital, the two
most common targets are net portfolio value55 and the economic capital ratio.56
When net interest income is the target account, the risk management objective is to
maintain net interest earnings within an acceptable range over a specified time horizon.
The time horizon over which interest rate risk is managed is typically relatively short --
usually three to 12 months. For example, the management objective may be to ensure that
net interest income will remain within certain parameters -- or not fall below pre-specified
levels -- during the next three months over a range of hypothetical interest rate scenarios.
When net portfolio value is the focus, a common objective is to keep the
institution's net portfolio value from falling below pre-specified limits over a range of
interest rate scenarios. For example, the objective may be to ensure that net portfolio
value does not fall by more than 5 percent over a range of scenarios.
From a safety and soundness perspective, however, a more relevant objective is to
ensure that the institution's economic capital ratio does not fall below a pre-specified
level over a range of pre-determined interest rate scenarios. The advantages of using the
economic capital ratio to limit interest rate risk are:
1. It is an unambiguous means of communicating an institution's tolerance
for risk;
2. It represents a "floor" that does not have to be linked to a specific time
horizon; and
3. It addresses the loss to economic value from all key risk factors: parallel
rate shocks, non-parallel rate shocks, prepayment risk, and so forth.
Moreover, the focus on
economic capital is consistent with the goal of maximizing risk-adjusted returns to
shareholders over the long run. By focusing on economic value and the economic capital
ratio, management is less likely to inadvertently sacrifice long-term economic earnings in
pursuit of short-term gains.
54 No institution can concurrently eliminate or minimize the risk to both earnings and net portfolio value. Specifically, a reduction in the volatility of net interest income will result in an increase in the volatility of net portfolio value and vice versa. An institution's net cash flows can be modified to become less sensitive to interest rates or more sensitive to interest rates. If the pattern of net cash flows is modified so as to become more stable, its market value of equity will behave more like a fixed rate bond, that is, when interest rates rise the value of the bond will fall and vice versa. On the other hand, if the pattern of net cash flows (i.e., earnings) is modified so as to move in lockstep with changes in interest rates its market value of equity will behave more like an adjustable rate bond, that is, when interest rates rise or fall the value of the bond will remain at or close to par.
55 Net portfolio value represents the underlying net economic value (or net present value) of an institution's portfolio of assets and liabilities, including any off-balance sheet items. Net portfolio value is defined as the present value of assets less the present value of liabilities plus the net present value of any off-balance sheet contracts. In contrast to the GAAP-based shareholders' equity account, net portfolio value represents the shareholders' equity account expressed in present value terms.
56 The economic capital ratio is simply the economic value of an institution's equity base (net portfolio value) divided by the economic value of assets (market value of assets). Market value of assets includes the net market value of off-balance sheet contracts.
3.7.3. Components of interest rate risk
As described above, interest rate risk (IRR) is defined as the change in a bank's
portfolio value due to interest rate fluctuations. Taking on IRR is a key part of what banks
do; but taking on excessive IRR could threaten a bank's earnings and its capital base,
raising concerns for bank supervisors. In practice, IRR management systems have been
developed to measure and control such risk exposures, both in the trading book (i.e.,
assets that are relatively liquid and regularly traded) and in the banking book (i.e., assets,
such as loans, that are much less actively traded).
IRR can be roughly decomposed into four categories: re-pricing risk, yield curve
risk, basis risk, and optionality (see Basel Committee on Banking Supervision (BCBS)
2003). Re-pricing risk refers to fluctuations in interest rate levels that have differing
impacts on bank assets and liabilities; for example, a portfolio of long-term, fixed-rate
loans funded with short-term deposits (i.e., a case of duration mismatch) could
significantly decrease in value when rates increase, since the loan payments are fixed (and
funding costs have increased). Yield curve risk refers to changes in portfolio values
caused by unanticipated shifts in the slope and shape of the yield curve; for example,
short-term rates might rise faster than long-term rates, clearly affecting the profitability of
funding long-term loans with short-term deposits. Basis risk refers to the imperfect
correlation between index rates across different interest rate markets for similar maturities;
for example, a bank funding loans whose payments are based on U.S. Treasury rates with
deposits based on Libor rates is exposed to the risk of unexpected changes in the spread
between these index rates. Finally, optionality refers to risks arising from interest rate
options embedded in a bank's assets, liabilities, and off-balance-sheet positions. Such
options can be explicitly purchased from established markets for interest rate derivatives
or included as a term within a loan contract, such as the prepayment option included in
residential mortgages.
3.7.4 Interest Rate Risk (IRR) management
Banks have access to a wide array of financial tools for managing their IRR, such
as standard asset-liability management procedures and interest rate derivatives. Banks
commonly use one of two approaches when assessing aggregate IRR exposures across
their various business lines and portfolios: the traditional earnings approach and the more
challenging economic value approach. The earnings approach focuses on how interest rate
changes affect a bank's overall earnings, which are typically measured as net interest
income (the difference between total interest income and total interest expenses). Broader
measures that include non-interest income, such as revenue from mortgage servicing
activities, and expenses have become common, however. The main point of this approach
is to examine earnings sensitivity to interest rate fluctuations of different sizes.
The economic value approach takes a broader perspective on IRR management by
focusing on how interest rate changes affect total expected net cash flows from all of a
bank's operations. Thus, this approach examines expected cash flows from assets minus
expected payments on liabilities plus the expected net cash flows from off-balance-sheet
positions, such as fees charged for borrower credit lines. This approach is more
challenging to conduct since, at a minimum, it requires collecting and aggregating more
data; at the same time, it provides greater insight into a bank's aggregate IRR exposure.
In addition to such aggregate IRR management approaches, banks use more
focused IRR measurement techniques for derivatives and other instruments with
especially complex risk profiles, such as mortgage-backed securities. While the aggregate
approaches typically involve making judgmental adjustments to interest rates and tracking
their impact across the bank, the focused techniques explicitly use mathematical models
of interest rate dynamics for various index rates and their yield curves. For example, many
possible future interest rate paths are generated and used to examine the potential effects
of interest rate changes on portfolio values, investment returns, and cash flows from
different assets. Since the models can examine the components of interest rate risk
separately, risk managers use them to gauge and control their portfolios' exposures to a
broader range of interest rate fluctuations. In theory, the more sophisticated IRR
management techniques could be applied to the bank as a whole. Important developments
in this direction have been made, but several important challenges still remain, especially
in aggregating IRR exposures across business lines.
A key advantage of these mathematical IRR management techniques is that they
provide a consistent framework for analyzing a wide variety of possible interest rate
scenarios. For example, banks can consider multiple scenarios accounting for changes in
the general level of interest rates and changes in the relationships among interest rates.
However, since models are just simplifications of actual phenomena, prudent IRR
management requires considering extreme scenarios that might not be within a given
model's structure. This practice is commonly called stress testing, since the underlying
model and IRR management system are "stressed" by examining uncommon, although
plausible, scenarios. Common stress scenarios include abrupt changes in the general level
of interest rates (i.e., re-pricing risk), changes in the relationships among key market rates
(i.e., basis risk), changes in the slope and shape of the yield curve (i.e., yield curve risk),
changes in the liquidity of key financial markets, and changes in the volatility of market
rates. Optionality risks typically are affected by all of these scenarios.
3.7.5. Sources of Interest Rate Risk
The adequacy of a bank's IRR management system depends on its ability to
identify and effectively capture all material activities and products that expose the bank to
interest rate risk and then measure the specific risks presented. A review of the following
items will allow examiners to identify material bank exposures and the type of risks
presented.
Interest Rate Risk Standards Analysis (IRRSA),
Bank interest rate risk analysis, and independent review findings,
Related bank policies and procedures,
Balance sheet and account data,
Strategic and business plans,
Product pricing guidelines,
Hedging or derivative activity, and
Current and prior related examination findings.
Funding sources
Funding sources may create re-pricing risk, basis risk, yield curve risk, or option
risk. Examiners should evaluate the fundamental relationship between funding sources
and asset structure. Potentially volatile or market-based funding sources may increase
interest rate risk, especially when matched to a longer-term asset portfolio. For example,
fixed-rate mortgages funded by purchased National funds create re-pricing risk. Funding
costs may increase substantially, while asset yields remain fixed.
Non-maturity deposits
Non-maturity deposits may mitigate some interest rate risk. Non-maturity deposit
funding costs generally demonstrate less volatility than market interest rates. As a result,
high non-maturity deposit volumes may actually reduce re-pricing risk and moderate
overall IRR. However, significant interest rate or economic changes can rapidly alter
customers' non-maturity deposit behavior.
Non-maturity deposit assumptions are crucial components of any interest rate risk
measurement system and require careful review and analysis. Those assumptions should
be reasonable and well supported.
Off-balance sheet derivatives
Off-balance sheet derivatives may introduce complex interest rate risk exposures.
Depending on the specific instrument, derivatives may create re-pricing, basis, yield
curve, option, or price risk.
Mortgage banking operations
Mortgage banking operations create price risk within the loan pipeline, held-for-
sale portfolio, and mortgage servicing rights portfolio. Interest rate changes affect not
only current values, but also determine future business volume and related fee income.
Fee income businesses
Fee income businesses may contain IRR, particularly mortgage banking, trust,
credit card servicing, and non-deposit investment sales. Changing interest rates may
dramatically affect such activities.
Product pricing strategies
Product pricing strategies may introduce IRR, particularly basis risk or yield curve
risk. If funding sources and assets are linked to different market indices, then basis risk
exists. If funding sources and assets are linked to similar indices with different maturities,
then yield curve risk exists.
Embedded options
Embedded options associated with assets, liabilities, and off-balance sheet
derivatives can create interest rate risk. Embedded options include any feature that can
alter an instrument's cash flows when interest rates change. Many instruments contain
various embedded options, including:
Non-maturity deposits,
Callable bonds,
Structured notes,
Derivatives,
Mortgage loans, and
Mortgage-backed securities (MBS).
Mortgage loans and MBSs contain prepayment options. Borrowers may prepay
loan principal at any time, which alters the mortgages' cash flows and creates material
interest rate risk considerations.
3.7.6. Type of Interest Rate Risk
Interest rate risk is the exposure of a bank's current or future earnings and
capital to adverse interest rate changes. Interest rate fluctuations affect earnings by
changing net interest income and other interest-sensitive income and expense levels.
Interest rate changes affect capital by changing the net present value of a bank's future
cash flows, and the cash flows themselves, as rates change. Accepting this risk is a normal
part of banking and can be an important source of profitability and shareholder value.
However, excessive interest rate risk can threaten banks' earnings, capital, liquidity, and
solvency. As noted above, interest rate risk has many components, including re-pricing risk,
basis risk, yield curve risk, option risk, and price risk, each of which can be described as
follows:
Re-pricing risk
Re-pricing risk results from timing differences between coupon changes or cash
flows from assets, liabilities, and off-balance sheet instruments. For example, long-term
fixed-rate securities funded by short-term deposits may create re-pricing risk. If interest
rates change, then deposit-funding costs will change more quickly than the yield on the
securities. Likewise, the present value of the securities (i.e., their market price) will
change more than the value of the deposits, thereby affecting the value of capital.
Basis risk
Basis risk results from weak correlation between coupon rate changes for assets,
liabilities, and off-balance sheet instruments. For example, LIBOR-based deposit rates
may change by 50 basis points, while Prime-based loan rates may only change by 25
basis points during the same period.
Yield curve risk
Yield curve risk results from changing rate relationships between different
maturities of the same index. For example, a 30-year Treasury bond's yield may change
by 200 basis points, but a three-year Treasury note's yield may change by only 50 basis
points during the same time period.
Option risk
Option risk results when a financial instrument's cash flow timing or amount can
change because of market interest rate changes. This can adversely affect earnings by
reducing asset yields or increasing funding costs, and it may reduce the net present value
of expected cash flows.
For example, assume that a bank purchased a callable bond, issued when market
interest rates were 10 percent, that pays a 10 percent coupon and matures in 30 years. If
market rates decline to eight percent, the bond's issuer will call the bond (new debt will be
less costly). [17]
At call, the issuer effectively repurchases the bond from the bank. As a result, the
bank will not receive the cash flows that it originally expected (10 percent for 30 years).
Instead, the bank must invest that principal at the new, lower market rate.
Examples of instruments with embedded options include various types of bonds
and notes with call or put provisions, loans which give borrowers the right to prepay
balances, and various types of non-maturity deposit instruments which give depositors the
right to withdraw funds at any time, often without penalty.
Price risk
Price risk results from changes in the value of marked-to-market financial
instruments that occur when interest rates change.
For example, trading portfolios, held-for-sale loan portfolios, and mortgage
servicing assets contain price risk. When interest rates decrease, mortgage servicing asset
values generally decrease. Since those assets are marked-to-market, any value loss must
be reflected in current earnings.
3.7.7 Supervisory guidelines
The general principles on IRR management issued by the BCBS are
intended to be used in the supervisory evaluation of the adequacy and
effectiveness of bank IRR management systems and in developing supervisory responses
to these systems. The principles are based on the current IRR management practices of
large international banks and are intended for IRR exposures arising from trading and
book activities.
The principles advocate that banks have in place comprehensive management
systems that measure and control IRR exposures effectively. The systems must be subject
to appropriate board of directors and senior management oversight. Specifically with
respect to supervisors, the principles advocate that banks' own IRR management systems
should, whenever possible, form the basis of supervisors' measurement of and response to
their interest rate sensitivity. The BCBS principles can be grouped into four categories:
IRR management oversight issues, issues related to adequate bank policies and
procedures, issues specific to IRR monitoring and control, and specific supervisory issues.
With respect to management oversight issues, the principles state that a bank's
board of directors should approve IRR strategies and policies and ensure that senior
management effectively monitors, communicates, and controls these risks. Furthermore,
risk managers within the IRR management system must be independent from the risk-
taking functions of the bank in order to avoid potential conflicts of interest. Risk managers
also should be able to report IRR exposures directly to senior management and the board
of directors.
Senior management must ensure that a bank's IRR policies and procedures are
clearly defined and consistent with the nature and complexity of the bank's activities. For
example, senior management could articulate its risk tolerance, both for the bank as a
whole and for the disaggregated business units, by crafting policy statements identifying
specific interest rate instruments and activities that are permissible. When proposing new
interest rate products or activities, management should work to identify the inherent risks
clearly and ensure that adequate procedures and controls are in place before introducing
them.
With respect to IRR monitoring and control issues, banks must capture all material
IRR exposures, whether in their trading or banking books, within their management
systems. Operating limits and related practices for keeping IRR exposures within levels
consistent with internal policies must be clearly established and enforced. Furthermore, all
IRR modeling assumptions and parameters must be well documented and updated with
reasonable frequency. Stress-testing should be regularly used to assess the bank's interest
rate sensitivity and examine the appropriateness of key modeling assumptions. Stress-test
results must be considered when establishing and reviewing IRR policies and procedures.
A bank must have adequate information systems for reporting accurate IRR exposure
information on a timely basis to its board of directors and senior management. Finally,
effective IRR management systems require regular evaluations by independent auditors,
whether internal or external.
With respect to supervisory issues, the BCBS principles address four main
concerns. First, since banks' own systems are to form the basis of supervisory oversight of
IRR management, supervisors should receive sufficient and timely information with
which to evaluate banks' IRR systems. For example, supervisors should have ready access
to information on the range of maturities and currencies in bank portfolios, including off-
balance-sheet items. Information contained in internal management reports, such as
earnings and economic value estimates, and the results of stress tests would be useful.
Second, banks should disclose publicly information on their aggregate IRR exposures and
their policies for managing them. The BCBS has issued recommendations for the public
disclosure of information on IRR as part of the overall review of the Basel Accord (Lopez
2003).
Third, to facilitate supervisory monitoring of IRR exposures across institutions,
banks should try to use standardized rate changes to provide the results of their internal
measurement systems, expressed in terms of changes to economic value. According to the
BCBS guidelines, these rate changes should in principle be determined by banks but
based on the recommended criteria. For example, for IRR exposures in G-10 currencies,
banks should consider either a parallel rate change of ±200 basis points or the changes
implied by the 1st and 99th percentiles of historically observed interest rate changes over
at least five years. Fourth, senior management and boards of directors should periodically
review both the design and the results of their stress tests. Supervisors will continue to
expect institutions to examine multiple scenarios in evaluating the appropriate level of
their IRR exposures.
If supervisors determine that a bank's management system does not capture its IRR
exposures fully, the bank would be required to bring its system up to the appropriate
supervisory standards. If supervisors determine that a bank is not holding sufficient capital
for its level of IRR exposure, especially in the banking book, remedial action should be
considered, requiring the bank to reduce its risk or to set aside additional capital or a
combination of the two, depending on the situation.
3.7.8 Interest rate risk measurement techniques
This section provides a brief overview of the various techniques used by banks to
measure the exposure of earnings and of economic value to changes in interest rates. The
variety of the techniques ranges from calculations that rely on simple maturity and re-
pricing tables, to static simulations based on current on- and off-balance sheet positions,
to highly sophisticated dynamic modeling techniques that incorporate assumptions about
the behavior of the bank and its customers in response to changes in the interest rate
environment. Some of these general approaches can be used to measure interest rate risk
exposure from both an earnings and an economic value perspective, while others are more
typically associated with only one of these two perspectives. In addition, the methods vary
in their ability to capture the different forms of interest rate exposure: the simplest
methods are intended primarily to capture the risks arising from maturity and re-pricing
mismatches, while the more sophisticated methods can more easily capture the full range
of risk exposures.
As this discussion suggests, the various measurement approaches described below
have their strengths and weaknesses in terms of providing accurate and reasonable
measures of interest rate risk exposure. Ideally, a bank's interest rate risk measurement
system would take into account the specific characteristics of each individual interest
sensitive position, and would capture in detail the full range of potential movements in
interest rates. In practice, however, measurement systems embody simplifications that
move away from this ideal. For instance, in some approaches, positions may be
aggregated into broad categories, rather than modeled separately, introducing a degree of
measurement error into the estimation of their interest rate sensitivity. Similarly, the
nature of interest rate movements that each approach can incorporate may be limited: in
some cases, only a parallel shift of the yield curve may be assumed or less than perfect
correlations between interest rates may not be taken into account. Finally, the various
approaches differ in their ability to capture the optionality inherent in many positions and
instruments. The discussion in the following sections will highlight the areas of
simplification that typically characterize each of the major interest rate risk measurement
techniques.
A. Re-pricing Schedules
The simplest techniques for measuring a bank's interest rate risk exposure begin
with a maturity/re-pricing schedule that distributes interest-sensitive assets, liabilities and
off balance sheet positions into a certain number of predefined time bands according to
their maturity (if fixed rate) or time remaining to their next re-pricing (if floating rate).
Those assets and liabilities lacking definitive re-pricing intervals (e.g. sight deposits or
savings accounts) or actual maturities that could vary from contractual maturities (e.g.
mortgages with an option for early repayment) are assigned to re-pricing time bands
according to the judgment and past experience of the bank.
Gap analysis: Simple maturity/re-pricing schedules can be used to generate simple
indicators of the interest rate risk sensitivity of both earnings and economic value to
changing interest rates. When this approach is used to assess the interest rate risk of
current earnings, it is typically referred to as gap analysis. Gap analysis was one of the
first methods developed to measure a bank's interest rate risk exposure, and continues to
be widely used by banks. To evaluate earnings exposure, interest rate sensitive liabilities
in each time band are subtracted from the corresponding interest rate sensitive assets to
produce a re-pricing "gap" for that time band. This gap can be multiplied by an assumed
change in interest rates to yield an approximation of the change in net interest income that
would result from such an interest rate movement. The size of the interest rate movement
used in the analysis can be based on a variety of factors, including historical experience,
simulation of potential future interest rate movements, and the judgment of bank
management.
A negative, or liability-sensitive, gap occurs when liabilities exceed assets
(including off-balance sheet positions) in a given time band. This means that an increase
in market interest rates could cause a decline in net interest income. Conversely, a
positive, or asset sensitive, gap implies that the bank's net interest income could decline
because of a decrease in the level of interest rates.
These simple gap calculations can be augmented by information on the average
coupon on assets and liabilities in each time band. This information can be used to place
the results of the gap calculations in context. For instance, information on the average
coupon rate could be used to calculate estimates of the level of net interest income arising
from positions maturing or re-pricing within a given time band, which would then provide
a "scale" to assess the changes in income implied by the gap analysis.
Although gap analysis is a very commonly used approach to assessing interest rate
risk exposure, it has a number of shortcomings. First, gap analysis does not take account
of variation in the characteristics of different positions within a time band. In particular,
all positions within a given time band are assumed to mature or re-price simultaneously, a
simplification that is likely to have greater impact on the precision of the estimates as the
degree of aggregation within a time band increases. Moreover, gap analysis ignores
differences in spreads between interest rates that could arise as the level of market interest
rates changes (basis risk). In addition, it does not take into account any changes in the
timing of payments that might occur because of changes in the interest rate environment.
Thus, it fails to account for differences in the sensitivity of income that may arise from
option-related positions. For these reasons, gap analysis provides only a rough
approximation of the actual change in net interest income that would result from the
chosen change in the pattern of interest rates. Finally, most gap analyses fail to capture
variability in non-interest revenue and expenses, a potentially important source of risk to
current income.
Duration: A maturity/re-pricing schedule can also be used to evaluate the effects
of changing interest rates on a bank's economic value by applying sensitivity weights to
each time band. Typically, such weights are based on estimates of the duration of the
assets and liabilities that fall into each time band. Duration is a measure of the percent
change in the economic value of a position that will occur given a small change in the
level of interest rates.57 It reflects the timing and size of cash flows that occur before the
instrument's contractual maturity. Generally, the longer the maturity or next re-pricing
dates of the instrument and the smaller the payments that occur before maturity (e.g.
coupon payments), the higher the duration (in absolute value). Higher duration implies
that a given change in the level of interest rates will have a larger impact on economic
value.
Duration-based weights can be used in combination with a maturity/re-pricing
schedule to provide a rough approximation of the change in a bank's economic value that
would occur given a particular change in the level of market interest rates. Specifically, an
"average" duration is assumed for the positions that fall into each time band. The average
durations are then multiplied by an assumed change in interest rates to construct a weight
for each time band. In some cases, different weights are used for different positions that
fall within a time band, reflecting broad differences in the coupon rates and maturities (for
instance, one weight for assets, and another for liabilities). In addition, different interest
rate changes are sometimes used for different time bands, generally to reflect differences
in the volatility of interest rates along the yield curve. The weighted gaps are aggregated
across time bands to produce an estimate of the change in economic value of the bank that
would result from the assumed changes in interest rates.
57 In its simplest form, duration measures changes in economic value resulting from a percentage change of interest rates under the simplifying assumptions that changes in value are proportional to changes in the level of interest rates and that the timing of payments is fixed. Two important modifications of simple duration are commonly used that relax one or both of these assumptions. The first case is so-called modified duration. Modified duration - which is standard duration divided by 1 + r, where r is the level of market interest rates - is an elasticity. As such, it reflects the percentage change in the economic value of the instrument for a given percentage change in 1 + r. As with simple duration, it assumes a linear relationship between percentage changes in value and percentage changes in interest rates. The second form of duration relaxes this assumption, as well as the assumption that the timing of payments is fixed. Effective duration is the percentage change in the price of the relevant instrument for a basis point change in yield.
Alternatively, an institution could estimate the effect of changing market rates by
calculating the precise duration of each asset, liability and off-balance sheet position and
then deriving the net position for the bank based on these more accurate measures, rather
than by applying an estimated average duration weight to all positions in a given time
band. This would eliminate potential errors occurring when aggregating positions/cash
flows. As another variation, risk weights could also be designed for each time band based
on actual percent changes in market values of hypothetical instruments that would result
from a specific scenario of changing market rates. That approach - which is sometimes
referred to as effective duration - would better capture the non-linearity of price
movements arising from significant changes in market interest rates and, thereby, would
avoid an important limitation of duration.
Estimates derived from a standard duration approach may provide an acceptable
approximation of a bank's exposure to changes in economic value for relatively non-
complex banks. Such estimates, however, generally focus on just one form of interest rate
risk exposure - re-pricing risk. As a result, they may not reflect interest rate risk arising -
for instance - from changes in the relationship among interest rates within a time band
(basis risk). In addition, because such approaches typically use an average duration for
each time band, the estimates will not reflect differences in the actual sensitivity of
positions that can arise from differences in coupon rates and the timing of payments.
Finally, the simplifying assumptions that underlie the calculation of standard duration
mean that the risk of options may not be well captured.
B. Simulation Approaches
Many banks (especially those using complex financial instruments or otherwise
having complex risk profiles) employ more sophisticated interest rate risk measurement
systems than those based on simple maturity/re-pricing schedules. These simulation
techniques typically involve detailed assessments of the potential effects of changes in
interest rates on earnings and economic value by simulating the future path of interest
rates and their impact on cash flows.
In some sense, simulation techniques can be seen as an extension and refinement
of the simple analysis based on maturity/re-pricing schedules. However, simulation
approaches typically involve a more detailed breakdown of various categories of on- and
off balance sheet positions, so that specific assumptions about the interest and principal
payments and non-interest income and expense arising from each type of position can be
incorporated. In addition, simulation techniques can incorporate more varied and refined
changes in the interest rate environment, ranging from changes in the slope and shape of
the yield curve to interest rate scenarios derived from Monte Carlo simulations.
Static simulations: the cash flows arising solely from the bank's current on- and
off-balance sheet positions are assessed. For assessing the exposure of earnings,
simulations estimating the cash flows and resulting earnings streams over a specific
period are conducted based on one or more assumed interest rate scenarios. Typically,
although not always, these simulations entail relatively straightforward shifts or tilts of the yield
curve, or changes of spreads between different interest rates. When the resulting cash
flows are simulated over the entire expected lives of the bank's holdings and discounted
back to their present values, an estimate of the change in the bank's economic value can
be calculated.58
Dynamic simulation approach: the simulation builds in more detailed
assumptions about the future course of interest rates and the expected changes in a bank's
business activity over that time. For instance, the simulation could involve assumptions
about a bank's strategy for changing administered interest rates (on savings deposits, for
example), about the behavior of the bank's customers (e.g. withdrawals from sight and
savings deposits) and/or about the future stream of business (new loans or other
transactions) that the bank will encounter. Such simulations use these assumptions about
future activities and reinvestment strategies to project expected cash flows and estimate
dynamic earnings and economic value outcomes. These more sophisticated techniques
allow for dynamic interaction of payments stream and interest rates, and better capture the
effect of embedded or explicit options.
As with other approaches, the usefulness of simulation-based interest rate risk
measurement techniques depends on the validity of the underlying assumptions and the
accuracy of the basic methodology. The output of sophisticated simulations must be
assessed largely in the light of the validity of the simulation's assumptions about future
interest rates and the behavior of the bank and its customers. One of the primary concerns
that arise is that such simulations do not become "black boxes" that lead to false
confidence in the precision of the estimates.
58 The duration analysis described in the previous section can be viewed as a very simple form of static simulation.
C. Additional Issues
One of the most difficult tasks when measuring interest rate risk is how to deal
with those positions where behavioral maturity differs from contractual maturity (or
where there is no stated contractual maturity). On the asset side of the balance sheet, such
positions may include mortgages and mortgage-related securities, which can be subject to
prepayment. In some countries, borrowers have the discretion to prepay their mortgages
with little or no penalty, a situation that creates uncertainty about the timing of the cash
flows associated with these instruments. Although there is always some volatility in
prepayments resulting from demographic factors (such as death, divorce, or job transfers)
and macroeconomic conditions, most of the uncertainty surrounding prepayments arises
from the response of borrowers to movements in interest rates. In general, declines in
interest rates result in increasing levels of prepayments, as borrowers refinance their loans
at lower yields. In contrast, when interest rates rise unexpectedly, prepayment rates tend
to slow, leaving the bank with a larger than anticipated volume of mortgages paying
below current market rates.
On the liability side, such positions include so-called non-maturity deposits such
as sight deposits and savings deposits, which can be withdrawn, often without penalty, at
the discretion of the depositor. The treatment of such deposits is further complicated by
the fact that the rates received by depositors tend not to move in close correlation with
changes in the general level of market interest rates. In fact, banks can and do administer
the rates on the accounts with the specific intention of managing the volume of deposits
retained.
The treatment of positions with embedded options is an issue of special concern in
measuring the exposure of both current earnings and economic value to interest rate
changes. In addition, the issue arises across the full spectrum of approaches to interest rate
measurement, from simple gap analysis to the most sophisticated simulation techniques.
In the maturity/re-pricing schedule framework, banks typically make assumptions about
the likely timing of payments and withdrawals on these positions and "spread" the
balances across time bands accordingly. For instance, it might be assumed that certain
percentages of a pool of 30-year mortgages prepay in given years during the life of the
mortgages. As a result, a large share of the mortgage balances that would have been
assigned to the time band containing 30-year instruments would be spread among nearer
term time bands. In the simulation framework, more sophisticated behavioral assumptions
could be employed, such as the use of option-adjusted pricing models to better estimate
the timing and magnitude of cash flows under different interest rate environments. In
addition, the simulations can incorporate the bank's assumptions about its likely future
treatment of administered interest rates on non-maturity deposits.
As with other elements of interest rate risk measurement, the quality of the
estimates of interest rate risk exposure depends on the quality of the assumptions about
the future cash flows on the positions with uncertain maturities. Banks typically look to
the past behavior of such positions for guidance about these assumptions. For instance,
econometric or statistical analysis can be used to analyze the behavior of a bank's holdings
in response to past interest rate movements. Such analysis is particularly useful to assess
the likely behavior of non-maturity deposits, which can be influenced by bank-specific
factors such as the nature of the bank's customers and local or regional market conditions.
In the same vein, banks may use statistical prepayment models - either models developed
internally by the bank or models purchased from outside developers - to generate
expectations about mortgage-related cash flows. Finally, input from managerial and
business units within the bank could have an important influence, since these areas may
be aware of planned changes to business or re-pricing strategies that could affect the
behavior of the future cash flows of positions with uncertain maturities.
D. Sound interest rate risk management practices
Sound interest rate risk management involves the application of four basic
elements in the management of assets, liabilities and off-balance-sheet instruments:
Appropriate board and senior management oversight;
Adequate risk management policies and procedures;
Appropriate risk measurement, monitoring and control functions; and
Comprehensive internal controls and independent audits.
The specific manner in which a bank applies these elements in managing its
interest rate risk will depend upon the complexity and nature of its holdings and activities
as well as on the level of interest rate risk exposure. What constitutes adequate interest
rate risk management practices can therefore vary considerably. For example, less
complex banks whose senior managers are actively involved in the details of day-to-day
operations may be able to rely on relatively basic interest rate risk management processes.
However, other organizations that have more complex and wide-ranging activities are
likely to require more elaborate and formal interest rate risk management processes, to
address their broad range of financial activities and to provide senior management with
the information they need to monitor and direct day-to-day activities. Moreover, the more
complex interest rate risk management processes employed at such banks require
adequate internal controls that include audits or other appropriate oversight mechanisms
to ensure the integrity of the information used by senior officials in overseeing
compliance with policies and limits. The duties of the individuals involved in the risk
measurement, monitoring and control functions must be sufficiently separate and
independent from the business decision makers and position takers to ensure the
avoidance of conflicts of interest.
As with other risk factor categories, the Committee believes that interest rate risk
should be monitored on a consolidated, comprehensive basis, to include interest rate
exposures in subsidiaries. At the same time, however, institutions should fully recognize
any legal distinctions and possible obstacles to cash flow movements among affiliates and
adjust their risk management process accordingly. While consolidation may provide a
comprehensive measure in respect of interest rate risk, it may also underestimate risk
when positions in one affiliate are used to offset positions in another affiliate. This is
because a conventional accounting consolidation may allow theoretical offsets between
such positions from which a bank may not be able to benefit in practice, because of legal
or operational constraints. Management should recognize the potential for consolidated
measures to understate risks in such circumstances.
3.7.9 Adequate risk management policies and procedures
Banks should have clearly defined policies and procedures for limiting and
controlling interest rate risk. These policies should be applied on a consolidated basis and,
as appropriate, at specific affiliates or other units of the bank. Such policies and
procedures should delineate lines of responsibility and accountability over interest rate
risk management decisions and should clearly define authorized instruments, hedging
strategies and position taking opportunities. Interest rate risk policies should also identify
quantitative parameters that define the level of interest rate risk acceptable for the bank.
Where appropriate, such limits should be further specified for certain types of
instruments, portfolios, and activities. All interest rate risk policies should be reviewed
periodically and revised as needed. Management should define the specific procedures
and approvals necessary for exceptions to policies, limits and authorizations.59
A policy statement identifying the types of instruments and activities that the bank
may employ or conduct is one means whereby management can communicate their
tolerance of risk on a consolidated basis and at different legal entities. If such a statement
is prepared, it should clearly identify permissible instruments, either specifically or by
their characteristics, and should describe the purposes or objectives for which they may be
used. The statement should also delineate a clear set of institutional procedures for
acquiring specific instruments, managing portfolios, and controlling the bank's aggregate
interest rate risk exposure.
Products and activities that are new to the bank should undergo a careful
pre-acquisition review to ensure that the bank understands their interest rate risk
characteristics and can incorporate them into its risk management process. When
analyzing whether or not a product or activity introduces a new element of interest rate
risk exposure, the bank should be aware that changes to an instrument's maturity,
repricing or repayment terms can materially affect the product's interest rate risk
characteristics. To take a simple example, a decision to buy and hold a 30 year treasury
bond would represent a significantly different interest rate risk strategy for a bank that had
previously limited its investment maturities to less than 3 years. Similarly, a bank
specializing in fixed-rate short-term commercial loans that then engages in residential
fixed-rate mortgage lending should be aware of the optionality features of the risk
embedded in many mortgage products that allow the borrower to prepay the loan at any
time with little, if any, penalty.60
59 Principle 4: It is essential that banks' interest rate risk policies and procedures are clearly defined and consistent with the nature and complexity of their activities. These policies should be applied on a consolidated basis and, as appropriate, at the level of individual affiliates, especially when recognizing legal distinctions and possible obstacles to cash movements among affiliates.
60 Principle 5: It is important that banks identify the interest rate risks inherent in new products and activities and ensure these are subject to adequate procedures and controls before being introduced or undertaken. Major hedging or risk management initiatives should be approved in advance by the board or its appropriate delegated committee.
Prior to introducing a new product, hedging, or position-taking strategy,
management should ensure that adequate operational procedures and risk control systems
are in place. The board or its appropriate delegated committee should also approve major
hedging or risk management initiatives in advance of their implementation. Proposals to
undertake new instruments or new strategies should contain these features:
A description of the relevant product or strategy;
An identification of the resources required to establish sound and effective
interest rate risk management of the product or activity;
An analysis of the reasonableness of the proposed activities in relation to the
bank's overall financial condition and capital levels; and
The procedures to be used to measure, monitor, and control the risks
of the proposed product or activity.
In general, but depending on the complexity and range of activities of the
individual bank, banks should have interest rate risk measurement systems that assess the
effects of rate changes on both earnings and economic value. These systems should
provide meaningful measures of a bank's current levels of interest rate risk exposure, and
should be capable of identifying any excessive exposures that might arise.
Measurement systems should:
Assess all material interest rate risk associated with a bank's assets, liabilities,
and OBS positions;
Utilize generally accepted financial concepts and risk measurement techniques;
and
Have well documented assumptions and parameters.
As a rule, it is desirable for any measurement system to incorporate interest rate
risk exposures arising from the full scope of a bank's activities, including both trading and
non-trading sources. This does not preclude different measurement systems and risk
management approaches being used for different activities; however, management should
have an integrated view of interest rate risk across products and business lines.
A bank's interest rate risk measurement system should address all material sources
of interest rate risk including repricing, yield curve, basis and option risk exposures. In
many cases, the interest rate characteristics of a bank's largest holdings will dominate its
aggregate risk profile. While all of a bank's holdings should receive appropriate treatment,
measurement systems should evaluate such concentrations with particular rigor. Interest
rate risk measurement systems should also provide rigorous treatment of those
instruments, which might significantly affect a bank's aggregate position, even if they do
not represent a major concentration. Instruments with significant embedded or explicit
option characteristics should receive special attention.
A number of techniques are available for measuring the interest rate risk exposure
of both earnings and economic value. Their complexity ranges from simple calculations to
static simulations using current holdings to highly sophisticated dynamic modeling
techniques that reflect potential future business and business decisions.
The simplest techniques for measuring a bank's interest rate risk exposure begin
with a maturity/repricing schedule that distributes interest-sensitive assets, liabilities and
OBS positions into "time bands" according to their maturity (if fixed rate) or time
remaining to their next repricing (if floating rate). These schedules can be used to generate
simple indicators of the interest rate risk sensitivity of both earnings and economic value
to changing interest rates. When this approach is used to assess the interest rate risk of
current earnings, it is typically referred to as gap analysis. The size of the gap for a given
time band - that is, assets minus liabilities plus OBS exposures that reprice or mature
within that time band - gives an indication of the bank's repricing risk exposure.
A maturity/repricing schedule can also be used to evaluate the effects of changing
interest rates on a bank's economic value by applying sensitivity weights to each time
band. Typically, such weights are based on estimates of the duration of the assets and
liabilities that fall into each time-band, where duration is a measure of the percent change
in the economic value of a position that will occur given a small change in the level of
interest rates. Duration-based weights can be used in combination with a
maturity/repricing schedule to provide a rough approximation of the change in a bank's
economic value that would occur given a particular set of changes in market interest rates.
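The following added example (not part of the source text) works through the duration-weighted maturity/repricing schedule described above, and sets it beside the scenario-based ("effective duration") weights discussed earlier so the effect of non-linearity is visible. The time bands, balances, 6% coupon and yield, and the 2 percentage point rate change are all constructed assumptions.

```python
# Added example (not from the source text): duration-weighted gap schedule.
# Every band, balance, coupon, yield and rate shock below is constructed.
from dataclasses import dataclass


@dataclass
class Band:
    name: str
    maturity: float      # assumed representative maturity of the band, in years
    assets: float
    liabilities: float
    shock: float         # assumed rate change for this band (0.02 = 2 points)


def cash_flows(maturity, coupon):
    """Hypothetical instrument per unit of face value.

    Up to one year: a single payment of principal plus accrued coupon.
    Beyond one year: annual coupons (maturity must be a whole number of years).
    """
    if maturity <= 1:
        return [(maturity, 1 + coupon * maturity)]
    n = int(maturity)
    return [(t, coupon + (1.0 if t == n else 0.0)) for t in range(1, n + 1)]


def present_value(flows, y):
    return sum(cf / (1 + y) ** t for t, cf in flows)


def modified_duration(flows, y):
    """Standard duration divided by 1 + r, as in the footnote on duration."""
    pv = present_value(flows, y)
    standard = sum(t * cf / (1 + y) ** t for t, cf in flows) / pv
    return standard / (1 + y)


def duration_weight(band, coupon, y):
    """Average duration assumed for the band times the assumed rate change."""
    return modified_duration(cash_flows(band.maturity, coupon), y) * band.shock


def effective_weight(band, coupon, y):
    """Actual fractional fall in value of the hypothetical instrument
    when it is repriced at y + shock (captures non-linearity)."""
    flows = cash_flows(band.maturity, coupon)
    before = present_value(flows, y)
    return (before - present_value(flows, y + band.shock)) / before


def change_in_economic_value(bands, weight_fn, coupon=0.06, y=0.06):
    """Aggregate the weighted gaps; a positive weighted gap is a loss."""
    return -sum((b.assets - b.liabilities) * weight_fn(b, coupon, y)
                for b in bands)


SHOCK = 0.02  # constructed: the same rate change in every band
SCHEDULE = [  # constructed balance sheet: short-funded, long-invested
    Band("0-6m", 0.25, 200, 500, SHOCK),
    Band("6-12m", 0.75, 150, 250, SHOCK),
    Band("1-3y", 2, 250, 150, SHOCK),
    Band("3-5y", 4, 200, 60, SHOCK),
    Band("5-10y", 8, 150, 30, SHOCK),
    Band(">10y", 15, 50, 10, SHOCK),
]

if __name__ == "__main__":
    print(f"{'band':<7}{'gap':>7}{'dur.wt':>9}{'eff.wt':>9}")
    for b in SCHEDULE:
        print(f"{b.name:<7}{b.assets - b.liabilities:>7.0f}"
              f"{duration_weight(b, 0.06, 0.06):>9.4f}"
              f"{effective_weight(b, 0.06, 0.06):>9.4f}")
    print("duration-weighted change:",
          round(change_in_economic_value(SCHEDULE, duration_weight), 2))
    print("scenario-weighted change:",
          round(change_in_economic_value(SCHEDULE, effective_weight), 2))
```

For a rate rise, the duration weights are larger than the scenario-based weights in every band, so the duration-weighted schedule reports the larger loss for this balance sheet.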
Many banks (especially those using complex financial instruments or otherwise
having complex risk profiles) employ more sophisticated interest rate risk measurement
systems than those based on simple maturity/repricing schedules. These simulation
techniques typically involve detailed assessments of the potential effects of changes in
interest rates on earnings and economic value by simulating the future path of interest
rates and their impact on cash flows. In static simulations, the cash flows arising solely
from the bank's current on- and off-balance sheet positions are assessed. In a dynamic
simulation approach, the simulation builds in more detailed assumptions about the future
course of interest rates and expected changes in a bank's business activity over that time.
These more sophisticated techniques allow for dynamic interaction of payments streams
and interest rates, and better capture the effect of embedded or explicit options.
Regardless of the measurement system, the usefulness of each technique depends
on the validity of the underlying assumptions and the accuracy of the basic methodologies
used to model interest rate risk exposure. In designing interest rate risk measurement
systems, banks should ensure that the degree of detail about the nature of their interest
sensitive positions is commensurate with the complexity and risk inherent in those
positions. For instance, using gap analysis, the precision of interest rate risk measurement
depends in part on the number of time bands into which positions are aggregated. Clearly,
aggregation of positions/cash flows into broad time bands implies some loss of precision.
In practice, the bank must assess the significance of the potential loss of precision in
determining the extent of aggregation and simplification to be built into the measurement
approach.
Estimates of interest rate risk exposure, whether linked to earnings or economic
value, utilize, in some form, forecasts of the potential course of future interest rates. For
risk management purposes, banks should incorporate a change in interest rates that is
sufficiently large to encompass the risks attendant to their holdings. Banks should
consider the use of multiple scenarios, including potential effects in changes in the
relationships among interest rates (i.e. yield curve risk and basis risk) as well as changes
in the general level of interest rates. For example, for determining probable changes in
interest rates, simulation techniques could be used. Statistical analysis can also play an
important role in evaluating correlation assumptions with respect to basis or yield curve
risk.
The integrity and timeliness of data on current positions is also a key component of the
risk measurement process. A bank should ensure that all material positions and cash flows,
whether stemming from on- or off-balance-sheet positions, are incorporated into the
measurement system on a timely basis. Where applicable, these data should include
information on the coupon rates or cash flows of associated instruments and contracts. Any
manual adjustments to underlying data should be clearly documented, and the nature and
reasons for the adjustments should be clearly understood. In particular, any adjustments to
expected cash flows for expected prepayments or early redemptions should be well
reasoned and such adjustments should be available for review.61
In assessing the results of interest rate risk measurement systems, it is important
that the assumptions underlying the system are clearly understood by risk managers and
bank management. In particular, techniques using sophisticated simulations should be
used carefully so that they do not become "black boxes", producing numbers that have the
appearance of precision, but that in fact are not very accurate when their specific
assumptions and parameters are revealed. Key assumptions should be recognized by
senior management and risk managers and should be re-evaluated at least annually. They
should also be clearly documented and their significance understood. Assumptions used in
assessing the interest rate sensitivity of complex instruments and instruments with
uncertain maturities should be subject to particularly rigorous documentation and review.
When measuring interest rate risk exposure, two further aspects call for more
specific comment:
The treatment of those positions where behavioral maturity differs from
contractual maturity and
The treatment of positions denominated in different currencies.
Positions such as savings and sight deposits may have contractual maturities or may be
open-ended, but in either case, depositors generally have the option to make withdrawals
at any time. In addition, banks often choose not to move rates paid on these deposits in
line with changes in market rates. These factors complicate the measurement of interest
rate risk exposure, since not only the value of the positions but also the timing of their
cash flows can change when interest rates vary. With respect to banks' assets, prepayment
features of mortgages and mortgage related instruments also introduce uncertainty about
the timing of cash flows on these positions. These issues are described in more detail in
Annex 1, which forms an integral part of this text.
61 Principle 6: It is essential that banks have interest rate risk measurement systems that capture all material sources of interest rate
risk and that assess the effect of interest rate changes in ways that are consistent with the scope of their activities. The assumptions
underlying the system should be clearly understood by risk managers and bank management.
Banks with positions denominated in different currencies can expose themselves
to interest rate risk in each of these currencies. Since yield curves vary from currency to
currency, banks generally need to assess exposures in each. Banks with the necessary
skills and sophistication, and with material multi-currency exposures, may choose to
include in their risk measurement process methods to aggregate their exposures in
different currencies using assumptions about the correlation between interest rates in
different currencies. A bank that uses correlation assumptions to aggregate its risk
exposures should periodically review the stability and accuracy of those assumptions. The
bank also should evaluate what its potential risk exposure would be in the event that such
correlations break down.
3.7.10 Internal controls
Banks should have adequate internal controls to ensure the integrity of their
interest rate risk management process. These internal controls should be an integral part of
the institution's overall system of internal control. They should promote effective and
efficient operations, reliable financial and regulatory reporting, and compliance with
relevant laws, regulations and institutional policies. An effective system of internal
control for interest rate risk includes:
A strong control environment;
An adequate process for identifying and evaluating risk;
The establishment of control activities such as policies, procedures and
methodologies;
Adequate information systems; and,
Continual review of adherence to established policies and procedures.
With regard to control policies and procedures, attention should be given to
appropriate approval processes, exposure limits, reconciliation, reviews and other
mechanisms designed to provide a reasonable assurance that the institution's interest rate
risk management objectives are achieved. Many attributes of a sound risk management
process, including risk measurement, monitoring and control functions, are key aspects of
an effective system of internal control. Banks should ensure that all aspects of the internal
control system are effective, including those aspects that are not directly part of the risk
management process.
In addition, an important element of a bank's internal control system over its interest
rate risk management process is regular evaluation and review. This includes ensuring that
personnel are following established policies and procedures, as well as ensuring that the
procedures that were established actually accomplish the intended objectives. Such reviews
and evaluations should also address any significant change that may impact the
effectiveness of controls, such as changes in market conditions, personnel, technology, and
structures of compliance with interest rate risk exposure limits, and ensure that appropriate
follow-up with management has occurred for any limits that were exceeded. Management
should ensure that all such reviews and evaluations are conducted regularly by individuals
who are independent of the function they are assigned to review. When revisions or
enhancements to internal controls are warranted, there should be a mechanism in place to
ensure that these are implemented in a timely manner.62
Reviews of the interest rate risk measurement system should include assessments
of the assumptions, parameters, and methodologies used. Such reviews should seek to
understand, test, and document the current measurement process, evaluate the system's
accuracy, and recommend solutions to any identified weaknesses. If the measurement
system incorporates one or more subsidiary systems or processes, the review should
include testing aimed at ensuring that the subsidiary systems are well integrated and
consistent with each other in all critical respects. The results of this review, along with
any recommendations for improvement, should be reported to senior management and/or
the board and acted upon in a timely manner.
The frequency and extent to which a bank should re-evaluate its risk measurement
methodologies and models depend, in part, on the particular interest rate risk exposures
created by holdings and activities, the pace and nature of market interest rate changes, and
the pace and complexity of innovation with respect to measuring and managing interest
rate risk.
62 Principle 10: Banks must have an adequate system of internal controls over their interest rate risk management process. A fundamental component of the internal control system involves regular independent reviews and evaluations of the effectiveness of the system and, where necessary, ensuring that appropriate revisions or enhancements to internal controls are made. The results of such reviews should be available to relevant supervisory authorities.
Banks, particularly those with complex risk exposures, should have their
measurement, monitoring and control functions reviewed on a regular basis by an
independent party (such as an internal or external auditor). In such cases, reports written
by external auditors or other outside parties should be available to relevant supervisory
authorities. It is essential that any independent reviewer ensures that the bank's risk
measurement system is sufficient to capture all material elements of interest rate risk,
whether arising from on- or off-balance sheet activities. Such a reviewer should consider
the following factors in making the risk assessment:
The quantity of interest rate risk, e.g.
o The volume and price sensitivity of various products;
o The vulnerability of earnings and capital under differing rate
changes including yield curve twists;
o The exposure of earnings and economic value to various other
forms of interest rate risk, including basis and optionality risk.
The quality of interest rate risk management, e.g.
o Whether the bank's internal measurement system is appropriate to
the nature, scope, and complexities of the bank and its activities;
o Whether the bank has an independent risk control unit responsible
for the design and administration of the risk measurement, monitoring and control
functions;
o Whether the board of directors and senior management are
actively involved in the risk control process;
o Whether internal policies, controls and procedures concerning
interest rate risk are well documented and complied with;
o Whether the assumptions of the risk measurement system are well
documented, data accurately processed, and data aggregation is proper and reliable; and
o Whether the organization has adequate staffing to conduct a sound
risk management process.
In those instances where the independent review is conducted by internal auditors, banks
are encouraged to have the risk measurement, monitoring and control functions
periodically reviewed by external auditors.
3.7.11 Information for supervisory authorities
Supervisory authorities should obtain sufficient information to assess individual
banks' interest rate risk exposures, on a regular basis. In order to minimize reporting
burden, internal management reports are the preferred method for obtaining this
information, but it could also be obtained through standardized reports that are submitted
by banks, through on-site examinations, or by other means. The precise information
obtained could differ among supervisors, but must include the results of the standardized
rate shock applied under Principle 14. As a minimum, supervisors should have enough
information to identify and monitor banks that have significant repricing mismatches.
Information contained in internal management reports, such as maturity/repricing gaps,
earnings and economic value simulation estimates, and the results of stress tests can be
particularly useful in this regard.
Supervisors may want to collect additional information on those positions where
the behavioral maturity is different from the contractual maturity. Reviewing the results of
a bank's internal model, perhaps under a variety of different assumptions, scenarios and
stress tests, can also be highly informative.
Banks operating in different currencies can expose themselves to interest rate risk
in each of these currencies. Supervisory authorities, therefore, will want banks to analyze
their exposures in different currencies separately, at least when exposures in different
currencies are material.
Another question is the extent to which interest rate risk should be viewed on a
whole bank basis or whether the trading book, which is marked to market, and the
banking book, which is often not, should be treated separately. As a rule, it is desirable for
any measurement system to incorporate interest rate risk exposures arising from the full
scope of a bank's activities, including both trading and non-trading sources. This does not
preclude different measurement systems and risk management approaches being used for
different activities; however, management should have an integrated view of interest rate
risk across products and business lines. Supervisors may want to obtain more specific
information on how trading and non-trading activities are measured and incorporated into
a single measurement system. They should also ensure that interest rate risk in both
trading and non-trading activities is properly managed and controlled.
A meaningful analysis of interest rate risk is only possible if the supervisor
receives the relevant information regularly and on a timely basis. Since the risk profile in
the traditional banking business changes less rapidly than in the trading business,
quarterly or semi-annual reporting of the former may be sufficient for many banks.63
3.7.12 Capital adequacy
Changes in interest rates expose banks to the risk of loss, which may, in
extreme cases, threaten the survival of the institution. In addition to adequate systems and
controls, capital has an important role to play in mitigating and supporting this risk. As
part of sound management, banks translate the level of interest rate risk they undertake,
whether as part of their trading or non-trading activities, into their overall evaluation of
capital adequacy, although there is no general agreement on the methodologies to be used
in this process.
In cases where banks undertake significant interest rate risk in the course of their
business strategy, a substantial amount of capital should be allocated specifically to
support this risk.
Where interest rate risk is undertaken as part of a bank's trading activities, the
supervisory capital treatment of that risk is set out in the Market Risk Amendment. Where
it is undertaken as part of a bank's non-trading activities, the supervisory treatment,
covering both capital and other tools of supervision, is set out in Principles 14 and 15 of
this document.64
63 Principle 11: Supervisory authorities should obtain from banks sufficient and timely information with which to evaluate their level of interest rate risk. This information should take appropriate account of the range of maturities and currencies in each bank's portfolio, including off-balance-sheet items, as well as other relevant factors, such as the distinction between trading and non-trading activities.
64 Principle 12: Banks must hold capital commensurate with the level of interest rate risk they undertake.
3.7.13 Disclosure of interest rate risk
The core objective of public disclosure is to facilitate market participants'
assessment of banks' interest rate risk profiles in both the banking and trading books. The
Committee has laid down recommendations for the public disclosure of information on
interest rate risk as part of the overall review of the Accord7.
These include information about the banks' risk management processes, the
characteristics of any models used, the rate scenarios used and key assumptions on
judgmental aspects of assets and liability portfolios that drive the resulting risk measure.
3.7.14 Supervisory treatment of interest rate risk in the banking book
Supervisors should evaluate whether internal measurement systems for banking
book interest rate risk are adequate for managing risk in a safe manner and adequate for
use in supervisory evaluations of capital adequacy. Depending on the nature and scale of a
bank's business, a wide variety of methodologies could be employed in internal
measurement systems. Such evaluations could be performed through a review of internal
and external audit findings or through on-site supervisory reviews.65
A bank's internal systems must meet the following criteria, which amplify the key
points set out in Principle 6.
(a) They must assess all material interest rate risk associated with a bank's assets,
liabilities and off-balance-sheet positions in the banking book. To do this, they must
accurately incorporate all a bank's interest rate sensitive on and off-balance sheet
holdings.
(b) They must utilize generally accepted financial concepts and risk measurement
techniques. In particular, they must be capable of measuring risk on both an earnings and
economic value approach. The monitoring of interest rate risk in the banking book for
supervisory purposes would be based on risk as measured by the economic value
approach.66
(c) Their data inputs are adequately specified (commensurate with the nature and
complexity of a bank's holdings) with regard to rates, maturities, re-pricing, embedded
options and other details to provide a reasonably accurate portrayal of changes in
economic value or earnings.
(d) The system's assumptions (used to transform positions into cash flows) are
reasonable, properly documented and stable over time. This is especially important for
assets and liabilities whose behavior differs markedly from contractual maturity or
repricing, and for new products. Material changes to assumptions should be documented,
justified and approved by management. In particular, supervisors would not normally
expect core deposits - those deposits which can be withdrawn without notice but which in
practice tend to remain with the bank - to be given an assumed maturity or repricing
frequency of longer than three to five years without additional empirical analysis.
(e) Interest rate risk measurement systems must be integrated into the bank's daily
risk management practices. The output of the systems should be used in characterizing the
level of interest rate risk to senior management and boards of directors.
(f) The interest rate shock (or the equivalent parameters) as determined has been
properly incorporated into the systems.
65 Principle 13: Banks should release to the public information on the level of interest rate risk and their policies for its management.
66 The use of the economic value perspective is one area where the application of this approach to banks outside the G10 internationally active population might be varied.
If supervisors determine that a bank's internal measurement system does not
adequately capture interest rate risk in the banking book, the first, most immediate course
of action is to require the bank to bring its system to the required standard. In the interim,
the bank must supply its supervisor with information on the interest rate risk in its
banking book in a form specified by the supervisor. Supervisors may wish to use this
information in making their own estimates of risk using a standardized framework
applying the same standardized rate shock.67
This standardized rate shock should be based on the following:
For exposures in G10 currencies, either:
(a) An upward and downward 200 basis point parallel rate shock, or
(b) 1st and 99th percentile of observed interest rate changes using a one year (240
working days) holding period and a minimum five years of observations.
For exposures in non-G10 currencies, either:
(a) A parallel rate shock substantially consistent with 1st and 99th percentile of
observed interest rate changes using a one year (240 working days) holding period and a
minimum five years of observations for the particular non-G10 currency, or
(b) 1st and 99th percentile of observed interest rate changes using a one year (240
working days) holding period and a minimum five years of observations.
67 Principle 14: Supervisory authorities must assess whether the internal measurement systems of banks adequately capture the interest rate risk in their banking book. If a bank's internal measurement system does not adequately capture the interest rate risk, banks must bring the system to the required standard. To facilitate supervisors' monitoring of interest rate risk exposures across institutions, banks must provide the results of their internal measurement systems, expressed in terms of the threat to economic value, using a standardized interest rate shock.
Many banks will be exposed to interest rate risk in more than one currency. In
such cases, banks should carry out a similar analysis for each currency accounting for 5%
or more of their banking book assets, using an interest rate shock calculated according to
the rules set out above. To ensure complete coverage of the banking book, any remaining
exposures should be subject to a 200 basis point shock.
The relative simplicity of the 200 basis point parallel rate shock has the
disadvantage of ignoring exposures that might be revealed through scenarios that include
yield curve twists, inversions and other relevant scenarios. As has already been noted,
such alternative scenarios are a necessary component of the overall management of
interest rate risk. Supervisors will continue to expect institutions to perform multiple
scenarios in evaluation of their interest rate risk as appropriate to the level and nature of
risk they are taking.
Banks must hold capital to support the level of interest rate risk they undertake.
Supervisors should be particularly attentive to the capital sufficiency of "outlier banks" –
those whose interest rate risk in the banking book leads to an economic value decline of
more than 20% of the sum of Tier 1 and Tier 2 capital following the standardized interest
rate shock or its equivalent (as determined under Principle 14).
The response in cases where supervisors determine that there is insufficient capital
will depend on a variety of factors. However, the response must result in the bank either
holding additional capital or reducing the measured risk (through, for example, hedging or
a restructuring of the banking book), or a combination of both, depending on the
circumstances of the case.68
68 Principle 15: If supervisors determine that a bank is not holding capital commensurate with the level of interest rate risk in the banking book, they should consider remedial action, requiring the bank either to reduce its risk, to hold a specific additional amount of capital, or a combination of both.
3.7.15 Conclusion
In support of the revised Basel Accord, the BCBS has issued several guidelines
regarding IRR management for both bankers and bank supervisors. The BCBS is aware
that banks' IRR management techniques continue to evolve, so certain details of their
guidelines will need to be updated. However, the principle that banks' own assessments of
their IRR exposures should form the basis of supervisory oversight is a defining
characteristic of future supervisory efforts.
Section 3.8:
Asset liability management (ALM)
3.8.0 Introduction
3.8.1 Objectives of asset and liabilities
3.8.2 Help of ALM
3.8.3 Previous Research
3.8.4 General ALM approaches at the country level
3.8.5 Proactive ALM at Banks
3.8.6 Asset Liability Management in Indian banking system
3.8.7 ALM Organization
3.8.8 ALM process
3.8.9 A general analytical framework for ALM
3.8.10 Integrated ALM Approach
3.8.11 Advantages of the integrated ALM approach
3.8.12 Reporting Requirements
Introduction
Asset-Liability Management according to the Society of Actuaries (1998) "… is the
practice of managing a business so that decisions on assets and liabilities are coordinated. It
can be defined as the ongoing process of formulating, implementing, monitoring and
revising strategies related to assets and liabilities in an attempt to achieve financial
objectives for a given set of tolerances and constraints... ALM is relevant to, and critical
for, the sound management of the finances of any institution that invests to meet liabilities".
Asset and Liability Management (ALM) is about optimizing the bank's balance
sheet. It focuses primarily on capital, liquidity & interest risk management and, depending
on the nature of the bank, credit, market & operational risk. The A.L.M. function provides
the policy framework for bank treasury and prescribes the techniques and instruments used
in the everyday implementation of policy.
Assets and liabilities are both affected by interest rate changes, so measuring and
managing interest rate risk is the key to making sure your asset and liability mix performs
at its peak. Proper management of the total exposure, maturity schedules, and nominal rates
on both sides of the equation can dramatically reduce damages and increase net profits. To
acquire and maintain these skills in the face of new instruments and volatile environments,
A/L managers and staff need effective, affordable, ongoing training.
Asset and liability management remain high-priority areas for bank
regulators, with an emphasis on management of market risk, liquidity risk, and
credit risk. Asset/liability managers face the challenge of keeping pace with industry
changes as new areas of risk are identified and new tools and models are developed
to help measure and manage risk.
Liquidity management has always been an important matter for banks. In today's
world, many banks face increased liquidity strains, as competition for deposits forces them
to look for alternative funding sources. At the same time, financial development has
increased both the opportunities and risks in liquidity management. As a result, it is
increasingly important that banks plan for their liquidity needs to ensure that they are using
stable and low-cost methods to fund their operations. In a highly competitive world, only
the efficient survive, and using high-cost funds puts a bank at a competitive disadvantage.
3.8.1 Objectives of asset and liabilities
The object of asset and liability management is to provide a net interest income
stream sufficient to support the Bank's dividend target and to protect the market value of
the Bank's equity capital in a financial market environment in which changes in interest
rates and rate relationships can occur suddenly and unexpectedly. Asset and liability
management has become increasingly complicated and challenging. Financial engineers are
combining highly advanced mathematics with powerful technological resources to create an
ever-expanding array of sophisticated financial instruments with complex risk and return
profiles. Analyzing and managing these instruments in the modern bank balance sheet
requires a well-trained staff, operating with reliable systems and controls, accurately
calibrating risks to achieve suitable returns. Asset/liability management attempts to meet
the Bank's objectives within the risk parameters determined by the Board of Directors, and
in compliance with the regulations and regulatory guidance of the Federal Housing Finance
Board, and the Bank's Capital Plan.
To contain financial risk, primarily defined as the inability to meet dividend expectations
and/or deterioration of market value of equity, the Bank will maintain an organization and
climate which fosters:
Identification and understanding of key component risks;
Rigorous, thorough analysis;
A systematic decision-making process, and
A system of measurement and control that is detailed, complete, timely, and
accurate.
The purpose of this policy is to define the asset/liability management process of the Bank;
to outline the roles and responsibilities of those involved in that process; to prescribe the
measurements and limits that govern risk-taking; and to detail reporting and control
requirements for management and the Board of Directors.
The assets and liabilities shall be managed to attempt to achieve the following
minimum objectives:
1. A return on assets above ____ %.
2. A return on equity above ____ %.
3. An equity capital-to-assets ratio above ____ %.
4. A risk-based capital ratio of ____ %.
3.8.2 Help of ALM
So what more can be expected from ALM than the established techniques? To
answer this, it is necessary to ascertain the pitfalls and difficulties encountered when
making investment decisions. It is important to understand the risks that are borne
when investing in a particular security or portfolio of securities. Generally, the higher the
risks undertaken, the higher the possible returns on that investment. However, other
constraints cannot be ignored such as the nature of uncertainty in the decision process,
taxes and transactions costs. There may also be legal guidelines and other policy
requirements such as institution-specific rules on asset mix.
Returning to the fundamental aspect that any company has both assets and liabilities
it is clear that in the course of business the company will benefit from cash inflows and
have to meet liabilities. When asset streams are greater than liability streams, there is a
surplus and, vice versa, when liability streams are greater than asset streams, there is a
deficit.69 Avoiding this financial quagmire requires advanced and meticulous financial
planning, and for large organizations ALM is invaluable.
3.8.3 Previous Research
Bank asset and liability management is defined as the simultaneous planning of all
assets and liability positions on the bank's balance sheet under consideration of the
different bank management objectives and legal, managerial and market constraints, for the
purpose of mitigating interest rate risk, providing liquidity and enhancing the value of the
bank (Gup and Brooks, 1993).
Looking to the past, we find the first mathematical models in the field of bank
management. Asset and liability management models can be deterministic or stochastic
(Kosmidou and Zopounidis, 2001). Deterministic models use linear programming, assume
particular realizations for random events, and are computationally tractable for large
problems. The deterministic linear programming model of Chambers and Charnes (1961) is
the pioneer in ALM.
69 A company will always try to make sure that there is always a surplus but, in situations where there is a deficit, corrective measures can be taken to protect the company financially in the short-term. In the long term however, a company continuing to accumulate shortfalls is likely to be in a serious financial position and may be on the verge of insolvency.
The methods used to obtain the scenario generation model may be based on cascade
structures following the work of Mulvey & Thorlacius (1998), and of Wilkie (1986, 1995),
but in the present work we fit the time series with an Autoregressive Vector Error
Correction Model (henceforth VECM), following the line set out by Boender et al. (1995,
1998), Dert (1995, 1998), Kim & Mina (2000) and Kim et al. (1999).
There are three basic approaches to liquidity management:
Asset Management
Liability Management
Capital Management
Although they are listed separately, the three approaches are often used in combination
to manage a bank's liquidity position.
Sensitivity to market risk (that is, changes in interest rates) can reduce a bank's earnings
and erode its capital. In light of these performance consequences, it is an important board
responsibility to see that a bank's market risk is effectively managed.
Few banks in recent history have failed because of uncontrolled market risk. (Market
risk is the risk to a bank's earnings and capital from changes in interest rates.) Even in well
publicized instances, such as the 1995 failure of Barings Bank, one of the oldest banks in
England, where market risk was linked directly to the bank's performance problems, it is
usually the failure of a bank's operational controls that prevents the bank from identifying
its market risk exposure until it is too late.
Although most banks will never fail outright, they can experience significant loss of
earnings and capital due to uncontrolled market risk. Because of this, the federal banking
agencies make it a board responsibility to ensure that a bank's market risk is effectively
managed:
"Establish and guide the bank's tolerance for interest rate risk, including
approving risk limits and other key policies, identifying lines of authority and
responsibility for managing interest rate risk, and ensuring adequate resources are
devoted to interest rate risk management…" May 23, 1996, Joint Policy Statement
on Interest Rate Risk
Risk management is about managing risk, not eliminating it. Asset liability
management is concerned with strategic balance sheet management
involving all market risks.
Banks today deal in a wide range of financial instruments, both as assets and as
liabilities. The risk profile and profit performance of banks are substantially affected by
their asset and liability management. Recently, the importance of this function has grown
considerably due to the dynamic and volatile conditions that prevail in the economy and in
the financial markets.
3.8.4 General ALM approaches at the country level
The starting point of our discussion is that the development of a strategic approach
for ALM at the country level has lagged behind approaches in the corporate and financial
sectors. Typical approaches to country ALM are copied from approaches for firms and
financial institutions, but do not incorporate country-specific factors while strategic aspects
are usually missing. They often exclude, for example, trade flows and fiscal dimensions.
Modeling flexibility is very limited, with country adaptation often happening through a
piece-meal approach using ad-hoc analysis rather than optimization and starting from first
principles. Their perspective is often also the development of benchmarks, rather than
strategic asset allocations or liability choices. By requiring a benchmark, which is constant
over time, they fail to incorporate the dynamic realignment of portfolios. The treatment of
uncertainty is typically also very limited and constraints are often not included in the
optimization process itself, but rather through iterating around the solution.
The need for strategic ALM for sovereigns is all the more necessary, as sovereigns
often have to consider risks on a much broader scale than corporations or financial
institutions do. Risks for a sovereign concern not only the government's own direct
financial exposures, such as those arising from debt and reserves management, but also
those arising from contingent liabilities due to risks in the banking system, restructuring of
state-owned enterprises, or restructuring and reform of the corporate sector. Approaches
also need to relate to measures of the government's earning potential. This may mean risks
need to be defined differently. Instead of measuring nominal variability in government
debt service, for example, risk measures may need to take into account the sensitivity of
fiscal revenues to global factors, such as interest rates. Without these factors, approaches to
risk can ignore the existence of natural hedges in the external and fiscal sectors, limit the
analysis to "on-balance" liabilities only, and ignore many important constraints. It is also
essential that the sovereign adopts a truly dynamic approach. Countries often face, for
example, many constraints in rapidly adjusting their assets and liabilities; transactions costs
can be high and market access may vary with general financial markets conditions and
investors' sentiment, especially for developing countries but also for developed countries.
Typical ALM strategies pursued for financial institutions and corporations can thus clearly
be less than optimal for sovereigns or central banks and measuring exposures only in terms
of duration, asset composition, and currency composition may even add to risk.
3.8.5 Proactive ALM at Banks
Proactive ALM requires an accurate depiction of risk and the communication of
such risk to product managers. Often, the major challenge for bank management is
addressing the natural tension between loan and deposit product managers and ALM
managers. While product managers may be constantly meeting customer demand by
innovating more sophisticated products, ALM managers carefully update their models to
measure and control these new risks. RAROC70 methodologies encourage product
managers to price competing products with these risks in mind to maximize profits for a
given level of risk.
ALM managers measure and monitor interest rate risk for all on- and off-balance sheet
instruments from two perspectives: earnings and market value (see diagram). The earnings
perspective focuses on the impact of interest rate changes on a bank's near-term earnings;
while the market value perspective focuses on a bank's underlying value. The interest rate
sensitivity of financial instruments depends on many factors, including duration, yield
curve, basis, repricing characteristics, and embedded options affecting the timing of cash
flows.
70 Risk Adjusted Return on Capital
ALM managers measure and monitor interest rate risk for all on- and off-balance
sheet instruments from two perspectives:
Earnings value
Market value
The earnings perspective focuses on the impact of interest rate changes on a bank's
near-term earnings, while the market value perspective focuses on a bank's underlying
value. The interest rate sensitivity of financial instruments depends on many factors,
including duration, yield curve, basis, re-pricing characteristics, and embedded options
affecting the timing of cash flows.
3.8.6 Asset Liability Management in Indian banking system
On the threshold of the new millennium, the Indian banking sector is waking up to a
concept of Asset Liability Management. ALM as a practice has been in existence for quite a
long time. The emergence of this concept can be traced to the mid 1970s in the US when
deregulation of the interest rates compelled the banks to undertake active planning for the
structure of the balance sheet. The uncertainty of interest rate movements gave rise to
interest rate risk thereby causing banks to look for processes to manage their risk. In the
wake of interest rate risk, came liquidity risk and credit risk as inherent components of risk
for banks. The recognition of these risks brought Asset Liability Management to the
center-stage of financial intermediation.
The Indian economy has witnessed a similar scenario. The post-reform banking
scenario is marked by interest rate deregulation, entry of new private banks, a gamut of
new products and greater use of information technology. To cope with these pressures
banks were required to evolve strategies rather than ad hoc fire fighting solutions. These
strategies are executed in the form of ALM practices. An efficient ALM technique aims to
manage the volume, mix, maturity, rate sensitivity, quality and liquidity of the assets and
liabilities as a whole so as to earn a predetermined, acceptable risk/reward ratio.
Recognizing the need for a strong and sound banking system, the RBI came out
with ALM guidelines for banks and FIs in April 1999. The ALM framework rests on three
pillars
3.8.7 ALM Organization
In line with the RBI guidelines, all banks have their ALCO in place. However,
foreign banks and private banks had their ALCOs in place well before the guidelines, to
keep pace with global practices. Some progressive public sector banks like Corporation
Bank too had an ALCO in place before the guidelines. It was also observed that the foreign
banks and the private sector banks accorded greater seriousness to their ALCOs vis-a-vis
the PSBs.
The ALCO, consisting of the bank's senior management including the CEO,
should be responsible for adhering to the limits set by the board as well as for
deciding the business strategy of the bank in line with the bank's budget and decided
risk management objectives. The ALCO is a decision-making unit responsible for
balance sheet planning from a risk-return perspective, including strategic
management of interest and liquidity risk. The ALM Information System is most
important for collecting information accurately, adequately and
expeditiously. Information is the key to the ALM process. A good information
system gives the bank management a complete picture of the bank's balance sheet.
ALM Process: The basic ALM process involves identification, measurement and
management of risk parameters.
3.8.8 ALM process
The RBI in its guidelines has asked Indian banks to use traditional techniques like
Gap Analysis for monitoring interest rate and liquidity risk. However, the RBI expects
Indian banks to move towards sophisticated techniques like Duration, Simulation, and VaR
in the future.
As regards the trading portfolio, all foreign banks and top Indian private sector
banks use Value at Risk (VaR). For the accrued portfolio, most Indian private sector banks use
Gap analysis, but are gradually moving towards duration analysis. Most of the foreign
banks use duration analysis. They are expected to move towards advanced methods like
Value at Risk for the entire balance sheet. Some foreign banks are already using VaR for
the entire balance sheet.
The presentation critically evaluated the Maturity gap method and Duration analysis on
the parameters of their theoretical efficacy and their practical implications. However, the
area of maximum interest was the Value at Risk method.
3.8.9 A general analytical framework for ALM
The review of the approaches taken by central banks already shows that it is
unlikely that a single reserves management model will be applicable to all situations. No
single model can be expected to be optimal for every central bank's reserves management
requirements. Every model developed today will need to change tomorrow. Flexibility
must thus be built into any approach to reserves management modeling. The purpose
therefore should be to provide a framework that allows for substantial flexibility in model
development in both theory and application. A framework has to be dynamic as well. Any
medium to long-term analysis of reserves must include procedures for the dynamic
rebalancing of the reserves portfolio for two reasons: the density functions of outcomes in
the far future depend upon decisions taken beforehand, that is in the near future; and
changing regime conditions mean future decisions need to be made dependent on future
outcomes. We will discuss these desirable features in turn.
3.8.10 Integrated ALM Approach
Traditionally only interest rate risk and liquidity risks have been considered in the
ALM framework. A bank would have managed a major portion of its risks by having in
place a proper ALM policy attending to its interest rate risk and liquidity risk. These two
risks when managed properly lead to enhanced profitability and adequate liquidity.
ALM is an important tool in the overall risk management process for any bank.
ALM should be used strategically for deciding the pricing and structure of assets and
liabilities in such a way that profitability, liquidity and credit exposure are maintained. From
now, one cannot neglect credit risk in the ALM process. Based on this rationale, the
students presented a qualitative argument why credit risk should be incorporated in the
overall ALM framework.
Consider the procedure for sanctioning a loan. The borrower who approaches the
bank is appraised by the credit department on various parameters like industry prospects,
operational efficiency, financial efficiency, management evaluation and others, which
influence the working of the client company. Based on this appraisal the borrower is
charged a certain rate of interest to cover the credit risk. For example, a client with credit
appraisal AAA will be charged PLR, while somebody with a BBB rating will be charged
PLR + 2.5 %, say. Naturally, there will be a certain cut-off for credit appraisal, below which
the bank will not lend, e.g. the bank will not like to lend to a D rated client even at a higher rate
of interest. The guidelines for the loan sanctioning procedure are decided in the ALCO
meetings with targets set and goals established. The role played by the treasury in the loan
sanctioning process is limited to satisfying the demands for funds. All exceptional cases,
however, are referred to the treasury, which looks at the gaps created by the proposal, and
based on the policies of the bank and its long-term objectives the proposal is either rejected
or sanctioned with appropriate pricing. All three parameters, viz. interest rate, credit risk
and liquidity positions, should be looked at dynamically and simultaneously for better
decision-making.
In the proposed approach, the credit appraisal comes out with a credit score, the
treasury comes up with a liquidity score, and the corporate banking division comes up with an
interest rate score. This information is used to arrive at a composite score to evaluate the
proposal.
3.8.11 Advantages of the integrated ALM approach:
A bank will price the loan taking the liquidity risk into account as well, i.e. considering the
impact of the loan on the gap mismatch of the balance sheet. Incorporating the default probabilities
helps the bank to price the loan appropriately in line with its risk profile. Hence, the bank
would also look at the impact of such a loan on its liquidity along with the credit risk and
not in isolation.
The bank would now have flexibility in accepting and rejecting the loan only after
having considered all parameters. It will provide the necessary direction to the bank in
structuring the loan in such a way that the liquidity profile of the bank is improved. If the
liquidity profile of the portfolio is improved, the loan can be priced favorably for the
borrower.
This model helps us to identify those loans that contribute to the ROA and ROE of the bank.
This puts the bank on the road to shareholder value creation. By
identifying the acceptable risk limits, the bank achieves greater stability, thus ensuring
higher returns for the shareholders.
While a similar system might already be in use in several competitive banks in one
form or the other, other banks that do not employ such a system in totality might find it
useful to adopt the integrated ALM approach, which has been presented as a conceptual
argument.
3.8.12 Reporting Requirements
The ALCO shall provide the following to the Board of Directors on a quarterly
basis:
1. Average daily balance sheet
2. Interest income and interest expense statements
3. Non-interest income and non-interest expense statements
4. Interest spread statement and GAP Report
5. Relevant ratios (detailed above)
6. Net interest change analysis attributable to dollar volumes, earning, paying and market
rates as well as time (simulation) compared to policy limits.
7. Investment portfolio and loan activity report
8. A summary approximating investment portfolio values
9. Duration analysis to approximate investment portfolio values for different rate scenarios
(annual)
10. Projected flow of funds analysis
11. Recommended Asset/Liability Management plan including a quarterly strategy for the
management of interest rate risk and liquidity risk
12. Assessment of performance against the prior quarter's strategy
Section 3.9:
Non-performing assets (NPA)
3.9.1. Introduction
3.9.2. Indian economy and NPAs
3.9.3. Global Developments and NPAs
3.9.4 Meaning of NPAs
3.9.5 Asset Classification
3.9.6. Huge levels of NPAs exist in the Indian banking system (IBS)
3.9.7 Credit Risk and NPAs
3.9.8 The importance of credit rating in assessing the risk of default for lenders
3.9.9 Usage of financial statements in assessing the risk of default for lenders
3.9.10 Capital Adequacy Ratio (CAR) of RBI and Basle committee on banking supervision (BCBS)
3.9.11 Excess of liquidity
3.9.12 High cost of funds due to NPAs
3.9.13 Need for effective asset management policies
3.9.14 Asset management
3.9.1. Introduction
By its very nature, banking involves taking risks. In most countries, banks have
deployed their funds into loans, which form the bulk of their assets. Consequently, one of
the most significant risks faced by banks has been and will continue to be credit risk, that
is, the risk that the counterparty will default on its obligations as agreed. Banks are
now coming up with new techniques to measure, manage and mitigate the risks to which
they are exposed.
Loans become non-performing when borrowers fall in arrears in the repayment of
principal or interest payment or both. Some borrowers have the means to repay but do not
have the willingness to repay; i.e. they become willful defaulters on the loans. On the
other hand, there are borrowers who cannot afford to repay because of hardships of an
economic nature. An economic slowdown can severely undermine the capacity of
borrowers to continue servicing and to repay their debts. In such circumstances, an
effective asset management policy in the financial system can help to come to grips with
the problem of non-performing assets and so prevent a crisis that may go out of control.
Traditionally, banks have placed undue reliance on the collaterals when extending
credit facilities. When borrowers default and all means are exhausted to recover their
dues, banks finally have to foreclose the assets held as security. The foreclosing and
disposal of the assets do not always produce the desired results. It's a known fact that
the banks and financial
institutions in India face the problem of swelling non-performing assets (NPAs) and the
issue is becoming more and more unmanageable. In order to bring the situation under
control, some steps have been taken recently. The Securitisation and Reconstruction of
Financial Assets and Enforcement of Security Interest Act, 2002 was passed by
Parliament, which is an important step towards elimination or reduction of NPAs.
3.9.2. Indian economy and NPAs
Undoubtedly the world economy has slowed down, recession is at its peak, globally
stock markets have tumbled and business itself is getting hard to do. The Indian economy
has been much affected due to high fiscal deficit, poor infrastructure facilities, sticky legal
system, cutting of exposures to emerging markets by foreign institutional investors (FIIs),
etc.
Further, international rating agencies like Standard & Poor's have lowered India's
credit rating to sub-investment grade. Such negative aspects have often outweighed
positives such as increasing forex reserves and a manageable inflation rate. Under such a
situation, it is understood that banks are no exception and are bound to face the heat of a
global downturn. One would be surprised to know that the banks and financial institutions
in India hold non-performing assets worth Rs. 1,10,000 crores. Bankers have realized that
unless the level of NPAs is reduced drastically, they will find it difficult to survive.
3.9.3. Global Developments and NPAs
The core banking business is mobilizing deposits and utilizing them for lending
to industry. Lending business is generally encouraged because it has the effect of funds
being transferred from the system to productive purposes, which results in economic
growth.
However, lending also carries credit risk, which arises from the failure of a borrower to
fulfill its contractual obligations either during the course of a transaction or on a future
obligation.
A question that arises is how much risk can a bank afford to take? Recent
happenings in the business world - Enron, WorldCom, Xerox, Global Crossing do not
give much confidence to banks. In case after case, these giant corporates became bankrupt
and failed to provide investors with clearer and more complete information thereby
introducing a degree of risk that many investors could neither anticipate nor
welcome. The history of financial institutions also reveals the fact that the biggest banking
failures were due to credit risk.
Due to this, banks are restricting their lending operations to secured avenues only with
adequate collateral on which to fall back upon in a situation of default.
3.9.4 Meaning of NPAs
An asset is classified as a non-performing asset (NPA) if dues in the form of
principal and interest are not paid by the borrower for a period of 180 days. However, with
effect from March 2004, default status would be given to a borrower if dues are not paid
for 90 days. If any advance or credit facility granted by a bank to a borrower becomes
non-performing, then the bank will have to treat all the advances/credit facilities granted
to that borrower as non-performing, without having any regard to the fact that there may
still exist certain advances / credit facilities having performing status. In brief,
"Non-performing Asset" means an asset in respect of which
a. interest or principal (or installment thereof) is overdue for a period of more
than 180 days;
b. interest or principal is overdue for a period of more than 180 days from the
expiry of planning period, wherever applicable;
c. any other receivable, if it is overdue for a period of more than 180 days.
3.9.5 Asset Classification
Every Securitization / Reconstruction Company shall, after taking into account the
degree of well defined credit weaknesses and extent of dependence on collateral security
for realization, classify the assets it has acquired for reconstruction and held by it into
four broad groups, viz., (a) Standard assets, (b) Sub-standard
assets, (c) Doubtful assets, (d) Loss assets:
(a) Standard assets - A standard asset is one which does not disclose any
problems and which does not carry more than normal risk attached to the business. Such
an asset is not an NPA.
(b) Sub-standard assets - A sub-standard asset is one which has been classified
as NPA for a period not exceeding two years.
(c) Doubtful assets - With a view to moving closer to international practices in
regard to provisioning norms, an asset should be classified as doubtful, if it has remained
in the sub-standard category for 18 months instead of 24 months, as at present, by March
31, 2001. Banks are permitted to achieve this norm for additional provisioning in phases,
as under:
(i) As on March 31, 2001: Provisioning of not less than 50 per cent on the
assets which have become doubtful on account of the new norm.
(ii) As on March 31, 2002: Balance of the provisions not made during the
previous year, in addition to the provisions needed, as on March 31, 2002.
(d) Loss assets - A loss asset is one where loss has been identified by the bank
or internal or external auditors or in the Reserve Bank inspection report. In other words,
such an asset is considered uncollectible and of such little value that its continuance as a
bankable asset is not warranted although there may be some salvage or recovery value.
3.9.6. Huge levels of NPAs exist in the Indian banking system (IBS)
The origin of the problem of burgeoning NPAs lies in the quality of credit risk
management by the banks concerned. What is needed is having adequate preventive
measures in place, namely fixing pre-sanctioning appraisal responsibility and having
effective post-disbursement supervision. Banks concerned should continuously monitor
loans to identify accounts that have potential to become non-performing.
3.9.6.1 NPAs and Indian banks and financial institutions
To start with, performance in terms of profitability is a benchmark for any
business enterprise including the banking industry. However, increasing NPAs have a
direct impact on banks' profitability, as legally banks are not allowed to book income on
such accounts and at the same time banks are forced to make provision on such assets as
per the Reserve Bank of India (RBI) guidelines.
In addition, with increasing deposits made by the public in the banking system, the
banking industry cannot afford defaults by borrowers, since NPAs affect the repayment
capacity of banks. Further, the Reserve Bank of India (RBI) successfully creates excess
liquidity in the system through various rate cuts, and banks fail to utilize this benefit to their
advantage due to the fear of burgeoning non-performing assets.
3.9.6.2 RBI guidelines on income recognition (interest income on NPAs)
Banks recognize income including interest income on advances on accrual basis.
That is, income is accounted for as and when it is earned. The prima-facie condition for
accrual of income is that it should be reasonable to expect its ultimate collection.
However, NPAs involve significant uncertainty with respect to their ultimate collection.
Considering this fact, in accordance with the guidelines for income recognition issued by
the Reserve Bank of India (RBI), banks should not recognize interest income on such
NPAs until it is actually realized.
3.9.6.3 Accounting Standard 9 (AS 9) on revenue recognition issued by ICAI
The Accounting Standard 9 (AS 9) on `Revenue Recognition' issued by the
Institute of Chartered Accountants of India (ICAI) requires that the revenue that arises
from the use by others of enterprise resources yielding interest should be recognized only
when there is no significant uncertainty as to its measurability or collectability. In
addition, interest income should be recognized on a time proportion basis after taking into
consideration the rate applicable and the total amount outstanding.
3.9.6.4 RBI guidelines on NPAs and ICAI Accounting Standard 9 on revenue recognition
In view of the guidelines issued by the Reserve Bank of India (RBI), interest
income on NPAs should be recognised only when it is actually realized.
As such, a doubt may arise as to whether the aforesaid guidelines with respect to
recognition of interest income on NPAs on realization basis are consistent with
Accounting Standard 9, `Revenue Recognition'. For this purpose, the guidelines issued by
the RBI for treating certain assets as NPAs seem to be based on an assumption that the
collection of interest on such assets is uncertain. Therefore, in compliance with AS 9, interest
income is not recognized while that uncertainty exists, but is recognized at a subsequent
stage when actually realized, thereby complying with RBI guidelines as well.
In order to ensure proper appreciation of financial statements, banks should
disclose the accounting policies adopted in respect of determination of NPAs and basis on
which income is recognized with other significant accounting policies.
3.9.6.6 RBI guidelines on classification of bank advances
Reserve Bank of India (RBI) has issued guidelines on provisioning requirement
with respect to bank advances. In terms of these guidelines, bank advances are mainly
classified into:
Standard Assets: Such an asset is not a non-performing asset. In other words, it
carries not more than normal risk attached to the business.
Sub-standard Assets: It is classified as a non-performing asset for a period not
exceeding 18 months.
Doubtful Assets: An asset that has remained NPA for a period exceeding 18 months
is a doubtful asset.
Loss Assets: Here loss is identified by the banks concerned, by internal auditors,
by external auditors, or by Reserve Bank of India (RBI) inspection.
In terms of RBI guidelines, as and when an asset becomes an NPA, such advances
would be first classified as sub-standard for a period that should not exceed 18
months and subsequently as doubtful assets. It should be noted that the above
classification is only for the purpose of computing the amount of provision that should be
made with respect to bank advances and certainly not for the purpose of presentation of
advances in the bank's balance sheet. The Third Schedule to the Banking Regulation Act,
1949, solely governs presentation of advances in the balance sheet.
Banks have started issuing notices under the Securitisation Act, 2002 directing the
defaulter to either pay back the dues to the bank or else give the possession of the secured
assets mentioned in the notice. However, there is a potential threat to recovery if there is
substantial erosion in the value of security given by the borrower or if borrower has
committed fraud. Under such a situation, it will be prudent to directly classify the advance
as a doubtful or loss asset, as appropriate.
3.9.6.7 RBI guidelines on provisioning requirement of bank advances
As and when an asset is classified as an NPA, the bank has to further sub-classify
it into sub-standard, loss and doubtful assets. Based on this classification, the bank makes the
necessary provision against these assets.
Reserve Bank of India (RBI) has issued guidelines on provisioning requirements
of bank advances where the recovery is doubtful. Banks are also required to comply with
such guidelines in making adequate provision to the satisfaction of their auditors before
declaring any dividends on their shares.
In case of loss assets, guidelines specifically require that full provision for the
amount outstanding should be made by the concerned bank. This is justified because such
an asset is considered uncollectible and cannot be classified as a bankable asset. Also, in
case of doubtful assets, guidelines require the bank concerned to provide entirely for the
unsecured portion, and in case of the secured portion an additional provision of 20%-50% of
the secured portion should be made depending upon the period for which the advance has
been considered as doubtful. For instance, for NPAs that are up to 1 year old, provision
should be made of 20% of the secured portion, in case of 1-3 year old NPAs up to 30% of the
secured portion, and finally in case of more than 3-year-old NPAs up to 50% of the secured
portion should be made by the concerned bank.
In case of a sub-standard asset, a general provision of 10% of total outstandings
should be made. Reserve Bank of India (RBI) has merely laid down the minimum
provisioning requirement that should be complied with by the concerned bank on a
mandatory basis. However, where there is a substantial uncertainty to recovery, higher
provisioning should be made by the bank concerned.
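The classification rule of 3.9.6.6 and the minimum provisioning rule of 3.9.6.7 can be worked through on a small portfolio. The following is an added example, not part of the original text or of any RBI publication; the names Advance, classify, minimum_provision and portfolio_report and the sample portfolio are constructed for illustration. It assumes no provision for standard assets (the text states none), counts the doubtful period from the end of the 18 sub-standard months, and treats 12 and 36 months as the inclusive upper bounds of the 20% and 30% bands.

```python
from dataclasses import dataclass
from decimal import Decimal

SUBSTANDARD_LIMIT_MONTHS = 18        # 3.9.6.6: sub-standard for up to 18 months as NPA
SUBSTANDARD_RATE = Decimal("0.10")   # 3.9.6.7: 10% of total outstandings
# (upper bound in months considered doubtful, rate on the secured portion).
# Rates are from 3.9.6.7; the inclusive month boundaries are an assumption.
DOUBTFUL_SECURED_RATES = [
    (12, Decimal("0.20")),
    (36, Decimal("0.30")),
    (None, Decimal("0.50")),
]


@dataclass(frozen=True)
class Advance:
    """One advance; field names are hypothetical."""
    name: str
    outstanding: Decimal       # amount outstanding
    security_value: Decimal    # realisable value of the security held
    months_as_npa: int         # 0 means the advance is performing
    loss_identified: bool = False  # loss flagged by bank, auditors or RBI inspection

    def __post_init__(self):
        if self.outstanding < 0 or self.security_value < 0 or self.months_as_npa < 0:
            raise ValueError(f"{self.name}: negative amount or age")


def classify(adv):
    """Return the asset category described in 3.9.6.6."""
    if adv.loss_identified:
        return "loss"
    if adv.months_as_npa == 0:
        return "standard"
    if adv.months_as_npa <= SUBSTANDARD_LIMIT_MONTHS:
        return "sub-standard"
    return "doubtful"


def minimum_provision(adv):
    """Return the minimum provision described in 3.9.6.7."""
    category = classify(adv)
    if category == "standard":
        return Decimal("0")    # assumption: the text gives no rate for standard assets
    if category == "sub-standard":
        return adv.outstanding * SUBSTANDARD_RATE
    if category == "loss":
        return adv.outstanding  # full provision
    # Doubtful: all of the unsecured portion plus 20%-50% of the secured portion.
    secured = min(adv.outstanding, adv.security_value)
    unsecured = adv.outstanding - secured
    months_doubtful = adv.months_as_npa - SUBSTANDARD_LIMIT_MONTHS
    for limit, rate in DOUBTFUL_SECURED_RATES:
        if limit is None or months_doubtful <= limit:
            return unsecured + secured * rate
    raise AssertionError("unreachable: last band has no upper bound")


def portfolio_report(advances):
    """Sum the minimum provision per category and overall."""
    report = {"total": Decimal("0")}
    for adv in advances:
        category = classify(adv)
        provision = minimum_provision(adv)
        report[category] = report.get(category, Decimal("0")) + provision
        report["total"] += provision
    return report


# Constructed sample portfolio (amounts in any single currency unit).
PORTFOLIO = [
    Advance("A", Decimal("1000"), Decimal("1000"), 0),
    Advance("B", Decimal("500"), Decimal("400"), 6),
    Advance("C", Decimal("800"), Decimal("500"), 24),   # doubtful for 6 months
    Advance("D", Decimal("1000"), Decimal("600"), 48),  # doubtful for 30 months
    Advance("E", Decimal("600"), Decimal("600"), 60),   # doubtful for 42 months
    Advance("F", Decimal("200"), Decimal("50"), 10, loss_identified=True),
]

if __name__ == "__main__":
    for adv in PORTFOLIO:
        print(adv.name, classify(adv), minimum_provision(adv))
    print(portfolio_report(PORTFOLIO))
```

These figures are the regulatory floor only; as the text notes, a bank should provide more where recovery is substantially uncertain.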
3.9.7 Credit Risk and NPAs
Quite often credit risk management (CRM) is confused with managing non-
performing assets (NPAs). However, there is an appreciable difference between the two.
NPAs are a result of past action whose effects are realized in the present, i.e., they represent
credit risk that has already materialized and default has already taken place.
On the other hand, managing credit risk is a much more forward-looking approach
and is mainly concerned with managing the quality of the credit portfolio before default takes
place. In other words, an attempt is made to avoid possible default by properly managing
credit risk.
Considering the current global recession and unreliable information in financial
statements, there is high credit risk in the banking and lending business. To create a
defense against such uncertainty, bankers are expected to develop effective internal
credit risk models for the purpose of credit risk management.
3.9.7.1 Requirement as to capital adequacy
Every Securitisation/Reconstruction Company shall maintain, on an ongoing basis,
a minimum capital adequacy ratio, which shall not be less than 15 percent of its total risk
weighted financial assets. The risk-weighted asset shall be calculated as the weighted
aggregate of funded items as detailed hereunder:
3.9.7.2 Weighted risk assets

On-Balance Sheet items                                          Percentage weight
(i) Cash and bank balances including fixed deposits and
    certificates of deposits with scheduled commercial banks            0
(ii) Investments: State/Central Government securities                   0
(iii) Other financial assets                                          100
3.9.8 The importance of credit rating in assessing the risk of default for lenders
Fundamentally, Credit Rating implies evaluating the creditworthiness of a
borrower by an independent rating agency. Here the objective is to evaluate the probability of
default. As such, credit rating does not predict loss but it predicts the likelihood of
payment problems.
Credit rating has been explained by Moody's, a credit rating agency, as forming an
opinion of the future ability, legal obligation and willingness of a bond issuer or obligor to
make full and timely payments on principal and interest due to the investors. Banks do rely
on credit rating agencies to measure credit risk and assign a probability of default.
Credit rating agencies generally slot companies into risk buckets that indicate
the company's credit risk and are also reviewed periodically. Associated with each risk bucket
is the probability of default that is derived from historical observations of default behavior
in each risk bucket.
However, credit rating is not foolproof. In fact, Enron was rated investment grade
until as late as a month prior to its filing for Chapter 11 bankruptcy, when it was assigned
an in-default status by the rating agencies. It depends on the information available to the
credit rating agency. Besides, there may be a conflict of interest, which a credit rating
agency may not be able to resolve in the interest of investors and lenders.
Stock prices are an important (but not the sole) indicator of the credit risk
involved. Stock prices are much more forward looking in assessing the creditworthiness
of a business enterprise. Historical data proves that stock prices of companies such as
Enron and WorldCom had started showing a falling trend many months prior to their being
downgraded by credit rating agencies.
3.9.9 Usage of financial statements in assessing the risk of default for lenders
For banks and financial institutions, both the balance sheet and income statement
have a key role to play by providing valuable information on a borrower's viability.
However, the approach of scrutinizing financial statements is a backward looking
approach. This is because the focus of accounting is on past performance and current
positions.
The key accounting ratios generally used for the purpose of ascertaining the
creditworthiness of a business entity are the debt-equity ratio and the interest coverage
ratio. Highly rated companies generally have low leverage. This is because high leverage
is followed by high fixed interest charges, non-payment of which results in a default.
3.9.10 Capital Adequacy Ratio (CAR) of RBI and Basle committee on banking supervision (BCBS)
Reserve Bank of India (RBI) has issued capital adequacy norms for the Indian
banks. The minimum CAR, which the Indian banks are required to meet at all times, is
set at 9%. It should be taken into consideration that the bank's capital refers to the ability
of the bank to withstand losses due to risk exposures.
To be more precise, capital charge is a sort of regulatory cost of keeping loans
(perceived as risky) on the balance sheet of banks. The quality of assets of the bank and
its capital are often closely related. Quality of assets is reflected in the quantum of NPAs.
This implies that the poorer the asset quality, the higher the quantum of
non-performing assets, and vice-versa.
Market risk is the risk arising due to the fluctuations in value of a portfolio due to
the volatility of market prices.
Operational risk refers to losses arising due to complex system and processes.
It is important for a bank to have a good capital base to withstand unforeseen
losses. It indicates the capability of a bank to sustain losses arising out of risky assets.
The Basel Committee on Banking Supervision (BCBS) has also laid down certain
minimum risk based capital standards that apply to all internationally active commercial
banks. That is, a bank's capital should be at least 8% of its risk-weighted assets. This
in fact helps banks to provide protection to the depositors and the creditors.
The main objective here is to build a sort of support system to take care of
unexpected financial losses thereby ensuring healthy financial markets and protecting
depositors.
3.9.11 Excess of liquidity
One should also not forget that the banks are faced with the problem of increasing
liquidity in the system. Further, Reserve Bank of India (RBI) is increasing the liquidity in
the system through various rate cuts. Banks can get rid of their excess liquidity by
increasing their lending but often shy away from such an option due to the high risk of
default.
In order to promote certain prudential norms for healthy banking practices, most of
the developed economies require all banks to maintain minimum liquid and cash reserves
broadly classified into Cash Reserve Ratio (CRR) and the Statutory Liquidity Ratio
(SLR).
Cash Reserve Ratio (CRR) is the reserve which the banks have to maintain with
themselves in the form of cash reserves or by way of current account with the Reserve Bank of
India (RBI), computed as a certain percentage of their demand and time liabilities. The
objective is to ensure the safety and liquidity of the deposits with the banks.
On the other hand, Statutory Liquidity Ratio (SLR) is the one which every
banking company shall maintain in India. This is in the form of cash, gold or
unencumbered approved securities. This amount shall not, at the close of
business on any day, be less than such percentage of the total of its demand and time
liabilities in India as on the last Friday of the second preceding fortnight, as the Reserve
Bank of India (RBI) may specify from time to time.
A rate cut (for instance, a decrease in CRR) results in lesser funds being locked up
in RBI's vaults and further infuses greater funds into the system. However, almost all the
banks are facing the problem of bad loans, burgeoning non-performing assets, thinning
margins, etc., as a result of which banks are a little reluctant to grant loans to corporates.
As such, though RBI announces rate cuts in its monetary policy, such news is
no longer warmly greeted by the bankers.
3.9.12 High cost of funds due to NPAs
Quite often genuine borrowers face difficulties in raising funds from banks due
to mounting NPAs. Either the bank is reluctant to provide the requisite funds to the
genuine borrowers or, if the funds are provided, they come at a very high cost to
compensate the lender's losses caused by the high level of NPAs.
Therefore, quite often corporates prefer to raise funds through commercial papers
(CPs) where the interest rate on working capital charged by banks is higher.
With the enactment of the Securitisation and Reconstruction of Financial Assets
and Enforcement of Security Interest Act, 2002, banks can issue notices to the defaulters
to pay up the dues and the borrowers will have to clear their dues within 60 days. Once
the borrower receives a notice from the concerned bank and the financial institution, the
secured assets mentioned in the notice cannot be sold or transferred without the consent of
the lenders.
The main purpose of this notice is to inform the borrower that either the sum due
to the bank or financial institution be paid by the borrower or else the former will take
action by way of taking over the possession of assets. Besides assets, banks can also
take over the management of the company. Thus the bankers under the aforementioned
Act will have the much needed authority to either sell the assets of the defaulting
companies or change their management.
However, the protection under the said Act only provides a partial solution. What
banks should ensure is that they move with speed and momentum in
disposing of the assets. This is because, as uncertainty increases with the passage of time,
there is every possibility that the recoverable value of the asset also reduces and it cannot fetch
a good price. If faced with such a situation, then the very purpose of getting protection under
the Securitisation Act, 2002 would be defeated and the hope of seeing a must-have
growing banking sector can easily vanish.
3.9.13 Need for effective asset management policies
Non-performing loans represent a major threat to any bank. They carry the
potential to bring about the collapse of a bank. In times of economic slowdown, a surge in
non-performing loans can be expected which could threaten the whole financial system
and, ultimately, the whole economy. The main South Asian countries successfully tackled
the problem by using Asset Management Companies (AMCs), which they set up during their
economic crisis. An effective asset management policy can help to prevent the problem of
non-performing assets assuming unmanageable proportions. An AMC helps to stabilize the
financial condition of a distressed bank by the following means:
1. Borrowers get value for money. They are freed from the mercy of
unscrupulous buyers.
2. Banks recover their dues.
3. It restores liquidity and solvency to financial institutions, restores
confidence in the valuation of assets.
4. It frees banks from the worries of perpetually having to resolve their non-
performing loans and helps them to concentrate on banking. The prompt resolution of
non-performing assets helps to reallocate resources, which is vital to economic recovery.
5. The simultaneous offer of sale of a large number of similar assets exerts a
downward pressure on prices. An effective asset management policy will counter that
pressure and help to normalize asset prices.
3.9.14 Asset management
Asset management involves in the first instance the identification of non-
performing assets. A non-performing asset means an asset or account of a borrower which
has been classified by a bank as a sub-standard, doubtful or loss asset in accordance with
the guidelines issued by the central bank. This asset is then categorized into one of four
broad categories of selling, recovery, restructuring and setting off, depending on the
characteristics of the asset. Where any borrower, who is under a liability to a bank under a
security agreement, makes any default in repayment of secured debt or any installment,
and his accounts in respect of such debt are classified by the secured creditor as
non-performing asset, the bank may require the borrower by notice in writing
to discharge in full his liabilities to the secured creditor within 60 days from the date of
notice, failing which the secured creditor would be entitled to exercise any or all of the
following rights to recover his secured debt:
(a) Take possession of the secured assets
(b) Take over the management of the secured assets of the borrower
(c) Appoint any person to manage the secured assets the possession of which has
been taken over by the secured creditor
Where an AMC exists, it will take over from the bank the above responsibilities
until the assets are liquidated. The AMC will acquire the assets at a fair market value.
Determining a fair value is a complex exercise. The evaluation can be based on net cash
flows arising from the loan, viz:
• Expected interest and principal repayments;
• Security value;
• Collection, workout and realization risks;
• Transaction costs.
On acquiring the asset from the bank, the AMC will endeavor to negotiate with the
borrower to maximize the prospects of recovery. Various courses of action are open to the
AMC:
• Immediate sale of some or all of the loans to a third party;
• Providing borrower additional time to settle his dues;
• Providing additional finance to enable borrower to become viable;
• Re-schedulement of interest and/or principal payments.
The success of any of the above approaches is contingent on the borrower's conditions,
type of loan and macro-economic conditions prevailing in the country. The ultimate
objective of the AMC is to maximize disposal proceeds and produce a win/win situation for
both the borrower and the bank.
3.9.14.1 TYPES OF AMCs
The main types of AMCs currently in place in various countries are:
1. A central disposition agency
2. An entity specific to a particular bank
3. An auction process
The first type would take loans from all financial institutions and manage them alone. The
second type would manage the non-performing loans of all the banks forming part of a
particular bank and/or group of banks. The auction process would involve accumulating
assets rapidly and selling them without considering the other courses of action open to
AMCs. It will become evident that the most effective type of AMC will depend primarily on
the size of the market.
3.9.14.2 FRAMEWORK FOR AN EFFECTIVE ASSET MANAGEMENT COMPANY
Any effective AMC is highly dependent on two main prerequisites:
(a) Legal Framework and
(b) Licensing and Regulation of AMC.
An AMC should be backed by an adequate legal framework in which both
creditors and debtors have confidence. Besides, defining the rights of ownership and the
legal obligations of debtors and creditors, the legal framework should provide for the
orderly and expeditious resolution of disputed claims, including debt recovery and
realization of collateral for unpaid debt.
While the AMC does provide financial institutions with a powerful weapon to
bring defaulting borrowers up to standard, it should not abuse the rights of
borrowers by foreclosing assets indiscriminately. Therefore, the law should provide for
rights of appeal. Under the Securitisation, Reconstruction of Financial Assets and
Enforcement of Security Interest Ordinance 2002 (India) an aggrieved customer may
appeal to the Debts Recovery Tribunal within 45 days. If the borrower is still aggrieved
by an order made by the Debts Recovery Tribunal, he may appeal to an Appellate
Tribunal within 30 days from the date of receipt of
the order of the Debts Recovery Tribunal. A sound regulatory and supervisory
framework is a basic condition to safeguard the smooth running of an AMC. The
mainspring of an asset management policy is non-performing loans. Therefore, the
regulator needs to define an appropriate loan classification system and provisioning rules.
Licensing and regulation of AMC is usually vested with central banks. Applicants have
statutory conditions to fulfill before being licensed. The central bank may cancel a
certificate of registration granted to a securitisation company if such company fails to
comply with any conditions subject to which the certificate was granted. In the realization and
securitisation of assets, in order to ensure transparency, the company should maintain
accounts in accordance with requirements and submit or offer for inspection its books of
accounts or other relevant documents when so required by the central bank.
3.9.15 Advances with potential threats of recovery
In respect of accounts where there are potential threats to recovery on account of
erosion in the value of security or non-availability of security and existence of other
factors such as frauds committed by borrowers, it will not be prudent to classify them first
as sub-standard and then as doubtful after expiry of two years from the date the account
has become NPA. In such cases, the account should be straightaway classified as doubtful
asset or loss asset as appropriate irrespective of the period for which it has remained as
NPA.
3.9.15.1 Rescheduled Debts
An asset where the terms of the loan agreement regarding interest and principal have
been renegotiated or rescheduled after commencement of production should be classified
as sub-standard/doubtful and should remain in such category for at least two years of
satisfactory performance under the renegotiated or rescheduled terms. In other words, the
classification of an asset should not be upgraded merely as a result of rescheduling. With
effect from the year ended 31-3-1999, the period of two years may be reduced to one year
(or four quarters) if the interest and instalment of loans have been serviced regularly as per
the terms of reschedulement.
3.9.15.2 Advances granted under rehabilitation packages
As banks are not permitted to upgrade the classification of any advance in
respect of which the terms have been renegotiated unless the package of renegotiated
terms has worked satisfactorily for a period of two years, they are required to provide for
the additional facilities sanctioned according to the classification of the original advances
as sub-standard or doubtful. However, banks need not make provision for a period of one
year from the date of disbursement in respect of additional facilities sanctioned under
rehabilitation packages approved by BIFR/term lending institutions.
Section 3.10:
Foreign Exchange Management:
3.10.1 Foreign Exchange (Forex) Risk
3.10.2 Forex Risk Management Measures
3.10.3. Capital for Market Risk
3.10.1 Foreign Exchange (Forex) Risk
The risk inherent in running open foreign exchange positions has been
heightened in recent years by the pronounced volatility in Forex rates, thereby
adding a new dimension to the risk profile of banks' balance sheets.
Forex risk is the risk that a bank may suffer losses as a result of adverse
exchange rate movements during a period in which it has an open position,
either spot or forward, or a combination of the two, in an individual foreign
currency. The banks are also exposed to interest rate risk, which arises from
the maturity mismatching of foreign currency positions. Even in cases where
spot and forward positions in individual currencies are balanced, the maturity
pattern of forward transactions may produce mismatches. As a result, banks
may suffer losses as a result of changes in premia/discounts of the currencies
concerned. Foreign exchange risk is the risk of loss arising from movements in foreign
exchange rates. This risk arises when there is a difference between financial assets and
liabilities denominated in foreign currencies.
In the Forex business, banks also face the risk of default of the
counterparties or settlement risk. While such type of risk crystallization does
not cause principal loss, banks may have to undertake fresh transactions in the
cash/spot market for replacing the failed transactions. Thus, banks may incur
replacement cost, which depends upon the currency rate movements. Banks
also face another risk called time-zone risk or Herstatt risk which arises out of
time-lags in settlement of one currency in one center and the settlement of
another currency in another time-zone. The Forex transactions with
counterparties from another country also trigger sovereign or country risk.
3.10.2 Forex Risk Management Measures
1. Set appropriate limits - open positions and gaps.
2. Clear-cut and well-defined division of responsibility between front,
middle and back offices.
The top management should also adopt the VaR approach to measure the
risk associated with exposures. Reserve Bank of India has recently introduced
two statements viz. Maturity and Position (MAP) and Interest Rate Sensitivity
(SIR) for measurement of Forex risk exposures. Banks should use these
statements for periodical monitoring of Forex risk exposures.
3.10.3. Capital for Market Risk
The Basle Committee on Banking Supervision (BCBS) had issued
comprehensive guidelines to provide an explicit capital cushion for the price
risks to which banks are exposed, particularly those arising from their trading
activities. The banks have been given flexibility to use in-house models based
on VaR for measuring market risk as an alternative to a standardized
measurement framework suggested by Basle Committee. The internal models
should, however, comply with quantitative and qualitative criteria prescribed
by Basle Committee.
Reserve Bank of India has accepted the general framework suggested
by the Basle Committee. RBI has also initiated various steps in moving
towards prescribing capital for market risk. As an initial step, a risk weight of
2.5% has been prescribed for investments in Government and other approved
securities, besides a risk weight each of 100% on the open position limits in
Forex and gold. RBI has also prescribed detailed operating guidelines for
Asset-Liability Management System in banks. As the ability of banks to
identify and measure market risk improves, it would be necessary to assign
explicit capital charge for market risk. In the meanwhile, banks are advised to
study the Basle Committee's paper on 'Overview of the Amendment to the
Capital Accord to Incorporate Market Risks' - January 1996. While the small
banks operating predominantly in India could adopt the standardized
methodology, large banks and those banks operating in international markets
should develop expertise in evolving internal models for measurement of
market risk.
The Basle Committee on Banking Supervision proposes to develop
capital charge for interest rate risk in the banking book as well for banks
where the interest rate risks are significantly above average ('outliers'). The
Committee is now exploring various methodologies for identifying 'outliers'
and how best to apply and calibrate a capital charge for interest rate risk for
banks. Once the Committee finalizes the modalities, it may be necessary, at
least for banks operating in the international markets to comply with the
explicit capital charge requirements for interest rate risk in the banking book.
Section 3.11:
New technology and its risk in banks
3.11.1 Introduction
3.11.2. What is Technology Risk and its importance?
3.11.3 Technology-Related Risk Management Process
3.11.4. Measure and Monitor Performance
3.11.5. Internet Banking Risks
3.11.6. Risk Management Tools
3.11.1 Introduction
Companies, financial institutions and banks need to address technology risk
management as they implement increasingly powerful, automated technologies to scale
their businesses, more effectively link with customers and business partners, and reach
broader markets. Successful application of these technologies for the delivery of
predictable business value requires careful management and control of a diverse range of
complex legal, regulatory, and business issues. In particular, companies require counsel
with a comprehensive and sensitive understanding of industry trends and practices, business
technology, and associated legal issues to assist them to understand, control and manage the
risks of the new commercial ecosystems in which they are engaged.
For decades, banks used technology almost exclusively for back-office processing.
Today, technology has moved "out front" into virtually all aspects of banking. Technology
is a key aspect of many bank business decisions and many new bank products are reliant on
new technologies. Uses of technology are integral to bank operations and have been a
primary force in creating new competitive opportunities for banks. New and improved
technology-related products and services, delivery channels, and processing options have
changed the way banks make decisions, interact with customers, and process bank
transactions. Although some banks have developed new products and services in-house,
many have relied on vendors to develop and operate their technology-related products and
services.
While new technologies have provided important benefits to banks and their
customers, they also have exposed banks to new and different risks. As banks increase
their dependency on technology to deliver services and process information, the risk of
unfavorable consequences from operational failures increases. For example, some banks
have taken days to recover from operational failures arising out of technology system
failures. Also, as banks continue to increase their retail on-line payments, system security
may pose even greater challenges to banks in the future. These and other technology-
related problems could result in financial and reputation losses, which in turn could
potentially threaten the safety and soundness of an institution.
Increasing reliance on technology and network connectivity, coupled with
increasing threats to information technology resources are demanding more and more bank
resources. A strong information risk management program will help bankers identify and
prioritize risks so that effective controls can be developed to address the risks while
maximizing the bank's return on investment.
Regulators heightened their focus on IT risk in 1999 as technology began redefining
the face of banking. PC use was skyrocketing. The TCP/IP communications protocol was
becoming the norm. Broadband was elevating Internet communications to warp speed.
Cyber criminals had started commandeering entire websites, using them to convey their
message or defame organizations. As technology continued to make the transfer and
storage of information easier and faster, regulators became even more concerned. In the
year 2000, additional papers and bulletins were released detailing the importance of
firewalls, intrusion detection systems, and the need to secure local and wide area networks.
3.11.2. What is Technology Risk and its importance?
Technology risk, a subset of operational risk, arises through the use, misuse and
abuse of the tools of automation that we choose to adopt in order to improve and extend our
business. Automation, it has been said, takes a manual process that works, and turns it into
one which nearly works, but is faster and cheaper, and different.
As we have already discussed, our business information, and therefore the IT
systems and networks that support it, are all important business assets. Their availability,
integrity and confidentiality are essential to the continuance of competitive edge, cash flow,
profitability, compliance and respected organizational image. We recognize that our
organizations are facing increasing security threats from a wide range of sources and, in
particular, IT systems and networks are direct targets for a range of serious threats, which
include computer-based fraud, espionage, sabotage and vandalism. Computer viruses and
hackers continue to emerge and it is reasonable to expect them to become more widespread,
more ambitious and increasingly sophisticated.
Our regulatory bodies have shown a heightened supervisory interest in the
effectiveness of our security methods, presumably to ensure continued trust in the banking
system. These bodies have made two general observations:
• The importance of a comprehensive, management-directed information
security programme which will foster awareness throughout the organization that
information security is considered to be an important cultural value;
• That computer networks have the most significant inherent vulnerabilities,
which require continuous attention and proactive support.
The former observation is a lesson that we will have learnt most completely during
the year 2000 exercises. The latter is well accepted by financial institutions, at least in the
way that they approach the use of the Internet – with caution and with security measures
commensurate with the services offered. It is possible, however, that these organizations
may not recognize to the same degree the vulnerabilities of the internal networks.
3.11.3 Technology-Related Risk Management Process
The technology-related risk management process is designed to help a bank to
identify, measure, monitor, and control its risk exposure. The process involves three
essential elements:
(1) Plan for its use of technology,
(2) Decide how it will implement the technology, and
(3) Measure and monitor risk-taking.
3.11.3.1 Plan
When considering whether to adopt a new technology or to upgrade existing
systems, a bank should assess how it will use the technology within the context of its
overall strategic goals and its market. Planning should consider issues such as the:
• Costs of development and costs related to designing, testing, and operating
the systems, both internally and through outside vendors;
• Ability to resume operations swiftly and with data intact in the event of
system failure or unauthorized intrusions;
• Adequacy of internal controls, including controls for outside vendors; and
• Ability to determine when a specific risk exposure exceeds the ability of an
institution to manage and control that risk.
Given the specialized expertise needed to design, implement, and service new
technologies, vendors may provide a valuable means to acquire expertise and resources that
a bank cannot provide on its own. In planning whether and how to contract for its
technology needs, a bank should assess how it will manage the risks associated with these
new relationships. Without adequate controls, the use of vendors to design or support new
bank technologies and systems could increase a bank's exposure to risk. While a bank can
outsource many functions, management remains responsible for the performance and
actions of its vendors while the vendors are performing work for the bank.
Because technology is constantly changing, bank management should periodically
assess its uses of technology as part of its overall business planning. Such an enterprise-
wide and ongoing approach helps to ensure that all major technology projects are consistent
with the bank's plans.71
Proper planning minimizes the likelihood of computer hardware
and software systems incompatibilities and failures, and maximizes the likelihood that a
bank's technology is flexible enough to adapt to future needs of the bank and its customers.
There are three basic components of an effective planning process for technology-
related applications:
(1) Involve the board of directors and senior management in decision-making
throughout the planning process;
(2) Gather and analyze relevant information regarding new and existing
technologies; and
(3) Assess needs and review relevant options.
These components serve to stimulate thoughtful analysis and to ensure coordination
and project integration among all interested parties. For banks with more complex
operations, the interested parties may include technology specialists, marketing
representatives, business managers, and senior management.
Banks that use technology extensively, particularly large banks, should have
sufficient expertise and knowledge among managers and staff to provide critical review and
oversight of technology projects and to manage risks associated with them. Projects should
be coordinated to ensure that they adhere to appropriate policies, standards, and risk
management controls. In addition, senior managers with knowledge of the bank's
technology initiatives should report periodically to the board of directors on technology-
related initiatives.
71 Technology planning often involves strategic, business, and project planning. The strategic plan establishes the overall role of
technology as it relates to the bank's mission and assesses the type of technology that a bank needs to fulfill that role. The business plan
integrates the new technology into existing lines of business and determines the level of technology best suited to meet the needs of particular business lines. The project plan establishes resource needs, time lines, benchmarks, and other information necessary to convert
the business plan into operation. The review and planning cycle may vary depending on the type of institution and its uses of different
types of technologies.
Gather and Analyze Information: as part of the process of gathering and analyzing
information:
• Banks should review their existing systems (inventory existing systems and
operations) to determine whether they satisfy current and projected bank needs. They
also should evaluate how new technologies will fit into existing systems and whether
additional changes to those systems will be necessary to accommodate the new
technologies.
• Bank management should assess current and developing industry standards
in determining whether to implement specific technologies. Technical standards help to
ensure that systems are compatible and interoperable.
• Timing is critical because there are risks in deploying new technologies too
slowly or too rapidly; management should therefore determine the right time to deploy new
technology.
Assess Needs and Review Options: in this stage, bank management should carefully
assess its technology needs and review its options within the context of overall
planning. Management should consider carefully whether the necessary resources, time,
and project management expertise are available to complete any new
technology proposal successfully. Prior to adopting new technologies, bank management should
identify weaknesses or deficiencies in the bank's ability to use them. Management also
should consider whether staff could operate both new and existing systems at the same
time. These considerations will help management to choose the type and level of
technology best suited to support its key business needs and objectives.
Banks should use caution in establishing project objectives and should ensure that
the objectives are neither too ambiguous nor too ambitious. Management should control
the bank's risk exposure through practical planning. This planning may include dividing up
projects into manageable segments and establishing specific decision points as to whether a
project should be modified or terminated. Planning also should establish contingency and
exit plans in the event a new project does not proceed as planned.
3.11.3.2 Implement
Management should put in place controls that ensure proper implementation. Proper
implementation of projects and initiatives is needed to convert plans into better products
and services, delivery channels, and processes. Banks should establish the necessary
controls to avoid operational failures and unauthorized intrusions, which could result in
increased losses and damaged reputation. At a minimum, management should establish
technology standards that set the direction for the bank in terms of the overall structure or
architecture of its technology systems.
Management should establish priorities to ensure proper coordination and
integration of projects among managers, work units, and team members. Proper project
implementation includes controls, policies and procedures, training, testing, contingency
planning, and proper oversight of any outsourcing. Management should provide clearly
defined expectations, including user and resource requirements, cost estimates, project
benchmarks, and expected delivery dates. Proper project monitoring by all relevant
parties is important. Project managers should inform senior management of obstacles as
early as possible to ensure that proper controls are in place and corrective action can be
taken to manage risk exposure.
3.11.3.3 Controls
Banks should adopt adequate controls based on the degree of exposure and the
potential risk of loss arising from the use of technology. Controls should include clear and
measurable performance goals, the allocation of specific responsibilities for key project
implementation, and independent mechanisms that will both measure risks and minimize
excessive risk-taking. These controls should be re-evaluated periodically.
Bank information system security controls are particularly important. Security
measures should be clearly defined with measurable performance standards. Responsible
personnel should be assigned to ensure a comprehensive security program. Bank
management should take necessary steps to protect mission-critical systems from
unauthorized intrusions. Systems should be safeguarded, to the extent possible, against
risks associated with fraud, negligence, and physical destruction of bank property. Control
points should include facilities, personnel, policies and procedures, network controls,
system controls, and vendors. For example, security access restrictions, background checks
on employees, separation of duties, and audit trails are important precautions to protect
system security within the bank and with vendors. As technologies and systems change or
mature, security controls may need to change periodically as well.
3.11.3.4 Policies and Procedures
Management should adopt and enforce appropriate policies and procedures to
manage risk related to a bank's use of technology. The effectiveness of these policies and
procedures depends largely on whether they are in practice among bank personnel and
vendors. Testing compliance with these policies and procedures often helps banks correct
problems before they become serious. Clearly written and frequently communicated
policies can establish clear assignments of duties, help employees to coordinate and
perform their tasks effectively and consistently, and aid in the training of new employees.
Bank management should ensure that policies, procedures, and systems are current and well
documented.
3.11.3.5 Expertise and Training
Management should have a plan to ensure that key employees and vendors have
the expertise and skills to perform necessary functions and that they are properly trained.
Management should allocate sufficient resources to hire and train employees and to ensure
that adequate back-up exists if a critical person leaves. Training may include technical
course work, attendance at industry conferences, participation in industry working groups,
as well as time allotment for appropriate staff to keep abreast of important technological
and market developments. Training also includes outreach to customers to ensure that a
bank's customers understand how to use or access a bank's technology products and
services and that they are able to do so in an appropriate and sound manner.
3.11.3.6 Testing
Management should thoroughly test new technology systems and
products. Testing validates that equipment and systems function properly and produce the
desired results. As part of the testing process, management should verify whether new
technology systems operate effectively with the bank's older technology and, where
appropriate, should include vendors. Pilot programs or prototypes can be helpful in
developing new technology applications before they are used on a broad scale. Testing
should be conducted periodically to help manage risk exposure.
3.11.3.7 Contingency Planning and Business Continuity
Bank systems should be assessed to determine whether they are designed to reduce
bank vulnerability to system failures, unauthorized intrusions, and other problems. Back-up
systems should exist and should be fully maintained and tested on a regular basis to
minimize the risk of system failures and unauthorized intrusions. Equipment
failure and human error are possible in all systems. This risk may result from sources both
within and beyond the bank's control. System failures and unauthorized intrusions may
result from design defects, insufficient system capacity, and destruction of a facility by
natural disasters or fires, security breaches, inadequate staff training, or uncontrolled
reliance on vendors.
Business continuity plans should be in place before a bank implements new
technology. They should establish a bank's course of action in the event of a system failure
or unauthorized intrusions and should be integrated with all other business continuity plans
for bank operations. The plan may address data recovery, alternate data-processing
capabilities, emergency staffing, and customer service support. Management should
establish a communications plan that designates key personnel and outlines a program for
employee notification. The plan should include a public relations and outreach strategy to
respond promptly to customer and media reaction to system failure or unauthorized
intrusions. Management also should plan for how it may respond to events outside the bank
that may substantially affect customer confidence, such as an operational failure
experienced by a competitor that relies on similar technology.
3.11.3.8 Outsourcing
Bank management's efforts should be assessed to ensure that all necessary controls
are in place to manage risks associated with outsourcing and external alliances.
Management should ensure that vendors have the necessary expertise, experience, and
financial strength to fulfill their obligations. They also should ensure that the expectations
and obligations of each party are clearly defined, understood and otherwise enforceable.
For example, management should make certain that the bank has audit rights for vendors so
that the bank can monitor performance under the vendor contract.
The key elements of proper project implementation apply whether a bank relies on
employees, vendors, or a combination to develop and implement projects. Failure to
establish necessary controls may result in compromised security, substandard service, and
the installation of incompatible equipment, system failure, uncontrolled costs, and the
disclosure of private customer information. If a bank joins or forms alliances with other
banks or companies, management should perform adequate due diligence to ensure that the
joint-venture partners are competent and have the financial strength to fulfill their
obligations. Adequate bank resources will be required to monitor and measure
performance under the terms of any third-party agreement.
3.11.4. Measure and Monitor Performance
Management should monitor and measure the performance of technology-related
products, services, delivery channels, and processes in order to avoid potential operational
failures and to mitigate the damage that may arise if such failures occur.
Management should establish controls that identify and manage risks so that
the bank can adequately manage them. To ensure accountability, management should
specify which managers are responsible for the business goals, objectives, and results of
specific technology projects or systems and should establish controls, which are
independent of the business unit, to ensure that risks are properly managed. Technology
processes should be reviewed periodically for quality and compliance with control
requirements.
3.11.4.1 Auditing
The adequacy of audits in identifying and managing technology-related risks
should be assessed. Auditors provide an important control mechanism for detecting
deficiencies and managing risks in the implementation of technology. They should be
qualified to assess the specific risks that arise from specific uses of technology. Bank
management should provide auditors with adequate information regarding standards,
policies, procedures, applications, and systems. Auditors should consult with bank
management during the planning process to ensure that technology-related systems are
audited thoroughly and in a cost-effective manner.
3.11.4.2 Quality Assurance
Bank management should establish procedures to ensure that quality assurance
efforts take place and that the results are incorporated into future planning in order to
manage and limit excessive risk taking. These procedures may include, for example,
internal performance measures, focus groups and customer surveys. Quality assurance
should be reviewed whenever the bank engages in a significant combination with another
institution or acquires another business.
As part of both planning and monitoring, banks must establish clearly defined
measurement objectives and conduct periodic reviews to ensure that goals and standards
established by bank management are met. Goals and standards should include an emphasis
on data integrity, which is essential to any effective use of technology. Information should
be complete and accurate both before and after it is processed. This is a particular concern
in any significant merger with other institutions or acquisition of other businesses. Control
of technology projects is complex because of the difficulty in measuring progress and
determining actual costs. It is important that bank management establish benchmarks that
are appropriate for particular applications. Ultimately, the success of technology depends
on whether it delivers the intended results.
3.11.5. Internet Banking Risks
The Internet is not simply another distribution channel for the financial institution's
products, and offering banking services on the Internet is not as simple as adding a new
branch. Further, the risks presented by Internet banking extend beyond the realm of
firewalls and access controls. It cannot be overstated that the risks of offering Internet
banking need to be actively evaluated and addressed by the Board; mere reliance upon
technical "gurus" will not suffice.
Beyond the highly publicized concerns regarding hackers and viruses that can
threaten the institution's performance, Internet banking heightens various types of
traditional risks. A complete understanding of how these general business risks affect the
financial institution - and, potentially, its directors - must be considered and addressed
before senior management and the Board approve a plan to implement an Internet banking
platform.
Regulators outline six general business risk categories (strategic, operational,
reputation, transactional, compliance, and credit) that may be impacted by implementing an
Internet banking program. These risk categories are discussed briefly below, with emphasis
on directors' duties and responsibilities.
3.11.5.1. Strategic Risk
Expanding into Internet banking requires as much, if not more, strategic evaluation
and planning by management as expanding existing banking services into a new geographic
or economic area. Strategic risk may arise from a lack of appropriate planning and
implementation of Internet technology or from a failure to adequately evaluate how Internet
banking will impact the institution's overall business strategy. Poor financial performance
arising from a badly designed website or from over-commitment of the institution's
resources to Internet banking at the expense of more traditional activities can result in
impaired earnings and/or capital, ultimately giving rise to shareholder class action lawsuits
or regulatory actions against your directors.
3.11.5.2. Operational Risk
Universal access to the Internet eliminates traditional geographic boundaries, and
provides a larger pool of potential customers compared to conventional forms of marketing.
Internet customers have a greater tendency to shop for the best rates and terms and may
exhibit little or no loyalty to a particular institution. This can increase deposit volatility
arising from shifts in interest rates. Further, a financial institution may be exposed to price
risk if it uses the Internet to create or expand its deposit brokering, loan sales or
securitization programs. Consequently, the institution must be ready to respond quickly to
changes in market conditions, must have appropriate asset/liability and loan portfolio
management systems in place, and may need to increase monitoring of liquidity and
fluctuations in the loan and deposit ratio.
Since Internet banking broadens the institution's pool of potential customers, it also
increases the risk of being sued in an unfriendly or inconvenient venue. The effect of such
broadened exposure on the financial institution's resources and the ability of the institution
to respond to suits in distant jurisdictions must be fully evaluated. Consideration should be
given to limiting the financial institution's exposure through geographic restrictions of
customers.
3.11.5.3. Reputation Risk
Negative publicity about a financial institution's Internet banking services can affect
relationships with existing and potential customers, lead to expensive litigation, and impair
earnings and capital. Damage to the institution's reputation can occur if its Internet banking
program is not user-friendly or is unreasonably slow. Reports of unauthorized access to
information via the financial institution's website can create concerns about the
confidentiality of customers' financial information. Loss of communications or other
system failures can also impact the bank's reputation.
Hyperlinks to third-party websites may be viewed by financial institution customers
as an endorsement of the products, services or information on the third-party's website. To
mitigate potential problems arising from acts of the third-party (i.e., if the third-party site
contains inaccurate or offensive information), the website should make it clear to users
when they are leaving the website and transferring to the site of another entity with proper
disclaimers of liability. The institution should also have procedures in place to evaluate the
websites of third parties before and after any link is established.
3.11.5.4. Transactional Risk
Transactional risk is the risk to earnings and capital resulting from fraud, error, or
inability to deliver the product or service. In an Internet banking environment, the
institution is exposed to significant transactional risk due to potential deficiencies in system
reliability and integrity, internal (employee) and external (hacker) security breaches, poor
design, implementation and maintenance, and customer misuse, both intentional and
unintentional.
Additional transactional risk results from the need to outsource many Internet-
related activities to third-party service providers, whose practices are beyond the immediate
control of the institution. The inability of a vendor to provide reliable, secure service for
any reason or the vendor's failure to maintain confidentiality of customer data can result in
claims against the institution.
3.11.5.5. Compliance Risk
Compliance risk arises from potential violations of the many statutes, rules and
regulations to which the financial services industry is subject. Violations of these rules
expose the institution, and possibly its directors, to fines, civil money penalties, civil
damages and regulatory orders. Violations can also lead to reputation damage, loss of
business opportunities, reduced earnings and lack of contract enforceability. In general, all
of the statutes, rules and regulations that apply to "brick and mortar" banking also apply to
banking services provided on the Internet.
However, it is not always clear how laws and regulations designed for a "brick and
mortar" institution should be implemented in the changing technological environment of an
Internet website. Thus, the risk associated with compliance with the myriad statutes, rules
and regulations to which all financial institutions are subject is heightened when the
institution provides services or information on the Internet. If Internet banking services are
provided to customers in foreign countries, regulatory compliance is further complicated
since these countries may seek to apply their laws and regulations to a foreign bank
conducting transactions with a customer located in that country.
3.11.5.6. Credit Risk
Credit risk is the risk of financial loss to the institution resulting when a borrower or
other obligor fails to meet contractual obligations. The inherent lack of personal contact,
potential geographic distance and difficulties of verifying collateral and perfecting security
agreements magnify credit risk in the Internet banking scenario. Concentration in out-of-
area credits or credits within a single industry provide additional risk. Analysis of credit
risk is further complicated by the unsettled question of which state or country's law controls
an Internet relationship. The Board must ensure that its directors understand the risks
associated with Internet lending transactions and that their lending policies, procedures and
practices adequately address the unique risks associated with such transactions.
3.11.6. Risk Management Tools
Once management has assessed the risks of elevating an Internet banking platform
and decided to proceed with offering Internet banking services, the following risk
management tools are necessary to ensure that the safety and soundness of the institution
are preserved.
Management Oversight
Strategic Plan
Vendor Due Diligence
Audit and Internal Controls
Compliance Review
Insurance
3.11.6.1 Management Oversight
Consistent with its other duties to the institution, the Board of Directors bears the
ultimate responsibility for the deployment of electronic systems and should approve the
overall business and technology strategies. The heightened risks inherent in Internet
banking - stemming from global access to confidential and proprietary information, rapidly
advancing technology, significant allocation of resources and reliance on vendor
competence - compel active Board oversight.
This process involves undergoing a comprehensive risk analysis and feasibility
study, formalizing a Strategic Plan, and developing appropriate written policies and
procedures. The Strategic Plan should be reviewed at least annually and updated as needed
to address technological advances and material changes or major deviations. As always,
documentation of all critical aspects of the process should be detailed in the Board minutes.
Documentation of this process is a critical component in formulating a defense using the
Business Judgment Rule.
Management should have the authority and resources to implement the Internet
banking plan; however, failure of the Board to oversee its direction and continuously
monitor the implementation against the Strategic Plan can result in not only risk to the
integrity of the institution, but also personal liability for directors and officers. In the face
of any potential exposures, management involvement and Board oversight are evidenced
through:
Board minutes documenting director discussions regarding the planning
process;
A written Strategic Plan formalizing the Internet banking plan;
Documentation of the risk analysis and steps taken to mitigate risks; and
Implementation of adequate policies and procedures.
3.11.6.2 Strategic Plan
In a recent survey of community banks involved in Internet banking, 52% did not
have a Strategic Plan. Such a plan is critical to ensure that the Board of Directors performs
adequate due diligence. Just like any other Strategic Plan, the Internet banking
Strategic Plan should be reviewed regularly and modified as necessary, both pre- and post-
implementation, and issues and their resolutions presented to senior management and the
Board. A Strategic Plan must be dynamic and reflect the experience and forward vision of
the institution, or it will not be effective as a tool for managing the risks inherent in the
undertaking.
3.11.6.3 Vendor Due Diligence
Financial institutions venturing into the Internet arena rely heavily on external
vendors to provide technological expertise beyond the grasp of the financial institution's
management. Reliance on a third-party to perform critical functions, particularly in the
Internet arena, demands that management scrutinize the vendor very closely to ensure that
it meets the institution's needs and minimizes potential exposures. Due diligence must take
into consideration the following four areas:
Expertise, Reputation and Service Expectations: The vendor must possess the
technical expertise to provide and service the Internet banking program. While management
will not likely possess the technical expertise to evaluate the vendor's abilities, due diligence
should include researching regulatory and independent third-party reviews, as well as peer
references.
Regulators conduct intensive reviews of all major vendors that provide Internet banking
products. They require that all Internet banking vendors undergo an external audit and
security assessment, the results of which are available to management. There may also be
other vendor information available to assist you in your efforts. For example, the Banking
Industry Technology Secretariat (BITS), in an effort to further the growth and safety of
Internet banking, has developed criteria by which a vendor can obtain a BITS "tested
mark", ensuring that the vendor and its products have met established security criteria.
As with all outsourcing arrangements, it is prudent to consult with the vendors' customers
to gauge post-implementation satisfaction. You should also contact state and national
industry associations to collect any available information about potential vendors. Be sure
to document your efforts and ultimate decisions regarding your choice of an Internet
banking vendor.
Security, Monitoring Reports and Systems Testing: Security precautions,
including firewalls, encryption and intrusion detection, as well as contingency disaster
recovery plans for the Internet banking vendor, must be adequate to safeguard both the
assets of the institution and the integrity of its data. Further, audit reports and systems
monitoring reports should not only be available, but should be reviewed by both vendor
management and the financial institution. In order to assist you in managing transaction
risk, reports should be available to monitor:
Transaction activity to look for anomalies in transaction types, volumes, values
and time-of-day presentment;
Log-on violations or attempts to identify patterns of suspect activity; and
Restricted transactions, correcting and reversing entries or unsuccessful attempts
to access restricted information.
The bank should also determine the extent and frequency of systems testing at the
vendor level. Stress testing to ensure systems capacity and vulnerability or penetration
testing should be performed on a regular basis to safeguard the financial institution's assets.
In addition, the vendor should be required to undergo periodic security audits by a qualified
third-party, and the results of those tests should be made available to management in a timely
fashion.
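The three monitoring reports listed above can be sketched as follows. This is an added example, not part of the original text or any vendor's product; the log format, event names, thresholds and sample records are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records (time, user, source IP, event, amount); not real bank data.
SAMPLE_LOG = """\
2024-03-04T10:15:00,alice,198.51.100.7,transfer,120.00
2024-03-04T11:02:00,alice,198.51.100.7,transfer,95.50
2024-03-05T09:40:00,alice,198.51.100.7,transfer,110.00
2024-03-05T14:20:00,alice,198.51.100.7,transfer,130.00
2024-03-06T02:47:00,alice,203.0.113.9,transfer,9800.00
2024-03-06T02:50:00,bob,203.0.113.9,login_failed,
2024-03-06T02:51:00,carol,203.0.113.9,login_failed,
2024-03-06T02:52:00,dave,203.0.113.9,login_failed,
2024-03-06T02:53:00,bob,203.0.113.9,login_failed,
2024-03-06T09:00:00,bob,198.51.100.20,login_failed,
2024-03-06T13:30:00,teller7,10.0.0.15,reversal,9800.00
2024-03-06T13:35:00,teller7,10.0.0.15,restricted_denied,
"""

RESTRICTED_EVENTS = {"reversal", "correction", "restricted_denied"}  # assumed event names


def parse(text):
    """Turn CSV log lines into typed records."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        ts, user, ip, event, amount = rec
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                     "event": event, "amount": float(amount) if amount else None})
    return rows


def transaction_anomalies(rows, k=5.0, day_start=6, day_end=22):
    """Report 1: transfers with an unusual value or time-of-day for that customer."""
    by_user = defaultdict(list)
    for r in rows:
        if r["event"] == "transfer":
            by_user[r["user"]].append(r)
    flagged = []
    for user, txs in by_user.items():
        amounts = [t["amount"] for t in txs]
        med = median(amounts)
        # Median absolute deviation: a baseline that one large outlier cannot distort.
        mad = median(abs(a - med) for a in amounts) or 1.0
        for t in txs:
            reasons = []
            if abs(t["amount"] - med) / mad > k:
                reasons.append("value")
            if not day_start <= t["ts"].hour < day_end:
                reasons.append("time-of-day")
            if reasons:
                flagged.append((t["ts"].isoformat(), user, t["amount"], reasons))
    return flagged


def logon_violations(rows, window=timedelta(minutes=10), threshold=3):
    """Report 2: source IPs with at least `threshold` failed log-ons inside one window."""
    fails = defaultdict(list)
    for r in rows:
        if r["event"] == "login_failed":
            fails[r["ip"]].append(r)
    report = {}
    for ip, events in fails.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > report.get(ip, {}).get("failures", 0):
                users = sorted({e["user"] for e in events[start:end + 1]})
                report[ip] = {"failures": count, "users": users}
    return report


def restricted_activity(rows):
    """Report 3: correcting/reversing entries and denied access to restricted data."""
    return [(r["ts"].isoformat(), r["user"], r["event"])
            for r in rows if r["event"] in RESTRICTED_EVENTS]


if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    print(transaction_anomalies(records))
    print(logon_violations(records))
    print(restricted_activity(records))
```

Failures from one source address spread across several user names, as in the constructed sample, are worth reviewing even when no single account reaches a lockout limit.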
Indemnification, Liability and Insurance:
Many vendor contracts disclaim vendor liability for negligence, errors and
omissions. It is therefore imperative that, in addition to standard contract provisions, the
institution have counsel review the contract language with regard to limitations of liability
and indemnification. All vendor contracts should hold the financial institution harmless for
losses resulting from vendor negligence, misconduct, and breach of security. If the vendor
contract does not contain these provisions, the institution may be assuming liability under
contract for which it would not otherwise be held legally liable.
In addition to the financial condition of the vendor, management should explore the extent
of insurance that the vendor maintains to protect itself and its customers against losses
arising from negligence, misconduct, breach of security and liability exposures.
Financial Condition:
In a recent discussion about Internet banking vendors, one community banker
expressed that "I rely on them tremendously and their contract holds them liable for any
problems that arise; however, looking at their financial condition, I'm not sure I'd make a
loan to them!" While a vendor may assume full liability by contract, financial instability
may negate any indemnification in the case of a severe loss. After the Internet banking
program is implemented, management should continue to monitor the financial condition of
the vendor on an ongoing basis. Establishing a process to monitor the institution's vendors
will help to avoid an interruption of service caused by an unanticipated decline in or
cessation of vendor operations.
3.11.6.4 Audit and Internal Controls
Many directors make the mistake of assuming that they can rely on the vendor to
provide the appropriate audit and internal controls for the Internet banking platform.
However, it is imperative that the appropriate audit and internal control procedures also be
implemented internally. If audit trails are insufficient, electronic fraud might go
undetected for a significant period of time. Regular audits of internal control systems help
ensure that internal controls are appropriate and functioning properly. The internal audit
policy should be modified to encompass all online activities, and internal controls should be
commensurate with the level of Internet risk. An objective independent review of the
institution's online banking product, through the development phase and ongoing operation,
is also critical to detect any weaknesses in security or operations. Therefore, management
should ensure that both the internal and external audit functions are adequately
comprehensive and encompass all electronic banking activities.
3.11.6.5 Compliance Review
To ensure that the institution minimizes compliance risk when introducing any type
of Internet service, the compliance officer should be involved throughout the development
and implementation stages to ensure that all relevant compliance issues are addressed. It is
critical that institutions providing electronic delivery services maintain an in-depth
knowledge of the continuously evolving statutes and regulations as they are modified to
address Internet banking.
Ensuring that the Internet banking vendor has an understanding of compliance
issues is also important in laying the groundwork for compliance. Continuous monitoring
of developments in banking regulations is a process that all financial institutions must have
in place. How these banking rules and regulations impact Internet banking and the website
should be incorporated into the regular compliance review function.
3.11.6.6 Insurance
Even with the best review and controls in place, losses may occur. As a safety net,
the institution's insurance program should be reviewed very closely to ensure that losses
stemming from Internet banking are covered to the fullest extent possible. At the very least,
the Board should consult with an insurance professional to determine the scope of existing
coverage. It may be appropriate to increase the limits on your existing insurance policies or
purchase an "e-insurance" policy to cover your Internet banking exposure. Before you
review your insurance portfolio with your insurance professional, be sure that you
understand the types of products and services offered over the Internet, functionality of the
website, customer base, reliance upon third-party service providers, contractual
arrangements, and use of web technology. When you review your insurance portfolio, you
will find that the insurance industry has not kept pace with technological change; therefore,
existing policies may not cover, or only partially cover, losses resulting from Internet
banking.
Section 3.12:
Value at Risk (VaR)
3.12.1 Introduction
3.12.2 What is VaR?
3.12.3 VaR parameters
3.12.4 Use of VaR in Risk Measures
3.12.5 Determining VaR
3.12.6 Risk Metrics
3.12.7 Introduction
Measuring the risks associated with being a participant in the financial markets has become
the focus of intense study by banks, corporations, investment managers and regulators. Certain
risks, such as counterparty default, have always figured at the top of most banks' concerns. Others,
such as market risk (the potential loss associated with market behavior), have only been in the
limelight over the past few years.
Imagine selling a product or making a loan to your customer because it has the proper
correlation. Imagine that your customer issues debt in a foreign currency and needs a
hedge based on decreasing exposure to price movements. Does fixed debt provide the right
correlation or is a currency swap, long dated forward or a basket option the most
appropriate hedge? If you know your customer's Value at Risk (VaR) parameters, you can
answer the question.
In economics and finance, VaR is a measure (a number) saying how much the market value of an
asset or of a portfolio of assets is likely to decrease over a certain time period (usually over
1 day or 10 days) under usual conditions. It is typically used by security houses or
investment banks to measure the market risk of their asset portfolios (market value at
risk), but is actually a very general concept that has broad application.
VaR is a relatively new tool in the effort to measure risk. We have been following
the development of and discourse on VaR since 1994, when J.P. Morgan developed the first
set of standardized assumptions (called RiskMetrics) for use by VaR models. While we
have never used a VaR methodology for institutional portfolios, we have made similar
calculations with portfolio analytics. Our long-term estimates of portfolio returns in the 5th
percentile are analogous to a VaR estimate, in that it is a descriptor of "downside risk." We
believe that VaR is more suited to day-to-day portfolio monitoring, and not easily applicable
to long-term institutional portfolios.
VaR analysis began in the early 1990s as a way for Wall Street firms to estimate
their daily exposure to trading losses. In 1995 the Basle Capital Accord endorsed the use of
VaR in determining capital requirements for banks, lending credibility to the practice. The
Securities and Exchange Commission also forwarded VaR as one of three possible methods
for the disclosure of derivative exposure by U.S. corporations.
The goal of VaR is to calculate the expected down-side loss over a specified time
period with a specified degree of certainty. A common time period used for VaR is one day
or one month, since it has been used largely by traders and financial institutions with
multi-currency portfolios. Confidence levels are usually calculated at the 95th and 99th percentiles. Part
of the basic foundation for VaR comes from Modern Portfolio Theory (MPT). The
calculations implicitly include the volatility-dampening effects of diversification when
examining a multi-asset or multi-currency portfolio. For an international bank, this means
recognizing that stocks and bonds denominated in various currencies will not all move in
the same direction (and to the same degree) at once. It also allows a bank to summarize its
risk from various assets into one measure denominated in the bank's home currency.
Value-at-Risk (VAR) is a method of measuring the financial risk of an asset,
portfolio, or total exposure of banks or an institution over some specific period of time.
VAR produces a summary risk measure across different financial instruments and business
activity. For a financial institution, VAR considers interest rate risk, credit risk, foreign
exchange risk, etc. This measure is typically used as an approximation of the maximum
reasonable loss banks or an institution can expect to realize from all its financial exposures.
VAR has been accepted by the Basle Committee, the international organization for
uniform risk management of banks for the G-10 countries. The Basle Committee first
developed criteria for risk-rating assets on- and off-balance sheet for G-10 banks in 1988.
In recent years the committee re-addressed the risk criteria and decided that VAR would
be the new risk measurement standard for G-10 banks beginning in 2000.
3.12.8 What is VaR?
Value-at-Risk is a summary statistic that quantifies the exposure of an asset,
portfolio or entire institution to market risk, or the risk that a position declines in value with
adverse market price changes. To arrive at a VAR measure for a given portfolio, banks or
an institution must first generate a probability distribution of possible changes in the value
of some portfolio over a specific time or 'risk horizon' (e.g. one day). The value at risk of
the portfolio is the dollar loss corresponding to some pre-defined probability level (usually
5% but may be less) as defined by the left-hand tail of the distribution.
One feature of VAR is its consistent measurement of financial risk. By expressing
risk using a possible dollar loss metric, VAR makes possible direct comparisons of risk
across different business lines and distinct financial products (e.g. interest rate or currency
swaps). In addition to consistency, VAR also is probability based. With whatever degree of
confidence banks or an institution wants to specify, VAR enables the firm to associate a
specific loss with that level of confidence. Therefore, VAR measures can be interpreted as
forward-looking approximations of potential market risk. A third feature of VAR is its
reliance on a common time horizon called the risk horizon.
The literature on VaR has developed greatly in the last few years. Several articles
calculate the estimate of market risk on the basis of VaR, using various methods. Lopez
(1996) compares these methods, and assesses the accuracy of each one. Jackson et al.
(1997) examine the possibility of predicting the variance of risk factors (interest rates, share
prices, and exchange rates), and compare parametric and non-parametric methods of
measuring VaR, while Crnkovic and Drachman (1996) examine the possibility of
predicting all the parameters of distribution of risk factors. Bassi et al. (1996) discuss the
difficulties of estimating the probability that exceptional events will occur, and recommend
preferring the use of extreme values rather than the accepted methods of calculating VaR.
Kupiec (1995) ran backtesting for the VaR model, examining the length of time that passed
until the first failure of the estimate, as well as performance tests for the failure rate. At a
later stage the Basle Committee adopted these tests as the basis for examining banks'
internal models. These studies do not provide clear statistical tests of the accuracy of each
of the estimation methods, and most of them deal neither with the capital requirement,
which is derived from the various methods of calculating variance, nor with the subject of
the use of historical market data rather than simulations.
Other studies investigate the advantages and disadvantages of each method as regards the
following aspects: time of calculation vis-à-vis accuracy of estimates (Pritsker, 1997);
adaptation to different geographical regions (Powell and Balzarotti, 1996); the effect of
financial instruments included in the trading book (Aussenegg and Pichler, 1997). Among
the studies that examined the application of VaR models in different countries, that of
Powell and Balzarotti (1996), which compares the application of VaR models and the
standard approach in several Latin American countries, is particularly interesting. To some
extent, the current study takes a similar approach, as there are greater similarities between
the macroeconomic characteristics of some western countries (the G10) that use VaR models.
Powell and Balzarotti (1996) reach the conclusion that the standard approach is preferable
to the various VaR models for the purposes of supervisory bodies, but this is merely an
assessment.
The various internal models make several assumptions and use different
measurement tools, which could produce varying results for the same set of market
parameters and positions in the trading book. Furthermore, VaR models are highly sensitive
to assumptions and the way data are estimated, especially in the context of assets that are
not basically linear, such as derivatives (Marshall and Seigel, 1997). Marshall and Seigel
note that this sensitivity, and the freedom banks have to determine the formation of the
internal models, could expose the supervisory and banking systems to 'implementation
risk.' Thus, the wide variety of points that have to be taken into account when estimating
VaR, and the considerable freedom of choice the authorities give the banks that adopt
internal models, could give rise to implementation risk, i.e., significant differences in
results for identical portfolios and the same market parameters, as is in fact reported by
Marshall and Seigel (1997).
A variety of models exist for estimating VaR. Each model has its own set of
assumptions, but the most common assumption is that historical market data is our best
estimator for future changes. Several articles [72] compare the standard approach to estimating
market risk, as presented by the Basle Committee, with the VaR model, which is based on
three main approaches:
(a) variance-covariance (VCV), assuming that risk factor returns are always
(jointly) normally distributed and that the change in portfolio value is linearly dependent on
all risk factor returns,
(b) the historical simulation, assuming that asset returns in the future will have the
same distribution as they had in the past (historical market data),
(c) Monte Carlo simulation, where future asset returns are more or less randomly
simulated.
72 Hendricks (1996), Pritsker (1997), Linsmeier and Pearson (1996), Jackson et al. (1997), and Aussenegg and Pichler (1997).
To estimate the VAR of a portfolio, possible future values of that portfolio must be
generated, yielding a distribution called the VAR distribution. Once the VAR distribution is
created for a chosen risk horizon, the VAR itself is just a number on the curve (i.e. the
change in value of the portfolio leaving the specified amount of probability in the left-hand
tail).
Creating a VAR distribution for a particular portfolio and a given risk horizon can
be viewed as a two-step process. First, the price or return distributions for each individual
security or asset in the portfolio must be generated. These distributions represent possible
value changes in each of the component assets in the portfolio over the risk horizon. Assets
are assumed to have linear payoffs. If an asset's payoff is non-linear (e.g. a bond
option) then one must first generate changes in the underlying bond's price and its volatility
and then compute associated option price changes rather than generating option price
changes directly. Next, the individual distributions must be aggregated into a portfolio
distribution using appropriate measures of correlation. The resulting portfolio distribution
then serves as the basis for the VAR summary measure.
An assumption in VAR calculations is that the portfolio whose risk is being
evaluated does not change over the risk horizon. This is probably not a bad assumption if
the time horizon is short, such as one day. However, it would probably not be a good
assumption over long time horizons, such as one year.
3.12.9 VaR parameters
VaR has three parameters:
The time horizon (period) we are going to analyze (i. e. the length of time over
which we plan to hold the assets in the portfolio - the "holding period"). The typical
holding period is 1 day, although 10 days are used, for example, to compute capital
requirements under the European Capital Adequacy Directive (CAD). For some problems,
even a holding period of 1 year is appropriate.
The confidence level at which we plan to make the estimate. Popular confidence
levels usually are 99% and 95%.
The unit of the currency which will be used to denominate the VaR.
VaR, with the parameters: holding period x days; confidence level y%, measures what will
be the maximum loss (i. e. decrease in portfolio market value) over x days, if one assumes
that the x-days period will not be one of the (100 − y)% x-days periods that are the worst
under normal conditions. One can also define VaR as a lower y% quantile of a profit/loss
probability distribution, i.e., it is a best outcome from a set of bad outcomes on a bad day.
Note that VaR cannot anticipate changes in the composition of the portfolio during the day.
Instead, it reflects the riskiness of the portfolio based on the portfolio's current composition.
Example
Consider a trading portfolio. Its market value in US dollars today is known, but its market
value tomorrow is not known. The investment bank holding that portfolio might report that
its portfolio has a 1-day VaR of $5 million at the 95% confidence level. This implies that
(provided usual conditions will prevail over the 1 day) the bank can expect that, with a
probability of 95%, the value of its portfolio will decrease by 5 million or less during 1 day,
or in other words: it can expect that with a probability of 5% (i. e. 100%-95%) the value of
its portfolio will decrease by more than 5 million during 1 day. Stated yet differently, the
bank can expect that the value of its portfolio will decrease by 5 million or less on 95 out of
100 usual trading days, in other words by more than 5 million on 5 out of every 100 usual
trading days.
3.12.10 Use of VaR in Risk Measures
To understand when a VaR calculation is useful we must look at the assumptions
underlying the calculation. The premise underlying VaR is that there is a set of random
variables that affect the value of our portfolio and that it is possible to determine the future
statistical properties of these variables.
VaR seems most useful as a risk measure in liquid markets. Invariably we end up
assuming that the future will be like the past and that we can observe the past sufficiently
clearly to determine its statistical properties. These assumptions seem to work well in liquid
markets that are actively traded. For instance, we have enough observations to show that
the statistical properties of stock prices do not change too much over time, and that the
changes that occur seem to be fairly gradual in general. Thus, we can have reasonable
confidence that recent stock price history allows us to forecast the near future statistical
behavior of stock prices. In liquid, active markets we can use VaR to measure how much
risk or exposure we are willing to take on. It provides a reasonably good measure of the
likely worst-case loss that we will face and if this loss occurs we can use the market
liquidity to terminate further losses.
In less liquid markets VaR does not seem to be as useful a risk measure for several
reasons. It is usually not possible to observe enough transactions to determine what the
statistical properties of the market are. For instance, in the real estate market there are quite
a few transactions but liquidity is not high and each transaction is to some extent unique.
For any particular real estate asset not only do we not know how the prices may vary over
time but we may be reasonably uncertain about the current value of the asset.
Even if we knew the statistical properties of the market, the lack of liquidity means
that it might take several months to sell our portfolio. In this case we would have to forecast
our loss limits over this much greater time span. However, as we try to predict farther into
the future our predictions become much more uncertain. The way prices behave may
change slowly but it does change. Three weeks from now the market may be much more or
less volatile than it is now.
In summary VaR seems to be most useful as a risk control for actively managed
portfolios in liquid markets. In these circumstances it provides a plausible measure of how
large the losses might be before mitigating action can be instigated. Even in these
circumstances VaR is not an infallible risk measure. There are rare occasions when the
nature of the market changes drastically in a very short space of time. The dramatic one-day
decline of global equity markets in October 1987 is a good illustration of such an event.
The risk of this type of event is not captured by VaR measures. Often the VaR analysis is
augmented with stress scenarios of this type, to measure the catastrophic risks that a portfolio faces.
The purpose of any risk measurement system and summary statistic is to facilitate
risk reporting and control decisions. The popularity of VAR owes much to Dennis
Weatherstone, former chairman of J.P. Morgan & Co., Inc., who demanded to know the
total market risk exposure of the firm by 4:15 pm every day. The demand was met by the
creation of RiskMetrics, a program that provided the required information.
Commercial banks use VAR measures to quantify current trading exposures and
compare them to established counter-party risk limits. Further, VAR can assist banks in
monitoring their customer credit exposure, in setting exposure limits, and in determining
and enforcing collateral requirements. Increasingly, banks are using VAR as a monitoring
tool for detecting unauthorized increases in certain off-balance sheet positions.
However, for intermediaries whose mission is to take some risks (for banks this
would be credit risks), VAR measures of risk are meaningful only when interpreted
alongside estimates of corresponding potential gains.
3.12.11 Determining VaR
Calculating VAR is easy once you have generated the probability distribution for
future values of the portfolio. Creating that VAR distribution can be difficult. There are
numerous methods for calculating the VAR distribution, ranging from the simple variance-based
approaches to the more esoteric conditional-variance models. We will focus on RiskMetrics.
In all the methods VaR is calculated on the same schematic basis: first, basic
parameters, such as the period of the sample, the holding period, and the confidence level,
are set; then the relevant risk factors are selected and risk mapping is undertaken; finally,
VaR is calculated. One of the main problems in estimating market risks by means of VaR is
calculating the contribution of each risk factor to the total risk in the portfolio. For this
purpose, the effect on the value of the portfolio of a change in each of the risk factors, or in
the position of each asset, must be calculated holding everything else constant.
The methods for calculating VaR are usually divided into two:
1. Parametric and;
2. Nonparametric.
How to Calculate Value-at-Risk
VAR IN CONCEPT
A conceptual illustration of VaR is given at Fig. 1. A market risk estimate can be
calculated by following these steps:
Fig. 1
1. Value the current portfolio using today's prices, the components of which
are "market factors". For example the market factors that affect the value of a bond
denominated in a foreign currency are the term structure of that currency's interest rate
(either the zero coupon curve or the par yield curve) and the exchange rate;
2. Revalue the portfolio, using alternative prices based on changed market
factors and calculate the change in the portfolio value that would result.
3. Revaluing the portfolio using a number of alternative prices gives a
distribution of changes in value. Given this a portfolio value-at-risk can be specified in
terms of confidence levels;
4. The risk manager can calculate the maximum the bank can lose over a
specified time horizon at a specified probability level.
In implementing VaR the main problem is finding a way to obtain a series of
vectors of different market factors. We will see how the various methodologies try to
resolve this issue for each of the three methods that can be used to calculate VaR.
3.12.5.1 HISTORICAL METHOD
Values of the market factors for a particular historical period are collected and
changes in these values over the time horizon are observed for use in the calculation. For
instance if a 1-day VaR is required using the past 100 trading days, each of the market
factors will have a vector of observed changes that will be made up of the 99 changes in
value of the market factor. A vector of alternative values is created for each of the market
factors by adding the current value of the market factor to each of the values in the vector
of observed changes.
The portfolio value is found using the current and alternative values for the market
factors. The changes in portfolio value between the current value and the alternative values
are then calculated. The final step is to sort the changes in portfolio value from the lowest
value to highest value and determine VaR based on the desired confidence interval. For a
one day, 95% confidence level VaR using the past 100 trading days, the VaR would be the
95th most adverse change in portfolio value.
3.12.5.2.1 SIMULATION METHOD
The first step is to define the parameters of the distributions for the changes in
market factors, including correlations among these factors. Normal and lognormal
distributions are usually used to estimate changes in market factors, while historical data is
most often used to define correlations among market factors. The distributions are then
used in a Monte Carlo simulation to obtain simulated changes in the market factors over the
time horizon to be used in the VaR calculation.
A vector of alternative values is created for each of the market factors by adding the
current value of the market factor, to each of the values in the vector of simulated changes.
Once this vector of alternative values of the market factors is obtained, the current and
alternative values for the portfolio, the changes in portfolio value and the VaR are
calculated exactly as in the historical method.
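The historical and simulation methods described above share the same final step, so the following added example (Python, not part of the original thesis) implements both for the foreign-currency bond mentioned earlier, whose market factors are an interest rate and an exchange rate. The price history, volatilities, bond terms and all function names are constructed for illustration; VaR is taken as the change in value that leaves (1 - confidence) of the outcomes in the left-hand tail.

```python
import math
import random

def tail_var(current, changes, value_fn, confidence=0.95):
    """Revalue the portfolio under current + each change vector; return VaR as a positive loss."""
    base = value_fn(current)
    pnl = sorted(
        value_fn(tuple(c + d for c, d in zip(current, chg))) - base
        for chg in changes
    )
    # Index of the change that leaves (1 - confidence) of the outcomes in the left-hand tail.
    k = int((1.0 - confidence) * len(pnl) + 1e-9)
    return max(0.0, -pnl[k])

def historical_changes(history):
    """Observed changes between consecutive days; 100 days of values give 99 changes."""
    return [tuple(b - a for a, b in zip(prev, nxt))
            for prev, nxt in zip(history, history[1:])]

def simulated_changes(sigmas, rho, n, seed=1):
    """n correlated normal changes for two market factors (zero mean is an assumption)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        z1, z2 = rng.gauss(0, 1), rng.gauss(0, 1)
        out.append((sigmas[0] * z1,
                    sigmas[1] * (rho * z1 + math.sqrt(1 - rho * rho) * z2)))
    return out

def foreign_bond_value(factors, face=1_000_000, years=2.0):
    """Home-currency value of a foreign zero-coupon bond; factors = (zero rate, FX rate)."""
    rate, fx = factors
    return face / (1.0 + rate) ** years * fx

def demo():
    # Constructed history of (zero rate, FX rate) for 100 trading days, oldest first.
    rng = random.Random(7)
    history = [(0.05, 1.50)]
    for _ in range(99):
        r, fx = history[-1]
        history.append((r + rng.gauss(0, 0.0005), fx + rng.gauss(0, 0.008)))
    today = history[-1]
    hist = tail_var(today, historical_changes(history), foreign_bond_value)
    sim = tail_var(today, simulated_changes((0.0005, 0.008), 0.0, 5000),
                   foreign_bond_value)
    return hist, sim

if __name__ == "__main__":
    print("historical 1-day 95%% VaR: %.0f, simulated: %.0f" % demo())
```

Because the bond is revalued in full for every alternative factor vector, the non-linear dependence on the interest rate is captured without any linearity assumption.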
3.12.5.2.2 VARIANCE-COVARIANCE, ANALYTIC OR PARAMETRIC METHOD
The variance-covariance, or delta-normal, model was popularized by J.P. Morgan Chase
(formerly J.P. Morgan) in the early 1990s. In the following, we will take the simple case,
where the only risk factor for the portfolio is the value of the assets themselves. The
following two assumptions make it possible to translate the VaR estimation problem into a linear
algebraic problem:
(1) The portfolio is composed of assets whose deltas are linear, more exactly: the change in
the value of the portfolio is linearly dependent on (i.e. is a linear combination of) all the
changes in the values of the assets, so that also the portfolio return is linearly dependent on
all the asset returns.
(2) The asset returns are jointly normally distributed.
The implication of (1) and (2) is that the portfolio return is normally distributed because it
always holds that a linear combination of jointly normally distributed variables is itself
normally distributed.
We will use the following notation:
means "of the return on asset i" (for σ and μ) and "of asset i" (otherwise)
means "of the return on the portfolio" (for σ and μ) and "of the portfolio"
(otherwise)
all returns are returns over the holding period
there are N assets
μ= expected value, i. e. mean
σ = standard deviation
V = initial value (in currency units)
= vector of all ωi (T means transposed)
= covariance matrix = matrix of covariances between all N asset returns, i. e. an
NxN matrix
The calculation goes as follows.
(i)
(ii)
The normality assumption allows us to z-scale the calculated portfolio standard deviation to
the appropriate confidence level. So for the 95% confidence level VaR we get:
(iii)
The benefits of the variance-covariance model are the use of a more compact and
maintainable data set which can often be bought from third parties, and the speed of
calculation using optimized linear algebra libraries. Drawbacks include the assumption that
the portfolio is composed of assets whose delta is linear, and the assumption of a normal
distribution of asset returns (i. e. market price returns).
In summary this is similar to the historical method in that historical values of market
factors are collected in a database. The next steps are then to:
Decompose the instruments in the portfolio into cash equivalent positions in more
basic instruments
Specify the exact distributions for the market factors (or "returns") and
Calculate portfolio variance and VaR using standard statistical methods.
Decompose financial instruments
The analytic method assumes that financial instruments can be decomposed or
"mapped" into a set of simpler instruments that are exposed to only one market factor. For
example a two-year UK Gilt can be mapped into a set of zero-coupon bonds representing
each cash flow. Each of these zero-coupon bonds is exposed to only one market factor - a
specific UK zero-coupon interest rate. Similarly a foreign currency bond can be mapped
into a set of zero-coupon bonds and a cash foreign exchange amount subject to movement
in the spot FX rate.
Specify distributions
The analytic method makes assumptions about the distributions of market factors.
For example the most widely used analytic method, JP Morgan's RiskMetrics, assumes
that the underlying distributions are normal. With normal distributions all the historical
information is summarized in the mean, variance and covariance of the returns (market
factors), so users do not need to keep all the historical data.
Calculate portfolio variance and VaR
If all the market factors are assumed to be normally distributed, the portfolio, which
is the sum of the individual instruments can also be assumed to be normally distributed.
This means that the portfolio variance can be calculated using standard statistical methods
(similar to modern portfolio theory), namely:
The portfolio VaR is then a selected number of portfolio standard deviations, for
example 1.645 standard deviations will isolate 5% of the area of the distribution in the
lower tail of the Normal curve, providing 95% confidence in the estimate. Consider an
example where, using historical data the portfolio variance for a package of UK Gilts is
£348.57. The standard deviation of the portfolio would be the square root of this, which is
£18.67. A 95% one-day VaR would be 1.645 x £18.67, which is £30.71.
Of course a bank's trading book will contain many hundreds of different assets, and
the method employed above, useful for a two-asset portfolio, will become unwieldy.
Therefore matrices are used to calculate the VaR of a portfolio where many correlation
coefficients are used.
Matrix calculation of variance-covariance VaR
Consider the following hypothetical portfolio, invested in two assets, as shown in
Table 1. The standard deviation of each asset has been calculated on historical observation
of asset returns. Note that returns are returns of asset prices, rather than the prices
themselves; they are calculated from the actual prices by taking the ratio of closing prices.
The returns are then calculated as the logarithm of the price relatives. The mean and
standard deviation of the returns are then calculated using standard statistical formulae.
This would then give the standard deviation of daily price relatives, which is converted to
an annual figure by multiplying it by the square root of the number of days in a year,
usually taken to be 250.
The standard equation is used to calculate the variance of the portfolio, using the
individual asset standard deviations and the asset weightings; the VaR of the book is the
square root of the variance. Multiplying this figure by the current value of the portfolio
gives us the portfolio VaR, which is £2,113,491.
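As an added illustration (not from the thesis), the Python code below carries the variance-covariance calculation from closing prices to VaR: log price relatives, covariance matrix, portfolio standard deviation as the square root of ωᵀΣω, and VaR as V × 1.645 × that figure. This is the standard delta-normal form and is stated here as an assumption; the prices, weights, portfolio value and function names are constructed and are not the Table 1 data, while `var_from_variance` reproduces the £30.71 Gilt figure from the text.

```python
import math

Z_95 = 1.645  # standard deviations isolating 5% in the lower tail (value from the text)

def log_returns(prices):
    """Returns as the logarithm of the price relatives (ratio of consecutive closing prices)."""
    return [math.log(b / a) for a, b in zip(prices, prices[1:])]

def covariance_matrix(series):
    """Sample covariance matrix (N x N) of N equally long return series."""
    n = len(series[0])
    means = [sum(s) / n for s in series]
    return [[sum((x - mi) * (y - mj) for x, y in zip(si, sj)) / (n - 1)
             for sj, mj in zip(series, means)]
            for si, mi in zip(series, means)]

def portfolio_sigma(weights, cov):
    """sqrt(w^T * Sigma * w): standard deviation of the portfolio return."""
    var = sum(wi * wj * cov[i][j]
              for i, wi in enumerate(weights)
              for j, wj in enumerate(weights))
    return math.sqrt(var)

def parametric_var(value, weights, cov, z=Z_95):
    """VaR in currency units: initial value V times z times the portfolio sigma."""
    return value * z * portfolio_sigma(weights, cov)

def var_from_variance(variance, z=Z_95):
    """VaR when the portfolio variance is already expressed in currency units."""
    return z * math.sqrt(variance)

def two_asset_demo():
    # Constructed closing prices for two hypothetical assets (not the thesis's Table 1).
    a = [100.0, 101.2, 100.4, 102.0, 101.1, 101.9, 100.8, 101.5]
    b = [50.0, 49.6, 50.1, 49.4, 49.9, 49.5, 50.2, 49.8]
    cov = covariance_matrix([log_returns(a), log_returns(b)])
    return parametric_var(10_000_000, [0.6, 0.4], cov), cov

if __name__ == "__main__":
    var, _ = two_asset_demo()
    print("Gilt example VaR: %.2f" % var_from_variance(348.57))
    print("two-asset 1-day 95%% VaR: %.0f" % var)
```

The same `portfolio_sigma` works for any number of assets, which is the reason the text moves to matrices once the book holds more than two positions.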
3.12.12 Risk Metrics
To facilitate one-day VAR calculations and extrapolate risk measures for longer risk
horizons, J. P. Morgan, in association with Reuters, began making their RiskMetrics™ data
sets. This data includes historical variances and covariances on a variety of simple assets,
called primitive assets. Most other assets have cash flows that can be 'mapped' into these
simpler RiskMetrics assets for VAR calculation purposes.
In the RiskMetrics data set, daily variances and correlations are computed using an
'exponentially weighted moving average'. Unlike the simple moving-average volatility
estimate, an exponentially weighted moving average allows the most recent observations to
be more influential in the calculation than observations further in the past. This has the
advantage of capturing shocks in the market better than simple moving averages.
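An added example (Python, not RiskMetrics code and not from the thesis) placing the exponentially weighted moving average next to an equally weighted one, on constructed daily returns that contain a single shock. The decay factor 0.94 is the value RiskMetrics documents for daily data; it does not appear in the text above and is an assumption here, as are the function names and the zero-mean treatment of returns.

```python
import math

def ewma_volatility(returns, lam=0.94):
    """EWMA volatility series: var_t = lam * var_{t-1} + (1 - lam) * r_t**2."""
    var = returns[0] ** 2          # seed the recursion with the first squared return
    vols = [math.sqrt(var)]
    for r in returns[1:]:
        var = lam * var + (1.0 - lam) * r * r
        vols.append(math.sqrt(var))
    return vols

def simple_volatility(returns, window):
    """Equally weighted moving-average volatility over the last `window` returns."""
    vols = []
    for t in range(len(returns)):
        w = returns[max(0, t - window + 1): t + 1]
        vols.append(math.sqrt(sum(r * r for r in w) / len(w)))
    return vols

def shock_demo():
    # Constructed returns: 60 quiet days of +/-0.5%, one -5% shock, then 60 quiet days.
    quiet = [0.005 if i % 2 else -0.005 for i in range(60)]
    returns = quiet + [-0.05] + quiet
    return ewma_volatility(returns), simple_volatility(returns, window=60)

if __name__ == "__main__":
    ewma, sma = shock_demo()
    for day in (59, 60, 119, 120):
        print("day %3d  ewma %.5f  simple %.5f" % (day, ewma[day], sma[day]))
```

On the shock day the EWMA estimate jumps further than the simple average, and afterwards it decays smoothly, whereas the simple average stays elevated until the shock leaves the 60-day window and then drops abruptly.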
Value-at-Risk is a measure of the maximum potential change in value of the
portfolio of financial instruments with a given probability over a pre-set horizon. VaR
answers the question, "How much can I lose with x% probability over a given time
horizon?" For example, if you think that there is a 95% chance that the DEM/USD
exchange rate will not fall by more than 1% of its current value over the next day, you can
calculate the maximum potential loss on, say, a USD 100 million DEM/USD position by
using the methodology and data provided by Risk Metrics.
Value-at-Risk is a number that represents the potential changes in a portfolio's future
value. How this change is defined depends on (1) the horizon over which the portfolio's
change in value is measured and (2) the "degree of confidence" chosen by the risk manager.
VaR calculations can be performed without using standard deviation or correlation
forecasts. These are simply one set of inputs that can be used to calculate VaR and that Risk
Metrics provides for that purpose. The principal reason for preferring to work with standard
deviations (volatility) is the strong evidence that the volatility of financial returns is
predictable. Therefore, if volatility is predictable, it makes sense to make forecasts of it to
predict future values of the return distribution.
VaR for Indian Banks for Foreign Exchange Forward Position
The Foreign Exchange Dealers Association of India (FEDAI) introduced, with effect from 29 August
1996, a simple model of VaR for banks in India for their forward positions. The VaR model
was based on a database built internally by FEDAI from 8 June 1995 to 28 June 1996 (more than one
year) for 1-, 3- and 6-month swap rates. The overnight variations in swap rates in paisa per dollar were
worked out. This is the daily volatility in swap rates. The standard deviation of overnight variations
in swap rates was calculated. This is the volatility in swap rates for the relevant period.
The resultant figure is multiplied by 2 standard deviations to achieve 95.5% probability
and 97.5% level of confidence. The data can be updated every day by omitting day 1 and adding
the new day's data. Let us work out an example given by FEDAI in the table below:
                                                 1 Month                 3 Months                6 Months
a   Number of days in a trading year             251                     251                     251
b   Standard deviation, i.e. daily volatility    6.03 paisa per dollar   10.05 paisa per dollar  13.95 paisa per dollar
c   Daily volatility at 2 standard deviations    12.06 paisa per dollar  20.10 paisa per dollar  27.90 paisa per dollar
    (b*2) (at 95.5% probability and 97.5%
    level of confidence)
d   Volatility for 3 day holding period (c*√3)   20.88 paisa per dollar  34.82 paisa per dollar  48.31 paisa per dollar
Total VaR =2.08+3.48+ 4.83= Rs. 10.39 lakh
The gaps are marked to market every day. FEDAI will announce VaR for USD 1 million
positions every year. All that the banks have to do is to multiply each day's aggregate gap by
the figure furnished by FEDAI. Banks through the process of interpolation can arrive at VaR
for other maturities. The forward positions of banks in India are covered either in the forward
market or in the spot market and thereafter rolled over till maturity. Therefore, banks in India are
not required to maintain capital charge against their VaR. However, VaR serves the purpose of
management information for risk monitoring.