Risk Management Essentials for Bankers

Presented by Mr. David Vu. Risk Management Essentials. Date: 24th and 25th Mar 2017. Venue: Sunway Resort Hotel.

Upload: david-vu

Post on 21-Apr-2017


Page 1: Risk Management Essentials for Bankers

Presented by Mr. David Vu

Risk Management Essentials

Date: 24th and 25th Mar 2017

Venue: Sunway Resort Hotel

Page 2: Risk Management Essentials for Bankers

The purpose of this course is to provide attendees with a crucial understanding of risk management in financial institutions. Firstly, an introduction to the basic principles of risk management, risk governance and key risks is given to analyse how they affect banking institutions, the standard risk framework, and essential risk tools. Critical concepts in risk management are covered, such as Enterprise Risk Management and the standard internal control framework. Attendees will work through case studies of financial failures such as the financial crisis of 2007-2008. This will enable them to gain a better understanding of cause and effect and of how to prevent such failures from happening in the future. The focus will also be on key regulations for the banking sector, capital management and stress testing. All this will allow attendees to gain a robust background in risk management.

Introduction

Page 3: Risk Management Essentials for Bankers

Overview of Risk Management

▫ Understanding corporate governance and risk management

▫ Introduction to risk management and identify key risks in banking institutions

▫ Analyzing internal control and enterprise risk management

▫ Recapping financial failures and financial crisis

▫ Understanding risk appetite framework and requirements of Basel II/III

▫ Exploring internal capital adequacy assessment process and stress testing

Overview of Liquidity Risk Management

▫ Understanding key principles of liquidity risk management

▫ Identifying risk measurement, risk limits, and risk reports

▫ Understanding stress testing and contingency planning policy

Overview of Interest Rate Risk Management in Banking Book

▫ Understanding key principles of interest rate risk management in banking book

▫ Identifying risk measurement, risk limits, and risk reports

▫ Understanding stress testing

Overview of Operational Risk Management

▫ Understanding key principles of operational risk management

▫ Understanding risk assessment tools, key risk indicators, risk incidents capturing

▫ Understanding technology risk, vendor risk, and insurance program

Training Outline

Page 4: Risk Management Essentials for Bankers

After completing this course, you will be able to:

• Understand key risks facing banking institutions

• Apply key principles of risk management in your work, especially for risk analysts and risk managers.

• Understand a standard framework of internal control and the concept of Enterprise Risk Management.

• Understand compliance risk as well as essential regulations in the banking environment.

• Understand the financial crisis in 2007 – 2008 and lessons learnt.

• Build up a risk appetite framework for your institution with key principles, risk tolerances, and limit settings.

• Build up risk assessment tools and techniques for risk management.

• Understand the Internal Capital Adequacy Assessment Process and the criticality of stress tests in capital management.

Expected Outcomes

Page 5: Risk Management Essentials for Bankers

OVERVIEW OF RISK MANAGEMENT

CORPORATE GOVERNANCE AND RISK MANAGEMENT

AN INTRODUCTION TO KEY RISKS IN BANKING INSTITUTIONS

INTERNAL CONTROL AND ENTERPRISE RISK MANAGEMENT

FINANCIAL FAILURES AND LESSONS LEARNT

FINANCIAL CRISIS OF 2007 - 2008

RISK APPETITE FRAMEWORK

OVERVIEW OF BASEL II / III

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS


Page 6: Risk Management Essentials for Bankers

Corporate Governance and Risk Management

Corporate Governance: Sample Definitions

“The system by which companies are directed and controlled” – Adrian Cadbury, 1992

“The structures, processes, cultures and systems that engender the successful operation of the organisation” – K Keasey and M Wright, 1993

“The process of supervision and control intended to ensure that the company’s management acts in accordance with the interests of Shareholders” – J Parkinson, 1994


Page 7: Risk Management Essentials for Bankers

Corporate Governance and Risk Management

Components of Corporate Governance

Ethics

Integrity

Code of Conduct

Accountability

Responsibility

Information

Investment Protection

Shareholder Action

Transparency

Internal Control System

Regulations

Why is Corporate Governance so important?

Even the best-run organisations can make mistakes or poor decisions on e.g. investment, recruitment, evaluation, etc.

While risk is an important and unavoidable component of modern management, it should not imply that governance of enterprises is overlooked.

A good decision that leads to e.g. a successful investment can be based on poor assessment of risk. Also, good governance practice can lead to poor decision making. Hence, there must be a balance.

To help avoid / mitigate the agency cost problem.


Page 8: Risk Management Essentials for Bankers

Corporate Governance and Risk Management

Shareholders

Board of Directors

CEO / MD

Executive Directors

Front Office Functions

Middle Office Functions

Back Office Functions

Put in equity to set up the business

Shareholders nominate a BoD to run the business on their behalf. They set the business policies

Board includes a Management team led by CEO/MD and Executive Directors who manage the business on a day-to-day basis. They design appropriate strategies to implement policies

Senior Management is recruited to develop business plans / processes / procedures to execute the strategies


Page 9: Risk Management Essentials for Bankers

Corporate Governance and Risk Management

What is Risk Management?

In a concise context, Risk Management is the identification, assessment, measurement and monitoring of risks facing the firm, and the taking of corrective actions against them.

It is defined under ISO 31000 as the effect of uncertainty on objectives (whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Key Issues

Probability (likelihood) of event occurring

Severity (impact) of the event on set objectives

The strategies to manage risk typically include transferring the risk to another party, avoiding the risk, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk.


Page 10: Risk Management Essentials for Bankers

Corporate Governance and Risk Management

Risk Governance in Practice

Select competent board members and establish guidelines to govern the board organization and structures;

Select competent executive officers, evaluate and compensate them accordingly;

Review and approve the management-developed strategy i.e. approve the overall risk-appetite of the institution;

Develop risk culture and monitor the control of the environment;

Ensure that the necessary corrective actions are taken to remedy the situation;

Ensure the compliance of the institution with its legal and regulatory requirements; and

Directors are to perform these functions in the best interest of the shareholders and other stakeholders.


Page 11: Risk Management Essentials for Bankers

Corporate Governance and Risk Management

8 Principles for Bank Boards & Senior Management

(Basel Committee)

Principle 1: Board qualifications, capabilities and responsibilities

Principle 2: Board’s role regarding the bank’s strategic objectives and corporate values

Principle 3: Lines of responsibility & accountability

Principle 4: Ensuring oversight by senior management

Principle 5: Auditors and internal control functions

Principle 6: Board & key executive compensation

Principle 7: Transparent governance

Principle 8: “Know your operational structure”


Page 12: Risk Management Essentials for Bankers

Corporate Governance and Risk Management

A SAMPLE OF RISK GOVERNANCE [figure not reproduced]

Page 13: Risk Management Essentials for Bankers


Page 14: Risk Management Essentials for Bankers

A Concise Typology of Key Risk Exposures in Banking Sector


Overview of Key Risks in Banking Institutions

RISKS

Market Risk

Credit Risk

Liquidity Risk

Operational Risk

Legal & Compliance Risk

Business Risk

Strategic Risk

Reputation Risk

Funding Liquidity Risk

Trading Liquidity Risk

Page 15: Risk Management Essentials for Bankers

A Schematic View of Key Financial Risks


Overview of Key Risks in Banking Institutions

Financial Risks

Market Risk

Credit Risk

Transaction Risk

Portfolio Concentration

Issue Risk

Issuer Risk

Counterparty Risk

Equity Price Risk

Interest Rate Risk

Foreign Exchange Risk

Commodity Price Risk

Trading Risk

Gap Risk

General risk

Specific risk

Page 16: Risk Management Essentials for Bankers

Effective tradeoff of risk and reward

Shared responsibility for risk management

Based on an understanding of risk

Avoid activities that are inconsistent with values

Focus on clients and core values

Use of judgment and common sense

Risk Management Principles


Overview of Key Risks in Banking Institutions

Page 17: Risk Management Essentials for Bankers

Key Risk Definitions


Overview of Key Risks in Banking Institutions

Reputational Risk: is the current or prospective risk to earnings and capital arising from an adverse perception of a banking institution on the part of existing and potential transactional stakeholders, i.e. clients, trading counterparties, employees, suppliers, regulators, governmental bodies, and investors.

Compliance Risk: is the current or prospective risk to earnings, capital and reputation arising from violations or non-compliance with laws, rules, regulations, agreements, prescribed practices, or ethical standards, as well as from incorrect interpretation of relevant laws or regulations.

Strategic Risk: is the current and prospective impact on earnings, capital, reputation or good standing of a banking institution arising from poor business decisions, improper implementation of decisions or lack of response to industry, economic or technological changes. This risk is a function of the compatibility of the bank’s strategic goals, the business strategies developed to achieve these goals, the resources deployed to meet these goals and the quality of implementation.

Page 18: Risk Management Essentials for Bankers

Key Risk Definitions (cont.)


Overview of Key Risks in Banking Institutions

Credit Risk: is the risk arising from the potential that an obligor is either unwilling to perform on an obligation or its ability to perform such obligation is impaired resulting in economic loss to the bank.

Market Risk: is the risk of losses in on- and off-balance-sheet positions as a result of adverse changes in market prices i.e. interest rates, foreign exchange rates, equity prices and commodity prices. Market risk exists in both trading and banking book. A trading book consists of positions in financial instruments and commodities held either with trading intent or in order to hedge other items of the trading book.

Operational Risk: is the current and prospective risk to earnings and capital arising from inadequate or failed internal processes, people and systems or from external events.

Liquidity Risk: is the risk of losses to a banking institution arising from either its inability to meet its obligations as they fall due or to fund increases in assets without incurring unacceptable cost or losses. Liquidity risk also arises from the failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimum loss in value.

Page 19: Risk Management Essentials for Bankers


Overview of Key Risks in Banking Institutions

Market Risk, Liquidity Risk, Credit Risk, Operational Risk

Framework & Policies

Market Risk Mgmt Policies

Limits & Controls

Liquidity Mgmt Policies

Compliance Triggers & MATs

Credit Risk Mgmt Policies

Portfolio Caps, Triggers & Risk Conc.

Risk Models

OpRisk Mgmt Policies

RCSA / KRI / Loss Capturing

Business Continuity

VaR Models

Valuation Models

Contingency Funding

FTP Model

ALM Model

Liquidity Models

Retail Scoring Model

Internal Credit Rating Model (SME/Corp)

Scorecard Approach

Advanced Approach (LDA)

Model Backtesting

BASEL II/III

ICAAP

IRRBB

Credit Concentration Risk

Stress Testing Framework

Capital Adequacy

Leverage Ratio

Liquidity Standards (LCR/NSFR)

Integrated Risk Management Framework in Practice

Page 20: Risk Management Essentials for Bankers


Overview of Key Risks in Banking Institutions

Credit Risk Management Framework in Practice

CREDIT RISK COMPONENTS

KEY ELEMENTS TO HAVE

Credit Risk Governance

Credit Risk Policy Framework

Credit Risk Model & Validation

Credit Risk Monitoring & Reporting

Risk-based Decision Making

Credit Risk Mgmt Structure

Credit Risk Mgmt TOR & Policies

Credit Risk Mgmt Policy

Collateral Mgmt Policy

Authority Limit Mgmt Framework

Corporate Rating Model

Retail Scoring Model

Model Validation Framework

Credit Risk Capital Charge

Risk Reporting Templates

Reporting Workflow

Risk-based Pricing

RAROC / RORAC Framework

Risk-based Portfolio Strategy

PD, LGD & EAD Estimation

Credit VaR Calculation

Page 21: Risk Management Essentials for Bankers


Overview of Key Risks in Banking Institutions

Market Risk Management Framework in Practice

MARKET RISK COMPONENTS

KEY ELEMENTS TO HAVE

Market Risk Governance

Market Risk Policy Framework

Market Risk Model & Validation

Credit Risk Monitoring & Reporting

Asset Liability Management

Market Risk Mgmt Structure

Market Risk Mgmt TOR & Policies

Market Risk Mgmt Policy

ALM Policy

Limits Mgmt Framework

Instruments & VaR Model

Valuation Model

Model Validation Framework

Risk-based Decision Making

Risk Reporting Templates

Reporting Workflow

Liquidity Risk Management

Interest Rate Risk in Trading Book

Interest Rate Risk in Banking Book

Risk-based Pricing

Risk-based Portfolio Strategy

Page 22: Risk Management Essentials for Bankers


Overview of Key Risks in Banking Institutions

Operational Risk Management Framework in Practice

OPERATIONAL RISK COMPONENTS

KEY ELEMENTS TO HAVE

Operational Risk Governance

Operational Risk Policy Framework

Other OpRisk Related Policy Framework

Operational Risk Measurement

Operational Risk Control

OpRisk Mgmt Structure

OpRisk Mgmt TOR & Policies

OpRisk Mgmt Policy

BCP/DRP Framework

New Product Program

Technology & Cyber Risk Policy

Vendor Risk Mgmt Policy

Insurance Program

Operational Risk Capital Charge

RCSA / KRIs

Loss / Near Miss Capturing

Control Design Program

Control Design Review

Corrective Action Plan

BIA / TSA / AMA Approach

OpVaR Calculation

Reporting & Monitoring

Page 23: Risk Management Essentials for Bankers


Page 24: Risk Management Essentials for Bankers

Internal Control

Objectives of Internal Controls

▫ Accurate Financial Information

▫ Compliance with Policies and Procedures

▫ Safeguarding Assets

▫ Efficient Use of Resources

▫ Accomplishment of Objectives and Goals

Institute of Internal Auditors (IIA)

Why are Internal Controls Important?

Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

▫ Effectiveness and Efficiency of Operations

▫ Reliability of Financial Reporting

▫ Compliance with Laws and Regulations

Source: Internal Control – Integrated Framework Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Internal Control and Enterprise Risk Management


Page 25: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

• Consists of three parts:

▫ Executive Summary

▫ Framework and Appendices

▫ Illustrative Tools for Assessing Effectiveness of a System of Internal Control

• Key items:

▫ Definition of internal control

▫ Categories of objectives

▫ Components and principles of internal control

▫ Requirements for effectiveness

Internal Control and Enterprise Risk Management


Page 26: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

Environment changes... ...have driven Framework updates

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in business

Demands and complexities in laws, rules, regulations, and standards

Expectations for competencies and accountabilities

Use of, and reliance on, evolving technologies

Expectations relating to preventing and detecting fraud

COSO Cube (2013 Edition)

Internal Control and Enterprise Risk Management


Page 27: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

Internal Control and Enterprise Risk Management


Page 28: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Control Environment

Internal Control and Enterprise Risk Management


Page 29: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Risk Assessment

Internal Control and Enterprise Risk Management


Page 30: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies in place.

Control Activities

Internal Control and Enterprise Risk Management


Page 31: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Information & Communication

Internal Control and Enterprise Risk Management


Page 32: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Monitoring Activities

Internal Control and Enterprise Risk Management


Page 33: Risk Management Essentials for Bankers

Internal Control-Integrated Framework (2013 Edition)

Requirements for effective internal control

Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:

▫ Each component and each relevant principle is present and functioning

▫ The five components are operating together in an integrated manner

Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)

Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies

A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives

Internal Control and Enterprise Risk Management


Page 34: Risk Management Essentials for Bankers

Enterprise Risk Management

ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

- Proposed by COSO (2003)

Internal Control and Enterprise Risk Management


Page 35: Risk Management Essentials for Bankers

Enterprise Risk Management (ERM)

Integrated Strategy - ERM is important because it supports the Department’s strategy and our Management Principles including, “we will manage risk in fulfilling our mission”.

Consistency - Systematic approach for management and operations – how we make decisions, govern how we establish and implement requirements, and how we hold ourselves accountable.

Better Communication - ERM will provide the framework for clearly articulating the processes we use for program execution and governance.

Clear and Concrete Measures of Performance - It will improve efficiency and allow a bank to consistently speak with one voice to our contractors, customers, and stakeholders.

Why is ERM important?

Internal Control and Enterprise Risk Management


Page 36: Risk Management Essentials for Bankers

COSO Enterprise Risk Management

Risk profiles are increasing

Regulatory/public scrutiny

Expanding services increases risks

Business change increases risk complexity

Need for right kind of risk training

Need for risk assessment methodologies/technology tools

Stakeholders have different risk needs

Inconsistent risk language used

Key Benefits from ERM

Awareness of risk increased

Cross-enterprise risk identified

Coordination across business units for more effective mitigation

Consistent risk information

Common risk language established

Shareholder value protected or enhanced

Internal Control and Enterprise Risk Management


Page 37: Risk Management Essentials for Bankers

COSO Enterprise Risk Management

KEY SUCCESS FACTORS FOR ERM

Provide clear goals and objectives

Establish sponsorship or senior management

Link to performance measures and compensation

Drive the approach from the corporate/head office

Establish a dedicated corporate function

COSO ERM Cube

Internal Control and Enterprise Risk Management


Page 38: Risk Management Essentials for Bankers

COSO Internal Control vs. Enterprise Risk Management

Internal Control and Enterprise Risk Management


Page 39: Risk Management Essentials for Bankers

ERM vs. Internal Control

• ERM elaborates and expands on those components of internal control relevant to risk:

▫ Significantly expands on the “risk assessment” component

▫ Emphasizes and expands on other components as they relate to risk

• Internal control and ERM are 2 separate frameworks with considerable overlap:

▫ In some respects IC is broader and in others ERM is broader

▫ IC framework remains intact

▫ ERM framework addresses risk management concepts more broadly and deeply

• ERM is effective only when:

▫ IC components are present and functioning effectively

▫ ERM components are present and functioning effectively

• You can have effective internal control without enterprise risk management, but you cannot have effective enterprise risk management without effective internal controls

Internal Control and Enterprise Risk Management


Page 40: Risk Management Essentials for Bankers


Page 41: Risk Management Essentials for Bankers

Case #1 - Barings Bank

Incident

The incident involved the loss of nearly $1.25Bil due to the unauthorized trading activities during 1993 to 1995 of a single junior trader named Nick Leeson.

Result

The size of the losses relative to Barings Bank’s capital along with potential additional losses on outstanding trades forced Barings into bankruptcy in Feb 1995.

Causes

Rogue trading, failed control activities, and internal fraud.

Financial Failures and Lessons Learnt


Page 42: Risk Management Essentials for Bankers

Case #2 – Allied Irish Bank

Incident

John Rusnak, a currency option trader in charge of a very small trading book in AIB’s Allfirst First Maryland Bancorp subsidiary, entered into massive unauthorized trades during the period 1997 through 2002, ultimately resulting in $691Mil in losses.

Result

This resulted in a major blow to AIB’s reputation and stock price.

Causes

Rogue trading, failed control activities, and internal fraud.

Financial Failures and Lessons Learnt


Page 43: Risk Management Essentials for Bankers

Case #3 – Kidder Peabody

Incident

Between 1992 and 1994, Joseph Jett, head of the government bond trading desk at Kidder Peabody, entered into a series of trades that were incorrectly reported in the firm’s accounting system, artificially inflating reported profit. When corrected in Apr 1994, $350Mil in previously reported gains had to be reversed.

Result

Although Jett’s trades had not resulted in any actual loss of cash for Kidder, the announcement of such a massive misreporting of earnings triggered a substantial loss of confidence in the competence of the firm’s management by customers and GE, which owned Kidder. In Oct 1994, GE sold Kidder to Paine Webber, which dismantled the firm later on.

Financial Failures and Lessons Learnt


Page 44: Risk Management Essentials for Bankers

Case #4 – Société Générale

Incident

In Jan 2008, SG reported trading losses of $7.1Bil that the firm attributed to unauthorized activity by a junior trader named Jerome Kerviel.

Result

The large loss severely damaged SG’s reputation and required it to raise a large amount of new capital.

Causes

Rogue trading, failed control activities, and internal fraud.

Financial Failures and Lessons Learnt


Page 45: Risk Management Essentials for Bankers

Other Cases

Sumitomo Corporation

The firm lost $2.6Bil in a failed attempt by Yasuo Hamanaka, a senior trader, to corner the world’s copper market – that is, to drive up prices by controlling a large portion of the available supply. Sumitomo management claimed that Hamanaka had used fraudulent means in hiding the size of his positions from them. He also claimed that he had disclosed the positions to senior management. He was sent to jail. See Asiaweek (1996), Dwyer (1996), and McKay (1999).

Daiwa Bank

Toshihide Iguchi of Daiwa Bank’s New York office lost $1.1Bil trading Treasury bonds between 1984 and 1995. He hid his losses and made his operation appear to be quite profitable by forging trading slips, which enabled him to sell without authorization bonds held in customer accounts to produce funds he could claim were part of his trading profit. His fraud was aided by a situation similar to Nick Leeson’s at Barings – Iguchi was head of both trading and the back-office support function. Iguchi was sent to jail. See more at www.erisk.com

Merrill Lynch

The firm reportedly lost $350Mil in trading mortgage securities in 1987 due to risk reporting that used a 13-year duration for all securities created from a pool of 30-year mortgages. Although this duration is roughly correct for an undivided pool of 30-year mortgages, the correct duration is 30 years when the interest-only part is sold and the principal-only part is kept, as Merrill was doing. See Crouhy, Galai, and Mark (2001).

UBS

The Swiss bank in 2011 reported a loss of $2.3Bil due to unauthorized trading by Kweku Adoboli, a relatively junior equity trader. This incident cost the CEO of UBS his job. See Wilson (2011).

Financial Failures and Lessons Learnt


Page 46: Risk Management Essentials for Bankers

Financial Failures and Lessons Learnt

Lessons learnt from these financial failures

The necessity of an independent trading back office

Always make exhaustive inquiries about unexpected sources of profit or loss.

Always make thorough inquiries about any large unanticipated movement of cash.

Control personnel are to tighten procedures that may lead to detection of fictitious trade entries.

Flag any trader who appears to be using an unusually high number of such cancellations of trading positions.

Control personnel should be aware of situations in which traders are being supervised by temporary or new managers.

Vacation policy needs to be mandatory.

Cash and collateral requirements should be monitored at trader level.

Any patterns of P&L that are unusual relative to expectations need to be identified and investigated by both management and the control functions.


Page 47: Risk Management Essentials for Bankers

OVERVIEW OF RISK MANAGEMENT

CORPORATE GOVERNANCE AND RISK MANAGEMENT

AN INTRODUCTION TO KEY RISKS IN BANKING INSTITUTIONS

INTERNAL CONTROL AND ENTERPRISE RISK MANAGEMENT

FINANCIAL FAILURES AND LESSONS LEARNT

FINANCIAL CRISIS OF 2007 - 2008

RISK APPETITE FRAMEWORK

OVERVIEW OF BASEL II / III

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS


Page 48: Risk Management Essentials for Bankers

Financial Crisis of 2007 - 2008

A Synopsis

Starting in 2000, mortgage originators in the US relaxed their lending standards and created large numbers of subprime first mortgages.

This, combined with very low interest rates, increased the demand for real estate and prices rose.

To continue to attract first time buyers and keep prices increasing they relaxed lending standards further

Features of the market: 100% mortgages, ARMs, teaser rates, NINJAs, liar loans, non-recourse borrowing

Mortgages were packaged in financial products and sold to investors

Page 49: Risk Management Essentials for Bankers

Financial Crisis of 2007 - 2008

A Synopsis (cont.)

Banks found it profitable to invest in the AAA rated tranches because the promised return was significantly higher than the cost of funds and capital requirements were low

The property bubble burst in 2007. Some borrowers could not afford their payments when the teaser rates ended. Others had negative equity and recognized that it was optimal for them to exercise their put options.

U.S. real estate prices fell and products, created from the mortgages, that were previously thought to be safe began to be viewed as risky

There was a “flight to quality” and credit spreads increased to very high levels

Page 50: Risk Management Essentials for Bankers

Financial Crisis of 2007 - 2008

An Origination Model of Asset-Backed Securities (ABS)

Assets (total principal: $100 million):

Asset 1 (e.g. auto loans)

Asset 2 (e.g. home loans)

Asset 3 (e.g. bonds)

Asset 4 (e.g. credit cards)

Asset n

SPE or SPV

Senior Tranche: Principal $80 million, Return = 5%

Mezzanine Tranche: Principal $15 million, Return = 10%

Equity Tranche: Principal $5 million, Return = 20%

Page 51: Risk Management Essentials for Bankers

Financial Crisis of 2007 - 2008

And Continue with ABS Collateralized Debt Obligation

Asset Cash Flows (including Subprime Mortgages)

Senior Tranches (75%): AAA

Mezzanine Tranches (20%): BBB

Equity Tranches (5%): Not Rated

Senior Tranche (80%): AAA

Mezzanine Tranche (15%): BBB

Equity Tranche (5%): BB-

Which one is riskier: an ABS Senior Tranche or an ABS CDO Senior Tranche?

Page 52: Risk Management Essentials for Bankers

Financial Crisis of 2007 - 2008

BBB Tranches

BBB tranches of ABSs were often quite thin (1% wide)

This means that they have a quite different loss distribution from BBB bonds and should not be treated as equivalent to BBB bonds

They tend to be either safe or completely wiped out

What does this mean for the tranches of the Mezzanine ABS CDO?
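The loss waterfall behind these two questions can be worked through numerically. This is an added example, not part of the original slides. It assumes the 5% / 15% / 80% ABS split from the origination slide, an ABS CDO built only from ABS mezzanine tranches with a 5% / 20% / 75% split (one of the two splits shown on the ABS CDO slide), identical losses on every underlying mezzanine tranche, and a hypothetical 5% attachment point for the thin tranche.

```python
from fractions import Fraction as F


def make_tranches(widths_junior_first):
    """[(name, width in %)] listed from most junior -> [(name, attach, detach)]."""
    tranches, attach = [], F(0)
    for name, width_pct in widths_junior_first:
        width = F(width_pct) / 100
        tranches.append((name, attach, attach + width))
        attach += width
    if attach != 1:
        raise ValueError("tranche widths must sum to 100%")
    return tranches


def tranche_loss(collateral_loss, attach, detach):
    """Fraction of a tranche's principal lost for a given collateral loss rate."""
    if not 0 <= collateral_loss <= 1:
        raise ValueError("collateral loss must be between 0 and 1")
    width = detach - attach
    absorbed = min(max(collateral_loss - attach, F(0)), width)
    return absorbed / width


def losses(structure, collateral_loss):
    return {name: tranche_loss(collateral_loss, a, d) for name, a, d in structure}


# ABS as on the origination slide: equity 5%, mezzanine 15%, senior 80%.
ABS = make_tranches([("equity", 5), ("mezzanine", 15), ("senior", 80)])
# Assumed ABS CDO split; its collateral is ABS mezzanine tranches only.
ABS_CDO = make_tranches([("equity", 5), ("mezzanine", 20), ("senior", 75)])


def abs_vs_cdo_senior(pool_loss_pct):
    """Loss on (ABS senior, ABS CDO senior) for a loss rate on the asset pool."""
    abs_losses = losses(ABS, F(pool_loss_pct) / 100)
    # Simplifying assumption: every mezzanine tranche in the CDO loses the same.
    cdo_losses = losses(ABS_CDO, abs_losses["mezzanine"])
    return abs_losses["senior"], cdo_losses["senior"]


def thin_tranche_loss(pool_loss_pct, attach_pct=5, width_pct=1):
    """Loss on a 1%-wide tranche; the attachment point is hypothetical."""
    attach = F(attach_pct) / 100
    return tranche_loss(F(pool_loss_pct) / 100, attach, attach + F(width_pct) / 100)


if __name__ == "__main__":
    for pct in (5, 10, 15, 20, 25):
        abs_senior, cdo_senior = abs_vs_cdo_senior(pct)
        print(f"pool loss {pct:>2}%: ABS senior {float(abs_senior):.1%}, "
              f"ABS CDO senior {float(cdo_senior):.1%}")
    for pct in (5, 5.5, 6):
        print(f"pool loss {pct}%: thin tranche {float(thin_tranche_loss(pct)):.0%}")
```

Under these assumptions a 20% loss on the asset pool leaves the ABS senior tranche untouched while the AAA-rated ABS CDO senior tranche is wiped out, and the thin tranche goes from no loss to total loss over a single percentage point of pool loss.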

Regulatory Capital

Capital required for securities created from a portfolio of mortgages was considerably less than capital that would be required if mortgages had been kept on the balance sheet

Role of Incentives

Arguably the incentives of valuers, the creators of ABSs and ABS CDOs, and rating agencies helped to create the crisis

Compensation plans of traders created short-term horizons for decision making

Page 53: Risk Management Essentials for Bankers

Financial Crisis of 2007 - 2008

Lessons learnt from the crisis

Be aware of irrational exuberance

Do not underestimate default correlations in stressed markets

Recovery rate depends on default rate

Compensation structures did not create the right incentives

If a deal seems too good to be true (eg, a AAA earning LIBOR plus 100 bp) it probably is

Do not rely on ratings without any due diligence

Transparency is important in financial markets

Resecuritization was not a good idea

Page 54: Risk Management Essentials for Bankers

OVERVIEW OF RISK MANAGEMENT

CORPORATE GOVERNANCE AND RISK MANAGEMENT

AN INTRODUCTION TO KEY RISKS IN BANKING INSTITUTIONS

INTERNAL CONTROL AND ENTERPRISE RISK MANAGEMENT

FINANCIAL FAILURES AND LESSONS LEARNT

FINANCIAL CRISIS OF 2007 - 2008

RISK APPETITE FRAMEWORK

OVERVIEW OF BASEL II / III

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS


Page 55: Risk Management Essentials for Bankers

Background and Approach

Many reports (e.g. 2009 SSG) showed that most boards of directors and senior management did not actively articulate, measure, and adhere to a level of risk acceptable to firms.

Most firms acknowledged some need for improvement in their procedures for setting and monitoring risk appetite, and many acknowledged the need to renovate the way in which their boards were receiving financial and risk information.

As a result, the Basel Committee on Banking Supervision, in its report Principles for Enhancing Corporate Governance, outlined expectations that it is the board’s responsibility to “approve and oversee the implementation of the bank’s overall risk strategy, including its risk tolerance/appetite”.

Lastly, in the modern risk management universe, the Risk Appetite Framework (RAF) is seen as a critical strategic decision-making tool.

Risk Appetite Framework

Page 56: Risk Management Essentials for Bankers

Linking to Strategic Objectives

Risk appetite articulates the level of risk a company is prepared to accept in order to achieve its strategic objectives.

Measures: Capital Adequacy (CAR); Earnings Volatility (EAR); Credit Rating Target; Risk / Reward Tradeoff; Risk Preference / Aversion

Stakeholders: Regulators; Investors; Debt holders; Rating Agencies

Enterprise Risk Tolerance

Risk Appetite for Each Risk Category

Risk Limits

Risk Appetite Framework

Page 57: Risk Management Essentials for Bankers

Linking to Strategic Objectives

Risk Appetite Framework (RAF)

Strategic Planning

Asset Allocation

Business Planning

Liquidity Management

Capital Allocation

Performance Measurement

Others

Understand the constraint and ability to take risk

Understand the risk/reward tradeoff

Risk Appetite Framework

Page 58: Risk Management Essentials for Bankers

A Standard Flow for RAF Implementation

Measure Risk Profile: Ensure appropriate action is taken prior to Risk Profile surpassing Risk Appetite

Set Risk Limits and Tolerances: Ensure that risk-taking activities are within Risk Appetite

Establish Risk Appetite: Self-Imposed Constraints & Drivers

Define Risk Capacity: Identify regulatory constraints

Risk Appetite Framework

Page 59: Risk Management Essentials for Bankers

Monitoring Risk Profile

Firms with more developed RAFs combine multiple risk metrics that help in managing or mitigating downside risk in a thoughtful, deliberate way. The metrics used should range from the dynamic and forward looking to the static and point-in-time; they may include, but are not limited to:

• Capital targets beyond solely regulatory measures (economic capital, tangible common equity, and total leverage);
• Capital at risk amounts;
• A variety of liquidity ratios, terms, and survival horizons;
• Net interest income volatility or earnings-at-risk calculations;
• VaR limits in trading book;
• Risk sensitivity limits;
• Risk concentrations by internal and/or external credit ratings;
• Expected loss ratios;
• The firm’s own credit spreads;
• Asset growth ceilings by business line or exposure type;
• Performance of internal audit ratings; and
• Economic value added.

Risk Appetite Framework

Page 60: Risk Management Essentials for Bankers

Risk Appetite Statement (RAS)

KEY OBJECTIVES FOR BUILDING A RISK APPETITE STATEMENT

• By considering the risk and return trade-off, RAS plays a critical role in guiding senior management on how to govern bank risks to be able to achieve key objectives of the Board and shareholders.

• RAS will help a bank to withstand contingencies such as market turmoil influencing the balance sheet of the bank, a deterioration of the loan portfolio, a decline in capital adequacy, operational losses, or a liquidity crisis.

• RAS serves as a cornerstone that helps bank managers make commitments to the Board in building a robust risk management framework in line with current risk practice.

• RAS will help to define risk profiles, risk limits, and risk thresholds for each kind of risk.

Shareholders’ Objectives

The Board approves RAS to hook into the business strategy

RAS will define risk profiles and prudential limits

Control and monitor risks based on RAS

RAS is seen as a critical element for a standard RAF

Risk Appetite Framework

Page 61: Risk Management Essentials for Bankers

Risk Appetite Statement

SHAREHOLDERS

BOARD OF DIRECTORS

BUSINESS STRATEGY

Liquidity Risk

Operational Risk

Market Risk

Credit Risk

Reputational Risk

Regulatory Risk

Non-financial Objectives

Financial Objectives

Approve

RISK APPETITE STATEMENT

The Board of a bank will approve the business strategy based on RAS in the hope of achieving non-financial and financial objectives.

Hook

Shareholders of a bank often look at financial objectives.

Risk Appetite Framework

Page 62: Risk Management Essentials for Bankers

A Sample RAS Report

Type of metric | Name | Description | MAT | Green | Amber | Red | As of Dec ‘XX
Returns | ROE | NPAT / Average equity | 10.60% | >13.2% | 8.0% to 13.2% | <8% | 16.5%
Returns | ROA | NPAT / Average assets | 1.50% | >1.91% | 1.4% to 1.91% | <1.4% | 2.5%
Returns | Cost to Income | Operating Cost / Gross Income | 55.00% | <50% | 50% to 60% | >60% | 55.5%
Credit Risk | Non-performing Loans | Non-performing loans / Total Loan Outstanding | 0.55% | <0.5% | 0.5% to 0.6% | >0.6% | 0.45%
Credit Risk | Loan Loss Coverage | Net Operating profit / Cost of Credit | 3.2x | >4.0x | 2.5x - 4.0x | <2.5x | 7.0x
Credit Risk | Single Borrowing Concentration | Proportion of single loan to total net worth | 16.50% | <15% | 15% to 18% | >18% | 5.5%
Liquidity Risk | Liquidity Coverage Ratio | Follow Prakas B7-015-349 established on 23 Dec 2015 | 70.00% | >70% | 65% to 70% | <65% | 99.1%
Liquidity Risk | Single lender concentration | Maximum % of contribution from a single lender / Net Worth | 16.50% | <15% | 15% to 18% | >18% | 7.5%
 | Overall Capital | Total Capital on total Risk Weighted Assets | 19.50% | >24% | 19%-24% | <19% | 20.5%
 | Tier 1 Capital Buffer | Tier 1 Capital of Total Net Worth | 67.50% | >75% | 65% to 75% | <65% | 95.2%
Operational Risk | Operational Loss | % of Annual Revenue | 0.55% | <0.5% | 0.5% - 1% | >1% | 0.01%
Reputation / Compliance Risk | Major breaches in regulatory reporting | Number of delays in regulatory reporting/submission in last recorded quarter (without management awareness) | 0 | 0 | 0 | 0 | 0
Reputation / Compliance Risk | Major monetary fines | Number of monetary fines in last recorded quarter | 0 | 0 | 0 | 0 | 0

Risk Appetite Framework

Page 63: Risk Management Essentials for Bankers

OVERVIEW OF RISK MANAGEMENT

CORPORATE GOVERNANCE AND RISK MANAGEMENT

AN INTRODUCTION TO KEY RISKS IN BANKING INSTITUTIONS

INTERNAL CONTROL AND ENTERPRISE RISK MANAGEMENT

FINANCIAL FAILURES AND LESSONS LEARNT

FINANCIAL CRISIS OF 2007 - 2008

RISK APPETITE FRAMEWORK

OVERVIEW OF BASEL II / III

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS


Page 64: Risk Management Essentials for Bankers

Overview of Basel II

History of Banking Regulations

• Pre-1988

• 1988: BIS Accord (Basel I)

• 1996: Amendment to BIS Accord

• 1999: Basel II first proposed, implemented in 2007

Key Elements of Basel II/III Pacts

• Capital Types

• Key pillars

• Risk Weighted Capital

• Capital Adequacy Ratio

• Capital charges


Page 65: Risk Management Essentials for Bankers

Overview of Basel II

CAPITAL TIERS

Tier 1 Capital: common equity tier (CET), non-cumulative perpetual preferred shares

Tier 2 Capital: cumulative preferred stock, certain types of 99-year debentures, subordinated debt with an original life of more than 5 years

CAPITAL TYPES

Economic Capital (EC) is an estimate of the level of capital that a bank needs to run its business as usual (BAU).

Regulatory Capital (RC) is the capital that regulators require a bank to hold in order to operate or continue its operations.

Page 66: Risk Management Essentials for Bankers

Overview of Basel II

3 KEY PILLARS UNDER BASEL II

Pillar I: Minimum Capital Requirements

Minimum standards for capital management on a risk-based basis:
• Credit Risk
• Operational Risk
• Market Risk

Pillar II: Supervisory Review Process

Increases responsibilities and levels of discretion for supervisory reviews and controls covering:
• Capital Adequacy
• Internal Models
• Capital charges
• Capital Monitoring

Pillar III: Market Discipline

Banks are required to increase information disclosure relating to measurement of credit and operational risks, and improve the transparency of financial information to the market.

Page 67: Risk Management Essentials for Bankers

Overview of Basel II

3 KEY PILLARS UNDER BASEL II

Basel II

Supervisory review process

Issue: How will supervisory bodies assess, monitor and ensure capital adequacy?

Principle:
• Internal process for assessing capital adequacy in relation to risk profile
• Supervisors to review and evaluate banks’ internal processes
• Supervisors to require banks to hold capital in excess of minimum to cover other risks, e.g. strategic risk
• Supervisors seek to intervene and ensure compliance

Market disclosure

Issue: What and how should banks disclose to external parties?

Principle:
• Effective disclosure of:
  - Banks’ risk profiles
  - Adequacy of capital positions
• Specific qualitative and quantitative disclosures
  - Scope of application
  - Composition of capital
  - Risk exposure assessment
  - Capital adequacy

Minimum capital requirements

Issue: How is capital adequacy measured particularly for Advanced approaches?

Principle:
• Better align regulatory capital with economic risk
• Evolutionary approach to assessing credit risk
  - Standardised (external factors)
  - Foundation IRB
  - Advanced IRB
• Evolutionary approaches to operational risk
  - Basic indicator
  - Standardised
  - Advanced Measurement

• Continue to promote safety and soundness in the banking system

• Ensure capital adequacy is sensitive to the level of risks borne by banks

• Constitute a more comprehensive approach to addressing risks

• Continue to enhance competitive equality

Page 68: Risk Management Essentials for Bankers

Overview of Basel II

RISK WEIGHTED CAPITAL

A risk weight is applied to each on-balance-sheet asset according to its risk (e.g. 0% to cash and govt bonds; 20% to claims on OECD banks; 50% to residential mortgages; 100% to corporate loans, corporate bonds, etc.)

For each off-balance-sheet item we first calculate a credit equivalent amount and then apply a risk weight

Risk weighted amount (RWA) consists of
▫ Sum of risk weight times asset amount for on-balance sheet items
▫ Sum of risk weight times credit equivalent amount for off-balance sheet items

Page 69: Risk Management Essentials for Bankers

Overview of Basel II

CAPITAL ADEQUACY RATIO

Capital adequacy ratio is a measure of the amount of a bank's capital expressed as a percentage of its risk weighted credit exposures.

An international standard which recommends minimum capital adequacy ratios has been developed to ensure a bank can absorb a reasonable level of losses before becoming insolvent.

Page 70: Risk Management Essentials for Bankers

Overview of Basel II

CAPITAL ADEQUACY RATIO


Page 71: Risk Management Essentials for Bankers

Overview of Basel II

Capital Charges under Basel II

Approaches that can be followed in determination of Regulatory Capital under Basel II

Total Regulatory Capital: Operational Risk Capital, Credit Risk Capital, Market Risk Capital

Operational Risk Capital:
• Basic Indicator Approach
• Standardized Approach
• Advanced Measurement Approach (AMA): Score Card, Loss Distribution, Internal Modeling

Credit Risk Capital:
• Standardized Approach
• Internal Ratings Based (IRB): Foundation IRB, Advanced IRB

Market Risk Capital:
• Standard Model
• Internal Model

Page 72: Risk Management Essentials for Bankers

Overview of Basel III

Capital Definition and Requirements

Capital Conservation Buffer

Countercyclical Buffer

Leverage Ratio

Liquidity Ratios

Capital for CVA Risk

Contingent Convertible Bonds


Page 73: Risk Management Essentials for Bankers

Overview of Basel III

Capital Definition and Requirements

Three types:
– Common equity Tier 1
– Additional Tier 1
– Tier 2

Definitions tightened

Limits:
– Common equity > 4.5% of RWA
– Tier 1 > 6% of RWA
– Tier 1 plus Tier 2 > 8% of RWA

Phased implementation of capital levels stretching to January 1, 2015

Phased implementation of capital definition stretching to January 1, 2018

Page 74: Risk Management Essentials for Bankers

Overview of Basel III

Capital Conservation Buffer

Extra 2.5% of common equity required in normal times to absorb losses in periods of stress

If total common equity is less than 7% (=4.5%+2.5%) dividends are restricted

To be phased in between January 1, 2016 and January 1, 2019

Countercyclical Buffer

Extra equity capital to allow for cyclicality of bank earnings

Left to the discretion of national regulators

Can be as high as 2.5% of RWA

Dividends restricted when capital is below required level

To be phased in between January 1, 2016 and January 1, 2019


Page 75: Risk Management Essentials for Bankers

Overview of Basel III

Leverage Ratio

Objective is to constrain the build-up of leverage in the banking sector, which would help to avoid destabilizing deleveraging processes that may shock the broader financial system and the economy.

This is not a risk-based ratio: the ratio of Tier 1 capital to total exposure (not risk weighted) must be greater than 3%

Exposure includes all items on balance sheet and some off-balance sheet items

To be introduced on January 1, 2018 after a transition period

Page 76: Risk Management Essentials for Bankers

Overview of Basel III

Liquidity Risk Ratios

Objective of Liquidity Coverage Ratio (LCR) is to ensure that a bank meets its liquidity needs for 30 calendar days under liquidity stress scenarios and has an adequate stock of unencumbered High Quality Liquid Assets (HQLA) that can be converted into cash at little or no loss of value in financial markets.

Objective of NSFR is to promote resilience over a longer time span by creating additional incentives for a bank to fund its activities with more stable sources of funding on an ongoing basis. NSFR complements and supports the LCR and it has been developed to provide a sustainable maturity structure of assets and liabilities.

Page 77: Risk Management Essentials for Bankers

Overview of Basel III

Key Ratios in Basel III


Page 78: Risk Management Essentials for Bankers

Overview of Basel III

Capital for CVA Risk

CVA is the adjustment to the value of transactions with a counterparty to allow for counterparty credit risk

Basel III requires CVA risk arising from changing credit spreads to be incorporated into market-risk VaR calculations

Contingent Convertible Bonds

Bonds which automatically get converted into equity if certain conditions are satisfied

For example, in the case of Credit Suisse, a Swiss bank, there is conversion if:

• Tier 1 equity falls below 7% of RWA, or

• Swiss regulator determines that the bank needs public sector support

Page 79: Risk Management Essentials for Bankers

Overview of Basel III

Key Comparisons between Basel II and Basel III

Requirements | Under Basel II | Under Basel III
Minimum Ratio of Total Capital to RWAs | 8% | 10.5%
Minimum Ratio of Common Equity Tier to RWAs | 2% | 4.5% to 7%
Tier I Capital to RWAs | 4% | 6%
Capital Conservation Buffer (CCB) to RWAs | n/a | 2.5%
Countercyclical Buffer | n/a | 0% to 2.5%
Leverage Ratio | n/a | 3%
Liquidity Coverage Ratio * | n/a | 100%
Net Stable Funding Ratio * | n/a | 100%

* The ratio to be differently defined across regulators and timelines

Page 80: Risk Management Essentials for Bankers

Overview of Basel III

Transition period of compliance to Basel III


Page 81: Risk Management Essentials for Bankers

OVERVIEW OF RISK MANAGEMENT

CORPORATE GOVERNANCE AND RISK MANAGEMENT

AN INTRODUCTION TO KEY RISKS IN BANKING INSTITUTIONS

INTERNAL CONTROL AND ENTERPRISE RISK MANAGEMENT

FINANCIAL FAILURES AND LESSONS LEARNT

FINANCIAL CRISIS OF 2007 - 2008

RISK APPETITE FRAMEWORK

OVERVIEW OF BASEL II / III

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS


Page 82: Risk Management Essentials for Bankers

A typical bank’s Internal Capital Adequacy Assessment Process (ICAAP) must exhaustively estimate capital required for risks not sufficiently covered or not included under Pillar I

A typical bank’s ICAAP must meet the following objectives:

• Exhaustively identifies and measures all material risks in the bank’s business and the assessment of capital required to support these risks.

• Risk-based and forward-looking

• Integrated into the management process and decision-making culture of the bank

• Ability to determine the overall level of capital and the assessment supporting such outcome

Internal Capital Adequacy Assessment Process

Page 83: Risk Management Essentials for Bankers

Process flow of ICAAP

Banks are required to put in place an internal process to assess their own capital adequacy.

Board & Senior Management Oversight

Exhaustive Assessment of Risks

Sound Capital Assessment

Monitoring and Reporting

Review of ICAAP

Approval of all risk policies

Setting of Risk Appetite Statement

Assess all material risks and required additional capital against such risks

Assess the impact on capital arising from stress events

Assess capital adequacy to support growth

Capital plan and action for capital raising

Ensure that a bank is able to meet minimum capital requirements to operate as a going concern even under stress conditions

Independent review of the implementation of ICAAP

Internal Capital Adequacy Assessment Process


Page 84: Risk Management Essentials for Bankers

Capital Demand and Capital Availability

ICAAP requires a bank to ensure that it has adequate capital to support all its risks, both currently and in the future.

This requires banks to determine their DEMAND and SUPPLY of Capital

The ICAAP Operating Framework implemented provides the processes to systematically identify the bank’s demand for and availability of capital.

CAPITAL DEMAND

Capital requirements for current Pillar I and Pillar II risk items

Additional Capital to support planned future business growth

Risk appetite and target credit ratings – required capital buffer

CAPITAL AVAILABILITY

Availability of current financial resources

Retained earnings from future P/L

Possible actions to make available previously committed capital

Ability to tap external sources for capital

Internal Capital Adequacy Assessment Process


Page 85: Risk Management Essentials for Bankers

Key Elements under ICAAP

The ICAAP Operating Framework is based on Basel II requirements and best practices adopted by banks for ICAAP / Capital Management and comprises four key components:

Bank Governance at Board & Senior Management Level

Assessment of Capital Demand and Supply

Calibrating Capital Adequacy

Capital Management

Capital Management Policy

Risk Appetite Setting

Business Strategic Planning

Point-in-time Capital Assessment

Core capital, add-on capital

Capital Projection & Forecasting

Availability of Capital

Financial resources

Capital Adequacy Assessment

Capital Planning

Capital Allocation

Internal Capital Adequacy Assessment Process

Page 86: Risk Management Essentials for Bankers

Assessment of Capital Demand

Internal Capital Adequacy Assessment Process

CAPITAL DEMAND

Components: Capital Conservation Buffer; Countercyclical Capital Buffer; Increase in Capital Demand under Stress Events; Pillar 2 Risks (Credit Con. Risk, IRRBB, Liquidity, Reputation, Legal, Compliance, etc.); Operational Risk; Market Risk; Credit Risk

Groupings shown on the chart: Regulatory Capital Requirement; Pillar 1 + Pillar 2 Capital Requirements; Basel III Requirement

CAPITAL SUPPLY

Components: Tier 1 Common Equity; Tier 2 Capital; Tier 1 Others

Grouping shown on the chart: Bank’s Regulatory Capital Position

Any availability of financial resources?

Any stress loss adjustment?

Any Solvency Capital Adjustment?

Page 87: Risk Management Essentials for Bankers

Risk Materiality Assessment Guidelines

Internal Capital Adequacy Assessment Process

These risk areas are considered material due to their criticality and pervasiveness in the bank’s business operations:

All Pillar 1 Risks:
• Credit Risk
• Market Risk
• Operational Risk

Pillar 2 risk areas:
• IRRBB
• Liquidity Risk
• Credit Concentration Risk
• Reputation Risk
• Legal and Compliance Risk
• Strategic Risk

For other emerging risk areas, a bank should determine their materiality at the Risk Identification stage:

• Is there a plausible scenario in which the risk may result in a negative impact of 5% or more on the bank’s P/L?

• Is there a plausible scenario in which the risk may result in critically negative impact on the bank’s reputation?

• Is there a plausible scenario in which the risk may result in significant customer attrition of more than 10%?

• Qualitative Assessment by risk type owner, in consultation with risk managers / advisors and business support units

Material risks that can be quantified

Page 88: Risk Management Essentials for Bankers

Stress Test Impact on Capital Demand and Supply

Internal Capital Adequacy Assessment Process

Increase in Capital Demand

Credit Risk Stress Test: Increase in RWA will increase Capital Requirement for up to 2-3 years more.

Decrease in Capital Supply

Credit Risk Stress Test: Credit Risk Stress losses deducted from Capital Supply

Market Risk Stress Test: Market Risk Stress losses deducted from Capital Supply

Interest Rate Risk in Banking Book: IRRBB stress losses from EVE simulation deducted from Capital Supply

Example:

CR Stress Test RWA: $10 Mil
CR Stress Test Loss: $2 Mil
MR Stress Test Loss: $0.5 Mil
IRRBB Stress Test Loss: $1 Mil
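The stress figures above can be carried through to capital ratios using the risk weights from the Risk Weighted Capital slide and the Basel III limits from the Capital Definition and Requirements slide. This is an added example, not part of the original slides. The balance sheet and capital amounts are constructed, and it assumes that "CR Stress Test RWA" is an increase in RWA and that all stress losses are deducted from common equity Tier 1.

```python
# Risk weights quoted on the Risk Weighted Capital slide.
RISK_WEIGHTS = {
    "cash_govt_bonds": 0.0,
    "oecd_bank_claims": 0.20,
    "residential_mortgages": 0.50,
    "corporate": 1.00,
}
# Limits quoted on the Basel III slides (each ratio must exceed its limit).
MINIMUMS = {"cet1": 0.045, "tier1": 0.06, "total": 0.08}
CET1_WITH_CONSERVATION_BUFFER = 0.07  # 4.5% + 2.5%; below this, dividends are restricted


def risk_weighted_assets(on_balance, off_balance):
    """on_balance: {bucket: amount}; off_balance: [(credit_equivalent_amount, bucket)]."""
    rwa = sum(RISK_WEIGHTS[bucket] * amount for bucket, amount in on_balance.items())
    rwa += sum(RISK_WEIGHTS[bucket] * cea for cea, bucket in off_balance)
    return rwa


def assess(rwa, cet1, additional_tier1, tier2):
    """Capital ratios, breached limits and dividend restriction for one position."""
    ratios = {
        "cet1": cet1 / rwa,
        "tier1": (cet1 + additional_tier1) / rwa,
        "total": (cet1 + additional_tier1 + tier2) / rwa,
    }
    return {
        "ratios": {name: round(value, 4) for name, value in ratios.items()},
        "breaches": sorted(n for n, limit in MINIMUMS.items() if ratios[n] <= limit),
        "dividends_restricted": ratios["cet1"] < CET1_WITH_CONSERVATION_BUFFER,
    }


def apply_stress(rwa, cet1, rwa_increase, stress_losses):
    """Demand side: RWA grows. Supply side: losses reduce CET1 (assumption)."""
    return rwa + rwa_increase, cet1 - sum(stress_losses)


# Constructed position, in $ million (not from the slides).
ON_BALANCE = {
    "cash_govt_bonds": 30.0,
    "oecd_bank_claims": 20.0,
    "residential_mortgages": 40.0,
    "corporate": 50.0,
}
OFF_BALANCE = [(10.0, "corporate")]  # credit equivalent amount, counterparty bucket
CAPITAL = {"cet1": 8.0, "additional_tier1": 1.0, "tier2": 2.0}

# Stress figures from the slide's example, in $ million.
STRESS_RWA_INCREASE = 10.0
STRESS_LOSSES = [2.0, 0.5, 1.0]  # credit risk, market risk, IRRBB


def run():
    rwa = risk_weighted_assets(ON_BALANCE, OFF_BALANCE)
    base = assess(rwa, **CAPITAL)
    stressed_rwa, stressed_cet1 = apply_stress(
        rwa, CAPITAL["cet1"], STRESS_RWA_INCREASE, STRESS_LOSSES)
    stressed = assess(stressed_rwa, stressed_cet1,
                      CAPITAL["additional_tier1"], CAPITAL["tier2"])
    return rwa, base, stressed


if __name__ == "__main__":
    rwa, base, stressed = run()
    print("RWA:", rwa)
    print("base:", base)
    print("stressed:", stressed)
```

The constructed bank clears every limit before stress, yet the $3.5 Mil of losses combined with the $10 Mil RWA increase push its Tier 1 and total capital ratios below 6% and 8% and trigger the dividend restriction.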


Page 89: Risk Management Essentials for Bankers

Stress Testing Methodology

Internal Capital Adequacy Assessment Process

Overall Methodology

Multiple possible scenarios with different combinations of political / natural / macro-economic events

Stress is assumed to hit during a time span and peak at a time point before easing off by the end of another time point

Appropriate level of stressing on Growth, Yield, Cost of Risk, Expense at both portfolio and product level

Summarization of P/L and Balance Sheet impact for each scenario

Events

Global Events

• QE tapering by US Fed going to impact every economy around the world
• Brent price hike in global market
• Pandemic impacting multiple geographies

Local Events

• Strong currencies (USD, EUR) appreciation leading to pressure on SME sector
• Reform in banking industry with the advent of tough government policies
• Conflict ties across countries (i.e. India-Pakistan, China-Japan, etc.)
• Pricing cap by regulators impacting on P/L
• Calamities – flood, earthquake, nuclear factories, etc.

Page 90: Risk Management Essentials for Bankers

Stress Testing Framework and Process

Internal Capital Adequacy Assessment Process

Events Identification

1. Global Recession
2. Country Rating Downgrade
3. Brexit
4. Natural Disaster
5. Cyber Attack
6. Pandemic

Scenario Description

Preparation of stress scenarios for each event identified and extent of economic impact on each risk factor.

1. S0 – Base
2. S1 – Mild
3. S2 – Moderate
4. S3 – Severe

Macro Factors

1. GDP
2. Inflation (CPI)
3. Interest Rate
4. Property Price
5. Unemployment
6. FDI
7. Stock market
8. Government Revenue
9. Currency stability
10. Oil Price
11. Deposit Run
12. Credit crunch

Portfolio Impact

1. Impact on Credit Risk
• Consumer Lending – by programs
• Business Lending – by economic sectors
2. Market & Liquidity Risk Impact
• Interest rate
• Price risk
3. Operational Risk Impact

Finalize Stress Test Report

1. Run stress test impact on earnings, asset quality and capital for S1, S2, and S3.
2. Report review and acceptance
3. BOD approval

Page 91: Risk Management Essentials for Bankers

Internal Assumptions for Stress Testing

Internal Capital Adequacy Assessment Process

Severity impact of macroeconomic factors on the impaired loans for each product / industry sector under stress condition is delivered using the following NPL Multiplier (benchmark).

Stress NPL impact on vulnerable segments and Large Borrowers is derived using the same NPL multiplier above plus add-on factor, i.e. 10% add-on for Large Borrowers and 20% add-on for vulnerable segments.

Stress LGD is derived from Consumer Banking and SME Banking’s actual LGD:

Page 92: Risk Management Essentials for Bankers

Understanding the difference between Corporate Governance and Risk Management

Recognizing specific risks in banking environment

Be aware of a standard risk management framework

Recognizing COSO framework on Internal Control and Enterprise Risk Management

Understanding financial failures with lessons learnt

Understanding financial crisis during 2007 to 2008

Recognizing a standard risk appetite framework

Recognizing requirements under Basel II/III

Understanding ICAAP and Stress Testing

Overview of Risk Management: Wrap-up

Page 93: Risk Management Essentials for Bankers

Q & A

Page 94: Risk Management Essentials for Bankers

OVERVIEW OF LIQUIDITY RISK MANAGEMENT

KEY PRINCIPLES OF LIQUIDITY RISK MANAGEMENT

LIQUIDITY RISK MEASUREMENT

LIQUIDITY RISK LIMITS AND RISK REPORTS

LIQUIDITY STRESS TESTING

CONTINGENCY FUNDING PLAN


Page 95: Risk Management Essentials for Bankers

Definition

Liquidity is the ability of a bank to fund increases in assets and meet obligations as they come due, without incurring unacceptable losses. The fundamental role of banks in the maturity transformation of short-term deposits into long-term loans makes banks inherently vulnerable to liquidity risk, both of an institution-specific nature and that which affects markets as a whole. Virtually every financial transaction or commitment has implications for a bank’s liquidity.

Effective liquidity risk management helps ensure a bank's ability to meet cash flow obligations, which are uncertain as they are affected by external events and other agents' behavior. Liquidity risk management is of paramount importance because a liquidity shortfall at a single institution can have system-wide repercussions. Financial market developments in the past decade have increased the complexity of liquidity risk and its management.

Management Principles of Liquidity Risk

Source: Principles for sound liquidity risk management and supervision (BCBS, Sep 2008)

Page 96: Risk Management Essentials for Bankers

Principle 1

A bank is responsible for the sound management of liquidity risk. A bank should establish a robust liquidity risk management framework that ensures it maintains sufficient liquidity, including a cushion of unencumbered, high quality liquid assets, to withstand a range of stress events, including those involving the loss or impairment of both unsecured and secured funding sources. Supervisors should assess the adequacy of both a bank's liquidity risk management framework and its liquidity position and should take prompt action if a bank is deficient in either area in order to protect depositors and to limit potential damage to the financial system.

Management Principles of Liquidity Risk

Fundamental principle for the management and supervision of liquidity risk

Source: Principles for sound liquidity risk management and supervision (BCBS, Sep 2008)

Page 97: Risk Management Essentials for Bankers

Principle 2

A bank should clearly articulate a liquidity risk tolerance that is appropriate for its business strategy and its role in the financial system.

Principle 3

Senior management should develop a strategy, policies and practices to manage liquidity risk in accordance with the risk tolerance and to ensure that the bank maintains sufficient liquidity. Senior management should continuously review information on the bank’s liquidity developments and report to the board of directors on a regular basis. A bank’s board of directors should review and approve the strategy, policies and practices related to the management of liquidity at least annually and ensure that senior management manages liquidity risk effectively.

Principle 4

A bank should incorporate liquidity costs, benefits and risks in the internal pricing, performance measurement and new product approval process for all significant business activities (both on- and off-balance sheet), thereby aligning the risk-taking incentives of individual business lines with the liquidity risk exposures their activities create for the bank as a whole.

Management Principles of Liquidity Risk

Governance of liquidity risk

Source: Principles for sound liquidity risk management and supervision (BCBS, Sep 2008)

Page 98: Risk Management Essentials for Bankers


Principle 5

A bank should have a sound process for identifying, measuring, monitoring and controlling liquidity risk. This process should include a robust framework for comprehensively projecting cash flows arising from assets, liabilities and off-balance sheet items over an appropriate set of time horizons.

Principle 6

A bank should actively monitor and control liquidity risk exposures and funding needs within and across legal entities, business lines and currencies, taking into account legal, regulatory and operational limitations to the transferability of liquidity.

Principle 7

A bank should establish a funding strategy that provides effective diversification in the sources and tenor of funding. It should maintain an ongoing presence in its chosen funding markets and strong relationships with funds providers to promote effective diversification of funding sources. A bank should regularly gauge its capacity to raise funds quickly from each source. It should identify the main factors that affect its ability to raise funds and monitor those factors closely to ensure that estimates of fund raising capacity remain valid.

Management Principles of Liquidity Risk

Measurement and Management of Liquidity Risk

Source: Principles for sound liquidity risk management and supervision (BCBS, Sep 2008)

Page 99: Risk Management Essentials for Bankers


Principle 8

A bank should actively manage its intraday liquidity positions and risks to meet payment and settlement obligations on a timely basis under both normal and stressed conditions and thus contribute to the smooth functioning of payment and settlement systems.

Principle 9

A bank should actively manage its collateral positions, differentiating between encumbered and unencumbered assets. A bank should monitor the legal entity and physical location where collateral is held and how it may be mobilised in a timely manner.

Principle 10

A bank should conduct stress tests on a regular basis for a variety of short-term and protracted institution-specific and market-wide stress scenarios (individually and in combination) to identify sources of potential liquidity strain and to ensure that current exposures remain in accordance with a bank’s established liquidity risk tolerance. A bank should use stress test outcomes to adjust its liquidity risk management strategies, policies, and positions and to develop effective contingency plans.

Management Principles of Liquidity Risk

Measurement and Management of Liquidity Risk

Source: Principles for sound liquidity risk management and supervision (BCBS, Sep 2008)

Page 100: Risk Management Essentials for Bankers


Principle 11

A bank should have a formal contingency funding plan (CFP) that clearly sets out the strategies for addressing liquidity shortfalls in emergency situations. A CFP should outline policies to manage a range of stress environments, establish clear lines of responsibility, include clear invocation and escalation procedures and be regularly tested and updated to ensure that it is operationally robust.

Principle 12

A bank should maintain a cushion of unencumbered, high quality liquid assets to be held as insurance against a range of liquidity stress scenarios, including those that involve the loss or impairment of unsecured and typically available secured funding sources. There should be no legal, regulatory or operational impediment to using these assets to obtain funding.

◦ Principle 13 covers public disclosure, and Principles 14 to 17 cover the role of supervisors.

Management Principles of Liquidity Risk

Measurement and Management of Liquidity Risk

Source: Principles for sound liquidity risk management and supervision (BCBS, Sep 2008)

Page 101: Risk Management Essentials for Bankers

OVERVIEW OF LIQUIDITY RISK MANAGEMENT

KEY PRINCIPLES OF LIQUIDITY RISK MANAGEMENT

LIQUIDITY RISK MEASUREMENT

LIQUIDITY RISK LIMITS AND RISK REPORTS

LIQUIDITY STRESS TESTING

CONTINGENCY FUNDING PLAN

Page 102: Risk Management Essentials for Bankers

Purpose

It’s critical for a bank to establish an appropriate set of liquidity risk measures (or liquidity ratios) so as to facilitate the bank in monitoring and controlling liquidity risk. The main purpose of liquidity risk measures is to enable the entity to capture various aspects of liquidity risk, such as deposit concentration, level of highly liquid financial assets and amount of undrawn commitments.

Key Liquidity Ratios

• Liquidity Ratio – defined as the ratio of total liquid assets to total short term (less than 1 year) liabilities.

• Loan to Deposit Ratio – defined as the ratio of total non-bank loans to total 3rd party deposits, excluding interbank deposits.

• CASA to Total Deposit Ratio – defined as the ratio of the total current and savings account deposits to total deposits.

• Interbank Deposit to Total Liabilities Ratio – defined as the ratio of the short term interbank deposits to total liabilities.

Measurement of Liquidity Risk

Page 103: Risk Management Essentials for Bankers


Other Liquidity Ratios to Consider

• Core Deposit Ratio

• Secondary Reserve Ratio

• Head Office Excess Cash Reserve Ratio

• Large Fund Provider / Total Deposits Ratio

• Total Undrawn Commitments

• Maximum Cash Outflow (MCO) Limits

Cash-flow Modelling

Cash flow profiling under different operating conditions is a useful approach for managing liquidity risk. Under this approach, a bank should put in place appropriate systems and procedures to achieve the following objectives:

◦ To monitor on a daily basis the net funding requirements under normal business conditions.

◦ To conduct at least monthly cash flow analyses based on stress scenarios.

Measurement of Liquidity Risk

Page 104: Risk Management Essentials for Bankers

Page 105: Risk Management Essentials for Bankers

Liquidity Risk Limits and Reports

| Limit | Purpose |
|---|---|
| Liquidity Ratio Limits | To facilitate monitoring of the extent to which the bank can liquidate assets to cover short-term liabilities. |
| Loan-to-Deposit Ratio Limits | To facilitate monitoring of the extent of its reliance on external funding sources as compared with non-bank deposits. |
| Wholesale Deposits Ratio Limits | To facilitate monitoring of deposit concentration with respect to non-retail and non-bank deposits. |
| Liquidity Gap Ratio Limits | To facilitate monitoring of its contractual cumulative cash flow over the next 90 days. |
| Core Deposit Ratio Limits | To facilitate monitoring of the stability of its deposit base. |
| Secondary Reserves Ratio Limits | To monitor whether a bank maintains a sufficient amount of highly liquid assets as secondary reserves. |
| Head Office Excess Cash Reserve Ratio Limits | To ensure that, on a bank-wide basis, a bank maintains sufficient cash in the clearing accounts for daily clearing. |
| Large Fund Provider / Total Deposits Ratio Limits | To facilitate monitoring of the stability of and reliance on external funding sources as compared to the total deposit base. |
| Interbank Deposit Ratio Limits | To facilitate monitoring of its deposit concentration with respect to interbank deposits. |
| Total Undrawn Commitment Limits | To facilitate monitoring of the total undrawn commitments granted to its customers. |
| Maximum Cash Outflow (“MCO”) Limits | To facilitate monitoring of the potential cash outflows projected by the behavioral cash flow models over the next business day and next week under business-as-usual conditions. A set of MCO limits should be imposed for each major currency in which a bank operates. A separate set of MCO limits should also be imposed for stress testing purposes (see below). |
| Stress MCO Limits | These limits are used to facilitate monitoring of the potential cash outflows projected by the behavioral cash flow models over the next 5 business days under stressful conditions. A set of MCO limits shall be imposed for each major currency in which a bank operates. |

Page 106: Risk Management Essentials for Bankers


Liquidity Risk Limits and Reports

A Sample of Structural Liquidity Flow

Page 107: Risk Management Essentials for Bankers


Liquidity Risk Limits and Reports

A Sample of Liquidity Coverage Ratio Report

Page 108: Risk Management Essentials for Bankers

Page 109: Risk Management Essentials for Bankers

Liquidity Stress Testing

Required under ALM Policy on Funding & Liquidity Risk Management

Ensure sufficient diversified funding sources

Liquidity Stress Testing should include key liquidity metrics:

Liquidity Ratios

Loans to Deposits

Bank Policy Metrics

Liquidity Coverage Ratio (LCR)

Net Stable Funding Ratio (NSFR)

Page 110: Risk Management Essentials for Bankers


Liquidity Stress Testing

Diagram labels: Contractual and modeled Cash Flows; Scenario Analysis; aggregation; parameterization

Cash Flow Profile of Assets + Liability Roll-over Vectors = Liquidity Gap

Liquidity Gap + Asset Liquidation and Counterbalancing = Net Liquidity Position resulting from Scenario

Page 111: Risk Management Essentials for Bankers

Page 112: Risk Management Essentials for Bankers

Contingency Funding Plan

The liquidity contingency plan mentions alternative funding sources if current projections of funding sources and uses are not correct.

The contingency plan will act as the bridge between the actual liquidity that is being held by a bank and the maximum that would be needed in the event of a run on liquidity.

The plan will address:

• Identifying and developing potential funding sources

• Setting up plans for assigning responsibilities under various defined hypothetical liquidity situations.

• Predefining triggers that would initiate liquidity management and remedial action plans.

Page 113: Risk Management Essentials for Bankers


Contingency Funding Plan

SCOPE

The scope of the Contingency Funding Plan (CFP) is to build an action plan to tackle stressed liquidity conditions caused by market factors impacting a bank.

Funding sources used to resolve stressed liquidity will be referenced to the bank's Liquidity Policy Manual.

PURPOSE

The purpose is to come up with a well-organized action plan to control a liquidity contingency efficiently and effectively.

Identifying events resulting in a liquidity contingency and coming up with prompt corrective actions to control the liquidity situation.

Page 114: Risk Management Essentials for Bankers


Contingency Funding Plan

EARLY WARNINGS

It is very important to identify early warnings of a liquidity contingency so that actions can be put in place. A bank needs to look at the following warning signals in order to take prompt corrective actions:

• Some liquidity indicators reach management action triggers.

• There is a general liquidity stress in the market.

• There are unverified rumors in the market.

• Hardship in making loan disbursements.

• Hardship in finding funding sources.

• Damage or robbery occurred at HO or one of the bank's branches.

• A liquidity problem occurred at another bank/MFI in the market.

• Reports of cash deficiency at branches.

Page 115: Risk Management Essentials for Bankers


Contingency Funding Plan

TRIGGER EVENTS

The following events may trigger a liquidity crisis:

- Depositors are queuing in long lines at one or more branches or at ATM machines for withdrawals.

- Many calls from VIP customers or even from the central bank requesting to know the current status of a bank.

- Some journalists want to meet top managers of a bank for enquiries relating to the current status of a bank.

- Many depositors are withdrawing their deposits early.

- Many VIP customers make abnormal requests to withdraw cash from their FD accounts.

- Many customers keep withdrawing all or very little of their balances.

Page 116: Risk Management Essentials for Bankers


Contingency Funding Plan

MAIN ACTIVITIES

The CFP will include, but is not limited to, the following main activities:

• Forming a management team to face the liquidity crisis, in which responsibilities and functions need to be clearly defined;

• Roles and responsibilities of relevant departments in case of a liquidity crisis;

• Indicators for early warnings to find out potential liquidity risk;

• The list and plan of liquid assets that are available for sale or hypothecation so that they can be converted into cash when necessary;

• The list, classification and order of funding sources in case of a liquidity crisis, which includes financial institutions, individuals and big corporations with estimated deposits to be mobilized, as well as the strategy to maintain the relationships according to their importance and scope;

• Funding sources mobilized from central bank through OMO;

• Plan for assets and liabilities in case of a liquidity crisis;

• Plan for internal and external communication when a liquidity crisis exists;

Page 117: Risk Management Essentials for Bankers


Contingency Funding Plan

Liquidity Funding Plan

Review AFS marketable securities, reliability and ability to liquidate or make REPOs with central bank under a liquidity crisis.

Review the structure of other assets as well as the liquidity degree of them.

Review other available sources of funds on money market and capital market.

Money Market

• Term deposits.

• Repos.

• Swap.

NBC

• Repos T-Notes with central bank.

• Any bailouts with some assets to be discounted.

Vault Cash

Page 118: Risk Management Essentials for Bankers


Contingency Funding Plan

Reporting

• Daily MCO Report & Unencumbered assets Report.

• Maturity Mismatch Report with local currency and FCY.

• Duration Gap Report on the balance sheet.

• Daily MCO Report in details with products impacted by the contingency.

• Report on reserve requirements on both local currency and FCY.

• Report on FX position.

• Report on forecast of depositors’ behaviors.

Funding Sources

• Review all external funding sources including interbank lines.

• Review the capital structure and adjust the durations of assets and liabilities components.

• Call for funds from FX markets.

• Contact with potential partners in funding the bank.

Page 119: Risk Management Essentials for Bankers

OVERVIEW OF INTEREST RATE RISK MANAGEMENT IN BANKING BOOK

KEY PRINCIPLES OF INTEREST RATE RISK MANAGEMENT IN BANKING BOOK

INTEREST RATE RISK MEASUREMENT IN BANKING BOOK

INTEREST RATE RISK LIMITS AND REPORTS

INTEREST RATE RISK STRESS TESTING


Page 120: Risk Management Essentials for Bankers

Management Principles of Interest Rate Risk in Banking Book (IRRBB)


Definition

Interest rate risk is a bank’s exposure to adverse movements in interest rates. Interest rate risk in the banking book (IRRBB) more specifically refers to the current or prospective risk to the bank’s capital and earnings arising from adverse movements in interest rates that affect the institution’s banking book positions. When interest rates change, the present value and timing of future cash flows change. This in turn changes the underlying value of a bank’s assets, liabilities and off-balance sheet instruments and hence its economic value (EV).

Banking and supervisory practices

According to a survey of supervisory and regulatory practices with respect to IRRBB among member jurisdictions of the Committee, most jurisdictions employ a Pillar 2 approach based on an economic value (EV) or economic value of equity (EVE) measure, together with some version of Pillar 3 or other disclosure standard. IRRBB frameworks in these jurisdictions are typically applied to all legal entities.

Source: Interest Rate Risk in the Banking Book (BCBS, Jun 2015)

Page 121: Risk Management Essentials for Bankers

Management Principles of Interest Rate Risk in Banking Book (IRRBB)


Principle 1

IRRBB is an important risk for all banks that should be specifically identified, measured, monitored and controlled.

Principle 2

The board of directors of each bank is responsible for oversight of the IRRBB risk management framework, and for agreeing the bank’s risk appetite for IRRBB. Directors should collectively have adequate knowledge and understanding of IRRBB for this task. Monitoring and management of IRRBB may be delegated by the board to appropriate expert individuals or groups/committees.

Principle 3

The risk appetite of a bank for IRRBB should be calibrated in terms of both risk to economic value and risk to earnings. Risk appetite should be expressed through appropriate policy limits and internal controls.

Source: Interest Rate Risk in the Banking Book (BCBS, Jun 2015)

Page 122: Risk Management Essentials for Bankers

Management Principles of Interest Rate Risk in Banking Book (IRRBB)


Principle 4

Measurement of IRRBB should be based on outcomes for both economic value and earnings arising from a wide and appropriate range of interest rate shock scenarios (including stress scenarios) that result in changes to interest rates across the term structure.

Principle 5

In measuring IRRBB, key behavioral and strategic assumptions should be fully understood, conceptually sound and documented. Such assumptions should be rigorously tested and should be aligned with the corporate plan. Assumptions should not be adjusted solely to take account of expectations for changes in interest rates.

Principle 6

Measurement systems and models used for IRRBB should be based on complete and accurate data, and subject to appropriate documentation, testing and controls to give assurance on the accuracy of calculations. Models used to measure IRRBB should be comprehensive and covered by a strong internal validation process.

Source: Interest Rate Risk in the Banking Book (BCBS, Jun 2015)

Page 123: Risk Management Essentials for Bankers

Management Principles of Interest Rate Risk in Banking Book (IRRBB)


Principle 7

Measurement outcomes of IRRBB levels and hedging strategies should be reported to management and the board on a regular basis, at relevant levels of aggregation (by consolidation level and currency).

Principle 8

Information on IRRBB positions and limits should be reported to supervisors when requested and public disclosure should be made on a regular basis.

Principle 9

Internal capital should be specifically allocated to IRRBB as approved by the board, in line with the agreed risk appetite.

Source: Interest Rate Risk in the Banking Book (BCBS, Jun 2015)

Page 124: Risk Management Essentials for Bankers

Page 125: Risk Management Essentials for Bankers

Measurement of Interest Rate Risk in Banking Book (IRRBB)


• The purposes of measuring IRRBB

▫ establish the amount of economic capital to be held against such risks

▫ how to reduce the risks by buying or selling interest-rate-sensitive instruments

• Although ALM risk is a form of market risk, it cannot be effectively measured using the trading-VaR framework

• This VaR framework is inadequate for two reasons.

▫ first, the ALM cash flows are complex functions of customer behavior.

▫ second, interest-rate movements over long time horizons are not well modeled by the simple assumptions used for VaR.

Page 126: Risk Management Essentials for Bankers

Measurement of Interest Rate Risk in Banking Book (IRRBB)


• Banks use three alternative approaches to measure ALM interest-rate risk, as listed below:

▫ Gap reports

▫ Rate-shift scenarios

▫ Simulation methods similar to Monte Carlo VaR

• GAP REPORTS

▫ The “gap” is the difference between the cash flows from assets and liabilities

▫ Gap reports are useful because they are relatively easy to create

▫ This measure is only approximate because gap reports do not include information on the way customers exercise their implicit options in different interest environments

▫ There are three types of gap reports: contractual maturity, re-pricing frequency, and effective maturity.

Page 127: Risk Management Essentials for Bankers

Measurement of Interest Rate Risk in Banking Book (IRRBB)


• Contractual-Maturity Gap Reports

▫ A contractual-maturity gap report indicates when cash flows are contracted to be paid. For liabilities, it is the time when payments would be due from the bank, assuming that customers did not roll over their accounts.

▫ For example, the contractual maturity for checking accounts is zero because customers have the right to withdraw their funds immediately.

▫ The contractual maturity for a portfolio of three-month certificates of deposit would (on average) be a ladder of equal payments from zero to three months.

▫ The contractual maturity for assets may or may not include assumptions about prepayments. In the simplest reports, all payments are assumed to occur on the last day of the contract.

Page 128: Risk Management Essentials for Bankers

Measurement of Interest Rate Risk in Banking Book (IRRBB)


• Re-pricing Gap Reports

▫ Re-pricing refers to when and how the interest payments will be reset

• Effective-Maturity Gap Reports

▫ Although the re-pricing report includes the effect of interest-rate changes, it does not include the effects of customer behavior.

▫ This additional interest-rate risk is captured by showing the effective maturity.

▫ For example, the effective maturity for a mortgage includes the expected prepayments, and may include an adjustment to approximate the risk arising from the response of prepayments to changes in interest rates.

▫ Gap reports give an intuitive view of the balance sheet, but they represent the instruments as fixed cash flows, and therefore do not allow any analysis of the nonlinearity of the value of the customers' options. To capture this nonlinear risk requires approaches that allow cash flows to change as a function of rates.

Page 129: Risk Management Essentials for Bankers

Measurement of Interest Rate Risk in Banking Book (IRRBB)


• Estimating Economic Capital Based on Gap Reports

Page 130: Risk Management Essentials for Bankers

Page 131: Risk Management Essentials for Bankers

IRRBB Limits and Reports

Position Limits. Any position limit imposed should be consistently monitored on a daily basis against its applicable set of positions.

Re-pricing Gap Limits. Re-pricing gap limits, by tenor bucket, should be monitored against the net re-pricing gap observed in each re-pricing bucket as measured in the static re-pricing gap analysis.

Interest Rate PV01 Limits. This measures the maximum change in value as a result of a basis point change in interest rate. It provides the most specific measure of diminution in value due to interest rate risk. The entity should apply different levels of interest rate shocks and set specific PV01 limits for its portfolios.

NII and EVE Limits

NII limit should be compared against the largest drop in NII estimated in the dynamic NII simulation under various interest rate scenarios.

EVE limit should be compared against the largest drop in EVE estimated in the static EVE simulation under various interest rate scenarios.

NII stress limit should be compared against the largest drop in NII estimated in the NII stress testing under various interest rate stress scenarios.

Page 132: Risk Management Essentials for Bankers


IRRBB Limits and Reports

The data as at 31-Dec-20XX (equivalents in USD Million) (based on residual tenors)

| Maturity / Re-pricing | < 1M | 1M-3M | >3M-6M | >6M-9M | >9M-12M | >1Y-2Y | >2Y-3Y | >3Y |
|---|---|---|---|---|---|---|---|---|
| RATE-SENSITIVE ASSETS (RSA) | | | | | | | | |
| Cash on hand | 10,089 | - | - | - | - | - | - | - |
| Balances with the NBC | 60,834 | 2,500 | - | - | - | - | - | - |
| Balances with other banks | 63,244 | 4,050 | 200 | - | - | - | - | - |
| Loans and advances | 122 | 200 | 730 | 1,487 | 2,438 | 21,087 | 42,751 | 177,321 |
| Total RSA | 154,290 | 6,750 | 930 | 1,487 | 2,438 | 21,087 | 42,751 | 177,321 |
| RATE-SENSITIVE LIABILITIES (RSL) | | | | | | | | |
| Deposits from non-individuals | 17,275 | 24,674 | 12,026 | 7,143 | 14,583 | - | - | - |
| Deposits from individuals | 44,420 | 43,803 | 48,657 | 58,329 | 46,041 | 21,324 | 2 | 2 |
| Borrowings | - | - | - | - | 10,000 | - | 6,000 | - |
| Total RSL | 61,695 | 68,477 | 60,683 | 65,472 | 70,624 | 21,324 | 6,002 | 2 |
| Dollar Gap | 72,595 | -61,727 | -59,753 | -63,986 | -68,186 | -237 | 36,749 | 177,319 |
| Dollar Gap Cum. | 72,595 | 10,868 | -48,885 | -112,871 | -181,057 | -181,293 | -144,544 | 32,774 |
| Interest Sensitivity Ratio | 2.2 | 0.1 | 0.0 | 0.0 | 0.0 | 1.0 | 7.1 | |
| Dollar Gap % Liabilities | 20.5% | -17.4% | -16.9% | -18.1% | -19.2% | -0.1% | 10.4% | 50.1% |
| Dollar Gap % Assets | 16.7% | -14.2% | -13.7% | -15.7% | -0.1% | 8.4% | 11.1% | 18.7% |

Page 133: Risk Management Essentials for Bankers


IRRBB Limits and Reports

The data as at 31-Dec-20XX (equivalents in USD Million)

| Maturity / Re-pricing Date | USD | KHR | THB | Total |
|---|---|---|---|---|
| RATE-SENSITIVE ASSETS (RSA) | | | | |
| Cash on hand | 9,367 | 551 | 171 | 10,089 |
| Cash in banks | 168,274 | 2,300 | 195 | 170,769 |
| Loans and advances | 242,763 | 5,823 | 6,076 | 254,662 |
| Total RSA | 420,404 | 8,673 | 6,443 | 435,520 |
| RATE-SENSITIVE LIABILITIES (RSL) | | | | |
| Deposits from non-individuals | 64,718 | 6,314 | 4,669 | 75,701 |
| Deposits from individuals | 261,622 | 533 | 424 | 262,579 |
| Borrowings | 16,000 | - | - | 16,000 |
| Total RSL | 342,341 | 6,847 | 5,093 | 354,280 |
| FX Gap Position | 78,063 | 1,826 | 1,350 | 81,239 |
| FX Gap Position % Assets | 17.9% | 0.4% | 0.3% | 18.7% |

Page 134: Risk Management Essentials for Bankers

Page 135: Risk Management Essentials for Bankers

IRRBB Stress Testing


• Rate-shift scenarios attempt to capture the nonlinear behavior of customers.

• A common scenario test is to shift all rates up by 1%. After shifting the rates, the cash flows are changed according to the behavior expected in the new environment.

• For example, mortgage prepayments may increase, some of the checking and savings accounts may be withdrawn, and the prime rate may increase after a delay.

• The NPV of this new set of cash flows is then calculated using the new rates.

Page 136: Risk Management Essentials for Bankers


• As an example, let us consider a bank with $90 million in savings accounts and $100 million in fixed-rate mortgages. Assume that the current interbank rate is 5%, the savings accounts pay 2%, and the mortgages pay 10%. The expected net income over the next year is $8.2 million:

Interest Income = 10% x $100M - 2% x $90M = $8.2M

• If interbank rates move up by 1%, assume that savings customers will expect to be paid an extra 25 basis points, and 10% of them will move from savings accounts to money-market accounts paying 5%. Nothing will happen to the mortgages. In this case the expected income falls slightly to $7.5 million:

Interest Income = 10% x $100M - 2.25% x $81M - 5% x $9M = $7.5M

• Now assume that interbank rates fall by 1%. Savings customers are expected to be satisfied with 25 basis points less, but 10% of the mortgages are expected to prepay and refinance at 9%. The expected income in these circumstances is $8.3 million:

Interest Income = 10% x $90M + 9% x $10M - 1.75% x $90M = $8.3M

IRRBB Stress Testing

Page 137: Risk Management Essentials for Bankers


IRRBB Stress Testing

• The example above shows the nonlinear change of income. We can extend this to show changes over several years. By discounting these changes, we can get a measure of the change in value.

• An approximate estimate of the economic capital can be obtained by assuming that rates shift up or down equal to three times their annual standard deviation, and then calculating the cash flows and value changes in that scenario. The economic capital is then estimated as the worst loss from either the up or down shifts.

• The rate-shift scenarios are useful in giving a measure of the changes in value and income caused by implicit options, but they can miss losses caused by complex changes in interest rates such as a shift up at one time followed by a fall. To capture such effects properly we need a simulation engine that assesses value changes in many scenarios.

• The purpose of using simulation methods is to test the nonlinear effects with many complex rate scenarios and obtain a probabilistic measure of the economic capital to be held against ALM interest-rate risks.

• Monte Carlo simulation can use the same behavior models as the rate-shift scenarios. The difference is that in a simulation, the scenarios are complex, time-varying interest-rate paths rather than simple yield-curve shifts.
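The rate-shift calculation for the $90M savings / $100M mortgage bank and the three-standard-deviation capital estimate described above, as an added example that is not part of the original slides. It goes beyond the slide's plus and minus 1% cases: the linear scaling of customer behavior with shift size, the zero floor on the savings rate, the 5-year static horizon with year-end cash flows, and the 1 percentage point annual standard deviation are assumptions made here.

```python
"""Rate-shift scenario test for the savings/mortgage bank on the slide (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Book:
    """Balances in $M and rates as decimals, taken from the slide."""
    savings: float = 90.0
    mortgages: float = 100.0
    savings_rate: float = 0.02
    mortgage_rate: float = 0.10
    interbank: float = 0.05


# Customer behavior per 1 percentage point of shift, as stated on the slide.
PASS_THROUGH = 0.25  # savings rate moves 25 bp per 100 bp interbank move
MIGRATION = 0.10     # share of savings moving to money-market when rates rise
PREPAY = 0.10        # share of mortgages refinancing when rates fall


def annual_income(book: Book, shift_pp: float) -> float:
    """Expected one-year net interest income ($M) after a parallel shift.

    shift_pp is the interbank move in percentage points (+1.0 = up 1%).
    Assumption: migration and prepayment scale linearly with the size of
    the shift and are capped at 100% of the balance.
    """
    shift = shift_pp / 100.0
    # Assumption: the savings rate cannot fall below zero.
    savings_rate = max(0.0, book.savings_rate + PASS_THROUGH * shift)

    # Rates up: part of savings leaves for money-market accounts, which pay
    # the original interbank rate (5% on the slide).
    migrated = book.savings * min(1.0, MIGRATION * max(shift_pp, 0.0))
    # Rates down: part of the mortgages prepay and refinance at the lower
    # rate (10% - 1% = 9% on the slide).
    prepaid = book.mortgages * min(1.0, PREPAY * max(-shift_pp, 0.0))

    interest_in = (book.mortgage_rate * (book.mortgages - prepaid)
                   + (book.mortgage_rate + shift) * prepaid)
    interest_out = (savings_rate * (book.savings - migrated)
                    + book.interbank * migrated)
    return interest_in - interest_out


def npv(book: Book, shift_pp: float, years: int = 5) -> float:
    """Present value ($M) of the shifted income stream, discounted at the new rate.

    Assumptions: static balance sheet (same income every year), cash flows
    at year end, discount rate = interbank rate after the shift.
    """
    rate = book.interbank + shift_pp / 100.0
    income = annual_income(book, shift_pp)
    return sum(income / (1.0 + rate) ** t for t in range(1, years + 1))


def economic_capital(book: Book, sigma_pp: float, years: int = 5):
    """Worst value loss from a +3 sigma or -3 sigma parallel shift.

    Returns (capital, worst_shift_pp, value_change_by_shift).
    """
    base = npv(book, 0.0, years)
    changes = {s: npv(book, s, years) - base
               for s in (3.0 * sigma_pp, -3.0 * sigma_pp)}
    worst_shift = min(changes, key=changes.get)
    return max(0.0, -changes[worst_shift]), worst_shift, changes


if __name__ == "__main__":
    bank = Book()
    for pp in (0.0, 1.0, -1.0):
        print(f"shift {pp:+.0f}pp: income = ${annual_income(bank, pp):.4f}M")
    capital, worst, detail = economic_capital(bank, sigma_pp=1.0)
    for pp, dv in detail.items():
        print(f"shift {pp:+.0f}pp: value change = ${dv:.2f}M")
    print(f"economic capital = ${capital:.2f}M (worst shift {worst:+.0f}pp)")
```

Evaluated as written, the slide's up-shift expression gives $7.73M; the base and down-shift cases give $8.2M and $8.3M. Under the stated assumptions the worst case is the upward shift, because the higher discount rate and the migration to money-market accounts both reduce value.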

Page 138: Risk Management Essentials for Bankers

OVERVIEW OF OPERATIONAL RISK MANAGEMENT

KEY PRINCIPLES OF OPERATIONAL RISK MANAGEMENT

RISK ASSESSMENT TOOLS

KEY RISK INDICATORS

CAPTURING OPERATIONAL RISK INCIDENTS

OVERVIEW OF TECHNOLOGY RISK

OVERVIEW OF VENDOR RISK

INSURANCE PROGRAM


Page 139: Risk Management Essentials for Bankers

Definition of Operational Risk

Current Basel II definition is “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”

Includes both internal and external event risk

Legal risk is also included, but strategic, reputational and systemic risks are not

Direct losses are included, but indirect losses (opportunity costs) and near misses are not

Key Principles of Operational Risk Management


Page 140: Risk Management Essentials for Bankers

Drivers of Operational Risk

Internal Process

Losses that have been incurred due to a deficiency in an existing procedure, absence of a procedure or failure to follow any existing procedure.

People

The risk that people do not follow the organization's policies, procedures or established practices or are not adequately trained to carry out their duties, resulting in errors or omissions.

Systems

Risks relating to systems are: system availability, virus attacks, data corruption, data integrity, confidential client information compromised etc.

External Events

External fraud, natural disaster, terrorist attacks etc.

Key Principles of Operational Risk Management


Page 141: Risk Management Essentials for Bankers

Key Principles of Operational Risk Management

Source: Principles for the Sound Management of Operational Risk (BCBS, Jun 2011)

Page 142: Risk Management Essentials for Bankers

Key Principles of Operational Risk Management

Source: Principles for the Sound Management of Operational Risk (BCBS, Jun 2011)


Page 143: Risk Management Essentials for Bankers

Key Principles of Operational Risk Management

Source: Principles for the Sound Management of Operational Risk (BCBS, Jun 2011)

Page 144: Risk Management Essentials for Bankers

Key Principles of Operational Risk Management


Page 145: Risk Management Essentials for Bankers

A Sample of Operational Risk Heatmap


Page 146: Risk Management Essentials for Bankers


Page 147: Risk Management Essentials for Bankers

Operational Risk

Identification of Risk Events

• Assessment and evaluation

• Scenario analysis

• Questionnaires

Insurance

Business Continuity Planning

Control Self-Assessment

Operational Risk Capital Calculation

Risk Assessment Tools in Flow

Risk Assessment Tools


Page 148: Risk Management Essentials for Bankers

Operational Risk

Control Activities

• CSA process

• Review control weaknesses

• Track actions

• Link control evidence to risks

• Review incidents as evidence of control failures


Page 149: Risk Management Essentials for Bankers

Operational Risk

Mitigation of Operational Risks

• Crisis Management Team & Plan

• Incident Management Teams

• Crisis Management Centre

• Work-Area Recovery

• Disaster Recovery strategy


Page 150: Risk Management Essentials for Bankers

Operational Risk

Risk Transfer

• Placement

• Claims Handling

• Specific perils e.g. Buildings/Contents, Business Interruption Insurance, Transit Insurance, Fidelity Insurance

• Advice & Guidance


Page 151: Risk Management Essentials for Bankers

Operational Risk

Capital Charge Calculation

• Apply specific methods for calculations

• Planning


Page 152: Risk Management Essentials for Bankers

[Figure: Operational Risk, end-to-end process view. Diagram labels: Purpose; Vision; 5-Year Strategic Plan; Strategy; Change agenda; Core Processes; Critical Systems; Colleagues; Facilities; Suppliers & Outsource Vendors; External Events (i.e. Calamities, Terrorism); Bottom-up Operational Risk Profile; Top-down Operational Risk Profile; Scenarios; Operational Risk Capital; Operational Risk Appetite; Operational Risk strategy and plan; Key Controls; Control Self-Assessment; Policies; Incident & Near-Miss Reporting; Reporting; Resilience; Business Continuity; Work-Area Recovery; Disaster Recovery; Incident & Crisis Management; Insurance Programme; Claims.]

Page 153: Risk Management Essentials for Bankers

Risk Register Template for Event Identification and Risk Assessment

RISK IDENTIFICATION / INHERENT RISK ASSESSMENT

No. | Risk Category | Risk/Threat to Be Identified | Scope | Likelihood | Impact | Severity
1 | Operational | The risk of AML, KYC & Black Person Compliance will have a severe impact Bank-wide. | Bank-wide | Possible (3) | High (4) | High
2 | Operational | The risk of misconduct on Account Opening will have a moderate impact on the Operation function. | Bank-wide | Possible (3) | High (4) | Medium

RISK IDENTIFICATION / RESIDUAL RISK ASSESSMENT

No. | Risk Category | Risk/Threat to Be Identified | Risk Tolerance | Risk Response | Control Activities
1 | Operational | The risk of AML, KYC & Black Person Compliance will have a severe impact Bank-wide. | <12 | Mitigate | Using policies, checklists, checks and trainings. IT procedures/reports are in place.
2 | Operational | The risk of misconduct on Account Opening will have a moderate impact on the Operation function. | <12 | Mitigate | Using policies, checklists, checks and trainings

Page 154: Risk Management Essentials for Bankers


Page 155: Risk Management Essentials for Bankers

Key Performance Indicators (KPIs)

Used by managers to monitor business performance and to ensure that business operations are followed and are congruent with business objectives.

Key Risk Indicators (KRIs)

Used for forecasting purposes and to help managers manage future risks and threats, not just recent incidents/risks.

Key Risk Indicators


Page 156: Risk Management Essentials for Bankers

Definition of Key Risk Indicator (KRI)

Indicator: a figure presented as a number or a percentage, originating from a series of events that are observed and implementable with relevant changes.

Therefore, a KRI is a combination of an indicator and the risk perspective, used to come up with a measurement of early risk warnings.

Key Risk Indicators for a banking institution will come from different branches and various departments at HO such as IT, HR, Finance, Risk, Credit, Operations, Legal & Compliance, Marketing, Internal Audit.


Page 157: Risk Management Essentials for Bankers

Key Risk Indicators - Key Traits

1. Identify & Define: KRIs should imply an ability to forecast with potential risk factors and should be quantifiable.

2. Collect data: After establishing KRIs, we need to adequately collect data on time and at the lowest cost.

3. Analyze & Monitor: The data needs to be analyzed and monitored to identify the heat map of operational risks.

4. Evaluation: Indicators need to be evaluated periodically to assure reliability and long-term management.

5. Update & Adjust: KRIs need to be updated when there are changes in the business environment.


Page 158: Risk Management Essentials for Bankers

Key Risk Indicators - Sequential Cycles

Control Self-Assessment

Business Impact

KRI Identification

Data Recording

Analysis of Indicators

Reporting

Adjustment & Update KRIs

Control Self-Assessment


Page 159: Risk Management Essentials for Bankers

Key Risk Indicators - Setting Thresholds

1. There is so much data to analyze, and we need the ORM unit to evaluate the heat map of operational risks.

2. Set up thresholds to filter data to focus on excesses of permitted limits.

3. Improve the efficacy of analyses.

4. Data for categorizing risks will help to identify the heat map of operational risks.

Threshold

Low Risk Medium Risk High Risk


Page 160: Risk Management Essentials for Bankers


Page 161: Risk Management Essentials for Bankers

Operational Loss should be classified and linked to Basel II risk categorization in order to maintain close compliance with the central bank’s regulations. Linkages to three levels of risks are part of the framework, allowing effective means of loss data capture, analysis and reporting.

Operational Loss Data

• Internal Fraud

• External Fraud

• Employee Claims

• Client & Third Party Claims

• Damage to Physical Assets

• Business Disruption & System Failures

• Transaction Processing Errors / Omissions

We would internationalize Op-Risk practice based on 7 Event Types under Basel II criteria.

Introduction

Capturing Operational Risk Incidents


Page 162: Risk Management Essentials for Bankers

Cycle of Best Practice

• Awareness and Training sessions

• Identification

• Escalation and Reporting

• Investigation and Analysis

• Corrective Action Plan

Process enhancement to reduce / avoid recurrence of incidents

Organization culture and clarity on roles & responsibilities

Re-classification and realization of losses vs. general expenses

Data relating to the loss or near loss incidents

Commence investigation works

The Cycle of Operational Incident Reporting


Page 163: Risk Management Essentials for Bankers

Categorizing key elements

RISK DRIVERS

1. People
2. Systems
3. Processes
4. External events

INCIDENT EVENT TYPES

1. Internal Fraud
2. External Fraud
3. Employment Practices & Workplace Safety
4. Clients, Products & Business Practice
5. Damage to Physical Assets
6. Business Disruptions & Systems Failure
7. Execution, Delivery & Process Management

LOSS TYPES

1. Legal & Liability
2. Regulatory Penalties
3. Loss or Damage to Assets
4. Restitution
5. Loss of Recourse
6. Write Downs


Page 164: Risk Management Essentials for Bankers

Risk Drivers

PROCESS

- Undocumented processes and procedures.
- Ineffective design of processes and procedures.
- Lack of control self-assessments at some critical functions but too many control self-assessments at some non-critical functions.

SYSTEMS

- Errors of systems (Core banking, ATM machines, LOS, Reporting, Call center, software, hardware, etc.)
- External hacks to systems.
- Lack of automatic procedures or back-up systems.

EXTERNAL EVENTS

- Calamities (fires, flood, heavy rains, earthquake, storm, terrorism, etc.)
- Externalities from third parties (vendors, customers, partners, etc.)
- Changes of regulatory policies from the government, central bank.
- Systemic effects from macro changes.

PEOPLE

- Ineffective control & self-assessment.
- Lack of skills, experience to operate smoothly and effectively.
- Non-compliance with internal policies and procedures.
- Involvement in fraudulent activities.


Page 165: Risk Management Essentials for Bankers

Definition of Event Types under Basel II

Event Type | Examples
Internal Fraud | Unauthorized transaction resulting in monetary loss; Embezzlement of funds
External Fraud | Branch robbery; Hacking damage (systems security)
Employment Practices & Workplace Safety | Employee discrimination issues; Inadequate employee health or safety rules
Clients, Products & Business Practices | Money laundering; Lender liability from disclosure violations or aggressive sales
Damage to Physical Assets | Natural disasters, e.g. earthquakes; Terrorist activities
Business Disruption and System Failures | Utility outage (e.g. blackout)
Execution, Delivery & Process Management | Data entry error; Incomplete or missing legal documents; Disputes with vendors/outsourcing


Page 166: Risk Management Essentials for Bankers

Risk Incident Reporting

The Purpose of Collecting Operational Risk Incidents

Identifying arising or existing operational risks in the institution so that we can conduct analysis, evaluation, reporting, monitoring, and control of operational risks.

Providing helpful information on the causes of arising operational risks to enhance the control environment and help to reduce the frequency and impact of operational risks.

Identifying and collecting Op-Risk Incidents

Processing

Data analyzing and Reporting

DATA

ORM Unit

Branches

HO Depts.


Page 167: Risk Management Essentials for Bankers


Page 168: Risk Management Essentials for Bankers


Overview of Technology Risk

Objectives

The objective of Technology Risk Management is to provide a consistent approach to address the various technology risks that may surface with changing business environments, evolving technology and threats, in order to minimize unexpected/catastrophic losses and enable new business opportunities to be pursued in a risk-controlled manner.

Coverage

IT Standards and Guidelines

Components of Technology Risk Management Framework

IT Risk Domains

IT Business Process

IT Systems

IT Business Model

Page 169: Risk Management Essentials for Bankers


Page 170: Risk Management Essentials for Bankers


Page 171: Risk Management Essentials for Bankers


Page 172: Risk Management Essentials for Bankers


Page 173: Risk Management Essentials for Bankers


Page 174: Risk Management Essentials for Bankers


Objectives

The objective of vendor risk management is to ensure that the risks associated with outsourcing arrangements are identified and addressed prior to the engagement of third-party service providers, and that it conforms with appropriate legal and regulatory requirements as well as the entity’s risk management policies and systems.

Key Risks Associated with Outsourcing

Operational Risk – Operational risks arise because the intermediary loses direct control over the activities and the processes, procedures, systems and people engaged in these activities. Hence, if failed to exercise due diligence if the activity / service falls short of the regulatory standards.

Reputation Risk – arises from failure by the 3rd party to deliver as per regulatory standards, which may invite regulatory actions.

Legal Risk – the risk emanates from the failure to enforce the contractual obligations, particularly when the contractual relationship is not redefined with every change in activities outsourced or the way these are discharged.

Other circumstantial risks, like Country Risk, arise when activities are outsourced to offshore centers / foreign firms.

Concentration and systemic risk arise if we focus so much on a few 3rd parties for the same activity.

Overview of Vendor Risk

Page 175: Risk Management Essentials for Bankers


Vendor Risk Management Flow

PLAN: IDENTIFY NEED; DEVELOP RFP

SELECT: DUE DILIGENCE; EVALUATE

NEGOTIATE: DEVELOP KPI; REVIEW CONTRACT

MONITOR: AUDIT ACCESS; FOLLOW UP

TERMINATE: REVOKE ACCESS; TRANSITION PLAN

High Risk Vendor Categories

Core Processors

Internet Banking / Bill Payment / Cash Management Providers / etc.

Credit / Debit Card Processors

Cheque Printers

Network Security Consultants

ATM Networks

Network Security Providers

Web site / Email hosting

CRM Providers

Payroll Processors

And not limited to other categories etc.

Page 176: Risk Management Essentials for Bankers


Vendor Risk Management Framework

Planning / Risk Assessment

Vendor Due Diligence

Risk Measurement & Control

Cost Benefit Analysis

Business outsourcing with Risk Assessment

Regulatory & Process Compliance

Pre-Contract

3rd Party experience

Referrals, qualifications

Data security and member confidentiality

Business resumption or contingency planning

Network & Desktop Security

Personnel Control Security

Client Confidentiality Agreement (e.g NDA)

HR Review – staff background checks

Info Security – physical security & controls

Page 177: Risk Management Essentials for Bankers


Key Risks and Business Impact

Key Risks

1. Loss of key staff or technology infrastructure
2. Adverse changes in law and government affecting the firm’s business model
3. Loss of market share or revenue through competition
4. Introduction of competitive products and technologies by other firms
5. Inability to attract and retain key employees
6. Failure to develop global management and information systems
7. Exposures to litigation related to the firm’s products or services
8. Deficient products/services provided resulting in reputation loss
9. Inability to react to changes in overseas legal, economic or regulatory environment
10. Increased pricing pressure from competitors and/or customers
… Other unlimited risks to take into account

Business Impact

• Responding to these ERM risks would require a robust vendor risk management framework.

• Associating with improper vendors may cause additional unforeseen risks such as wasted capital, product losses and reputation risk.

• Any lapse in controls at a 3rd party service provider could potentially defeat the purpose of an effective ERM.

Page 178: Risk Management Essentials for Bankers


Key Principles when Outsourcing

An exhaustive policy to guide whether and how activities can be properly outsourced.

A comprehensive outsourcing risk management program to address the outsourced activities and the relationship with the 3rd party.

The intermediary should ensure that outsourcing arrangements do not diminish its ability to fulfil its obligations to customers and regulators.

Due Diligence (financial soundness, length of service, job seniority, compatibility with objective of intermediary, 3rd party business reputation, etc.) in selecting the 3rd party.

Outsourcing relationships should be governed by written contracts / agreements.

Establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.

Page 179: Risk Management Essentials for Bankers


Page 180: Risk Management Essentials for Bankers


Objectives

A banking institution should put in place various classes of insurance coverage for its assets and to mitigate operational risks in order to protect itself against potential losses. The objective of an Insurance Policy is to set out appropriate guidelines on the identification of new risks to be insured, the assessment, review and renewal of existing insurance policies, and the administration of insurance policies in terms of premium payment and claims processes.

Insurance Coverage

Roles of relevant parties

Essential Insurance Policies

Identification of new risks to be insured

Review and Renewal of Insurance Policies

Cost-benefit analysis

Payment of Insurance Premium

Processes for Making Insurance Claims

Custodian of Insurance Policies

Insurance Program

Page 181: Risk Management Essentials for Bankers


Essential Insurance Policies

Banker Blanket Bonds (BBB) Insurance Policy to cover operational risks arising from banking activities, e.g. fraudulent acts of employee, money lost in premises and in transit, forgery of documents, responsibilities of directors and officers, etc.

Property Damage / Business Interruption and Liability Insurance Policy to cover property damage and public / products liability.

Directors’ Liability Policy to protect the Directors from any liability when performing individual role as BOD members.

Electronic and Computer Prime Insurance Policy.


Page 182: Risk Management Essentials for Bankers

Understanding the difference between Corporate Governance and Risk Management

Recognizing specific risks in banking environment

Be aware of a standard risk management framework

Recognizing COSO framework on Internal Control and Enterprise Risk Management

Understanding financial failures with lessons learnt

Understanding financial crisis during 2007 to 2008

Recognizing a standard risk appetite framework

Recognizing requirements under Basel II/III

Understanding ICAAP and Stress Testing

Understanding Liquidity Risk and Interest Rate Risk in Banking Book

Understanding Operational Risk Management

Wrap-up of the course


Page 183: Risk Management Essentials for Bankers

Q & A

Page 184: Risk Management Essentials for Bankers

THANK YOU