risk management in banking sector main

Summer Training Project Report

ON

Risk Management in Banking Sector

Summer Training Project Report Submitted for Partial Fulfillment for the

Award of the Degree of

MASTER OF BUSINESS ADMINISTRATION

(MBA)

UNDER THE SUPERVISION OF

Prof. S.P Jain

SUBMITTED BY

Varun Sharma

0871913907

GITARATTAN INTERNATIONAL BUSINESS SCHOOL

Risk Management in Banking Sector 0871913907

(Affiliated to GURU GOBIND SINGH INDRAPRASTHA UNIVERSITY)

ROHINI, NEW DELHI – 110085

(2007-09)

ACKNOWLEDGEMENT

I express my heartiest gratitude to Mrs. ANITA KHANNA (CUSTOMER

RELATIONSHIP OFFICER - PNB) for giving me an opportunity to prepare a report on

the project assigned to me. I am also thankful to Prof. S.P Jain, faculty, Gitarattan

International Business School, Rohini. Under their guidance I undertook this project, for

extending the advice and direction that is required to carry on a study of this nature, and

for helping me with the intricate details of the project at every step. Without her support

and able guidance, it would have been very difficult to finish this work in the way I have

done it.

However, I accept the sole responsibility of any possible errors of omission.

Varun Sharma

Gitarattan International Business School 2


TABLE OF CONTENTS

1. INTRODUCTION - Objectives of the study 5 Scope of study 6 Limitations of study 6

2. DEFINITION OF RISK – What is Risk? 12 What is Risk Management? Dose it eliminate Risk? 12 Objectives of Risk Management functions 13 Risk in Banking 14

3. TOPOLOGY OF RISK EXPOSURE – Market Risk 19 Credit Risk 25 Operational Risk 36

4. AN IDEALIZED BANK OF THE FUTURE 48

5. STUDY OF OPERATIONAL RISK AT PUNJAB NATIONAL BANK 49

6. REFERENCES 54



EXECUTIVE SUMMARY

This project at Punjab National Bank was undertaken during the period of 2 months

(JUNE 1st ’08 to JULY 31st ’08) as part of my summer training

As part of summer training, I was made to accompany Customer Relationship Officer to

observe Client Interaction, gauge the level of satisfaction by listening and solving

quarries of existing clients also helped in making new clients.

My Summer Training included the following-

An in-depth induction through the Computer Based Training Module

Learning the basics of the various Baking Operations such as – procedure of opening

new account (Savings, Current), printing and updating of passbook, procedure of

opening a F.D, deposits / withdrawals, issuing of ATM cards and internet banking

passwords etc.

Various Documents Necessary or Required at the Time of Opening of Account

Accompanying Customer Relationship Officer to observe client interaction.

Client Acquisition.

During the course of my training, I got valuable insights about the workings in a bank

branch, internet banking and client interface.



OBJECTIVES

To study broad outline of management of credit, market and operational risks associated

with banking sector .

Though the risk management area is very wide and elaborated, still the project covers

whole subject in concise manner.

The study aims at learning the techniques involved to manage the various types of risks,

various methodologies undertaken. The application of the techniques involves us to gain

an insight into the following aspects:

An overview of the risks in general.

An insight of the various credit, market and operational risks attached to

the banking sector

The methodology related to the management of operational risk followed

at PNB.

Tools applied in for measurement and management of various types of

risks.

Having an insight into the practical aspects of the working of various

departments.



SCOPE OF THE STUDY

The report seeks to present a comprehensive picture of the various risks inherent in the

bank. The risks can be broadly classified into three categories:

Credit risk

Market risk

Operational risk

Within each of these broad groups, an attempt has been made to cover as

comprehensively as possible, the various sub-groups

The computation of capital charge for market risk will also be taken practically as also

the assigning the ratings for individual borrowers. PNB is also under the key process of

testing and implementation of Reuters "KONDOR" software for its VaR calculations and

other aspects of market risk.

LIMITATION OF THE STUDY



1. The major limitation of this study shall be data availability as the data is proprietary

and not readily shared for dissemination.

2. Due to the ongoing process of globalization and increasing competition, no one model

or method will suffice over a long period of time and constant up gradation will be

required. As such the project can be considered as an overview of the various risks

prevailing in Punjab National Bank and in the Banking Industry.

3. Each bank, in conforming to the RBI guidelines, may develop its own methods for

measuring and managing risk.

4. The concept of risk management implementation is relatively new and risk

management tools can prove to be costly.

5. Out of the various ways in which risks can be managed, none of the method is perfect

and may be very diverse even for the work in a similar situation for the future.

6. Due to ever changing environment , many risks are unexpected and the remedial

measures available are based on general experience from the past.

7. Selection of methods depends on the firms expectations as well as the risk appetite.

Also risks can only be minimized not completely erased.



INTRODUCTION

The significant transformation of the banking industry in India is clearly evident

from the changes that have occurred in the financial markets, institutions and products.

While deregulation has opened up new vistas for banks to argument revenues, it has

entailed greater competition and consequently greater risks. Cross- border flows and

entry of new products, particularly derivative instruments, have impacted significantly on

the domestic banking sector forcing banks to adjust the product mix, as also to effect

rapid changes in their processes and operations in order to remain competitive to the

globalized environment. These developments have facilitated greater choice for

consumers, who have become more discerning and demanding compelling banks to offer

a broader range of products through diverse distribution channels. The traditional face of

banks as mere financial intermediaries has since altered and risk management has

emerged as their defining attribute.

Currently, the most important factor shaping the world is globalization. The

benefits of globalization have been well documented and are being increasingly

recognized. Integration of domestic markets with international financial markets has been

facilitated by tremendous advancement in information and communications technology.

But, such an environment has also meant that a problem in one country can sometimes

adversely impact one or more countries instantaneously, even if they are fundamentally

strong.



There is a growing realisation that the ability of countries to conduct business

across national borders and the ability to cope with the possible downside risks would

depend, interalia, on the soundness of the financial system. This has consequently meant

the adoption of a strong and transparent, prudential, regulatory, supervisory,

technological and institutional framework in the financial sector on par with international

best practices. All this necessitates a transformation: a transformation in the mindset, a

transformation in the business processes and finally, a transformation in knowledge

management. This process is not a one shot affair; it needs to be appropriately phased in

the least disruptive manner.

The banking and financial crises in recent years in emerging economies have

demonstrated that, when things go wrong with the financial system, they can result in a

severe economic downturn. Furthermore, banking crises often impose substantial costs on

the exchequer, the incidence of which is ultimately borne by the taxpayer. The World

Bank Annual Report (2002) has observed that the loss of US $1 trillion in banking crisis

in the 1980s and 1990s is equal to the total flow of official development assistance to

developing countries from 1950s to the present date. As a consequence, the focus of

financial market reform in many emerging economies has been towards increasing

efficiency while at the same time ensuring stability in financial markets.

From this perspective, financial sector reforms are essential in order to avoid such

costs. It is, therefore, not surprising that financial market reform is at the forefront of

public policy debate in recent years. The crucial role of sound financial markets in

promoting rapid economic growth and ensuring financial stability. Financial sector

reform, through the development of an efficient financial system, is thus perceived as a

key element in raising countries out of their 'low level equilibrium trap'. As the World

Bank Annual Report (2002) observes, ‘ a robust financial system is a precondition for a

sound investment climate, growth and the reduction of poverty ’.



Financial sector reforms were initiated in India a decade ago with a view to

improving efficiency in the process of financial intermediation, enhancing the

effectiveness in the conduct of monetary policy and creating conditions for integration of

the domestic financial sector with the global system. The first phase of reforms was

guided by the recommendations of Narasimham Committee.

The approach was to ensure that ‘the financial services industry operates on the

basis of operational flexibility and functional autonomy with a view to enhancing

efficiency, productivity and profitability'.

The second phase, guided by Narasimham Committee II, focused on

strengthening the foundations of the banking system and bringing about structural

improvements. Further intensive discussions are held on important issues related

to corporate governance, reform of the capital structure, (in the context of Basel II

norms), retail banking, risk management technology, and human resources

development, among others.

Since 1992, significant changes have been introduced in the Indian financial

system. These changes have infused an element of competition in the financial system,

marking the gradual end of financial repression characterized by price and non-price

controls in the process of financial intermediation. While financial markets have been

fairly developed, there still remains a large extent of segmentation of markets and non-

level playing field among participants, which contribute to volatility in asset prices. This

volatility is exacerbated by the lack of liquidity in the secondary markets. The purpose of

this paper is to highlight the need for the regulator and market participants to recognize

the risks in the financial system, the products available to hedge risks and the

instruments, including derivatives that are required to be developed/introduced in the

Indian system.



The financial sector serves the economic function of intermediation by ensuring

efficient allocation of resources in the economy. Financial intermediation is enabled

through a four-pronged transformation mechanism consisting of liability-asset

transformation, size transformation, maturity transformation and risk transformation.

Risk is inherent in the very act of transformation. However, prior to reform of

1991-92, banks were not exposed to diverse financial risks mainly because interest rates

were regulated, financial asset prices moved within a narrow band and the roles of

different categories of intermediaries were clearly defined. Credit risk was the major risk

for which banks adopted certain appraisal standards.

Several structural changes have taken place in the financial sector since 1992. The

operating environment has undergone a vast change bringing to fore the critical

importance of managing a whole range of financial risks. The key elements of this

transformation process have been

1. The deregulation of coupon rate on Government securities.

2. Substantial liberalization of bank deposit and lending rates.

3. A gradual trend towards disintermediation in the financial system in the wake of

increased access of corporates to capital markets.

4. Blurring of distinction between activities of financial institutions.

5. Greater integration among the various segments of financial markets and their

increased order of globalisation, diversification of ownership of public sector

banks.

6. Emergence of new private sector banks and other financial institutions, and,

7. The rapid advancement of technology in the financial system.



DEFINITION OF RISK

What is Risk?

"What is risk?" And what is a pragmatic definition of risk? Risk means different

things to different people. For some it is "financial (exchange rate, interest-call money

rates), mergers of competitors globally to form more powerful entities and not leveraging

IT optimally" and for someone else "an event or commitment which has the potential to

generate commercial liability or damage to the brand image". Since risk is accepted in

business as a trade off between reward and threat, it does mean that taking risk bring

forth benefits as well. In other words it is necessary to accept risks, if the desire is to reap

the anticipated benefits.

Risk in its pragmatic definition, therefore, includes both threats that can

materialize and opportunities, which can be exploited. This definition of risk is very

pertinent today as the current business environment offers both challenges and

opportunities to organizations, and it is up to an organization to manage these to their

competitive advantage.

What is Risk Management - Does it eliminate risk?



Risk management is a discipline for dealing with the possibility that some future

event will cause harm. It provides strategies, techniques, and an approach to recognizing

and confronting any threat faced by an organization in fulfilling its mission. Risk

management may be as uncomplicated as asking and answering three basic questions:

1. What can go wrong?

2. What will we do (both to prevent the harm from occurring and in the aftermath of

an "incident")?

3. If something happens, how will we pay for it?

Risk management does not aim at risk elimination, but enables the organization to

bring their risks to manageable proportions while not severely affecting their income.

This balancing act between the risk levels and profits needs to be well-planned. Apart

from bringing the risks to manageable proportions, they should also ensure that one risk

does not get transformed into any other undesirable risk. This transformation takes place

due to the inter-linkage present among the various risks. The focal point in managing any

risk will be to understand the nature of the transaction in a way to unbundle the risks it is

exposed to.

Risk Management is a more mature subject in the western world. This is largely a

result of lessons from major corporate failures, most telling and visible being the Barings

collapse. In addition, regulatory requirements have been introduced, which expect

organizations to have effective risk management practices. In India, whilst risk

management is still in its infancy, there has been considerable debate on the need to

introduce comprehensive risk management practices.

Objectives of Risk Management Function

Two distinct viewpoints emerge –

One which is about managing risks, maximizing profitability and creating

opportunity out of risks



And the other which is about minimising risks/loss and protecting corporate

assets.

The management of an organization needs to consciously decide on whether they

want their risk management function to 'manage' or 'mitigate' Risks.

Managing risks essentially is about striking the right balance between risks and

controls and taking informed management decisions on opportunities and threats

facing an organization. Both situations, i.e. over or under controlling risks are

highly undesirable as the former means higher costs and the latter means possible

exposure to risk.

Mitigating or minimising risks, on the other hand, means mitigating all risks even

if the cost of minimising a risk may be excessive and outweighs the cost-benefit

analysis. Further, it may mean that the opportunities are not adequately exploited.

In the context of the risk management function, identification and management of

Risk is more prominent for the financial services sector and less so for consumer products

industry. What are the primary objectives of your risk management function? When

specifically asked in a survey conducted, 33% of respondents stated that their risk

management function is indeed expressly mandated to optimise risk.

Risks in Banking

Risks manifest themselves in many ways and the risks in banking are a result of

many diverse activities, executed from many locations and by numerous people. As a

financial intermediary, banks borrow funds and lend them as a part of their primary

activity. This intermediation activity, of banks exposes them to a host of risks. The

volatility in the operating environment of banks will aggravate the effect of the various

risks. The case discusses the various risks that arise due to financial intermediation and

by highlighting the need for asset-liability management; it discusses the Gap Model for

risk management.

Typology of Risk Exposure



Based on the origin and their nature, risks are classified into various categories.

The most prominent financial risks to which the banks are exposed to taking into

consideration practical issues including the limitations of models and theories, human

factor, existence of frictions such as taxes and transaction cost and limitations on quality

and quantity of information, as well as the cost of acquiring this information, and more.


FINANCIAL RISKS

MARKETRISK

LIQUIDITY RISK

OPERATIONAL RISK

HUMAN FACTOR RISK

CREDIT RISK LEGAL & REGULATORY RISK

FUNDING LIQUIDITY RISK

TRADING LIQUIDITY RISK

TRANSACTION RISK

PORTFOLIO CONCENTRATION

ISSUE RISK ISSUER RISK COUNTERPARTY RISK


1. MARKET RISK

Market risk is that risk that changes in financial market prices and rates will

reduce the value of the bank’s positions. Market risk for a fund is often measured relative

to a benchmark index or portfolio, is referred to as a “risk of tracking error” market risk

also includes “basis risk,” a term used in risk management industry to describe the chance

of a breakdown in the relationship between price of a product, on the one hand, and the

price of the instrument used to hedge that price exposure on the other. The market-Var

methodology attempts to capture multiple component of market such as directional risk,

convexity risk, volatility risk, basis risk, etc.

2. CREDIT RISK

Credit risk is that risk that a change in the credit quality of a counterparty will

affect the value of a bank’s position. Default, whereby a counterparty is unwilling or

unable to fulfill its contractual obligations, is the extreme case; however banks are also

exposed to the risk that the counterparty might downgraded by a rating agency.

Credit risk is only an issue when the position is an asset, i.e., when it exhibits a

positive replacement value. In that instance if the counterparty defaults, the bank either

loses all of the market value of the position or, more commonly, the part of the value that

it cannot recover following the credit event. However, the credit exposure induced by the

replacement values of derivative instruments are dynamic: they can be negative at one


EQUITY RISK INEREST RATE RISK

CURRENCY RISK

COMMODITY RISK

TRADING RISK

GAP RISK

GENERAL MARKET RISK

SPECIFIC RISK


point of time, and yet become positive at a later point in time after market conditions

have changed. Therefore the banks must examine not only the current exposure,

measured by the current replacement value, but also the profile of future exposures up to

the termination of the deal.

3. LIQUIDITY RISK

Liquidity risk comprises both

Funding liquidity risk

Trading-related liquidity risk.

Funding liquidity risk relates to a financial institution’s ability to raise the

necessary cash to roll over its debt, to meet the cash, margin, and collateral requirements

of counterparties, and (in the case of funds) to satisfy capital withdrawals. Funding

liquidity risk is affected by various factors such as the maturities of the liabilities, the

extent of reliance of secured sources of funding, the terms of financing, and the breadth

of funding sources, including the ability to access public market such as commercial

paper market. Funding can also be achieved through cash or cash equivalents, “buying

power ,” and available credit lines.

Trading-related liquidity risk, often simply called as liquidity risk, is the risk that

an institution will not be able to execute a transaction at the prevailing market price

because there is, temporarily, no appetite for the deal on the other side of the market. If

the transaction cannot be postponed its execution my lead to substantial losses on

position. This risk is generally very hard to quantify. It may reduce an institution’s ability

to manage and hedge market risk as well as its capacity to satisfy any shortfall on the

funding side through asset liquidation.

4. OPERATIONAL RISK

It refers to potential losses resulting from inadequate systems, management

failure, faulty control, fraud and human error. Many of the recent large losses related to

derivatives are the direct consequences of operational failure. Derivative trading is more



prone to operational risk than cash transactions because derivatives are, by heir nature,

leveraged transactions. This means that a trader can make very large commitment on

behalf of the bank, and generate huge exposure in to the future, using only small amount

of cash. Very tight controls are an absolute necessary if the bank is to avoid huge losses.

Operational risk includes” fraud,” for example when a trader or other employee

intentionally falsifies and misrepresents the risk incurred in a transaction. Technology

risk, and principally computer system risk also fall into the operational risk category.

5. LEGAL RISK

Legal risk arises for a whole of variety of reasons. For example, counterparty

might lack the legal or regulatory authority to engage in a transaction. Legal risks usually

only become apparent when counterparty, or an investor, lose money on a transaction and

decided to sue the bank to avoid meeting its obligations. Another aspect of regulatory risk

is the potential impact of a change in tax law on the market value of a position.

6. HUMAN FACTOR RISK

Human factor risk is really a special form of operational risk. It relates to the

losses that may result from human errors such as pushing the wrong button on a

computer, inadvertently destroying files, or entering wrong value for the parameter input

of a model.



MARKET RISK

What is Market Risk?

Market Risk may be defined as the possibility of loss to a bank caused by changes

in the market variables. The Bank for International Settlements (BIS) defines market risk

as “the risk that the value of 'on' or 'off' balance sheet positions will be adversely affected

by movements in equity and interest rate markets, currency exchange rates and

commodity prices". Thus, Market Risk is the risk to the bank's earnings and capital due to

changes in the market level of interest rates or prices of securities, foreign exchange and

equities, as well as the volatilities of those changes. Besides, it is equally concerned about

the bank's ability to meet its obligations as and when they fall due. In other words, it

should be ensured that the bank is not exposed to Liquidity Risk. Thus, focus on the

management of Liquidity Risk and Market Risk, further categorized into interest rate risk,

foreign exchange risk, commodity price risk and equity price risk. An effective market

risk management framework in a bank comprises risk identification, setting up of limits

and triggers, risk monitoring, models of analysis that value positions or measure market

risk, risk reporting, etc.

Types of market risk

Interest rate risk:



Interest rate risk is the risk where changes in market interest rates might adversely

affect a bank's financial condition. The immediate impact of changes in interest rates is

on the Net Interest Income (NII). A long term impact of changing interest rates is on the

bank's networth since the economic value of a bank's assets, liabilities and off-balance

sheet positions get affected due to variation in market interest rates. The interest rate risk

when viewed from these two perspectives is known as 'earnings perspective' and

'economic value' perspective, respectively.

Management of interest rate risk aims at capturing the risks arising from the

maturity and repricing mismatches and is measured both from the earnings and economic

value perspective.

Earnings perspective involves analyzing the impact of changes in interest

rates on accrual or reported earnings in the near term. This is measured by

measuring the changes in the Net Interest Income (NII) or Net Interest Margin

(NIM) i.e. the difference between the total interest income and the total interest

expense.

Economic Value perspective involves analyzing the changes of impact

on interest on the expected cash flows on assets minus the expected cash flows on

liabilities plus the net cash flows on off-balance sheet items. It focuses on the risk

to networth arising from all repricing mismatches and other interest rate sensitive

positions. The economic value perspective identifies risk arising from long-term

interest rate gaps.

The management of Interest Rate Risk should be one of the critical components of

market risk management in banks. The regulatory restrictions in the past had greatly

reduced many of the risks in the banking system. Deregulation of interest rates has,

however, exposed them to the adverse impacts of interest rate risk. The Net Interest

Income (NII) or Net Interest Margin (NIM) of banks is dependent on the movements of

interest rates. Any mismatches in the cash flows (fixed assets or liabilities) or repricing



dates (floating assets or liabilities), expose bank's NII or NIM to variations. The earning

of assets and the cost of liabilities are now closely related to market interest rate volatility

Generally, the approach towards measurement and hedging of IRR varies with the

segmentation of the balance sheet. In a well functioning risk management system, banks

broadly position their balance sheet into Trading and Banking Books. While the assets

in the trading book are held primarily for generating profit on short-term differences in

prices/yields, the banking book comprises assets and liabilities, which are contracted

basically on account of relationship or for steady income and statutory obligations and

are generally held till maturity. Thus, while the price risk is the prime concern of banks in

trading book, the earnings or economic value changes are the main focus of banking

book.

Equity price risk:

The price risk associated with equities also has two components” General market

risk” refers to the sensitivity of an instrument / portfolio value to the change in the level

of broad stock market indices.” Specific / Idiosyncratic” risk refers to that portion of the

stock’s price volatility that is determined by characteristics specific to the firm, such as

its line of business, the quality of its management, or a breakdown in its production

process. The general market risk cannot be eliminated through portfolio diversification

while specific risk can be diversified away.

Foreign exchange risk:

Foreign Exchange Risk maybe defined as the risk that a bank may suffer losses as

a result of adverse exchange rate movements during a period in which it has an open

position, either spot or forward, or a combination of the two, in an individual foreign

currency. The banks are also exposed to interest rate risk, which arises from the maturity

mismatching of foreign currency positions. Even in cases where spot and forward

positions in individual currencies are balanced, the maturity pattern of forward



transactions may produce mismatches. As a result, banks may suffer losses as a result of

changes in premia/discounts of the currencies concerned.

In the forex business, banks also face the risk of default of the counterparties or

settlement risk. While such type of risk crystallization does not cause principal loss,

banks may have to undertake fresh transactions in the cash/spot market for replacing the

failed transactions. Thus, banks may incur replacement cost, which depends upon the

currency rate movements. Banks also face another risk called time-zone risk or Herstatt

risk which arises out of time-lags in settlement of one currency in one center and the

settlement of another currency in another time-zone. The forex transactions with

counterparties from another country also trigger sovereign or country risk (dealt with in

details in the guidance note on credit risk).

The three important issues that need to be addressed in this regard are:

1. Nature and magnitude of exchange risk

2. Exchange managing or hedging for adopted be to strategy>

3. The tools of managing exchange risk

Commodity price risk:

The price of the commodities differs considerably from its interest rate risk

and foreign exchange risk, since most commodities are traded in the market in

which the concentration of supply can magnify price volatility. Moreover,

fluctuations in the depth of trading in the market (i.e., market liquidity) often

accompany and exacerbate high levels of price volatility. Therefore, commodity

prices generally have higher volatilities and larger price discontinuities.

Treatment of Market Risk in the Proposed Basel Capital Accord



The Basle Committee on Banking Supervision (BCBS) had issued comprehensive

guidelines to provide an explicit capital cushion for the price risks to which banks are

exposed, particularly those arising from their trading activities. The banks have been

given flexibility to use in-house models based on VaR for measuring market risk as an

alternative to a standardized measurement framework suggested by Basle Committee.

The internal models should, however, comply with quantitative and qualitative criteria

prescribed by Basle Committee.

Reserve Bank of India has accepted the general framework suggested by the Basle

Committee. RBI has also initiated various steps in moving towards prescribing capital for

market risk. As an initial step, a risk weight of 2.5% has been prescribed for investments

in Government and other approved securities, besides a risk weight each of 100% on the

open position limits in forex and gold. RBI has also prescribed detailed operating

guidelines for Asset-Liability Management System in banks. As the ability of banks to

identify and measure market risk improves, it would be necessary to assign explicit

capital charge for market risk. While the small banks operating predominantly in India

could adopt the standardized methodology, large banks and those banks operating in

international markets should develop expertise in evolving internal models for

measurement of market risk.

The Basle Committee on Banking Supervision proposes to develop capital charge

for interest rate risk in the banking book as well for banks where the interest rate risks are

significantly above average ('outliers'). The Committee is now exploring various

methodologies for identifying 'outliers' and how best to apply and calibrate a capital

charge for interest rate risk for banks. Once the Committee finalizes the modalities, it

may be necessary, at least for banks operating in the international markets to comply with

the explicit capital charge requirements for interest rate risk in the banking book. As the

valuation norms on banks' investment portfolio have already been put in place and

aligned with the international best practices, it is appropriate to adopt the Basel norms on

capital for market risk. In view of this, banks should study the Basel framework on



capital for market risk as envisaged in Amendment to the Capital Accord to incorporate

market risks published in January 1996 by BCBS and prepare themselves to follow the

international practices in this regard at a suitable date to be announced by RBI.

The Proposed New Capital Adequacy Framework

The Basel Committee on Banking Supervision has released a Second Consultative

Document, which contains refined proposals for the three pillars of the New Accord -

Minimum Capital Requirements, Supervisory Review and Market Discipline. It may be

recalled that the Basel Committee had released in June 1999 the first Consultative Paper

on a New Capital Adequacy Framework for comments. However, the proposal to

provide explicit capital charge for market risk in the banking book which was included in

the Pillar I of the June 1999 Document has been shifted to Pillar II in the second

Consultative Paper issued in January 2001. The Committee has also provided a technical

paper on evaluation of interest rate risk management techniques. The Document has

defined the criteria for identifying outlier banks. According to the proposal, a bank may

be defined as an outlier whose economic value declined by more than 20% of the sum of

Tier 1 and Tier 2 capital as a result of a standardized interest rate shock (200 bps.)

The second Consultative Paper on the New Capital Adequacy framework issued

in January, 2001 has laid down 13 principles intended to be of general application for the

management of interest rate risk, independent of whether the positions are part of the

trading book or reflect banks' non-trading activities. They refer to an interest rate risk

management process, which includes the development of a business strategy, the

assumption of assets and liabilities in banking and trading activities, as well as a system



of internal controls. In particular, they address the need for effective interest rate risk

measurement, monitoring and control functions within the interest rate risk management

process. The principles are intended to be of general application, based as they are on

practices currently used by many international banks, even though their specific

application will depend to some extent on the complexity and range of activities

undertaken by individual banks. Under the New Basel Capital Accord, they form

minimum standards expected of internationally active banks. The principles are given in

Annexure II.

CREDIT RISK

What is Credit Risk?

Credit risk is defined as the possibility of losses associated with diminution in the

credit quality of borrowers or counterparties. In a bank's portfolio, losses stem from

outright default due to inability or unwillingness of a customer or counterparty to meet

commitments in relation to lending, trading, settlement and other financial transactions.

Alternatively, losses result from reduction in portfolio value arising from actual or

perceived deterioration in credit quality. Credit risk emanates from a bank's dealings with

an individual, corporate, bank, financial institution or a sovereign. Credit risk may take

the following forms

In the case of direct lending: principal/and or interest amount may not be repaid;

In the case of guarantees or letters of credit: funds may not be forthcoming from

the constituents upon crystallization of the liability;

In the case of treasury operations: the payment or series of payments due from the

counter parties under the respective contracts may not be forthcoming or ceases;

In the case of securities trading businesses: funds/ securities settlement may not

be effected;



In the case of cross-border exposure: the availability and free transfer of foreign

currency funds may either cease or the sovereign may impose restrictions.

Types of Credit Rating

Credit rating can be classified as:

2. External credit rating.

3. Internal credit rating

External credit rating:

A credit rating is not, in general, an investment recommendation concerning a

given security. In the words of S&P,” A credit rating is S&P's opinion of the general

creditworthiness of an obligor, or the creditworthiness of an obligor with respect to a

particular debt security or other financial obligation, based on relevant risk factors.” In

Moody's words, a rating is, “ an opinion on the future ability and legal obligation of an

issuer to make timely payments of principal and interest on a specific fixed-income

security.”

Since S&P and Moody's are considered to have expertise in credit rating and are

regarded as unbiased evaluators, there ratings are widely accepted by market participants

and regulatory agencies. Financial institutions, when required to hold investment grade

bonds by their regulators use the rating of credit agencies such as S&P and Moody's to

determine which bonds are of investment grade.

The subject of credit rating might be a company issuing debt obligations. In the

case of such “issuer credit ratings” the rating is an opinion on the obligor’s overall

capacity to meet its financial obligations. The opinion is not specific to any particular

liability of the company, nor does it consider merits of having guarantors for some of the

obligations. In the issuer credit rating categories are

a) Counterparty ratings



b) Corporate credit ratings

c) Sovereign credit ratings

The rating process includes quantitative, qualitative, and legal analyses. The

quantitative analyses. The quantitative analysis is mainly financial analysis and is based

on the firm’s financial reports. The qualitative analysis is concerned with the quality of

management, and includes a through review of the firm’s competitiveness within its

industry as well as the expected growth of the industry and its vulnerability to

technological changes, regulatory changes, and labor relations.

Internal credit rating:

A typical risk rating system (RRS) will assign both an obligor rating to each

borrower (or group of borrowers), and a facility rating to each available facility. A risk

rating (RR) is designed to depict the risk of loss in a credit facility. A robust RRS should

offer a carefully designed, structured, and documented series of steps for the assessment

of each rating.

The following are the steps for assessment of rating:

a) Objectivity and Methodology:

The goal is to generate accurate and consistent risk rating, yet also to allow

professional judgment to significantly influence a rating where it is appropriate. The

expected loss is the product of an exposure (say, Rs. 100) and the probability of default

(say, 2%) of an obligor (or borrower) and the loss rate given default (say, 50%) in any

specific credit facility. In this example,

The expected loss = 100*.02*.50 = Rs. 1

A typical risk rating methodology (RRM)

a. Initial assign an obligor rating that identifies the expected probability of

default by that borrower (or group) in repaying its obligations in normal

course of business.



b. The RRS then identifies the risk loss (principle/interest) by assigning an RR to

each individual credit facility granted to an obligor.

The obligor rating represents the probability of default by a borrower in repaying

its obligation in the normal course of business. The facility rating represents the expected

loss of principal and/ or interest on any business credit facility. It combines the likelihood

of default by a borrower and conditional severity of loss, should default occur, from the

credit facilities available to the borrower.

Risk Rating Continuum (Prototype Risk Rating System)

RISK RR Corresponding Probable

S&P or Moody's Rating

Sovereign 0 Not Applicable

Low 1 AAA

2 AA Investment Grade

3 A

4 BBB+/BBB

Average 5 BBB-

6 BB+/BB

7 BB-

High 8

9

10

B+/B

B-

CCC+/CCC

Below Investment

Grade

11 CC-

12 In Default



The steps in the RRS (nine, in our prototype system) typically start with a

financial assessment of the borrower (initial obligor rating), which sets a floor on the

obligor rating (OR). A series of further steps (four) arrive at the final obligor rating. Each

one of steps 2 to 5 may result in the downgrade of the initial rating attributed at step 1.

These steps include analyzing the managerial capability of the borrower (step 2),

examining the borrower’s absolute and relative position within the industry (step 3),

reviewing the quality of the financial information (step 4) and the country risk (step 5).

The process ensures that all credits are objectively rated using a consistent process to

arrive at the accurate rating.

Additional steps (four, in our example) are associated with arriving at a final facility

rating, which may be above OR below the final obligor rating. These steps include

examining third-party support (step 6), factoring in the maturity of the transaction (step

7), reviewing how strongly the transaction is structured. (step 8), and assessing the

amount of collateral (step 9).

b) Measurement of Default Probability and Recovery Rates.

Credit rating systems can be compared to multivariate credit scoring systems to

evaluate their ability to predict bankruptcy rates and also to provide estimates of the

severity of losses. Altman and Saunders (1998) provide a detailed survey of credit risk

management approaches. They compare four methodologies for credit scoring:

1. The linear probability model

2. The logit model

3. The probit model

4. The discriminant analysis model

The logit model assumes that the default probability is logistically distributed, and

applies a few accounting variables to predict the default probability. The linear

probability model is based on a linear regression model, and makes use of a number of

accounting variables to try to predict the probability of default. The multiple discriminant

analysis (MDA), proposed and advocated by Aitman is based on finding a linear function



of both accounting and market based variables that best discriminates between two

groups: firms that actually defaulted and firms that did not default.

The linear models are based on empirical procedures. They are not found in

theory of the firm OR any theoretical stochastic processes for leveraged firms.

Credit Risk Management

In this backdrop, it is imperative that banks have a robust credit risk management

system which is sensitive and responsive to these factors. The effective management of

credit risk is a critical component of comprehensive risk management and is essential for

the long term success of any banking organization. Credit risk management encompasses

identification, measurement, monitoring and control of the credit risk exposures.

Building Blocks of Credit Risk Management:

In a bank, an effective credit risk management framework would comprise of the

following distinct building blocks:

Policy and Strategy

Organizational Structure

Operations/ Systems

Policy and Strategy

The Board of Directors of each bank shall be responsible for approving and

periodically reviewing the credit risk strategy and significant credit risk policies.

Credit Risk Policy

1. Every bank should have a credit risk policy document approved by the Board. The

document should include risk identification, risk measurement, risk grading/

aggregation techniques, reporting and risk control/ mitigation techniques,

documentation, legal issues and management of problem loans.



2. Credit risk policies should also define target markets, risk acceptance criteria,

credit approval authority, credit origination/ maintenance procedures and

guidelines for portfolio management.

3. The credit risk policies approved by the Board should be communicated to

branches/controlling offices. All dealing officials should clearly understand the

bank's approach for credit sanction and should be held accountable for complying

with established policies and procedures.

4. Senior management of a bank shall be responsible for implementing the credit

risk policy approved by the Board.</P< LI>

Credit Risk Strategy

1. Each bank should develop, with the approval of its Board, its own credit risk

strategy or plan that establishes the objectives guiding the bank's credit-granting

activities and adopt necessary policies/ procedures for conducting such activities.

This strategy should spell out clearly the organization’s credit appetite and the

acceptable level of risk-reward trade-off for its activities.

2. The strategy would, therefore, include a statement of the bank's willingness to

grant loans based on the type of economic activity, geographical location,

currency, market, maturity and anticipated profitability. This would necessarily

translate into the identification of target markets and business sectors, preferred

levels of diversification and concentration, the cost of capital in granting credit

and the cost of bad debts.

3. The credit risk strategy should provide continuity in approach as also take into

account the cyclical aspects of the economy and the resulting shifts in the

composition/ quality of the overall credit portfolio. This strategy should be viable

in the long run and through various credit cycles.



4. Senior management of a bank shall be responsible for implementing the credit

risk strategy approved by the Board.

Organizational Structure

Sound organizational structure is sine qua non for successful implementation of

an effective credit risk management system. The organizational structure for credit risk

management should have the following basic features:

1. The Board of Directors should have the overall responsibility for management of

risks. The Board should decide the risk management policy of the bank and set

limits for liquidity, interest rate, foreign exchange and equity price risks.

The Risk Management Committee will be a Board level Sub committee including

CEO and heads of Credit, Market and Operational Risk Management Committees. It will

devise the policy and strategy for integrated risk management containing various risk

exposures of the bank including the credit risk. For this purpose, this Committee should

effectively coordinate between the Credit Risk Management Committee (CRMC), the

Asset Liability Management Committee and other risk committees of the bank, if any. It

is imperative that the independence of this Committee is preserved. The Board should,

therefore, ensure that this is not compromised at any cost. In the event of the Board not

accepting any recommendation of this Committee, systems should be put in place to spell

out the rationale for such an action and should be properly documented. This document

should be made available to the internal and external auditors for their scrutiny and

comments. The credit risk strategy and policies adopted by the committee should be

effectively

Operations / Systems

Banks should have in place an appropriate credit administration, credit risk

measurement and monitoring processes. The credit administration process typically

involves the following phases:



1. Relationship management phase i.e. business development.

2. Transaction management phase covers risk assessment, loan pricing, structuring

the facilities, internal approvals, documentation, loan administration, on going

monitoring and risk measurement.

3. Portfolio management phase entails monitoring of the portfolio at a macro level

and the management of problem loans

4. On the basis of the broad management framework stated above, the banks should

have the following credit risk measurement and monitoring procedures:

5. Banks should establish proactive credit risk management practices like annual /

half yearly industry studies and individual obligor reviews, periodic credit calls

that are documented, periodic visits of plant and business site, and at least

quarterly management reviews of troubled exposures/weak credits

Credit Risk Models

A credit risk model seeks to determine, directly or indirectly, the answer to the

following question: Given our past experience and our assumptions about the future,

what is the present value of a given loan or fixed income security? A credit risk model

would also seek to determine the (quantifiable) risk that the promised cash flows will not

be forthcoming. The techniques for measuring credit risk that have evolved over the last

twenty years are prompted by these questions and dynamic changes in the loan market.

The increasing importance of credit risk modeling should be seen as the

consequence of the following three factors:

1. Banks are becoming increasingly quantitative in their treatment of credit risk.

2. New markets are emerging in credit derivatives and the marketability of existing

loans is increasing through securitization/ loan sales market."



3. Regulators are concerned to improve the current system of bank capital

requirements especially as it relates to credit risk.

Importance of Credit Risk Models

Credit Risk Models have assumed importance because they provide the decision

maker with insight or knowledge that would not otherwise be readily available or that

could be marshalled at prohibitive cost. In a marketplace where margins are fast

disappearing and the pressure to lower pricing is unrelenting, models give their users a

competitive edge. The credit risk models are intended to aid banks in quantifying,

aggregating and managing risk across geographical and product lines. The outputs of

these models also play increasingly important roles in banks' risk management and

performance measurement processes, customer profitability analysis, risk-based pricing,

active portfolio management and capital structure decisions. Credit risk modeling may

result in better internal risk management and may have the potential to be used in the

supervisory oversight of banking organizations.

RBI Guidelines on Credit Risk New Capital Accord: Implications for

Credit Risk Management

The Basel Committee on Banking Supervision had released in June 1999 the first

Consultative Paper on a New Capital Adequacy Framework with the intention of

replacing the current broad-brush 1988 Accord. The Basel Committee has released a

Second Consultative Document in January 2001, which contains refined proposals for the

three pillars of the New Accord - Minimum Capital Requirements, Supervisory Review

and Market Discipline.

The Committee proposes two approaches, for estimating regulatory capital. viz.,



1. Standardized and

2. Internal Rating Based (IRB)

Under the standardized approach, the Committee desires neither to produce a

net increase nor a net decrease, on an average, in minimum regulatory capital, even after

accounting for operational risk. Under the Internal Rating Based (IRB) approach, the

Committee's ultimate goals are to ensure that the overall level of regulatory capital is

sufficient to address the underlying credit risks and also provides capital incentives

relative to the standardized approach, i.e., a reduction in the risk weighted assets of 2% to

3% (foundation IRB approach) and 90% of the capital requirement under foundation

approach for advanced IRB approach to encourage banks to adopt IRB approach for

providing capital.

The minimum capital adequacy ratio would continue to be 8% of the risk-

weighted assets, which cover capital requirements for market (trading book), credit and

operational risks. For credit risk, the range of options to estimate capital extends to

include a standardized, a foundation IRB and an advanced IRB approaches.

RBI Guidelines for Credit Risk Management Credit Rating Framework

A Credit-risk Rating Framework (CRF) is necessary to avoid the limitations

associated with a simplistic and broad classification of loans/exposures into a "good" or a

"bad" category. The CRF deploys a number/ alphabet/ symbol as a primary summary

indicator of risks associated with a credit exposure. Such a rating framework is the basic

module for developing a credit risk management system and all advanced

models/approaches are based on this structure. In spite of the advancement in risk

management techniques, CRF is continued to be used to a great extent. These

frameworks have been primarily driven by a need to standardize and uniformly



communicate the "judgment" in credit selection procedures and are not a substitute to the

vast lending experience accumulated by the banks' professional staff.

Broadly, CRF can be used for the following purposes:

1. Individual credit selection, wherein either a borrower or a particular exposure/

facility is rated on the CRF

2. Pricing (credit spread) and specific features of the loan facility. This would

largely constitute transaction-level analysis.

3. Portfolio-level analysis.

4. Surveillance, monitoring and internal MIS

Assessing the aggregate risk profile of bank/ lender. These would be relevant for

portfolio-level analysis. For instance, the spread of credit exposures across various CRF

categories, the mean and the standard deviation of losses occurring in each CRF category

and the overall migration of exposures would highlight the aggregated credit-risk for the

entire portfolio of the bank.

OPERATIONAL RISK

What is Operational Risk?

Operational risk is the risk associated with operating a

business. Operational risk covers such a wide area that it is useful to subdivide

operational risk into two components:

Operational failure risk.

Operational strategic risk.



Operational failure risk arises from the potential for failure in the course of

operating the business. A firm uses people, processes and technology to achieve the

business plans, and any one of these factors may experience a failure of some kind.

Accordingly, operational failure risk can be defined as the risk that there will be a failure

of people, processes or technology within the business unit. A portion of failure may be

anticipated, and these risks should be built into the business plan. But it is unanticipated,

and therefore uncertain, failures that give rise to key operational risks. These failures can

be expected to occur periodically, although both their impact and their frequency may be

uncertain.

The impact or severity of a financial loss can be divided into two categories:

An expected amount

An unexpected amount.

The latter is itself subdivided into two classes: an amount classed as severe, and a

catastrophic amount. The firm should provide for the losses that arise from the expected

component of these failures by charging expected revenues with a sufficient amount of

reserves. In addition, the firm should set aside sufficient economic capital to cover the

unexpected component, or resort to insurance.

Operational strategic risk arises from environmental factors, such as a new

competitor that changes the business paradigram, a major political and regulatory regime

change, and earthquakes and other such factors that are outside the control of the firm. It

also arises from major new strategic initiatives, such as developing a new line of business

or re-engineering an existing business line. All business rely on people, processes and

technology outside their business unit, and the potential for failure exists there too, this

type of risk is referred to as external dependency risk.



The figure above summarizes the relationship between operational failure risk and

operational strategic risk. These two principal categories of risk are also sometimes

defined as “internal” and “ external” operational risk.

Operational risk is often thought to be limited to losses that can occur in operating

or processing centers. This type of operational risk, sometimes referred as operations risk,

is an important component, but it by no means covers all of the operational risks facing

the firm. Our definition of operational risk as the risk associated with operating the

business means significant amounts of operational risk are also generated outside the

processing centers.

Risk begins to accumulate even before the design of the potential transaction gets

underway. It is present during negotiations with the client (regardless of whether the


Figure: Two Broad Categories of Operational Risk

Operational Risk

Operational failure risk (Internal operational risk)

The risk encountered in pursuit of a particular strategy due to:

People Process Technology

Operational strategic risk (External operational risk)

The risk of choosing an inappropriate strategy in response to environmental factor, such as

Political Taxation Regulation Government Societal Competition, etc.


negotiation is a lengthy structuring exercise or a routine electronic negotiation.) and

continues after the negotiation as the transaction is serviced.

A complete picture of operational risk can only be obtained if the bank’s activity

is analyzed from beginning to end. Several things have to be in place before a transaction

is negotiated, and each exposes the firm to operational risk. The activity carried on behalf

of the client by the staff can expose the institution to “people risk”. “People risk” are not

only in the form of risk found early in a transaction. But they further rely on using

sophisticated financial models to price the transaction. This creates what is called as

Model risk which can arise because of wrong parameters like input to the model, or

because the model is used inappropriately and so on.

Once the transaction is negotiated and a ticket is written, errors can occur as the

transaction is recorded in various systems or reports. An error here may result in the

delayed settlement of the transaction, which in turn can give rise to fines and other

penalties. Further an error in market risk and credit risk report might lead to the

exposures generated by the deal being understated. In turn this can lead to the execution

of additional transactions that would otherwise not have been executed. These are

examples of what is often called as “process risk”

The system that records the transaction may not be capable of handling the

transaction or it may not have the capacity to handle such transactions. If any one of the

step is out-sourced, then external dependency risk also arises. However, each type of risk

can be captured either as people, processes, technology, or an external dependency risk,

and each can be analyzed in terms of capacity, capability or availability

Who Should Manage Operational Risk?

The responsibility for setting policies concerning operational risk remains with

the senior management, even though the development of those policies may be delegated,

and submitted to the board of directors for approval. Appropriate policies must be put in

place to limit the amount of operational risk that is assumed by an institution. Senior

management needs to give authority to change the operational risk profile to those who



are the best able to take action. They must also ensure that a methodology for the timely

and effective monitoring of the risks that are incurred is in place. To avoid any conflict of

interest, no single group within the bank should be responsible for simultaneously setting

policies, taking action and monitoring risk.

Policy Setting

The authority to take action generally rests with business management, which is

responsible for controlling the amount of operational risk taken within each business line.

The infrastructure and the governance groups share with business management the

responsibility for managing operational risk.

The responsibility for the development of a methodology for measuring and

monitoring operational risks resides most naturally with group risk management


Internal Audit

Senior Management

Business Management Risk Management

Legal

Operations

Information Technology

Finance

Insurance


functions. The risk management function also needs to ensure the proper operational risk/

reward analysis is performed in the review of existing businesses and before the

introduction of new initiatives and products. In this regard, the risk management function

works very closely with, but independent from, business management, infrastructure, and

other governance group

Senior management needs to know whether the responsibilities it has delegated

are actually being tended to, and whether the resulting processes are effective. The

internal audit function within the bank is charged with this responsibility.

Key to Implementing Bank-wide Operational Risk Management:

The eight key elements are necessary to successfully implement a bank-wide

operational risk management framework. They involve setting policy and identifying risk

as an outgrowth of having designed a common language, constructing business process

maps, building a best measurement methodology, providing exposure management,

installing a timely reporting capability, performing risk analysis inclusive of stress

testing, and allocating economic capital as a function of operational risk.

EIGHT KEY ELEMENTS TO ACHIEVE BEST OPERATIONAL RISK

MANAGEMENT.


1. Policy

Best Practice

2.Risk Identification

3. Business Process

8. Economic Capital

7. Risk Analysis


1. Develop well-defined operational risk policies. This includes explicitly

articulating the desired standards for the risk measurement. One also needs to

establish clear guidelines for practices that may contribute to a reduction of

operational risk.

2. Establish a common language of risk identification. For e.g., the term “people

risk” includes a failure to deploy skilled staff. “Technology risk” would include

system failure, and so on.

3. Develop business process maps of each business. For e.g., one should create an

“operational risk catalogue” which categories and defines the various operational

risks arising from each organizational unit in terms of people, process, and

technology risk. This catalogue should be tool to help with operational risk

identification and assessment.

Types of Operational Failure Risk

1. People Risk 1. Incompetancy.

2. Fraud.

2. Process Risk

Model Risk

TR

1. Model/ methodology error

2. Mark-to-model error.

1. Execution error.

2. Product complexity.

3. Booking error.


4. Measuring Methodology6. Reporting

5. Exposure Management


OCR 4. Settlement error.

1. Exceeding limits.

2. Security risk.

3.Volume risk.

3. Technology Risk 1. System failure.

2. Programming error.

3. Information risk.

4. Telecommunications failure.

4. Develop a comprehensible set of operational risk metrics. Operational risk

assessment is a complex process. It needs to be performed on a firm-wide basis at

regular intervals using standard metrics. In early days, business and infrastructure

groups performed their own assessment of operational risk. Today, self-

assessment has been discredited. Sophisticated financial institutions are trying to

develop objective measures of operational risk that build significantly more

reliability into the quantification of operational risk.

5. Decide how to manage operational risk exposure and take appriate action to hedge

the risks. The bank should address the economic question of th cost-benefit of

insuring a given risk for those operational risks that can be insured.

6. Decide how to report exposure.

7. Develop tools for risk analysis, and procedures for when these tools should

deploped. For e.g., risk analysis is typically performed as part of a new product

process, periodic business reviews, and so on. Stress testing should be a standard

part of risk analysis process. The frequency of risk assessment should be a

function of the degree to which operational risks are expected to change over

time as businesses undertake new initiatives, or as business circumstances evolve.

This frequency might be reviewed as operational risk measurement is rolled out

across the bank a bank should update its risk assessment more frequently. Further

one should reassess whenever the operational risk profile changes significantly.



8. Develop techniques to translate the calculation of operational risk into a required

amount of economic capital. Tools and procedures should be developed to enable

businesses to make decisions about operational risk based on risk/reward analysis.

Four-Step Measurement Process For Operational Risk

Clear guiding principle for the operational risk measurement process should be set

to ensure that it provides an appropriate measure of operational risk across all business

units throughout the bank. This problem of measuring operational risk can be best

achieved by means of a four-step operational risk process. The following are the four

steps involved in the process:

1. Input.

2. Risk assessment framework.

3. Review and validation.

4. Output.

1. Input:

The first step in the operational risk measurement process is to gather the

information needed to perform a complete assessment of all significant operational risks.

A key source of this information is often the finished product of other groups. For

example, a unit that supports the business group often publishes report or documents that

may provide an excellent starting point for the operational risk assessment.

Sources of Information in the Measurement Process of Operational Risk :The

Inputs (for Assessment)

Likelihood of Occurrence Severity

Audit report Management interviews

Regulatory report Loss history

Management report

Expert opinion

Business Recovery Plan



Business plans

Budget plans

Operations plans

For example, if one is relying on audit documents as an indication of the degree of

control, then one needs to ask if the audit assessment is current and sufficient. Have there

been any significant changes made since the last audit assessment? Did the audit scope

include the area of operational risk that is of concern to the present risk assessment? As

one diligently works through available information, gaps often become apparent. These

gaps in the information often need to be filled through discussion with the relevant

managers.

Typically, there are not sufficient reliable historical data available to confidently

project the likelihood or severity of operational losses. One often needs to rely on the

expertise of business management, until reliable data are compiled to offer an assessment

of the severity of the operational failure for each of the risks. The time frame employed

for all aspects of the assessment process is typically one year. The one-year time horizon

is usually selected to align with the business planning cycle of the bank.

2. Risk Assessment Framework

The input information gathered in the above step needs to be analyzed and

processed through the risk assessment framework. Risk assessment framework includes:

1. Risk categories:

The operational risk can be broken down into four headline risk categories like the

risk of unexpected loss due to operational failure in people, process and technology

deployed within the business



Internal dependencies should each be reviewed according to a set of factors. We

examine these 9nternal dependencies according to three key components of

capability, capacity and availability.

External dependencies can also be analyzed in terms of the specific type of external

interaction.

2. Connectivity and interdependencies

The headline risk categories cannot be viewed in isolation from one another. One

needs to examine the degree of interconnected risk exposures that cut across the

headline operational risk categories, in order to understand the full impact of risk.

3. Change, complexity, compliancy:

One may view the sources that drive the headline risk categories as falling under the

broad categories of “Change” refers to such items as introducing new technology or

new products, a merger or acquisition, or moving from internal supply to outsourcing,

etc. “Complexity’ refers to such items as complexity of products, process or

technology. “ Complacency” refer to ineffective management of the business.

4. Net likelihood assessment

The likelihood that an operational failure might occur within the next year should be

assessed, net of risk mitigants such as insurance, for each identified risk exposure and

for each of the four headline risk categories. Since it is often unclear how to quantify

risk, this assessment can be rated along five point likelihood continuum from very

low, low, medium, high and very high.

5. Severity assessment

Severity describes the potential loss to the bank given that an operational risk failure

has occurred. It should be assessed for each identified risk exposure.

6. Combined likelihood and severity into the overall Operational Risk Assessment

Operational risk measures are constrained in that there is not usually a defensible way

to combine the individual likelihood of loss and severity assessments into overall

measure of operational risk within a business unit. To do so, the likelihood of loss



would need to be expressed in numerical terms. This cannot be accomplished without

statistically significant historical data on operational losses.

7. Defining Cause and Effect:

Loss data are easier to collect than data associated with the cause of loss. This

complicates the measurement of operational risk because each loss is likely to have

several causes. This relationship between these causes, and the relative importance of

each, can be difficult to assess in an objective fashion.

3. Review and validation:

Once the report is generated. First the centralised operational risk management

group (ORMG) reviews the assessment results with senior business unit management and

key officers, in order to finalize the proposed operational risk rating. Second, one may

want an operational risk rating committee to review the assessment – a validation process

similar to that followed by credit rating agencies. This takes the form of review of the

individual risk assessments by knowledgeable senior committee personnel to ensure that

the framework has been consistently applied across businesses, that there has been

sufficient scrutiny to remove any imperfections, and so on. The committee should have

representation from business management, audit, and functional areas, and be chaired by

risk management unit.

4. Output

The final assessment of operational risk will be formally reported to business

management, the centralised risk-adjusted return on capital (RAROC) group, and the

partners in corporate governance such as internal audit and compliance. The output of the

assessment process has two main uses:

1. The assessment provides better operational risk information to management for

use in improving risk management decisions.

2. The assessment improves the allocation of economic capital to better reflect the

extent of the operational riskier, being taken by a business unit.

3. The over all assessment of the likelihood of operational risk & severity of loss for

a business unit can be shown as:



Mgmt. Attention

Severity of Loss ($)

Likelihood of Loss ($)

A business unit may address its operational risks in several ways. First, one can invest in

business unit. Second, one can avoid the risk by withdrawing from business activity.

Third, one can accept and manage risk through effective monitoring and control. Fourth,

one can transfer risk to another party. Of course, not all-operational risks are insurable,

and in that case of those that are insurable the required premium may be prohibitive. The

strategy and eventually the decision should be based on cost benefit analysis.

An Idealized Bank Of The Future

The efficient bank of the future will be driven by a single analytical risk engine

that draws its data from a single logical data repository. This engine will power front-,

middle-, and back-office functions, and supply information about enterprise-wide risk.

The ability to control and manage risk will be finely tuned to meet specific business


Medium Risk

High Risk

Medium Risk

Low Risk


objectives. For example, far fewer significantly large losses, beyond a clearly articulate

tolerance for loss, will be incurred and the return to risk profile will be vastly improved.

With the appropriate technology in place, financial trading across all asset classes

will move from the current vertical, product-oriented environment (e.g., swaps, foreign

exchange, equities, loans, etc.) to a horizontal, customer-oriented environment in which

complex combinations of asset types will be traded.

There will be less need for desks that specialize in single product lines. The focus

will shift to customer needs rather than instrument types. The management of limits will

be based on capital, set in such a manner so as to maximize the risk-adjusted return on

capital for the firm.

The firm’s exposure will be known and disseminated in real time. Evaluating the

risk of a specific deal will take into account its effect on the firm’s total risk exposure,

rather than simply the exposure of the individual deal.

Banks that dominate this technology will gain a tremendous competitive

advantage. Their information technology and trading infrastructure will be cheaper than

today’s by orders of magnitude. Conversely, banks that attempt to build this

infrastructure in-house will become trapped in a quagmire of large, expensive IT

departments-and poorly supported software.

The successful banks will require far fewer risk systems. Most of which will be

based on a combination of industry standard, reusable, robust risk software and highly

sophisticated proprietary analytics. More importantly, they will be free to focus on their

core business and offer products more directly suited to their customers’ desired return to

risk profiles.

Study of Operational Risk at Punjab National Bank

About Punjab National Bank

Established in 1895 at Lahore, undivided India, Punjab National Bank (PNB) has

the distinction of being the first Indian bank to have been started solely with Indian



capital.The bank was nationalised in July 1969 along with 13 other banks. From its

modest beginning, the bank has grown in size and stature to become a front-line banking

institution in India at present. It is a professionally managed bank with a successful track

record of over 110 years.

It has the largest branch network in India - 4525 Offices including 432 Extension

Counters spread throughout the country. With its presence virtually in all the important

centres of the country, Punjab National Bank offers a wide variety of banking services

which include corporate and personal banking, industrial finance, agricultural finance,

financing of trade and international banking. Among the clients of the Bank are Indian

conglomerates, medium and small industrial units, exporters, non-resident Indians and

multinational companies. The large presence and vast resource base have helped the

Bank to build strong links with trade and industry.

Operational Risk

Punjab National Bank is exposed to many types of operational risk. Operational risk can

result from a variety of factors, including:

1. Failure to obtain proper internal authorizations,

2. Improperly documented transactions,

3. Failure of operational and information security procedures,

4. Computer systems,

5. Software or equipment,

6. Fraud,

7. Inadequate training and employee errors.

PNB attempts to mitigate operational risk by maintaining a comprehensive system of

internal controls, establishing systems and procedures to monitor transactions,

maintaining key back–up procedures and undertaking regular contingency planning.

I. Operational Controls and Procedures in Branches



PNB has operating manuals detailing the procedures for the processing of various

banking transactions and the operation of the application software. Amendments to these

manuals are implemented through circulars sent to all offices.

When taking a deposit from a new customer, PNB requires the new customer to complete

a relationship form, which details the terms and conditions for providing various banking

services.

Photographs of customers are also obtained for PNB’s records, and specimen signatures

are scanned and stored in the system for online verification. PNB enters into a

relationship with a customer only after the customer is properly introduced to PNB.

When time deposits become due for repayment, the deposit is paid to the depositor.

System generated reminders are sent to depositors before the due date for repayment.

Where the depositor does not apply for repayment on the due date, the amount is

transferred to an overdue deposits account for follow up.

PNB has a scheme of delegation of financial powers that sets out the monetary limit for

each employee with respect to the processing of transactions in a customer's account.

Withdrawals from customer accounts are controlled by dual authorization. Senior officers

have delegated power to authorize larger withdrawals. PNB’s operating system validates

the check number and balance before permitting withdrawals. PNB’s banking software

has multiple security features to protect the integrity of applications and data.

PNB gives importance to computer security and has s a comprehensive information

technology security policy. Most of the information technology assets including critical

servers are hosted in centralized data centers, which are subject to appropriate physical

and logical access controls.

II. Operational Controls and Procedures for Internet Banking

In order to open an Internet banking account, the customer must provide PNB with

documentation to prove the customer's identity, including a copy of the customer's

passport, a photograph and specimen signature of the customer. After verification of the



same, PNB opens the Internet banking account and issues the customer a user ID and

password to access his account online.

III. Operational Controls and Procedures in Regional Processing Centers &

Central Processing Centers

To improve customer service at PNB’s physical locations, PNB handles transaction

processing centrally by taking away such operations from branches. PNB has centralized

operations at regional processing centers located at 15 cities in the country. These

regional processing centers process clearing checks and inter-branch transactions, make

inter-city check collections, and engage in back office activities for account opening,

standing instructions and auto-renewal of deposits.

PNB has centralized transaction processing on a nationwide basis for transactions like the

issue of ATM cards and PIN mailers, reconciliation of ATM transactions, monitoring of

ATM functioning, issue of passwords to Internet banking customers, depositing post-

dated cheques received from retail loan customers and credit card transaction processing.

Centralized processing has been extended to the issuance of personalized check books,

back office activities of non-resident Indian accounts, opening of new bank accounts for

customers who seek web broking services and recovery of service charges for accounts

for holding shares in book-entry form.

IV. Operational Controls and Procedures in Treasury

PNB has a high level of automation in trading operations. PNB uses technology to

monitor risk limits and exposures. PNB’s front office, back office and accounting and

reconciliation functions are fully segregated in both the domestic treasury and foreign

exchange treasury. The respective middle offices use various risk monitoring tools such

as counterparty limits, position limits, exposure limits and individual dealer limits.

Procedures for reporting breaches in

limits are also in place.

PNB’s front office treasury operation for rupee transactions consists of operations in

fixed income securities, equity securities and inter-bank money markets. PNB’s dealers

analyze the market conditions and take views on price movements. Thereafter, they strike



deals in conformity with various limits relating to counterparties, securities and brokers.

The deals are then forwarded to the back office for settlement.

The inter-bank foreign exchange treasury operations are conducted through Reuters

dealing systems. Brokered deals are concluded through voice systems. Deals done

through Reuters systems are captured on a real time basis for processing. Deals carried

out through voice systems are input in the system by the dealers for processing. The

entire process from deal origination to settlement and accounting takes place via straight

through processing. The processing ensures adequate checks at critical stages. Trade

strategies are discussed frequently and decisions are taken based on market forecasts,

information and liquidity considerations. Trading operations are conducted in conformity

with the code of conduct prescribed by internal and regulatory guidelines.

The Treasury Middle Office Group, monitors counterparty limits, evaluates the mark-to-

market impact on various positions taken by dealers and monitors market risk exposure

of the investment portfolio and adherence to various market risk limits set up by the Risk,

Compliance and Audit Group.

PNB’s back office undertakes the settlement of funds and securities. The back office has

procedures and controls for minimizing operational risks, including procedures with

respect to deal confirmations with counterparties, verifying the authenticity of

counterparty checks and securities, ensuring receipt of contract notes from brokers,

monitoring receipt of interest and principal amounts on due dates, ensuring transfer of

title in the case of purchases of securities, reconciling actual security holdings with the

holdings pursuant to the records and reports any irregularity or shortcoming observed.

V. Audit

The Internal Audit Group undertakes a comprehensive audit of all business groups and

other functions, in accordance with a risk-based audit plan. This plan allocates audit

resources based on an assessment of the operational risks in the various businesses. The



Internal Audit group conceptualizes and implements improved systems of internal

controls, to minimize operational risk. The audit plan for every fiscal year is approved by

the Audit Committee of PNB’s board of directors. The Internal Audit group also has a

dedicated team responsible for information technology security audits. Various

components of information technology from applications to databases, networks and

operating systems are covered under the annual audit plan.

REFERENCES



Books:

Galai, Mark, Crouny , Risk Management, second edition.

Bhole L. M, Financial Institutions and Markets – Structure, Growth and

Innovations, fourth edition.

Gleason T .James, Risk. The new Management Imperative in Finance,

fourth edition

Saunders Anthony, Credit Risk Management, second edition.

Schleiferr Bell, Risk Management, third edition.

WEBSITES:

www.rbi.org

www.bis.com

www.iib.org

www.pnbindia.com

www.google.co.in


http://www.iib.org/

http://www.bis.com/