Managing risk in the financial sector

Risk Management is a hot topic in the financial sector especially in the light of the recent losses of some multinational corporations. Rapid changes in business condition, restructuring of organisations to cope with ever-increasing competition, development of new products, emerging markets and increase in cross border transactions along with the complexity of transactions has exposed financial institutions to new risk dimensions. Thus the concept of risk has captured growing importance in modern financial society.

By facilitating transactions and making credit and other financial products available, the financial sector is a crucial building block for private as well as public sector development. In its broadest definition, it includes everything from banks, stock exchanges, and insurers, to credit unions, microfinance institutions and moneylenders. As an efficient service provider, the financial sector simultaneously fulfils an important function in the overall economy. Various types of financial institutions actively working in financial sectors include Banks, DFIs, Micro Finance Banks, Leasing Companies, Modarabas, Assets Management Company, Mutual Funds, etc.

Thus today’s operating environment demands a systematic and more integrated risk management approach.

Risk

Risk by default has two components; uncertainty and exposure. If both are not present, there is no risk. The definition of risk in the context of financial services has been explained as, “Financial risk in a banking organisation is a possibility that the outcome of an action or event could bring up adverse impacts. Such outcomes could either result in a direct loss of earnings/capital or may result in the imposition of constraints on a bank’s ability to meet its business objectives. Such constraints pose a risk as these could hinder a bank’s ability to conduct its ongoing business or to take benefit of opportunities to enhance its business.”

Types of risks:

Risks are usually defined by the adverse impact on the profitability of several distinct sources of uncertainty. More or less all financial institutions have to manage the following faces of risks:

1. Credit Risk
2. Market Risk
3. Liquidity Risk
4. Operational Risk
5. Country Risk
6. Legal Risks
7. Compliance Risk
8. Reputational Risk

Broadly speaking there are four risks as per Risk Management Guidelines which apply to the Financial Sector. These risks are elaborated here:

1. Credit risk: This is the risk incurred in case of a counter-party default. It arises from lending activities, investing activities and buying and selling financial assets on behalf of others. This risk is associated with financing transactions i.e.: Default in repayment by the borrower and Default in obliging the commitment by another Financial Institution in case of syndicated arrangements. It is the most critical risk in banking and one that must be managed carefully. It is also the risk that requires the most subjective judgment despite constant efforts to improve and quantify the credit decision process.
2. Market risk: Market risk is defined as the volatility of income or market value due to fluctuations in underlying market factors such as currency, interest rates, or credit spreads. For commercial banks, the market risk of the stable liquidity investment portfolio arises from mismatches between the risk profile of the assets and their funding. This risk involves interest rate risk in all of its components: equity risk, exchange risk and commodity risk.
3. Liquidity risk: Liquidity risk is defined as the risk of not being able to meet its commitments or not being able to unwind or offset a position by an organisation in a timely fashion because it cannot liquidate assets at reasonable prices when required.
4. Operational risk: This risk results from inadequacies in the conception, organisation, or implementation of procedures for recording any events concerning the bank’s operations in the accounting system/information systems.

Need for risk management and monitoring:

There are several reasons as to why there is so much emphasis given to risk management in the Financial Sector nowadays. Some of them are listed below: –

1. In the present structure of joint-stock companies, wherein owners are not the managers, hence risks increase; therefore proper tools are required to achieve the desired results by covering the risks.
2. The financial sector has come out of simple deposit and lending functions.
3. The world has become very complex so the financial transactions and instruments.
4. An increase in the number of cross-border transactions carries risks.
5. Emerging markets
6. Terrorism Remittances

Risk monitoring in the financial sector is a very crucial part of risk management. Risk Monitoring is important in the financial sector due to the following reasons:

1. Deals with third-party money
2. Much riskier sector than trading and manufacturing
3. Historical problems faced by banks (stuck portfolio that is a credit risk)
4. The bankruptcy of Barings Bank due to short selling / long position that is a market risk
5. Operational risk, although it does not have an immediate impact, but important for the continuity and progress of the organisation
6. The appetite for financial institutions to take risk

Components of a risk management framework

A risk management framework has five components. First, the risk is identified, and then it is Assessed to classify, seek a solution and manage, after assessing quick Response and implementation of the solution the last phase is Monitoring the risk management progress and Learning from this experience that such a problem never occurs again. The whole process is to be well Communicated during the entire process of risk management if it is to be managed efficiently.

The International Organisation for Standardisation (ISO) has defined risk management as the identification, analysis, evaluation, treatment (control), monitoring, review and communication of risk. These activities can be applied in a systematic or ad hoc manner. The presumption is that the systematic application of these activities will result in improved decision-making and, most likely, improved outcomes.

Risk management structure

Depending on the structure and operations of an organisation, financial risk management can be implemented in different ways. Risk management structure defines the different layers of an organisation at which risk is identified and managed. Although there are different layers or levels at which risk is managed there are three layers that are common to all. i.e.

Risk Management

For managing risk, there are certain basic principles that are to be followed by every organisation:

1. Corporate level Policies
2. Risk management strategy
3. Well-defined policies and procedures by senior management
4. Dissemination, implementation and compliance of policies and procedures
5. Accountability of individuals heading various functions/ business lines
6. Independent Risk review function
7. Contingency plans
8. Tools to monitor risks

Institutions can reduce some risks simply by researching them. A bank can reduce its credit risk by getting to know its borrowers. A brokerage firm can reduce market risk by being knowledgeable about the markets it operates in.

Functionally, there are four aspects of financial risk management. Success depends on:

1. A positive corporate culture: No one can manage risk if they are not prepared to take a risk. While the individual initiative is critical, it is the corporate culture that facilitates the process. A positive risk culture is one that promotes individual responsibility and is supportive of risk-taking.
2. Actively observed policies and procedures: Used correctly, procedures are a powerful tool of risk management. The purpose of policies and procedures is to empower people. They specify how people can accomplish what needs to be done. The success of policies and procedures depends critically upon a positive risk culture.
3. Effective use of technology: The primary role technology plays in risk management is risk assessment and communication. Technology is employed to quantify or otherwise summarise risks as they are being taken. It then communicates this information to decision-makers, as appropriate.
4. Independence or risk management professionals: To get the desired outcome from risk management, risk managers must be independent of risk-taking functions within the organisation. Enron’s experience with risk management is instructive. The firm maintained a risk management function staffed with capable employees. Lines of reporting were reasonably independent in theory, but less so in practice.

Internal controls

Para one on the first page of the ‘Guidelines on Internal Controls’ issued by SBP provides:

“Internal Control refers to policies, plans and processes as affected by the Board of Directors and performed on a continuous basis by the senior management and all levels of employees within the bank. These internal controls are used to provide reasonable assurance regarding the achievement of organisational objectives. The system of internal controls includes financial, operational and compliance controls.”

The current official definition of internal control was developed by the Committee of Sponsoring Organisation (COSO) of the Treadway Commission. In its influential report, Internal Control-Integrated Framework, the Commission defines internal control as follows:

Internal control is a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• This definition reflects certain fundamental concepts:
  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is affected by people. It is not policy manuals and forms, but people at every level of an organisation.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

Internal control should assist and never impede management and staff from achieving their objectives. The control must be taken seriously. A well-designed system of internal control is worse than worthless unless it is complied with since the assembling of control will be likely to convey a false sense of assurance. Controls are there to be kept, not avoided. For instance, exception reports should be followed up. Senior management should set a good example of control compliance. For instance, physical access restrictions to secure areas should be observed equally by senior management as by junior personnel.

Components of Internal Controls

Components of internal control also depend upon the structure of the business unit and the nature of its operation. The COSO Report describes the internal control process as consisting of five interrelated components that are derived from and integrated with the management process. The components are interrelated, which means that each component affects and is affected by the other four. These five components, which are the necessary foundation for an effective internal control system, include:

1. Control Environment: The control environment, an intangible factor and the first of the five components is the foundation for all other components of internal control, providing discipline and structure and encompassing both technical competence and ethical commitment.
2. Risk Assessments: Organisations exist to achieve some purpose or goal. Goals, because they tend to be broad, are usually divided into specific targets known as objectives. A risk is anything that endangers the achievement of an objective. Risk assessments are done to determine the relative potential for loss in programs and functions and to design the most cost-effective and productive internal controls.
3. Control Activities: Control activities mean the structure, policies, and procedures, which an organisation establishes so that identified risks do not prevent the organisation from reaching its objectives. Policies, procedures, and other items like job descriptions, organisational charts and supervisory standards, do not, of course, exist only for internal control purposes. These activities are basic management practices.
4. Information and Communication: Organisations must be able to obtain reliable information to determine their risks and communicate policies and other information to those who need it. Information and communication, the fourth component of internal control, articulates this factor.
5. Monitoring: Life is changing; internal controls are no exception. Satisfactory internal controls can become obsolete through changes in external circumstances. Therefore, after risks are identified, policies and procedures put into place, and information on control activities communicated to staff, superiors must then implement the fifth component of internal control, monitoring.

Even the best internal control plan will be unsuccessful if it is not followed. Monitoring allows the management to identify whether controls are being followed before problems occur. In the same way, management must review weaknesses identified by audits to determine whether related internal controls need revision.

Tools for Monitoring of Risk

Management Information System

M.I.S. or Management Information System is the collection and analysis of data to support management’s decision for the achievement of objectives mentioned in the policies and procedures and the control of various risks therein.

It is this area i.e. M.I.S, where I.T. can play a vital and effective role as with the help of I.T. large information may be analysed efficiently and with accuracy, so that effective decisions may be taken by the management without the loss of any time.

Asset-Liability Management Committee (ALCO)

In most cases, day-to-day risk assessment and management is assigned to a specialised committee, such as an Asset-Liability Management Committee (ALCO). The duties of key elements of the risk management process should be adequately separated to avoid potential conflicts of interest – in other words, a financial institution’s risk monitoring and control functions should be sufficiently independent of its risk-taking functions. Larger or more complex institutions often have a designated, independent unit responsible for the design and administration of balance sheet management, including interest rate risk. Given today’s widespread innovation in banking and the dynamics of markets, banks should identify any risks inherent in a new product or service before it is introduced, and ensure that these risks are promptly considered in the assessment and management process.

Corporate Governance Principles

Corporate governance relates to how the business of the organisation is governed, including setting corporate objectives and an institution’s risk profile, aligning corporate activities and behaviours with the expectation that the management will operate safely, running day-to-day operations within an established risk profile, while protecting the interests of depositors and other stakeholders. It is defined by a set of relationships between the institution’s management, its board, its shareholders, and other stakeholders.

The key elements of sound corporate governance in a bank include:

1. A well-articulated corporate strategy against which the overall success and the contribution of individuals can be measured.
2. Setting and enforcing clear assignment of responsibilities, decision-making authority and accountabilities that are appropriate for the bank’s risk profile.
3. A strong financial risk management function (independent of business lines), adequate internal control systems (including internal and external audit functions), and functional process design with the necessary checks and balances.
4. Corporate values, codes of conduct and other standards of appropriate behaviour, and effective systems used to ensure compliance. This includes special monitoring of a bank’s risk exposures where conflicts of interest are expected to appear (e.g., relationships with affiliated parties).
5. Financial and managerial incentives to act in an appropriate manner are offered to the board, management and employees, including compensation, promotion and penalties. (i.e., compensation should be consistent with the bank’s objectives, performance, and ethical values).
6. Transparency and appropriate information flow internally and to the public.

Tools mentioned above can be utilised in identifying and managing different risks in the following manner:

Credit Risk

It is managed by setting prudent limits for exposures to an individual transaction, counterparties and portfolios. Credit limits are set by reference to credit rating established by Credit Rating Agencies, methodologies established by Regulators and as per the Board’s direction.

• Monitoring of per-party exposure
• Monitoring of group exposure
• Monitoring of the bank’s exposure to contingent liabilities
• Bank’s exposure to clean facilities
• Analysis of the bank’s exposure product-wise
• Analysis of concentration of bank’s exposure in various segments of the economy
• Product profitability reports

Market

Financial Institutions should also have an adequate system of internal controls to oversee the interest rate risk management process. A fundamental component of such a system is a regular, independent review and evaluation to ensure the system’s effectiveness and, when appropriate, to recommend revisions or enhancements.

Interest rate risk should be monitored on a consolidated basis, including the exposure of subsidiaries. The institution’s board of directors has ultimate responsibility for the management of interest rate risk. The board approves the business strategies that determine the degree of exposure to risk and provides guidance on the level of interest rate risk that is acceptable to the institution, on the policies that limit risk exposure, and on the procedures, lines of authority, and accountability related to risk management. The board also should systematically review risk, in such a way as to fully understand the level of risk exposure and to assess the performance of management in monitoring and controlling risks in compliance with board policies. Reports to senior management should provide aggregate information and a sufficient level of supporting detail to facilitate a meaningful evaluation of the level of risk, the sensitivity of the bank to changing market conditions, and other relevant factors.

The Asset and Liability Committee (ALCO) plays a key role in the oversight and coordinated management of market risk. ALCOs meet monthly. Investment mandates and risk limits are reviewed regularly, usually annually to ensure that they remain valid.

Risk Management and Risk Budgets

A risk budget establishes the tolerance of the board or its delegates to income or capital loss due to market risk over a given horizon, typically one year because of the accounting cycle. (Institutions that are not sensitive to annual income requirements may have a longer horizon, which would also allow for a greater degree of freedom in portfolio management.). Once an annual risk budget has been established, a system of risk limits needs to be put in place to guard against actual or potential losses exceeding the risk budget. There are two types of risk limits, and both are necessary to constrain losses within the prescribed level (the risk budget).

The first type is stop-loss limits, which control cumulative losses from the mark-to-market of existing positions relative to the benchmark. The second is position limits, which control potential losses that could arise from future adverse changes in market prices. Stop-loss limits are set relative to the overall risk budget. The allocation of the risk budget to different types of risk is as much an art as it is a science, and the methodology used will depend on the set-up of the individual investment process. Some of the questions that affect risk allocation include the following:

• What are the significant market risks of the portfolio?
• What is the correlation between these risks?
• How many risk-takers are there?
• How is the risk expected to be used over the course of a year?

Compliance with stop-loss limits requires frequent, if not daily, performance measurement. Performance is the total return of the portfolio less the total return of the benchmark. The measurement of performance is a critical statistic for monitoring the usage of the risk budget and compliance with stop-loss limits. Position limits also are set relative to the overall risk budget, and are subject to the same considerations discussed above. The function of position limits, however, is to constrain potential losses from future adverse changes in prices or yields.

Liquidity Risk

The Basel Committee has established certain quantitative standards for internal models when they are used in the capital adequacy context.

1. Allocation of capital into various types of business after taking into account the operational risks i.e. disruption of business activity, which has especially increased due to excessive EDP usage
2. Allocation of the capital is also made amongst various products i.e. long-term, short-term, consumer, corporate etc. considering the risks involved in each product and its life cycle to avoid any liquidity crunch for which gap analysis is made. This is the job of ALCO
3. For instance Contingent liabilities not more than 10 times of capital,
4. Fund-based not more than 6 times of capital
5. Capital market operations not more than 1 time of capital
6. However, these limits cannot exceed the regulations.
7. Parameters of controls
   • Regulatory Requirements
   • Board’s directions
   • Prudent practices

For liquidity management organisations are compelled to hold reserves for unexpected liquidity demands. The ALCO has responsibility for setting and monitoring liquidity risk limits. These limits are set by Regulatory Bodies and under the Board’s directions keeping in mind the market condition and past experience.

The Basel Accord comprises a definition of regulatory capital, measures of risk exposure, and rules specifying the level of capital to be maintained in relation to these risks. It introduced a de facto capital adequacy standard, based on the risk-weighted composition of a bank’s assets and off-balance-sheet exposures that ensures that an adequate amount of capital and reserves is maintained to safeguard solvency. The 1988 Basel Accord primarily addressed banking in the sense of deposit-taking and lending (commercial banking under US law), so its focus was a credit risk.

In the early 1990s, the Basel Committee decided to update the 1988 accord to include bank capital requirements for market risk. This would have implications for non-bank securities firms.

Thus, the formula for determining capital adequacy can be illustrated as follows:

= Tier I + Tier 2 + Tier 3 *- 8% .

Risk-weighted Assets + (Market Risk Capital Charge x 12.5)

Operational Risk

To manage this risk documented policies and procedures are established. In addition, regular training is provided to ensure that staffs are well aware of the organisation’s objective, statutory requirements.

• Reporting of major/ unusual/ exceptional transactions with respect to ensuring the compliance of the principles of KYC and Anti-money laundering measure
• Analysis of system problems