Enterprise-Wide Risk

The Missing Link in Indian Financial Institutions

Ram Garg

JB BODA GROUP

10 February 2011 Issue 1.1

indemnity insurance market in India.

A similar situation was prevailing insouth east Asian markets until a decadeago. However, all of that changed in theearly 2000s, thanks to willingness ofbanking institutions to transfer risk tothe insurance market.

Indian banks are plagued with crime(internal amd external) related losses,yet the current crisis caught littleattention from banks as well asregulators.

Citibank India's fraud case in Delhicaught many eyes due to the highamount involved in it, but suchinstances are not rare but common inthe banking industry. Industry veteranstalked about the need for tighteroperational risk management for banksin India.

However, risk management has its ownlimitations and operational risks cannotbe eliminated but only reduced (SeeFigure 1).

The role of insurance has been verywell recognized by Basel II. Indianbanks are required to give dueconsideration to improve operations inthe wider context, and also to fullyintegrate risk definition, data collection,risk assessment and management,capital allocation, governancemechanisms and insurance programmanagement.

Operational risk insurance policies such

As a rule of thumb

in risk

management,

risks with

potential

catastrophic or

significant loss

should not be

retained.

The business environment forIndian banking institutions isbecoming increasingly complex

and competitive due to widespreaddistribution network across country.Indian banks are exposed to additionaloperational risks associated with largenumber branches across country.

The Basel II capital adequacyframework reinforced integrated riskmanagement practice in key areas -Credit, Market and Operational Risk.

Indian banks' risk management practicewas largely focused on credit andmarket risk until recently andoperational risk received requisite

attention only over the last five to sevenyears. As a result, most banks have setup a dedicated operational riskmanagement team or department inconjunction with the credit and marketrisk departments.

Basel II defines operational risks in abroad range and systematic manner.This article focuses on how banks cantransfer their increased operational riskthrough well established andsophisticated insurance productsavailable in the market.

Until now, Indian banking institutionstook little interest in operational riskinsurance products. They have beensecuring either peril-specific insurancepolicies such as money and cash intransit or restrictive and old-agedBankers Indemnity policy. Bankinginstitutions seldom took insuranceseriously and the buying function wasleft to either procurement department orfinance department. Indian banks’preoccupation with the cost of coverageobscured two real issues - quality ofproduct and adequacy of coverage.

Indian banks, therefore, should beasking not only "how much does itcost?" but, more importantly, "whatdoes it cover?"

India's erratic and clogged judicialsystem further discouraged bankinginstitutions to approach court for claimsettlement in case of denial of a claim.Therefore, combination of variousfactors resulted in collapse of bankers

bank then should also conduct audit toinsure that these controls are followed.

Once risks have been identified andinternal controls are implemented, therisk manager must decide the mostappropriate action for residual risks.Possible actions may includeimplementing additional controls tominimize residual risk, transfer toinsurance market, and simply retain itor any combination of these options.There are many factors that influencethis decision.

As a rule of thumb in risk management,risks with potential catastrophic orsignificant loss should not be retained.

Risks events that occur repeatedly andare predictable may not be viable totransfer out and therefore, bank maydecide to retain them (See Figure 2).

The bank's board must determine itsrisk appetite or risk retention capacity.It should at least perform an annualreview of the bank's risk managementand insurance program. Theresponsibility for risk managementrests with the board of directors andmanagement.

After the bank decides to insure aparticular risk, an expert insurance

Although the degree of sophisticationin each of those stages will varydepending on bank, the thought anddecision making processes thatcharacterize each stage should be wellestablished in every bank if costs, andlosses are to be minimized.

In establishing a sound operational riskmanagement and insurance program,bank management first must identify itsrisk exposure in each of its processes.This is the most important of the threesteps. It requires a review of all aspectsof the bank's present and prospectiveoperations. As new products aremarketed or fixed assets acquired, theymust be evaluated to determine whatrisks they present.

Once identified, risks need then beanalyzed to estimate their severity. Oneway is to examine the bank's historicalloss data. This information should beavailable within the bank. Internal datamay be looked in conjunction withexternal data or industry loss data.

A bank's first defenses againstoperational losses are its policies,procedures, and internal controls. Thesesystems and guidelines are integralparts of the risk management program.They must be communicated to, andunderstood by, all bank employees. The

as Banker's Indemnity, ComputerCrime, D&O and Financial Institutionsprofessional indemnity are complex innature and coverage depends on policyform being used by insurer and theircapabilities to understand claim issues.

In India, market agreement wording ofBanker's Indemnity has been themainstay of banks' legacy insuranceprograms. As widely understood, thepolicy covers employee dishonesty,robbery, losses in transit, forgery, ATM,and counterfeit money.

People are the biggest asset as well assource of threat for bankinginstitutions. A customer deals with abank officer in daily banking activitiesand therefore, the officer gets into aposition in which there is risk of breachof trust, including criminal.

The Citibank India fraud is a case ofcriminal breach of trust by bankemployee and similar to the offence ofembezzlement. Since an employeecaused losses to the customer and bank,a standard banker's blanket bond policyshould have covered the losses subjectto other details of investigation.

Operational Risk Management

(ORM): Insurance an Integral

Part

ORM in a banking institution, whichincludes risk mitigation throughinsurance, is intended to minimize thecosts associated with assuming certaintypes of risk and providing prudentprotection. It deals with pure risks thatare characterized by chance occurrenceand that may only result in a financialloss. ORM does not addressspeculative risks that afford theopportunity for either financial gain orloss.

There are three stages in riskmanagement:

1. risk identification and analysis, 2. risk control, and3. risk action.

11February 2011 Issue 1.1

ERM Journal

Figure 1

broader categories of risk, so-calledblended policies. Insurance specialistshave managed to redesign blendedpolicies combining two or moreindividual insurance policies toeliminate any overlapping and increasescope of coverage. However, thesedevelopments have been noticed onlyin few banks yet.

� Cyber Security: Provides muchwider coverage than ECC. It aims toaddress new risks emerging fromwider use of technology by banks.

� Financial Institutions ProfessionalIndemnity (FIPI): Provides coveragainst liabilities to third parties forclaims arising out of employeenegligence while providingprofessional services (e.g.investment advice) to clients.

� Directors and Officers Liability(D&O): Covers the personal assetsof directors against claims arisingfrom legal actions arising from theperformance of their duties.

� Employment Practices Liability(EPL)

� Terrorism Cover

� Unauthorized Trading: A relativelynew product covering losses similarto the notorious events experiencedat Barings.

� General Liability: Covers publicliability, employer's liability, motorfleet liability etc.

In addition, recent developments havebrought to the market coverage for

broker should be appointed to developappropriate insurance program withinsurers/reinsurers.

There are a number of insurancepolicies available to cover operationalrisk perils for a bank. Here is a briefdescription of them. These coversdescribed here in this document may befound under different names in differentmarket. Insurance for financialinstitutions covering operational riskscome in a number of forms and morenew types of coverage are beingdeveloped. The present market offersperil-specific coverage - that meanscover is available separately forspecific categories of risk. Some of thepolicies currently in the market include:

� Bankers Blanket Bond (BBB):Provides cover against dishonestyor default on part of an employee aswell as fraud and forgery. Somepolicies have a broader coverageincluding damage to physicalproperty, counterfeit currency, andtrading losses.

� Electronic Computer Crime (ECC):Provides cover against computerfailure, viruses, data transmissionproblems, forged electronic fundstransmissions etc.

12 February 2011 Issue 1.1

ERM Journal

Figure 2

Ram Garg is a finance

professional with over 10 years

experience in financial services

industry including insurance

broking experience, 7 of which

are in ASEAN region.

He began his career with NY

head quartered Stern Stewart

& Co. in Mumbai specialising

in corporate finance

consultancy and moved in year

2003 to join Jardine Lloyd

Thompson Asia regional team

in Singapore where he

provided financial and

professional risk reinsurance

broking services to clients

across Asia region including

Singapore, Malaysia, Thailand,

Indonesia, South Korea,

Philippines, India and Pakistan.

He has extensively focused on

Financial Institutions across

Asia region and serviced a

number of large banking

clients on Basel II compliance,

particularly on operational risk

management and risk transfer

programs.

He has undertaken a number

of formal independently risk

consultancy projects. In year

2009 he joined J B Boda group

in Singapore to develop

Financial line business with

special focus on Financial

Institutions across Asia and

Middle East region. Ram is a

CFA from CFA Institute USA,

MBA from University of Wales

UK, and BBA from Indore

University India.