PROJECT ON
CREDIT RISK MANAGEMENT WITH REFERENCE TO RBI
SUBMITTED BY
ZAID QURASHI MOHD. ISLAM
ROLL NO: 68
T.Y.BMS (SEMESTER-V)
*2014-2015*
UNDER THE GUIDENCE OF
PROF. DHARIN SHAH
SUBMITTED TO
UNIVERSITY OF MUMBAI
NIRMALA MEMORIAL FOUNDATION COLLEGE OF COMMERCE AND SCIENCE
90 FEET ROAD, ASHA NAGAR, THAKUR COMPLAX,KANDIVALI (E), MUMBAI -
400101
DECLARATION
I ZAID QURASHI MOHD. ISLAM of T.Y.BMS. (Bachelor degree of
Management Studies Semester V) hereby declare that I have completed
the CREDIT RISK MANAGEMENT WITH REFERENCE TO RBI in the academic
year 2014 2015
The information submitted is true and original to best of my
knowledge.
________________ ____________Date of Submission Signature of
Student
CERTIFICATE
This is to certify that the project titled as CREDIT RISK
MANAGEMENT WITH REFERENCE TO RBI has been completed by ZAID QURASHI
MOHD. ISLAM of T.Y.BMS. (Semester-V) examination in academic year
2014-2015.
The information submitted is true and original to the best of
knowledge.
__________________ __________________(Dr. T. P. Madhu Nair)
(Prof. Poonam Kakkad) Principal Program Coordinator
_______________ _______________ (Prof. Dharen Shah) External
Examiner Project Guide
ACKNOWLEDGEMENT
I would like to extend my gratitude to Prof. Dharen Shah for
providing guidance and support during the course of project. She
has been a great help through the making of the project. I would
like to thank the University of Mumbai for giving me the
opportunity to work on such a relevant topic.I would also like to
thank the college faculty and the librarian and the Principal Dr.
T. P. Madhu Nair for their help and other who are indirectly
responsible for the completion of this project. In addition I would
like to take this opportunity to thank our BMS Coordinator Prof.
Poonam Kakkad for being there always to guide me for extending her
full support.
Date: _______________ Signature of Student
PREFACE When financial institutions, investors, or other lending
facilities allow individuals and businesses to borrow money, they
risk the chance that the borrower will default on the loan or
credit line. Credit risk management is a means of reducing credit
risk by employing a variety of strategies meant to prevent or at
least offset losses due to default. There are many different
strategies employed in credit risk management, including purchasing
credit insurance, diversifying lending, reducing available credit,
and charging fees to partially offset costs. Nearly every major
financial organization in operation relies on a combination of
credit risk management tactics to prevent loss from borrower
default. With lines of credit, one of the most commonly employed
strategies for credit risk management is to reduce spending limits
to help prevent financial over-extension. For instance, if a person
has a credit card with a $2000 US Dollar (USD) limit, the bank may
initially impose a transaction limit of $200 USD. This prevents the
borrower from maxing out the card in one go and then defaulting.
Once a borrower has developed a proven track record of regular
repayment, the bank may believe that the credit risk is reduce and
remove transaction limits or increase the total amount of the
credit line. Credit insurance is purchased by banks and large
lending institutions to cover losses by default. The bank generally
pays insurance premiums just as a person would for health or car
insurance, but may often pass these premiums on to customers
through fees and charges. In case of default, the insurance will be
able to step in and cover the bank's losses. Credit insurance
exists to help the bank out of trouble, though not, it should be
noted, the borrower. One credit risk management strategy relies on
the diversification of available credit. Risking a smaller amount
of money in many different areas, such as for house loans, auto
loans, and credit cards, may be safer than putting all available
resources into a single area. If a market crashes, institutions
that have invested solely in that market may be crushed in the
wake. Institutions that have a diversified portfolio may be more
likely to survive a crashing market. Credit risk management is a
complicated subject that often requires excellent professional
advice. Many financial institutions, both large and small, employ
risk management specialists to assess risk and design and monitor a
comprehensive plan for protection against credit risk. Economists,
market analysts, and even accountants may be able to find gainful
employment in the risk management field.
INDEX
INTRODUCTION
What is Credit risk?
Credit Risk is the potential that a bank borrower/counter party
fails to meet the obligations on agreed terms. There is always
scope for the borrower to default from his commitments for one or
the other reason resulting in crystallization of credit risk to the
bank. These losses could take the form outright default or
alternatively, losses from changes in portfolio value arising from
actual or perceived deterioration in credit quality that is short
of default. Credit risk is inherent to the business of lending
funds to the operations linked closely to market risk variables.
The objective of credit risk management is to minimize the risk and
maximize banks risk adjusted rate of return by assuming and
maintaining credit exposure within the acceptable parameters.Credit
risk consists of primarily two components, viz Quantity of risk,
which is nothing but the outstanding loan balance as on the date of
default and the quality of risk, viz, the severity of loss defined
by both Probability of Default as reduced by the recoveries that
could be made in the event of default. Thus credit risk is a
combined outcome of Default Risk and Exposure Risk. The elements of
Credit Risk is Portfolio risk comprising Concentration Risk as well
as Intrinsic Risk and Transaction Risk comprising migration/down
gradation risk as well as Default Risk. At the transaction level,
credit ratings are useful measures of evaluating credit risk that
is prevalent across the entire organization where treasury and
credit functions are handled. Portfolio analysis help in
identifying concentration of credit risk, default/migration
statistics, recovery data, etc. In general, Default is not an
abrupt process to happen suddenly and past experience dictates
that, more often than not, borrowers credit worthiness and asset
quality declines gradually, which is otherwise known as migration.
Default is an extreme event of credit migration. Off balance sheet
exposures such as foreign exchange forward can tracks, swaps
options etc are classified in to three broad categories such as
full Risk, Medium Risk and Low risk and then translated into risk
Neighed assets. Risk Management.Risk Management is a discipline at
the core of every financial institution and encompasses all the
activities that affect its risk profile. It involves
identification, measurement, monitoring and controlling risks to
ensure thata) The individuals who take or manage risks clearly
understand it.b) The organizations Risk exposure is within the
limits established by Board of Directors.c) Risk taking Decisions
are in line with the business strategy and objectives set by BOD.d)
The expected payoffs compensate for the risks takene) Risk taking
decisions are explicit and clear.f) Sufficient capital as a buffer
is available to take riskThe acceptance and management of financial
risk is inherent to the business of banking and banks roles as
financial intermediaries. Risk management as commonly perceived
does not mean minimizing risk; rather the goal of risk management
is to optimize risk-reward trade -off. Notwithstanding the fact
that banks are in the business of taking risk, it should be
recognized that an institution need not engage in business in a
manner that unnecessarily imposes risk upon it: nor it should
absorb risk that can be transferred to other participants. Rather
it should accept those risks that are uniquely part of the array of
banks services. In every financial institution, risk management
activities broadly take place simultaneously at following different
hierarchy levels..a) Strategic level: It encompasses risk
management functions performed by senior management and BOD. For
instance definition of risks, ascertaining institutions risk
appetite, formulating strategy and policies for managing risks and
establish adequate systems and controls to ensure that overall risk
remain within acceptable level and the reward compensate for the
risk taken.b) Macro Level: It encompasses risk management within a
business area or across business lines. Generally the risk
management activities performed by middle management or units
devoted to risk reviews fall into this category.c) Micro Level: It
involves On-the-line risk management where risks are actually
created. This is the risk management activities performed by
individuals who take risk on organizations behalf such as front
office and loan origination functions. The risk management in those
areas is confined to following operational procedures and
guidelines set by management. Expanding business arenas,
deregulation and globalization of financial activities emergence of
new financial products and increased level of competition has
necessitated a need for an effective and structured risk management
in financial institutions. A banks ability to measure, monitor, and
steer risks comprehensively is becoming a decisive parameter for
its strategic positioning. The risk management framework and
sophistication of the process, and internal controls, used to
manage risks, depends on the nature, size and complexity of
institutions activities. Nevertheless, there are some basic
principles that apply to all financial institutions irrespective of
their size and complexity of business and are reflective of the
strength of an individual bank's risk management practices.
Credit Risk Management Process
Managing credit risk
Credit risk arises from the potential that an obligor is either
unwilling to perform on an obligation or its ability to perform
such obligation is impaired resulting in economic loss to the
bank.In a banks portfolio, losses stem from outright default due to
inability or unwillingness of a customer or counter party to meet
commitments in relation to lending, trading, settlement and other
financial transactions. Alternatively losses may result from
reduction in portfolio value due to actual or perceived
deterioration in credit quality. Credit risk emanates from a banks
dealing with individuals, corporate, financial institutions or a
sovereign. For most banks, loans are the largest and most obvious
source of credit risk; however, credit risk could stem from
activities both on and off balance sheet.In addition to direct
accounting loss, credit risk should be viewed in the context of
economic exposures. This encompasses opportunity costs, transaction
costs and expenses associated with a non-performing asset over and
above the accounting loss. Credit risk can be further sub
categorized on the basis of reasons of default. For instance the
default could be due to country in which there is exposure or
problems in settlement of a transaction. Credit risk not
necessarily occurs in isolation. The same source that endangers
credit risk for the institution may also expose it to other risk.
For instance a bad portfolio may attract liquidity problem.
PRINCIPLES OF CREDIT RISK MANAGEMENT
A. Establishing an appropriate credit risk environmentPrinciple
1: The board of directors should have responsibility for approving
and periodically reviewing the credit risk strategy and significant
credit risk policies of the bank. The strategy should reflect the
banks tolerance for risk and the level of profitability the bank
expects to achieve for incurring various credit risks.Principle 2:
Senior management should have responsibility for implementing the
credit risk strategy approved by the board of directors and for
developing policies and procedures for identifying, measuring,
monitoring and controlling credit risk. Such policies and
procedures should address credit risk in all of the banks
activities and at both the individual credit and portfolio
levels.Principle 3: Banks should identify and manage credit risk
inherent in all products and activities. Banks should ensure that
the risks of products and activities new to them are subject to
adequate procedures and controls before being introduced or
undertaken, and approved in advance by the board of directors or
its appropriate committee.
B. Operating under a sound credit granting processPrinciple 4:
Banks must operate under sound, well-defined credit-granting
criteria.These criteria should include a thorough understanding of
the borrower or counterparty, as well as the purpose and structure
of the credit, and its source of repayment.Principle 5: Banks
should establish overall credit limits at the level of individual
borrowers and counterparties, and groups of connected
counterparties that aggregate in a comparable and meaningful manner
different types of exposures, both in the banking and trading book
and on and off the balance sheetPrinciple 6: Banks should have a
clearly-established process in place for approving new credits as
well as the extension of existing credits.Principle 7: All
extensions of credit must be made on an arms-length basis. In
particular, credits to related companies and individuals must be
monitored with particular care and other appropriate steps taken to
control or mitigate the risks of connected lending.
C. Maintaining an appropriate credit administration, measurement
and monitoring process.Principle 8: Banks should have in place a
system for the ongoing administration of their various credit
risk-bearing portfolios.Principle 9: Banks must have in place a
system for monitoring the condition of individual credits,
including determining the adequacy of provisions and
reserves.Principle 10: Banks should develop and utilise internal
risk rating systems in managing credit risk. The rating system
should be consistent with the nature, size and complexity of a
banks activities.Principle 11: Banks must have information systems
and analytical techniques that enable management to measure the
credit risk inherent in all on- and off-balance sheet activities.
The management information system should provide adequate
information on the composition of the credit portfolio, including
identification of any concentrations of risk.Principle 12: Banks
must have in place a system for monitoring the overall composition
and quality of the credit portfolio.Principle 13: Banks should take
into consideration potential future changes in economic conditions
when assessing individual credits and their credit portfolios, and
should assess their credit risk exposures under stressful
conditions.
D. Ensuring adequate controls over credit riskPrinciple 14:Banks
should establish a system of independent, ongoing credit review and
the results of such reviews should be communicated directly to the
board of directors and senior management.Principle 15: Banks must
ensure that the credit-granting function is being properly managed
and that credit exposures are within levels consistent with
prudential standards and internal limits. Banks should establish
and enforce internal controls and other practices to ensure that
exceptions to policies, procedures and limits are reported in a
timely manner to the appropriate level of management.Principle 16:
Banks must have a system in place for managing problem credits and
various other workout situations.E. The role of
supervisorsPrinciple 17: Supervisors should require that banks have
an effective system in place to identify, measure, monitor and
control credit risk as part of an overall approach to risk
management.Supervisors should conduct an independent evaluation of
a banks strategies, policies, practices and procedures related to
the granting of credit and the ongoing management of the portfolio.
Supervisors should consider setting prudential limits to restrict
bank exposures to single borrowers or groups of connected
counterparties.
Components of credit risk managementA typical Credit risk
management framework in a financial institution may be broadly
categorized into following main components.a) Board and senior
Managements Oversightb) Organizational structurec) Systems and
procedures for identification, acceptance, measurement, monitoring
and control risks.
Board and Senior Managements OversightIt is the overall
responsibility of banks Board to approve banks credit risk strategy
and significant policies relating to credit risk and its management
which should be based on the banks overall business strategy. To
keep it current, the overall strategy has to be reviewed by the
board, preferably annually. The responsibilities of the Board with
regard to credit riskManagement shall, interalia, include:a)
Delineate banks overall risk tolerance in relation to credit risk.
Ensure that banks overall credit risk exposure is maintained at
prudent levels and consistent with the available capitalc) Ensure
that top management as well as individuals responsible for credit
risk management possess sound expertise and knowledge to accomplish
the risk management functiond) Ensure that the bank implements
sound fundamental principles that facilitate the identification,
measurement, monitoring and control of credit risk.e) Ensure that
appropriate plans and procedures for credit risk management are in
place.The very first purpose of banks credit strategy is to
determine the risk appetite of the bank. Once it is determined the
bank could develop a plan to optimize return while keeping credit
risk within predetermined limits. The banks credit risk strategy
thus should spell outa) The institutions plan to grant credit based
on various client segments and products, economic sectors,
geographical location, currency and maturityb) Target market within
each lending segment, preferred level of
diversification/concentration.c) Pricing strategy.It is essential
that banks give due consideration to their target market while
devising credit risk strategy. The credit procedures should aim to
obtain an indepth understanding of the banks clients, their
credentials & their businesses in order to fully know their
customers.The strategy should provide continuity in approach and
take into account cyclic aspect of countrys economy and the
resulting shifts in composition and quality of overall credit
portfolio. While the strategy would be reviewed periodically and
amended, as deemed necessary, it should be viable in long term and
through various economic cycles.The senior management of the bank
should develop and establish credit policies and credit
administration procedures as a part of overall credit risk
management framework and get those approved from board. Such
policies and procedures shall provide guidance to the staff on
various types of lending including corporate, SME, consumer,
agriculture, etc. At minimum the policy should includea) Detailed
and formalized credit evaluation/ appraisal process.b) Credit
approval authority at various hierarchy levels including authority
for approving exceptions.c) Risk identification, measurement,
monitoring and controld) Risk acceptance criteriae) Credit
origination and credit administration and loan documentation
proceduresf) Roles and responsibilities of units/staff involved in
origination and management of credit.g) Guidelines on management of
problem loans. In order to be effective these policies must be
clear and communicated down the line. Further any significant
deviation/exception to these policies must be communicated to the
top management/board and corrective measures should be taken. It is
the responsibility of senior management to ensure effective
implementation of these policies.
Organizational Structure. To maintain banks overall credit risk
exposure within the parameters set by the board of directors, the
importance of a sound risk management structure is second to none.
While the banks may choose different structures, it is important
that such structure should be commensurate with institutions size,
complexity and diversification of its activities. It must
facilitate effective management oversight and proper execution of
credit risk management and control processes. Each bank, depending
upon its size, should constitute a Credit Risk Management Committee
(CRMC), ideally comprising of head of credit risk management
Department, credit department and treasury. This committee
reporting to banks risk management committee should be empowered to
oversee credit risk taking activities and overall credi t risk
management function. The CRMC should be mainly responsible fora)
The implementation of the credit risk policy / strategy approved by
the Board.b) Monitor credit risk on a bank-wide basis and ensure
compliance with limits approved by the Board.c) Recommend to the
Board, for its approval, clear policies on standards for
presentation of credit proposals, financial covenants, rating
standards and benchmarks.d) Decide delegation of credit approving
powers, prudential limits on large credit exposures, standards for
loan collateral, portfolio management, loan review mechanism, risk
concentrations, risk monitoring and evaluation, pricing of loans,
provisioning, regulatory/legal compliance, etc. Further, to
maintain credit discipline and to enunciate credit risk management
and control process there should be a separate function independent
of loan origination function. Credit policy formulation, credit
limit setting, monitoring of credit exceptions / exposures and
review /monitoring of documentation are functions that should be
performed independently of the loan origination function. For small
banks where it might not be feasible to establish such structural
hierarchy, there should be adequate compensating measures to
maintain credit discipline introduce adequate checks and balances
and standards to address potential conflicts of interest. Ideally,
the banks should institute a Credit Risk Management Department
(CRMD). Typical functions of CRMD include:a) To follow a holistic
approach in management of risks inherent in banks portfolio and
ensure the risks remain within the boundaries established by the
Board or Credit Risk Management Committee.b) The department also
ensures that business lines comply with riskparameters and
prudential limits established by the Board or CRMC.c) Establish
systems and procedures relating to risk identification, Management
Information System, monitoring of loan / investment portfolio
quality and early warning. The department would work out remedial
measure when deficiencies/problems are identified.The Department
should undertake portfolio evaluations and conduct comprehensive
studies on the environment to test the resilience of the loan
portfolio. Notwithstanding the need for a separate or independent
oversight, the front office or loan origination function should be
cognizant of credit risk, and maintain high level of credit
discipline and standards in pursuit of business
opportunities.Systems and Procedures
Measuring credit risk
The measurement of credit risk is of vital importance in credit
risk management.A number of qualitative and quantitative techniques
to measure risk inherent in credit portfolio are evolving. To start
with, banks should establish a credit risk rating framework across
all type of credit activities. Among other things, the rating
framework may, incorporate:
Business Risko Industry Characteristicso Competitive Position
(e.g. marketing/technological edge)o ManagementFinancial Risko
Financial conditiono Profitabilityo Capital Structureo Present and
future Cash flows
Internal Risk Rating.Credit risk rating is summary indicator of
a banks individual credit exposure. An internal rating system
categorizes all credits into various classes on the basis of
underlying credit quality. A well-structured credit rating
framework is an important tool for monitoring and controlling risk
inherent in individual credits as well as in credit portfolios of a
bank or a business line. The importance of internal credit rating
framework becomes more eminent due to the fact thathistorically
major losses to banks stemmed from default in loan portfolios.
While a number of banks already have a system for rating individual
credits in addition to the risk categories prescribed by SBP, all
banks are encouraged to devise an internal rating framework. An
internal rating framework would facilitate banks in a number of
ways such asa) Credit selectionb) Amount of exposurec) Tenure and
price of facilityd) Frequency or intensity of monitoringe) Analysis
of migration of deteriorating credits and more accurate computation
of future loan loss provisionf) Deciding the level of Approving
authority of loan.The Architecture of internal rating system.The
decision to deploy any risk rating architecture for credits depends
upon two basic aspectsa) The Loss Concept and the number and
meaning of grades on the rating continuum corresponding to each
loss concept*.b) Whether to rate a borrower on the basis of point
in time philosophy or through the cycle approach.Besides there are
other issues such as whether to include statutory grades in the
scale, the type of rating scale i.e. alphabetical numerical or
alpha-numeric etc. SBP does not advocate any particular credit risk
rating system; it should be banks own choice. However the system
should commensurate with the size, nature and complexity of their
business as well as possess flexibility to accommodate present and
future risk profile of the bank, the anticipated level of
diversification and sophistication in lending activities. A rating
system with large number of grades on rating scale becomes more
expensive due to the fact that the cost of obtaining and analyzing
additional information for fine gradation increase sharply.
However, it is important that there should be sufficient gradations
to permit accurate characterization of the under lying risk profile
of a loan or a portfolio of loansThe operating Design of Rating
System.As with the decision to grant credit, the assignment of
ratings always involve element of human judgment. Even
sophisticated rating models do not replicate experience and
judgment rather these techniques help and reinforce subjective
judgment. Banks thus design the operating flow of the rating
process in a way that is aimed promoting the accuracy and
consistency of the rating system while not unduly restricting the
exercise of judgment. Key issues relating to the operating design
of a rating system include what exposures to rate; the
organizations division of responsibility for grading; the nature of
ratings review; the formality of the process and specificity of
formal rating definitions.What Exposures are rated? Ideally all the
credit exposures of the bank should be assigned a risk rating.
However given the element of cost, it might not be feasible for all
banks to follow. The banks may decide on their own which exposure
needs to be rated. The decision to rate a particular loan could be
based on factors such as exposure amount, business line or both.
Generally corporate and commercial exposures are subject to
internal ratings and banks use scoring models for consumer retail
loans.The rating process in relation to credit approval and review.
Ratings are generally assigned /reaffirmed at the time of
origination of a loan or its renewal /enhancement. The analysis
supporting the ratings is inseparable from that required for credit
appraisal. In addition the rating and loan analysis process while
being separate are intertwined. The process of assigning a rating
and its approval / confirmation goes along with the initiation of a
credit proposal and its approval. Generally loan origination
function (whether a relationshipManager or credit staff) *
initiates a loan proposal and also allocates a specific rating.
This proposal passes through the credit approval process and the
rating is also approved or recalibrated simultaneously by approving
authority. The revision in the ratings can be used to upgrade the
rating system and related guidelines.How to arrive at ratings The
assignment of a particular rating to an exposure is basically an
abbreviation of its overall risk profile. Theoretically ratings are
based upon the major risk factors and their intensity inherent in
the business of the borrower as well as key parameters and their
intensity to those risk factors. Major risk factors include
borrowers financial condition, size, industry and position in the
industry; the reliability of financial statements of the borrower;
quality of management; elements of transaction structure such as
covenants etc. A more detail on the subject would be beyond the
scope of these guidelines, however a few important aspects area)
Banks may vary somewhat in the particular factors they consider and
the weight they give to each factor.b) Since the rater and reviewer
of rating should be following the same basic thought, to ensure
uniformity in the assignment and review of risk grades, the credit
policy should explicitly define each risk grade; lay down criteria
to be fulfilled while assigning a particular grade, as well asthe
circumstances under which deviations from criteria can take
place.c) The credit policy should also explicitly narrate the roles
of different parties involved in the rating process.d) The
institution must ensure that adequate training is imparted to staff
to ensure uniform ratingse) Assigning a Rating is basically a
judgmental exercise and the models, external ratings and written
guidelines/benchmarks serve as input.f) Institutions should take
adequate measures to test and de velop a risk rating system prior
to adopting one. Adequate validation testing should be conducted
during the design phase as well as over the life of the system to
ascertain the applicability of the system to the
institutionsportfolio. Institutions that use sophisticated
statistical models to assign ratings or to calculate probabilities
of default, must ascertain the applicability of these models to
their portfolios. Even when such statistical models are found to be
satisfactory, institutions should not use the output of such models
as the sole criteria for assigning ratings or determining the
probabilities of default. It would be advisable to consider other
relevant inputs as well.Ratings review The rating review can be
two-fold:a) Continuous monitoring by those who assigned the rating.
The Relationship Managers (RMs) generally have a close contact with
the borrower and are expected to keep an eye on the financial
stability of the borrower. In the event of any deterioration the
ratings are immediately revised /reviewed. Secondly the risk review
functions of the bank or business lines also conduct periodical
review of ratings at the time of risk review of credit
portfolio.Risk ratings should be assigned at the inception of
lending, and updated at least annually. Institutions should,
however, review ratings as and when adverse events occur. A
separate function independent of loan origination should review
Risk ratings. As part of portfolio monitoring, institutions should
generate reports on credit exposure by risk grade. Adequate trend
and migration analysis should also be conducted to identify any
deterioration in credit quality. Institutions may establish limits
for risk grades to highlight concentration in particular rating
bands. It is important that the consistency and accuracy of ratings
is examined periodically by a function such as an independent
credit review group For consumer lending, institutions may adopt
credit-scoring models for processing loan applications and
monitoring credit quality. Institutions should apply the above
principles in the management of scoring models. Where the model is
relatively new, institutions should continue to subject credit
applications to rigorous review until the model has
stabilized.Credit Risk Monitoring & Control Credit risk
monitoring refers to incessant monitoring of individual credits
inclusive of Off-Balance sheet exposures to obligors as well as
overall credit portfolio of the bank. Banks need to enunciate a
system that enables them to monitor quality of the credit portfolio
on day-to-day basis and take remedial measures as and when any
deterioration occurs. Such a system would enable a bank to
ascertain whether loans are being serviced as per facility terms,
the adequacy of provisions, the overall risk profile is within
limits established by management and compliance of regulatory
limits. Establishing an efficient and effective credit monitoring
system would help senior management to monitor the overall quality
of the total credit portfolio and its trends. Consequently the
management could fine tune or reassess its credit strategy /policy
accordinglyBefore encountering any major setback. The banks credit
policy should explicitly provide procedural guideline relating to
credit risk monitoring. At the minimum it should lay down procedure
relating toa) The roles and responsibilities of individuals
responsible for credit risk monitoringb) The assessment procedures
and analysis techniques (for individualloans & overall
portfolio)c) The frequency of monitoringd) The periodic examination
of collaterals and loan covenantse) The frequency of site visitsf)
The identification of any deterioration in any loanGiven below are
some key indicators that depict the credit quality of a loan:a.
Financial Position and Business Conditions. The most important
aspect about an obligor is its financial health, as it would
determine its repayment capacity. Consequently institutions need
carefully watch financial standing of obligor. The Key financial
performance indicators on profitability, equity, leverage and
liquidity should be analyzed. While making such analysis
dueconsideration should be given to business/industry risk,
borrowers position within the industry and external factors such as
economic condition, government policies, regulations. For companies
whose financial position is dependent on key management personnel
and/or shareholders, for example, in small and medium enterprises,
institutions would need to pay particular attention to the
assessment of the capability and capacity of the
management/shareholder(s).b. Conduct of Accounts. In case of
existing obligor the operation in the account would give a fair
idea about the quality of credit facility. Institutions should
monitor the obligors account activity, repayment history and
instances of excesses over credit limits. For trade financing,
institutions should monitor cases of repeat extensions of due dates
for trust receipts and bills.c. Loan Covenants. The obligors
ability to adhere to negative pledges and financial covenants
stated in the loan agreement should be assessed, and any breach
detected should be addressed promptly.d. Collateral valuation.
Since the value of collateral could deteriorate resulting in
unsecured lending, banks need to reassess value of collaterals on
periodic basis. The frequency of such valuation is very subjective
and depends upon nature of collaterals. For instance loan granted
against shares need revaluation on almost daily basis whereas if
there is mortgage of a residential property the revaluation may not
be necessary as frequently. In case of credit facilities secured
against inventory or goods at the obligors premises, appropriate
inspection should be conducted to verify the existence and
valuation of the collateral. And if such goods are perishable or
such that their value diminish rapidly (e.g. electronic
parts/equipments), additional precautionary measures should be
taken.External Rating and Market Price of securities such as TFCs
purchased as a form of lending or long-term investment should be
monitored for any deterioration in credit rating of the issuer, as
well as large decline in market price. Adverse changes should
trigger additional effort to review the creditworthiness of the
issuer.
Risk review
The institutions must establish a mechanism of independent,
ongoing assessment of credit risk management process. All
facilities except those managed on a portfolio basis should be
subjected to individual risk review at least once in a year. The
results of such review should be properly documented and reported
directly to board, or its subcommittee or senior management without
lending authority. The purpose of such reviews is to assess the
credit administration process, the accuracy of credit rating and
overall quality of loan portfolio independent of relationship with
the obligor.Institutions should conduct credit review with updated
information on the obligors financial and business conditions, as
well as conduct of account. Exceptions noted in the credit
monitoring process should also be evaluated for impact on the
obligors creditworthiness. Credit review should also be conducted
on a consolidated group basis to factor in the business connections
among entities in a borrowing group.As stated earlier, credit
review should be performed on an annual basis, however more
frequent review should be conducted for new accounts where
institutions may not be familiar with the obligor, and for
classified or adverse rated accounts that have higher probability
of default.For consumer loans, institutions may dispense with the
need to perform credit review for certain products. However, they
should monitor and report credit exceptions and
deterioration.Delegation of Authority.Banks are required to
establish responsibility for credit sanctions and delegate
authority to approve credits or changes in credit terms. It is the
responsibility of banks board to approve the overall lending
authority structure, and explicitly delegate credit sanctioning
authority to senior management and the credit committee. Lending
authority assigned to officers should be commensurate with the
experience, ability and personal character. It would be better if
institutions develop risk-based authority structure where lending
power is tied to the risk ratings of the obligor. Large banks may
adopt multiple credit approvers for sanctioning such as credit
ratings, risk approvals etc to institute a more effective system of
check and balance. The credit policy should spell out the
escalation process to ensure appropriate reporting and approval of
credit extension beyond prescribed limits. The policy should also
spell out authorities for unsecured credit (while remaining within
SBP limits), approvals of disbursements excess over limits and
other exceptions to credit policy.In cases where lending authority
is assigned to the loan originating function, there should be
compensating processes and measures to ensure adherence to lending
standards. There should also be periodic review of lending
authority assigned to officers.Managing problem creditsThe
institution should establish a system that helps identify problem
loan ahead of time when there may be more options available for
remedial measures. Once the loan is identified as problem, it
should be managed under a dedicated remedial process. A banks
credit risk policies should clearly set out how the bank will
manage problem credits. Banks differ on the methods and
organization they use to manage problem credits. Responsibility for
such credits may be assigned to the originating business function,
a specialized workout section, or a combination of the two,
depending upon the size and nature of the credit and the reason for
its problems. When a bank has significant credit-related problems,
it is important to segregate the workout function from the credit
origination function. The additional resources, expertise and more
concentrated focus of a specialized workout section normally
improve collection results. A problem loan management process
encompass following basic elements.a. Negotiation and follow-up.
Proactive effort should be taken in dealing with obligors to
implement remedial plans, by maintaining frequent contact and
internal records of follow-up actions. Often rigorous efforts made
at an early stage prevent institutions from litigations and loan
lossesb. Workout remedial strategies. Sometimes appropriate
remedial strategies such as restructuring of loan facility,
enhancement in credit limits or reduction in interest rates help
improve obligors repayment capacity. However it depends upon
business condition, the nature of problems being faced and most
importantly obligors commitment and willingness to repay the loan.
While such remedial strategies often bring up positive results,
institutions need to exercise great caution in adopting such
measures and ensure that such a policy must not encourage obligors
to default intentionally. The institutions interest should be the
primary consideration in case of such workout plans. It needs not
mention here that competent authority, before their implementation,
should approve such workout plan.c. Review of collateral and
security document. Institutions have to ascertain the loan
recoverable amount by updating the values of available collateral
with formal valuation. Security documents should also be reviewed
to ensure the completeness and enforceability of contracts and
collateral/guarantee.d. Status Report and Review Problem credits
should be subject to more frequent review and monitoring. The
review should update the status and development of the loan
accounts and progress of the remedial plans. Progress made on
problem loan should be reported to the senior management"Credit
Risk Management: Policy Framework for Indian Banks"Cool Avenues
Knowledge Management Team, a knowledge management portal on various
topics also have written about the credit risk management framework
for Indian banks. According to them in this article, Risk is
inherent in all aspects of a commercial operation and covers areas
such as customer services, reputation, technology, security, human
resources, market price, funding, legal, regulatory, fraud and
strategy. However, for banks and financial institutions, credit
risk is the most important factor to be managed. Credit risk is
defined as the possibility that a borrower or counterparty will
fail to meet its obligations in accordance with agreed terms.
Credit risk, therefore, arises from the banks' dealings with or
lending to a corporate, individual, another bank, financial
institution or a country. Credit risk may take various forms, such
as: in the case of direct lending, that funds will not be repaid;
in the case of guarantees or letters of credit, that funds will not
be forthcoming from the customer upon crystallization of the
liability under the contract; in the case of treasury products,
that the payment or series of payments due from the counterparty
under the respective contracts is not forthcoming or ceases; in the
case of securities trading businesses, that settlement will not be
effected; in the case of cross-border exposure, that the
availability and free transfer of currency is restricted or ceases.
The more diversified a banking group is, the more intricate systems
it would need, to protect itself from a wide variety of risks.
These include the routine operational risks applicable to any
commercial concern, the business risks to its commercial borrowers,
the economic and political risks associated with the countries in
which it operates, and the commercial and the reputational risks
concomitant with a failure to comply with the increasingly
stringent legislation and regulations surrounding financial
services business in many territories. Comprehensive risk
identification and assessment are therefore very essential to
establishing the health of any counterparty. Credit risk management
enables banks to identify, assess, manage proactively, and optimise
their credit risk at an individual level or at an entity level or
at the level of a country. Given the fast changing, dynamic world
scenario experiencing the pressures of globalisation,
liberalization, consolidation and disintermediation, it is
important that banks have a robust credit risk management policies
and procedures which is sensitive and responsive to these changes.
The quality of the credit risk management function will be the key
driver of the changes to the level of shareholder return. Industry
analysts have demonstrated that the average shareholder return of
the best credit performance US banks during 1989 - 1997 was 56%
higher than their peers.
They have mentioned the Credit security on certain
parameters.That are-
Building Blocks on Credit Risk
In any bank, the corporate goals and credit culture are closely
linked, and an effective credit risk management framework requires
the following distinct building blocks: - Strategy and Policy
This covers issues such as the definition of the credit
appetite, the development of credit guidelines and the
identification and the assessment of the credit risk.
OrganisationThis would entail the establishment of competencies and
clear accountabilities for managing the credit
risk.Operations/SystemsMIS requirements of the senior and middle
management, and the development of tools and techniques will come
under this domain.Strategy and PolicyIt is essential that each bank
develops its own credit risk strategy or enunciates a plan that
defines the objectives for the credit-granting function. This
strategy should spell out clearly the organizations credit appetite
and the acceptable level of risk - reward trade-off at both the
macro and the micro levels. The strategy would therefore, include a
statement of the bank's willingness to grant loans based on the
type of economic activity, geographical location, currency, market,
maturity and anticipated profitability. This would necessarily
translate into the identification of target markets and business
sectors, preferred levels of diversification and concentration, the
cost of capital in granting credit and the cost of bad debts.The
policy document should cover issues such as organizational
responsibilities, risk measurement and aggregation techniques,
prudential requirements, risk assessment and review, reporting
requirements, risk grading, product guidelines, documentation,
legal issues and management of problem loans. Loan policies apart
from ensuring consistency in credit practices, should also provide
a vital link to the other functions of the bank. It has been
empirically proved that organisations with sound and
well-articulated loan policies have been able to contain the loan
losses arising from poor loan structuring and perfunctory risk
assessments. The credit risk strategy should provide continuity in
approach, and will need to take into account the cyclical aspects
of any economy and the resulting shifts in the composition and
quality of the overall credit portfolio. This strategy should be
viable in the long run and through various credit cycles.An
organizations risk appetite depends on the level of capital and the
quality of loan book and the magnitude of other risks embedded in
the balance sheet. Based on its capital structure, a bank will be
able to set its target returns to its shareholders and this will
determine the level of capital available to the various business
lines.Keeping in view the foregoing, a bank should have the
following in place: - 1. Dedicated policies and procedures to
control exposures to designated higher risk sectors such as capital
markets, aviation, shipping, property development, defense
equipment, highly leveraged transactions, bullion etc. 2. Sound
procedures to ensure that all risks associated with requested
credit facilities are promptly and fully evaluated by the relevant
lending and credit officers. 3. Systems to assign a risk rating to
each customer/borrower to whom credit facilities have been
sanctioned. 4. a mechanism to price facilities depending on the
risk grading of the customer, and to attribute accurately the
associated risk weightings to the facilities. 5. Efficient and
effective credit approval process operating within the approval
limits authorized by the Boards. 6. Procedures and systems which
allow for monitoring financial performance of customers and for
controlling outstanding within limits. 7. Systems to manage problem
loans to ensure appropriate restructuring schemes. A conservative
policy for the provisioning of non-performing advances should be
followed. 8. a process to conduct regular analysis of the portfolio
and to ensure on-going control of risk concentrations. Credit
Policies and ProceduresThe credit policies and procedures should
necessarily have the following elements: Banks should have written
credit policies that define target markets, risk acceptance
criteria, credit approval authority, credit origination and
maintenance procedures and guidelines for portfolio management and
remedial management. Banks should establish proactive credit risk
management practices like annual / half yearly industry studies and
individual obligor reviews, periodic credit calls that are
documented, periodic plant visits, and at least quarterly
management reviews of troubled exposures/weak credits. Business
managers in banks will be accountable for managing risk and in
conjunction with credit risk management framework for establishing
and maintaining appropriate risk limits and risk management
procedures for their businesses. Banks should have a system of
checks and balances in place around the extension of credit which
are: An independent credit risk management function Multiple credit
approvers An independent audit and risk review function The Credit
Approving Authority to extend or approve credit will be granted to
individual credit officers based upon a consistent set of standards
of experience, judgment and ability. The level of authority
required to approve credit will increase as amounts and transaction
risks increase and as risk ratings worsen. Every obligor and
facility must be assigned a risk rating. Banks should ensure that
there are consistent standards for the origination, documentation
and maintenance for extensions of credit. Banks should have a
consistent approach toward early problem recognition, the
classification of problem exposures, and remedial action. Banks
should maintain a diversified portfolio of risk assets in line with
the capital desired to support such a portfolio. Credit risk limits
include, but are not limited to, obligor limits and concentration
limits by industry or geography. In order to ensure transparency of
risks taken, it is the responsibility of banks to accurately,
completely and in a timely fashion, report the comprehensive set of
credit risk data into the independent risk system.
Organizational StructureA common feature of most successful
banks is to establish an independent group responsible for credit
risk management. This will ensure that decisions are made with
sufficient emphasis on asset quality and will deploy specialised
skills effectively. In some organisations, the credit risk
management team is responsible for the management of problem
accounts, and for credit operations as well. The responsibilities
of this team are the formulation of credit policies, procedures and
controls extending to all of its credit risks arising from
corporate banking, treasury, credit cards, personal banking, trade
finance, securities processing, payment and settlement systems,
etc. This team should also have an overview of the loan portfolio
trends and concentration risks across the bank and for individual
lines of businesses, should provide input to the Asset - Liability
Management Committee of the bank, and conduct industry and sectoral
studies. Inputs should be provided for the strategic and annual
operating plans. In addition, this team should review credit
related processes and operating procedures periodically.It is
imperative that the independence of the credit risk management team
is preserved, and it is the responsibility of the Board to ensure
that this is not allowed to be compromised at any time. Should the
Board decide not to accept any recommendation of the credit risk
management team and then systems should be in place to have the
rationale for such an action to be properly documented. This
document should be made available to both the internal and external
auditors for their scrutiny and comments. The credit risk strategy
and policies should be effectively communicated throughout the
organisation. All lending officers should clearly understand the
bank's approach to granting credit and should be held accountable
for complying with the policies and procedures.Keeping in view the
foregoing, each bank may, depending on the size of the organization
or loan book, constitute a high level Credit Policy Committee also
called Credit Risk Management Committee or Credit Control
Committee, etc. to deal with issues relating to credit policy and
procedures and to analyse, manage and control credit risk on a bank
wide basis. The Committee should be headed by the Chairman/CEO/ED,
and should comprise heads of Credit Department, Treasury, Credit
Risk Management Department (CRMD) and the Chief Economist. The
Committee should, inter alia, formulate clear policies on standards
for presentation of credit proposals, financial covenants, rating
standards and benchmarks, delegation of credit approving powers,
prudential limits on large credit exposures, asset concentrations,
standards for loan collateral, portfolio management, loan review
mechanism, risk concentrations, risk monitoring and evaluation,
pricing of loans, provisioning, regulatory/legal compliance, etc.
Concurrently, each bank may also set up Credit Risk Management
Department (CRMD), independent of the Credit Administration
Department. The CRMD should enforce and monitor compliance of the
risk parameters and prudential limits set by the CPC. The CRMD
should also lay down risk assessment systems, monitor quality of
loan portfolio, identify problems and correct deficiencies, develop
MIS and undertake loan review/audit. Large banks may consider
separate set up for loan review/audit. The CRMD should also be made
accountable for protecting the quality of the entire loan
portfolio. The Department should undertake portfolio evaluations
and conduct comprehensive studies on the environment to test the
resilience of the loan portfolio.Operations / SystemsBanks should
have in place an appropriate credit administration, measurement and
monitoring process. The credit process typically involves the
following phases: - 1. Relationship management phase i.e. business
development. 2. Transaction management phase: cover risk
assessment, pricing, structuring of the facilities, obtaining
internal approvals, documentation, loan administration and routine
monitoring and measurement. 3. Portfolio management phase: entail
the monitoring of the portfolio at a macro level and the management
of problem loans. Successful credit management requires experience,
judgement and a commitment to technical development. Each bank
should have a clear, well-documented scheme of delegation of
limits. Authorities should be delegated to executives depending on
their skill and experience levels. The banks should have systems in
place for reporting and evaluating the quality of the credit
decisions taken by the various officers. The credit approval
process should aim at efficiency, responsiveness and accurate
measurement of the risk. This will be achieved through a
comprehensive analysis of the borrower's ability to repay, clear
and consistent assessment systems, a process which ensures that
renewal requests are analyzed as carefully and stringently as new
loans and constant reinforcement of the credit culture by the top
management team. Commitment to new systems and IT will also
determine the quality of the analysis being conducted. There is a
range of tools available to support the decision making process.
These are: Traditional techniques such as financial analysis.
Decision support tools such as credit scoring and risk grading.
Portfolio techniques such as portfolio correlation analysis. The
key is to identify the tools that are appropriate to the bank.
Banks should develop and utilize internal risk rating systems in
managing credit risk. The rating system should be consistent with
the nature, size and complexity of the bank's activities. Banks
must have a MIS, which will enable them to manage and measure the
credit risk inherent in all on- and off-balance sheet activities.
The MIS should provide adequate information on the composition of
the credit portfolio, including identification of any concentration
of risk. Banks should price their loans according to the risk
profile of the borrower and the risks associated with the loans
RBIRisk Management in RBI
As a financial intermediary, RBI is exposed to risks that are
particular to its lending and trading businesses and the
environment within which it operates. RBIs goal in risk management
is to ensure that it understands measures and monitors the various
risks that arise and that the organization adheres strictly to the
policies and procedures which are established to address these
risks. As a financial intermediary, RBI is primarily exposed to
credit risk, market risk, liquidity risk, operational risk and
legal risk.
RBI has a central Risk, Compliance and Audit Group with a
mandate to identify, assess, monitor and manage all of RBIs
principal risks in accordance with well-defined policies and
procedures. The Head of the Risk, Compliance and Audit Group
reports to the Executive Director responsible for the Corporate
Center, which does not include any business groups, and is thus
independent from RBIs business units. The Risk, Compliance and
Audit Group coordinate with representatives of the business units
to implement RBIs risk methodologies.
Committees of the board of directors have been constituted to
oversee the various risk management activities. The Audit Committee
of RBIs board of directors provides direction to and also monitors
the quality of the internal audit function. The Risk Committee of
RBIs board of directors reviews risk management policies in
relation to various risks including portfolio, liquidity, interest
rate, off-balance sheet and operational risks, investment policies
and strategy, and regulatory and compliance issues in relation
thereto. The Credit Committee of RBIs board of directors reviews
developments in key industrial sectors and RBIs exposure to these
sectors.
The Asset Liability Management Committee of RBIs board of
directors is responsible for managing the balance sheet and
reviewing the asset-liability position to manage RBIs market risk
exposure. The Agriculture & Small Enterprises Business
Committee of RBIs board of directors, which was constituted in June
2003 but has not held any meetings to date, will, in addition to
reviewing RBIs strategy for small enterprises and agri-business,
also review the quality of the agricultural lending and small
enterprises finance credit portfolio. As shown in the following
chart, the Risk, Compliance and Audit Group is organized into six
subgroups:
Credit Risk Management, Market Risk Management, Analytics,
Internal Audit, Retail Risk Management and Credit Policies and
Reserve Bank of India Inspection. The Analytics Unit develops
proprietary quantitative techniques and models for risk
measurement
CREDIT RISK MANAGEMENT IN COMMERCIAL BANKS
Risk Management in HDFC Bank
HDFC Bank has formulated a Risk Management Framework. The Risk
Management Committee (RMC) apprises the Audit Committee and the
board of the risk assessment and mitigation mechanisms of the
Corporation. The RMC comprises the Executive Director as
chairperson and senior management heading key functional areas as
members of the committee. During the year, the Audit Committee and
the board reviewed the efficacy of the Risk Management Framework,
the key risks associated with the business of the Corporation and
the measures in place to mitigate the same.
The audit committee formulated a Risk Management Framework. The
Risk Management Committee (RMC) apprises the Audit Committee and
the board of the risk assessment and mitigation mechanisms of the
Corporation. The RMC comprises the Executive Director as
chairperson and senior management heading key functional areas as
members of the committee. During the year, the Audit Committee and
the board reviewed the efficacy of the Risk Management Framework,
the key risks associated with the business of the Corporation and
the measures in place to mitigate the same.
Risk Management through ALM techniqueThere are three different
but related ways of managing financial risks. The first is to
purchase insurance. But this is viable only for certain type of
risks such as credit risks, which arise if the party to a contract
defaults. The second approach refers to asset liability management
(ALM). This involves careful balancing of assets and liabilities.
It is an exercise towards minimizing exposure to risks by holding
the appropriate combination of assets and liabilities so as to meet
earnings target of the firm. The third option, which can be used
either in isolation or in conjuction with the first two options, is
hedging. It is to an extent similar to ALM. But while ALM involves
on-balance sheet positions, hedging involves off-balance sheet
positions. Products used for hedging include futures, options,
forwards and swaps. It is ALM, which requires the most attention
for managing the financial performance of banks. Asset-liability
management can be performed on a per-liability basis by matching a
specific asset to support each liability. Alternatively, it can be
performed across the balance sheet. With this approach, the net
exposure of the banks liabilities is determined, and a portfolio of
assets is maintained, which hedges those exposures.
Asset-liability analysis is a flexible methodology that allows
the bank to test interrelationships between a wide variety of risk
factors including market risks, liquidity risks, actuarial risks,
management decisions, uncertain product cycles, etc. However, it
has the shortcoming of being highly subjective. It is up to the
bank to decide what mix would be suitable to it in a given
scenario. Therefore, successful implementation of the risk
management process in banks would require strong commitment on the
part of the senior management to integrate basic operations and
strategic decision making with risk management. The scope of ALM
function can be described as follows: Liquidity risk management.
Management of market risks. Trading risk management. Funding and
capital planning Profit planning and growth projection. The
objective function of the risk management policy in financial
entities is two fold. It aims at profitability through price
matching while ensuring liquidity by means of maturity matching.
Price matching aims to maintain interest spreads by ensuring that
deployment of liabilities will be at a rate more than the costs.
This exercise would indicate whether the institution is in a
position to benefit from rising interest rates by having a positive
gap (assets > liabilities) or whether it is in a position to
benefit from declining interest rates by a negative gap
(liabilities > assets). The gap between the interest rates (on
assets/liabilities) can therefore be used as a measure of interest
rate sensitivity. These spreads can however, be achieved if
interest rate movements are known with accuracy. Similarly,
grouping assets/liabilities based on their maturity profile ensures
liquidity. The gap is then assessed to identify future financing
requirements. However, there are often maturity mismatches, which
may to a certain extent affect the expected results.
RISK MANAGEMENT GROUPS AND SUBGROUPS OF HDFC
Managing Director and CEOAudit/ Risk/ Credit/Agriculture&
Small Enterprises BusinessCommittee of the Board
Executive Director/Corporate CenterHead Risk Compliance &
Audit GroupAnalyticsInternal Audit
Retail Risk ManagementMarket Risk ManagementCredit RisK
ManagementCredit Policies (RBI)
Risk Management of Standard Chartered Bank
Standard Chartered is the world's leading emerging markets bank
headquartered in London. It offers both consumer and wholesale
banking services. The bank employs 30,000 people in over 500
locations in more than 50 countries including the Asia Pacific
Region, South Asia, the Middle East, Africa, the United Kingdom and
the Americas. The world-wide IT infrastructure features 5,000
servers and 35,000 desktops. IT supports 600 different
applications.The main business problem is that it needs an
effective method for tackling critical security problems quickly
and efficiently in a high risk high profile environment. Further,
developing an effective, global, risk-driven approach to security
in a highly distributed enterprise is on the agenda.Standard
Charterers Requirements Prioritise patching effectively Detect
vulnerabilities quickly Integrate easily with existing proprietary
security approach SolutionQualysGuard Enterprise to automate the
network discovery, scanning, patching and verification process
Why Qualys? Accuracy Ease of global deployment Scalability Value
for money Integration with established security operations
The stakes are very high indeed. With our many large and complex
interconnections to the outside world, it's vital to carry out
effective patch management. Our aim is to achieve the right level
of security through implementing an appropriate risk-based
strategy. This cannot be achieved without a clear and accurate
understanding of what needs patching and ensuring that it remains
reliably patched. We use QualysGuard as a dynamic tool to underpin
this processThe aim is to achieve the right level of security on
our global networks. This means a clear and accurate understanding
of what needs patching and ensuring that it remains reliably
patched. We rely upon QualysGuard to underpin this process.Being
able to report on remediation and response plans has also helped us
meet strict financial compliance requirements. QualysGuard reports
give me and my security team an instant overview of the overall
level of health of security in my organisation.
Standard Chartered's Need for Vulnerability ManagementSecurity
monitoring in an environment like Standard Chartered's requires the
capability to cover diverse IT platforms - including both Windows
and Linux - and many applications and services. Its goal was to
consolidate these ad-hoc efforts into one cohesive, global process
with clear visibility, follow through and accountability.Before the
introduction of enterprise vulnerability management, Standard
Chartered's network topology and system configurations were
unknown. Local operating teams performed only occasional scanning
with various tools. Spot audits were made through penetration-
testing and there was no rigorous methodology to assess exposure
and take corrective action.The bank evaluated four alternatives
including tools from Foundscan, ISS, Vigilante and X-Force but
eventually, it selected QualysGuard on six clear criteria: Scanning
accuracy, deployability, scalability, ease-of-use, integration
capabilities and overall cost effectiveness."It was the only
solution which met our demands without compromise, giving the bank
a reliable, centralised method for protecting our critical assets
worldwide. Their experience of rolling out QualysGuard has been
remarkably painless. Working with our integration team in both
London and Singapore, the service has been consistently high.
The role of Vulnerability Management at Standard CharteredBy
introducing vulnerability management, Standard Chartered gained a
clear picture of the exposure with common standards worldwide. The
company has been able to quickly prioritise remediation; get
security and operating teams to work together smoothly and
effectively and empowered outsourcing vendors to meet specific
security service level agreements.Many major viruses have the
ability to recur and creep insidiously back into the network
causing considerable problems; another reason why on-going scanning
is important.Although Standard Chartered Bank was not hit the first
time round by SQL Slammer, it did manage to infect the network a
number of months later due to difficulties in restoring patched
server builds after operational problems. Our IDS engines and
QualysGuard enabled the Bank to pinpoint rapidly the source of the
problem and close it down, avoiding major infection.Reports Help to
Improve Risk Management and to Address Regulatory
RequirementsQualysGuard's easily accessible reports provide a clear
audit trail for fixing vulnerabilities. Delivered on a monthly
basis to the bank's operational risk committee, they have enabled
Standard Chartered to improve its risk management methodology and
address regulatory requirements that impact financial
institutions.
These reports help the security group support the front-line
production operations team more effectively to patch and maintain
the security of the whole network. They allow centralised
management by checking the patch management performance, tracking
patching actions to completion and distributing tasks to the
relevant geographic support group. Regulatory pressures and
increased exposure are driving more complex requirements for
managing security risk. The vulnerability management strategy
gained the bank ability to view and act upon security risk as it
pertains to our organisation's assets.The reports also enable
management to justify the investments we need and further define
the security strategy. Today, the bank really can deploy our
security manpower much more effectively in both preparing and
responding to security incidents.Standard Chartered Bank, an
international bank that provides interest rate derivatives products
for corporate customers globally, is expanding its Sun Microsystems
technology infrastructure in four offices worldwide as it
implements a more sophisticated, object-oriented global derivatives
trading system.
Risk Management in Union Bank
Risk is inherent part of Banks business. Effective Risk
Management is critical to any Bank for achieving financial
soundness. In view of this, aligning Risk Management to Banks
organizational structure and business strategy has become integral
in banking business. Over a period of year, Union Bank of India
(UBI) has taken various initiatives for strengthening risk
management practices. Bank has an integrated approach for
management of risk and in tune with this, formulated policy
documents taking into account the business requirements / best
international practices or as per the guidelines of the national
supervisor. These policies address the different risk classes viz.,
Credit Risk, Market Risk and Operational Risk. The issues related
to Credit Risk are addressed in the Policies stated below; Loan
Policy Credit Monitoring Policy Real Estate Policy Credit Risk
Management Policy Collateral Risk Management Policy Recovery Policy
Treasury Policy
The Policies and procedures for Market Risks are articulated in
the ALM Policy and Treasury Policy.
The Operational Risk Management involves framework for
management of operational risks faced by the Bank. The issues
related to this risk is addressed by;
Operational Risk Management Policy Business Continuity Policy
Outsourcing Policy Disclosure Policy
Besides, the above Board mandated Policies, Bank has detailed
Internal Control Principles communicated to the business lines for
ensuring adherence to various norms like Anti-Money Laundering,
Information Security, Customer complaints, Reconciliation of
accounts, Book-keeping etc. Oversight MechanismOur Board of
Directors has the overall responsibility of ensuring that adequate
structures, policies and procedures are in place for risk
management and that they are properly implemented. Board approves
our risk management policies and also sets limits by assessing our
risk appetite, skills available for managing risk and our risk
bearing capacity. Board has delegated this responsibility to a
sub-committee: the Supervisory Committee of Directors on Risk
Management & Asset Liability Management. This is the Apex body
/ Committee is responsible for supervising the risk management
activities of the Bank. Further, Bank has the following separate
committees of top executives and dedicated Risk Management
Department: Credit Risk Management Committee (CRMC): This Committee
deals with issues relating to credit policies and procedure and
manages the credit risk on a Bank-wide basis Asset Liability
Management Committee (ALCO): This Committee is the decision-making
unit responsible for balance sheet planning and management from the
angle of risk-return perspective including management of market
risk Operational Risk Management Committee (ORMC): This Committee
is responsible for overseeing Banks operational risk management
policy and process Risk Management Department of the Bank provides
support functions to the risk management committees mentioned above
through analysis of risks and reporting of risk positions and
making recommendations as to the level and degree of risks to be
assumed. The department has the responsibility of identifying,
measuring and monitoring the various risk faced the bank, assist in
developing the policies and verifying the models that are used for
risk measurement from time to time
