Risk Management Day 3

8/8/2019 Risk Management Day 3

1/84

Risk ManagementDay 3


2/84

Objective

To know aboutthe theoretical

aspects relatingto risk

management


3/84

Syllabus Day 3

Risk Management:

Methodology of Risk Management, Insurance Cover, Ten Steps of Making risk management work, Ten attributes of a World-Class Risk Management

Culture, Enterprise Risk Management, Integrated risk management, Risk management in Banking


4/84

COSO

Internal Control Framework

An Overview


5/84

COSO Definition of Internal Control

Internal control is a process, effected by an entitys board of directors,

management and other personnel, designed to provide reasonable assurance

regarding the achievement of objectives in the following categories:

Reliability of financial reporting

Compliance with applicable laws and regulations

Effectiveness and efficiency of operations


6/84

COSO Internal Controls KeyConcepts

Internal control is aprocess. It is a means to an end, not an end in itself.

Internal control is effected by

people. Its not merely policy manuals and forms,

but people at every level of an organization.

Internal control can be expected to provide only reasonable assurance, not

absolute assurance, to an entitys management and board.

Internal control is geared to the achievement ofobjectives in one or more

separate but overlapping categories.


7/84

Business Risk Management


8/84

Risk Management Architecture


9/84

Risk Management Architecture


10/84

Risk Management Is An

Individual Decision

No one "right" decision

The "right" decision depends on the

characteristics of the

operation and

individual decision-maker

Risk

Revenue

1

2

3


11/84

Prioritizing Which Risks to

Address First

Probability of

Happening

Potential

Impact

Act if costeffective

No actionrequired

Immediate action

Actionrequired

Small Catastrophic

High

Low


12/84

Risk Management

Risk Management is the Identification,

Analysis and Economic Control of those

RISKS which can Threaten the Assets(Property, Human) or the Earning

Capacity of an Enterprise


13/84

Process of Risk Management`

Risk Identification

Risk Measurement

Risk Control

Risk Transfer

Risk Financing

Risk Retention


14/84

Risk Assessment

Financial ImpactP

ro

bab

ilit

yVery High Risk

High RiskLow Risk

Medium Risk

FINANCIAL IMPACT:Threshold Limit to be decidedbased onSize of the corporate

PROBABILITY OFOCCURRENCE:

Organization history & IndustryExperienceto be considered


15/84

Handling Risk

Risk Levels

Low & Medium Normal Monitoring at the operational level

High Close control of all potential contributing factors by the RiskManagement Team

Very High Risks of this level should be actively tracked for decisions bythe Risk Management Committee.


16/84

Risk Management

Risk management is present in all aspects of life;

it is about everyday trade off between an

expected reward and potential danger

In the business world, often the risk is associatedwith some variability in financial outcomes.

However the notion of risk much larger.

Risk management is an attempt to identify,

measure, monitor and manage uncertainty


17/84


18/84

Risk Management Process

Identify risk and risk management goals

Gather relevant and comprehensive data to determine and

extent and nature of risk exposures

Analyse the risk exposures

Construct a risk management plan comprising appropriate

risk treatment methods

Implement the plan

Monitor the plan and outcome of the implementation


19/84

Seven Challenges for Risk

Management Confusion regarding the concept of risk. Completely avoidable human errors in subjective

judgments of risk. Entirely ineffectual but popular subjective

scoring methods. Misconceptions that block the use of better,

existing methods. Recurring errors in even the most sophisticated

models. Institutional factors. Unproductive incentive structures.


20/84

Enterprise Risk Management-

COSO Definition -

a process, effected by an entitys board of

directors, management and other

personnel, applied in strategy-setting and

across the enterprise, designed to identifypotential events that may affect the entity,

and manage risks to be within its risk

appetite, to provide reasonable assuranceregarding the achievement of entity

objectives.


21/84

What is Risk Management

a process and a means to an end, not an end in itself; effected by people and involving people at every level of the

organization;

applied in strategy setting and at every level across theenterprise and taking an entity level portfolio view of risks;

designed to identify events that potentially affect the entity

and manage risk within its risk appetite; provides reasonable assurance to an entitys management

and board;

also geared to the achievement of objectives in one or moreseparate and overlapping categories.


22/84

Risk Management

Risk refers to the uncertainty that surrounds future

events and outcomes. It is the expression of the

likelihood and impact of an event with the potential to

influence the achievement of an organizations

objectives.

Risk management is a systematic approach to setting

the best course of action under uncertainty by

identifying, assessing, understanding, acting on and

communicating risk issues


23/84

Eight Components of ERM

Internal Environment

Objective Setting:

Event Identification

Risk Assessment Risk Response

Control Activities

Information and Communication Monitoring


24/84

Internal Environment

This component reflects an entitys enterprise risk

management philosophy, riskappetite, board

oversight, commitment to ethical values, competence

and development of people, and assignment of

authority and responsibility. It encompasses the tone

at the top of the enterprise and influences the

organizations governance process and the risk and

control consciousness of its people .


25/84

Objective Setting

Strategic: high-level goals,aligned/supporting the mission/vision;

Operations: effectiveness and efficiency of

the entitys operations; Reporting: internal/external reporting of

financial/non-financial risk;

Compliance: compliance with applicablelaws and regulations.


26/84

Event Identification

Management identifies potential events that

may positively or negatively affect an entitys

ability to implement its strategy and achieve its

objectives and performance goals. Potentiallynegative events represent risks that provide a

context for assessing risk and alternative risk

responses. Potentially positive events represent

opportunities, which management channels backinto the strategy and objective-setting

processes.


27/84

Risk assessment

Management considers qualitative and

quantitative methods to evaluate the

likelihood and impact of potential events,

individually or by category, which mightaffect the achievement of objectives over

a given time horizon


28/84

Risk response

Management considers alternative risk

response options and their effect on risk

likelihood and impact as well as the

resulting costs versus benefits, with thegoal of reducing residual risk to desired

risk tolerances. Risk response planning

drives policy development

OUTCOME OF RISK & CONTROL


29/84

LOW RISK

LOW IMPACT

LOW RISK

HIGH IMPACT

HIGH RISK

HIGH IMPACT

IMPACTIMPACT

HIGH RISK

LOW IMPACT

LOW HIGH

LOW

HIGH

OUTCOME OF RISK & CONTROL

EVALUATION = Risk Prioritization

LIKELIHOODLIKELIHOOD


30/84

Control activities

Management implements policies and

procedures throughout the organization, at

all levels and in all functions, to help

ensure that risk responses are properlyexecuted


31/84

Information and communication

The organization identifies, captures andcommunicates pertinent information frominternal and external sources in a form

and timeframe that enables personnel tocarryout their responsibilities. Effectivecommunication also flows down, acrossand up the organization. Reporting is vital

to risk management and this componentdelivers it


32/84

Monitoring

Ongoing activities and/or separate

evaluations assess both the presence and

functioning of enterprise risk management

components and the quality of theirperformance over time


33/84

How to Address the RISKS

Avoid - ceasing to operate in that area of activity.

Transfer - transfer an element of the risk to a

third party

Mitigate - to mitigate either the likelihood

or the impact of the risk (Diversification)

Accept after considering cost / likely benefits.(As the price of doing the business)

Changing face of risk


34/84

Changing face of risk

managementRisk management is not just about avoiding downside. Its about realising potential

opportunities and achieving objectives.Failure to manage risk compromises a

companys ability to succeed, turning strategic goals into own goals.


35/84

May consist of either a design or operating deficiency:

A design deficiency exists when:

A necessary control is missing OR

An existing control is not properly designed so that even when thecontrol is operating as designed the control objective is not always met

An operating deficiency exists when:

A properly designed control is not operating as designed OR

The person performing the control does not possess the necessaryauthority or qualifications to perform the control effectively

Range from inconsequential internal control deficiencies to materialweaknesses

Definition of Internal Control

Deficiency


36/84

An internal control deficiencythat could

adversely affect the entitys ability to

initiate, record, process and report

financial data consistent with theassertions of management in the financial

statements

Could arise from a single deficiency or anaggregation of deficiencies

Definition of Significant

Deficiency


37/84

A significant deficiency in one or more of

the internal control components that

alone or in the aggregate precludes the

entitys internal control from reducing to

an appropriately low level the risk that

material misstatements in the financial

statements will not be prevented ordetected in a timely manner

Definition of Material

Weakness


38/84

Who is Responsible for the Design and

Effectiveness of Internal Controls?Management is responsible for the control

design and assessment of internal controls

within their areas of responsibility. Thisresponsibility cannot be delegated or

outsourced.

Responsibility for Internal

Controls


39/84

COSO Internal Control Framework

1. Consists of three objectives:

Effectiveness and efficiency of operations

Reliability of financial reporting Compliance with applicable laws and

regulations

1. Consists of five components: Control environment Risk assessment

Control activities Information/Communication Monitoring

1. Requires an entity level focus and an activity

level focus

MONITORING

INFORMATION AND

COMMUNICATION

CONTROL ACTIVITIES

RISK ASSESSMENT

CONTROL ENVIRONMENT

OPE

RATIONS

FINA

NCIAL

R

EPORT

ING

COMPLIANC

E

UNIT

A

UNITB

ACTIVITY

1

ACTIVITY

2

ACTIVITY

3

The COSO Frameworks Three

Dimensions Provide Criteria forEvaluating Internal Controls


40/84

Control Environment

CONTROL ENVIRONMENT

OPE

RATIONS

FINA

NCIAL

REPO

RTIN

G

COMPLIANC

E

The control environment sets the tone of the organization,

influencing the control consciousness of its people. It is the

foundation for all other components of internal control, providing

discipline and structure.

Control environment factors include:

Integrity and ethical values

Commitment to competence

Board of Directors or Audit Committee

Management philosophy and operating style

Organizational structure

Assignment of authority and responsibility

Human resource policies and procedures


41/84

Control Environment

CONTROL ENVIRONMENT

OPE

RATIONS

FINA

NCIAL

REPO

RTIN

G

COMPLIANC

E

Risks to integrity and ethical values for financial reporting practices:

Incentives

Pressure to meet unrealistic performance targets, particularly for shortterm results

High performance-dependent rewards

Upper and lower cutoffs on bonus plan

Temptations

High decentralization with top management

unaware of actions taken at lower organizationallevels

Weak internal control functions does not detectand report improper behavior

Penalties for improper behavior are insufficientto deter temptations


42/84

Risk Assessment

RISK ASSESSMENT

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E

Risk assessment is the identification

and analysis of relevant risks to

achievement of the objectives, forminga basis for determining how the risks

should be managed.


43/84

Risk Assessment

RISK ASSESSMENT

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E

Objectives (i.e. assertions) must be established prior to the identification

of risks to their achievement and to take necessary actions to manage the

risks. By setting objectives, both at entity and activity

levels, prior to a risk assessment, a company

can determine the critical success factors; thendetermine the risks to the critical success

factors.

A risk assessment usually includes:

Estimating the significance of a risk

Assessing the likelihood (orfrequency) of the risk occurring

Consideration of how the risk shouldbe managed

RISK ASSESSMENT

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E


44/84

Control Activities

CONTROL ACTIVITIES

OPE

RATIONS

FINA

NCIAL

REPO

RTIN

G

COMPLIANC

E

Control activities are the policies and procedures that help ensure

management directives are carried out. They help to ensure that necessary

actions are taken to address risks to achievement of the entity's objectives.

Control activities occur throughout the organization, at all levels and in all

functions.Control activities include:

Approvals

Authorizations

Verifications

Reconciliations

Reviews of operating performance

Security of assets

Segregation duties

CONTROL ACTIVITIES

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E


45/84

Control Classification

Preventive controls focus on preventingerrors or exceptions. Such preventive

controls are Standard policies and procedures

Proper segregation of duties

Authorization levels/approvals

Detective controls are designed to identifyan error or exception after it hasoccurred. Such detective controls are:

Exception reports

Reconciliations

Periodic audits

Internal controls can be classified as either Preventive or Detective.

CONTROL ACTIVITIES

OPE

RATIONS

FINA

NCIAL

REPO

RTIN

G

COMPLIANC

E

CONTROL ACTIVITIES

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E


46/84


47/84

Control Activities

CONTROL ACTIVITIES

OPE

RATIONS

FINA

NCIAL

REPO

RTIN

G

COMPLIANC

E

During an evaluation, you should consider

not only whether established control

activities are relevant to the risk-

assessment process, but also whether they

are being applied properly.

(Meaning: Designed effectively and

operating effectively)


48/84

Information and Communication

When evaluating the information and communication of an entity, one

should consider:Information

Obtaining external and internal information andprovide management with necessary reports

on the entitys performance relative toestablished objectives.

Provide information to the right people insufficient detail and on time to enable them to

carry out their responsibilities effectively and

efficiently.

Communication Adequacy of communication across the

organization and the completeness and

timeliness of information.

Openness and effectiveness of channels withcustomers, suppliers and other external parties

for communicating information.

INFORMATION AND

COMMUNICATION

OPERA

TIONS

FIN

ANCIAL

REP

ORT

ING

COM

PLIANC

E


49/84

INFORMATION AND

COMMUNICATION

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E

Pertinent information must be identified, captured

and communicated in a form and timeframe that

enables people to carry out their responsibilities.

Information systems produce reports, containing

operational, financial and compliance relatedinformation, that make it possible to run and control

the business. Information Information is needed at all levels of an organization to run the

business, and move toward achievement of the entitys objectives in all categories.

This will include:

Operational reports to management to ensure effective and efficient use ofresources

Financial reports detailing the performance of the company used by companymanagement and external parties.

Communication Communication must take place, dealing with expectations,responsibilities and other important matters.

Information and Communication


50/84

Monitoring

MONITORING

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E Monitoring is the process of assessment by

appropriate personnel of the design and operation of

controls on a suitably timely basis, and taking

necessary actions.

It applies to all activities within an organization, and

sometimes to outside contractors as well. This may

include outsourced cash collections (lockbox),

outsourced payment processing (A/P through

Shared Services Center) or waste management

(compliance with EPA regulations).

Monitoring can be done in two ways:

1.Ongoing Activities

2.Separate Evaluations


51/84

Monitoring

MONITORING

OPE

RATIONS

FINA

NCIAL

REPO

RTING

COMPLIANC

E

Two ways to do monitoring:

1. Ongoing Activities Activities to monitor the effectiveness of internal controls in

the ordinary course of operations. These include regular management and

supervisory activities, comparisons, reconciliations and other routine actions.

Example - Data recorded by information systems are compared with physical

assets. Finished product inventories are examined periodically and counts are

then compared with accounting records and differences reports.

2. Separate Evaluations Evaluations of internal controls performed by

management and/or internal audit. Controls addressing higher-priority risks and

those most critical to reducing a given risk will tend to be evaluated more often.


52/84

Internal Controls


53/84

Internal Control Defined

Internal controls are the policies and procedures

that, when implemented effectively and efficiently,help minimize or reduce the impact of risk on a

company or business process to an acceptable

level.

Si ifi t C t l


54/84

Controls over initiating, recording, processing and reporting significantaccount balances, classes of transactions and disclosures, and the relatedassertions embodied in financial statements

Antifraud programs and controls

Controls, including general controls, on which other significant controls aredependent

Each significant control in a group of controls that functions together toachieve a control objective

Controls over significant routine and nonsystematic transactions (such asaccounts involving judgments and estimates)

Controls over the period-end financial reporting process, including controlsover procedures used to:

Enter transaction totals into the general ledger

Initiate, record and process journal entries in the general ledger

Record recurring and nonrecurring adjustments to the financialstatements

Significant Controls


55/84

Integrated Risk Management

It is diagnostic.

It is designed to support optimal

investment.

It is transaction cost based.

It is inclusive.

It is coordinated but discriminating.


56/84

Risk Management in Banking


57/84

WHAT IS RISK

Every action has a reaction

If reaction is for our benefit; no worry and no risk

If it is against our interest only we are worried

and that is risk Risk is therefore possibility of a negative result

for our actions

Could be due to us or beyond us


58/84

RISK Contd

Risk is supposed to have been derivative of

risicare which means to dare

Daring is to take steps recognising the potential

for loss Extent of this behaviour is taker specific

More risk is taken in view of potential for higher

yield


59/84

RISK Contd

Due to risk either , profits and capital may

grow multifold or business may be wiped

out

Nevertheless we cannot be risk

free/averse banker like a ship in a port

Banking is therefore risk management


60/84

RISK Contd

Return is therefore related to risk

Returns from businesses are to be

adjusted for risks for comparability-this is

RAROC


61/84

BANKING BUSINESS

Business is broadly divided into on balance

sheet and off balance sheet activities.

On balance sheet activities are banking book

(deposits & advances) and trading book(investments)

Banking book has no market risk

Risks common to both books are credit,

operational


62/84


63/84

RISK MANAGEMENT

Identification

Measurement Sensitivity

Volatility

Downside potential Pricing covering

Cost of resources

Cost of operations

Risk premium

Capital charge

Monitoring and control

Mitigation Transferring


64/84

MARKET RISK

Has a component of credit risk in addition to

price, liquidity and interest rate risks

Liquidity risk can also be due to markets

RISK IN INVESTMENTS IS MEASURED THROBPV, MODIFIED DURATION, var AND YIELD

AND PRICE VOLATILITIES

MONITORING & CONTROL AND


65/84

MONITORING & CONTROL AND

MITIGATION

Monitoring

Policy guidelines for various activities

Caps for transaction sizes, stop loss limits,

guidelines on portfolio sizes both type andindustry, exposure norms

Mitigation through derivatives


66/84


67/84


68/84

Components of Bank Balance Sheet

Liabilities Capital

Reserves and Surplus

Deposits

Borrowings

Other Liabilities


69/84

Components of Bank Balance Sheet

Assets

Cash and Balances with RBI

Bal with Banks, Money at Call and Short

notices Investments

Advances

Fixed Assets Other Assets


70/84

Banks Profit and Loss

Income

- Interest Earned

- Other Income

Expenses

- Interest Paid

- Operating Expenses

- provisions- Taxes


71/84

Risk in Banking Business

Three major heads for the purposes of

Risk Management

Banking Book

Trading Book

Off Balance Sheet Exposures


72/84

Banking Business

Characteristics of Assets and Liabilities They are normally held till maturity

Accrual system of accounting is adopted

Since Assets and Liabilities are held tillmaturity their mismatch may lead to cashin flow (excess) or cash shortage at aparticular point of time. This is normallydenoted as Liquidity Risk


73/84

Banking Book

Due to change in interest rates assets and

liabilities are subject to interest rate risks or re-

pricing

Assets side of the balance sheet generatescredit risk arising from defaults in payment of

interest or installments by the borrowers

Banking book also suffers from Operational Risk


74/84

Trading Book

The trading book includes all the assets

that are held with the intention of trading,

which are marketable.

These assets are classified as Held forTrading

These assets are subjected to Market Risk

and marked to market (MTM)


75/84

Off Balance Sheet Exposures

Off Balance Sheet exposure is contingent innature e.g. Letter of Credit , Bank Guarantees

A contingent exposure may become fund based

exposure in Banking Book or Trading Book Thus these exposures may have liquidity,

interest rate, market, credit or default risks and

operational risks


76/84


77/84

Balance Sheet Risk

Credit Risk

Concentration Risks (Industry / Geographic)

Intrinsic Risks (Credit Card, Merchant Banking)

Market Risk Interest Rate Risk

Liquidity Risk

Currency Risk

Commodities Risk


78/84

Interest rate Risk

Price Risk

Reinvestment Risk

Gap Risk

Yield Curve Risk

Basis Risk


79/84


80/84

C di Ri k


81/84

Credit Risk

Credit risk is the possibility of losses associatedwith changes in credit profiles of borrowers orthird parties

It involves the inability or unwillingness of a

borrower to meet the obligations Credit Risk is made up of

Transaction Risk Concentration , Intrinsic

Portfolio risk Downgrade , Default

O ti l Ri k


82/84

Operational Risk

Credit Risk and Market risks emanatefrom Operational Risk

Operational risk is the risk of direct and

indirect loss resulting from inadequate orinefficient internal processes people and

system or from external events.

C dit Ri k M t


83/84

Credit Risk Management

Credit risk is the potential loss arising out of theinability or unwillingness of a customer or

counter party to meet its commitments in relation

to lending, trading, hedging, settlement and

other financial transactions.

Philosophy behind credit risk management is

Higher the Risk higher is the expected reward

C dit i k t


84/84

Credit risk management

The CRM framework includes:

Policies and procedures

Organization structure for effective credit

management Credit risk rating framework

Documents

Risk Management Day 3