Risk management in Indian Banks Banking system in India adopted successfully the 1988 version since 1992, as part

of its financial sector reform process. The achievement of Indian banks in this regard is more creditable as they had to cope simultaneously with the prudential accounting norms introduced for the first time. At present the Indian banking system, both private and public sector on an average commands a capital adequacy of 11%, with a minimum regulatory prescription of 9% as against international norm of only 8%, perhaps to take care of the inadequacies, if any, in our accounting, payment and valuation systems. The Indian banking system is now better prepared to face the rigor and adopt the revised version (Basel II). Most of the PSBs are capital market fit for mobilizing capital from the market and less dependent on government. Profitability levels are improved and somewhat stabilized if not reached international standards. Return on assets are almost stabilized around 1%, with NIM in a deregulated interest rate scenario, around 2.75% mark. Operational efficiency is also improving thanks to the increasing adoption of Information Technology and HRD intervention, with the operational expenditure to working funds ratio coming down substantially. Risk management systems though still long way to go, has made a substantial progress both in credit as well as market risk mainly triggered by several initiatives taken by the RBI. An Overview of Risk Management in Indian Banks Risk is chance of (Unfavorable) deviation from the expected result. Profit is the reward for the risk. Risk is uncertainty and leads to either favorable or adverse impact. Risk is not only less visible but also less tangible unlike income or returns and hence not easy to capture, measure or manager. Bank is basically a risk machine, which takes risk, transfers risk and embeds risk. Bank is basically a high-risk player due to unusually high debt-equity ratio and hence is highly regulated all over the world Thus a bank is a risk not only for itself but also for all others in the market. In the words of Mr. Narayanamurthy, Chief Mantor, Infosys: o Best is to do. o Next Best is to do with unintentional mistake. o Work is not to do at all. Hence, biggest risk to a Bank is Bank not taking any risk. Risk Management Process:

o Risk Management comprises the following steps: i) Risk identification. ii) Risk Measurement (EL, UL). iii) Risk Policies and Procedures. iv) Risk Analysis and Monitoring v) Risk Reporting vi) Risk Verification and Audit. o Board approves risk management policy and senior management implements its. o Risk Management is basically a top down process. o Operationalization of risk management Establishing a risk management function independently from business areas and operating it (especially the market risk) as a controlling or monitoring function to assure the Senior Management and Board that risk is being assessed effectively and policies, procedures and standards set are being adhered to. Types of Bank Risks: i) Balance sheet risk or Business risk ii) Delivery (Operational Risk) or Consequential Risk iii) Other less tangible risk Reputational, Image, Legal, Technology, Management, Knowledge, Culture etc. Natural calamity, External events, Disturbances etc. o o o

Balance Sheet Risk Credit Risk (CCO) Market Risk (CFO) Credit Risk Counter Party Risk or Individual Loan Risk. Portfolio risk Transaction Risk Intrinsic Risk Concentration Risk Market Risk (Price Risk) Liquidity Risk Interest Rate Risk Currency (Forex) Risk Commodity Risk Equity Risk Price Risk Measurement of Risk The main principle or approach of risk measurement is: Measure the variation of a target variable like interest margin, income, earnings or market value etc generated by a random parameter like interest rate, forex rate, market price or such other market parameters. Commonly used measurement indicators are: Sensitivity Volatility Downside Risk

Sensitivity (Elasticity) A measure of direction as well as magnitude of deviation in the target variable on account a unit change in the random parameter.

For example: i) Duration and Bond Prices. ii) Default Rate of Credit and Credit Losses (Credit Rating) o Volatility Volatility is measured through statistical parameters like Variance or Standard Deviation of random variable around its mean. While mean is average of the values of random variables weighted by their frequency (probability) of occurrences. Volatility of a random variable is computed through two measures: i) Period of Observations (Horizon) ii) Frequency of Observations (Frequency)

o i)

Downside Risk or Ultimate Risk There can be three measure of risk: Expected Loss Average i.e. Mean (Provisions) e.g. Annual Expected Loan Loss

ii) Unexpected Loss Standard Deviation (Capital Charge) o Potential variability of expected loss over a period of time. o They average out to zero over long period of time. However, bank cannot wait of survive for such long time without covering such losses immediately (Capital Charge) iii) Stress Loss or Exceptional Loss Worst-case scenario i.e. unusual event that is difficult to measure. o Normal distribution is a statistical tool commonly used to indicate all the above types of losses. It is a bell-shaped curve of a variable whose distribution is constructed once the mean and standard deviation are known. o i) book. ii) o Risk Management method is normally two types: The accounting method (EAR i.e., Earnings at Risk) Useful for banking The economic or market value (Value at Risk) Useful for Trading book. Three ways of measure Risk: Stress Testing Indicates how much the bank could afford to lose (Short Value at Risk indicates how much the bank is likely to lose (Short Scenario Analysis Positioning the bank to face major catastrophes in Medium Term)

a) term) b) term) c) the market (Long or o

Utility of measuring risk:

 Provides management valuable information on risk exposure levels. Enables setting limits / exposures both for operational and prudential purposes. Helps in resource allocation through Return risk ratio basis. Helps in performance evaluation of trading units, players/dealers, products (risk adjusted performance). Facilitates regulatory compliances, provisioning, capital allocation besides cost-pricing decisions. o Risk & Capital Linkage:

Bank risks Business risks & operational or dumb risks. Bank risk result in expected losses (EL), Unexpected losses (EL) and exceptional losses or stress loss (SL). Expected is the average, unexpected is deviation from the avearage. Regulatory prescriptions say that provide (risk premium) for expected losses, take care of unexpected losses through capital charge and (build strength over a period of time) face exceptional losses as and when it occurs as the last one can neither be priced nor capital charge is feasible. To expand the business, the capital is either internally generated continuously (ploughing-back) or externally mobilized periodically. Next comes the asset base which gives the profit margin and hence the shift to asset driven banking in the post-reform scenario. o Other related issues in Credit Risk Management:

Scope for expanding business (or) balance sheet size, inter-alia, lies more in credit expansion with proper credit policy, strategy and credit management system in place besides effective delivery structure. Loan granting culture should give way for proactive asset selection culture and system i.e., selecting the borrower rather than borrower selecting the bank. Delivery of Credit with a vast network of branches brings in its own problems: Whether to combine or not the three major elements of credit management i.e., marketing, appraisal and finally the disbursal and operations at branch level due to possible & inherent conflict of interest (Three-in-one System). Delegation of Loaning powers shall be risk based or hierarchy based? Specialized vis--vis universal branches. Skewed attention levels for credit risk at branches when compared to operational risk. Pricing of loan assumes critical importance in a deregulated and competitive market scenario. Pricing involves cost of debt funds, capital funds, risk premium, service cost and finally profit margin. Too little focused research in product development and delivery style and system, which led to imitation products, proliferation of products etc. Audit and vigilance systems may have to change their approach to encourage credit culture in the organization without any leniency on even minim malafide cases. Their effectiveness lies in segregating quickly the bonafide and malafide cases.

 Organizational Culture must exhibit sufficient tolerance levels for bonafide judgmental errors. Performance evaluation in credit area should be portfolio based from growth, risk and return point of view. New interest margins net of provisions i.e., risk adjusted spreads shall also be kept in view in this context. o Market Risk Management:

Most important and potential risk the banks need to guard always The Bank can become bankrupt overnight (e.g. : Barings Bank, Nedungadi Bank). Implied measurement of market value of net worth of a bank. Easily visible and measurable if all the assets and liabilities are marked to market. Useful in the context of measuring the Economic Value Added (EVA) by bank or while assessing shareholder value. In India, it is centralized portfolio with funds and treasury managers operating mostly in metro centers. Due to centralization, it is less understood subject in the banks even at senior levels. It may not be exaggeration of we say that in a bank one person handles half the balance-sheet while rest of the bank handles the other half of the Banks balance sheet. Remained dormant due to fixed rate regimes in the Pre-reform era. RBI has brought Indian Banks at part with international standards by introducing Basel Committee standards for assessing market risk for arriving at risk weighted assets for computing CAR. o Asset-Liability Management (ALM)

At the instance of RBI, all banks in India are adopting ALM mainly to manage liquidity and interest rate risks. RBI issued detailed guidelines in this regard. Interest rate risk is the most important risk being managed under ALM. Taking position about interest scenario and asset-liability gap are crucial elements in this context. Gap model and graduating to duration model are advocated for measuring interest rate risk under ALM especially for banking book. For trading book in investments and forex portfolios etc VaR is ideal tool. o Rule of Risk Management

Risk Metrics Group, USA: 1) There is no return without risk (Rewards go to those who take risk). 2) Be transparent (Risk should be fully understood) 3) Seek Experience (Risk is measured and managed by people, not mathematical models) 4) Know what you dont know (Question the assumptions you make) 5) Communicate (Risk should be discussed openly)

6) Diversify (Multiple risks will produce more consistent rewards) 7) Show Discipline (A consistent and rigorous approach will beat a constantly change strategy) 8) Use Common sense (It is better to be approximately right, than to be precisely wrong) 9) Return is only half the equation (Decisions should be made only by considering the risk and return of possibilities) In the words of Walter Wriston, Ex. Chariman Citi Group: All of Life is the Management of Risk and not its elimination Risk Management is seeking security in an increasingly volatile world Bank is an insurance company for financial risks In the words of Chairman, Federal Reserve Board, USA We must all guard against a situation in which the designers of financial strategies (traders) lack experience to evaluate attendant risks and their experienced senior mangers are too embarrassed to admit that they do not understand the new strategies. Basel II implementation in India - The Challenges Risk management functions are in place in most banks and financial institutions. However, it appears to be motivated more by compliance to regulatory requirements, rather than an internal recognition for optimizing the risk return trade-off. Moreover, only a handful of banks are doing risk management in the sense of assessing, positioning and modulating the risks not only at the macro level but also at the micro level, that is at the level of transaction. Firstly, there needs to be a keen awareness of the risks at the transaction level on the part of even the lowest functionary involved in the financial transaction in order that the bank or the financial institution gets compensated for the amount of risk it is assuming by performing a certain transaction. This implies embedding a risk culture across all activities of an institution. As Governor Mr. Bimal Jalan had pointed out in this address to bankers, ultimately risk management is a culture that has to develop from within the internal management systems of the Banks For instance, a staff member accepting a fixed deposit needs to be as much aware of the implications of his transaction to the risk profile of the bank as the Risk Manager at the Head Office. In the absence of such kind of ground level appreciation of the risks in concrete particularities, risk management becomes more a ritual to be completed than a meaningful exercise in increasing the sophistication and capabilities of the business. The second issue is operationalisation of the risk function. Each bank has a unique risk profile depending upon multiple factors including scale of business,

geographical focus/ break-up, segmental focus/ break-up, risk profile, products offered, organizational culture, underwriting / control environment and growth rate. A risk solution designed for one institution or geography cannot therefore be indiscriminately applied to another institution. The procedures, the techniques and the methods available for risk management are varied and manifold. Each institution needs to choose the right technique which is required by its own business profile and which are also cost-effective, subject, however, to the legal and regulatory requirements. It is in this area of adaption of the Western techniques that there is a serious difficulty as such techniques may not be applicable mutates mutandis to the Indian scenario because of the difference of the behavioral dimensions and the environmental differences. Therefore, the more difficult route of developing indigenous models using the available statistical techniques needs to be adopted by the banks in order to do risk management in a meaningful way at the micro level. In fact, depending on the need, banks may like to develop credit scoring models for each sector, if not for each activity, being financed to achieve greater accuracy and reliability based on indigenous data on the institutions customer profile and their characteristics. While some of the banks seem to have made a beginning by introducing internally determined rating grades, there is a lot of ground that needs to be covered in this regard. Third, it might be beneficial to the banks to approach risk management as a multilayered task within the organization, for instance, at the macro level and the micro level. Risk management at the macro level will be effective if detailed data is available in a consistent format covering the all of the institutions lines of business and geographies, typically in a centralized database, regarding all of the transactions of the bank. It is well known that the risks are inherent in various transactions of the bank and though for the purpose of understanding we prepare taxonomy of the risks, they cannot be disentangled in reality and keep manifesting in different forms in different circumstances. Therefore, there is a need to develop a centralized database of all the transactions, so that banks can analyze various risks and the interconnections between the various risks. Apart from the availability of data, there is a need for sophisticated analytics relevant to the institutions circumstances. It is well known that risks have multiple dimensions. Financial risk manifests in various dimensions. Though they are classified into various categories, defined and dealt with in segmented manner, they overlap and, often, represent different stages of business. For instance, a bank may not be in a position to handle adverse clearing on account of liquidity mismanagement. We are aware that liquidity constraints of this bank could translate into a counter party risk for the institutions on the other side of the transaction. Thus, investment transactions and foreign exchange transactions all have counter party risk and credit risk embedded in them. Likewise, a floating rate credit facility of a corporate may be hit by raising interest rates, which may adversely affect the corporates capacity to repay the loan. Therefore, what began as a market risk may culminate into a credit risk as far as the bank is concerned. Though, for the purpose of analysis and appreciation, banking risks are classified into various specific risks like liquidity

risks, credit risk, interest rate risk, foreign exchange risk, equity position risk, operation risk and legal risk. The issue in all these risks is to ensure that the bank has assumed the type of risk and the level of risk based on its loss-absorbing capacity and appetite for risks and adequate compensation for the risk assumed. Therefore, banks need to have an integrated approach to risk management. A sine qua non for this is an integrated information system. As is well known, risk management requires a lot of historical data to provide the basis for forecasting a building of models in respect of various activities. In order to take a view about the future, there is need to have sufficient historical data as well as appropriate techniques for analysis and skilled human resource. In the Indian context, the major handicap is the absence of data series, particularly regarding the transactions in individual loan accounts since such data as is available is not consistent enough to facilitate taking an integrated view of a particular financial entity, let alone for being used for preparing models. It may be noted in this context that the leading credit rating agencies in India do not rate the issuers of debt but provide rating for the issues. It is against this background that one stresses the need for the banks to go in for comprehensive computerization solutions to ensure that all of the banks data is available for viewing and monitoring and processing by those authorized for the purpose. The prerequisite for this is that banks should network all their branches and create a centralized data store that will serve as a warehouse for the bank for accessing the data for model building, model validation and risk management. The second major step would be to conduct all transactions in the electronic mode to ensure consistency, integrity and comparability of the various transactions across the banks and even across the industry. Establishment of the Credit Information Bureau in the recent past augurs well the extent that it enables the availability of data about the defaulters to the banks in the public domain. However, it might be useful to arrange for a detailed survey of the loans granted by the banks during the last decade so as to create an industry-wise database. Given the non-availability of significant amount of data either within the bank itself or in the public domain regarding the various banking transactions, it is imperative to undertake a detailed exercise to find out if the available data, or the databases within each of the banks can be used to build some preliminary models. Fourth, yet another requirement for establishing risk management system is trained and skilled manpower. Sophisticated risk management requires employees with knowledge and skills commensurate with the complexity of the policies, processes, models and systems required. A quantitative orientation across the organization also needs to be developed (in addition to emphasis on processes) so that all people are sensitized to the importance of the information, accuracy and consistency. Besides this general orientation, there is a need to have people who are well versed in analytics and are able to construct and periodically validate and refine models for the purpose of the bank. Apart from building models, there is a need for functional specialists with an information technology orientation who can operationalise these models in actual practice. This is a major challenge in most of the banks as the required human resources are rather scare.

Fifth, the Board of Directors and the management should be in a position to identify the risk appetite of the bank. Since the goal of a bank or financial institutions is maximization of the shareholder value, there is a need to ascertain and identify the stance of the shareholders in regard to the risks to be assumed by an organization. This can be done through greater disclosures to the shareholders and more meaningful discussions at the annual general meetings and by establishing a continuous interaction system with the shareholders. One quick way of identifying the shareholders preferences for the risk appetite is to make analysis of the share price movements before and after the bank had taken up certain new lines of business or types of activities. Perhaps, this is the reason why Basel Accord considers market discipline as a third pillar of supervision. Having determined the risk management policy and having provided for an integrated information network and requisite human resources, the management of bank will have to determine in concrete terms as to which are the line of business they would like to sow, on the basis of detailed analysis of the risk-return trade off of various activities as applicable to their operations. Sixth, for external credit rating agencies as well as for banks adopting the standardized approach to credit risk, the issue of issue ratings versus issuer ratings has gained importance, because most credit rating institutions in India have been rating the issues and not the issuers. While the new capital accord provides methodologies for accepting issuer ratings in lieu of issue rating, this is applicable on claims senior to the claims covered by the issue. There is also the challenge of rating large number of obligors across the nation; especially the new accord recommends banks use only solicited ratings. A moot point is whether the Indian rating industry has reached a stage of maturity that should encourage the national regulators to accord recognition to these rating entities for the purpose of computing capital adequacy in banks. Seventh, a key dimension of a Basel II initiative, given the size and complexity of the initiative, consists of preparing the organizational change. For an organization to metamorphose into an institution doing sophisticated risk management in a time bound manner involves changing policies, processes and systems and fundamentally reorienting the way business conducted. Setting up a communication systems to ensure employees are aware of organizational policies and priorities is as important as is an infrastructure for training employees in new tools, techniques and processes. The human resources group of the institution therefore requires being closely involved in the entire process at a strategic, tactical and operational level. The risk reporting infrastructure needs to developed in a manner that not only enables reporting in various formats and extent of detail to risk managers, regulators and shareholders, there needs to be adequate transparency in systems and traceability of transactions built in to support validation of such reports. This is essential on account of special requirements as a result of pillar two (supervisory review) and pillar three (market discipline transparency) within the new capital accord.

Institutions need to prepare not only for capital calculation based on regulatory prescription, but also capital allocation among various lines of business, and capital attribution for risk adjusted profitability management. Basel II requires high standards of corporate governance on banks. Banks would need to create a committee overseeing the risk management process in the institution, and preferably designate a director specifically for risk management in line with global best practices. This also implies that the identified members of the board and senior management have the appropriate understanding of the banks risk management systems and processes and of issues surrounding the risk management function. All deviations from the banks approved policy must also be reported to the appropriate functionaries and deviations should be approved in a manner laid out in the banks risk management policies. The banks management must also periodically ensure that the risk management framework is functioning appropriately and issues in this relation need to be discussed. The board and senior management must have access to information to allow satisfactory fulfillment of their responsibilities in this regard. Challenges before the Supervisor Supervisor is omnipresent throughout Basel II as its role under supervisory review process both by way of on-site & off-site inspection. A few areas where supervisor faces challenges for implementation of Basel II are as under:

o Deciding National Priorities: Supervisor can not aim that all banks shall
start implementation simultaneously with advance approaches under all the risk areas. The supervisor has to exercise his discretion in allowing the banks to use various options available under the framework. RBI has decided to adopt sequential, graduated and structured approach in implementation of Basel II framework, starting with initial approaches with encouragement for moving towards advanced approaches.

o Increased Role of ECAI: The outsourcing of individual credit risk

assessments to ECAI would mean that supervisor needs to verify and validate the results generated. This takes the supervisory process beyond the boundaries of conventional supervision. In India, these rating agencies are limited in number and the penetration of rating culture is also limited. It is a challenge before the supervisor while implementing the standardized approach.

o Capacity Building: One of the biggest challenges is the need to improve

internal human resources in tune with the requirements particularly in the area of validation of models used by the banks for Credit, Market and Operational risks which calls for high level of expertise in the areas such as statistics, modeling technique, simulation etc. It would enable supervisor to discharge its role under Pillar 2. In India, since implementation of Basel II is with initial approaches, it gives some breather to RBI to build / develop capacity through training and

10

deputation of staff to other banks / financial institutions in India and abroad.

o Supervision of internal control: The focus of supervision is getting

shifted from Transaction verification to system checking. Banks while implementing Basel II and Risk Management have to put in place sound internal control mechanism in all areas of risk. Supervisor during AFI, through off-site supervision and through Pillar 2 supervisory process required to critically examine the internal controls.

o Co-ordination between home country and host country supervision:

Cross-boarder financial supervision is a challenge for the supervisors as they have to deal with country specific regulations. It calls for a high degree of co-ordination between the supervisors for proper assessment of risk. a large number of players both under Public and Private sectors spread over a vast geographical area, through very few banks qualify to be internationally active banks as per the accord. Besides, these banks are under different stages with regard to the level of computerization, implementation of risk management systems and built up of historical data.

o Specific challenges in Indian Context: Indian banking system consists of

Conclusion: o The prescriptions in the Accord are huge and meaningful and it is a culmination of experience in handling risks at different geographies and under different cultural regimes. The Pillar II and Pillar III support the implementation of the Basel Accord. Banks would typically be required to integrate the management of risks, returns and capital. The initial investment may represent a short-term challenge. Overtime, however, the improvements in Risk Management will/should drive/enhance risk culture, reduce volatility of all risks, lower provisions for bad debts, reduce operational losses and thereby improving the Organizational rating and efficiency. The crux of the Accord is that the Capital is not a proxy/substitute for Risk Management. Capital requirement is always proportionate to the perfection or appropriateness of Risk Management practices. It is actually the imperfection in the risk management practices that determinates the demand for capital. Final words: It is not strongest species that survive, nor the most intelligent, but the ones most responsive to change Charles Darwin.

11