
Risk Assessment

Definition of Risk

The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.

Risk Management

Risks are perceived as any thing or event that could stand in the way of the organization achieving its objectives. Hence, risk management is not about being risk averse. Risk management is not aimed at avoiding risks. Its focus is on identifying, evaluating, controlling and mastering risks. Risk management also means taking advantage of opportunities and taking risks based on an informed decision and analysis of the outcomes.

Risk Assessment

Every organization, and all of its activities and entities, faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives.

This forms the basis for determining how the risks should be managed. Because economic, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Objectives

Objectives must be established before management can identify risks to their achievement and take necessary actions to manage the risks. Objective setting can be highly structured or informal. The objectives may be explicit or implied. At the highest level, objectives often are represented by the bank's mission or value statements.

These global objectives are linked and integrated with more specific objectives established for various "activities" and entities such as head office groups, branches, controlling offices etc.

Despite the diversity of objectives, certain broad categories can be established:
- Operations objectives
- Financial reporting objectives
- Compliance objectives

Risk Factors

External Factors:

- Economic changes
- Changes in competitors and their strategies
- New or changed legislation or regulations
- Technological developments
- Natural catastrophes

Internal Factors:

- New personnel
- New or revamped information systems
- Changes in management responsibilities
- Incompetent people given key responsibilities
- Poor human resource policies resulting in increased staff turnover and low morale

Risk Analysis

After risks have been identified they must be evaluated. This process, which may be more or less formal, usually includes:

- Estimating the significance of a risk
- Assessing the likelihood (or probability and frequency) of the risk occurring
- Considering how the risk should be managed; that is, an assessment of actions that could be taken and their relative costs to mitigate such risk.

Risk Rating Guide


Rating criterion: Importance to the bank
Guideline for assessment: How critical are these operations to achieving the bank's goals?

Rating criterion: Complexity of operations
Guideline for assessment: Assessment of complexity and transparency of business activity and results.

Rating criterion: IT dependence
Guideline for assessment: Complexity of IT systems and their impact on operations.

Risk Rating Guide (2)


Rating criterion: Quality, experience and integrity of personnel
Guideline for assessment: Are the personnel handling sensitive matters of significance affecting the bank competent, experienced and honest?

Rating criterion: Materiality
Guideline for assessment: Volumes and values of transactions processed in each area.

Risk Rating Guide (3)


Rating criterion: Record of control
Guideline for assessment: History of control problems/issues as per IA and other reports.

Rating criterion: Opportunity of fraud
Guideline for assessment: History of fraud and potential exposures for fraudulent activities considering the weaknesses in controls (consider all components of internal control).

Risk Rating Guide (4)


Rating criterion: Political/Public/Regulatory issues
Guideline for assessment: Are problems likely to become a major public issue or of serious importance to SBP?

Rating criterion: Management's risk perceptions
Guideline for assessment: Management's opinion of key risk areas.

Rating criterion: Changes to systems and business
Guideline for assessment: All major changes affect the control structure, and are therefore usually classified as high risk.

Risk Management

Managing change requires a constant assessment of risk and the impact on internal controls. All of the above factors create circumstances demanding special attention.

Banking Risks

Break-downs in Risk Management Systems.


Lapses in risk control often lead to substantial financial losses for a bank. Barings, Morgan Grenfell Asset Management, Daiwa and Sumitomo Corporation are some of the significant examples of institutions that lost huge sums of money as a result of failures in their control systems. In Pakistan, Mehran Bank, Bankers Equity, Indus Bank and, more recently, Prudential Commercial Bank are some of the examples of failures caused by break-downs in risk management systems that cost shareholders as well as deposit holders enormous amounts of money.

Massive and sometimes unanticipated corporate failures, catastrophes and debacles, natural and man-made, and recent accounting and reporting irregularities and deficiencies clearly highlight the importance of risk management systems. Tall buildings disappear in an instant and the entire multi-billion dollar shareholder value of a company evaporates. The conditions highlighted above underscore the need for and the importance of risk management in corporate governance.

What Is the Bank's Philosophy Towards Financial Risks?

Only the BOD can assess and allocate the risk bearing capacity of the bank, which in turn depends on the risk culture of the entity. The board must state clearly the bank's risk philosophy regarding financial risks. Once this is stated in black and white, the bank's senior management will be able to work out the bank's risk bearing capacity and formulate significant policies relating to the management and control of financial risks.

How Can the Board Foster a Risk Management Culture Within the Bank?

The board must clearly allocate management responsibilities among various senior managers to promote and ensure management accountability for risk control. Senior members must be made to realize that their jobs are on the line if there are major failures in control. The board must insist that senior managers place control issues at a par with other strategic business matters. Management accountability for internal controls can also be encouraged through comprehensive annual assessments and reporting on the risk management systems.

Key Risks Associated With Banking Activities


- Credit risk
- Country or transfer risk
- Replacement risk
- Settlement risk
- Market risk
- Modeling risk
- Interest rate risk
- Currency risk
- Liquidity risk
- Operational risk
- Legal and documentary risk
- Regulatory risk
- Fiduciary risk
- Reputation risk

Credit Risk
The risk that a customer or counter-party will not settle an obligation for full value, either when due or at any time thereafter. Credit risk, particularly from commercial lending, may be considered the central element of risk in banking operations. Credit risk arises from lending to individuals, companies, banks and governments. It also exists in assets other than loans, such as investments, balances due from other banks and in off-balance sheet commitments. Credit risk also appears in the form of country risk, replacement risk and settlement risk.

Principles for the management of Credit Risk

The above document, issued by the Basel Committee on Banking Supervision, sets out 17 principles to address five main areas:
- Establishing an appropriate credit risk environment;
- Operating under a sound credit granting process;
- Maintaining an appropriate credit administration, measurement and monitoring process;
- Ensuring adequate controls over credit risk; and
- Role of Supervisors.

Country or Transfer Risk


The risk of foreign customers and counterparties failing to settle their obligations due to economic, political and social factors of the foreign country and external to the customer or counter-party.

This means the risk of counter-

End User:

Replacement Risk
The risk of failure of a customer or counter-party to perform the terms of a contract. This failure creates the need to replace the failed transaction with another at the current market price. This may result in a loss to the bank equivalent to the difference between the contract price and the current market price.

Settlement Risk
The risk that one side of a transaction will be settled without value being received from the customer or counter-party. This will result in the loss to the bank of the full principal amount.

Market Risk
The risk of loss arising from adverse changes in market conditions, including interest rates, foreign exchange rates, equity and commodity prices and from movements in market prices of investments.

Modeling Risk
The risk associated with the imperfections and subjectivity of valuation models used to determine the values of assets or liabilities.

Interest Rate Risk


The risk of loss arising from the sensitivity of earnings to future movements in interest rates.

Currency Risk
The risk of loss arising from future movements in the exchange rates applicable to foreign currency assets, liabilities, rights and obligations.

Liquidity Risk
The risk of loss arising from the possibility of the bank not having sufficient funds to meet its obligations, from the bank's inability to access capital markets to raise required funds or from the bank's inability to unwind a position at market prices because of inadequate market depth or disruptions in the market place.

Operational Risk
The risk that deficiencies in information systems or internal controls will result in unexpected losses. Operational risk is associated with: human error, particularly when dealing with complex transactions; system failures due to inability to cope with volumes or nature of trading; and inadequate procedures and controls.

Operational Risk Arises Out Of:

(OR-1)

The need to process high volumes of transactions accurately within short time-frames. This need is almost always addressed through the large-scale use of CIS, with the resultant risks of:
- failure to process executed transactions within required time-frames, causing an inability to receive or make payments for those transactions;
- wide-scale error arising from a breakdown in internal control;
- loss of data arising from system failure;
- corruption of data arising from unauthorized interference with the system; and
- exposure to market risks arising from lack of reliable up-to-date financial information.

(OR-2)

The conduct of operations in a number of locations with a resultant geographic dispersion of transaction processing and internal controls. As a result: control breakdowns may occur and remain undetected and uncorrected because of the physical separation between management and those who handle the transactions.

(OR-3)

The need to monitor and manage significant exposures which can arise over short time-frames. The process of clearing transactions may cause a significant build-up of receivables and payables during a day, most of which are completed by the end of the day. This is ordinarily referred to as intra-day payment risk. The nature of these exposures can arise from transactions with customers and counter-parties and can include interest rate, currency and market risks.

(OR-4)

The dealing in large volumes of monetary items, including cash, negotiable instruments and transferable customer balances, with the resultant risk of loss arising from theft and fraud by employees or other parties.

(OR-5)

The use of high gearing (that is, high debt-to-equity ratios), which results in exposure to:
- the risk of significant erosion of capital resources as a result of a relatively small percentage loss in asset value; and
- the risk of being unable to obtain the funds required to maintain operations at a reasonable cost as a result of a loss of depositor confidence.

(OR-6)

The inherent complexity and volatility of the environment in which banks operate, resulting in the risk of inappropriate risk management strategies in relation to such matters as the development of new products and services.

(OR-7)

The need to adhere to laws and regulations. The failure to do so could result in exposure to sanctions in the nature of fines or operating restrictions.

Legal and Documentary Risk


The risk that contracts are documented incorrectly or are not legally enforceable in the relevant jurisdiction in which the contracts are booked or where the counterparties operate.

Regulatory Risk
The risk of loss arising from failure to comply with regulatory or legal requirements in the relevant jurisdiction in which the bank operates.

Fiduciary Risk
The risk of loss arising from factors such as failure to maintain safe custody or negligence in the management of assets on behalf of other parties.

Reputation Risk
The risk of losing business/income due to negative public opinion and damage to reputation arising from failure to properly manage some of the above risks, or from involvement in improper or illegal activities by the bank or its senior management, such as money laundering or attempts to cover up losses.

Risk Concentrations
Banking risks increase with the degree of concentration of a bank's exposure to any one customer, industry, geographic area or country. For example, a bank's loan portfolio may indicate large concentrations of credits to highly specialized industries, such as real estate, shipping and natural resources. Assessing the relevant risks may require a knowledge of the business and reporting practices of these industries.

Related Party Risks


Banks may be subject to additional risks arising from the nature of their ownership. For example, an owner or group of owners might try to interfere in the allocation of credit. In a closely held bank the owners may have significant influence on the bank's management, affecting their independence and judgment. Auditors assess such special risk.

Ensuring Integrity of Risk Management Systems.

Internal and external auditors play an important role in the risk management process of the bank by risk auditing, i.e., auditing and testing the risk management process and internal controls on a periodic basis. They must make sure that the systems are robust. If they uncover weaknesses or if there have been significant changes in the product line or market circumstances, then they must risk audit these internal systems more frequently.

Management's Responsibilities for Effective Risk Management System

1. Oversight of the control process by the Board.
2. Identification, measurement and monitoring of Risks through an independent risk management unit.
3. Appropriate control activities.
4. Effective monitoring activities.
5. Reliable information system.

Basel Committee on Banking Supervision Guidance Documents on Developing Effective Risk Management System.

1. Core Principles Methodology.
2. Enhancing Corporate Governance Framework in Banking Organizations.
3. Framework for Internal Control Systems in Banking Organizations.
4. Principle for Management of Credit Risk.
5. Risk Concentration Principles.

Audit Risks

Audit Risk
The risk that the auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated.

Auditor's Risk
The exposure to loss or injury to professional career from litigation, adverse publicity, or other events arising in connection with financial statements audited and reported on.

Types of Audit Risks

Inherent Risks: The susceptibility of an assertion to material misstatement in the financial statements in the absence of internal controls. In most cases a direct link exists between control risk and inherent risk.

Control Risk: The risk that material misstatement will not be detected / prevented on a timely basis by operations management through internal controls.

Detection Risks: The risk that substantive audit procedures performed will not detect a material misstatement.

Control Risk

- Appropriate management oversight
- Clear job description and assignment
- Adequate / proper record keeping
- Segregation of duties
- Appropriate system of approval of transactions
- Physical safeguard over cash & liquid instruments
- Documentation of transactions
- Mandatory vacations

Managing Audit Risks


Audit Risk Assessment Module

AR = IR x CR x DR

Where:
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk

The auditor should plan the engagement so that audit risk will be at a sufficiently low level before issuing an opinion on the financial statements. The risk assessment described above is purely for external audit; however, selective components or combinations of some components of this model can also be used by internal auditors.

Recommendations

- Increase professional skepticism by questioning and critically assessing audit evidence.
- Assign more experienced auditors who have the knowledge, skills and abilities commensurate with the increased risk of the assignments.
- Consider significant accounting policies.
- Modify the nature, timing and extent of audit procedures to obtain more reliable evidence, and use increased sample sizes or more extensive analytical procedures.
