OF

STRATEGIC MANAGEMENT
ON
CORPORATE STRATEGY: H. IGOR ANSOFF

SUBMITTED TO: SUBMITTED BY:

Dr. Pushpinder Gill Mehdeep Kaur
MBA-2(A)
58

Defining Risk:
Risk in financial institutions is the possibility that the outcome of an action or event could bring
up adverse impacts. Such outcomes could either result in a direct loss of earnings / capital or may
result in imposition of constraints on bank’s ability to meet its business objectives. Such
constraints pose a risk as these could hinder a bank's ability to conduct its ongoing business or to
take benefit of opportunities to enhance its business.

Types of Risks
Expected losses are those that the bank knows with reasonable certainty will occur (e.g., the
expected default rate of corporate loan portfolio or credit card portfolio) and are typically
reserved for in some manner.
Unexpected losses are those associated with unforeseen events (e.g. losses experienced by banks
in the aftermath of nuclear tests, Losses due to a sudden down turn in economy or falling interest
rates). Banks rely on their capital as a buffer to absorb such losses.

Risks are usually defined by the adverse impact on profitability of several distinct sources of
uncertainty. While the types and degree of risks an organization may be exposed to depend upon
a number of factors such as its size, complexity business activities, volume etc, it is believed that
generally the banks face Credit, Market, Liquidity, Operational, Compliance / legal / regulatory
and reputation risks. Before overarching these risk categories, given below are some basics about
risk Management and some guiding principles to manage risks in banking organization.

Risk Management.
Risk Management is a discipline at the core of every financial institution and encompasses all the
activities that affect its risk profile. It involves identification, measurement, monitoring and
controlling risks to ensure that
a) The individuals who take or manage risks clearly understand it.
b) The organization’s Risk exposure is within the limits established by Board of Directors.
c) Risk taking Decisions are in line with the business strategy and objectives set by BOD.
d) The expected payoffs compensate for the risks taken
e) Risk taking decisions are explicit and clear.
f) Sufficient capital as a buffer is available to take risk

The acceptance and management of financial risk is inherent to the business of banking and
banks’ roles as financial intermediaries. Risk management as commonly perceived does not mean
minimizing risk; rather the goal of risk management is to optimize risk-reward trade -off.
Notwithstanding the fact that banks are in the business of taking risk, it should be recognized that
an institution need not engage in business in a manner that unnecessarily imposes risk upon it:
nor it should absorb risk that can be transferred to other participants. Rather it should accept
those risks that are uniquely part of the array of bank’s services.

In every financial institution, risk management activities broadly take place simultaneously at
following different hierarchy levels.
.
a) Strategic level: It encompasses risk management functions performed by senior
management and BOD. For instance definition of risks, ascertaining institutions risk
appetite, formulating strategy and policies for managing risks and establish adequate
systems and controls to ensure that overall risk remain within acceptable level and the
reward compensate for the risk taken.

b) Macro Level: It encompasses risk management within a business area or across business
lines. Generally the risk management activities performed by middle management or units
devoted to risk reviews fall into this category.

c) Micro Level: It involves ‘On-the-line’ risk management where risks are actually created.
This is the risk management activities performed by individuals who take risk on
organization’s behalf such as front office and loan origination functions. The risk
management in those areas is confined to following operational procedures and guidelines
set by management.
Expanding business arenas, deregulation and globalization of financial activities emergence of
new financial products and increased level of competition has necessitated a need for an effective
and structured risk management in financial institutions. A bank’s ability to measure, monitor,
and steer risks comprehensively is becoming a decisive parameter for its strategic positioning.
The risk management framework and sophistication of the process, and internal controls, used to
manage risks, depends on the nature, size and complexity of institutions activities. Nevertheless,
there are some basic principles that apply to all financial institutions irrespective of their size and
complexity of business and are reflective of the strength of an individual bank's risk management
practices.

Risk Management framework.

A risk management framework encompasses the scope of risks to be managed, the
process/systems and procedures to manage risk and the roles and responsibilities of individuals
involved in risk management. The framework should be comprehensive enough to capture all
risks a bank is exposed to and have flexibility to accommodate any change in business activities.
An effective risk management framework includes

a) Clearly defined risk management policies and procedures covering risk identification,
acceptance, measurement, monitoring, reporting and control.

b) A well constituted organizational structure defining clearly roles and responsibilities of

individuals involved in risk taking as well as managing it. Banks, in addition to risk management
functions for various risk categories may institute a setup that supervises overall risk
management at the bank. Such a setup could be in the form of a separate department or bank’s
Risk Management Committee (RMC) could perform such function. The structure should be such
that ensures effective monitoring and control over risks being taken. The individuals responsible
for review function (Risk review, internal audit, compliance etc) should be independent from risk
taking units and report directly to board or senior management who are also not involved in risk
taking.
 c) There should be an effective management information system that ensures flow of
information from operational level to top management and a system to address any
exceptions observed. There should be an explicit procedure regarding measures to be
taken to address such deviations.

The framework should have a mechanism to ensure an ongoing review of systems, policies and
procedures for risk management and procedure to adopt changes.

Integration of Risk Management

Risks must not be viewed and assessed in isolation, not only because a single transaction might
have a number of risks but also one type of risk can trigger other risks. Since interaction of
various risks could result in diminution or increase in risk, the risk management process should
recognize and reflect risk interactions in all business activities as appropriate. While assessing
and managing risk the management should have an overall view of risks the

Risk Evaluation/Measurement.
Until and unless risks are not assessed and measured it will not be possible to control risks.
Further a true assessment of risk gives management a clear view of institution’s standing and
helps in deciding future action plan. To adequately capture institutions risk exposure, risk
measurement should represent aggregate exposure of institution both risk type and business line
and encompass short run as well as long run impact on institution. To the maximum possible
extent institutions should establish systems / models that quantify their risk profile, however, in
some risk categories such as operational risk, quantification is quite difficult and complex.
Wherever it is not possible to quantify risks, qualitative measures should be adopted to capture
those risks. Whilst quantitative measurement systems support effective decision-making, better
measurement does not obviate the need for well-informed, qualitative judgment. Consequently
the importance of staff having relevant knowledge and expertise cannot be undermined. Finally
any risk measurement framework, especially those which employ quantitative techniques/model,
is only as good as its underlying assumptions, the rigor and robustness of its analytical
methodologies, the controls surrounding data inputs and its appropriate application

Independent review.
One of the most important aspects in risk management philosophy is to make sure that those who
take or accept risk on behalf of the institution are not the ones who measure, monitor and
evaluate the risks. Again the managerial structure and hierarchy of risk review function may vary
across banks depending upon their size and nature of the business, the key is independence. To be
effective the review functions should have sufficient authority, expertise and corporate stature so
that the identification and reporting of their findings could be accomplished without any
hindrance. The findings of their reviews should be reported to business units, Senior
Management and, where appropriate, the Board.

Contingency planning.
Institutions should have a mechanism to identify stress situations ahead of time and plans to deal
with such unusual situations in a timely and effective manner. Stress situations to which this
principle applies include all risks of all types. For instance contingency planning activities
include disaster recovery planning, public relations damage control, litigation strategy,
responding to regulatory criticism etc. Contingency plans should be reviewed regularly to ensure
they encompass reasonably probable events that could impact the organization. Plans should be
tested as to the appropriateness of responses, escalation and communication channels and the
impact on other parts of the institution.

The Risks of Financial Institutions

Over the last twenty years, the consensus view of systemic risk in the financial system that
emerged in response to the banking crises of the 1930s and before has lost much of its
relevance. This view held that the main systemic problem is runs on solvent banks leading
to bank panics. But financial crises of the last two decades have not fit the mold. A new
consensus has yet to emerge, but financial institutions and regulators have considerably
broadened their assessment of the risks facing financial institutions. The dramatic rise of
modern risk management has changed how the risks of financial institutions are measured
and how these institutions are managed. However, modern risk management is not without
weaknesses that will have to be addressed.

Banks constantly deal with money and face a number of risks involving how much money they
have in their accounts, to whom they are issuing loans and when these loans are being paid back.
These risks can cause the bank to go out of business if not handled correctly, and bank
employees can face criminal charges if money is mishandled or lost.

 Repaying Creditors
Banks often use their clients' invested or deposited money to issue loans or make other types of
investments designed to make money for the bank. The bank pays their clients for renting their
money by giving them a small percentage of the interest rate the bank charges for loans.
However, if every bank client wanted to withdraw his money at the same time, a bank with
insufficient funds available would not be able to pay the money back to its all customers or
creditors. This could cause a bank to fail. This creditor panic is known as a run on a bank, and it
was a major reason America was sent into the Great Depression of the 1930s. At that time, there
was no system in place to ensure everyone would receive a certain amount of money back.

 Being Paid by Debtors

Banks regularly loan money to people or businesses, charging the borrower interest on the loan
and requiring monthly payments while allowing the borrower an extended period to pay back the
loan. The banks make money based on interest rates they charge and other fees. However, the
bank may lose money if the loan is not paid back. While a bank can destroy someone's credit and
take legal action against the borrower, the loan remains a financial risk. This is why banks need
knowledgeable and perceptive loan officers to decide who should be issued loans.
  Human or Electronic Error
Banks operate like other companies, which means electronic equipment and human judgment are
involved. Errors can be made, sometimes for large sums of money that can be costly to the bank.
For example, according to a 2009 report on the ABC News website, a couple in New Zealand
obtained $8 million in a bank error and fled the country, essentially stealing the money and
costing the bank a large amount of money. While this rarely happens, banks are vulnerable to this
type of risk.

Types of risks faced by financial Institutions

There are number of risks that an MFI has to face these risks could be of delinquencies, frauds,
staff turnover, interest rate changes, liquidity, regulatory etc.

But all these risks can broadly be classified into four major categories;

1. Credit risk
2.Operational risk
3. Market risk and
4. Strategic risk

• Credit Risk
Credit risk arises from the potential that an obligor is either unwilling to perform on an
obligation or its ability to perform such obligation is impaired resulting in economic loss to
the bank.
In a bank’s portfolio, losses stem from outright default due to inability or unwillingness of a
customer or counter party to meet commitments in relation to lending, trading, settlement and
other financial transactions. Alternatively losses may result from reduction in portfolio value due
to actual or perceived deterioration in credit quality. Credit risk emanates from a bank’s dealing
with individuals, corporate, financial institutions or a sovereign. For most banks, loans are the
largest and most obvious source of credit risk; however, credit risk could stem from activities
both on and off balance sheet.
In addition to direct accounting loss, credit risk should be viewed in the context of economic
exposures. This encompasses opportunity costs, transaction costs and expenses associated with a
non-performing asset over and above the accounting loss.

Credit risk can be further sub-categorized on the basis of reasons of default. For instance the
default could be due to country in which there is exposure or problems in settlement of a
transaction.

Credit risk not necessarily occurs in isolation. The same source that endangers credit risk for the
institution may also expose it to other risk. For instance a bad portfolio may attract liquidity
problem.

Measuring credit risk.

The measurement of credit risk is of vital importance in credit risk management. A number of
qualitative and quantitative techniques to measure risk inherent in credit portfolio are evolving.
To start with, banks should establish a credit riskrating framework across all type of credit
activities. Among other things, the rating framework may, incorporate:

Business Risk
• Industry Characteristics
• Competitive Position (e.g. marketing/technological edge)
• Management
Financial Risk
• Financial condition
• Profitability
• Capital Structure
• Present and future Cash flows
Internal Risk Rating.
Credit risk rating is summary indicator of a bank’s individual credit exposure. An internal rating
system categorizes all credits into various classes on the basis of underlying credit quality. A
well-structured credit rating framework is an important tool for monitoring and controlling risk
inherent in individual credits as well as in credit portfolios of a bank or a business line. The
importance of internal credit rating framework becomes more eminent due to the fact that
historically major losses to banks stemmed from default in loan portfolios. While a number of
banks already have a system for rating individual credits in addition to the risk categories
prescribed by SBP, all banks are encouraged to devise an internal rating framework. An internal
rating framework would facilitate banks in a number of ways such as:

a) Credit selection
b) Amount of exposure
c) Tenure and price of facility
d) Frequency or intensity of monitoring
e) Analysis of migration of deteriorating credits and more accurate computation of future loan
loss provision
f) Deciding the level of Approving authority of loan.

Systems and Procedures

Credit Origination.
Banks must operate within a sound and well-defined criteria for new credits as well as the
expansion of existing credits. Credits should be extended within the target markets and lending
strategy of the institution. Before allowing a credit facility, the bank must make an assessment of
risk profile of the customer/transaction. This may include

a) Credit assessment of the borrower’s industry, and macro economic factors.

b) The purpose of credit and source of repayment.
c) The track record / repayment history of borrower.
d) Assess/evaluate the repayment capacity of the borrower.
e) The Proposed terms and conditions and covenants.
f) Adequacy and enforceability of collaterals.
g) Approval from appropriate authority

In case of new relationships consideration should be given to the integrity and repute of the
borrowers or counter party as well as its legal capacity to assume the liability. Prior to entering
into any new credit relationship the banks must become familiar with the borrower or counter
party and be confident that they are dealing with individual or organization of sound repute and
credit worthiness. However, a bank must not grant credit simply on the basis of the fact that the
borrower is perceived to be highly reputable i.e. name lending should be discouraged.

While structuring credit facilities institutions should appraise the amount and timing of the cash
flows as well as the financial position of the borrower and intended purpose of the funds. It is
utmost important that due consideration should be given to the risk reward trade –off in granting
a credit facility and credit should be priced to cover all embedded costs. Relevant terms and
conditions should be laid down to protect the institution’s interest.

Institutions have to make sure that the credit is used for the purpose it was borrowed. Where the
obligor has utilized funds for purposes not shown in the original proposal, institutions should
take steps to determine the implications on creditworthiness. In case of corporate loans where
borrower own group of companies such diligence becomes more important. Institutions should
classify
such connected companies and conduct credit assessment on consolidated/group basis.

In loan syndication, generally most of the credit assessment and analysis is done by the lead
institution. While such information is important, institutions should not over rely on that. All
syndicate participants should perform their own independent analysis and review of syndicate
terms.

Managing credit risk

Institution should not over rely on collaterals / covenant. Although the importance of collaterals
held against loan is beyond any doubt, yet these should be considered as a buffer providing
protection in case of default, primary focus should be on obligor’s debt servicing ability and
reputation in the market.

Limit setting
An important element of credit risk management is to establish exposure limits for single
obligors and group of connected obligors. Institutions are expected to develop their own limit
structure while remaining within the exposure limits set by State Bank of Pakistan. The size of
the limits should be ba sed on the credit strength of the obligor, genuine requirement of credit,
economic conditions and the institution’s risk tolerance. Appropriate limits should be set for
respective products and activities. Institutions may establish limits for a specific industry,
economic sector or geographic regions to avoid concentration risk.

Sometimes, the obligor may want to share its facility limits with its related companies.
Institutions should review such arrangements and impose necessary limits if the transactions are
frequent and significant

Credit limits should be reviewed regularly at least annually or more frequently if obligor’s credit
quality deteriorates. All requests of increase in credit limits should be substantiated.

Credit Administration.
Ongoing administration of the credit portfolio is an essential part of the credit process. Credit
administration function is basically a back office activity that support and control extension and
maintenance of credit. A typical credit administration unit performs following functions:

a. Documentation. It is the responsibility of credit administration to ensure completeness of

documentation (loan agreements, guarantees, transfer of title of collaterals etc) in
accordance with approved terms and conditions. Outstanding documents should be
tracked and followed up to ensure execution and receipt.
b. Credit Disbursement. The credit administration function should ensure that the loan
 application has proper approval before entering facility limits into computer systems.
Disbursement should be effected only after completion of covenants, and receipt of
collateral holdings. In case of exceptions necessary approval should be obtained from
competent authorities.
c. Credit monitoring. After the loan is approved and draw down allowed, the loan should
be continuously watched over. These include keeping track of borrowers’ compliance
with credit terms, identifying early signs of irregularity, conducting periodic valuation of
collateral and monitoring timely repayments.
d. Loan Repayment. The obligors should be communicated ahead of time as and when the
principal/markup installment becomes due. Any exceptions such as non-payment or late
payment should be tagged and communicated to the management. Proper records and
updates should also be made after receipt.
e. Maintenance of Credit Files. Institutions should devise procedural guidelines and
standards for maintenance of credit files. The credit files not only include all
correspondence with the borrower but should also contain sufficient information
necessary to assess financial health of the borrower and its repayment performance. It
need not mention that information should Managing credit risk be filed in organized way
so that external / internal auditors or SBP inspector could review it easily.
f. Collateral and Security Documents. Institutions should ensure that all security
documents are kept in a fireproof safe under dual control. Registers for documents should
be maintained to keep track of their movement. Procedures should also be established to
track and review relevant insurance coverage for certain facilities/collateral. Physical
checks on security documents should be conducted on a regular basis.
While in small Institutions it may not be cost effective to institute a separate credit administrative
set-up, it is important that in such institutions individuals performing sensitive functions such as
custody of key documents, wiring out funds, entering limits into system, etc., should report to
managers who are independent of business origination and credit approval process.

• Market Risk
It is the risk that the value of on and off-balance sheet positions of a financial institution will be
adversely affected by movements in market rates or prices such as interest rates, foreign
exchange rates, equity prices, credit spreads and/or commodity prices resulting in a loss to
earnings and capital.

Financial institutions may be exposed to Market Risk in variety of ways. Market risk exposure
may be explicit in portfolios of securities / equities and instruments that are actively traded.
Conversely it may be implicit such as interest rate risk due to mismatch of loans and deposits.
Besides, market risk may also arise from activities categorized as off-balance sheet item.
Therefore market risk is potential for loss resulting from adverse movement in market risk
factors such as interest rates, forex rates, equity and commodity prices. The risk arising from
these factors have been discussed on following pages.

Interest rate risk:

Interest rate risk arises when there is a mismatch between positions, which are subject to interest
rate adjustment within a specified period. The bank’s lending, funding and investment activities
give rise to interest rate risk. The immediate impact of variation in interest rate is on bank’s net
interest income, while a long term impact is on bank’s net worth since the economic value of
bank’s assets, liabilities and off-balance sheet exposures are affected. Consequently there are two
common perspectives for the assessment of interest rate risk

a) Earning perspective: In earning perspective, the focus of analysis is the impact of variation in
interest rates on accrual or reported earnings. This is a traditional approach to interest rate risk
assessment and obtained by measuring the changes in the Net Interest Income (NII) or Net
Interest
Margin (NIM) i.e. the difference between the total interest income and the total interest expense.

b) Economic Value perspective: It reflects the impact of fluctuation in the interest rates on
economic value of a financial institution. Economic value of the bank can be viewed as the
present value of future cash flows. In this respect economic value is affected both by changes in
future cash flows and discount rate used for determining present value. Economic value
perspective considers the potential longer-term impact of interest rates on an institution.
Sources of interest rate risks:
Interest rate risk occurs due to
(1) differences between the timing of rate changes and the timing of cash flows (re-pricing
risk); (2) changing rate relationships among different yield curves effecting bank activities (basis
risk);
(3) changing rate relationships across the range of maturities (yield curve risk);
(4) interest-related options embedded in bank products (options risk).

Foreign Exchange Risk:

It is the current or prospective risk to earnings and capital arising from adverse movements in
currency exchange rates. It refers to the impact of adverse movement in currency exchange rates
on the value of open foreign currency Managing market risk position. The banks are also
exposed to interest rate risk, which arises from the maturity mismatching of foreign currency
positions. Even in cases where spot and forward positions in individual currencies are balanced,
the maturity pattern of forward transactions may produce mismatches. As a result, banks may
suffer losses due to changes in discounts of the currencies concerned. In the foreign exchange
business, banks also face the risk of default of the counter parties or settlement risk. While such
type of risk crystallization does not cause principal loss, banks may have to undertake fresh
transactions in the cash/spot market for replacing the failed transactions. Thus, banks may incur
replacement cost, which depends upon the currency rate movements. Banks also face another
risk called time-zone risk, which arises out of time lags in settlement of one currency in one
center and the settlement of another currency in another time zone. The forex transactions with
counter parties situated outside Pakistan also involve sovereign or country risk.

Risk measurement
Accurate and timely measurement of market risk is necessary for proper risk management and
control. Market risk factors that affect the value of traded portfolios and the income stream or
value of non-traded portfolio and other business activities should be identified and quantified
using data that can be directly observed in markets or implied from observation or history. While
there is a wide range of risk measurement techniques ranging from static measurement
techniques (Gap analysis) to highly sophisticated dynamic modeling (Monte Carlo Simulation),
the banks may employ any technique depending upon the nature size and complexity of the
business and most important the availability and integrity of data. Banks may adopt multiple risk
measurement methodologies to capture market risk in various business activities; however
management should have an integrated view of overall market risk across products and business
lines. The measurement system ideally should

a) Assess all material risk factors associated with a bank's assets, liabi lities, and Off Balance
sheet positions.
b) Utilize generally accepted financial concepts and risk measurement techniques.
c) Have well documented assumptions and parameters. It is important that the assumptions
underlying the system are clearly understood by risk managers and top management.

Risk Control.
Bank’s internal control structure ensures the effectiveness of process relating to market risk
management. Establishing and maintaining an effective system of controls including the
enforcement of official lines of authority and appropriate segregation of duties, is one of the
management’s most important responsibilities. Persons responsible for risk monitoring and
control procedures should be independent of the functions they review. Key elements of internal
control process include internal audit and review and an effective risk limit structure.

Audit
Banks need to review and validate each step of market risk measurement process. This review
function can be performed by a number of units in the organization including internal
audit/control department or ALCO support staff. In small banks, external auditors or consultants
can perform the function. The audit or review should take into account.

a) The appropriateness of bank’s risk measurement system given the nature, scope and
complexity of bank’s activities
b) The accuracy or integrity of data being used in risk models.
c) The reasonableness of scenarios and assumptions
d) The validity of risk measurement calculations.

Risk limits
As stated earlier it is the board that has to determine bank’s overall risk appetite and exposure
limit in relation to its market risk strategy. Based on these tolerances the senior management
should establish appropriate risk limits. Risk limits for business units, should be compatible with
the institution’s strategies, risk management systems and risk tolerance. The limits should be
approved and periodically reviewed by the Board of Directors and/or senior management, with
changes in market Conditions or resources prompting a reassessment of limits. Institutions need
to ensure consistency between the different types of limits.

a) Gap Limits: The gap limits expressed in terms of interest sensitive ratio for a given time
band aims at managing potential exposure to a bank’s earnings / capital due to changes in
interest rates. Setting such limits is useful way to limit the volume of a bank’s repricing
exposures and is an adequate and effective method of communicating the risk profile of
the bank to senior management. Such gap limits can be set on a net notional basis (net of
asset / liability amounts for both on and off balance sheet items) or a duration-weighted
basis, in each time band. (Duration is the weighted average term to maturity of a
security’s cash flow. For instance a Rs 100 5 year 8% (semi Annual) coupon bond having
yield of 8% will have a duration of 4.217 years as already explained in the footnotes).
b) Factor Sensitivity Limits: The factor sensitivity of interest rate position is calculated by
discounting the position using current market interest rate and then using the current
market interest rate increase or decrease by one basis point. The difference in the two
values known as factor sensitivity is the potential for loss given one basis point change in
interest rate. Banks may introduce such limits for each time band as well as total exposure
across all time bands. The factor sensitivity limit or PV01 limit measures the change in
portfolio present value given one basis point fluctuation in underlying interest rate.

Banks also need to set limits, including operational limits, for the different trading desks and/or
traders which may trade different products, instruments and in different markets, such as
different industries and regions. Limits need to be clearly understood, and any changes clearly
communicated to all relevant parties. Risk Taking Units must have procedures that monitor
activity to ensure that they remain within approved limits at all times.

Limit breaches or exceptions should be made known to appropriate senior management without
delay. There should be explicit policy as to how such breaches are to be reported to top
management and the actions to be taken.

• Liquidity Risk
Liquidity risk is the potential for loss to an institution arising from either its inability to meet its
obligations or to fund increases in assets as they fall due without incurring unacceptable cost or
losses.
Liquidity risk is considered a major risk for banks. It arises when the cushion provided by the
liquid assets are not sufficient enough to meet its obligation. In such a situation banks often meet
their liquidity requirements from market. However conditions of funding through market depend
upon liquidity in the market and borrowing institution’s liquidity. Accordingly an institution
short of liquidity may have to undertake transaction at heavy cost resulting in a loss of earning or
in worst case scenario the liquidity risk could result in bankruptcy of the institution if it is unable
to undertake transaction even at current market prices.

Banks with large off-balance sheet exposures or the banks, which rely heavily on large corporate
deposit, have relatively high level of liquidity risk. Further the banks experiencing a rapid growth
in assets should have major concern for liquidity.

Liquidity risk may not be seen in isolation, because financial risk are not mutually exclusive and
liquidity risk often triggered by consequence of these other financial risks such as credit risk,
market risk etc. For instance, a bank increasing its credit risk through asset concentration etc may
be increasing its liquidity risk as well. Similarly a large loan default or changes in interest rate
can adversely impact a bank’s liquidity position. Further if management misjudges the impact on
liquidity of entering into a new business or product line, the bank’s strategic risk would increase.
Early Warning indicators of liquidity risk.
An incipient liquidity problem may initially reveal in the bank's financial monitoring system as a
downward trend with potential long-term consequences for earnings or capital. Given below are
some early warning indicators that not necessarily always lead to liquidity problem for a bank;
however these have potential to ignite such a problem. Consequently management needs to
watch
carefully such indicators and exercise further scrutiny/analysis wherever it deems appropriate.
Examples of such internal indicators are:

a) A negative trend or significantly increased risk in any area or product line.

b) Concentrations in either assets or liabilities.
c) Deterioration in quality of credit portfolio.
d) A decline in earnings performance or projections.
e) Rapid asset growth funded by volatile large deposit.
f) A large size of off-balance sheet exposure.
g) Deteriorating third party evaluation about the bank

A liquidity risk management involves not only analyzing banks on and off-balance sheet
positions to forecast future cash flows but also how the funding requirement would be met. The
later involves identifying the funding market the bank has access, understanding the nature of
those markets, evaluating banks current and future use of the market and monitor signs of
confidence erosion.

The formality and sophistication of risk management processes established to manage liquidity
risk should reflect the nature, size and complexity of an institution’s activities. Sound liquidity
risk management employed in measuring, monitoring and controlling liquidity risk is critical to
the viability of any institution. Institutions should have a thorough understanding of the factors
that could give rise to liquidity risk and put in place mitigating controls.
Liquidity Risk Strategy:
The liquidity risk strategy defined by board should enunciate specific policies on particular
aspects of liquidity risk management, such as:

a. Composition of Assets and Liabilities. The strategy should outline the mix of assets and
liabilities to maintain liquidity. Liquidity risk management and asset/liability
management should be integrated to avoid steep costs associated with having to rapidly
reconfigure the asset liability profile from maximum profitability to increased liquidity.
b. Diversification and Stability of Liabilities. A funding concentration exists when a
single decision or a single factor has the potential to result in a significant and sudden
withdrawal of funds. Since such a situation could lead to an increased risk, the Board of
Directors and senior management should specify guidance relating to funding sources and
ensure that the bank have a diversified sources of funding day-to-day liquidity
requirements. An institution would be more resilient to tight market liquidity conditions if
its liabilities were derived from more stable sources. To comprehensively analyze the
stability of liabilities/funding sources the bank need to identify:

• Liabilities that would stay with the institution under any circumstances;
• Liabilities that run-off gradually if problems arise; and
• That run-off immediately at the first sign of problems.
c. Access to Inter-bank Market. The inter-bank market can be important source of
liquidity. However, the strategies should take into account the fact that in crisis situations
access to interbank market could be difficult as well as costly.

The liquidity strategy must be documented in a liquidity policy, and communicated throughout
the institution. The strategy should be evaluated periodically to ensure that it remains valid.

The institutions should formulate liquidity policies, which are recommended by senior
management/ALCO and approved by the Board of Directors (or head office). While specific
details vary across institutions according to the nature of their business, the key elements of any
liquidity policy include:

General liquidity strategy (short- and long-term), specific goals and objectives in relation to
liquidity risk management, process for strategy formulation and the level within the institution it
is approved;
• Roles and responsibilities of individuals performing liquidity risk management functions,
including structural balance sheet management, pricing, marketing, contingency planning,
management reporting, lines of authority and responsibility for liquidity decisions;
• Liquidity risk management structure for monitoring, reporting and reviewing liquidity;
• Liquidity risk management tools for identifying, measuring, monitoring and controlling
liquidity risk (including the types of liquidity limits and ratios in place and rationale for
establishing limits and ratios);
• Contingency plan for handling liquidity crises.

To be effective the liquidity policy must be communicated down the line throughout in the
organization. It is important that the Board and senior management/ALCO review these policies
at least annually and when there are any material changes in the institution’s current and
prospective liquidity risk profile. Such changes could stem from internal circumstances (e.g.
changes in business focus) or external circumstances (e.g. changes in economic conditions).
Reviews provide the opportunity to fine tune the institution’s liquidity policies in light of the
institution’s liquidity management experience and development of its business. Any significant
or frequent exception to the policy is an important barometer to gauge its effectiveness and any
potential impact on banks liquidity risk profile.

Institutions should establish appropriate procedures and processes to implement their liquidity
policies. The procedural manual should explicitly narrate the necessary operational steps and
processes to execute the relevant liquidity risk controls. The manual should be periodically
reviewed and updated to take into account new activities, changes in risk management
approaches and systems.
Liquidity Risk Management Process
Besides the organizational structure discussed earlier, an effective liquidity risk management
include systems to identify, measure, monitor and control its liquidity exposures. Management
should be able to accurately identify and quantify the primary sources of a bank's liquidity risk in
a timely manner. To properly identify the sources, management should understand both existing
as well as future risk that the institution can be exposed to. Management should always be alert
for new sources of liquidity risk at both the transaction and portfolio levels.

Key elements of an effective risk management process include an efficient MIS, systems to
measure, monitor and control existing as well as future liquidity risks and reporting them to
senior management.

Management Information System.

An effective management information system (MIS) is essential for sound liquidity management
decisions. Information should be readily available for dayto- day liquidity management and risk
control, as well as during times of stress. Data should be appropriately consolidated,
comprehensive yet succinct, focused, and available in a timely manner. Ideally, the regular
reports a bank generates will enable it to monitor liquidity during a crisis; managers would
simply have to prepare the reports more frequently. Managers should keep crisis monitoring in
mind when developing liquidity MIS. There is usually a trade -off between accuracy and
timeliness. Liquidity problems can arise very quickly, and effective liquidity management may
require daily internal reporting. Since bank liquidity is primarily affected by large, aggregate
principal cash flows, detailed information on every transaction may not improve analysis.

Management should develop systems that can capture significant information. The content and
format of reports depend on a bank's liquidity management practices, risks, and other
characteristics. However, certain information can be effectively presented through standard
reports such as "Funds Flow Analysis," and "Contingency Funding Plan Summary". These
reports should be tailored to the bank's needs. Other routine reports may include a list of large
funds providers, a cash flow or funding gap report, a funding maturity schedule, and a limit
monitoring and exception report. Day-to-day management may require more detailed
information, depending on the complexity of the bank and the risks it undertakes. Management
should regularly consider how best to summarize complex or detailed issues for senior
management or the board. Beside s other types of information important for managing day-to-
day activities and for understanding the bank's inherent liquidity risk profile include:

a) Asset quality and its trends.

b) Earnings projections.
c) The bank's general reputation in the market and the condition of the market itself.
d) The type and composition of the overall balance sheet structure.
e) The type of new deposits being obtained, as well as its source, maturity, and price.
As far as information system is concerned, various units related to treasury activities, the dealing,
the treasury operation & risk management cell/department should be integrated. Furthermore,
management should ensure proper and timely flow of information among front office, back
office and middle office in an integrated manner; however, their reporting lines should be kept
separate to ensure independence of these functions.

Liquidity Risk Measurement and Monitoring

An effective measurement and monitoring system is essential for adequate management of
liquidity risk. Consequently banks should institute systems that enable them to capture liquidity
risk ahead of time, so that appropriate remedial measures could be prompted to avoid any
significant losses. It needs not mention that banks vary in relation to their liquidity risk
(depending upon their size and complexity of business) and require liquidity risk measurement
techniques accordingly. For instance banks having large networks may have access to low cost
stable deposit, while small banks have significant reliance on large size institution deposits.
However, abundant liquidity does not obviate the need for a mechanism to measure and monitor
liquidity profile of the bank. An effective liquidity risk measurement and monitoring system not
only helps in managing liquidity in times of crisis but also optimize return through efficient
utilization of available funds. Discussed below are some (but not all) commonly used liquidity
measurement and monitoring techniques that may be adopted by the banks.
Internal Controls
In order to have effective implementation of policies and procedures, banks should institute
review process that should ensure the compliance of various procedures and limits prescribed by
senior management. Persons independent of the funding areas should perform such reviews
regularly. The bigger and more complex the bank, the more thorough should be the review.
Reviewers should verify the level of liquidity risk and management’s compliance with limits and
operating procedures. Any exception to that should be reported immediately to senior
management / board and necessary actions should be taken.

Monitoring and Reporting Risk Exposures

Senior management and the board, or a committee thereof, should receive reports on the level
and trend of the bank's liquidity risk at least quarterly. A recent trend in liquidity monitoring is
incremental reporting, which monitors liquidity through a series of basic liquidity reports during
stable funding periods but ratchets up both the frequency and detail included in the reports
produced during periods of liquidity stress. From these reports, senior management and the board
should learn how much liquidity risk the bank is assuming, whether management is complying
with risk limits, and whether management’s strategies are consistent with the board's expressed
risk tolerance. The sophistication or detail of the reports should be commensurate with the
complexity of the bank.

• Operational Risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people
and system or from external events.
Operational risk is associated with human error, system failures and inadequate procedures and
controls. It is the risk of loss arising from the potential that inadequate information system;
technology failures, breaches in internal controls, fraud, unforeseen catastrophes, or other
operational problems may result in unexpected losses or reputation problems. Operational risk
exists in all products and business activities.
Operational risk event types that have the potential to result in substantial losses includes Internal
fraud, External fraud, employment practices and workplace safety, clients, products and business
practices, business disruption and system failures, damage to physical assets, and finally
execution, delivery and process management.

The objective of operational risk management is the same as for credit, market and liquidity risks
that is to find out the extent of the financial institution’s operational risk exposure; to understand
what drives it, to allocate capital against it and identify trends internally and externally that
would help predicting it. The management of specific operational risks is not a new practice; it
has always been important for banks to try to prevent fraud, maintain the integrity of internal
controls, and reduce errors in transactions processing, and so on. However, what is relatively new
is the view of operational risk management as a comprehensive practice comparable to the
management of credit and market risks in principles. Failure to understand and manage
operational risk, which is present in virtually all banking transactions and activities, may greatly
increase the likelihood that some risks will go unrecognized and uncontrolled.

Operational Risk Management Principles.

There are 6 fundamental principles that all institutions, regardless of their size or complexity,
should address in their approach to operational risk management.
a) Ultimate accountability for operational risk management rests with the board, and the level of
risk that the organization accepts, together with the basis for managing those risks, is driven from
the top down by those charged with overall responsibility for running the business.
b) The board and executive management should ensure that there is an effective, integrated
operational risk management framework. This should incorporate a clearly defined
organizational structure, with defined roles and responsibilities for all aspects of operational risk
management/monitoring and appropriate tools that support the identification, assessment, control
and reporting of key risks.
c) Board and executive management should recognize, understand and have defined all
categories of operational risk applicable to the institution. Furthermore, they should ensure that
their operational risk management framework adequately covers all of these categories of
operational risk, including those that do not readily lend themselves to measurement.
d) Operational risk policies and procedures that clearly define the way in which all aspects of
operational risk are managed should be documented and communicated. These operational risk
management policies and procedures should be aligned to the overall business strategy and
should support the continuous improvement of risk management.
e) All business and support functions should be an integral part of the overall operational risk
management framework in order to enable the institution to manage effectively the key
operational risks facing the institution.
f) Line management should establish processes for the identification, assessment, mitigation,
monitoring and reporting of operational risks that are appropriate to the needs of the institution,
easy to implement, operate consistently over time and support an organizational view of
operational risks and material failures.

Operational Risk Function

A separate function independent of internal audit should be established for effective management
of operational risks in the bank. Such a functional set up would assist management to understand
and effectively manage operational risk. The function would assess, monitor and report
operational risks as a whole and ensure that the management of operational risk in the bank is
carried out as per strategy and policy.

To accomplish the task the function would help establish policies and standards and coordinate
various risk management activities. Besides, it should also provide guidance relating to various
risk management tools, monitors and handle incidents and prepare reports for management and
BOD.

Risk Assessment and Quantification

Banks should identify and assess the operational risk inherent in all material products, activities,
processes and systems and its vulnerability to these risks. Banks should also ensure that before
new products, activities, processes and systems are introduced or undertaken, the operational risk
inherent in them is subject to adequate assessment procedures. While a number of techniques are
evolving, operating risk remains the most difficult risk category to quantify. It would not be
feasible at the moment to expect banks to develop such measures. However the banks could
systematically track and record frequency, severity and other information on individual loss
events. Such a data could provide meaningful information for assessing the bank’s exposure to
operational risk and developing a policy to mitigate / control that risk.

Risk Management and Mitigation of Risks

Management need to evaluate the adequacy of countermeasures, both in terms of their
effectiveness in reducing the probability of a given operational risk, and of their effectiveness in
reducing the impact should it occur. Where necessary, steps should be taken to design and
implement cost-effective solutions to reduce the operational risk to an acceptable level. It is
essential that ownership for these actions be assigned to ensure that they are initiated. Risk
management and internal control procedures should be established by the business units, though
guidance from the risk function may be required, to address operational risks. While the extent
and nature of the controls adopted by each institution will be di fferent, very often such measures
encompass areas such as Code of Conduct, Delegation of authority, Segregation of duties, audit
coverage, compliance, succession planning, mandatory leave, staff compensation, recruitment
and training, dealing with customers, complaint handling, record keeping, MIS, physical
controls, etc

Risk Monitoring.
An effective monitoring process is essential for adequately managing operational risk. Regular
monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in
the policies, processes and procedures for managing operational risk. Promptly detecting and
addressing these deficiencies can substantially reduce the potential frequency and/or severity of a
loss. There should be regular reporting of pertinent information to senior management and the
board of directors that supports the proactive management of operational risk. Senior
Management should establish a programme to:
a) Monitor assessment of the exposure to all types of operational risk faced by the institution;

b) Assess the quality and appropriateness of mitigating actions, including the extent to which
identifiable risks can be transferred outside the institution; and

c) Ensure that adequate controls and systems are in place to identify and address problems before

they become major concerns. It is essential that:

i) Responsibility for the monitoring and controlling of operational risk should follow the same

type of organizational structure that has been adopted for other risks, including market and credit

risk;

ii) Senior Management ensure that an agreed definition of operational risk together with a

mechanism for monitoring, assessing and reporting it is designed and implemented; and

iii) This mechanism should be appropriate to the scale of risk and activity undertaken.

Operational risk metrics or “Key Risk Indicators” (KRIs) should be established for operational
risks to ensure the escalation of significant risk issues to appropriate management levels. KRIs
are most easily established during the risk assessment phase. Regular reviews should be carried
out by internal audit, or other qualified parties, to analyze the control environment and test the
effectiveness of implemented controls, thereby ensuring business operations are conducted in a
controlled manner.

Risk Reporting
Management should ensure that information is received by the appropriate people, on a timely
basis, in a form and format that will aid in the monitoring and control of the business. The
reporting process should include information such as:
• The critical operational risks facing, or potentially facing, the institution;

• Risk events and issues together with intended remedial actions;

• The effectiveness of actions taken;

• Details of plans formulated to address any exposures where appropriate;

• Areas of stress where crystallization of operational risks is imminent; and

 • The status of steps taken to address operational risk.

Establishing Control Mechanism.

Although a framework of formal, written policies and procedures is critical, it needs to be
reinforced through a strong control culture that promotes sound risk management practices.
Banks should have policies, processes and procedures to control or mitigate material operational
risks. Banks should assess the feasibility of alternative risk limitation and control strategies and
should adjust their operational risk profile using appropriate strategies, in light of their overall
risk appetite and profile. To be effective, control activities should be an integral part of the
regular activities of a bank.

Contingency planning
Banks should have in place contingency and business continuity plans to ensure their ability to
operate as going concerns and minimize losses in the event of severe business disruption.