
ARM Solved Papers

Advanced Risk Management

Uploaded by

bellybum2021

ARM WINTER 2018

Q1. Briefly discuss the FIVE fundamental principles of Operational Risk Management, as per SBP’s
guidelines? (5 Marks)
There are 6 fundamental principles that all institutions, regardless of their size or complexity, should address in
their approach to operational risk management.
a) Ultimate accountability for operational risk management rests with the board, and the level of risk that the
organization accepts, together with the basis for managing those risks, is driven from the top down by those
charged with overall responsibility for running the business.
b) The board and executive management should ensure that there is an effective, integrated operational risk
management framework. This should incorporate a clearly defined organizational structure, with defined roles
and responsibilities for all aspects of operational risk management/monitoring and appropriate tools that
support the identification, assessment, control and reporting of key risks.
c) Board and executive management should recognize, understand and have defined all categories of
operational risk applicable to the institution. Furthermore, they should ensure that their operational risk
management framework adequately covers all of these categories of operational risk, including those that do
not readily lend themselves to measurement.
d) Operational risk policies and procedures that clearly define the way in which all aspects of operational risk
are managed should be documented and communicated. These operational risk management policies and
procedures should be aligned to the overall business strategy and should support the continuous improvement
of risk management.
e) All business and support functions should be an integral part of the overall operational risk management
framework in order to enable the institution to manage effectively the key operational risks facing the
institution.
f) Line management should establish processes for the identification, assessment, mitigation, monitoring and
reporting of operational risks that are appropriate to the needs of the institution, easy to implement, operate
consistently over time and support an organizational view of operational risks and material failures.

Q2. The senior management of ‘ABC’ Bank is considering to implement an Operational Risk Management
Framework and have asked you to provide the guidance with respect to key elements for a successful
implementation. Explain in detail at least FIVE key elements that are a prerequisite for the successful
implementation in this regard? (10 Marks)
The bank should develop, implement and maintain Operational Risk Management Framework which should be
integrated into bank’s overall risk management processes. The framework should be documented, duly
approved by the board and at the minimum should:
i. Define the terms “operational risk” and “operational loss”.
ii. Identify governance structure, reporting lines, responsibilities and accountabilities.
iii. Describe various risk assessment tools and modus operandi on the effective use of these tools.
iv. Describe the bank’s accepted operational risk appetite and tolerance levels, and thresholds limits for
inherent and residual risks with approved risk mitigation/ transfer strategies.
v. Define bank’s approach for establishing and monitoring thresholds/ exposure limits for inherent and residual
risk exposure.
vi. Describe risk reporting mechanism and appropriate hierarchy level at which the reporting would be
escalated.
vii. Provide common definition/ classification terminology to ensure consistency of risk identification, exposure
ratings and risk management objectives.
viii. Describe process of independent review and assessment of operational risk by Audit or independent
qualified personnel.
ix. Define process of updating the framework on an ongoing basis and whenever a material change in the
operational risk profile of the bank occurs.

Q3. Explain, how Enterprise Risk Management System may add value in the presence of traditional Risk
Management System? List down at least THREE critical factors for a successful ERM Initiative? (5 Marks)
1. Commitment and support from top management
2. Communication
3. Culture
4. Organization Structure
5. Trust
6. Information Technology (IT)
7. Training

Q4. A. Describe the importance of stress testing program in commercial banks. Explain the governance
process of stress testing framework for banks in light of guidance by SBP. (5 Marks)
Stress Testing is an integral part of an institution’s risk management framework and helps risk managers in a
variety of ways. Specifically, stress testing:
• Provides a useful base for communication of key risks across the organization;
• Supplements other risk measures by providing a complementary perspective on various risks;
• Indicates how much capital might be needed to absorb losses if worst‐case scenarios materialize;
• Provides forward looking assessment of risks and facilitates capital allocation and liquidity management;
• Helps development of risk mitigation or contingency plans across a range of stress conditions;
• Enables management to set limits for risk tolerance and redesign their risk strategies if required;
• Adds value to the risk analysis when combined with other statistical measures like value‐at‐risk models by particularly focusing on tail events;
• Highlights the limitations of models and historical data by exhibiting the impact of extreme yet plausible shocks which models using normal conditions fail to capture; and
• Helps in Internal Capital Adequacy Assessment Program (ICAAP), by providing information on how much capital, in addition to the minimum capital requirement under Pillar‐I of the Basel‐II regime, is adequate for an institution.
The governance of stress testing framework at banks/DFIs shall, at the minimum, comprise the following:
• The Board shall take the responsibility of establishing a robust stress testing program, while the senior management shall design and implement the program;
• The senior management shall actively engage in the entire stress testing process and ensure appropriate designing, effective implementation, and its contribution into risk mitigation strategies of the institution;
• Senior management should ensure the documentation of policies and procedures governing the stress testing framework and its periodic review to ensure its continuous relevance for the institution;
• The stress testing program shall not only comply with regulatory stress testing requirements but also be capable of conducting additional tests covering various risk types and severities for internal consumption;
• The banks/DFIs should establish an appropriate stress testing infrastructure with adequate IT systems and resources in place, which should be periodically updated for its continued effectiveness;
• The key responsibility of implementing a sound stress testing program rests with the head of risk management; and
• Senior management should take suitable action based on stress results and incorporate stress testing outputs into the institution’s strategic and business decision‐making process and capital allocation.

B. Assume that the outstanding exposure of performing borrowers of a GEF bank on January 01, 2018 at the
start of the quarter was Rs. 115 billion. By the end of the quarter i.e., March 31st, out of these Rs. 110
billion, Rs. 7 billion of loans were repaid, Rs. 3 billion loans defaulted. On April 01, 2018 outstanding
exposure of the performing loans is increased to Rs. 110 billion due to new loans booked during the last
quarter. During the June quarter, out of this Rs. 110 billion, Rs. 8 billion were repaid and Rs. 5 billion stand
defaulted by June 30th. Required: Calculate the default rate for first two quarters of the year 2018. (5
Marks)

Q5. A. Describe the differences between the risk of expected and unexpected losses that a commercial bank
has to deal with. (2 Marks)
Expected losses are those that the bank knows with reasonable certainty will occur (e.g., the expected default
rate of corporate loan portfolio or credit card portfolio) and are typically reserved for in some manner.
Unexpected losses are those associated with unforeseen events (e.g. losses experienced by banks in the
aftermath of nuclear tests, losses due to a sudden downturn in economy or falling interest rates). Banks rely
on their capital as a buffer to absorb such losses.

B. Discuss the significance of managing the above risks with example. (3 Marks)
The outcome of an action or event could bring up adverse impacts. Such outcomes could either result in a
direct loss of earnings / capital or may result in imposition of constraints on bank’s ability to meet its business
objectives. Such constraints pose a risk as these could hinder a bank's ability to conduct its ongoing business or
to take benefit of opportunities to enhance its business. The significance is:
a) The individuals who take or manage risks clearly understand it.
b) The organization’s Risk exposure is within the limits established by Board of Directors.
c) Risk taking Decisions are in line with the business strategy and objectives set by BOD.
d) The expected payoffs compensate for the risks taken.
e) Risk taking decisions are explicit and clear.
f) Sufficient capital as a buffer is available to take risk.

Q6. Briefly discuss the following tools for identification/assessment of operational risk? (5 Marks)
i. Risk and Control Self-Assessment (RCSA) ii. Key Risk Indicators (KRIs) iii. Loss Data Management
i. Risk and Control Self-Assessment (RCSA): Risk and control self-assessment (RCSA) is a process through which
operational risks and the effectiveness of controls are assessed and examined. The objective is to provide
reasonable assurance that all business objectives will be met. The primary objectives of RCSA are to ensure:
• The reliability and integrity of information.
• Compliance with policies, plans, procedures, laws, regulations and contracts.
• The safeguarding of assets.
• The economic and efficient use of resources.
• The accomplishment of established objectives and goals for operations or programs.

ii. Key Risk Indicators (KRIs): Key Risk Indicators (KRIs) are measurable indicators, which can be termed early
warning signals, that provide information regarding increased current or potential level of operational risk
exposure to help the institution measure and manage emerging risks by identifying risk symptoms. The indicators
ensure that the risk monitoring is focused on the key risks to which an institution is exposed.
6 Developing Key Risk Indicators to Strengthen Enterprise Risk Management, Research commissioned by
COSO, December 2010
The selected KRIs should have the following characteristics:
i. Be effective in tracking an important risk.
ii. Must have the predictive power to prevent a future loss i.e. leading KRIs are more desired.
iii. Be practical and easy to collect i.e. measurable and quantifiable.
iv. Track at least one aspect of risk profile i.e. risk cause, event, effect and control.
v. Can serve as a means to express risk appetite.

iii. Loss Data Management: It is an operational risk identification and assessment technique. The collection and
analysis of a bank’s own loss data can provide vital information to management and provide a basis for
operational risk management and mitigation. However, most banks do not have a documented history of
operational losses. Therefore, as a first step, banks need to set up a system for consistent and comprehensive
loss data gathering. A bank’s internal loss data would mostly comprise high frequency and low severity events
with very few large losses. Such a database may not be relevant for quantitative modeling. However, by
studying trends of internal losses, banks can improve the efficiencies of their processes and internal controls.
Hence, banks need to assess the depth of their data collection which may be used for risk management and/or
risk quantification model.

ARM SUMMER 2019

Q1. Management of XYZ bank is concerned with the rise of recent interest rates. Highlight the impact of
rising interest rates on Bank’s financial statements. (5 Marks)
Interest rate risk arises when there is a mismatch between positions, which are subject to interest rate
adjustment within a specified period. The bank’s lending, funding and investment activities give rise to interest
rate risk. The immediate impact of variation in interest rate is on bank’s net interest income, while a long term
impact is on bank’s net worth since the economic value of bank’s assets, liabilities and off-balance sheet
exposures are affected. Consequently, there are two common perspectives for the assessment of interest rate
risk:
a) Earning perspective: In earning perspective, the focus of analysis is the impact of variation in interest rates
on accrual or reported earnings. This is a traditional approach to interest rate risk assessment and is obtained by
measuring the changes in the Net Interest Income (NII) or Net Interest Margin (NIM) i.e. the difference
between the total interest income and the total interest expense.
b) Economic Value perspective: It reflects the impact of fluctuation in the interest rates on economic value of a
financial institution. Economic value of the bank can be viewed as the present value of future cash flows. In
this respect economic value is affected both by changes in future cash flows and discount rate used for
determining present value. Economic value perspective considers the potential longer-term impact of interest
rates on an institution.

Q2. List down the early warning Indicators of Liquidity Risk. (At least FIVE indicators). (5 Marks)
a) A negative trend or significantly increased risk in any area or product line.
b) Concentrations in either assets or liabilities.
c) Deterioration in quality of credit portfolio.
d) A decline in earnings performance or projections.
e) Rapid asset growth funded by volatile large deposit.
f) A large size of off-balance sheet exposure.
g) Deteriorating third party evaluation about the bank.

Q3. Calculate expected return based on probability distribution of one-year return. (5 Marks)
Possible Return %    Probability of Occurrence
10                   0.3
50                   0.2
-05                  0.05
30                   0.4
15                   0.05
                     ∑=1

Answer:
Possible Return %    Probability of Occurrence    Expected Return
10                   0.3                          10x0.3=3
50                   0.2                          50x0.2=10
-05                  0.05                         -05x0.05=-0.25
30                   0.4                          30x0.4=12
15                   0.05                         15x0.05=0.75
                                                  25.50%

Q4. Define the following: (5 Marks)


A. Significance of Stress Testing as a Risk Management tool
As Discussed Earlier

B. Minimum Capital Requirement (2 Marks)


In Pakistan, banks, Development Finance Institutions (DFIs) and Microfinance Banks (MFBs) are required to
comply with the following two capital standards. A brief description of each of the standards is as under: MCR
& CAR
1. Minimum Capital Requirement (MCR): MCR is the absolute amount of paid-up capital / assigned capital (net
of losses) required to be maintained by each bank, DFI and MFB as determined by SBP from time to time and it
includes the following elements:
• Fully paid-up common share capital or assigned capital (for foreign bank operating in branch mode)
• Balance in Share Premium Account
• Reserve for Issue of Bonus Shares
• Any other type of instrument approved by the SBP
Less
• Negative General Reserves/Discount on Shares Issuance
• Accumulated Losses
All the existing locally incorporated banks are required to maintain MCR of Rs 10 billion. Branches of foreign
banks are required to maintain assigned capital (net of losses) of Rs. 3 billion (if operating with 5 branches or
less), Rs. 6 billion (if operating with 6 - 50 branches) and Rs. 10 billion (if operating with more than 50
branches). DFIs are required to maintain an MCR of Rs. 6 billion.
Similarly, for MFBs, the MCR has been set at Rs. 1,000 million, Rs. 500 million, Rs 400 million and Rs 300 million
for operating at national level, provincial level, regional and district level respectively.

C. Tier 1 Capital (2 Marks)


D. Tier 2 Capital (1 Mark)
Under the Basel Accord, a bank has to maintain a certain level of cash or liquid assets as a ratio of its
risk-weighted assets. The Basel Accords are a series of three sets of banking regulations that help to ensure
financial institutions have enough capital on hand to handle obligations. The Accords set the capital adequacy
ratio (CAR) to define these holdings for banks.
• Tier 1 capital is the primary funding source of the bank.
• Tier 1 capital consists of shareholders' equity and retained earnings.
• Tier 1 capital is a bank's core capital and includes disclosed reserves—that appear on the bank's financial statements—and equity capital. This money is the funds a bank uses to function on a regular basis and forms the basis of a financial institution's strength.
• Tier 2 capital includes revaluation reserves, hybrid capital instruments and subordinated term debt, general loan-loss reserves, and undisclosed reserves.
• Tier 2 capital is considered less reliable than Tier 1 capital because it is more difficult to accurately calculate and more difficult to liquidate.
Tier 2 capital is a bank's supplementary capital. Undisclosed reserves, subordinated term debts, hybrid
financial products, and other items make up these funds.

Q5. A. Why Integration of Risk Management is important for an organization? (3 Marks)


The objective of risk management is to identify risks and the causes that generate them, and to establish
appropriate controls to reduce their level at the lowest cost. Implementing an integrated risk management
system ensures:
• Strategy development, objective setting and risk management mechanisms that take the risk appetite into account. The organization defines its development strategy in relation to the risks it faces and how to manage them, taking into account the limit of the risk appetite to which it may be exposed. The objectives depend on the planned development requirements and the performance levels established, but the risks to the objectives and the costs necessary to manage those risks should also be considered.
• Development of a framework for the level of response to risk. This involves performing analysis and diagnostics in order to determine the level of risk to which the organization can be exposed and, considering the results obtained, proceeding with acceptance, treatment, avoidance or transfer of the risk.
• Improving the expertise to identify events that threaten the organization and making decisions efficiently and effectively. Applying an integrated risk management process allows evaluation of the risks by providing a link between the objectives, the functional departments of the organization and the components of risk assessment. Carrying out this process helps increase expertise in understanding the events facing the organization, the nature of the risks threatening the objectives and the nature of the opportunities.
• Identifying and managing risks that affect the achievement of objectives and the planned results, and not the risks of every operation or activity. An integrated risk management system is not fragmented, identifying and assessing risk in isolation only at the level of the operation or action; it is a system for identifying and addressing risks to the objectives in an integrated way. This ensures that implementing a single control measure can manage several risks. It also provides knowledge of the risks affecting achievement of objectives, which ensures that decisions are well founded and take the risk exposures into account.
• Identifying opportunities by monitoring events and capitalizing on them, with benefits in increased efficiency and effectiveness of activities. An integrated risk management system takes into account, in its analysis and evaluation, events that may affect the achievement of objectives. These can be negative events, which are risks, and positive events, which are opportunities.
• Appropriate use of capital. Knowledge of the risks the organization faces in achieving its objectives allows management to guide decisions toward those activities where the risks are well managed, thus ensuring better use of available resources.

B. State the reasons of interest rate risk. (2 Marks)


Interest rate risk occurs due to (1) differences between the timing of rate changes and the timing of cash flows
(re-pricing risk); (2) changing rate relationships among different yield curves affecting bank activities (basis
risk); (3) changing rate relationships across the range of maturities (yield curve risk); and (4) interest-related
options embedded in bank products (options risk).

Q6. Explain risk management strategies which can be applied in the case of unsecured financing products.
(10 marks)
For consumer lending, institutions may adopt credit-scoring models for processing loan applications and
monitoring credit quality. Institutions should apply the above principles in the management of scoring models.
Where the model is relatively new, institutions should continue to subject credit applications to rigorous
review until the model has stabilized.
For consumer loans, institutions may dispense with the need to perform credit review for certain products.
However, they should monitor and report credit exceptions and deterioration.
The four types of risk mitigating strategies include risk avoidance, acceptance, transference and limitation.
• Avoid: In general, risks that involve a high probability impact for both financial loss and damage should be avoided.
• Transfer: Risks that may have a low probability of taking place but would have a large financial impact should be mitigated by being shared or transferred, e.g. by purchasing insurance, forming a partnership, or outsourcing.
• Accept: With some risks, the expenses involved in mitigating the risk are more than the cost of tolerating the risk. In this situation, the risks should be accepted and carefully monitored.
• Limit: The most common mitigation strategy is risk limitation, i.e. businesses take some type of action to address a perceived risk and regulate their exposure. Risk limitation usually employs some risk acceptance and some risk avoidance.

ARM WINTER 2019

Q2. The senior management of ‘ABC’ Bank is considering to implement an Operational Risk Management
Framework and have asked you to provide the guidance with respect to key elements for a successful
implementation. Explain in detail the key elements that are a prerequisite for the successful implementation
in this regard. (Any five) (10 Marks)
As Discussed Earlier

Q3. Explain risk management strategies which can be applied in the case of unsecured financing products.
(10 Marks)
As Discussed Earlier

Q4. A. Why integration of risk management is important for an organization? (03 Marks)
As Discussed Earlier

B. State the reasons of interest rate risk. (02 Marks)


As Discussed Earlier

Q5. List down the early warning indicators of Liquidity Risk. (05 Marks)
As Discussed Earlier

Q6. Management of XYZ Bank is concerned with the rise of recent interest rate. Highlight the impact of
rising interest rates on Bank’s financial statements. (05 Marks)
Interest rate risk arises when there is a mismatch between positions, which are subject to interest
rate adjustment within a specified period. The bank’s lending, funding and investment activities give
rise to interest rate risk. The immediate impact of variation in interest rate is on bank’s net interest
income, while a long term impact is on bank’s net worth since the economic value of bank’s assets,
liabilities and off-balance sheet exposures are affected.
Through these two channels, interest rate risk can impact the financial condition of banks in many
ways.
• The Value Interest Rate Risk. The value of a financial instrument throughout its life reflects market prices. For example, a fixed-rate mortgage of 3.5 percent has a higher value when market interest rates are 2.5 percent than when market rates are 5 percent. This variability reflects what investors are willing to pay for that mortgage at the current market interest rate, should the bank wish to sell the loan in the open market. Therefore, some of the bank’s assets are affected by market interest rates, declining in value when market interest rates go up. When this happens, it shrinks the capital banks have on hand to absorb losses on their market-priced assets. Not all bank assets are affected by this kind of risk. In particular, whatever the bank plans on holding till maturity is not affected.
• Opportunity Cost. Interest rate risk might lead a bank to be locked into a lower-rate investment than the market interest rate. For example, if a bank holds a 30-year mortgage with a fixed-rate of 3.5 percent and 28 years remaining on it and mortgage rates rise to 4.5 percent, the bank is foregoing the extra 1 percent it could have earned if it was not locked into the mortgage. (Economists refer to the foregone return on this alternative investment as the opportunity cost). If that same bank had instead made an adjustable-rate mortgage (ARM), its opportunity cost would be close to zero. The interest rate on the ARM is periodically adjusted to reflect market rates.
• Income Interest Rate Risk. Generally, liabilities, which fuel a bank’s expenses, can be repriced much faster than assets. Bank profitability is expected to fall when interest rates go up because expenses reflect market interest rates faster than revenues.
All these factors combined have an effect on the market value of banks and their capital levels, which in turn
can affect the financial stability of the whole financial system.

Q7. Calculate the expected return based on the probability distribution of one-year return. (05 Marks)
Possible Return %    Probability of Occurrence
10                   0.3
50                   0.2
-05                  0.05
30                   0.4
15                   0.05
                     ∑=1

As Discussed Earlier

ARM SUMMER 2020

Q2. Briefly explain the basic elements of a Problem Loan Management Process. (05 Marks)
• Identify early problem loans, ensure they are managed by the most appropriate resources and ensure additional exposure incurred is controlled to the advantage of the bank.
• Identify and assess credit problems and evaluate the bank’s position to facilitate recovery strategy development.
• Maximize recoveries through development of appropriate action plans.
• Gain approval of strategies and action plans.
• Monitor recovery strategies to identify and address problems before they occur.

Q3. In light of Enterprise Technology Governance and Risk Management Framework for FIs, briefly explain the
details of comprehensive testing programs that an FI establishes, in order to validate the effectiveness of its
Information Security environment. (06 Marks)

Q4. A Contingency Funding Plan is imperative for the survival of any financial/ business organization in case
of Liquidity Crises. In light of Risk Management Guidelines for Banks and DFIs, briefly state the importance,
uses and scope of Contingency Funding Planning for any Financial Institution. (06 Marks)
Importance: Contingency funding plans (CFP) are required of all financial institutions, regardless of size or
complexity, and should clearly establish a strategy for addressing liquidity shortfalls in emergency situations. In
banking, liquidity risk offers a fast path to trouble. Deterioration in asset quality may be the most common
banking affliction, but the ensuing decline normally transpires over a long period of time. Poor liquidity
management, however, can sink the bank quickly with only a small push in the wrong direction. A CFP is
valuable because the acts of building and maintaining it provide a continually updated risk assessment tool in
addition to a crisis control guide.
Scope: A CFP is a comprehensive plan that delineates policies to manage a range of stress events, establishes
responsibility and articulates clear implementation and escalation procedures. Contingency funding plans
should address the following:
• Identify stress events
• Assess levels of severity and timing
• Assess funding sources and needs
• Identify potential funding sources
• Establish liquidity event management processes
• Develop risk mitigation action plans
• Establish a monitoring framework for contingency events
• Require stress testing
Uses: The objective of the contingency planning process is not to predict the future. Rather, the CFP’s great
value lies in its utility both as a crisis management document and a regular deep dive into the bank’s liquidity
profile. As an assessment tool, the contingency planning process provides additional insight into the
community bank’s liquidity strengths and weaknesses beyond the bank’s normal reporting activities. In this
role, the CFP serves as a comprehensive evaluation, which complements ongoing asset/liability monitoring.
This endeavor can provide new risk mitigation knowledge that management can use to protect the bank both
in an emergency and in the day-to-day competitive arena.

Q5. List down the key elements of Liquidity Risk Policy, as mentioned under Risk Management Guidelines
for Commercial Banks and DFIs issued by SBP. (05 Marks)
Liquidity risk is the risk that a business will not have sufficient cash to meet its financial commitments in a
timely manner. Without proper cash flow management and sound liquidity risk management, a business will
face a liquidity crisis and ultimately become insolvent. As businesses go about the process of measuring and
managing liquidity risk, they need to be on alert for common sources of that risk. Those sources include:
1. Lack of Cash Flow Management
2. Inability to Obtain Financing
3. Unexpected Economic Disruption
4. Unplanned Capital Expenditures
5. Profit Crisis
Measuring Liquidity Risk
One of the key elements of measuring and managing liquidity risk is the ability to identify the warning signs of
a liquidity crisis. Beyond the identification of these signs, a business must also be able to measure risk
magnitude so that it can take immediate and appropriate action to stop a downward spiral.
There are several ways of measuring liquidity risk, namely:
1. Analysis of Financial Ratios
a) Quick Ratio measures how well a business can meet its short-term financial obligations.
b) Current Ratio measures the ability to use short-term assets to repay short-term obligations.
c) Quick Ratio vs. Current Ratio: Quick ratio is preferred over current ratio.
2. Cash Flow Forecasting
3. Capital Structure Management
a) Debt-to-Equity Ratio measures the total liabilities of a business in relation to its shareholder equity.
b) DuPont Analysis measures the rate of returns generated by invested equity (i.e., common stock).
i) Operating efficiency ii) Asset use efficiency iii) Financial leverage iv) Interest Coverage Ratio

Q6. Segregate/ classify the following categories of operational risks into People Risk, Process Risk, System
Risk and External Risk. (08 Marks)
• Capacity risk
• Lack of knowledge/skills
• Employment law
• Programming errors
• Loss of key personnel
• System capacity
• Employee misdeed
• Physical security
• Reporting error
• Transaction error
• Theft
• Employee error
• System failure
• Natural disaster
• Security breach
• Terrorist

• People Risk – People risk is the risk of financial losses and negative social performance related to inadequacies in human capital and the management of human resources. This encompasses the inability to attract, manage, motivate, develop, and retain competent resources and often results in human errors, fraud, or other unethical behavior, both internal and external to the institution.
• Process Risk – Process risk is the risk of financial losses and negative social performance related to failed internal business processes within every aspect of the business. This can include product design flaws and internal project failures.
• Systems Risk – Systems risk is the risk of financial losses and negative social performance related to failed internal systems. This encompasses inter-branch connectivity, management information and core banking systems, information technology systems, power backup systems, and other technical systems.
• External Events Risk – External events risk is the risk of financial losses and negative social performance related to the occurrence of external events typically outside of an MFI’s control. This encompasses both natural disasters such as hurricanes, flooding, earthquakes, and fires, as well as man-made events such as civil disruptions, war, robberies, arson, road blockades, and terrorist attacks.
• Legal and Compliance Risk – Legal and compliance risk is the risk of financial losses and negative social performance related to non-compliance with internal and external regulations and laws. This encompasses non-compliance with microfinance regulations, anti-money laundering (AML) requirements, tax laws, human resource laws, mandatory vehicle registration, internal codes of ethical conduct, and other regulations.

Q7. The Three-Tiered Risk Management System refers to front office, middle office and back office in
Banking/ trading organizations. SBP in its “Risk Management guidelines for Commercial banks & DFIs” has
also referred the role of Middle office under organizational setup for Market Risk Management. Briefly
describe the role / functions of Middle Office in a Bank. (05 Marks)
The risk management functions relating to treasury operations are mainly performed by the middle office. The
concept of the middle office has recently been introduced so as to independently monitor, measure and analyze
risks inherent in treasury operations of banks. Besides, the unit also prepares reports for the information of
senior management as well as the bank’s ALCO. Basically, the middle office performs the risk review function of
day-to-day activities. Being a highly specialized function, it should be staffed by people who have relevant
expertise and knowledge. The methodology of analysis and reporting may vary from bank to bank depending on their
degree of sophistication and exposure to market risks. These same criteria will govern the reporting
requirements demanded of the Middle Office, which may vary from simple gap analysis to computerized VaR
modeling. Middle Office staff may prepare forecasts (simulations) showing the effects of various possible
changes in market conditions related to risk exposures. Banks using VaR or modeling methodologies should
ensure that their ALCO is aware of and understands the nature of the output, how it is derived, the assumptions
and variables used in generating the outcome and any shortcomings of the methodology employed. Segregation of
duties should be evident in the middle office, which must report to ALCO independently of the treasury
function. In banks without a formal Middle Office, risk control and analysis should rest with a department
with clear reporting independence from Treasury or risk-taking units until a normal Middle Office framework
is established.

Q8. A. Why is integration of risk management important for an organization? (03 Marks)
B. State the reasons of Interest Rate Risk. (02 Marks)
A. Risks must not be viewed and assessed in isolation, not only because a single transaction might have a
number of risks but also because one type of risk can trigger other risks. Since interaction of various risks could result in
diminution or increase in risk, the risk management process should recognize and reflect risk interactions in all
business activities as appropriate. While assessing and managing risk the management should have an overall
view of risks the institution is exposed to. This requires having a structure in place to look at risk
interrelationships across the organization.
B. Interest rate risk arises when there is a mismatch between positions, which are subject to interest rate
adjustment within a specified period. The bank’s lending, funding and investment activities give rise to interest
rate risk. The immediate impact of variation in interest rate is on the bank’s net interest income, while a long-term
impact is on the bank’s net worth since the economic value of the bank’s assets, liabilities and off-balance sheet
exposures are affected. Consequently, there are two common perspectives for the assessment of interest rate
risk:
a) Earning perspective: In earning perspective, the focus of analysis is the impact of variation in interest
rates on accrual or reported earnings. This is a traditional approach to interest rate risk assessment and is
obtained by measuring the changes in the Net Interest Income (NII) or Net Interest Margin (NIM), i.e. the
difference between the total interest income and the total interest expense.
b) Economic Value perspective: It reflects the impact of fluctuation in the interest rates on the economic value
of a financial institution. Economic value of the bank can be viewed as the present value of future cash flows.
In this respect, economic value is affected both by changes in future cash flows and by the discount rate used
for determining present value. Economic value perspective considers the potential longer-term impact of
interest rates on an institution.

ARM WINTER 2020

Q1. A. According to the Risk Management Guidelines for Commercial Banks & DFIs, the credit administration
function in a Bank/FI is basically a back office that supports and controls the extension and maintenance of
credit. Briefly explain any FOUR of the functions of the credit administration unit. (10 Marks)
A typical credit administration unit performs the following functions:
a. Documentation. It is the responsibility of credit administration to ensure completeness of documentation
(loan agreements, guarantees, transfer of title of collaterals etc) in accordance with approved terms and
conditions. Outstanding documents should be tracked and followed up to ensure execution and receipt.
b. Credit Disbursement. The credit administration function should ensure that the loan application has proper
approval before entering facility limits into computer systems. Disbursement should be effected only after
completion of covenants, and receipt of collateral holdings. In case of exceptions necessary approval should be
obtained from competent authorities.
c. Credit monitoring. After the loan is approved and draw down allowed, the loan should be continuously
watched over. These include keeping track of borrowers’ compliance with credit terms, identifying early signs
of irregularity, conducting periodic valuation of collateral and monitoring timely repayments.
d. Loan Repayment. The obligors should be notified ahead of time as and when the principal/markup
installment becomes due. Any exceptions such as non-payment or late payment should be tagged and
communicated to the management. Proper records and updates should also be made after receipt.
e. Maintenance of Credit Files. Institutions should devise procedural guidelines and standards for maintenance
of credit files. The credit files not only include all correspondence with the borrower but should also contain
sufficient information necessary to assess the financial health of the borrower and its repayment performance.
Needless to say, information should be filed in an organized way so that external/internal auditors or SBP
inspectors can review it easily.
f. Collateral and Security Documents. Institutions should ensure that all security documents are kept in a
fireproof safe under dual control. Registers for documents should be maintained to keep track of their
movement. Procedures should also be established to track and review relevant insurance coverage for certain
facilities/collateral. Physical checks on security documents should be conducted on a regular basis.

B. Briefly explain any TWO key elements to develop an effective risk management framework in the light of
Risk Management Guidelines for Commercial Banks and DFIs by SBP. (5 Marks)
An effective risk management framework includes:
a) Clearly defined risk management policies and procedures covering risk identification, acceptance,
measurement, monitoring, reporting and control.
b) A well constituted organizational structure defining clearly roles and responsibilities of individuals involved
in risk taking as well as managing it. Banks, in addition to risk management functions for various risk categories
may institute a setup that supervises overall risk management at the bank. Such a setup could be in the form
of a separate department or bank’s Risk Management Committee (RMC) could perform such function. The
structure should be such that it ensures effective monitoring and control over risks being taken. The individuals
responsible for review function (Risk review, internal audit, compliance etc) should be independent from risk
taking units and report directly to board or senior management who are also not involved in risk taking.
c) There should be an effective management information system that ensures flow of information from
operational level to top management and a system to address any exceptions observed. There should be an
explicit procedure regarding measures to be taken to address such deviations.
d) The framework should have a mechanism to ensure an ongoing review of systems, policies and procedures
for risk management and procedure to adopt changes.

Q2. For effective management of operational risk, each Bank should establish an independent Operational
Risk Management Function. List down the key responsibilities of Operational Risk Management Function in
accordance with the Implementation of Operational Risk Management Framework issued by SBP. (5 Marks)
The function would assess, monitor and report operational risks as a whole and ensure that the management
of operational risk in the bank is carried out as per strategy and policy.
1. Risk Assessment and Quantification
2. Risk Management and Mitigation of Risks
3. Risk Monitoring
4. Risk Reporting
5. Establishing Control Mechanism
6. Contingency planning

Q3. A. List down the key bank assessments for risk profiling of the customer before allowing a credit facility
in the light of Risk Management Guidelines for Commercial Banks and DFIs by SBP. (8 Marks)
Before allowing a credit facility, the bank must make an assessment of risk profile of the customer/transaction.
This may include:
a) Credit assessment of the borrower’s industry, and macroeconomic factors.
b) The purpose of credit and source of repayment.
c) The track record / repayment history of borrower.
d) Assess/evaluate the repayment capacity of the borrower.
e) The Proposed terms and conditions and covenants.
f) Adequacy and enforceability of collaterals.
g) Approval from appropriate authority.

B. According to the SBP’s Guidelines on Internal Credit Risk Rating System, briefly state any TWO regulatory
definitions of Obligor Rating Grades. (4 Marks)
The internal risk ratings should be based on a two tier rating system.
1. An obligor rating, based on the risk of borrower default and representing the probability of default by a
borrower or group in repaying its obligation in the normal course of business and that can be easily mapped to
a default probability bucket.
2. A facility rating, taking into account transaction specific factors, and determining the loss parameters in case
of default and representing loss severity of principal and/or interest on any business credit facility.
For obligor ratings, the banks/DFIs should have at least nine credit risk grades for non-defaulted borrowers and
three for defaulted borrowers. Facility ratings should be at least on six grades showing expected zero loss to
loss of full credit exposure. Banks/DFIs are free to have more than the prescribed rating grades, for both
obligor and facility ratings.
A bank must articulate in its credit policy the relationship between borrower grades in terms of the level of risk
each grade implies. Perceived and measured risk must increase as credit quality declines from one grade to the
next. The policy must articulate the risk of each grade in terms of both a description of the probability of default
risk typical for borrowers assigned the grade and the criteria used to distinguish that level of credit risk.

Q4. According to the Enterprise Technology Governance and Risk Management Framework for Financial
Institutions, financial institutions shall achieve high system availability for critical systems which is
associated with maintaining adequate capacity, reliable performance, fast response time, scalability and
swift recovery capability. In this regard, explain the key parameters of a Disaster Recovery Plan. (8 Marks)
A disaster recovery plan is a part of your overall bank business continuity plan. It represents the processes and
procedures for recovering your technology infrastructure including your network, your document
management system, your core system, etc. It focuses solely on the technology that supports your bank
operations and the steps needed to return your technology to normal operations (as opposed to the recovery
of your bank’s business operations).
1. Create a disaster recovery team. The team will be responsible for developing, implementing, and
maintaining the DRP. A DRP should identify the team members, define each member’s responsibilities, and
provide their contact information. The DRP should also identify who should be contacted in the event of a
disaster or emergency. All employees should be informed of and understand the DRP and their responsibility if
a disaster occurs.
2. Identify and assess disaster risks. Your disaster recovery team should identify and assess the risks to your
organization. This step should include items related to natural disasters, man-made emergencies, and
technology related incidents. This will assist the team in identifying the recovery strategies and resources
required to recover from disasters within a predetermined and acceptable timeframe.
3. Determine critical applications, documents, and resources. The organization must evaluate its business
processes to determine which are critical to the operations of the organization. The plan should focus on
short-term survivability, such as generating cash flows and revenues, rather than on a long term solution of
restoring the organization’s full functioning capacity. However, the organization must recognize that there are
some processes that should not be delayed if possible. One example of a critical process is the processing of
payroll.
4. Specify backup and off-site storage procedures. These procedures should identify what to back up, by
whom, how to perform the backup, location of backup and how frequently backups should occur. All critical
applications, equipment, and documents should be backed up. Documents that you should consider backing
up are the latest financial statements, tax returns, a current list of employees and their contact information,
inventory records, customer and vendor listings. Critical supplies required for daily operations, such as checks
and purchase orders, as well as a copy of the DRP, should be stored at an off-site location.
5. Test and maintain the DRP. Disaster recovery planning is a continual process as risks of disasters and
emergencies are always changing. It is recommended that the organization routinely test the DRP to evaluate
the procedures documented in the plan for effectiveness and appropriateness. The recovery team should
regularly update the DRP to accommodate for changes in business processes, technology, and evolving
disaster risks.
