Risk Management for Banking

Risks in Financial Institutions

Lecturer: Claudio Vallar
School of Economics and Finance
 What is Risk?

Definition: Risk is a quantifiable likelihood of a loss

This definition encapsulates several key aspects:

• RISK - variability that can be quantified in terms of probabilities. The focus of risk is on
potential negative outcomes. To quantify these probabilities, we need to differentiate
different risk types).

• UNCERTAINTY - variability that cannot be quantified

• RISK MANAGEMENT – understanding risk involves identifying, analysing, evaluating,

and mitigating risks to minimize potential losses
 Type of Risks

• Risk can be grouped depending on different types of business environments.

• Grouping the risks is essential for the financial and business institutions to factor
into specific risks while managing them.

• Each type of risk needs different skills to manage it.

 What risks are financial institutions exposed to?
Risks are primarily driven by two sources, which are:

External that a financial institution

(to the organisation) has no control over

Internal that can be controlled to

(to the organisation) the organisation

Figure 1 summarises some of the key risk categories and demonstrates how various
internal and external factors impact the firm resulting in specific risk exposures.
(Note: that the list of risk categories presented in Figure 1 is by no means exhaustive, as types of risks a firm is exposed to vary greatly with the
nature of the firm’s activities, structure and environment it operates in)
What risks are financial institutions exposed to?
 Types of Risk
Financial Institution Risk

Financial Non -Financial

Market Risk Credit Risk Liquidity Risk Operational Risk Other Non-Financial Risks
Risks Risks

Cyber Risk and IT

Equity Price Risk Default Risk Reputational Risk
Risk

Financial Crime
Interest Rate Risk Downgrade Risk Model Risk
Risk

Exchange Rate
Personnel Risk Climate Risk
Risk

Third Party
Commodity Risk Management Legal Risk
Risk

Compliance or
Regulatory Risk
Note that risk can flow form one type to another
 Market Risk
Market risk is the risk of losses on financial investments caused by adverse price
movements; such as changes in equity prices or commodity prices, interest rate moves or
foreign exchange fluctuations.

Equity Price Risk – This is the risk that is associated with the volatility in the stock prices.
Price risk is depending on:
• Systematic risk: variability due to changes in economic information (e.g., changes in
GDP) . This risk cannot be done away with by diversification.
• Unsystematic Risk or Specific Firm: it is the component of volatility determined by
firm-specific characteristics. This can be done away with by diversification.
 Market Risk

Interest Rate Risk – It arises from fluctuations in the market interest rates, which may
cause a decline in the value of interest-rate-sensitive portfolios. For example, if rates were
to increase and a bank's deposits repriced sooner than its loans, it could result in the bank
paying out more interest on deposits than the interest it is receiving from loans.

Foreign Exchange Risk – Due to operations that involve foreign currencies, imperfectly
hedged positions in certain currencies may arise, which may cause exposure to exchange
rates.

Commodity Price Risk – the volatility associated with the prices of commodities.
 Credit Risk
Credit risk is the risk associated with a counterparty not fulfilling its contractual
obligations is the credit risk. For example, the default on a credit card loan is the scenario
in which credit risk materializes for a credit card company.

Credit risk can be further classified into:

Bankruptcy Risk – The risk associated with a borrower’s inability to clear his debt leading
to a takeover of his collateralized assets.
Downgrade Risk – The risk that there might be a decline in the borrower’s credit ratings
because of a drop in his creditworthiness.
 Liquidity Risk
Liquidity risk refers to the potential difficulty an entity may face in meeting its short-term
financial obligations due to an inability to convert assets into cash without incurring a
substantial loss.

Funding liquidity risk is associated with the risk that a firm will not be able to settle its
obligations immediately when they are due. Funding liquidity risk can be managed by
holding highly liquid assets like cash.

Market liquidity risk is associated with an entity's inability to execute transactions at

prevailing market prices due to insufficient market depth or disruptions.
 Operational Risks
Operational Risk refers to the risk that arises from operational weaknesses like
management failure, faulty controls, and inadequate systems.

Cyber Risk – The risk of a cyber attach of data breach on an organisation.

Financial Crime Risk – The risk deriving from any kind of criminal conduct relating to
money or to financial markets; such as: fraud, tax evasion, misuse of information in a
financial market, corruption, money laundering.

Personnel Risk - It is the risk that can happen because of the actions or decisions of
individuals working in the financial institution.
 Other Non-Financial Risks
Model Risk – The financial model used to measure quantitative information fails or
performs inadequately.

Reputational Risk – the risk losing consumer or stakeholder trust due to a negative
perception of the financial institution. The institution must also follow ethical practice.

Climate Risk – the risk due to natural disasters and how their economic impact.

Political and Economic Climate Risk – Risk associated to political developments such as
changes in the government's majority, tax laws, economic uncertainty, …
 Other Non-Financial Risks

Regulatory Risk - Governments introducing new financial regulations, designed to, for
example, streamline regulatory reporting standards, the way financial instruments are
advertised and traded, or introduce additional financial resiliency (such as additional
capital requirements).

N.B. the risks mentioned in these slides are just some of the risks a financial institution faces.
Risk Management for Banking
Risk Management
Lecturer: Claudio Vallar
School of Economics and Finance
 What is Risk Management?

• Risk management is the practice of using processes, methods and tools for quantifying
and managing risks.

• It is a logical process or approach that seeks to minimize and control a risk type a
financial institution is exposed to.

• Risk management focuses on identification of possible risks, evaluation of what risks

should be dealt with (cost-benefit analysis) and implementation of strategies designed
to address (manage impacts) of these risks.
 Risk Management Process
Risk management process is dynamic in nature, as such it is designed to take into account
the information obtained from previous iterations of the processes already implemented.

Identify
Risk

Oversee,
Measure
Audit &
Realign Risk

Manage and
Control Risk
 Risk Management Process – Five Steps
1. Identify risks and risk tolerances - Identify the risk and the frequency of the risk
occurrence. Understand how and where the risk will potentially impact.

2. Measure risks - Measure the risk and respective impact. Risk oversight by dedicated
risk management functions, carried out by risk type.

3. Manage and Control risks - Introduce controls that will manage the risk within the
framework of the regulatory requirements, risk appetite and policy of the business.
Risk policies and appropriate corporate governance should be in place and up-to-date
in order to mitigate the risk.

4. Oversee, audit, and realign the risk management process - Integral part of sound
firm management and should be owned by respective business units.
Risk Management for Banking
Risk Management Framework
Lecturer: Claudio Vallar
School of Economics and Finance
 Summary

In this section we will discuss:

o The process by which an institution recognizes and detects different risks

o How risk is ranked and the use of Risk Heat Map

o Risk Appetite and Risk Culture

o The role of Board of Directors

o The Three Lines of Defence Model

 Risk Identification
• Risk identification is the process by which a company recognizes and detects different
risks to which it is exposed through the normal course of conducting its business.

• This process requires a detailed knowledge of the organisation, the market in which it
operates, the legal, social, political and cultural environment, as well as the
development of a sound understanding of strategic and operational objectives of the
organisation.

• Risk identification should be approached in a methodical way.

• Financial institutions whose risk profiles remain unchanged or change infrequently over
time and lacking risk-identification processes can be exposed to stale risks.
 Risk Identification (II)

• Who should carry out the risk identification?

Whilst risk identification can be carried out by outside consultants (e.g. big four), an in-
house approach with well communicated, consistent and co-ordinated processes is likely
to be more effective. In-house ownership of the risk management process is essential.

• What risk identification techniques can be used?

There are several risk identification techniques that are used in practice such as
brainstorming sessions, surveys, audits, reports, historical data, scenarios. It is also
important to consider the interdependencies and correlations among different risks, as
well as the potential impact and likelihood of each risk.
 Risk Identification – Workshops and Brainstorming
Workshop and brainstorming: collection and sharing of ideas at workshops to discuss the
events that could impact the objectives, core processes or key dependencies

Advantages:
Consolidated opinions from all parties affected. Greater interaction resulting in greater
variety of ideas.

Disadvantages:
Senior management dominates discussions. Possibility of issues being missed if incorrect
or not all people are involved.
 Risk Identification – Surveys
Surveys and checklists: use of structured questionnaires and checklists to collect
information that will assist with the recognition of the significant risks.

Advantages:
Consistent structure guarantees consistency. Greater involvement than in a workshop.

Disadvantages:
Approach is not flexible and may result in some risks being missed. Questions are based on
past / historical knowledge.
 Risk Identification – Audits
Inspections and audits: physical inspections of premises and activities and audits of
compliance with established systems and procedures.

Advantages:
Physical evidence forms the basis of opinion. Audit approach gives rise to a consistent and
transparent structure.

Disadvantages:
Inspections are most suitable for pure risk types. Audit approach tends to focus on
historical / past experience.
 Risk Identification – Flowcharts and Dependency Analysis
Flowcharts and Dependency Analysis: analysis of the processes and operations within the
organisation to identify critical components that are key to the successful performance of
the organisation.

Advantages:
Useful output that may be used in other parts of the firm. Analysis produces better
understanding of the entire processes.

Disadvantages:
Difficult to use for strategic risks. May be very detailed and time consuming.
 Risk Ranking

• Once risks have been identified, the financial institution needs to rate these risks, so that
the risks could be prioritised and dealt with accordingly.

• The main methodology on how ranking risks is to identify the likelihood of an event
associated with the risk against the financial impact if the event occurs.

• The use of these two metrics is demonstrated using a risk matrix or HEAT map.
Heat Map

Important steps to decide:

▪ What risk is low and what risk is high
▪ The tolerance level
▪ Re-evaluation interval

Advantages:
▪ Picture of the risk health of the institution
▪ Risk to prioritise
▪ It helps interdepartmental communication
 Heat Map - Purposes
Purpose and Benefits of a Risk Heat Map:

1. Visualization: Provides a clear and intuitive visual representation of the risk landscape,
making it easier to understand and communicate risks to stakeholders.

2. Prioritization: Helps in prioritizing risks by highlighting those with the highest likelihood
and impact, enabling more effective allocation of resources.

3. Risk Assessment: Facilitates the assessment and comparison of multiple risks, allowing
decision-makers to focus on the most critical areas.

4. Monitoring: Aids in the ongoing monitoring of the risk environment, allowing

organizations to track changes in risk levels over time.
 Heat Map – Expected Losses
Heat map-type risk matrices are implicitly based on the expected value theory of risk, in
which expected loss (EL) is the product of probability of the risk occurring (PD) and risk
impact (RI):

EL = PD x RI
EL = PD x LGD x EAD

where EL = expected loss

PD = Probability of the risk occurring (between 0 and 1.0)
I = Loss given default
EAD = Exposure at default
 Heat Map - Expected Losses- Example
Consider the following example:
• A borrower wants to buy a house for £ 500,000.
• The lender, that is, the bank, funds 80% of the purchase (i.e., £ 400,000).
• By now, the borrower has repaid £ 40,000, so the outstanding balance is £ 360,000.
• Based on previous years data one in four homeowners have defaulted (i.e., PD =25%).
• If the borrower defaults, the bank can sell the house immediately for £ 342,000 meaning the
remaining loss would be £18,000, and loss given default would be £18,000 / £360,000 = 5%

What is the expected loss that the bank is exposed to?

EL = PD x LGD x EAD = 0.25 x 0.05 x £360,000 = £4,500

 Risk Appetite
Risk appetite is defined within the financial institution as the amount and type of risk that
the institution is prepared to seek, accept or tolerate in delivering its strategy.

The firm’s risk appetite is comprised of two key things:

I. A formal document called the risk appetite statement which outlines the aggregate
level and types of risk that a financial institution is willing to accept or avoid to achieve
its business objective

II. Mechanisms that link the risk appetite statement to the day-to-day risk management
operations which include risk-specific statements and a detailed firm risk policy.
 Risk Appetite and Risk Management Decisions
The attitude of the organisation to risk will depend on the sector, nature and maturity of
the marketplace it operates in, corporate strategy and culture, as well as the attitude to
risk of the senior management.

All organisations are ought to determine the following factors:

• risk exposure – the risk already taken by the financial institution.
• risk capacity – the resources that the firm can risk.
• risk appetite – how much the financial institution is willing to risk.
Risk appetite should be below total risk capacity but above risk profile.
 Risk Management Framework – Board of Directors
Key aspects of the risk management framework, including governance, structure, risk
management tools and organisation’s culture.

Board of Directors
The senior management and the Board of directors must define the risk appetite and communicate
that to stakeholders in the following ways:

• Using the value at risk (VaR) to specify the maximum loss the firm is prepared to tolerate at a
given level of confidence for a given period of time;

• Stating how the risk is treated: which risks are accepted, rejected, mitigated, and the tools used
in risk management;

• Constantly evaluating the possible scenarios, the firm might find itself by using stress testing.
Risk Management Framework – Three Lines of Defence Model
A three lines of defence model is used in assuring the effective management of risk and
helping banks in meeting regulatory requirements.
 First Line of Defence
• The first line of defence is the functions that own and manage risk

• This is formed by managers and staff who are responsible for identifying and managing
risk as part of their accountability for achieving objectives.

• Key Functions:

• Risk Identification and Management: Recognizing risks in operational processes and

implementing appropriate controls.

• Control Implementation: Executing internal controls to prevent or mitigate risks.

• Monitoring and Reporting: Continuously monitoring activities and reporting on risk

and control effectiveness.
 Second Line of Defence
• The second line of defence is the functions oversees and specialised in compliance and
management of risk.

• Key Functions:

• Policy and Framework Development.

• Risk Oversight: Monitoring the effectiveness of practices and controls implemented by

the first line are consistent with the organization's risk appetite and regulatory
requirements.

• Support and Guidance: Providing tools, methodologies, to help manage risks.

• Compliance Monitoring: Ensuring adherence to laws, regulations, and internal policies.

 Third Line of Defence
• The third line of defence is functions that provide independent assurance.

• This is provided by internal audit.

• Key Functions:

• Independent Assurance: Conducting audits to assess the effectiveness of risk

management and control processes across the organization.

• Evaluation of Controls: Reviewing the implementation and effectiveness of internal

controls and risk management practices.

• Reporting and Recommendations: Reporting findings to senior management and the

board of directors and recommending improvements to enhance risk management and
controls.
 Why is the Three Lines of Defence Model used?
Benefits of the Three Lines of Defence Model:

▪ Clear Roles and Responsibilities: Defines clear roles and responsibilities for managing
and overseeing risks, enhancing accountability and transparency.

▪ Enhanced Risk Management: Strengthens risk management practices by ensuring risks

are managed at multiple levels within the organization.

▪ Improved Governance: Supports effective governance by providing independent

assurance on the adequacy of risk management and control processes.

▪ Regulatory Compliance: Helps organizations meet regulatory requirements by

demonstrating a robust risk management framework.