Understanding the Risk Management Process:
Management develops controls and uses performance indicators to aid in managing key business and financial risks. An effective risk management system in a bank generally requires the following:
Oversight and involvement in the control process by those charged with governance: Those charged with governance should approve the documented risk management policies. The policies should be consistent with the bank's business objectives and strategies, capital strength, management expertise, regulatory requirements and the types and amounts of risk it regards as acceptable. Those charged with governance are also responsible for laying down the risk appetite and establishing a culture within the bank that emphasises commitment to internal controls and high ethical standards. Management is responsible for implementing the strategies and policies set by those charged with governance, thereby ensuring that an adequate and effective system of internal control is established and maintained.
Identification, measurement and monitoring of risks: Risks that could significantly affect the achievement of the bank's goals should be identified, measured and monitored against pre-approved limits and criteria recorded in a documented risk register. This function is usually performed by the bank's Risk Committee or an independent risk management unit, which is also responsible for validating and stress testing the pricing and valuation models used by the front and back offices. It also monitors risk management activities and evaluates the effectiveness of the risk management models, methodologies and assumptions used. The mid office within each function, which is responsible for identifying, measuring and reporting the risk associated with each transaction, usually reports to the Risk Committee or the independent risk management unit. In this manner the bank's management monitors the overall risks faced by the bank.
Control activities: A bank should have appropriate controls to manage its risks, including effective segregation of duties (particularly between the front and back offices), accurate measurement and reporting of positions, verification and approval of transactions, reconciliation of positions and results, setting of limits, reporting and approval of exceptions, physical security and contingency planning. The following are certain common questions and steps to be kept in mind when performing control activities:
Through its Master Direction No. RBI/FMRD/2016-17/31 FMRD Master Direction No. 1/2016-17 on 'Risk Management and Interbank Dealings' dated July 5, 2016, the RBI has prescribed the risk management framework and reporting requirements for certain categories of transactions, such as forward contracts and hedging transactions entered into by the bank with residents, management and hedging of the bank's assets and liabilities, hedging of Tier I capital in the case of foreign banks, etc.
For every bank in India, certain risk management limits, such as the Net Open Position ('NOP') Limit and the Aggregate Gap Limit ('AGL'), are approved by the RBI after an assessment of each bank's overall risk appetite. Banks build checks into their daily processes to ensure that these limits are adhered to at all times.
As part of regulatory reporting, banks are also required to report to the RBI a host of other risk management limits, such as single and group borrower limits (which indicate concentration risk), credit exposure on derivatives (which indicates the potential replacement cost of the derivative portfolio), the bank's capital market exposure, country risk exposure and exposure to sensitive sectors such as real estate.
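The daily limit check described above, as an added illustration that is not part of the original text and not any bank's or the RBI's own implementation. It assumes a simplified definition of NOP (net of long and short positions per currency, converted to a reporting currency) and of the aggregate gap (sum of absolute net gaps across forward maturity buckets); the actual definitions, conversion rates, deals and limits are hypothetical and constructed for the example, and the output is the exception report that control activities should route for approval.

```python
from collections import defaultdict

# Constructed sample deals (hypothetical, not from the page):
# (currency, amount in currency units, maturity bucket, side)
# side is +1 for a long/buy position and -1 for a short/sell position.
DEALS = [
    ("USD", 10_000_000, "spot", +1),
    ("USD",  4_000_000, "1M",   -1),
    ("USD",  8_000_000, "3M",   -1),
    ("EUR",  5_000_000, "spot", -1),
    ("EUR",  2_000_000, "6M",   +1),
    ("GBP",  1_000_000, "1M",   +1),
]

# Assumed conversion rates into the reporting currency (USD equivalent).
USD_RATES = {"USD": 1.0, "EUR": 1.10, "GBP": 1.25}

# Assumed limits for this hypothetical bank, in USD equivalent.
LIMITS = {"NOP": 15_000_000, "AGL": 12_000_000}


def net_open_position(deals, rates):
    """Net open position per currency in USD equivalent: longs minus shorts
    across all maturities (simplified definition, an assumption of this example)."""
    nop = defaultdict(float)
    for ccy, amount, _bucket, side in deals:
        nop[ccy] += side * amount * rates[ccy]
    return dict(nop)


def aggregate_gap(deals, rates):
    """Simplified aggregate gap: sum over (currency, forward bucket) of the
    absolute net gap, with spot deals excluded (an assumption of this example)."""
    gaps = defaultdict(float)
    for ccy, amount, bucket, side in deals:
        if bucket == "spot":
            continue
        gaps[(ccy, bucket)] += side * amount * rates[ccy]
    return sum(abs(g) for g in gaps.values())


def check_limits(deals, rates, limits):
    """Compare the day's positions against approved limits and return the
    figures plus a list of exceptions (limit name, actual, limit)."""
    nop = net_open_position(deals, rates)
    # Assumed: overall NOP is the sum of absolute per-currency positions.
    total_nop = sum(abs(v) for v in nop.values())
    agl = aggregate_gap(deals, rates)
    exceptions = []
    if total_nop > limits["NOP"]:
        exceptions.append(("NOP", total_nop, limits["NOP"]))
    if agl > limits["AGL"]:
        exceptions.append(("AGL", agl, limits["AGL"]))
    return {"nop_by_ccy": nop, "total_nop": total_nop,
            "agl": agl, "exceptions": exceptions}


def exception_report(result):
    """Render exceptions as lines suitable for the exception register that
    requires independent approval; an empty list means no breach."""
    return [f"BREACH {name}: actual {actual:,.0f} exceeds limit {limit:,.0f}"
            for name, actual, limit in result["exceptions"]]


if __name__ == "__main__":
    result = check_limits(DEALS, USD_RATES, LIMITS)
    for ccy, pos in sorted(result["nop_by_ccy"].items()):
        print(f"{ccy} net position: {pos:,.0f}")
    print(f"Total NOP: {result['total_nop']:,.0f}  AGL: {result['agl']:,.0f}")
    for line in exception_report(result) or ["No limit breaches today"]:
        print(line)
```

With the constructed deals the NOP stays within limit while the aggregate gap breaches the assumed AGL limit, so the report carries one exception that must be reported and approved rather than silently carried forward.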
Monitoring activities: Risk management models, methodologies and assumptions used to measure and manage risk should be regularly assessed and updated. This function may be conducted by the independent risk management unit. Internal auditing should test the risk management process periodically to check whether management policies and procedures are complied with and whether the operational controls are effective. Both the risk management unit and internal auditors should have a reporting line to those charged with governance and management that is independent of those on whom they are reporting.
Reliable information systems: Banks require reliable information systems that provide adequate financial, operational and compliance information on a timely and consistent basis. Those charged with governance and management require risk management information that is timely, accurate and easily understood and that enables them to assess the changing nature of the bank’s risk profile.