rbidocuments on rm in banks

Upload: rohittap

Post on 29-May-2018


  • 8/8/2019 RBIdocuments on RM in Banks


    Risk Management - Priorities for the Indian Banking Sector1

    http://www.rbi.org.in/scripts/BS_SpeechesView.aspx?Id=456

    The new decade is predicted to be more transformational than the first decade of this millennium for the Indian economy and the Indian financial system. If the last ten years have seen transformation in terms of consistently higher growth rates, adoption of core banking solutions, transformation in the payments systems and greater integration with the global economy, the coming decade will see unprecedented volume of business for the Indian financial system as it tries to meet the challenges and requirements of rapid and inclusive growth. Information Technology (IT) has made it possible for banks to deal with large numbers and such growth in volume and value of business will obviously imply huge challenges for risk management, which in turn will have to depend on human resources and IT in dealing with the new normal - a theme so apt for this conference.

    2. The major challenge is, clearly, having the human resources of the right kind and numbers and the ability to retain skilled personnel. From having personnel to deliver banking services to the poorest, to having the expertise to deliver sophisticated financial products and adopt consistent risk management practices across the organisation, will be the key to managing huge organisations optimally.

    3. If one of the reasons for the global financial crisis was that the financial sector grew out of sync with the real sector in the advanced economies, in India the position is different in that the financial system has to ensure that it meets the requirements of the growing real sector. Risk is inherent in banking as banks essentially trade in risk in the process of maturity transformation. Therefore, banks cannot afford to be risk avoiders. At the same time bankers' prudence, something that is critical to safety of the depositors' funds, has to be the underlying philosophy at all times. The risk return relationship has to be optimally balanced for welfare enhancing outcomes.

    4. The crisis has thrown up some critical issues relevant to risk management policies:

    The business model matters. Banks that were extremely aggressive in the trading books were clearly more affected. Those that had a fair degree of traditional banking were less affected.

    There has to be an intuitive approach to risk. Despite huge growth in leverage and huge expansion of on and off-balance sheet items, complex risk models threw up measures of risk that seemed to be quite capable of being absorbed. There was obviously a clear limitation to these models especially in times of stress. The inadequacies stemmed from two perspectives (a) Use of past data without adequately factoring in the data from acute periods of stress and (b) The presumption that the highly sophisticated mathematical models could be as successful as they are in physical sciences. The latter presumption is clearly wrong inasmuch as financial events are heavily influenced by largely unpredictable or irrational human behaviour which models cannot capture. Nevertheless, these are useful when considered as one of the inputs supplemented by stress/scenario analysis and informed judgement. The other aspect which causes serious concern is that the comprehension of these models remains confined to a small group of Quants and it becomes very difficult for the top management and boards to comprehend the actual risk undertaken by the organisation. These lessons will have to be kept in view now that some of the banks will move towards advanced approaches.

    Pricing of risk is important. There is a temptation to under-price risk whenever there is excess liquidity and pressure to generate profits. Pricing below cost can be risky and the risk cost is very often not captured adequately. Moreover, this gives rise to asset price bubbles with attendant implications.

    While credit, market and operational risk are captured in the capital framework under Pillar I of Basel II, liquidity risk, concentration risks, strategic risk, reputation risk and risks arising out of securitisation, off balance sheet vehicles, valuation practices need to be recognised. Banks' Boards need to focus on all these risks and set firm wide limits on the principal risks relevant to the bank's activities. Banks should focus on robust stress testing. Compensation packages should also form part of risk management policies.

    This crisis has also highlighted the importance of internal controls, good corporate governance and risk management. As shown in the Senior Supervisors Group Report on Risk Management, some banks with strong risk management systems weathered the current crisis much better than many banks that had poor or inadequate risk management systems.

    For banks that are part of financial conglomerates, the process of risk management must focus on intra group exposures and transactions as also group wide exposures to sectors and borrowers.

    The new element recognised in this crisis is that even while sound risk management policies are observed at the firm level there could be systemic risks over which individual banks have no control and this calls for risk management at the systemic level viz. ensuring financial stability by financial regulators and policy makers.

    5. I will now turn to the key areas where banks need to focus while planning their businesses for higher growth, keeping in view the on-going international regulatory initiatives. The Basel Committee has brought out on December 17, 2009, two consultative documents containing key proposals that will be taken up for an impact study before adoption. These proposals cover raising quality and coverage of capital to ensure loss absorbency on a going and gone concern basis, greater stress on Tier-I and common equity component, introduction of leverage ratio, measures to deal with pro cyclicality such as capital buffers and forward looking provisioning, introduction of minimum liquidity ratios and enhanced capital for trading book securitisations and counterparty credit exposures.

    6. While our assessment is that Indian banks will be generally able to meet these enhanced requirements, it is useful to see on a rough and ready basis what the present position is in this regard. Our assessment shows that:

    The common equity component as percent of total assets stood at 7 per cent in March 2009 for Indian banking sector as against a range of 3 per cent to 4 per cent for large international banks. Total CRAR is 13.75 percent with Tier I at 9.4 per cent. Thus Indian banks are in a position to meet the growth requirements currently and have reasonable period to plan and raise required capital for future growth.

    The leverage ratio for Indian banks (including credit equivalents of off-balance sheet) was about 17 per cent in March 2009 and can be considered reasonable.

    While the SLR has stood us in good stead, banks would do well to assess their liquidity risk against the more calibrated liquidity ratios put out in the consultative document such as the proposed short term liquidity coverage ratio and long term net stable funding ratio. This should be a regular exercise for banks that have significant share of bulk deposits and CDs.

    The Basel proposals for forward looking provisioning are based on advanced approaches using through the cycle PDs etc. In India, banks are yet to adopt advanced approaches. The gross NPAs for the banking sector have increased from 2.4 per cent as on March 31, 2008 to 2.6 per cent as on September 30, 2009. In the context of the rising NPAs and the likely slippages in the restructured accounts, we had introduced the 70 per cent provisioning coverage ratio for NPAs as a forward looking requirement. Most banks currently meet this ratio. For standard assets, in alignment with the Basel proposals for forward looking provisioning, more work needs to be done based on sectoral trends and measurements of estimated loss based on something like the Spanish dynamic provisioning model.

    In the case of capital for trading book and counterparty exposures, while some enhancements have been made for forex derivatives, more work will be required for counterparty exposures and other derivatives. Nevertheless, looking at the interest rate risk for the entire balance sheet rather than the trading book alone, duration gap analysis could be a useful tool for managing interest rate risk.

    7. Let me next turn to the areas where banks need to be sensitive to risk:

    While overall, credit growth in the banking sector has been slower in the current year, certain sectors like real estate, infrastructure and NBFCs have seen higher rates of growth. Credit to commercial real estate (CRE) has fallen in the half year ended September 2009 evidencing higher risk perception. However credit to NBFCs and infrastructure continues to be high. While the country needs infrastructure financing of significant magnitude, banks that essentially mobilise short term resources do face risk on account of ALM, large size exposures and some risks beyond their control such as implementation hurdles. The emergence of long term investors such as pension and insurance funds, development of corporate bond market, and single name CDS may help in de-risking to a certain extent banks' exposures to infrastructure.

    A phenomenon that RBI has brought to attention of banks recently is the large investments by banks into debt oriented mutual funds. MFs have invested large amounts in bank CDs. Banks that have a significant part of their liabilities in form of CDs have to be sensitive to the rollover risk. Equally, banks that have large investments in MFs have to be sensitive to the liquidity risk in the event of the need for sudden redemption by large investors at the same time. This distortion - whereby MFs are apparently acting as intermediaries in what should otherwise have been intermediated in the interbank market - is something that needs to be addressed. Besides there are concerns about the direction of flow of resources through MF intermediation.

    In the case of lending to NBFCs engaged in micro finance treated as priority sector lending by banks, there is a risk that multiple lending and high interest rates could lead to deterioration in asset quality. As originators of these loans no longer have stake in them, banks would do well to assess the credit quality of these loans by better oversight at the grass root level on a sample basis.

    While banks have been diversifying their operations and are into new businesses, it is necessary to recognise the reputation risk, especially when promoting VCFs and other such funds. As is now well known, internationally many banks had previously offloaded certain items from their balance sheet to specialised investment vehicles. During the market crunch the banks had to take back those assets on their balance sheets.

    Securitisation of assets by banks in India during the year ended March 31, 2009 showed a decline of about 30% over the previous year. This might affect the profitability of banks which have been undertaking securitisation activity as one of the main business lines. However, the securitisation activity may pick up once the retail loan segment starts growing again. RBI would shortly issue guidelines on minimum retention requirement and minimum holding period for securitisable loans.

    While hedging or remaining unhedged is the prerogative of the borrowers, banks must remember that the unhedged position of their borrowers can quickly translate into severe stress on their asset quality and hence it is absolutely necessary that the unhedged position of the corporates are closely monitored and this is built into the credit and other rating assessment of the borrowers while extending facilities to them.

    Excess liquidity in the system has once again led to the familiar phenomenon of sub PLR short-term lending; banks would do well to recognise re-pricing and rollover risk.

    To remove the credit information asymmetry, RBI has taken long term steps inasmuch as it has issued in-principle authorisation for setting up four credit information companies. This may take some time to become operational. It must however be recognised that the system will function only to the extent timely and accurate information is made available and made use of. I understand that these are not happening both in providing information to CIBIL as well as making full use of the range of information available particularly for corporate credit.

    While introduction of technology in banking has increased the speed and accuracy of service delivery, it has also increased banks' vulnerability to cyber frauds. Banks need to put in place appropriate control mechanisms to prevent such frauds.

    It is necessary for the banks now to take technology from the core banking solution to a higher level to build up adequate MIS capability. Unless this is done, risk management cannot be of the highest order and banks will not be able to meet the challenge of an increasingly sophisticated financial system.

    In the area of housing loans, teaser rates are increasingly being offered which is a cause for concern. I hope banks are ensuring that borrowers are well aware of the implications of such rates and the appraisal takes into account repaying capacity of the borrowers when the rates become normal.

    Current experience worldwide has called for robust stress testing practices in the banks. Stress testing alerts bank management to adverse unexpected outcomes related to a variety of risks and provides an indication of how much capital might be needed to absorb losses should large shocks occur. In India, banks should not take stress testing exercise as a mere compliance requirement but accord due importance to it to facilitate the development of risk mitigation or contingency plans across a range of stressed conditions.

    8. To conclude, Indian banking system which has shown resilience in withstanding the global crisis is well placed to meet the requirements of the rapid inclusive growth. Even in the new paradigm under Basel, the system is well placed in terms of capital and liquidity. Strong HR and sound risk management practices will stand the banks in good stead while they strive to meet the challenges of the next decade.

    Thank you.

    1 Opening remarks of Smt. Usha Thorat, Deputy Governor, Reserve Bank of India at the Panel Discussion on Risk Management: Priorities for the Indian Banking Sector chaired by her at BANCON- Indian Banking Conclave 2009-10 on January 12, 2010 at Mumbai.

    +++++

    Changing Paradigms in Risk Management1

    http://rbidocs.rbi.org.in/rdocs/Speeches/PDFs/73020.pdf

    The world of finance has always had an intuitive understanding of risk. The risks that emerge from the increased variety and complexities of banking business, as well as from the various new drivers of growth have pushed the contours of risk management in banks much beyond what would probably have existed in the more traditional forms of banking activity of accepting deposits and lending in relatively stable environments. Internationally, the last two decades or so have witnessed significant changes in the profile of the banking sector, as well as the nature of risk management in banks. What perhaps has changed the nature of risk management, particularly are, inter-alia, advances in technology that have aided quantitative approaches to risk management, like models etc., and the increasing volumes of transactions in derivatives and other structured products that are so complex that they are often labeled exotic. India too has responded to this change, tempered with a gradualist, non disruptive approach, that has stood us in good stead over the years.

    In my brief remarks today, I intend to first, highlight few of the broader and more general issues currently engaging the financial risk management fraternity and then, move to the Indian context in this regard.

    I. Some general perspectives on risk management

    Quantification of risk and model risk: As mentioned earlier, significant developments in the area of quantification of risk, has shifted focus to statistical aspects of risk management, especially to risk modeling and other computational techniques of risk measurement. During the last decade there has been a proliferation of academic research on the use of VaR for market risk assessment. Such models have to be used with some care and serious examination of the data used, especially the use of historical data for forecasting future scenarios, the assumptions behind the models, estimation errors etc. Further, if intraday positions are not captured it would expose banks to such risks.

    Similarly in respect of Credit Risk, there is no single best practice model for credit risk capital assessment, although the Basel 2 Internal Rating Based methodology provides a portfolio model. Bank managements will have to focus on the determinants of credit risk factors, the dependency between risk factors, the integration of credit risk to market risk, data integrity issues like consistency of data over long periods, accuracy and so on.

    Institutions are already mapping events to operational loss categories and building warehouses of operational risk data for implementation of Advanced Measurement Approaches. Many data availability and reliability issues still need resolving. An internal loss experience for the important (low frequency, high severity) operational risk types is rare and any relevant data are likely to be in the form of risk self-assessments and/or external loss experiences.

    Extreme events and stress testing: One of the key roles of the risk management process is to manage extreme events, such as those associated with the tails of statistical distributions and could have probability of occurrence as low as one percent. These are low probability but high loss instances associated with extreme operational events such as rogue trading or accounting fraud. The importance of stress testing to assess the impact of not only these events but also the impact of various scenarios is engaging the attention of risk management personnel, academicians and bankers alike.

    Risk based capital and back-testing: An important reason as to why the quantitative techniques have received so much attention, is not because of the intellectual satisfaction it can give to the academician but a rather mundane reason that it can be used to convince the regulator that given the risks as measured by these techniques the amount of capital required could be far less than that may be stipulated under broad brush, standardized techniques. An immediate linkage between the risk models, the quantum of risk that is measured by use of these models and the capital that is required to support these risks immediately emerge. Estimates of capital being sufficient to meet the risk can be only as good as the models are and the credibility of the models would ultimately depend upon their actual performance. Back testing the models to gauge and reduce the variance between the deviations of the actual numbers from those projected are largely relied upon to give a degree of comfort to both management of banks and supervisors alike.

    II. Indian Perspective

    Internationally, there has been a continuous coordinated effort under the aegis of institutions like the BIS to evolve best practices in risk management in banks and these have gradually come to be accepted as some sort of international standards for banks across the world to benchmark themselves to. At the regulatory and supervisory level also, there has been an effort to achieve convergence to the best practices set out by the BCBS after duly allowing for national characteristics and feasibility. Banks have responded to this initiative with varying levels of effectiveness.

    It was in October 1999, that the Reserve Bank issued guidelines on Risk Management in banks setting out its expectations from banks; the guidelines adopted an integrated approach to risk management. Even earlier, in February 1999, banks were advised to set up an asset liability management framework to manage liquidity and interest rate risk. In this context, I would like to make following observations:

    a) The need to accelerate the speed at which banks have been moving towards establishment of risk management systems

    b) The need to achieve convergence with regulatory and supervisory expectations/requirements while deciding on the sophistication of methods to be adopted.

    c) Developing appropriate risk management architecture, MIS and skill enhancement

    d) The need to integrate risk management process with capital planning strategies


    The current business environment, with its pointed emphasis on corporate governance, is making it critical for banks to explain their risk profiles publicly with greater clarity and detail than ever before. Risk is still a complex and technical subject, so achieving transparency will not be easy. Internal constituents, analysts, ratings agencies, investors, and regulators all have varying levels of understanding of advanced risk measurement techniques. All will require continuing education before the market as a whole reaches a common understanding of risk. In particular, direct stakeholders in any transaction need to be aware of the risks involved. For the third pillar of Basle II (Market Discipline) to be efficacious, it is important that the stakeholders are aware of the risks involved in the bank's transactions and the systems in place to manage the risks. In this context, the importance of an appropriateness policy for banks offering various products to the corporate clients can't be overemphasised.

    The risk management systems developed by banks would include a lot of attention of top management to the suitability of IT structure including issues of connectivity, designing an MIS format that is risk focused, setting up an organization to manage risk that ensures segregation of risk assessment from operations, frequent review of risk management systems to ensure there is no slippage and last but not the least, to develop appropriate skills within the organization. In this context, it must be kept in view that risk management is not the sole concern of the risk management department but rather a culture that pervades the whole organization with specific support from the top management.

    III. Recent initiatives in risk management

    In India, over the years various steps have been taken to strengthen the Risk Management Architecture, both at the bank specific level as well as a broader systemic level.

    ALM Guidelines: Most banks have put in place an ALM framework. However there is lot to be done to internalize this framework as a part of the overall risk perceptions of the bank and the capital planning strategy of the bank. Issues in data infirmity still remain to some extent. In many cases, the ALCO's role remains confined to deciding on interest rates of the bank. This is partly due to lack of decision support system available to the ALCO. Availability of impact and scenario analysis of changes in yield structures would be a significant enabling factor.

    The Reserve Bank has recently issued draft guidelines to banks with the objective of graduating from the current maturity ladder approach prevalent in most banks to a duration gap approach. The latter approach makes it possible for banks to calculate the modified duration of assets and liabilities, the duration gap and duration of equity. The concept of duration of equity gives banks, subject to certain limitations, a single number indicating the impact of a one per cent change of interest rate on its capital, captures the interest rate risk and thereby helps move a step forward towards assessment of risk based capital/economic capital.

    Credit risk: Another important issue is that bank resources and supervisory resources have concentrated on credit risk modeling of commercial and industrial portfolios, with relatively fewer resources devoted to risk quantification in the retail credit area2. The possible reasons could be (i) from a systemic perspective, it makes economic sense to devote more resources to evaluating the risk factors of larger loans (ii) there is a long history of ratings agency evaluations for publicly traded firms which, along with the extensive data available for publicly traded firms, provided an extremely useful benchmark for the development of quantification methods for commercial portfolios.

    However, despite this commercial side emphasis, retail credit is a substantial part of the risk borne by the banking industry, and cannot be ignored. Recognizing this, over the last decade or so, the industry and academia have devoted significant resources to developing more sophisticated credit-scoring models for measuring this risk. Like their counterparts on the commercial side, these models also rely heavily on quantitative analysis.


    Derivatives: There has been a spurt of derivatives exposures in the off balance sheet exposures. The composition of derivatives portfolio of the banking system has also undergone a significant transformation. Forward foreign exchange contracts which accounted for around 80% of total derivatives in March 2002 declined steadily and stood at almost 43% in March 2006 while the share of interest rate contracts went up from 19% to 54% during the same period. Foreign currency options have recorded noticeable increase during the last year. The share of single currency interest rate swaps in total derivatives of the banking system has risen sharply from 15% in March 2002 to 53% in March 2006.

    The risks arising on account of OBS activities of banks are controlled through a combination of both banks' internal risk management and control policies and risk mitigation mechanism imposed by the regulators. The board approved internal control policies covering various aspects of management of risks arising both on and off balance sheet exposures constitute the first line of defence to the bank. Holding of minimum defined regulatory capital for all OBS exposures, collection of periodic supervisory data and incorporating transparency and disclosure requirements in bank balance sheet are some of the major regulatory initiatives undertaken to control and monitor OBS exposures of the banking system.

    The rapid proliferation of derivatives exposures inevitably poses a challenge on account of the downside risks associated with them, if not managed properly. There are issues relating to use of structured products, valuation, counterparty related issues, risk management and reporting issues and last but not the least, training and skill development. While derivatives facilitate risk hedging and risk transfer to institutions more willing to bear the risks, the tendency of participants to use derivatives to assume excessive leverage, and lack of prudential accounting guidelines are matters of concern.

    One of the features of the Indian derivative market relates to concentration risk in respect of both the market makers (banks) and the corporates. The combined share of top 15 banks has steadily grown from around 74% in March 2002 to 82% of total OBS exposures of the banking system in March 2006, of which 62% is accounted for by foreign banks. Concentration of knowledge is another risk which results in the concentration of derivative activity among few players.

    RBI has been stressing on the need to carry out due diligence regarding customer appropriateness and suitability of products before offering derivative products to their customers. There is need to use risk mitigation techniques such as collaterals and netting to reduce systemic risks and evolve appropriate accounting guidelines.

    RBI has also issued two separate draft guidelines, one for valuation/accounting of investment portfolio in general and the second relating to derivatives. The proposed guidelines attempt to put in place fair value accounting norms for derivatives broadly in line with IAS 39, the international accounting standard for valuation and accounting for financial instruments. For investments, the proposed framework envisages a symmetrical treatment for unrealized gains and losses, with gains for HFT being reflected in the Profit and loss account. For AFS, however, a gain or loss on subsequent measurement shall be reflected in Unrealised gain/loss on AFS portfolio. Similarly for derivatives, all valuation gains and losses are proposed to be routed either through the P&L (for less than 90 days) and/or through a new account titled 'Unrealised gains/losses on derivatives' (90 days and more), somewhat similar to AFS portfolio. The idea is to bring all derivative transactions 'on-balance sheet' as against 'off-balance sheet' as is being done currently.

    Further, in order to address all issues related to derivatives in a comprehensive manner, we are now in the process of harmonizing the regulatory prescriptions based on generic principles rather than approving specific products.

    Stress Testing: The Governor in his Monetary Policy for 2006-07 had stressed the need for banks to have robust stress testing process for assessment of capital adequacy given various possible events like economic downturns, industrial downturns, market risk events and sudden shifts in liquidity conditions. Similarly exposures to sensitive sectors and high risk category of assets would have to be subjected to more frequent stress tests based. Stress tests would enable banks to assess the risk more accurately and, thereby, facilitate planning for appropriate capital requirements.

    Subsequently RBI has issued draft guidelines on stress testing. These guidelines cover all major risk areas viz. market risks, credit risks, operational risks and liquidity funding risk. Banks are required to identify an appropriate range of realistic adverse circumstances and events in which the identified risk crystallises and estimate the financial resources needed by it under each of the circumstances to: a) meet the risk as it arises and for mitigating the impact of manifestation of that risk; b) meet the liabilities as they fall due; and c) meet the minimum CRAR requirements. It may be pertinent to note that the banks have been advised to apply stress tests at varying frequencies dictated by their respective business requirements, relevance and cost.

    Financial Conglomerates: There is increasingly a need to extend the framework of risk management to the group wide level, particularly among financial conglomerates. The rapid expansion of financial services, both in terms of volumes and variety have, as it is, posed a challenge for financial stability. This is made all the more difficult by the organisational dimension which perhaps provides scope for regulatory arbitrage. While this could appear beneficial to the organisation in the short run, it only heightens systemic risk that in turn exposes the institution to externalities which have a cost. There has been entry of some banks into other financial segments like merchant banking, insurance and several new players have emerged who have a diversified presence across major segments of financial sector. Some of the non-banking institutions in the financial sector can acquire proportions large enough to have a systemic impact. It has, therefore, become necessary not only for the supervisor to have a conglomerate approach to regulation and supervision but also for banks themselves to put in place risk management systems at global levels i.e. for the whole organization as a whole, rather than only the bank level. The risks associated with conglomeration may include:

    1. The moral hazard associated with the Too-Big-To-Fail position of many financial conglomerates;

    2. Contagion or reputation effects on account of the 'holding out' phenomenon;

    3. Concerns about regulatory arbitrage, non-arm's length dealings, etc. arising out of Intra-group Transactions and Exposures (ITEs), both financial and non-financial.

    It is in this context that the issue of integrated risk management, at the enterprise-wide as well as group-wide level, acquires significance. RBI has put in place a framework for oversight of financial conglomerates, along with SEBI and IRDA. Half-yearly discussions have also been initiated with the Chief Executive Officers of the designated entities of the conglomerates to address outstanding issues / supervisory concerns.

    IV. To conclude, at the systemic level, efforts have been made to create an enabling environment for all market participants in terms of regulation, infrastructure and instruments. In this context, let me mention two recent legislative developments that may have far-reaching impact on the financial markets in India. One is the promulgation of the RBI (Amendment) Act, 2006. A major issue of concern in the OTC derivatives market in India was the issue of legality. While the Securities Contract Regulation Act, 1956 gave specific legal recognition to derivative instruments traded in the exchanges, there was no explicit legal recognition of OTC derivatives in India. As legal clarity is a basic requirement for the healthy development of any market, legality of OTC derivatives was provided by an appropriate amendment to the RBI Act, with retrospective effect. RBI has also now been empowered to regulate the interest rate and forex OTC derivatives market. The second legislative development pertains to the enactment of the Government Securities Bill. The substantive changes brought about in the Government Securities Act are that it provides for hypothecation, pledge and lien of government securities, maintenance of records in electronic form and, most importantly, enables STRIPing of Government securities.


    Further, during the last few months, a few liberalization measures have been introduced in the securities market that would surely have a bearing on the risk management practices in the market, the most important being the introduction of 'when issued' trading and short selling in the G-Sec markets in a limited way. Currently the 'when issued' trading is limited to reissuances only. We are examining extending this to new issuances also, as requested by market participants.

    What has developed incrementally over the years is now being consolidated and once the regulations, infrastructure and appropriate accounting standards stabilize, several other initiatives like credit derivatives could be considered.

    1 Special Address by Smt. Shyamala Gopinath, Deputy Governor at the FICCI-IBA Conference on "Global Banking: Paradigm Shift", September 27, 2006, Mumbai.

    2 "Credit Risk Modeling: The Federal Reserve Bank of Philadelphia's Perspective", Anthony M. Santomero, President, Federal Reserve Bank of Philadelphia

    +++++

    http://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=546

    INDIA'S FINANCIAL SECTOR: AN ASSESSMENT, Volume IV

    Advisory Panel on Financial Regulation and Supervision

    (Committee on Financial Sector Assessment, March 2009)

    Chapter III

    Assessment of Adherence to Basel Core Principles

    Box 3.1: Basel Core Principles

    The Basel Core Principles comprise 25 principles that need to be in place for a regulatory and supervisory system to be effective. The principles relate to the following:

    Principle 1: Objectives, independence, powers, transparency and co-operation

    Principles 2 to 5: Licensing and structure

    Principle 2: Permissible activities

    Principle 3: Licensing criteria

    Principle 4: Transfer of significant ownership

    Principle 5: Major acquisitions

    Principles 6 to 18: Prudential requirements and risk management

    Principle 6: Capital adequacy

    Principle 7: Risk management process

    Principle 8: Credit risk

    Principle 9: Problem assets, provisions and reserves

    Principle 10: Large exposure limits

    Principle 11: Exposure to related parties

    Principle 12: Country and transfer risks

    Principle 13: Market risk

    Principle 14: Liquidity risk

    Principle 15: Operational risk

    Principle 16: Interest rate risk in banking book

    Principle 17: Internal control and audit

    Principle 18: Abuse of financial services

    Principles 19 to 21: Methods of ongoing supervision

    Principle 19: Supervisory approach

    Principle 20: Supervisory techniques

    Principle 21: Supervisory reporting


    Principle 22: Accounting and disclosures

    Principle 23: Corrective and remedial powers of supervisors

    Principles 24 and 25: Consolidated supervision and cross border banking

    Principle 24: Consolidated supervision

    Principle 25: Home-host relationship

    4.2 Summary Assessment of Commercial Banks

    For the purpose of this assessment, the 25 Basel Core Principles for regulation and supervision of institutions have been broadly categorised as under:

    (i) Objectives, autonomy and resources (Principle 1)
    (ii) Licensing criteria (Principles 2-5)
    (iii) Prudential requirements and risk management (Principles 6-18)
    (iv) Methods of ongoing supervision (Principles 19-21)
    (v) Accounting and disclosure (Principle 22)
    (vi) Corrective remedial powers (Principle 23)
    (vii) Consolidated and Cross border banking (Principles 24-25)

    The summary assessment of adherence to Basel Core Principles in respect of regulation and supervision of commercial banks under the above mentioned broad categories is given below.

    Table 8: Summary Assessment of Commercial Banks

    S No. | Principle | C | LC | MNC | NC

    Objectives, autonomy and resources
    1 Objectives, independence, powers, transparency and co-operation

    Licensing criteria
    2 Permissible activities
    3 Licensing criteria
    4 Transfer of significant ownership
    5 Major acquisitions

    Prudential requirements and risk management
    6 Capital adequacy
    7 Risk management process
    8 Credit risk
    9 Problem assets, provisions and reserves
    10 Large exposure limits
    11 Exposure to related parties
    12 Country and transfer risk
    13 Market risk
    14 Liquidity risk
    15 Operational risk
    16 Interest rate risk in banking book
    17 Internal control and audit
    18 Abuse of financial services

    Methods of ongoing supervision
    19 Supervisory approach
    20 Supervisory techniques
    21 Supervisory reporting
    22 Accounting and disclosure
    23 Corrective and remedial powers of supervisors

    Consolidated supervision and cross-border banking
    24 Consolidated supervision
    25 Home host relationship

    Total | 7 | 11 | 6 | 1

    C - Compliant, LC - Largely Compliant, MNC - Materially Non-Compliant, NC - Non-Compliant

    4.3 Recommendations

    In light of the gaps observed in its assessment of adherence to Basel Core Principles on the regulation of commercial banks, the Panel has made certain recommendations to strengthen the regulation and supervision of these entities.


    These are as under:

    4.3.1 Constitution of Bank Boards

    As per Section 10A(2)(b) of the Banking Regulation Act, 1949, directors5 on a bank's board should not have substantial interest in a company or firm. As per Section 5(ne) of the Banking Regulation Act, 1949, substantial interest6 means a paid-up amount exceeding Rs. 5 lakh or 10 per cent of the paid-up capital of the company, whichever is less. The low amount of Rs. 5 lakh acts as a constraint for having directors with requisite expertise on banks' boards.

    The Panel recommends that these guidelines need to be reviewed and the limits defining substantial interest revised upwards so that banks can attract individuals with requisite expertise on their boards.

    4.3.2 Internal Capital Adequacy Assessment Process (ICAAP)

    The Boards of banks have been advised to have an approved policy on the Internal Capital Adequacy Assessment Process (ICAAP) and to allocate capital as per the assessment. But progress in this regard is limited to a parallel run of the revised framework. The Internal Capital Adequacy Assessment Process is yet to be implemented.

    The Panel expects that this would be implemented consequent to the full migration of commercial banks to the Revised International Capital Framework (Basel II) as stipulated by the Basel Committee on Banking Supervision (The Panel notes that the Reserve Bank has since issued guidelines on the internal capital adequacy assessment process as part of the supervisory review process under Pillar II of Basel II which is currently applicable to banks with overseas operations and foreign banks. The guidelines would be applicable to all other banks from March 31, 2009).

    4.3.3 Risk Modelling

    In terms of the extant guidelines, the use of internal models for risk management is not specifically mandated. Consequently, there is no system of periodic validation and independent testing of models and systems in the banks.

    The Panel feels that a rigorous model-building exercise is needed. This will enable banks to adopt a more advanced Internal Rating Based (IRB) approach in respect of credit risk and an Advanced Measurement Approach (AMA) for operational risk. If a bank intends to take recourse to the IRB or AMA approach for assessing credit and operational risks respectively, it should have appropriate forward-looking models in place which should be validated periodically. The Panel recognises the need for capacity building in respect of banks and the Reserve Bank as the prime precondition in this regard.

    4.3.4 Credit Risk

    The Reserve Bank issued detailed guidelines on credit risk management in October 2002 which include putting in place policies and processes for identification, measurement, monitoring and control of credit risk. However, the guidelines do not require that banks' credit risk management policies / strategies should also include counterparty credit risk arising through various financial instruments.

    The Panel recommends issuance of suitable guidelines on credit risk to include counterparty risk arising through various financial instruments.

    5 This is applicable to only 51 per cent directors having specialised qualification.

    6 Substantial interest in SSIs are excluded.

    4.3.5 Provisioning for Sub-standard Loans

    (i) The Reserve Bank has issued detailed guidelines on income recognition and asset provisioning. As per extant guidelines, provisioning is not done on an individual basis in respect of the substandard category of NPAs.

    The Panel feels that keeping in view the cost of compliance, the present stipulations could continue for the present. However, considering the very large number of low value NPAs which are substandard, if at all provisioning has to be done individual account-wise, a cut-off level should be set above which all accounts can be provided for individually. This cut-off level above which all substandard assets have to be provisioned for may be lowered in a phased manner.

    (ii) As per extant guidelines on provisioning, banks are required to make up to two per cent provision on standard assets, while NBFCs do not need to make any provision on standard assets.

    The Panel recommends a review of norms be made to reduce the possibility of regulatory arbitrage across categories of financial institutions.


    4.3.6 Exposure to the Capital Market

    Globally, capital market exposure is measured based on risk and not quantitative limits. However, in India capital market exposure cannot exceed 40 per cent of the net worth, and the limit for lending to individuals is Rs. 10 lakh (Rs. 20 lakh in demat form) which appears to be low. Further, a uniform margin of 50 per cent is applied on all advances / financing of IPOs / issue of guarantees on behalf of stockbrokers and market makers.

    The Panel recommends a review of these limits periodically keeping in view the associated risks arising out of such exposures.

    4.3.7 Liquidity Risk

    (i) The Reserve Bank has issued detailed guidelines on liquidity risk and banks have a liquidity management strategy in place. However, the effect of other risks on banks' overall liquidity strategy is not covered in the guidelines.

    The Panel feels that the enhancement of knowledge and quantitative skills in the banking industry is an essential pre-requisite for analysing contagion risk. The banking sector is at a stage where it has initiated the implementation of simple and standardised risk management techniques. An impact analysis of other risks on liquidity at this juncture would therefore appear premature. The Panel also recognises the existence of diverse risk management techniques across the banking sector. It recommends that the implementation of contagion risk management techniques be undertaken in a phased manner. To begin with, it could be mandated for those banks that are in possession of appropriate skill sets. The Panel also recommends that banks should initially concentrate on knowledge and quantitative skill enhancement and fix a reasonable timeframe, say two years, before undertaking such forward-looking analysis of contagion risk.

    (ii) The extant guidelines on liquidity risk issued by the Reserve Bank are confined to the rupee balance sheets of banks.

    The Panel recommends that the Reserve Bank should consider issuing guidelines on liquidity risk which would also cover foreign exposures of banks.

    4.3.8 Operational Risk

    Though various aspects relating to operational risk are covered sufficiently in the Annual Financial Inspection reports for commercial banks, there is no reporting mechanism in place whereby the supervisor is kept informed of developments affecting operational risk in banks on an ongoing basis.

    The Panel recommends that the Reserve Bank should put in place a mechanism whereby banks are required to report developments affecting operational risk to the supervisor.

    4.3.9 Interest rate risk in Banking Book

    Commercial banks have migrated to Basel II guidelines in phases beginning March 31, 2008. The identification, measurement, monitoring and control of interest rate risk in banking books is part of the stipulations mandated in Pillar II of the Revised Capital Framework and is not mandated at present.

    The Panel recommends that the issuance of guidelines relating to the management of interest rate risk in banking books, post-migration to Basel II, could be based on the modified duration approach for the measurement of interest rate risk in banking books as suggested by the Basel Committee (The Panel notes that Reserve Bank has since issued guidelines on interest rate risk in banking books as part of the supervisory review process under Pillar II of Basel II which is currently applicable to banks with overseas operations and foreign banks. The guidelines would be applicable to all other banks from March 31, 2009).

    4.3.10 Notification of adverse information

    The Panel observes that there are no guidelines issued by the Reserve Bank which explicitly provide for the supervisor to ensure that banks notify the Reserve Bank as soon as they become aware of any material information which may negatively affect the fitness and propriety of a board member or a member of the senior management. At present this is being done on a voluntary basis.

    The Panel recommends that the Reserve Bank issue specific guidelines in this regard that mandate banks to notify the Reserve Bank as soon as they become aware of any material information which may negatively affect the fitness and propriety of a Board member or a member of the senior management.


    4.3.11 Appropriate skills in the back-office of the Bank Treasury

    Though the Reserve Bank has issued guidelines periodically on the segregation of duties and responsibilities in the front office, mid-office and back office for treasury operations, it is not being determined whether there is an appropriate balance of skills and resources in back office and control functions relative to the front office. Though this aspect is looked into during the on-site inspection of banks, there is no specific mandate in the inspection manual in this regard.

    The Panel recommends that the Reserve Bank issue appropriate guidelines to banks stressing the maintenance of such a balance by banks. It also recommends the incorporation in the inspection manual of a suitable provision mandating on-site inspectors to specifically comment on this aspect in their reports.

    4.3.12 Risk-Based Supervision

    The current supervisory mechanism consists of monitoring banks through on-site inspections and off-site returns obtained from them, and through periodic meetings with bank officials. The on-site supervisory mechanism adopted by the Reserve Bank is the CAMELS (Capital Adequacy, Asset Quality, Management, Earnings, Liquidity and Systems and Control) approach for domestic banks and CALCS (Capital Adequacy, Asset Quality, Liquidity, Compliance and Systems and Control) for foreign banks. These banks are rated on the CAMELS/CALCS model based on the on-site inspection by the Reserve Bank. However, the CAMELS/CALCS rating does not clearly reflect the risk profile of the bank, and does not pinpoint the risks where the bank might be vulnerable or areas of risk where the bank has mitigating mechanisms to take care of the risks. Though a parallel run of Risk Based Supervision (RBS) is in progress for select banks, it is not yet mandated as a supervisory mechanism.

    The Panel recommends a quicker adoption of the techniques and methodology of RBS. This will appropriately profile the bank, highlighting the risks and vulnerabilities it faces. Based on its assessment, the supervisory cycle for banks can then be determined. The Panel also recommends a further strengthening of off-site surveillance which is a pre-condition for the effective adoption of techniques and methodology of RBS.

    4.3.13 Qualitative Disclosure

    The Reserve Bank has issued detailed guidelines on accounting and disclosure norms and it is also satisfied that banks maintain adequate records drawn up in accordance with these accounting policies. However, though extant guidelines do require qualitative disclosure on risk management aspects, they are yet to be implemented.

    The Panel recommends that there should be expeditious implementation of guidelines regarding qualitative disclosures, concurrent with full migration to Basel II. (The Panel notes that guidelines have since been issued mandating Indian banks with foreign operations and foreign banks to have formal Board approved disclosure policy from March 31, 2008 and for others from March 31, 2009).

    4.3.14 Prompt Corrective Action

    A concept Prompt Corrective Action (PCA) framework has been introduced by the Reserve Bank whereby it can initiate a set of actions against banks based on trigger points relating to the CRAR, Net NPA Ratio and Return on Assets. While the PCA framework has prescribed broad triggers, there is no specified timetable for initiating the mandatory actions and the discretionary actions.

    The Panel feels that the guidelines on the PCA framework should provide for an appropriate timeline for initiating mandatory and discretionary actions to follow the identified triggers. If necessary, this could be finalised in consultation with the Government.

    4.3.15 Consolidated Supervision

    The Reserve Bank has issued a circular in February 2003 on consolidated accounting to facilitate consolidated supervision. Accordingly, banks that have subsidiaries are required to file consolidated financial statements and half-yearly consolidated prudential returns to the Reserve Bank. Though the Reserve Bank has the power to define the range of activities of the consolidated group, it does not have the power to cause inspections of any entity within the banking group which is not under its regulatory purview. The Panel recognises that the insertion of Section 29(A) (Power in respect of associated enterprise) in the Banking Regulation Act (Amendment) Bill 2005 would empower the Reserve Bank to conduct consolidated supervision. The Panel recommends expeditious passage of the Amendment Bill in Parliament.

    +++++


    DOCUMENTS from other sources

    http://onlineassociate.net/doc/Bank-Risk-Assessment/

    Federal Financial Institutions Examination Council, US (FFIEC) IS Examination Handbook

    RISK ASSESSMENT QUESTIONNAIRES

    Purpose: To establish a risk rating for systems in a bank, and then rank the system by risk.

    Sources: Concepts obtained from FFIEC IS Examination Handbook, OCC Bulletin 98-3, and OCC Bulletin 99-9.

    Methodology: Collect responses from business and IT areas using the two questionnaires shown below. Use the Reference Chart shown below to understand how the information collected in the questionnaires can be used to assign risk ratings on the Risk Chart. Using a numeric risk rating that makes sense in your environment (we use a scale of 1-5, with 5 being a high risk), assign a numeric rating to each row item. When you have completed a chart for each system within your environment, you will be able to rank the systems by risk exposure.

    System Name ________________

    Risk Chart

    Columns: Risk Factors; Explanation; Rating

    1. Quantity of Risk

    Transaction Dollar Exposure
    Transaction Volume
    Complexity of Hardware and Software
    Volume and Risk exposures relative to internal control exceptions
    Potential for financial loss due to: error or fraud; competitive disadvantage; incomplete information; operational disruption; or personnel factors (experience / staffing / turnover).
    Out-sourcing (Controls over external activities)
    Internet or other new business activities

    2. Quality of Risk

    Separation of Risk Taking and Risk Management responsibilities
    Ongoing Risk Identification and Risk Measurement Systems to monitor risk
    Policies for oversight responsibility of the systems and Policies for Systems Development and Policies for Change Management
    Monitoring Systems Capacity
    Assuring the Integrity and Security of Systems
    Documenting System (programming) History
    Effective Internal Accounting Controls
    Effective Recovery Planning, Training & Testing

    Other Risks Which Are Identified by the Auditor
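The rating-and-ranking step of the methodology above, as an added example that is not part of the questionnaire or of the FFIEC handbook. The page only says to rate each row 1-5 and rank the systems; summing the rows, counting an unrated row as 5, the short key names and the sample charts are assumptions made here.

```python
"""Rank systems by risk exposure from completed Risk Charts (added example)."""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # the page's scale: 1-5, with 5 being a high risk

# Row items of the Risk Chart. The short key names are this example's own; the
# free-form "Other Risks Which Are Identified by the Auditor" row is left out.
RISK_CHART = {
    "quantity": [
        "transaction_dollar_exposure",
        "transaction_volume",
        "hw_sw_complexity",
        "control_exceptions",
        "financial_loss_potential",
        "outsourcing",
        "internet_new_business",
    ],
    "quality": [
        "separation_of_duties",
        "risk_identification_measurement",
        "oversight_sdlc_change_policies",
        "capacity_monitoring",
        "integrity_and_security",
        "system_history_documentation",
        "internal_accounting_controls",
        "recovery_planning_testing",
    ],
}
ALL_FACTORS = [row for rows in RISK_CHART.values() for row in rows]


@dataclass
class ChartScore:
    system: str
    subtotals: dict
    total: int
    missing: list = field(default_factory=list)    # rows nobody rated
    top_rated: list = field(default_factory=list)  # rows rated SCALE_MAX

    @property
    def complete(self):
        return not self.missing


def score_chart(system, ratings):
    """Validate one system's chart and total it per section."""
    unknown = sorted(set(ratings) - set(ALL_FACTORS))
    if unknown:
        raise ValueError(f"{system}: unknown risk factor(s): {unknown}")
    subtotals, missing, top_rated = {}, [], []
    for section, rows in RISK_CHART.items():
        subtotal = 0
        for row in rows:
            value = ratings.get(row)
            if value is None:
                # Assumption: an unrated row counts as worst case, so a
                # half-finished chart cannot make a system look low-risk.
                missing.append(row)
                value = SCALE_MAX
            elif type(value) is not int or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{system}: {row}={value!r} is outside {SCALE_MIN}-{SCALE_MAX}")
            elif value == SCALE_MAX:
                top_rated.append(row)
            subtotal += value
        subtotals[section] = subtotal
    return ChartScore(system, subtotals, sum(subtotals.values()), missing, top_rated)


def rank_systems(charts):
    """Highest exposure first; ties broken by count of top-rated rows, then name."""
    scores = [score_chart(name, ratings) for name, ratings in charts.items()]
    return sorted(scores, key=lambda s: (-s.total, -len(s.top_rated), s.system))


# Constructed sample charts (not data from the page). card_switch has only
# five of its fifteen rows rated.
SAMPLE_CHARTS = {
    "wire_transfer": dict(zip(ALL_FACTORS, [5, 4, 3, 2, 4, 1, 2, 2, 2, 3, 2, 3, 2, 2, 3])),
    "internet_banking": dict(zip(ALL_FACTORS, [3, 5, 4, 3, 4, 4, 5, 3, 3, 3, 3, 4, 3, 2, 3])),
    "card_switch": {
        "transaction_dollar_exposure": 4,
        "transaction_volume": 4,
        "hw_sw_complexity": 3,
        "separation_of_duties": 3,
        "risk_identification_measurement": 3,
    },
}

if __name__ == "__main__":
    for rank, s in enumerate(rank_systems(SAMPLE_CHARTS), start=1):
        flag = "" if s.complete else f"  INCOMPLETE: {len(s.missing)} row(s) unrated"
        print(f"{rank}. {s.system:<17} total={s.total:<3} {s.subtotals}{flag}")
```

A plain sum of the rated rows would put the half-finished card_switch chart last; with unrated rows counted at 5 it ranks first and is flagged incomplete, which is the prompt to go back and finish the questionnaires.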

    Reference Chart (Risk Chart with References to the Questionnaires)


    Columns: Risk Factors; Explanation; Rating; Source (Where the risk is mentioned); IT Risk Questionnaire Item; Business Area Questionnaire Item

    1. Quantity of Risk

    Transaction Dollar Exposure | 2 | FFIEC IS Exam Handbook page 2-2

    Transaction Volume | 2 | FFIEC IS Exam Handbook page 2-2

    Complexity of Hardware and Software | 3 4, 12 | FFIEC IS Exam Handbook page 2-2

    Volume and Risk exposures relative to internal control exceptions | 6, 8 3 | FFIEC IS Exam Handbook page 2-2

    Potential for financial loss due to: error or fraud; competitive disadvantage; incomplete information; operational disruption; or personnel factors (experience / staffing / turnover). | 4, 6 1, 3, 5, 10 | FFIEC IS Exam Handbook page 2-2

    Out-sourcing (Controls over external activities) | 1 6 | FFIEC IS Exam Handbook page 2-3

    Internet or other new business activities | 8 12 | FFIEC IS Exam Handbook page 2-3

    2. Quality of Risk

    Separation of Risk Taking and Risk Management responsibilities | 8, 16 | FFIEC IS Exam Handbook page 2-3

    Ongoing Risk Identification and Risk Measurement Systems to monitor risk | 8, 9 13, 14, 15 | FFIEC IS Exam Handbook pages 2-3 to 2-4

    Policies for oversight responsibility of the Systems and Policies for Systems Development and Policies for Change Management | 4, 7 1, 15 | OCC 98-3 (p. 11, 12)

    Monitoring Systems Capacity | 5 1 | FFIEC IS Exam Handbook pages 2-3, 2-4

    Assuring the Integrity and Security of Systems | 4 7, 9, 15 | FFIEC IS Exam Handbook page 2-4

    Documenting System (programming) History | 2 | FFIEC IS Exam Handbook page 2-4

    Effective Internal Accounting Controls | 8 | FFIEC IS Exam Handbook page 2-4

    Effective Recovery Planning, Training & Testing | 6 10, 11 | OCC 99-9, OCC 98-3 (p. 11, 12)

    Other Risks Which Are Identified by the Auditor

    System Name ________________

    BUSINESS AREA QUESTIONNAIRE

    1. Does the capacity and functionality of this system support the Bank's strategic objectives?


    2. What are the high risk conditions in your area? Please quantify the potential dollar exposure related to misuse or errors connected to operating this system. How many transactions are created in your area using this system (please define your answer in the time frame which you judge to be most meaningful, daily, weekly, quarterly, etc.)?

    3. What are the primary controls you use to monitor business processed through this system? Which of these do you consider to be high risk? Are the controls effective (i.e., timely, accurate, meaningful, etc.)? Have there been any control exceptions this year which were not caught by this system's controls?

    4. How many changes to this system have been implemented this year (both hardware and software)?

    5. How would you rate the potential for financial loss due to any of the following:

    Human error or fraud: low medium high
    Competitive disadvantage: low medium high
    Incomplete information: low medium high
    Operational disruption: low medium high

    Please provide reasonable details regarding your responses:

    6. Is the development or administration of this system outsourced? Do you feel that control over the outsourcing arrangements is adequate to provide safe and efficient services?

    7. Who in your department is in charge of monitoring the security of this system? Who is the backup? To whom are security problems reported?

    8. Does the system support your requirements for: administrative controls (e.g., transaction controls, limit controls, accounting controls, etc.); and due diligence assessments?

    9. Is IT support for this system adequate?

    10. Are the Bank's training support and user documentation for this system adequate?

    11. When was the last business recovery test which involved this system? Was this system described in the recovery test plans, logs, and sign-offs from that test? Are there output samples from this system which were made during that test?

    12. Are new systems or significant system changes planned for the remainder of this year, or next year?

    13. What are the most significant threats to this system? Would they include some of the following: denial or disruption of systems services, unauthorized monitoring of systems services, disclosure of proprietary or private information, modification or destruction of related computer capabilities (i.e., programming codes, networks, databases), and the manipulation of computer or communications services resulting in fraud, financial loss or other criminal violations?

    14. Does this system support your departmental goals to comply with banking reporting requirements and regulations, customer privacy, and other compliance-related business objectives?

    15. What would be the best way to improve security or quality for this system?

    16. Do you have risk taking and/or risk management responsibility? If so, how is the separation of risk taking and risk management responsibilities enforced or monitored by the system? Is this an effective control?

    System Name ________________

    IT Questionnaire

    1. How many years' experience does the IT staff have supporting this system? How many people are qualified to support this system? If system support is outsourced, please state the vendor name and contact information here.

    2. How would you rate the systems documentation for this system? Poor, average, great?

    3. How often was this system changed last year? No changes, fewer than six changes, six or more changes?

    4. What are the IT controls for assuring the security of this system? Do they address risks (identified in OCC 99-9) such as entering data incorrectly, changing data, deleting data, destroying data or programs with logic bombs, crashing systems, holding data hostage, destroying hardware or facilities? Who is in charge of monitoring the security of this system? Who is the backup? To whom are security problems reported?

    5. What are the IT controls for assuring the system's capacity, and the integrity or quality of this system? Who is in charge of monitoring the integrity or quality of this system? Who is the backup? To whom are integrity or quality problems reported?

    6. What are the IT controls for assuring the continuity and rapid recovery of this system? When was the last recovery test for this system? Is this system described in the recovery test plans, logs, and sign-offs from that test? Are there output samples from this system which were made during that test?

    7. Are significant system changes planned for the remainder of this year or in the next year?

    8. What are the most significant threats to this system? Would they include some of the following (as noted in OCC 99-9): denial or disruption of systems services, unauthorized monitoring of systems services, disclosure of proprietary or private information, modification or destruction of related computer capabilities (i.e., programming codes, network databases), and the manipulation of computer or communications services resulting in fraud, financial loss or other federal criminal violation?

    9. What would be the best way to improve security or quality for this system?