risk management in bank project

7/30/2019 RISK MANAGEMENT IN BANK pROJECT

1/62

A

REPORT ONMANAGEMENT

RESEARCH PROJECT

RISK

MANAGEMENT

IN BANKS

SUBMITTED TO: SUBMITTED BY:PROF. DEVESH KUMAR VIKAS BHARGAV

FACULTY & MRP GUIDES 04 BS 2570

IBS, CHANDIGARH.

1


2/62

INDEX

Synopsis.3

Objective4

Limitations.4

Methodology.5

Schedule5

References.5

Introduction..6

Banking services...8

Risk management11

Credit risk20

Risk management in ICICI Bank34

Risk management in State Bank Of India...... 58

2


3/62

SYNOPSIS

Risk management is the process of measuring, or assessing risk and then developing

strategies to manage the risk. In general, the strategies employed include transferring therisk to another party, avoiding the risk, reducing the negative affect of the risk, andaccepting some or all of the consequences of a particular risk. Financial riskmanagement, on the other hand, focuses on risks that can be managed using tradedfinancial instruments. Regardless of the type of risk management, all large corporationshave risk management teams and small groups and corporations practice informal, if notformal, risk management.

In ideal risk management, a prioritization process is followed whereby the risks with thegreatest loss and the greatest probability of occurring are handled first, and risks withlower probability of occurrence and lower loss are handled later. In practice the process

can be very difficult, and balancing between risks with a high probability of occurrencebut lower loss vs. a risk with high loss but lower probability of occurrence can often bemishandled.

Risk management also faces a difficulty in allocating resources properly. This is the ideaofopportunity cost. Resources spent on risk management could be instead spent on moreprofitable activities. Again, ideal risk management spends the least amount of resourcesin the process while reducing the negative effects of risks as much as possible.

Risk management in banks

With growing competition and fast changes in the operating environment impacting thebusiness potentials, banks are compelled to constantly monitor and review their approachto ``credit'', the main earning asset in the balance sheet. With compulsions at peer level inthe international standards, the Reserve Bank of India as the central bank has beenemphasizing, in the recent years, on risk management and recently, issued a timelywarning to bank managements to focus on the efforts for installing effectivesystems forcontrol of risks, through calling for certification regarding compliance on these aspects.

The first circular of RBI introducing ALM (Asset Liability Management) for banks asmandatory, was issued in September 1998; given the history of banking in India and thecomfort of insulated economy, awareness on the relative implications is yet to perceivewhile the RBI itself is administering the relative regulatory measures in phases. It is notsimply the banking industry but change in the environment, like the legal structure,market imperfections including the depth of the market and tax structure, need to keeppace for the requirements. However, bank managements are yet to grapple with what isbefore them while towards the exercise, the first step namely establishing a data base isbeing initiated.

3
http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Measurement&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Risk+assessment&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Risk&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Strategy&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Financial+risk+management&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Financial+risk+management&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Loss&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Probability&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Opportunity+cost&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Measurement&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Risk+assessment&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Risk&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Strategy&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Financial+risk+management&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Financial+risk+management&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Loss&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Probability&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Opportunity+cost&gwp=8&curtab=2222_1


4/62

Pertaining to risk management in credit portfolio, it is not as though banks are notconscious of the various risk elements - in fact, all these phraseologies are repeated allover from time to time in different context. Such comprehension requires to be translatedinto practice by evolving systems for control/administration.

So, this project comprises understanding the procedure of the risk management carried bythe banks in order to maintain their assets and liability position and also to compete wellin the market in lieu of guidelines provided by the RBI .In this study we would do studyvarious risks such as credit risk, market risk, liquidity risk and operational risk as well.This project would describe how banks work against these risks and try to minimize it inorder to maximize the profit margin. Also the banks management and various

departments in regard to manage these kinds of risks. We would also study theguidelines provided by RBI in regard to Risk Management procedure that to be followedby Nationalized and Private Banks also NBFCs.

In the project we would describe the risk management process that been carried by banks

and also ALM structure in order to control upon assetsliability position in the banks inorder to keep eye on liquidity position of banks and also wewould see which tools ormethods are being used by banks in order to control risk and maximize profitability.

OBJECTIVE

1. To study and analyze the Risk Management procedure in Banks.2. To study different types of tools such as VAR.3. To study the guidelines provided by RBI.4. To check Assets-Liability position of the Banks.5. To study the liquidity position of the Banks.

LIMITATIONS

If risks are improperly assessed and prioritized, time can be wasted in dealing with risk oflosses that are not likely to occur. Spending too much time assessing and managingunlikely risks can divert resources that could be used more profitably. Unlikely events do

occur, but if the risk is unlikely enough to occur, it may be better to simply retain the risk,and deal with the result if the loss does in fact occur.

Prioritizing too highly the Risk management processes it could potentially keep anorganization from ever completing a project or even getting started. This is especiallytrue if other work is suspended until the risk management process is considered complete.

4


5/62

So the limitation of the project would be as follows:-

1. To assure whether the data would be accurate or not.2. To see whether the tools which will be used for analysis would be correct

or not.

3. Different methods of each Bank to control Risk

PROPOSED METHODOLOGY

The methodology that would be used in the project as follows:-

Sample Size: - Two Banks.Sampling Method: - Random Sampling Technique.

Research Methodology: - Personal Meeting With Banks Personnel for collecting Dataand analyzing the process of Risk Management.

SCHEDULE

PARTICULARS SCHEDULED DATE

Meeting with Banks 12th of December 2005

Collecting and Analysis of Process 20th of January 2006

Preparation of Final Report 18th of March 2006

REFRENCES

1. Risk Management in Banks by ICMR press.2. RBI Guidelines and Journals.3. www.google.co.in4. www.bambooweb.com

5. www.rbi.org.co.in6. www.icicibank.com7. www.sbi.co.in8. www.infoscouts.com9. www.kpmg.com

5
http://www.google.co.in/http://www.bambooweb.com/http://www.rbi.org.co.in/http://www.icicibank.com/http://www.sbi.co.in/http://www.infoscouts.com/http://www.google.co.in/http://www.bambooweb.com/http://www.rbi.org.co.in/http://www.icicibank.com/http://www.sbi.co.in/http://www.infoscouts.com/


6/62

INTRODUCTION

Banking, the business of providing financial services to consumers and businesses. Thebasic services a bank provides are checking accounts, which can be used like money to

make payments and purchase goods and services; savings accounts and time deposits thatcan be used to save money for future use; loans that consumers and businesses can use topurchase goods and services; and basic cash management services such as check cashingand foreign currency exchange. Four types of banks specialize in offering these basicbanking services: commercial banks, savings and loan associations, savings banks, andcredit unions.

A broader definition of a bank is any financial institution that receives, collects, transfers,pays, exchanges, lends, invests, or safeguards money for its customers. This broaderdefinition includes many other financial institutions that are not usually thought of asbanks but which nevertheless provide one or more of these broadly defined banking

services. These institutions include finance companies, investment companies,investment banks, insurance companies, pension funds, security brokers and dealers,mortgage companies, and real estate investment trusts. This article, however, focuses onthe narrower definition of a bank and the services provided by banks in Canada and theUnited States. (For information on other financial institutions, see Insurance; InvestmentBanking; and Trust Companies.)

Banking services are extremely important in a free market economy such as that found inCanada and the United States. Banking services serve two primary purposes. First, bysupplying customers with the basic mediums-of-exchange (cash, checking accounts, andcredit cards), banks play a key role in the way goods and services are purchased. Without

these familiar methods of payment, goods could only be exchanged by barter (trading onegood for another), which is extremely time-consuming and inefficient. Second, byaccepting money deposits from savers and then lending the money to borrowers, banksencourage the flow of money to productive use and investments. This in turn allows theeconomy to grow. Without this flow, savings would sit idle in someones safe or pocket,money would not be available to borrow, people would not be able to purchase cars orhouses, and businesses would not be able to build the new factories the economy needs toproduce more goods and grow. Enabling the flow of money from savers to investors iscalled financial intermediation, and it is extremely important to a free market economy.

a) Commercial Banks

Commercial banks are so named because they specialize in loans to commercial andindustrial businesses. Commercial banks are owned by private investors, calledstockholders, or by companies called bank holding companies. The vast majority ofcommercial banks are owned by bank holding companies. (A holding company is acorporation that exists only to hold shares in another company.) In 1984, 62 percent ofbanks were owned by holding companies. In 2000, 76 percent of banks were owned byholding companies. The bank holding company form of ownership became increasingly

6


7/62

attractive for several reasons. First, holding companies could engage in activities notpermitted in the bank itselffor example, offering investment advice, underwritingsecurities, and engaging in other investment banking activities. But these activities werepermitted in the bank if the holding company owned separate companies that offer theseservices. Using the holding company form of organization, bankers could then diversify

their product lines and offer services requested by their customers and provided by theirEuropean counterparts. Second, many states had laws that restricted a bank from openingbranches to within a certain number of miles from the banks main branch. By setting upa holding company, a banking firm could locate new banks around the state and thereforeput branches in locations not previously available.

Commercial banks are for profit organizations. Their objective is to make a profit. Theprofits either can be paid out to bank stockholders or to the holding company in the formof dividends, or the profits can be retained to build capital (net worth). Commercial bankstraditionally have the broadest variety of assets and liabilities. Their historical specialtieshave been commercial lending to businesses on the asset side and checking accounts for

businesses and individuals on the liability side. However, commercial banks also makeconsumer loans for automobiles and other consumer goods as well as real estate(mortgage) loans for both consumers and businesses.

b) Savings and Loan Associations

Savings and loan associations (SLAs) are usually owned by stockholders, but they can beowned by depositors as well. (If owned by depositors, they are called mutuals.) If stockowned, the goal is to earn a profit that can either be paid out as a dividend or retained toincrease capital. If owned by depositors, the objective is to earn a profit that can be usedeither to build capital or lower future loan rates or to raise future deposit rates for the

depositor-owners. Until the early 1980s, regulations restricted SLAs to investing in realestate mortgage loans and accepting savings accounts and time deposits (savingsaccounts that exist for a specified period of time). As a result, historically SLAs havespecialized in savings deposits and mortgage lending.

c) Savings Banks

Traditional savings banks, also known as mutual savings banks (MSBs), have nostockholders, and their assets are administered for the sole benefit of depositors. Earningsare paid to depositors after expenses are met and reserves are set aside to insure thedeposits. During the 1980s savings banks were in a great state of flux, and many began to

provide the same kinds of services as commercial banks.

7


8/62

BANKING SERVICES

Commercial banks and thrifts offer various services to their customers. These servicesfall into three major categories: deposits, loans, and cash management services.

a) Deposits

There are four major types of deposits: demand deposits, savings deposits, hybridchecking/savings deposits, and time deposits. What distinguishes one type from anotherare the conditions under which the deposited funds may be withdrawn.

A demand deposit is a deposit that can be withdrawn on demand at any time and in anyamount up to the full amount of the deposit. The most common example of a demanddeposit is a checking account. Money orders and travelers checks are also technicallydemand deposits. Checking accounts are also considered transaction accounts in thatpayments can be made to third partiesthat is, to someone other than the depositor or the

bank itselfvia check, telephone, or other authorized transfer instruction. Checkingaccounts are popular because as demand deposits they provide perfect liquidity(immediate access to cash) and as transaction accounts they can be transferred to a thirdparty as payment for goods or services. As such, they function like money.

Savings accounts pay interest to the depositor, but have no specific maturity date onwhich the funds need to be withdrawn or reinvested. Any amount can be withdrawn froma savings account up to the amount deposited. Under normal circumstances, customerscan withdraw their money from a savings account simply by presenting their passbookor by using their automated teller machine (ATM) card. Savings accounts are highlyliquid. They are different from demand deposits, however, because depositors cannot

write checks against regular savings accounts. Savings accounts cannot be used directlyas money to purchase goods or services.

The hybrid savings and checking account allows customers to earn interest on theaccount and write checks against the account. These are called either negotiable order ofwithdrawal (NOW) accounts, or money market deposit accounts, which are savingsaccounts that allow a maximum of three third-party transfers each month.

Time deposits are deposits on which the depositor and the bank have agreed that themoney will not be withdrawn without substantial penalty to the depositor before aspecific date. These are frequently called certificates of deposits (CDs). Because of a

substantial early withdrawal penalty, time deposits are not as liquid as demand or savingsdeposits nor can depositors write checks against them. Time deposits also typicallyrequire a minimum deposit amount.

8


9/62

b) Loans

Banks and thrifts make three types of loans: commercial and industrial loans, consumerloans, and mortgage loans. Commercial and industrial loans are loans to businesses orindustrial firms. These are primarily short-term working capital loans (loans to finance

the purchase of material or labor) or transaction or longer-term loans (loans to purchasemachines and equipment). Most commercial banks offer a variable rate on these loans,which means that the interest rate can change over the course of the loan. Whether a bankwill make a loan or not depends on the credit and loan history of the borrower, theborrowers ability to make scheduled loan payments, the amount of capital the borrowerhas invested in the business, the condition of the economy, and the value of the collateralthe borrower pledges to give the bank if the loan payments are not made.

Consumer loans are loans for consumers to purchase goods or services. There are twotypes of consumer loans: closed-end credit and open-end credit.

Closed-end credit loans are loans for a fixed amount of money, for a fixed period of time(usually not more than five years), and for a fixed purpose (for example, to buy a car).Most closed-end loans are called installment loans because they must be repaid in equalmonthly installments. The item purchased by the consumer serves as collateral for theloan. For example, if the consumer fails to make payments on an automobile, the bankcan recoup the cost of its loan by taking ownership of the car.

Open-end credit loans are loans for variable amounts of money up to a set limit. Unlikeclosed-end loans, open-end credit does not require a borrower to specify the purpose ofthe loan and the lender cannot foreclose on the loan. Credit cards are an example of open-end credit. Most open-end loans carry fixed interest ratesthat is, the rate does not vary

over the term of the loan. Open-end loans require no collateral, but interest rates or otherpenalties or fees may be chargedfor example, if credit card charges are not paid in full,interest is charged, or if payment is late, a fee is charged to the borrower. Open-end creditinterest rates usually exceed closed-end rates because open-end loans are not backed bycollateral.

Mortgage loans or real estate loans are loans used to purchase land or buildings such ashouses or factories. These are typically long-term loans and the interest rate charged canbe either a variable or a fixed rate for the term of the loan, which often ranges from 15 to30 years. The land and buildings purchased serve as the collateral for the loan.

c) Cash Management and Other Services

Although deposits and loans are the basic banking services provided by banks and thrifts,these institutions provide a wide variety of other services to customers. For consumers,these include check cashing, foreign currency exchange, safety deposit boxes in whichconsumers can store valuables, electronic wire transfer through which consumers cantransfer money and securities from one financial institution to another, and credit life

9


10/62

insurance which automatically pays off loans in the event of the borrowers death ordisability.

In recent years, banks have made their services increasingly convenient throughelectronic banking. Electronic banking uses computers to carry out transfers of money.

For example, automated teller machines (ATMs) enable bank customers to withdrawmoney from their checking or savings accounts by inserting an ATM card and a privateelectronic code into an ATM. The ATMs enable bank customers to access their money 24hours a day and seven days a week wherever ATMs are located, including in foreigncountries. Banks also offer debit cards that directly withdraw funds from a customersaccount for the amount of a purchase, much like writing a check. Banks also useelectronic transfers to deposit payroll checks directly into a customers account and toautomatically pay a customers bills when they are due. Many banks also use the Internetto enable customers to pay bills, move money between accounts, and perform otherbanking functions.

For businesses, commercial banks also provide specialized cash management and creditenhancement services. Cash management services are designed to allow businesses tomake efficient use of their cash. For example, under normal circumstances a businesswould sell its product to a customer and send the customer a bill. The customer wouldthen send a check to the business, and the business would then deposit the check in thebank. The time between the date the business receives the check and deposits the check inthe bank could be several days or a week. To eliminate this delay and allow the businessto earn interest on its money sooner, commercial banks offer services to businesseswhereby customers send checks directly to the bank, not the business. This practice isreferred to as lock box services because the payments are mailed to a secure post officebox where they are picked up by bank couriers for immediate deposit.

Another important business service performed by banks is a credit enhancement.Commercial banks back up the performance of businesses by promising to pay the debtsof the business if the business itself cannot pay. This service substitutes the credit of thebank for the credit of the business. This is valuable, for example, in international tradewhere the exporting firm is unfamiliar with the importing firm in another country and is,therefore, reluctant to ship goods without knowing for certain that the importer will payfor them. By substituting the credit of a foreign bank known to the exporters bank, theexporter knows payment will be made and will ship the goods. Credit enhancements arefrequently called standby letters of credit or commercial letters of credit.

10


11/62

Defining Risk

For the purpose of these guidelines financial risk in banking organization is possibilitythat the outcome of an action or event could bring up adverse impacts. Such outcomescould either result in a direct loss of earnings / capital or may result in imposition ofconstraints on banks ability to meet its business objectives. Such constraints pose a riskas these could hinder a bank's ability to conduct its ongoing business or to take benefit ofopportunities to enhance its business.

Regardless of the sophistication of the measures, banks often distinguish betweenexpected and unexpected losses. Expected losses are those that the bank knows withreasonable certainty will occur (e.g., the expected default rate of corporate loan portfolioor credit card portfolio) and are typically reserved for in some manner. Unexpectedlosses are those associated with unforeseen events (e.g. losses experienced by banks inthe aftermath of nuclear tests, Losses due to a sudden down turn in economy or fallinginterest rates). Banks rely on their capital as a buffer to absorb such losses.

Risks are usually defined by the adverse impact on profitability of several distinct sourcesof uncertainty. While the types and degree of risks an organization may be exposed todepend upon a number of factors such as its size, complexity business activities, volumeetc, it is believed that generally the banks face Credit, Market, Liquidity, Operational,Compliance / legal /regulatory and reputation risks. Before overarching these riskcategories, given below are some basics about risk Management and some guidingprinciples to manage risks in banking organization.

Risk Management.

Risk Management is a discipline at the core of every financial institution andencompasses all the activities that affect its risk profile. It involves identification,measurement, monitoring and controlling risks to ensure that

a) The individuals who take or manage risks clearly understand it.

b) The organizations Risk exposure is within the limits established by Boardof Directors.

c) Risk taking Decisions are in line with the business strategy and objectivesset by BOD.

d) The expected payoffs compensate for the risks taken

e) Risk taking decisions are explicit and clear.

f) Sufficient capital as a buffer is available to take risk

11


12/62

The acceptance and management of financial risk is inherent to the business of bankingand banks roles as financial intermediaries. Risk management as commonly perceiveddoes not mean minimizing risk; rather the goal of risk management is to optimize risk-reward trade -off. Notwithstanding the fact that banks are in the business of taking risk, itshould be recognized that an institution need not engage in business in a manner that

unnecessarily imposes risk upon it: nor it should absorb risk that can be transferred toother participants. Rather it should accept those risks that are uniquely part of the array ofbanks services.

In every financial institution, risk management activities broadly take placesimultaneously at following different hierarchy levels.

a) Strategic level: It encompasses risk management functions performed by seniormanagement and BOD. For instance definition of risks, ascertaining institutions riskappetite, formulating strategy and policies for managing risks and establish adequatesystems and controls to ensure that overall risk remain within acceptable level and thereward compensate for the risk taken.

b) Macro Level: It encompasses risk management within a business area or acrossbusiness lines. Generally the risk management activities performed by middlemanagement or units devoted to risk reviews fall into this category.

c) Micro Level: It involves On-the-line risk management where risks are actuallycreated. This is the risk management activities performed by individuals who take risk onorganizations behalf such as front office and loan origination functions. The riskmanagement in those areas is confined to following operational procedures andguidelines set by management.

Expanding business arenas, deregulation and globalization of financial activitiesemergence of new financial products and increased level of competition has necessitateda need for an effective and structured risk management in financial institutions. A banksability to measure, monitor, and steer risks comprehensively is becoming a decisiveparameter for its strategic positioning.

The risk management framework and sophistication of the process, and internal controls,used to manage risks, depends on the nature, size and complexity of institutions activities.Nevertheless, there are some basic principles that apply to all financial institutionsirrespective of their size and complexity of business and are reflective of the strength ofan individual bank's risk management practices.

Board and senior Management oversight.

a) To be effective, the concern and tone for risk management must start at the top. Whilethe overall responsibility of risk management rests with the BOD, it is the duty of seniormanagement to transform strategic direction set by board in the shape of policies andprocedures and to institute an effective hierarchy to execute and implement those

12


13/62

policies. To ensure that the policies are consistent with the risk tolerances of shareholdersthe same should be approved from board.

b) The formulation of policies relating to risk management only would not solve thepurpose unless these are clear and communicated down the line. Senior management has

to ensure that these policies are embedded in the culture of organization. Risk tolerancesrelating to quantifiable risks are generally communicated as limits or sub-limits to thosewho accept risks on behalf of organization. However not all risks are quantifiable.Qualitative risk measures could be communicated as guidelines and inferred frommanagement business decisions.

c) To ensure that risk taking remains within limits set by senior management/BOD, anymaterial exception to the risk management policies and tolerances should be reported tothe senior management/board who in turn must trigger appropriate corrective measures.These exceptions also serve as an input to judge the appropriateness of systems andprocedures relating to risk management.

d) To keep these policies in line with significant changes in internal and externalenvironment, BOD is expected to review these policies and make appropriate changes asand when deemed necessary. While a major change in internal or external factor mayrequire frequent review, in absence of any uneven circumstances it is expected that BODre-evaluate these policies every year.

Risk Management framework.

A risk management framework encompasses the scope of risks to be managed, theprocess/systems and procedures to manage risk and the roles and responsibilities ofindividuals involved in risk management. The framework should be comprehensive

enough to capture all risks a bank is exposed to and have flexibility to accommodate anychange in business activities. An effective risk management framework includes

a) Clearly defined risk management policies and procedures covering risk identification,acceptance, measurement, monitoring, reporting and control.

b) A well constituted organizational structure defining clearly roles and responsibilities ofindividuals involved in risk taking as well as managing it. Banks, in addition to riskmanagement functions for various risk categories may institute a setup that supervisesoverall risk management at the bank. Such a setup could be in the form of a separatedepartment or banks Risk Management Committee (RMC) could perform such

function*. The structure should be such that ensures effective monitoring and controlover risks being taken. The individuals responsible for review function (Risk review,internal audit, compliance etc) should be independent from risk taking unitsand report directly to board or senior management who are also not involvedin risk taking.

c) There should be an effective management information system that ensures flow ofinformation from operational level to top management and a system to address any

13


14/62

exceptions observed. There should be an explicit procedure regarding measures to betaken to address such deviations.

d) The framework should have a mechanism to ensure an ongoing review of systems,policies and procedures for risk management and procedure to adopt changes.

Integration of Risk Management

Risks must not be viewed and assessed in isolation, not only because a single transactionmight have a number of risks but also one type of risk can trigger other risks. Sinceinteraction of various risks could result in diminution or increase in risk, the riskmanagement process should recognize and reflect risk interactions in all businessactivities as appropriate. While assessing and managing risk the management should havean overall view of risks the institution is exposed to. This requires having a structure inplace to look at risk interrelationships across the organization.

Business Line Accountability.

In every banking organization there are people who are dedicated to risk managementactivities, such as risk review, internal audit etc. It must not be construed that riskmanagement is something to be performed by a few individuals or a department.Business lines are equally responsible for the risks they are taking. Because linepersonnel, more than anyone else, understand the risks of the business, such a lack ofaccountability can lead to problems.

Risk Evaluation/Measurement.

Until and unless risks are not assessed and measured it will not be possible to control

risks. Further a true assessment of risk gives management a clear view of institutionsstanding and helps in deciding future action plan. To adequately capture institutions riskexposure, risk measurement should represent aggregate exposure of institution both risktype and business line and encompass short run as well as long run impact on institution.To the maximum possible extent institutions should establish systems / models thatquantify their risk profile, however, in some risk categories such as operational risk,Quantification is quite difficult and complex. Wherever it is not possible to quantifyrisks, qualitative measures should be adopted to capture those risks. Whilst quantitativemeasurement systems support effective decision-making, better measurement does notobviate the need for well-informed, qualitative judgment. Consequently the importance ofstaff having relevant knowledge and expertise cannot be undermined. Finally any risk

measurement framework, especially those which employ quantitative techniques/model,is only as good as its underlying assumptions, the rigor and robustness of its analyticalmethodologies, controls surrounding data inputs and its appropriate application

14


15/62

Independent review.

One of the most important aspects in risk management philosophy is to make sure thatthose who take or accept risk on behalf of the institution are not the ones who measure,monitor and evaluate the risks. Again the managerial structure and hierarchy of risk

review function may vary across banks depending upon their size and nature of thebusiness, the key is independence.To be effective the review functions should have sufficient authority, expertise andcorporate stature so that the identification and reporting of their findings could beaccomplished without any hindrance. The findings of their reviews should be reported tobusiness units, Senior Management and, where appropriate, the Board.

Contingency planning.

Institutions should have a mechanism to identify stress situations ahead of time and plansto deal with such unusual situations in a timely and effective manner. Stress situations towhich this principle applies include all risks of all types. For instance contingencyplanning activities include disaster recovery planning, public relations damage control,litigation strategy, responding to regulatory criticism etc. Contingency plans should bereviewed regularly to ensure they encompass reasonably probable events that couldimpact the organization. Plans should be tested as to the appropriateness of responses,escalation and communication channels and the impact on other parts of the institution.

Steps in the risk management process

Identification

A first step in the process of managing riskis to identify potential risks. Risks are aboutevents that, when triggered, will cause problems. Hence, risk identification can start withthe source of problems, or with the problem itself.

Source analysis Risk sources may be internal or external to the system that is the

target of risk management. Examples of risk sources are: stakeholders of aproject, employees of a company or the weather over an airport.

Problem analysis Risks are related to fear. For example: the fear of losing

money, the fear of abuse of privacy information or the fear of accidents andcasualties. The fear may exist with various entities, most important with

shareholder, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or theevents that can lead to a problem can be investigated. For example: stakeholderswithdrawing during a project may endanger funding of the project; privacy informationmay be stolen by employees even within a closed network; lightning striking a B747during takeoff may make all people onboard immediate casualties.

15
http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Risk&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Risk&gwp=8&curtab=2222_1


16/62

The chosen method of identifying risks may depend on culture, industry practice andcompliance. The identification methods are formed by templates or the development oftemplates for identifying source, problem or event. Common risk identification methodsare:

Objectives-based Risk Identification Organizations and project teams haveobjectives. Any event that may endanger achieving an objective partly orcompletely is identified as risk. Objective-based risk identification is at the basisof COSO's Enterprise Risk Management - Integrated Framework

Scenario-based Risk Identification In scenario analysis different scenarios are

created. The scenarios may be the alternative ways to achieve an objective, or ananalysis of the interaction of forces in, for example, a market or battle. Any eventthat triggers an undesired scenario alternative is identified as risk.

Taxonomy-based Risk Identification The taxonomy in taxonomy-based risk

identification is a breakdown of possible risk sources. Based on the taxonomy andknowledge of best practices, a questionnaire is compiled. The answers to thequestions reveal risks.

Common-risk Checking In several industries lists with known risks are

available. Each risk in the list can be checked for application to a particularsituation. An example of known risks in the software industry is the CommonVulnerability and Exposures list found at http://cve.mitre.org/.

Assessment

Once risks have been identified, they must then be assessed as to their potential severityof loss and to the probability of occurrence. These quantities can be either simple tomeasure, in the case of the value of a lost building, or impossible to know for sure in thecase of the probability of an unlikely event occurring. Therefore, in the assessmentprocess it is critical to make the best educated guesses possible in order to properly

prioritize the implementation of the risk management plan.

Possible actions available

Once risks have been identified and assessed, all techniques to manage the risk fall intoone or more of these four major categories: (Dorfman, 1997)

16
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdfhttp://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Scenario+analysis&gwp=8&curtab=2222_1http://cve.mitre.org/http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdfhttp://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Scenario+analysis&gwp=8&curtab=2222_1http://cve.mitre.org/


17/62

Avoidance

Reduction (aka Mitigation)

Retention (aka Acceptance)

Transfer

Ideal use of these strategies may not be possible. Some of them may involve trade offsthat are not acceptable to the organization or person making the risk managementdecisions.

Risk avoidance

Includes not performing an activity that could carry risk. An example would be notbuying a property or business in order to not take on the liability that comes with it.Another would be not flying in order to not take the risk that the airplane were to behijacked. Avoidance may seem the answer to all risks, but avoiding risks also meanslosing out on the potential gain that accepting (retaining) the risk may have allowed. Not

entering a business to avoid the risk of loss also avoids the possibility of earning theprofits.

Risk reduction

Involves methods that reduce the severity of the loss. Examples include sprinklersdesigned to put out a fire to reduce the risk of loss by fire. This method may cause agreater loss by water damage and therefore may not be suitable. Halon fire suppressionsystems may mitigate that risk, but the cost may be prohibitive as a strategy.

Modern software development methodologies reduce risk by developing and delivering

software incrementally. Early methodologies suffered from the fact that they onlydelivered software in the final phase of development; any problems encountered in earlierphases meant costly rework and often jeopardized the whole project. By developing inincrements, software projects can limit effort wasted to a single increment. A currenttrend in software development, spearheaded by the Extreme Programming community, isto reduce the size of increments to the smallest size possible, sometimes as little as oneweek is allocated to an increment.

Risk retention

Involves accepting the loss when it occurs. True self insurance falls in this category. Risk

retention is a viable strategy for small risks where the cost of insuring against the riskwould be greater over time than the total losses sustained. All risks that are not avoidedor transferred are retained by default. This includes risks that are so large or catastrophicthat they either cannot be insured against or the premiums would be infeasible. Waris anexample since most property and risks are not insured against war, so the loss attributedby war is retained by the insured. Also any amounts of potential loss (risk) over theamount insured is retained risk. This may also be acceptable if the chance of a very large

17
http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Property&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Liability&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Fixed-wing+aircraft&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Hijacking&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Sprinkler&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Fire&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Haloalkane&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Strategy&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Extreme+Programming&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Self+insurance&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=War&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Property&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Liability&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Fixed-wing+aircraft&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Hijacking&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Sprinkler&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Fire&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Haloalkane&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Strategy&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Extreme+Programming&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Self+insurance&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=War&gwp=8&curtab=2222_1


18/62

loss is small or if the cost to insure for greater coverage amounts is so great it wouldhinder the goals of the organization too much.

Risk transfer

Means causing another party to accept the risk, typically by contract or by hedging.Insurance is one type of risk transfer that uses contracts. Other times it may involvecontract language that transfers a risk to another party without the payment of aninsurance premium. Liability among construction or other contractors is very oftentransferred this way. On the other hand, taking offsetting positions in derivative securitiesis typically how firms use hedging to financial risk management: financially manage risk.

Some ways of managing risk fall into multiple categories. Risk retention pools aretechnically retaining the risk for the group, but spreading it over the whole groupinvolves transfer among individual members of the group. This is different fromtraditional insurance, in that no premium is exchanged between members of the group up

front, but instead losses are assessed to all members of the group.

Create the plan

Decide on the combination of methods to be used for each risk

Implementation

Follow all of the planned methods for mitigating the effect of the risks. Purchaseinsurance policies for the risks that have been decided to be transferred to an insurer,avoid all risks that can be avoided without sacrificing the entity's goals, reduce others,

and retain the rest.

Review and evaluation of the plan

Initial risk management plans will never be perfect. Practice, experience, and actual lossresults, will necessitate changes in the plan and contribute information to allow possibledifferent decisions to be made in dealing with the risks being faced.

18
http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Contract&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Hedging&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Insurance&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Insurance&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Derivative+security&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Contract&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Hedging&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Insurance&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Insurance&gwp=8&curtab=2222_1http://www.answers.com/main/ntquery?method=4&dsid=2222&dekey=Derivative+security&gwp=8&curtab=2222_1


19/62

Limitations

If risks are improperly assessed and prioritized, time can be wasted in dealing with risk oflosses that are not likely to occur. Spending too much time assessing and managingunlikely risks can divert resources that could be used more profitably. Unlikely events do

occur, but if the risk is unlikely enough to occur, it may be better to simply retain the risk,and deal with the result if the loss does in fact occur.

Prioritizing too highly the Risk management processes itself could potentially keep anorganization from ever completing a project or even getting started. This is especiallytrue if other work is suspended until the risk management process is considered complete.

19


20/62

Managing credit risk

Credit risk arises from the potential that an obligor is either unwilling to perform on

an obligation or its ability to perform such obligation is impaired resulting in economic

loss to the bank.

In a banks portfolio, losses stem from outright default due to inability or unwillingnessof a customer or counter party to meet commitments in relation to lending, trading,settlement and other financial transactions. Alternatively losses may result from reductionin portfolio value due to actual or perceived deterioration in credit quality. Credit riskemanates from a banks dealing with individuals, corporate, financial institutions or asovereign. For most banks, loans are the largest and most obvious source of credit risk;however, credit risk could stem from activities both on and off balance sheet.

In addition to direct accounting loss, credit risk should be viewed in the context ofeconomic exposures. This encompasses opportunity costs, transaction costs and expensesassociated with a non-performing asset over and above the accounting loss.

Credit risk can be further sub-categorized on the basis of reasons of default. For instancethe default could be due to country in which there is exposure or problems in settlementof a transaction.

Credit risk not necessarily occurs in isolation. The same source that endangers credit riskfor the institution may also expose it to other risk. For instance a bad portfolio may attractliquidity problem.

Components of credit risk management

A typical Credit risk management framework in a financial institution may be broadlycategorized into following main components.

a) Board and senior Managements Oversight

b) Organizational structure

c) Systems and procedures for identification, acceptance, measurement, monitoring andcontrol risks.

Board and Senior Managements Oversight

It is the overall responsibility of banks Board to approve banks credit risk strategy andsignificant policies relating to credit risk and its management which should be based onthe banks overall business strategy. To keep it current, the overall strategy has to bereviewed by the board, preferably annually. The responsibilities of the Board with regardto credit risk management shall, interalia, include :

20


21/62

a) Delineate banks overall risk tolerance in relation to credit risk.

b) Ensure that banks overall credit risk exposure is maintained at prudent levels andconsistent with the available capital

c) Ensure that top management as well as individuals responsible for credit riskmanagement possess sound expertise and knowledge to accomplish the risk managementfunction

d) Ensure that the bank implements sound fundamental principles that facilitate theidentification, measurement, monitoring and control of credit risk.

e) Ensure that appropriate plans and procedures for credit risk management are in place.

The very first purpose of banks credit strategy is to determine the risk appetite of thebank. Once it is determined the bank could develop a plan to optimize return whilekeeping credit risk within predetermined limits. The banks credit risk strategy thus

should spell out

a) The institutions plan to grant credit based on various client segments and products,economic sectors, geographical location, currency and maturity

b) Target market within each lending segment, preferred level of diversification/concentration.

c) Pricing strategy.

It is essential that banks give due consideration to their target market while devisingcredit risk strategy. The credit procedures should aim to obtain an in depth understanding

of the banks clients, their credentials & their businesses in order to fully know theircustomers.

The strategy should provide continuity in approach and take into account cyclic aspect ofcountrys economy and the resulting shifts in composition and quality of overall creditportfolio. While the strategy would be reviewed periodically and amended, as deemednecessary, it should be viable in long term and through various economic cycles.

The senior management of the bank should develop and establish credit policies andcredit administration procedures as a part of overall credit risk management frameworkand get those approved from board. Such policies and procedures shall provide guidance

to the staff on various types of lending including corporate, SME, consumer, agriculture,etc. At minimum the policy should include

21


22/62

a) Detailed and formalized credit evaluation/ appraisal process.

b) Credit approval authority at various hierarchy levels including authority for approvingexceptions.

c) Risk identification, measurement, monitoring and control

d) Risk acceptance criteria

e) Credit origination and credit administration and loan documentation procedures

f) Roles and responsibilities of units/staff involved in origination and management ofcredit.

g) Guidelines on management of problem loans.

In order to be effective these policies must be clear and communicated down the line.

Further any significant deviation/exception to these policies must be communicated to thetop management/board and corrective measures should be taken. It is the responsibility ofsenior management to ensure effective implementation of these policies.

Organizational Structure.

To maintain banks overall credit risk exposure within the parameters set by the board ofdirectors, the importance of a sound risk management structure is second to none. Whilethe banks may choose different structures, it is important that such structure should becommensurate with institutions size, complexity and diversification of its activities. Itmust facilitate effective management oversight and proper execution of credit risk

management and control processes.

Each bank, depending upon its size, should constitute a Credit Risk ManagementCommittee (CRMC), ideally comprising of head of credit risk management Department,credit department and treasury. This committee reporting to banks risk managementcommittee should be empowered to oversee credit risk taking activities and overall creditrisk management function. The CRMC should be mainly responsible for

a) The implementation of the credit risk policy / strategy approved by the Board.

b) Monitor credit risk on a bank-wide basis and ensure compliance with limits approvedby the Board.

c) Recommend to the Board, for its approval, clear policies on standards for presentationof credit proposals, financial covenants, rating standards and benchmarks.

d) Decide delegation of credit approving powers, prudential limits on large creditexposures, standards for loan collateral, portfolio management, loan review mechanism,risk concentrations, risk monitoring and evaluation, pricing of loans, provisioning,regulatory/legal compliance, etc.

22


23/62

Further, to maintain credit discipline and to enunciate credit risk management and controlprocess there should be a separate function independent of loan origination function.Credit policy formulation, credit limit setting, monitoring of credit exceptions / exposuresand review /monitoring of documentation are functions that should be performedindependently of the loan origination function. For small banks where it might not befeasible to establish such structural hierarchy, there should be adequate compensatingmeasures to maintain credit discipline introduce adequate checks and balances andstandards to address potential conflicts of interest. Ideally, the banks should institute aCredit Risk Management Department (CRMD). Typical functions of CRMD include:

a) To follow a holistic approach in management of risks inherent in banks portfolio andensure the risks remain within the boundaries established by the Board or Credit RiskManagement Committee.

b) The department also ensures that business lines comply with risk parameters andprudential limits established by the Board or CRMC.

c) Establish systems and procedures relating to risk identification, ManagementInformation System, monitoring of loan / investment portfolio quality and early warning.The department would work out remedial measure when deficiencies/problems areidentified.

d) The Department should undertake portfolio evaluations and conduct comprehensivestudies on the environment to test the resilience of the loan portfolio.

Notwithstanding the need for a separate or independent oversight, the front office or loanorigination function should be cognizant of credit risk, and maintain high level of credit

discipline and standards in pursuit of business opportunities.

Systems and Procedures

Banks must operate within a sound and well-defined criteria for new credits as well as theexpansion of existing credits. Credits should be extended within the target markets andlending strategy of the institution. Before allowing a credit facility, the bank must makean assessment of risk profile of the customer/transaction. This may include

a) Credit assessment of the borrowers industry, and macro economic factors.

b) The purpose of credit and source of repayment.

c) The track record / repayment history of borrower.

d) Assess/evaluate the repayment capacity of the borrower.

e) The Proposed terms and conditions and covenants.

f) Adequacy and enforceability of collaterals.

23


24/62

g) Approval from appropriate authority

In case of new relationships consideration should be given to the integrity and repute ofthe borrowers or counter party as well as its legal capacity to assume the liability. Prior toentering into any new credit relationship the banks must become familiar with theborrower or counter party and be confident that they are dealing with individual ororganization of sound repute and credit worthiness. However, a bank must not grantcredit simply on the basis of the fact that the borrower is perceived to be highly reputablei.e. name lending should be discouraged.

While structuring credit facilities institutions should appraise the amount and timing ofthe cash flows as well as the financial position of the borrower and intended purpose ofthe funds. It is utmost important that due consideration should be given to the risk rewardtrade off in granting a credit facility and credit should be priced to cover all embeddedcosts. Relevant terms and conditions should be laid down to protect the institutions

interest.

Institutions have to make sure that the credit is used for the purpose it was borrowed.Where the obligor has utilized funds for purposes not shown in the original proposal,institutions should take steps to determine the implications on creditworthiness. In case ofcorporate loans where borrower own group of companies such diligence becomes moreimportant. Institutions should classify such connected companies and conduct creditassessment on consolidated/group basis.

In loan syndication, generally most of the credit assessment and analysis is done by thelead institution. While such information is important, institutions should not over rely on

that. All syndicate participants should perform their own independent analysis and reviewof syndicate terms.

Institution should not over rely on collaterals / covenant. Although the importance ofcollaterals held against loan is beyond any doubt, yet these should be considered as abuffer providing protection in case of default, primary focus should be on obligors debtservicing ability and reputation in the market.

Limit setting

An important element of credit risk management is to establish exposure limits for single

obligors and group of connected obligors. Institutions are expected to develop their ownlimit structure while remaining within the exposure limits set by State Bank of Pakistan.The size of the limits should be based on the credit strength of the obligor, genuinerequirement of credit, economic conditions and the institutions risk tolerance.Appropriate limits should be set for respective products and activities. Institutions mayestablish limits for a specific industry, economic sector or geographic regions to avoidconcentration risk.

24


25/62

Some times, the obligor may want to share its facility limits with its related companies.Institutions should review such arrangements and impose necessary limits if thetransactions are frequent and significant

Credit limits should be reviewed regularly at least annually or more frequently if

obligors credit quality deteriorates. All requests of increase in credit limits should besubstantiated.

Credit Administration.

Ongoing administration of the credit portfolio is an essential part of the credit process.Credit administration function is basically a back office activity that support and controlextension and maintenance of credit. A typical credit administration unit performsfollowing functions:

a. Documentation. It is the responsibility of credit administration to ensurecompleteness of documentation (loan agreements, guarantees, transfer of title ofcollaterals etc) in accordance with approved terms and conditions. Outstandingdocuments should be tracked and followed up to ensure execution and receipt.

b. Credit Disbursement.The credit administration function should ensure that the loanapplication has proper approval before entering facility limits into computer systems.Disbursement should be effected only after completion of covenants, and receipt ofcollateral holdings. In case of exceptions necessary approval should be obtained fromcompetent authorities.

c. Credit monitoring. After the loan is approved and draw down allowed, the loanshould be continuously watched over. These include keeping track of borrowerscompliance with credit terms, identifying early signs of irregularity, conducting periodicvaluation of collateral and monitoring timely repayments.

d. Loan Repayment.The obligors should be communicated ahead of time as and whenthe principal/markup installment becomes due. Any exceptions such as non-payment orlate payment should be tagged and communicated to the management. Proper records andupdates should also be made after receipt.

e. Maintenance of Credit Files. Institutions should devise procedural guidelines andstandards for maintenance of credit files. The credit files not only include all

correspondence with the borrower but should also contain sufficient informationnecessary to assess financial health of the borrower and its repayment performance. Itneed not mention that information should be filed in organized way so that external /internal auditors or SBP inspector could review it easily.

f. Collateral and Security Documents. Institutions should ensure that all securitydocuments are kept in a fireproof safe under dual control. Registers for documents shouldbe maintained to keep track of their movement.

25


26/62

Procedures should also be established to track and review relevant insurance coverage forcertain facilities/collateral. Physical checks on security documents should be conductedon a regular basis.

While in small Institutions it may not be cost effective to institute a separate creditadministrative set-up, it is important that in such institutions individuals performingsensitive functions such as custody of key documents, wiring out funds, entering limitsinto system, etc., should report to managers who are independent of business originationand credit approval process.

Measuring credit risk.

The measurement of credit risk is of vital importance in credit risk management. Anumber of qualitative and quantitative techniques to measure risk inherent in creditportfolio are evolving. To start with, banks should establish a credit risk ratingframework across all type of credit activities. Among other things, the rating framework

may, incorporate:

Business Risk

o Industry Characteristicso Competitive Position (e.g. marketing/technological edge)o Management

Financial Risk

o Financial conditiono Profitability

o Capital Structureo Present and future Cash flows

Internal Risk Rating.

Credit risk rating is summary indicator of a banks individual credit exposure. An internalrating system categorizes all credits into various classes on the basis of underlying creditquality. A well-structured credit rating framework is an important tool for monitoring andcontrolling risk inherent in individual credits as well as in credit portfolios of a bank or abusiness line. The importance of internal credit rating framework becomes more eminentdue to the fact that historically major losses to banks stemmed from default in loan

portfolios. While a number of banks already have a system for rating individual credits inaddition to the risk categories prescribed by SBP, all banks are encouraged to devise aninternal rating framework. An internal rating framework would facilitate banks in anumber of ways such as

a) Credit selection

b) Amount of exposure

26


27/62

c) Tenure and price of facility

d) Frequency or intensity of monitoring

e) Analysis of migration of deteriorating credits and more accurate computation of future

loan loss provision

f) Deciding the level of Approving authority of loan.

The Architecture of internal rating system.

The decision to deploy any risk rating architecture for credits depends upon two basicaspects

a) The Loss Concept and the number and meaning of grades on the rating continuum

corresponding to each loss concept*.

b) Whether to rate a borrower on the basis of point in time philosophy or through thecycle approach.

Besides there are other issues such as whether to include statutory grades in the scale, thetype of rating scale i.e. alphabetical numerical or alpha-numeric etc. SBP does notadvocate any particular credit risk rating system; it should be banks own choice. Howeverthe system should commensurate with the size, nature and complexity of their business aswell as possess flexibility to accommodate present and future risk profile of the bank, theanticipated level of diversification and sophistication in lending activities.

A rating system with large number of grades on rating scale becomes more expensive dueto the fact that the cost of obtaining and analyzing additional information for finegradation increase sharply. However, it is important that there should be sufficientgradations to permit accurate characterization of the under lying risk profile of a loan or aportfolio of loans

The operating Design of Rating System.

As with the decision to grant credit, the assignment of ratings always involve element ofhuman judgment. Even sophisticated rating models do not replicate experience andjudgment rather these techniques help and reinforce subjective judgment. Banks thus

design the operating flow of the rating process in a way that is aimed promoting theaccuracy and consistency of the rating system while not unduly restricting the exercise ofjudgment. Key issues relating to the operating design of a rating system include whatexposures to rate; the organizations division of responsibility for grading; the nature ofratings review; the formality of the process and specificity of formal rating definitions.

27


28/62

What Exposures are rated?

Ideally all the credit exposures of the bank should be assigned a risk rating. Howevergiven the element of cost, it might not be feasible for all banks to follow. The banks maydecide on their own which exposure needs to be rated. The decision to rate a particular

loan could be based on factors such as exposure amount, business line or both. Generallycorporate and commercial exposures are subject to internal ratings and banks use scoringmodels for consumer / retail loans.

The rating process in relation to credit approval and review.

Ratings are generally assigned /reaffirmed at the time of origination of a loan or itsrenewal /enhancement. The analysis supporting the ratings is inseparable from thatrequired for credit appraisal. In addition the rating and loan analysis process while beingseparate are intertwined. The process of assigning a rating and its approval / confirmationgoes along with the initiation of a credit proposal and its approval. Generally loanorigination function (whether a relationship manager or credit staff) * initiates a loanproposal and also allocates a specific rating. This proposal passes through the creditapproval process and the rating is also approved or recalibrated simultaneously byapproving authority. The revision in the ratings can be used to upgrade the rating systemand related guidelines.

How to arrive at ratings

The assignment of a particular rating to an exposure is basically an abbreviation of itsoverall risk profile. Theoretically ratings are based upon the major risk factors and theirintensity inherent in the business of the borrower as well as key parameters and theirintensity to those risk factors. Major risk factors include borrowers financial condition,

size, industry and position in the industry; the reliability of financial statements of theborrower; quality of management; elements of transaction structure such as covenantsetc. A more detail on the subject would be beyond the scope of these guidelines, howevera few important aspects are

a) Banks may vary somewhat in the particular factors they consider and the weight theygive to each factor.

b) Since the rater and reviewer of rating should be following the same basic thought, toensure uniformity in the assignment and review of risk grades, the credit policy shouldexplicitly define each risk grade; lay down criteria to be fulfilled while assigning a

particular grade, as well as the circumstances under which deviations from criteria cantake place.

c) The credit policy should also explicitly narrate the roles of different parties involved inthe rating process.

d) The institution must ensure that adequate training is imparted to staff to ensure uniformratings

28


29/62

e) Assigning a Rating is basically a judgmental exercise and the models, external ratingsand written guidelines/benchmarks serve as input.

f) Institutions should take adequate measures to test and develop a risk rating system priorto adopting one. Adequate validation testing should be conducted during the design phase

as well as over the life of the system to ascertain the applicability of the system to theinstitutions portfolio.

Institutions that use sophisticated statistical models to assign ratings or to calculateprobabilities of default, must ascertain the applicability of these models to theirportfolios. Even when such statistical models are found to be satisfactory, institutionsshould not use the output of such models as the sole criteria for assigning ratings ordetermining the probabilities of default. It would be advisable to consider other relevantinputs as well.

Ratings review

The rating review can be two-fold:

a) Continuous monitoring by those who assigned the rating. The Relationship Managers(RMs) generally have a close contact with the borrower and are expected to keep an eyeon the financial stability of the borrower. In the event of any deterioration the ratings areimmediately revised /reviewed.

b) Secondly the risk review functions of the bank or business lines also conduct periodicalreview of ratings at the time of risk review of credit portfolio.

Risk ratings should be assigned at the inception of lending, and updated at least annually.

Institutions should, however, review ratings as and when adverse events occur. Aseparate function independent of loan origination should review Risk ratings. As part ofportfolio monitoring, institutions should generate reports on credit exposure by riskgrade. Adequate trend and migration analysis should also be conducted to identify anydeterioration in credit quality. Institutions may establish limits for risk grades to highlightconcentration in particular rating bands. It is important that the consistency and accuracyof ratings is examined periodically by a function such as an independent credit reviewgroup

For consumer lending, institutions may adopt credit-scoring models for processing loanapplications and monitoring credit quality. Institutions should apply the above principles

in the management of scoring models. Where the model is relatively new, institutionsshould continue to subject credit applications to rigorous review until the model hasstabilized.

Credit Risk Monitoring & Control

Credit risk monitoring refers to incessant monitoring of individual credits inclusive ofOff-Balance sheet exposures to obligors as well as overall credit portfolio of the bank.

29


30/62

Banks need to enunciate a system that enables them to monitor quality of the creditportfolio on day-to-day basis and take remedial measures as and when any deteriorationoccurs. Such a system would enable a bank to ascertain whether loans are being servicedas per facility terms, the adequacy of provisions, the overall risk profile is within limitsestablished by management and compliance of regulatory limits. Establishing an efficient

and effective credit monitoring system would help senior management to monitor theOverall quality of the total credit portfolio and its trends. Consequently the managementcould fine tune or reassess its credit strategy /policy accordingly before encountering anymajor setback. The banks credit policy should explicitly provide procedural guidelinerelating to credit risk monitoring. At the minimum it should lay down procedure relatingto

a) The roles and responsibilities of individuals responsible for credit risk monitoring

b) The assessment procedures and analysis techniques (for individual loans & overallportfolio)

c) The frequency of monitoring

d) The periodic examination of collaterals and loan covenants

e) The frequency of site visits

f) The identification of any deterioration in any loan

Given below are some key indicators that depict the credit quality of a loan:

a.

Financial Position and Business Conditions.The most important aspect about

an obligor is its financial health, as it would determine its repayment capacity.Consequently institutions need carefully watch financial standing of obligor. The Keyfinancial performance indicators on profitability, equity, leverage and liquidity should beanalyzed. While making such analysis due consideration should be given tobusiness/industry risk, borrowers position within the industry and external factors such aseconomic condition, government policies, regulations. For companies whose financialposition is dependent on key management personnel and/or shareholders, for example, insmall and medium enterprises, institutions would need to pay particular attention to theassessment of the capability and capacity of the management/shareholder(s).

b. Conduct of Accounts. In case of existing obligor the operation in the accountwould give a fair idea about the quality of credit facility. Institutions should monitor theobligors account activity, repayment history and instances of excesses over credit limits.For trade financing, institutions should monitor cases of repeat extensions of due datesfor trust receipts and bills.

30


31/62

c. Loan Covenants. The obligors ability to adhere to negative pledges and financialcovenants stated in the loan agreement should be assessed, and any breach detectedshould be addressed promptly.

d. Collateral valuation. Since the value of collateral could deteriorate resulting in

unsecured lending, banks need to reassess value of collaterals on periodic basis. Thefrequency of such valuation is very subjective and depends upon nature of collaterals. Forinstance loan granted against shares need revaluation on almost daily basis whereas ifthere is mortgage of a residential property the revaluation may not be necessary asfrequently. In case of credit facilities secured against inventory or goods at the obligorspremises, appropriate inspection should be conducted to verify the existence andvaluation of the collateral. And if such goods are perishable or such that their valuediminish rapidly (e.g. electronic parts/equipments), additional precautionary measuresshould be taken.

External Rating and Market Price of securities such as TFCs purchased as a form of

lending or long-term investment should be monitored for any deterioration in credit ratingof the issuer, as well as large decline in market price. Adverse changes should triggeradditional effort to review the creditworthiness of the issuer.

Risk review

The institutions must establish a mechanism of independent, ongoing assessment of creditrisk management process. All facilities except those managed on a portfolio basis shouldbe subjected to individual risk review at least once in a year. The results of such reviewshould be properly documented and reported directly to board, or its sub committee orsenior management without lending authority. The purpose of such reviews is to assess

the credit administration process, the accuracy of credit rating and overall quality of loanportfolio Independent of relationship with the obligor.

Institutions should conduct credit review with updated information on the obligorsfinancial and business conditions, as well as conduct of account. Exceptions noted in thecredit monitoring process should also be evaluated for impact on the obligorscreditworthiness. Credit review should also be conducted on a consolidated group basisto factor in the business connections among entities in a borrowing group.

As stated earlier, credit review should be performed on an annual basis, however morefrequent review should be conducted for new accounts where institutions may not befamiliar with the obligor, and for classified or adverse rated accounts that have higherprobability of default.

For consumer loans, institutions may dispense with the need to perform credit review forcertain products. However, they should monitor and report credit exceptions anddeterioration.

31


32/62

Delegation of Authority.

Banks are required to establish responsibility for credit sanctions and delegate authorityto approve credits or changes in credit terms. It is the responsibility of banks board toapprove the overall lending authority structure, and explicitly delegate credit sanctioning

authority to senior management and the credit committee. Lending authority assigned toofficers should be commensurate with the experience, ability and personal character. Itwould be better if institutions develop risk-based authority structure where lending poweris tied to the risk ratings of the obligor. Large banks may adopt multiple credit approversfor sanctioning such as credit ratings, risk approvals etc to institute a more effectivesystem of check and balance. The credit policy should spell out the escalation process toensure appropriate reporting and approval of credit extension beyond prescribed limits.The policy should also spell out authorities for unsecured credit (while remaining withinSBP limits), approvals of disbursements excess over limits and other exceptions to creditpolicy.

In cases where lending authority is assigned to the loan originating function, there shouldbe compensating processes and measures to ensure adherence to lending standards. Thereshould also be periodic review of lending authority assigned to officers.

Managing problem credits

The institution should establish a system that helps identify problem loan ahead of timewhen there may be more options available for remedial measures. Once the loan isidentified as problem, it should be managed under a dedicated remedial process.

A banks credit risk policies should clearly set out how the bank will manage problemcredits. Banks differ on the methods and organization they use to manage problem

credits. Responsibility for such credits may be assigned to the originating businessfunction, a specialized workout section, or a combination of the two, depending upon thesize and nature of the credit and the reason for its problems. When a bank has significantcredit-related problems, it is important to segregate the workout function from the creditorigination function. The additional resources, expertise and more concentrated focus of aspecialized workout section normally improve collection results.

A problem loan management process encompass following basic elements.

a. Negotiation and follow-up. Proactive effort should be taken in dealing withobligors to implement remedial plans, by maintaining frequent contact and internal

records of follow-up actions. Often rigorous efforts made at an early stage preventinstitutions from litigations and loan losses

b. Workout remedial strategies. Some times appropriate remedial strategies suchas restructuring of loan facility, enhancement in credit limits or reduction in interest rateshelp improve obligors repayment capacity. However it depends upon business condition,the nature of problems being faced and most importantly obligors commitment andwillingness to repay the loan. While such remedial strategies often bring up positive

32


33/62

results, institutions need to exercise great caution in adopting such measures and ensurethat such a policy must not encourage obligors to default intentionally. The institutionsinterest should be the primary consideration in case of such workout plans. It needs notmention here that competent authority, before their implementation, should approve suchworkout plan.

c. Review of collateral and security document. Institutions have to ascertain theloan recoverable amount by updating the values of available collateral with formalvaluation. Security documents should also be reviewed to ensure the completeness andenforceability of contracts and collateral/guarantee.

d. Status Report and Review.Problem credits should be subject to more frequentreview and monitoring. The review should update the status and development of the loanaccounts and progress of the remedial plans. Progress made on problem loan should bereported to the senior management

33


34/62

INDUSTRIAL CREDIT & INVESTMENT CORPORATION

OF INDIA (ICICI)

Risk ManagementAs a financial intermediary, ICICI Bank is exposed to risks that are particular to itslending and trading businesses and the environment within which it operates. ICICIBanks goal in risk management is to ensure that it understands measures and monitorsthe various risks that arise and that the organization adheres strictly to the policies andprocedures which are established to address these risks.

As a financial intermediary, ICICI Bank is primarily exposed to credit risk, market risk,liquidity risk, operational risk and legal risk. ICICI Bank has a central Risk, Complianceand Audit Group with a mandate to identify, assess, monitor and manage all of ICICI

Banks principal risks in accordance with well-defined policies and procedures. The Headof the Risk, Compliance and Audit Group reports to the Executive Director responsiblefor the Corporate Center, which does not include any business groups, and is thusindependent from ICICI Banks business units. The Risk, Compliance and Audit Groupcoordinate with representatives of the business units to implement ICICI Banks riskmethodologies.

Committees of the board of directors have been constituted to oversee the various riskmanagement activities. The Audit Committee of ICICI Banks board of directorsprovides direction to and also monitors the quality of the internal audit function. The RiskCommittee of ICICI Banks board of directors reviews risk management policies inrelation to various risks including portfolio,liquidity, interest rate, off-balance sheet andoperational risks, investment policies and strategy, and regulatory and compliance issuesin relation thereto. The Credit Committee of ICICI Banks board of directors reviewsdevelopments in key industrial sectors and ICICI Banks exposure to these sectors. TheAsset Liability Management Committee of ICICI Banks board of directors is responsiblefor managing the balance sheet and reviewing the asset-liability position to manage ICICIBanks market risk exposure. The Agriculture & Small Enterprises Business Committeeof ICICI Banks board of directors, which was constituted in June 2003 but has not heldany meetings to date, will, in additionto reviewing ICICI Banks strategy for smallenterprises and agri-business, also review the quality of the agricultural lending and smallenterprises finance credit portfolio. For a discussion of these and other committees see''Management''.

As shown in the following chart, the Risk, Compliance and Audit Group is organized intosix subgroups:

34


35/62

Credit Risk Management, Market Risk Management, Analytics, Internal Audit, RetailRisk Management and Credit Policies and Reserve Bank of India Inspection. TheAnalytics Unit develops proprietary quantitative techniques and models for riskmeasurement.

35


36/62

The Risk, Compliance and Audit Group is also responsible for assessing the riskspertaining to international business, including review of credit policies and settingsovereign and counterparty limits.

Credit Risk

In our lending operations, we are principally exposed to credit risk. Credit risk is the riskof loss that may occur from the failure of any party to abide by the terms and conditionsof any financial contract with us, principally the failure to make required payments onloans due to us. We currently measure, monitor and manage credit risk for each borrowerand also at the portfolio level. We have a structured and standardized credit approvalprocess, which includes a well-established procedure of comprehensive credit appraisal.

Credit Risk Assessment Procedures for Corporate Loans

In order to assess the credit risk associated with any financing proposal, ICICI Bankassesses a variety of risks