1.RISK MANAGEMENT
The Banking sector has a pivotal role in the development of an economy. It is the key driver of the economic growth of the country and has a dynamic role to play in converting the idle capital resources for their optimum utilization to attain maximum productivity. As risk is directly proportionate to return, the more risk a bank takes, it can expect to make more money. However, greater risk also increases the danger that the bank may incur huge losses and be forced out of business.
Banks, therefore, try to ensure that their risk-taking is informed and prudent. Thus, maintaining a trade-off between risk and return is the business of risk management. Moreover, risk management in the banking sector is a key issue linked to financial system stability.
Risk Management is complex. Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors and external factors. Sound risk assessment allows the bank to better understand its risk profile and target risk management resources and strategies most effectively.
2.DEFINITION OF RISK
A risk can be defined as an unplanned event with financial consequences resulting in loss or reduced earnings. An activity that may give profits or result in loss may be called a risky proposition due to uncertainty or unpredictability of the activity of trade in the future. In other words, it can be defined as the uncertainty of the outcome. In the simplest words, the risk may be defined as the possibility of loss. It may be financial loss or loss to the reputation/ image.
Although the terms risk and uncertainty are often used synonymously, there is a difference between the two. Uncertainty is the case when the decision-maker knows all the possible outcomes of a particular act but does not have an idea of the probabilities of the outcomes. On the contrary, the risk is related to a situation in which the decision-maker knows the probabilities of the various outcomes. In short, the risk is a quantifiable uncertainty.
3.RISK ASSESSMENT
In a risk assessment, a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. Risk Control Self Assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment.
4.TYPES OF RISK
The risk may be defined as ‘possibility of loss’, which may be financial loss or loss to the image or reputation. Banks like any other commercial organization also intend to take the risk, which is inherent in any business. The major risks in banking business or ‘banking risks’, as commonly referred, are listed below –
5.RISK SOURCES
The risk register will therefore feed on different sources, being them internal, external, or ad hoc. Examples of ad-hoc risk assessments may result in:
6.RISK CONTROL SELF ASSESSMENTS - RCSA
Markets across the globe are experiencing a period of heightened strategic and operational risk – which is why comprehensive risk and control self-assessments (RCSAs) continue to be a crucial first step in mitigating these risks.
RCSA is the process by which organizations assess and examine operational risks and the effectiveness of controls used to circumnavigate them. It’s one of the easiest and most effective tools in the risk management arsenal, and the objective is simple: to provide firms with reasonable assurance that all business objectives are going to be met, and existing risk management protocols are sustainable and robust.
RCSA adds value by increasing an operating unit’s involvement in designing and maintaining control and risk systems, identifying risk exposures, and determining corrective action.
RCSA aims to integrate risk management practices and culture into the way staff undertake their jobs, and business units achieve their objectives.
RSCA allows the Risk Management department to identify risks and controls across the business. The RCSA processes typically allow to evaluate:
Banks and other financial institutions enjoy further benefits by utilizing RCSA techniques as part of an integrated risk management strategy. This is because a facilitated RCSA can vastly improve the control environment of banks by increasing awareness regarding organizational objectives and motivate personnel to more carefully design and implement operating control processes.
RCSA process must be performed across all activities and functions within a business that has the potential to pose an operational risk to the organization.
RCSA entities often identified for assessment include information technology (IT), retail banking, corporate banking, asset management, treasury, customer services, payments, financial control, and business development.
After identifying RCSA entities, an effective workflow starts by identifying the potential risks within each entity – and each risk must subsequently then be assessed by identifying existing controls that have already been created or assigned to mitigate the identified risk.
In terms of the identifiable operational risks around products or activities that need to be addressed, written audit reports, actual loss experience, and regulatory reviews are typically sufficient.
Following identification, risks should then be prioritized on a basis of high, medium, or low – while inherent risks and residual risks are segregated.
7.RISK REGISTER
The Risk Register is the main depository of key risks and controls identified across the organization’s departments and business units. These identified risks are the result of systematic (e.g. RCSA) or ad-hoc risk assessments performed at a given point in time across all departments or specifically for a business line. The characteristics and size of a risk register will depend fundamentally on the size of the company and the complexity of its business model.
The risk register must be closely monitored and constantly kept up to date. Risks and controls resulting from the RCSA are recorded in the firm’s risk register and owned by the business. Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment – these scorecards will include the quantification of the impact and likelihood of the risks occurring by using scoring methodologies. The RCSA process considers financial, client, legal & regulatory, and reputation when considering the risk impact.
The outcome of risk assessments (ad hoc, specific or process-driven) will result in a list of potential risks that the organization is exposed to. These identified risks, along with their scoring, their mitigation controls, and the controls scoring, will be must be stored in a structured and formal risk register.
Nowadays banks and other financially regulated firms take this topic very seriously and keep their risk register updated and ready to disclose to a regulator if that requirement arises.
The control identification process must include an assessment to discover whether the existing controls are working as intended. All attributes for the controls need to be documented, and a self-rating system should help stakeholders to bring these attributes together and determine the overall quality of a controlled environment.
8.ACTION POINTS
Where risk mitigating controls are scored low or weak, either in terms of design or performance, action points must be defined immediately and assigned to one or more owners.
A bank should have policies and procedures that address the process for review and approval of new products, activities, processes, and systems. The review and approval process should consider:
The approval process should also include ensuring that appropriate investment has been made for human resources and technology infrastructure before new products are introduced.
The implementation of new products, activities, processes, and systems should be monitored to identify any material differences to the expected operational risk profile and to manage any unexpected risks.
The key to a sustainable RSCA process is in how we use the data to identify changes in the risk profile of a specific process, and then use the RSCA to investigate these changes and determine what changes need to be made to the controls.
Risk managers need to take a critical look at our processes and question their effectiveness. We need to judge what we do by the benefit it provides our business leaders, not by some measure of assessments completed.
The RCSA has the potential to be a high-value investigative tool when implemented as part of a well-defined fully integrated risk management program used to investigate anomalies.
The risk management department must follow up on any action point in progress until completion since in the interim there might be a control in place which won’t be robust enough.
Ultimately, the head of the risk might block or condition a certain initiative if a risk mitigation control is not in place or found to be not robust enough.
