In the wake of the Reserve Bank of India's recent announcement of restrictions on YES BANK regarding cash withdrawals of more than Rs. 50000/-, coming after the recent collapse of Punjab & Maharashtra Co-operative Bank, the management of operational risk has assumed greater importance in preventing such unsavory incidents, which inconvenience the public, create panic and damage public confidence and trust in the banking industry. The New Capital Adequacy Framework requires banks to hold capital explicitly towards operational risk. Effective operational risk management requires a strong operational management culture, efficacious internal control and reporting, and contingency planning. The Reserve Bank of India has already issued guidelines on operational risk, and their preamble is reproduced below.
“Operational risk has been defined by the Basel Committee on Banking Supervision as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. This definition is based on the underlying causes of operational risk. It seeks to identify why a loss happened and at the broadest level includes the breakdown by four causes: people, processes, systems and external factors”.
“The Basel Committee has identified the following types of operational risk events as having the potential to result in substantial losses:
Ever-increasing operational losses of large magnitude worldwide have led to operational risk management being viewed as an integral part of the risk management portfolio. Beyond the existing management of specific operational risks, such as preventing fraud, maintaining the integrity of internal controls and reducing errors in transaction processing, operational risk management has become a comprehensive practice comparable to the management of credit and market risks. In other words, operational risk management means the ‘identification, assessment and / or measurement, monitoring and control / mitigation’ of the risk connected with operations.
The Board of Directors of each bank shall be responsible for approving and periodically reviewing the credit risk strategy and significant credit risk policies.
(i) A credit risk policy document approved by the bank’s Board which should include risk identification, risk measurement, risk grading/ aggregation techniques, reporting and risk control/ mitigation techniques, documentation, legal issues and management of problem loans, should be made available to all in the bank.
(ii) Credit risk policies should also define target markets, risk acceptance criteria, credit approval authority, credit origination/ maintenance procedures and guidelines for portfolio management.
(iii) The credit risk policies approved by the Board should be communicated to branches/controlling offices. All dealing officials should clearly understand the bank’s approach for credit sanction and should be held responsible and accountable for complying with established policies and procedures.
(iv) Implementing the credit risk policy approved by the Board shall be the prerogative and the responsibility of the senior management of the bank.
(i) Each bank should develop, with the approval of its Board, its own credit risk strategy or plan that establishes the objectives guiding the bank’s credit-granting activities and adopt necessary policies / procedures for conducting such activities. This strategy should spell out clearly the organisation’s credit appetite and the acceptable level of risk-reward trade-off for its activities.
(ii) The strategy would, therefore, include a statement of the bank’s willingness to grant loans based on the type of economic activity, geographical location, currency, market, maturity and anticipated profitability. This would necessarily translate into the identification of target markets and business sectors, preferred levels of diversification and concentration, the cost of capital in granting credit and the cost of bad debts.
(iii) The credit risk strategy should provide continuity in approach as also take into account the cyclical aspects of the economy and the resulting shifts in the composition/ quality of the overall credit portfolio. This strategy should be viable in the long run and through various credit cycles.
(iv) Senior management of a bank shall be responsible for implementing the credit risk strategy approved by the Board.
“Sound organizational structure is sine qua non for successful implementation of an effective credit risk management system. The organizational structure for credit risk management should have the following basic features:
(i) The Board of Directors should have the overall responsibility for management of risks. The Board should decide the risk management policy of the bank and set limits for liquidity, interest rate, foreign exchange and equity price risks.
(ii) The Risk Management Committee will be a Board level Subcommittee including CEO and heads of Credit, Market and Operational Risk Management Committees. It will devise the policy and strategy for integrated risk management containing various risk exposures of the bank including the credit risk. For this purpose, this Committee should effectively coordinate between the Credit Risk Management Committee (CRMC), the Asset Liability Management Committee and other risk committees of the bank, if any. It is imperative that the independence of this Committee is preserved. The Board should, therefore, ensure that this is not compromised at any cost. In the event of the Board not accepting any recommendation of this Committee, systems should be put in place to spell out the rationale for such an action and should be properly documented. This document should be made available to the internal and external auditors for their scrutiny and comments. The credit risk strategy and policies adopted by the committee should be effectively communicated throughout the organisation.
(iii) Each bank may, depending on the size of the organization or loan/ investment book, constitute a high-level Credit Risk Management Committee (CRMC). The Committee should be headed by the Chairman/CEO/ED, and should comprise heads of Credit Department, Treasury, Credit Risk Management Department (CRMD) and the Chief Economist. The functions of the Credit Risk Management Committee should be as under:
(a) Be responsible for the implementation of the credit risk policy/ strategy approved by the Board.
(b) Monitor credit risk on a bank wide basis and ensure compliance with limits approved by the Board.
(c) Recommend to the Board, for its approval, clear policies on standards for presentation of credit proposals, financial covenants, rating standards and benchmarks.
(d) Decide delegation of credit approving powers, prudential limits on large credit exposures, standards for loan collateral, portfolio management, loan review mechanism, risk concentrations, risk monitoring and evaluation, pricing of loans, provisioning, regulatory/legal compliance, etc”.
Simultaneously, each bank should also set up Credit Risk Management Department (CRMD), independent of the Credit Administration Department. The CRMD should consist of:
(i) Measure, control and manage credit risk on a bank-wide basis within the limits set by the Board/ CRMC.
(ii) Enforce compliance with the risk parameters and prudential limits set by the Board/ CRMC.
(iii) Lay down risk assessment systems, develop MIS, monitor quality of loan/ investment portfolio, identify problems, correct deficiencies and undertake loan review/audit. Large banks could consider separate set up for loan review/audit.
(iv) Be accountable for protecting the quality of the entire loan/ investment portfolio. The Department should undertake portfolio evaluations and conduct comprehensive studies on the environment to test the resilience of the loan portfolio”.
A comprehensive training programme should be implemented for all executives and employees so that they understand the importance of carrying out the risk management programme diligently, sincerely and honestly, with no room for complacency. Periodic knowledge audits of employees of all categories should be undertaken to test their knowledge level, analytical ability, assessment capacity, logical reasoning, decision-making capability and crisis management ability, and to make further improvements towards realising the objectives of the risk management programmes.