A Study of Enterprise Risk Management in Banks

Author: Audrey West
GYANPRATHA – ACCMAN Journal of Management, Volume 5 Issue 1 2013

A Study of Enterprise Risk Management in Banks *Shalini Srivastav

Abstract: Risk is defined as the probability of an unexpected event that may result in a loss. Risk is uncertainty, and uncertainty is inherent in every business, more so in banking. Banks, in the process of acting as intermediaries, are confronted with various kinds of financial and non-financial risks, such as credit risk, market risk and operational risk. Risks are as old as banks themselves. The business of banking is thus the business of risk management. Enterprise risk management (ERM) is a relatively new discipline that focuses on identifying, analyzing, monitoring, and controlling all major risk classes (e.g., credit, market, liquidity, operational risk). Operational risk management (ORM) is a subset of ERM that focuses on identifying, analyzing, monitoring, and controlling operational risk. The purpose of this paper is to explain what enterprise risk management is and how operational risk management fits into the ERM framework.

Keywords: Enterprise Risk, Operational Risk, Banking System, Risk Management, Corporate Governance.

*Assistant Professor, ACCMAN Institute of Management


Introduction: Enterprise Risk Management is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to stakeholders. The enterprise risks are all the material risks the enterprise encounters. The main risks of banks are typically market risk, operational risk, credit risk, liquidity risk and business risks. It is important that these are measured and monitored frequently so that the enterprise constantly knows its risks and how these change. It is also important that the risks are prioritized with regard to frequency and severity.

Fig. 1. ERM: Risks, capital and value creation


As per this figure, to study enterprise risk measurement it is important to understand economic capital. Economic capital entails deep knowledge of risk measures, risk modeling and risk integration, and this must be executed based on the risk-bearing capacity of the bank. Risk and capital management is merely the foundation of ERM; to truly reap the full benefits of running an ERM framework, the bank must take a step further and run itself such that it consciously utilizes risk to drive value creation.

What is risk assessment? Risk assessment is the identification and analysis of both quantitative and qualitative risks to the achievement of business objectives, and it forms a basis for determining how risks should be managed. Risk is assessed on an inherent and residual basis, allowing an entity to understand the extent to which potential events might impact objectives from two perspectives: likelihood and impact.

Enterprise Risk Management is not a "One-Size-Fits-All" approach. The table below depicts three stages of ERM programs. At each stage, the risk assessment requirements vary. The key is to determine the degree of maturity that is right for your company.


Source: http://www.eisneramper.com/Review/W10-Risk-Assessment.aspx

Recent Financial Crisis: Banks worldwide should take a cue from the recent battering that many financial services companies have faced in the last 12 months. Although the banks had already adopted and implemented Basel II norms and established enterprise risk management programs, most of them were unsuccessful in understanding how market forces had influenced their "Risk Appetite", and their risk management systems were not robust enough to identify and report on how the risk culture was being influenced by internal and external forces. For instance, banks and other investors continued to purchase newer types of investments without having the proper infrastructure in place to identify and manage the risks. This is a classic example of trading risk mismanagement. Moreover, in reality, the risk management function is always seen as a non-contributing asset, which is in place to meet some regulatory requirements. This had led to underestimating the role of risk management in the growth and sustenance of an organization, which resulted in a secondary role for the risk function and for the consideration of risks in decision making. It is obvious that in most of the banks the business got priority over risks, and decisions were made by overlooking the controls to mitigate the risks. The lesson that comes out of this episode is that risk management practices have to be followed more rigorously and seriously, and the banking industry should put up the necessary resources to constantly improve on the guidelines.

Enterprise Risk Management In Banks: Risk management in the banking sector is in the limelight, especially after the recent turbulence that has impacted the very existence of the banking sector as a viable industry. The journey of risk management started way back in the early 1800's, when the banks recognized the significance of the role of risk management and adopted it by creating a risk function in their organizations. From then onwards, the risk function in the banks evolved over time and reached a stage where the need was felt for common criteria to measure and quantify the risks, so that a comparative analysis of the banks can be performed and made available to the stakeholders. This development has led to the introduction of BASEL Norms by the BIS Committee.

Need of ERM in Banks:

• Capital relief or consolidating solvency from using ERM: Having advanced risk models and an enterprise approach will massively free up capital and ultimately increase bottom-line profits. As an alternative to using the freed-up capital in business lines, it can be used to consolidate the solvency ratio.

• Risk as value-driver: Traditionally a defensive posture has been exercised towards risks, which were often viewed as situations to be minimized or avoided. Increasingly, banks recognize the opportunistic and value-creating potential of risk. While avoidance and minimizing remain legitimate strategies for dealing with certain risks, by certain banks at certain times, there is also the opportunity to swap, keep and actively pursue other risks because of confidence in the bank's special ability to exploit those risks.

• Portfolio perspective: Modern portfolio theory provides a framework for thinking about the collective risk of a group of financial instruments and an individual instrument's contribution to the collective risk. With ERM, these concepts have been generalized beyond financial risks to include risks of all kinds. A number of principles follow from this thinking:
  - Portfolio risk is not the simple sum of the individual risk elements, i.e. total risk < sum of all risks.
  - To understand portfolio risk, one must understand the individual elements and their interaction.
  - The risk of the enterprise is relevant to the key risk decisions facing that organization.

• More – and more complicated – risks: There is greater recognition of the variety and increased number of risks that banks face. The advance of technology, the pace of business, globalization and increasing financial sophistication all contribute to the growing number and complexity of risks. It is necessary to recognize the importance of all risks, and their interactions, not just familiar risks or the ones that are easy to quantify.

• Quantification: There is a growing tendency to quantify risks. Advances in technology and expertise have made quantification easier, even for the infrequent, unpredictable risks that have historically been difficult to quantify.

• External pressure: Regulators, rating agencies, stock exchanges, investors and corporate governance bodies have come to insist that company senior management take greater responsibility for managing risks on an enterprise-wide scale.

Categories of Risk in ERM Plan: There is no master list of categories that we can use for our project. It changes from project to project, industry to industry, and company to company. Nonetheless, to get you started in the right direction, below are some broad categories that can be used in a majority of the projects that we may encounter in our life: 1. Internal, 2. External, 3. Environmental, 4. Economic, 5. Political, 6. Market, 7. Process, 8. Third-Party, 9. Business, 10. Operations, 11. Organizational, 12. Infrastructure, 13. Culture, 14. Technology, 15. Human Resources, 16. Legal, 17. Financial, 18. Project Management, 19. Security.

Process of Enterprise Risk Management: The risk management process, whose steps are based on those originally set out in risk management standards, comprises seven main steps:

• Establish context
• Identify risks
• Analyze / quantify risks
• Integrating risks
• Assessing / prioritizing risks
• Treating / exploiting risks

The risk management process involves:

1. Establishing Context: This includes an understanding of the current conditions in which the organization operates on an internal, external and risk management context.
2. Identifying Risks: This includes the documentation of the material threats to the organization's achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage.
3. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization's key performance metrics.
5. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
6. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
7. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.

COSO ERM Framework: The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, which is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. The COSO ERM Framework has seven components and four objectives categories:

• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

The four objectives categories - additional components highlighted - are:

• Strategy - high-level goals, aligned with and supporting the organization's mission
• Operations - effective and efficient use of resources
• Financial Reporting - reliability of operational and financial reporting
• Compliance - compliance with applicable laws and regulations

Typical Risk Functions in Implementing an ERM Program:

• Strategic planning - identifies external threats and competitive opportunities, along with strategic initiatives to address them.
• Marketing - understands the target customer to ensure product/service alignment with customer requirements.
• Compliance & Ethics - monitors compliance with code of conduct and directs fraud investigations.
• Accounting / Financial compliance - directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks.
• Law Department - manages litigation and analyzes emerging legal trends that may impact the organization.
• Insurance - ensures the proper insurance coverage for the organization.
• Treasury - ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange.
• Operational Quality Assurance - verifies operational output is within tolerances.
• Operations management - ensures the business runs day-to-day and that related barriers are surfaced for resolution.
• Credit - ensures any credit provided to customers is appropriate to their ability to pay.
• Customer service - ensures customer complaints are handled promptly and root causes are reported to operations for resolution.
• Internal audit - evaluates the effectiveness of each of the above risk functions and recommends improvements.

Conclusion: ERM as a process is a long and arduous journey. It is a never-ending process, and the risk convergence journey can be divided into three broad phases of coordination, alignment and integration. The initial convergence program is mainly focused on streamlining basic activities, including developing a common risk language and framework, identifying and reducing redundancy, and sharing data. The banks which have embarked on the process find silo infrastructures, people's natural resistance to embracing major operational changes, and inflexibility of existing legacy systems. A successful ERM process would ensure that the risk taken by the bank is compensated by a commensurate level of reward and that the bank is completely aware of the amount of risk that it wants to take on. Many banks are now looking at ERM to integrate risk and control processes and create a common framework for assessing and monitoring all kinds of risks. An integrated model helps in delivering tangible benefits in terms of costs associated with compliance and gives a better picture of the risk being faced by the bank. The risk management process becomes more robust because of a common data structure and a common technology architecture supporting the entire process.

References:

1. Introducing Enterprise Risk Management, by Morten Virenfeldt, www.tools4risk.com
2. http://wiki.answers.com/Q/What_are_the_four_categories_of_risk_in_an_Enterprise_Risk_Management_PLan#ixzz26nQAl1KH
3. http://www.eisneramper.com/Review/W10-Risk-Assessment.aspx
4. http://www.wipro.com/documents/insights/whitepaper/enterprise_risk_management_for_banks.pdf
5. http://wiki.answers.com/Q/What_is_the_role_of_enterprise_risk_management_in_banks
6. http://www.issa.org/events/event_details.asp?id=238341
7. http://www.bankersaccuity.com/info/creditrisk/?cmpid=PSC|BRSK|BASUB2012-EMEA-adwd-Banking_Risk&campaignid=701200000004cD
8. http://poole.ncsu.edu/vol2/erm/ee/i/weblogs/researchdocuments/AICPA_ERM_Research_Study_2012_Final_Submission_July_16,_2012.p.
9. http://www1.gsm.pku.edu.cn/stat/public_html/ifirm/reports/ARMI%20White%20Paper%20Final%A3%A8James's%20paper%201).pdf
10. http://www.issa.org/events/event_details.asp?id=238341
11. http://www.smslp.com/knowledge/enterprise-risk-management/
12. http://www.ey.com/IN/en/Newsroom/News-releases/Published-editorial---ERMin-the-time-of-financial-crisis