Risk Management a current challenge in Banking

Priam Kasturiratna
kasturi@sampath.lk
4th Annual Conference on Information Technology Governance 18th & 19th September 2008, Colombo Sri Lanka

Risk Management a current challenge in Banking

Changes taking place in the Banking and Financial Services Industry

Challenges to Banks setting-up Risk Management frameworks

Factors Driving Banking and Financial Service Industry

Risk Based Laws & Regulations Technology Standardisation Financial Service Innovations Competition Volatility in Energy & Commodity Markets Climate Change & Global Warming

Country Specific Conditions

Changing Social & Behavioural Patterns Emerging Risk Types

Risk Based Laws and Regulations

Laws and Regulations act as a key driver shaping the Banking industry, while generating more complexity in operations as well as in Managing Risk

Worldwide

Basel II Anti Money Laundering (AML) and Know Your Customer (KYC) Sarbanes Oxley Act

Sri Lanka
Prevention of Money Laundering Act, No. 5 of 2006 Financial Transactions Reporting Act, No. 6 of 2006 Companies Act, No. 07 of 2007 Directions, circulars and guidelines issued by Central Bank of Sri Lanka, including Basel II compliance directives.

Technology
Technology has been at the foundation of the rapid growth and innovations in Financial Services since 1980s Dr John Lee identifies six major drivers behind Technology Investments in Banking and Financial Services industry. Dynamic IT Transformation Support Organic Growth Developing new and IT enabled revenues Defend Revenue sources Cost Optimisation Industrialised Banking
Introduction of Technology Changes Processes, Opens up new risk exposures inherent with the technologies adopted

Standardisation of Controls and Business Mechanisms

Three drivers silently operating to standardise the way Banking is conducted.
1.

2.

3.

Regulatory cooperation among Governments, Professional bodies, and International organisations. Cross border Laws and regulations like Basel II, AML Compliance, Know Your Customer regulations, Laws on Electronic Commerce, Sarbanes Oxley etc. Banks/Financial Service providers adapting to systems (software/hardware) offered by major global systems service providers.

Financial Service Innovations

Why Innovations are coming up in Banking/Financial Services?

Changing customer needs/wants Changing technologies Thinning market share and profitability

Ability to adapt to changing needs of its clientele, and continuous innovation have become core competencies of the industry. Bankers have emulated many non traditional concepts into the business, and accept higher risk levels to generate returns that keep their stakeholders happy.

Financial Service Innovations

E-commerce/Mobile technologies

Propelled by Changing lifestyles Most aggressively promoted retail product group Rising number of high net worth clients Increasing savings levels of middle/upper middle income earners Ageing population investing retirement benefits/savings.

Wealth Management and Retail Investing Services

Financial Service Innovations

Islamic Banking

Singaporean and Malaysian initiatives in progress to establish Islamic Banking Islamic Financial Services Board of Malaysia has developed a framework for capital treatment of Islamic products & regulatory convergence with Basel II The swift pace of economic development of Middle Eastern and other predominantly Muslim countries, combined with strong commodity exports from many of these nations, has fuelled demand for the development of a raft of funding instruments and investment products that comply with Islamic Sharia law. Monetary Authority of Singapore estimates that global Islamic Financing market is worth USD 300 billion, and growing at a rate of 15% every year
Pamela Tang

Competition among Service Providers

Competition from Non traditional financial service providers

Trying to attract clients from traditional banking institutions

Telecommunications Retailing Real Estate Automotive Plantation sector companies have come out with many alternative financial service products with appeal.

Not bound by regulations applicable to banks Usually gives more benefits to clients Higher margins compared to Banks

Competition among Service Providers

Competition has affected Profitability of the industry Outsourcing has reduced this burden a little bit, but at the same time exposing the banks to higher levels of operational risk. Locally operating Banks are threatened Market entry by Global Banks Global players in the market offer branded products across the geographical boundaries More demand cross border services from growing financial needs beyond local boundaries

With respect to increasing globalisation, what weve seen here in Australia with the recent arrival of private equity into Australia is the way the market can be changed by a global rather than a local trend. Australian banks arent very big in global terms. So what is not a challenge for risk professionals worldwide is a challenge for risk professionals in Australian banks
Michael Hamar, Group chief risk officer, National Australia Bank

Volatility in Energy and Commodity Markets

Food & energy crisis

Increased Cost of Living High impact to middle/lower income groups

Increased Operational expenses for Banks & all other organisations

increasing operational expenses of banks will directly affect bottom lines increased credit risk due to contraction of borrowers repaying power

Climate Change and Global Warming

Climate change will cause enormous extra costs for Germany in the future. In case the global mean temperature rises up to 4.5 degrees Celsius by 2100 as predicted by the latest IPCC report, in case no measures are taken - the German economy might face an additional burden of up to 800 billion Euros by 2050.
German Institute for Economic Research (DIW)

The UK Financial Services Authority has cited climate change as presenting a considerable risk to the financial services sector in its annual Financial Risk Outlook report

Country Specific Conditions Sri Lanka

Higher Market Risk - Volatility of interest and exchange rates Inflation Rates over 20% Unstable political situation in the north and east

restricts healthy business growth poses security threats to every type of venture Could affect Credit, Operational and Market Risk of banks Need for strong Business Continuity Plans has become more critical Higher Anti Money Laundering & Terrorist Financing Risk (Foreign Remittances, top earner for the country) GSP plus Rising cost of living Issues in transportation, power etc. Stagnating land & housing markets Changes in educational system Restrictions in some of the overseas job markets

Pending issues in the country

Changing Social and Behavioural Patterns

25 years back and TODAY

Response to a criminal or terrorist activity Bank authorising a transaction on the strength of an email. PC to PC free calls to a foreign country
Home Office balanced stress-less job Busy Executive with six figure income

Epidemics, hunger and poverty loosing their place as major threats to human life

Food and water contamination - a silent killer Stress, Mental and physical health issues are common mans topics
Hackers White Collar Crimes Bribery, Corruption Email, Chat

Increased Cross border activities

Emerging Risk Types

Operational Risk
Anti Money Laundering Business Continuity Planning Counterparty failures Corporate Frauds

Arms and drug trade

Human trafficking
Bribery and corruption

Reputation Management

Emerging Risk Types

Reputational Risk
Reputational Risk will only manifest itself after the damage to the firms name has already been done.

Sustainability Risk
Organisations are trying to minimize negative environmental impacts in order to ensure long term profitability and growth potential. Sustainable Investment Research Analyst Network (SIRAN), a nonprofit organization made up of analysts whose firms are devoted to sustainability issues, reported that 86 of the 100 largest publicly traded U.S. companies now note their sustainability efforts in their annual reports. Sarah Varney

If, as many believe, CSR is moving to the centre of banking activities in the US as in Europe, then increasing investor and media focus on corporate responsibility should probably be a concern for risk managers.
Peter Madigan

Factors Driving Banking and Financial Service Industry

Risk Based Laws & Regulations Technology Standardisation Financial Service Innovations Competition Volatility in Energy & Commodity Markets Climate Change & Global Warming

Country Specific Conditions

Changing Social & Behavioural Patterns Emerging Risk Types

Risk Management Current Challenges in the Industry

The Challenges
Top Management Commitment and Support
Increased Responsibilities & Involvement from Board of Directors

Integrating Risk Management into Business

Business Manager & Risk Manager

Setting-up Organisational Structures

Training to maintain Risk Management Capabilities

HR aspects of Risk Management

Risk Management and ICT

Collecting Data & Managing Data Quality

Auditing Risk Frameworks

The Challenges
YES, Managing Risk is a key concern for us. BUT WHO WILL BEAR THE ADDITIONAL COST OF IT

From the day the board of directors and top management becomes seriously committed to Risk Management, Board of directors, Top management and everyone else will look forward to Risk Managers response, and assistance in performing their functions.
It takes two minutes more, to open an account under New Risk Control Procedure. Customers are not happy, it takes longer to finish days work !@#$%^&*(!

Getting Top Management Commitment and Support

Risk Management affects all employees, all processes across the bank Therefore it is unlikely to be successful without sponsorship from the top
Starting

from commitment to high level of corporate governance, top management sponsorship shall extend to treating Risk Management as a serious aspect positively contributing to the organisation Demonstrating their commitment openly Working with Risk Manager to implement Risk Management within the bank Accepting the ultimate responsibility for Risk Management within the bank. Allocation of sufficient Resources

Receiving good level of sponsorship could take a number of months and sometimes years

Getting Top Management Commitment and Support

Senior management buy-in is definitely required. It is a necessity, but not sufficient condition. In addition there should be buy-in from individual departments and individual business heads. It is a complex area, because it looks at human behaviour- it is really a juxtaposition of human behaviour and risk management
Ravi Varadachari

Increased Responsibilities and Involvement from Board of Directors

Directive on Corporate Governance (No 11 of 2007)

Appoint a Board Level Sub Committee on Risk Management Develop Risk Management expertise within the board Ensure that Risk Management framework is on a sound footing All officers are updated with current changes in the banking industry worldwide.
Establishes joint & personal liability of directors for ensuing risk is managed in a sound manner

Companies Act 6 of 2007

Directors will be responsible, and increasingly involved in directing top management to making sure that the organisation & directors themselves are protected against risks & liabilities.

Setting-up Organisational Structures

Independent

Lines of Defence Reporting lines and procedures Proper Delegation of Risk Decision Making Authority Placement of Risk Managers at appropriate hierarchical level
Board of Directors Risk Management Committees Top Management Risk Management
Internal Audit External Audit

Business Units 2 3 1 Regulators are increasingly seeking formal internal control assurances from regulated entities. Organisations should formally assess their risk and controls on an ongoing basis. At least once a year, management within each of the three lines of defence should formally attest or provide assurance on the capability maturity of the enterprise risk management framework as it relates to risks within their scope of authority
Mario Micallef

Managing HR for Risk Management

Getting the correct person for the job

Do we have sufficient number of competent Risk Managers to cater to all banks? Risk Managers may be reluctant to accept the standardised remuneration packages offered by traditional banks Not many banks are ready to offer premium pay levels to Risk Managers Risk Managers leaving for better prospects is common.

In much worst scenarios, some banks may find that the headhunted Risk Manager does not perform to the expectations

Finding Data Analysis, Documentation and Communication Skills

What

Bad analysis could do

create

more risk bad documentation could misinterpret the risk end up in a trash bin with disrespect.

Most sought after skills

Problem analysis Good use of econometrics Technical Writing & Documentation skills Communication/public relations skills

Assessing a prospective Risk Manager

Clear cut benchmarks or Industry Certifications ???? What could be of use

Financial Risk Management Information Security Business Continuity Planning Project Management Undergraduate and Masters Level qualifications are some of the useful benchmarks.

What experience is necessary or could help?

Banking Auditing Information Technology Project Management Econometrics Statistical Data analysis Legal, Technical Writing Organisational Re-structuring

When it comes to selections, irrespective whether it is Credit, Market, Operational Risk, or Anti Money Laundering Compliance, banks use a combination of existing qualifications, career history, and a substantial amount of guesswork to assess suitability of an individual for a Risk Management position.

Retaining Good Risk Managers, Job Satisfaction and Remuneration

Career/Workplace Challenges faced by Risk Managers

Improper hierarchical placement of the Risk Manager Conflicting interests

Risk Manager not having sufficient authority and independency Being overruled by the superiors lacking understanding on risk principals or conflict of interest

Lack of Senior Management Sponsorship Risk Manager could be taken as a threat by peers/superiors Managing internal resistance. Feeling that they are underpaid in the local market Lack of training and development opportunities Career path problems

Retaining Good Risk Managers, Job Satisfaction and Remuneration

What determines Remuneration for Sri Lankan Risk Managers

Decision makers understanding on the contribution from a Risk Manager towards business success General pay levels of the organisation Whether there is a strong lobby of Risk Managers in the market The bargaining power of the prospective individual

Increased demand for experienced (Risk and Compliance) staff has pushed up salaries significantly. There has been a year on year increase for compliance professionals, particularly at the junior end, which has seen a 25-30% increase in the basic salary. Temporary staff can earn upwards of 300 Sterling Pounds a day.
Victoria Pennington

Retaining Good Risk Managers, Job Satisfaction and Remuneration

Building long run Risk Expertise Core banking Lending Treasury Investments Econometrics Social sciences Technical Writing Information & Communication Technology Card Business ecommerce Legal Project Management Auditing Information Security Business Process ReEngineering

A banks board of directors and top management needs to display & act with their strategic vision, foresight, and long range planning capabilities for building a strong Risk Management Team over a number of years.

Collecting Data & Managing Data Quality

Risk Management relies heavily on

unearthing trends or possibilities through econometrics large volumes of organised and dependable data pertaining to events over a number of years are a necessity for reliable results

Historical data becomes a critical success factor once a bank completes setting up its basic Risk Management framework and wants to move up towards advanced Risk Management approaches with regulator approval. Banks need to recognise this early, and start data cleansing and collection without delay. Whether available data is usable for a particular model or system

evaluate what systems or mechanisms that they are going to use for data analysis Data requirements may vary according to the future plans

Data cleansing will also need taking important actions/decisions, model testing with available data, expertise to interpret the results and refine data collection process.

Collecting Data & Managing Data Quality

As per Global Data Management Survey of Australian, US and UK companies, it was highlighted that, A high proportion of respondents are not very comfortable in the quality of their data Most organisations still view data quality management as an IT issue, rather than an issue for senior management, the managing director or corporate board Confidence in shared (industry) data from third parties has eroded

Therefore, it is necessary to recognise the challenges early, plan ahead, and act early.

Integrating Risk Management Tasks into Business

Incorporate Risk Management Components in to

Policies Standards Procedures Guidelines

Support of board of directors, top management, operations, human resources, and training

broad knowledge of the existing business processes knowledge of Risk Management substantial efforts in planning, documentation, and training

The initial years on this process will be more of managing a project than risk management. It would take a few years to complete the process, and to obtain organisation wide support for new way of conducting daily business functions.

Business Manager vs. Risk Manager

How does a Risk Manager Add Value to business processes ?

Risk Management adds control tasks into the business process lifecycles.

Processes become longer and time consuming May need more resources Customer delays could occur Training may be needed

Business Manager vs. Risk Manager

Add Value to Business vs. hampering business

Success of the Risk Manager depends in getting buy-in from the other stakeholders Depends identifying thin margin between support & obstruction Clear communication of expected business benefits Public relations and communication are not just preferred skills, they are core competencies of any good Risk Manager.
Risk Managers true function would be to add business value by ensuring higher predictability of business outcomes. Both Risk Managers and Business Managers need to assist each other in a successful business.

Training to maintain Risk Management Capabilities

Periodic Training is crucial for Risk Managers, Board of Directors and top management Constant update knowledge on worldwide developments in a number of fields

Banking industry Overall business environment Technical developments/ICT New risk types Financial, Economic, technical & Social, etc etc Trends

What could be risk training, continuous knowledge maintenance ?

Theoretical knowledge development Exposure to the industry practices, counterparties Knowledge sharing and exposure among local and global counterparts

Risk Management and ICT

ICT is a vital factor that influences everything in banking The volume and nature of transaction monitoring and analysis needed cannot be done without ICT It is impossible to keep up with the worldwide developments in Risk Management without ICT support

From an organisational perspective, every bank must evaluate their IT system needs for Risk Management from early days of planning.

Many local banks have chosen not to become the first movers in investing on IT systems. Whilst there is some validity in this approach, it could be a mistake not to prepare, as one day every bank will find it impossible to move on to advanced approaches in Risk Management without IT systems.

Auditing Risk Frameworks

Internal and Systems Auditors, as an independent line of defence could contribute immensely to identify loopholes not detected by Risk Managers. Audits, a Regulatory Requirement & a Best Practise.
Key Steps in formulation a Risk Audit Programme
1. Gaining a formal understanding of the key process & company objectives that may affect the operations of the process.
2. Brainstorming risk scenarios before identifying process risks 3. Identifying managements risk tolerance levels for various process risks 4. Assessing the risk infrastructure to evaluate the sustainability of the existing risk management activities. Paul J Sobel

Auditing Risk Frameworks

Banks face two key challenges in the initial phase

1.

Engaging an auditor with

Banking Systems literacy Exposure to Risk Management, Anti Money Laundering & Business Continuity Planning

2.

Rearranging existing Internal Audit framework into Risk Audits

Auditing the banks Risk Framework is not to be taken lightly, it is urgent, and a must for true progress.

Risk Management a current challenge in Banking

What drives present & future of Banking and Financial Services Industry
Risk Based Laws & Regulations Volatility in Energy & Commodity Markets Climate Change & Global Warming Country Specific Conditions

Challenges faced by Banks setting-up Risk Management frameworks

Top Management Commitment and Support Integrating Risk Management into Business

Technology

Increased Responsibilities & Involvement from BOD

Business & Risk Managers

Standardisation

Setting-up Structures

Training

Financial Service Innovations

Changing Social & Behavioural Patterns

HR aspects

Risk Management and ICT

Competition

Emerging Risk Types

Collecting Data & Managing Data Quality

Auditing Risk Frameworks

Conclusions the Objective

What drives Banking industry & Risk Management Underlying challenges in implementing Risk Management Frameworks The Objective

Understand & appreciate the ground realities in Risk Management & be prepared for expected challenges Realise the areas where involvement of the complete organisation, proactive action and top level vision is needed, Initiate a healthy discussion as to how Sri Lankan Banks could manage Risk in a better, structured manner

Thank you