Sr. No.

TOPICSPAGE No.

1. INTRODUCTION

Objective of the study

Scope of the study

Limitation of the study

2. DEFINITION OF RISK

What is risk

What is risk management? Does it eliminate risk?

Risk in banking

3. TOPOLOGY OF RISK

Market risk

Credit risk

Operational risk

4. AN IDEALISED BANK OF THE FUTURE

5.STUDY OF OPERATIONAL RISK AT PUNJAB NATIONAL BANK

6. REFERENCES

OBJECTIVES

To study broad outline of management of credit, market and operational risks

associated with banking sector .

Though the risk management area is very wide and elaborated, still the project

covers whole subject in concise manner.

The study aims at learning the techniques involved to manage the various types

of risks, various methodologies undertaken. The application of the techniques

involves us to gain an insight into the following aspects:

An overview of the risks in general.

An insight of the various credit, market and operational risks

attached to the banking sector

The methodology related to the management of operational risk

followed at PNB.

Tools applied in for measurement and management of various

types of risks.

Having an insight into the practical aspects of the working of

various departments.

2

SCOPE OF THE STUDY

The report seeks to present a comprehensive picture of the various risks inherent

in the bank. The risks can be broadly classified into three categories:

Credit risk

Market risk

Operational risk

Within each of these broad groups, an attempt has been made to cover as

comprehensively as possible, the various sub-groups

The computation of capital charge for market risk will also be taken practically as

also the assigning the ratings for individual borrowers. PNB is also under the key

process of testing and implementation of Reuters "KONDOR" software for its

VaR calculations and other aspects of market risk.

LIMITATION OF THE STUDY

1. The major limitation of this study shall be data availability as the data is

proprietary and not readily shared for dissemination.

2. Due to the ongoing process of globalization and increasing competition, no

one model or method will suffice over a long period of time and constant up

gradation will be required. As such the project can be considered as an overview

3

of the various risks prevailing in Punjab National Bank and in the Banking

Industry.

3. Each bank, in conforming to the RBI guidelines, may develop its own methods

for measuring and managing risk.

4. The concept of risk management implementation is relatively new and risk

management tools can prove to be costly.

5. Out of the various ways in which risks can be managed, none of the method is

perfect and may be very diverse even for the work in a similar situation for the

future.

6. Due to ever changing environment , many risks are unexpected and the

remedial measures available are based on general experience from the past.

7. Selection of methods depends on the firms expectations as well as the risk

appetite. Also risks can only be minimized not completely erased.

4

INTRODUCTION

The significant transformation of the banking industry in India is clearly

evident from the changes that have occurred in the financial markets, institutions

and products. While deregulation has opened up new vistas for banks to

argument revenues, it has entailed greater competition and consequently greater

risks. Cross- border flows and entry of new products, particularly derivative

instruments, have impacted significantly on the domestic banking sector forcing

banks to adjust the product mix, as also to effect rapid changes in their

processes and operations in order to remain competitive to the globalized

environment. These developments have facilitated greater choice for consumers,

who have become more discerning and demanding compelling banks to offer a

broader range of products through diverse distribution channels. The traditional

face of banks as mere financial intermediaries has since altered and risk

management has emerged as their defining attribute.

Currently, the most important factor shaping the world is globalization. The

benefits of globalization have been well documented and are being increasingly

recognized. Integration of domestic markets with international financial markets

has been facilitated by tremendous advancement in information and

communications technology. But, such an environment has also meant that a

problem in one country can sometimes adversely impact one or more countries

instantaneously, even if they are fundamentally strong.

There is a growing realisation that the ability of countries to conduct

business across national borders and the ability to cope with the possible

downside risks would depend, interalia, on the soundness of the financial

5

system. This has consequently meant the adoption of a strong and transparent,

prudential, regulatory, supervisory, technological and institutional framework in

the financial sector on par with international best practices. All this necessitates a

transformation: a transformation in the mindset, a transformation in the business

processes and finally, a transformation in knowledge management. This process

is not a one shot affair; it needs to be appropriately phased in the least disruptive

manner.

The banking and financial crises in recent years in emerging economies

have demonstrated that, when things go wrong with the financial system, they

can result in a severe economic downturn. Furthermore, banking crises often

impose substantial costs on the exchequer, the incidence of which is ultimately

borne by the taxpayer. The World Bank Annual Report (2002) has observed that

the loss of US $1 trillion in banking crisis in the 1980s and 1990s is equal to the

total flow of official development assistance to developing countries from 1950s

to the present date. As a consequence, the focus of financial market reform in

many emerging economies has been towards increasing efficiency while at the

same time ensuring stability in financial markets.

From this perspective, financial sector reforms are essential in order to

avoid such costs. It is, therefore, not surprising that financial market reform is at

the forefront of public policy debate in recent years. The crucial role of sound

financial markets in promoting rapid economic growth and ensuring financial

stability. Financial sector reform, through the development of an efficient financial

system, is thus perceived as a key element in raising countries out of their 'low

level equilibrium trap'. As the World Bank Annual Report (2002) observes, ‘ a

robust financial system is a precondition for a sound investment climate, growth

and the reduction of poverty ’.

6

Financial sector reforms were initiated in India a decade ago with a view to

improving efficiency in the process of financial intermediation, enhancing the

effectiveness in the conduct of monetary policy and creating conditions for

integration of the domestic financial sector with the global system. The first phase

of reforms was guided by the recommendations of Narasimham Committee.

The approach was to ensure that ‘the financial services industry operates

on the basis of operational flexibility and functional autonomy with a view

to enhancing efficiency, productivity and profitability'.

The second phase, guided by Narasimham Committee II, focused on

strengthening the foundations of the banking system and bringing about

structural improvements. Further intensive discussions are held on

important issues related to corporate governance, reform of the capital

structure, (in the context of Basel II norms), retail banking, risk

management technology, and human resources development, among

others.

Since 1992, significant changes have been introduced in the Indian

financial system. These changes have infused an element of competition in the

financial system, marking the gradual end of financial repression characterized

by price and non-price controls in the process of financial intermediation. While

financial markets have been fairly developed, there still remains a large extent of

segmentation of markets and non-level playing field among participants, which

contribute to volatility in asset prices. This volatility is exacerbated by the lack of

liquidity in the secondary markets. The purpose of this paper is to highlight the

need for the regulator and market participants to recognize the risks in the

financial system, the products available to hedge risks and the instruments,

including derivatives that are required to be developed/introduced in the Indian

system.

7

The financial sector serves the economic function of intermediation by

ensuring efficient allocation of resources in the economy. Financial

intermediation is enabled through a four-pronged transformation mechanism

consisting of liability-asset transformation, size transformation, maturity

transformation and risk transformation.

Risk is inherent in the very act of transformation. However, prior to reform

of 1991-92, banks were not exposed to diverse financial risks mainly because

interest rates were regulated, financial asset prices moved within a narrow band

and the roles of different categories of intermediaries were clearly defined. Credit

risk was the major risk for which banks adopted certain appraisal standards.

Several structural changes have taken place in the financial sector since

1992. The operating environment has undergone a vast change bringing to fore

the critical importance of managing a whole range of financial risks. The key

elements of this transformation process have been

1. The deregulation of coupon rate on Government securities.

2. Substantial liberalization of bank deposit and lending rates.

3. A gradual trend towards disintermediation in the financial system in the

wake of increased access of corporates to capital markets.

4. Blurring of distinction between activities of financial institutions.

5. Greater integration among the various segments of financial markets and

their increased order of globalisation, diversification of ownership of public

sector banks.

6. Emergence of new private sector banks and other financial institutions,

and,

7. The rapid advancement of technology in the financial system.

8

DEFINITION OF RISK

What is Risk?

"What is risk?" And what is a pragmatic definition of risk? Risk means

different things to different people. For some it is "financial (exchange rate,

interest-call money rates), mergers of competitors globally to form more powerful

entities and not leveraging IT optimally" and for someone else "an event or

commitment which has the potential to generate commercial liability or damage

to the brand image". Since risk is accepted in business as a trade off between

reward and threat, it does mean that taking risk bring forth benefits as well. In

other words it is necessary to accept risks, if the desire is to reap the anticipated

benefits.

Risk in its pragmatic definition, therefore, includes both threats that can

materialize and opportunities, which can be exploited. This definition of risk is

very pertinent today as the current business environment offers both challenges

and opportunities to organizations, and it is up to an organization to manage

these to their competitive advantage.

What is Risk Management - Does it eliminate risk?

Risk management is a discipline for dealing with the possibility that some

future event will cause harm. It provides strategies, techniques, and an approach

to recognizing and confronting any threat faced by an organization in fulfilling its

mission. Risk management may be as uncomplicated as asking and answering

three basic questions:

9

1. What can go wrong?

2. What will we do (both to prevent the harm from occurring and in the

aftermath of an "incident")?

3. If something happens, how will we pay for it?

Risk management does not aim at risk elimination, but enables the

organization to bring their risks to manageable proportions while not severely

affecting their income. This balancing act between the risk levels and profits

needs to be well-planned. Apart from bringing the risks to manageable

proportions, they should also ensure that one risk does not get transformed into

any other undesirable risk. This transformation takes place due to the inter-

linkage present among the various risks. The focal point in managing any risk will

be to understand the nature of the transaction in a way to unbundle the risks it is

exposed to.

Risk Management is a more mature subject in the western world. This is

largely a result of lessons from major corporate failures, most telling and visible

being the Barings collapse. In addition, regulatory requirements have been

introduced, which expect organizations to have effective risk management

practices. In India, whilst risk management is still in its infancy, there has been

considerable debate on the need to introduce comprehensive risk management

practices.

Objectives of Risk Management Function

Two distinct viewpoints emerge –

One which is about managing risks, maximizing profitability and creating

opportunity out of risks

And the other which is about minimising risks/loss and protecting

corporate assets.

The management of an organization needs to consciously decide on

whether they want their risk management function to 'manage' or 'mitigate' Risks.

10

Managing risks essentially is about striking the right balance between risks

and controls and taking informed management decisions on opportunities

and threats facing an organization. Both situations, i.e. over or under

controlling risks are highly undesirable as the former means higher costs

and the latter means possible exposure to risk.

Mitigating or minimising risks, on the other hand, means mitigating all risks

even if the cost of minimising a risk may be excessive and outweighs the

cost-benefit analysis. Further, it may mean that the opportunities are not

adequately exploited.

In the context of the risk management function, identification and

management of Risk is more prominent for the financial services sector and less

so for consumer products industry. What are the primary objectives of your risk

management function? When specifically asked in a survey conducted, 33% of

respondents stated that their risk management function is indeed expressly

mandated to optimise risk.

Risks in Banking

Risks manifest themselves in many ways and the risks in banking are a

result of many diverse activities, executed from many locations and by numerous

people. As a financial intermediary, banks borrow funds and lend them as a part

of their primary activity. This intermediation activity, of banks exposes them to a

host of risks. The volatility in the operating environment of banks will aggravate

the effect of the various risks. The case discusses the various risks that arise due

to financial intermediation and by highlighting the need for asset-liability

management; it discusses the Gap Model for risk management.

Typology of Risk Exposure

11

Based on the origin and their nature, risks are classified into various

categories. The most prominent financial risks to which the banks are exposed to

taking into consideration practical issues including the limitations of models and

theories, human factor, existence of frictions such as taxes and transaction cost

and limitations on quality and quantity of information, as well as the cost of

acquiring this information, and more.

12

FINANCIAL RISKS

MARKETRISK

LIQUIDITY RISK

OPERATIONAL RISK

HUMAN FACTOR RISK

CREDIT RISK LEGAL & REGULATORY RISK

FUNDING LIQUIDITY RISK

TRADING LIQUIDITY RISK

TRANSACTION RISK

PORTFOLIO CONCENTRATION

ISSUE RISK ISSUER RISK COUNTERPARTY RISK

EQUITY RISK INEREST RATE RISK

CURRENCY RISK

COMMODITY RISK

1. MARKET RISK

Market risk is that risk that changes in financial market prices and rates

will reduce the value of the bank’s positions. Market risk for a fund is often

measured relative to a benchmark index or portfolio, is referred to as a “risk of

tracking error” market risk also includes “basis risk,” a term used in risk

management industry to describe the chance of a breakdown in the relationship

between price of a product, on the one hand, and the price of the instrument

used to hedge that price exposure on the other. The market-Var methodology

attempts to capture multiple component of market such as directional risk,

convexity risk, volatility risk, basis risk, etc.

2. CREDIT RISK

Credit risk is that risk that a change in the credit quality of a counterparty

will affect the value of a bank’s position. Default, whereby a counterparty is

unwilling or unable to fulfill its contractual obligations, is the extreme case;

however banks are also exposed to the risk that the counterparty might

downgraded by a rating agency.

Credit risk is only an issue when the position is an asset, i.e., when it

exhibits a positive replacement value. In that instance if the counterparty

defaults, the bank either loses all of the market value of the position or, more

commonly, the part of the value that it cannot recover following the credit event.

13

TRADING RISK

GAP RISK

GENERAL MARKET RISK

SPECIFIC RISK

However, the credit exposure induced by the replacement values of derivative

instruments are dynamic: they can be negative at one point of time, and yet

become positive at a later point in time after market conditions have changed.

Therefore the banks must examine not only the current exposure, measured by

the current replacement value, but also the profile of future exposures up to the

termination of the deal.

3. LIQUIDITY RISK

Liquidity risk comprises both

Funding liquidity risk

Trading-related liquidity risk.

Funding liquidity risk relates to a financial institution’s ability to raise the

necessary cash to roll over its debt, to meet the cash, margin, and collateral

requirements of counterparties, and (in the case of funds) to satisfy capital

withdrawals. Funding liquidity risk is affected by various factors such as the

maturities of the liabilities, the extent of reliance of secured sources of funding,

the terms of financing, and the breadth of funding sources, including the ability to

access public market such as commercial paper market. Funding can also be

achieved through cash or cash equivalents, “buying power ,” and available credit

lines.

Trading-related liquidity risk, often simply called as liquidity risk, is the risk

that an institution will not be able to execute a transaction at the prevailing

market price because there is, temporarily, no appetite for the deal on the other

side of the market. If the transaction cannot be postponed its execution my lead

to substantial losses on position. This risk is generally very hard to quantify. It

may reduce an institution’s ability to manage and hedge market risk as well as its

capacity to satisfy any shortfall on the funding side through asset liquidation.

14

4. OPERATIONAL RISK

It refers to potential losses resulting from inadequate systems,

management failure, faulty control, fraud and human error. Many of the recent

large losses related to derivatives are the direct consequences of operational

failure. Derivative trading is more prone to operational risk than cash transactions

because derivatives are, by heir nature, leveraged transactions. This means that

a trader can make very large commitment on behalf of the bank, and generate

huge exposure in to the future, using only small amount of cash. Very tight

controls are an absolute necessary if the bank is to avoid huge losses.

Operational risk includes” fraud,” for example when a trader or other

employee intentionally falsifies and misrepresents the risk incurred in a

transaction. Technology risk, and principally computer system risk also fall into

the operational risk category.

5. LEGAL RISK

Legal risk arises for a whole of variety of reasons. For example,

counterparty might lack the legal or regulatory authority to engage in a

transaction. Legal risks usually only become apparent when counterparty, or an

investor, lose money on a transaction and decided to sue the bank to avoid

meeting its obligations. Another aspect of regulatory risk is the potential impact of

a change in tax law on the market value of a position.

6. HUMAN FACTOR RISK

Human factor risk is really a special form of operational risk. It relates to

the losses that may result from human errors such as pushing the wrong button

on a computer, inadvertently destroying files, or entering wrong value for the

parameter input of a model.

15

MARKET RISK

What is Market Risk?

Market Risk may be defined as the possibility of loss to a bank caused by

changes in the market variables. The Bank for International Settlements (BIS)

defines market risk as “the risk that the value of 'on' or 'off' balance sheet

positions will be adversely affected by movements in equity and interest rate

markets, currency exchange rates and commodity prices". Thus, Market Risk is

the risk to the bank's earnings and capital due to changes in the market level of

interest rates or prices of securities, foreign exchange and equities, as well as

the volatilities of those changes. Besides, it is equally concerned about the

bank's ability to meet its obligations as and when they fall due. In other words, it

should be ensured that the bank is not exposed to Liquidity Risk. Thus, focus on

the management of Liquidity Risk and Market Risk, further categorized into

interest rate risk, foreign exchange risk, commodity price risk and equity price

risk. An effective market risk management framework in a bank comprises risk

identification, setting up of limits and triggers, risk monitoring, models of analysis

that value positions or measure market risk, risk reporting, etc.

Types of market risk

16

Interest rate risk:

Interest rate risk is the risk where changes in market interest rates might

adversely affect a bank's financial condition. The immediate impact of changes in

interest rates is on the Net Interest Income (NII). A long term impact of changing

interest rates is on the bank's networth since the economic value of a bank's

assets, liabilities and off-balance sheet positions get affected due to variation in

market interest rates. The interest rate risk when viewed from these two

perspectives is known as 'earnings perspective' and 'economic value'

perspective, respectively.

Management of interest rate risk aims at capturing the risks arising from

the maturity and repricing mismatches and is measured both from the earnings

and economic value perspective.

Earnings perspective involves analyzing the impact of changes in

interest rates on accrual or reported earnings in the near term. This is

measured by measuring the changes in the Net Interest Income (NII) or

Net Interest Margin (NIM) i.e. the difference between the total interest

income and the total interest expense.

Economic Value perspective involves analyzing the changes of

impact on interest on the expected cash flows on assets minus the

expected cash flows on liabilities plus the net cash flows on off-balance

sheet items. It focuses on the risk to networth arising from all repricing

mismatches and other interest rate sensitive positions. The economic

value perspective identifies risk arising from long-term interest rate gaps.

The management of Interest Rate Risk should be one of the critical

components of market risk management in banks. The regulatory restrictions in

the past had greatly reduced many of the risks in the banking system.

17

Deregulation of interest rates has, however, exposed them to the adverse

impacts of interest rate risk. The Net Interest Income (NII) or Net Interest Margin

(NIM) of banks is dependent on the movements of interest rates. Any

mismatches in the cash flows (fixed assets or liabilities) or repricing dates

(floating assets or liabilities), expose bank's NII or NIM to variations. The earning

of assets and the cost of liabilities are now closely related to market interest rate

volatility

Generally, the approach towards measurement and hedging of IRR varies

with the segmentation of the balance sheet. In a well functioning risk

management system, banks broadly position their balance sheet into Trading

and Banking Books. While the assets in the trading book are held primarily for

generating profit on short-term differences in prices/yields, the banking book

comprises assets and liabilities, which are contracted basically on account of

relationship or for steady income and statutory obligations and are generally held

till maturity. Thus, while the price risk is the prime concern of banks in trading

book, the earnings or economic value changes are the main focus of banking

book.

Equity price risk:

The price risk associated with equities also has two components” General

market risk” refers to the sensitivity of an instrument / portfolio value to the

change in the level of broad stock market indices.” Specific / Idiosyncratic” risk

refers to that portion of the stock’s price volatility that is determined by

characteristics specific to the firm, such as its line of business, the quality of its

management, or a breakdown in its production process. The general market risk

cannot be eliminated through portfolio diversification while specific risk can be

diversified away.

Foreign exchange risk:

18

Foreign Exchange Risk maybe defined as the risk that a bank may suffer

losses as a result of adverse exchange rate movements during a period in which

it has an open position, either spot or forward, or a combination of the two, in an

individual foreign currency. The banks are also exposed to interest rate risk,

which arises from the maturity mismatching of foreign currency positions. Even in

cases where spot and forward positions in individual currencies are balanced, the

maturity pattern of forward transactions may produce mismatches. As a result,

banks may suffer losses as a result of changes in premia/discounts of the

currencies concerned.

In the forex business, banks also face the risk of default of the

counterparties or settlement risk. While such type of risk crystallization does not

cause principal loss, banks may have to undertake fresh transactions in the

cash/spot market for replacing the failed transactions. Thus, banks may incur

replacement cost, which depends upon the currency rate movements. Banks

also face another risk called time-zone risk or Herstatt risk which arises out of

time-lags in settlement of one currency in one center and the settlement of

another currency in another time-zone. The forex transactions with

counterparties from another country also trigger sovereign or country risk (dealt

with in details in the guidance note on credit risk).

The three important issues that need to be addressed in this regard are:

1. Nature and magnitude of exchange risk

2. Exchange managing or hedging for adopted be to strategy>

3. The tools of managing exchange risk

Commodity price risk:

The price of the commodities differs considerably from its interest rate risk

and foreign exchange risk, since most commodities are traded in the market in

which the concentration of supply can magnify price volatility. Moreover,

19

fluctuations in the depth of trading in the market (i.e., market liquidity) often

accompany and exacerbate high levels of price volatility. Therefore, commodity

prices generally have higher volatilities and larger price discontinuities.

Treatment of Market Risk in the Proposed Basel Capital

Accord

The Basle Committee on Banking Supervision (BCBS) had issued

comprehensive guidelines to provide an explicit capital cushion for the price risks

to which banks are exposed, particularly those arising from their trading activities.

The banks have been given flexibility to use in-house models based on VaR for

measuring market risk as an alternative to a standardized measurement

framework suggested by Basle Committee. The internal models should, however,

comply with quantitative and qualitative criteria prescribed by Basle Committee.

Reserve Bank of India has accepted the general framework suggested by

the Basle Committee. RBI has also initiated various steps in moving towards

prescribing capital for market risk. As an initial step, a risk weight of 2.5% has

been prescribed for investments in Government and other approved securities,

besides a risk weight each of 100% on the open position limits in forex and gold.

RBI has also prescribed detailed operating guidelines for Asset-Liability

Management System in banks. As the ability of banks to identify and measure

market risk improves, it would be necessary to assign explicit capital charge for

market risk. While the small banks operating predominantly in India could adopt

the standardized methodology, large banks and those banks operating in

international markets should develop expertise in evolving internal models for

measurement of market risk.

20

The Basle Committee on Banking Supervision proposes to develop capital

charge for interest rate risk in the banking book as well for banks where the

interest rate risks are significantly above average ('outliers'). The Committee is

now exploring various methodologies for identifying 'outliers' and how best to

apply and calibrate a capital charge for interest rate risk for banks. Once the

Committee finalizes the modalities, it may be necessary, at least for banks

operating in the international markets to comply with the explicit capital charge

requirements for interest rate risk in the banking book. As the valuation norms on

banks' investment portfolio have already been put in place and aligned with the

international best practices, it is appropriate to adopt the Basel norms on capital

for market risk. In view of this, banks should study the Basel framework on

capital for market risk as envisaged in Amendment to the Capital Accord to

incorporate market risks published in January 1996 by BCBS and prepare

themselves to follow the international practices in this regard at a suitable date to

be announced by RBI.

The Proposed New Capital Adequacy Framework

The Basel Committee on Banking Supervision has released a Second

Consultative Document, which contains refined proposals for the three pillars of

the New Accord - Minimum Capital Requirements, Supervisory Review and

Market Discipline. It may be recalled that the Basel Committee had released in

June 1999 the first Consultative Paper on a New Capital Adequacy Framework

for comments. However, the proposal to provide explicit capital charge for market

risk in the banking book which was included in the Pillar I of the June 1999

21

Document has been shifted to Pillar II in the second Consultative Paper issued in

January 2001. The Committee has also provided a technical paper on evaluation

of interest rate risk management techniques. The Document has defined the

criteria for identifying outlier banks. According to the proposal, a bank may be

defined as an outlier whose economic value declined by more than 20% of the

sum of Tier 1 and Tier 2 capital as a result of a standardized interest rate shock

(200 bps.)

The second Consultative Paper on the New Capital Adequacy framework

issued in January, 2001 has laid down 13 principles intended to be of general

application for the management of interest rate risk, independent of whether the

positions are part of the trading book or reflect banks' non-trading activities. They

refer to an interest rate risk management process, which includes the

development of a business strategy, the assumption of assets and liabilities in

banking and trading activities, as well as a system of internal controls. In

particular, they address the need for effective interest rate risk measurement,

monitoring and control functions within the interest rate risk management

process. The principles are intended to be of general application, based as they

are on practices currently used by many international banks, even though their

specific application will depend to some extent on the complexity and range of

activities undertaken by individual banks. Under the New Basel Capital Accord,

they form minimum standards expected of internationally active banks. The

principles are given in Annexure II.

CREDIT RISK

What is Credit Risk?

Credit risk is defined as the possibility of losses associated with diminution

in the credit quality of borrowers or counterparties. In a bank's portfolio, losses

22

stem from outright default due to inability or unwillingness of a customer or

counterparty to meet commitments in relation to lending, trading, settlement and

other financial transactions. Alternatively, losses result from reduction in portfolio

value arising from actual or perceived deterioration in credit quality. Credit risk

emanates from a bank's dealings with an individual, corporate, bank, financial

institution or a sovereign. Credit risk may take the following forms

In the case of direct lending: principal/and or interest amount may not be

repaid;

In the case of guarantees or letters of credit: funds may not be

forthcoming from the constituents upon crystallization of the liability;

In the case of treasury operations: the payment or series of payments due

from the counter parties under the respective contracts may not be

forthcoming or ceases;

In the case of securities trading businesses: funds/ securities settlement

may not be effected;

In the case of cross-border exposure: the availability and free transfer of

foreign currency funds may either cease or the sovereign may impose

restrictions.

Types of Credit Rating

Credit rating can be classified as:

2. External credit rating.

3. Internal credit rating

23

External credit rating:

A credit rating is not, in general, an investment recommendation

concerning a given security. In the words of S&P,” A credit rating is S&P's

opinion of the general creditworthiness of an obligor, or the creditworthiness of

an obligor with respect to a particular debt security or other financial obligation,

based on relevant risk factors.” In Moody's words, a rating is, “ an opinion on the

future ability and legal obligation of an issuer to make timely payments of

principal and interest on a specific fixed-income security.”

Since S&P and Moody's are considered to have expertise in credit rating

and are regarded as unbiased evaluators, there ratings are widely accepted by

market participants and regulatory agencies. Financial institutions, when required

to hold investment grade bonds by their regulators use the rating of credit

agencies such as S&P and Moody's to determine which bonds are of investment

grade.

The subject of credit rating might be a company issuing debt obligations.

In the case of such “issuer credit ratings” the rating is an opinion on the obligor’s

overall capacity to meet its financial obligations. The opinion is not specific to any

particular liability of the company, nor does it consider merits of having

guarantors for some of the obligations. In the issuer credit rating categories are

a) Counterparty ratings

b) Corporate credit ratings

c) Sovereign credit ratings

The rating process includes quantitative, qualitative, and legal analyses.

The quantitative analyses. The quantitative analysis is mainly financial analysis

and is based on the firm’s financial reports. The qualitative analysis is concerned

with the quality of management, and includes a through review of the firm’s

competitiveness within its industry as well as the expected growth of the industry

and its vulnerability to technological changes, regulatory changes, and labor

relations.

24

Internal credit rating:

A typical risk rating system (RRS) will assign both an obligor rating to each

borrower (or group of borrowers), and a facility rating to each available facility. A

risk rating (RR) is designed to depict the risk of loss in a credit facility. A robust

RRS should offer a carefully designed, structured, and documented series of

steps for the assessment of each rating.

The following are the steps for assessment of rating:

a) Objectivity and Methodology:

The goal is to generate accurate and consistent risk rating, yet also to

allow professional judgment to significantly influence a rating where it is

appropriate. The expected loss is the product of an exposure (say, Rs. 100) and

the probability of default (say, 2%) of an obligor (or borrower) and the loss rate

given default (say, 50%) in any specific credit facility. In this example,

The expected loss = 100*.02*.50 = Rs. 1

A typical risk rating methodology (RRM)

a. Initial assign an obligor rating that identifies the expected probability of

default by that borrower (or group) in repaying its obligations in normal

course of business.

b. The RRS then identifies the risk loss (principle/interest) by assigning

an RR to each individual credit facility granted to an obligor.

The obligor rating represents the probability of default by a borrower in

repaying its obligation in the normal course of business. The facility rating

represents the expected loss of principal and/ or interest on any business credit

facility. It combines the likelihood of default by a borrower and conditional

severity of loss, should default occur, from the credit facilities available to the

borrower.

25

Credit Risk Management

In this backdrop, it is imperative that banks have a robust credit risk

management system which is sensitive and responsive to these factors. The

effective management of credit risk is a critical component of comprehensive risk

management and is essential for the long term success of any banking

organization. Credit risk management encompasses identification, measurement,

monitoring and control of the credit risk exposures.

Building Blocks of Credit Risk Management:

In a bank, an effective credit risk management framework would comprise

of the following distinct building blocks:

Policy and Strategy

Organizational Structure

Operations/ Systems

Policy and Strategy

The Board of Directors of each bank shall be responsible for approving

and periodically reviewing the credit risk strategy and significant credit risk

policies.

Credit Risk Policy

26

1. Every bank should have a credit risk policy document approved by the

Board. The document should include risk identification, risk measurement,

risk grading/ aggregation techniques, reporting and risk control/ mitigation

techniques, documentation, legal issues and management of problem

loans.

2. Credit risk policies should also define target markets, risk acceptance

criteria, credit approval authority, credit origination/ maintenance

procedures and guidelines for portfolio management.

3. The credit risk policies approved by the Board should be communicated to

branches/controlling offices. All dealing officials should clearly understand

the bank's approach for credit sanction and should be held accountable for

complying with established policies and procedures.

4. Senior management of a bank shall be responsible for implementing the

credit risk policy approved by the Board.</P< LI>

Credit Risk Strategy

1. Each bank should develop, with the approval of its Board, its own credit

risk strategy or plan that establishes the objectives guiding the bank's

credit-granting activities and adopt necessary policies/ procedures for

conducting such activities. This strategy should spell out clearly the

organization’s credit appetite and the acceptable level of risk-reward

trade-off for its activities.

2. The strategy would, therefore, include a statement of the bank's

willingness to grant loans based on the type of economic activity,

geographical location, currency, market, maturity and anticipated

profitability. This would necessarily translate into the identification of target

markets and business sectors, preferred levels of diversification and

27

concentration, the cost of capital in granting credit and the cost of bad

debts.

3. The credit risk strategy should provide continuity in approach as also take

into account the cyclical aspects of the economy and the resulting shifts in

the composition/ quality of the overall credit portfolio. This strategy should

be viable in the long run and through various credit cycles.

4. Senior management of a bank shall be responsible for implementing the

credit risk strategy approved by the Board.

Organizational Structure

Sound organizational structure is sine qua non for successful

implementation of an effective credit risk management system. The

organizational structure for credit risk management should have the following

basic features:

1. The Board of Directors should have the overall responsibility for

management of risks. The Board should decide the risk management

policy of the bank and set limits for liquidity, interest rate, foreign

exchange and equity price risks.

The Risk Management Committee will be a Board level Sub committee

including CEO and heads of Credit, Market and Operational Risk Management

Committees. It will devise the policy and strategy for integrated risk management

containing various risk exposures of the bank including the credit risk. For this

purpose, this Committee should effectively coordinate between the Credit Risk

28

Management Committee (CRMC), the Asset Liability Management Committee

and other risk committees of the bank, if any. It is imperative that the

independence of this Committee is preserved. The Board should, therefore,

ensure that this is not compromised at any cost. In the event of the Board not

accepting any recommendation of this Committee, systems should be put in

place to spell out the rationale for such an action and should be properly

documented. This document should be made available to the internal and

external auditors for their scrutiny and comments. The credit risk strategy and

policies adopted by the committee should be effectively

Operations / Systems

Banks should have in place an appropriate credit administration, credit risk

measurement and monitoring processes. The credit administration process

typically involves the following phases:

1. Relationship management phase i.e. business development.

2. Transaction management phase covers risk assessment, loan pricing,

structuring the facilities, internal approvals, documentation, loan

administration, on going monitoring and risk measurement.

3. Portfolio management phase entails monitoring of the portfolio at a macro

level and the management of problem loans

4. On the basis of the broad management framework stated above, the

banks should have the following credit risk measurement and monitoring

procedures:

5. Banks should establish proactive credit risk management practices like

annual / half yearly industry studies and individual obligor reviews,

periodic credit calls that are documented, periodic visits of plant and

29

business site, and at least quarterly management reviews of troubled

exposures/weak credits

Credit Risk Models

A credit risk model seeks to determine, directly or indirectly, the answer to

the following question: Given our past experience and our assumptions about the

future, what is the present value of a given loan or fixed income security? A credit

risk model would also seek to determine the (quantifiable) risk that the promised

cash flows will not be forthcoming. The techniques for measuring credit risk that

have evolved over the last twenty years are prompted by these questions and

dynamic changes in the loan market.

The increasing importance of credit risk modeling should be seen as the

consequence of the following three factors:

1. Banks are becoming increasingly quantitative in their treatment of credit

risk.

2. New markets are emerging in credit derivatives and the marketability of

existing loans is increasing through securitization/ loan sales market."

3. Regulators are concerned to improve the current system of bank capital

requirements especially as it relates to credit risk.

Importance of Credit Risk Models

Credit Risk Models have assumed importance because they provide the

decision maker with insight or knowledge that would not otherwise be readily

available or that could be marshalled at prohibitive cost. In a marketplace where

margins are fast disappearing and the pressure to lower pricing is unrelenting,

30

models give their users a competitive edge. The credit risk models are intended

to aid banks in quantifying, aggregating and managing risk across geographical

and product lines. The outputs of these models also play increasingly important

roles in banks' risk management and performance measurement processes,

customer profitability analysis, risk-based pricing, active portfolio management

and capital structure decisions. Credit risk modeling may result in better internal

risk management and may have the potential to be used in the supervisory

oversight of banking organizations.

RBI Guidelines on Credit Risk New Capital Accord:

Implications for Credit Risk Management

The Basel Committee on Banking Supervision had released in June 1999

the first Consultative Paper on a New Capital Adequacy Framework with the

intention of replacing the current broad-brush 1988 Accord. The Basel

Committee has released a Second Consultative Document in January 2001,

which contains refined proposals for the three pillars of the New Accord -

Minimum Capital Requirements, Supervisory Review and Market Discipline.

The Committee proposes two approaches, for estimating regulatory

capital. viz.,

1. Standardized and

2. Internal Rating Based (IRB)

Under the standardized approach, the Committee desires neither to

produce a net increase nor a net decrease, on an average, in minimum

31

regulatory capital, even after accounting for operational risk. Under the Internal

Rating Based (IRB) approach, the Committee's ultimate goals are to ensure that

the overall level of regulatory capital is sufficient to address the underlying credit

risks and also provides capital incentives relative to the standardized approach,

i.e., a reduction in the risk weighted assets of 2% to 3% (foundation IRB

approach) and 90% of the capital requirement under foundation approach for

advanced IRB approach to encourage banks to adopt IRB approach for providing

capital.

The minimum capital adequacy ratio would continue to be 8% of the risk-

weighted assets, which cover capital requirements for market (trading book),

credit and operational risks. For credit risk, the range of options to estimate

capital extends to include a standardized, a foundation IRB and an advanced IRB

approaches.

RBI Guidelines for Credit Risk Management Credit Rating

Framework

A Credit-risk Rating Framework (CRF) is necessary to avoid the limitations

associated with a simplistic and broad classification of loans/exposures into a

"good" or a "bad" category. The CRF deploys a number/ alphabet/ symbol as a

primary summary indicator of risks associated with a credit exposure. Such a

rating framework is the basic module for developing a credit risk management

system and all advanced models/approaches are based on this structure. In spite

of the advancement in risk management techniques, CRF is continued to be

used to a great extent. These frameworks have been primarily driven by a need

to standardize and uniformly communicate the "judgment" in credit selection

procedures and are not a substitute to the vast lending experience accumulated

by the banks' professional staff.

Broadly, CRF can be used for the following purposes:

32

1. Individual credit selection, wherein either a borrower or a particular

exposure/ facility is rated on the CRF

2. Pricing (credit spread) and specific features of the loan facility. This would

largely constitute transaction-level analysis.

3. Portfolio-level analysis.

4. Surveillance, monitoring and internal MIS

Assessing the aggregate risk profile of bank/ lender. These would be relevant for

portfolio-level analysis. For instance, the spread of credit exposures across

various CRF categories, the mean and the standard deviation of losses occurring

in each CRF category and the overall migration of exposures would highlight the

aggregated credit-risk for the entire portfolio of the bank.

OPERATIONAL RISK

What is Operational Risk?

Operational risk is the risk associated with

operating a business. Operational risk covers such a wide area that it is useful to

subdivide operational risk into two components:

Operational failure risk.

Operational strategic risk.

Operational failure risk arises from the potential for failure in the course

of operating the business. A firm uses people, processes and technology to

achieve the business plans, and any one of these factors may experience a

failure of some kind. Accordingly, operational failure risk can be defined as the

risk that there will be a failure of people, processes or technology within the

33

business unit. A portion of failure may be anticipated, and these risks should be

built into the business plan. But it is unanticipated, and therefore uncertain,

failures that give rise to key operational risks. These failures can be expected to

occur periodically, although both their impact and their frequency may be

uncertain.

The impact or severity of a financial loss can be divided into two

categories:

An expected amount

An unexpected amount.

The latter is itself subdivided into two classes: an amount classed as severe, and

a catastrophic amount. The firm should provide for the losses that arise from the

expected component of these failures by charging expected revenues with a

sufficient amount of reserves. In addition, the firm should set aside sufficient

economic capital to cover the unexpected component, or resort to insurance.

Operational strategic risk arises from environmental factors, such as a new

competitor that changes the business paradigram, a major political and

regulatory regime change, and earthquakes and other such factors that are

outside the control of the firm. It also arises from major new strategic initiatives,

such as developing a new line of business or re-engineering an existing business

line. All business rely on people, processes and technology outside their

business unit, and the potential for failure exists there too, this type of risk is

referred to as external dependency risk.

34

Figure: Two Broad Categories of Operational Risk

Operational RiskOperational failure risk (Internal operational risk)

The risk encountered in pursuit of a particular strategy due to:

People Process Technology

Operational strategic risk (External operational risk)

The risk of choosing an inappropriate strategy in response to environmental factor, such as

Political Taxation Regulation Government Societal Competition, etc.

The figure above summarizes the relationship between operational failure risk

and operational strategic risk. These two principal categories of risk are also

sometimes defined as “internal” and “ external” operational risk.

Operational risk is often thought to be limited to losses that can occur in

operating or processing centers. This type of operational risk, sometimes referred

as operations risk, is an important component, but it by no means covers all of

the operational risks facing the firm. Our definition of operational risk as the risk

associated with operating the business means significant amounts of operational

risk are also generated outside the processing centers.

Risk begins to accumulate even before the design of the potential

transaction gets underway. It is present during negotiations with the client

(regardless of whether the negotiation is a lengthy structuring exercise or a

routine electronic negotiation.) and continues after the negotiation as the

transaction is serviced.

A complete picture of operational risk can only be obtained if the bank’s

activity is analyzed from beginning to end. Several things have to be in place

before a transaction is negotiated, and each exposes the firm to operational risk.

The activity carried on behalf of the client by the staff can expose the institution

35

to “people risk”. “People risk” are not only in the form of risk found early in a

transaction. But they further rely on using sophisticated financial models to price

the transaction. This creates what is called as Model risk which can arise

because of wrong parameters like input to the model, or because the model is

used inappropriately and so on.

Once the transaction is negotiated and a ticket is written, errors can occur

as the transaction is recorded in various systems or reports. An error here may

result in the delayed settlement of the transaction, which in turn can give rise to

fines and other penalties. Further an error in market risk and credit risk report

might lead to the exposures generated by the deal being understated. In turn this

can lead to the execution of additional transactions that would otherwise not have

been executed. These are examples of what is often called as “process risk”

The system that records the transaction may not be capable of handling

the transaction or it may not have the capacity to handle such transactions. If any

one of the step is out-sourced, then external dependency risk also arises.

However, each type of risk can be captured either as people, processes,

technology, or an external dependency risk, and each can be analyzed in terms

of capacity, capability or availability

Who Should Manage Operational Risk?

The responsibility for setting policies concerning operational risk remains

with the senior management, even though the development of those policies may

be delegated, and submitted to the board of directors for approval. Appropriate

policies must be put in place to limit the amount of operational risk that is

assumed by an institution. Senior management needs to give authority to change

the operational risk profile to those who are the best able to take action. They

must also ensure that a methodology for the timely and effective monitoring of

36

the risks that are incurred is in place. To avoid any conflict of interest, no single

group within the bank should be responsible for simultaneously setting policies,

taking action and monitoring risk.

Policy Setting

The authority to take action generally rests with business management,

which is responsible for controlling the amount of operational risk taken within

each business line. The infrastructure and the governance groups share with

business management the responsibility for managing operational risk.

The responsibility for the development of a methodology for measuring

and monitoring operational risks resides most naturally with group risk

management functions. The risk management function also needs to ensure the

proper operational risk/ reward analysis is performed in the review of existing

businesses and before the introduction of new initiatives and products. In this

regard, the risk management function works very closely with, but independent

from, business management, infrastructure, and other governance group

Senior management needs to know whether the responsibilities it has

delegated are actually being tended to, and whether the resulting processes are

37

Internal Audit

Senior Management

Business Management Risk Management

Legal

Operations

Information Technology

Finance

Insurance

effective. The internal audit function within the bank is charged with this

responsibility.

Key to Implementing Bank-wide Operational Risk Management:

The eight key elements are necessary to successfully implement a bank-

wide operational risk management framework. They involve setting policy and

identifying risk as an outgrowth of having designed a common language,

constructing business process maps, building a best measurement methodology,

providing exposure management, installing a timely reporting capability,

performing risk analysis inclusive of stress testing, and allocating economic

capital as a function of operational risk.

EIGHT KEY ELEMENTS TO ACHIEVE BEST OPERATIONAL RISK

MANAGEMENT.

38

1. Policy

Best Practice

2.Risk Identification

3. Business Process

4. Measuring Methodology

8. Economic Capital

7. Risk Analysis

6. Reporting

5. Exposure Management

1. Develop well-defined operational risk policies. This includes explicitly

articulating the desired standards for the risk measurement. One also needs

to establish clear guidelines for practices that may contribute to a reduction of

operational risk.

2. Establish a common language of risk identification. For e.g., the term “people

risk” includes a failure to deploy skilled staff. “Technology risk” would include

system failure, and so on.

3. Develop business process maps of each business. For e.g., one should

create an “operational risk catalogue” which categories and defines the

various operational risks arising from each organizational unit in terms of

people, process, and technology risk. This catalogue should be tool to help

with operational risk identification and assessment.

Types of Operational Failure Risk

1. People Risk 1. Incompetancy.

2. Fraud.

2. Process Risk

Model Risk

TR

OCR

1. Model/ methodology error

2. Mark-to-model error.

1. Execution error.

2. Product complexity.

3. Booking error.

4. Settlement error.

1. Exceeding limits.

2. Security risk.

39

3.Volume risk.

3. Technology Risk 1. System failure.

2. Programming error.

3. Information risk.

4. Telecommunications failure.

4. Develop a comprehensible set of operational risk metrics. Operational risk

assessment is a complex process. It needs to be performed on a firm-wide

basis at regular intervals using standard metrics. In early days, business and

infrastructure groups performed their own assessment of operational risk.

Today, self-assessment has been discredited. Sophisticated financial

institutions are trying to develop objective measures of operational risk that

build significantly more reliability into the quantification of operational risk.

5. Decide how to manage operational risk exposure and take appriate action to

hedge the risks. The bank should address the economic question of th cost-

benefit of insuring a given risk for those operational risks that can be insured.

6. Decide how to report exposure.

7. Develop tools for risk analysis, and procedures for when these tools should

deploped. For e.g., risk analysis is typically performed as part of a new

product process, periodic business reviews, and so on. Stress testing should

be a standard part of risk analysis process. The frequency of risk assessment

should be a function of the degree to which operational risks are expected to

change over time as businesses undertake new initiatives, or as business

circumstances evolve. This frequency might be reviewed as operational risk

measurement is rolled out across the bank a bank should update its risk

assessment more frequently. Further one should reassess whenever the

operational risk profile changes significantly.

8. Develop techniques to translate the calculation of operational risk into a

required amount of economic capital. Tools and procedures should be

40

developed to enable businesses to make decisions about operational risk

based on risk/reward analysis.

Four-Step Measurement Process For Operational Risk

Clear guiding principle for the operational risk measurement process

should be set to ensure that it provides an appropriate measure of operational

risk across all business units throughout the bank. This problem of measuring

operational risk can be best achieved by means of a four-step operational risk

process. The following are the four steps involved in the process:

1. Input.

2. Risk assessment framework.

3. Review and validation.

4. Output.

1. Input:

The first step in the operational risk measurement process is to gather the

information needed to perform a complete assessment of all significant

operational risks. A key source of this information is often the finished product of

other groups. For example, a unit that supports the business group often

publishes report or documents that may provide an excellent starting point for the

operational risk assessment.

Sources of Information in the Measurement Process of Operational

Risk :The Inputs (for Assessment)

Likelihood of Occurrence Severity

Audit report Management interviews

Regulatory report Loss history

Management report

Expert opinion

41

Business Recovery Plan

Business plans

Budget plans

Operations plans

For example, if one is relying on audit documents as an indication of the

degree of control, then one needs to ask if the audit assessment is current and

sufficient. Have there been any significant changes made since the last audit

assessment? Did the audit scope include the area of operational risk that is of

concern to the present risk assessment? As one diligently works through

available information, gaps often become apparent. These gaps in the

information often need to be filled through discussion with the relevant managers.

Typically, there are not sufficient reliable historical data available to

confidently project the likelihood or severity of operational losses. One often

needs to rely on the expertise of business management, until reliable data are

compiled to offer an assessment of the severity of the operational failure for each

of the risks. The time frame employed for all aspects of the assessment process

is typically one year. The one-year time horizon is usually selected to align with

the business planning cycle of the bank.

2. Risk Assessment Framework

The input information gathered in the above step needs to be analyzed

and processed through the risk assessment framework. Risk assessment

framework includes:

1. Risk categories:

The operational risk can be broken down into four headline risk categories

like the risk of unexpected loss due to operational failure in people, process

and technology deployed within the business

42

Internal dependencies should each be reviewed according to a set of factors.

We examine these 9nternal dependencies according to three key

components of capability, capacity and availability.

External dependencies can also be analyzed in terms of the specific type of

external interaction.

2. Connectivity and interdependencies

The headline risk categories cannot be viewed in isolation from one another.

One needs to examine the degree of interconnected risk exposures that cut

across the headline operational risk categories, in order to understand the full

impact of risk.

3. Change, complexity, compliancy:

One may view the sources that drive the headline risk categories as falling

under the broad categories of “Change” refers to such items as introducing

new technology or new products, a merger or acquisition, or moving from

internal supply to outsourcing, etc. “Complexity’ refers to such items as

complexity of products, process or technology. “ Complacency” refer to

ineffective management of the business.

4. Net likelihood assessment

The likelihood that an operational failure might occur within the next year

should be assessed, net of risk mitigants such as insurance, for each

identified risk exposure and for each of the four headline risk categories.

Since it is often unclear how to quantify risk, this assessment can be rated

along five point likelihood continuum from very low, low, medium, high and

very high.

5. Severity assessment

Severity describes the potential loss to the bank given that an operational

risk failure has occurred. It should be assessed for each identified risk

exposure.

43

6. Combined likelihood and severity into the overall Operational

Risk Assessment

Operational risk measures are constrained in that there is not usually a

defensible way to combine the individual likelihood of loss and severity

assessments into overall measure of operational risk within a business unit.

To do so, the likelihood of loss would need to be expressed in numerical

terms. This cannot be accomplished without statistically significant historical

data on operational losses.

7. Defining Cause and Effect:

Loss data are easier to collect than data associated with the cause of loss.

This complicates the measurement of operational risk because each loss is

likely to have several causes. This relationship between these causes, and

the relative importance of each, can be difficult to assess in an objective

fashion.

3. Review and validation:

Once the report is generated. First the centralised operational risk

management group (ORMG) reviews the assessment results with senior

business unit management and key officers, in order to finalize the proposed

operational risk rating. Second, one may want an operational risk rating

committee to review the assessment – a validation process similar to that

followed by credit rating agencies. This takes the form of review of the individual

risk assessments by knowledgeable senior committee personnel to ensure that

the framework has been consistently applied across businesses, that there has

been sufficient scrutiny to remove any imperfections, and so on. The committee

should have representation from business management, audit, and functional

areas, and be chaired by risk management unit.

4. Output

44

The final assessment of operational risk will be formally reported to

business management, the centralised risk-adjusted return on capital (RAROC)

group, and the partners in corporate governance such as internal audit and

compliance. The output of the assessment process has two main uses:

1. The assessment provides better operational risk information to

management for use in improving risk management decisions.

2. The assessment improves the allocation of economic capital to better

reflect the extent of the operational riskier, being taken by a business unit.

3. The over all assessment of the likelihood of operational risk & severity of

loss for a business unit can be shown as:

Mgmt. Attention

Severity of Loss ($)

A business unit may address its operational risks in several ways. First, one can

invest in business unit. Second, one can avoid the risk by withdrawing from

business activity. Third, one can accept and manage risk through effective

monitoring and control. Fourth, one can transfer risk to another party. Of course,

not all-operational risks are insurable, and in that case of those that are insurable

the required premium may be prohibitive. The strategy and eventually the

decision should be based on cost benefit analysis.

45

Medium Risk

High Risk

Medium Risk

Low Risk

An Idealized Bank Of The Future

The efficient bank of the future will be driven by a single analytical risk

engine that draws its data from a single logical data repository. This engine will

power front-, middle-, and back-office functions, and supply information about

enterprise-wide risk. The ability to control and manage risk will be finely tuned to

meet specific business objectives. For example, far fewer significantly large

losses, beyond a clearly articulate tolerance for loss, will be incurred and the

return to risk profile will be vastly improved.

With the appropriate technology in place, financial trading across all asset

classes will move from the current vertical, product-oriented environment (e.g.,

swaps, foreign exchange, equities, loans, etc.) to a horizontal, customer-oriented

environment in which complex combinations of asset types will be traded.

46

There will be less need for desks that specialize in single product lines.

The focus will shift to customer needs rather than instrument types. The

management of limits will be based on capital, set in such a manner so as to

maximize the risk-adjusted return on capital for the firm.

The firm’s exposure will be known and disseminated in real time.

Evaluating the risk of a specific deal will take into account its effect on the firm’s

total risk exposure, rather than simply the exposure of the individual deal.

Banks that dominate this technology will gain a tremendous competitive

advantage. Their information technology and trading infrastructure will be

cheaper than today’s by orders of magnitude. Conversely, banks that attempt to

build this infrastructure in-house will become trapped in a quagmire of large,

expensive IT departments-and poorly supported software.

The successful banks will require far fewer risk systems. Most of which will

be based on a combination of industry standard, reusable, robust risk software

and highly sophisticated proprietary analytics. More importantly, they will be free

to focus on their core business and offer products more directly suited to their

customers’ desired return to risk profiles.

Study of Operational Risk at Punjab National Bank

About Punjab National Bank

Established in 1895 at Lahore, undivided India, Punjab National Bank

(PNB) has the distinction of being the first Indian bank to have been started

solely with Indian capital.The bank was nationalised in July 1969 along with 13

other banks. From its modest beginning, the bank has grown in size and stature

to become a front-line banking institution in India at present. It is a professionally

managed bank with a successful track record of over 110 years.

It has the largest branch network in India - 4525 Offices including 432

Extension Counters spread throughout the country. With its presence virtually in

47

all the important centres of the country, Punjab National Bank offers a wide

variety of banking services which include corporate and personal banking,

industrial finance, agricultural finance, financing of trade and international

banking. Among the clients of the Bank are Indian conglomerates, medium and

small industrial units, exporters, non-resident Indians and multinational

companies. The large presence and vast resource base have helped the Bank to

build strong links with trade and industry.

Operational Risk

Punjab National Bank is exposed to many types of operational risk. Operational

risk can result from a variety of factors, including:

1. Failure to obtain proper internal authorizations,

2. Improperly documented transactions,

3. Failure of operational and information security procedures,

4. Computer systems,

5. Software or equipment,

6. Fraud,

7. Inadequate training and employee errors.

PNB attempts to mitigate operational risk by maintaining a comprehensive

system of internal controls, establishing systems and procedures to monitor

transactions, maintaining key back–up procedures and undertaking regular

contingency planning.

I. Operational Controls and Procedures in Branches

PNB has operating manuals detailing the procedures for the processing of

various banking transactions and the operation of the application software.

Amendments to these manuals are implemented through circulars sent to all

offices.

48

When taking a deposit from a new customer, PNB requires the new customer to

complete a relationship form, which details the terms and conditions for providing

various banking services.

Photographs of customers are also obtained for PNB’s records, and specimen

signatures are scanned and stored in the system for online verification. PNB

enters into a relationship with a customer only after the customer is properly

introduced to PNB. When time deposits become due for repayment, the deposit

is paid to the depositor. System generated reminders are sent to depositors

before the due date for repayment. Where the depositor does not apply for

repayment on the due date, the amount is transferred to an overdue deposits

account for follow up.

PNB has a scheme of delegation of financial powers that sets out the monetary

limit for each employee with respect to the processing of transactions in a

customer's account. Withdrawals from customer accounts are controlled by dual

authorization. Senior officers have delegated power to authorize larger

withdrawals. PNB’s operating system validates the check number and balance

before permitting withdrawals. PNB’s banking software has multiple security

features to protect the integrity of applications and data.

PNB gives importance to computer security and has s a comprehensive

information technology security policy. Most of the information technology assets

including critical servers are hosted in centralized data centers, which are subject

to appropriate physical and logical access controls.

II. Operational Controls and Procedures for Internet Banking

In order to open an Internet banking account, the customer must provide PNB

with documentation to prove the customer's identity, including a copy of the

customer's passport, a photograph and specimen signature of the customer.

49

After verification of the same, PNB opens the Internet banking account and

issues the customer a user ID and password to access his account online.

III. Operational Controls and Procedures in Regional

Processing Centers & Central Processing Centers

To improve customer service at PNB’s physical locations, PNB handles

transaction processing centrally by taking away such operations from branches.

PNB has centralized operations at regional processing centers located at 15

cities in the country. These regional processing centers process clearing checks

and inter-branch transactions, make inter-city check collections, and engage in

back office activities for account opening, standing instructions and auto-renewal

of deposits.

PNB has centralized transaction processing on a nationwide basis for

transactions like the issue of ATM cards and PIN mailers, reconciliation of ATM

transactions, monitoring of ATM functioning, issue of passwords to Internet

banking customers, depositing post-dated cheques received from retail loan

customers and credit card transaction processing. Centralized processing has

been extended to the issuance of personalized check books, back office activities

of non-resident Indian accounts, opening of new bank accounts for customers

who seek web broking services and recovery of service charges for accounts for

holding shares in book-entry form.

IV. Operational Controls and Procedures in Treasury

PNB has a high level of automation in trading operations. PNB uses technology

to monitor risk limits and exposures. PNB’s front office, back office and

accounting and reconciliation functions are fully segregated in both the domestic

treasury and foreign exchange treasury. The respective middle offices use

various risk monitoring tools such as counterparty limits, position limits, exposure

limits and individual dealer limits. Procedures for reporting breaches in

limits are also in place.

50

PNB’s front office treasury operation for rupee transactions consists of operations

in fixed income securities, equity securities and inter-bank money markets.

PNB’s dealers analyze the market conditions and take views on price

movements. Thereafter, they strike deals in conformity with various limits relating

to counterparties, securities and brokers. The deals are then forwarded to the

back office for settlement.

The inter-bank foreign exchange treasury operations are conducted through

Reuters dealing systems. Brokered deals are concluded through voice systems.

Deals done through Reuters systems are captured on a real time basis for

processing. Deals carried out through voice systems are input in the system by

the dealers for processing. The entire process from deal origination to settlement

and accounting takes place via straight through processing. The processing

ensures adequate checks at critical stages. Trade strategies are discussed

frequently and decisions are taken based on market forecasts, information and

liquidity considerations. Trading operations are conducted in conformity with the

code of conduct prescribed by internal and regulatory guidelines.

The Treasury Middle Office Group, monitors counterparty limits, evaluates the

mark-to-market impact on various positions taken by dealers and monitors

market risk exposure of the investment portfolio and adherence to various market

risk limits set up by the Risk, Compliance and Audit Group.

PNB’s back office undertakes the settlement of funds and securities. The back

office has procedures and controls for minimizing operational risks, including

procedures with respect to deal confirmations with counterparties, verifying the

authenticity of counterparty checks and securities, ensuring receipt of contract

notes from brokers, monitoring receipt of interest and principal amounts on due

dates, ensuring transfer of title in the case of purchases of securities, reconciling

actual security holdings with the holdings pursuant to the records and reports any

irregularity or shortcoming observed.

51

V. Audit

The Internal Audit Group undertakes a comprehensive audit of all business

groups and other functions, in accordance with a risk-based audit plan. This plan

allocates audit resources based on an assessment of the operational risks in the

various businesses. The Internal Audit group conceptualizes and implements

improved systems of internal controls, to minimize operational risk. The audit

plan for every fiscal year is approved by the Audit Committee of PNB’s board of

directors. The Internal Audit group also has a dedicated team responsible for

information technology security audits. Various components of information

technology from applications to databases, networks and operating systems are

covered under the annual audit plan.

52

53