
PROJECT ON

CREDIT RISK MANAGEMENT WITH REFERENCE TO RBI



SUBMITTED BY

ZAID QURASHI MOHD. ISLAM

ROLL NO: 68


T.Y.BMS (SEMESTER-V)

*2014-2015*


UNDER THE GUIDANCE OF

PROF. DHARIN SHAH


SUBMITTED TO

UNIVERSITY OF MUMBAI


NIRMALA MEMORIAL FOUNDATION COLLEGE OF COMMERCE
AND SCIENCE


90 FEET ROAD, ASHA NAGAR, THAKUR COMPLEX,
KANDIVALI (E), MUMBAI - 400101










DECLARATION

I, ZAID QURASHI MOHD. ISLAM, of T.Y.BMS. (Bachelor degree of
Management Studies, Semester V), hereby declare that I have completed the
project "CREDIT RISK MANAGEMENT WITH REFERENCE TO RBI" in the
academic year 2014-2015.

The information submitted is true and original to the best of my knowledge.


________________                    ____________
Date of Submission                  Signature of Student





CERTIFICATE


This is to certify that the project titled "CREDIT RISK MANAGEMENT
WITH REFERENCE TO RBI" has been completed by ZAID QURASHI
MOHD. ISLAM of T.Y.BMS. (Semester-V) examination in academic year
2014-2015.

The information submitted is true and original to the best of knowledge.

__________________ __________________
(Dr. T. P. Madhu Nair) (Prof. Poonam Kakkad)
Principal Program Coordinator



_______________ _______________
(Prof. Dharen Shah) External Examiner
Project Guide





ACKNOWLEDGEMENT

I would like to extend my gratitude to Prof. Dharen Shah for providing guidance
and support during the course of the project. She has been a great help through the
making of the project. I would like to thank the University of Mumbai for giving
me the opportunity to work on such a relevant topic.
I would also like to thank the college faculty, the librarian and the Principal, Dr.
T. P. Madhu Nair, for their help, and others who are indirectly responsible for the
completion of this project. In addition, I would like to take this opportunity to thank
our BMS Coordinator, Prof. Poonam Kakkad, for always being there to guide me
and for extending her full support.

Date: _______________
Signature of Student




PREFACE
When financial institutions, investors, or other lending facilities allow individuals
and businesses to borrow money, they risk the chance that the borrower will
default on the loan or credit line. Credit risk management is a means of reducing
credit risk by employing a variety of strategies meant to prevent or at least offset
losses due to default. There are many different strategies employed in credit risk
management, including purchasing credit insurance, diversifying lending, reducing
available credit, and charging fees to partially offset costs. Nearly every major
financial organization in operation relies on a combination of credit risk
management tactics to prevent loss from borrower default. With lines of credit, one
of the most commonly employed strategies for credit risk management is to reduce
spending limits to help prevent financial over-extension. For instance, if a person
has a credit card with a $2000 US Dollar (USD) limit, the bank may initially
impose a transaction limit of $200 USD. This prevents the borrower from maxing
out the card in one go and then defaulting. Once a borrower has developed a
proven track record of regular repayment, the bank may believe that the credit risk
is reduced and remove transaction limits or increase the total amount of the credit
line.
Credit insurance is purchased by banks and large lending institutions to cover
losses by default. The bank generally pays insurance premiums just as a person
would for health or car insurance, but may often pass these premiums on to
customers through fees and charges. In case of default, the insurance will be able
to step in and cover the bank's losses. Credit insurance exists to help the bank out
of trouble, though not, it should be noted, the borrower.
One credit risk management strategy relies on the diversification of available
credit. Risking a smaller amount of money in many different areas, such as for
house loans, auto loans, and credit cards, may be safer than putting all available
resources into a single area. If a market crashes, institutions that have invested
solely in that market may be crushed in the wake. Institutions that have a
diversified portfolio may be more likely to survive a crashing market.
Credit risk management is a complicated subject that often requires excellent
professional advice. Many financial institutions, both large and small, employ risk
management specialists to assess risk and design and monitor a comprehensive
plan for protection against credit risk. Economists, market analysts, and even
accountants may be able to find gainful employment in the risk management field.


INTRODUCTION

What is Credit risk?

Credit risk is the potential that a bank's borrower or counterparty fails to meet its
obligations on agreed terms. There is always scope for the borrower to default
on his commitments for one reason or another, resulting in crystallization of
credit risk to the bank. These losses could take the form of outright default or,
alternatively, losses from changes in portfolio value arising from actual or
perceived deterioration in credit quality that is short of default. Credit risk is
inherent to the business of lending funds to the operations linked closely to market
risk variables. The objective of credit risk management is to minimize the risk and
maximize the bank's risk-adjusted rate of return by assuming and maintaining credit
exposure within acceptable parameters.
Credit risk consists primarily of two components: the quantity of risk, which is
nothing but the outstanding loan balance as on the date of default, and the quality of
risk, viz. the severity of loss, defined by the Probability of Default as reduced by
the recoveries that could be made in the event of default. Thus credit risk is a
combined outcome of Default Risk and Exposure Risk. The elements of credit
risk are Portfolio Risk, comprising Concentration Risk as well as Intrinsic Risk, and
Transaction Risk, comprising migration/downgradation risk as well as Default
Risk. At the transaction level, credit ratings are useful measures for evaluating
credit risk that is prevalent across the entire organization where treasury and credit
functions are handled. Portfolio analysis helps in identifying concentration of credit
risk, default/migration statistics, recovery data, etc. In general, default is not an
abrupt process that happens suddenly, and past experience dictates that, more often
than not, a borrower's creditworthiness and asset quality decline gradually, which
is otherwise known as migration. Default is an extreme event of credit migration.
Off-balance sheet exposures such as foreign exchange forward contracts, swaps,
options, etc. are classified into three broad categories (Full Risk, Medium
Risk and Low Risk) and then translated into risk-weighted assets.
Risk Management.
Risk Management is a discipline at the core of every financial institution and
encompasses all the activities that affect its risk profile. It involves identification,
measurement, monitoring and controlling risks to ensure that:
a) The individuals who take or manage risks clearly understand them.
b) The organization's risk exposure is within the limits established by the Board of
Directors.
c) Risk-taking decisions are in line with the business strategy and objectives set by
the BOD.
d) The expected payoffs compensate for the risks taken.
e) Risk-taking decisions are explicit and clear.
f) Sufficient capital is available as a buffer to take risk.
The acceptance and management of financial risk is inherent to the business of
banking and banks' roles as financial intermediaries. Risk management as
commonly perceived does not mean minimizing risk; rather, the goal of risk
management is to optimize the risk-reward trade-off. Notwithstanding the fact that
banks are in the business of taking risk, it should be recognized that an institution
need not engage in business in a manner that unnecessarily imposes risk upon it,
nor should it absorb risk that can be transferred to other participants. Rather, it
should accept those risks that are uniquely part of the array of the bank's services. In
every financial institution, risk management activities broadly take place
simultaneously at the following different hierarchy levels.
a) Strategic level: It encompasses risk management functions performed by senior
management and the BOD, for instance defining risks, ascertaining the institution's
risk appetite, formulating strategy and policies for managing risks, and establishing
adequate systems and controls to ensure that overall risk remains within an acceptable
level and the reward compensates for the risk taken.
b) Macro level: It encompasses risk management within a business area or across
business lines. Generally the risk management activities performed by middle
management or units devoted to risk reviews fall into this category.
c) Micro level: It involves on-the-line risk management where risks are actually
created. These are the risk management activities performed by individuals who take
risk on the organization's behalf, such as front office and loan origination functions.
The risk management in those areas is confined to following operational
procedures and guidelines set by management.
Expanding business arenas, deregulation and globalization of financial activities,
the emergence of new financial products and an increased level of competition have
necessitated effective and structured risk management in financial institutions. A
bank's ability to measure, monitor, and steer risks comprehensively is becoming a
decisive parameter for its strategic positioning. The risk management framework and
the sophistication of the process and internal controls used to manage risks depend
on the nature, size and complexity of the institution's activities. Nevertheless, there are
some basic principles that apply to all financial institutions irrespective of their
size and complexity of business and are reflective of the strength of an individual
bank's risk management practices.




Credit Risk Management Process



Managing credit risk

Credit risk arises from the potential that an obligor is either unwilling to perform
on an obligation or its ability to perform such obligation is impaired, resulting in
economic loss to the bank.
In a bank's portfolio, losses stem from outright default due to inability or
unwillingness of a customer or counterparty to meet commitments in relation to
lending, trading, settlement and other financial transactions. Alternatively, losses
may result from a reduction in portfolio value due to actual or perceived
deterioration in credit quality. Credit risk emanates from a bank's dealings with
individuals, corporates, financial institutions or a sovereign. For most banks, loans
are the largest and most obvious source of credit risk; however, credit risk could
stem from activities both on and off balance sheet.
In addition to direct accounting loss, credit risk should be viewed in the context of
economic exposures. This encompasses opportunity costs, transaction costs and
expenses associated with a non-performing asset over and above the accounting
loss. Credit risk can be further sub-categorized on the basis of reasons for default.
For instance, the default could be due to the country in which there is exposure or
problems in settlement of a transaction. Credit risk does not necessarily occur in
isolation. The same source that endangers credit risk for the institution may also
expose it to other risks. For instance, a bad portfolio may attract a liquidity problem.


PRINCIPLES OF CREDIT RISK MANAGEMENT

A. Establishing an appropriate credit risk environment
Principle 1:
The board of directors should have responsibility for approving and
periodically reviewing the credit risk strategy and significant credit risk
policies of the bank. The strategy should reflect the bank's tolerance for
risk and the level of profitability the bank expects to achieve for
incurring various credit risks.
Principle 2:
Senior management should have responsibility for implementing the
credit risk strategy approved by the board of directors and for
developing policies and procedures for identifying, measuring,
monitoring and controlling credit risk. Such policies and procedures
should address credit risk in all of the bank's activities and at both the
individual credit and portfolio levels.
Principle 3:
Banks should identify and manage credit risk inherent in all products
and activities. Banks should ensure that the risks of products and
activities new to them are subject to adequate procedures and controls
before being introduced or undertaken, and approved in advance by the
board of directors or its appropriate committee.


B. Operating under a sound credit granting process
Principle 4:
Banks must operate under sound, well-defined credit-granting
criteria. These criteria should include a thorough understanding of the
borrower or counterparty, as well as the purpose and structure of the
credit, and its source of repayment.
Principle 5:
Banks should establish overall credit limits at the level of individual
borrowers and counterparties, and groups of connected counterparties
that aggregate in a comparable and meaningful manner different types of
exposures, both in the banking and trading book and on and off the
balance sheet.
Principle 6:
Banks should have a clearly-established process in place for approving
new credits as well as the extension of existing credits.
Principle 7:
All extensions of credit must be made on an arm's-length basis. In
particular, credits to related companies and individuals must be
monitored with particular care and other appropriate steps taken to
control or mitigate the risks of connected lending.



C. Maintaining an appropriate credit administration, measurement and
monitoring process.
Principle 8:
Banks should have in place a system for the ongoing administration of
their various credit risk-bearing portfolios.
Principle 9:
Banks must have in place a system for monitoring the condition of
individual credits, including determining the adequacy of provisions and
reserves.
Principle 10:
Banks should develop and utilise internal risk rating
systems in managing credit risk. The rating system should be consistent
with the nature, size and complexity of a bank's activities.
Principle 11:
Banks must have information systems and analytical techniques that
enable management to measure the credit risk inherent in all on- and off-
balance sheet activities. The management information system should
provide adequate information on the composition of the credit portfolio,
including identification of any concentrations of risk.
Principle 12:
Banks must have in place a system for monitoring the overall
composition and quality of the credit portfolio.
Principle 13:
Banks should take into consideration potential future changes in
economic conditions when assessing individual credits and their credit
portfolios, and should assess their credit risk exposures under stressful
conditions.


D. Ensuring adequate controls over credit risk
Principle 14:
Banks should establish a system of independent, ongoing credit review
and the results of such reviews should be communicated directly to the
board of directors and senior management.
Principle 15:
Banks must ensure that the credit-granting function is being properly
managed and that credit exposures are within levels consistent with
prudential standards and internal limits. Banks should establish and
enforce internal controls and other practices to ensure that exceptions to
policies, procedures and limits are reported in a timely manner to the
appropriate level of management.
Principle 16:
Banks must have a system in place for managing problem credits and
various other workout situations.


E. The role of supervisors
Principle 17:
Supervisors should require that banks have an effective system in place
to identify, measure, monitor and control credit risk as part of an overall
approach to risk management. Supervisors should conduct an
independent evaluation of a bank's strategies, policies, practices and
procedures related to the granting of credit and the ongoing management
of the portfolio. Supervisors should consider setting prudential limits to
restrict bank exposures to single borrowers or groups of connected
counterparties.



Components of credit risk management
A typical Credit risk management framework in a financial institution may be
broadly categorized into following main components.
a) Board and senior management's oversight
b) Organizational structure
c) Systems and procedures for identification, acceptance, measurement, monitoring
and control risks.

Board and Senior Management's Oversight
It is the overall responsibility of the bank's Board to approve the bank's credit risk
strategy and significant policies relating to credit risk and its management, which
should be based on the bank's overall business strategy. To keep it current, the
overall strategy has to be reviewed by the board, preferably annually. The
responsibilities of the Board with regard to credit risk
management shall, inter alia, include:
a) Delineate the bank's overall risk tolerance in relation to credit risk.
b) Ensure that the bank's overall credit risk exposure is maintained at prudent levels and consistent
with the available capital.
c) Ensure that top management as well as individuals responsible for credit risk
management possess sound expertise and knowledge to accomplish the risk
management function
d) Ensure that the bank implements sound fundamental principles that facilitate the
identification, measurement, monitoring and control of credit risk.
e) Ensure that appropriate plans and procedures for credit risk management are in
place.
The very first purpose of a bank's credit strategy is to determine the risk appetite of
the bank. Once it is determined, the bank could develop a plan to optimize return
while keeping credit risk within predetermined limits.
The bank's credit risk strategy thus should spell out:
a) The institution's plan to grant credit based on various client segments and
products, economic sectors, geographical location, currency and maturity.
b) Target market within each lending segment, preferred level of
diversification/concentration.
c) Pricing strategy.
It is essential that banks give due consideration to their target market while
devising credit risk strategy. The credit procedures should aim to obtain an in-depth
understanding of the bank's clients, their credentials and their businesses in order to
fully know their customers.
The strategy should provide continuity in approach and take into account the cyclic
aspect of the country's economy and the resulting shifts in composition and quality of
overall credit portfolio. While the strategy would be reviewed periodically and
amended, as deemed necessary, it should be viable in long term and through
various economic cycles.
The senior management of the bank should develop and establish credit policies
and credit administration procedures as a part of the overall credit risk management
framework and get those approved by the board. Such policies and procedures shall
provide guidance to the staff on various types of lending including corporate,
SME, consumer, agriculture, etc. At a minimum, the policy should include:
a) Detailed and formalized credit evaluation/ appraisal process.
b) Credit approval authority at various hierarchy levels including authority for
approving exceptions.
c) Risk identification, measurement, monitoring and control
d) Risk acceptance criteria
e) Credit origination and credit administration and loan documentation procedures
f) Roles and responsibilities of units/staff involved in origination and management
of credit.
g) Guidelines on management of problem loans.
In order to be effective these policies must be clear and communicated down the
line. Further any significant deviation/exception to these policies must be
communicated to the top management/board and corrective measures should be
taken. It is the responsibility of senior management to ensure effective
implementation of these policies.

Organizational Structure.
To maintain the bank's overall credit risk exposure within the parameters set by the
board of directors, the importance of a sound risk management structure is second
to none. While banks may choose different structures, it is important that such a
structure be commensurate with the institution's size, complexity and
diversification of its activities. It must facilitate effective management oversight
and proper execution of credit risk management and control processes.
Each bank, depending upon its size, should constitute a Credit Risk Management
Committee (CRMC), ideally comprising the heads of the credit risk management
department, credit department and treasury. This committee, reporting to the bank's
risk management committee, should be empowered to oversee credit risk taking
activities and the overall credit risk management function. The CRMC should be
mainly responsible for:
a) The implementation of the credit risk policy / strategy approved by the Board.
b) Monitor credit risk on a bank-wide basis and ensure compliance with limits
approved by the Board.
c) Recommend to the Board, for its approval, clear policies on standards for
presentation of credit proposals, financial covenants, rating standards and
benchmarks.
d) Decide delegation of credit approving powers, prudential limits on large credit
exposures, standards for loan collateral, portfolio management, loan review
mechanism, risk concentrations, risk monitoring and evaluation, pricing of loans,
provisioning, regulatory/legal compliance, etc.
Further, to maintain credit discipline and to enunciate credit risk management and
control process there should be a separate function independent of loan origination
function. Credit policy formulation, credit limit setting, monitoring of credit
exceptions / exposures and review /monitoring of documentation are functions that
should be performed independently of the loan origination function. For small
banks where it might not be feasible to establish such structural hierarchy, there
should be adequate compensating measures to maintain credit discipline and introduce
adequate checks and balances and standards to address potential conflicts of
interest. Ideally, the banks should institute a Credit Risk Management Department
(CRMD). Typical functions of CRMD include:
a) To follow a holistic approach in management of risks inherent in the bank's portfolio
and ensure the risks remain within the boundaries established by the Board or
Credit Risk Management Committee.
b) The department also ensures that business lines comply with risk parameters and
prudential limits established by the Board or CRMC.
c) Establish systems and procedures relating to risk identification, Management
Information System, monitoring of loan / investment portfolio quality and early
warning. The department would work out remedial measures when
deficiencies/problems are identified.
The Department should undertake portfolio evaluations and conduct
comprehensive studies on the environment to test the resilience of the loan
portfolio.
Notwithstanding the need for a separate or independent oversight, the front office
or loan origination function should be cognizant of credit risk, and maintain a high
level of credit discipline and standards in pursuit of business opportunities.

Systems and Procedures

Measuring credit risk

The measurement of credit risk is of vital importance in credit risk management.
A number of qualitative and quantitative techniques to measure risk inherent in
credit portfolio are evolving. To start with, banks should establish a credit risk
rating framework across all types of credit activities. Among other things, the rating
framework may incorporate:

Business Risk
o Industry Characteristics
o Competitive Position (e.g. marketing/technological edge)
o Management
Financial Risk
o Financial condition
o Profitability
o Capital Structure
o Present and future Cash flows

Internal Risk Rating.
Credit risk rating is a summary indicator of a bank's individual credit exposure. An
internal rating system categorizes all credits into various classes on the basis of
underlying credit quality. A well-structured credit rating framework is an important
tool for monitoring and controlling risk inherent in individual credits as well as in
credit portfolios of a bank or a business line. The importance of internal credit
rating framework becomes more eminent due to the fact that
historically major losses to banks stemmed from default in loan portfolios. While a
number of banks already have a system for rating individual credits in addition to
the risk categories prescribed by SBP, all banks are encouraged to devise an
internal rating framework. An internal rating framework would facilitate banks in a
number of ways such as
a) Credit selection
b) Amount of exposure
c) Tenure and price of facility
d) Frequency or intensity of monitoring
e) Analysis of migration of deteriorating credits and more accurate computation of
future loan loss provision
f) Deciding the level of Approving authority of loan.
The Architecture of internal rating system.
The decision to deploy any risk rating architecture for credits depends upon two
basic aspects
a) The Loss Concept and the number and meaning of grades on the rating
continuum corresponding to each loss concept*.
b) Whether to rate a borrower on the basis of a "point in time" philosophy or a
"through the cycle" approach.
Besides, there are other issues such as whether to include statutory grades in the
scale, the type of rating scale (i.e. alphabetical, numerical or alpha-numeric), etc. SBP
does not advocate any particular credit risk rating system; it should be the bank's own
choice. However, the system should be commensurate with the size, nature and
complexity of their business as well as possess flexibility to accommodate the present
and future risk profile of the bank, the anticipated level of diversification and
sophistication in lending activities.
A rating system with a large number of grades on the rating scale becomes more
expensive due to the fact that the cost of obtaining and analyzing additional
information for fine gradation increases sharply. However, it is important that there
should be sufficient gradations to permit accurate characterization of the
underlying risk profile of a loan or a portfolio of loans.
The operating Design of Rating System.
As with the decision to grant credit, the assignment of ratings always involves an
element of human judgment. Even sophisticated rating models do not replicate
experience and judgment; rather, these techniques help and reinforce subjective
judgment. Banks thus design the operating flow of the rating process in a way that
is aimed at promoting the accuracy and consistency of the rating system while not
unduly restricting the exercise of judgment. Key issues relating to the operating
design of a rating system include what exposures to rate; the organization's
division of responsibility for grading; the nature of ratings review; the formality of
the process and specificity of formal rating definitions.
What Exposures are rated?
Ideally all the credit exposures of the bank should be assigned a risk rating.
However, given the element of cost, it might not be feasible for all banks to follow.
The banks may decide on their own which exposures need to be rated. The
decision to rate a particular loan could be based on factors such as exposure
amount, business line or both. Generally corporate and commercial exposures are
subject to internal ratings and banks use scoring models for consumer retail loans.
The rating process in relation to credit approval and review.
Ratings are generally assigned /reaffirmed at the time of origination of a loan or its
renewal /enhancement. The analysis supporting the ratings is inseparable from that
required for credit appraisal. In addition the rating and loan analysis process while
being separate are intertwined. The process of assigning a rating and its approval /
confirmation goes along with the initiation of a credit proposal and its approval.
Generally the loan origination function (whether a relationship
manager or credit staff) * initiates a loan proposal and also allocates a specific
rating. This proposal passes through the credit approval process and the rating is
also approved or recalibrated simultaneously by approving authority. The revision
in the ratings can be used to upgrade the rating system and related guidelines.
How to arrive at ratings
The assignment of a particular rating to an exposure is basically an abbreviation of
its overall risk profile. Theoretically ratings are based upon the major risk factors
and their intensity inherent in the business of the borrower as well as key
parameters and their intensity to those risk factors. Major risk factors include the
borrower's financial condition, size, industry and position in the industry; the
reliability of financial statements of the borrower; quality of management;
elements of transaction structure such as covenants, etc. More detail on the
subject would be beyond the scope of these guidelines; however, a few important
aspects are:
a) Banks may vary somewhat in the particular factors they consider and the weight
they give to each factor.
b) Since the rater and reviewer of a rating should be following the same basic
thought, to ensure uniformity in the assignment and review of risk grades, the
credit policy should explicitly define each risk grade and lay down the criteria to be
fulfilled while assigning a particular grade, as well as
the circumstances under which deviations from the criteria can take place.
c) The credit policy should also explicitly narrate the roles of different parties
involved in the rating process.
d) The institution must ensure that adequate training is imparted to staff to ensure
uniform ratings.
e) Assigning a rating is basically a judgmental exercise, and the models, external
ratings and written guidelines/benchmarks serve as input.
f) Institutions should take adequate measures to test and develop a risk rating
system prior to adopting one. Adequate validation testing should be conducted
during the design phase as well as over the life of the system to ascertain the
applicability of the system to the institution's portfolio.
Institutions that use sophisticated statistical models to assign ratings or to calculate
probabilities of default, must ascertain the applicability of these models to their
portfolios. Even when such statistical models are found to be satisfactory,
institutions should not use the output of such models as the sole criterion for
assigning ratings or determining the probabilities of default. It would be advisable
to consider other relevant inputs as well.
Ratings review
The rating review can be two-fold:
a) Continuous monitoring by those who assigned the rating. The Relationship
Managers (RMs) generally have a close contact with the borrower and are
expected to keep an eye on the financial stability of the borrower. In the event of
any deterioration the ratings are immediately revised /reviewed.
b) Secondly, the risk review functions of the bank or business lines also conduct
a periodical review of ratings at the time of risk review of the credit portfolio.
Risk ratings should be assigned at the inception of lending, and updated at least
annually. Institutions should, however, review ratings as and when adverse events
occur. A separate function independent of loan origination should review Risk
ratings. As part of portfolio monitoring, institutions should generate reports on
credit exposure by risk grade. Adequate trend and migration analysis should also
be conducted to identify any deterioration in credit quality. Institutions may
establish limits for risk grades to highlight concentration in particular rating bands.
It is important that the consistency and accuracy of ratings are examined
periodically by a function such as an independent credit review group.
For consumer lending, institutions may adopt credit-scoring models for processing
loan applications and monitoring credit quality. Institutions should apply the above
principles in the management of scoring models. Where the model is relatively
new, institutions should continue to subject credit applications to rigorous review
until the model has stabilized.
Credit Risk Monitoring & Control
Credit risk monitoring refers to incessant monitoring of individual credits
inclusive of Off-Balance sheet exposures to obligors as well as overall credit
portfolio of the bank. Banks need to enunciate a system that enables them to
monitor quality of the credit portfolio on day-to-day basis and take remedial
measures as and when any deterioration occurs. Such a system would enable a
bank to ascertain whether loans are being serviced as per facility terms, the
adequacy of provisions, whether the overall risk profile is within limits established by
management, and compliance with regulatory limits. Establishing an efficient and
effective credit monitoring system would help senior management to monitor the
overall quality of the total credit portfolio and its trends. Consequently the
management could fine tune or reassess its credit strategy/policy accordingly
before encountering any major setback. The bank's credit policy should explicitly
provide procedural guidelines relating to credit risk monitoring. At the minimum it
should lay down procedures relating to:
a) The roles and responsibilities of individuals responsible for credit risk
monitoring
b) The assessment procedures and analysis techniques (for individual loans &
overall portfolio)
c) The frequency of monitoring
d) The periodic examination of collaterals and loan covenants
e) The frequency of site visits
f) The identification of any deterioration in any loan
Given below are some key indicators that depict the credit quality of a loan:
a. Financial Position and Business Conditions. The most important aspect about an
obligor is its financial health, as it would determine its repayment capacity.
Consequently institutions need to carefully watch the financial standing of the obligor. The
key financial performance indicators on profitability, equity, leverage and liquidity
should be analyzed. While making such analysis due consideration should be given
to business/industry risk, the borrower's position within
the industry and external factors such as economic condition, government policies,
regulations. For companies whose financial position is dependent on key
management personnel and/or shareholders, for example, in small and medium
enterprises, institutions would need to pay particular attention to the assessment of
the capability and capacity of the management/shareholder(s).
b. Conduct of Accounts. In case of an existing obligor the operation in the account
would give a fair idea about the quality of credit facility. Institutions should
monitor the obligor's account activity, repayment history and instances of excesses
over credit limits. For trade financing, institutions should monitor cases of repeat
extensions of due dates for trust receipts and bills.
c. Loan Covenants. The obligor's ability to adhere to negative pledges and
financial covenants stated in the loan agreement should be assessed, and any
breach detected should be addressed promptly.
d. Collateral valuation. Since the value of collateral could deteriorate resulting in
unsecured lending, banks need to reassess value of collaterals on periodic basis.
The frequency of such valuation is very subjective and depends upon nature of
collaterals. For instance, loans granted against shares need revaluation on almost
daily basis whereas if there is mortgage of a residential property the revaluation
may not be necessary as frequently. In case of credit facilities secured against
inventory or goods at the obligor's premises, appropriate inspection should be
conducted to verify the existence and valuation of the collateral. And if such goods
are perishable or such that their value diminishes rapidly (e.g. electronic
parts/equipment), additional precautionary measures should be taken.
External Rating and Market Price of securities such as TFCs purchased as a form
of lending or long-term investment should be monitored for any deterioration in
credit rating of the issuer, as well as large decline in market price. Adverse changes
should trigger additional effort to review the creditworthiness of the issuer.





Risk review

The institutions must establish a mechanism of independent, ongoing assessment
of credit risk management process. All facilities except those managed on a
portfolio basis should be subjected to individual risk review at least once in a year.
The results of such review should be properly documented and reported directly to
board, or its subcommittee or senior management without lending authority. The
purpose of such reviews is to assess the credit administration process, the accuracy
of credit rating and overall quality of loan portfolio independent of relationship
with the obligor.
Institutions should conduct credit review with updated information on the obligor's
financial and business conditions, as well as conduct of account. Exceptions noted
in the credit monitoring process should also be evaluated for impact on the
obligor's creditworthiness. Credit review should also be conducted on a
consolidated group basis to factor in the business connections among entities in a
borrowing group.
As stated earlier, credit review should be performed on an annual basis, however
more frequent review should be conducted for new accounts where institutions
may not be familiar with the obligor, and for classified or adverse rated accounts
that have higher probability of default.
For consumer loans, institutions may dispense with the need to perform credit
review for certain products. However, they should monitor and report credit
exceptions and deterioration.
Delegation of Authority.



Banks are required to establish responsibility for credit sanctions and delegate
authority to approve credits or changes in credit terms. It is the responsibility of
bank's board to approve the overall lending authority structure, and explicitly
delegate credit sanctioning authority to senior management and the credit
committee. Lending authority assigned to officers should be commensurate with
the experience, ability and personal character. It would be better if institutions
develop risk-based authority structure where lending power is tied to the risk
ratings of the obligor. Large banks may adopt multiple credit approvers for
sanctioning such as credit ratings, risk approvals etc to institute a more effective
system of check and balance. The credit policy should spell out the escalation
process to ensure appropriate reporting and approval of credit extension beyond
prescribed limits. The policy should also spell out authorities for unsecured credit
(while remaining within SBP limits), approvals of disbursements excess over limits
and other exceptions to credit policy.
In cases where lending authority is assigned to the loan originating function, there
should be compensating processes and measures to ensure adherence to lending
standards. There should also be periodic review of lending authority assigned to
officers.
Managing problem credits
The institution should establish a system that helps identify problem loan ahead of
time when there may be more options available for remedial measures. Once the
loan is identified as problem, it should be managed under a dedicated remedial
process.
A bank's credit risk policies should clearly set out how the bank will manage
problem credits. Banks differ on the methods and organization they use to manage
problem credits. Responsibility for such credits may be assigned to the originating
business function, a specialized workout section, or a combination of the two,
depending upon the size and nature of the credit and the reason for its problems.
When a bank has significant credit-related problems, it is important to segregate
the workout function from the credit origination function. The additional resources,
expertise and more concentrated focus of a specialized workout section normally
improve collection results.
A problem loan management process encompasses the following basic elements.
a. Negotiation and follow-up. Proactive effort should be taken in dealing with
obligors to implement remedial plans, by maintaining frequent contact and internal
records of follow-up actions. Often rigorous efforts made at an early stage prevent
institutions from litigations and loan losses.
b. Workout remedial strategies. Sometimes appropriate remedial strategies such as
restructuring of loan facility, enhancement in credit limits or reduction in interest
rates help improve the obligor's repayment capacity. However it depends upon
business condition, the nature of problems being faced and most importantly the
obligor's commitment and willingness to repay the loan. While such remedial
strategies often bring up positive results, institutions need to exercise great caution
in adopting such measures and ensure that such a policy does not encourage
obligors to default intentionally. The institution's interest should be the primary
consideration in case of such workout plans. It need not be mentioned here that
the competent authority should approve such workout plans before their
implementation.
c. Review of collateral and security document. Institutions have to ascertain the
loan recoverable amount by updating the values of available collateral with formal
valuation. Security documents should also be reviewed to ensure the completeness
and enforceability of contracts and collateral/guarantee.
d. Status Report and Review. Problem credits should be subject to more frequent
review and monitoring. The review should update the status and development of
the loan accounts and progress of the remedial plans. Progress made on problem
loans should be reported to the senior management.
"Credit Risk Management: Policy Framework for Indian Banks"
The Cool Avenues Knowledge Management Team, a knowledge management portal on
various topics, has also written about the credit risk management framework for
Indian banks. According to their article, risk is inherent in all aspects of a
commercial operation and covers areas such as customer services, reputation,
technology, security, human resources, market price, funding, legal, regulatory,
fraud and strategy. However, for banks and financial institutions, credit risk is the
most important factor to be managed. Credit risk is defined as the possibility that a
borrower or counterparty will fail to meet its obligations in accordance with agreed
terms. Credit risk, therefore, arises from the banks' dealings with or lending to a
corporate, individual, another bank, financial institution or a country. Credit risk
may take various forms, such as:
• in the case of direct lending, that funds will not be repaid;
• in the case of guarantees or letters of credit, that funds will not be
forthcoming from the customer upon crystallization of the liability under the
contract;
• in the case of treasury products, that the payment or series of payments due
from the counterparty under the respective contracts is not forthcoming or
ceases;
• in the case of securities trading businesses, that settlement will not be
effected;
• in the case of cross-border exposure, that the availability and free transfer of
currency is restricted or ceases.
The more diversified a banking group is, the more intricate systems it would
need, to protect itself from a wide variety of risks. These include the routine
operational risks applicable to any commercial concern, the business risks to
its commercial borrowers, the economic and political risks associated with
the countries in which it operates, and the commercial and the reputational
risks concomitant with a failure to comply with the increasingly stringent
legislation and regulations surrounding financial services business in many
territories. Comprehensive risk identification and assessment are therefore
very essential to establishing the health of any counterparty.
Credit risk management enables banks to identify, assess, manage
proactively, and optimise their credit risk at an individual level or at an
entity level or at the level of a country. Given the fast changing, dynamic
world scenario experiencing the pressures of globalisation, liberalization,
consolidation and disintermediation, it is important that banks have robust
credit risk management policies and procedures which are sensitive and
responsive to these changes.
The quality of the credit risk management function will be the key driver of
the changes to the level of shareholder return. Industry analysts have
demonstrated that the average shareholder return of the best credit
performance US banks during 1989 - 1997 was 56% higher than their peers.


They have discussed credit security in terms of certain parameters, which are as follows:
Building Blocks on Credit Risk

In any bank, the corporate goals and credit culture are closely linked, and an
effective credit risk management framework requires the following distinct
building blocks: -
Strategy and Policy

This covers issues such as the definition of the credit appetite, the development of
credit guidelines and the identification and the assessment of the credit risk.



Organisation
This would entail the establishment of competencies and clear accountabilities for
managing the credit risk.
Operations/Systems
MIS requirements of the senior and middle management, and the development of
tools and techniques will come under this domain.
Strategy and Policy
It is essential that each bank develops its own credit risk strategy or enunciates a
plan that defines the objectives for the credit-granting function. This strategy
should spell out clearly the organization's credit appetite and the acceptable level
of risk - reward trade-off at both the macro and the micro levels.
The strategy would therefore, include a statement of the bank's willingness to grant
loans based on the type of economic activity, geographical location, currency,
market, maturity and anticipated profitability. This would necessarily translate into
the identification of target markets and business sectors, preferred levels of
diversification and concentration, the cost of capital in granting credit and the cost
of bad debts.
The policy document should cover issues such as organizational responsibilities,
risk measurement and aggregation techniques, prudential requirements, risk
assessment and review, reporting requirements, risk grading, product guidelines,
documentation, legal issues and management of problem loans. Loan policies apart
from ensuring consistency in credit practices, should also provide a vital link to the
other functions of the bank. It has been empirically proved that organisations with
sound and well-articulated loan policies have been able to contain the loan losses
arising from poor loan structuring and perfunctory risk assessments.
The credit risk strategy should provide continuity in approach, and will need to
take into account the cyclical aspects of any economy and the resulting shifts in the
composition and quality of the overall credit portfolio. This strategy should be
viable in the long run and through various credit cycles.
An organization's risk appetite depends on the level of capital and the quality of
loan book and the magnitude of other risks embedded in the balance sheet. Based
on its capital structure, a bank will be able to set its target returns to its
shareholders and this will determine the level of capital available to the various
business lines.
Keeping in view the foregoing, a bank should have the following in place: -



1. Dedicated policies and procedures to control exposures to designated higher
risk sectors such as capital markets, aviation, shipping, property
development, defense equipment, highly leveraged transactions, bullion etc.
2. Sound procedures to ensure that all risks associated with requested credit
facilities are promptly and fully evaluated by the relevant lending and credit
officers.
3. Systems to assign a risk rating to each customer/borrower to whom credit
facilities have been sanctioned.
4. A mechanism to price facilities depending on the risk grading of the
customer, and to attribute accurately the associated risk weightings to the
facilities.
5. Efficient and effective credit approval process operating within the approval
limits authorized by the Boards.
6. Procedures and systems which allow for monitoring financial performance
of customers and for controlling outstanding within limits.
7. Systems to manage problem loans to ensure appropriate restructuring
schemes. A conservative policy for the provisioning of non-performing
advances should be followed.
8. A process to conduct regular analysis of the portfolio and to ensure on-going
control of risk concentrations.
Credit Policies and Procedures
The credit policies and procedures should necessarily have the following elements:
• Banks should have written credit policies that define target markets, risk
acceptance criteria, credit approval authority, credit origination and
maintenance procedures and guidelines for portfolio management and
remedial management.
• Banks should establish proactive credit risk management practices like
annual / half yearly industry studies and individual obligor reviews, periodic
credit calls that are documented, periodic plant visits, and at least quarterly
management reviews of troubled exposures/weak credits.
• Business managers in banks will be accountable for managing risk and in
conjunction with credit risk management framework for establishing and
maintaining appropriate risk limits and risk management procedures for their
businesses.
• Banks should have a system of checks and balances in place around the
extension of credit which are:
  o An independent credit risk management function
  o Multiple credit approvers
  o An independent audit and risk review function
• The Credit Approving Authority to extend or approve credit will be granted
to individual credit officers based upon a consistent set of standards of
experience, judgment and ability.
• The level of authority required to approve credit will increase as amounts
and transaction risks increase and as risk ratings worsen.
• Every obligor and facility must be assigned a risk rating.
• Banks should ensure that there are consistent standards for the origination,
documentation and maintenance for extensions of credit.
• Banks should have a consistent approach toward early problem recognition,
the classification of problem exposures, and remedial action.
• Banks should maintain a diversified portfolio of risk assets in line with the
capital desired to support such a portfolio.
• Credit risk limits include, but are not limited to, obligor limits and
concentration limits by industry or geography.
• In order to ensure transparency of risks taken, it is the responsibility of
banks to accurately, completely and in a timely fashion, report the
comprehensive set of credit risk data into the independent risk system.

Organizational Structure
A common feature of most successful banks is to establish an independent group
responsible for credit risk management. This will ensure that decisions are made
with sufficient emphasis on asset quality and will deploy specialised skills
effectively. In some organisations, the credit risk management team is responsible
for the management of problem accounts, and for credit operations as well. The
responsibilities of this team are the formulation of credit policies, procedures and
controls extending to all of its credit risks arising from corporate banking, treasury,
credit cards, personal banking, trade finance, securities processing, payment and
settlement systems, etc. This team should also have an overview of the loan
portfolio trends and concentration risks across the bank and for individual lines of
businesses, should provide input to the Asset - Liability Management Committee
of the bank, and conduct industry and sectoral studies. Inputs should be provided
for the strategic and annual operating plans. In addition, this team should review
credit related processes and operating procedures periodically.



It is imperative that the independence of the credit risk management team is
preserved, and it is the responsibility of the Board to ensure that this is not allowed
to be compromised at any time. Should the Board decide not to accept any
recommendation of the credit risk management team, then systems should be in
place for the rationale for such an action to be properly documented. This
document should be made available to both the internal and external auditors for
their scrutiny and comments.
The credit risk strategy and policies should be effectively communicated
throughout the organisation. All lending officers should clearly understand the
bank's approach to granting credit and should be held accountable for complying
with the policies and procedures.
Keeping in view the foregoing, each bank may, depending on the size of the
organization or loan book, constitute a high level Credit Policy Committee also
called Credit Risk Management Committee or Credit Control Committee, etc. to
deal with issues relating to credit policy and procedures and to analyse, manage
and control credit risk on a bank wide basis. The Committee should be headed by
the Chairman/CEO/ED, and should comprise heads of Credit Department,
Treasury, Credit Risk Management Department (CRMD) and the Chief Economist.
The Committee should, inter alia, formulate clear policies on standards for
presentation of credit proposals, financial covenants, rating standards and
benchmarks, delegation of credit approving powers, prudential limits on large
credit exposures, asset concentrations, standards for loan collateral, portfolio
management, loan review mechanism, risk concentrations, risk monitoring and
evaluation, pricing of loans, provisioning, regulatory/legal compliance, etc.
Concurrently, each bank may also set up Credit Risk Management Department
(CRMD), independent of the Credit Administration Department. The CRMD
should enforce and monitor compliance of the risk parameters and prudential limits
set by the CPC. The CRMD should also lay down risk assessment systems,
monitor quality of loan portfolio, identify problems and correct deficiencies,
develop MIS and undertake loan review/audit. Large banks may consider separate
set up for loan review/audit. The CRMD should also be made accountable for
protecting the quality of the entire loan portfolio. The Department should
undertake portfolio evaluations and conduct comprehensive studies on the
environment to test the resilience of the loan portfolio.
Operations / Systems



Banks should have in place an appropriate credit administration, measurement and
monitoring process. The credit process typically involves the following phases: -
1. Relationship management phase i.e. business development.
2. Transaction management phase: covers risk assessment, pricing, structuring
of the facilities, obtaining internal approvals, documentation, loan
administration and routine monitoring and measurement.
3. Portfolio management phase: entails the monitoring of the portfolio at a
macro level and the management of problem loans.
Successful credit management requires experience, judgement and a commitment
to technical development. Each bank should have a clear, well-documented scheme
of delegation of limits. Authorities should be delegated to executives depending on
their skill and experience levels. The banks should have systems in place for
reporting and evaluating the quality of the credit decisions taken by the various
officers. The credit approval process should aim at efficiency, responsiveness and
accurate measurement of the risk. This will be achieved through a comprehensive
analysis of the borrower's ability to repay, clear and consistent assessment systems,
a process which ensures that renewal requests are analyzed as carefully and
stringently as new loans and constant reinforcement of the credit culture by the top
management team.
Commitment to new systems and IT will also determine the quality of the analysis
being conducted. There is a range of tools available to support the decision making
process. These are:
• Traditional techniques such as financial analysis.
• Decision support tools such as credit scoring and risk grading.
• Portfolio techniques such as portfolio correlation analysis.
The key is to identify the tools that are appropriate to the bank.

Banks should develop and utilize internal risk rating systems in managing credit
risk. The rating system should be consistent with the nature, size and complexity of
the bank's activities.
Banks must have a MIS, which will enable them to manage and measure the credit
risk inherent in all on- and off-balance sheet activities. The MIS should provide
adequate information on the composition of the credit portfolio, including
identification of any concentration of risk. Banks should price their loans
according to the risk profile of the borrower and the risks associated with the loans.















RBI
Risk Management in RBI

As a financial intermediary, RBI is exposed to risks that are particular to
its lending and trading businesses and the environment within which it
operates. RBI's goal in risk management is to ensure that it understands,
measures and monitors the various risks that arise and that the
organization adheres strictly to the policies and procedures which are
established to address these risks. As a financial intermediary, RBI is
primarily exposed to credit risk, market risk, liquidity risk, operational
risk and legal risk.

RBI has a central Risk, Compliance and Audit Group with a mandate to
identify, assess, monitor and manage all of RBI's principal risks in
accordance with well-defined policies and procedures. The Head of the
Risk, Compliance and Audit Group reports to the Executive Director
responsible for the Corporate Center, which does not include any
business groups, and is thus independent from RBI's business units. The
Risk, Compliance and Audit Group coordinates with representatives of
the business units to implement RBI's risk methodologies.

Committees of the board of directors have been constituted to oversee
the various risk management activities. The Audit Committee of RBI's
board of directors provides direction to and also monitors the quality of
the internal audit function. The Risk Committee of RBI's board of
directors reviews risk management policies in relation to various risks
including portfolio, liquidity, interest rate, off-balance sheet and
operational risks, investment policies and strategy, and regulatory and
compliance issues in relation thereto. The Credit Committee of RBI's
board of directors reviews developments in key industrial sectors and
RBI's exposure to these sectors.


The Asset Liability Management Committee of RBI's board of directors
is responsible for managing the balance sheet and reviewing the
asset-liability position to manage RBI's market risk exposure. The Agriculture
& Small Enterprises Business Committee of RBI's board of directors,
which was constituted in June 2003 but has not held any meetings to
date, will, in addition to reviewing RBI's strategy for small enterprises
and agri-business, also review the quality of the agricultural lending and
small enterprises finance credit portfolio.
As shown in the following chart, the Risk, Compliance and Audit Group
is organized into six subgroups:

Credit Risk Management, Market Risk Management, Analytics, Internal
Audit, Retail Risk Management and Credit Policies and Reserve Bank of
India Inspection. The Analytics Unit develops proprietary quantitative
techniques and models for risk measurement.























CREDIT RISK MANAGEMENT IN COMMERCIAL BANKS


Risk Management in HDFC Bank

HDFC Bank has formulated a Risk Management Framework. The Risk
Management Committee (RMC) apprises the Audit Committee and the
board of the risk assessment and mitigation mechanisms of the
Corporation. The RMC comprises the Executive Director as chairperson
and senior management heading key functional areas as members of the
committee. During the year, the Audit Committee and the board
reviewed the efficacy of the Risk Management Framework, the key risks
associated with the business of the Corporation and the measures in
place to mitigate the same.
The audit committee formulated a Risk Management Framework.





Risk Management through ALM technique
There are three different but related ways of managing financial risks.
• The first is to purchase insurance. But this is viable only for certain
types of risks such as credit risks, which arise if the party to a
contract defaults.
• The second approach refers to asset liability management (ALM).
This involves careful balancing of assets and liabilities. It is an
exercise towards minimizing exposure to risks by holding the
appropriate combination of assets and liabilities so as to meet the
earnings target of the firm.
• The third option, which can be used either in isolation or in
conjunction with the first two options, is hedging. It is to an extent
similar to ALM. But while ALM involves on-balance sheet
positions, hedging involves off-balance sheet positions. Products
used for hedging include futures, options, forwards and swaps.
It is ALM, which requires the most attention for managing the financial
performance of banks. Asset-liability management can be performed on
a per-liability basis by matching a specific asset to support each liability.
Alternatively, it can be performed across the balance sheet. With this
approach, the net exposure of the bank's liabilities is determined, and a
portfolio of assets is maintained, which hedges those exposures.








Asset-liability analysis is a flexible methodology that allows the bank to
test interrelationships between a wide variety of risk factors including
market risks, liquidity risks, actuarial risks, management decisions,
uncertain product cycles, etc. However, it has the shortcoming of being
highly subjective. It is up to the bank to decide what mix would be
suitable to it in a given scenario. Therefore, successful implementation
of the risk management process in banks would require strong
commitment on the part of the senior management to integrate basic
operations and strategic decision making with risk management.
The scope of ALM function can be described as follows:
• Liquidity risk management.
• Management of market risks.
• Trading risk management.
• Funding and capital planning.
• Profit planning and growth projection.
The objective function of the risk management policy in financial
entities is twofold. It aims at profitability through price matching while
ensuring liquidity by means of maturity matching. Price matching aims
to maintain interest spreads by ensuring that deployment of liabilities
will be at a rate more than the costs. This exercise would indicate
whether the institution is in a position to benefit from rising interest rates
by having a positive gap (assets > liabilities) or whether it is in a
position to benefit from declining interest rates by a negative gap
(liabilities > assets). The gap between the interest rates (on
assets/liabilities) can therefore be used as a measure of interest rate
sensitivity. These spreads can, however, be achieved if interest rate
movements are known with accuracy.
Similarly, grouping assets/liabilities based on their maturity profile
ensures liquidity. The gap is then assessed to identify future financing
requirements. However, there are often maturity mismatches, which may
to a certain extent affect the expected results.

















RISK MANAGEMENT GROUPS AND SUBGROUPS OF HDFC










Managing Director and CEO
Audit / Risk / Credit / Agriculture & Small Enterprises Business Committee of the Board
Executive Director / Corporate Center
Head Risk Compliance & Audit Group














Risk Management of Standard Chartered Bank

Standard Chartered is the world's leading emerging markets bank
headquartered in London. It offers both consumer and wholesale
banking services. The bank employs 30,000 people in over 500 locations
in more than 50 countries including the Asia Pacific Region, South Asia,
the Middle East, Africa, the United Kingdom and the Americas. The
world-wide IT infrastructure features 5,000 servers and 35,000 desktops.
IT supports 600 different applications.
The main business problem is that the bank needs an effective method
for tackling critical security problems quickly and efficiently in a
high-risk, high-profile environment. Further, developing an effective,
global, risk-driven approach to security in a highly distributed
enterprise is on the agenda.
[Chart boxes: Retail Risk Management | Market Risk Management | Credit Risk Management | Credit Policies (RBI)]

Standard Chartered's Requirements



Prioritise patching effectively
Detect vulnerabilities quickly
Integrate easily with existing proprietary security approach
Solution
QualysGuard Enterprise to automate the network discovery, scanning,
patching and verification process.



Why Qualys?
Accuracy
Ease of global deployment
Scalability
Value for money
Integration with established security operations

The stakes are very high indeed. With our many large and complex
interconnections to the outside world, it's vital to carry out effective
patch management. Our aim is to achieve the right level of security
through implementing an appropriate risk-based strategy. This cannot be
achieved without a clear and accurate understanding of what needs
patching and ensuring that it remains reliably patched. We use
QualysGuard as a dynamic tool to underpin this process.
The aim is to achieve the right level of security on our global networks.
This means a clear and accurate understanding of what needs patching
and ensuring that it remains reliably patched. We rely upon
QualysGuard to underpin this process.



Being able to report on remediation and response plans has also helped
us meet strict financial compliance requirements. QualysGuard reports
give me and my security team an instant overview of the overall level of
health of security in my organisation.




Standard Chartered's Need for Vulnerability Management
Security monitoring in an environment like Standard Chartered's
requires the capability to cover diverse IT platforms - including both
Windows and Linux - and many applications and services. Its goal was
to consolidate these ad-hoc efforts into one cohesive, global process with
clear visibility, follow through and accountability.
Before the introduction of enterprise vulnerability management,
Standard Chartered's network topology and system configurations were
unknown. Local operating teams performed only occasional scanning
with various tools. Spot audits were made through penetration testing
and there was no rigorous methodology to assess exposure and take
corrective action.
The bank evaluated four alternatives including tools from Foundscan,
ISS, Vigilante and X-Force but eventually, it selected QualysGuard on
six clear criteria:
Scanning accuracy, deployability, scalability, ease-of-use, integration
capabilities and overall cost effectiveness.
"It was the only solution which met our demands without compromise,
giving the bank a reliable, centralised method for protecting our critical
assets worldwide. Their experience of rolling out QualysGuard has been
remarkably painless. Working with our integration team in both London
and Singapore, the service has been consistently high."








The role of Vulnerability Management at Standard Chartered
By introducing vulnerability management, Standard Chartered gained a
clear picture of the exposure with common standards worldwide. The
company has been able to quickly prioritise remediation; get security
and operating teams to work together smoothly and effectively and
empowered outsourcing vendors to meet specific security service level
agreements.
Many major viruses have the ability to recur and creep insidiously back
into the network causing considerable problems; another reason why on-
going scanning is important.
Although Standard Chartered Bank was not hit the first time round by
SQL Slammer, the worm did manage to infect the network a number of months
later due to difficulties in restoring patched server builds after
operational problems. Our IDS engines and QualysGuard enabled the
Bank to pinpoint rapidly the source of the problem and close it down,
avoiding major infection.
Reports Help to Improve Risk Management and to Address Regulatory
Requirements
QualysGuard's easily accessible reports provide a clear audit trail for
fixing vulnerabilities. Delivered on a monthly basis to the bank's
operational risk committee, they have enabled Standard Chartered to
improve its risk management methodology and address regulatory
requirements that impact financial institutions.





These reports help the security group support the front-line production
operations team more effectively to patch and maintain the security of
the whole network. They allow centralised management by checking the
patch management performance, tracking patching actions to completion
and distributing tasks to the relevant geographic support group.



Regulatory pressures and increased exposure are driving more complex
requirements for managing security risk. The vulnerability management
strategy gave the bank the ability to view and act upon security risk as it
pertains to our organisation's assets.
The reports also enable management to justify the investments we need
and further define the security strategy. Today, the bank really can
deploy our security manpower much more effectively in both preparing
and responding to security incidents.
Standard Chartered Bank, an international bank that provides interest
rate derivatives products for corporate customers globally, is expanding
its Sun Microsystems technology infrastructure in four offices
worldwide as it implements a more sophisticated, object-oriented global
derivatives trading system.






Risk Management in Union Bank

Risk is an inherent part of a bank's business. Effective risk management
is critical to any bank for achieving financial soundness. In view of
this, aligning risk management to the Bank's organizational structure and
business strategy has become integral to the banking business. Over a
period of years, Union Bank of India (UBI) has taken various initiatives
for strengthening risk management practices. The Bank has an integrated
approach to the management of risk and, in tune with this, has formulated
policy documents taking into account the business requirements / best
international practices or as per the guidelines of the national supervisor.
These policies address the different risk classes, viz. Credit Risk,
Market Risk and Operational Risk.
The issues related to Credit Risk are addressed in the policies stated
below:



Loan Policy
Credit Monitoring Policy
Real Estate Policy
Credit Risk Management Policy
Collateral Risk Management Policy
Recovery Policy
Treasury Policy

The Policies and procedures for Market Risks are articulated in the ALM
Policy and Treasury Policy.

Operational Risk Management involves a framework for managing the
operational risks faced by the Bank. The issues related to this risk are
addressed by:

Operational Risk Management Policy
Business Continuity Policy
Outsourcing Policy
Disclosure Policy

Besides the above Board-mandated policies, the Bank has detailed Internal
Control Principles communicated to the business lines for ensuring
adherence to various norms such as Anti-Money Laundering, Information
Security, Customer complaints, Reconciliation of accounts,
Book-keeping etc.
Oversight Mechanism



Our Board of Directors has the overall responsibility of ensuring that
adequate structures, policies and procedures are in place for risk
management and that they are properly implemented. Board approves
our risk management policies and also sets limits by assessing our risk
appetite, skills available for managing risk and our risk bearing capacity.
Board has delegated this responsibility to a sub-committee: the
Supervisory Committee of Directors on Risk Management & Asset
Liability Management. This is the apex body / Committee responsible
for supervising the risk management activities of the Bank.
Further, Bank has the following separate committees of top executives
and dedicated Risk Management Department:
Credit Risk Management Committee (CRMC): This Committee
deals with issues relating to credit policies and procedure and
manages the credit risk on a Bank-wide basis
Asset Liability Management Committee (ALCO): This Committee
is the decision-making unit responsible for balance sheet planning
and management from the angle of risk-return perspective
including management of market risk
Operational Risk Management Committee (ORMC): This
Committee is responsible for overseeing the Bank's operational risk
management policy and process
Risk Management Department of the Bank provides support
functions to the risk management committees mentioned above
through analysis of risks and reporting of risk positions and
making recommendations as to the level and degree of risks to be
assumed. The department has the responsibility of identifying,
measuring and monitoring the various risks faced by the bank, assisting in
developing the policies and verifying the models that are used for
risk measurement from time to time
