Risk Management - Priorities for the Indian Banking Sector1

http://www.rbi.org.in/scripts/BS_SpeechesView.aspx?Id=456

The new decade is predicted to be more transformational than the first decade of this millennium for the
Indian economy and the Indian financial system. If the last ten years have seen transformation in terms of consistently
higher growth rates, adoption of core banking solutions, transformation in the payments systems and greater
integration with the global economy, the coming decade will see unprecedented volume of business for the Indian
financial system as it tries to meet the challenges and requirements of rapid and inclusive growth. Information
Technology (IT) has made it possible for banks to deal with large numbers and such growth in volume and value of
business will obviously imply huge challenges for risk management, which in turn will have to depend on human
resources and IT in dealing with the new normal- a theme so apt for this conference.

2. The major challenge is, clearly, having the human resources of the right kind and numbers and the ability to retain
skilled personnel. From having personnel to deliver banking services to the poorest, to having the expertise to deliver
sophisticated financial products and adopt consistent risk management practices across the organisation, will be the
key to managing huge organisations optimally.

3. If one of the reasons for the global financial crisis was that the financial sector grew out of sync with the real sector
in the advanced economies, in India the position is different in that the financial system has to ensure that it meets the
requirements of the growing real sector. Risk is inherent in banking as banks essentially trade in risk in the process of
maturity transformation. Therefore, banks cannot afford to be risk avoiders. At the same time ‘banker’s prudence’,
something that is critical to safety of the depositors’ funds, has to be the underlying philosophy at all times. The risk
return relationship has to be optimally balanced for welfare enhancing outcomes.

4. The crisis has thrown up some critical issues relevant to risk management policies:
• The business model matters. Banks that were extremely aggressive in the trading books were clearly more affected.
Those that had a fair degree of traditional banking were less affected.
• There has to be an intuitive approach to risk. Despite huge growth in leverage and huge expansion of ‘on’ and ‘off-
balance’ sheet items, complex risk models threw up measures of risk that seemed to be quite capable of being
absorbed. There was obviously a clear limitation to these models especially in times of stress. The inadequacies
stemmed from two perspectives –
(a) Use of past data without adequately factoring in the data from acute periods of stress and
(b) The presumption that the highly sophisticated mathematical models could be as successful as they are in
physical sciences.
The latter presumption is clearly wrong inasmuch as financial events are heavily influenced by largely
unpredictable or irrational human behaviour which models cannot capture. Nevertheless, these are useful when
considered as one of the inputs supplemented by stress/ scenario analysis and informed judgement. The other
aspect which causes serious concern is that the comprehension of these models remains confined to a small
group of Quants and it becomes very difficult for the top management and boards to comprehend the actual risk
undertaken by the organisation. These lessons will have to be kept in view now that some of the banks will move
towards advanced approaches.
• Pricing of risk is important. There is a temptation to under-price risk whenever there is excess liquidity and pressure
to generate profits. Pricing below cost can be risky and the risk cost is very often not captured adequately.
Moreover, this gives rise to asset price bubbles with attendant implications.
• While credit, market and operational risk are captured in the capital framework under Pillar I of Basel II, liquidity risk,
concentration risks, strategic risk, reputation risk and risks arising out of securitisation, off balance sheet vehicles,
valuation practices need to be recognised. Banks’ Boards need to focus on all these risks and set firm wide limits
on the principal risks relevant to the banks’ activities. Banks should focus on robust stress testing. Compensation
packages should also form part of risk management policies.
• This crisis has also highlighted the importance of internal controls, good corporate governance and risk
management. As shown in the Senior Supervisors Group Report on Risk Management, some banks with strong
risk management systems weathered the current crisis much better than many banks that had poor or inadequate
risk management systems.
• For banks that are part of financial conglomerates, the process of risk management must focus on intra group
exposures and transactions as also group wide exposures to sectors and borrowers.
• The new element recognised in this crisis is that even while sound risk management policies are observed at the firm
level there could be systemic risks over which individual banks have no control and this calls for risk management
at the systemic level – viz. ensuring financial stability by financial regulators and policy makers.

5. I will now turn to the key areas where banks need to focus while planning their businesses for higher growth,
keeping in view the on-going international regulatory initiatives. The Basel Committee has brought out on December
17, 2009, two consultative documents containing key proposals that will be taken up for an impact study before
adoption. These proposals cover raising quality and coverage of capital to ensure loss absorbency on a going and
gone concern basis, greater stress on Tier-I and common equity component, introduction of leverage ratio, measures

1
to deal with pro cyclicality such as capital buffers and forward looking provisioning, introduction of minimum liquidity
ratios and enhanced capital for trading book securitisations and counterparty credit exposures.

6. While our assessment is that Indian banks will be generally able to meet these enhanced requirements, it is useful
to see on a rough and ready basis what the present position is in this regard. Our assessment shows that:
• The common equity component as percent of total assets stood at 7 per cent in March 2009 for Indian banking
sector as against a range of 3 per cent to 4 per cent for large international banks. Total CRAR is 13.75 percent
with Tier I at 9.4 per cent. Thus Indian banks are in a position to meet the growth requirements currently and have
reasonable period to plan and raise required capital for future growth.
• The leverage ratio for Indian banks including credit equivalents of off-balance sheet) was about 17 per cent in March
2009 and can be considered reasonable.
• While the SLR has stood us in good stead, banks would do well to assess their liquidity risk against the more
calibrated liquidity ratios put out in the consultative document such as the proposed short term liquidity coverage
ratio and long term net stable funding ratio. This should be a regular exercise for banks that have significant share
of bulk deposits and CDs.
• The Basel proposals for forward looking provisioning are based on advanced approaches using through the cycle
PDs etc. In India, banks are yet to adopt advanced approaches. The gross NPAs for the banking sector have
increased from 2.4 per cent as on March 31, 2008 to 2.6 per cent as on September 30, 2009. In the context of the
rising NPAs and the likely slippages in the restructured accounts, we had introduced the 70 per cent provisioning
coverage ratio for NPAs as a forward looking requirement. Most banks currently meet this ratio. For standard
assets, in alignment with the Basel proposals for forward looking provisioning, more work needs to be done based
on sectoral trends and measurements of estimated loss based on something like the Spanish dynamic
provisioning model.
• In the case of capital for trading book and counterparty exposures, while some enhancements have been made for
forex derivatives, more work will be required for counterparty exposures and other derivatives. Nevertheless,
looking at the interest rate risk for the entire balance sheet rather than the trading book alone, duration gap
analysis could be a useful tool for managing interest rate risk.

7. Let me next turn to the areas where banks need to be sensitive to risk:
• While overall, credit growth in the banking sector has been slower in the current year, certain sectors like real estate,
infrastructure and NBFCs have seen higher rates of growth. Credit to commercial real estate (CRE) has fallen in
the half year ended September 2009 evidencing higher risk perception. However credit to NBFCs and
infrastructure continues to be high. While the country needs infrastructure financing of significant magnitude,
banks that essentially mobilise short term resources do face risk on account of ALM, large size exposures and
some risks beyond their control such as implementation hurdles. The emergence of long term investors such as
pension and insurance funds, development of corporate bond market, and single name CDS may help in de-
risking to a certain extent banks exposures to infrastructure.
• A phenomenon that RBI has brought to attention of banks recently is the large investments by banks into debt
oriented mutual funds. MFs have invested large amounts in bank CDs. Banks that have a significant part of their
liabilities in form of CDs have to be sensitive to the rollover risk. Equally, banks that have large investments in
MFs have to be sensitive to the liquidity risk in the event of the need for sudden redemption by large investors at
the same time. This distortion -whereby MFs are apparently acting as intermediaries in what should otherwise
have been intermediated in the interbank market - is something that needs to be addressed. Besides there are
concerns about the direction of flow of resources through MF intermediation.
• In the case of lending to NBFCs engaged in micro finance treated as priority sector lending by banks, there is a risk
that multiple lending and high interest rates could lead to deterioration in asset quality. As originator of these loans
no longer have stake in them, banks would do well to assess the credit quality of these loans by better oversight at
the grass root level on a sample basis.
• While banks have been diversifying their operations and are into new businesses, it is necessary to recognise the
reputation risk, especially when promoting VCFs and other such funds. As is now well known, internationally many
banks had previously offloaded certain items from their balance sheet to specialised investment vehicles. During
the market crunch the banks had to take back those assets on their balance sheets.
• Securitisation of assets by banks in India during the year ended March 31, 2009 showed a decline of about 30% over
the previous year. This might affect the profitability of banks which have been undertaking securitisation activity as
one of the main business lines. However, the securitisation activity may pick up once the retail loan segment starts
growing again. RBI would shortly issue guidelines on minimum retention requirement and minimum holding period
for securitisable loans.
• While hedging or remaining unhedged is the prerogative of the borrowers, banks must remember that the unhedged
position of their borrowers can quickly translate into severe stress on their asset quality and hence it is absolutely
necessary that the unhedged position of the corporates are closely monitored and this is built into the credit and
other rating assessment of the borrowers while extending facilities to them.
• Excess liquidity in the system has once again led to the familiar phenomenon of sub PLR short-term lending; banks
would do well to recognise re-pricing and rollover risk.
• To remove the credit information asymmetry, RBI has taken long term steps inasmuch as it has issued in-principle
authorisation for setting up four credit information companies. This may take some time to become operational. It
must however be recognised that the system will function only to the extent timely and accurate information is

2
 made available and made use of. I understand that these are not happening both in providing information to CIBIL
as well as making full use of the range of information available particularly for corporate credit.
• While introduction of technology in banking has increased the speed and accuracy of service delivery, it has also
increased banks’ vulnerability to cyber frauds. Banks need to put in place appropriate control mechanisms to
prevent such frauds.
• It is necessary for the banks now to take technology from the core banking solution to a higher level to build up
adequate MIS capability. Unless this is done, risk management cannot be of the highest order and banks will not
be able to meet the challenge of an increasingly sophisticated financial system.
• In the area of housing loans, teaser rates are increasingly being offered which is a cause for concern. I hope banks
are ensuring that borrowers are well aware of the implications of such rates and the appraisal takes into account
repaying capacity of the borrowers when the rates become normal.
• Current experience worldwide has called for robust stress testing practices in the banks. Stress testing alerts bank
management to adverse unexpected outcomes related to a variety of risks and provides an indication of how
much capital might be needed to absorb losses should large shocks occur. In India, banks should not take stress
testing exercise a mere compliance requirement but accord due importance to it to facilitate the development of
risk mitigation or contingency plans across a range of stressed conditions.

8. To conclude, Indian banking system which has shown resilience in withstanding the global crisis is well placed to
meet the requirements of the rapid inclusive growth. Even in the new paradigm under Basel, the system is well placed
in terms of capital and liquidity. Strong HR and sound risk management practices will stand the banks in good stead
while they strive to meet the challenges of the next decade.
Thank you.

1
Opening remarks of Smt. Usha Thorat, Deputy Governor, Reserve Bank of India at the Panel Discussion on ‘Risk Management: Priorities for the
Indian Banking Sector” chaired by her at ‘BANCON- Indian Banking Conclave 2009-10’ on January 12, 2010 at Mumbai.

+++++

Changing Paradigms in Risk Management1

http://rbidocs.rbi.org.in/rdocs/Speeches/PDFs/73020.pdf

The world of finance has always had an intuitive understanding of risk. The risks
that emerge from the increased variety and complexities of banking business, as
well as from the various new drivers of growth has pushed the contours of risk
management in banks much beyond what would probably have existed in the
more traditional forms of banking activity of accepting deposits and lending in
relatively stable environments. Internationally, the last two decades or so have
witnessed significant changes in the profile of the banking sector, as well the
nature of risk management in banks. What perhaps has changed the nature of
risk management, particularly are, inter-alia, advances in technology that have
aided quantitative approaches to risk management, like models etc., and the
increasing volumes of transactions in derivatives and other structured products
that are so complex that they are often labeled “exotic”. India too has responded
to this change, tempered with a gradualist, non disruptive approach, that has
stood us in good stead over the years.

In my brief remarks today, I intend to first, highlight few of the broader and more
general issues currently engaging the financial risk management fraternity and
then, move to the Indian context in this regard.

I. Some general perspectives on risk management

Quantification of risk and model risk: As mentioned earlier, significant

developments in the area of quantification of risk, has shifted focus to statistical
aspects of risk management, especially to risk modeling and other computational
techniques of risk measurement. During the last decade there has been a
proliferation of academic research on the use of VaR for market risk assessment.
Such models have to be used with some care and serious examination of the
data used, especially the use of historical data for forecasting future scenarios,
the assumptions behind the models, estimation errors etc. Further, if intraday
positions are not captured it would expose banks to such risks.

Similarly in respect of Credit Risk, there is no single ‘‘best practice’’ model for
credit risk capital assessment, although the Basel 2 ‘‘Internal Rating Based’’
methodology provides a portfolio model. Bank managements will have to focus

3
on the determinants of credit risk factors, the dependency between risk factors,
the integration of credit risk to market risk, data integrity issues like consistency
of data over long periods, accuracy and so on.

Institutions are already mapping events to operational loss categories and

building warehouses of operational risk data for implementation of Advanced
Measurement Approaches. Many data availability and reliability issues still need
resolving. An internal loss experience for the important (low frequency, high
severity) operational risk types is rare and any relevant data are likely to be in the
form of risk self-assessments and/or external loss experiences.

Extreme events and stress testing: One of the key roles of the risk management
process is to manage extreme events, such as those associated with the tails of
statistical distributions and could have probability of occurrence as low as one
percent. These are low probability but high loss instances associated with
extreme operational events such as rogue trading or accounting fraud. The
importance of stress testing to assess the impact of not only these events but
also the impact of various scenarios is engaging the attention of risk
management personnel, academicians and bankers alike

Risk based capital and back-testing: An important reason as to why the

quantitative techniques have received so much attention, is not because of the
intellectual satisfaction it can give to the academician but a rather mundane
reason that it can be used to convince the regulator that given the risks as
measured by these techniques the amount of capital required could be far less
than that may be stipulated under broad brush, standardized techniques. An
immediate linkage between the risk models, the quantum of risk that is measured
by use of these models and the capital that is required to support these risks
immediately emerge. Estimates of capital being sufficient to meet the risk can be
only as good as the models are and the credibility of the models would ultimately
depend upon their actual performance. Back testing the models to gauge and
reduce the variance between the deviations of the actual numbers from those
projected are largely relied upon to give a degree of comfort to both management
of banks and supervisors alike.

II. Indian Perspective

Internationally, there has been a continuous coordinated effort under the aegis of
institutions like the BIS to evolve best practices in risk management in banks and
these have gradually come to be accepted as some sort of international
standards for banks across the world to benchmark themselves to. At the
regulatory and supervisory level also, there has been an effort to achieve
convergence to the best practices set out by the BCBS after duly allowing for
national characteristics and feasibility. Banks have responded to this initiative
with varying levels of effectiveness.

It was in October 1999, that the Reserve Bank issued guidelines on Risk
Management in banks setting out its expectations from banks; the guidelines
adopted an integrated approach to risk management. Even earlier, in February
1999, banks were advised to set up an asset liability management framework to
manage liquidity and interest rate risk. In this context, I would like to make
following observations:

a) The need to accelerate the speed at which banks have been moving
towards establishment of risk management systems

b) The need to achieve convergence with regulatory and supervisory

expectations/requirements while deciding on the sophistication of methods
to be adopted.

c) Developing appropriate risk management architecture, MIS and skill

enhancement

d) The need to integrate risk management process with capital planning

strategies

4
The current business environment, with its pointed emphasis on corporate
governance, is making it critical for banks to explain their risk profiles publicly
with greater clarity and detail than ever before. Risk is still a complex and
technical subject, so achieving transparency will not be easy. Internal
constituents, analysts, ratings agencies, investors, and regulators all have
varying levels of understanding of advanced risk measurement techniques. All
will require continuing education before the market as a whole reaches a
common understanding of risk. In particulars, direct stakeholders in any
transaction need to be aware of the risks involved. For the third pillar of Basle II
(Market Discipline) to be efficacious, it is important that the stakeholders are
aware of the risks involved in the banks’ transactions and the systems in place to
manage the risks. In this context, the importance of an appropriateness policy for
banks offering various products to the corporate clients can't be overemphasised.

The risk management systems developed by banks would include a lot of

attention of top management to the suitability of IT structure including issues of
connectivity, designing an MIS format that is risk focused, setting up an
organization to manage risk that ensures segregation of risk assessment from
operations, frequent review of risk management systems to ensure there is no
slippage and last but not the least, to develop appropriate skills within the
organization. In this context, it must be kept in view that risk management is not
the sole concern of the risk management department but rather a culture that
pervades the whole organization with specific support from the top management.

III. Recent initiatives in risk management

In India, over the years various steps have been taken to strengthen the Risk
Management Architecture, both at the bank specific level as well as a broader
systemic level.

ALM Guidelines: Most banks have put in place an ALM framework. However
there is lot to be done to internalize this framework as a part of the overall risk
perceptions of the bank and the capital planning strategy of the bank. Issues in
data infirmity still remain to some extent. In many cases, the ALCO’s role
remains confined to deciding on interest rates of the bank. This is partly due to
lack of decision support system available to the ALCO. Availability of impact and
scenario analysis of changes in yield structures would be a significant enabling
factor.

The Reserve Bank has recently issued draft guidelines to banks with the
objective of graduating from the current maturity ladder approach prevalent in
most banks to a duration gap approach. The later approach makes it possible for
banks to calculate the modified duration of assets and liabilities, the duration gap
and duration of equity. The concept of duration of equity gives banks, subject to
certain limitations, a single number indicating the impact of a one per cent
change of interest rate on its capital, captures the interest rate risk and thereby
helps move a step forward towards assessment of risk based capital/economic
capital.

Credit risk: Another important issue is that bank resources and supervisory
resources have concentrated on credit risk modeling of commercial and industrial
portfolios, with relatively fewer resources devoted to risk quantification in the
retail credit area2. The possible reasons could be (i) from a systemic perspective,
it makes economic sense to devote more resources to evaluating the risk factors
of larger loans (ii) there is a long history of ratings agency evaluations for
publicly traded firms which , along with the extensive data available for publicly
traded firms, provided an extremely useful benchmark for the development of
quantification methods for commercial portfolios.

However, despite this commercial side emphasis, retail credit is a

substantial part of the risk borne by the banking industry, and can not be ignored.
Recognizing this, over the last decade or so, the industry and academia have
devoted significant resources to developing more sophisticated credit-scoring
models for measuring this risk. Like their counterparts on the commercial side,
these models also rely heavily on quantitative analysis.

5
Derivatives: There has been a spurt of derivatives exposures in the off balance
sheet exposures. The composition of derivatives portfolio of the banking system
has also undergone a significant transformation. Forward foreign exchange
contracts which accounted for around 80% of total derivatives in March 2002
declined steadily and stood at almost 43% in March 2006 while the share of
interest rate contracts went up from 19% to 54% during the same period. Foreign
currency options have recorded noticeable increase during the last year. The
share of single currency interest rate swaps in total derivatives of the banking
system has risen sharply from 15% in March 2002 to 53% in March 2006.
The risks arising on account of OBS activities of banks are controlled
through a combination of both banks’ internal risk management and control
policies and risk mitigation mechanism imposed by the regulators. The board
approved internal control policies covering various aspects of management of
risks arising both on and off balance sheet exposures constitute the first line of
defence to the bank. Holding of minimum defined regulatory capital for all OBS
exposures, collection of periodic supervisory data and incorporating transparency
and disclosure requirements in bank balance sheet are some of the major
regulatory initiatives undertaken to control and monitor OBS exposures of the
banking system.

The rapid proliferation of derivatives exposures inevitably poses a

challenge on account of the downside risks associated with them, if not managed
properly. There are issues relating to use of structured products, valuation,
counterparty related issues, risk management and reporting issues and last but
not the least, training and skill development. While derivatives facilitate risk
hedging and risk transfer to institutions more willing to bear the risks, the
tendency of participants to use derivatives to assume excessive leverage, and
lack of prudential accounting guidelines are matters of concern.
One of the features of in the Indian derivative market relates to
concentration risk in respect of both the market makers (banks) and the
corporates. The combined share of top 15 banks has steadily grown from around
74% in March 2002 to 82% of total OBS exposures of the banking system in
March 2006, of which 62% is accounted for by foreign banks. Concentration of
knowledge is another risk which results in the concentration of derivative activity
among few players.

RBI has been stressing on the need to carry out due diligence regarding
customer appropriateness and suitability of products before offering derivative
products to their customers. There is need to use risk mitigation techniques such
as collaterals and netting to reduce systemic risks and evolve appropriate
accounting guidelines.

RBI has also issued two separate draft guidelines, one for
valuation/accounting of investment portfolio in general and the second relating to
derivatives. The proposed guidelines attempt to put in place fair value accounting
norms for derivatives broadly in line with IAS 39, the international accounting
standard for valuation and accounting for financial instruments. For investments,
the proposed framework envisages a symmetrical treatment for unrealized gains
and losses, with gains for HFT being reflected in the Profit and loss account. For
AFS, however, a gain or loss on subsequent measurement shall be reflected in
‘Unrealised gain/ loss on AFS portfolio’. Similarly for derivatives, all valuation
gains and losses are proposed to be routed either through the P&L (for less than
90 days) and or through a new account titled ' Unrealised gains/losses on
derivatives' (90 days and more), somewhat similar to AFS portfolio. The idea is to
bring all derivative transactions 'on-balance sheet' as against 'off-balance sheet'
as is being done currently.

Further, in order to address all issues related to derivatives in a

comprehensive manner, we are now in the process of harmonizing the regulatory
prescriptions based on generic principles rather than approving specific products.

Stress Testing: The Governor in his Monetary Policy for 2006-07 had stressed
the need for banks to have robust stress testing process for assessment of
capital adequacy given various possible events like economic downturns,
industrial downturns, market risk events and sudden shifts in liquidity conditions.
Similarly exposures to sensitive sectors and high risk category of assets would

6
have to be subjected to more frequent stress tests based. Stress tests would
enable banks to assess the risk more accurately and, thereby, facilitate planning
for appropriate capital requirements.
Subsequently RBI has issued draft guidelines on stress testing. These
guidelines cover all major risk areas viz. market risks, credit risks, operational
risks and liquidity funding risk. Banks are required to identify an appropriate
range of realistic adverse circumstances and events in which the identified risk
crystallises and estimate the financial resources needed by it under each of the
circumstances to : a) meet the risk as it arises and for mitigating the impact of
manifestation of that risk; b) meet the liabilities as they fall due; and c) meet the
minimum CRAR requirements. It may be pertinent to note that the banks have
been advised to apply stress tests at varying frequencies dictated by their
respective business requirements, relevance and cost.

Financial Conglomerates: There is increasingly a need to extend the framework

of risk management to the group wide level, particularly among financial
conglomerates. The rapid expansion of financial services, both in terms of
volumes and variety have, as it is, posed a challenge for financial stability. This is
made all the more difficult by the organisational dimension which perhaps
provides scope for regulatory arbitrage. While this could appear beneficial to the
organisation in the short run, it only hightens systemic risk that in turn exposes
the institution to externalities which have a cost. There has been entry of some
banks into other financial segments like merchant banking, insurance and
several new players have emerged who have a diversified presence across
major segments of financial sector. Some of the non-banking institutions in the
financial sector can acquire proportions large enough to have a systemic impact.
It has, therefore, become necessary not only for the supervisor to have a
“conglomerate” approach to regulation and supervision but also for banks
themselves to put in place risk management systems at global levels i.e for the
whole organizational as a whole, rather than only the bank level. The risks
associated with conglomeration may include:

1. The moral hazard associated with the ‘Too-Big-To-Fail’ position of many

financial conglomerates;
2. Contagion or reputation effects on account of the 'holding out'
phenomenon;
3. Concerns about regulatory arbitrage, non-arm’s length dealings, etc.
arising out of Intra-group Transactions and Exposures (ITEs) both
financial and non-financial

It is in this context that the issue of integrated risk management, at the enterprise
wide as well as group wide level, acquires significance. RBI has put in place a
framework for oversight of financial conglomerates, along with SEBI and IRDA.
Half-yearly discussions have also been initiated with the Chief Executive Officers
of the designated entities of the conglomerates to address outstanding issues/
supervisory concerns.

IV. To conclude, at the systemic level, efforts have been made to create an
enabling environment for all market participants in terms of regulation,
infrastructure and instruments. In this context, let me mention about two recent
legislative developments that may have far reaching impact on the financial
markets in India. One is the promulgation of the RBI (Amendment) Act, 2006. A
major issue of concern in the OTC derivatives market in India was the issue of
legality. While the Securities Contract Regulation Act, 1956 gave specific legal
recognition to derivative instruments traded in the exchanges, there was no
explicit legal recognition of OTC derivatives in India. As legal clarity is a basic
requirement for the healthy development of any market, legality of OTC
derivatives was provided by an appropriate amendment to the RBI Act, with
retrospective effect. RBI has also been now empowered to regulate the interest
rate and forex OTC derivatives market. The second legislative development
pertains to the enactment of Government Securities Bill. The substantive
changes brought about in the Government Securities Act are that it provides for
hypothecation, pledge and lien of government securities, maintenance of records
in electronic form and most importantly, enables STRIPing of Government
securities.

7
 Further, during the last few months, few liberalization measures have been
introduced in securities market, that would surely have a bearing on the risk
management practices in the market, the most important being introduction of
'when issued' trading and short selling in the G-Sec markets in a limited way.
Currently the when issued trading is limited to reissuances only. We are
examining extending this to new issuances also, as requested by market
participants.

What has developed incrementally over the years is now being consolidated and
once the regulations, infrastructure and appropriate accounting standards
stabilize, several other initiatives like credit derivatives could be considered.

1 Special Address by Smt. Shyamala Gopinath, Deputy Governor at the FICCI-IBA Conference
on "Global Banking: Paradigm Shift", September 27, 2006, Mumbai.

2 "Credit Risk Modeling: The Federal Reserve Bank of Philadelphia's Perspective" Anthony M. Santomero, President, Federal
Reserve Bank of Philadelphia
+++++
http://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=546

INDIA’S FINANCIAL SECTOR AN ASSESSMENT Volume IV

Advisory Panel on Financial Regulation and Supervision

(Committee on Financial Sector Assessment March 2009)

Chapter III
Assessment of Adherence to Basel Core Principles

Box 3.1: Basel Core Principles

The Basel Core Principles comprise 25 principles that need to be in place for a regulatory and supervisory
system to be effective. The principles relate to the following:-
Principle 1: Objectives, independence, powers, transparency and co-operation
Principle 2 to 5: Licensing and structure
Principle 2: Permissible activities
Principle 3: Licensing criteria
Principle 4: Transfer of significant ownership
Principle 5: Major acquisitions
Principle 6 to 18: Prudential requirements and risk management
Principle 6: Capital adequacy
Principle 7: Risk management process
Principle 8: Credit risk
Principle 9: Problem assets, provisions and reserves
Principle 10: Large exposure limits
Principle 11: Exposure to related parties
Principle 12: Country and transfer risks
Principle 13: Market risk
Principle 14: Liquidity risk
Principle 15: Operational risk
Principle 16: Interest rate risk in banking book
Principle 17: Internal control and audit
Principle 18: Abuse of financial services
Principles 19 to 21: Methods of ongoing supervision
Principle 19: Supervisory approach
Principle 20: Supervisory techniques
Principle 21: Supervisory reporting

8
 Principle 22: Accounting and disclosures
Principle 23: Corrective and remedial powers of supervisors
Principles 24 and 25: Consolidated supervision and cross border banking
Principle 24: Consolidated supervision
Principle 25: Home-host relationship

4.2 Summary Assessment of Commercial Banks

For the purpose of this assessment, the 25 Basel Core Principles for regulation and supervision of institutions have
been broadly categorised as under:

(i) Objectives, autonomy and resources (Principle 1)

(ii) Licensing criteria (Principles 2-5)
(iii) Prudential requirements and risk management (Principles 6-18)
(iv) Methods of ongoing supervision (Principles 19-21)
(v) Accounting and disclosure (Principle 22)
(vi) Corrective remedial powers (Principle 23)
(vii) Consolidated and Cross border banking (Principles 24-25)

The summary assessment of adherence to Basel Core Principles in respect of regulation and supervision of
commercial banks under the above mentioned broad categories is given below.

Table 8: Summary Assessment of Commercial Banks

S No. Principle C LC MNC NC
Objectives, autonomy and resources
1 Objectives independence, powers, transparency and co- √
operation
Licensing criteria
2 Permissible activities √
3 Licensing criteria √
4 Transfer of significant ownership √
5 Major acquisitions √
Prudential requirements and risk management
6 Capital adequacy √
7 Risk management process √
8 Credit risk √
9 Problem assets, provisions and reserves √
10 Large exposure limits √
11 Exposure to related parties √
12 Country and transfer risk √
13 Market risk √
14 Liquidity risk √
15 Operational risk √
16 Interest rate risk in banking book √
17 Internal control and audit √
18 Abuse of financial services √
Methods of ongoing supervision
19 Supervisory approach √
20 Supervisory techniques √
21 Supervisory reporting √
22 Accounting and disclosure √
23 Corrective and remedial powers of supervisors √
Consolidated supervision and cross-border banking
24 Consolidated supervision √
25 Home host relationship √
Total 7 11 6 1
C- Compliant, LC-Largely Compliant, MNC- Materially Non-Compliant, NC-Non-Compliant

4.3 Recommendations

In light of the gaps observed in its assessment of adherence to Basel Core Principles on the regulation of commercial
banks, the Panel has made certain recommendations to strengthen the regulation and supervision of these entities.

9
These are as under:

4.3.1 Constitution of Bank Boards

As per Section 10A(2)(b) of the Banking Regulation Act, 1949, directors5 on a bank’s board should not have
substantial interest in a company or firm. As per Section 5(ne) of the Banking Regulation Act, 1949, substantial
interest6 means a paid-up amount exceeding Rs. 5 lakh or 10 per cent of the paid-up capital of the company,
whichever is less. The low amount of Rs. 5 lakh acts as a constraint for having directors with requisite expertise on
banks’ boards.

The Panel recommends that these guidelines need to be reviewed and the limits defining ‘substantial interest’ revised
upwards so that banks can attract individuals with requisite expertise on their boards.

4.3.2 Internal Capital Adequacy Assessment Process (ICAAP)

The Board of banks have been advised to have approved policy on the Internal Capital Adequacy Assessment
Process (ICAAP) and to allocate capital as per the assessment. But progress in this regard is limited to a parallel run
of the revised framework. The Internal Capital Adequacy Assessment Process is yet to be implemented.

The Panel expects that this would be implemented consequent to the full migration of commercial banks to the
Revised International Capital Framework (Basel II) as stipulated by the Basel Committee on Banking Supervision (The
Panel notes that the Reserve Bank has since issued guidelines on the internal capital adequacy assessment process
as part of the supervisory review process under Pillar II of Basel II which is currently applicable to banks with overseas
operations and foreign banks. The guidelines would be applicable to all other banks from March 31, 2009).

4.3.3 Risk Modelling

In terms of the extant guidelines, the use of internal models for risk management is not specifically mandated.
Consequently, there is no system of periodic validation and independent testing of models and systems in the banks.

The Panel feels that a rigorous model-building exercise is needed. This will enable them to adopt a more advanced
Internal Rating Based (IRB) approach in respect of credit risk and an Advanced Measurement Approach (AMA) for
operational risk. If a bank intends to take recourse to the IRB or AMA approach for assessing credit and operational
risks respectively, it should have appropriate forward looking models in place which should be validated periodically.
The Panel recognises the need for capacity building in respect of banks and the Reserve Bank as the prime
precondition in this regard.

4.3.4 Credit Risk

The Reserve Bank has issued detailed guidelines on credit risk management in October 2002 which includes putting
in place policies and processes for identification, measurement, monitoring and control of credit risk. However, the
guidelines do not require that banks’ credit risk management policies / strategies should also include counterparty
credit risk arising through various financial instruments.

The Panel recommends issuance of suitable guidelines on credit risk to include counterparty risk arising through
various financial instruments.
5
This is applicable to only 51 per cent directors having specialised qualification.
6
Substantial interest in SSIs are excluded.

4.3.5 Provisioning for Sub-standard Loans

(i) The Reserve Bank has issued detailed guidelines on income recognition and asset provisioning. As per extant
guidelines, provisioning is not done on an individual basis in respect of the substandard category of NPAs.

The Panel feels that keeping in view the cost of compliance, the present stipulations could continue for the present.
However, considering the very large number of low value NPAs which are substandard, if at all provisioning has to be
done individual account-wise, a cut-off level should be set above which all accounts can be provided for individually.
This cut-off level above which all substandard assets have to be provisioned for may be lowered in a phased manner.

(ii) As per extant guidelines on provisioning, banks are required to make up to two per cent provision on standard
assets, while NBFCs do not need to make any provision on standard assets.

The Panel recommends a review of norms be made to reduce the possibility of regulatory arbitrage across categories
of financial institutions.

10
4.3.6 Exposure to the Capital Market

Globally, capital market exposure is measured based on risk and not quantitative limits. However, in India capital
market exposure cannot exceed 40 per cent of the net worth, and the limit for lending to individuals is Rs.10 lakh
(Rs.20 lakh in demat form) which appears to be low. Further, a uniform margin of 50 per cent is applied on all
advances/financing of IPOs/ issue of guarantees on behalf of stockbrokers and market makers.

The Panel recommends a review of these limits periodically keeping in view the associated risks arising out of such
exposures.

4.3.7 Liquidity Risk

(i) The Reserve Bank has issued detailed guidelines on liquidity risk and banks have a liquidity management strategy
in place. However, the effect of other risks on banks’ overall liquidity strategy is not covered in the guidelines.

The Panel feels that the enhancement of knowledge and quantitative skills in the banking industry is an essential pre-
requisite for analysing contagion risk. The banking sector is at a stage where it has initiated the implementation of
simple and standardised risk management techniques. An impact analysis of other risks on liquidity at this juncture
would therefore appear premature. The Panel also recognises the existence of diverse risk management techniques
across the banking sector. It recommends that the implementation of contagion risk management techniques be
undertaken in a phased manner. To begin with, it could be mandated for those banks that are in possession of
appropriate skill sets. The Panel also recommends that banks should initially concentrate on knowledge and
quantitative skill enhancement and fix a reasonable timeframe, say two years, before undertaking such forward
-looking analysis of contagion risk.

(ii) The extant guidelines on liquidity risk issued by the Reserve Bank are confined to the rupee balance sheets of
banks.

The Panel recommends that the Reserve Bank should consider issuing guidelines on liquidity risk which would also
cover foreign exposures of banks.

4.3.8 Operational Risk

Though various aspects relating to operational risk are covered sufficiently in the Annual Financial Inspection reports
for commercial banks, there is no reporting mechanism in place whereby the supervisor is kept informed of
developments affecting operational risk in banks on an ongoing basis.

The Panel recommends that the Reserve Bank should put in place a mechanism whereby banks are required to report
developments affecting operational risk to the supervisor.

4.3.9 Interest rate risk in Banking Book

Commercial banks have migrated to Basel II guidelines in phases beginning March 31, 2008. The identification,
measurement, monitoring and control of interest rate risk in banking books is part of the stipulations mandated in Pillar
II of the Revised Capital Framework and is not mandated at present.

The Panel recommends that the issuance of guidelines relating to the management of interest rate risk in banking
books, post-migration to Basel II could be based on the modified duration approach for the measurement of interest
rate risk in banking books as suggested by the Basel Committee (The Panel notes that Reserve Bank has since
issued guidelines on interest rate risk in banking books as part of the supervisory review process under Pillar II of
Basel II which is currently applicable to banks with overseas operations and foreign banks. The guidelines would be
applicable to all other banks from March 31, 2009).

4.3.10 Notification of adverse information

The Panel observes that there are no guidelines issued by the Reserve Bank which explicitly provide for the
supervisor to ensure that banks notify the Reserve Bank as soon as they become aware of any material information
which may negatively affect the fitness and propriety of a board member or a member of the senior management. At
present this is being done on a voluntary basis.

The Panel recommends that the Reserve Bank issue specific guidelines in this regard that mandate banks to notify
the Reserve Bank as soon as they become aware of any material information which may negatively affect the fitness
and propriety of a Board member or a member of the senior management.

11
4.3.11 Appropriate skills in the back-office of the Bank Treasury

Though the Reserve Bank has issued guidelines periodically on the segregation of duties and responsibilities in the
front office, mid-office and back office for treasury operations, it is not being determined whether there is an
appropriate balance of skills and resources in back office and control functions relative to the front office. Though this
aspect is looked into during the on-site inspection of banks, there is no specific mandate in the inspection manual in
this regard.

The Panel recommends that the Reserve Bank issue appropriate guidelines to banks stressing the maintenance of
such a balance by banks. It also recommends the incorporation in the inspection manual of a suitable provision
mandating on-site inspectors to specifically comment on this aspect in their reports.

4.3.12 Risk-Based Supervision

The current supervisory mechanism consists of monitoring banks through on-site inspections and off-site returns
obtained from them, and through periodic meetings with bank officials. The on-site supervisory mechanism adopted by
the Reserve Bank is CAMELS (Capital Adequacy, Asset Quality, Management, Earnings, Liquidity and Systems and
Control) approach for domestic banks and CALCS (Capital Adequacy, Asset Quality, Liquidity, Compliance and
Systems and Control) for foreign banks. These banks are rated on the CAMELS/CALCS model based on the on-site
inspection by the Reserve Bank. However, the CAMELS/CALCS rating does not clearly reflect the risk profile of the
bank, and does not pinpoint the risks where the bank might be vulnerable or areas of risk where the bank has
mitigating mechanisms to take care of the risks. Though a parallel run of Risk Based Supervision (RBS) is in progress
for select banks, it is not yet mandated as a supervisory mechanism.

The Panel recommends a quicker adoption of the techniques and methodology of RBS. This will appropriately profile
the bank, highlighting the risks and vulnerabilities it faces. Based on its assessment, the supervisory cycle for banks
can then be determined. The Panel also recommends a further strengthening of off-site surveillance which is a pre-
condition for the effective adoption of techniques and methodology of RBS.

4.3.13 Qualitative Disclosure

The Reserve Bank has issued detailed guidelines on accounting and disclosure norms and it is also satisfied that
banks maintain adequate records drawn up in accordance with these accounting policies. However, though extant
guidelines do require qualitative disclosure on risk management aspects, they are yet to be implemented.

The Panel recommends that there should be expeditious implementation of guidelines regarding qualitative
disclosures, concurrent with full migration to Basel II. (The Panel notes that guidelines have since been issued
mandating Indian banks with foreign operations and foreign banks to have formal Board approved disclosure policy
from March 31, 2008 and for others from March 31, 2009).

4.3.14 Prompt Corrective Action

A concept Prompt Corrective Action (PCA) framework has been introduced by the Reserve Bank whereby it can
initiate a set of actions against banks based on trigger points relating to the CRAR, Net NPA Ratio and Return on
Assets. While the PCA framework has prescribed broad triggers, there is no specified timetable for initiating the
mandatory actions and the discretionary actions.

The Panel feels that the guidelines on the PCA framework should provide for an appropriate timeline for initiating
mandatory and discretionary actions to follow the identified triggers. If necessary, this could be finalised in consultation
with the Government.

4.3.15 Consolidated Supervision

The Reserve Bank has issued a circular in February 2003 on consolidated accounting to facilitate consolidated
supervision. Accordingly, banks that have subsidiaries are required to file consolidated financial statements and half-
yearly consolidated prudential returns to the Reserve Bank. Though the Reserve Bank has the power to define the
range of activities of the consolidated group, it does not have the power to cause inspections of any entity within the
banking group which is not under its regulatory purview. The Panel recognises that the insertion of Section 29(A)
(Power in respect of associated enterprise) in the Banking Regulation Act (Amendment) Bill 2005 would empower the
Reserve Bank to conduct consolidated supervision. The Panel recommends expeditious passage of the Amendment
Bill in Parliament.
+++++

12
DOCUMENTS from other sources

http://onlineassociate.net/doc/Bank-Risk-Assessment/

Federal Financial Institutions Examination Council, US (FFIEC) IS Examination Handbook

RISK ASSESSMENT QUESTIONNAIRES

Purpose: To establish a risk rating for systems in a bank, and then rank the system by risk.

Sources: Concepts obtained from FFIEC IS Examination Handbook, OCC Bulletin 98-3, and OCC Bulletin
99-9.

Methodology: Collect responses from business and IT areas using the two questionnaires shown below.
Use the Reference Chart shown below to understand how the information collected in the questionnaires
can be used to assign risk ratings on the Risk Chart. Using a numeric risk rating that makes sense in your
environment (we use a scale of 1-5, with 5 being a high risk) assign a numeric rate to row item. When you
have completed a chart for each system within your environment, you will be able to rank the systems by
risk exposure.

System Name ________________

Risk Chart
Risk Factors Explanation Rating
1. Quantity of Risk
Transaction Dollar Exposure
Transaction Volume
Complexity of Hardware and Software
Volume and Risk exposures relative to internal control
exceptions
Potential for financial loss due to: error or fraud; competitive
disadvantage; incomplete information; operational disruption;
or personnel factors (experience / staffing/ turnover).
Out-sourcing (Controls over external activities)
Internet or other new business activities
2. Quality of Risk
Separation of Risk Taking and Risk Management
responsibilities
Ongoing Risk Identification and Risk Measurement Systems to
monitor risk
Policies for oversight responsibility of the systems and Policies
for Systems Development and Policies for Change
Management
Monitoring Systems Capacity
Assuring the Integrity and Security of Systems
Documenting System (programming) History
Effective Internal Accounting Controls
Effective Recovery Planning, Training & Testing
Other Risks Which Are Identified by the Auditor

Reference Chart (Risk Chart with References to the Questionnaires)

13
 Risk Factors Expla Rating Source (Where the
- risk is mentioned)
nation IT Risk Busines
Questi s Area
onnair Questio
e nnaire
Item Item

1. Quantity of Risk
Transaction Dollar Exposure 2 FFIEC IS Exam
Handbook page 2-2
Transaction Volume 2 FFIEC IS Exam
Handbook page 2-2
Complexity of Hardware and Software 3 4, 12 FFIEC IS Exam
Handbook page 2-2
Volume and Risk exposures relative to 6, 8 3 FFIEC IS Exam
internal control exceptions Handbook page 2-2
Potential for financial loss due to: error 4, 6 1, 3, 5, FFIEC IS Exam
or fraud; competitive disadvantage; 10 Handbook page 2-2
incomplete information; operational
disruption; or personnel factors
(experience / staffing/ turnover).
Out-sourcing (Controls over external 1 6 FFIEC IS Exam
activities) Handbook page 2-3
Internet or other new business activities 8 12 FFIEC IS Exam
Handbook page 2-3

2. Quality of Risk
Separation of Risk Taking and Risk 8, 16 FFIEC IS Exam
Management responsibilities Handbook page 2-3
Ongoing Risk Identification and Risk 8, 9 13, 14, FFIEC IS Exam
Measurement Systems to monitor risk 15 Handbook pages 2-3
to 2-4
Policies for oversight responsibility of 4, 7 1, 15 OCC 98-3 (p. 11, 12)
the Systems and Policies for Systems
Development and Policies for Change
Management
Monitoring Systems Capacity 5 1 FFIEC IS Exam
Handbook pages 2-
3, 2-4
Assuring the Integrity and Security of 4 7, 9, 15 FFIEC IS Exam
Systems Handbook page 2-4
Documenting System (programming) 2 FFIEC IS Exam
History Handbook page 2-4
Effective Internal Accounting Controls 8 FFIEC IS Exam
Handbook page 2-4
Effective Recovery Planning, Training & 6 10, 11 OCC 99-9, OCC 98-
Testing 3 (p. 11, 12)
Other Risks Which Are Identified by the
Auditor
System Name ________________

BUSINESS AREA QUESTIONNAIRE

1. Does the capacity and functionality of this system support the Bank’s strategic objectives?

14
2. What are the high risk conditions in your area? Please quantify the potential dollar exposure related
to misuse or errors connected to operating this system. How many “transactions” are created in
your area using this system (please define your answer in the time frame which you judge to be
most meaningful, daily, weekly, quarterly, etc.)?

3. What are the primary controls you use to monitor business processed through this system? Which
of these do you consider to be high risk? Are the controls effective (i.e., timely accurate,
meaningful, etc.)? Have there been any control exceptions this year which were not caught by this
systems controls?

4. How many changes to this system have been implemented this year (both hardware and software)?

5. How would you rate the potential for financial loss due to any of the following:
Human error or fraud: low medium high
Competitive disadvantage: low medium high
Incomplete information: low medium high
Operational disruption: low medium high
Please provide reasonable details regarding your responses:

6. Is the development or administration of this system outsourced? Do you feel that control over the
outsourcing arrangements are adequate to provide safe and efficient services?

7. Who in your department is in charge of monitoring the security of this system? Who is the backup?
To whom are security problems reported?

8. Does the system support your requirements for: administrative controls (e.g., transaction controls,
limit controls, accounting controls, etc.); and due diligence assessments?

9. Is IT support for this system adequate?

10. Are the Bank’s training support and user documentation for this system adequate?

11. When was the last business recovery test which involved this system? Was this system described
in the recovery test plans, logs, and sign-offs from that test? Are there output samples from this
system which were made during that test?

12. Are new systems or significant system changes planned for the remainder of this year, or next
year?

13. What are the most significant threats to this system? Would they include some of the following:
denial or disruption of systems services, unauthorized monitoring of systems services, disclosure of
proprietary or private information, modification or destruction of related computer capabilities (i.e.,
programming codes, networks, databases), and the manipulation of computer, or communications
services resulting in fraud, financial loss or other criminal violations?

14. Does this system support your departmental goals to comply with banking reporting requirements
and regulations, customer privacy, and other compliance-related business objectives.

15. What would be the best way to improve security or quality for this system?

15
16. Do you have risk taking and/or risk management responsibility? If so, how are the separation risk king
and risk management responsibilities enforced or monitored by the system? Is this an effective
control?

System Name ________________

IT Questionnaire
1. How many years experience does the IT staff have supporting this system? How many people are
qualified to support this system? If system support outsourced, please state the vendor name and contact
information here.

2. How would you rate the systems documentation for this system? Poor, average, great?

3. How often was this system changed last year? No changes, fewer than six changes, six or more
changes?

4. What are the IT controls for assuring the security of this system? Do they address risks (identified
in OCC 99-9) such as, entering data incorrectly, changing data, deleting data, destroying data or
programs with logic bombs, “crashing” systems, holding data hostage, destroying hardware or
facilities? Who is in charge of monitoring the security of this system? Who is the backup?
To whom are security problems reported?

5. What are the IT controls for assuring the systems capacity, and the integrity or quality of this
system?
Who is in charge of monitoring the integrity or quality of this system? Who is the backup?
To whom are integrity or quality problems reported?

6. What are the IT controls for assuring the continuity and rapid recovery of this system?
When was the last recovery test for this system?
Is this system described in the recovery test plans, logs, and sign-offs from that test? Are there
output samples from this system which were made during that test?

7. Are significant system changes planned for the remainder of this year or in the next year?

8. What are the most significant threats to this system? Would they include some of the following (as
noted in OCC 99-9): denial or disruption of systems services, unauthorized monitoring of systems
services, disclosure of proprietary, or private information, modification or destruction of related
computer capabilities (i.e., programming codes, network databases), and the manipulation of
computer, or communications services resulting in fraud, financial loss or other federal criminal
violation?

9. What would be the best way to improve security or quality for this system?

16