The
Presidents/ Chief Executives
All
Banks/DFIs Guidelines
on Risk Management
As
you are well aware the financial institutions are exposed
to various risks in pursuit of their business objectives;
the nature and complexity of which has changed rapidly over
time. The failure to adequately manage these risks exposes financial
institutions not only to business losses, but may also render
them unsuccessful in achieving their strategic business objectives.
In the worst case, inadequate risk management may result in
circumstances so catastrophic in nature that financial institutions
cannot remain in business.
2)
Although rapid developments are taking place internationally
in this area, our banks have yet to come out with a solid
framework for risk management. Some of the banks have made
progress in this area, but they differ significantly in relation to the expertise, and the
sophistication of systems in place for risk management. In
some financial institutions, it has been considered primarily
in an operational sense, while others practice a more structured
approach towards risk management.
3)
In view of the forgoing and coincidental to global
recognition towards need of an effective risk management and
control systems in financial sector, State Bank of Pakistan
being cognizant of the importance of the subject, has prepared
guidelines on Risk Management by banks/DFIs, which are attached.
These guidelines, organized by risk
category, are designed to provide an overview of actions financial
institutions may take, and consequently, are not intended
to detail every control procedure that might be put in place.
4)
The guidelines contain a brief introduction to risk
management and a detailed elaboration of major risks that
financial institutions may be exposed to. Risk Management
encompasses risk identification, assessment, measurement,
monitoring and mitigating/controlling all risks inherent in
the business of banking. The basic principles relating to
risk management that are applicable to every financial institution,
irrespective of its size and complexity, include:
i)
The overall responsibility of risk management vests
in the Board of Directors, which shall formulate policies
in various areas of operations of the bank. The senior management
is, interalia, responsible for devising risk management strategy
and well-defined policies and procedures for mitigating/controlling
risks, which should be duly approved by the Board. The senior
management is also responsible for the dissemination, implementation,
and compliance of approved policies and procedures.
ii)
At operational level, risk assessment may be made
on portfolio or business line basis, however, at the top level
the management need to adopt a holistic approach in assessing
and managing risk profile of the bank.
iii)
Irrespective of a separate risk review or management
function individuals heading various business lines or units
are also accountable for the risk they are taking.
iv)
Wherever possible risks should be quantitatively
measured, reported, and mitigated.
v)
The risk review function should be independent
of those who approve and take risk. The review should include,
interalia, stress tests exposing the portfolio to unanticipated
movements in key variables or major systemic shocks.
vi)
Banks should have contingency plans for any unexpected
or worst case scenarios.
5)
The major risks to which the financial institutions
can be exposed to include credit, market, liquidity, and operational
risks. While the detailed guidelines for identifying, measuring,
monitoring, and mitigating /controlling these risks are attached,
a brief description of the same is given hereunder:
i)
Historically, Credit Risk has been the risk causing
major losses to banks operating in Pakistan. The Board of
Directors is responsible for formulating a well-defined Credit
Policy. The senior management needs to develop policies, systems
and procedures and establish an organizational structure to
measure, monitor and control credit risk, which should also
be duly approved by the board. The bank should also put in
place a well-designed credit risk management setup commensurate
with the size and complexity of their credit portfolio. The
loan origination function is of key importance, which necessitates
the need for proper analysis of borrower’s creditworthiness
and financial health. This aspect is reinforced by credit
administration function that not only ensures the activities
conform to bank’s policies and procedures, but also maintains
credit files, loan documents and monitors compliance of loan
covenants. The banks are encouraged to assign internal credit
ratings to individual credit exposures. The architecture of
such a rating system may vary among banks. The loan portfolio
should be monitored regularly and a report prepared at periodic
intervals both for the aggregate as well as sectoral and individual
loan level. Finally, banks are required to formulate a strategy
/ action plan to deal with problem loans.
ii)
Market risk is the possibility of loss due
to adverse movement in the interest rates, foreign exchange
rates, commodity prices or equity prices. Notwithstanding
the fact that the board and senior management should develop
the bank’s strategy and transform those strategies by establishing
policies and procedures for market risk management, a robust
risk management framework is an important element to manage
market risk. Such a framework includes an organizational setup
commensurate with the size and nature of business and system
and procedures for measurement, monitoring and mitigating/controlling
market risks. Ideally, the hierarchical structure includes
an ALCO (Asset Liability Committee) headed by the CEO of the
bank, which may provide updates to Board of Directors’ Sub-committee
on Risk Management. Further, banks should establish a mid
office between front office and back office functions. This
unit should manage risks relating to treasury operations and
report directly to senior management. There is a vast array
of methodologies to measure Market risk, ranging from static
gap analysis to sophisticated risk models. Banks may adopt
various techniques to measure market risk, as they deem fit.
Finally, the banks should ensure that they have adequate control
mechanisms and appropriate setup such as periodic risk reviews
/ audits etc to monitor market risk.
iii)
Liquidity risk is the possibility of loss due to
bank’s inability to fund their commitments without incurring
unacceptable costs. As the impact of such risk could be catastrophic,
the senior management needs to establish a mechanism to identify,
measure and mitigate/control liquidity risk. The senior management
should also establish an effective organizational structure
to continuously monitor bank’s liquidity. Generally, the bank’s
board constitutes a committee of senior management known as
ALCO to undertake the function. Key elements of sound liquidity
management process include an effective MIS, risk limits and
contingency funding plan.
iv)
Operational risk is the risk of loss due
to inadequate or failed internal processes, procedures, systems
and controls or from external events.
Besides establishing a tolerance level for operational
risk, the BOD needs to ensure that the senior management has
put in place adequate systems, procedures and controls for
all significant areas of operations. Further, the management
of the bank should effectively communicate laid down procedures
/ guidelines down the line and put in place a reasonable set
up to implement the same.
6)
Banks are encouraged to put in place an effective risk
management strategy based on the attached guidelines. These
guidelines are flexible in the sense that banks can adapt
them in line with the size and complexity of their business,
as against the Prudential Regulations which need to be fully
complied with at all times, for every transaction, both in
letter and spirit. The adoption of these guidelines will also
facilitate the banks in their preparation for the implementation
of New Basel Capital Accord in due course. Once the New Basel
Accord is introduced in Pakistan, these guidelines will converge
with the requirement of the Accord and will become enforceable
regulation. The banks are, therefore, encouraged to take necessary
steps for their implementation. The banks are also expected
to provide necessary training to their concerned staff in
risk management through Institute of Bankers or other training
institutions / experts having expertise in this area.
7).
The measures taken by the banks for implementation
of these guidelines will be communicated to this Department
in the form of a half yearly progress report within 30 days
from the end of each calendar half year i.e. 30th
June and 31st December of each year. The first
such report shall be submitted for the half year ending 31st
December 2003. The State Bank’s inspection team shall conduct
on-site verification of the progress so reported during their
routine inspection.
Please
acknowledge receipt.
|