Basic concepts to Risk management

CHAPTER-3

RISK MANAGEMENT

BASIC CONCEPTS AND TECHNIQUES

In this chapter we discuss the basic risk concepts and issues related to risk management. After defining and identifying different risks, we describe the risk management process. Risk management process is a comprehensive system that includes creating an appropriate risk management environment, maintaining an efficient risk measurement, mitigating, and monitoring process, and establishing an adequate internal control arrangement. After outlining the basic idea of the risk management process and system, we discuss the main elements of the management process for specific risks. The latter part of the section examines the risks involved in Islamic financial institutions. We review the nature of traditional risks for Islamic financial institutions and point out some specific risks that Islamic banks face. We then discuss the risks inherent in different Islamic modes of financing.

3.1 INTRODUCTION

Risk arises when there is a possibility of more than one outcome and the ultimate outcome is unknown. Risk can be defined as the variability or volatility of unexpected outcomes. It is usually measured by the standard deviation of historic outcomes. Though all businesses face uncertainty, financial institutions face some special kinds of risks given their nature of activities. The objective of financial institutions is to maximize profit and shareholder value-added by providing different financial services mainly by managing risks. There are different ways in which risks are classified. One way is to distinguish between business risk and financial risks. Business risk arises from the nature of a firm’s business. It relates to factors affecting the product market. Financial risk arises from possible losses in financial markets due to movements in financial variables (Jorion and Khoury 1996, p. 2). It is usually associated with leverage with the risk that obligations and liabilities cannot be met with current assets (Gleason 2000, p. 21).

Another way of decomposing risk is between systematic and unsystematic components. While systematic risk is associated with the overall market or the economy, unsystematic risk is linked to a specific asset or firm. While the asset-specific unsystematic risk can be mitigated in a large diversified portfolio, the systematic risk is nondiversifiable. Parts of systematic risk, however, can be reduced through the risk mitigation and transferring techniques.

To understand the underlying principle of risk management, we use Oldfield and Santomero (1997) classification of risks. Accordingly, financial institutions face the following three types of risks: risks that can be eliminated, those that can be transferred to others, and the risks that can be managed by the institution. Financial intermediaries would avoid certain risks by simple business

Practices and will not take up activities that impose risks upon them. The practice of financial institutions is to take up activities in which risks can be efficiently managed and shift risks that can be transferred.

Risk avoidance techniques would include the standardization of all business-related activities and processes, construction of diversified portfolio, and implementation of an incentive-compatible scheme with accountability of actions. Some risk that banks face can be reduced or eliminated by transferring or selling these in well-defined markets. Risk transferring techniques include, among others, use of derivatives for hedging, selling or buying of financial claims, changing borrowing terms, etc.

There are, however, some risks that cannot be eliminated or transferred and must be absorbed by the banks. The first is due to the complexity of the risk and difficulty to separate it from asset. The second risk is accepted by the financial institutions as these are central to their business. These risks are accepted because the banks are specialized in dealing with them and get rewarded accordingly. Examples of these risks are the credit risk inherent in banking book activities and market risks in the trading book activities of banks.

There is a difference between risk measurement and risk management. While risk measurement deals with quantification of risk exposures, risk management refers to “the overall process that a financial institution follows to define a business strategy, to identify the risks to which it is exposed, to quantify those risks, and to understand and control the nature of risks it faces” (Cumming and Hirtle 2001, p. 3). Before we discuss the risk management process and measurement techniques, we give an overview of the risks faced by financial institutions and the evolution of risk management.

3.2 RISKS FACED BY FINANCIAL INSTITUTIONS

The risks that banks face can be divided into financial and non-financial ones. Financial risk can be further partitioned into market risk and credit risk. Non-financial risks, among others, include operational risk, regulatory risk, and legal risk. The nature of some of these risks is discussed below.

3.2.1 Market Risk

Is the risk originating in instruments and assets traded in well-defined markets? Market risks can result from macro and micro sources. Systematic market risk result from overall movement of prices and policies in the economy. The unsystematic market risk arises when the price of the specific asset or instrument changes due to events linked to the instrument or asset. Volatility of prices in various markets gives different kinds of market risks. Thus market risk can be classified as equity price risk, interest rate risk, currency risk, and commodity price risk. As a result, market risk can occur in both banking and trading books of banks. While all of these risks are important, interest rate risk is one of the major risk that banks have to worry about. The nature of this risk is briefly explained below.

3.2.2 Interest Rate Risk

Is the exposure of a bank’s financial condition to movements in interest rates. Interest rate risk can arise from different sources. Repricing risk arises due to timing differences in the maturity and re pricing of assets, liabilities and off-balance sheet items. Even with similar repricing characteristics, basis risk may arise if the adjustment of rates on assets and liabilities are not perfectly correlated. Yield curve risk is the uncertainty in income due to changes in the yield curve. Finally instruments with call and put options can introduce additional risks.

3.2.3 Credit Risk

Is the risk that counterparty will fail to meet its obligations timely and fully in accordance with the agreed terms. This risk can occur in the banking and trading books of the bank. In the banking book, loan credit risk arises when counterparty fails to meet its loan obligations fully in the stipulated time. This risk is associated with the quality of assets and the probability of default. Due to this risk, there is uncertainty of net-income and market value of Equity arising from non-payment and delayed payment of principal and interest.

Similarly, trading book credit risk arises due to a borrower’s inability or unwillingness to discharge contractual obligations in trading contracts. This can result in settlement risk when one party to a deal pays money or delivers assets before receiving its own assets or cash, thereby, exposing it to potential loss. Settlement risk in financial institutions particularly arises in foreign-exchange transactions. While a part of the credit risk is diversifiable, it cannot be eliminated completely.

3.2.4 Liquidity Risk

Arises due to insufficient liquidity for normal operating requirements reducing the ability of banks to meet its liabilities when it falls due. This risk may result from either difficulties in obtaining cash at reasonable cost from borrowings (funding or financing liquidity risk) or sale of assets (asset liquidity risk). One aspect of asset-liability management in the banking business is to minimize the liquidity risk. While funding risk can be controlled by proper planning of cash-flow needs and seeking newer sources of funds to finance cash shortfalls, the asset liquidity risk can be mitigated by diversification of assets and setting limits of certain illiquid products.

3.2.5 Operational Risk

Is not a well-defined concept and may arise from human and technical errors or accidents. It is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and technology or from external events. While people risk may arise due to incompetence and fraud, technology risk may result from telecommunications system and program failure. Process risk may occur due to various reasons including errors in model specifications, inaccurate transaction execution, and violating operational control limits.[1] Due to problems arising from inaccurate processing, record keeping, system failures, compliance with regulations, etc., there is a possibility that operating costs might be different from what is expected affecting the net income adversely.

3.2.6 Legal Risks

Relate to risks of unenforceability of financial contracts. This relates to statutes, legislation, and regulations that affect the fulfillment of contracts and transactions. This risk can be external in nature (like regulations affecting certain kind of business activities) or internal related to bank’s management or employees (like fraud, violations of laws and regulations, etc.). Legal risks can be considered as a part of operational risk (BCBS, 2001a). Regulatory risk arises from changes in regulatory framework of the country.

3.3 RISK MANAGEMENT: BACKGROUND AND EVOLUTION

Though business activities have been always exposed to risks, the formal study of managing risk started in the later half of the last century. Markowitz’s (1959) seminal paper first indicated that portfolio selection was a problem of maximizing its expected return and minimizing the risks. A higher expected return of a portfolio (measured by the mean) can result only from taking more risks. Thus, investors’ problem was to find the optimal risk-return combination. His analysis also points out the systematic and unsystematic components of risk. While the unsystematic component can be mitigated by diversification of assets, the systematic component has to be borne by the investor. Markowitz’s approach, however, faced operational problems when a large number of assets are involved.

Sharpe’s (1964) Capital Asset Pricing Model (CAPM) introduces the concepts of systematic and residual risks. Advances in this model include Single-Factor Models of Risk that estimates the beta of an asset. While residual (firm specific) risk can be diversified, beta measures the sensitivity of the portfolio to business cycles (an aggregate index). The dependence of CAPM on a single index to explain the risks inherent in assets is too simplistic. Arbitrage Pricing Theory proposed by Ross (1976) suggests

Arbitrage Pricing Theory proposed by Ross (1976) suggests that multiple factors affect the expected return of an asset. The implication of the Multiple Factor Model is that the total risk is the sum of the various factor related risks and residual risk. Thus, a multiple of risk-premia can be associated with an asset giving the respective factor-specific betas. Though the Multiple Factors Model is widely accepted, there is however, no consensus regarding the factors that affect the risk of an asset or the way it is estimated. There are three approaches in which this model can be implemented. While the Fundamental Factors model estimates the factor specific risk- premia assuming the respective factor-specific betas as given, the macroeconomic model assumes the risk premier as given and estimates the factor-specific betas. Statistical models attempt to determine both the risk-premia and betas simultaneously.

Modern risk management processes and strategies have adopted features of the above mentioned theories and adopted many tools to analyze risk. An important element of management of risk is to understand the risk-return tradeoff. Investors can expect a higher rate of return only by increasing the risks. As the objective of financial institutions is to increase the net income of the Shareholders, managing the resulting risks created to achieve this becomes an important function of these institutions. They do this by efficiently diversifying the unsystematic risks and reducing and transferring the systematic risk.

There are two broad approaches to quantify risk exposures facing financial institutions. One way is to measure risks in a segmented way (e.g., GAP analysis to measure interest rate risk and Value at Risk to assess market risks). The other approach is to measure risk exposure in a consolidated way by assessing the overall firm level risk (e.g., Risk adjusted rate of return, RAROC for firm level aggregate risk).[2]

3. 4 RISK MANAGEMENT: The Process And System

Though main elements of risk management include identifying, measuring, monitoring, and managing various risk exposures,[3] these cannot be effectively implemented unless there is a broader process and system in place. The overall risk management process should be comprehensive embodying all departments/sections of the institution so as to create a risk management culture. It should be pointed out that the specific risk management process of individual financial institutions depends on the nature of activities and the size and sophistication of an institution. The risk management system outlined here can be a standard for banks to follow. A comprehensive risk management system should encompass the following three components.[4] We outline the basic concept of the risk management process and system in this section.

3.4.1 Establishing Appropriate Risk Management Environment and Sound

Policies and Procedures

This stage deals with the overall objectives and strategy of the bank towards risk and its management policies. The board of directors is responsible for outlining the overall objectives, policies and strategies of risk management for any financial institution. The overall risk objectives should be communicated throughout the institution. Other than approving the overall policies of the bank regarding risk, the board of directors should ensure that the management takes the necessary actions to identify, measure, monitor, and control these risks. The board should periodically be informed and review the status of the different risks the bank is facing through reports.

Senior management is responsible to implement these broad specifications approved by the board. To do so, the management should establish policies and procedures that would be used by the institution to manage risk. These include maintaining a risk management review process, appropriate limits on risk taking, adequate systems of risk measurement, a comprehensive reporting system, and effective internal controls. Procedures should include appropriate approval processes, limits and mechanisms designed to assure the bank’s risk management objectives are achieved. Banks should clearly identify the individuals and/or committees responsible for risk management and define the line of authority and responsibility. Care should be taken that there is adequate separation of duties of risk measurement, monitoring and control functions.

Furthermore, clear rules and standards of participation should be provided regarding position limits, exposures to counterparties, credit and concentration. Investment guidelines and strategies should be followed to limit the risks involved in different activities. These guidelines should cover the structure of assets in terms of concentration and maturity, asset-liability mismatching, hedging, securitization, etc.

3.4.2. Maintaining an Appropriate Risk Measurement, Mitigating, and Monitoring Process

Banks must have regular management information systems for measuring, monitoring, controlling and reporting different risk exposures. Steps that need to be taken for risk measurement and monitoring purposes are establishing standards for categorization and review of risks, consistent evaluation and rating of exposures. Frequent standardized risk and audit reports within the institution are also important. The actions needed in this regard are creating standards and inventories of risk based assets, and regularly producing risk management reports and audit reports. The bank can also use external sources to assess risk, by using either credit ratings, or supervisory risk assessment criterion like CAMELS.

Risks that banks take up must be monitored and managed efficiently. Banks should do stress testing to see the effects on the portfolio resulting from different potential future changes. The areas a bank should examine are the effects of downturn in the industry or economy and market risk events on default rates and liquidity conditions of the bank. Stress testing should be designed to identify the conditions under which a bank’s positions would be vulnerable and the possible responses to such situations. The banks should have contingency plans that can be implemented under different scenarios.

3.4.3 Adequate Internal Controls

Banks should have internal controls to ensure that all policies are adhered to. An effective system of internal control includes an adequate process for identify and evaluating different kinds of risks and having sufficient information systems to support these. The system would also establish policies and procedures and their adherence are continually reviewed. These may include conducting periodic internal audits of different processes and producing regular independent reports and evaluations to identify areas of weakness. An important part of internal control is to ensure that the duties of those who measure, monitor, and control risks are separated. Finally, an incentive and accountability structure that is compatible with reduced risk taking on part of the employees is also an important element to reduce overall risk. A prerequisite of these incentive-based contracts is accurate reporting of the bank’s exposures and internal control system. An efficient incentive compatible structure would limit individual positions to acceptable levels and encourage decision makers to manage risks in a manner that is consistent with the banks goals and objectives.

3.5 MANAGEMENT PROCESSES OF SPECIFIC RISKS

As mentioned above the total risk of an asset can be assigned to different sources. Given the general guidelines of risk management process above, in this section we give details of risk management processes for specific risks faced by bank

3.5.1. Credit Risk Management[5]

The board of directors should outline the overall credit risk strategies by indicating the bank’s willingness to grant credit to different sectors, geographical location, maturity, and profitability. In doing so it should recognize the goals of credit quality, earnings, growth, and the risk-reward tradeoff for its activities. The credit risk strategy should be communicated throughout the institution.

The senior management of the bank should be responsible to implement the credit risk strategy approved by the board of directors. This would include developing written procedures that reflect the overall strategy and ensure its implementation. The procedures should include policies to identify, measure, monitor, and control credit risk. Care has to be given to diversification of portfolio by setting exposure limits on single counterparty, groups of connected counterparties, industries, economic sectors, geographical regions, and individual products. Banks can use stress testing in setting limits and monitoring by considering business cycles, interest rate and other market movements. Banks engaged in international credit need to assess the respective country risk.

Banks should have a system for ongoing administration of various credit risk-bearing portfolios. A proper credit administration by a bank would include an efficient and effective operation related to monitoring documentation, contractual requirements, legal covenants, collateral, etc., accurate and timely reporting to management, and compliance with management policies and Procedures and applicable rules and regulations.

Banks must operate under sound, well-defined credit-granting criteria to enable a comprehensive assessment of the true risk of the borrower or counterparty to minimize the adverse selection problem. Banks need information on many factors regarding the counterparty to which they want to grant credit. These include, among others, the purpose of the credit and the source of repayment, the risk profile of the borrower and its sensitivity to economic and market developments, borrower’s repayment history and current capacity to repay, enforceability of the collateral or guarantees, etc.

Banks should have a clear and formal evaluation and approval process for new credits and extension of existing credits. Each credit proposal should be subject to careful analysis by a credit analyst so that information can be generated for internal evaluation and rating. This can be used for appropriate judgments about the acceptability of the credit.

Granting credit involves accepting risks as well as producing profits. Credit should be priced so that it appropriately reflects the inherent risks of the counterparty and the embedded costs. In considering the potential credit, the bank needs to establish provisions for expected loss and hold adequate capital to absorb the unexpected losses. Banks can use collateral and guarantees to help Mitigate risks inherent in individual transactions. Note, however, that collateral cannot be a substitute for comprehensive assessment of a borrower and strength of the repayment capacity of the borrower should be given prime importance.

Banks should identify and manage credit risk inherent in all of its assets and activities by carefully reviewing the risk characteristics of the asset or activity. Special care is needed particularly when the bank embarks on new activities and assets. In this regard, adequate procedures and controls need to be taken to identify the risks in new asset or activity. Banks must have analytical Techniques and information systems to measure credit risk in all on- and off balance sheet activities. The system should be able to provide information on sensitivities and concentrations in the credit portfolio. Banks can manage portfolio issues related to credit through loan sales, credit derivatives, securitization, and involvement in secondary loan markets.

Banks must have a system for monitoring individual credits, including determining the adequacy of provisions and reserves. An effective monitoring system would provide the bank, among others, the current financial condition of the counterparty. The system would be able to monitor projected cash-flow and the value of the collateral to identify and classify potential credit problems. While monitoring the overall composition and quality of the portfolio, a bank should not only take care about the concentrations with respect to counterparty’s activities but also the maturity.

Banks should develop internal risk rating systems to mange credit risk. A well-structured internal rating system can differentiate the degree of credit risk in different credit exposures of a bank by categorizing credits into various gradations in risk. Internal risk ratings are important tool in monitoring and controlling credit risk as periodic ratings enable banks to determine the overall characteristics of the credit portfolio and indicates any deterioration in credit risk. Deteriorating credit can then be subject to additional monitoring and supervision.

A bank should have independent ongoing credit reports for the board of directors and senior management to ensure that the bank’s risk exposures are maintained within the parameters set by prudential standards and internal limits. Banks should have internal controls to ensure that credit policies are adhered to. These may include conducting periodic internal audits of the credit risk

Processes to identify the areas of weakness in the credit administration process. Once the problem credits are identified, banks should have a clear policy and system for managing problem credits. The banks should have effective workout programs to manage risk in their portfolio.

3.5.2. Interest Rate Risk Management[6]

The board of directors should approve the overall objectives, broad strategies and policies that govern the interest rate risk of a bank. Other than approving the overall policies of the bank regarding interest rate risk the board of directors should ensure that the management takes the necessary actions to identify, measure, monitor, and control these risks. The board should periodically be informed and review the status of interest rate risk the bank is facing through reports.

Senior management must ensure that the bank follows policies and procedures that enable the management of interest rate risk. These include maintaining an interest rate risk management review process, appropriate limits on risk taking, adequate systems of risk measurement, a comprehensive interest rate risk reporting system, and effective internal controls. Banks should be able to identify the individuals and/or committees responsible for interest rate risk management and define the line of authority and responsibility.

Banks should have clearly defined policies and procedures for limiting and controlling interest rate risk by delineating responsibility and accountability over interest rate risk management decisions and defining authorized instruments, hedging strategies and position taking opportunities. Interest rate risk in new products should be identified by carefully scrutinizing the maturity, re pricing or repayment terms of an instrument. The board should approve new hedging or risk management strategies before these are implemented.

Banks should have a management information system for measuring, monitoring, controlling and reporting interest rate exposures. Banks should have interest rate risk management systems that assess the effects of rate changes on both the earnings and economic value. These measurement systems should be able to utilize generally accepted financial concepts and risk management.

Techniques to assess all interest risk associated with a bank’s assets, liabilities, and off-balance sheet positions. Some of the techniques for measuring a bank’s interest risk exposure are GAP analysis, duration, and simulation. Possible stress tests can be undertaken to examine the effects of changes in the interest rate, changes in the slope of the yield curve, changes in the volatility of the market rates, etc. Banks should consider the “worse case” scenarios and ensure that appropriate contingency plans are available to tackle these situations.

Banks must establish and enforce a system of interest rate risk limits and risk taking guidelines that can achieve the goal of keeping the risk exposure within some self-imposed parameters over a range of possible changes in interest rates. An appropriate limit system enables the control and monitoring of interest rate risk against predetermined tolerance factors. Any violation of limits should be made known to senior management for appropriate action.

Interest rate reports for the board should include summaries of the bank’s aggregate exposures, compliance with policies and limits, results of stress tests, summaries of reviews of interest rate risk policies and procedures, and findings of internal and external auditors. Interest rate risk reports should be in details to enable senior management to assess the sensitivity of the institution to changes in the market conditions and other risk factors.

Banks should have adequate system of internal controls to ensure the integrity of their interest rate risk management process and to promote effective and efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations, and institutional policies. An effective system of internal control for interest rate risk includes an adequate Process for identify and evaluating risk and having sufficient information systems to support these. The system would also establish policies and procedures and their adherence are continually reviewed. These periodic reviews would cover not only the quantity of interest rate risk, but also the quality of interest rate risk management. Care should be taken that there is adequate separation of duties of risk measurement, monitoring and control functions

3.5.3. Liquidity Risk Management[7]

As banks deal with other people’s money that can be withdrawn, managing liquidity is one of the most important functions of the bank. The senior management and the board of directors should make sure that the bank’s priorities and objectives for liquidity management are clear. Senior management should ensure that liquidity risk is effectively managed by establishing appropriate policies and procedures. A bank must have adequate information system to measure, monitor, control and report liquidity risk. Regular reports on liquidity should be provided to the board of directors and senior management. These reports should include, among others, the liquidity positions over particular time horizons.

The essence of liquidity management problem arises from the fact that there is a trade-off between liquidity and profitability and mismatch between demand and supply of liquid assets. While the bank has no control over the sources of funds (deposits), it can control the use of funds. As such, a bank’s liquidity position is given priority in allocating funds. Given the opportunity cost of liquid funds, banks should make all profitable investments after having sufficient liquidity. Most banks now keep protective reserves on top of planned reserves. While the planned reserves are derived from either regulatory requirements or forecasts, the amount of the protective reserve depends on the management’s attitude towards liquidity risk.

Liquidity management decisions have to be undertaken by considering all service areas and departments of the bank. Liquidity manager must keep track and coordinate the activities of all departments that raise and use funds in the bank. Decisions regarding the banks liquidity needs must be analyzed continuously to avoid both liquidity surplus and deficit. In particular, the liquidity manager should know in advance when large transactions (credit, deposits, and withdrawals) would take place to plan effectively for resulting liquidity surpluses or deficits.

A bank should establish a process of measuring and monitoring net funding requirements by assessing the bank’s cash inflows and outflows. The bank’s off-balance sheet commitments should also be considered. It is also important to assess the future funding needs of the bank. An important element of liquidity risk management is to estimate a bank’s liquidity needs. Several approaches have been developed to estimate the liquidity requirements of banks. These include the sources and uses of funds approach, the structure of funds approach, and the liquidity indicator approach.[8] A maturity ladder is a useful device to compare cash inflows and outflows for different time periods.

The deficit or surplus of net cash flows is a good indicator of liquidity shortfalls and excesses at different points in time. Unexpected cash flows can arise from some other sources. As more and more banks are engaged in off-balance sheet activities, banks should also examine the cash flows on this account. For example, contingent liabilities used in these accounts (like financial guarantees and options) can represent substantial sources of outflows of funds. After identifying the liquidity requirements, a series of worse case scenarios can be analyzed to estimate both possible bank specific shocks and economy-wide shock. The bank should have contingency funding plans of handling the liquidity needs during these crises. Possible responses to these shocks would include the speed with which assets can be liquidated and the sources of funds that banks can use in the crisis. If the bank is dealing with foreign currency, it should have a measurement, monitoring and control system for liquidity in active currencies.

Banks should have adequate internal controls over its liquidity risk management process that should be a part of the overall system of internal control. An effective system would create a strong control environment and have an adequate process of identifying and evaluating liquidity risk. It should have adequate information system that can produce regular independent reports and evaluations to review adherence to established policies and procedures.

The internal audit function should also periodically review the liquidity management process to identify any problems or weaknesses for appropriate action by the management.

3.5.4. Operational Risk Management[9]

The board of directors and senior management should develop the overall policies and strategies for managing operational risk. As operational risk can arise due to failures in people, processes, and technology, management of this risk is more complex. Senior management needs to establish the desired standards of risk management and clear guidelines for practices that would reduce operational risks. In doing so, care needs to be taken to include people, process, and technology risks that can arise in the institution.

Given the different sources in which operational risk can arise, a common standard for identification and management of these needs to be developed. Care needs to be taken to tackle operational risk arising in different departments/organizational unit due to people, process, and technology. As such a wide variety of guidelines and rules have to be spelled out. To do so, the Management should develop an ‘operational risk catalogue’ in which business process maps for each business/ department of the institution are outlined. For example, the business process for dealing with client or investor should be laid out. This catalogue will not only identify and assess operational risk but also can be used for transparency by the management and auditors.

Given the complexity of operational risk, it is difficult to quantify it. Most of the operational risk measurement techniques are simple and experimental. The banks, however, can gather information of different risks from reports and plans that are published within the institution (like audit reports, regulatory reports, management reports, business plans, operations plans, error rates, etc.). A careful review of these documents can reveal gaps that can represent potential risks. The data from the reports can then be categorized into internal and external factors and converted into likelihood of potential loss to the institution. A part of the operational risk can also be hedged. Tools for risk assessment, monitoring, and management would include periodic reviews, Stress testing, and allocation of appropriate amount of economic capital.

As there are various sources of operational risk, it needs to be handled in different ways. In particular, risk originating from people needs effective management, monitoring, and controls. These include establishing an adequate operating procedure. One important element to control operational risk is to have clear separation of responsibilities and to have contingency plans. Another significant element is to make sure that reporting systems are consistent, secure, and independent of business. The internal auditors play an important role in mitigating operational risk.

[1] For a list of different sources of operational risk see Crouhy et al. (2001, p. 487).

[2] For a discussion on adopting consolidated risk management from the supervisors’ and the banks perspectives see Cumming and Hirtle (2001).

[3] See (Jorion 2001, p. 3) for a discussion.

[4] These three components are derived from BCBS’s recommendations of managing specific Risks. See BCBS (1999 and 2001b).

[5] This section is based on the credit risk management process discussed in BCBS (1999).

[6]This section is based on the interest rate risk management process discussed in BCBS (2001)

[7] The discussion on Liquidity Risk Management is derived from BCBS (2000).

[8] For a discussion on these methods see Rose (1999).

[9] This part is based on BCBS (1998) and Crouhy, et.al. (2001, Chapter 13).