Loading in 2 Seconds...
Loading in 2 Seconds...
Risk Management for Banks: Challenges and Opportunities Corporate Governance Program for Directors of Indian Banks Mumbai, India December 16, 2005 Mark Lawrence, Ph.D. Former Chief Risk Officer, Australia and New Zealand Banking Group, Melbourne, Australia firstname.lastname@example.org
ANZ • Established in 1835 • Strong positions: • Australian “Bank of the Year” six years in a row • New Zealand’s largest bank • The leading Australian bank in Asia • The leading bank in the South Pacific • 31,000 people serving more than 5 million customers across 27 countries • Strong performance: • Assets exceed US$210 billion (Sept 2005), Cost/Income ratio 45.6% • 10 year average total shareholder return 24% (2005: 33%) • 2005 Profit After Tax US$2.3 billion, Return on Equity 17.5% • Non-Performing Loans/Avge. Net Advances 0.26% (2005) • Net Specific Provisions/Avge. Net Advances 0.15% (2005) • Overall staff satisfaction 85% positive • Market capitalization exceeds US$32 billion today • Rated AA-
Example: the Risk Management “journey” – ANZ built its risk management capability over more than a decade • Prior to 1994 No formal combined “Risk Management” function, but ANZ had a credit “workout” area, separate Retail and Corporate Credit Risk Management functions, and an operational risk function; Rudimentary risk grading and pricing processes; no risk-based capital allocation • 1995 Credit risk unit formed, with a particular emphasis on handling actual and prospective property portfolio. First credit risk grading models built – Probability of Default, Loss Given Default • 1996–97 Board Risk Management Committee supersedes the Credit Committee; Regulatory Compliance framework implemented; Economic Capital for credit risk; Economic Value Added (“EVA”) models implemented for compensation • 1999 Market and Operational Risk capability strengthened • 2000 Operational Risk economic capital model developed and implemented; Creation of dedicated Retail Risk function • 2001 Basel II project commenced • 2002 Substantial Risk Management capability embedded in consumer businesses • 2003 Increased focus on the management of project risks; Formal Risk Management involvement in Strategy • 2004 Specialised Technology Risk function created; Group Compliance framework enhanced Source:“The ANZ Risk Management Framework”, CRO presentation to investors, 27 July 2004 http://www.anz.com/aus/shares/presentations/speeches/2004.asp
Agenda (I): Risk Management Best Practices • The Importance of Risk Management for Banks • Risk Management Objectives and Fundamentals • Principal Risk Categories: Credit, Market, Operational Risk • Risk Governance and Functional Risk Management Organisation • Risk Measurement: • Expected and Unexpected Loss • The Role of “Economic” or “Risk” Capital • Balancing Risk and Return • Role of the Chief Risk Officer • Risk Management For Competitive Advantage
The Need for Risk Management The Consequences The Drivers • Increased Complexity • Increased Governance • Increased Transparency • Globalising Standards • New Regulation: Basel II (2004) • Risk Management for • Competitive Advantage Performance, Losses, Competition Market Scrutiny, Technology
The “Vicious Cycle” of Risk Take Uneconomic Risks Drive Growth Aggressively Incur Large Losses Lose Market Share/Profits Clamp Down on Lending/Risk Taking Forego Economic Risks
Some principles about banking and risk Since the future is uncertain, you can’t generate returns without taking risk: • Capital and expenses come first, and are certain – revenues come later (and are uncertain) • You can’t divorce the level of risk from the expected level of return - the higher the desired return, the more risk you must be willing to take • Half the time you can expect the mean return or more, and half the time, the mean return or less • Diversification is necessary to lower the average total risk
Some principles about banking and risk (Cont.) • That said, banks need to be low-risk: • Society relies on the effective functioning of the banking system • The system is based on confidence and trust • The main source of funding is customer deposits • Banks are the main mechanism for domestic and international payments • Main vehicle for storing non-real estate wealth • (Australian banks raise most of the country’s external debt) • … hence the importance of reputation and confidence • * Reputation follows behaviour; thus need to build and sustain trust
Some principles about banking and risk (Cont.) There is a limit to the level of risk a commercial bank can take • Fundamentally, businesses depend on their ability to fund themselves and generate cash • Companies go bust when they run out of cash. They run out of cash when they are not viable economically, or lose confidence • Failure usually happens when you get the basics wrong, not the subtleties • The amount of risk that is acceptable is fundamentally determined by the need to raise funding (and, where applicable, to preserve credit ratings) • Banking is a cyclical business: • Leveraged to the economic cycle • High operating leverage – fixed costs around 50% of revenues (Australia) • In Australia, average margins on assets and liabilities are very low – less than 2.50%, so financial risk tolerance must also be low – 97.5%, 99.97% confidence levels are used in risk measurement
Some principles about banking and risk (Cont.) To be successful, banks must remain successful and viable at every point on the economic cycle… • If you take all the opportunities on the way up… • … you get all the losses on the way down! • History shows that banks periodically get it materially wrong (eg early 1990’s in USA, UK, Australia and elsewhere) • … but recent advances in risk management (especially credit risk) have borne fruit, e.g. very few bank failures in the USA, UK and Europe during the recent economic downturn of 2001 - 2002
Some principles about banking and risk (Cont.) • Fundamentally the level of risk is determined by: • the decision to be in a business, • the extent to which you participate, • the capability and culture of the organisation, and • the quality of the people you put in charge of the business • This governs 80% of the outcome • The balance is in how this is executed Note:Culture is a dominant factor in risk outcomes, including incentives/compensation *** Strong leadership from the top on risk matters is essential, to ensure a strong “risk culture”
Core Objectives of Risk Management • Maintenance of solvency: constrain losses to within acceptable levels at all points through the economic cycle • Ensure risks are transparent and well understood, both internally and externally (owners and shareholders must understand the risks they are investing in) • Ensure risks taken are consistent with organisational capability and appetite • Today:Risk Management as a foundation for sustainable growth and a source of competitive advantage
Components of an Effective Risk Management Process • Risk Governance • Risk Identification • Risk Measurement • Risk Management: Policy and Process • Risk Reporting • Policy and Process Compliance (Internal Audit)
Specific Risk Types • Credit Risk • The risk that a financial institution makes a loss as a result of less than full payment of an obligation • Market Risk • Risk of loss due to changes in market prices or variables • Operational Risk • Historically: “Other risks” • More precisely (Basel II definition): “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
Typical “Economic” or “Risk” Capital Allocation Market Risk 5 - 25% Credit Risk 50 - 65% Operational and Business Risks 10 - 30%
Fundamental Importance of Credit Risk • The largest risk for most banks (operational risk largest risk for some) • Assessing and managing credit risk is a core competency of banks, and a key driver of bank performance • Very significant advances in credit risk measurement have occurred over the past ten years, including development of sophisticated models for estimation of “Probability of Default” (PD) and “Loss Given Default” (LGD), for corporate, banks, small business and consumers Significantlyimproved ability to manage credit risk on a portfolio basis by more sophisticated banks But data limitations are significant in many markets • These models actually work: most successful Australian banks now have non-performing loans (90 days in arrears) less than 0.5% of lending assets (ANZ less than 0.3%)
Market Risk • Market Risk is the risk of loss due to changes in market prices or variables, eg: • Interest Rates • Exchange Rates • Equity Prices • Option “Implied Volatilities” (for derivatives) • Credit Spreads • Commodity Prices • Principal points of Impact: • Balance Sheet – managing the interest rate mismatch between assets and liabilities • Traded Market Risk • Currency translation risk for offshore operations
The Importance of Operational Risks Deregulation & globalisation of financial services Activities of Banks (& their risk profiles) more diverse & complex Growing sophistication of financial technology • Recent experience in advanced banking markets makes it clear that risks other than credit and market risks can be substantial: • Barings • Enron/Worldcom • 9/11 • Allfirst (Allied Irish - Baltimore) • Life insurance & pension mis-selling in UK • “Spitzer” issues - Underwriting/research conflicts + Mutual fund scandals (etc) • Environmental (e.g. New Orleans)
Whichever way you look, operationally we are becoming more complex and inter-dependent…. Statutory, Regulatory & Contractual Business strategy Economic, Cultural & Political Partnering, alliances, outsourcing & JVs Diversification Globalisation Technology Concentration
…resulting in greater focus on Operational Risk by financial services providers, government & others… • Financial Services (Banks, Insurance Companies, Fund Managers) • Specialist Operational Risk functions • Framework, policy, measurement and monitoring • Capital allocation for operational risk – now happening • Loss, event and near-miss data collection & analysis • Extensive, ‘what if’ scenario analysis • Business continuity testing and crisis management training • Executive and Board Risk Committees • Government • Consumer protection • Corporate Governance • Basel II • Sarbanes Oxley • Standards & Guidelines • Others • Sustainability • Reputation indices • Rating Agencies
…and a consensus definition of Operational Risk • “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events“ • This (Basel II) definition includes legal risk but excludes strategic and reputational risk • More specifically, losses may result from: • fraud or forgery • failure to comply with policies, procedures, laws and regulations • a breakdown in the availability or integrity of services, systems and information • reputational damage
Risk Governance Example:Board and Executive Risk Committee Structure Board Board Risk Management Committee Board Audit Committee Principal Executive Risk Committees Credit & Trading Risk Committee (CTC) Asset & Liability Committee (GALCO) Operational Risk Executive Committee (OREC) Project & Initiative Review Committee (PIRC) • Policy • Major Lending Decisions • Asset Writing Strategies • Portfolio • Trading Risk • Balance Sheet and Liquidity Risk • Payments/ operational risks • Physical and Information Security • Compliance • Project risk • Project governance • Project priorities
Risk Governance Example (Cont.) • The Board is responsible for setting the overall corporate governance strategy • The Risk Management Committee ("RMC") is a Board committee focused on the review of risks in the business. Comprised of Non-Executive Directors, it is responsible for overseeing, monitoring and reviewing the Group’s risk management principles, policies, strategies, processes and controls including those for credit, market, operational, liquidity and reputational risks. The RMC authorizes the Group’s limits frameworks, and delegates limits to the Executive Risk Committees*. • The Executive Risk Committees are the senior executive management committees responsible for the oversight of various risks. Their role is to oversee the management of significant risks and support the RMC in respect of its duties. Members include CEO, CFO, Chief Risk Officer (CRO), Business Unit Heads and Risk Management staff • The Internal Audit function is independent from the Risk Management function, and provides independent assurance regarding the effectiveness of the risk management framework and controls. * See example RMC Charter at:http://www.anz.com/australia/aboutanz/corporateinformation/corpgovpolicy/
Risk Management Functional Model (Example) Group Centre Business Units • Central Risk Governance • Governance & Framework • Risk and Compliance Strategy and Policy • Risk Measurement methodology & models (development, validation and approval) - Internal Credit Rating Tools - Expected Loss + Economic Capital models (all risks) • Risk and Compliance systems design & assurance • Risk and Compliance Reporting for Board/Market/ Regulatory/Rating Agency and other requirements • Portfolio Analysis and Response • Emerging risk identification and response • Market Risk reporting and limit compliance • Risk and Compliance Review • Transaction approval > risk threshold (fn of size & complexity) • Specific BU Risk Functions • Operational Risk mgmt & compliance • Credit Process support • Asset writing strategies • BU-specific risks • BU risk reporting • Transaction Approval < risk threshold • Risk data entry and quality assurance ** Key Q: where should Risk “Shared Services” be located?** Cultural considerations will drive the outcome here! Why go to the Centre?- Centre of Excellence- Efficiency/avoid duplicationWhy go to the Business Units?- BU Ownership and Accountability- BU control over Cost? (vs cost allocation from centre) • Risk “Shared Services” • Asset Recovery • Risk systems development and operations • Divisional asset quality reporting • Compliance Review and Support • Group Investigations • Payments Risk, Information Security • Business Continuity & Crisis Mgmt • Insurance
Example: Central Risk Management Structure Chief Executive Officer Chief Risk Officer Wholesale Credit Risk Retail Credit Risk Operational & Technology Risk Market Risk Compliance Basel II Implementation RM Chief Operating Officer
How is this effective? • Strong “risk culture” across the Group, driven by the Board and CEO • Partnership between Group Risk Management (GRM) and the Business Units • Clarity of roles and accountabilities for risk management, with a clear separation of duties • Open and transparent communication and escalation of risk issues • “bad news must travel quickly” Business Units Group Risk Management • Fully accountable for risk outcomes in their business • Within the central framework set by GRM, BUs are accountable to the Group for the realisation of returns, whilst delivering these within the articulated risk appetite • Dual reporting of Business Unit Risk Heads to BU Managing Director and CRO • Independent group • Global accountability to the CEO and Board for the effectiveness of the Group's risk management framework, including risk policy, and for the risk governance of the total group portfolio
Banks hold Economic Capital for “Unexpected Loss” Conceptual Framework: • Risk models employed to quantify economic risk are used to allocate “economic” or “risk” capital - the amount of capital needed to support an organisation’s risk-taking activities • Risk capital allocation systems are typically based on institutional estimates of their loss distributions for the relevant risk types • Economic capital allocated to a particular activityreflects that activity’s marginal risk contribution to the organisation, taking into account diversification (where possible). Probability of loss Potential catastrophic ‘unexpected loss’ against which it is too expensive to hold capital Expected level of loss (cost of doing business) Zero losses ‘Unexpected loss’ for which capital should be held Applications: • Measure risk-adjusted profitability and ensure efficient usage of shareholder funds • Portfolio risk management in the setting of limits & reporting of portfolio credit quality
The “risk spectrum” RISKS Not Modelled Modelled Market Operational Business/Strategic Reputational Credit ECONOMIC CAPITAL FOR ALL THESE RISKS ? Underwriting Tax Liquidity Enterprise Value • Downside Risk is mostly here • Regulators & Debt Holders focus on this side because concerned about protection from default and systemic risk • Executives often delegate management of these to Risk Managers, who try to quantify them • Upside rewards are here • Equity Holders (& Managers with Equity stakes) very concerned about these • Executives often manage these themselves!
“RAROC” Method of Pricing Loans for Risk ComponentExampleSource Cost of Funds 6.00% Funds Transfer Pricing Systems Loan Loss Provision 0.53% Credit Risk Models Direct Expense 0.15% Indirect Expense 0.15% Product Cost Accounting Systems Overhead 0.10% Total charges beforecapital charge 6.93%Capital Charge 0.45% Total Required “Breakeven” Loan Rate 7.38% Capital calculation Allocated equity/loan = 6.7% Opportunity cost of equity = 12% (“hurdle rate”) FTP Benefit = 6% After tax capital charge = 0.067x (0.12 - 0.06) = 0.4% Tax Rate (imputation-adjusted) = 0.108 Pre-tax capital charge = 0.4%/0.892 = 0.45%
Balancing Risk and Return The key is to find the right balance between risk and return: • This is one of the key responsibilities of the Board and CEO • Fundamentally the taking and management of risk for a return is a business line function • The mission is to stay within the “expected” loss rate, which is built into business plans, pricing and margins • However, invariably businessmen, including bankers are on balance, optimistic… • Since uncertainty and business “fade” increases with time, higher discount rates are needed for future cash flows, and this rarely happens… • Therefore need for Board, CEO and Chief Risk Officer to maintain a balanced perspective • Supported by objective advice and control by professional risk managers • Governed by the Board, and its Risk Management and Audit Committees
The Role of the Chief Risk Officer (CRO) • Understand the business! • Understand the risks: • Identification, assessment, measurement, mitigation/response, policy, monitoring, reporting… • Understand (and shape) the risk strategy and appetite of the organisation • Understand the needs of all stakeholders: Board, CEO, Executive Management, Regulators, Rating Agencies, Investors, Staff, Customers, Community • Ensure agreement re: expectations of the CRO role, and how risk management performance will be measured • CRO is “Chief Transparency Officer” – need to ensure “bad news travels” – high level of integrity required
The Opportunity… To create and position Risk Management in our organisations as a source of distinction and competitive advantage, underpinning sustainable performance and growth
Agenda (II): Basel II • Basel II – What is it? • Impact of Basel I • Key Changes in Basel II • Implementation Challenges • Operational Risk Capital • Pillar 3 • Home/Host Issues and Challenges • Basel II Implementation: Key Next Steps For India • Conclusion
Basel II - what is it? • The method for determining the minimum amount of regulatory capital a bank should hold is set by the “Basel Committee”, a sub-committee of the Bank for International Settlements, and is known as the “Basel Capital Accord”, implemented in 1988. • A new framework has been developed over the past 6 years that is commonly known as Basel II. These new proposals are designed to replace the 1988 Accord with a more “risk sensitive” regulatory capital framework. • The key objective of Basel II is to improve stability of the global financial system by encouraging improved risk management practices and requiring banks to hold a level of capital which is commensurate with their risk profile.
The 1988 Basel Accord – “Basel I” • Two main objectives lay behind the adoption of a single capital standard for internationally active banks: • To help strengthen the soundness and stability of the Banking system by encouraging banking organisations to boost their capital positions • By adopting a standard approach across banks in different countries it would act to reduce competitive inequalities • The structure was intended to: • Make regulatory capital more sensitive to risk profiles among banking organisations • Take off-balance sheet exposures into account when assessing capital adequacy • Lower the disincentives to hold liquid, low risk assets.
The Impact of Basel I • The Basel Committee Study of 1999 into the impact of Basel I, suggests that: • Relatively weakly capitalised banks improved their capital ratios, and overall capital levels increased in most countries. • Bank regulatory capital pressures during cyclical downturns in the US and Japan may have limited bank lending in these periods and contributed to economic weakness in some sectors • Banks have learnt to exploit the broad-brush nature of the Basel I requirements – in particular the limited relationship between actual risk and the regulatory capital charge. For a number of banks this has started to undermine the meaningfulness of the requirements. • Mixed conclusions as to whether the uniform nature of the regulatory capital charge within asset class may induce banks to substitute towards riskier assets in the class – thus leading to a rise in the riskiness of the banks’ portfolios. (There are clearly other considerations that may influence this position eg. bank risk appetite, market disciplines, regulatory and rating agency influences etc.)
Basel II: The Three Pillars Basel II consists of three mutually reinforcing pillars: Pillar 1: Minimum Capital Requirements Pillar 1 provides the calculation methods that will be used to determine the minimum amount of regulatory capital a bank must hold in the three major types of risks a banking operation faces - credit risk, market risk and operational risk. A menu of approaches is available to measure: Credit Risk (Standardised, Foundation internal ratings based approach and Advanced internal ratings based approach - the latter two requiring the application of sophisticated and rigorous credit risk modelling capabilities) Operational Risk (Basic Indicator, Standardised and Advanced measurement approaches). The requirement to hold regulatory capital for operational risk is a material new requirement. Market Risk (Standardised and Internal models approach). This element is almost completely unchanged in the new framework following its overhaul in 1996.
Basel II: The three Basel Pillars (cont.) Pillar 2: The Supervisory Review Process Pillar 2 requires regulators to ensure each bank has sound internal processes in place to assess the adequacy of its capital (based on a thorough evaluation of the risks), with the supervisor placing considerable emphasis on the effectiveness and robustness of a bank’s internal risk management capability. Pillar 3: Market Discipline Pillar 3 aims to bolster market discipline through enhanced disclosure of risk information to the market. More detail will be disclosed to the market on the types of loans a bank carries, the rate at which loans default and how well credit rating tools predict these defaults. Market participants will have more information to better understand bank risk profiles and the adequacy of bank capital positions.
The Basel II Approaches to Credit and Operational Risk Capital Credit Risk Capital Standardised Internal Rating Based (IRB) - Advanced Internal Ratings Based (IRB) - Foundation Allows application of internally developed rating systems (default probabilities) with greater recognition of physical collateral. Minor modifications to the current (Basel I) Accord, allowing the use of external ratings and some collateral recognition. Internally determined default probabilities, loss given default and exposure at default factors can be used, subject to very stringent criteria. Operational Risk Capital Basic Indicator Approach Standardised Approach for Operational Risk Advanced Measurement Approaches A range of advanced capital assessment techniques will be allowed, subject to a set of stringent qualifying criteria. A similar calculation based on a % of gross income using distribution factors across eight Basel-defined business lines. A coarse calculation based upon a straight percentage (15%) of gross income.
Key changes in Basel II • The risk-weighting functions used to determine credit risk capital in the advanced approaches under Basel II provide a much more accurate measure of risk compared to the crude risk weights used in Basel I. However, concentration and diversification are not taken into account in the Pillar 1 formulae • Addresses the principal weaknesses of Basel I, in particular removing incentives to arbitrage the capital requirements through securitisation • Inclusion of a regulatory capital charge for operational risk • Advanced approaches require the embedding of risk management tools and systems in day-to-day bank management • Framework matches the entity in terms of its level of sophistication resulting in a more tailored approach commensurate with a bank’s risk profile
Key changes in Basel II (cont.) • Pillar 2 provides supervisors with a framework that enables a better understanding of the risks associated with a bank’s businesses – the new Accord places a far greater emphasis on assessing the appropriateness of internal risk management processes including risk management practices, governance frameworks, risk measurement philosophies and bank risk profiles. • Greater disclosure will help ensure banks maintain prudent lending standards and focus on improving and keeping pace with evolving risk management practices • While many of these changes are positive, “procyclicality” is an issue of material concern to many.
Basel I Risk Weights versus Basel II Basel I Basel II Remainder eg Personal/ Corporates 100% 600% 100% 80% 60% 40% 20% 0% 120% 100% 80% 60% 40% 20% 0% Mortgages 50% Risk Weights Risk Weights Risk weight sensitive to borrower’s credit risk Banks 20% Govt 0% Increasing default risk • The blunt risk weights and capital attribution of Basel I have been considerably refined (using complex formulae) in the IRB approaches in Basel II
Challenges faced by banks in implementing Basel II • Basel II is far more complex than its predecessor – the current Basel Accord - and considerably more comprehensive in its coverage. Some of the key issues Banks and regulators are facing as part of its implementation are: • Rigorous credit rating tool validation requirements • Insufficient data in certain products or geographic segments to meet the long-run “through the economic cycle” needs of Basel II • Obtaining business buy-in to Basel II – are the benefits worth the cost? • Managing the change process • Board involvement and Risk Governance requirements • IT systems developments, enhancements and integration • Implementation challenges for the new operational risk framework • Pillar 3 reporting under Basel II • Inconsistent application of Basel II across jurisdictions
Operational Risk Capital • Regulatory Capital for Operational Risk: • Basel I (1988 - now)- zero • Basel II (2008 onwards) - substantial!
Capital for Operational Risk: The Big Controversy! • How much capital should be held for Operational Risk? • ~20%? (Basel CP2, January 2001) • ~12%? (Final Basel Accord, June 2004) • (Other?) * The magnitude of this shift illustrates the difficulty of the measurement challenge!
Operational Risk: The Difficulty of Measurement • In recent years, we have seen the first serious attempts to measure operational risk… the birth of a new discipline! • The industry has made great progress, but difficult questions remain: • What are the principal determinants of the level of Operational Risk? • What are the key differences between Operational, Credit and Market Risks? Which statistical methods used to measure Credit and Market Risk are applicable to Op Risk? • When is historical loss experience a reliable guide to Operational Risk in the future? More generally, how can Operational Risk measures be made forward-looking? • What is the role of historical information, including loss data?
The Difficulty of Measurement (cont.) • The industry has made great progress, but difficult questions remain: • When is external information (including loss data) relevant? How should it be used? • How should specific operational scenarios be incorporated in the measurement of Operational Risk? • What about “Key Risk Indicators”? • How can we incorporate an assessment of the quality of operational processes and internal controls into the Op. Risk measurement process? How important is this? • What is the role of Senior Executive judgment in the Operational Risk measurement process? Where is the “right” balance between quantitative and qualitative factors? • How can unexpected loss and capital be measured?
The Difficulty of Measurement (cont.) • A great deal of effort has been expended on these issues… • … and Basel II (AMA) is providing strong impetus to these efforts • However, there is as yet NO consensus about the answers to these questions… “Let a thousand flowers bloom…”!!
The Difficulty of Measurement (cont.) • Key Question: What is the “right” way to measure Operational Risk? • How shall we recognise the answer to this question? • What criteria should we use? • A related question: How can Operational Risk measures be “validated”?(What does this mean, exactly?) • How do we satisfy Basel’s requirement for 99.9% confidence?