Risk Management In Large Bank Plc: Types Of Traditional Risks, Necessary Short-term Changes And New Risks
Very Large UK Bank Plc (referred to as “the bank”) has a wide geographical footprint across the world. It also has diverse operations, ranging from retail banking to a global investment banking unit. This means the bank has a diversified product offering and the scope to take a variety of risks in order to maximise profits.
Before setting out these expectations, I would conduct an organisational review covering:
- A careful review of the organisation structure, the credit risk committee structure, and the credit risk assessment of counterparties and customers.
- Recommendation of credit limits for counterparties and customers.
- A detailed consideration of the credit policy implemented.
- Analysis of the credit scoring model and system, to evaluate the effectiveness of credit risk assessment for loans, controls and capital adequacy.
- The practice of stress testing, which links to provisioning and impairment.
- Understanding the business and lending direction of the organisation.
a) Below are the key points relating to the approach to, and structure of, risk management in the bank. Other areas that could also have been covered include business continuity planning, sovereign risk and credit risk policy.
1. Credit Risk
Given the substantial retail network based in the UK, USA and Western Europe, I would expect the bank to have a credit risk management team in each business unit, with the business risk directors reporting to their respective Head of Business Line and also to the Chief Risk Officer.
I would expect there to also be a group risk function providing business direction, monitoring and challenge of credit risk taking.
I would expect credit risk policies to be implemented, under which large credit exposures are approved by the Credit Committee under Group Risk.
Of course, due diligence on individual and corporate customers is the starting point for credit risk management and counterparty risk.
The approach also extends to the markets and products in which the counterparties are trading; at this stage, credit rating agencies normally play an important part. I would also expect the risk management approach to be under regular review, since risk is dynamic and should be subject to ongoing monitoring and review.
2. Internal and external audit
Due to the size and fragmented structure of the organisation (corporate and institutional banking spans 50 different countries), I would expect the bank to have a strong internal audit function.
The internal audit function should report directly to the non-executive directors and give an unbiased opinion on the controls and risk management framework across the organisation.
Without a strong internal audit function in place, the board would not have sufficient visibility of the effectiveness of the risk management framework across the bank, which could lead to control breaches (such as fraud and dishonesty).
I would expect there to be constant dialogue and meetings between the board and internal audit, to ensure that internal audit is investigating the areas that the board is most concerned about.
Due to the global diversity of the bank, I would also expect internal audit to use external consultants to assist in certain areas (such as banking regulations in new jurisdictions) where they have insufficient knowledge and experience.
3. Interest rate risk
Since the bank has a large and active investment arm dealing in all the major world financial centres, in a range of bonds, derivatives, other financial instruments and wholesale funds, I would expect the bank to use direct or synthetic models to control interest rate risk.
The direct approach involves restructuring the balance sheet by changing the contractual characteristics of assets and liabilities to achieve a desired duration or maturity gap.
The synthetic method relies on the use of financial instruments, mainly derivatives such as interest rate swaps, futures and options and other customised over-the-counter (OTC) derivatives, to alter the balance sheet risk exposure.
I would expect the bank to specify goals for either the market value or the book value of the bank’s net interest income. The purpose of this is for the bank to measure its risk exposure and formulate strategies to minimise or mitigate the risk.
4. Market Risk (systematic risk)
Systematic risk is the risk that markets generally will fall, because of a sudden switch in market sentiment, or a major change in the economy or in government policy.
Therefore, I would expect the bank to adopt hedging to mitigate and manage market risk.
Hedging is any activity which offsets or mitigates the risk of taking a position in a market. There are many financial instruments to accomplish this, such as insurance policies, forward contracts, swaps, options, many types of over-the-counter (OTC) and derivative products, and futures contracts.
Further, I would expect the bank to perform stress testing, which enables it to assess the impact on its business of significant but likely changes; this enables the board to understand the risks they are running and take action if necessary. Mitigation strategies will relate to the type of risk being stress tested: for market risk there is hedging to consider, and positions could be closed out if their uncertainties cause a problem.
5. Legal risk
Legal risk is the exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements.
Therefore, in order to manage legal risk, I would expect the bank to assess the full picture of regulatory compliance and make sure that it has an effective legal risk management function overlapping with, or perhaps also empowered alongside, its regulatory compliance function.
I would expect senior management to lead in ensuring that an effective legal risk management process is in place. It has to keep a close eye on what its peers in the market are doing, and has to have the full support and positive leadership of the board.
As with all risk issues, I would expect the bank to carry out a review on a regular basis, and therefore internal audit will be required to cross-check that legal risk is being managed efficiently.
Given that the bank has expanded its business worldwide, I would expect the bank to need to keep a sound legal footing, as the organisation depends largely on its business culture, environment and the tone set from the top by the board. It is very important that line managers maintain legal awareness and recognise external threats and their implications.
6. Specific risk implications of the investment bank
I would expect the bank to have a strong focus on managing the inherent risks in the investment banking division. History has shown how investment banks can collapse (such as Merrill Lynch and Lehman Brothers). As such, risk management must be very clearly defined and monitored in this area.
For example, I would expect there to be strict controls on the traders within the investment bank, such as stop-loss limits, Value at Risk (VaR) limits, counterparty limits and limits on the Greeks.
Particular attention would also be paid to capital adequacy requirements to ensure that the bank has sufficient capital should the investment bank incur large losses.
Finally, I would expect there to be controls in place to prevent rogue traders from executing trades that fall outside of their mandates, such as a mandatory two-week block holiday each year.
7. People risk
The bank has a large number of staff worldwide, based in the UK, Europe and North America. I would expect the bank to have proper controls to prevent inadequate staffing of product support: the bank is expected to undertake a resourcing assessment and recruit staff before a product launch. Beyond this, ongoing assessment of volumes and resourcing requirements should be undertaken.
There is also a risk of insufficient training for staff selling the product. I would expect the bank to undertake a pre-launch staff skills assessment and implement a training programme pre-launch, with training repeated regularly once in place.
To prevent staff fraud, I would expect the bank to undertake employment screening checks, with segregation of duties enforced and rigorous checking of all payments. All transactions should be subject to audit trails. In addition, regular process audits should be undertaken at least once a year.
b) The short-term changes that I consider necessary are:
1. Information security
Information security is the practice of protecting information from manipulation, modification, disclosure, destruction, and unauthorised access and use. Its importance here is to protect customer personal data, banking records, transactions and account balances. The ISO 27000 series of standards relates to information security; it emphasises that having good information security measures in place is essential, and is based on the three basic principles of confidentiality, integrity and availability. Examples include guidelines on password protection, disabling the print function for confidential documents, limiting the sharing of information with third parties (for instance by email), and using encryption to protect sensitive data.
Below are preventive actions that I would suggest should be taken as soon as possible:
• Individual education
Increasing education on cyber crime prevention techniques is essential, such as choosing strong, secure passwords and not sharing them, updating computer security regularly, securing all networks, and protecting sensitive data using encryption.
• Policy planning
The cyber security framework (introduced in the US in 2014) is based on the five core functions of identify, protect, detect, respond and recover. These provide an overview of how a company is geared to deal with the risk according to guidelines and best practices.
• Cyber incident planning
A common response from companies when dealing with prevention is to build a strong firewall, update to the latest anti-virus software and run scans to detect malware. McKinsey suggests that a cyber incident response plan should contain six parts: an incident taxonomy, data-classification frameworks, performance objectives, definition of response-team operating models, identification and remediation of failure modes, and key tools for use during incident response (Bailey, Brandley and Kaplan, 2013).
2. Three lines of defence model
This model is one of the PRA's approaches to safeguarding the internal control of an organisation.
• First line of defence
This refers to the controls implemented in an organisation to track its day-to-day business transactions and activities.
The controls are designed into systems and processes, on the assumption that they are sufficient to mitigate risk and meet compliance requirements, ensuring adequate control is in place. I would suggest that the bank should also have adequate managerial and supervisory controls in place to ensure compliance and to prevent process inadequacy and unexpected events.
• Second line of defence
This refers to the committees and functions implemented to oversee the effectiveness of the operation.
The committees also serve as advisory and monitoring functions on risk management and compliance.
These functions report to board committees, such as audit and risk, in the third line of defence. I would suggest that committee members should meet the bank's “fit and proper” requirements, as the second line is reinforced by the advisory and monitoring functions of risk management and compliance. I would suggest that their duties include monitoring the risk registers, undertaking regular reviews of these risks in conjunction with line management, providing compliance advice (including on regulatory principles, rules and guidance), and preventing regulatory risk.
I would suggest that the committees report their work and findings to the board’s audit committee or a board risk committee in the third line.
• Third line of defence
This refers to the independent assessment carried out by the board audit committee, made up of NEDs, and by the internal audit function of a bank.
I would suggest that this third line acts as internal audit covering all aspects of both the first and second lines of defence. The findings from these audits are reported to all three lines, including accountable line management, the executive and oversight committees, and the board audit committee.
I would suggest that the effectiveness of internal audit in identifying weaknesses in both the first and second lines is very important; failure to do so may lead to significant loss to the organisation.
Hedging is a position placed in the market to offset exposure to price fluctuations in an opposite position in another market, with the goal of minimising one’s exposure to unwanted market risk. There are many specific financial vehicles to accomplish this, including insurance policies, forward contracts, swaps, options, many types of over-the-counter (OTC) and derivative products, and futures contracts.
For instance, one hedging technique is to buy protective put options. Such products allow an investor to sell stock at a fixed price until the option expires; this is a hedging strategy that protects the investor against loss of value if the stock price drops below a certain threshold. Establishing an option position requires the payment of a premium, much like an insurance policy.
c) Risk management in the 21st century has become more challenging and dynamic, mainly due to uncertainties driven by the risks identified below:
1. Political Risk
Uncertainty in regulation and in global political issues, such as the trade war between China and America and Brexit (the UK leaving the European Union), is heightening tension among the countries involved. The outcomes of these uncertainties are volatile, especially in financial markets. Therefore, it is vital for risk managers to improve and upgrade their risk management strategies and tools to mitigate these potential risks. Examples include:
- Trade war between China and America
- Brexit between the UK and the European Union
- Trade war between Japan and Korea
2. Regulatory regime
The Basel III proposals sought to strengthen the regulatory regime applying to credit institutions, especially the minimum capital requirements banks must meet. The proposals aim to create an international standard for banking regulators to control how much capital banks need to put aside to guard against the types of financial and operational risk banks face. The proposers believe this could help protect the financial system from problems such as a bank run or bank collapse.
The two measures addressing liquidity management are known as the Liquidity Coverage Ratio and the Net Stable Funding Ratio. Basel III also addresses derivatives and securities, increasing the capital charges for all organisations involved in the marketplace.
Finally, stress testing applied under Basel III enables trade capture and exposure aggregation by counterparty, and regular stress testing of market risk factors. It is also suggested that stress testing be performed monthly, address all counterparties, and include a reduction of exposure to concentrations of directional sensitivities.
3. Cyber Crime
Cyber security has become a concern since the rise of smartphones, online shopping and internet banking. The banking system is one of the main targets for cyber crime.
In Malaysia, cyber crime caused losses of RM67mil in 2019, with losses reported from online scams, phishing, identity theft and data breaches. Cyber crime not only causes losses to individuals but is also a risk to countries, for instance through disruption to utilities and infiltration of the financial system; the risks to companies include loss of intellectual property and confidential business information, reputational damage, and the additional cost of securing networks, insurance and recovery from cyber-attacks.
To prevent it, there are preventive methods ranging from people to technology:
- Prevention – preventive actions such as choosing strong, secure passwords and not sharing them, protecting sensitive data using encryption, etc. To raise awareness, education needs to start as soon as possible.
- Policy planning – preventive actions such as companies maintaining an up-to-date cyber security plan. The US introduced a cyber security framework in 2014 which provides a set of standards and best practices to enable a company to manage cyber security risks, consisting of identify, protect, detect, respond and recover.
Therefore, risk management is constantly improving over time according to circumstances, as risks are dynamic. There are improvements to be made in risk management in order to enhance the resilience of financial institutions and to promote global financial stability; the four most important practices are:
- Effective firm-wide risk identification and analysis
- Consistent application of independent and rigorous valuation practices across the firm
- Effective management of funding liquidity, capital and the balance sheet
- Informative and responsive risk measurement and management reporting
- Bailey, T., Brandley, J. and Kaplan, J. (2013) How good is your cyber incident response plan? [Online]. Available from: https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/how-good-is-your-cyberincident-response-plan [Accessed on 29 November 2019]