ERM Chapter 10 Embedding ERM in Banking

https://preteshbiswas.com/wp-content/uploads/2025/03/Embedding-ERM-in-Banking-1.wav

Enterprise risk management, according to COSO, refers to the culture, skills, and practices that organizations integrate with their strategy development and implementation to handle risks while generating, maintaining, and enhancing value. It connects with and spans across all areas of risk management within an organization. Various risk management methods exist within organizations, tailored to specific regulatory or operational needs, such as those related to Information Technology; Health, Safety, Security, Environment, and Social factors; Portfolios, Programmes, and Projects; Insurance; Banking; Supply Chain; and Legal domains.

Enterprise Risk Management (ERM) in banking follows the same fundamental principles as in other industries, aiming to manage uncertainties that may impact the achievement of objectives. However, banks face unique challenges that require additional considerations. This section highlights several critical factors specific to the banking sector, but first, we provide a high-level overview of a bank’s core functions and key risks. The following additional considerations are dealt with in the coming lessons:

  • Conduct risk.
  • Banking categorisation of risks.
  • Basel and national regulation and the requirement for reserves against risk.
  • Banks can use their own risk calculation models in certain cases.

Banks usually follow risk categories set by regulators. This helps make reporting to regulators and the public consistent. The main risks are:

  • Strategic: Uncertainties that may affect, or may be created by, an organisation’s business strategy and strategic objectives.
  • Credit: The risk of loss due to counterparty default. It is restricted to default, or to situations where the counterparty can pay but refuses to make payment when due.
  • Market: The risk of loss due to adverse changes in market conditions, rates or prices, or to fluctuations in volatility. Market risk includes price risk, volatility risk, interest rate risk and foreign exchange risk, among others.
  • Liquidity: The risk of not having adequate funds available to meet financial commitments as they fall due. This may be caused by local or foreign economic conditions, a reduction in the firm’s credit rating, or situations where the firm wants to trade an asset but cannot because nobody in the market is willing to trade it.
  • Operational: The risk of loss, direct or indirect, resulting from inadequate or failed internal processes, people and systems, or from external events. It is typically sub-categorised as follows:
    • Internal fraud – for example, an inappropriately authorised payment.
    • External fraud – for example, supplying incorrect data to gain insurance cover.
    • Employment practices and workplace safety – for example, fines resulting from harassment, discrimination or constructive dismissal.
    • Clients, products and business practices – for example, a fine for a breach of data protection rules.
    • Damage to physical assets – for example, the cost of repairing a building.
    • Business disruption and system failures – for example, an IT failure.
    • Execution, delivery and process management – for example, a service complaint.

Risk management is highly interconnected, requiring operational risk managers to collaborate with those overseeing other risk categories and justify why certain risks should fall under operational risk management. Even with clearly defined boundaries between risk types, situations may arise that are not covered by existing definitions, necessitating coordination with other risk disciplines. Some key boundary considerations include:

  • Credit Risk: Falls under operational risk if it arises from fraud in lending, procedural failures, inadequate collateral, flawed credit models, or improper loan sales practices.
  • Market Risk: Considered an operational risk if it stems from transactional errors, limit breaches, fraud, or inadequate collateral.
  • Liquidity Risk: Managed as an operational risk if it results from non-economic factors such as forecasting errors, mismatched investment strategies, model failures, or timing issues.
  • Insurance Risk: Becomes an operational risk if caused by failure to follow policies, errors in actuarial modelling, or inadequate documentation.
  • Strategic Risk: Considered operational risk when stemming from poor strategic decisions, weak corporate governance, incomplete due diligence, incorrect advice, or insufficient management oversight.

Basel III

The primary objective of bank regulation is to ensure that banks hold sufficient reserves (risk capital) to absorb financial shocks and remain solvent, maintaining the stability of the banking system. Regulation is continuously evolving, with much of it based on standards issued by the Basel Committee on Banking Supervision (BCBS), commonly referred to as the Basel framework. Established in 1974, the Committee’s standards are widely adopted globally and continue to develop in response to past banking failures. Updates and regulatory changes can be monitored at www.bis.org.

The Three Pillars of Basel Regulation

  1. Pillar 1 – Capital Requirements:
    • Defines how much risk capital banks must hold based on risk-weighted assets (RWAs).
    • Covers credit, market, and operational risks.
    • Outlines acceptable methods for calculating RWAs and eligible capital.
  2. Pillar 2 – Supervisory Review:
    • Requires banks to conduct an Internal Capital Adequacy Assessment Process (ICAAP) to evaluate their capital adequacy and risk profile.
    • Regulators assess the ICAAP through their Supervisory Review and Evaluation Process (SREP) and may challenge banks’ conclusions, including by imposing additional capital requirements. (The ICAAP draws on, but is distinct from, operational risk tools such as the Risk and Control Self-Assessment (RCSA).)
  3. Pillar 3 – Transparency and Disclosure:
    • Mandates banks to disclose their risk management framework, risk exposures, and capital adequacy to external stakeholders.
    • Requires the publication of a Pillar 3 Disclosure Report at least once a year.

Key Principles of Basel Supervision

  1. Capital Adequacy Assessment: Banks must evaluate their capital needs based on their risk profile and maintain an appropriate capital strategy.
  2. Regulatory Oversight: Supervisors review banks’ capital assessments and ensure compliance with regulatory capital ratios.
  3. Capital Buffer Expectation: Regulators expect banks to operate above minimum capital requirements and may demand additional reserves.
  4. Early Intervention: Supervisors should take proactive measures to prevent capital deficiencies and require prompt corrective actions when necessary.

Implementation and Emerging Challenges

Each country implements banking regulations based on the Basel framework. In the UK, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) oversee compliance. A key regulatory challenge is the rapid evolution of banking, particularly with the rise of cryptocurrencies and digital banks. While the same regulatory principles apply, these innovations introduce greater complexity and heightened operational risk.

Use of internal models

The risk a bank faces and the corresponding risk capital it must maintain are determined using either a regulator-prescribed standardised formula or the bank’s own internal models, subject to supervisory approval. Examples of these models are covered in the lessons on internal models. To use internal models, a bank must adhere to certain overarching principles:

  • Senior management must comprehend the internal model, which should align with the bank’s business framework.
  • The model should aid and validate decision-making processes and be thoroughly and uniformly embedded within the risk-management system, addressing a broad enough range of risks to be effective for both risk management and decision-making purposes.
  • Additionally, the model should enhance the bank’s risk-management framework.

Many banks employ the Value at Risk (VaR) model to calculate market risk. VaR estimates the potential loss in a portfolio over a specific timeframe at a set confidence level, assuming typical market conditions and no trading activity during that period. It offers a probabilistic answer to questions like, “What’s the most we might lose tomorrow (or over a week, month, or year)?” For instance, it might indicate a certain percentage chance that losses won’t exceed a specific amount over a given number of days. However, VaR does not reflect the maximum possible loss. At a 95% confidence level, for example, losses are expected to exceed VaR on about 5 out of every 100 business days, and on those days the actual loss could far exceed the VaR figure, sometimes dramatically, as seen in the 2008 financial crisis when losses reached up to 100 times the VaR estimate. This prompted regulators to refine VaR-based risk capital calculations by introducing Expected Shortfall (ES), which measures the average loss on the days when the loss exceeds VaR, over the same period and confidence level (under the Basel Fundamental Review of the Trading Book, ES at 97.5% replaces VaR at 99% for market risk capital). While ES, like VaR, does not cap the potential maximum loss, it is always at least as large as VaR at the same confidence level and typically yields a higher estimate.
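To make the VaR/ES distinction concrete, the following script is an added example (not code from the original page): it computes historical-simulation VaR and Expected Shortfall from a daily loss series, compares them with a normal-distribution VaR, and backtests how many days breached VaR and by how much. The loss series is constructed in-line (pseudo-random with occasional fat-tail shocks, labelled as such in the code) so the script runs offline; the function names are this example’s own.

```python
"""Historical-simulation VaR and Expected Shortfall on a constructed loss series.

Added example, not from the original page. Losses are positive numbers
(say, in millions); a bigger number is a worse day.
"""
import random
import statistics


def make_sample_losses(n=1000, seed=7):
    """Constructed daily losses: mostly mild noise, plus a 1-in-100 shock day.

    This is synthetic data for illustration, not a real P&L history.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        loss = rng.gauss(0.0, 1.0)          # an ordinary day
        if rng.random() < 0.01:             # a fat-tail day the normal model ignores
            loss += rng.uniform(5.0, 20.0)
        losses.append(loss)
    return losses


def historical_var_es(losses, confidence=0.95):
    """Return (VaR, ES) from the empirical loss distribution.

    VaR is the loss that is exceeded on only the worst m = (1-confidence)*n days.
    ES is the average of those m tail losses, so ES >= VaR always holds.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    s = sorted(losses)
    n = len(s)
    m = round(n * (1.0 - confidence))       # number of days in the tail
    if m == 0:                              # too few observations to resolve the tail
        return s[-1], s[-1]
    var = s[n - m - 1]                      # the worst non-tail day
    es = statistics.fmean(s[n - m:])        # average over the m tail days
    return var, es


def parametric_var(losses, confidence=0.95):
    """Normal-distribution VaR: mean + z * sigma.

    This assumes 'typical' market conditions, which is exactly what a
    fat-tailed series violates, so it tends to understate the tail.
    """
    z = statistics.NormalDist().inv_cdf(confidence)
    return statistics.fmean(losses) + z * statistics.stdev(losses)


def backtest(losses, var):
    """Count days whose loss exceeded VaR and report how far the worst day went."""
    exceedances = sum(1 for x in losses if x > var)
    worst = max(losses)
    return {
        "exceedances": exceedances,
        "worst_loss": worst,
        "worst_over_var": worst / var if var > 0 else float("inf"),
    }


if __name__ == "__main__":
    losses = make_sample_losses()
    for conf in (0.95, 0.99):
        var, es = historical_var_es(losses, conf)
        result = backtest(losses, var)
        print(f"{conf:.0%}: hist VaR={var:.2f}  ES={es:.2f}  "
              f"normal VaR={parametric_var(losses, conf):.2f}  "
              f"exceedances={result['exceedances']}  "
              f"worst day={result['worst_loss']:.2f} "
              f"({result['worst_over_var']:.1f}x VaR)")
```

Running it shows the two points the paragraph makes: the number of breaches is exactly the tail fraction implied by the confidence level, and the worst day is a multiple of VaR, which is why ES (the average of the breach days) sits above VaR and why neither figure is a ceiling on loss.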

Conduct risk revolves around two core aspects:

  1. Ensuring equitable outcomes for customers, such as avoiding the mis-selling of products, and
  2. Preserving market stability by refraining from actions that could disrupt the fair functioning of the banking market, like the Lehman Brothers collapse.

Since the 2008 financial crisis, regulators worldwide have sharpened their scrutiny of conduct within banks and insurers. The UK’s Financial Conduct Authority (FCA) provides insight into its focus on conduct risk frameworks, stating that given the recurring nature of conduct risks and related challenges in recent years, it expects firms to include a conduct risk framework in their Regulatory Business Plan. This should outline a structured approach to identifying conduct risks inherent to the firm’s operations. The FCA is particularly interested in:

  • How the firm defines conduct risk,
  • The tools it uses to detect such risks,
  • The role of the first line of defense and business units in identifying conduct risks, and
  • How conduct risk identification aligns across various business segments.

To strengthen conduct risk oversight, the UK regulator has established rules for individuals and senior managers in banks:

For Individuals:

  • Rule 1: Act with integrity.
  • Rule 2: Exercise due skill, care, and diligence.
  • Rule 3: Be transparent and cooperative with the FCA, the Prudential Regulation Authority (PRA), and other regulators.

For Senior Managers:

  • Rule 1: Ensure the business areas you oversee are effectively managed.
  • Rule 2: Take reasonable steps to ensure compliance with applicable regulatory requirements and standards in your areas of responsibility.
  • Rule 3: Delegate responsibilities to suitable individuals and oversee their execution properly.
  • Rule 4: Promptly share any information that the FCA or PRA would reasonably expect to be informed about.

The Banking Banana Skins 2021 (2015 ranking in brackets):

  1. Crime (2)
  2. Macro-economic environment (1)
  3. Technology risk (4)
  4. Security risk (-)
  5. Credit risk (7)
  6. Quality of risk management (6)
  7. Business model (10)
  8. Business practices (8)
  9. Reputation (12)
  10. Sustainability (24)
  11. Corporate governance (19)
  12. Culture (-)
  13. Political risk (5)
  14. International trade (-)
  15. Interest rates (14)
  16. Regulation (3)
  17. Management incentives (20)
  18. Pricing of risk (9)
  19. People risk (22)
  20. Liquidity (18)
  21. Compliance risk (-)
  22. Capital availability (13)
  23. Currency (17)
