Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Enterprise-Wide Risk - The Missing Link in Indian Financial Institutions

An article on Indian banking industry's operational risk management practice and how insurance could have been used to mitigate some of risks.

  • Login to see the comments

  • Be the first to like this

Enterprise-Wide Risk - The Missing Link in Indian Financial Institutions

  1. 1. Enterprise-Wide Risk The Missing Link in Indian Financial Institutions Ram Garg JB BODA GROUP 10 February 2011 Issue 1.1 indemnity insurance market in India. A similar situation was prevailing in south east Asian markets until a decade ago. However, all of that changed in the early 2000s, thanks to willingness of banking institutions to transfer risk to the insurance market. Indian banks are plagued with crime (internal amd external) related losses, yet the current crisis caught little attention from banks as well as regulators. Citibank India's fraud case in Delhi caught many eyes due to the high amount involved in it, but such instances are not rare but common in the banking industry. Industry veterans talked about the need for tighter operational risk management for banks in India. However, risk management has its own limitations and operational risks cannot be eliminated but only reduced (See Figure 1). The role of insurance has been very well recognized by Basel II. Indian banks are required to give due consideration to improve operations in the wider context, and also to fully integrate risk definition, data collection, risk assessment and management, capital allocation, governance mechanisms and insurance program management. Operational risk insurance policies such As a rule of thumb in risk management, risks with potential catastrophic or significant loss should not be retained. T he business environment for Indian banking institutions is becoming increasingly complex and competitive due to widespread distribution network across country. Indian banks are exposed to additional operational risks associated with large number branches across country. The Basel II capital adequacy framework reinforced integrated risk management practice in key areas - Credit, Market and Operational Risk. Indian banks' risk management practice was largely focused on credit and market risk until recently and operational risk received requisite attention only over the last five to seven years. As a result, most banks have set up a dedicated operational risk management team or department in conjunction with the credit and market risk departments. Basel II defines operational risks in a broad range and systematic manner. This article focuses on how banks can transfer their increased operational risk through well established and sophisticated insurance products available in the market. Until now, Indian banking institutions took little interest in operational risk insurance products. They have been securing either peril-specific insurance policies such as money and cash in transit or restrictive and old-aged Bankers Indemnity policy. Banking institutions seldom took insurance seriously and the buying function was left to either procurement department or finance department. Indian banks’ preoccupation with the cost of coverage obscured two real issues - quality of product and adequacy of coverage. Indian banks, therefore, should be asking not only "how much does it cost?" but, more importantly, "what does it cover?" India's erratic and clogged judicial system further discouraged banking institutions to approach court for claim settlement in case of denial of a claim. Therefore, combination of various factors resulted in collapse of bankers
  2. 2. bank then should also conduct audit to insure that these controls are followed. Once risks have been identified and internal controls are implemented, the risk manager must decide the most appropriate action for residual risks. Possible actions may include implementing additional controls to minimize residual risk, transfer to insurance market, and simply retain it or any combination of these options. There are many factors that influence this decision. As a rule of thumb in risk management, risks with potential catastrophic or significant loss should not be retained. Risks events that occur repeatedly and are predictable may not be viable to transfer out and therefore, bank may decide to retain them (See Figure 2). The bank's board must determine its risk appetite or risk retention capacity. It should at least perform an annual review of the bank's risk management and insurance program. The responsibility for risk management rests with the board of directors and management. After the bank decides to insure a particular risk, an expert insurance Although the degree of sophistication in each of those stages will vary depending on bank, the thought and decision making processes that characterize each stage should be well established in every bank if costs, and losses are to be minimized. In establishing a sound operational risk management and insurance program, bank management first must identify its risk exposure in each of its processes. This is the most important of the three steps. It requires a review of all aspects of the bank's present and prospective operations. As new products are marketed or fixed assets acquired, they must be evaluated to determine what risks they present. Once identified, risks need then be analyzed to estimate their severity. One way is to examine the bank's historical loss data. This information should be available within the bank. Internal data may be looked in conjunction with external data or industry loss data. A bank's first defenses against operational losses are its policies, procedures, and internal controls. These systems and guidelines are integral parts of the risk management program. They must be communicated to, and understood by, all bank employees. The as Banker's Indemnity, Computer Crime, D&O and Financial Institutions professional indemnity are complex in nature and coverage depends on policy form being used by insurer and their capabilities to understand claim issues. In India, market agreement wording of Banker's Indemnity has been the mainstay of banks' legacy insurance programs. As widely understood, the policy covers employee dishonesty, robbery, losses in transit, forgery, ATM, and counterfeit money. People are the biggest asset as well as source of threat for banking institutions. A customer deals with a bank officer in daily banking activities and therefore, the officer gets into a position in which there is risk of breach of trust, including criminal. The Citibank India fraud is a case of criminal breach of trust by bank employee and similar to the offence of embezzlement. Since an employee caused losses to the customer and bank, a standard banker's blanket bond policy should have covered the losses subject to other details of investigation. Operational Risk Management (ORM): Insurance an Integral Part ORM in a banking institution, which includes risk mitigation through insurance, is intended to minimize the costs associated with assuming certain types of risk and providing prudent protection. It deals with pure risks that are characterized by chance occurrence and that may only result in a financial loss. ORM does not address speculative risks that afford the opportunity for either financial gain or loss. There are three stages in risk management: 1. risk identification and analysis, 2. risk control, and 3. risk action. 11February 2011 Issue 1.1 ERM Journal Figure 1
  3. 3. broader categories of risk, so-called blended policies. Insurance specialists have managed to redesign blended policies combining two or more individual insurance policies to eliminate any overlapping and increase scope of coverage. However, these developments have been noticed only in few banks yet. Cyber Security: Provides much wider coverage than ECC. It aims to address new risks emerging from wider use of technology by banks. Financial Institutions Professional Indemnity (FIPI): Provides cover against liabilities to third parties for claims arising out of employee negligence while providing professional services (e.g. investment advice) to clients. Directors and Officers Liability (D&O): Covers the personal assets of directors against claims arising from legal actions arising from the performance of their duties. Employment Practices Liability (EPL) Terrorism Cover Unauthorized Trading: A relatively new product covering losses similar to the notorious events experienced at Barings. General Liability: Covers public liability, employer's liability, motor fleet liability etc. In addition, recent developments have brought to the market coverage for broker should be appointed to develop appropriate insurance program with insurers/reinsurers. There are a number of insurance policies available to cover operational risk perils for a bank. Here is a brief description of them. These covers described here in this document may be found under different names in different market. Insurance for financial institutions covering operational risks come in a number of forms and more new types of coverage are being developed. The present market offers peril-specific coverage - that means cover is available separately for specific categories of risk. Some of the policies currently in the market include: Bankers Blanket Bond (BBB): Provides cover against dishonesty or default on part of an employee as well as fraud and forgery. Some policies have a broader coverage including damage to physical property, counterfeit currency, and trading losses. Electronic Computer Crime (ECC): Provides cover against computer failure, viruses, data transmission problems, forged electronic funds transmissions etc. 12 February 2011 Issue 1.1 ERM Journal Figure 2 Ram Garg is a finance professional with over 10 years experience in financial services industry including insurance broking experience, 7 of which are in ASEAN region. He began his career with NY head quartered Stern Stewart & Co. in Mumbai specialising in corporate finance consultancy and moved in year 2003 to join Jardine Lloyd Thompson Asia regional team in Singapore where he provided financial and professional risk reinsurance broking services to clients across Asia region including Singapore, Malaysia, Thailand, Indonesia, South Korea, Philippines, India and Pakistan. He has extensively focused on Financial Institutions across Asia region and serviced a number of large banking clients on Basel II compliance, particularly on operational risk management and risk transfer programs. He has undertaken a number of formal independently risk consultancy projects. In year 2009 he joined J B Boda group in Singapore to develop Financial line business with special focus on Financial Institutions across Asia and Middle East region. Ram is a CFA from CFA Institute USA, MBA from University of Wales UK, and BBA from Indore University India.