Banking Compliance Professional CBCP PDF

Summary

This document covers the definitions of risk and risk management in banking, including the importance of risk management for banking operations, as well as aspects of risk assessments and types of risks.

Full Transcript

01.Risk Definition & Policies In simple terms, Risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on...

01.Risk Definition & Policies In simple terms, Risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences. Business risk is defined as the possibility of occurrence of any unfavourable event that has the potential to minimise gains and maximise loss of a business. In simple words, business risks are those factors that increase the chances of losses in a business and reduce opportunities of profit. Risks and Risk Management in Banks Banking risk management is the process of a bank identifying, evaluating, and taking steps to mitigate the chance of something bad happening from its operational or investment decisions. This is especially important in banking, as banks are responsible for creating and managing money for others. Typically, risk teams separate fraud and compliance operations, resulting in separate teams for fraud risk management, responsible for managing risk associated with fraud operations, and compliance risk management, responsible for managing risk associated with compliance operations. The Importance of Risk Management in Banking Banks are cornerstone institutions of national and global financial systems. So while they are allowed to have some degree of risk, they are typically afforded much less risk than other industries. This is because if they fail, it slows or halts the creation and exchange of money, which has far-reaching impacts on the rest of the economy. Some specific reasons for the importance of risk management in the banking sector are that it helps banks to: a) Avoid wasting or needlessly losing the money they need to stay in business b) Avoid disruptions to their operations Page 10 of 369 c) Maintain confidence from investors and customers to continue doing business with them d) Comply with laws and regulations to avoid paying non-compliance fines The Risk Management Process The risk management process in banking typically involves six components: Identification: Defining the nature of financial risks, including where they originate from and why they pose a threat to the bank. Assessment and Analysis: Evaluating how likely a risk will pose a threat to the bank, and how grave that threat will likely be. This helps a bank prioritize which risks deserve the most attention. There are two types of risk assessments: Qualitative Risk Assessment and Quantitative Risk Assessment. Qualitative Risk Assessment Risk assessments are inherently qualitative – while we can derive metrics from the risks, most risks are not quantifiable. For instance, the risk of climate change that many businesses are now focusing on cannot be quantified as a whole, only different aspects of it can be quantified. There needs to be a way to perform qualitative risk assessments while still ensuring objectivity and standardization in the assessments throughout the enterprise. Quantitative Risk Assessment Finance related risks are best assessed through quantitative risk assessments. Such risk assessments are so common in the financial sector because the sector primarily deals in numbers – whether that number is the money, the metrics, the interest rates, or any other data point that is critical for risk assessments in the financial sector. Quantitative risk assessments are easier to automate than qualitative risk assessments and are generally considered more objective. Mitigation: Designing and implementing bank policies and processes that limit the chance that risks will become threats, and that minimize the damage threats may cause. Page 11 of 369 Monitoring: Gathering data on threat prevention and incident response to determine how well a bank risk management strategy is working. This also involves researching emerging risk trends to determine if a bank’s risk management framework needs (or will need) updating. Cooperation: Establishing relationships between enterprise risks and mitigation strategies across different areas of the bank’s operations to create a more centralized and coordinated threat response system. Reporting: Documenting and reviewing information related to the bank’s risk management efforts to gauge their effectiveness. This is also used to track how the bank’s overall risk profile changes over time. These components need to be carried out together - and repeated regularly - in order to give banks as much protection against risk as possible. Types of Risk Management in Banking Bank risk management has a number of different threat areas to cover. The challenge isn’t just how many different types of risk there are though, it’s also about how much control an organization actually has over these factors. To help organizations navigate the different types of banking risk management areas to analyze, we’ll explore each in detail below. 1. Credit Risk Credit risk is one of the most common types of risk for banks. Put simply, it’s the risk of a bank lending money to a customer and not having it paid back. This can decrease the amount of assets a bank has available to meet its financial obligations. It can also cost the bank extra money if it deploys methods of trying to recoup the money it’s owed. Mitigation of Credit Risk Mitigating credit risk boils down to knowing two things. First is the bank’s overall financial position, in terms of how much in losses it can take while still being able to operate effectively. Page 12 of 369 Second is knowing a specific customer—understanding their financial history and situation, as well as their general financial behaviour, to evaluate the amount of risk they pose of defaulting on a loan. A bank can then tailor a customer’s lending agreement to have tighter or looser terms, depending on their level of risk. 2. Market Risk Also known as systematic risk, market risk is the chance that an adverse event outside the banking industry itself will negatively affect a bank’s investments. This could be from an issue in a single industry—such as the US housing market collapse in 2008—or from a general national or international economic downturn. Other types of crises, such as political instability or natural disasters, can also increase market risk. Mitigation of Market Risk In some cases, market risk can be mitigated by diversifying a bank’s investment portfolio. However, there are other times where this strategy won’t work because a crisis will affect multiple interdependent industries. Some other tactics that can work include investing in staple industries (such as utilities or consumer packaged goods), employing a long-term investing strategy, or keeping more of a bank’s assets in liquid form. 3. Operational Risk Operational risk refers to risks incurred based on how a bank is run from day to day. For example, if employees are poorly trained, they may make more errors that cost the bank time and money to correct. Or if the bank has an inadequate IT infrastructure, its systems may break down, disrupting services to customers. A component of operational risk is cybersecurity risk. This is how likely cybercriminals are to successfully attack a bank’s digital systems. The resulting theft or destruction of digital money or sensitive information can significantly hinder a bank’s ability to operate effectively. It can also put customers and stakeholders at risk. Page 13 of 369 Mitigation of Operational Risk Operational risk can be limited in a few ways. One is to hire the right people and properly train them on both the bank’s processes and its ethical culture. Another is to secure the bank’s tech stack, including thoroughly vetting third-party service providers, as well as staying up-to-date with cybersecurity threats and trends. Automating processes with technology—such as customer onboarding—can help reduce human error. Implementing feedback and data collection programs can help address any updates needed as the bank’s risk profile changes over time. 4. Reputational Risk Reputational risk refers to the risk that a bank will lose confidence from its investors and customers, and thus lose funding or business (respectively). It’s basically a side effect of any other risk a bank encounters, but that doesn’t mean it’s any less threatening. It can be caused directly by the bank’s business practices or employee conduct, or indirectly by the bank being associated with a person or group that has a negative reputation. For example, reputational risk might result from a client receiving poor customer service from the bank and then telling others about it—either through word of mouth or on social media. Or a news outlet may publish a story revealing corruption among some of a bank’s management staff. Mitigation of Reputational Risk Minimizing reputational risk starts with defining the bank’s core ethical values. Develop these in concert with stakeholders, and conduct proper training on them so employees understand how they are expected to conduct themselves. A bank should also research its reputation in news outlets and on social media, addressing concerns and taking responsibility for mistakes whenever appropriate. Reputation management software can help with this. The bank should also develop a contingency plan in case a reputation-affecting incident occurs. Page 14 of 369 It should focus on quick and transparent communication, outlining what controls are being used to help minimize the damage, as well as how the bank will determine what it will do differently in the future to avoid the same mistake happening again. A bank may want to hire a public relations firm, or use specialized reputation management software, to assist with this and other reputational risk management processes. 5. Liquidity Risk Liquidity risk refers to the chance that a bank will run out of physical money, including if it can’t convert its other assets into cash fast enough. Thus, it becomes unable to meet its short-term obligations to creditors or customers. A recent trend that threatens to elevate banks’ liquidity risk is an increase in the number of bank runs. A bank run happens when rumours that a bank may fail in the near future cause its customers to panic. They then try to withdraw as much cash as possible from the bank before they potentially lose access to their money. Bank runs rapidly decrease the amount of liquid assets a bank has available to meet its short-term debts. So while rumours of the bank failing may not have been completely accurate, the bank run still causes a spike in the bank’s liquidity risk. This makes it much more likely that the bank actually will fail. Especially if they result in bank failures in this way, bank runs can also damage overall consumer confidence in the entire financial system. This can lead to a domino effect of further bank runs, and potentially more bank failures as a consequence. To make matters worse, with the advent of the internet, bank runs are becoming more threatening than ever. Rumours of a bank’s financial troubles can spread very quickly over online communications, especially social networks. And the ability to make electronic funds transfers means that customers can withdraw money almost instantaneously without actually setting foot in a bank, making it difficult for the bank to control how fast it’s drained of available cash. Page 15 of 369 Mitigation of Liquidity Risk Banks can manage their liquidity risk by more regularly forecasting their cash flow—that is, how fast liquid assets are coming into a bank versus leaving it. Part of this is understanding the potential risks associated with the different ways a bank is funded, from investing to customers. A bank should also have a contingency funding plan (CFP) in place to address liquidity shortfalls. Banks can also conduct stress tests—creating hypothetical risk scenarios that would cause a loss of liquidity, and estimating how much liquidity would be lost in each instance. This can allow a bank to create baseline liquidity rates, helping to ensure it has enough working capital in the event of a crisis. 6. Compliance Risk Bank compliance risk involves the risks a bank takes by not fully complying with applicable government laws or industry regulations. These can include punitive fines, civil lawsuits, criminal charges, and even economic sanctioning. Compliance risk includes a component of reputational risk, as well. Banks exposed as being non-compliant often lose the trust of their investors and customers, which hurts their ability to make money. They can also cause a downturn in overall consumer and investor trust in the entire banking industry or financial system. Mitigation of Compliance Risk A bank can manage compliance risk by having employees on staff familiar with applicable laws and regulations—for most organizations, this is an AML compliance officer. It’s also essential to equip them with the right tools to automate processes where possible, quantify and analyze activity patterns, and keep on top of any other obligations. One of these obligations should be to understand the other types of risks that a bank faces, as well as assess how likely they are and how impactful they would be. This allows a bank to identify areas of residual risk where it may not entirely be meeting compliance requirements, and strengthen controls there. Page 16 of 369 Finally, a bank should make compliance part of its overall culture. This means educating employees outside of the compliance and risk management teams on what laws and regulations the bank has to comply with, and why they can play important roles in ensuring this happens. It can also mean proactively addressing reputational risk. A bank can do this by summarizing what it’s doing (in a practical sense) to remain compliant, and how that protects the interests of customers and other stakeholders. 7. Legal Risk Legal risk is the possibility of financial or reputational loss, or operational disruption, that can result from not following laws, regulations, or contractual obligations. It can also include the risk of court action, whether domestic, European, or international, or the risk of penalties for not complying with legal requirements. Some types of legal risks include – Disputes and Regulatory Risks Legal risk can arise from a lack of awareness or understanding of how the law applies to a business, its relationships, processes, products, and services. It can also be caused by ambiguity in the law, or reckless indifference to it. To minimize legal risks, companies can: Seek legal advice, Use written contracts, and Minimize confusion in case of litigation. 8. Interest Rate Risk Changes in interest rates affect bond prices and, as a result, debt mutual fund returns. Bond prices decline when interest rates rise, and vice versa. This is referred to as interest rate risk. 9. Currency Risk or Exchange-Rate Risk Currency risk, or exchange-rate risk, arises from the change in the price of one currency in relation to another. Investors or firms holding assets in another country are subject to currency risk. Page 17 of 369 Best Practices for Banking Risk Management In addition to the tips above for managing specific types of banking risks, there are certain things a bank can do to have an overall more effective risk management program. Here are some examples. Establish a finance institution-wide risk governance framework This is another way of saying that it’s important to involve everyone who works at the bank—not just risk and compliance team employees—in the bank’s risk management operations. Department leaders should brainstorm with their teams, and then collaborate with executives, to develop an overall risk profile for the bank. This should be shared among all bank stakeholders so they understand what risks a bank faces and why it’s important to control them. The identified risks should then be delegated to the appropriate departments. Team leaders should work to develop risk management strategies, and ensure that they’re properly understood and implemented, within each department. Decentralizing banking risk management like this helps to make it an institution- wide priority while limiting confusion over risk management roles in banking. Prioritize identity verification & authentication for everyone who interacts with the bank People not dealing honestly with a bank can drastically increase the risks it faces. That’s why a bank should make a point of investing in identity verification and authentication techniques for both customers—whether individuals or businesses—and its own employees. These are especially important during onboarding (whether gaining new clients or hiring new staff), but they should be applied regularly afterwards to ensure everyone is acting in their own capacity. Know Your Customer (KYC) helps to ensure individuals aren’t impersonating others to cheat the system, or acting unlawfully to another party’s benefit. Know Your Business (KYB) is essential for knowing who’s really in charge of a business, and making sure the business itself is legitimate (and not, say, a shell company used simply to hide illicit dealings). Page 18 of 369 Know Your Employee (KYE) is important for ensuring all bank employees are acting in the bank’s best interests, as many risks can be caused by employees misusing privileged information—including sharing it with illegitimate outside parties. Automate tasks related to risk management, like transaction monitoring for banks Checking transactions to see if they pose a threat to a bank or its stakeholders is a tedious—if not impractical—process to do manually. Not only does this cost extra time and money, but it can also actually introduce more risk in the form of human error. The key is to balance between being able to catch transactions (or patterns of them) that are likely risky, and filtering out false positives that unnecessarily take up a risk management team’s time. Transaction Monitoring helps with this in two ways. First, it looks beyond strictly monetary data streams to other activities that may be deemed suspicious. This allows banks to create more complete and accurate risk profiles for customers and transactions. Second, it employs machine learning in banking risk management to create “alert scores”. These are ratings based on a customer’s transaction history, the bank’s case history, and other factors that indicate how likely a suspicious activity alert will be a true positive. This allows a bank’s risk management team to better prioritize which alerts actually warrant a manual investigation. Keep up with both individual cases and overall financial risk reporting When incidents happen that present heightened risk to the bank, it’s important to not try and deal with them as a single group. Compartmentalize them based on the relevant information, and then delegate them to separate teams or team members. This allows for handling more incidents at once, while still allowing each team to have greater focus on data analysis and pattern visualization for each incident. This is a strategy known as case management. With that said, it’s also helpful to write and file reports regarding incidents on a fairly regular basis. Page 19 of 369 This serves two purposes. First, it reduces compliance risk by demonstrating what practical steps the bank is taking to address risk. Second, when taken together, these reports help paint a picture of a bank’s overall risk management profile— where it faces the most (and least) risk, and how effective its controls are in mitigating certain types of risk. Continually Assess, Analyse, and Act on Risk Metrics Risk management in the banking sector—or anywhere else, for that matter—isn’t a static process. A bank’s staff or clientele can grow and change. New technological standards get developed, which can lead to both better security and new avenues for risk. And new regulatory requirements are put in place to address the evolving landscape of threats to banks. That’s why the risk management process in the banking sector has to be dynamic. Banks need to assess how well their current controls are handling risk, and what areas of risk may need further attention. They also need to look at what risks they may face in the near future, and determine if their systems are capable of adapting to properly manage those risks. Above all, though, a bank has to take action—creating and updating risk management plans based on its analysis and implementing governance structures to ensure all employees are on board and doing their part. Manage Banking Risk Today and Tomorrow The future of risk management in banking will likely shift more and more to digital spaces, as customers demand faster and more convenient ways to bank. The emergence of Decentralized Virtual Currencies, Neobanks, and Banking as a Service (BaaS) functions will likely prompt banking regulatory changes in an attempt to address the potential for such technologies to be exploited by cybercrime. Every risk needs to be eliminated or contained as much as possible. Page 20 of 369 Risk Management Risk management is an important business practice that helps businesses identify, evaluate, track, and improve the risk mitigation process in the business environment. Risk management is practiced by the business of all sizes; small businesses do it informally, while enterprises codify it. Businesses want to ensure stability as they grow. Managing the risks that are affecting the business is a critical part of this stability. Not knowing about the risks that can affect the business can result in losses for the organization. Being unaware of a competitive risk can result in loss of market share, being unaware of financial risk can result in financial losses, being aware of a safety risk can result in an accident, and so on. Businesses have dedicated risk management resources; small businesses may have just one risk manager or a small team while enterprises have a risk management department. People who work in the risk management domain monitor the organization and its environment. They look at the business processes being followed within the organization and they look at the external factors which can affect the organization one way or the other. A business that can predict a risk will always be at an advantage. A business that can predict a financial risk will limit its investments and focus on strengthening its finances. A business that can assess the impact of a safety risk can devise a safe way to work which can be a major competitive advantage. If we think of the business world as a racecourse then the risks are the potholes which every business on the course must avoid if they want to win the race. Risk management is the process of identifying all the potholes, assessing their depth to understand how damaging they can be, and then preparing a strategy to avoid damages. A small pothole may simply require the business to slow down while a major pothole will require the business to avoid it completely. Knowing the severity of a risk and the probability of risk helps businesses allocate their resources effectively. If businesses understand the risks that affect them then they will know which risks need the most attention and resources and which ones the business can disregard. Page 21 of 369 Risk management allows businesses to act proactively in mitigating vulnerabilities before any major damage is incurred. There are different types of risk management strategies and solutions for different types of risks. Importance of Risk Management Risk management is important because it tells businesses about the threats in their operating environment and allows them to pre-emptively mitigate risks. In the absence of risk management, businesses would face heavy losses because they would be blindsided by risks. Risk Management Evaluation Any business that wants to maximize its risk management efficiency needs to focus on risk management evaluations. These evaluations and assessments help businesses truly understand their own capabilities, strengths, and vulnerabilities. More evaluations result in more insights about where the business needs to improve its risk management framework. It can be difficult to carry out these evaluations manually, but risk management solutions and technology can simplify the evaluation and assessment workflow. It is important to do an evaluation before making any major changes to the risk management framework. @@@ Page 22 of 369

Use Quizgecko on...
Browser
Browser