Banking risk management: CRO plays crucial role

The culture of risk management began in Bangladesh after the adoption of Basel I capital accords in 1996 by the Bangladesh Bank (BB).

However, Basel I considered credit risk as the only risk. Later, risks like operational, market and liquidity types have come along the way. The BB in 2003 issued five risk management guidelines - Credit Risk Management Guidelines (CRM), Asset Liability Management Guidelines (ALM), Anti-Money Laundering Guidelines (AML), Internal Control Compliance Guidelines (ICC) and Foreign Exchange Management (FEM) guidelines to streamline the risk management culture in Bangladesh's banking sector. BB's Information & Communication Technology (ICT) Risk Management Guidelines in 2006 were followed by its Environmental & Social Risk Management Guidelines. Finally, by issuing the Risk Management Guidelines for banks in 2012, the BB embedded risk management culture in the banking sector of the country.

Bangladesh's banking sector began to gain momentum soon after privatisation of some banks in the late seventies and the beginning of first generation private commercial banks (PCBs) in the early eighties. The emergence of second generation PCBs in mid-nineties prompted a more competitive market with regard to customer services and state-of-the-art technology in banking. The entrance of third and finally fourth generation PCBs further intensified competition in the sector - especially through mobilisation of deposits and procuring creditworthy borrowers. Eventually, a lot of risk issues came along the way, including the risks mentioned earlier.

Risk management functions in a bank may, therefore, include, but are not limited, to the following:

n Identifying material, individual, aggregate and emerging risks;

n Assessing these risks and measuring the bank's exposure to these;

n Supporting the board in its implementation, review and approval of the enterprise-wide risk governance framework that includes the bank's risk culture, risk appetite, risk appetite statement (RAS) and risk limits;

n Ongoing monitoring of the risk-taking activities and risk exposures to ensure they are in line with the board-approved risk appetite, risk limits and corresponding capital or liquidity needs (i.e. capital planning);

n Establishing an early warning or trigger system for breaches of the bank's risk appetite or limits;

n Influencing and, when necessary, challenging material risk decisions; and

n Reporting to senior management and the board or risk committee, as appropriate, on all these items, including, but not limited to, proposing appropriate risk-mitigating actions.

To accommodate risk management functions in the banks, BB initiated steps to implement the functional designation of 'Chief Risk Officer (CRO)' as per Basel II accords and instructed the banks to appoint appropriate professionals in such positions. To understand the role and responsibilities of a CRO, we may refer to the Basel documents called 'Principles for Enhancing Corporate Governance issued in 2010' (revised later in 2015 under Basel III) which include, among others, the following:

n As per Basel III, banks must have an effective independent risk management function under the direction of a CRO with sufficient stature, independence, resources and access to the Board.

n The independent risk management function is responsible for overseeing risk-taking activities across the organisation.

n The independent risk management function (bank-wide and within subsidiaries) should have authority within the organisation to oversee the bank's risk management activities.

n While it is common for risk managers to work closely with individual business units, the risk management function should be sufficiently independent of the business units and should not be involved in revenue generation. This independence is an essential component of an effective risk management function, as is having access to all business lines with potential to generate material risk for the bank, relevant risk-bearing subsidiaries and affiliates.

n The risk management function needs to have sufficient personnel who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff members should have the ability and willingness to effectively challenge business lines regarding all aspects of risk arising from the bank's activities.

n The CRO has the primary responsibility for overseeing the development and implementation of the bank's risk management function.

n The CRO is responsible for supporting the Board in its development of the bank's risk appetite and RAS and for translating the risk appetite into a risk-limit structure. The CRO, together with the management, should be actively engaged in the process of setting risk measures and limits for various business lines and monitoring their performance related to risk-taking and limit adherence.

n The CRO's responsibilities also include managing and participating in key decision-making processes (e.g. strategic planning, capital and liquidity planning, new products and services, compensation design and operation etc).

n The CRO should have the organisational stature, authority and the necessary skills to oversee the bank's risk management activities while also being independent from other executive functions.

n The CRO should have access to any information necessary to perform his/her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines and there should be no "dual hatting" (i.e. occupying two designations and taking care of responsibilities for both at the same time).

n While formal reporting lines may vary across banks, the CRO should report and have direct and regular access to the Board or its risk committee without impediment. The CRO should have the ability to meet with the Board or risk committee in absence of Executive Directors.

n Appointment, dismissal and other changes to the CRO position should be approved by the Board or its risk committee. If the CRO is removed from his/her position, this should be disclosed publicly along with the reasons for the dismissal. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the Board.

If we observe the roles and responsibilities of CRO as per the Basel documents, we find discrepancies between theory and practice. Due to regulatory bindings, most Bangladeshi banks delegate the role of CRO to an existing DMD or equivalent official - but they do not perform their duties as per the recommendations of Basel documents as outlined above. Bangladeshi CROs perform their duties in such a way that overrides the standard practice. They perform the financial and/or business roles as well as the role of CRO, which is hampering the CROs' freedom. They are not in a position to challenge the management for accepting or rejecting a risk due to lack of independence and organisational structure.

If the banks want to effectively use the CROs, they need to establish risk management functions that may include the following:

n Establish a language system to discuss and categorise risk;

n Develop a "big picture" view of risk exposure and focus on the most important one;

n Centralise ownership of process and decentralise decision making;

n Drive process from the top and clearly define roles and responsibilities;

n Quantify risk exposure and the costs and benefits of managing risks;

n Embed IT systems to facilitate the risk-management process;

n Embed a risk-management culture.

In short, it can be viewed that embedding risk management culture in banking sector through CROs may help the other business units of the bank to attain a sustainable growth and avoid liquidity crises and credit crunches as was experienced by the world in 2007-2008. The recent liquidity surplus followed by sudden liquidity crunch in Bangladesh could have been avoided if proper risk management culture was practised in the country.

A few banks already have strong risk management culture in place. Others should follow suit and strengthen the position of CRO. This will eventually foster sustainable growth of the banking sector in the country.

Sheikh Talibur Rahman, email: [email protected] and Md. Mojammel Hoque, email: [email protected]

are bankers associated

with private banks.