
Welcome to Banking Quest

RISK BASED SUPERVISION AND RBIA

March 12, 2023, 5:40 a.m.

Prof(Dr.) Kembai Srinivasa Rao, Adjunct Professor at Institute of Insurance and Risk Management & ex Director, NIBSCOM

GIST OF DISCUSSIONS WILL CENTRE AROUND 

  • Background and need for supervision of regulated entities by RBI 
  • Infrastructure of regulation of banks in RBI 
  • CAMELS model – how it was working its way 
  • Need for RBS
  • How RBS evolved 
  • RBIA – how it has evolved and what it is 
  • Assessment basis in RBIA 
  • Branch level action based on RBIA 
  • Merits of RBI, expansion of its scope to NBFCs/Urban cooperative banks 

 EXPANSION OF SCOPE OF BANKING SUPERVISION 

  • Reserve Bank of India has been entrusted with the responsibility of supervising the Indian banking system under various provisions of the Banking Regulation Act, 1949 and RBI Act, 1934. 
  • Prior to 1993, the supervision and regulation of commercial banks was handled by the Department of Banking Operations & Development (DBOD). In December 1993 the Department of Supervision was carved out of the DBOD with the objective of segregating the supervisory role from the regulatory functions of RBI. 

 OFFSITE SUPERVISION (OSMOS)

  • As a part of the supervisory strategy, an off-site monitoring system for surveillance over banks was operationalized in RBI in March 1996. 
  • As a tool for “early warning signals”, the Offsite Surveillance and Monitoring System (OSMOS) plays a key role in identification of risks and monitoring banks on a continuous basis. 
  • OSMOS consists of a set of 28 structured returns that capture prudential and statistical information of banks at periodical intervals. 
  • The information gathered is populated into the OSMOS database, enabling the offsite supervisor to undertake prudential analysis of the bank's Capital, Assets, Earnings, Liquidity, etc. on both solo and consolidated basis. 

 FORMATION OF DEPARTMENT OF BANKING SUPERVISION – DBS IN 1997 

  • Department of Supervision in June 1997 led to the formation of an exclusive Financial Institutions Division within the DoS which was entrusted with both supervision and regulation over all India development financial institutions. 
  • Later, the Department of Supervision was split into Department of Banking Supervision (DBS) and Department of Non-Banking Supervision (DNBS) on July 29, 1997 with the latter being entrusted with the task of focused regulatory and supervisory attention towards the NBFC segment.

 ROLE OF DBS 

  1. Preparing independent inspection programmes for different institutions. 
  2. Undertaking scheduled and special on-site inspections, off-site surveillance, ensuring follow up and compliance.
  3. Determining the criteria for the appointment of statutory auditors and special auditors and assessing audit performance and disclosure standards. 
  4. Dealing with financial sector frauds. 
  5. Exercising supervisory intervention in the implementation of regulations which includes – recommendation for removal of managerial and other persons, suspension of business, amalgamation, merger/winding up, issuance of directives and imposition of penalties.

 WHAT SHOULD BE THE SUPERVISORY APPROACH 

  • According to the Core Principles for Effective Banking Supervision prescribed by Basel Committee on Banking Supervision (BCBS), an effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance. 
  • The supervisory system should be able to identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. 

 RISK BASED SUPERVISION – I

  • Reserve Bank of India (RBI) has embarked on a process to move towards a risk based supervision approach from the earlier transaction-centric CAMELS for commercial banks and CALCS (capital adequacy, asset quality, compliance, systems and controls) approaches for foreign
  • Risk Based Supervision (RBS) envisaged the monitoring of banks by allocating supervisory resources and focusing supervisory attention according to the riskiness of each banking institution.

RISK BASED SUPERVISION – II - DEBUT OF RBS 

  • An attempt was made by the RBI in 2002 to introduce it but due to the lack of appropriate data and control systems it could not be implemented. 
  • A High Level Steering Committee (HLSC) for Review of Supervisory Processes for Commercial Banks was constituted by the Governor, Reserve Bank of India on August 3, 2011 under Dr. K.C. Chakrabarty, Deputy Governor RBI as its Chairman. 
  • The HLSC recommended implementation of Risk Based Supervision (RBS) to focus on evaluating both present and future risks, identifying incipient problems and facilitating prompt intervention/ early corrective action.
  • It was also proposed to replace the prevalent compliance-based and transaction-testing approach (CAMELS) which is more in the nature of a point in time assessment. 

RISK BASED SUPERVISION – III 

  • The RBS process also covers assessment of the Bank’s management of those risks along with its financial vulnerability to potential adverse experiences. 
  • This process is forward looking with a focus on evaluating both present and future risks, identifying incipient problems and facilitating prompt intervention.

RISK BASED SUPERVISION – III 

  • Risk Based Supervision (RBS) which focuses on evaluating both present and future risks, identifying incipient problems and facilitates prompt intervention/ early corrective action should be the approach for bank supervision as against the present compliance-based and transaction testing approach (CAMELS) which is more in the nature of a point in time assessment. 
  • RBS benefits the bank supervisor by optimizing its use of supervisory resources and also helps the regulated entities in improving their risk management systems, oversight and controls.

RISK BASED SUPERVISION - IV

  • In a risk-based supervisory framework, both onsite examination and off-site surveillance feed into one another as they are mutually interdependent. 
  • RBS is, therefore, designed and implemented as a process encompassing both on-site examination and off-site surveillance of banks.
  • The effectiveness of a risk based supervisory process is fundamentally incumbent upon a robust off-site surveillance mechanism. 
  • The essential attributes of a strong off-site supervisory process would include being extensive, proactive and dynamic. With technology firmly rooted in the banking domain, data gathering has become possible, which in turn has made off-site supervision possible.

RBS STEPS AND TOOLS USED IN THE SUPERVISORY REVIEW AND EVALUATION PROCESS (SREP) 

| Steps | Risk Based Tools |
|---|---|
| Understanding the bank | Bank Profile |
| Assessing risks faced by the bank for supervisory purpose | Risk Assessment / Matrix |
| Scheduling and Planning Supervisory Activities | Planning for supervisory actions / interventions |
| Defining Examination Activities, on-site reviews and on-going monitoring | Onsite Inspection – objective, scope, etc. |
| Inspection Procedure | Onsite Inspection, conduct of Supervisory Review and Evaluation Process (SREP), offsite continuous supervision |
| Reporting findings and recommendations and follow-up | Inspection Reports, Updating of the bank Profile |

MERITS OF RISK BASED SUPERVISION 

  1. Improved understanding of the risk profiles of banks, their business and of the quality of management; 
  2. Early identification of emerging risks at individual banks and on a sectoral basis i.e. the risk contagion; 
  3. Ability to indicate the direction of risks and to anticipate future scenarios, and hence a forward-looking capability to initiate supervisory measures where needed; 
  4. Optimum utilization of the supervisory resources with a greater focus on material risks and risk management processes at banks. 

RISK BASED INTERNAL AUDIT (RBIA)

  • It is an independent and effective internal audit function in a financial entity that provides vital assurance to the Board and its senior management regarding the quality and effectiveness of the entity’s internal control, risk management and governance framework.
  • The essential requirements for a robust internal audit function include, inter alia, sufficient authority, proper stature, independence, adequate resources and professional competence.

WHAT RBIA DOES 

  • The risk-based internal audit undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring the inherent risks of the business activity.

POLICY FOR RBIA 

  • Under RBIA, the focus will shift from the present system of full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment. 
  • Banks will, therefore, need to develop a well defined policy, duly approved by the Board, for undertaking risk-based internal audit. 
  • The policy should include the risk assessment methodology for identifying the risk areas based on which the audit plan would be formulated. 
  • The policy should also lay down the maximum time period beyond which even the low risk business activities/locations should not remain unaudited.

FUNCTIONAL INDEPENDENCE FOR RBIA 

  • The Internal Audit Department should be independent from the internal control process in order to avoid any conflict of interest and should be given an appropriate standing within the bank to carry out its assignments. 
  • It should not be assigned the responsibility of performing other accounting or operational functions. 
  • The management should ensure that the internal audit staff perform their duties with objectivity and impartiality. 
  • Normally, the internal audit head should report to the Board of Directors/Audit Committee of the Board

WHO IS RESPONSIBLE FOR IMPLEMENTING RBIA

  • The Board of Directors and top management will be responsible for having in place an effective risk-based internal audit system and ensure that its importance is understood throughout the bank. 
  • The success of the internal audit function depends largely on the extent of reliance placed on it by the management for guiding the bank's operations. 

RISK BASED AUDIT PLAN 

  • The RBIA undertakes risk assessment solely for the purpose of formulating the risk-based audit plan. 
  • The risk assessment would, as an independent activity, cover risks at various levels (corporate and branch; the portfolio and individual transactions, etc.) as also the processes in place to identify, measure, monitor and control the risks. 
  • The internal audit department should devise the risk assessment methodology, with the approval of the Board of Directors, keeping in view the size and complexity of the business undertaken by the bank.  

AUDIT PROGRAM SHOULD PROVIDE 

  1. Objective, independent reviews and evaluations of bank activities, internal controls, and management information systems (MIS). 
  2. Adequate documentation of tests, findings, and any corrective actions. 
  3. Help in maintaining or improving the effectiveness of bank risk management processes, controls, and corporate governance. 
  4. Reasonable assurance about the accuracy and timeliness with which transactions are recorded and the accuracy and completeness of financial and regulatory reports. 
  5. Validation and review of management actions to address material weaknesses

RISK ASSESSMENT PROCESS SHOULD INCLUDE 

  • Identification of inherent business risks in various activities undertaken by the bank. 
  • Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (‘Control risk’). 
  • Drawing up a risk-matrix for taking into account both the factors viz., inherent business risks and control risks. 

 RISK CLASSIFICATION – HIGH, MEDIUM AND LOW  

  • The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out. 
  • The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of controls in various business activities. 

RISK ASSESSMENT METHODOLOGY – PARAMETERS 

  • Previous internal audit reports and compliance 
  • Proposed changes in business lines or change in focus 
  • Significant change in management / key personnel 
  • Results of latest regulatory examination report 
  • Reports of external auditors 
  • Industry trends and other environmental factors 
  • Time lapsed since last audit 
  • Volume of business and complexity of activities 
  • Substantial performance variations from the budget 

RBS RATING FRAMEWORK -I 

  • It is envisaged that the proposed supervisory rating would measure the ‘net risk’ in a bank. 
  • This rating would convey a sense about the ‘riskiness’ of the bank as perceived by the supervisor. The rating grades are:
    1. Good (A)- Probability of failure is well below the supervisory risk appetite 
    2. Satisfactory (B)- Probability of failure is within the acceptable supervisory risk appetite. 
    3. Unsatisfactory(C)- The bank would have a probability of failure marginally higher than the supervisory comfort. 

RBS RATING FRAMEWORK – II 

    1. Poor (D)- The bank has a high probability of failure and would need to not only raise additional capital but also restructure its business to bring down the inherent risks in the business. 
    2. Very Poor (E)- The bank with this rating is no longer a viable entity and would need to be wound up or merged/amalgamated with another bank. 

OVERALL RBIA ASSESSMENT SHOULD FACTOR BUSINESS RISK AND CONTROL RISK OF THE UNIT 

  • Inherent business risks indicate the intrinsic risk in a particular area/activity of the bank and could be grouped into low, medium and high categories depending on the severity of risk. 
  • Control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in the existing control processes. 
  • The control risks could also be classified into low, medium and high categories. 
  • The categorization of bank business is meant to ensure that the oversight is well aligned to the riskiness of the business. 
  • In the overall risk assessment both the inherent business risks and control risks should be factored in. 

COMPOSITE ASSESSMENT OF BUSINESS RISK VS CONTROL RISK – I 

A – High Risk- Although the control risk is low, this is a High Risk area due to high inherent business risks. 

B – Very High Risk- The high inherent business risk coupled with medium control risk makes this a Very High Risk area 

C – Extremely High Risk – Both the inherent business risk and control risk are high which makes this an Extremely High Risk area. This area would require immediate audit attention, maximum allocation of audit resources besides ongoing monitoring by the bank’s top management. 

D – Medium Risk – Although the control risk is low this is a Medium Risk area due to medium inherent business risks. 

COMPOSITE ASSESSMENT OF BUSINESS RISK VS CONTROL RISK – II

E – High Risk – Although the inherent business risk is medium this is a High Risk area because of control risk also being medium. 

F – Very High Risk – Although the inherent business risk is medium, this is a Very High Risk area due to high control risk. 

G – Low Risk – Both the inherent business risk and control risk are low.

H – Medium Risk – The inherent business risk is low and the control risk is medium.

I – High Risk – Although the inherent business risk is low, due to high control risk this becomes a High Risk area. 

WHAT THE BANK/BRANCHES SHOULD DO TO MANAGE RISKS IN BUSINESS AND CONTROL RISKS 

  • The banks should also analyse the inherent business risks and control risks with a view to assess whether these are showing a stable, increasing or decreasing trend.
  • Illustratively, if an area falls within cell ‘B’ or ‘F’ of the Risk Matrix and the risks are showing an increasing trend, these areas would also require immediate audit attention, maximum allocation of audit resources besides ongoing monitoring by the bank’s top management (as applicable for cell ‘C’). 
  • The Risk Matrix should be prepared for each business activity/location.  

RBIA - FREQUENCY – HIGH RISK BRANCHES AT FREQUENT INTERVALS 

  • The annual audit plan, approved by the Board, should include the schedule and the rationale for audit work planned. 
  • It should also include all risk areas and their prioritization based on the level and direction of risk. 
  • Illustratively, the areas or activities identified as high, very high or extremely high risk (based on risk matrix) may be audited at shorter intervals as compared to medium or low risk areas, which may be audited at longer intervals subject to regulatory guidelines, as applicable. 

PURPOSE OF RBIA IS TO ASSESS ADEQUACY AND EFFECTIVENESS OF RISK MANAGEMENT 

  • The primary focus of risk-based internal audit will be to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the banks’ operations.
  • While examining the effectiveness of the control framework, the risk-based internal audit should report on proper recording and reporting of major exceptions and excesses. 
  • Transaction testing would continue to remain an essential aspect of risk-based internal audit. 
  • The extent of transaction testing will have to be determined based on the risk assessment. 

LOGICALLY – SURVEILLANCE IS A FUNCTION OF VULNERABILITY 

  • Illustratively, the bank should undertake 100 per cent transaction testing if an area falls in cell “C- Extremely High Risk” of the risk matrix. 
  • The bank may also consider 100 per cent transaction testing if an area falls in cell “B- Very High Risk” or “F- Very High Risk”, and the risks are showing an increasing trend. 
  • The banks may also consider transaction- testing with an element of surprise in respect of low risk areas which would be audited at relatively longer intervals.

BRANCHES SHOULD EXERCISE DUAL CONTROL 

  • The line management, the bank's first line of defence, should understand business risk well and possess the skills to quantify risk, more or less, in the best possible manner. There can be no standard process, as the business topography differs across different kinds of branches or locations. 
  • Even if high-risk business is entertained, the branch should be able to keep a high level of control to ensure that the resultant risk to the branch is manageable within the overall risk architecture of the bank. 
  • High business risk with high controls could go well. 
  • Medium business risk with high control is well positioned. 
  • Low business risk with high control is the best option. 
  • But in a practical sense, what is needed is to manage the equation between business risk and control risk and to ensure sustainability, so that extra capital is not warranted. 

SCOPE OF RBIA EXTENDED TO NBFC AND UCB

  • In 2021, it was decided to mandate RBIA framework for the following Non-Banking Financial Companies (NBFCs) and Primary (Urban) Co-operative Banks (UCBs):
  • All deposit taking NBFCs, irrespective of their size;
  • All Non-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above; and
  • All UCBs having asset size of ₹500 crore and above.
