Welcome to Banking Quest

RISK BASED INTERNAL AUDIT & RISK BASED SUPERVISION

Sept. 7, 2023, 6:51 a.m.

Dr. Priti S. Aggarwal, ex-Joint Director (IIBF)

Session Coverage

  • To understand the concept of Risk Based Supervision (RBS) and Risk Based Internal Audit of Banks (RBIA)
  • To understand the risk assessment process
  • To understand the audit planning process

 “The key to an organization's success is to manage risks effectively”

CAMELS:

INTERNAL AUDIT

"Internal audit is a dynamic profession involved in helping organizations achieve their objectives. It is concerned with evaluating and improving the effectiveness of risk management, control and governance processes in an organization."

Assurance, advice and insight: like all professions, internal audit has its own skills and qualifications.

 Code of Ethics

The Code of Ethics lays down the principles of Integrity, Objectivity, Confidentiality and Competency, which internal auditors must abide by in order to promote and uphold the ethical culture within the profession.

 NEED FOR RISK MANAGEMENT IN BANKS

Effective risk management in banks is crucial because of:

  • The evolution of financial instruments and markets
  • Basel Capital Accord requirements, under which the capital maintained by a bank will be more closely aligned to the risks undertaken
  • The Reserve Bank's move towards risk-based supervision (RBS) of banks

 RISK GOVERNANCE MODEL - 3 LINES OF DEFENSE APPROACH

 First line - 

  • Front Office / Line Management on-going activity

Second line -

  • Risk Management , Compliance, on-going activity

Third line -

  • Internal Audit: risk-based periodic activity, independent of both the first and second lines of defence.

 RISK BASED INTERNAL AUDIT

RBI issued a Guidance Note on Risk Based Internal Audit (RBIA) in December 2002 on the basis of the recommendations of PricewaterhouseCoopers (PwC), London, circulated as a discussion paper to the banks in August 2001 for moving towards RBS/RBIA.

 Why RBIA ?

  • Changing banking landscape:
    • Increasing incidence of failure of banks / lack of oversight
    • Unconventional business requirements – outsourcing, IT and digitalization
    • Stringent norms prescribed by supervisors / regulators / BCBS capital norms
    • Increased complexity in financial instruments and markets
    • Supervisors' dependence on a sound internal audit function
  • Plays a role in the effectiveness of the internal control function
  • Evaluates the adequacy and effectiveness of risk management procedures and internal control systems in the bank
  • Provides high quality counsel to the Management

 Scope of Risk Based Internal Audit

  • Risk Management procedure and Risk Assessment Methodology. 
  • Critical evaluation of internal control
  • Review and Report on control environment 
  • Offer remedies 
  • Assess risk at branch level, corporate level and overall risk.

 SALIENT FEATURES OF RBIA

  • Audit Policy – approved by the Board
  • Audit Plan – for each activity / location / unit
  • Risk identification and assessment, audit prioritisation, allocation of resources
  • Transaction testing vis-à-vis risk based audit
  • Functional independence, no conflict of interest, objective and impartial assessment
  • Management and Board are responsible for an effective RBIA system

 RBIA-MINIMUM REQUIREMENTS

  • Process of identification and management of risks
  • Control environment in various areas
  • Gaps in the control mechanism which might lead to frauds
  • Identification of fraud prone areas
  • Data integrity, reliability and integrity of MIS
  • Internal, regulatory and statutory compliance
  • Budgetary control and performance reviews
  • Transaction testing/verification of assets to the extent considered necessary
  • Monitoring compliance with the risk-based internal audit report
  • Variation in the assessment of risks under the audit plan vis-à-vis the risk based internal audit

 OTHER IMPORTANT POINTS

  • Communication channels to encourage reporting of negative and sensitive findings
  • Serious deficiencies and Significant issues posing a threat to  the bank’s business to be reported immediately
  • Periodic Performance review to include evaluation of effectiveness of RBIA
  • Internal Audit Department to be provided with appropriate  resources
  • Due diligence to be conducted for outsourcing of RBIA

 RISK MANAGEMENT COMMITTEE/DEPARTMENT VS. RBIA

RMC/RMD focuses on

  • Identification of risks
  • Monitoring of risks
  • Measurement of risks
  • Development of policies  and procedures
  • Use of risk management  models

RBIA undertakes an independent risk assessment solely for formulating the risk-based audit plan, keeping in view:

  • The inherent business risks of an activity/location
  • The effectiveness of the control systems for monitoring the inherent risks of the business activity

 TRADITIONAL V/S RISK BASED AUDIT APPROACH

 Traditional Approach

  • Evaluates compliance
  • Identifies breaches of procedural adherence
  • Identifies non-compliance with governmental  authority regulations
  • Reactive

 Risk Based Approach

  • Evaluates risks
  • Identifies risks associated with achieving quality objectives
  • Identifies operational inefficiencies leading to higher risks
  • Proactive

 AUDIT ACTIVITIES

  • AUDIT PLANNING
  • PRE-AUDIT PLANNING
  • AUDIT EXECUTION & RISK ASSESSMENT
  • AUDIT REPORT
  • AUDIT RECTIFICATION PROCESS

 AUDIT PLANNING 

AUDIT PERIODICITY - Based on the risk assessment of each branch, area of activity and location, e.g.

Particulars                      Periodicity (months)
Low Risk                         12 to 18, or as appropriate
Newly opened                     Generally 6
Medium Risk                      12
High Risk                        Twice each year
Very High / Extremely High Risk  Twice each year
Zonal Office                     Generally 12
Currency Chest                   Generally 6

 RISK ASSESSMENT PROCESS

Risk  Assessment  Process  includes

  • Identification of inherent  business risks in various  activities
  • Evaluation of the effectiveness  of the control systems
  • Drawing up a risk-matrix for  taking into account both the  factors viz., inherent business  risks and control risks.

 RISK MATRIX EXPLAINED

A – High Risk – Although the control risk is low, this is a High Risk area due to high inherent business risks.

B – Very High Risk – The high inherent business risk coupled with medium control risk makes this a Very High Risk area.

C – Extremely High Risk – Both the inherent business risk and control risk are high, which makes this an Extremely High Risk area. This area would require immediate audit attention and maximum allocation of audit resources, besides ongoing monitoring by the bank’s top management.

D – Medium Risk – Although the control risk is low, this is a Medium Risk area due to medium inherent business risks.

E – High Risk – Although the inherent business risk is medium, this is a High Risk area because the control risk is also medium.

F – Very High Risk – Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.

G – Low Risk – Both the inherent business risk and control risk are low.

H – Medium Risk – The inherent business risk is low and the control risk is medium.

I – High Risk – Although the inherent business risk is low, due to high control risk this becomes a High Risk area.

 DETERMINING LEVEL AND TREND OF RISK


VARIATION OF MARKS IN THE SAME CATEGORY FROM THE PREVIOUS AUDIT (%)    TREND / DIRECTION OF RISK
Up to +5% / -5%                                                         Stable
More than +5% / -5%                                                     Decreasing / Increasing

 RISK ASSESSMENT RATINGS

Based on the level and direction of risk, the risk assessment rating could be any of the fifteen combinations shown below:

     OVERALL RISK           DIRECTION
1.   Extremely High Risk    Increasing / Stable / Decreasing
2.   Very High Risk         Increasing / Stable / Decreasing
3.   High Risk              Increasing / Stable / Decreasing
4.   Medium Risk            Increasing / Stable / Decreasing
5.   Low Risk               Increasing / Stable / Decreasing
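As an added worked example (not part of the original presentation), the Python below encodes the risk matrix cells A–I, the ±5% trend rule and the audit periodicity table into one scoring routine, and applies a generalisation that all nine cells support: the overall rating is fixed by the sum of the inherent and control risk levels (Low=0, Medium=1, High=2). It assumes the "marks" compared across audits are risk marks, so a rise in marks means rising risk; the function and field names are the example's own.

```python
from dataclasses import dataclass
from itertools import product

LEVELS = ("Low", "Medium", "High")                   # ordered 0, 1, 2
DIRECTIONS = ("Increasing", "Stable", "Decreasing")
# Overall rating indexed by inherent-level index + control-level index.
# All nine cells fit this: C = High+High -> 4, E = Medium+Medium -> 2, G = Low+Low -> 0.
RATINGS = ("Low Risk", "Medium Risk", "High Risk", "Very High Risk", "Extremely High Risk")
# Cell letters as laid out in the matrix: row = inherent risk, column = control risk (Low, Medium, High).
CELLS = {"High": "ABC", "Medium": "DEF", "Low": "GHI"}
# Audit periodicity in months, from the AUDIT PERIODICITY table.
PERIODICITY = {"Low Risk": "12 to 18", "Medium Risk": "12",
               "High Risk": "6 (twice each year)", "Very High Risk": "6 (twice each year)",
               "Extremely High Risk": "6 (twice each year)"}

@dataclass(frozen=True)
class Assessment:
    cell: str         # matrix cell A-I
    rating: str       # one of RATINGS
    direction: str    # one of DIRECTIONS
    periodicity: str  # audit periodicity implied by the rating

def matrix_cell(inherent: str, control: str) -> str:
    """Letter of the risk-matrix cell for the given inherent and control risk levels."""
    return CELLS[inherent][LEVELS.index(control)]

def overall_rating(inherent: str, control: str) -> str:
    """Overall rating of a cell via the sum rule derived from the nine cells."""
    return RATINGS[LEVELS.index(inherent) + LEVELS.index(control)]

def risk_direction(current_marks: float, previous_marks: float) -> str:
    """Trend rule: a variation within +/-5% of the previous audit's marks is Stable; otherwise
    the sign decides. Assumption: marks are risk marks, so higher marks mean higher risk."""
    if previous_marks == 0:
        raise ValueError("previous marks must be non-zero to express the variation as a percentage")
    variation = (current_marks - previous_marks) * 100 / previous_marks
    if -5 <= variation <= 5:
        return "Stable"
    return "Increasing" if variation > 0 else "Decreasing"

def assess(inherent: str, control: str, current_marks: float, previous_marks: float) -> Assessment:
    """Combine matrix cell, overall rating, trend and periodicity for one branch/activity."""
    rating = overall_rating(inherent, control)
    return Assessment(matrix_cell(inherent, control), rating,
                      risk_direction(current_marks, previous_marks), PERIODICITY[rating])

def all_ratings() -> list:
    """The fifteen (overall risk, direction) combinations listed in the RISK ASSESSMENT RATINGS table."""
    return [f"{rating} - {direction}" for rating, direction in product(RATINGS, DIRECTIONS)]
```

For instance, `assess("Medium", "High", 112, 100)` yields cell F, Very High Risk, Increasing, with a six-monthly audit periodicity.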

 Closure of Audit Report

In view of the revised process for closure of the Audit Cycle as conveyed by the Govt. of India / Ministry of Finance, the system of closure of the Internal Audit Report, over and above submission of the Rectification Certificate (RC), was introduced with effect from 01.01.2013. Controlling Authorities, in addition to submission of the RC to the respective competent authorities, are now required to submit the Final Audit Compliance cum Closure Certificate (FACC) within one month after receipt of the RC. Thus, acceptance of the FACC by the competent authority is tantamount to closure of the Audit Cycle.

 OUTSOURCED RBIA-IMPORTANT POINTS

Effective functioning of outsourced RBIA is the responsibility of the Board / Top Management.

Due diligence on the necessary expertise is to be undertaken before entering into the arrangement.

  • Scope and frequency of work to be performed
  • Manner and frequency of reporting to the bank
  • Manner of determining damages for errors, omissions and negligence by the vendor.
  • Arrangements for incorporation of need based changes in the terms
  • Reports to be the Bank’s Property
  • Work Papers
  • Storage locations and provision
  • Reasonable and timely access to employees
  • Immediate and full access to supervisors

 All work to be documented and reported to the top management through the internal audit department.

 RISK BASED SUPERVISION (RBS)

  • 2000-01: RBI decided to have an overall plan for moving towards a Risk Based Supervision system with the assistance of an international consultant.
  • PwC, London was engaged to take stock of the current regulatory and supervisory regime and prepare a blueprint for transition to Risk Based Supervision.
  • Discussion paper released on 13th August 2001 and feedback was sought by 30th Sept 2001

THE REVAMPED RBS FRAMEWORK

SPARC - Supervisory Programme for Assessment of Risk and Capital

  • More off-site oriented
  • Need based, risk based, focused on-site inspections

 Started in 2013 with 29 Banks

 How RBS will improve Supervisory Role of RBI

  • Supervisory attention based on Risk Profile of each bank. Bank poses risk to itself and to the system
  • Risk Profile of the Bank determines supervisory program
    •  Off site surveillance
    •  On site inspections 
    •  Structured meetings with Banks
    •  Commissioned External Audit
    •  Specific Supervisory Direction to Bank
    •  Monitorable Action Plan (MAP)
    •  New Policy Notices
    •  Enforcement Action

 What Banks need to do for RBS?

  •  Banks to re-orient their organisational set up
  •  Risk Management Architecture
  •  Risk Focussed Internal Audit
  •  Strong MIS
  •  Set Up of Compliance Units
  •  Skilled Manpower 
  •  Training in Risk Management and RBIA
  •  Good Corporate Governance
  •  Policies and efficient processes
  •  Responsibility and Accountability

 SPARC FRAMEWORK (Supervisory Program for Assessment of Risk and Capital)

  • Assessment of bank level risk using the Risk Discovery Process
  • Integrated Risk and Impact Scoring Model is used to assess:
    • Bank’s Risk Failure Score
    • Impact Failure Score
    • Capital add-on required by the bank
  • Supervisory Rating is awarded; supervisory intervention / intensity is decided
  • Bank Risk Profile reviewed by the quality assurance committee
  • Preliminary Risk Assessment Report (PRAR) is given to management, followed by the Risk Assessment Report (RAR)

 Stages of SPARC

Inherent Risk – the IRISc model captures unexpected losses and the risk assessment of control gaps (Governance & Oversight gaps, control gaps in inherent risk)

Off site data analytics using IRISc Model

On-site inspection for supervisory evaluation through 

  • SREP (Supervisory Review and Evaluation Process)
  • ICAAP (Internal Capital Adequacy Assessment Process)
  • Assessment of Pillar I & II risk

Compliance Assessment 

  • Business Risk – Operational Risk (compliance)
  • Governance and Oversight function ( Board/ Sr Management/ Internal Audit)

 SPARC PROCESS

  • Ensure expected losses are adequately provided & adjusted in the assessed capital 
  • Measurement of unexpected losses- Aggregate Risk
  • Assess whether unexpected losses have adequate  capital to sustain- distance from failure

 SPARC- OFF SITE analysis through TRANCHE submissions

  • Banks to submit information quarterly / annually as per the following three tranches:
  • TRANCHE 1, 1A to 1F (Risk & selected financial parameters – 784 data points)
  • TRANCHE 2 (consists of 12 risk related parameters – 386 data points)
  • TRANCHE 3 (subjective / control gap parameters – 385 data points)
  • TOTAL TRANCHE data points: 1555

 ABOUT IRISc MODEL

  • Integrated Risk and Impact Scoring Model
  • Assesses the risk of failure of a bank by aggregating all types of risk categories (including subjective assessment), control gaps, and bank level Governance and Oversight gaps
  • Scorecard method is used to assess risk & capital (1 to 4)
  • Data is used to identify significant risk metrics and their weightages; subjective assessment is made for other factors of inherent risk and control gaps
  • It is used to work out the Aggregate Risk Score, Risk Failure Score, Supervisory Rating, Additional Capital Required and Supervisory Stance

 SPARC – ON SITE Inspection  

  • Supervisory Evaluation of Risks & Control Gaps

1) GOVERNANCE & OVERSIGHT

  • Board
  • Senior Management
  • Risk Governance
  • Internal Audit
  • Risk Culture

 SPARC – ON SITE Inspection by SSM 

2) Business Risk

  • Credit
  • Market
  • Liquidity
  • Operational
  • Other Pillar II

Observations about –

  • Inherent Risk, 
  • Policy Environment, 
  • Risk Identification, 
  • Control Gaps, 
  • Monitoring & Review,
  • Reporting   

 RBS – Inspection Report

  • Coverage
  • Regulatory Observations 
  • Capital Assessment & Management – 
  • ICAR, ICAAP & Stress Testing
  • Compliance Assessment
  • Conduct of Business 
  • Customer Conduct
  • Market Conduct
  • Conduct Governance

 SUPERVISORY RATING

  • The periodicity/intensity of on-site inspection of a bank would depend upon its position on the Risk-Impact Index Matrix rather than its volume of business.
  • Supervisory rating would be:
    • A reflection on the risk elements (inherent business risks and effectiveness of control).
    • Aiming to determine the overall probability of failure of the bank in light of the risks to which the bank is exposed, the strength of the control/governance and oversight framework in place, and available capital.
  • Based on the exercise, the bank would be apprised of the direction/trend of key risk groups along with the overall risk faced by it. Further, a risk mitigation plan, comprising the need for improving controls, augmenting capital and/or restructuring business, would be given to the bank.
  • The supervisory intervention, including placing a bank under the Prompt Corrective Action (PCA) framework if required, would be based on the supervisory rating and the risk-impact

 SUPERVISORY RATINGS USED BY RBI

Good (A):

  • Probability of failure well below the Supervisory Risk Appetite

Satisfactory (B):

  • Probability of failure within the acceptable Supervisory Risk Appetite

Unsatisfactory (C):

  • Probability of failure marginally higher than Supervisory Comfort

Poor (D):

  • High probability of failure
  • Need for additional capital & for restructuring business
  • Placement under PCA Framework & monthly monitoring

Very Poor (E):

  • Bank no longer a viable entity
  • Need for winding up/merger/amalgamation


