Nick Leeson’s adolescence was spent at Watford, UK where he attended high school. After that, he began to work at Coutts & Company and then spent two years at Morgan Stanley, taking up a position as an operation assistant. The experience allowed him to become familiar with the financial markets. Leeson then joined Barings. Founded in 1762 by Johann Barings, the Barings Bank was part of England’s history and even the Queen of England was among its clients. Barings was later considered one of the most prestigious financial institutions in the world. Leeson quickly made an impression within the respected establishment.
In 1990, at the age of 25, Leeson was appointed manager of the Singapore operation to oversee the “futures” operation in SIMEX (Singapore International Monetary Exchange). Leeson quickly became a well-known operator of the derivative market on the SIMEX. From 1992, Leeson made trades that brought in huge contributions for Barings - up to 10% of the bank’s profits at the end of 1993. The profits instilled confidence in the directors who lacked knowledge in subtle trading techniques and financial markets. He became a star within the organisation, earning unlimited trust from the headquarters. He enjoyed unlimited freedom within the Singapore office: he was head of the dealing desk (front office) but he also supervised the back office.
Leeson was in fact losing money and was hiding his losses in an error account, Z88888. He claimed that the account had been opened in order to correct an error made by an inexperienced member of the team. At the same time, Leeson withheld documents from auditors of the bank. By the end of 1994, his total losses amounted to almost half of the capital of Barings. On January 16th, 1995, with the aim of "recovering" his losses, he took even more risky positions. However, the unexpected earthquake of Kobe shattered his strategy. As a result, the losses amounted to more than double the bank’s capital, which the bank was unable to absorb. Leeson decided to flee Singapore and was later arrested in Europe. He was extradited back to Singapore and sentenced to 6.5 years of imprisonment. In March 1995, the bank was bought by a Dutch insurance company at a very low price.
1. Are there any problems with the internal control system of Barings? Explain.
2. Are there any problems with corporate governance in Barings? Explain.
3. What is risk management? Why is it needed? What should be the risk management strategy of an international bank like Barings?
4. What are the major risks faced by an international bank? What are the major risks involved in this case?
5. Explain risk appetite, risk tolerance and risk profile.
6. What are the responsibilities of the internal audit function regarding risk management? Who (or which function in an organization) should ultimately be held responsible for risk management in a listed company?
7. Outline the risk management regulatory requirements imposed on international banks after the Barings case.
Answer 1:- Are there any problems with the internal control system of Barings?
BARINGS – A CASE STUDY IN RISK MANAGEMENT AND INTERNAL CONTROL
In 1995 Britain’s oldest merchant bank of two hundred years came to a dramatic and fatal halt. The bank was Barings. The demise of the bank was brought about as a result of the actions of a derivative trader, Nick Leeson, stationed in Singapore. Without a careful and considered review one may be tempted to conclude that the blame rests solely at his doorstep. The analytical mind may, however, ask: how is it possible that this one man was able to cripple a financial giant? What was the role of senior management in this situation and did they contribute to the demise? How effective were the internal control systems and were the Singapore operations managed effectively?
The answers to these and similar questions would be indeed interesting and insightful in analyzing the debacle that Barings proved to be. Reported on very widely in the nineteen-nineties, this bank collapse still holds significant lessons for those involved in the management of financial institutions. The objective here is not to prove definitively the exact cause of the collapse but to show, by way of a very narrow discussion, how certain deficiencies in internal controls and risk management systems impacted the bank and ultimately led to its collapse.
When Barings collapsed it had a capital of approximately $600 million. Contrast this with the notional futures position of Japanese equity and interest rates of $27 billion, Nikkei 225 equity contracts of $20 billion and put and call options with nominal values of over $6 billion that the bank held. Given the level of capital it is incomprehensible that the bank could have created this level of exposure. It is certainly worth asking where were the mechanisms and limits that should ordinarily be in place to signal that its capital was at severe risk. In an analysis (see http://newrisk.ifci.ch) on the incident the author stated: “Numerous reports have come out over the last three years (back in the nineties) with recommendations on best practices in risk management. Barings violated almost every [such] recommendation. Because its management singularly failed to institute a proper managerial, financial and operational control system, the firm did not catch on, in time, to what Leeson was up to. Since the foundations for effective controls were weak, it is not surprising that the firm's flimsy system of checks and balances failed at a number of operational and management levels and in more than one location.”
Leeson engaged from the very beginning in dubious trading, accounting and reporting practices, designed to conceal losses he was incurring. His biggest downfall came after the 1995 Kobe earthquake in Japan, which left him holding a number of call options which were basically worthless coupled with put options he sold which were becoming very valuable to their holders. The instruments were transacted prior to the earthquake with strike (agreed) prices in the range of 18,000 to 20,000 points on the Nikkei 225 average. Subsequent to the earthquake the average fell to below 17,000 points (the agreed sales price of 18,000 to 20,000 being more beneficial to the holders than the market level of below 17,000) putting Barings in a disadvantageous position. To cover his tracks over the years he used an “error account” to hide the true nature of his contracts in addition to reporting erroneous profits to senior management in London (Barings head office). Between January 1993 and December 1995 the reported profit on trading activities was represented to be approximately GBP 54 million. However, results of the investigation which followed the collapse showed the same period actually produced a loss of over GBP 827 million. This is an important point because at stages over this same period the Singapore operations were reported as being responsible for as much as twenty percent of the bank’s overall published profits.
The management of Barings, a substantial and well respected organization, committed an almost criminal blunder when it failed to ensure that there was adequate segregation between various functions of the Singapore operations, thereby undermining the effectiveness of any controls that would have been put in place. Leeson was in charge of the dealing desk and also had control over the back office operations. This provided him with ample opportunity to falsify the reporting aspect of the business and bypass critical regulatory and compliance requirements. Any useful internal control system must recognize and acknowledge the potential for fraud or errors should there be inadequate segregation of duties. Segregation of duties is also critical to ensuring the accuracy and integrity of information. The utility of an effectively designed system of controls and implemented control activities is significantly lessened where incompatible duties are vested in the same individual. While the controls within Barings systems may have been appropriately designed, their operational effectiveness was always going to be defective. The lack of segregation actually amplified the exact risks that management would have intended to mitigate in the first place by creating the facility for significant override. The lesson here is that in the development of a risk management and internal control system one should always respect the time-tested fundamentals necessary for effective internal controls. Failure to do so will put any institution at a heightened risk for irregularities. The implications are very profound, especially in the case of financial institutions.
Having implemented an internal control system it is essential that there are mechanisms in place for monitoring and assessing its effectiveness. It was reported that Barings’ internal audit team told senior management that the control of both the front and back offices was an excessive concentration of power, citing that there is a significant risk for override of controls. Management, however, despite indicating that the practice would cease with immediate effect, failed to follow through on that promise. Their failure to implement remedial measures only served to further exacerbate the identified weakness. Barings management’s failure to put into operation the auditors’ recommendation, which considering the facts was well founded, contributed significantly to the eventual collapse of the bank. Together with being in charge of the two offices, Leeson had cheque signing authority, authority to sign off on trading reconciliations and was responsible for vetting bank reconciliations. The fact that the Singapore trading operations precipitated the failure of the bank, given the foregoing, is not surprising. While it could be argued successfully that it was the Kobe earthquake and its adverse impact on the Japanese capital markets which triggered the timing of the collapse, the point can also be made that with sufficient time and with the continued laxness on the part of management the bank would very likely have suffered significant losses even if it did not ultimately collapse. The lack of discipline in the internal systems had provided very fertile soil in which the seeds of instability were already sown. The continued ineptness of senior management provided all the other essential elements which led to the germination of a financial disaster.
The Barings incident clearly provides an insight into the importance of effectively managing the risk posed by the operations of a bank or some unit thereof. In hindsight Barings management seems to have had total disregard for, or just did not understand, the concept of the allocation of resources commensurate with the risk posed by the business activities being undertaken. For example it was noted that senior management’s response to the recommendation of placing a suitably experienced person to run the back office was that there was not sufficient work for a full-time treasury and risk manager even if compliance duties were incorporated in the function. The response reeks of juvenile innocence or reckless and arrogant irresponsibility. Even if the reason cited was accurate, given the high profitability of the Singapore unit together with the nature of the products being traded, derivatives, senior management’s approach should have been guided by the principle of implementing controls sufficient to mitigate and manage the risk consistent with the bank’s risk appetite. They should have been guided to some extent by the fact that very high profits are generally generated by risky activities. The blatant lack of action though makes one consider whether the bank did not in fact have an unlimited appetite for the type of risk they were exposed to through the Singapore operations and therefore doing nothing was highly consistent with their outlook. Failure to implement effective risk management systems can and does have catastrophic implications for an organization.
The persons with direct responsibility for oversight of the trading activities categorically failed to honor their responsibilities by ensuring that they fully understood the activities Leeson was engaged in and thereby be in a position to intelligently implement the requisite control mechanisms to manage the risks posed. Interestingly the approved strategy which Leeson should have been guided by was simple arbitrage between futures contracts. This was clearly defined as a low risk strategy. The stated risk level was, however, clearly incompatible with the high level of reported profitability being enjoyed by the Singapore unit. Anyone in a management and oversight position has an explicit duty and is obligated to ensure that they fully understand exactly what they are responsible for. Without a high level of understanding, management and by extension the board were impotent in effectively discharging their fiduciary duty and their responsibility to the shareholders of the institution. One pointed observation which was made asked the question: if this supposedly low risk strategy employed by Leeson was so lucrative, why is it that there weren’t other better capitalized banks taking the same approach? One of the connections it appears that the management failed to make was the relationship between risk and return. A low risk strategy ought not to have provided the high level of profits reported. Profits should have been more moderate. Not only did they fail to understand the business, it also appears that they were ignorant of certain basic risk management principles. Because management did not understand what was happening they were unable to assess, rationally and objectively, the pros and cons of the information presented to them. They were unable to effectively challenge reported results or probe in a manner sufficient to elicit the answers which, all things being equal, would provide information to assess the efficacy of what was being represented to them. Or, management was plain negligent; satisfied by the high level of reported profits, they may have resolved not to “disturb” the goose laying golden eggs. Whichever position is correct ought not to have been. Any management group which operates in a similar manner does not deserve the privilege of leading an organization.
Within any organization, especially a bank or other financial institution, it is critical that all the significant risks of any business activity being undertaken are identified and assessed in a proactive and consistent manner. It is said that hindsight is twenty-twenty and therefore just about anyone can comment after the fact. The question, however, is what the prudent, knowledgeable person would have done or ought to have done in the same situation. Had senior management implemented the recommendations made by the auditors, the bank would have had in place a risk manager who would ordinarily ensure that the appropriate mechanisms are put in place to safeguard the viability of the bank. An effective and experienced risk manager would likely have identified the critical risks involved in the management of the derivative trading activities. Very importantly also there would have been the creation of a clear line of demarcation between the trading activities carried out by the front office and the check and balance created by the back office. This would arguably lead to the correct or at least more accurate positions being reported. With accurate information senior management would then have been in a position to assess the various exposures against its capital. An assessment, for example, of their risk weighted capital, using this information, would have undoubtedly indicated that the bank was undercapitalized and heading for trouble. Accurate information would have provided the correct signal to management indicating that the requisite limits had been breached and that restrictions needed to be imposed immediately on its Singapore trading activities to protect the adequacy of its capital and by extension the bank’s solvency.
Answer 2:- Corporate governance in Barings
Barings Bank was a very old traditional British bank. In the 1980s and early 1990s the banking industry was going through a period of change as a result of deregulation. British banks had previously been very tightly controlled but gradually the British government allowed British banks to enter into new markets.
In the early 1990s, Barings expanded into “new” products such as options and futures trading. Nick Leeson, a British banker, was given the new Singapore branch to manage.
In trading operations, the bank has a front office where the trades are organised and a back office, where the trades are recorded and accounted for. There should always be segregation of duties between those trading and those accounting for the trades. This should stop fraudulent traders doing one thing and recording another.
However, at Barings, Leeson had total control of both the front office and the back office. He controlled how his trades were being recorded.
When members of Leeson’s team made a few mistakes, Leeson did not want his staff to be blamed so he hid their mistakes in an account (88888). He could do this because of the lack of segregation of duties which allowed him to trade and then to record those trades. Additionally, there was a lack of understanding of the trades being entered into both by the UK directors and the auditors.
Leeson used the bank’s money to gamble on the markets, making speculative trades. The 88888 account was used to hide any losses. By the end of 1994, losses in that account amounted to more than £200 million.
The bank allowed him more money to continue trading, although it was unlikely they knew what he was doing.
The fraud reached a climax in January 1995 when he gambled that the Japanese stock exchange, the Nikkei, would not move significantly overnight. Unfortunately the Kobe earthquake hit Japan and the stock exchange fell significantly. Leeson aimed to recoup losses by betting that the stock exchange would recover quickly. It didn’t and Leeson knew that millions were going to be lost and he fled. By the time the bank understood the position he had created it was too late and he had created a massive loss exceeding £800m. This was big enough to wipe out Barings bank. The bank was eventually sold for £1.
The bank was wiped out by one trader because the directors didn’t understand the business they were in or what Leeson was doing. There was a serious lack of internal control over the operations. Again, there was too much control in one person’s hands and to some extent the auditors failed to properly understand the situation at the bank.
Answer 3:- Risk management
Risk management refers to the practice of identifying potential risks in advance, analyzing them and taking precautionary steps to reduce/curb the risk. When an entity makes an investment decision, it exposes itself to a number of financial risks.
Need for Risk Management
1. A risk management plan helps companies identify risk
It is important for a business to identify potential risks. When a business is aware of the potential risks that are associated with their business, it is easier to take steps to avoid them. Knowing the risks makes it possible for the managers of the business to formulate a plan for lessening the negative impact of them. Also, once the risks are identified, managers will be able to analyze them and make a logical decision regarding how to deal with them. According to the Huffington Post, there are four main types of risk about which a business needs to be aware.
Market risk is the risk that is associated with the potential for the value of the assets of a business to decrease due to external factors such as interest rates, foreign exchange rates, and commodity prices.
Credit risk refers to the losses that occur when a debt that is owed is not paid to the company.
Operational risk refers to the potential of business losses that occur due to inadequate actions or failures on the part of the business or external factors. Some reasons for operational risk include the following:
Internal fraud
External fraud
Employment practices
Client and business practices
Business continuity practices
Reputational risk develops from the possibility of damage to the company’s reputation due to both internal and external factors.
2. Having a risk management plan is fiscally prudent
Businesses that have risk management plans in place can more easily be financially prepared when a problem arises. Often, lenders will be more willing to increase credit limits or extend loans to companies that have a risk management plan in place.
3. A risk management plan protects a company’s resources
A risk management plan not only identifies risks, it also makes it possible for a company to prioritize them. This allows a company to plan for the risks and respond to them more quickly and appropriately. This course of action saves the company time, money, and physical resources and allows workers to spend more time working at tasks that are related to the business.
4. A risk management plan improves a company’s brand
When a company is proactive and creates a risk management plan, it sends a positive message about the business. Employees feel confident that they are working for a resourceful and responsible company, and customers have assurance they are doing business with a company that is proactive and professional. Overall, having a risk management plan shows that a company is reputable and holds itself to a high standard.
5. A risk management plan can help a company discover reusable information
Risk management requires a collaborative effort and involves many people. The information that is gathered and learned through the process of developing a risk management plan can be applied to situations that arise well after the plan was developed. Therefore, those who are impacted by the plan do not need to start from scratch whenever an issue needs to be resolved.
6. Risk management plans and insurance
Every risk management plan that is created should include insurance as one of its elements. Part of creating a risk management plan is determining how to reduce the impact a risk will have on a company. Having appropriate insurance in place is one way to help defray the effect of negative risks. Some examples of business insurance that are helpful to include in a risk management plan include:
Day spa and salon insurance can cover a salon owner in the event a client’s hair or scalp is damaged during a processing treatment.
Tattoo shop insurance can cover a shop owner in the event an artist makes an irreparable mistake during a tattooing.
Performers insurance covers a performer if an audience member is injured during a performance.
Martial arts studio insurance protects a studio owner if a student is injured during instruction.
Camp insurance can protect a camp owner if anyone is injured on the camp’s premises.
Risk management strategy of an international bank like Barings
Banks need to develop a risk management framework that can:
Maintain data integrity
Banks should prevent identity theft and data leakage by applying the principles of least privilege and deft error handling. External electronic devices like pen drives and camera phones should be restricted as far as possible. Firewalls should be put in place and constantly updated to prevent malware or spyware from infecting the system.
Prevent unauthorized transactions into the system
A robust authentication system will prevent system compromise and fraud. Apart from recognized legitimate agents, no one else must be allowed to execute transactions within the bank. The code developed must ensure that there is no provision for a guest account to be created. Strong password policies should be implemented with strong encryption. An automatic system log-off should be used to prevent unauthorized users from accessing an unguarded system.
Prevent unauthorized changes to the software
Unauthorized modifications to the bank software lead to fraudulent practices and render the system weak. A robust change management system that allows only authorized changes should be implemented. Every change should be tracked and monitored. In case of suspected fraud, the change management system must leave a clear audit trail that traces every change in the system.
Ensure system back-up
Basel II mandates that the system must be available always. System back-up plans should be put in place. The system must be able to withstand high loads and perform at optimal speeds. It is impractical to revert to manual calculation in case of system downtime or failure. So it is extremely crucial to have in place contingencies that can handle unexpected system downtime and failures.
Implement business continuity/disaster recovery plans
In a business environment characterized by natural disasters, vandalism, terrorist attacks, epidemics and technological failures, it is imperative to implement an effective business continuity plan. Banks should develop a recovery strategy that targets technical systems, management and employees. The awareness around BCP plans should be raised and mock drills conducted. Effective crisis communication tools should also be developed.
Developing a risk management framework can be extremely challenging. Banks need to analyze risk reports and risk heat maps, assess and test controls, and choose the appropriate risk mitigating strategy. Adequate capital then has to be allocated. The whole process can be costly in terms of money, time, effort, technology and personnel required.
For best results, the risk management framework should be integrated across the entire value chain. This is not only complex and costly, it also requires management approval.
What banks need is a single platform that centralizes, streamlines and automates compliance and IT risk management.
Answer 4:- What are the major risks faced by an international bank? What are the major risks involved in this case?
1. Credit Risk
One of the most significant threats faced by banks is credit risk. In simpler words, credit risk is defined as the inability of a borrower or a counterparty to meet the contractual obligations. In other words, when a borrower fails to pay the appropriate amount to the lender due to any financial crisis. The banks have suffered huge losses in the past from credit risks, and are still prone to such losses.
Although credit losses are primarily defined by the inability of the borrower to repay loans to the lenders, it also includes the delay in payments of the borrower. That means if any borrower does not make timely payments, then such types of cases also come under credit risks.
What Can Be Done?
Such types of losses commonly occur due to borrower insolvency. Hence, banks should conduct proper research before granting the loans and should only sanction loans to individuals and businesses that are not likely to run out of their income during the payment period.
2. Market Risk
Market risks are defined as the risks involved in the fall of a company’s share or decrease in the value of the stock of third-party companies where the bank has invested. We all know that apart from sanctioning loans, the banks also hold a certain amount of shares in the market. In that case, if by any means, the share price of the banks decreases, then they will suffer huge losses, and these types of losses generally come under market risk.
The market risks can vary depending upon the type of commodity a bank holds. For instance, if a bank holds foreign exchange then they’re exposed to a Forex risk; in the case of gold, silver, or real estate, they are exposed to commodity risks, etc. Similar is the case with equity risk.
What Can Be Done?
To mitigate market risks, banks usually leverage hedging contracts. They use contracts like forwards, options and swaps, and many more, to completely eliminate the various market risks.
3. Business Risk
Business risks are a significant result of credit risk. To put it simply, when a bank fails to generate profits during a specific period, then it is called business risk. Many times, a business takes a loan from a bank and then fails to repay it. In such a scenario, the banks face losses due to business risk.
The result of business loss is either being acquired by some other banks, or collapse in big banks. Examples of such banks that suffered huge losses due to the wrong business strategy are Washington Mutual and Lehman Brothers.
What Can Be Done?
Although there are no sure-shot methods of eliminating the business risk, the adoption of the right strategy might do the work.
4. Compliance Risk
When a bank does not follow proper regulatory standards put down by the financial institutions, then such type of risk is known as Compliance risk. This is usually not a much greater risk but surely has some significant outcomes. When a bank does not comply with proper regulation formed by the banking institutions in their certain branch, then they face financial and legal losses.
The banks get severely affected by these losses and suffer loss in their daily banking targets. They have to bear legal penalties and might face significant challenges by the regulatory committee.
What Can Be Done?
To mitigate such types of risks, the banks should formulate, regulate, and manage all the regulations and compliance policies across all their branches.
5. Security Risk
Now that’s a considerable risk that has been on the top of the list for the global market, irrespective of their domains. Cybersecurity has been impacting the financial industry for quite a few years, and the problem is still prevalent in the banking sector. We witnessed many cases where hackers penetrated the security layers of some big banks and stole a large sum out of it.
Banking institutions are still making considerable investments in the security aspect to make their customers’ data and their systems more secure than ever. The industry is leveraging the latest technological advancements of AI, ML, Blockchain, big data, etc. to yield positive results in terms of security.
What Can Be Done?
The banks need to invest in top-notch fintech software and mobile apps that are way more secure and impenetrable. They should keep their private information safe using a technologically advanced electronic medium.
6. Operational Risk
When there is a failure in the internal processes of the bank due to inefficient systems, then it is termed as operational risk. We all know that banks have to perform a wide array of banking operations like daily transactions, cross-border transfers, cash deposits, and much more. However, there are times when the internal systems or the central system slows down.
In such a scenario, the bank faces losses due to operational risk. Not only that, other mistakes like payment transfer to the wrong account, or execution of an incorrect order, etc. also fall under operational risk. It is noteworthy here that banks do not directly get affected because of the operational risks.
What Can Be Done?
The operational risks can be minimized by automating the workflows so that human intervention is reduced. Also, the banks should use software from a trustworthy development company to ensure smooth operations.
7. Reputational Risk
Reputational risk is a significant result of the operational risk and, to some extent, the security risk. In other words, when a company fails to provide security to their customers, or when they perform inefficiently in processing their requests, then they suffer loss in users. People begin spreading rumors about the bank, and the bank’s image gets spoiled.
The news channels interrogate the people and make false perspectives about the banks. In such a scenario, the daily revenue of the bank drastically reduces, and hence they suffer huge losses. They lose their stellar reputation in the global market, and their profits decrease.
What Can Be Done?
The banks should ensure smooth functioning and should provide safety and security to all of their customers. They should never participate in any unfair practices and should ensure customer satisfaction in every possible way.
8. Liquidity Risk
Liquidity risks arise because of the increase in the non-profitable
assets in the bank. That is, if there is an increase in the credit
losses and losses due to business risk, then liquidity risk arises.
Due to the rise in the liquidity risk, the bank becomes unable to meet its obligations if any depositor comes to withdraw their money.
Looking back in history, losses due to liquidity risk were a significant concern for all banks at that time. However, the present-day scenario has completely changed. Banks are now subject to regulations that require keeping a minimum amount of reserved cash to mitigate liquidity risk. That implies that the depositors can be paid even during a time of credit or business loss.
What Can Be Done?
The banks should follow proper regulations of the central banks and
should keep a minimum requisite amount in the banks to eliminate
the chances of losses due to liquidity risk.
9. Systematic Risk
Whenever there are external issues involved with the bank, like employee strikes, market fluctuation, instability of the government, and so on, it is termed systematic risk. The systematic uncertainty is beyond the control of management since it entirely depends on the various external factors.
The losses due to systematic risks are unpredictable and cannot be wholly avoided. Banks suffer huge losses due to systematic risk and may have to write off certain assets to compensate for their losses.
What Can Be Done?
The systematic risks are entirely unpredictable, and so they cannot
be eliminated. However, with smart skills, they can be minimized up
to a certain extent.
10. Moral Hazard
Moral hazard is an entirely new type of risk when compared to the
other mentioned risks. It came to light recently in the global
market. The moral hazard occurs when a bank takes some risk, even
when they know that someone else has to bear the losses. In other
words, when a bank invests in a risky business, and it backfires,
then it is the taxpayers who have to bear all the losses.
Although the central bank has been tracking the banks and their operations very carefully, some of them still take dreadful risks when not under regulatory oversight. They indulge in illegal practices and create an imbalance for the taxpayers when their planning fails.
What Can Be Done?
The central bank should pay more attention to the activities of the
banks to eliminate the losses caused by moral hazards. The banks
should also not indulge in risky businesses and should follow the
proper path.
To Conclude
In this article, we discussed the top ten risks faced by the banking industry with the growing digitalization. Needless to say, all these risks are faced by every bank in the world at some time or other. The best way to combat these risks and the losses they cause is to opt for a more secure financial solution.
Answer 5-Explain risk appetite, risk tolerance and risk profile.
As the financial crisis continues to unfold – and explanations are offered – it is clear that more robust enterprise-wide risk management will be the result. Many industry participants and observers anticipate that regulatory and rating agency scrutiny will accelerate at an unprecedented rate. Further, insurer and reinsurer shareholders and Boards of Directors are likely to demand that risk be measured and managed as it relates directly to capital on an enterprise-wide basis, particularly as an integral part of the corporate governance process.
Advancing the ERM dialogue can help insurers make value-accretive decisions through the improved deployment of capital. A thorough understanding of the basic concepts of enterprise-wide risk is fundamental to the implementation of ERM disciplines, establishing risk management parameters, and integrating this knowledge into the process of making strategic business decisions. As a result, insurance and reinsurance firms will not only be better prepared to respond to the internal and external questions relating to risk and capital, but (perhaps more importantly), they could benefit by establishing hedging or reinsurance strategies to drive capital efficiencies and maximize stable risk-adjusted returns.
We will address three core aspects of the emerging ERM and capital management dialogue:
1) We will offer a framework for defining common terminology: distinguishing Risk Profile, Risk Appetite, and Risk Tolerance. Currently there are no consistent, overarching definitions of commonly used risk terms. Greater clarity in this area is fundamental to a proper understanding of the concepts involved.
2) We will offer a framework for discussing risk tolerance, including best practices.
3) We will present the results of Guy Carpenter’s initial risk tolerance benchmarking study, which will allow us to advise our clients about their own circumstances and the general context of the markets in which they operate.
Risk Profile, Risk Appetite, and Risk Tolerance
The definitions and use of Risk Profile, Risk Appetite, and Risk Tolerance vary considerably in professional articles and position papers across the (re)insurance industry. To properly consider the dynamic tradeoff between risk and return we provide the following definitions.
Risk Profile: the broad parameters a firm considers in executing its business strategy in its chosen market space.
Risk Appetite: the level of uncertainty a company is willing to assume given the corresponding reward associated with the risk. A company with a high risk appetite would be a company accepting more uncertainty for a higher reward, while a company with a low risk appetite would seek less uncertainty, for which it would accept a lower return.
Risk Tolerance: a stated amount of risk a company is willing and/or able to keep in executing its business strategy – in other words, the limits of a company’s capacity for taking on risk.
Example
RT Co. is a large, reasonably well-capitalized national multi-line writer with profit and growth goals typical of those of similar insurers. Using the definitions above, RT Co.’s Risk Profile can be thought of in terms of the market space in which it wants to participate (e.g., lines and classes of business) and the corresponding management decisions (i.e., risk selection, claims handling processes/back office, distribution channels, expense structure, and strategic execution). Alternatively, part of RT Co.’s Risk Profile is the market space in which it does not want to participate, such as aggressive asset strategies or international expansion.
Consistent with its Risk Profile, RT Co. evaluates how much profit potential is available and the cost of mitigating uncertainty to develop its Risk Appetite. For example, after analysis, a “moderate” Risk Appetite may be defined by RT Co. as:
■ A target return on equity of 10 percent
■ Retention of net catastrophic risk less than or equal to its peers
■ Avoidance of excessive underwriting volatility, asset risk, or operational risk
Given the risk appetite of RT Co., it establishes a set of Risk Tolerances to properly articulate its capacity for assuming risks. For example, RT Co. may express its risk tolerances as follows:
■ High probability of maintaining an A rating
■ Quarterly impact from non-catastrophe underwriting results not greater than 10 percent of forecasted earnings
■ Net 1:100 probable maximum loss (PML) limited to 10 percent of capital
■ Net 1:250 PML limited to 15 percent of capital
■ Remote chance of asset loss greater than 10 percent of capital in any one year
To further clarify the concept of Risk Appetite, the following chart shows the basic tradeoff between risk and reward, where the willingness to bear risk increases the potential profit while increasing the possibility of a decrease in surplus (capital).
Answer 6-the role of the internal audit function regarding risk management
1. Risk management concerns reducing the magnitude and likelihood of detrimental consequences while enhancing and making more likely the beneficial consequences that might arise from decisions.
Comment: I think risk management thought leadership has progressed further. It is now considered as enabling informed and intelligent decisions that help the organization to set and then execute on strategies. In other words, it enables decisions that lead to the achievement of enterprise objectives. It’s less about managing the risks (the consequences) and more about achieving objectives.
2. The focus of internal audit and other monitoring and review functions should be to provide assurance on the effectiveness of risk management and not just on the effectiveness of controls.
Comment: This is an important distinction. It is insufficient simply to say that internal controls are inadequate (or adequate), or even to say that there are high risk deficiencies. Internal audit needs to communicate their assessment of whether management is appropriately addressing the more significant risks to the achievement of (specific) objectives. But, see additional comments later.
3. Processes for the management of risk must be integrated into an organisation’s system of management to be effective.
Comment: Consideration of ‘what might happen’ should be integral to decision-making. See additional comments.
4. Internal Audit should no longer assess risks on behalf of the organisation. Their role is to assist decision-makers in arriving at the most appropriate treatment of risks and then the monitoring and review of risks and controls.
Comment: I have never believed that internal audit should be relied on to assess enterprise risks. I cannot understand why some say that internal audit should be expected to identify emerging risks. NO!! Those are management responsibilities. Internal audit’s role is assessing how management does them. Internal audit can assess whether management is ‘treating’ risks with adequate and effective controls.
5. Internal audit will obtain planning information for an audit (and for their annual audit plans) from the risk management process done by decision-makers who own and are accountable for the risks.
Comment: That should be both the current and future state. Management should have effective processes for identifying, assessing, and evaluating what might happen as an integral part of decision-making. Once internal audit has assessed those processes as reasonably effective, it should use them as input to its continuously updated (they should not be annual) audit planning activity.
6. ERM and the ISO 31000 risk management standard have evolved cooperatively and will be the basis for risk management in organizations.
Comment: ISO 31000:2017 is useful but not complete (in my opinion) as it barely touches decision-making. ERM needs to evolve into effective decision-making, aka effective management.
7. Effective risk management requires clear expressions of intent and mandate by the Board and top management.
Comment: Risk management is not a siloed activity. The board and top management should insist on informed and intelligent decision-making. That will drive everybody to quality consideration of ‘what might happen’.
8. Evolutionary modifications to the role and practice of internal audit will occur as part of continuous improvement of the framework for the management of risk.
Comment: Both need to continuously improve. Certainly, as risk management is transformed into informed and intelligent decision-making, internal audit needs to rethink its approach. See additional comments.
9. The maturity of risk management should be evaluated and reported on at least an annual basis.
Comment: Internal audit needs to provide its assessment to the board and top management of whether practices meet the needs of the organization, enabling informed and intelligent decisions. I cover this and the use of a maturity model in World-Class Risk Management. But, top management should first provide their formal assessment to the board.
10. Internal Audit has to update its roles and responsibilities to support continuous improvement of and implementation of more effective risk management.
Comment: Internal audit should provide assurance, advice, and insight to improve decision-making. It should remember not to penalize those working diligently to upgrade management’s processes, but instead encourage and be an evangelist for world-class practices.
Who is responsible for risk management in a listed company
The US Securities and Exchange Commission (SEC) made it a legal requirement for listed companies to make proxy disclosures about a board's involvement in the oversight of risk management processes, and the investor-led International Corporate Governance Network said risk oversight should begin with a company's board