Project report on Risk management in insurance sector

1.1 BACKGROUND
The following table provides an overview of the major risks that can be managed by financial
instruments with corresponding classes of instruments as per different project types.
Risk Nature of Risk FRM Instruments
Risks associated with Large Scale Projects
Project Developm ent/ Pre-construction Phase
Feasibility analysis indicates project not
Concept to feasible/viable Grants, Contingent
implementation Regulatory clearances delayed/denied Grants (GEF)
Financial closure not achieved
Construction Phase
Time overrun
Insurance –
Construction/
Cost overrun
Project does not meet technical specifications Construction All
Completion Risk Changes to project assumptions make the project Risks (CAR/EAR)
unviable
Surety bonds -
Counterparty Risk that the Construction Contractor does not Performance
Risk perform as per contract guarantees
Liquidation damages
Operating Phase
Performance
Technical performance
InsuranceManaging the facility
Risk
Physical damage to the facility
Counterparty Risk that the O & M Contractor does not perform
Surety bonds -
Performance
Risk as per contract guarantees
Liquidation damages
Fuel Supply Intermittent/Irregular fuel supply Weather Insurance/
Risk Derivatives
Credit Risk
Related to default by off taker i.e. inability of the Guarantees
off-taker/ utility running to meet their payment Credit derivatives
obligations.
Generic – All Phases
Financial Risk
Fluctuations in interest rate, currency exchange Standard derivative
rate, etc products
Currency inconvertibility
Political Risk
Insurance
Expropriation
Political Risk MFI Guarantees
Political violence
Export Credit
Breach of contract
guarantees
Force Majeure Natural Catastrophe Insurance
Risk Man-made interruptions – war, strike, etc Catastrophe bonds

Risks associated with small scale projects
Project Developer
Development
Lack of start- up capital
Guarantee FundsProject sponsors with limited track records, poor
(Credit) Risk
credit history
End User
Risks of
physical
Theft/damage to the facility Micro-insurancedamage
including theft
Credit Risk Poor financial credibility of end users
Guarantees
Credit lines
Risks associated with Carbon Financed projects
Market Risk
Demand Risk – uncertainty on evolution of CER Standard derivative
markets post 2012 products to hedge
Price risk – linked to demand risk against price
Insurance – carbon
CER delivery Project fails to generate projected CERs. This is delivery guarantee,
Risk linked to the intermittent nature of resource supply permit delivery
guarantee
1.2 AVAILABILITY SURVEY
• Secure contracts (such as PPA, EPC contract, O&M agreement and Fuel supply
agreement), equipment warranties, insurance products and various national government
guarantees are the most utilized risk management instruments to facilitate the
construction and operation of renewable energy projects in the focus countries.
Naturally, the underlying business case for generating renewable energy (tariff
structures, and privatization etc) will determine RE investments in the first case.
• Non-insurance financial instruments (with the exception of weather and credit
derivatives) are generally used only to hedge the financial market risk (currency and
interest rate) component of large-scale RE project finance deals once terms are in
place. However, most of the difficulties in RE finance arrive at the front end of a deal
when there is the greatest amount of uncertainty.
• The risk management products available from the multilaterals (such as Partial Credit
Guarantees) are better understood by market participants. However, there appears to be
little enthusiasm amongst project financiers interviewed for working alongside
multilaterals unless there is a guiding strategic motive or large profit incentive.
• Local developing country insurers have generally limited expertise to write renewable
energy business. However, where foreign insurers have access to developing country
markets most traditional products relevant to RE projects – Property,
Construction/Erection all risks; Business interruption, Machinery Breakdown etc- are
available for mature RET projects. However, foreign insurer’s access to local insurance
market is restricted by local insurance regulations.

• With over USD2 billion of combined capacity of about 20 insurance companies
participating in this survey, in theory sufficient capacity is available to meet the
insurance requirements of the renewable energy industry. However in reality there are
still a number of technical underwriting concerns and barriers associated with for
example technology performance risks and the harsh offshore locations, which can
restrict / limit participation.
• The ability to deploy insurance capacity in developing countries is also hampered by
local insurance regulations which restrict foreign market access. Insurance availability
in developing countries is restricted by a lack of adequate financial, legal and service
infrastructure as well as lack of credit worthy local insurers, restrictive local insurance
regulations and limited distribution channels.
• As most renewable technologies (with the exception of onshore wind) are perceived
to be prototypical in nature the limited data on commercial operating history presents a
huge challenge to the insurance industry who are unable to accurately model future loss
projections and price risk in an economic and sustainable manner. Further practical
evaluation of the scope for improving actuarial data and technical risk information flow
and studies into new risk based pricing methodologies would serve as useful
interventions in catalyzing new thinking for RE projects in insurance market.

2.1 INTRODUCTION
Risk: The meaning of ‘Risk’ as per Webster’s comprehensive dictionary is “a chance of
encountering harm or loss, hazard, danger” or “to expose to a chance of injury or loss”. Thus,
something that has potential to cause harm or loss to one or more planned objectives is called
Risk. The word risk is derived from an Italian word “Risicare” which means “To Dare”. It is an
expression of danger of an adverse deviation in the actual result from any expected result. Banks
for International Settlement (BIS) has defined it as- “Risk is the threat that an event or action will
adversely affect an organization’s ability to achieve its objectives and successfully execute its
strategies.
Risk can also be termed as peril or hazard. Peril is a cause of loss or a situation of serious and
immediate danger. e.g. - fire, windstorm, theft, flood, collusion, etc. Hazard is a chance of suffering
from danger or peril which may increase profitability of loss.
There are four types of hazard:
– This is a danger likely to happen due to the physical characteristics of an
object, which increases the chance of loss. For example defective wiring in a building which
enhances the chance of fire.
– It is an increase in the probability of loss due to dishonesty or character defects
of an insured person. For example, Burning of unsold goods that are insured in order to increase
the amount of claim is a moral hazard.
– It is an attitude of carelessness or indifference to losses, because the losses
were insured. For example, careless acts like leaving a door unlocked which makes it easy for a
burglar to enter, or leaving car keys in an unlocked car increase the chance of loss.
– It is the severity of loss which is increased because of the regulatory
framework or the legal system. For example actions by government departments restricting the
ability of insurers to withdraw due to poor underwriting results or a new environment law that
alters the risk liability of an organization.
2.2 RISK AS REALITY
Risk is inherent in all activities. It is a normal condition of existence. Risk is the potential for a
negative future reality that may or may not happen. Risk is defined by two characteristics of a
possible negative future event: probability of occurrence (whether something will happen), and
consequences of occurrence (how catastrophic if it happens). If the probability of occurrence is
not known then one has uncertainty, and the risk is undefined.
Risk is not a problem. It is an understanding of the level of threat due to potential problems. A
problem is a consequence that has already occurred.

In fact, knowledge of a risk is an opportunity to avoid a problem. Risk occurs whether there is an
attempt to manage it or not. Risk exists whether you acknowledge it, whether you believe it,
whether if it is written down, or whether you understand it. Risk does not change because you
hope it will, you ignore it, or your boss’s expectations do not reflect it. Nor will it change just
because it is contrary to policy, procedure, or regulation. Risk is neither good nor bad. It is just
how things are. Progress and opportunity are companions of risk. In order to make progress, risks
must be understood, managed, and reduced to acceptable levels.
2.3. DEGREE OF RISK
Degree of risk refers to the intensity of objective risk, which is the amount of uncertainty in a
given situation. It can be assessed by finding the difference between expected loss and actual
loss. The formula used is
Degree of risk = loss Expected loss actual and expected the between Difference
Degree of risk is measured by the probability of adverse deviation. If the probability of the
occurrence of an event is high, then greater is the likelihood of deviation from the outcome that
is hoped for and greater the risk, as long as the probability of loss is less than one. In the case of
exposures in large numbers, estimates are made based on the likelihood of the number of losses
that will occur. With regard to aggregate exposures the degree of risk is not the probability of a
single occurrence but it is the probability of an outcome which is different from that expected or
predicted. Therefore insurance companies make predictions about the losses that are expected to
occur and formulate a premium based on that.
2.4 CERTAINTY, RISK AND UNCERTAINTY
Certainty is when there is no doubt of the outcome of an event. But uncertainty is when there is
doubt in the achievement of the desired outcome and the potential deviation in the outcome is
called risk. The uncertainty in an event arises because of the knowledge which is not sufficient to
predict the outcome with certainty. Uncertainty implies that the person does not have thorough
knowledge and hence can only make a vague assessment about an objective risk situation.
Uncertainty is a perceptual phenomenon that exists in different degrees to different people. It can
be represented on a straight line called continuum. This continuum can be divided into different
levels of uncertainty.

Uncertainty is zero Uncertainty is
very high at this level
At level zero, the exposure to uncertainty is zero and at the right extremity the exposure to
uncertainty is 100%.
Level 0 (certainty) – There is no uncertainty at this level. The outcome of an event is known in
certain. Events that come under the law of nature such as laws of physics and chemistry fall in
this category.
Level 1 (objective probability) – Lowest level of uncertainty, events occurring in this level are
categorized by the likelihood of their occurrence. For example tossing of a coin, has an
established fact that there are two outcomes either heads or tails, each with a probability 0.5.
Level 2 (subjective probability) – In this level, the degree of uncertainty increases. The outcomes
of the events in this level are known but assigning probabilistic values to these outcomes is
difficult. Probability is assigned with respect to a person, scenario or circumstances. Therefore it
is referred to as subjective probability.
Level 3 (complete uncertainty) – The degree of uncertainty is the highest here. The outcomes of
the events in this level are difficult to predict and hence the probability of occurrence is not
known.
2.5 CLASSIFICATION OF RISK .
Risks are classified or grouped into a similar category in the insurance industry to quantify risk
and define the insurance premium to be charged. Classification of risks also helps in placing
individual risks with similar expectations of loss in a group or class of risks. By classifying we
can also estimate risks from probabilities associated with occurrence, timing and magnitude of
events.
2.5.1 Pure and speculative risk
Pure risks are defined as situation in which there are only two outcomes that is the possibility of
loss or no loss to an organization but no gain – the event either happens or does not happen.
When this risk happens, the chance of making any profit is very badly low. Few examples of
pure risk are earthquake, theft, accident, fire etc. A car may or may not meet with an accident. If
an insurance policy is bought for the car, then if accident occurs the insurance company incurs
loss but on the contrary if accident does not occur there is no gain to the insured.
Speculative risks describe situations in which there is a possibility of gain as well as loss. The
element of gain is inherent or structured based on the situation. Few examples are gambling on
Certainty Uncertainty

horses, investing in a stock market, merging with an organisation. Thus most of the speculative
risks are business related and some speculative risks are optional and can be avoided if desired.
The distinguishing characteristics of pure and speculative risks which is of importance to
insurers are the following:
Insurance is meant to assure us against losses that arise as pure risk, but not to outcomes that lead
to both loss and gain. Moreover a particular type of risk may appear speculative for the insurance
company but a pure risk for the organisation.
important to insurers since it predicts future loss experience. An exception is the example of
gambling, where the casino operators apply the law of large numbers in a most efficient way.
nt
advantages to the economy. For example speculative activity in the stock market may lead to
more efficient allocation of capital. The same does not apply to pure risk. A fire, flood,
earthquake cannot benefit the society.
insurable, the discussion on risk is skewed towards pure risks only.
º Property risk.
º Personal risk.
º Liability risk.
º Loss of income risk.
Property risk
This is a risk to a person in possession of the property which faces loss because of some
unforeseen events. Property includes both movable and immovable possessions. Movable assets
are personal assets like personal computer, any appliance. Immovable assets are land, building
which suffers loss due to natural calamities. Property risk is further divided into direct and
indirect loss.
– A direct loss is defined as a physical damage due to a given calamity or peril in a
direct way. For example, if an office building is damaged by fire, the damage incurred in the
direct way is the direct loss.
– The additional expense incurred due to the destruction of the property is the
indirect loss. Thus in addition to the physical damage after a fire, the office would lose profits for
several months because of reconstruction. The loss of profits is a consequential loss as a
consequence of the damage incurred.
Personal risk
Personal risks are risks that directly affect the individual’s income. This may either be loss of
earned income or extra expenditure or depletion of financial assets. There are four major types of
personal risks:

Risk of premature death – Premature death occurs when the bread earner of a family dies with
unfulfilled financial obligations. Therefore this can cause financial problems only if the deceased
has dependents to support. There are four costs which results from this. First, the present value of
the family’s share of the deceased breadwinner’s future earnings is lost. Secondly, additional
expenses like funeral expenses, uninsured medical bills, inheritance taxes can result. Thirdly, due
to insufficient income, the family of the deceased has trouble in making ends meet. Finally,
intangible costs due to loss of role model, guidance, and counseling result.
Risk of insufficient income during old age – The risk arises when retired people do not have
sufficient income after their retirement and it leads to social insecurity. Retired people need to
have financial assets from which they can draw income or have access to other sources like
private pension.
Risk of poor health – The sudden disability of a person to earn income for living happens to be a
disadvantage or sudden risk to that person. The risk of poor health includes payment of medical
bills and the loss of earned income. The loss of earned income is a financial insecurity if the
disability is severe. Employee benefits may be lost or reduced, savings are depleted and extra
care must be taken for the disabled person.
Risk of unemployment – This risk is due to socio-economic factors resulting in financial
insecurity. Unemployment results due to business cycle down swings, technology and structure
changes in the economy and imperfections in the labor market.
Liability risk
This risk arises to a person when there is a possibility of an unintentional damage caused by him
to another person because of negligence. Therefore this risk arises when one’s activity causes
adversity to another person. For example, construction of factories or dams which results in
dislocating number of villagers. This risk arises due to government regulations and acts. It is
quite different from the other risks as there is no maximum upper limit to the amount of the loss.
A lien can be placed on one’s income and financial assets to satisfy legal judgment and the cost
of legal defense could be huge.
Loss of income risk
This risk is due to an indirect loss from a certain given risk. For example if a firm is not able to
operate due to legal issues or destruction by peril, it takes time to resume its normal operations.
Therefore in this period, production stoppage will lead to loss of income.

2.5.2 Fundamental and particular risk
This classification is based on the people who are affected by the event. Those risks which affect
an entire economy or a large group within the economy are termed as fundamental risks. For
example, cyclic unemployment, epidemics, drought, political and economic changes, and
terrorist attacks of recent times affect a large group of people and hence these are fundamental
risks. On the other hand, losses that arise out of individual events and are felt by particular
individuals and not by a community or a group is termed as particular risks. Examples are
burning of a house or an automobile accident.
The distinction between a fundamental and a particular risk is that an individual or a concern can
have control over particular risk but fundamental risks can hardly be controlled. Social insurance
and government insurance compensates for the loss incurred by a fundamental risk but in case of
particular risk an individual or a particular enterprise bears the burden of loss.
2.5.3 Static and dynamic risk
Based on the nature of the environment, risks are classified as static and dynamic. Static risks are
those which happen within a stable environment and are constant over an observed period of
time. They have a regular pattern of occurrence and can be reasonably predicted. Dynamic risks
arise from changes in the environment like economic, social, technological and political changes.
They are generally less predictable because they do not occur in any degree of regularity.
Static risks are immune to the changes in the environment. Dynamic risk resembles speculative
risk and static risk resembles pure risk.
2.5.4 Enterprise risk
This is a risk which includes all major risks faced by a business firm. It encompasses risks such
as pure risk, speculative risk, strategic risk, operational risk and financial risk. We already
studied about pure and speculative risks. Strategic risk is when an organization is uncertain about
its goals and objectives. Operational risks may result due to a firm’s business operations.
Financial risk is when there is uncertainty of loss because of changes in interest rates, foreign
exchange rates and value of money.
Enterprise risk plays a vital role in commercial risk management, which is a process in an
organization to treat all minor and major risks. Major risks can be addressed by bringing them all
together and treating them as one single program. By doing so, the firm can offset one risk
against another and also if some risks are negatively correlated overall risk can significantly be
reduced.

CHAPTER-3
INTRODUCTION OF RISK
MANAGEMENT

3.1 RISK MANAGEMENT
RISK MANAGEMENT DEFINITION : “IDENTIFICATION, ANALYSIS & ECONOMIC CONTROL
OF THOSE RISKS WHICH CAN THREATEN THE ASSETS OR THE EARNING CAPACITY OF AN
ENTERPRISE”
Risk management underscores the fact that the
survival of an organization depends heavily on
its capabilities to anticipate and prepare for the
change rather than just waiting for the change
and react to it. The objective of risk management
is not to prohibit or prevent risk taking activity,
but to ensure that the risks are consciously taken with full knowledge, purpose and clear
understanding so that it can be measured and mitigated. It also prevents an institution from
suffering unacceptable loss causing an institution to suffer or materially damage its competitive
position. Functions of risk management should actually be bank specific dictated by the size and
quality of balance sheet, complexity of functions, technical/ professional manpower and the
status of MIS in place in that bank.
Risk management: It is the identification, assessment, and prioritization of risks (defined in ISO
31000 as the effect of uncertainty on objectives, whether positive or negative) followed by
coordinated and economical application of resources to minimize, monitor, and control the
probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risks can come from uncertainty in financial markets, project failures (at any phase in design,
development, production, or sustainment life-cycles), legal liabilities, credit risk,
accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of
uncertain or unpredictable root-cause. Several risk management standards have been developed
including the Project Management Institute, the National Institute of Standards and Technology,
actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to
whether the risk management method is in the context of project management,
security, engineering, industrial processes, financial portfolios, actuarial assessments, or public
health and safety.
Risk management process ensures that risk management is regularly monitored and that there are
mechanisms that alert the management of the entity about arising risks or changes in already
managed risks and that the appropriate control devices in order to minimize them are identified.

The role of the internal audit is to conduct assessments on all components and financial and
accounting activities or activities with financial implications and to track how public funds are
used, namely if they are used efficiently and effectively and weather the financial information
given to the management is appropriate and can contribute to achieving the planned results.
The strategies to manage risk typically include transferring the risk to another party, avoiding the
risk, reducing the negative effect or probability of the risk, or even accepting some or all of the
potential or actual consequences of a particular risk.
In ideal risk management, a prioritization process is followed whereby the risks with the greatest
loss (or impact) and the greatest probability of occurring are handled first, and risks with lower
probability of occurrence and lower loss are handled in descending order. In practice the process
of assessing overall risk can be difficult, and balancing resources used to mitigate between risks
with a high probability of occurrence but lower loss versus a risk with high loss but lower
probability of occurrence can often be mishandled.
3.2 PRINCIPLES OF RISK MANAGEMENT
The International Organization for Standardization (ISO) identifies the following principles of
risk management:
Risk management should:
 create value – resources expended to mitigate risk should be less than the consequence of
inaction, or (as in value engineering), the gain should exceed the pain
 be an integral part of organizational processes

 be part of decision making process
 explicitly address uncertainty and assumptions
 be systematic and structured
 be based on the best available information
 be tailor able
 take human factors into account
 be transparent and inclusive
 be dynamic, iterative and responsive to change
 be capable of continual improvement and enhancement
 be continually or periodically re-assessed
3.3 FACTORS OF RISKS
The risks are measured by the factors hampering business growth. If the profitability potential
outweighs risk, then the organisation proceeds with the business operations else it is halted.
The risks arise due to innumerable factors. They are broadly classified into two types. They are:
Internal risks – It refers to the risks arising from the events within the business organisations.
These risks can be forecasted and their probability of occurrence can be determined. Hence it can
be controlled to an appreciable extent. The various factors determining internal risks are:
o Human factors – The employees form an important cause for internal risks. Sometime they
result in strikes and lock outs by unions, negligence and dishonesty towards work, accidents or
deaths, incompetence of the manager. The suppliers most of the time fails to supply materials on
time and default payments by debtors may adversely affect the business organisation.
o Technological factors – It refers to the unpredicted changes in production or distribution
techniques. The technological advancements results in higher quality products which insists the
organisations to adopt new technology. Hence the organisations practicing traditional techniques
might face risk of losing the market for its inferior quality products.
o Physical factors – It refers to the failure of business machinery and equipment, fire or theft in
the industry, damages in goods transit. This factor results in loss or damage to the organisation’s
property.
External risks – It refers to the risks arising due to the events occurring outside the
organisation. These events are generally uncontrolled and hence the resulting risks and their
probability of occurrences cannot be forecasted and determined accurately. The various factors
determining external risks are:
o Economic factors – It forms the major cause for external risks. The changes in the prevailing
market conditions results economic factors. It includes changes in demand for product, price
fluctuations, changes in consumer’s preferences and output of trade cycles. The various
conditions like increased product competition, inflationary tendency in economy, unemployment,

and fluctuations in world economy may adversely affect the business organisation. Such risks
caused due to economy changes are known as dynamic risks.
These risks are less predictable and may not result in losses because it contains an element of
gain to the organisation.
o Natural factors – It refers to the natural calamities over which the organisation has little or no
control. It results from events like earthquake, flood, cyclone, famine. Such events may cause
loss of life or property to the organisation.
o Political factors – It plays an important role in functioning of long and short term business. It
occurs due to the political changes in government, communal violence, civil wars. The changes
in government policies and regulations may affect the position and profits of an organisation.
The risks are inevitable and hence it cannot be eliminated completely but can be controlled
through proper preventive and corrective measures of risk management.
3.4 RISK CATEGORIES
3.4.1 Credit risk
Credit risk comprises counterparty risk, settlement risk and concentration risk. These risk types
are defined as follows:
to meet its financial and/or contractual obligations to the group. This risk type has three
components:
• primary credit risk, which is the exposure at default (EAD) arising from lending and related
banking product activities including their underwriting;
• pre-settlement credit risk, which is the EAD arising from unsettled forward and derivative
transactions. This risk arises from the default of the counterparty to the transaction and is
measured as the cost of replacing the transaction at current market rates; and
• issuer risk, which is the EAD arising from traded credit and equity products including their
primary market underwriting.
k is the risk of loss to the group from settling a transaction where value is
exchanged, but where it fails to receive all or part of the counter value.
-up of
exposure to, among others, a single counterparty or counterparty segment, an industry, a market,
a product, a financial instrument or type of security, a country or geography, or a maturity. This
concentration typically exists where a number of counterparties are engaged in similar activities
and have similar characteristics, which could result in their ability to meet contractual obligations
being similarly affected by changes in economic or other conditions.

3.4.1.1 Tools of Credit Risk Management.
The instruments and tools, through which credit risk management is carried out, are detailed
below:
a) Exposure Ceilings: Prudential Limit is linked to Capital Funds – say 15% for individual
borrower entity, 40% for a group with additional 10% for infrastructure projects undertaken by
the group, Threshold limit is fixed at a level lower than Prudential Exposure; Substantial
Exposure, which is the sum total of the exposures beyond threshold limit should not exceed
600% to 800% of the Capital Funds of the bank (i.e. six to eight times).
b) Review/Renewal: Multi-tier Credit Approving Authority, constitution wise delegation of
powers, Higher delegated powers for better-rated customers; discriminatory time schedule for
review/renewal, Hurdle rates and Bench marks for fresh exposures and periodicity for renewal
based on risk rating, etc are formulated.
c) Risk Rating Model: Set up comprehensive risk scoring system on a six to nine point scale.
Clearly define rating thresholds and review the ratings periodically preferably at half yearly
intervals. Rating migration is to be mapped to estimate the expected loss.
d) Risk based scientific pricing: Link loan pricing to expected loss. High-risk category
borrowers are to be priced high. Build historical data on default losses. Allocate capital to absorb
the unexpected loss. Adopt the RAROC framework.
e) Portfolio Management : The need for credit portfolio management emanates from the
necessity to optimize the benefits associated with diversification and to reduce the potential
adverse impact of concentration of exposures to a particular borrower, sector or industry.
Stipulate quantitative ceiling on aggregate exposure on specific rating categories, distribution of
borrowers in various industry, business group and conduct rapid portfolio reviews. The existing
framework of tracking the non-performing loans around the balance sheet date does not signal
the quality of the entire loan book. There should be a proper & regular on-going system for
identification of credit weaknesses well in advance. Initiate steps to preserve the desired portfolio
quality and integrate portfolio reviews with credit decision-making process.
f) Loan Review Mechanism : This should be done independent of credit operations. It is also
referred as Credit Audit covering review of sanction process, compliance status, review of risk
rating, pick up of warning signals and recommendation of corrective action with the objective of
improving credit quality. It should target all loans above certain cut-off limit ensuring that at
least 30% to 40% of the portfolio is subjected to LRM in a year so as to ensure that all major
credit risks embedded in the balance sheet have been tracked. This is done to bring about
qualitative improvement in credit administration. Identify loans with credit weakness. Determine
adequacy of loan loss provisions. Ensure adherence to lending policies and procedures. The

focus of the credit audit needs to be broadened from account level to overall portfolio level.
Regular, proper & prompt reporting to Top Management should be ensured.
Credit Audit is conducted on site, i.e. at the branch that has appraised the advance and where the
main operative limits are made available. However, it is not required to visit borrowers
factory/office premises.
3.4.2 Country risk
Cross-border transfer risk, herein referred to as country risk, is the uncertainty that a client or
counterparty, including the relevant sovereign, will be able to fulfil its obligations to the group
outside the host country due to political or economic conditions in the host country.
The management of country risk is delegated by the GCC to the group country risk management
committee (GCRC), a subcommittee of GROC. The GCRC recommends country risk appetite
for individual countries and ensures, through compliance with the country risk standard, that
country risk is effectively governed, identified, measured, managed, controlled and reported in
the group.
An internal rating model is used to determine the rating of each country in which the group has
an exposure. The model inputs are continually updated to reflect economic and political changes
in countries. The country risk model output provides an internal risk grade which is calibrated to
a 1 to 25 rating scale. Reviews of all countries to which the group is exposed are conducted
annually. In determining ratings, the group’s network of operations, country visits and external
sources of information are used extensively.
3.4.3 Liquidity risk
Liquidity risk arises when the group, despite being solvent, cannot maintain or generate
sufficient cash resources to meet its payment obligations as they fall due, or can only do so at
materially disadvantageous terms.
This type of event may arise where counterparties who provide the bank with funding withdraw
or do not roll over that funding, or as a result of a generalised disruption in asset markets which
results in normally liquid assets becoming illiquid.
Group unencumbered surplus liquidity

3.4.3.1 Liquidity Gap Report
A liquidity gap is the difference between the due balances of assets and liabilities over time.
At any point of time, a positive gap between assets and liabilities is equivalent to shortage of
cash. The marginal gap refers to the difference between the changes of assets and liabilities over
time. A positive marginal gap means that the change in the values of assets exceeds that of
liabilities. The gap profile changes as and when new assets and liabilities are added. The gap
profile is represented either in the form of tables or charts. All the assets and liabilities are
accounted in liquidity gap report and it is dependent on the dates of maturity and the actual date.
3.4.3.2 Alternative scenarios
Alternative scenario method is used to calculate the adequate liquidity in banks. Depending on
the behaviour of cash flow the alternative scenario calculates a banks’ liquidity in different
conditions.
There are three scenarios for a bank that provides useful benchmarks. They are:
� Going concern
� Bank specific crisis
� General market crisis
A bank should try to account for any major liquidity changes (positive or negative) that could
occur in these scenarios.

Going concern/general market conditions
The going concern/general market conditions scenario is helpful for banks in establishing a
standard for the normal business behaviour. Banks use general market conditions to handle the
deposit and other debts. With the help of general market conditions the banks avoid the impact of
temporary constraints and manage their NFRs. Due to this concern, the banks never face a very
large need of cash to be paid on any given day.
Bank specific crisis
The bank specific crises are liquidity crises for individual banks. The crises remain restricted to
the banks and provide a sort of worst-case benchmark. The main idea in bank specific crisis is
that, the banks liabilities cannot be replaced or rolled over. The banks must pay the liabilities at
the time of maturity. If a bank can survive these types of worst-cases, then the bank can survive
any kind of small problems.
General market crisis
The general market crises are the ones under which liquidity affects every bank in more than one
market. Some banks might think that the nation’s Central bank would ensure that the key markets
would continue to function in some form. For bank management, the scenario represents a
second type of "worst-case". While surveying the liquidity profile of entire banking sector, the
Central bank might find this scenario to be of particular interest. The combined results will
suggest the size of the total liquidity buffer in the banking system. The result also suggests the
likely distribution of liquidity problems among large institutions.
A bank needs to assign the time for cash flow for each category of asset. The decision about the
exact time and size of cash flows is an essential part of the construction of the maturity ladder
under every situation.
3.4.3.3 Assumptions in preparation of gap report in terms of assets, liabilities and off
balance sheet items
Since the future liquidity position of a firm cannot always be predicted based on the factors,
assumptions play an important role in determining the continuing due to the rapidly changing
banking markets. But the number of assumptions to be made should be limited. The assumptions
can be made based on three aspects. They are assets, liabilities, and off-balance sheet assets.
Assets
Assets are nothing but any item of economic value owned by an individual or corporation.
Assumptions regarding a bank’s future stock of assets include their possible marketability and
use an asset as a guarantee of existing assets which could increase flow of cash and others.
To determine the marketability of an asset, the method segregates the assets into three categories
according to their degree of relative liquidity:
� The highly liquid group of assets consists of components such as interbank loans, cash and
securities. Some of the assets might instantaneously be converted into cash at existing market
values under almost any situation whereas others, such as interbank loans might lose liquidity in
a common crisis.

� A less liquid group of assets consists of bank's saleable loan portfolio. The assignment here is
to develop assumptions about a reasonable plan for the clearance of a bank's assets. Some assets,
while marketable, might be viewed as unsaleable within the time frame of the liquidity analysis.
� The least liquid group of assets consist of basically unmarketable assets such as loans that are
not capable of being readily sold, bank premises and investments in subsidiaries.
Because of the difference in the banks internal asset-liability management, different banks can
allot the same assets to different groups on maturity ladder.
While categorising the assets, banks should take care of the effects on the asset’s liquidity under
the various conditions. Under normal conditions, there may be assets which are much liquid then
during a time of crisis. Therefore a bank may classify the assets according to the type of scenario
it is forecasting.
Liabilities
To check the cash flows occurring due to a bank's liabilities, a bank should first examine the
behaviour of its liabilities under normal business situations. This would include forming:
� The level of roll-overs of deposits and other liabilities remain normal.
� The actual maturity of deposits with non-contractual maturities, such as demand deposits and
others; the normal growth in new deposit accounts.
While examining the cash flow arising from a bank's liabilities during the two crisis scenario, a
bank would look at four basic questions. The first two questions represent the proceedings in the
flow of cash that tend to reduce the cash outflows planned directly from contractual maturities.
The four questions are as follows:
� What are the different sources of funding that are likely to stay with a bank under any
situation, and can the count of these sources be increased?
Other than the liabilities identified from this step, a bank's capital and term liabilities that are not
maturing within the prospect of the liquidity analysis provide a liquidity buffer.
The total liabilities identified in the first category may be assumed to stay with the bank even
when it’s a worst scenario. Some core deposits generally remain with a bank because retail and
small scale industry depositors may rely on the public-sector security net to shield them from
occurring loss, or because the cost of changing banks, especially for some business services that
include transactions accounts, is unaffordable in the very short term.
� What are the sources of funding that can be estimated to run off gradually if problems occur,
and at what rate? Is deposit pricing a way for controlling the rate of runoff?
The second category consists of liabilities that have chances of staying back with the bank during
the period of slight difficulties and can be used during crisis. Liabilities, includes core deposits
that are not already included in the first category. In some countries, other than core deposits,
some of the interbank deposits and government funding remains with the bank even though they
are considered volatile .for these kinds of cash flows a bank's very own past experience related to
liabilities and the experiences of other such firms with similar problems may come handy. And
help in creating a time table.

� Which maturing liabilities can be estimated to run off instantly at the first warning of trouble?
The third category consists of the maturing liabilities that remained, including some without
contractual maturities, such as wholesale deposits. Under each case, this approach adopts a
conservative stand and assumes that these remaining liabilities will be paid back at as early as
possible before the maturity date, especially when there is high crisis, as such money may flow
to government securities and other safe refuges.
Factors such as diversification and relationship building are considered important during the
evaluation of the degree of the outflow of funds and a bank's capacity to replace funds.
Nevertheless, in a general market crisis, sometimes high scale firms may find that they receive
larger than the usually got wholesale deposit inflows, even though there are no cash inflows
existing for other firms in the market.
� Does the bank have a reliable back-up facility?
For example, small banks in local areas may also have credit lines that they can bring down to
offset cash discharges. These facilities are rarely found in larger banks but however it depends on
the assumptions made on the bank’s liabilities. Such facilities usually need to undergo many
changes but only to a limit, especially in a bank specific crisis.
Off balance sheet item
A bank should also examine the availability of sufficient cash flows from its off balance sheet
activities (other than the loan commitments already considered), even if they are not a portion of
the bank’s recent liquidity analysis.
In addition, the Contingent liabilities, such as letters of credit and financial guarantees, represent
potentially significant cash outflow for a bank, but are usually not dependent on a bank's
condition. A bank may be able to create a "normal" level of out flow of cash on a regulatory
basis, and then estimate the possibility a raise in these flows during periods of stress. However, a
general market crisis may generate a considerable increase in the total invocation of letters of
credit because of an increase in defaults and liquidations in the market.
Other possible sources of cash outflows are swaps, written Over-The-Counter (OTC) options,
and forward foreign exchange rate contracts. For instance, consider that a bank has a large swap
book; it would then want to study the circumstances under which it could become a net payer,
and whether or not the total net pay-out is significant.
Consider another situation wherein a bank acts as a swap market-maker, with a possibility that in
a bank-specific or general market crisis, customers with in-the-money swaps (or a net in-the-
money swap position) would try to reduce their credit exposure to the bank by requesting the
bank to buy the swaps back. Similarly, a bank would like to review its written OTC options book
and any warrants that are due, along with hedges if any against these positions, since certain
types of crises sometimes arouse an increase in early exercises or requests that the banks should
buy the offer back. These activities could result in an unexpected cash loss, if hedges can neither
be quickly liquidated to generate cash nor provide insufficient cash.

Other assumptions
Until now the discussion was centered on the assumption about the behaviour of the specific
instrument under different scenarios. At the time of looking the components exclusively, there
might be some of the factors that might have a major impact on the cash flows.
The need for liquidity arises from business activities. The banks too need excess funds to support
extra operations.
For example, the majority of the banks provide clearing services to financial institutions and
correspondent banks. These institutions generate a major sum of cash inflow and cash outflows
and unpredicted variations in these services can reduce a bank’s funds to a large extent.
The other expenses such as rent and salary however are not given much importance in the
analysis of the bank’s liquidity. But they can be sources of cash outflows in some cases.
3.4.4 Market risk
This is the risk of a change in the actual or effective market value or earnings of a portfolio of
financial instruments caused by adverse movements in market variables such as equity, bond and
commodity prices; currency exchange and interest rates; credit spreads; recovery rates and
correlations; as well as implied volatilities in all of the above.
3.4.5 Operational risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people
and systems or from external events. This includes information and legal risk but excludes
reputational and strategic risk.
3.4.5.1 Responsibility and approach to operational risk management
Operational risk is recognized as a distinct risk category which the group manages within
acceptable levels through sound operational risk management practices. The group’s approach to
managing operational risk is to adopt practices that are fit for purpose to suit the organizational
maturity and particular business environments.
Executive management defines the operational risk appetite at a business unit and group level.
This operational risk appetite supports effective decision making and is central to embedding risk
management in business decisions and reporting.
3.4.6 Business risk
Business risk relates to the potential revenue shortfall compared to the cost base due to strategic
and/or reputational reasons. From an economic capital perspective, business risk capital

requirements are calculated as the potential loss arising over a one-year timeframe, within a
certain level of confidence, as implied by the group’s chosen target rating. The group’s ability to
generate revenue is impacted by, among others, the external macroeconomic environment, its
chosen strategy and its reputation in the markets in which it operates.
Economic capital by risk type
June
2010
Rm
December
2009
Rm
Credit risk 28 597 31 336
Equity risk 1 865 1 293
Market risk 1 768 1 747
Operational risk 6 814 6 965
Business risk 1 817 1 504
Interest rate risk in the
banking book
1 620 1 917
Banking activities –
economic capital
42 481 44 762
Available financial
resources
86 830 81 503
Capital coverage ratio 2,04 1,82
3.4.7 Reputational risk
Reputational risk results from damage to the group’s image among stakeholders, which may
impair its ability to retain and generate business. Such damage may result from a breakdown of
trust, confidence or business relationships.
3.4.8 Insurance risk
This is the risk that future claims and related expenses will exceed the allowance for expected
claims and expenses, as determined through measuring policyholder liabilities and in reference
to product pricing principles. Insurance risk arises due to uncertainty regarding the timing and
amount of future cash flows from insurance contracts, whether due to variations in mortality,
morbidity or withdrawal rate, or due to deviations from investment performance assumptions in
the case of life products, and claims incidence and severity assumptions in the case of short-term
insurance products.

3.4.9 Legal risk
Legal risk arises where:
in the countries in which it operates;
nd
legal proceedings being instituted against it.
Although the group has processes and controls in place to manage its legal risk, failure to
manage risks effectively could result in legal proceedings impacting the group adversely, both
financially and reputational.
3.4.10 Foreign- Exchange Risk
Foreign exchange risk occurs during the change of investments value occurring due to the
changes in currency exchange rates. It refers to the probability of loss occurring due to an
adverse movement in foreign exchange rates. For example – Consider an investor residing in
United States purchases a bond denominated in Japanese Yen. By this the investor experiences
decline in rate of return at which the Yen exchanges for dollars.

The three types of foreign exchange risk or exposure are:
n risk – It is the possibility of affecting future transactions of the organisation due to
the changes in currency exchange rates.
– It measures the impact of changes in exchange rate risk on the organisation’s
cash flows and earnings.
– It measures the impact of changes in exchange rate of organisation’s
financial statements. It is also known as accounting exposure.
Foreign exchange risk management policies
Well defined policies, set forth the objectives of the bank’s foreign exchange risk management
strategy and its parameters. The foreign exchange risk management policies include the
following:

� A statement of forex risk principles and objectives - Before setting up the foreign exchange
risk limits and management controls it is necessary for banks to decide the goals of foreign
exchange risk management plan and in particular, readiness of the bank to assume risk.
Therefore, the objective of foreign exchange risk management is to manage the influence of
exchange rate changes within self-imposed limits after considering a wide range of possible
foreign exchange rate scenarios.
� Limits of forex risks - Risk limits are established according to the relationship between the
foreign exchange position and the capital, or according to the foreign exchange volume which
includes total cash and the number of transactions. The foreign exchange risk limits cover the
following:
- The currencies in which the institution is permitted to experience risk exposure.
- The level of foreign currency exposure that the bank is willing to assume.
� Delegation of authority - Clearly defined levels of delegated authority helps in ensuring that a
bank’s foreign exchange positions does not surpass the limits established under the foreign
exchange risk management policies. The delegation of authority needs to be clearly recognized,
and must include the following:
- The absolute and/or incremental authority to be delegated.
- The units, entities, positions or committees to whom authority is being delegated.
- The ability of receivers to further delegate authority.
- The restrictions placed on the use of delegated authority
The various methods to reduce foreign exchange risks are:
– The best way to manage foreign exchange risk
is by balancing foreign currency holdings or expected revenue with futures or forwards.
– The foreign currencies contain options which allow the buyers to buy or sell
financial assets at a specified price and time. The process to hedge foreign currency with options
is similar to hedging futures and forwards, which minimizes the risk of loss in currency trade.
– It refers to the exchange of future income streams in different currencies.
The organizations’ use swaps sparingly for portions of their foreign holdings.
– The method of depositing foreign currency in foreign banks
creates gain in interest rate. When the exchange rate increases, the value of foreign currency also
increases.
3.4.11 Environmental risk
The organisations must be able to monitor certain risks with respect to their daily operations. The
organisations must identify the specific risk that is concerned with local and global
environments. The various factors causing environmental risks include accidents, assaults, and

natural events like earthquake, volcano, tornado, floods, and famine. Hence the organizations
must induce environmental risk management which helps in implementing a system of metrics to
prevent the environmental problems.
The organizations must emphasize the process of environmental risk management which
includes certain protocols to manage the uncertainties within the organizational operations. The
procedures must be applied in daily activities and overall infrastructure assessments to eliminate
the damages caused in the organisation. The first step is to ensure whether the environmental risk
management is effective within the organisation to identify the most critical assets. It is also
important for the organizations to determine whether the assets are hampering the long term
stability of the environment and their impact on the business. For example if a company uses
large amount of paper then the threat of decline in tree growth arises. Hence the organisation
must devise recycle paper program method to solve the problem.
The organisation must assess the environment of the specific region in which it desires to make
investments. The environmental forecasts are necessary as far as there are no physical hindrances
to the organisation. Environmental issues can have significant impact on a company’s stock
price.
Raising awareness and training will be an ongoing element of managing environmental risk and
identifying opportunities and business solutions to global environmental and social concerns.
3.4.12 Interest rate risk
Interest rate risk occurs due to the change in absolute level of interest rates causing variations in
the value of investments. Such changes usually affect the securities like shares, bonds, mutual
funds or money market instruments and can be reduced by diversifying or hedging techniques.
The evaluation of interest rate risk should consider illiquid hedging products or strategies, and
potential impact on fee income which are sensitive to changes in interest rates. They are
classified into the following:
Term structure risk (yield curve risk) – It arises from the variations in the movement of
interest rates across maturity spectrum. It consists of changes in relationship between interest
rates of various maturities of similar market. The changes in relationships occur when the shape
of yield curve for a market flattens, steepens, or becomes inverted during interest rate cycle. The
yield curve variations can emphasize a bank’s risk position by increasing the effect of maturity
mismatches.
Basis risk – It occurs due to the changes in relationship between interest rates for different
market sectors.
Options risk – It arises when bank or bank customer gains privileges to alter the level and
timing of cash flows of asset, liability or off balance sheet instruments. The option holder has the
rights to buy or sell the financial instruments over a specified period of time. But the option
holder faces limited downside risks (amount paid for option) and unlimited upside reward. The

option seller faces unlimited downside risk (option exercised during the time of disadvantage)
and limited upside reward (retaining premium).
3.4.12.1 Factors Affecting Interest Rate
Interest rate is the amount claimed by a lender from a borrower for the use of the borrowed
money. Interest is an opportunity cost in terms of a lender’s perspective and is the cost of capital
according to a borrower’s perception.
Interest rate is a vital component in market assessments and so it is an important economic
indicator. Interest rate is important to companies as well as governments because it is an
important constituent of the capital cost.
The following are the factor that influences the level of market interest rate:
– Inflation is defined as an increase in the typical price level of goods and
services in an economy over a period of time. Inflation reduces the procuring power of a
currency. So people with excess funds claim higher interest rates, as they want to protect their
investment returns against the unfavorable conditions of higher inflation.
– The central bank of a country controls the money supply in
the economy through its monetary policy. In India, the monetary policy of RBI focuses at the
price stability and economic growth. If RBI loosens its monetary policy then the interest rate gets
reduced which leads to higher inflation. Whereas, if RBI strengthens its monetary policy then
interest rate increases, this thereby limits the inflation. Repo rate is used by RBI to inject or
remove liquidity from the monetary system.
– If the economic growth of an economy improves then the
demand for money goes up. It ultimately compels the interest rates to move forward.
– If global liquidity is high then the domestic liquidity of a country will also
be high which ultimately reduces the pressure on interest rates.
– Foreign investor demand for debt securities influences the
interest rate. Higher inflows of foreign capital lead to increase in domestic money supply which
in turn leads to higher liquidity and lower interest rates.
– Making timely mortgage or rent payment is very important. Late
payments on credit cards, car payments and other bills affect the interest rate.
– The higher the debt to income ratio, the higher will be the interest rate.

– The interest rate depends upon the type of property owned by an individual.
The less risky is the property, the better the interest rate proposed.
– The amount of money the borrower borrows makes a difference in the interest
rate.
– Many lenders offer reduced paperwork alternatives. These
alternatives increase the suitability of getting a loan for the consumer. It also increases the risks
for the lender.
– Varying property states have different regulations and requirements that
results in fluctuating business costs. These costs are often passed to the consumer in the form of
an interest rate for the lenders.
– Budgetary deficit and increased borrowing programme of the Government
will lead to increase in interest rates as the demand for funds increases. With increase in interest
rates, costs go up and this will result in inflation
3.4.12.2 Methods To Reduce Interest Rate Risks :
Diversifying maturities – The rate of return is usually not fixed across all maturity dates.
Usually long term securities pay higher return than short term dated securities. Hence these
factors can be hedged by spreading fixed income investments across entire yield curve from
short term dated maturities to long term bonds. Doing this effectively will provide expectations
about future interest rate movements.
Buy fixed or floating swaps – The swaps is an agreement to exchange capital streams from
assets to qualities within a period of time. The fixed or floating swaps allow the fixed rate debtor
to exchange capital stream debt of identical maturity by paying floating interest rate. Hence, if
the interest rate rises, then the debtors receive difference in interest revenues through swaps.
Use real interest rate strategy – It is important to analyse the presence of risk. One way to
determine is by using real interest rate, the nominal interest rate (interest earned on a high yield
savings account) minus rate of inflation.
– Rate of inflation
indicator can provide investor with information to diversify across various maturities

Figure : Yield Curve Indicating High Interest Rate Risk
The rising line indicates the steeper curve and the falling line indicates flatter curve
3.5 ELEMENTS OF RISK MANAGEMENT
Risk management is an organized method for identifying and measuring risk and for selecting,
developing, and implementing options for the handling of risk. It is a process, not a series of
events. Risk management depends on risk management planning, early identification and
analysis of risks, continuous risk tracking and reassessment, early implementation of corrective
actions, communication, documentation, and coordination.
As depicted in Figure all of the parts are interlocked to demonstrate that after initial planning the
parts begin to be dependent on each other.

Risk planning
Risk Planning is the continuing process of developing an organized, comprehensive approach to
risk management. The initial planning includes establishing a strategy; establishing goals and
objectives; planning assessment, handling, and monitoring activities; identifying resources, tasks,
and responsibilities; organizing and training risk management IPT members; establishing a
method to track risk items; and establishing a method to document and disseminate information
on a continuous basis.
Risk Assessment
Risk assessment consists of identifying and analyzing the risks associated with the life cycle of
the system.
Risk identification activities establish what risks are of concern. These activities include:
• Identifying risk/uncertainty sources and drivers,
• Transforming uncertainty into risk,
• Quantifying risk,
• Establishing probability, and
• Establishing the priority of risk items.
After identifying the risk items, the risk level should be established. One common method is
through the use of a matrix such as shown in Figure 15-5. Each item is associated with a block in
the matrix to establish relative risk among them.
On such a graph risk increases on the diagonal and provides a method for assessing relative risk.
Once the relative risk is known, a priority list can be established and risk analysis can begin.

Fig: Risk Matrix
Risk identification efforts can also include activities that help define the probability or
consequences of a risk item, such as:
• Testing and analyzing uncertainty away,
• Testing to understand probability and consequences, and
• Activities that quantify risk where the qualitative nature of high, moderate, low estimates are
insufficient for adequate understanding
Analysis Activities
Risk analysis activities continue the assessment process by refining the description of identified
risk event through isolation of the cause of risk, determination of the full impact of risk, and the
determination and choose of alternative courses of action. They are used to determine what risk
should be tracked, what data is used to track risk, and what methods are used to handle the risk.
Risk analysis explores the options, opportunities, and alternatives associated with the risk. It
addresses the questions of how many legitimate ways the risk could be dealt with and the best
way to do so. It examines sensitivity, and risk interrelationships by analyzing impacts and
sensitivity of related risks and performance variation. It further analyzes the impact of potential
and accomplished, external and internal changes.
Risk analysis activities that help define the scope and sensitivity of the risk item include finding
answers to the following questions:
• If something changes, will risk change faster, slower, or at the same pace?

• If a given risk item occurs, what collateral effects happen?
• How does it affect other risks?
• How does it affect the overall situation?
• Development of a watch list (prioritized list of risk items that demand constant attention by
management) and a set of metrics to determine if risks are steady, increasing, or decreasing.
• Development of a feedback system to track metrics and other risk management data.
• Development of quantified risk assessment.
Risk Handling
Once the risks have been categorized and analyzed, the process of handling those risks is
initiated. The prime purpose of risk handling activities is to mitigate risk. Methods for doing this
are numerous, but all fall into four basic categories:
• Risk Avoidance,
• Risk Control,
• Risk Assumption, and
• Risk Transfer.
Monitoring and Reporting
Risk monitoring is the continuous process of tracking and evaluating the risk management
process by metric reporting, enterprise feedback on watch list items, and regular enterprise input
on potential developing risks. (The metrics, watch lists, and feedback system are developed and
maintained as an assessment activity.) The output of this process is then distributed throughout
the enterprise, so that all those involved with the program are aware of the risks that affect their
efforts and the system development as a whole.

CHAPTER-4
PROCESS OF RISK
MANAGEMENT

4.1 PROCESS OF RISK MANAGEMENT
Risk management is a process designed and established by management and implemented by the
entire staff within the finance and accounting department. This process consists of: defining the
risk strategy; identifying and evaluating risks; cost control; monitoring; reviewing and reporting
situation of the risks.
The process should not be linear, risk management may have impact on other risks as well and
measures identified as being effective in limiting a risk and keeping it within acceptable limits
may prove beneficial in controlling other risks.
According to the standard ISO 31000 , the process of risk management consists of several
steps as follows:
4.1.1. Risk identification :
“How can the assets be or earning capacity of an organization can be threatened?”
Risks are about events that, when triggered, cause problems or benefits. Hence, risk
identification can start with the source of our problems and those of our competitors
(benefit), or with the problem itself.
 Source analysis - Risk sources may be internal or external to the system that is the target
of risk management (use mitigation instead of management since by its own definition
risk deals with factors of decision-making that cannot be managed).
Examples of risk sources are: stakeholders of a project, employees of a company or the
weather over an airport.

 Problem analysis - Risks are related to identified threats. For example: the threat of losing
money, the threat of abuse of confidential information or the threat of human errors,
accidents and casualties. The threats may exist with various entities, most important with
shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events
that can lead to a problem can be investigated. For example: stakeholders withdrawing
during a project may endanger funding of the project; confidential information may be stolen
by employees even within a closed network; lightning striking an aircraft during takeoff may
make all people on board immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and
compliance. The identification methods are formed by templates or the development of
templates for identifying source, problem or event. Common risk identification methods are:
 Objectives-based risk identification- Organizations and project teams have objectives.
Any event that may endanger achieving an objective partly or completely is identified as
risk.
 Scenario-based risk identification - In scenario analysis different scenarios are created.
The scenarios may be the alternative ways to achieve an objective, or an analysis of the
interaction of forces in, for example, a market or battle. Any event that triggers an
undesired scenario alternative is identified as risk – see Futures Studies for methodology
used by Futurists.
 Taxonomy-based risk identification - The taxonomy in taxonomy-based risk
identification is a breakdown of possible risk sources. Based on the taxonomy and
knowledge of best practices, a questionnaire is compiled. The answers to the questions
reveal risks.
 Common-risk checking- In several industries, lists with known risks are available. Each
risk in the list can be checked for application to a particular situation.
 Risk charting - This method combines the above approaches by listing resources at risk,
threats to those resources, modifying factors which may increase or decrease the risk and
consequences it is wished to avoid. Creating a matrix under these headings enables a
variety of approaches. One can begin with resources and consider the threats they are
exposed to and the consequences of each. Alternatively one can start with the threats and
examine which resources they would affect, or one can begin with the consequences and
determine which combination of threats and resources would be involved to bring them
about.

4.1.2.Risk assessment:
Once risks have been identified, they must then be assessed as to their potential severity of
impact (generally a negative impact, such as damage or loss) and to the probability of
occurrence. These quantities can be either simple to measure, in the case of the value of a lost
building, or impossible to know for sure in the case of the probability of an unlikely event
occurring. Therefore, in the assessment process it is critical to make the best educated decisions
in order to properly prioritize the implementation of the risk management plan.
Even a short-term positive improvement can have long-term negative impacts. Take the
"turnpike" example. A highway is widened to allow more traffic. More traffic capacity leads to
greater development in the areas surrounding the improved traffic capacity. Over time, traffic
thereby increases to fill available capacity. Turnpikes thereby need to be expanded in a
seemingly endless cycles. There are many other engineering examples where expanded capacity
(to do any function) is soon filled by increased demand. Since expansion comes at a cost, the
resulting growth could become unsustainable without forecasting and management.
The fundamental difficulty in risk assessment is determining the rate of occurrence since
statistical information is not available on all kinds of past incidents. Furthermore, evaluating the
severity of the consequences (impact) is often quite difficult for intangible assets. Asset valuation
is another question that needs to be addressed. Thus, best educated opinions and available
statistics are the primary sources of information. Nevertheless, risk assessment should produce
such information for the management of the organization that the primary risks are easy to
understand and that the risk management decisions may be prioritized. Thus, there have been
several theories and attempts to quantify risks. Numerous different risk formulae exist, but
perhaps the most widely accepted formula for risk quantification is:
 Rate (or probability) of occurrence multiplied by the impact of the event equals risk
magnitude
The above formula can also be re-written in terms of a Composite Risk Index, as follows:
Composite Risk Index = Impact of Risk event x Probability of Occurrence
The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent
the minimum and maximum possible impact of an occurrence of a risk (usually in terms of
financial losses). However, the 1 to 5 scale can be arbitrary and need not be on a linear scale.
The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1
represents a very low probability of the risk event actually occurring while 5 represents a very
high probability of occurrence. This axis may be expressed in either mathematical terms (event
occurs once a year, once in ten years, once in 100 years etc.) or may be expressed in "plain
english" (event has occurred here very often; event has been known to occur here; event has been
known to occur in the industry etc.). Again, the 1 to 5 scale can be arbitrary or non-linear
depending on decisions by subject-matter experts.
The Composite Index thus can take values ranging (typically) from 1 through 25, and this range
is usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low,

Medium or High, depending on the sub-range containing the calculated value of the Composite
Index. For instance, the three sub-ranges could be defined as 1 to 8, 9 to 16 and 17 to 25.
Note that the probability of risk occurrence is difficult to estimate, since the past data on
frequencies are not readily available, as mentioned above. After all, probability does not imply
certainty.
Likewise, the impact of the risk is not easy to estimate since it is often difficult to estimate the
potential loss in the event of risk occurrence.
Further, both the above factors can change in magnitude depending on the adequacy of risk
avoidance and prevention measures taken and due to changes in the external business
environment. Hence it is absolutely necessary to periodically re-assess risks and intensify/relax
mitigation measures, or as necessary. Changes in procedures, technology, schedules, budgets,
market conditions, political environment, or other factors typically require re-assessment of risks.
4.1.3. Create a risk management plan
Select appropriate controls or countermeasures to measure
each risk. Risk mitigation needs to be approved by the
appropriate level of management. For instance, a risk
concerning the image of the organization should have
top management decision behind it whereas IT management
would have the authority to decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for
managing the risks. For example, an observed high risk of computer viruses could be mitigated
by acquiring and implementing antivirus software. A good risk management plan should
contain a schedule for control implementation and responsible persons for those actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk
assessment phase consists of preparing a Risk Treatment Plan, which should document the
decisions about how each of the identified risks should be handled. Mitigation of risks often
means selection of security controls, which should be documented in a Statement of
Applicability, which identifies which particular control objectives and controls from the
standard have been selected, and why.
4.1.4. Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks.
Purchase insurance policies for the risks that have been decided to be transferred to an insurer,
avoid all risks that can be avoided without sacrificing the entity's goals, reduce others, and
retain the rest.

4.1.5. Review and evaluation of the plan
Initial risk management plans will never be perfect. Practice, experience, and actual loss results
will necessitate changes in the plan and contribute information to allow possible different
decisions to be made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are two
primary reasons for this:
1. to evaluate whether the previously selected security controls are still applicable and
effective
2. to evaluate the possible risk level changes in the business environment. For example,
information risks are a good example of rapidly changing business environment.
4.2 ACTIVITIES TO RISK ASSESSMENT:
4.2.1 Activity One: Look for the hazards:
It is necessary for you to stand back from the activity, and look afresh at what could cause harm.
It is important to concentrate on the significant hazards. These are hazards which harm or affect
several people. It might be a good idea to ask others what they think; they may have noted things
that were not immediately obvious to you.
4.2.2 Activity Two: Decide who might be harmed and how?
These could be young people taking part (or waiting to do so), the instructors, others supervising
the activity, those in the area of the activity or casual observers. In identifying the hazards (Step
One) you have already identified the potential of how these people might be harmed.
4.2.3 Activity Three: Evaluate the risk and decide whether existing precautions are
adequate or whether more should be done:
You have already identified the hazards. Now consider the likelihood of each of these hazards
causing harm. This will determine whether or not you need to do more to reduce the risk. It is
possible that even after all reasonable precautions have been taken some degree of risk will
remain. What you have to decide, for each significant hazard, is whether the remaining risk is
high, medium, or low.

For some activities you have to ask yourself if everything has been done to comply with the law -
and, in our context, the requirements also of Policy, Organization and Rules. Everything
reasonably practicable must be done to reduce and control the risk. Your aim is to minimize risks
by adding such precautions as may be necessary. Likewise, the competence of instructors/leaders
and adherence to good practice play a vital role in the provision of safe activities. There are
many ways in which risks can be minimized. This might be a change in venue, additional
training, an increased staff/participant ratio and properly equipped participants. Likewise, plans
may have to be modified during the activity, based on an on-going risk assessment. Later in this
fact sheet, we will relate this to typical Scout activities.
4.2.4 Activity Four: Record your findings:
You must inform those who will be taking part in the activity of your findings and what action
should be taken. The recording of your findings might vary depending upon circumstances. A
risk assessment for the use of a permanent climbing tower on a campsite should be a document
that each instructor has to read (and sign) prior to the start of each session. It should cover the
points you have identified in Steps one-three above. The risk assessment must be suitable and
effective and must show that
 A proper check was made.
 You decided who might be affected.
 You dealt with all the significant hazards, taking into account potential users.
 The precautions are reasonable, and the remaining risk is judged acceptable.
The recording of the assessment should be in a format which is easily read - don’t write a book!
Risk assessments are not operating procedures -they inform and determine key aspects of the
operating procedures. At the campsite your risk assessment may have determined that no more
than 30 people may be admitted to the swimming pool at any one time due to the size of the pool
and the need to avoid overcrowding.
This assessment will then be reflected in the pool’s operating procedure and a requirement
placed on the lifeguard and those controlling bookings for the pool to count. A risk assessment

for a day in the hills or on water that you have not visited before cannot be formalized in exactly
the same way. In these cases, refer to the examples later in the fact sheet
.
4.2.5 Activity Five: Review your assessment and revise it if necessary:
In all cases, it is good practice to review your risk assessments from time to time, to ensure that
the precautions are still working effectively. If there are any significant changes, review and
revise the assessments to take account of the new hazard. For those risk assessments for a
Composite, and activities on site, it is important to ensure that when carrying out a risk
assessment the date is also set for the next review. Make sure that all relevant documentation is
changed.

CHAPTER-5
NEED AND ITS IMPORTANCE
IN FINANCE

5.1 THE IMPORTANCE OF FINANCIAL AND ACCOUNTING ACTIVITIES WITHIN
THE ORGANIZATION
The financial and accounting function represents a specialized activity within the organization
through which the measurement, evaluation, knowledge, management and control of assets,
liabilities and equity can be performed, as well as the outcomes obtained from the economic
activity of an organization. Financial and accounting activities ensure chronological and
systematic recording, processing, publication and preservation of information regarding financial
position, financial performance and cash flow for both the domestic needs of the
organization as well as for external users.
Information provided by the financial and accounting system refers to the performance of
income and expenditure budgets, budget execution outcomes, assets under management, asset
outcomes and cost of approved programs.
Also, financial and accounting operations present the situation concerning propriety and assets,
namely inventory, calculation, analysis and control of assets denominated in currency, it
provides control of operations, processing procedures as well as the accuracy of accounting data
provided to users.
The content and range of the financial and accounting activities include:
- the existence of material and financial means;
- movement and transformation of material and financial means within the economic operations
and processes
- determination of the final outcome of movements and transformations in a value expression.
Carrying out any economic activity by an organization or entity imposes the preparation and
existence of financial and book-keeping records which represent the consignment made in a
specific order, based on set principles, of any conducted economic activity or operation.
According to the nature of the data and the manner in which they are obtained, processed and
represented, financial and book-keeping records take three distinct forms: technical and
operational records, accounting records and statistical records, which reflect the overall situation
of the organization.
Activities carried out within the financial and accounting function can be grouped as followed:
- financial activities which refer to the establishment and use of financial resources;
- accounting activities, which relate to preparation of accounting records that reflect the
existence, movement and transformation of assets in a value expression. These ensure the
integrity of the assets and give a foundation to management decisions.
Finance and book-keeping performed within an organization is key because it reflects any asset
operation and in the same time provides a series of data which are used by the management in
decision making, as well as a series of users, depending on concerns.
Under these conditions ensuring effective management of financial and accounting hazards is
essential for limiting errors and fraud, waste and uneconomical activity. Implementation of an

effective risk management system on financial and accounting activities contributes to increasing
business performance and overall performance across the entire organization, given the
interfering of this function with all other functions within the organization .
5.2 THE NEED FOR RISK MANAGEMENT IN FINANCIAL AND ACCOUNTING
ACTIVITIES
The achieving business objectives or obtaining expected results is burdened by the uncertainty of
the nature of the threats, which may become both performance barriers and opportunities. At any
time, events or situations may arise, actions or inactions, which result in failure of targets or
which can become opportunities to be exploited.
The need for risk management stems from the fact that uncertainty is a reality and a reaction to
this uncertainty is a permanent preoccupation. Therefore, the acquisition of a risk management
system, widely accepted across the organization, becomes indispensable to financial and
accounting activities.
Implementing a risk management system in the financial and accounting activity is necessary
due to the following:
- Risk management requires change in management style – managers must deal with both the
consequences of events that occurred and to devise and implement measures that are likely to
reduce risks so that the organization can carry out it’s activities in good conditions;
- Risk management facilitates effectiveness and efficiency in terms of achieving objectives –
knowledge of threats enables risk rating based on the probability of materialisation, the
magnitude of the impact and the costs necessary for implementing measures for reducing or
limiting unwanted effects.
- Risk management provides appropriate conditions for a healthy internal control – ensuring the
functioning of internal control involves a complex set of management measures in order to
obtain reasonable assurance that objectives will be achieved.
Risk management involves identifying risks associated to developed activities and establishing
means to respond to them, by putting into practice adequate internal control devices to mitigate
the possibility of them occurring or the consequences in case the risk already materialized. The
process must be coherent and convergent, integrated to the objectives, activities and operations
carried out under the financial and accounting structure.
Also, staff members, regardless of their hierarchical level, should be aware of the importance of
risk management in achieving their objectives and implement monitoring and control based on
principles of efficiency and effectiveness.
Financial and accounting officers must periodically analyze the risk of their activities, develop
appropriate plans in order to limit the possible consequences of such risks and determine actions
necessary for implementing the objectives of the plans.

CHAPTER-6
FRAMEWORK AND STRATEGIES
OF RISK MANAGEMENT

6.1 FRAMEWORK
6.1.1 Governance structure
Strong independent oversight is in place at all levels throughout the group.
The group audit committee (GAC) is responsible for:
financial matters, including assessing the integrity and effectiveness of accounting, financial,
compliance and other control systems; and
management and regulators.
The group risk and capital management committee (GRCMC) and the group credit committee
(GCC) provide, among other things, independent and objective oversight of risk and capital
management across the group by:
dequacy and effectiveness of the group’s risk
management control framework;
Various committees allow executive management and the board to evaluate the risks faced by the
group, as well as the effectiveness of the group’s management of these risks. These committees
are integral to the group’s risk governance structure.
The senior committees are set out in figure

Figure : Governance reporting structure
1
The board has delegated authority to these committees to act as nominated designated committees in respect of the
regulations.4 Standard Bank Group risk management report for the six months ended June 2010


Standard Bank
Group board
Management
committees
Group audit
committee
Group risk and
capital
management
committee
Group executive
committee
Board Committees
Group credit
committee
Global
Personal
&
Business
Banking
credit
committee
Group risk
oversight
committee
SBSA large
exposure
credit
committee
Global
Corporate
&
Investment
Banking
credit
committee
Group
capital
manage
ment
commit
tee
Group
Risk
compli
ance
commit
tee
Group
country
risk
managem
ent
committe
e
Transactio
n
review
committee
Group
operatio
nal risk
committ
ee
Group
asset
and
liability
commit
tee
Intragr
oup
exposu
re
commit
tee

approving and monitoring the group’s risk profile and risk tendency against risk appetite for
each risk type under normal and potential stress conditions.
Executive management oversight for all risk types at group level has been delegated by the group
executive committee to the group risk oversight committee (GROC). This committee considers
and, to the extent required, recommends for approval by the relevant board committees:
risk type;
ng, stress testing and scenario
analysis.
The GRCMC, GCC, GAC and GROC meet at least quarterly, with additional meetings
conducted when necessary. The group risk management subcommittees set out in figure report
directly to GROC and through GROC to the GRCMC, the GCC and GAC.
6.1.2 Approach and structure
The group’s approach to risk management is based on well established governance processes and
relies on both individual responsibility and collective oversight, supported by comprehensive
reporting. This approach balances strong corporate oversight at group level, beginning with
proactive participation by the group chief executive and the group executive committee in all
significant risk matters, with independent risk management structures within individual business
units.
Business unit heads are primarily responsible for managing risk within each of their businesses
and for ensuring that appropriate, adequately designed and effective risk management
frameworks are in place, and that these frameworks are compliant with the group’s risk
governance standards.
To ensure independence and appropriate segregation of responsibilities between business and
risk management, business unit chief risk officers and chief credit risk officers report
operationally to their respective business unit heads and functionally to either the group chief
risk officer or the group chief credit officer.
6.1.3 Risk governance standards, policies and procedures
The group has developed a set of risk governance standards for each major risk type to which it
is exposed. The standards set out and ensure alignment and consistency in the way in which we
deal with major risk types across the group, from identification to reporting.

All standards are applied consistently across the group and are approved by the GRCMC or the
GCC. It is the responsibility of executive management in each business unit to ensure that the
risk governance standards, as well as supporting policies and procedures, are implemented and
independently monitored by the risk management team in that particular business unit.
Compliance with risk standards is controlled through annual self-assessments conducted by
business units and group risk and review independently by the group internal auditors.
6.2 RISK MANAGEMENT STRATEGIES
Once risks have been identified and assessed, all techniques to manage the risk fall into one or
more of these major categories:
 Avoidance (eliminate, withdraw from or not become involved)
 Reduction (optimize – mitigate)
 Sharing (transfer – outsource or insure)
 Retention (accept and budget)
 Hedging
 Combination
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are
not acceptable to the organization or person making the risk management decisions. Another
source, from the US Department of Defense , Defense Acquisition University, calls these
categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is
reminiscent of another ACAT (for Acquisition Category) used in US Defense industry
procurements, in which Risk Management figures prominently in decision making and planning.
6.2.1 Risk avoidance
This includes not performing an activity that could carry risk. An example would be not buying a
property or business in order to not take on the legal liability that comes with it. Another would
be not flying in order not to take the risk that the airplane were to be hijacked. Avoidance may
seem the answer to all risks, but avoiding risks also means losing out on the potential gain that
accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss
also avoids the possibility of earning profits. Increasing risk regulation in hospitals has led to
avoidance of treating higher risk conditions, in favor of patients presenting with lower risk.
6.2.2 Hazard prevention
Hazard prevention refers to the prevention of risks in an emergency. The first and most effective
stage of hazard prevention is the elimination of hazards. If this takes too long, is too costly, or is
otherwise impractical, the second stage is mitigation.

6.2.3 Risk reduction
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of
the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk
of loss by fire. This method may cause a greater loss by water damage and therefore may not be
suitable. Hal on fire suppression systems may mitigate that risk, but the cost may be prohibitive
as a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding a balance
between negative risk and the benefit of the operation or activity; and between risk reduction and
effort applied. By an offshore drilling contractor effectively applying HSE Management in its
organization, it can optimize risk to achieve levels of residual risk that are tolerable.
Modern software development methodologies reduce risk by developing and delivering software
incrementally. Early methodologies suffered from the fact that they only delivered software in
the final phase of development; any problems encountered in earlier phases meant costly rework
and often jeopardized the whole project. By developing in iterations, software projects can limit
effort wasted to a single iteration.
Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher
capability at managing or reducing risks. For example, a company may outsource only its
software development, the manufacturing of hard goods, or customer support needs to another
company, while handling the business management itself. This way, the company can
concentrate more on business development without having to worry as much about the
manufacturing process, managing the development team, or finding a physical location for a call
center.
6.2.4 Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk."
The term of 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can
transfer a risk to a third party through insurance or outsourcing. In practice if the insurance
company or contractor go bankrupt or end up in court, the original risk is likely to still revert to
the first party. As such in the terminology of practitioners and scholars alike, the purchase of an
insurance contract is often described as a "transfer of risk." However, technically speaking, the
buyer of the contract generally retains legal responsibility for the losses "transferred", meaning
that insurance may be described more accurately as a post-event compensatory mechanism. For
example, a personal injuries insurance policy does not transfer the risk of a car accident to the
insurance company. The risk still lies with the policy holder namely the person who has been in
the accident. The insurance policy simply provides that if an accident (the event) occurs
involving the policy holder then some compensation may be payable to the policy holder that is
commensurate to the suffering/damage.

Some ways of managing risk fall into multiple categories. Risk retention pools are technically
retaining the risk for the group, but spreading it over the whole group involves transfer among
individual members of the group. This is different from traditional insurance, in that no premium
is exchanged between members of the group up front, but instead losses are assessed to all
members of the group.
6.2.5 Risk retention
Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self
insurance falls in this category. Risk retention is a viable strategy for small risks where the cost
of insuring against the risk would be greater over time than the total losses sustained. All risks
that are not avoided or transferred are retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or the premiums would be
infeasible. War is an example since most property and risks are not insured against war, so the
loss attributed by war is retained by the insured. Also any amounts of potential loss (risk) over
the amount insured is retained risk. This may also be acceptable if the chance of a very large loss
is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals
of the organization too much.
6.2.6 Risk Hedging
Hedging is the practice of taking a position in one market to offset and balance against the risk
adopted by assuming a position in a contrary or opposing market or investment. The word hedge
is from Old English hecg, originally any fence, living or artificial. The use of the word as a verb
in the sense of "dodge, evade" is first recorded in the 1590s; that of insure oneself against loss, as
in a bet, is from 1670s.
The taking of an offsetting position in related assets so as to profit from relative price
movements. For example, an investor might purchase futures contracts on gold and sell futures
contracts on silver in the belief that gold will become relatively more valuable compared with
silver over the life of the contracts.

A hedge can be constructed from many types of financial instruments,
including stocks, exchange-traded funds, insurance, forward contracts, swaps, options, many
types of over-the-counter and derivative products, and futures contracts.
6.2.7 Risk Combination
The risk and uncertainty for a single task may well be known with reasonable accuracy with
respect to its cost and its proposed completion end date. Such as the risk is distributed over a
number of issuers instead of putting it on a single issuer. This reduces the chances of default. For
example it is better to have multiple suppliers instead of relying on a single supplier.

Project report on Risk management in insurance sector

Project report on Risk management in insurance sector

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Project report on Risk management in insurance sector

Similar to Project report on Risk management in insurance sector (20)

Recently uploaded

Recently uploaded (20)

Project report on Risk management in insurance sector