Abstract
Object: To study the essence and features of the main types of banking risks; to identify the conceptual foundations of the model of integrated risk management for STBs. It is important to note that integrated risk management system assumes strategic decision-making that will contribute to the achievement of the bank’ s overall corporate goals, i.e. the bank needs to embed the risk management system in its overall strategy.
Methods: Systematic, structural methods of analysis, a logical and integrated approach to process assessment, systematization, and classification.
Findings: The parameters of a conceptual model of integrated risk management system for second-tier banks have been identified. In particular, classification of banking risks and its diversification has been revised to improve the performance of risk operations and business processes, including using the principle of coverage and modeling.
Conclusions: While implementing their activities, second-tier banks face various types of risks different from each other in various factors and at the same time closely interrelated with each other. In some cases, risk types may relate to different elements due to their interrelation and interdependence. Since risks are increasingly an integral part of the activities of any bank, and more so, they interact with each other, in today’s volatile environment, they become one of the most important factors affecting the bank’s sustainability and financial results. Identification of the parameters of the integrated risk management system’s conceptual model contributes to strategic decision-making that will, in turn, support achieving the bank’s overall corporate goals.
An integrated approach to risk management ensures an increase in the quality of strategic planning and budgeting, full coverage of risks, a unified risk management policy, a unified risk database, and a positive synergistic effect.
For the organization of integrated risk management in banks, the culture of risk is just as vital. The key to understanding why something is wrong in banks is to understand the norms and expectations within the bank itself regarding what is normal for its staff.
The bank’s “culture” is related to its staff, its everyday work, individual beliefs in the bank and its management. Risk management embraces a culture of risk that deals with articulation, communication, measurement, and managing risks. However, it also separately considers the risk of behavior aimed at identifying and eliminating risk in the development or improvement of a banking product, sales methods and behavior that may affect customers.
The risk culture is now internationally recognized as an integral part of banking risk management. The financial crisis of recent years has revealed poor risk management practices and obvious shortcomings in internal control structures, but also revealed shortcomings in many financial institutions’ risk attitude. Risk culture assessment is therefore a key component of the cultural awareness agenda.
A well-defined risk management infrastructure plays an important role in the bank’s integrated risk management as well. This includes management and departments responsible for risk management, as well
* Responsible author:
E-mail address: Gumnaz@mail.ru as conditions and norms for the organization of the risk management process. Here, an essential role is assigned to ensuring effective communication links between risk management participants and monitoring the bank’s risk management process.
The process of the bank’s integrated risk management consists of certain stages, which are a cyclical process. The first step in the risk management process in the bank is to reveal (identify) possible risks. Risks are associated with events that, if they occur, will cause problems for banking. Therefore, risk identification can be started with the source of the problem or with the problem itself.
Risk identification requires knowledge of the bank’s activities, the market in which it operates, the legal, social, economic, political, and other conditions in which it operates, its financial strengths and weaknesses, its vulnerability to unplanned losses of the management system and the business mechanism by which it operates. Any failure at this stage to determine the risk can lead to serious losses for the bank since risk identification provides the basis for risk management.
One cannot but agree with the opinion that the unstable growth of the financial market and fierce competition between banks contributing to the emergence of new risks requires them to build an adequate risk management system (Rehman et al., 2019).
It should also be noted that in this case, a large role is assigned to the developed classification of banking risks.
So, risk identification requires their classification. There are many system-forming features, under which this task can be addressed. The economic literature mainly classifies the risks according to the following criteria: the period of occurrence, the main causes for occurrence, duration, the type of asset and liability, foreseeability, impacts and implications, the level of influence, etc.
J. Fraser and B. Simkins subdivide each risk type into the corresponding main subtypes, i.e., they divide credit risk further into counterparty credit risk, sovereign credit risk, international credit risk, and so forth (Fraser et al. 2010).
According to V.V. Sklyarenko, several classification features can be distinguished, according to which types of risks can be distinguished as well. For example, on a factor basis, risks are divided into market risks, credit risks, liquidity loss risks, operational, and external event risks (Javalgi et al.,1989).
The Risk Management Standards (RMS) offer a fairly complete representation of the risk classification. These were proposed by the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers in Industry and Commerce (Airmic), and the Federation of European Risk Management Associations (FERMA) (Risk Management Standard, 2017). The classification they offer identifies the main categories of risks, which can be combined according to the following: financial, strategic, operational risks, emergency risks – while also determining external and internal risk drivers for individual risks. Furthermore, financial risks include interest rates, currency, and loans; strategic risks include market demand, competition, and industry changes; operational risks include regulatory changes and risk culture; emergency risks include natural disasters and the environment.
An important drawback of the risk classification proposed by the Basel Committee is that it lacks risk categorization and does not consider threat levels. In particular, it places credit risk on the same level as operational risk, which firstly, belongs to a completely different category of risks by nature, and secondly, contains a much higher level of threats since it includes several risk groups.
GARP (Generally Accepted Risk Principles) when classifying risks denotes the following types of risks: credit risk, market risk, portfolio concentration risk, liquidity risk, operational risk, and business event risk (Corporate Metrics Technical Document, 1999).
This classification is more fitting because it distributes the risks of banks into categories of their main activities. The same character can be given to the classification of banking risks presented by the World Bank: financial, operational, business, and emergency risks (Medvedev, 2009).
The most complete classification of banking risks is presented by B.I. Lisak, who used various classification criteria (Lisak, 2003). However, for risk assessment in the integrated risk management system, such classification is rather inconvenient and does not reflect the contribution of each risk category to the overall totality of the bank’s integral risk indicator.
The following research uses systematic, structural methods of analysis, a logical and integrated approach to process assessment, systematization, and classification.
When developing the classification of banking risks, we need to consider the specifics of banking activities. The specificity of banking risks lies in their consistency implying that most of the bank’s resources are attracted, therefore the level of financial leverage is high. This means that when the financial condition of the bank worsens, a chain reaction of non-payments between economic entities snowballs immediately.
While implementing their activities, second-tier banks face types of risks different from each other in various factors while being closely interrelated (Volkova, 2011). In some cases, risk types may relate to different elements due to their interrelation and interdependence. Since risks are increasingly an integral part of the activities of any bank, and more so, they interact with each other in today’s volatile environment, they become one of the most important factors affecting the bank’s sustainability and financial results. In the world’s largest banks’ risk management practice, this component of the total risk is given the highest priority (Integrated Risk Management: Implementation Guide). In view of this, building a classification of risks based on the possibility of their impact on the financial results and reputation of the bank makes total sense. Accordingly, we propose the following classification of banking risks (Figure 1).
The above risk classification is subject to further supplementation and expansion since diversification of banking operations is in constant dynamic development. With the emergence of new and expansion of the range of banking products provided, the types of risks expand, mutate, and transform as well. The rapid
growth of information technologies and, as a consequence, the dependence of activities on them has recently contributed to the special development of types of banking risks, since, on the one hand, they significantly facilitate the provision of many banking products and reduce costs, and on the other, create platforms for the emergence of new risk types.
The logic of constructing this exact banking risk classification is based on:
First, the initial division of banking risks into external and internal allows for tracking the sources of their occurrence and identification of the causes of growth as a negative factor.
Second, such classification allows systematization of bank risks into certain categories to assess the degree of the impact of the corresponding group of risks (e.g. financial, non-financial, balance sheet, off- balance-sheet, etc.) on the bank’s financial result or reputation.
Third, grouping risks into categories allows assessment of each risk as an integrated set. Each category and type of risk is assessed as a single management object, as a single aggregate, thus allowing development of a model and algorithm for managing bank risks.
Fourth, modern banks must manage many regulatory requirements with the frequency demanded by regulatory authorities. At the same time, they need to make risk management processes more accessible, efficient, sustainable, and reproducible. The only way to achieve this is to combine several risk data streams into specific groups. The presented grouping allows, on the one hand, to simplify the risk assessment, and on the other, to consider all the NBK requirements.
Fifth, such risk classification allows for a clear definition of the place of each of them in the general system of banking activities and determination of the most effective methods of managing the corresponding category of risks, since each risk is characterized by both applicable and inapplicable risk management methods.
Thuswise, let us consider the presented classification. All banking risks are initially grouped into two components, endogenous and exogenous, or internal and external. Endogenous risks are directly related to the bank’s activities while exogenous risks are independent of the bank’s operations. Exogenous risks are present at all times and have a significant impact on the bank’s activities. These risks are beyond the bank’s control and can arise at any time (Alisheva, 2016). However, the bank can foresee them and create a safety cushion for itself.
In turn, exogenous risks are divided into systemic and non-systemic risks. Systemic risk is associated with the general state of the economy; it cannot be excluded, since it is the risk of the entire system. In fact, these are the very financial crises that cover all subjects and all sides of the financial market. Non-systemic risks can be considered as separate components of market risks, each of which can be envisaged in the bank’s activities. The impact of each such risk is individual for each bank and depends on the organization of internal risk management. This group of risks includes risks of legislative changes, legal risks, natural disaster risks, regulatory risks, interest rate, currency, inflation, etc. In this case, interest rate risk implies possible losses as a result of changes in market interest rates. For instance, the National Bank reduces the refinancing rate or vice versa. Currency risk arises due to constant fluctuations in exchange rates. In the event of an unfavorable change in a certain exchange rate, the bank may incur corresponding losses.
The endogenous risks are divided into financial and non-financial risks. Banks are used to taking on financial risks since banking itself is financial in nature, that is, financial risks are prerequisites for their business models. However, non-financial risks, whether due to non-compliance with regulatory requirements, misconduct, technological or operational issues, sometimes cause much more problems. Financial risks are directly related to the bank’s operations and are divided into balance sheet and off-balance sheet risks based on the category of banking operations. This category of risks is the most subject to analysis and control and is the most basic for the bank, since all factors, both external and internal, affect the bank’s operations and have a direct impact on financial risks.
Since the bank’s balance sheet is its main form of reporting, it is advisable to distinguish the category of balance sheet and off-balance (out-of-balance) sheet risks. Risks associated with transactions reflected in the bank’s balance sheet belong to the category of balance sheet banking risks. Off-balance sheet items are a term for assets or liabilities not reflected in the bank’s balance sheet. Despite that fact, they are still the bank’s assets and liabilities. As a rule, off-balance sheet items do not belong to or are not a direct obligation of the bank. For instance, when loans are securitized and sold as investments, the secured debt is often not accounted for in the bank’s books. Or operations to provide guarantees, acceptances, credit lines, intermediary and trust transactions where the bank does not invest its own funds, get recorded on off-balance sheet accounts. Such operations can be both passive (attracting sources) and active (placing bank funds). If the bank conducts off-balance sheet transactions related to remuneration, they become active or passive (counteractive or counter-passive).
It makes perfect sense to divide balance sheet risks into active and passive ones based on the operations performed by the bank. The risks of active operations are associated with the bank’s activities for the placement of funds.
It should be noted that in this category, currency risk implies risks associated specifically with the bank’s foreign exchange transactions, transactions with foreign currency securities, foreign currency loans, etc. Interest rate risk in this category also has a different meaning, i.e. it is associated with the risk of not receiving accrued interest on invested assets, deposits in other banks, etc. These are internal risks and are directly related to the activities and policies of the bank itself, not the whole market.
Banks receive a significant part of their income through lending to the economy. In this regard, the largest share and attention is taken by credit risks of banks, which, in turn, can be divided into credit risks of corporate and retail customers, risks of consumer, mortgage, etc. lending, and others depending on the types of loans issued by the bank.
Owing to effective credit risk management, banks not only support the viability and profitability of the business but also contribute to systemic stability and efficient capital allocation in the economy (Bessis, 2015). In the absence of control, small lending issues can cause large losses for the bank.
Investment risks include the risks of real, portfolio, and intellectual investments. Portfolio risks, i.e. risks of investing in securities, occupy a significant share in this category.
The category of passive balance sheet risks incorporates risks on the bank’s liabilities and insufficient equity. The bank’s obligation risks primarily lie in potential difficulties with the resource provision of active operations. Most often, this kind of risk is faced by the banks that focus on the deposit base of several specific investors or groups of companies. The risks of deposit operations may mean the impossibility to provide resources for active operations. In addition to the risks associated with deposit operations, the category of passive risks includes all those related to the bank’s passive operations: Interbank loans, repo operations, etc. These may be the risks of withdrawal of funds from customer accounts, irrational structure of obligations, and others.
In turn, the risks of insufficient equity capital may be as follows: The risk of failure to ensure its minimum size, an irrational ratio of fixed and additional capital, the risk of incorrect calculation of the amount of capital, the risk of non-compliance with the bank’s capital standards, and others directly related to capital adequacy.
If everything is clear with financial risks as it is completely the bank’s activity, the role of non-financial risks seems somewhat limited. Many banks underestimate the impact of non-financial risks on the bank’s operations as a whole. However, whether due to non-compliance with regulatory requirements, misconduct, technological, or operational problems, non-financial risk can have a huge impact on banking activities and lead to undesirable financial consequences. For example, in the period from 2008 to 2012, the ten largest banks in the world lost about $200 billion as a result of litigation, compensation claims and operational failures (Kaminski et al., 2016). The danger of non-financial risks lies in the fact that even if a bank can prevent or hedge against financial risk, the reasons for the emergence of new non-financial risks are not entirely clear, what exactly they will be associated with, etc.
We identified reputational, strategic, operational, fraud risk, compliance risk, as well as chain reaction risk, cyber risk, model risk, talent risk, and complacency risk as non-financial risks.
Reputational risk is a threat or danger to the bank’s image or reputation. Reputational risk can arise in several ways: directly as a result of the actions of the bank itself, indirectly due to the actions of one employee or more, or through other peripheral parties, such as joint business partners. In addition to good governance practices and transparency, banks should be socially responsible to avoid or minimize reputational risk. Reputational risk is a hidden danger that can threaten the survival of the largest and most successful banks. The biggest issue with reputational risk is that it can literally come out of nowhere.
In addition to various forms of risk, banks also face risk arising from changes in strategic decisions and the business environment (e.g. competitors who enter the market or changing customer requirements). This form of risk is usually called strategic risk. A specific example of this type of risk is the impact that the entry of online banks has had on the profitability of existing traditional banks. Credit and market risks relate to asset losses (e.g. losses on loans and market positions) while strategic risk and operational risk are associated with a decrease in income as a result of strategic or operational events (e.g. losses affecting the income statement due to fraud in the case of operational risk or losses over a destructive competitor in the case of strategic risk). Accordingly, the practice of risk management in banks requires identification and classification of these risks, as well as development of strategies to reduce these identified risks.
Compliance risk, which is often overlooked because it is combined with operational risk and transaction processing, is a risk to profit or capital arising from violation or non-compliance with laws, rules and regulations, code of conduct, customer relationship rules, or ethical standards. It covers all laws, reasonable ethical standards, and contractual obligations. Compliance risk also arises in situations where the laws or regulations governing certain banking products or the activities of the bank’s customers may seem ambiguous or unverified. This risk exposes the bank to legal sanctions, compensation for losses, limitation of business opportunities, reputation losses, franchise value decrease, reduction of opportunities associated with extensions and terminations of contracts.
We consider the risk of a chain reaction (contagion risk), talent and complacency risk as an addition to the general classification of banking risks, which were not previously presented by the authors involved in banking risk classification since these risks have become the most relevant for worldwide banks in recent decades. Until recently, the economic literature has not been considered such new banking risks as talent risk and complacency risk at all.
The growing dependence of banks on models requires that risk managers better understand and manage model risk. Increased data availability and advances in computing, modeling, and algorithms have expanded the use of models. However, errors in suboptimal models can cause incorrect decision-making and increase the risks of banks. Some banks have suffered losses related to the model risk, although most of these cases are not publicly reported. For instance, one large US bank suffered losses of $6 billion, which was partly due to the risk of the VaR model (i.e., the operator’s lack of modeling experience, lack of back-testing and operational problems in the model) (Kopecki et al., 2014).
Model errors occur due to data quality issues, conceptual validity, technical or implementation errors, correlation or temporal inconsistencies, and volatility uncertainty. To reduce and eliminate the model risk, the bank needs to validate the model, constantly monitor its application and improve it in accordance with market changes.
The risks and opportunities that digital technologies, devices, and media bring are obvious. Cyber risk has never been an issue exclusive to the IT team, although they undoubtedly play a vital role in the bank’s activities. Cyber risk means any risk of financial loss, harm, or damage to the bank’s reputation as a result of any failure in its information technology systems. Internet banking is another reason for the growth of cyber risks. The desire of banks to reduce costs, attract customers providing them with wide and comprehensive access to their services leads to an increase in dependence on new information technologies, which increases the various possibilities of cyber risks in the banking sector.
Modern banks are under growing pressure on almost all fronts every year due to digital technologies, new competition, overvalued business models and growing consumer expectations of banking products (services). They increasingly have to innovate, become more flexible, use advanced analytics to support cost minimization and revenue growth, and establish partnerships with organizations that perform certain types of banking operations, which may also be their competitors.
Risk and compliance are keys to banks’ activities and are crucial to their business models, however, the so-called talent risk exists in today’s changing market and it is increasing in banking.
While the banking industry has a long history of compliance with legislation and regulations, many banks are experiencing difficulties today because they lag far behind the dynamics of changes in the modern financial market, especially in the period of globalization. Risk management practices are constantly evolving, and the complexity of compliance requirements creates a demand for employees with special skills. All of this makes it harder than ever for banks to attract and retain talented risk management specialists to the extent that human capital management is perhaps just equally important, if not more than financial capital management.
Compliance risk (the risk of self-complacency) is one of the most dangerous ones in modern banking practice. However, modern practice does not consider it at all and does not pay it due attention. However, self-complacency based on relatively short-term indicators is perhaps the most significant risk for banks today. Although the market continues to change rapidly, a stable series of positive financial results leads many bank executives into a false sense of comfort. Meanwhile, consumer demands are growing and alternatives to traditional banking seem increasingly preferable. A good example of this is the recession of 2008, partly caused by the mistaken belief that the status quo would continue and the housing market would never fall.
According to the time of occurrence, risks are divided into retrospective (past), current, and prospective (future) risks. Based on the analysis of retrospective risks, this division allows prediction of the possibility of occurrence and characteristics of current and prospective risks.
The development of an integrated risk management system in the bank simultaneously creates two more main risks: the risk that the mutual influence of risks will be incorrectly assessed and the risk of an imbalance in the risk management system hierarchy. The first risk option is associated with the fact that an integrated approach to risk management in banks requires an assessment and consideration of the mutual influence of risks on each other, especially on the financial result and reputation of the bank. Since all the bank’s operations are interconnected, such an assessment makes perfect sense. However, there may be a problem of how to do this, how to assess this impact, because the activities of each bank are unique in their own way and the interdependence of risks that exists in one bank cannot be similar to that in another. There is always a risk that this mutual influence will either be underestimated or overestimated.
One of the important stages of integrated risk management is the identification and assessment of risks. The existence of a huge number of different risk assessment methods in the world today is a well-known fact. However, as practice and the financial crisis of 2007—2008 shows, many of them are inapplicable to banking risks, since, as mentioned above, banking risks have completely different nature and origin due to the specific features of the banking activity itself.
The main directions for banking risk assessment are established by the National Bank in prudential standards mandatory for second-tier banks. However, this does not mean that banks cannot set their own limits and standards. Moreover, banks should develop individual limits based on the bank’s development strategy and search for new methods of risk assessment, although only after validating various methods.
The system of integrated risk management in banks needs to determine the relationship between different categories of risks in their totality. It should be noted that all banking transactions are sequential and closely interrelated with each other. Since the bank, unlike companies, operates mostly at the cost of attracted funds, its risks are two-sided. The funds raised flow smoothly into the active bank operations, and besides the operational risks, there are risks of profitability of funding activities. At this stage, it is important to assess how the risk categories affect each other and what is the relationship between them: Is it direct or reverse? The bank needs to have an inverse relationship, because in this case, with the growth of some risks, the other ones will decrease, providing a kind of compensation for the growth of risks in the bank’s total aggregate.
The next stage of integrated risk management in banks is high-quality managerial decision-making. The provided reports on risks divided into the appropriate categories and types act as sources for making appropriate decisions by the bank’s management. The quality of decisions made primarily depends on the quality of risk reports, which, in turn, depend on the effectiveness of building an integrated risk management system. As mentioned earlier, this system includes not only an organizational structure for risk assessment and monitoring but also a risk culture, as well as a well-established feedback system.
Based on management decisions, the bank builds its further development strategy. Strategic planning is paramount for the development of the bank’s activities. A well-executed strategic planning process allows banks to determine direction by setting goals and objectives used to assess progress across the bank.Planning and information exchange can also be supported by compliance with ethical standards (Nurgaliyeva, 2020).
Strategic planning also allows banks to take the initiative, better understand the opportunities and threats around the corner. Proactivity can improve differentiation compared to competitors and ensure efficient deployment of resources. Finally, the strategic plan increases operational efficiency, helps to increase market share and profitability, and makes the banking business more sustainable in the long term.
Strategic planning of the bank’s activities once again creates the need for a step-by-step process of integrated risk management from the very beginning. Setting the bank’s strategic objectives necessitates identification of existing and potential risks that the bank will have to face when carrying out new banking operations or improving old banking products.
Risk appetite, the definition of which determines the vector of further development of the bank’s activities, is of high importance in the bank’s development strategy. Thus, risk appetite and its role in banking, as well as in the integrated risk management system in particular, need deeper and detailed study.
- Rehman, Z.U., Muhammad, N., Sarwar, B., & Raz, M.A. Impact of risk management strategies on the credit risk faced by commercial banks of Balochistan // Financial Innovation, 2019. — Vol. 5, No. 1. — P. 1–13.
- Fraser J, Simkins B.J. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. — JolmWiley & Sons, Inc., Hoboken, New Jersey, 2010. — Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives– Essishial Perspectives, 2010. — 221 p.
- Alisheva D.E., Nurgaliyeva A.M. Modern approaches to the content of the concept integrated risk management system in banks // Scientific Journal “Reports of the National Academy of Sciences of the Republic of Kazakhstan”, 2019. — No. 6. — P. 73–80.
- Javalgi R. G., Armacost R. L., Hosseini J. C. Using the analytic hierarchy process for bank management: Analysis of consumer bank selection decisions //Journal of Business Research, 1989. — Vol. 19, No. 1. — P. 33–49.
- Federation of European Risk Management Associations. Risk Management Standard, 2017.
- Corporate Metrics Technical Document. Risk Metrics Group. April 1999
- https://www.msci.com/documents/10199/8af520af–3e63–44b2–8aab–fd55a989e312
- Медведев И.В. Риски в финансово–банковской сфере: классификация, методы расчета // Экономика и управление, 2009. — № 3/6 (44). — С. 85–91.
- Лисак Б.И. Интегрированный риск–менеджмент в банках. Алматы: Экономика, 2013. — 892 с.
- Волкова, О.Б. Инновационные подходы к управлению банковскими рисками // Вестник Чувашского университета. — 2011. — № 1. — С. 344–347.
- Andrew G. Integrated Risk Management: Implementation Guide https://docplayer.net/217320864-Integrated-risk- management.html.
- Alisheva D. E. External risks External risks of Kazakhstan banks// Materials of the XII International scientific and practical conference, “Fundamental and applied science 2016”, October 30 — November 7, 2016 on Economic science. Vol. l. — pp. 3–7.
- J.Bessis Risk Management in Banking, 2015. — 376 p. // Retrieved from https://www.wiley.com/en–
- us/Risk+Management+in+Banking%2C+4th+Edition–p–9781118660195.
- Piotr Kaminski, Daniel Mikkelsen, Thomas Poppensieker, Anke Raufub. Nonfinancial risk: A growing challenge for the bank, July 2016. Retrieved from https://www.mckinsey.com/business–functions/risk/our–insights/nonfinancial– risk–a–growing–challenge–for–the–bank
- Dawn Kopecki, Michael J. Moore. “JPMorgan switches risk model again after whale loss”. Bloomberg Business, April 12, 2013. Retrieved from https://www.bloomberg.com/news/articles/2013–04–12/jpmorgan–switches–risk–model– again–after–whale–loss
- Nurgaliyeva Aliya, M., Syzdykova Elmira, Z., Gumar Nazira, A., Lambekova Aigerim, N., Khishauyeva Zhanat, T. The role of management accounting techniques in determining the relationship between purchasing and supplier management: A case study of retail firms in Kazakhstan Uncertain Supply Chain Management, 2020. — Vol. 8, No. 1. — pp. 149–164. Retrieved from http://www.growingscience.com/uscm/Vol8/uscm_2019_24.pdf