1.0 Introduction

1.1 Definition of Risk

Risk is defined as an outcome of uncertainty on the intended objectives or expected results in an activity or entity's future events. Risk can be positive or negative, though there is a general trend to focus on the potential damage that is probable in a future activity or event. Risk management is considered as identification, valuation and prioritization of the risk perceived which requires coordination and application of economic resources to minimize, control the possibility of risk and monitor the impact of a fateful event in order to maximize opportunities realization. Risk may result from uncertainties in financial markets, failures in a particular project, legal liability, natural causes, accidents, others may emanate from poor management of credit as well as adversary's attack. The definition of risk in finance may be termed as different and broader in the sense that the term refers to possibility that our returns on investment may perhaps be different from the anticipated returns (Abkowitz 2008, p. 124). Thus the risk therefore comprises of both lower returns and higher returns referred to as downside risk and upside risk, consecutively both of which come under consideration when measuring risk. For example, when an investor is buying any asset, the expectation is to earn some estimated returns from the investment and in most cases the actual returns are different from the expected amount forming the source of risk in that particular investment.

It's generally argued that, risk is symmetric such that an upside risk would always create an opportunity and potential for a downside risk which is supported by the modified variance called semi-variance though the two are said to give an incomplete view of risk. To balance between the risks whose occurrence in terms of probability is higher or lower is at times difficult (Frost & Porter 2003, p. 136). It's even possible for an organization to fail to identify a 100% probable risk due to poor or lack of required capacity and ability to identify that risk, or even due to poor and ineffective procedures in operation, this introduce the idea of intangible risk management. Risk has a diverse effect in an organization in that it tends it reduces staff productivity, lowers cost effectiveness, product quality, and lowers a brand value and the quality of earnings as well as earning an organization a bad reputation.

1.2: Risk Management

There are different standard of risk management including the ISO standards, standards developed by actuarial societies as well as project management institutes. The various methods vary depending on the context of risk management i.e. whether the risk managed is in engineering perspective, health actuarial statistics, financial portfolios, industrial activities or in project management (Murphy 2008, p. 96). These risk management standards though they give a variety of estimates and decisions in risk management they are however criticized of limited measurable progress on risk. There exist a wide gap between the available theory on risk management standards and the logic structures employed in financial models due to implementation difficulties and also the interdependence of the various methods and derived models. This makes it difficult to construct a meaningful and relevant risk management framework from the various logic structures like financial structure, economic structure, operational, strategic and operation information structure. Political, intellectual difficulties in addition to conflicting goals pose considerable challenges in coming up with a corporate risk objective function. The other challenge to risk management is resource allocation; the opportunity cost of risk management, resources devoted to risk reduction and management that may otherwise be invested in alternative more profitable activities. It's noted that risk management reduces an entity's spending as well as the negative consequences of risks.

Risk management involves identification of risks, analyzing their characteristics and their threats to the entities' assets as the very first step in risk management (Bartlett et al 2001, p. 213). This is followed by assessment of critical assets vulnerability to the identified threats after when we can determine the risk as well as the expected outcome of the risks on the specific assets. The other step in risk management involves identifying the various ways of reducing the risks and prioritizing the possible risk reduction measures based on identified strategy.

2.0 Risk Management Framework

The ISO 31000:2009 identifies the following principles and generic guidelines in risk management which every project or business leader must be aware of in practice for effective risk management. This saves managers and their teams from unnecessary problems as well as preparing them from unavoidable incidences (Frenkel et al 2005, p. 147). The management of risk frame work recognizes twelve principles of risk management which are not prescriptive but rather provide a helpful guidance to organizations in the development of organization policies, processes and strategies. One of the fundamental principles is that organizations are different in context and therefore the managers involved should consider the specific organizations context so as to identify risks as well as risk management strategies appropriately. Organization context refers to the political, technological, economic as well as the social aspect, legal backdrop and organization's environment.

2.1 Integration of Risk Management

According to Alexander (2003, p. 221), common sources of risks include stakeholders of the system or project carried out, project employees, poor capital or assets monitoring operations in any financial institutions, among others. Identified threats in risk analysis are mostly integrated such that an identified risk threat may have a wide range of entities like stakeholders, customers or government regulatory/legislative bodies. For instance stakeholders withdrawal from a particular project may affect the project funding while it could also affect the projects information privacy, it's therefore good to consider the integration on risk sources. The method of risk identification chosen is normally dependent on culture, business practice and the established compliance procedures (Jobst 2007, p. 123).

The most common methods of risk identification include of objectives-based method of identifying risk whereby objectives are set and anything that endangers fulfillment of those objectives becomes a risk on itself (Chorafas 2004, p. 115). Scenarios may be created as alternative ways of the objectives achievement through analyzing the forces involved and anything that triggers undesired scenario is identified as risk. This method of risk identification is referred to as scenario-based method of risk identification. The various risks sources may be broken down based on existing knowledge of best practices and taxonomy whereby a questionnaire is compiled and by analyzing the various answers to the questions risk managers are able to identify risks. The other method of risk identification includes checking the common list of risks to a particular situation. In identifying risks threats one can start with risk threats and examine their impact on the exposed resources or can take a set of resources and examine the threats involved (Jobst 2007, p. 146).

2.2 Business Line Accountability

Management of risk framework also recognizes that, it's easy for managers and their teams to become familiar and internalized, thereby forgetting the stakeholder's role in business practice and procedures. It's crucial to identify individual stakeholder as well as management stakeholder's identity and role in risk management for successful business practices procedures. As such the stakeholders are notified of the probable risk and its impact of that risk on the stakeholders' level of investment so as to raise appropriate concerns since the stakeholders' plays a vital role in an organization through their influence to the externals of an organization. In the same way, the existence of risk is based on the organization's activities and objectives (Frenkel et al 2005, p. 124). For instance, while rain is a negative risk to a picnic activity, it's a positive risk to a drought hit farmland and at the same time a non-risk to submarine occupants. It's therefore important that a risk manager or specialist understands the organizations objectives so as to tailor-make an appropriate approach to risk management.

According to Murphy (2008, p. 117), operational procedures, policies and strategies under risk management framework covers clear guidelines and/ or templates as based on the professional experience of the risk managers or specialists depending on the organizations portfolio and management backgrounds. This means that, best practices ought to ensure that the right individuals are deployed in risk management so as to learn from others experiences, mistakes and lessons. Another importance principle in risk management is the representation and transmission of data to the relevant staff, stakeholders for a successful risk management. This is possible if the right structure and templates provided by the management of risk framework are followed in managing the content, participation and frequency in the communication of risk. Clear definition of the risk managers /specialist's roles and responsibilities is fundamental to the best practice in risk management (Hussain 2000, p. 143). These individual roles within and outside the particular entity are transparent in order to enhance accountability of the involved individuals and ensure that their responsibilities are well covered. In order to ensure that responsibilities are well undertaken, it's then important to come up with a support structure that provides guidelines, information as well as training and managing on the funds set aside for entity's/project's risk management (Bartlett et al 2001, p. 136). This may be in form of a standard approach to risk management or a centralized team of risk management that follows the organizations best practice guidelines in identifying, reporting and risk review.

2.3 Contingency planning

While risk identification plays an important first step in risk management, it's not always easy to reduce or eliminate risks in advance operational risk level involving large capital base. In such circumstances Citigroup Bank finds it fit to pre-define and quantify forewarning indicators which triggers individual alerts the responsible individuals of the risk imminent. This enhances a thorough and approach and preparedness of the risk situation. Regular review of the already identified risks enhances the establishment of early warning indicators and makes risk managers sensitive to new and unidentified risks thus enabling effectiveness of the organizations policies (Abkowitz 2008, p. 214). Every risk mitigation strategy requires a thorough consideration in order to identify barriers to the strategy's' implementation. To identify these barriers the risk managers' roles and accountability needs to be established within an appropriate budget which allows for adequate induction, training, work tools and techniques as well as regular assessment of the employed approach.

2.4 Independent review

It's also important to ensure an enabling culture that is Supportive to the responsible individuals since management of risk may underpin other aspects of the organization's activity. A supportive culture enables individuals to confidently raise discussions in the risk management thereby enhancing review of the employed approach as well as the competences of the individual deployed. Drawn from Citigroup Bank, the management appoints different individual or entity to do the re-evaluation and ensure that up-to-date policies and procedures are at work. Best practices of risk management are integral to organizations policies, processes and procedure as well as add value to the organization. They are possible to re-evaluate so as to enhance continual upgrading and enhancement.

3.0 Risk Evaluation/Assessment

Risks identified must have their potential determined in terms of severity to loss and their occurrence possibility and frequency in case of common risks. This must as well be quantified and it can be simple while in many cases it's complex. Assessment process becomes vital in make the most probable and intellect statistics which many have referred to as educated guesses, which will guide the risk specialists in implementation of the conclude plan of risk management. Risk assessment entails all those operational procedures undertaken by Citigroup Bank in either quantitatively or qualitatively (Hussain 2000, p. 118). In quantitative risk assessment the magnitude of the potential loss (L), probability of the occurrence (P) of the loss must be determined and determining the two forms a fundamental difficulty in risk assessment, this is because there is a high possibility that an error exists in the two concepts and this can be hard in a situation where one is having scarce resources and particularly time to conduct the process especially in determination of the risk impact on specific assets since one must first consider the assets value.

The methods applied in operational risk assessment differ depending on business practice whether it's in financial sector or public heath sector, among other considerations (Alexander 2003, p. 163), For instance when making financial decisions the losses mat be expressed in terms of dollars while this is not possible in public or environment sector which must depend on the country's current situation and therefore be expressed n that particular country's currency. In auditing, the auditor's assessment of risk is a vital stage in obtaining understanding of Citigroup Bank operational issues, and the perceived environment. This determines whether the auditor accepts or even declines Citigroup Bank's bid to engage in the undertaking. There are numerous risk assessment formulas but one of the most common methods applied is the product of the rate of risk occurrence and the event's impact which is expressed as:

{Risk = Rate of Occurrence of risk x event's impact}.

According to Citigroup Bank's financial research analysts it's evident that, financial benefits associated with operational risk management largely depends on the risk assessment frequency and have little dependence on the risk assessment formula employed. It's important to present risk assessment findings in financial terms and the risk analysis as based on cost-benefit analysis on assets concerned. There is an emphasis on quantitative risk assessments which critiques argue that there is an overly ignorance on qualitative assessment of risks where some non-quantifiable data may be dropped based on quantitative preference (Greuning & Sonja 2009, p. 231). For instance in auditing, there could be theoretical basis of ineffective client's internal controls which can not be quantified and such may greatly impact the auditor report. Quantitative assessment gives effective decision making is always worth to express the underlying assumptions and the employed methodologies in data collection and application (Bartlett et al 2001, p. 133).However, we should not overlook quantitative judgment but instead adopt qualitative measures in scenarios where it's impossible to quantitatively assess risk.

3.1: Potential risk treatments

After identifying and assessing risks, risk management techniques need to be embarked on. There are various risk management techniques which include of sharing whereby risks are transferred from one party to another ( e.g. through insurance while the term transfer is mistaken because insurance offers post event compensation and do not necessarily take up the loss from the policy holder. Another common technique is risk avoidance whereby an activity that is perceived to be carrying a risk is avoided so that one does not have to take the liability that comes with the particular activity. Risk reduction is also another technique which involves reduction of the negative impact of risk which means optimizing the results of a particular risk wholly or partially. Outsourcing is a common way of risk reduction if the entity's capacity to reduce risks is high (Murphy 2008, p.248). For instance, Citigroup Bank usually outsources some of production materials, software development to another company while managing other operations such that the firm is able to give more efforts to developing business with little or no worries n the manufacturing processes.

Risk retention is also a viable risk management strategy but commonly applied in small risks since in such a case its argued that the cost of insuring a risk are more than the total sustained loss. Where risk are neither avoided nor shared they are retained. This includes losses emanating from catastrophes like war which appear unmanageable or in scenarios where the chance for a large loss is small (Bartlett et al 2001, 253). Hazards prevention is also a common way of managing risks whereby if the elimination of hazard is deemed too costly or taking too long, the alternative can be risk mitigation.

4.00 Creating a risk management plan

In measuring risks its imperative to choose suitable controls or countermeasures which are possible if the Risk management techniques are being approved by the management before being applied (Hussain 2000, p. 228). For instance where a risk is touching on organization image or financial management it should have the top management view and approval on mitigation before the appropriate department can undertake necessary steps. Risk management plan should apply competent security controls in risk management and should have a well outlined schedule to control the implementation. Such a risk treatment plan should document the various decisions made on the identified risk, techniques applicable and control objectives and standards (Chorafas 2004, p. 143).

4.10 Review and evaluation of the plan

The plans chosen in risk management at its initial level are rarely perfect and as such it's the practice and experience that necessitate important changes and allow different decisions and techniques as per Citigroup Bank risk operational criterion. Risk analysis and management are updated occasionally in order to evaluate the previous control measures and their applicability and effectiveness and as well evaluate changes in the risk levels. In financial sector risk management is a combination of market risk, credit risk, interest rate risk, operational risk and risks involved on asset liability management (Abkowitz 2008, p. 143). As applied to corporate finance, risk management is the technique for measuring, monitoring and controlling the financial or operational risk on a firm's balance sheet. This is one of the areas of focus by auditors especially in an interim audit whereby the auditors are able to evaluate and review risk management techniques and plans at the initial part of the auditing work.

Improper assessment and prioritization it can lead to time wastage whereby people engage in dealing with risks that are unlikely to arise. This means diverting resources which earn profit if applied elsewhere in the entity. At the same time, if risk management processes are prioritized too much the intended project may never get started or may take too long to complete especially where a project is suspended until the operational risk management is complete (Cernauskas & Tarantino 2009, 263). It's advisable to run risk management beside the normal business practice.

5.00 Managing credit risk

The relationship accrued to Citigroup Bank's operational risk and credit related risk cannot be underestimated. While operational risk largely affects the Bank's capital/Asset framework, the constituent gap between current assets and the perceived capital value attached to these assets is bridged under effective credit as well as operational related risk management. Credit risk arises when a creditor/obligor fail to fulfill their obligation either because they are unwilling to commit to such obligation or due to impairment of his ability to perform the obligation which results to outright financial loss, thus affecting Banks ability in responding to operational contingencies (Jobst 2007, p. 214). In this case the obligor refers a party who hold either direct or indirect obligation to a particular entity or financial institutions. In most cases losses incurred by financial institutions especially banks result from customers default on loans/credit following their inability or reluctance to commit them regarding the financial institutions lending, trading and many other financial transactions.

Losses may as well result from a decline in portfolio value following an actual or apparent drop in credit quality (Chorafas 2004, 144). Credit risks in financial institutions originate from its deals with clients who may comprise of sovereign, corporate, other financial institutions and individuals. The main source of losses in most banks emanate from loans as the most obvious cause for credit risk though they as well arise from activities on and off balance sheet. Credit risk is reflected as a direct accounting loss and is usually viewed in the economic context as encompassing of expenses on various assets, opportunity and transaction costs. It can also be categorized based on the reasons for default for example if it's a general problem in a country's economy regarding the settlement of transactions. According to Frenkel et al (2005, p. 331), its imperative to realize that credit risk does not occur in isolation from other risks and that the same sources for credit risk would as well result to other risks like a liquidity problem in an institution.

5.10 Components of credit risk management

There are three main components that are used to categorize a typical framework for credit risk management which include of oversight by the board and the management, the structure organization as well as the applied procedures and systems in the identification, measurement acceptance of risks and their monitoring and control.

5.1.1 Oversight by the board and the management

This refers to the boards overall responsibility to approve the institutions strategy and applicable policies in credit risk and credit risk management which are mostly based on the overall business practice and strategy which should always be reviewed and preferably annually. The board and management have various responsibilities in credit management which include the delineation of the Citigroup Bank's overall risk tolerance concerning the credit risk. It's the role of the board and management to ensure prudent levels of the institutions credit risk exposure, which are consistent with the available capital for the institutions. The staff and the top management deployed on institutions credit management should have relevant expertise and acquaintance so that the function of risk management can be accomplished, so that they can implement the institutions fundamental principles in the facilitation of risk identification up to its monitoring and control procedures (Hoffman 2002, p. 163). The board should also be out to ensure that suitable plans and measures for the management of credit risk are put in place.

5.1.2 Credit Risk Strategy

An institutional credit strategy is determined by its risk appetite, when this is determined it can enable the board and the management to maximize institutions' returns and maintain the credit risk at predetermined level (Greuning & Sonja 2009, p. 312). The credit strategy reflects Citigroup Bank's ability to grant credit on the basis of market segment and its products as well as economic sectors, currency used and the institutions geographical location. Each segment are targeted and given the best level of credit risk diversification and concentration.

5.1.3 Pricing strategy

Citigroup Bank undertakes necessary operational procedures in assessing target market when developing their credit risk strategy. The policies and procedures applied in this arise from an in-depth knowledge of the institutions clients, clients businesses and their credentials. The policies and procedures considered in the overall Citigroup Bank credits risk management guides the staff in lending at corporate level, SME, consumer and agricultural sector. These policies should have the credit evaluation and appraisal comprehensive and formalized and also comprise of the staff at hierarchy levels, where the approval includes the relevant authority in case of any exceptions (Chorafas 2004, 268). It's the policies and procedures applicable to the institution's credit management strategy that determines the identification of credit risks, acceptance criteria, how to monitor and control those risk. Relevant procedures and administration are put in place and the roles of various units and staff are clear. For effective strategy the policies and procedures put in place are communicated and the top Citigroup Bank's management. Later the board is informed of any substantial deviation so that necessary operational risk measures are taken on time. It's the work of the senior/top managers to spearhead implementation of the chosen policies and procedures. The approach for Credit risk strategy should allow for continuity by considering the country's economic cycles which is reflected by the economy and the possible shifts in the quality and composition of the credit portfolio (Abkowitz 2008, 321.

5.2.0 Organization Structure

Whiles such a strategy need occasional review it are feasible in long term. While institutions may chose different risk management structures, its imperative that the chosen structure be commensurate with the size of the institution, its complexity and activity diversification to ensure a sound structure in risk management. Such a structure would facilitate board and management's oversight as well as allow for proper execution of the various processes involved in the credit risk management (Frost & Porter 2003, p. 334).

5.2.1 Committee for Credit Risk Management

Every financial institution should constitute a committee for credit risk management which should ideally comprise of the head of the credit risk management, the treasury and some staff from the credit department. Since credit risk is one part of various risks that an institution may be exposed to, such a committee should report to the institution's risk management committee with the authority and power to oversee the various activities undertaken by the credit risk management staff and the committee (Hussain 2000, p. 236). The committee for credit management is in position to implement the credit risk policies and procedures as proved by the set board. As drawn from the findings, Citigroup Bank's committee ensures compliance in the monitoring of the credit risk on a wide basis as approved and can also recommend clear credit risks policies regarding financial covenants, credit rating standards as well as the benchmarks. It's the work of the committee for credit risk management to decide those who are delegated to the powers for approving for credit, set limits regarding the institution's credit exposure, come up with loan review mechanisms and pricing, portfolio management as well as legal compliance through out the credit management function (Frenkel et al 2005, p. 227).

5.2.2 Loan Origination Function

There exists separate function conducting functions such as formulation of credit policy, setting credit limits, monitoring credit exceptions and reviewing documentation, as necessitated by Citigroup Bank's Oversight board. It may not be viable to establish a hierarchical structure for a small financial institution but such an institution should establish measures to compensate for this so that credit discipline is maintained through ample checks and balances as well as relevant standards that address conflicts of interest. Ideally Citigroup Bank establishes a committee in charge of credit risk management that gives a holistic approach to the management of risks that the institution is exposed to, and ensures that the risks encountered are within an established boundary as set by board or the committee. The credit department ensures that line of business practice are compliant with parameters and the established prudential limits as well as remedial measures where problems and deficiencies have been identified. The institutions portfolio should occasionally be evaluated through comprehensive study of the business environment that seeks to test the loans resilience (Frost & Porter 2003, p. 244). The loan origination function is aware of the credit risk and able to maintain standards and credit discipline at high level.

5.3.0 Applicable Systems and Procedures

5.3.1 Originating the Credit

Citigroup Banks lending committee assesses the clients risk profile before allowing for more credit to ensure that it's operating within a sound level of credit, and that the perceived growth of the existing and new credit is within the target market and the institutions lending strategy. According to Alexander (2003, p. 332), the kind of assessment conducted may involve the borrower's business/industry and the existing macro-economic factors, assessment of the intended purpose for the credit and possible source of repayment so as to determine the borrower's capacity to repay and as well the borrower's credit repayment history are considered. In credit assessment it's important to consider the terms, conditions and covenants surrounding the credit to be lent, and ensures adequate collaterals which are enforceable (Hoffman 2002, p. 203).

In case Citigroup Banks is establishing new relationship, the client's integrity, reputation as well as legal capacity is given a serious consideration before the lender can assume the liability. It advisable that the lending institution familiarize itself with the borrower before it can consider entering the relationship so as to enhance confidence that it's dealing with a sound entity as regards reputation and credit worthiness. As drawn Citigroup bank's operations, it's evident that consideration of the reputation alone of the borrower should not form the basis of lending. Under Structuring of the credit facilities the borrower's cash flow amount and time as well as financial position and intended purpose of the credit are appraised (Frost & Porter 2003, 309). In pricing the credit facility it's important to consider the trade off of risk reward such that the price has charged covers all the credit related costs, as such policies and conditions enacted should have the capacity to protect lending institution's interest.

The other relevant part for the lending institutions are ensuring that the borrower has used the credit for the intended purpose while any utilization of the funds outside the purpose that was greed on should revoke the lending institution to determine credit worthiness implications. This is especially important where the borrower is a corporate with various companies and the lending institution should classify the various entities and carry out credit assessment on them as a group. In most cases of loan syndication such assessment and analysis are conducted by a lead institution, although this is good, the participants should however conduct their own analysis independent of the lead institution (Abkowitz 2008, p. 208).

One of the key focuses in lending are on the obligor's ability to service his debt. Although the collaterals act as a buffer that provides protection against default, they should not be over relied on and the emphasis is on borrower's ability to repay the funds. The collateral documents are safely kept in a fireproof place and given dual control while physical checks are regularly conducted. Establishing the institution's credit exposure limits as regards to single and group obligors is paramount in credit risk management. As such every financial institution should develop its own exposure limit which are based on obligor's credit strength, a genuine need for funds and economic conditions as well as risk tolerance set by the institution (Chorafas 2004, p. 276). The institution should set relevant limits for the various activities and products, economic sectors and industries' as well as various geographical areas to enhance spread of risk. The credit limits set as per Citigroup Bank considerations is occasionally reviewed and especially so where the credit strength of the obligor is deteriorating and if the credit limits are amplified, the increase are validated.

5.3.2 Credit Administration

Citigroup Bank's credit risk management works effectively with an established function that primarily deals with credit administration supporting and controlling credit extension and maintenances. Such a function should have such operations such as documentation so that relevant documents like loan agreements, title transfer of collaterals and guarantees are completed and compliant with the terms and conditions approved (Cernauskas & Tarantino 2009, p. 274. The other role of Citigroup Bank's credit administration function is credit disbursement which is effected after the covenants are completed and the collateral holdings receipted and the relevant authorities are engaged in case of exceptions. It's the Citigroup Bank's administration function's role to keep track of the borrower's compliance regarding the credit terms in order to identify any irregularity, evaluate the collateral as well as monitor the repayments to ensure that it's timeliness. Such operational measures are informed of non-repayment and late repayment` and records update as necessitated by the oversight board. Maintenance of credit files should follow procedural guidelines so that information of borrowers' correspondence and financial health and loan repayment is easily accessed by those working at credit desk (Hoffman 2002, p286). This information is well organized so that it's available to internal and/ or external auditors for review (Greuning & Sonja 2009, p. 332). It may not be viable for small sized institutions to ser up credit administration function but those performing credit risk management functions should work hand in hand with top managers when originating and approving credit.

5.6.0 Measuring Credit Risk

Credit risk measurement is very important in the management of credit risk and this requires the Citigroup Bank to have an established framework of risk rating across its credit activities. The rating framework comprises of the industry characteristics and competitive position which is mostly determined by the industry's marketing and technological development. In financial risk the framework should incorporate the financial condition, capital structure, cash flow and profitability.

5.6.1 Rating Internal Risks

This is a risk rating system that classifies various credit risks based on the credit quality established under various operational procedures under credit department. This forms an important risk monitoring and controlling tool which is eminent in Citigroup Bank's branches where most losses emanate from loan defaults. Internal system of credit risk rating helps a financial institution to facilitate credit selection, the amount of credit risk exposure, pricing of the facility, and determining the required frequency in monitoring the credit among other aspects of credit facilitation (Vanden-Brink 2002, p. 298). The ratings are uniformly applied and for this to be enhanced the staff ought to be trained adequately while the external ratings, guidelines and model are the main input. The developed ratings should also be adequately tested before they are adopted and this is done when designing the ratings and over the system's life to ensure that the systems applicability to the portfolio of a particular institution.

5.7.0 Credit Risk Monitoring & Control

This refers to continual monitoring of an entity's credits and obligor's exposures that are off-balance sheet as well as the overall institution's portfolio. This are conducted on daily basis and remedial measures taken in case of deterioration as per financial instructions risk operations trends (Frost & Porter 2003, p. 287). This enables an institution to ascertain its loans servicing in accordance with the terms of a particular facility, overall evaluation of risk profile and compliance with established regulatory limits. Every financial institution should have an explicit procedural guideline that guides credit risk monitoring in relation to individuals roles and responsibilities, site visits, collaterals examination, loans deterioration and frequency of monitoring and control task (Bartlett et al 2001, p. 285). In determining loans credit quality, the obligor's financial standing health plays a major role in determining his repayment capacity.

Indicators of financial performance such as profitability, equity, liquidity and leverage are analyzed and due consideration given to the industry risk (Cernauskas & Tarantino 2009, p. 231 The position of the borrower and factors like regulatory policies, accounts are conducted in order to reveal credit quality in case of an existing borrower, so that their accounts within any Citigroup Bank, repayment history are determined. Citigroup Bank keeps on reassessing the collateral values depending on the nature of collaterals; if the loan was granted to buy shares, such a loan are frequently reviewed while a residential mortgage may occasionally be reviewed.

5.7. 1 Risk Review

Independent mechanism are established to run the process of credit risk management and every facility other than those whose management o\is on portfolio basis, be reviewed annually and frequent in cases where the obligor is not familiar. Risk review results are submitted to the management/board that can use the information to assess the process of credit administration. Such a review should come after the obligors financial standing is identified together with the impact of exceptions if any, on the borrower's credit worthiness (Jobst 2007, p. 365). According to Citigroup risk procedures, such undertakings are done on single and group basis.

5.7.2 Delegation Authority

After Citigroup Banks has established various roles and responsibilities concerning credit risk management, the overall lending structure are established so that the sanctioning authority can be delegated to the credit committee and the senior management, and every authority given to the staff are commensurate with their experience, ability, personal character and integrity. According to Frost & Porter (2003, p. 156), the lending power should depend on the borrower's risk ratings on a more effective checks and balance system. The lending authority given to the staff is occasionally reviewed and where the authority has been granted the loan originating function, measures are taken to ensure adherence.

5.8.0 Problem Credits Management

In order to identify problem loans in advance, the institution should come up with a system such that once a particular loan is recognized as a problem a remedial process is started. These are outlined in the credit risk policy. Where the institution has a substantial credit risk problems the work out function are isolated from credit origination function so that the work out function is given on relevant resources, expertise and focus to improve the collection of credit (Abkowitz 2008, p. 278). The basic elements to problem loan management include negotiation and consistent follow up. To implement the relevant remedial measures the work out function should give proactive effort in dealing with the borrower so that there is frequent follow up and up to date follow up actions which are recorded.

Section B:

1.0 Operational risk framework

Capital charge for various risks should involve various approaches in the management's effort to accommodate industrial variations in risk management and business practices. Most of the operational risk techniques as well as other risks in most institutions are still at their early development stage though they are striving to advance and this makes it difficult to measure those risks. One of the common approaches in operational risk management is that of Basic Indicator whereby the capital charged against the operational risk is linked with the gross income for the whole institution. Some banks use the standardized approach which involves use of various financial indicators; this approach is a bit complex due to the use of various indicators and business lines in determining the capital charge. Internal approach in the measurement of operational risk requires an institution to break down its activities and specialize in business lines which incorporates the individual institution's loss in determining the capital charge (Chorafas 2004, p. 145). This allows the individual institution, a bank for instance to drive its own capital charge by determining and assessing the operational loss through a supervisory assessment kind of framework which eventually help's the bank in distribution of losses, specifying its business lines and types of risks.

The specific framework to be followed by Citigroup Bank will depend on its ability to follow a given criteria as discussed later in the paper. However whichever approach that an institution chooses should be able to reduce the capital charge in each step of progression, this is because sophisticating the risk management and taking a precision in risk measurement methods should reward the management by reducing the capital required to cover the operational risk, (Hussain 2000, p. 98). The scope of the chosen framework should primarily focus on the operational risk involved in various other risks and guide the management in developing suitable techniques for measurement, monitoring and mitigation of the operational risks.

1.1.0 Definition of Operational Risk

A common definition for operational risk is any risk that involves direct or indirect loss that emanates from ineffective or inadequate internal control systems, people or external measures. This does not include risks that are strategic and induced by an institution's reputation. Its viewed that the cost incurred in fixing a given operational risk problem which may include payment to third parties as well as write downs should be included in the calculations to determine the incurred loss in the operational risk. According to Jackie (2006, p. 218), there are various other types of losses incurred which should be included in the capital charge like contingent losses, near misses and latent losses, it's therefore imperative that further analysis be done to see how such losses can be addressed. However costs incurred in enhancing the preventive measures, improving the controls, facilitating quality assurance and investing in new internal control systems should not be included.

1.1.1 Operational Risk losses

Operational risk losses refer to the financial impact related to an operational event featured in an institution's financial statements in accordance with the accounting principles (GAAP). This includes all expenses linked to an operational event but excludes opportunity costs, revenue which is foregone and costs incurred in investment programs. Operational risk losses are normally characterized by various event factors. These factors include; (i) internal and external frauds which refer to any action intended to defraud, thwart policy, law or regulations, or embezzle a property by parties in an event or even third parties. (ii) Employment practices and safety at workplace; this refer to actions which are inconsistent with health, employees safety agreements and laws. (iii) Damage to physical assets emanating from natural disasters or any other event. (IV) Business disruption and failures of internal systems. (v) Failure to execute transactions, deliver or manage business processes (Chorafas 2004, p. 143).

1.1.2 Direct vs. Indirect Losses

It proves difficult to have these distinctions in business practice due to possibility of ambiguity in categorizing the costs and losses, in most scenarios there is cases of omission and double counting and this challenges the committee or management in determining the scope of capital charge. It's therefore vital that such a committee or management seeks guidance on how to specify the various events and losses. According to Walker (2001, p. 189), this requires them to include legal risk by reviewing the business practice which can be done through a survey. Loss that is prevalent and indicated by the institution's profit and loss account gives a potential base in determining the scope of capital charge and the approaches to be given in the operational risks.

1.1.3 Expected vs. Unexpected Losses

The capital charge set aside for the operational risk should be able to cover all unexpected losses meaning from the operational risk and this is so especially in banking risks. The expected losses should be covered by the provisions. The accounting principles applicable in many countries allow provisions for only those losses or events which have already occurred and do not allow a comprehensive approach in setting such provisions especially where they are set to cover the operational risks. The general accounting standard require estimation tests be done to determine probable losses before setting the provisions or booking for any contingencies. Such provisions which are based on such accounting standards do not bear much in managing expected losses in operational risks (Chorafas 2004, p. 174). It's important that regulators design a provisions' concept that is more forward looking. In some cases contingent reserves are provided to cover for operational risks, these may include costs arising from lawsuits due to breakdown of controls. However there is other high frequency looses which have low severity for instance credit card fraud whose occurrence reduces on institutional income since there are no provisions set to cover them.

The modern practice in pricing the operational risks show a discrepancy and explicit pricing method is uncommon. It's however not clear whether pricing can sufficiently deal operational losses without reserving policies that are effective. In banking activities where there is high incidence of expected, operational risk losses deducted from their income like fraud losses emanating from credit cards, their situation is normally different since it may require the capital charges to be calibrated to expected losses or add some imprecision to the unexpected losses (Chorafas 2004, p.164 ).

The assumption in this approach is that banks can regularly deduct their losses and that their financial income is sufficient to cover all the expected losses. Against such reasoning, the capital charge can be calibrated for the operational risk losses; both the expected and unexpected losses but provisions and deduction of losses should be recognized as a capital cushion with the balances of the identified provisions and contingencies reducing on the minimum capital required at the end of the period as long as they have been disclosed. Capital concept should be forward looking and only part of the provisions or contingencies need to be recognized in reducing the required capital. Where there are prevalent annual deductions of an institution's actual operational losses, the capital charge for the specified list of banking activities may only be based on unexpected losses, (Hussain 2000). Recognizing the provisions and deduction of losses in a more feasible or desirable depends whether there is a sound degree of clarity in the approaches applied in defining the acceptability of provisions and contingencies in various countries

2.0 Key areas of operational risks

There are various areas in an institution where operational risks may emanate. These include institutional use of automated technology which transforms risks from manual errors to risks of system failure due to increased dependence on worldwide integrated systems, production of new and extremely complex products, development of e-banking business transactions and associated business applications which expose an institution to new risks. Another cause for increased operational risk is the increased acquisitions, mergers and franchises which challenge the reliability and viability of newly integrated systems as institutions emerge to be large volume providers creating the need for better internal controls as well as backup systems. The newly developed risk mitigation techniques also maximize an institutions exposure to operational risk. Another cause for the increased operational risk is the great outsourcing arrangements which mitigate some risks while increasing others (Walker 2001, p. 234).

2.1.0 Important Considerations

2.1.1 Capital requirement framework

Citigroup Bank's minimum capital requirements, business practice discipline and process of supervisory review play a vital rule in capital framework for operational risks. In determining the eligibility of a given capital assessment technique, the various requirements for risk measurement and management should be qualitatively and quantitatively determined. This requires rigorous control to limit the operational risk exposure and enhance prudent management (Jackie 2006, p. 256).

2.1.2 Supervisory Review Process

Any qualitative judgment by the supervisors should be based on adequate environment control in the bank. This way the supervisory review process remains an integral part of the capital framework. It's important for Citigroup Bank to assess the required economic capital so that they are able to sustainably support possible risks. This assessment process should be reviewed by supervisors. If the capital assessment procedure is ineffective, supervisors should review the bank's inputs and possible assumptions drawn in the internal operational risk methodologies by focusing on the bank's wide framework of capital allocation and thereby advise the bank to promptly rectify the situation (Walker 2001, p. 223).

2.1.3 Market Discipline

Market discipline helps to promote the safety and soundness of institutions especially banks and other financial institutions by reinforcing the capital regulation and supervisory efforts. One of the important roles played by market discipline is imposing strong incentives on institutions which enable them to safely conduct their business in a sound and a more efficient way. It also givens them an incentive to uphold strong capital base which cushions against probable losses that may in future arise from its exposure to risk. Disclosure of the information on management processes, operational risk control and applied regulatory techniques in capital allocation by banks help promote the market discipline. Such disclosures require to be keenly assessed since some institutions may disclose their information based on operational risk assessment and administration but such disclosures in the long term become integrated in the institution's criteria to employ internal approaches (Jackie 2006, p. 121).

2.1.4 The continuum concept

The above three methods used in determining capital charges to cover the operational risks continually increase the sophistication and sensitivity of risks. This requires detailed criteria to work as guidance to supervisors in determining whether a particular approach is qualifies to be used by the institution. Where an institution qualifies the criteria set by the supervisors it should be permitted to use the approach regardless of its previous approach. To enhance innovation it's advisable that some of the institutions business lines be given a standardized approach (Hussain 2000, p. 145).

Section C

1.0 Operational risk management Methods/Approaches: The Case of Citigroup Banks

1.1.0 Standardized Approach

This enables the institution to progress on the continuum and piecemeal basis which reinforces the new framework's evolutionary nature. Once an institution has chosen a more advanced approach, it should not retreat to its previous simpler approaches; rather it should capture relevant risks in each business line (Greuning & Sonja 2009, p. 225).

1.1.1 Constant Industry Liaison

There should be constant industrial liaison characterized by continued dialogue and work development among the risk management team of various players; firms, industry groups and organizations in their effort to incorporate their operational risks into their capital framework. This helps clarify various issues as to loss definitions and standards applied in data collection and enhance the internal control systems that support the internal control approach to operational risk management. In regard to Data, a continued industrial liaison helps to develop operational risk databases that are codified and centralized by use of consistent risk categories, loss definitions, and business lines. It also helps ensure that the operational data collected and reported is clean without which capital charge calibration would be difficult and capital allocation would not be risk sensitive. Collaboration by the various players helps develop operational risk framework that is risk sensitive (Jackie 2006, p. 219).

2.0 Approaches to Capital Assessment in Operational risk Management

There are various approaches to the assessment of capital for operational risk which have different qualifying standards; both qualitative and quantitative. A research done on banking supervision (on a small sample of banks) by the Basel Committee showed that the operational risk accounts covers up to an average of 20 % of a banks' economic capital. The committee used the figure to determine the multiplication factor for provisions and also in calibration.

2.1.0 Basic Indicator Approach

This is the most common approach where allocation of capital for operational risk is done using the gross income as a single indicator which is taken as a surrogate for an institutions exposure to operational risk. In this case the capital held by an institution for operational risk is a fixed percentage which is multiplied by the institution's gross income. This approach is simple to implement and is therefore universally applicable across financial institutions to determine the capital charge. However its responsiveness to the particular needs and characteristics of an institution is limited and while it is suitable for small institutions whose variety of business activities is simple, internal corporations' banks or those institutions whose operational risk is substantial prefer to use a more advanced approach. Capital calibration in this approach is similar to that of standardized approach. To enhance movement towards a more sophisticated approach it's advisable to set a higher percentage. The current provisional estimates are 30% which is based on a calibration for active international banks, though this figure should be cautiously treated since it's calibrated on a limited data amount and on a 20% capital proportion for operational risks. This approach is mainly used by smaller banks at domestic level while it's more appropriate to use a wider sample base.

2.1.1 Qualifying Criteria to use BI Approach

Additional standards have been se to ensure integrity of the approach chosen, data quality and appropriate control environment. Citigroup bank can use this approach, in fact the method can be applied by any financial institutions; all banks despite its complexity and there is no criteria for its application. Every institution apply this approach is however required to adhere to sound practices in operation risk control as per supervisory guidance.

2.2.0 Standardized Approach

This is a more refined approach in the assessment of capital for operational risk. The difference between this approach and that of Basic Indicator Approach is that an institution's business activities are divided into standardized business lines and business units which act as indicators and are able to reflect different risk profiles across institutions as revealed by the wide business activities. These Business line and business units reflect those built up in industrial initiative aimed at collecting the internal loss data in a steady manner. This requires businesses to be categorized appropriately to avoid distortions and arbitrage. Below is a sample of business lines and activity groups.

Business Lines vs. Activity Groups

Business Line/Unit

1st Level

2nd Level

Activity group

Investment Companies

Corporate Finance

Corporate finance

Privatizations, mergers, underwriting, acquisitions, Government debt and equity

Government/ Municipalities

Advisory services

Merchant style of banking


Fixed Income, equity, credit funding, foreign exchanges, commodities, credit,




market segmenting


Banking sector

Agency services

Corporate trusts

Depository Receipts & Securities lending


Corporate agencies

Paying agents & issuers

Retail banking

Credit card services

Credit cards to merchants/Commercial & Corporate, private labels and retail

Private banking

Private banking services; lending and deposits, trust and estates, advice on investment

Retail banking

Retail banking services; lending and deposits, trust and estates

Settlement & payments

External customers

Payments, collections and funds transfer

Commercial banking

Commercial bankers

Project finance, export finance, real estate, trade finance, leasing, guarantees, bills of exchange

The capital charge in standardized approach is across the various business lines by summing up their capital charges. One of the basic motivations of this approach is that most institutions are yet to develop a firm-wide internal loss data on the various risk types ad business lines. The other thing is that most institutions are unable to demonstrate any causal relationship that can be drawn between loss experience and indicators. Another challenge to the implementation f this approach is that most institutions are not willing to invest in internal loss data collection for the various business lines especially if such business lines are related with operational risk that is deemed to be immaterial. The approach however has helped encourage development of more advanced approaches to operational risk management.

2.2.1 Qualifying criteria for Standardized Approach

In addition to following a sound practice of operational risk control, there are some standards that should be met for an institution to be eligible to apply the standardized approach.

2.2.2 Effective risk management and control

Citigroup bank have an independent risk control function that is well designed, covering implementation and operational risk review, an audit function, effective reporting systems, intervention of board of directors and management in the risk control and a suitable system of risk management documentation. The operation risk control should have an established framework for operational risk measurement that covers key inputs and the internal audit should carry out regular reviews of the process of operational risk management

2.2.3 Measurement and validation

The reporting systems embarked on should be able to generate data required in determining the capital charge so that the results can act as guidance to management reporting. The ability to gather loss data and monitor loss events acts as a basis for measurement and management of operational risks. It's also a pre-requisite for progress to more sophisticated regulatory approaches. In order to map the current business lines and activity groups into a standardized approach, the institutions should develop a specific documented criterion. The framework should be reviewed regularly and necessary adjustments regarding change of business activities and risk types done appropriately (Chorafas 2004, p. 270).

2.2.4 Business Units Business Lines

Some of the common business lines and business units used in this approach include;

Business unit

Business line



Commercial banking

The annual average assets

Settlement and payments

Throughput for annual payments

Retail banking

Annual average assets


Trade and Sales

Gross income

Corporate finance

Gross income


Asset management

The sum of all the funds managed

Retail brokerage

Gross income

With the business lines specialized, Citigroup bank's capital charge is determined as a product of the broad financial indicator that represents for instance banks, and then all the activities involved in a given line are calibrated to a desired standard. The total capital charge is given by capital charge for the different business lines. This approach provides a basis for movement towards further sophisticated approaches which are necessary for better risk management.

2.3.0 Internal Risk Measurement Approach (IRM)

This approach provides discretion to individual institutions to use their internal loss data though the method employed in calculating the capital required is determined and uniformly set by the operational risk supervisors. In this approach the supervisors set qualitative and quantitative standards to enhance data quality, adequate internal control and integrity in the approach chosen. This gives institutions incentive to collect internal loss data in a step by step manner. This forms a critical part in the evolutionary path and enables institutions to move towards more sophisticated approach. The challenge to this approach is that most institutions do not have the enough data at industry level that can enable them to calibrate capital charge using this approach; most industries are at the level of developing relevant data that is necessary for calibrating the capital charge by use of internal risk measurement approach. Acceptability of this approach depends on supervisors' satisfaction that institutions and industries have adequate data which should be gathered for a number of years is critical in the implementation of this approach, (Greuning & Sonja 2009, p. 216).

2.3.1 Structure of Internal Measurement Approach

The operational risk capital charge is then determined by categorizing the business lines and defining the operational loss types applied across the business lines. The exposure indicator in each business line is determined by the supervisor as a proxy for the risk amount in that business line. The expected loss is determined as a product of the probability of a loss event (PE), operational risk exposure indicator (EI) and the loss given that event (LPE). The expected loss arrived at could be translated into capital charge by use of a factor (Gamma Term). To get the overall capital charge for that industry, you add all the capital charges arrived at in different business lines. To validate the supervisory review process the various institutions within a give industry should supply their expected loss components i.e. the operational risk exposure indicator, probability of loss event occurrence, and the loss attached to that event and not just the computed expected loss. These components enable the supervisors to adjust for unexpected loss by use of the Gama Term and achieve a desired standard of soundness (Philippe 2009, p. 167).

2.3.2 Key issues in Internal risk measurement method

To implement the internal risk measurement method there are key issues that require examining by the supervisors in consultation with a chosen industry. One of the key issues is that the components of the operational risk loss in the various business lines must be harmonized as a pre-requisite so that the method can be consistently be implemented. These should be defined in terms of the components of direct loss and those of indirect loss, the chosen holding period,, the captured historical losses and their observation period, judgment made of on the collected data and consolidation (Costa 2004, p, 190).

Calibrating the capital charge requires use of the industry's wide distribution which depends on the collection of data and its consolidation as well as the applied confidence limits. This gives emphasis on the need to accelerate industry's effort to collect loss data through processes that are supervisory guided. Also the used historical loss over a given observation period may not necessarily reflect the institution's risk profile particularly where the institution does not incur substantial losses in the chosen observation period. The multiplication factor (Gamma term) whose determination is based on the wide loss distribution of the industry is applied in the transformation of the expected loss into capital charge for each of the risk types. The challenge is that a particular institution's risk profile is not always the same as that of the given industry. This may be addressed by use of risk profile index (RPI) to adjust the capital charge arrived at where the risk profile index reflects the gap between an institution's risk profile and that of the industry. The deviation of the individual institution risk profile from that of industry may be examined and used in arriving at the Gamma term and this way the supervisors or risk managers may be able to determine the cost and benefits of using the risk profile index. Also, further work is required to determine if the expected loss is related to the unexpected loss, the external data could be examined to verify if a relationship exist in each risk type and business line though this may raise data and conceptual concern (Chorafas 2004, p. 321).

2.3.3 Qualifying Criteria for Internal Measurement Approach

Under the internal measurement approach the supervisors standardize all the business lines, risk exposure indicators and the risk types and the individual institutions in that industry can use their internal loss data. However this approach requires the institutions to maintain some required standards (Jackie 2006, p. 178).

2.3.4 Effective risk management and control

This method should only be used by those institutions that have fully integrated internal measurement methodology in the making of major decisions in their business and in their day -to-day business practice. This is because the institutions must use their data and the measures arrived at in risk reports, management reports, allocation of internal capital and risk analysis, (Chorafas 2004, p. 173).

2.3.5 Measurement and validation

Institutions choosing to use this method should establish an infrastructure with loss database systems to support the reporting practices in internal loss. These systems should be consistent with the operational loss scope as defined by supervisors or risk managers in that industry, as such the institutions should have knowledgeable personnel that can use the systems gather necessary data from the sub-systems and various locations so that missing data can be explicitly identified. The loss database should be used over a number of years (as set by management/supervisors) for the specific business lines. It's important that the institutions establish a sound process of identifying the events to build the loss database and the best observation period for the historical loss experience that is appropriate and represents the institution's current and future business practice. The external sources of data should be identified and reviewed regularly to test for accuracy and its applicability. The supervisors should examine data collection, validation and assess the institution's environment for operational risk control to see if it's appropriate (Costa 2004, p. 184).

2.4.0 Business lines and loss types Approach

The business lines used in standard approach can be the same. However the operational risk in the business lines could then be divided further into loss types depending on an industry's current loss events. Applying multiple loss types enables institutions to address the differing characteristics as displayed by the loss types; however the loss types should be limited to a certain amount to allow for simplicity and further work should be done to specify indicators for each loss type in each business line. It's advisable that there be continuity between the approaches and that the indicators used in the standard approach be similar with those applied in the internal measurement approach.












Investment Banking

Sales & trading

Volume of trade

Volume of trade

Volume of trade

Volume of trade

Volume of trade

Value entity's fixed assets

Corporate finance

New deals volume

New deals volume

New deals volume

New deals volume

New deals volume

Value of entity's fixed assets

2.4.1 Parameters

Exposure indicator (EI) is a proxy to the size of operational risk exposure in given business line. This indicator as prescribed by the supervisors enhances consistency and comparability across institutions of the same industry, transparency and facilitates validation of the supervisory review process. Probability of a loss event (PE) refers to the possibility that loss event will occur. It could the number of transactions or number of loss events. The Loss given event (LGE) refers to the part of transaction that is expensed as loss if the event occurs (Walker 2001, p. 156). It could be defined as average loss amount or transaction amount (Philippe 2009, p. 275).

2.4.2 Risk weight and gamma (scaling factor)

The Expected Loss (EL) is converted into capital charge using the term ã which is a constant and is called the Gamma term. The term is defined as maximum amount of loss in a given period of a particular confidence interval (Jackie 2006, p. 186). It determined and set by the managers for the various business lines or loss types.

2.4.3 Correlations

According Chorafas (2004, p. 268), it's difficult to get a correlation across various business lines and loss types and the best and simple way is to get the capital charge as a simple summation of all the business lines. The calibration of the gamma factor should be systematically reduced in the internal risk approach as compared to standardized approach in order to attain activities average portfolio.

2.5.0 Loss Distribution Approach (LDA)

This is an advanced version of the internal risk approach whereby an institution determines two estimated distribution functions for every business line; on a single event impact and another one on event's frequency over a given period of one year. By use of the two distribution functions the institution can determine the distribution function probability of its cumulative operational loss. Simple summation of the VaR (Value at Risk) for every element of the business lines gives the capital charge. This approach involves assumptions and is thus subject to supervision criteria. The method may not be applicable in capital regulatory purposes and requires much validation. Some of the loop holes in this approach are that there is no consideration of the effects of correlation across the business lines though the approach allows for increased risk sensitivity (Costa 200, p. 224).

Some of the things that differentiate the approach from the internal risk measurement are that its objective is to assess the unexpected losses directly without an assumption on the link between expected and unexpected loss. The approach does not require the Gamma factor. Use of an institution's own methodology in operational risk management gives rise to comparability problems due to the differing outcomes that different approaches give rise to (Chorafas 2004, p. 156). This approach faces a challenge of data unavailability which challenges the performance of the various estimations.

2.5.1 Qualifying criteria

For banks and other institutions to qualify to use this approach they must follow the available approaches spectrum in order to be able to effectively use the more sophisticated approach in their systems and practices. Required additional standards include quality data and a good risk control environment.

3.0.0 The ‘Floor' Concept

As institutions move from one approach to a more advanced approach, the improvement in its risk management should be reflected by a reduction in the capital charge. This is obtained from the calibrated multiplication factors which include (á,â,ã) and also through a better control environment. According to Walker (2001, p. 332), its however important to set a floor below which the capital charge should not fall as an institution moves from a standardized to n internal risk measurement method, this can be done by setting a fixed percentage as capital charge in the standardized approach while specify the level of capital charge in internal risk approach for a given period of time, alternatively the floor could be set by use of minimum levels of elements used n the calculation of the Expected Loss as guided by the industry's wide loss data and distribution function. While the former is simple, it assumes that standardized gives a more reliable risk measure than internal risk approach. The latter approach depends on the judgment made by the supervisory while t benefits in that the data used in calculating the charge feeds into setting of the floor level.

4.0.0 Outsourcing

Outsourcing has currently increased business volume and functions. This is because outsourcing reduces fixed and current expenditure and compensates for lack of resources and required expertise. According to Jackie (2006, p. 348), institutions/ businesses that outsource should establish a clean break in the activities outsourced in order top ensure that the operational risk capital is reduced. This requires policies and controls to be established in order to assess stability and quality among the service providers and ensure that the risk transfer is effective.

5.0.0 Risk Transfer and Mitigation

There are various controls and programs by which institutions can reduce their exposure to operational risk so that they are able to mitigate operational risks and manage them as demonstrated by Walker (2001, p. 216). The controls should be chosen on the basis that its risk is reducing or at least transferring the risk to a different business sector.

5.1.0 Insurance

According to Hussain (2000, p. 182), this is one of the most common risk mitigation techniques whereby an insurance policy is taken to cover an institution exposure to operational risk. Some of the insurance products used by businesses include the professional liability insurance and the blanket bonds. The insurance helps institutions to externalize risks of frauds and physical loss of securities and particularly those losses that though their frequency maybe low, they have high severity losses (like processing losses). However an institution should not relieve itself the ultimate responsibility of operational risk management by overreliance on outside providers but should be able to monitor the providers' financial and operational performance. While Insurance offers a simple ad fast way of mitigating and managing risk, it sometimes may prove a shift for an operational risk to another form of risk where the insurance company's liquidity is questionable amongst other insurance issues like loss adjustment and avoid-ability. Some scenarios may face a limit in insurance product range that a particular institution may want; it's also unclear whether the insurance payouts should be included in the internal loss data.

6.0.0 Recent Industry Developments

According research done by the Risk Management Group of the Basel Committee, the quantification of internal loss data is yet to develop to favorable levels tough most institutions are embracing the need to manage their operational risks (Chorafas 2004, p. 331). The survey showed that the allocation of economic capital for operational risks range between 15-25% for most financial institutions, where Citigroup Bank was sampled. In most banks tracing the risk indicators is hard and most do not track even a single indicator and even where these indicators are tracked their use in risk management is unclear. Some of the common financial indicators for various business lines include:

6.1.0 Business Line Indicators (BLIs)

Business Line

Financial indicator

Retail banking

Annual average assets

Corporate Finance

Gross income

Retail brokerage

Gross income

Commercial banking

Annual average assets

Trading and sales

Gross income

Settlement & payments

Annual settlement throughput

Assets management

Funds under management

The other challenge revealed by the survey in operational risk management is that, more often than not Citigroup Bank do not carry out correlation tests for the identified indicators and the actual losses though this was not conclusive and one of the impediments in internal risk measurement is lack of data and other institutions are at the infant stage of trying to define operational risk and carry out data collection. The survey showed that few institutions can afford to use the internal methodology in regulating their capital allocation (Costa 2004, p. 178).

Development of rigorous standard approach that approves internal approaches to operational risk management is imperative in the effort to develop internal approaches that are viable. Few institutions include legal risks in their operational risks and most institutions have different views on the reflection of indirect losses as reputational losses.

7.0.0 Value at Risk (VaR)

Value at Risk (i.e.VaR) involves a risk measure linked to the risk loss particularly within financial assets portfolio. Normally this term is extensively used in the context of financial risk management or financial mathematics. When given a particular time horizon, probability or portfolio, VaR can be defined as the threshold value. For this to happen, there must be possibilities of mark to market losses within a given time limit exceeding the threshold value. Normally, this occurrence is taken to be the level of probability given. Nevertheless, an assumption must be made that no trading or normal market operations are occurring.

For instance, if a set of stocks has 5% VaR of 1million dollars within one day, there will be some possibility that the stocks portfolio will decline in value by 1million dollars and above within a period of one day. However, this will be possible in assumption of lack of trading or normal market operations are in progress. Moreover a 1million dollar or more loss in the stocks portfolio is anticipated over one day. Consequently, losses exceeding VaR threshold is known to be VaR break.

VaR is widely used by Citigroup banks in measurement of the worst expected losses under the normal market conditions within a specified time intervals and confidence level. Generally, VaR answers the question of the quantity of losses given a percentage probability and over predetermined horizon. Similarly, VaR is the lowest quantile of probable losses which can occur in a given portfolio and a specified period. Major parameters used in VaR risk measurement include time period T and level of confidence called the quantile, q. However, time limits can differ from few hours within an active trading desk to even a year for pension fund. Normally, when the major goal of VaR is satisfaction of external regulatory requirement like within the banking institution in when evaluating their capital requirements, quantile is on average very tiny (Walker 2001, p. 216). For example it can even be 1% of the worst outcomes. Nevertheless, for internally used risk management model within a company operation, to manage the risk exposure the characteristic number is about 5%.

7.1.0 VaR History

Generally, concerns of operational risk management by regulators or financial executives have been in existence for a long period of time. Nevertheless, some concepts of VaR have been found in the retrospective analysis of such financial risk management. VaR emerged as a distinct concept in 1980s. The emergence of VaR was triggered by stock market crash in the year 1987. In this year, major initial financial crisis occurred and most academically trained experts were found to hold executive positions to facilitate extended survival of firms. However, the academic quant realized that there were recurring crises, approximately one or two in a decade.

As a result, many assumptions embedded in the statistical models which were being used fro investment management, trading or derivative pricing were overwhelmed. For this reason, many markets were adversely affected including those that could not be easily economically discerned. When such occurrences were included within the quantitive analysis, they took dominance of the results thereby leading to implementation of strategies which never worked. Exclusion of such events normally resulted to lower profitability levels compared to losses suffered during such crisis. As a result, institutions were at high risk of failing in their daily operations (Jackie 2006, p. 186).

Due to such uncontrollable risks, VaR was developed to act a systematic breakthrough to segregate excessive events. This was to be done through qualitatively studying the history over a long-term plus large market events right from daily market price movements. Price quantitive study was to be undertaken by use of short term data within specified markets. Nevertheless, abnormal markets and trading were excluded from VaR estimations so as to make VaR estimates observable. Consequently, this was later referred to as the risk management VaR Afterwards, risk measurement VaR was developed which was observed to be very extensive. VaR was thereby exposed beyond the relative small collection of quant.

7.1.1 Uses of VaR in Finance

To begin with, VaR is widely used in the management of risks within business operations. Secondly, organizations or financial institutions apply VaR in their measurements of risks to enable them determine the extents of risks within their daily operations. Thirdly, VaR is also applied in controlling finances and while making financial reports. Lastly, at times VaR can also be used within non-financial applications. In non-financial applications, VaR can be employed while back testing, economic capital, determination of expected shortfall and stress testing.

7.1.2 Reasons for VaR assumptions

Generally, when accounting for VaR, the mostly applied parameters include 1% or 5% probabilities. Similarly, the determination of VaR requires a time horizon of one day or two weeks. However, other combinations can also be applied. Assumptions such as no trading, normal markets or restriction of losses to measurements within daily accounts are applied to enable losses to be observable. Moreover, some extreme circumstances make it determination of losses impossible especially where market prices are not available or where institutions that bears losses breaks up.

Long term disaster impacts such as losing market confidence, lawsuits, employee morale decline or brand names impairment can be difficult to be phased out. Similarly, at such circumstances it may be difficult to make specific decisions in advance. However, VaR plays a great role in setting boundaries between extreme events and normal days. Institutions may therefore make losses above VaR amount but the losses will not be too frequent. Normally, although VaR often represents losses, conventionally VaR is reported as a positive value. However, negative VaR always imply high possibilities of profitability by the portfolio.

7.1.3 Varieties of VaR

Generally there are two major types of VaR, whereby one of them is used in risk management while the other is employed in risk management. Majorly, the two types are applied while controlling finances, making financial reports or when computing regulatory capital , under the case of Citigroup Bank. In risk management, VaR is applied as a system which is run periodically. The periods are usually made on daily basis whereby the published value is compared to price movement already computed, within the time limit given. Published VaR does not subsequently go through any adjustments (Chorafas 2004, p. 275).

In addition, no differences occur between breaks within VaR as a result of input errors, computation errors and market movements. Such input errors may include fraud, rogue trading or breakdowns from information technology while computation errors may include failure of timely VaR production. While accounting for risk management, frequents claim is normally made such that the VaR breaks frequency in the long term will be equalized to the specified probability. However, this must be done within the sampling error limits, independent VaR breaks and independency of VaR level. Risk management VaR is perfect for making tactical and short-term decisions in the present.

On the other hand, in risk measurement VaR is represented as a number not a system. In risk measurement, Bayesian probability claim is prepared, such that given beliefs of that particular time and the information given, subjective probability of the VaR break will be the specified level. Moreover, VaR adjustments are normally done after the fact in correcting inputs and computation errors is found, but unavailable information during such computation will not be incorporated. Risk measurement VaR is efficient in understanding the past while making medium term or strategic decisions for future.

7.1.4 VAR in Governance

VaR is widely applied in governance normally for endowments, pension plans or trusts. Fundamentally, trustees implement a selection of metrics for value-at-risk fro the whole pooled account plus the diversified parts which are individually managed. Alternatively to probability estimates, trustees simply characterize maximum levels of losses which are acceptable for each individual. As a result, the trustees get a simple metric for oversight and also there is an additional accountability level for managers. Managers are directed to manage although with further constraint to shun losses within an identified risk parameter (Walker 2001, p. 221). Application of VaR in governance gives additional relevance and also makes it less complicated in monitoring control for risk measurement. Similarly, the VaR application in this manner makes it more insightful as compared to Return Standard Deviation

7.2.0 Risk metric and risk measure

VaR is mainly used both for risk metric and risk measure. VaR risk measure identifies risk as a loss of mark-to-market within affixed portfolio and over a fixed time period while assuming normal markets. Moreover, in finance risk measures have many alternatives. In place of mark-to market which normally uses market prices in definition of loss, loss is frequently characterized as changes in the fundamental value. For instance, if a particular institution held a loan with a declining trend in market price due to increases in rates of interest, while no cash flow changes are observed, some systems will not recognize any loss.

Alternatively, instead of assuming a fixed amount of portfolio within a specified time horizon, several risk measures will incorporate the impacts of expected trading (Hussain 2000, p. 241). At the same time, the risk measures will put into considerations the expected holding duration of positions. Additionally, various risk measures will adjust to the possible impacts of abnormal market operations instead of completely excluding such impacts from the computations. VaR risk metric gives a summary of possible losses distribution by use of quantile which is point that has specified possibilities of greater losses. Other alternative metrics that can be applied in place of VaR include downside risk, standard deviation, expected shortfall or absolute deviation.

7.2.1 VaR risk management

VaR use in risk management is essential in systems improvement and modeling the forces of systems within an institution. VaR structured methodology helps to critically thin about risks. For this reason, institutions are able to confront their financial risks exposure thereby being able to propagate proper and efficient risk management procedures. Publishing VaR numbers of daily, on timely basis and within particular statistical properties gives the entire organization a highly rated objective standard. While employing VaR, incorrect reported, modeled or priced positions stand out effectively. Similarly, inaccurate data, untimely data or systems which are frequently down are brought to the light. In addition, every impact on profits or losses wrongly represented in other reports will also show up in inflated VaR or in excessive VaR breaks. Consequently, risk-taking institutions which do not compute VaR may evade disaster but institutions which cannot make VaR computations will not escape disasters.

Secondly, VaR is necessary in separating risks into two different regimes. Apparently within the VaR boundaries conventional statistical methodologies are presented very reliable. Moderately, short term or specific data can be employed in the analysis of the institutional risk management (Jackie 2006, p. 211). Moreover, probability estimations are essential since they provide satisfactory data useful in testing the estimates. Practically, an institution will have no real risk since summation of various independent observations which can predict the outcomes are available. Consequently, risk managers support productive risk taking within this regime since only a slight real cost is encountered. Nevertheless, outside VaR limit risk should be analyzed based on the stress testing in broad market data and in the long-term. Apparently, risk mangers should focus on ensuring good plans are built to minimize possible losses or to survive any already encountered losses.

7.2.2 VaR risk measurements

VaR is popular in its abilities to aggregate risks across the entire institution. Individual business units normally have risk measures which may include duration for specified income portfolio or use within an equity business. Generally, its hard to aggregate available results are varied time periods such as positions which have been marked at diverse time zones or trading at very high frequency while the business holds relatively illiquid positions. However, since each business contributes towards profits and losses in an addictive style. Similarly, various financial enterprises mark to market on daily basis. For this reason, ordinary to identify firm-wide risk by use of possible losses distribution within fixed positions in the future. VaR in risk measurement is normally reported along with other risk metrics. Moreover, VaR never depends on any assumption related to distribution probability of gains or losses in the future.

7.2.3 VaR Criticism

Since 1994, VaR has been presented as a controversial aspect whereby the major critical contentions. First, one of the major contentions claimed that VaR was ignorant of the 2500years experience so as to favor the untested models which were developed by non-traders. Secondly, VaR was represented to be full of charlatanism due to its claims on estimating risks related to rare events which practically was impossible. Thirdly, VaR was contentious because it provided false evidence. Additionally, VaR was observed to be exploited by business traders and this was also taken to be controversial. VaR was also charged with leading to extreme risk taking and financial institutions leverage. At the same time, VaR mainly focused on manageable risks adjacent to distribution center while ignoring the tails. Moreover, VaR was observed to be potentially catastrophic particularly when its application created counterfeit security implications among watchdogs and senior executives.

In addition, among the academics, the main complaint has been the fact that VaR is never sub addictive. Sub addictive means that taking a VaR of a collective portfolio could be larger as compared to the VaRs sum of portfolio components. For instance, a typical branch of a bank in USA is robbed approximately once every year. One branch of a bank has got approximately 0.004% possibility of being robbed in a particular day. Therefore, the robbery risk would not at any chance figure into a single day 1% Va. VaR in this case would mean the extents to which the institution should not worry about the risk occurrence. The institution should however take an initiative to insure their institution against such risks while at the same time obtaining advice from various insurers on precautions to be undertaken. Consequently, insurances aggregate risks which are beyond the ability of individual VaR limits. While doing such aggregations, the risks are brought into sufficient portfolio so as to acquire statistical predictability

Normally, as an institutions launches gets extra branches, the robbery risks within particular day rises within the magnitude order of VaR Consequently, at such points, there is a necessity for an institution to undertake internal stress tests along with analyzing the individual risk anticipated. As a result, the institution will minimize on the insurance and internal security expertise costs. However, for very huge banking institutions, robberies are more frequent. Losses as result of such occurrences are partly VaR computations and can be tracked statistically instead of tracking case by case. A substantial internal security department is responsible for prevention or control while the overall risk manager does the loss tracking jus as any other business cost. Similarly, as an institution enlarges, particular risks transform from low probability or predictability to losses that can be statically predictable within an individual impact.

7.2.4 VaR Abuse

Individuals who support the use of VaR have revealed that VaR has been abused for a lengthy period. To begin with, VaR has been presented as the worst case of loss or maximum tolerable loss while in fact 2 or 3 annual losses exceeding daily 1% VaR are expected. Secondly, VaR has been made to be the main control whereby the VaR reduction has been the main focus of the risk management. Nevertheless, risk managers must know that its more necessary to care about the repercussions of losses exceeding VaR Similarly, an assumption has been made that reasonable losses will be few than the multiple of VaR.

However, VaR point will entirely reveal that losses can be extremely huge such that they can be indefinable once the level goes beyond the VaR point. Moreover, according to risk managers, VaR will refer to losses level where guesses on future predictions are shun and preparations for any risks are undertaken. Another abuse to VaR is the VaR reporting before passing the back test. Consequently, without regarding ways of computing the VaR, the computation must have produced the breaks number correctly in the past. However, this computation procedure has been violated whereby VaR has been reported on the basis of unverified assumption whereby multivariate normal distribution is entirely followed.

7.2.5 Techniques of computing VaR

There are various methods that are paramount in the calculation of VaR whose efficiency differs from one formula to another. To begin with, historical formulation method has been found useful when the quantity of data is relatively small. Similarly, the method is useful where sufficient information of profit and loss distribution is not available (Vanden-Brink 2002, p. 196). The method is very effective in capturing all the current market crashes which is a very important feature in risk measurements. However, the method consumes too much time. Historical simulation is faced by one major challenge in distinguishing between additive and multiplicative market variables types. However, an assumption is made during the computations that all the changes are additive to simplify the scheme.

Secondly, variance covariance method is said to be the fastest while computing VaR Nevertheless, the method heavily relies on various assumptions related to market data distribution or portfolio linear approximation. Probably, this can be referred to be the best technique fro faster VaR estimations. However, when applying this method in non-linear portfolio, caution should be highly taken especially in circumstances where there is high convexity in bonds or options (Walker 2001, p. 193).

Thirdly, Monte Carlo method of simulation is known to very slow although it's probably the most dominant technique. Monte Carlo is a very flexible method allowing even for incorporation of historical observations with private information. To speed up calculations, variance reduction techniques should be employed. When using Monte Carlo approach, the assumption applied states that some information concerning market changes joint distribution are available. With such distribution, a huge number of scenarios plus price portfolio for every scenario are drawn randomly. A wealthy scenarios set will provide a good final value distribution approximation. Within this distribution, the lowest quartile is taken to be the VaR approximation. According to Frenkel et al (2005, p. 197), the method is flexible since it can allow on various dynamic improvements such that a small simulation set can be run repeatedly with subsequent additional of simulations where necessary. Nevertheless, the three methods are observed to have similar results in demonstrating risk measurements.

Section D

8.0.0 Recommendations

Citigroup bank's operational risk framework should include a self-regulating firm-wide function for operational risk management, management oversight for its business lines, and an independent function for testing and verifying. The framework must be founded on a proper regulatory definition of the operational risk as its baseline. The banks board of directors should oversee the operational risk framework and monitor the major changes in the framework; this requires well established management accountability on clearly stipulated roles in order to ensure that the resources allocated for operational risk management are well utilized (Hussain 2000, p. 176). The independent function for operational risk management should take the responsibility of overseeing the bank's operational risk framework in order to ensure that the chosen policies, procedures and processes in operational risk management are well adhered to and applied consistently through out the bank's departments. These policies must describe the main elements in the operational risk framework. The management function should also ensure timely reporting of any exposure to operational risks in the business lines and units, and loss data to the senior management and the board of directors. The business line management should take the role of ensuring consistent internal controls and application of the firm-wide policies in support to the senior management's effort to control and mange operational risks.

Citigroup bank should ensure that its internal controls exceed what is provided by agencies on minimum regulatory standards, this should be demonstrated by the bank's ability to maintain it's internal events data, gather external data that is relevant to the management of its operational risks, proper and timely assessment of its business environment as well as appropriate scenario analysis (Jackie 2006, P. 267). This would guide the bank in its choice for appropriate risk measurement approach that is best for its business model, in choosing the approach one of the key issues for Citigroup bank to consider is the assumptions behind the chosen approach.

According to (Greuning & Sonja 2009, p. 219), it's advisable that an institution has loss data for its operation risks for at least five years period, the data should cut across all the institutions business lines, geographical locations product types and events The management must also review the external data for banking industry so that they can understand the industry's experience.The bank's capital allocation for operational risk should be total loss expected and unexpected unless the bank can demonstrate the offset of the expected loss which should be consistent.

9.0.0 Conclusion

Most banks do not have operational risk policies and processes that allow their operational risk treatment across the various business lines to be consistent. Internal loss data is currently a major shortcoming for most banks including the Citigroup bank, and its therefore advisable that the bank embark on a less sophisticated approach in operational risk management as its seek to move to a more advanced approach. Most institutions do not document the ground for the chosen approach underpinning assumptions, assumptions behind the choice of inputs, distributions and the weighted quantitative and qualitative elements. According to (Jackie 2006), the management ought to document all those assumptions and show how the chosen approach account for dependence in terms of correlations across the business lines operational losses. Its advisable that Citigroup bank hold more than the industry's capital charge for operational risks which is currently 20%, in fact it advisable to hold at least twice the industry's average though some banks are believe to have their charges below that average.

As discussed through the various approaches, an institutions ability to meet the given standards determines its required capital framework to cover operational risk. It's advisable that Citigroup follows the approaches spectrum, moving from one approach to another as it demonstrates its precision in management, measurement and operational risk control, to the risk supervisors. Movement along the spectrum reduces capital framework. The banks should ensure that it has sufficient capital to cover all business risks so that they can develop better operational risk management techniques which can control, monitor and manage their risks. It's advisable that Citigroup bank develops an assessment process for their internal capital, and perhaps set capital targets that are proportionate with their risk profile and risk control environment.

Source: Essay UK - http://turkiyegoz.com/free-essays/finance/outcome-of-uncertainty.php

Not what you're looking for?


About this resource

This Finance essay was submitted to us by a student in order to help you with your studies.


No ratings yet!

  • Order a custom essay
  • Download this page
  • Print this page
  • Search again

Word count:

This page has approximately words.



If you use part of this page in your own work, you need to provide a citation, as follows:

Essay UK, Outcome of uncertainty. Available from: <http://turkiyegoz.com/free-essays/finance/outcome-of-uncertainty.php> [19-12-18].

More information:

If you are the original author of this content and no longer wish to have it published on our website then please click on the link below to request removal:

Essay and dissertation help


La Confrerie | Betternet VPN for Windows Premium v4 1 0 | Unit 9 Compromise and Secession