
Risk Management


Uploaded by Sagar Chav

What are the Risks?
• Risk is an inherent part of the work done by banks.
• Other than the obvious risks, such as financial risk, the
banking domain is subject to a host of other risks.

There are various types of risks


• Financial Risks –
o Financial risk is an inherent part of investment and
applies to businesses, governments, individuals, and even
financial markets.
o It represents the chance that the parties involved
(shareholders, investors, or other financial stakeholders)
will lose money.

• Reputational Risk –
o Banks run largely on trust: from regulators, the market, and their
customers.
o This trust is mainly built up over time and becomes a part of
the bank's reputation.
o Any action or inaction that is not handled appropriately, however
small, exposes the bank to reputational risk.

• Credit Risk
o The chance that a borrower won't repay their loan
is called credit risk.
o Banks check and monitor borrowers' ability to
repay to manage this risk.
o To reduce risk, banks use collateral and set credit
limits for borrowers.

• Regulatory Exposure -
o CASS, GDP, GDPR: banks have to abide by several regulations
set by the country they are in as well as the countries they provide
services to.
o These regulations differ by region, nature of business,
product, and so on. Whenever a bank does not report, or does not
report on time, on certain regulatory requirements, or does not meet the
regulatory standard for a type of transaction (such as CASS
rules), it is at regulatory risk.
o This can lead to substantial fines and/or losing the license to
operate out of the country/region.

• Operational risk -
o Summarizes the chances and uncertainties a
company faces in the course of conducting its
daily business activities, procedures, and systems.
o Operational risk is heavily dependent on the
human factor: mistakes or failures due to actions
or decisions made by a company's employees.

Common Operational Risks -


• Typo errors - Typing an incorrect number, for example
10,000 instead of a lakh; the buy-back can cost the bank.
• Mailing error - Mailing someone else instead of the
client.
• Regulatory impacts - Regulatory impact analysis
(RIA) is a systemic approach to assessing the
positive and negative effects of proposed and
existing regulations and non-regulatory alternatives.
As employed in OECD countries it encompasses a
range of methods.
• Privacy risk/ breach - A privacy breach could increase your risk of identity theft. That's when
someone uses your personal information — like your Social Security number or bank account
information — to commit crimes in your name.
• Procedural error - Procedural error in risk management of investment banking operations refers
to situations where there is a misinterpretation or confusion about the established procedures and
policies related to managing risks within an investment bank. This can occur when there are
inconsistencies or gaps in the communication or implementation of risk management policies and
procedures. It can also occur when there is a lack of clarity around the roles and responsibilities
of different individuals or departments within the bank regarding risk management. Such
misunderstandings can lead to inadequate or ineffective risk management, which can result in
financial losses, reputational damage, and regulatory sanctions for the investment bank.

• Cyber Risk & Role of Technology -
o Cyber risk is the potential exposure to loss or harm stemming
from an organization’s information or communications
systems.
o Cyber-attacks and data breaches are two frequently reported
examples of cyber risk. However, cybersecurity risk extends
beyond damage and destruction of data or monetary loss and
encompasses theft of intellectual property, productivity losses,
and reputational harm.

• Data Privacy –
o Data privacy is the protection of personal data from those
who should not have access to it and the ability of
individuals to determine who can access their personal
information.
o Client data (e.g. an Aadhaar card) is used only for official
purposes.
o Data related to the office (e.g. an Excel file)
o Impact of Data Privacy -
▪ JPMorgan was hit with $200 million in fines for
letting employees use WhatsApp to evade regulators'
reach.
▪ The SEC announced Friday that JPMorgan
Securities admitted to bookkeeping failures and
agreed to pay $125 million to settle the charges.

• Phishing –
o Phishing is a method of cyberattack that attempts to trick
victims into clicking on fraudulent links in emails. The
link typically takes the victim to a seemingly legitimate
form that asks them to type in their usernames,
passwords, account numbers, or other private
information. This information is then sent directly to
scammers, and the victim may be none the wiser.
o For example, an email may state that your bank account
has been locked and request that you click a link to regain
access. In truth, that link will lead to a fraudulent form
that simply collects your information, such as your online
banking username and password. The scammers can then
log in to your account and steal your money.

• Smishing -
o Smishing is a kind of fraud similar to phishing, except that it
comes in the form of a text message. A smishing text will often
contain a fraudulent link that takes victims to a form that's used
to steal their information. The link may also download malware
such as viruses, ransomware, spyware, or adware onto the
victim's device.
o These smishing text messages may appear to be urgent requests
sent from a bank or parcel delivery service, for example.

• Vishing -
o Fraudulent calls or voicemails fall under the category of "vishing."
Scammers call potential victims, often using pre-recorded robocalls,
pretending to be a legitimate company to solicit personal information from
a victim.
o Perhaps you get a call about your car's extended warranty. If you answer
this call and get connected to an alleged agent, you may be asked to
provide information such as:
▪ First and last name
▪ Address
▪ Driver's license number
▪ Social Security number
▪ Credit card information
o Some scammers may also record your voice and ask a question you're
likely to answer with "Yes." They can then use this recording to pretend to
be you on the phone to authorize charges or access your financial accounts.

• Spear Phishing -
o It is a potent variant of phishing, a malicious
tactic that uses emails, social media, instant
messaging, and other platforms to get users to
divulge personal information or perform actions
that cause network compromise, data loss, or
financial loss. While phishing tactics may rely
on shotgun methods that deliver mass emails to
random individuals, spear phishing focuses on
specific targets and involves prior research.
o A typical spear phishing attack includes an email
and attachment. The email includes information
specific to the target, including the target's name
and rank within the company. This social
engineering tactic boosts the chances that the
victim will carry out all the actions necessary for
infection, including opening the email and
the included attachment.

• Social Engineering -
o Social engineering is a manipulation technique
that exploits human error to gain private
information, access, or valuables. In cybercrime,
these “human hacking” scams tend to lure
unsuspecting users into exposing data, spreading
malware infections, or giving access to restricted
systems.
o Example - Social engineering attacks are a type
of cybercrime wherein the attacker fools the target
through impersonation. They might pretend to be
your boss, your supplier, someone from our IT
team, or your delivery company. Regardless of
who they're impersonating, their motivation is
always the same — extracting money or data.

How to manage Operational risks?
• At an Individual Level:
Manage risks by -
o Following policies & procedures
o Segregating duties
o Automating
o Knowledge sharing
o Performing Risk cause analysis of issues
o Upskilling on domain knowledge
o Being Attentive & alert
