Categories of risk used by regulatory agencies for ascertaining the effectiveness of the bank’s identification, measurement, monitoring and controlling of risk across all products, services and activities.
Compliance (Legal) Risk:
Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential and lack of contract enforceability.
Credit Risk:
Credit risk is the current and prospective risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer or borrower performance. It arises any time bank funds are extended, committed, invested or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet.
Foreign Exchange Risk:
Foreign Exchange risk is the current and prospective risk to capital or earnings arising from the conversion of a bank’s financial statements from one currency to another. It refers to the variability in accounting values for a bank’s equity accounts that results from variations in exchange rates which are used in translating carrying values and income streams in foreign currencies to U.S. dollars.
Liquidity Risk:
Liquidity risk is the current and prospective risk to earnings or capital arising from a bank’s inability to meet its obligations when they come due without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources. Liquidity risk also arises from the failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimal loss in value. Market Risk and Interest Rate Risk are factors in liquidity risk.
Market (Price) Risk:
Market risk is the current and prospective risk to earnings and capital arising from adverse movements in market rates or prices such as interest rates, foreign exchange rates or equity prices. Repricing risk, basis risk, yield curve risk and options are the types of risk to be considered. Interest Rate Risk considerations should include the effect of a change in interest rates on both the bank’s accrual earnings and the market value of portfolio equity.
Operational Risk:
Operational risk is the current and prospective risk to earnings and capital arising from poor customer service, processing errors and the inability to efficiently deliver products or services due to weaknesses in systems, processes or people. Additionally, policies and procedures and forms that are absent, out-of-date, poorly drafted, overlooked or not used can lead to operational exposure.
Reputation Risk:
Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the institution to litigation, financial loss or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with customers and the community.
Strategic Risk:
Strategic risk is the current and prospective impact on earnings or capital arising from poor business decisions, improper implementation of decisions, weak corporate governance or lack of responsiveness to industry changes. This risk is a function of the compatibility of an institution’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals and the effectiveness of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks and managerial capacities and capabilities and a strong “Tone at the Top” attitude.
Transactional Risk:
Transactional risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Risk is inherent in efforts to gain strategic advantage, and in the failure to keep pace with changes in the financial services marketplace. Transaction risk is evident in each product and service offered. Transaction risk encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.
Technology Risk:
Technology risk is the current and prospective risk to earnings and capital arising from the failure to identify, measure, control and monitor technological activities. The institution should: 1) plan for use of technology; 2) assess the risk associated with technology; 3) decide how to implement the technology; and, 4) establish a process to measure and monitor the risk that is taken on. The risk identification and management process for technology-related risks is not complete without consideration of the overall IT environment in which the technology resides. Management may need to consider risks associated with IT environments from two different perspectives: 1) if the IT function is decentralized, and business units manage the risk, then management should coordinate risk management efforts through common organization-wide expectations; and, 2) if the IT department is a centralized function that supports business lines across shared infrastructure, management should centralize their IT risk management efforts.
Vendor Risk:
Vendor risk is the current and prospective risk to earnings and capital arising from the bank’s use of third parties to achieve its strategic goals when that party performs functions on the bank’s behalf; when it provides products and services that the bank does not originate; and, when it “franchises” the bank’s attributes by lending its name or regulated entity status to products and services originated by others or activities predominantly conducted by others. Third-party relationships should be subject to the same risk management, security, privacy and other consumer protection policies that would be expected if the bank were conducting the activities directly.