Credit risk refers to the probability of loss due to a borrower’s failure to make

payments on any type of debt. Credit risk management is the practice of mitigating
losses by assessing borrowers’ credit risk – including payment behavior and
affordability. This process has been a longstanding challenge for financial
institutions.
Continued global economic crises, ongoing digitalization, recent developments in
technology and the increased use of artificial intelligence in banking have kept credit
risk management in the spotlight. As a result, regulators continue to demand
transparency and other improved capabilities in this space. They want to know that
banks have a thorough knowledge of customers and their associated credit risk.

Challenges to successful credit risk management

 Inefficient data management. An inability to access the right data when it’s needed
causes problematic delays.
 No groupwide risk modelling framework. Without it, banks can’t generate complex,
meaningful risk measures and get a big picture of groupwide risk.
 Constant rework. Analysts can’t change model parameters easily, which results in too
much duplication of effort and negatively affects a bank’s efficiency ratio.
 Insufficient risk tools. Without a robust risk solution, banks can’t identify portfolio
concentrations or re-grade portfolios often enough to effectively manage risk.

Best Practices for Credit Risk Management

1. Evaluate data sources

Credit risk models produce data that is backed by accuracy and logic. However, new sources
of data that are always rapidly emerging. Always lookout for data that is relevant to improve
decision-making.
2. Keep a tab on your risk analysis model
While models are dependent on current data sets, they’re accompanied by changing
contexts. This is why traditional credit scorecard models will soon be outdated. ML-based
models are used to operate based on predictions. However, to prevent model degradation,
model monitoring tools are often used to identify issues in the Machine Learning (ML)
model.

3. Credit risk monitoring in real-time

It’s key for banks to monitor borrower profiles periodically. For instance, if a borrower makes
timely payments, his credit limit can be increased. Whereas payment terms may have to be
restructured for borrowers who often indulge in late payments. The more recent your data,
the better your credit-related decisions.
4. Outline a credit risk policy
Set policies help avoid cases of bad debt and financial risk. These policies also help define
processes internally such as scope of responsibilities for every team, terms of sale, debt
collection process, and payment terms externally.
What is the credit risk management process?
When a borrower applies for a loan, the lender must evaluate their reliability to make future
monthly payments. Beyond requests for information on a borrower’s current financial
situation and income, many lenders will also want to see their borrowing and payment
history.
Inc. Magazine described this as a borrower’s creditworthiness. It’s a deep look at past
behaviours and current debts to determine how likely a borrower is to maintain a new loan.
In addition to this personal information, lenders will consider the size of the requested loan
and the commitment length.
Combined, these factors paint a picture of the borrower that helps lenders understand the
risk level of a loan. While this has long been the traditional credit risk management process,
it fails to acknowledge additional internal and external factors that could affect the risk of a
loan.

Techniques and Tools for Credit Risk Management

1. Credit approving authority

Banks can create a multi-tier credit approving system where officers review the loan before
sanctioning it. It reduces the chances of any new credit risk. To maximize this benefit, banks
can create a grid of officers who operate on multiple levels of the organization, i.e., regional
offices, zonal offices, head offices, etc.
Additionally, the grid/committee could oversee the sanction of high-value loans by carefully
assessing borrower creditworthiness. To ensure the best quality of credit decisions, banks
must review them periodically.
2. KYC
KYC (Know Your Customer) is a practice that is mandatorily executed by banks and financial
institutions to rule out the possibilities of money laundering and terrorist financing. Under
this process, banks collate and verify all the information there is about a borrower. Banks
digitally onboard customers with e-KYC mechanisms that use the Unique Identity Number
(UID) issued by the Indian Government
3. Prudential limits
Banks can set up prudential limits on various KPIs such as debt-equity and profitability ratio,
debt service coverage ratio, and other important ratios. Further, they must ensure that the
loan policy mentions the most permissible deviation that can be allowed from these KPIs.
Based on the concentration risk, banks can also reduce their credit exposures to individuals
who enjoy credit facilities excess of their capital threshold.
Even while lending to industries, banks can set limits for every sector. Based on the stress on
each segment, banks can adjust the exposure and lend with reduced credit risk. They can do
this by limiting new advances against assets that experience high price volatility and, hence,
credit risk. While lending to distressed sectors, banks must adequately back their credit by
collateral and strategic considerations. Prudential limits must be reviewed periodically. It will
factor in other market-related issues and improve credit risk management.
4. Credit risk rating
Rating borrower creditworthiness is standard practice across all financial institutions.
However, banks can also create a separate credit risk scoring/rating method for internal
purposes. Credit risk rating will help banks and loan officers understand individual credit
behavior better and the overall risk within their portfolio. The rating can be designed on
various quantitative and qualitative factors such as:
 Financial analysis
 Projections
 Financial ratios; and
 Other operating parameters
Banks can improve their rating mechanism by weighing these ratios based on years. It will
give a higher degree of importance to near-term developments and make ratings more
accurate. In addition to this, separate scales for rating can be devised for different borrowers
to personalize credit risk assessment and improve the system’s flexibility. To ensure that
these rating models remain relevant and consistent, they should be frequently revised. It
enables banks to identify variations that could cause any future credit losses, and address
them quickly.
5. Risk pricing
Pricing your loan products based on risk categories of borrowers is important to curb credit
risks. Generally, borrowers with less than average credit history or weak financials are
categorized as high-risk individuals and subjected to high interest rates.
To ensure higher accuracy, banks should price credit risks based on the expected probability
of default. Internationally, large banks have implemented the Risk-Adjusted Return on
Capital (RAROC) framework, which adjusts the interest rates based on the expected loss on
loans from the start itself. The banks then allocate some capital to cover the losses incurred
on the prospective loan.
The RAROC framework helps banks in effective credit risk management and provides better
loan pricing to borrowers.
6. Analytics for credit risk detection and control
Through AI and ML, banks can now analyse customer credit history to foresee changes in
their credit behaviour. Banks can detect any change in the risk profile of the customer and
make effective credit decisions.
This real-time insight into customer behaviour will allow banks to take proactive measures. It
will help them design effective credit frameworks and install policies to reduce credit risks.
Data analytics can also be applied to simulate stressful environments for lending processes
and identify credit weaknesses.
7. Portfolio management
Appropriate credit risk rating/pricing can enable better portfolio management. Banks must
identify patterns in the migration of borrowers based on the change in their credit quality.
The data provides them with insights to identify the quality of their loan books and take
corrective actions if necessary. Additionally, banks can also:
 Create credit ceilings based on borrower ratings to limit credit exposure.
 Understand the rating-wise distribution of borrowers in various industries.
 Limit exposure to segments based on the pros, cons, and current financial state. In
case the industry is going through a period of stress, banks can increase the quality
standards required to borrow from them.
 Design and undertake stress tests to identify weaknesses in their credit
administration, policies, and tools to improve their credit risk management process.
8. Loan review mechanism
An LRM (Loan Review Mechanism) is a great tool to understand the quality of loan books
and bring qualitative improvements in credit-related decision-making. LRM can help banks
identify large value loans that can potentially develop credit weakness and create a
proactive approach to credit risk management. Additionally, LRMs are also very helpful in:
 Identifying adequacy of and adherence to loan policies, procedures.
 Checking compliance with government laws.
 Supporting existing credit risk management infrastructure.

Calculation and Formula

To gauge creditworthiness, lenders use a system called “The 5Cs of Credit Risk.”
1. Credit history: Lenders look into borrowers’ credit scores and check their
backgrounds.
2. Capacity to repay: To ascertain borrowers’ repayment ability, lenders rely on the
debt-to-income ratio. It indicates efficiency in paying off debts from earnings.
3. Capital: Lenders determine every borrower’s net worth. It is computed by
subtracting overall liabilities from total assets.
4. Conditions of loan: It is important to determine if the terms and conditions suit a
particular borrower.
5. Collateral: Lenders assess the value of collateral submitted by
borrowers. Collateralization mitigates lenders’ risk.
One of the simplest methods for calculating the expected loss due to credit risk is given
below:
Expected Loss=PD×EAD×LGD
Here, PD refers to ‘the probability of default.’ And EAD refers to ‘the exposure at default’;
the amount that the borrower already repays is excluded in EAD. LGD here, refers to loss
given default. If LGD is not given, it is calculated as ‘1 – recovery percentage.’

Credit Risk Example

Let us assume that a bank lends $1000,000 to XYZ Ltd. But soon, the company experiences
operational difficulties—resulting in a liquidity crunch.
Now, determine the expected loss that could be caused by a credit default. The loss given
default is 38%; the rest can be recovered from the sale of collateral (building).
Solution:
Given,
Exposure at default (EAD) = $1000,000
Probability of default (PD) = 100% (as the company is assumed to default the full amount)
Loss given default (LGD) = 38%
The expected loss can be calculated using the following formula:
Expected Loss = PD × EAD × LGD
Expected Loss = 100% × 1000000 × 38%
Expected Loss = $380000
Thus, the bank expects a loss of $380,000.
Operational risk management

Operational risk is the risk of loss as a result of ineffective or

failed internal processes, people, systems, or external events
which can disrupt the flow of business operations. These
operational losses can be directly or indirectly financial. For
example, a poorly trained employee may directly lose the
company a sales opportunity, or a company’s reputation can
suffer indirectly from poor customer service.

Steps in the ORM Process

While there are different versions of the ORM process steps, Operational Risk Management
is generally applied as a five-step process. All five steps are critical, and all steps should be
implemented.
Image: Steps in the ORM Process

Image source: PWC Operational Risk Management

Step 1: Risk Identification
Risks must be identified so these can be controlled. Risk identification starts with
understanding the organization’s objectives. Risks are anything preventing the organization
from achieving its objectives. Asking “What could go wrong?” is a great way to begin
brainstorming and identifying risks.
Step 2: Risk Assessment
Risk assessment is a systematic process for rating risks based on likelihood and impact. The
outcome of the risk assessment is a prioritized listing of known risks, along with the risk
owner and risk mitigation plan, also known as a risk register. It may not be possible or
advisable for an organization to address all identified risks — thus, prioritization is critical for
the management of operational risk and points project teams at the most significant risks.
This risk assessment process may look similar to the risk assessment done by internal audit,
and should, in fact, be informed by prior audit reports and findings.
Step 3: Risk Mitigation
The risk mitigation step involves developing and choosing a path for controlling specific risks.
In the Operational Risk Management process, there are four options for addressing potential
risk events: transfer, avoid, accept, and mitigate.
1. Transfer: Transferring shifts the risk to another organization. The two most common
means for transferring are outsourcing and insuring. When outsourcing,
management cannot completely transfer the responsibility for controlling risk.
Insuring against the risk ultimately transfers some of the financial impacts of the risk
to the insurance company. A good example of transferring risk occurs with cloud-
based software companies. When a company purchases cloud-based software, the
contract usually includes a clause for data breach insurance. The purchaser is
ensuring the vendor can pay for damages in the event of a data breach. At the same
time, the vendor will also have their data center provide SOC reports showing there
are sufficient controls in place to minimize the likelihood of a data breach.
2. Avoid: Avoidance prevents the organization from entering into a risk-rich situation or
environment. For example, when choosing a vendor for a service, the organization
could choose to accept a vendor with a higher-priced bid if the lower-cost vendor
does not have adequate references.
3. Accept: Based on the comparison of the risk to the cost of control, management
could accept the risk and move forward with the risky choice. As an example, there is
the risk an employee will burn themselves if the company installs new coffee makers
in the break room. The benefit of employee satisfaction from new coffee makers
outweighs the risk of an employee accidentally burning themselves on a hot cup of
coffee, so management accepts the risk and installs the new appliance.
4. Mitigate: Mitigating risks involves implementing action plans and controls that
reduce the likelihood of the risk and/or the impact it would have if the risk were
realized. For example, if an organization allows employees to work from home, there
is a risk of data leakage due to the transmission of data across the public internet. To
mitigate this risk, management might implement a VPN service and have remote
users access the business network through VPN only. This would reduce the
likelihood of data leakage, thereby mitigating the risk.
We’ve mentioned a few times that very few risks can be completely eliminated. Noting the
residual risk — the risk remaining after mitigation — is an equally important part of the risk
mitigation phase of ORM.
Step 4: Control Implementation
Once risk mitigation decisions are made, action plans are formed, and residual risk is
captured, the next step is implementation. Controls should be designed specifically to
address and mitigate the risk in question. The control rationale, objective, and activity
should be formally documented so the controls can be clearly communicated and executed.
Controls might take the form of a new process, an additional approver, or built-in controls
that prevent end users from making errors or performing malicious activities. Whenever
possible, controls should be designed to be preventive, rather than detective or corrective.
With risk management and medicine, it seems the best cure is prevention. That said, it may
be impossible to prevent a risk from occurring, which is where detective controls come into
play. Detecting anomalies and then correcting them may be sufficient to mitigate certain
risks.
Most likely, your organization already has some controls in place to combat risks. It’s still
wise to review those controls on an annual basis (at minimum) and determine whether
additional controls are needed if there are gaps in the control, or if the control is sufficient to
address the risk and requires no changes.
Step 5: Monitoring
Since controls may be performed by people who make mistakes, or the environment could
change, controls should be monitored. Control monitoring involves testing the control for
appropriateness of design, and operating effectiveness. Any exceptions or issues should be
raised to management with action plans established.
Within the monitoring step in Operational Risk Management, some organizations, especially
in financial services, have adopted continuous monitoring or early warning systems built
around key risk indicators (KRIs). Key risk indicators are metrics used by organizations to
provide an early signal of increasing risk exposure in various areas of the enterprise. KRIs
designed around ratios monitored by business intelligence applications are how banks can
manage operational risk, but the concept can be applied across all industries. KRIs can be
designed to monitor nearly any potential risk and send a notification. As an example, a
company could design a key risk indicator around customer satisfaction scores. Falling
customer satisfaction scores could indicate customer service representatives are not being
trained or that the training is ineffective.
Calculation of operational risk:
Advanced measurement approach (AMA)
With the AMA model, banks can create their own empirical model to quantify the capital
required for operational risk.
An AMA framework should include the use of four quantitative elements for its
development: internal loss data, external data, scenario and business environment analysis,
or internal control factors.
Among the AMA models, there are three different types of methodologies: internal
measurement approach (IMA), loss distribution approach (LDA) and scorecards.