Ref. RBI.No.269-2004 DBS.CO.PP.BC. 14/11.01.005/2003-04

June 26, 2004

All Scheduled Commercial Banks (excluding RRBs)

Dear Sir,

Risk Based Supervision - Follow up of Risk Management Systems in Banks

As you are aware, guidelines on Risk Management Systems (RMS) were issued to banks for implementation vide circular DBOD No. BP (SC) BC 98/ 21.04.098 / 99 dated October 7, 1999. In order to evaluate the steps taken by banks in implementing these guidelines, banks were required, vide DBOD circular No. BP. SC. BC. 59/21.04.103/2000-01 dated December 26, 2000, to send to the Regional Offices of DBS a quarterly progress report on the implementation of these guidelines, based on a set of questionnaires which was forwarded to banks vide circular DBOD No. BP. SC. BC. 002/ 21.04.103/2000-01 dated July 7, 2000.

2. Further, as part of putting in place an institutional mechanism in banks for moving over to risk-based supervision (RBS), banks were advised, vide circular DBS. CO./ RBS/58/36.01.002/2001-02 dated August 13, 2001, to take specific steps for (a) setting up Risk Management Architecture, (b) adoption of Risk Based Internal Audit (RBIA), (c) strengthening of Management Information System and Information Technology Support, (d) addressing HRD issues and (e) setting up of Compliance Units to monitor regulatory and supervisory compliance. Also, a guidance note on Risk Based Internal Audit, being one of the five areas specified above, was issued to banks vide circular DBS. CO. PP. BC.10/11/01.005/2002-03 dated December 27, 2002, advising them to submit a quarterly report on the progress made in implementation of Risk Based Internal Audit.

3. The system of reporting by banks in respect of the progress achieved in implementation of the guidelines on Risk Management Systems and Risk Based Supervision, as also Risk Based Internal Audit, has since been reviewed. In order to monitor the progress achieved by banks in respect of the above three areas in a focused manner, as also to bring about uniformity in reporting by banks, a revised structured format (containing three sections, one each for RMS, RBS and RBIA) has been devised and is enclosed.

4. Banks are advised to submit, henceforth, a single report, on a quarterly basis, in the above mentioned revised format to the respective Regional Offices of the Department of Banking Supervision.

5. Kindly acknowledge receipt.

Yours faithfully,

(G. Gopalakrishna)
Chief General Manager-in-Charge
Revised format for reporting progress in implementation of Risk Management System/ ALM, Risk Based Supervision and Risk Based Internal Audit

Part I - Risk management system/ALM* - Progress made during the quarter ended ______

A. Action points fully implemented

| Action point/ risk management area | Details of implementation |
| --- | --- |
| | |

B. Action points partially implemented/ not implemented

| Action point/ risk management area | Time frame for implementation | Details of steps taken during the last quarter (if no progress during the quarter, the same to be specified) | Details of measures proposed to be taken to adhere to the time frame |
| --- | --- | --- | --- |
| | | | |

*Please refer to circulars (i) DBOD.BP.SC.BC.002/21.04.103.2000-01 dated July 7, 2000 and (ii) DBOD. No .BP(SC).BC.59/21.04.103/2000-01 dated December 26, 2000. All the action points/ risk management areas specified in these circulars are to be categorized into A and B.
Part II - Preparedness for Risk Based Supervision (RBS)* - Progress Report for the quarter ended ______

| Action Points | Progress made up to the quarter-end | Remaining gaps |
| --- | --- | --- |
| 1. Put in place an institutional mechanism to direct and monitor the progress in implementation of risk based supervision: (a) setting up Risk Management Architecture, (b) adoption of Risk Based Internal Audit, (c) strengthening of Management Information System and Information Technology, (d) addressing HRD issues and (e) setting up of Compliance Units to monitor regulatory and supervisory compliance. | | |
| 2. Name and designation of the officer who is the head of the above institutional mechanism. | | |
| 3. Are the institutional mechanisms set up to attend to the requirements of RBS kept separate and distinct from the institutional mechanism attending to risk management functions? | | |
| 4. Whether quarterly review reports on RBS are placed before the Board of Directors along with the progress report on risk management systems. | | |
| 5. Action/ steps taken for building up an inventory of skilled and trained personnel to attend to risk management and RBS functions. | | |
| 6. Persons trained in risk management, risk based supervision and risk focused internal audit should be positioned in appropriate places. 6.1 Arrangements for maintaining a database on training and placement of officials to be indicated. | | |

* Please refer to Circulars (i) DBS. CO/ RBS/58/36.01.002/2001-02 dated August 13, 2001 on 'Move towards Risk Based Supervision of banks - Discussion Paper' and (ii) DBS. No. RBS. BC.3/36.01.12/2002-03 dated September 5, 2002 on 'Risk Based Supervision of banks - Institutional Mechanism'.
Part III - Risk Based Internal Audit* - Progress Report for the quarter ended ______ (*Please refer to circular DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002)

| Action Points | Progress achieved up to the quarter-end | Remaining gaps |
| --- | --- | --- |
| Strategy for implementation of RBI guidelines | | |
| Whether a Task Force comprising senior executives with the responsibility of chalking out an action plan for switching over to risk-based internal audit has been constituted. | | |
| (a) Whether the Task Force has identified transitional and change management issues, (b) steps initiated to address the above and (c) periodicity of reporting to the Board of Directors and the date of last reporting. | | |
| Policy for risk-based internal audit | | |
| Whether a well-defined policy, duly approved by the Board, for undertaking risk-based internal audit has been adopted. The policy should include (i) the risk assessment methodology for identifying the risk areas based on which the audit plan would be formulated and (ii) the maximum time period beyond which even the low risk business activities/ locations should not remain unaudited. | | |
| Functional independence | | |
| The Internal Audit Department (IAD) should be independent from the internal control process and should not be assigned the responsibility of performing other accounting or operational functions. The date of latest reporting by the IAD to the Board/ Audit Committee. | | |
| Risk assessment | | |
| Whether business risks and control risks are evaluated and classified into low, medium and high categories. | | |
| Whether a risk matrix is drawn up for each business activity/ location, taking into account both the above factors. | | |
| An analysis of business risks and control risks should be done to assess the trend (stable, increasing or decreasing). | | |
| Whether the IAD has devised the risk assessment methodology incorporating size and complexity of the business with approval of the Board. | | |
| What is the mechanism stipulated for keeping the internal audit function informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices/ policies etc.? Is the risk assessment undertaken on a yearly basis? Is the risk assessment updated periodically, taking into account changes in business environment, activities etc.? Date of last review. | | |
| Has an independent risk assessment system been instituted/ set up in the IAD? | | |
| Audit Plan | | |
| The annual audit plan, approved by the Board, should include the schedule and the rationale for audit work planned. The plan should include all risk areas and their prioritization based on the level and direction of risk. | | |
| Scope | | |
| Whether the bank is preparing the Risk Audit Matrix? If so, whether it is being used for prioritizing the audit work to give greater attention to areas mentioned in the risk-based internal audit guidelines (para 6.1 of the guidelines)? The scope of risk-based internal audit should be determined for different risk levels such as low, medium, high, very high and extremely high and should, at the minimum, review/ report the following aspects: the process by which risks are identified and managed in various areas; the control environment in various areas; gaps, if any, in the control mechanism which might lead to frauds, and identification of fraud prone areas; data integrity, and reliability and integrity of MIS; internal, regulatory and statutory compliance; budgetary control and performance reviews; transaction testing/ verification of assets to the extent considered necessary; monitoring compliance with the risk-based internal audit report; variation, if any, in the assessment of risks under the audit plan vis-à-vis the risk-based internal audit. | | |
| The risk-based internal audit report should include comments on proper recording and reporting of major exceptions and excesses. Whether the bank has framed a policy with regard to the level of transaction testing in respect of the various levels and trends of risk? | | |
| The scope of risk-based internal audit should include: a review of the systems in place for ensuring compliance with money laundering controls; identification of potential inherent business risks and control risks. | | |
| Communication | | |
| All serious deficiencies/ sensitive findings identified by risk-based internal audit staff should be reported to the appropriate level of management immediately. All significant issues posing a threat to the bank's business should be promptly brought to the notice of the Board/ Audit Committee/ top management. | | |
| Performance evaluation | | |
| The IAD should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-à-vis the approved audit plan. The performance review should include an evaluation of the effectiveness of risk-based internal audit in mitigating identified risks. The Board/ Audit Committee should periodically assess the performance of the risk-based internal audit (date of last review). | | |
| Audit resources | | |
| The IAD should be provided with appropriate resources and staff with requisite skills. What are the arrangements in place for training staff periodically? | | |
| Outsourced internal audit arrangements | | |
| Does the contract governing outsourcing of internal audit specify: the scope and frequency of work to be performed by the vendor; the manner and frequency of reporting to the bank; the manner of determining the cost of damages arising from errors, omissions and negligence on the part of the vendor; the arrangements for incorporation of changes in the terms of contract, should the need arise; the procedure/ locations for safe keeping of the work papers; that all work papers should be available to the bank when required; that the employees authorized by the bank have reasonable and timely access to the work papers; and that the supervisors are to be granted immediate and full access to related work papers? Is the work done by the vendor documented and reported to the top management through the IAD? Whether a contingency plan to mitigate any discontinuity in audit coverage on account of a sudden termination of the outsourcing arrangement has been drawn up. | | |