Risk Based Supervision- Follow up of Risk Management Systems in Banks

Ref. RBI.No.269-2004
DBS.CO.PP.BC. 14 /11.01.005/2003-04

June 26, 2004

All Scheduled Commercial Banks
(excluding RRBs)

Dear sir,

Risk Based Supervision- Follow up of Risk Management Systems in Banks

As you are aware, guidelines on Risk Management Systems (RMS) were issued to banks for implementation vide circular DBOD No. BP (SC) BC 98/ 21.04.098 / 99 dated October 7, 1999. In order to evaluate the steps taken by banks in implementing these guidelines, banks were required, vide DBOD circular No. BP. SC. BC. 59/21.04.103/2000-01 dated December 26, 2000, to send to the Regional Offices of DBS a quarterly progress report on the implementation of these guidelines, based on a questionnaire which was forwarded to banks vide circular DBOD No. BP. SC. BC. 002/ 21.04.103/2000-01 dated July 7, 2000.

2. Further, as part of putting in place an institutional mechanism in banks for moving over to risk-based supervision (RBS), banks were advised, vide circular DBS. CO./ RBS/58/36.01.002/ 2001-02 dated August 13, 2001, to take specific steps for (a) setting up Risk Management Architecture, (b) adoption of Risk Based Internal Audit (RBIA), (c) strengthening of Management Information System and Information Technology Support, (d) addressing HRD issues and (e) setting up of Compliance Units to monitor regulatory and supervisory compliance. Also, a guidance note on Risk Based Internal Audit, being one of the five areas specified above, was issued to banks vide circular DBS. CO. PP. BC.10/11/01.005/2002-03 dated December 27, 2002, advising them to submit a quarterly report on the progress made in implementation of Risk Based Internal Audit.

3. The system of reporting by banks in respect of the progress achieved in implementation of the guidelines on Risk Management Systems and Risk Based Supervision as also Risk Based Internal Audit has since been reviewed. In order to monitor the progress achieved by banks in respect of the above three areas in a focused manner as also to bring about uniformity in reporting by banks, a revised structured format (containing three sections, one each for RMS, RBS and RBIA) has been devised and the same is enclosed.

4. Banks are advised to submit, henceforth, a single report, on a quarterly basis, in the above mentioned revised format to the respective Regional Offices of Department of Banking Supervision.

5. Kindly acknowledge receipt.

Yours faithfully,

(G. Gopalakrishna)
Chief General Manager-in-Charge

Revised format for reporting progress in implementation of Risk Management System/ ALM, Risk Based Supervision and Risk Based Internal Audit

Part I - Risk management system/ALM* - Progress made during the quarter ended

A. Action points fully implemented

Action point/ risk management area | Details of implementation

B. Action points partially implemented/ not implemented

Action point/ risk management area | Time frame for implementation | Details of steps taken during the last quarter (if no progress during the quarter, the same is to be specified) | Details of measures proposed to be taken to adhere to the time frame


*Please refer to circulars (i) DBOD.BP.SC.BC.002/ dated July 7, 2000 and (ii) DBOD. No .BP(SC).BC.59/21.04.103/2000-01 dated December 26, 2000. All the action points/ risk management areas specified in these circulars are to be categorized into A and B.


Part II - Preparedness for Risk Based Supervision (RBS)* - Progress Report for the quarter ended

Action Points | Progress made up to the quarter-end | Remaining Gaps

1. Put in place an institutional mechanism to direct and monitor the progress in implementation of risk based supervision:

(a) setting up Risk Management Architecture

(b) adoption of Risk Based Internal Audit,

(c) strengthening of Management Information System and Information Technology

(d) addressing HRD issues and,

(e) setting up of Compliance Units to monitor regulatory and supervisory compliance.


2. Name & designation of the officer who is the head of the above institutional mechanism.


3. Are the institutional mechanisms set up to attend to the requirements of RBS kept separate and distinct from the institutional mechanism attending to risk management functions?


4. Whether quarterly review reports on RBS are placed before the Board of Directors along with the progress report on risk management systems.


5. Action/ steps taken for building up of an inventory of skilled and trained personnel to attend to risk management and RBS functions.


6. Persons trained in risk management, risk based supervision and risk focused internal audit should be positioned in appropriate places.

6.1 Arrangements for maintaining data base on training and placement of officials to be indicated.


* Please refer Circulars (i) DBS. CO/ RBS/58/36.01.002/2001-02 dated August 13, 2001 on ‘Move towards Risk Based Supervision of banks - Discussion Paper’

(ii) DBS. No. RBS. BC.3/36.01.12/2002-03 dated September 5, 2002 on ‘Risk Based Supervision of banks - Institutional Mechanism’.


Part III - Risk Based Internal Audit* - Progress Report for the quarter ended

(*Please refer circular DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002)

Action Points | Progress achieved up to the quarter-end | Remaining gaps

1. Strategy for implementation of RBI guidelines

   (a) Whether a Task Force comprising senior executives with the responsibility of chalking out an action plan for switching over to risk-based internal audit has been constituted.
   (b) (i) Whether the Task Force has identified transitional and change management issues, (ii) the steps initiated to address the above and (iii) the periodicity of reporting to the Board of directors and the date of last reporting.

2. Policy for risk-based internal audit

   (a) Whether a well-defined policy, duly approved by the Board, for undertaking risk-based internal audit has been adopted.
   (b) The policy should include (i) the risk assessment methodology for identifying the risk areas based on which the audit plan would be formulated and (ii) the maximum time period beyond which even the low risk business activities/ locations should not remain unaudited.

3. Functional independence

   (a) The Internal Audit Department (IAD) should be independent from the internal control process and should not be assigned the responsibility of performing other accounting or operational functions.
   (b) The date of latest reporting by the IAD to the Board / Audit Committee.

4. Risk assessment

   (a) Whether business risks and control risks are evaluated and classified into low, medium and high categories.
   (b) Whether a risk-matrix is drawn up for each business activity/location, taking into account both the above factors.
   (c) An analysis of business risks and control risks should be done to assess the trend (stable, increasing or decreasing).
   (d) Whether the IAD has devised the risk assessment methodology incorporating the size and complexity of the business, with the approval of the Board.
   (e) What is the mechanism stipulated for keeping the internal audit function informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices/policies, etc.?
   (f) Is the risk assessment undertaken on a yearly basis?
   (g) Is the risk assessment updated periodically, taking into account changes in business environment, activities, etc.? Date of last review.
   (h) Has an independent risk assessment system been instituted/ set up in the IAD?

5. Audit Plan

   (a) The annual audit plan, approved by the Board, should include the schedule and the rationale for the audit work planned.
   (b) The plan should include all risk areas and their prioritization based on the level and direction of risk.

6. Scope

   (a) Whether the bank is preparing the Risk Audit Matrix? If so, whether it is being used for prioritizing the audit work to give greater attention to the areas mentioned in the risk-based internal audit guidelines (para 6.1 of the guidelines)?
   (b) The scope of risk-based internal audit should be determined for different risk levels such as low, medium, high, very high and extremely high and should, at the minimum, review/report the following aspects:

      • the process by which risks are identified and managed in various areas;
      • the control environment in various areas;
      • gaps, if any, in the control mechanism which might lead to frauds, and identification of fraud-prone areas;
      • data integrity, and the reliability and integrity of MIS;
      • internal, regulatory and statutory compliance;
      • budgetary control and performance reviews;
      • transaction testing/verification of assets to the extent considered necessary;
      • monitoring compliance with the risk-based internal audit report;
      • variation, if any, in the assessment of risks under the audit plan vis-à-vis the risk-based internal audit.

   (c) The risk-based internal audit report should include comments on proper recording and reporting of major exceptions and excesses.
   (d) Whether the bank has framed a policy with regard to the level of transaction testing in respect of the various levels and trends of risk?
   (e) The scope of risk-based internal audit should also include:

      • a review of the systems in place for ensuring compliance with money laundering controls;
      • identification of potential inherent business risks and control risks.

7. Communication

   (a) All serious deficiencies/ sensitive findings identified by risk-based internal audit staff should be reported to the appropriate level of management immediately.
   (b) All significant issues posing a threat to the bank’s business should be promptly brought to the notice of the Board / Audit Committee / top management.

8. Performance evaluation

   (a) The IAD should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-à-vis the approved audit plan. The performance review should include an evaluation of the effectiveness of risk-based internal audit in mitigating identified risks.
   (b) The Board / Audit Committee should periodically assess the performance of the risk-based internal audit (date of last review).

9. Audit resources

   (a) The IAD should be provided with appropriate resources and staff with the requisite skills.
   (b) What are the arrangements in place for training staff periodically?

10. Outsourced internal audit arrangements

   (a) Does the contract governing the outsourcing of internal audit specify:

      • the scope and frequency of work to be performed by the vendor;
      • the manner and frequency of reporting to the bank;
      • the manner of determining the cost of damages arising from errors, omissions and negligence on the part of the vendor;
      • the arrangements for incorporation of changes in the terms of the contract, should the need arise;
      • the procedure/locations for safe keeping of the work papers;
      • that all work papers should be available to the bank when required;
      • that the employees authorized by the bank have reasonable and timely access to the work papers;
      • that the supervisors are to be granted immediate and full access to related work papers?

   (b) Is the work done by the vendor documented and reported to the top management through the IAD?
   (c) Whether a contingency plan to mitigate any discontinuity in audit coverage on account of a sudden termination of the outsourcing arrangement has been drawn up.