Governance in Financial Institutions (GFI)
98th BPE
Module-E: Risk Management and Controls
ERMF, Risk Scanning and Emerging Risks, Risk Appetite, Risk Culture, Managing Material Risks, Appropriate Implementation of 03 (three) Lines of Defense, Strength and Independent Functioning of 2nd Line Functions and Internal Audit, Regulatory Compliance.
5.1. What do you mean by Enterprise Risk Management (ERM)? Describe the types of enterprise risk.
Enterprise Risk Management (ERM) is a term used in business to describe the risk management methods that firms use to identify and mitigate risks that can pose problems for the enterprise. ERM is a way to manage risk effectively across the organization through the use of a common risk management framework.
There are multiple areas of classification that can help organizations clarify and sort risks. They
are as follows:
Compliance Risks: Threats that fall under the compliance category can be defined as risks or
opportunities that are in relation to laws and regulations. Any risk that is a violation of legal
guidelines should be classified as a compliance risk.
Financial Risks: The financial risk category encompasses risks or opportunities to an
organization in relation to monetary resources and cash flow. Funds, investments, and fraud are
all risks within this category. Financial risks are essential in enterprise risk management. They
heavily affect every aspect of a company.
Hazard & Safety Risks: Potential threats that may compromise the health and wellbeing of
employees in the workplace should be classified under the hazard and safety risk category.
Accidental injuries, geopolitical tension, and natural disasters are all safety risks to be assessed.
Organizations must identify hazard risks in order to put into place control measures and treatment
plans.
Operational & Strategic Risks: The classification of operational and strategic risks is similar in nature, so they can be sorted into the same category. Strategic threats are risks caused by external circumstances, such as shifts in consumer demand or technological changes. Operational risks refer to day-to-day internal workings that may fail, such as data breaches and human error in performance. Both internal and external risks should be recognized and analyzed.
Reputational Risks: Risks related to reputation encompass all other categories of enterprise risk, because a damaged reputation is most often the result of a failure to address one of the risks listed above. Executive management, customer service, product quality, accounting, and operations can all give rise to risks with reputational ramifications. Negative media is the most significant risk across all aspects of an organization and can be very difficult to control once it is publicized.
Md. Mizanur Rahman, Cell: 01870478713
5.2. What are the components of ERM?
Financial experts have identified the following components of an Enterprise Risk Management Framework for banks:
Code of conduct: An organization's core values and code of conduct play a major role in defining risk aptitude. Knowing when to take a calculated risk and when to go the extra mile really matters in a dynamic business environment. A sound work culture sets the tone for employees' work standards and their ability to deal with risks.
Setting objectives and goals: Organizations set a mission and vision to ensure that everyone works towards a common goal. When these objectives are embedded across the enterprise, all employees become aware of their respective roles and responsibilities. These shared objectives act as a guidebook when forming the risk management plan.
Identify: The first component is to identify areas of risk. In this step, organizations must review their entire portfolio. Risk identification is the first step of risk management in financial institutions. It includes: stress test scenarios, disaster tests, risk modeling, risk ownership, and the strategic plan.
Assess: The most desirable way to mitigate loss is a strong risk assessment. Assessing inherent and residual risk levels helps determine the appropriate steps to reduce these risks to within a defined risk appetite. Inherent risk is the risk posed by omission or error that is due to some factor other than a failure of internal control measures. Banks need to review the risk inherent in their products and services, their customer and entity base, and their geographical locations. Risk is then quantified by calculating and assigning risk scores. Mitigating controls are controls designed to reduce the bank's inherent risks to an acceptable level. Residual risk is the level or volume of risk that remains after controls have reduced the inherent risk.
Response: A proper response is needed, putting appropriate control mechanisms in place to mitigate areas of high risk. Banks that implement a well-structured risk management infrastructure reduce risk at all points of the business. A financial institution's ability to counter its threats is a major factor for investors. A bank without a proper credit risk management system will see lower profits because of loan losses. Some strategies to counter this threat are credit risk policies, origination/acquisition standards for loans, loan administration and investment portfolio management.
Checks and balances: Checks and balances are necessary to ensure that response activities are carried out according to policy. The company's ethics and values are as important as its risk mitigation measures. If any employee deviates from the defined laws, it will not go unnoticed. As part of the framework and risk management strategy, the board of directors must clarify roles and responsibilities with transparency. This documentation must also include the internal control measures to be applied in case of unethical behavior.
Information and communication: Communication is the essence of any business, and in a digitally advanced world it holds immense value. In risk management, every employee must be capable of identifying potential risks and communicating them to managers and stakeholders. This process ensures that no risk is overlooked. To achieve this, companies should invest in training programs that help employees learn about risk assessment and identification. Ultimately, this yields a marked rise in efficiency.
Monitoring: We live in an age of market volatility, and fast-paced, changing trends give rise to various types of risk. These changing trends also change the nature of the risks the organization expects to encounter. Organizations must, therefore, monitor and review the strategy at regular intervals. This keeps everyone informed about what is working favourably or unfavourably.
5.3. Describe the benefits of maintaining effective ERM.
Benefits of maintaining effective ERM are as follows:
Ensures compliance: ERM helps a business remain compliant, mitigate loss, support growth, and improve profitability. Implementing ERM throughout an organization can create a cultural shift, placing greater emphasis on proactive risk management and on long-term rather than short-term success.
See risk as opportunity: ERM looks at risk holistically, considering how to treat and exploit it. It encourages thinking about how to use risk as an opportunity, which can involve improving competitive position or taking better advantage of the market. Since ERM helps to identify risks ahead of time, managers are also not blindsided by risk events.
Better Decisions: The risk data received from ERM is vital to decision making at management
levels. Data includes the status of risk factors, possible new risks, and strategies to combat or
work with risk.
Change the risk culture: Once the process of considering possible risks to the business begins, the company becomes more aware of possible future risks. This insight changes the culture of the organization's management, encouraging open discussion about how to mitigate risk.
5.4. Write down the weakness of ERM in FIs.
Despite ERM's expanded focus, the worldwide financial crisis was a risk apparently not foreseen by risk managers. Even where some quarters foresaw it, their cautionary note had no impact. Vern Grose, chairman of Omega Systems Group, Inc., identifies five specific shortcomings of ERM, all of which need to be addressed if ERM is to be used effectively:
Lack of a framework: ERM lacks the framework it recommends. It has no defined process that assures total management of risk. Instead, it often focuses on sensational and obvious issues while ignoring mundane and routine matters. Consider Enron and WorldCom, companies that spent millions on risk management services but never addressed the risks of accounting and financial reporting.
Reactive instead of proactive: There is no recognized and endorsed ERM process for foreseeing and identifying risks before experiencing their associated losses. This deficiency forces ERM to be reactive instead of proactive, waiting for a loss before implementing countermeasures against it. Reactive management is always inefficient and expensive, because every loss is much more costly than if it had been foreseen and controlled.
Discards the wisdom of insiders: Consultants to financial institutions have always claimed that they know best how to manage risk. So management has fallen victim to engaging experts from outside, who do not know many of the inside issues of an organization. This leaves organizations vulnerable to risks the outsiders do not know about. Risks can only be managed or reduced by those who work inside the organization, but unfortunately these people are rarely involved in the ERM process even though they have the greatest knowledge and understanding of those risks.
Doesn't calculate mitigation costs: Generally, ERM measures risk in only two dimensions, severity and likelihood. This short-sighted approach almost guarantees that management will not get involved in addressing a risk. It may be assigned to a list or a group of similar risks, or be classified within a zone of interest, but without a mitigation price tag management will ignore it. Ignoring mitigation cost assures ignored risk.
Failure to rank risks: There are never enough resources in any organization to mitigate every identified risk, so allocating resources to manage risks according to their gravity is a prime concern for management. Investment decisions for risk control, prioritization of risks in order of importance, and allocation of limited resources for risk control all become complex because the ERM function does not rank risks. As a result, risk identification itself may even be manipulated to favor or influence resource allocation decisions.
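A worked illustration of the assess step in 5.2 (inherent risk, mitigating controls, residual risk within a defined appetite) and of the two shortcomings in 5.4 (no mitigation price tag, no ranking), written as an added example and not taken from the course notes. The likelihood-by-severity score, the multiplicative control model, the per-category appetite thresholds and every register value are assumptions constructed for the example.

```python
"""Risk-register scoring: inherent vs residual risk against a stated risk appetite.

Added illustration, not from the course notes. The two-dimension score
(likelihood x severity), the multiplicative control model and the appetite
thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A mitigating control with an assumed effectiveness and annual cost."""
    name: str
    effectiveness: float   # fraction of exposure removed, 0.0 .. 1.0 (assumed)
    annual_cost: float     # currency units per year (constructed values)


@dataclass
class Risk:
    """One entry in the risk register; likelihood and severity are 1..5 scales."""
    name: str
    category: str
    likelihood: int
    severity: int
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        # Risk before any control is applied: the classic two-dimension score.
        return self.likelihood * self.severity

    def residual_fraction(self) -> float:
        # Controls are assumed independent, so the uncontrolled share multiplies.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return remaining

    def residual_score(self) -> float:
        # Risk that remains after controls have reduced the inherent risk.
        return round(self.inherent_score() * self.residual_fraction(), 2)

    def mitigation_cost(self) -> float:
        # The "price tag" that 5.4 says ERM usually omits.
        return sum(c.annual_cost for c in self.controls)

    def reduction_per_cost(self) -> float:
        # Score points removed per 1,000 currency units spent; 0.0 if nothing is spent.
        cost = self.mitigation_cost()
        if cost == 0:
            return 0.0
        return round((self.inherent_score() - self.residual_score()) / cost * 1000, 3)


# Maximum acceptable residual score per category (assumed appetite statement).
RISK_APPETITE = {
    "compliance": 4.0,
    "financial": 6.0,
    "operational": 8.0,
    "reputational": 5.0,
}


def appetite_gap(risk: Risk) -> float:
    """Positive when residual risk exceeds the category's appetite."""
    return round(risk.residual_score() - RISK_APPETITE[risk.category], 2)


def rank_for_treatment(register: list) -> list:
    """Risks outside appetite, largest breach first: the ranking 5.4 says ERM lacks."""
    over = [r for r in register if appetite_gap(r) > 0]
    return sorted(over, key=appetite_gap, reverse=True)


def build_register() -> list:
    """Constructed sample register; every value here is illustrative."""
    mfa = Control("MFA on admin access", 0.5, 20_000)
    monitoring = Control("24x7 log monitoring", 0.4, 30_000)
    dual = Control("Dual approval on loan origination", 0.6, 10_000)
    pr_plan = Control("Crisis communication plan", 0.3, 5_000)
    return [
        Risk("Customer data breach", "operational", 3, 5, [mfa, monitoring]),
        Risk("Loan origination fraud", "financial", 4, 4, [dual]),
        Risk("Late regulatory reporting", "compliance", 3, 4, []),
        Risk("Negative media coverage", "reputational", 2, 5, [pr_plan]),
    ]


def register_report(register: list) -> list:
    """Rows of (name, inherent, residual, cost, gap) in register order."""
    return [(r.name, r.inherent_score(), r.residual_score(),
             r.mitigation_cost(), appetite_gap(r)) for r in register]


if __name__ == "__main__":
    reg = build_register()
    for row in register_report(reg):
        print("%-28s inherent=%2d residual=%5.2f cost=%6.0f gap=%+5.2f" % row)
    print("Treatment order:", [r.name for r in rank_for_treatment(reg)])
```

Running the block shows that the uncontrolled compliance risk, not the headline data breach, is the one furthest outside appetite, and that the dual-approval control removes more score per unit of cost than the breach controls.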
5.5. What are the key requirements of ERM?
Implementing an ERM program requires dedicated staff and resources. The international management consultancy firm McKinsey & Company highlighted a few key capabilities for successful implementation of ERM. It mentions the following factors:
Risk insight and transparency: Risk transparency should cover factors such as market threats, potential operational crises, and legal issues. Ideally, the business should be as proactive as possible: instead of looking only at current and past risks, it should consider scenarios that could happen in the future.
Risk appetite and strategy: Establishing a risk appetite and strategy requires leadership to help create a risk-appetite statement, which is then incorporated into every level of the organization. Risk-appetite metrics can then help to set the strategy, guiding the business as a whole.
Risk-related decisions and processes: Through a successful ERM program, risk becomes embedded in all levels of the organization and guides the company's processes and decisions. This includes mergers and acquisitions, compliance and conduct, and people and performance management.
Risk organization and governance: This segment involves questioning and identifying where
financial responsibility for risk lies, as well as the structure and staffing of the risk organization.
Also, effective ERM requires dedicated resources. Successful organizations will prioritize risk
management by creating a chief risk officer position, as well as leaders from each department
who will take ownership of risk.
Risk culture and performance transformation: Here, the organization should take steps to introduce programs and initiatives that reinforce a strong risk culture. This is where the ERM program lays out specific actions, identifies team members, and sets milestones to help manage risk and monitor it over time.
5.6. What is Enterprise Risk Management Framework?
The Enterprise Risk Management Framework (ERMF) is a comprehensive approach to identifying, assessing, monitoring and managing risk based on the organization's risk appetite within the context of its risk environment. The ERMF is designed to support the achievement of the organization's priorities as presented in the Strategic Plan. This framework helps banks establish and maintain effective risk management practices to protect their assets, reputation and customers.
5.7. What are the challenges in adopting enterprise risk management?
Unlike many other projects, ERM is not simple to implement and has to overcome multiple challenges. The challenges include lack of proper support from top management, insufficient resources to meet the cost and to train professionals, inadequate knowledge of risk management, and so on. Integration of market risk management, credit risk management, liquidity risk management and operational risk management with other risks is a difficult step which requires significant effort, time and cost. Financial and banking consultants Seshagiri Rao Vaidyula and Jayaprakash Kavala pointed out a few challenges faced by banks in this regard:
Improving efficiency: Achieving greater efficiency in the risk and control processes, improving coordination, and unifying and streamlining approaches.
Challenging regulatory environment: Ever-changing regulatory demands, a high degree of regulatory scrutiny, variation of regulations across jurisdictions, and preparing to operationalize and comply with Basel III.
Keeping pace with business growth and complexity: Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, and increasing customer expectations.
Attracting and retaining talent: Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies.
Managing change: Dealing with people and organizational issues as new processes demand new methods of work.
Fear of compliance failures and emerging risks: Fear of compliance failures despite best efforts, due to human error or unanticipated events; identifying and preparing for future risks.
5.8. Define emerging risks with their characteristics.
Emerging risk (ER) is a new or unforeseen risk that hasn't yet been contemplated. It is a risk that is not on the radar, and its potential for harm or loss is not fully known. In other words, emerging risks are risks which may develop, or which already exist, that are difficult to quantify and may have a detrimental impact on an organization in the future. Identifying, investigating and monitoring emerging risks is a necessity for large organizations. This is a huge challenge; failure to do it can result in fines, losses, and reputational damage. That is why financial institutions need to utilize new technologies to help them improve their emerging risk strategy.
The Institute of Risk Management (IRM) has identified the following characteristics of ER:
Ambiguous: The risk itself is difficult to define.
Chaotic: Emerging risks are constantly changing.
Complex: Emerging risks can affect a large number of factors simultaneously.
Time-horizon can change: Emerging risks sometimes seem a long way off, but the time-horizon can change.
Uncertain: The lack of knowledge about what an emerging risk will become and how it will play out makes it difficult to consider such risks with certainty.
Uncontrollable: Emerging risks are often external to the organization, and outside direct control,
so the need is to adapt and respond, rather than to control.
Volatile: Significant changes in the risk within a short period.
5.9. Discuss the categories of emerging risks.
The IRM identifies three categories of emerging risks:
1. A new risk in a known context: Risks that emerge in the external environment and impact the organization's existing activities. For example, it is known that the regulations under which a bank is operating will change next year.
2. A known risk in a new context: The management of a risk may need to change if a new venture is started. For example, a commercial bank is setting up an investment banking and brokerage wing.
3. A new risk in a new context: Risks not previously considered because the risk is new to the organization.
In fact, ER is difficult to manage because the responsibilities of risk ownership are complex and unclear. One probable solution is to translate the vagueness of an ER into an organizational risk with which the organization is more familiar, e.g., regulatory, strategic or operational risk. This makes it easier to take action to tackle the risk.
5.10. What is risk appetite? Describe the benefits of articulating risk appetite.
Risk appetite can be defined as 'the amount and type of risk that an organisation is willing to take
in order to meet their strategic objectives'. Organisations will have different risk appetites
depending on their sector, culture and objectives. A range of appetites exist for different risks and
these may change over time.
Benefits of Articulating Risk Appetite:
A well-developed risk appetite statement and process can help:
a company better manage and understand its risk exposure
management make informed risk-based decisions
management allocate resources and understand risk/benefit trade-offs
improve transparency for investors, stakeholders, regulators and credit rating agencies.
5.11. Write down the risk appetite framework and how risk appetite statement should be
developed?
The science of developing and adopting a risk appetite framework (RAF) is still evolving at
banks all over the world. Some banks have adopted a high-level, brief, and qualitative statement
of RAF, while others have made it complex, lengthy, and quantitative. Risk appetite is the
cornerstone of a successful risk management framework.
A risk appetite framework should meet the following criteria:
Be reviewed and approved by the board of directors at least annually;
Be in line with the organization's strategy, objectives and key stakeholders' demands;
Cover all key risks discussing risk preferences both in terms of risks that are sought out and
risks that should be minimized;
Clearly document risks as part of a risk register, including risk-specific definitions, risk
owner, how and how often each risk will be measured, assumptions related to each risk,
judgment on severity and likelihood, and speed at which risks could manifest;
Recognize that losses occur and are part of business but include loss tolerances that are
reflective of overall business objectives;
Reflect the human and technological resources needed to measure and manage the bank's
risks in a timely fashion.
Developing Risk Appetite Statement:
Developing a risk appetite statement is a complex endeavor and is both art and science. The steps
in its development include:
Start with the bank's overall strategic and financial objectives.
Consider annual reports and financial statements, regulatory requirements, peer-group and
industry-wise growth, the bank's own portfolio growth, trend of NPL, profitability and capital,
liquidity position, risk management culture and practices, etc.
Determine the bank's risk profile.
Set tolerances for exposures and potential losses in consultation with the business line and
related departments.
Get board approval and communicate it throughout the organization.
In preparing the Risk Appetite Statement (RAS), banks are required to set the loan growth target in
line with their strategic objectives and state it in both absolute amount and percentage form. For
example, if a bank wants to achieve 20% loan growth in a particular year to meet its strategic
plan/objective, it should state the percentage of loan growth along with the increased amount of
loans. In this regard, banks have to mention at least the previous three years' actual performance along
with the current year's risk appetite, tolerance and limit. The expected loan growth/amount is also
to be distributed across each sector, industry and regional area under the heads of Risk Appetite, Risk
Tolerance and Risk Limit/Threshold. Risk appetite should be measurable, subject to a time frame
for periodic review, and must have risk treatments. In case of an interim review (if
necessary), the revised appetite statement shall have to be approved by the board of directors,
submitted to the Department of Off-site Supervision (DOS) of Bangladesh Bank (BB) and communicated throughout the organization. However, repeated
review of the risk appetite statement is discouraged.
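Added example, not part of the study guide or of any bank's actual RAS: a small Python monitor that places each sector's year-end loan growth under the three heads named above (Risk Appetite, Risk Tolerance, Risk Limit/Threshold), states growth as both percentage and absolute amount, checks that the bank-wide appetite is fully distributed across sectors, and attaches the previous three years' actual growth for the board report. All sector names, balances, thresholds and history are constructed for illustration.

```python
"""Added example (not from the study guide): monitoring sector loan growth
against a risk appetite statement. Sector names, balances, thresholds and
history below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SectorAppetite:
    sector: str
    opening: float         # sector loan balance at start of the year (constructed)
    appetite_pct: float    # growth the board actively seeks
    tolerance_pct: float   # growth the board will bear before escalation
    limit_pct: float       # hard threshold; beyond it the board must act

    def amount_for(self, pct: float) -> float:
        """Absolute growth implied by a percentage; the RAS must state both."""
        return round(self.opening * pct / 100, 2)


def classify_growth(s: SectorAppetite, closing: float) -> dict:
    """Place a sector's actual year-end growth under the right RAS head."""
    growth_amt = closing - s.opening
    growth_pct = growth_amt / s.opening * 100
    if growth_pct <= s.appetite_pct:
        status = "WITHIN_APPETITE"
    elif growth_pct <= s.tolerance_pct:
        status = "WITHIN_TOLERANCE"     # second line monitors; no escalation
    elif growth_pct <= s.limit_pct:
        status = "TOLERANCE_EXCEEDED"   # report to senior management
    else:
        status = "LIMIT_BREACHED"       # escalate to the board with a risk treatment
    return {
        "sector": s.sector,
        "appetite_pct": s.appetite_pct,
        "appetite_amt": s.amount_for(s.appetite_pct),
        "growth_pct": round(growth_pct, 2),
        "growth_amt": round(growth_amt, 2),
        "status": status,
    }


def distribution_is_complete(bank_appetite_pct: float,
                             sectors: list, rel_tol: float = 0.005) -> bool:
    """The bank-wide appetite amount must be fully allocated to the sectors."""
    total_opening = sum(s.opening for s in sectors)
    target = total_opening * bank_appetite_pct / 100
    allocated = sum(s.amount_for(s.appetite_pct) for s in sectors)
    return abs(allocated - target) <= rel_tol * target


def board_report(bank_appetite_pct: float, sectors: list,
                 closings: dict, history: dict) -> dict:
    """Consolidated RAS report: per-sector status, breaches and 3-year history."""
    rows = []
    for s in sectors:
        row = classify_growth(s, closings[s.sector])
        row["prior_three_years_pct"] = history[s.sector]
        rows.append(row)
    total_open = sum(s.opening for s in sectors)
    total_close = sum(closings[s.sector] for s in sectors)
    return {
        "bank_appetite_pct": bank_appetite_pct,
        "bank_growth_pct": round((total_close - total_open) / total_open * 100, 2),
        "distribution_ok": distribution_is_complete(bank_appetite_pct, sectors),
        "sectors": rows,
        "breaches": [r["sector"] for r in rows if r["status"] == "LIMIT_BREACHED"],
    }


# Constructed RAS for one year (amounts in crore); bank-wide appetite is 20%.
SECTORS = [
    SectorAppetite("RMG", 1000.0, 20.0, 25.0, 30.0),
    SectorAppetite("Agriculture", 500.0, 16.0, 20.0, 25.0),
    SectorAppetite("SME", 800.0, 22.5, 27.5, 32.5),
]
# Constructed year-end balances and the prior three years' actual growth (%).
CLOSINGS = {"RMG": 1180.0, "Agriculture": 640.0, "SME": 1016.0}
HISTORY = {"RMG": [12.0, 15.5, 18.0], "Agriculture": [9.0, 11.0, 14.5],
           "SME": [17.0, 19.5, 21.0]}

if __name__ == "__main__":
    report = board_report(20.0, SECTORS, CLOSINGS, HISTORY)
    for row in report["sectors"]:
        print(f"{row['sector']:<12} growth {row['growth_pct']:>5}% "
              f"({row['growth_amt']} vs appetite {row['appetite_amt']}) {row['status']}")
    print("bank-wide growth:", report["bank_growth_pct"], "% | breaches:", report["breaches"])
```

In the constructed data, Agriculture grows 28% against a 25% limit and is the only sector escalated to the board, while SME sits between appetite and tolerance and is merely monitored.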
5.12. What do you mean by risk culture? How is it developed? Write the impact of risk culture
on risk management.
Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about
risks and risk taking. For FIs, risk culture is their norms, attitudes, and behavior related to risk
awareness, risk-taking, and risk management and controls that shape decision on risks. It influences
the decisions of employers and employees during their day-to-day activities, even when they are not
consciously analyzing and weighing risks. It also has a bearing on the risks they assume. Basel's
Principles for the Sound Management of Operational Risk defines risk culture as the combined set
of individual and corporate values, attitudes, competencies and behavior that determine a firm's
commitment to and style of operational risk management.
Every banking institution should develop an integrated and institution-wide risk culture, based on a
full understanding of the risks it faces and how they are managed, considering risk tolerance and
appetite. Since the business of banks involves risk taking, it is fundamental that risks are
appropriately managed. A sound and consistent risk culture throughout a financial institution is a key
element of effective risk management.
A bank should develop its risk culture through policies, examples, communication, and training of
staff regarding their responsibilities for risk. Every member of the bank should be fully aware of his
or her responsibility regarding risk management. Risk management should not be confined to risk
specialists or to control functions. Business and operational units, under the oversight of the
management body, should be primarily responsible for managing risk on day-to-day basis,
considering risk tolerance and risk appetite, and in line with the bank's risk policies and procedures.
Risk culture and its impact on effective risk management must be a major concern for the board and
senior management. A sound risk culture encourages effective risk management, promotes sound
risk-taking and ensures that risk-taking activities beyond the institution's risk appetite are recognized,
assessed, reported, and addressed in a timely manner. Weaknesses in risk culture are often the root
cause for occurrence of significant risk events, financial institution failures, and financial crisis.
5.13. Why can a risk culture fail?
McKinsey identifies ten factors, with examples, and arranges them in four groups which can
indicate the reasons for risk culture failure in a particular organization. The four groups are: (1)
Transparency of risk, covering (a) communication, (b) tolerance and (c) level of insight; (2)
Acknowledgement of risk, covering (a) confidence, (b) challenge and (c) openness; (3)
Responsiveness to risk, covering (a) level of care and (b) speed of response; and (4) Respect for risk,
covering (a) cooperation and (b) adherence to rules.
5.14. What are the material risks?
The following are the material risks, which can be managed or minimized by adopting various
measures.
Credit Risk: Credit risk refers to the probability of loss due to a borrower's failure to make
payments on any type of debt. Credit risk management is the practice of mitigating losses by
understanding the adequacy of a bank's capital and loan loss reserves at any given time, a
process that has long been a challenge for financial institutions.
Market Risk: Market risk mostly occurs from a bank‘s activities in capital markets. It is due to
the unpredictability of equity markets, commodity prices, interest rates, and credit spreads. Banks
are more exposed if they are heavily involved in investing in capital markets or sales and trading.
Commodity prices also play a role because a bank might have invested in companies that
produce commodities.
Liquidity Risk: Liquidity risk refers to the ability of a bank to access cash to meet funding
obligations. Obligations include allowing customers to withdraw their deposits. The inability to
provide cash to customers in a timely manner can result in a snowball effect: if a bank delays
providing cash to a few of its customers for a day, other depositors may rush to withdraw their
deposits as they lose confidence in the bank. Liquidity risk can be mitigated through conscious
financial planning and analysis, by forecasting cash flow regularly, by monitoring and
optimizing net working capital, and by managing existing credit facilities.
Interest Rate Risk: Interest rate risk in bank refers to the current or prospective risk to the bank's
capital and earnings arising from adverse movements in interest rates that affect the bank's
banking book positions. When interest rates change, the present value and timing of future cash
flows change. In other words, it is the probability of a decline in the value of an asset resulting
from unexpected fluctuations in interest rates.
Operational Risk: Operational risk is the risk of loss due to errors, interruptions, or damages
caused by people, systems, or processes. The operational type of risk is low for simple business
operations such as retail banking and asset management, and higher for operations such as sales
and trading. Losses that occur due to human error include internal fraud or mistakes made during
transactions.
Information Technology Risk: Technology risk arises from the use of computer systems in the
day-to-day conduct of the bank's operations, reconciliation of books of accounts, and storage and
retrieval of information and reports. The risk can occur due to the choice of faulty or unsuitable
technology and adoption of untried or obsolete technology.
Legal Risk: Legal risk was defined as part of operational risk by the Basel II accord in 2003. It
includes the risk of financial or reputational loss resulting from any type of legal issue. This
could include a lack of awareness or misunderstanding of the way laws and regulations apply to a
business. But companies can take action to reduce this risk. For example, a corporation may
require all its employees to undergo health and safety training in order to reduce its legal risk
from compensation claims. Legal risk can be reduced largely by appointing dedicated legal
experts to review the regulatory and litigation risk likely to arise from an operation or a product launch.
Such a specialized expert can examine the procedure or product and provide a report on potential
regulatory violations and lawsuit risks.
Compliance Risk: Compliance risk is the current and prospective risk of damage to the
organization's business model or objectives, reputation and financial soundness arising from non-
adherence with regulatory requirements of the regulators and/or expectations of key stakeholders
such as customers, employees and society as a whole.
Reputation Risk: Reputational risk is the risk that the bank might be exposed to negative
comment and opinion due to the contravention of applicable regulatory requirements. This can
occur through negative publicity in the news or social media, public sanction by regulators or by
word of mouth on the part of staff, competitors, customers and other stakeholders.
Strategic Risk: Strategic risk refers to the events or decisions that could potentially stop an
organization from achieving its goals. It also refers to the danger of an organization's strategic
choices being incorrect, or not responding effectively to changing environments.
5.15. How can material risk be managed in bank and financial institutions?
For ensuring successful risk management across the organization, the following features should,
at least, be present in the bank:
a) Submission of consolidated report to the board and senior management team incorporating
different types of risks, risk mitigation measures, comparison of risk levels with limits, the level
of capital required for absorbing large losses, and suggestions for restoring capital;
b) Consistency between the risks taken by the management and the risks perceived by the board;
c) Active, firm-wide risk management approach that includes all business lines;
d) Development of in-house expertise relying on various sources/factors including market data,
credit ratings, published analyses, etc.;
e) Alignment of treasury functions with risk management;
f) Active management of contingent liabilities;
g) Use of both firm-specific and market-wide stress scenarios for liquidity management;
h) Efficient and effective management of asset and liability;
i) The stress testing result under consideration to understand the impact of adverse scenario on
the bank's profitability or capital;
j) Independent risk management functions with sufficient authority, logistic support and
continuous communication with business lines;
k) Experienced and expert personnel for performing risk management activities;
l) Importance given to the risk management officials' opinion.
5.16. What do we understand by three lines of defense? Elaborate the lines.
The three lines of defense model includes:
1st line of defense: Business operations
2nd line of defense: Risk and control functions
3rd line of defense: Internal audit
The first line of defense provides that the business and operation units of the institution have in
place effective processes to identify, assess, measure, monitor, mitigate, and report on their risks.
Each unit operates in accordance with the risk policies and delegated mandates. The units are
responsible for having skills, operating procedures, systems, and controls in place to ensure their
compliance with risk policies and mandates.
The second line of defense relates to the appropriate Internal Control framework put in place to
ensure effective and efficient operations, including the following:
adequate control of risks;
prudent conduct of business;
reliability of financial and non-financial information reported or disclosed (both internally
and externally); and
compliance with laws, regulations, supervisory requirements, and the institution's internal
policies and procedures.
The Internal Control framework encompasses risk control function and compliance function, and
should cover the whole organization, including the activities of all business, support, and control
units. The risk management unit, headed by a Chief Risk Officer, has the responsibility for
recommending and monitoring the bank's risk appetite and policies, and for following up and
reporting on risk related issues across all risk types.
The third line of defense consists of the bank's internal audit, which performs independent
periodic reviews of the first two lines of defense, provides assurance, and reports on the strengths and
potential weaknesses of the first two lines.
5.17. Write down the importance of 2nd line functions.
The second line roles can focus on specific objectives of risk management, such as: compliance
with laws, regulations, and acceptable ethical behavior; internal control; information and
technology security; sustainability; and quality assurance. Alternatively, second line roles may
span a broader responsibility for risk management, such as enterprise risk management (ERM).
However, responsibility for managing risk remains a part of first line roles and within the scope
of management.
But the second line of defense is managerial and is responsible for oversight of the doers. They
also develop and implement risk management processes, policies and procedures. The second
line needs to be strong and independent because the first line will be more effective when the
second line coordinates its activities. Doers can take pride in owning risk and being
accountable, which enhances their ability to lead.
The second line is also in a perfect position to see what's working and what isn't, and they have
the authority to make changes like adding controls to reduce risk. As they monitor the first line's
activities, the second line can provide input and deliver on the organization's risk management
strategy.
Thus, by strengthening the second line of defense, the risk management function addresses those
elements that are of fundamental importance for efficient risk management.
5.18. How can the 2nd line functions be strengthened?
The second line of defense is constituted of the basic infrastructure processes of support to the
first line of defense and the third line of defense. Processes of the second line of defense, as
elaborations of the basic functions, can be presented in the way that is suitable for the analysis of
the strengthening impact. Those have been mentioned by The Institute of Internal Auditors in
their global document:
Supporting management policies, defining roles and responsibilities, and setting goals for
implementation.
Providing risk management frameworks.
Identifying known and emerging issues.
Identifying shifts in the organization‗s implicit risk appetite.
Assisting management in developing processes and controls to manage risks and issues.
Providing guidance and training on risk management processes.
Facilitating and monitoring.
Implementation of effective risk management practices by operational management.
Alerting operational management to emerging issues and changing regulatory and risk
scenarios.
Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of
reporting, compliance with laws and regulations, and timely remediation of deficiencies
A functionally independent corporate operational risk management function is the second line of
defence that, as a rule, complements the activities of business lines` operational risk
management. This second line of defence needs to be independent from risk generating business
lines and responsible for the design, maintenance, and ongoing development of operational risk
framework within the bank.
5.19. What do you mean by regulatory compliance?
Compliance refers to operating the bank in conformance with the laws, regulations, policies,
standards, guidelines, etc. that apply to all institutions in its category, and to responding fully
and in a timely manner to supervisory criticism and orders to take corrective action issued by the
applicable regulatory authorities or law enforcement bodies. In this context, compliance also
refers to the preventive actions taken to mitigate compliance risk, which is the risk of legal or
regulatory sanctions, material financial loss, or loss of reputation as a result of failure to comply
with applicable rules.
5.20. What are the core principles of regulatory compliance?
The traditional compliance model of banks was formulated with a different purpose, which was
limited to the legal function. Banks treated regulations and internal policies as an advisory
service, with limited focus on actual risk identification and management.
Commonly, managers devise their own means of working out which specific controls are required
to address regulatory requirements, which is a labor-intensive control activity of uncertain
effectiveness. Many banks still struggle with fundamental compliance issues such as compliance
literacy, accountability and risk culture.
The banking industry faces regulatory requirements and compliance challenges such as:
- Regulations change continuously worldwide, so the compliance function becomes ever more
demanding. Smaller banks with a weak compliance culture need to increase the skills and number
of their professionals and to improve their IT tools.
- Basel III requires proper detection, measurement and reporting of risks. Emerging risks are a
perpetual threat, so the risk functions of banks need to change, with innovation and
cost-efficiency.
- Money laundering scandals keep surfacing at banks, sometimes without the knowledge of the
bank involved, although a bank always remains liable for any case of money laundering.
- Proper reporting is a demanding requirement for banks, and each field of reporting has its own
reporting standards, which makes reporting projects more complicated and challenging.
- Because banks handle large quantities of personal data and information, data storage,
management and secrecy remain a significant compliance project.
5.21. Describe the compliance requirements.
McKinsey & Company, in its paper on a best-practice model for bank compliance, has outlined
the compliance requirements and the issues to be addressed in a comprehensive manner. The
paper points out three core principles for addressing the challenges:
1. Role of compliance and active ownership of the risk-and-control framework
In most cases banks need to transform the role of their compliance department from that of an
adviser to one that puts more emphasis on active risk management and monitoring. In practice
this means expanding beyond offering advice on statutory rules, regulations, and laws and
becoming an active co-owner of risks that provides independent oversight of the control
framework.
Given this evolution, the responsibilities of the compliance function are expanding rapidly to
include the following:
- Generating practical perspectives on the applicability of laws, rules, and regulations across
businesses and processes.
- Creating standards for risk materiality by defining material risk, tolerance levels, and risk
appetite.
- Developing and managing a robust risk identification and assessment process and tools.
- Developing and enforcing standards for an effective risk-remediation process, such as
root-cause analysis and performance tracking, to ensure that issues are fully addressed.
- Establishing standards for training programs and incentives that fit the realities of each type
of job.
- Ensuring that the front line effectively applies the processes and tools that have been developed
by compliance.
- Performing a regular assessment of the state of the overall compliance program.
- Understanding the bank's risk culture and its strengths as well as its potential shortcomings.
2. Transparency into residual risk exposure and control effectiveness
The traditional practice of the second line's engagement with the business is not sufficient to
create real and comprehensive transparency into material risk exposures, and often becomes a
merely mechanical exercise.
First, the lack of an objective and clear definition of a "high-risk process" frequently leaves this
decision to the discretion of the business lines, which can lead to the omission of risks that are
critical from a compliance-risk standpoint but deemed less significant from a business standpoint.
This approach also suffers from inconsistencies. As an example, an account-opening process may
be deemed high risk in some retail units but not in others.
Second, the pursuit of documenting virtually "all risks" and "all controls" implies a significant
amount of work and actually limits the first line's ability to go deep on the issues that truly
matter, producing lengthy qualitative inventories of risks and controls instead of identifying
material risk exposures and analyzing the corresponding process and control breakpoints and
root causes.
3. Integration with the overall risk-management governance, regulatory affairs, and
issue-management process
Compliance risks are driven by the same underlying factors that drive other banking risks, but
the stakes are higher in the case of adverse outcomes. It is therefore only fitting that a modern
compliance framework be fully integrated with the bank's operational-risk view of the world.
Integrating the management of these risks offers tangible benefits. First, it ensures that the
enterprise has a truly comprehensive view of its portfolio of risks and visibility into any systemic
issues, and that no material risk is left unattended. Second, it lessens the burden on the business
as well as on the control functions. Third, it facilitates a risk-based allocation of enterprise
resources and of management actions on risk remediation and investment in cross-cutting
controls.
The following practical actions can help FIs firmly integrate compliance into the overall
risk-management governance, regulatory affairs, and issue-management process:
- Develop a single integrated inventory of operational and compliance risks.
- Develop and centrally maintain standardized risk, process, product, and control taxonomies.
- Coordinate risk assessment, remediation, and reporting methodologies and calendars.
- Define clear roles and responsibilities between risk and control functions at the individual
risk level to ensure there are no gaps or overlaps, particularly in "gray areas" where disciplines
converge.
- Develop and jointly manage integrated training and communication programs.
- Establish clear governance processes and structures with mandates that span risk and support
functions, and that ensure sufficient accountability, ownership, and involvement from all
stakeholders, even when issues cut across multiple functions.
- Consistently involve senior compliance stakeholders, and align them in a timely manner, in
determining action plans, target end dates, and the prioritization of issues and matters requiring
attention.
- Establish a formal link and coordination processes with government affairs.