Risk Library

The document outlines three major categories of risk: environment risk, process risk, and information for decision making risk. Under environment risk, it lists nine specific types including competitor risk, technology innovation risk, and financial markets risk. Process risk includes nine types such as operations risk and product pricing risk. Information for decision making risk includes risks related to process/operational decisions, financial/business decisions, and strategic/portfolio decisions. Definitions are provided for each risk type.

Uploaded by

Dennis Bacay

RISK LIBRARY

I- Major Risk Category:


1) Environment Risk
2) Process Risk
3) Information for Decision Making Risk

II- Type of Risk


1) Environment Risk
1.1) Competitor
1.2) Technology Innovation
1.3) Sensitivity
1.4) Sovereign/Political
1.5) Legal
1.6) Regulatory
1.7) Industry
1.8) Financial Markets
1.9) Catastrophic Loss
2) Process Risk
2.1) Operations Risk
2.2) Empowerment Risk
2.3) Information Processing/Technology Risk
2.4) Integrity Risk
2.5) Financial Risk
2.6) Product Pricing Risk
2.7) Contract Commitment Risk
2.8) Performance Measurement Risk
2.9) Alignment Risk
3) Information for Decision Making Risk
3.1) PROCESS/OPERATIONAL DECISION MAKING RISK
3.1.1) Product Pricing Risk
3.1.2) Contract Commitment Risk
3.1.3) Performance Measurement Risk
3.1.4) Alignment Risk
3.2) FINANCIAL AND BUSINESS DECISION MAKING RISK
3.2.1) Budget and Planning Risk
3.2.2) Accounting Information Risk
3.2.3) Financial Reporting Evaluation Risk
3.2.4) Taxation Risk
3.2.5) Compensation and Benefit Risk
3.2.6) Investment Evaluation Risk
3.2.7) Regulatory Reporting Risk
3.3)
3.3.1) Environmental Scan Risk
3.3.2) Business Portfolio Risk
3.3.3) Valuation Risk
3.3.4) Business Portfolio Risk
3.3.5) Performance Measurement Risk
3.3.6) Organization Structure Risk
3.3.7) Resource Allocation Risk
3.3.8) Planning Risk
3.3.9) Product Life Cycle Risk

III- Risk Definitions

Environment Risk


Environment risk arises when there are external forces that could significantly change the fundamentals that drive Group's overall
objectives and strategies and, in the extreme, put any segment of the Group out of business.
Type of Risk

Definition/s

Environment risk arises from failure to understand customer wants, failure to anticipate or react to actions of competitors, overdependence on vulnerable sources of income or funds, etc. Management's assumptions about the business environment provide a critical starting point for formulating and evaluating business strategies. If key managers do not have a common understanding of the key environment risks, the Group's strategic objectives will not be focused. Because of the high stakes of strategic error, management must have assurance that the key environmental assumptions on which its strategy is based are consistent with reality.

Competitor Risk

Actions of competitors or new entrants (conventional and otherwise), including newly merged entities (e.g. banks, securities firms, insurance companies, asset management companies etc.), to the market threaten Group's competitive advantage or even its ability to dominate the market. These actions include introducing new products to the market, improving product quality, increasing productivity and reducing costs, and reconfiguring the value chain in the eyes of the customers.

Technological Innovation Risk

The Group is not leveraging advancements in technology in its business model to achieve or sustain competitive advantage, or is exposed to the actions of competitors or substitutes that leverage technology to attain superior quality, cost and/or time performance in their products, services and processes.

Sensitivity Risk

Over-commitment of resources and expected future cash flows threatens Group's capacity to withstand changes in environment forces beyond its control (e.g., interest rates, market demand, changes in regulations, etc.).

For example:

- Unfavorable changes in competitor capabilities, interest rates, currency rates, inflation, capital markets, international trade and other economic conditions that are closely tied to the business cycle can adversely affect and threaten competitive advantage of the Group.
- The Group's strategy to grow rapidly, expand geographically and invest in significant high risk lines of business can increase its sensitivity exposure to unexpected economic, regulatory and market developments.
- Systemic risk for financial institutions is a form of sensitivity risk. It is the risk that financial difficulties in one financial institution or a major market disruption will cause uncontrollable financial harm to other institutions or prevent the effective operation of the financial system generally.

Sensitivity risk also results when the Group is too inflexible to change in response to changes in the environment. If the Group's business processes cannot be aligned to satisfy customer wants and meet the challenges of changing technological advances, unexpected competitor actions or other external environmental changes, its ability to compete will be significantly affected.

Sovereign/Political Risk

Adverse political actions in a country in which the Group has invested significantly or has entered into a significant agreement with a counterparty subject to the laws of that country threaten the Group's resources and future cash flows.

For example, possible nationalization, expropriation of assets without compensation, currency blockage or other restrictions could result in significant losses to the Group.

Sovereign risk is a reflection of a country's financial standing in the world community and, to some degree, a function of the country's political stability and historical performance in meeting its international financial obligations. The greater the probability a government may impose foreign exchange controls, thus making it impossible for a counterparty or foreign subsidiary to honor its commitments, the greater is the sovereign risk.

For example:

- An institution may be barred from doing business in a country;
- An issuer/obligor may be barred by its government from making interest and principal payments on its debt;
- Counterparty to a derivative contract (i.e., a swap) is barred by its government.

Legal Risk

Changing laws (local and foreign, in countries in which the Group has operations) threaten the Group's capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities.

Changes in laws and litigation claims and assessments can also result in increased competitive pressures and significantly affect the Group's ability to efficiently conduct business. For example, uncontrolled litigation, and punitive damages (i.e. lender liability) can cause tremendous uncertainty in decision making and create potentially unacceptable liabilities for businesses.

Regulatory Risk

Changing regulations (local and foreign countries in which the Group has operations) threaten the Group's
competitive position and its capacity to efficiently conduct business. This can result in increased competitive
pressures and significantly affect the Group's ability to efficiently conduct business. For example, regulators can
significantly change the rules of the marketplace and thrust entire industries into a vastly different competitive
environment (e.g., the ability of universal brokers to offer full range of specified financial services).

Industry Risk

Changes in opportunities and threats, capabilities of competitors, and other conditions affecting the financial
services industry threaten the attractiveness of the entire industry.
There are also other risks that can be broadly categorized under "industry risk" because they tend to affect
different industries in different ways:

- Demographic Risk - The risk that demographic trends will affect the industry's customer base and work force.
- Social/Cultural Risk - The way people live, work and behave as consumers can affect the industry's products and services. For example, society's acclimatization to the internet will impact the delivery of competitive products and services, etc.
- Natural Disaster Risk - Severe weather, flooding, earthquakes and other natural disasters affect most industries, some more directly than others. For example, weather affects market demand for gas and electricity. Inclement weather that is out-of-season also adversely affects the citrus industry. This could significantly impact the ability of the borrowers to pay their obligations.

Finally, there is the risk that an entire industry's public image will be tarnished or damaged due to negative
publicity. Factors that can affect the image include industry consolidation, failures, large derivative losses, etc.

Financial Markets Risk

Exposure to changes in the earnings capacity or economic value as a result of changes in financial market variables which affect income, expense or balance sheet values. For example:

- The market price of financial instruments (e.g., investment securities, foreign currency debt instruments, or commodities)
- Market rates which influence income and expenses (e.g., interest rates, currency rates)
- An index (e.g., a stock market index) which can affect either the price of a financial instrument or the value of a commercial transaction such as export sales

Financial market exposures can result in substantial losses if the exposures are unhedged or imperfectly hedged.
Financial markets risk can be incurred in a number of different ways. For example:

- Yield Risk - Exposure to changes in earnings as a result of fluctuations of market factors (e.g., interest rate changes, currency fluctuations, etc.) which affect income from unhedged assets or the cost of unhedged liabilities (including executory contracts and other contingent exposures).
- Price Risk - Exposure to changes in earnings or net worth as a result of price level changes.
- Credit Risk - The exposure to actual loss or opportunity losses as a result of deterioration in the ability of a counterparty to honor its obligations and/or deterioration in the collateral value.
- Liquidity Risk - Exposure to loss resulting from the inability to convert assets (e.g., investment securities, receivables, inventories) to an equivalent cash value, or to raise unsecured funding, in a timely and cost-effective manner.
- Systemic Risk - Exposure to loss as a result of a major market disruption which adversely affects all participants in that market (e.g., the inability to repatriate funds held in a foreign country due to the failure of its financial markets and/or banking system).
- Complexity Risk - Exposure to loss resulting from entering into complex transactions, the structure and pricing of which are not completely understood.

Catastrophic Loss Risk

A major disaster threatens the Group's or business unit's ability to sustain operations, provide essential products and services or recover operating costs.

The inability to recover from such events in a world class manner could damage the Group's reputation, ability to obtain capital, and investor relationships. There are two sources of catastrophic losses:

- Uncontrollable - Disasters from war, terrorism, fire, earthquake, severe weather and flooding and other similar events are completely beyond the control of the Group. However, their effects on the Group's assets and operations can be managed.
- Controllable - Environmental disasters, pervasive health and safety violations, incredibly high litigation costs, huge losses from derivatives, massive business fraud, and significant losses in market share because of failure to abandon strategies that no longer work can be as catastrophic in their effects on a business as an uncontrollable disaster; however, the business activities that contribute to these losses are within the control of the Group.

Breakdowns in any of these areas can threaten the very survival of the business. The risk of catastrophic losses occurring overlaps with other business risks that relate more specifically to the potential for adverse events, i.e., Product/Service Delivery, Environmental, Health and Safety, and Derivative Risks.

PROCESS RISK
Process risk is the risk that business processes:

- Are not clearly defined;
- Are poorly aligned with business strategies;
- Do not perform effectively and efficiently in satisfying customer needs; and
- Expose significant financial, physical and intellectual assets to unacceptable losses, risk taking, misappropriation or misuse.

The interdependencies of processes within a business/function/entity and with customers and suppliers are a contributing factor to
process risk. Deficient outputs from one business process are deficient inputs to another. Process risk includes:

Type of Risks

Definition

OPERATIONS RISK

Operations risk is the risk that operations are inefficient and ineffective in satisfying customers and achieving Group's quality, cost and time objectives.

Customer Satisfaction Risk

A lack of focus on customers threatens the capacity to meet or exceed customer expectations. The consequences of dissatisfied customers are severe: permanent loss of repeat business, declining revenues, and loss of market share. Without a constant drive towards customer satisfaction and continuous improvement, the Group will neither understand nor accept the product characteristics or service elements necessary to remain competitive and will fail to improve its products and processes. If the Group does not focus on the root causes of customer dissatisfaction, long-term growth may be impossible and survival doubtful.

Human Resources Risk

The personnel responsible for managing and controlling a business process/function/entity/business unit do not possess the requisite knowledge, skill and experience needed to ensure that critical business objectives are achieved and significant business risks are reduced to an acceptable level.

Product Development Risk

Inadequate product development threatens the Group's ability to (1) meet or exceed customers' needs and wants consistently over the long-term; and/or (2) the product profitability does not meet the minimum requirement of the management or the product is not profitable. The Group's product development process creates products that:

- Customers don't want or need.
- Are priced at a level customers are not willing to pay.
- Meet a need but are late in reaching the market that a competitor reached first.
- Are not profitable or do not meet the minimum required by the management to meet shareholders' expectations.

The productivity of the product development process is significantly less than that of the more innovative competitors who are able to achieve higher productivity through a stronger customer focus, focused marketing, faster cycle time and longer product life.

Capacity Risk

Insufficient capacity threatens the Group's ability to meet customer demands, or excess capacity threatens the Group's ability to generate competitive profit margins.

Capacity risk has several dimensions:

- The effective productive capacity of the delivery channel is not fully utilized, resulting in fixed costs spreading over fewer units and creating higher unit costs and lower unit margins.
- The effective productive capacity of the delivery channel is not adequate to fulfill customer needs and demands, resulting in lost business.

Unnecessary activities also threaten the Group's capacity to produce and deliver goods or services on a timely basis.

Compliance Risk

Non-compliance with customer requirements, prescribed internal Group policies and procedures may result in lower quality, higher production costs, lost revenues, unnecessary delays, penalties, fines, embarrassment, etc.

As a result of a flaw in design or operation or due to human error, oversight or indifference, the Group's processes do not meet customer requirements the first time or do not comply with prescribed procedures and policies, or contractual obligations. Compliance risk, sometimes referred to as non-conformance risk, results in lower quality, higher costs, lost revenues, unnecessary delays and potentially lack of contract enforceability and losing customer confidence.

The risk of non-conformance also gives rise to product/service delivery risk because if it is not detected and corrected before a product or service is delivered to the customer, a product or performance failure results.

Compliance risk can lead to a diminished reputation, reduced business opportunities and lessened expansion potential. It can also increase exposure to integrity risk (see "Integrity Risk") or occur as a result of empowerment risk (see "Empowerment Risk").

Performance Gap Risk

Inability to perform at world class levels in terms of quality, costs and/or cycle time due to sub-par operating practices compared to that of the competitors or recognized standards/benchmarks threatens the demand for Group's products or services.

A business process does not perform at a world class level because the practices designed into the process are not optimal. When compared to that of the competitors or best of class performers, there is an unfavorable performance gap because of lower quality, higher costs, or longer cycle times. When customers discover the alternatives provided by superior performing competitors, they cease to purchase/acquire the Group's products/services.

One reason for the gap can be due to the elapsed time between the start and completion of a business process (or activity within a process) which is too long because of redundant, unnecessary and irrelevant steps. Cycle time can be measured for all operations, e.g., application, credit processing, funding and monitoring, etc. Cycle time risk has many forms. For example, competitors using time as a strategic weapon can pose a formidable threat if they significantly alter the cost structure of the value chain to the end user. Total cycle time reduces the need to tie up cash, liberating funds for growth opportunities. For example:

- Providing mortgage loans over the phone with electronic credit scoring;
- Pre-approve retail credit facilities for retail customers with access within 24 hour notification;
- The use of technology to deliver products and services. For example, the use of electronic home banking providing customer access to all accounts;
- Providing no hassle, new transaction account set up. The ability to eliminate barriers to establishing new relationships will provide institutions with a competitive advantage.

Regulatory Compliance Risk

Regulatory compliance risk arises from non-conformance with laws and regulations at the
international, country, state and local levels that apply to Group or any of its business units
and its business processes.
This risk also arises in situations where the laws or regulations governing certain products or
activities of the Group's clients may be ambiguous or untested. Regulatory compliance risk
exposes the Group to sanctions, fines and penalties and can lead to a diminished reputation,
reduced brand name value, limited business opportunities and lessened expansion
potential.

Business Interruption Risk

Business interruptions stemming from the unavailability of sufficient funding, liquidity, information technologies, skilled labor or other resources threaten the Group's or any of its business unit's capacity to continue operations.

The Group's capability to continue critical operations and processes may be highly dependent on availability of certain information technologies, skilled human (different from the Human Resources risk that impedes the capability to perform, the human related Business Interruption Risk here is more detrimental, to the extent of interrupting the business) and other resources. If facilities, people with the requisite experience and skills and other critical resources were not available or if critical information systems went down, the Group would experience difficulty in continuing operations in the desired manner. Advanced disaster recovery planning and testing is essential.

Business interruption can arise from accidents, weather, work stoppages, sabotage and crisis, and results in dissatisfied customers and loss of revenue, profits and competitive position. Business interruption attributable to a loss of critical information systems is described as "Availability Risk" under "Information Processing/Technology Risk".

Product/Service Delivery Risk

Faulty or non-performing products or services expose the Group to customer complaints, liability claims, litigation, and loss of revenues, market share and business reputation. The Group's operations create risk of customers receiving inaccurate or untimely services. These failures usually occur as customer complaints are not addressed on a timely basis. They can significantly affect Group's reputation, future expansion, fraud prevention controls and market share.

Health and Safety Risk

Failure to provide a safe working environment for its personnel exposes the Group to compensation liabilities, loss of business reputation and other costs.

Personnel health and safety risks are significant if not controlled because they expose the Group to potentially significant workers' compensation liabilities. Workers' compensation laws, which vary from country to country, can result in severe financial losses if respective operations do not strictly comply with them.

Costs associated with on-site operating facility accidents have risen dramatically since the 1970s and have a far reaching impact on the employee, his or her family and friends, and fellow employees. The negative publicity from highly visible human and other costs associated with health and safety issues also can create reputation loss for the bank Group. The Group and their respective managers could find themselves criminally liable for failure to monitor and provide a safe working environment for their employees.

Brand Name Erosion Gap Risk

Erosion of the brand name over time threatens the demand for the Group's products or services. It is a risk that the brand name will lose its value over time to a business in building and retaining demand for its products and services.

A brand name is a word, symbol or device - or any combination of these - that identifies a product or service and distinguishes that product or service from the products or services of other financial services institutions. The risk can arise because of the occurrence of other risks, e.g. Product/Services Delivery Risk, or the social appearance of the Group compared to other competitors in the eyes of the community, or a combination of them.

Partnering Risk

Inefficient or ineffective alliance, joint ventures, affiliate and other external relationships affect the Group's capacity to compete; these uncertainties arise due to choosing the wrong partner, poor execution, taking more than is given (resulting in loss of a partner) and failing to capitalize on partnering opportunities.

Many companies today are focusing on core competencies and core businesses. They are realizing that it is very hard to be "all things to all people", particularly when fast reaction and speed to market and opportunity are becoming increasingly important.

Partnering with other organizations to achieve the Group's objectives is emerging as a strategic enabler and risk mitigation strategy. While partnering can take many forms legally and structurally (literal partnerships, strategic alliances, cost-sharing arrangements, co-branding arrangements, etc.) the essence is establishing a relationship with another organization that is perceived to benefit both. Partnering can be used to achieve any broad objective: share risks, reduce cost, access new markets, enhance brand image, accelerate R&D and learning, etc. Inefficient or ineffective alliance, joint venture, affiliate and other external relationships affect the Group's capability to compete. Partnering risk has several dimensions:

- Choosing the wrong partner, potentially causing reputation risk and failure to achieve objectives.
- Executing poorly with a viable partner, due to cultural differences, communications failures, etc.
- Taking more than what is given, and losing a valuable partner relationship because mutuality of interest is lost.
- Failing to take advantage of an obvious opportunity to partner.

EMPOWERMENT RISK

Empowerment risk is the risk that managers and employees:

- Are not properly led,
- Do not know what to do (or how to do it) when they need to do it,
- Exceed the boundaries of their defined authorities,
- Do not have the resources, training and tools necessary to make effective decisions, or
- Are given incentives to do the wrong thing.

Leadership Risk

The Group's or any of its business unit's people are not being effectively led to do the right things, which may result in a lack of direction, customer focus, motivation to perform, management credibility and trust throughout the organization.

Consequences of poor leadership include:

- Lack of customer focus, resulting in business processes that are unresponsive to rapidly changing customer requirements and ineffective in satisfying customer needs;
- No clear sense of direction or future pull that motivates key people to stretch themselves and take the risks to:
  - Learn and keep up with the pace of change
  - Develop new skills and competencies
  - Acquire new knowledge
  - Seek and find opportunities for new markets and products
  - Add new and different value to existing products and services and
  - Continuously improve business processes
- Lack of management credibility and trust within the organization
- Employees feel unappreciated, lack inspiration and enthusiasm, don't feel empowered to act, do not really know what is expected of them and are too willing to accept "business as usual"
- People within the organization are ineffective in making cross-functional teams work
- The organization is not sufficiently innovative to meet the competition.

Leadership is absolutely essential to successful business risk management, change management, business process reengineering and continuous business process improvement.

Authority/Limit Risk

Ineffective lines of authority may cause managers or employees to do things they should
not do or fail to do things they should.
Failure to establish limits on personnel actions may cause managers or employees to
commit unauthorized or unethical acts, or to assume unauthorized or unacceptable
business risks.

For example, senior management and the Board either (1) does not approve a transaction or decision or (2) does not specify the process and criteria by which the transaction or decision is to be approved:

- In defining the responsibilities and authorities of key employees, management does not clarify the terms or boundaries of those responsibilities and authorities, e.g., what they cannot or should not do. Clear boundaries and limits, defined in accordance with a business risk management strategy or prudent business policy, are important because they create focus, restrict or preclude non-controllable business activities, place caps on unacceptable risk taking and losses in high risk areas, clarify management's authorization criteria, and define parameters for corporate conduct.
- With respect to areas in which significant risks are taken or significant assets are entrusted to a few specialists (e.g., derivatives and eBusiness), management does not understand who is doing what, how often and why, and the extent and magnitude of the risks the experts assume on the Group's behalf.
- Managers and employees are given responsibilities that are inconsistent with the Group's objectives, strategy and prudent business risk management practice.
- Managers and employees do not believe they are empowered to act, so they do not act when action is clearly warranted. In these circumstances, fear and distrust may even be widespread in the organization.

Outsourcing Risk

Outsourcing activities to third parties may result in the third parties not acting within the
intended limits of their authority or not performing in a manner consistent with the
organization's strategies, objectives and desired results. There are two elements of
outsourcing risk. First, there is the risk that outside not within their defined limits of
authority and do not perform in a manner consistent with the values, strategies and
objectives Group). Second, there is the risk that strategic business processes outsourced
ultimately create competition for the outsourcing business units. For example:

Page 13 of 37

TPAs may settle or negotiate claims, provide information technology services or other
services outside the limits established by the Group. There may be a risk that
transactions outside of the TPA's authority are consummated but not documented or
that limits on the service provider's authority have not been properly defined in the first
place.
The motivation and activities of a TPA may not be consistent with the strategic goals of
the Group. Emphasis or lack of emphasis on particular products, services or qualities of
the Group may limit the effectiveness of the TPA or minimize the Group's success.
If the Group contracts with the TPA without focusing upon the ultimate customer's value

Type of Risks

Definition

Performance
Incentives Risk

chain, the risk of the TPA competing for business increases significantly. For example,
outsourcing the mortgage origination and servicing function could allow the third party
processor to compete on similar products and service offerings.
The TPA and its staff are not held to the same conduct and behavioral standards as are
the employees of the Group. Employees of the TPA do not understand or are not
committed to same values, mission and strategies of the Group.

Unrealistic, misunderstood, subjective or non-actionable performance measures may cause


managers and employees to act in a manner inconsistent with the Group's objectives,
strategies and ethical standards, and with prudent business practices.
Managers and employees are monitored with performance measures that create incentives
to act in a manner that is inconsistent with the Group's business objectives, strategies,
ethical standards, and prudent business practice. Managers and employees do not believe
in, the performance measures used by the Group because they are not realistic,
understandable, objectively determinable, or actionable.
The Group's compensation system is not integrated with the performance measurement
system. As a result, employees are (or perceive that they are) compensated in a fashion
that is inconsistent with the Group's objectives, strategies, vision and values.

Change Readiness Risk

The people within the Group are unable to implement process and product/service
improvements quickly enough to keep pace with changes in the marketplace. This may be
due to lack of skill sets, knowledge or a dynamic corporate culture.

Communications Risk

Ineffective communication channels may result in messages that are inconsistent with
authorized responsibilities or established performance measures. Communications vertically
(top-down and bottom-up) or horizontally (cross-functional) within the Group are ineffective
and result in messages that are inconsistent with authorized responsibilities or established
measures. As a result, managers and employees:

Are confused as to what the Group or business unit's mission, objectives and
strategies are.
Do not communicate upwards what senior managers need to know to stay in touch
with what is really happening in the business.
Do not receive timely direction/update or counsel from senior management so that
they feel they are unsupported and isolated.
Do not have or will not use an employee response program, such as a Hotline,
Helpline or Advice Line, to obtain advice and guidance from a responsible company
official before they act.
Do not work together cross-functionally to continuously improve processes and
satisfy customers' needs.

INFORMATION PROCESSING/TECHNOLOGY RISK

Information processing/technology risk is the risk that the information technologies used in the
business are not efficiently and effectively supporting the current and future needs of the business,
are not operating as intended, are compromising the integrity and reliability of data and information,
are exposing significant assets to potential loss or misuse, or threaten the Group or business unit's
ability to sustain the operation of critical business processes.

Relevance Risk

Irrelevant information created or summarized by an application system may adversely affect
decisions of the users.
Relevance risk is the risk that information is not relevant to the purposes for which it is
collected, maintained or distributed. This risk relates to the usability and timeliness of
information that is either created or summarized by an application system. Relevance risk
ties directly to "Information For Decision Making Risk" as it is the risk associated with not
getting "the right data/information to the right person/process/system at the right time to
allow the right action to be taken". This risk arises frequently from a failure to fully
understand information needs and a lack of attention to timeliness issues.

Integrity Risk

Loss of integrity in the management of the information system infrastructure may result in
unauthorized access to data, irrelevant data or untimely delivery of data, or loss of integrity
in the application systems that support the Group business processes may result in
unauthorized, incomplete or inaccurate processing of transactions. This risk encompasses
all of the risks associated with the authorization, completeness, and accuracy of
transactions as they are entered into, processed by, summarized by and reported on by the
various application systems deployed by the Group or business unit. These risks
pervasively apply to each and every aspect of an application system used to support a
business process, and are present in multiple places and at multiple times throughout the
application systems; however, they principally manifest themselves in the following
components of an application system:

User Interface - Risks in this area generally relate to whether there are adequate
restrictions over which individuals are authorized to perform business/system functions
based on their job requirement and the need to enforce a reasonable segregation of
duties. Other risks in this area relate to the adequacy of preventive and/or detective
controls that ensure that only valid data can be entered into a system and that the data
is complete.
Processing - Risks in this area generally relate to whether there are adequate
preventive or detective balancing and reconciliation controls to ensure that data
processing has been complete and timely. This risk also encompasses risks associated
with the accuracy and integrity of reports (whether or not they are printed) used to
summarize results and/or make business decisions.
Error Processing - Risks in this area generally relate to whether there are adequate
processes and other system methods to ensure that any data entry/processing
exceptions that are captured are adequately corrected and reprocessed accurately,
completely and on a timely basis.
Interface - Risks in this area generally relate to whether there are adequate preventive or
detective controls to ensure that data that has been processed and/or summarized is
adequately and completely transmitted to and processed by another application system
to which it feeds data/information.
Change Management - Risks in this area may be generally considered part of
Infrastructure Risk, but they significantly impact application systems. These risks are
associated with inadequate change management processes including user involvement
and training as well as the process by which changes to any aspect of an application
system are both communicated and implemented.
Data - Risks in this area may also be generally rooted in and considered part of
Infrastructure and/or Access Risks but they significantly impact application systems.
These risks are associated with inadequate data management controls including both
the security/integrity of processed data and the effective management of databases and
data structures.

Integrity can be lost because of programming errors (e.g., good data is processed by
incorrect programs), processing errors (e.g., transactions are incorrectly processed more
than once against the same master file), or management/process errors (e.g., poor
management of the system maintenance process).

Access Risk

Failure to adequately restrict access to information (data or programs, in physical form or
otherwise) may result in unauthorized knowledge and use of confidential information, or
overly restricting access to information may preclude personnel from performing their
assigned responsibilities effectively and efficiently. Inappropriate people may be able to
access confidential information. Appropriate personnel may be denied access. Access risk is
pervasive, i.e. it includes information for any purpose (e.g. read, copy, etc.).

Access risk focuses on the risks associated with inappropriate access to systems, data or
information. It encompasses the risks of improper segregation of duties, risks associated
with the integrity of data and databases, and risks associated with information
confidentiality, etc. Access risk can occur at any, or all, of the following five levels:

Network - The mechanism used to connect users within a processing environment. The
access risk in this area is driven by the risk of inappropriate access to the network itself.
Processing Environment - The host computer system where application systems and
related data are stored and processed. The access risk in this area is driven by the
risk of inappropriate access to a processing environment and the program or data that
are stored in that environment.
Application System - The programs that are used by users to process information that is
relevant to their business processes. The access risk in this area is associated with
inappropriate segregation of duties that might occur if access to systems was granted to
a person with no clear business need. For example, few people in a business unit should
require access to a wire transfer authorization system.
Functional Access (within an application).
Field Level Access (within a function).

The existence of Access Risk relating to "failure to adequately restrict access" would mean the
existence of Integrity Risk; Access Risk relating to "overly restricting access" would not. If
the Access Risk is rooted in the system infrastructure (i.e. logical security and security
administration), its existence would mean the existence of Infrastructure Risk. Because of its
pervasive and specific nature, and the given wider scope of definition, Access Risk warrants a
separate risk category in the risk dictionary.

Availability Risk

Unavailability of important information when needed threatens the continuity of the Group's
critical operations and processes.
Includes risks such as loss of communications (e.g., cut cables, telephone system outage,
satellite loss), loss of basic processing capability (e.g., fire, flood, electrical outage) and
operational difficulties (e.g., disk drive breakdown, operator errors).
Availability risk focuses on three different levels of risk:
Risks that can be avoided by monitoring performance and proactively addressing
systems issues before a problem occurs.
Risks associated with short-term disruptions to systems where restore/recovery
techniques can be used to minimize the extent of a disruption.
Risks associated with disasters that cause longer term disruptions in information
processing and which focus on controls such as backups and contingency planning.
The Group's capability to continue critical operations and processes may be highly
dependent on availability of certain information systems. If critical or important systems
went down for an unacceptable period, the Group would experience difficulty in continuing
operations. Critical and important information systems that are not available to sustain
operations can result in: loss of revenue, cash flow and profits; loss of competitive
advantage; dissatisfied customers and loss of market share; increased costs; loss of
employee morale; and even fines and sanctions.

Infrastructure Risk

The risk that the Group does not have an effective information technology infrastructure
(e.g., hardware, networks, software, people and processes) to effectively support the
current and future needs of the business in an efficient, cost-effective and well-controlled
fashion.
These risks are associated with the series of Information Technology (IT) processes used to
define, develop, maintain and operate an information processing environment (e.g.,
computer hardware, networks, etc.) and the associated application systems (e.g., loans,
deposits, etc.). The risks are generally considered within the context of the following core IT
processes:

Organizational planning - The risk that:
o Information technology plans are not integrated with current and future business
plans resulting in inadequate decision making and planning.
o IT personnel are inadequately organized to meet the needs of the business.
o IT personnel are inadequately trained in current or future technologies.

Application system definition and deployment - The risk that:
o Efforts to define user needs for new systems solutions are ineffective resulting in
an inaccurate or incomplete definition or design.
o Conceptual designs are not adequate resulting in "build versus buy" decisions that
are based on an incomplete understanding of the facts.
o Development efforts are not planned or managed resulting in wasted efforts,
significant cost overruns or possible abandonment.
o Purchased or developed systems do not have the appropriate internal controls
to meet business user needs.
o Development efforts do not follow a consistent approach for confirming user
satisfaction and system functionality resulting in system solutions that do not work
or do not meet business needs.
o Untested or otherwise inappropriate changes are made to the production
environment resulting in a loss of system integrity and/or control.
o Implementation efforts do not adequately consider user training and other change
management efforts resulting in an ineffective implementation.

Logical security and security administration - The risk that inappropriate access is gained
to critical systems, data or transactions (either by company personnel or outsiders)
resulting in either the loss of data/information integrity or disclosure and/or misuse of
confidential information.
Computer and network operations - The risk that computers and/or networks are not
effectively managed resulting in performance or capacity issues to business users. The
risk that critical processes performed by computers and/or network operations personnel
are not performed in accordance with described procedures and time frames resulting in
incomplete or inaccurate information processing.
Data and database management - The risk that data and/or databases lack the integrity
needed to support business decisions or that end users do not understand data
sufficiently to support their reporting and decision making needs.
Business/data centre recovery - The risk that systems, processes and data/information
cannot be restored following a disruption in a timely fashion to support the operating
needs of the business.

Lack of effective and well-controlled business processes in each of these areas is usually
the root cause of Access, Relevance, and Availability risks (see other information
processing/technology risks) and application systems process integrity risks (see Integrity
Risk).

ORGANISATIONAL INTEGRITY RISK

Organizational Integrity risk is the risk of management fraud, employee fraud, and illegal and unauthorized acts,
any or all of which could lead to reputation degradation in the marketplace or even financial loss. Its root cause is
different from the Integrity Risk under the Information Processing/Technology Risk as it originates from human
or organizational behavior.

Management Fraud Risk

Management fraud (e.g., intentional misstatement of financial statements) may adversely
affect external stakeholders' decisions. Management issues misleading financial statements
with intent to deceive the senior management, holding company, investing public and the
external auditors, or engages in bribes, kickbacks, influence payments and other schemes
for their own benefits or for the benefits of the business unit or the Group.

Employee Fraud Risk

Fraudulent activities perpetrated by employees, individually or in collusion with customers
or suppliers, against the Group or business unit for personal gain (e.g.,
misappropriation of physical, financial or information assets) expose the Group to financial
loss. There is also potential for legal exposure, negative publicity (embarrassment) and an
adverse impact on operations (loss of confidence by customers, suppliers or providers of
finance).

Illegal Acts Risk

Illegal acts committed by managers or employees, individually or in collusion, place the
Group, its directors and officers at risk to the consequences of their actions, e.g.,
imprisonment, fines, sanctions, suspension of business (in a country, with a particular
agency, with a specified class of customer or for a specified group of products), lost profits,
loss of customers and damage to reputation.
This risk will exist together with Compliance Risk if the illegal act in question is explicitly
prohibited by the internal policies/guidelines or external regulations/law provisions.

Unauthorized Use Risk

Unauthorized use of the Group's physical, financial or information assets by employees or
others exposes the organization to unnecessary waste of resources and financial loss, i.e.:

Physical and financial assets are used for unauthorized or unethical purposes by
employees or others.
Information and proprietary assets (e.g., designs, processes, customer lists,
information and knowledge, formulas, pricing strategies and other trade secrets,
etc.) are compromised by industrial espionage, resulting in loss of competitive
advantage.

The existence of this risk may be rooted in the existence of Access Risk.

Reputation Risk

Damage to the Group's reputation exposes it to loss of customers, profits, employees and
the ability to compete, due to perceptions that it does not:

Deal fairly with customers, suppliers and stakeholders.
Know how to manage its business.

Loss of customers means the loss of future revenue streams. Loss of employees means the
loss of the talent, skills and expertise needed to run the business. Loss of ability to compete
may mean ultimately going out of business.
The existence of this risk may be due to the existence of other risks, e.g. Customer
Satisfaction Risk, Business Interruption Risk and Integrity Risk.

FINANCIAL RISK

Process risk in a financial context arises when operating policies and procedures do not adequately control
exposure to the financial markets. Process risk may result in outright losses or in opportunity costs because
financial operations do not support the objectives of the business in a cost-effective way.

Financial risks which must be managed fall into three broad

Market Risk
Liquidity Risk
Credit Risk

MARKET RISK

Market risk is the exposure of earnings or net worth to changes in market factors (e.g.
interest rates, currency rates, indices) which affect income, expense or balance sheet
values.
Market risk is normally managed by the treasury function, although this may vary from
organization to organization. For example, the banking business has the treasury
department to manage dealing and investment securities, the insurance business has a
specialized investment department to manage asset price risk. While monitoring and
dealing with the existing securities, the treasury function may manage market risk as part of
its acquisition/trading operations of both existing and future securities in the portfolio.
Exposure to market risk is typically evaluated in terms of:

Volatility - A measure of the probability and magnitude of fluctuations in prices or
values from one time period to another. Volatility measures are tools for assessing
the impact of market risks on business performance (e.g. the sensitivity of interest
expense to changes in KLIBOR, LIBOR and the Prime Rate).

In general, risk increases as volatility increases. For example, short term interest rates are
typically more volatile than long term rates, while some currencies are substantially more
volatile than others.

Duration - The weighted average maturity of a set of cash flows (principal and all
interest payments), and an estimate of the sensitivity of those cash flows to
changes in market prices. Duration is typically used as a tool for assessing the risk
associated with the different economic lives of assets (revenues) and liabilities
(expenses). For example, duration can be used to estimate the potential
impact on net worth of funding long term assets with short or intermediate term
debt.
In general, financial risk increases with duration, i.e., the further in the future a bond
is paid out, the more volatile is its value.

Market risk management needs to be sensitive to:
Derivative Risk

The risk that a derivative instrument does not achieve management's
business objectives. On the one hand, a derivative instrument intended to be
a hedge may be inappropriately structured and create a speculative
exposure. Alternatively, in the current environment, there is a significant risk
that derivatives are not used when their use would improve yields and/or
protect cash flows.

Modeling Risk

Exposure to loss as a result of mis-measurement of price risk, particularly for
commercial or financial exposures which require complete simulation
models or for which readily observable prices are not available. Financial
models are only as reliable as their underlying assumptions.

Interest Rate Risk

Significant movements in interest rates away from forecasts expose the
Group to higher borrowing costs and lower investment yields.
Interest rate risk includes:

The income risk that a future spot interest rate will deviate from an
expected value, resulting in:
o lower-than-expected investment yields, or
o higher-than-expected borrowing or deposit costs.
The valuation risk associated with holding a fixed-yield financial
instrument (e.g., hire purchase loans, zero coupon bonds) when market
yields change. Interest rate risk can result in reduced earnings in absolute
terms, or in a deterioration of the Group's competitive position in the
industry. There are different forms of interest rate risk (e.g., basis risk,
yield curve risk, spread risk, etc.) which are categorized and discussed
below under "Financial Instrument Risk". Because of the nature of its
business, changes in interest rates can adversely affect the cash flow.

Currency Risk

Volatility in foreign exchange rates exposes the Group to economic and
accounting losses.
Currency risk is the exposure to fluctuations in exchange rates, and may
arise as a result of:
Business activities or operations in foreign markets.
Investment in securities issued by overseas entities.
Investment in securities which are denominated in a foreign currency.
Exposure to currency risk means that the Group or business unit is in a
position to experience an economic or accounting benefit if exchange rates
move in one direction or suffer an economic or accounting loss if exchange
rates move in the other.
Foreign currency risks are generally classified as economic, transaction and
translation risks:
Economic Risk - Currency exposure associated with future cash flows,
including:

Strategic or Competitive Risk - The extent to which the Group's currency
profile places it at a competitive advantage or disadvantage in the event of
significant changes in exchange rates. Strategic exposures may substantially
exceed known transaction volumes, and may relate to currencies in which the
Group has no direct cash flow exposure. To evaluate strategic risk, it is
necessary to examine a broad range of competitive practices, including the
number of customers in the industry, the functional currency of industry
competitors, and market demand.

Net Monetary Risk - Exposure to exchange gains or losses on monetary assets
or liabilities of foreign operations which are denominated in a currency other
than the functional currency of that operation (e.g., U.S. debt held by
Hong Kong operations). Net monetary exposures may have tax consequences in
the foreign country, as well as cash flow consequences if assets or liabilities
are converted into the local currency.
Transaction Risks - Exposure to movements in exchange rates on specific cash
flows. The longer an exposure is outstanding, the greater the
risk of unfavorable currency movements. Transaction risks
include:

Firm Commitment Risk (including dividends) - Exposure between contractual
commitment in a foreign currency and the date of settlement. For example, a
contractual commitment may require settlement of the transaction in a foreign
currency at a specified or unspecified future date. Transaction exposures are
the effects of currency movements on the Group's outstanding firm commitments.
This risk also includes anticipated cash transfers over the foreseeable future
(generally within the next 12-18 months) from a subsidiary, branch or
business unit operating in a foreign country, which creates currency exposure
for both the remitting entity and the parent.

Budget Risk - Exposure to income loss as a result of currency rates which
differ from the assumptions included in the corporate business plan.

Cash Flow Risk - Exposure to cash flow changes as a result of foreign taxes on
income in a foreign currency which is not reflected in earnings in the Group's
home or reporting currency.

Translation Risk - Exposure to adverse effects on the financial statements as a
result of currency fluctuations. The method of translating
foreign currency financial statements into the reporting
currency may significantly affect net margins, net asset and
liability positions, and net equity positions.

Equity Risk

Equity risk is the exposure to fluctuations in the income stream from and/or
value of equity ownership in an incorporated entity as a result of investment
in shares of publicly traded entities, private placements, etc. It may arise as
a result of:

Investment in shares of publicly traded entities, including holdings in
a portfolio of equity securities.
Investment in private placements.
Investment holdings of debt convertible into equity.
Foreclosure of collateral.
Repayment of debts via issuance of equity shares by the obligors in
debt restructuring.

Commodity Risk

Commodity risk is considered either a financial markets risk or operational
risk depending on the industry.
As an operational risk, commodity risk is the exposure to fluctuations in
prices of commodity-based materials or products. Because commodities are,
at the margin, a substitute for money, commodity price risk is often
considered a financial markets risk.
Examples of commodity price risk from the perspective of a financial
institution:

When the Group chooses to invest in gold futures or options to
implement a diversification strategy for managing investment risk.
The lending exposure of secured agricultural loans to falling
commodity prices.
The exposure of derivatives/trading portfolios to changing prices of
underlying commodities (commodity futures contracts, commodity swaps,
etc.).

Financial Instrument Risk

Financial market risk can vary depending on the particular segment of the
market to which the holder of a financial instrument is exposed, or the way in
which the exposure is structured. These risks include:

Anticipated Exposure Risk

Financial exposure associated with future events which are
highly probable but not contractual, e.g. the impact of
exchange rate fluctuations on cash flows which are highly
certain, but for which no contractual commitments are in
place (e.g., profits from a business unit operating in a
foreign country). Typical exposures arise in conjunction with
interest rates associated with future borrowings or
investments.

Yield Curve Risk/Yield Shape Risk

The yield curve describes the relationship between the
yields and the term to maturity of a financial instrument.
Yield Curve/Yield Shape Risk is the risk that the slope of the
curve will change significantly from the Group's/business
unit's expectations at the time it planned its financial
strategies. Examples of yield curve risk include a steep
increase in the cost of forward currency hedges because of
increases in one year interest rates.

Basis or Spread Risk

Exposure to changes in the price/yield differential between
two financial markets or instruments (e.g., a change in the
risk premium on corporate bonds relative to treasuries of the
same maturity, or between two floating rate indexes).
In a corporate environment, basis risk often refers to the
residual financial risk that remains after a financial hedge
has been put in place. For example, in the case of interest
rate swaps, the basis is the difference between two floating
rate indexes. Basis risk is the risk that the fluctuation in the
two indexes is less than perfectly correlated. Thus, the
Group may convert floating rate debt to fixed; basis risk
exists if the swap pays LIBOR, while the business unit's
funding strategy is based on U.S. CP rates.

Option Risk (also referred to as Contingent or At-Bid Risk)

Exposure to discontinuous changes in cash flows or income
as a result of option-type contracts which may be
embedded in other financial instruments, or acquired on a
stand-alone basis.

Time Lag Risk

Exposure to price changes from the time the decision to
invest/borrow/buy/sell occurs and the execution of the
transaction.

Reinvestment/Refinancing Risk

Exposure to changes in the general level of interest rates as
a result of a mismatch in the timing at which assets and
liabilities are funded, i.e., changes in the general level of
prices and yield between the initial investment and the date
at which the cash flows from an investment are due to be
reinvested.

Rollover Risk

Rollover risk describes exposure to an adverse change in
the yields/prices available in a given market at a given
moment in time. Rollover risk typically arises when a borrower
or investor must reprice a significant cash flow on a single
date or within a very short period of time.
A hedging strategy in which all swaps are repriced on the
same day each quarter leaves the Group vulnerable to rate
swings due to market or financial news, or to dealer "greed".
Rollover risk increases significantly if the repricing position
has a material impact on income or expense. Implementing
the hedging strategies by locking into massive positions
that roll over at predictable times to maintain hedging
coverage may expose the Group to traders who learn of this
strategy and use that knowledge to profit at the Group's
expense.

Derivative Risk

The risk that a derivative instrument does not achieve
management's business objectives because:
o It is intended to be a hedge, but is inappropriately
structured and creates a speculative exposure.
o It is not used when its use would improve yields
and/or protect cash flows. This situation arises when a
currency, interest rate, commodity or equity exposure
should be hedged but is left exposed, resulting in
significant losses to the Group.

Liquidity Risk

Liquidity risk is the exposure to loss as a result of the inability to meet cash flow
obligations in a timely and cost-effective manner.
Liquidity risk often arises as a result of an investment portfolio with a cash flow and/or
maturity profile which differs from the underlying cash flows dictated by the Group's or the
business unit's operating requirements and other obligations. Operating requirements,
debt service, capital expenditures and other cash outflows can require premature liquidation
of assets, which can lead to reduced yields and/or unplanned realized gains or losses.

Cash Flow Risk

The inability of the Group or business unit to fund its operational or
finance obligations which, in extreme cases, may lead to default or loss of
business. For example:

The bank or the finance company or the merchant bank is unable
to meet its net funding requirements.
Changes in interest rates and economic conditions can adversely
affect the business that is highly leveraged, increasing liquidity
risk.

Opportunity Cost Risk

The use of funds in a manner that leads to the loss of economic value,
including time value losses, transaction costs and other causes of loss of
value, including:

Time value losses due to delays in investment of funds, etc. The
consequences of these delays could result in some subsidiaries
borrowing while others are investing.
Transaction costs due to inappropriate or inefficient management
of cash flows (e.g., the need to borrow high cost funds or sell
securities at a loss because of the failure to match the maturities
of short-term investments to settlement dates on operational or
financial obligations).
Other causes of loss of value, including indifference to yield-enhancement
strategies and ineffective yield-curve management.
Earnings exposure when funds are invested in a manner that does
not generate sufficient returns to cover costs, profits and risk.
Investment losses result from the failure to obtain an adequate
return given the degree of risk which is incurred.

Concentration Risk

The risk of loss resulting from the inability to liquidate financial market
exposures in a "thin" market. For example:

Use of financial products in which the Group or business unit has a dominant
position (e.g., an excessive share of the open interest in a financial futures
or commodity contract in a given month), so that exposure cannot be
liquidated without moving the market.
Use of financial products in which there are unusual market
conditions (e.g. wide bid-ask spreads which create uncertainty as to
the true value).
Use of "proprietary" financial products which can only be closed out
by offsetting contracts with the selling dealer, i.e., it may be difficult to
find a counterparty willing to enter into a transaction in a timely
manner.
Excessive reliance on a small number of funding sources which may
leave the Group or business unit vulnerable to predatory pricing or
inability to obtain funds when needed.

Credit Risk

Credit risk describes the exposure to actual loss or opportunity cost as a result of the default
(or other failure to perform) by an economic or legal entity (the debtor or obligor) with which
the Group does business.
Credit risk is the risk of loss arising because counterparties fail to perform according to their
contractual obligations. This is accentuated by position concentration with a group of
counterparties and increases in importance with the sophistication and diversity of market
players.
Credit risk management is typically driven by requirements for control over the quality of
the customer base. The Group's credit management and collection policy should appropriately
balance the trade-off between (a) maximizing service/loan volume and (b) minimizing loss
from uncollectible accounts. If this process for evaluating credit risk does not work
effectively, it can constrain business growth or create unacceptable credit risks, including
excessive write-offs and collection costs.
Default Risk

Default of a counterparty or obligor on a contract exposes the Group or
business unit to financial loss. Default Risk can be further analyzed into
the following:

Delivery Risk

An entity which has taken credit facilities or delivery of
services defaults on the payment and/or goes into
bankruptcy.

Issuer Risk

An entity which has issued debt securities held in an
operating surplus account or pension fund portfolio
defaults on the payment of maturing debt and/or goes into
bankruptcy.

Counterparty or Market Risk

A trading partner is unable to fulfill obligation on a
contract (e.g. a swap or a forward commodity contract) on
which there is a positive mark-to-market value for the
defaulting party.
For example, counterparties agree to make periodic
payments to an intermediary institution pursuant to a
swap agreement. The agreement specifies the currencies
to be exchanged (which may or may not be the same), the
rate of interest applicable to each (which may be fixed or
floating), the timetable by which payments are to be
made, and other provisions defining the relationship
between the parties. Swap intermediaries are
independently obligated to all their counterparties, e.g.,
even though a dealer may be viewed as an intermediary
between end users, its obligation to each end user
counterparty is independent of its obligations to the
others.
Some industrial company customers use derivatives to
hedge some business risk they do not want (such as the
risk of an increase in interest rates or a fall in the value of
a currency). The risk is passed on to a dealer, who, in turn,
may hedge it with a separate contract with another
dealer, an end user or a speculator who accepts the risk.
These counterparties typically include other commercial
banks and merchant banks, other industrial companies,
insurers and other financial services firms, etc. If a
counterparty to a contract fails to perform its obligations
as defined under that contract, the dealer must seek a
replacement swap with terms identical to those of the
defaulted swap. If the dealer is unable to find a
replacement, it incurs a financial loss from the default.
Because of the size of most dealers (e.g., the big
commercial banks and the major securities firms), most
end-users consider the risk of dealer default negligible.

However, a crisis at a major dealer could trigger a market
disruption which would adversely affect all participants in
the market. See also Systematic Risk under Financial
Market Risk.
Concentration Risk

The risk of excessive loss due to inappropriate emphasis of sales
volume or revenues on a single customer, industry, country or other
economic segment.

Settlement Risk

Different settlement times between the capital markets of the group and
its counterparties expose the group to a short term risk of counterparty
default on obligations.
In a financial context, settlement risk - also called "delivery risk" - arises
when financial counterparties effect their payments to each other at
different times or in different locations. The first paying party is exposed
to the risk that the later paying party will fail to perform, due to delay,
system failure or default. In essence, one party performs its obligations
under the contract, but has not yet received value from its counterparty.
Settlement risk is typically short-term (less than 24 hours). For example,
Hong Kong capital markets close for the day before the U.S. markets
open, resulting in delivery risk to the U.S. counterparty on a swap at the
time of the principal exchange. Settlement risk becomes default risk if a
counterparty defaults during the settlement cycle.

COLLATERAL RISK

This is the risk that the value of an asset provided as collateral for a
loan, lease or commitment may be partially or totally lost. For example:

Significant declines in real estate or equipment values and
economic activity in areas where the Group or business unit has
concentrated its loan portfolio can pose significant risks.
Collateral provided for a loan declines in value or is lost
because of unauthorized divestiture or use.
Collateral held by a third party declines in value or is lost
because the party goes out of business.
Collateral provided by a counterparty on the net amount by
which a swap with another party is out of the money.
Change in the legal status of borrowers (e.g., bankruptcy).

INFORMATION FOR DECISION-MAKING RISK


Information for Decision Making Risk - Information for decision making risk is the risk that information used to support
strategic, operational and financial decisions is not relevant, timely or reliable.
Much decision making is acting on performance measures or the results of industry business process or financial analysis. If measures
have not been aligned with business strategies or are not realistic, understandable and actionable, they will not focus people on the
right things and will provide incentives for decisions that are inconsistent with the strategies. If the measures and other business
information used in decision making are not reliable or relevant, they either will be ignored or will drive the wrong behavior.
Type of Risks

Definition

PROCESS/OPERATIONAL DECISION MAKING RISK

Operational information for decision making risk is the risk that information used to support operational
decisions is not relevant or reliable.

Product Pricing Risk

Lack of relevant and/or reliable information supporting pricing decisions may result in prices or
rates that customers are unwilling to pay, do not cover development and other costs or do not
cover risk exposures assumed by the Group or business unit.
There are many forms of pricing risk:

The Group's or business unit's price is more than customers are willing to pay
because the Group's or business unit's pricing strategies are not based on market research or
other systematically obtained customer driven information.
Products are priced in relation to market forces but are not profitable due to competitive
funding differences.
The Group's or business unit's pricing for certain products does not cover their production
and distribution costs because of inadequate product and distribution cost information.

The Group or business unit takes on foreign customers, maintains price lists or signs long-term
contracts and is exposed to currency risks because sales managers do not understand such risks
when making pricing decisions.

Contract Commitment Risk

Lack of relevant and/or reliable information concerning contractual commitments outstanding as
of a point in time may result in subsequent incremental contractual commitment decisions that
are not in the best interest of the Group.
The Group or business unit does not have relevant and/or reliable information that effectively
tracks contractual commitments outstanding at a point in time, so that the financial implications
of decisions to enter into incremental commitments can be appropriately considered by decision
makers.
Commitments embedded in contractual agreements include currency risk sharing arrangements.
Swaps, options, futures and other derivatives also create contractual commitment risk. If the risks
associated with these commitments are not understood and managed on an aggregate basis,
decision makers will be making operating decisions in isolation that may not be in the best
interest of the Group as a whole (i.e. they may accept risks they should reject or reject risks they
should accept).

Performance Measurement Risk

Process performance measures do not provide a reliable portrayal of business performance and
do not accurately reflect reality (i.e., they are not reliable information about reality because they
do not "tell the story" as to what is really happening within the processes of the business). The
measures do not provide relevant information for decision making because they are not:

Informative (e.g., they do not tell decision makers what is really happening and how
processes are performing).

Understandable.

Believable (e.g., they are not realistic)

Actionable (e.g., they are not controllable; there is nothing a decision maker
can do to change the process to influence the behavior of the measures).

Initiators of change (e.g., they do not stimulate continuous process improvement).


Alignment Risk

The objectives and performance measures of the Group's business processes are not aligned with
its overall business objectives and strategies. The objectives and measures do not focus people
on the right things and lead to conflicting, uncoordinated activities.

FINANCIAL AND BUSINESS DECISION MAKING RISK

Business reporting information for decision making risk is the risk that information used to support
business decisions is not relevant or reliable.

Budget and Planning Risk

Non-existent, unrealistic, irrelevant or unreliable budget and planning information may cause
inappropriate financial and business conclusions and decisions. Budgets and business plans are
not:

Realistic.

Based on appropriate assumptions.

Based on cost drivers and performance measures.

Accepted by key managers.

Useful or used as a monitoring tool.

Aligned with longer term strategic objectives.

Accounting Information Risk

Over-emphasis on financial accounting and/or actuarial information to manage the business may
result in the manipulation of outcomes to achieve financial targets at the expense of not meeting
customer satisfaction, quality and efficiency objectives.
Financial accounting information is used to manage business processes and is not properly
integrated with non-financial information focused on customer satisfaction, measuring quality,
customer/product profitability and increasing efficiency. The result is a myopic, short-term
fixation on manipulating the outputs of business processes to achieve financial targets, rather
than fulfilling customer expectations by controlling and improving processes and products.

Financial Reporting Evaluation Risk

Failure to accumulate relevant and reliable external and internal information to assess whether
adjustments to disclosure in financial statements are required may result in the issuance of
misleading financial reports to external stakeholders.
Financial reports issued to existing and prospective investors and lenders include material
misstatements or omit material facts, making them misleading. Financial reporting evaluation
risk usually results from failure to obtain relevant business information from external and internal
sources and assess whether adjustments to or disclosures in the financial statements are
required to fairly present financial position, results of operations and sources and uses of cash.

Taxation Risk

Failure to accumulate and consider relevant tax information may result in non-compliance with
tax regulations or adverse tax consequences that could have been avoided had transactions
been structured differently.
Taxation risk has two key elements:

Compliance with all tax regulations, payment and filing requirements.

Significant transactions of the entities in the Group have adverse tax consequences that
could have been avoided had they been structured differently.

Taxation risk has the element of Compliance Risk under Process-Operations Risk. However, due
to the peculiar nature of taxation-related risks, they are classified under Taxation Risk that can
include:

Risk in relation to the deficiency or insufficiency within the Group's internal processes in
collating relevant information for taxation purposes.
Failure to consider/use the information for tax compliance and tax benefit maximization
purposes.

Compensation and Benefit Risk

Allocation of assets to fund compensation and benefit obligations (i.e. pension plans, deferred
compensation plans, retiree medical plans) is insufficient to satisfy the obligations. The
consequences of compensation and benefits risk include reputation risk, loss of morale, work
stoppages, litigation, and additional funding required of the Group.

Investment Evaluation Risk

Lack of relevant and/or reliable information supporting investment decisions and linking the
financial risks accepted to the capital at risk may result in poor short or long-term investments.
Management does not have sufficient financial information to make informed short and long-term
investment decisions and link the risks accepted to the capital at risk and the liquidity needs of
the Group or business unit.

Regulatory Reporting Risk

Incomplete, inaccurate and/or untimely reporting of required financial information to regulatory
agencies may expose the Group to fines, penalties and sanctions.

Environment/strategic information for decision making risk is the risk that information used to support
strategic decisions is not relevant, timely or reliable.

Environmental Scan Risk

Failure to monitor the external environment or formulation of unrealistic or erroneous
assumptions about environment risks may cause the Group to retain business strategies long
after they have become obsolete. Environmental scan risk arises when:

The Group does not have an effective process to obtain relevant information about the
external environment.

Key assumptions about the external environment are inconsistent with reality or are not
being monitored by the Group.
Failure to monitor and stay in touch with a rapidly changing environment will result in obsolete
business strategies.

Business Portfolio Risk

Lack of relevant and reliable information that enables management to effectively prioritize its
products or balance its businesses in a strategic context may preclude a diversified organization
from maximizing its overall performance.
For the diversified Group having multiple products and/or business units, there is an added
dimension to strategic information for decision making risk. Business portfolio risk is the risk
that the Group will not maximize business performance by effectively prioritizing its products or
balancing its businesses in a strategic context.
This risk applies to evaluating both owned businesses (e.g., to decide whether to invest/grow,
maintain/harvest, or divest/liquidate) and prospective businesses (e.g., acquire, joint venture, or
strategically align). Current trends in meeting customer residential lending needs are a good
example.

Valuation Risk

Lack of relevant and reliable valuation information may preclude owners or prospective owners
from making informed assessments of the value of the Group or any of its significant segments in
a strategic context.
Management and key decision makers are unable to reliably measure the value of a specific
business or any of its significant segments in a strategic context. This risk affects the evaluation
of both owned businesses (e.g., to decide whether to invest/grow, maintain/harvest, or
divest/liquidate) and prospective businesses (e.g., acquire, joint venture, or strategically align).

Performance Measurement Risk

Non-existent, irrelevant or unreliable performance measures that are inconsistent with
established business strategies threaten the Group's ability to achieve its long-term strategies.

Organization Structure Risk

Management lacks the information needed to assess the effectiveness of the Group's or business
unit's organizational structure, which threatens its capacity to change or achieve its long-term
strategies.
The Group's or business unit's organizational structure does not support change the Group's or
business unit's primary business strategies. The Group's values and culture, its infrastructure and
how it defines responsibility, authorities and boundaries and limits have a significant effect on its
ability to govern and achieve its objectives. These risks are strategic because they affect the
Group's:

Allocation, deployment and development of resources.
Tax efficiency.
Business process reengineering and business process/technology improvement efforts.
Identification, sourcing, measurement and control of business risks.
Measurement and monitoring of performance.
Knowledge of customer needs and expectations.

Resource Allocation Risk

The Group's resource allocation process does not establish and sustain competitive advantage or
maximize returns for shareholders.

Planning Risk

An unimaginative and cumbersome strategic planning process may result in irrelevant
information that threatens the Group's capacity to formulate viable business strategies. The
Group's business strategies are not:

Driven by creative and intuitive input, e.g., it is primarily a result of a formal
time-consuming process weighted down by hard data, extrapolation of past results, "number
crunching" and lengthy reports.
Based on current assumptions about the external environment, resulting in strategies
that are out-of-date and unfocused. Unrealistic assumptions about the industry and the
Group's own relative position can lead to strategic error. For example:
o Overestimating industry potential can lead to overbuilding capacity.
o Overrating the company's core capabilities can trigger a costly battle to gain
share against superior performing competitors.
Effectively programmed in the form of written plans, schedules, budgets, etc.
Communicated consistently and often throughout the Group.
Responsive to environmental change and organizational learning.

Product Life Cycle Risk

Lack of relevant and reliable information that enables management to manage the movement of
its product lines and the evolution of its industry along the life cycle threatens the Group's
capacity to remain competitive. The Group's approach to managing the movement of its product
lines and evolution of its industry along the life cycle (e.g., start-up, growth, maturity and
decline) has a significant effect on the ultimate success or failure of its business strategies. For
example, management can adopt:

Either an inward or external focus to managing product life cycle costs.
A different strategic focus and operating style as the industry structure evolves from one
point within the cycle to another (e.g., from the growth stage to the maturity stage).
A different approach to leading and managing as operations expand significantly to avoid
straining existing processes and systems to the point where control breaks down.
