畢博上海銀行咨詢Final Deliverables LoanRvw112699.doc

hanvit bank risk review process 11/16/99 prepared by kpmg, llp this document is proprietary and confidential to hanvit bank and kpmg, llp. unauthorized duplication is prohibited. hanvit bank risk review process _ kpmg draft 2 table of contents the hanvit bank risk review function.4 overview.4 objectives of hanvit bank risk review.5 summary of elements of the risk review function6 goals of hanvit bank risk review6 risk review personnel7 qualifications 7 independence.7 characteristics of risk review.7 frequency of risk reviews.7 scope of risk reviews.8 depth of reviews.8 review of findings and follow-up9 workpaper and report distribution.9 risk review in anticipation of external examinations9 information systems support .9 risk review distinguished from credit review10 sampling methods for risk review10 risk review as a pipeline of loans for workout or problem loan departments.11 department composition.13 organization evaluate the portfolio for credit quality, performance, collectibility, and collateral sufficiency; to identify relevant trends affecting the collectibility of the loan portfolio and isolate potential problem areas; to evaluate the activities of lending personnel to assure that bank officers and staff are operating in conformance with established guidelines; to assess the adequacy of, and adherence to, loan policies and procedures, and to monitor compliance with relevant governmental or banking supervisory agency laws and regulations; assure that lending policies, practices, procedures, and internal controls for commercial and industrial loans are adequate, to provide essential information for determining the adequacy of the alll; to provide the board of directors and senior management with an objective assessment of the overall portfolio quality; and to provide management with information related to credit quality that can be used for financial and regulatory reporting purposes. hanvit bank should maintain a written risk review policy that is reviewed and approved at least annually by the board of directors. policy guidelines should include a written description of the overall borrower and facility risk grading process, and establish responsibilities for the various risk review functions. the policy will generally address the following items: qualifications of risk review personnel, independence of risk review personnel, frequency, scope and depth of reviews, risk rating, authority to require corrective action, review of findings and follow-up; and workpaper and report distribution, reporting procedures to the audit committee of the board of directors. hanvit bank risk review process _ kpmg draft 6 summary of elements of the risk review function various elements of the hanvit bank risk review function are summarized below. additional detail is provided in this document. goals of hanvit bank risk review loan policy physical inspection of collateral in the form of machinery and direct collection of the required documents from borrower hanvit bank risk review process _ kpmg draft 21 examination of credit files there should be one (1) credit file “of record“ which is the official bank repository of all information relating to a borrower or loan. the physical location of the credit file will depend on the level of approval required for the loan. credit files for borrowers whose total loans are within the branch officer lending limit, should be located at the branch office. they should be subject to the same information, security and restricted access requirements as files physically located at the headquarters location. it is suggested that copies of important credit files (for major loan accounts) even though under the rm or branch manager authority, should be kept at headquarters. the bank should determine what will constitute an important or major account however, it should be an account at the upper range of the officers lending authority or an account which has shown difficulties in the past. credit files should have all documents as required by the banks credit policy manual, and which are needed for credit review, risk review or bank examination purposes. rms, branch office managers, business analysts, credit review officers and other bank personnel must be directed to deposit all materials in the credit file and to comply with all requests for documents by the risk review officer. loan administration processes subject to risk review among the commercial loan administration and monitoring functions which should be reviewed by risk review are: compliance with pertinent credit policies clearly outline standard and special monitoring requirements for all loans, with special monitoring requirements identified by loan type, size and industry where applicable. this provides a standardized methodology to assist with underwriting and review. assurance of ongoing loan monitoring process should include elements to ensure that ongoing loan monitoring is occurring according to policy. this will help manage on-going credit risk and enable responsiveness to adverse changes. adherence to appropriate credit review cycle monitoring of various aspects of loans should occur on a regular and clearly defined basis. this should include rm and cro reviews as well as risk review. this process should be adapted as required to dynamic changes in the economy and/or adverse changes in borrower condition. credit file review and updating information gathered must be analyzed, monitoring reports must be updated and appropriate staff must receive copies of necessary reports. this ensures that analysis is meaningful and that timely reports occur which will prompt the bank to take action as required. timeliness all information received must be acted upon in a prompt fashion. this will quickly mitigate existing and potential problems including possible loan losses. tracking mechanisms systems or processes that support a standardized approach to assessment and monitoring. these can include reports, queries, and risk rating capabilities early identification of credit quality the ability to identify factors that indicate actual and/or potential weaknesses that may prevent further deterioration in credit quality and possible losses. hanvit bank risk review process _ kpmg draft 22 this increases the options available for resolution and opportunities to improve credit quality and minimize loan losses early response to identified problems the ability to respond to identified problems with the appropriate tools. delinquencies time lapse for notification of violation of covenants and conditions by monitoring staff monitoring completed by required date policy and other exceptions to the monitoring process discovered by risk review, audit, external examiners and others exceptions/exclusions to monitoring/covenants the function should be independent of line management. the similarity of compliance functions with other non-audit functions like risk management and risk review is clear. the fact that these functions are not audit per-se, does not diminish the requirement for independence. examples of the consequences of a breakdown in internal controls functions can be found in writings related to the collapse of the barings investment bank. extracts from the report to the board of banking supervision inquiry into the circumstances of the collapse of barings, published by the bank of england in july 1995, state: 14.1barings collapse was due to the unauthorized and ultimately catastrophic activities of, it appears, one individual (leeson) that went undetected as a consequence of a failure of management and other internal controls of the most basic kind. 14.2management and directors of all financial institutions will draw lessons for themselves. however, we would emphasize the following five significant lessons of the barings case, which we discuss later in this section, to which particular attention needs to be paid: (a) management teams have a duty to understand fully the businesses they manage; (b) responsibility for each business activity has to be clearly established and communicated; (c) clear segregation of duties is fundamental to any effective control system; (d) relevant internal controls, including independent risk management, have to be established for all business activities,- (e) top management and the audit committee have to ensure that significant weaknesses, identified to them by internal audit or otherwise, are resolved quickly; 14.3the failings at barings were not a consequence of the complexity of the business, but were primarily a failure on the part of a number of individuals to do their jobs properly. these articles outline specific lessons related to be learned from that collapse. these include: management teams have the duty to implement proper check and balance controls in the operations of the businesses they manage. 14.10management must demonstrate in their everyday actions their belief in, and insistence on, the operation of strong and relevant controls throughout the institution. hanvit bank risk review process _ kpmg draft 37 responsibility for each business activity has to be clearly established and communicated. 14.12whatever form of organizational structure is chosen by an institution, clearly defined lines of responsibility and accountability covering all activities must be established and all managers and employees informed of the reporting structure. the identification of accountability extends beyond profit performance to encompass risks, clients, support operations and personnel issues. clear segregation of duties is fundamental to any effective control system. 14.17clear segregation of duties is a fundamental principle of internal control in all businesses and has long been recognized as the first line of protection against the risk of fraudulent or unauthorized activities. in the exceptional case of segregation of duties not being feasible due, for example, to the small size of the operation, controls must be established such that they compensate for the increased risks this brings, including close and regular scrutiny by internal audit. management should also be wary of situations where it is apparent that only one individual is able to field all the key questions about a particular activity. relevant internal controls, including independent risk management, have to be established for all business activities. 14.19a breakdown in, or absence of, internal controls at a basic and fundamental level enabled leeson to conduct unauthorized activities without detection. 14.23a number of industry studies have strongly advocated the establishment within a financial institution of an independent risk management function overseeing all activities, including trading activities, and covering all aspects of risk. we support this view. it is recommended that risk management be managed by separate units within the risk management department. the idea of spreading risk management functions for different risk types across different departments is not recommended as was concluded by the bank of england report on the barings collapse. their conclusions were: 14.25unlike the situation at barings, where group treasury and risk focused on market and credit risk, an independent risk management function should oversee all types of risk. these other risks include: liquidity risk, concentration risk, operational risk, legal or documentation risk and reputation risk. additional documents and policies produced by the basle committee on banking supervision25 are equally instructive on the topic of adequate and independent controls such as risk management and risk review. 25 the basle committee on banking supervision is a committee of banking supervisory authorities which was established by the central bank governors of the group of ten countries in 1975. it consists of senior representatives of banking supervisory authorities and central banks from belgium, canada, france, germany, italy, japan, luxembourg, netherlands, sweden, switzerland, united kingdom and the united states. it usually meets at the bank for international settlements in basle, where its permanent secretariat is located. hanvit bank risk review process _ kpmg draft 38 a 1997 paper entitled, core principles for effective banking supervision,26 outlines a comprehensive set of core principles for effective banking supervision (the basle core principles). these principles have been endorsed by the g-10 central bank governors. in developing the principles, the basle committee has worked closely with non-g-10 supervisory authorities. the document was prepared in a group containing representatives from the basle committee and from chile, china, the czech republic, hong kong, mexico, russia and thailand. nine other countries (argentina, brazil, hungary, india, indonesia, korea, malaysia, poland and singapore) were also closely associated with the work. the drafting of the principles benefited moreover from broad consultation with a larger group of individual supervisors, both directly and through the regional supervisory groups. included in these broad principles, are specific discussions related to risk management and the separation of relevant functions within a bank. these are principles 13 and 14 which state: 13. banking supervisors must be satisfied that banks have in place a comprehensive risk management process (including appropriate board and senior management oversight) to identify, measure, monitor and control all other material risks and, where appropriate, to hold capital against these risks. 14. banking supervisors must determine that banks have in place internal controls that are adequate for the nature and scale of their business. these should include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding its assets; and appropriate independent internal or external audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.27 in september 1998, the basle committee published an additional paper entitled framework for internal control systems in banking organizations.28 this paper outlined, among other things, the objectives and major elements of internal control systems, and listed some examples of supervisory lessons learned from internal control failures.29 the paper states in part: 1.the basle committee has studied recent banking problems in order to identify the major sources of internal control deficiencies. the problems identified reinforce the importance of having bank directors and management, internal and external auditors, and bank supervisors focus more attention on strengthening internal control systems and continually evaluating their effectiveness. several recent cases demonstrate that inadequate internal controls can lead to significant losses for banks. 2.the types of control breakdowns typically seen in problem bank cases can be grouped into five categories: 26 core principles for effective banking supervision, basle committee on banking supervision, september 1997. 27 core principles for effective banking supervision, basle committee on banking supervision, september 1997, 5-6, (emphasis added). 28 framework for internal control systems in banking organizations, basle committee on banking supervision, september 1998. 29 ibid. appendix ii. hanvit bank risk review process _ kpmg draft 39 lack of adequate management oversight and accountability, and failure to develop a strong control culture within the bank. the absence or failure of key control structures and activities, such as segregation of duties, approvals, verifications, reconciliations, and reviews of operating performance. lack of segregation of duties in particular has played a major role in the significant losses that have occurred at banks. inadequate or ineffective audit programs and monitoring activities. as was noted in the paper, in reviewing major banking losses caused by poor internal control, supervisors typically find that these banks failed to observe certain key internal control principles. of these, segregation of duties, was most frequently overlooked by banks that experienced significant losses from internal control problems. the basle committee called segregation of duties one of the pillars of sound internal control systems. it found that often, senior management assigned a highly regarded individual to responsibility for supervision of two or more areas with conflicting interests. additional readings are available however hanvit bank should take direction from the korea fsc. kpmgs understanding that the fsc fully supports the independence of both risk management and the risk review function from the operational departments whose activities they will be required to review. hanvit bank risk review process _ kpmg draft 40 appendix 2 - suggested topics for inclusion in risk review analysis the suggested review items for risk review analysis listed below are derived from suggested topics of banking supervisory authorities in other countries. based on the determination of an