Risk Management

Nilesh Bakhle, Vice President, Persistent Systems

Any ongoing enterprise faces business risks on multiple fronts. The Identification, Mitigation and Monitoring of Risks using a combination of People, Process and Technology is carried out by a process called Risk Management. Some examples of Risks are as follows.

Credit Risk: Credit Risk assesses the creditworthiness of a customer/vendor/business. For an individual, assessing Credit Risk means judging the customer's ability to service the loan and understanding their net worth. For a corporate, Credit Risk would mean consolidation of risk across its various entities and subsidiaries, many of which could be based overseas.

IT Risk: IT systems are subject to multiple types of risk. External attacks target the IT network from outside the organization (viruses, data theft, Denial of Service, etc.), while internal attacks are more about compromising or bypassing security controls (maker/checker).

Regulatory Risk: In today's world, the cost of non-compliance with appropriate regulations, whether the organization is a Bank, Healthcare provider, etc., is prohibitive. Some organizations have been fined billions of dollars, and hence organizations are seeking to strengthen and tighten internal controls to ensure that Regulatory Risk is contained.

Addressing the entire gamut of risks is beyond the scope of this article, and we will restrict ourselves to Financial Institutions and, within those, to Banks that do business with Individuals and Corporates: Retail, Wholesale and Private Banks.

Some risks associated with Banks with their impact on People, Process and Technology are listed below.


The Maker/Checker principle dictates that a minimum of two employees (typically the authorizer being a higher ranking officer with increased entitlements) is required to complete a financial transaction like Foreign Exchange deals, Money Market placements, Mortgages, etc. (mortgages may need multiple levels of approval with different specialization). Teller based cash withdrawals and Payments are usually two tiered, with amounts below a specified amount not requiring dual authorization. The People part requires separation of responsibilities, the Process part defines it as part of the Bank's Standard Operating Procedure (SOP) and IT systems are required to enforce it. Maker/Checker applies to transactional systems.

Internal Audit

Banks typically have an Internal Control Unit (ICU) which is responsible for Operational compliance with the Bank's Standard Operating Procedure. The ICU is usually an audit function, i.e. its function is not to prevent fraud but rather to detect it. Instances of detected fraud may lead to stricter enforcement or even changes to the SOP.

Internal Controls typically apply to the Bank's operational systems.

Finance is usually externally audited by an accounting firm, which certifies the company's financial position.

Compliance with Regulations such as Basel

Banking and Capital Markets regulators are tightening their reporting norms. While this has been an ongoing process, it has accelerated since the 2007-08 Mortgage/Credit meltdown. As a consequence of this, the regulators have been levying fines ranging into billions of dollars. Given the high cost of non-compliance, Financial Institutions have formed units to handle external regulatory risks.

Another example of Regulatory requirements is the various rules regarding payments, both local payments within the country and cross border payments.


IT systems need to be configurable and rule based in order to adapt to changing regulations and to detect and, if possible, prevent fraudulent fund transfers. Banks are getting better at identifying suspicious transactions and flagging them in near real-time. A more pattern based and machine learning based processing system can also detect related transactions. Such related transactions are typically used for laundering drug money or for terrorist funding.

Another classic example of configurable systems is the change in ATM withdrawal limits as well as Bank deposit limits during the demonetization initiative in India. If systems were not configurable, then the amount of effort required to change the various systems would have been far higher than was the case.
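The Maker/Checker rule described earlier, with its dual-authorization limit held as configuration in the way this section describes, can be sketched as follows. This is an added example, not code from the article or from any bank's system; the policy table, entitlements, role names and amounts are constructed for illustration, and the rule that each approval level needs a different employee is an assumption.

```python
from dataclasses import dataclass, field

# Constructed policy table: per transaction type, the amount from which a
# checker is required and the approver roles needed at or above that amount.
POLICY = {
    "teller_withdrawal": {"dual_auth_from": 50_000, "approvers": ["supervisor"]},
    "fx_deal": {"dual_auth_from": 0, "approvers": ["supervisor"]},
    "mortgage": {"dual_auth_from": 0, "approvers": ["credit", "legal"]},
}
# Constructed entitlements: employee id -> approver roles that employee holds.
ENTITLEMENTS = {"alice": {"supervisor"}, "bob": {"supervisor"},
                "carol": {"credit"}, "dan": {"legal"}}

class PolicyViolation(Exception):
    """Raised when an approval would break the Maker/Checker rule."""

@dataclass
class Transaction:
    kind: str
    amount: int
    maker: str
    approvals: dict = field(default_factory=dict)  # role -> checker id

def required_roles(txn, policy=POLICY):
    """Approver roles the given policy demands for this transaction."""
    rule = policy[txn.kind]
    if txn.amount < rule["dual_auth_from"]:
        return []  # below the limit: the maker alone completes it
    return list(rule["approvers"])

def approve(txn, employee, role, entitlements=ENTITLEMENTS, policy=POLICY):
    """Record one checker approval, enforcing separation of responsibilities."""
    if role not in required_roles(txn, policy):
        raise PolicyViolation(f"{role} approval is not required here")
    if role not in entitlements.get(employee, set()):
        raise PolicyViolation(f"{employee} lacks the {role} entitlement")
    # Assumption: every approval level must also be a different employee.
    if employee == txn.maker or employee in txn.approvals.values():
        raise PolicyViolation("maker and checkers must be different employees")
    txn.approvals[role] = employee

def can_post(txn, policy=POLICY):
    """True once every approval the current policy requires is present."""
    return all(r in txn.approvals for r in required_roles(txn, policy))
```

Passing a different policy table to `can_post` changes which transactions need a checker without touching the enforcement code, which is the property the withdrawal-limit example relies on.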

In conclusion, we can see that enterprises face risks on multiple fronts and having an appropriate Risk Management Framework is necessary to identify, manage and monitor Risks.