Risk management is cultural. Organizations that have cultural imperatives for transparency and accountability control and manage risks better.
People today want to understand how financial institutions manage risks and ensure uninterrupted service to customers. They want to learn about the risk management initiatives of financial institutions. This is partly because of recent events in the financial industry that have made the industry a regular daily news topic. There are many reasons behind the current state of the financial sector in Bangladesh. But it has done one good thing — it has created a general interest and awareness about the functioning of the financial industry in Bangladesh.
I wanted to understand this as well: how financial institutions ensure stability and uninterrupted service to customers through various risk management initiatives. To that end, I sat down with risk management veteran Muhammad Sazzad Hossain, Group Head of Enterprise Risk Management at IDLC Finance Limited, to understand how risk management works at financial institutions and which frameworks they use to deliver smooth service regardless of circumstances.
In this article, we examine how organizations like IDLC Finance use frameworks like Business Continuity Plans (BCP) and Enterprise Risk Management (ERM) to control and manage risks and deliver excellent customer experience.
It is important to note here that having risk management policies and frameworks is one thing and enforcing them is an entirely different thing. Because of the mandate of regulatory bodies such as Bangladesh Bank, financial institutions are required to maintain such risk management initiatives. But enforcing them, as we will see in this discussion, is a matter of governance and culture. Organizations that have strong corporate governance practices and a culture of transparency and accountability generally do better in managing risks. Let’s take a look.
Enterprise risk management (ERM) can be viewed broadly from two angles. On the one end, there are financial risks such as credit risks, solvency risks, liquidity risks, etc. On the other hand, there are operational risks such as delivering timely services to customers, ensuring uninterrupted service even during emergencies, managing technical disruptions, dealing with man-made and natural disasters, and so on. Enterprise risk management deals with all these aspects of an organization.
The purpose of ERM is to prevent risks from materializing. For instance, credit risk arises when you lend to individuals or organizations that are likely to default. When you actively manage credit risk, you can prevent such events. You put together policies, checks and balances, and the necessary frameworks to reduce the likelihood of defaults. Those are preventive measures.
Even with the best efforts, risks still materialize, because many events cannot be foreseen. In those instances, ERM ensures that the organization learns from the event and develops preventive measures for similar events in the future. Financial institutions have strict guidelines and policies around liquidity and solvency. A strong ERM department ensures that those guidelines are maintained at all times without exception.
ERM also deals with customer service during emergencies and operational challenges through initiatives like business continuity plans (BCP). Simply put, operational risk is the risk that an organization is unable to keep its business running. The cause can be a natural or man-made disaster, a technical failure, political instability or another disruption. In those situations, businesses ensure that operations continue and customers get uninterrupted service by implementing the BCP.
Financial organizations use frameworks and models to effectively implement ERM and BCP across organizations. Regulatory bodies such as Bangladesh Bank in the case of financial institutions have various guidelines and requirements that require financial institutions to run these risk management initiatives.
Enterprise risk management broadly covers two areas: operational risk management (ORM) and financial risk management (FRM). Together, ORM and FRM make up the ERM department.
“ORM deals with people, processes, systems, and external events-related risks”, explains Mr. Muhammad Sazzad Hossain. “For instance, COVID is an external event that significantly affected the industry. Operational risk management also covers several major risks such as ICT operation risks, process risks that include diagnosing processes of the entire company, monitoring the processes, and risk diagnoses across the organization. FRM, on the other hand, looks after credit risk, market risk, liquidity risk, legal compliance risk, environmental risk, etc.”
In 2013, Bangladesh Bank mandated that financial institutions should have a separate Risk Management Forum (RMF) and Risk Analysis Unit (RAU), which resulted in independent risk management roles (credit risk, market risk, liquidity risk, operational risk, reputational risk, etc.) across financial organizations in the subsequent years. This has later been expanded by the introduction of enterprise risk management.
Risk management is not a passive role. It is not limited to understanding and diagnosing risks; it also monitors the risks and the implementation of the initiatives taken to tackle them across the organization.
Organizations usually have separate units for ICT operation risks, monitoring, governance, process risk analysis, etc. Usually, a separate unit for incident analysis reviews and analyzes incidents in the organization and produces reports and recommendations to understand their root causes and solve these problems. For example, when a customer service failure happens, and the customer complains, this unit investigates what went wrong and provides a report with recommendations to prevent the same thing from happening in the future.
The ERM department is usually responsible for reviewing an organization's standard operating procedures (SOPs). When you are running an organization, SOPs are important. They dictate how the organization operates, how critical decisions are made, which rules are inviolable, and so on. The ERM department reviews these SOPs for the entire organization.
“We have some 58 units/departments in IDLC Group. All these units have SOPs. Each unit designs its own SOPs but we review them,” explains Mr. Sazzad. “Having a grasp of SOPs allows the ERM department to understand the operational mechanics of the organization, identify potential sources of risks, and empowers it to ensure check and balance.”
IDLC has a strong practice of corporate governance. The NBFI has built a culture and practices that facilitate transparency and accountability. On top of everything, it has consistently invested in building a strong ERM operation.
“When we started formal operational risk management operations at IDLC in 2018, we had a membership of the Institute of Operational Risks (IOR), the largest global body of ops risk management,” says Mr. Sazzad, indicating the importance his organization puts in risk management. “When we got the responsibility for the business continuity plan, we got another membership at the business continuity institute UK, the largest BCP body in the world. These memberships help us to adopt global best practices. IDLC has had a BCP policy since 2017 and we do at least one drill every year.”
ERM is an evolving field in the financial industry in Bangladesh. Multinational organizations such as SCB have played a pioneering role in bringing the practice into the industry early. Today, almost all local financial organizations have a structure for ERM. Bangladesh Bank has pushed for greater risk management initiatives over the years. It issued a revised guideline on risk management for banks in 2018; for NBFIs, the guideline came in 2013. Financial institutions are required to submit a quarterly risk management report to Bangladesh Bank.
While the discipline has grown in adoption and matured in practice, Mr. Sazzad suggests it still has a long way to go compared to global standards in the field. “It is an evolving discipline. There are guidelines now. Financial institutions are showing willingness and curiosity to execute it. While it will take time, we are in the right direction,” adds Mr. Sazzad.
The other important part of integrated enterprise risk management is the business continuity plan (BCP). As the name suggests, BCP helps organizations manage business disruptions.
Financial institutions are susceptible to various risks such as pandemics, man-made disasters, fires, earthquakes, and so on. Such disasters can lead to severe operational disruption and sometimes threaten the solvency and business continuity of the institution, which could adversely impact customer experience and the financial system as a whole. Therefore, BCP has become increasingly important. To implement BCP, you need a full-fledged, management-approved policy, and it must be communicated to everyone across the organization so that each person knows their role when an emergency disrupts regular operations.
Bangladesh Bank introduced a guideline on this in May 2015, the ICT security guideline for banks and NBFIs, which offers detailed guidance on business continuity: financial institutions must have a clear BCP, which must be tested and reviewed at least once a year to ensure its effectiveness.
Bangladesh Bank has a rating called the CAMEL rating that measures the business soundness of an organization, and one of the things it considers is BCP. The BASEL Committee issued a revised guideline titled “Revisions to the Principles for the Sound Management of Operational Risk” in March 2021. Of the twelve principles, one relates to BCP: banks should have a BCP in place to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruptions. It also recommends that the BCP be linked with the bank's operational risk management framework. The BASEL Committee is a global committee of banking supervisory authorities that was established by the central bank governors of the Group of Ten countries in 1974. The group has since expanded multiple times.
This is interesting because, as we discussed earlier, operational risk management is a detailed role in which you monitor all types of risk in your organization, from processes to people to systems to external events. Doing so gives you an understanding of what is going on across the organization, and when you tie it to BCP, the BCP becomes easier to manage, because you already have a thorough knowledge of the organization and its risks.
BCP is necessary so that an organization can limit its losses in the event of extraordinary challenges. Without a BCP, it can be challenging to serve your customers in a disaster situation.
“IDLC has tried to adopt the BASEL guidelines as best as we can both in terms of operational risk management and BCP”, explains Mr. Sazzad. “BASEL introduced another guideline for BCP in 2006 called high-level principles for business continuity. We have tried to implement the best practices from that guideline as well. In fact, we have integrated BCP with ERM even before the BASEL recommendation.”
BCP is everywhere. All kinds of organizations maintain a BCP; some call it an emergency plan, others use different names. Organizations also run BCP drills to simulate emergencies and check their readiness. Once a BCP is in place, the drill can be run.
BCP plans and drills help an organization understand its preparedness to continue its business and service during any unforeseen crisis such as natural calamities, strikes, fires, accidents, etc. BCP not only makes an organization compliant with prevailing regulations but also helps assess its readiness to deliver critical services to customers during crises.
How BCP works is fascinating. Mr. Sazzad offers an overview of how it works in practice.
“In a company, all services are not critical”, says Mr. Sazzad. “Moreover, in an emergency situation, you wouldn't be able to give all the services. You have to optimize to keep your essential services on. To do that the first thing you have to do is identify the essential process for all services. This is where the integration between BCP and ERM bears fruit. As we discussed earlier, ERM usually reviews SOPs across an organization. Since as a department ERM knows all the processes a company has as a manager of SOPs, ERM can identify the essential services, and identify the people who deliver these services more efficiently. After identifying these essential operational aspects, ERM puts together an essential team, which is called the skeleton team (ST), and we make sure that they can come to work/do their work when an emergency happens.”
Mr. Sazzad goes on to explain how BCP works in practice at IDLC. “We have some 359 employees of IDLC in this building — a sub-office of IDLC located in the Motijheel area of Dhaka. That is almost 22% of our total manpower. We have some 40 branches. We have a total of ~1,666 employees. Not all of these 359 employees are involved in delivering essential services. We have identified that we can run the essential operation with about 37% of the total employees who sit in this building.” So the first thing you do is identify essential people and processes to keep your operation functional and deliver optimal services to your customers.
In an emergency, people often don't know what to do. If there is a fire in your office, you run downstairs, but what happens after that? Do you leave, try to help, or wait? You don't know. But when you have a BCP, you are trained to operate during an emergency. Companies usually run BCP drills once every year to check preparedness and train people. “We usually run a BCP drill once every year,” says Mr. Sazzad. “It is similar to fire and other similar drills you see.”
Companies usually have a BCP manager who is the key responsible person for BCP operation. For instance, at IDLC Mr. Sazzad is the group BCP manager apart from his ERM role.
What generally happens is that when an emergency occurs at one of your locations, a branch or an office, you move your ST to a new location (the recovery site) from where you deliver services to customers. “For instance, we moved 131 people from this location in our last drill,” explains Mr. Sazzad. “We wanted to see whether we can keep the essential services on with the ST team. We found out that we could. The purpose of BCP is not perfection but to ensure you are able to function and deliver services.”
I asked Mr. Sazzad to give us a behind-the-scenes look into how BCP works in practice because, while the idea appears simple on paper, it has to be a complex process. You need involvement from across the organization, and that too within a short time. Unless you have an organization-wide framework to execute BCP, it is likely to fail. In response, Mr. Sazzad offered an example of a BCP drill his organization ran recently.
“I told you why we need BCP and that IDLC has a plan that we started in 2017, which we review every year,” says Mr. Sazzad. “Now how do we execute it? If I give you an example of our drill, it will be easier for you to grasp it.”
While drills are not real events, their purpose is to simulate real events. Organizations usually maintain a calendar for BCP drills, in which management informs the responsible unit beforehand about when a drill will happen. The date is kept confidential; otherwise, it would not be a genuine drill.
IDLC runs a quarterly BCP health check in which it verifies technical readiness: whether there are enough working PCs at each alternate location, whether people will be able to perform the essential tasks when they arrive, and so on. The ERM team maintains designated alternate locations for each of its locations. ERM also maintains a database of who takes over whose responsibilities during an emergency. Regardless of whether a drill is scheduled, these quarterly readiness checks ensure the company is prepared for emergencies at all times.
The other important element of BCP is the call tree. When management approves a drill, the call tree is activated early in the morning. For instance, if office hours start at 10:00 am, the call tree goes live at 7:00 am to test whether employees are ready that early. The CEO activates the call tree and informs the core BCP team, which includes the management team and a few other operations heads, about the drill. After the activation, messages are sent organization-wide with details about the drill and the emergency/recovery location. But not all employees go to the recovery site. For instance, if Gulshan is assigned as the recovery site for a certain branch, not everyone would go to Gulshan: everyone would be informed, but only the ST would go. IDLC also has a work-from-home option under which some people work from home. The ERM team maintains a list of people who will work from home based on their preference, and the IDLC IT team enables access for them in the morning. The people who move to the recovery site have dedicated desks there, called BCP owner desks, which are used by regular staff on normal days but vacated for them on drill days.
IDLC has a structure to execute BCP. There are people across the organization who are responsible for BCP, and committees and groups that carry out separate responsibilities. The CEO informs the core BCP management group (CBMG). After that comes the EBMG, the extended BCP management group, which is composed of department heads. The EBMG then informs the unit BCP coordinators (UBCs), who are trained by ERM. This distributed structure brings organization-wide buy-in and makes effective execution feasible.
“In the entire company, we have 58 UBCs”, explains Mr. Sazzad. “Each department nominates a unit BCP coordinator on their behalf because you can't communicate with everyone in an emergency. Instead, you communicate with the UBCs and UBCs communicate with their team. When the call tree is activated by the CEO, I inform the entire organization about the drill. As a result, everyone in the organization knows that today is the day and services will be managed from an alternate site. Everyone is also notified about where they will receive the services from. The ones who work from home start doing so on time. That is the model.”
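The cascade described above (CEO to CBMG to EBMG to UBCs to unit staff, with each person either joining the skeleton team, working from home, or simply being informed) can be modelled to see what a 7:00 am drill actually measures: who was reached, which branch of the tree went silent, and whether enough skeleton-team members per unit answered to staff the recovery site. The following is an added example, not IDLC's own system or any code the article describes; the tree, the names, the "backup" link (an alternate who inherits a coordinator's notification duty) and the outcome in which two coordinators do not answer are all constructed assumptions.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Tiers follow the article: CEO -> core BCP management group (CBMG) -> extended
# BCP management group (EBMG) -> unit BCP coordinators (UBC) -> unit staff.
# Modes: "ST" goes to the recovery site, "WFH" works from home, "INFORM" stays
# home. The backup link and the reachability outcome are assumptions here.

@dataclass
class Node:
    name: str
    role: str
    unit: str
    mode: str
    notifies: List["Node"] = field(default_factory=list)
    backup: Optional["Node"] = None  # assumed alternate who inherits the duty

@dataclass
class DrillResult:
    reached: List[str] = field(default_factory=list)
    unreached: List[str] = field(default_factory=list)
    not_notified: List[str] = field(default_factory=list)  # silent branches
    substitutions: List[Tuple[str, str]] = field(default_factory=list)

def _descendants(node: Node) -> Iterator[Node]:
    """Everyone below node in the tree, excluding node itself."""
    for child in node.notifies:
        yield child
        yield from _descendants(child)

def activate_call_tree(root: Node, is_reachable: Callable[[str], bool]) -> DrillResult:
    """Cascade the activation breadth first. A reached person notifies their list;
    an unreached person's backup inherits that duty if the backup answers, otherwise
    the whole branch below is recorded as not notified (the gap a drill must surface)."""
    result = DrillResult()
    queue, seen = deque([root]), set()
    while queue:
        node = queue.popleft()
        if node.name in seen:
            continue
        seen.add(node.name)
        if is_reachable(node.name):
            result.reached.append(node.name)
            queue.extend(node.notifies)
            continue
        result.unreached.append(node.name)
        if node.backup is not None and is_reachable(node.backup.name):
            result.substitutions.append((node.name, node.backup.name))
            if node.backup.name not in seen:
                seen.add(node.backup.name)
                result.reached.append(node.backup.name)
            queue.extend(node.notifies)
        else:
            for child in _descendants(node):
                if child.name not in seen:
                    seen.add(child.name)
                    result.not_notified.append(child.name)
    return result

def recovery_roster(result: DrillResult, root: Node) -> Dict[str, Dict[str, int]]:
    """Per-unit headcount of reached people by mode: who is at the site, who is at home."""
    nodes: Dict[str, Node] = {}
    for n in [root, *_descendants(root)]:
        nodes[n.name] = n
        if n.backup is not None:
            nodes[n.backup.name] = n.backup
    roster: Dict[str, Dict[str, int]] = {}
    for name in result.reached:
        node = nodes[name]
        roster.setdefault(node.unit, {"ST": 0, "WFH": 0, "INFORM": 0})[node.mode] += 1
    return roster

def coverage_gaps(roster: Dict[str, Dict[str, int]], required_st: Dict[str, int]) -> Dict[str, int]:
    """Units whose reached skeleton-team headcount falls short of the required minimum."""
    have = {unit: roster.get(unit, {}).get("ST", 0) for unit in required_st}
    return {unit: need - have[unit] for unit, need in required_st.items() if have[unit] < need}

def build_sample_tree() -> Node:
    """Constructed sample organisation; names and units are illustrative only."""
    ops_ubc = Node("ops_ubc", "UBC", "ops", "ST", backup=Node("ops_ubc_alt", "UBC", "ops", "ST"))
    ops_ubc.notifies = [Node("ops_1", "STAFF", "ops", "ST"), Node("ops_2", "STAFF", "ops", "WFH"),
                        Node("ops_3", "STAFF", "ops", "INFORM")]
    trs_ubc = Node("trs_ubc", "UBC", "treasury", "ST")  # no backup named for this coordinator
    trs_ubc.notifies = [Node("trs_1", "STAFF", "treasury", "ST"), Node("trs_2", "STAFF", "treasury", "WFH")]
    coo = Node("coo", "CBMG", "ops", "ST", notifies=[
        Node("ops_head", "EBMG", "ops", "ST", notifies=[ops_ubc]),
        Node("trs_head", "EBMG", "treasury", "ST", notifies=[trs_ubc])])
    return Node("ceo", "CEO", "exec", "ST", notifies=[Node("cro", "CBMG", "erm", "ST"), coo])

def run_sample_drill():
    """7:00 am activation with a constructed outcome: two coordinators do not answer."""
    unreachable = {"ops_ubc", "trs_ubc"}
    root = build_sample_tree()
    result = activate_call_tree(root, lambda name: name not in unreachable)
    roster = recovery_roster(result, root)
    return result, roster, coverage_gaps(roster, {"ops": 2, "treasury": 3})

if __name__ == "__main__":
    print(run_sample_drill())
```

In the constructed outcome the ops coordinator's backup picks up the cascade, so the ops unit is fully staffed, while the treasury coordinator has no backup and the two treasury staff never hear about the drill; the coverage report then shows treasury two skeleton-team members short of its minimum. That is the kind of finding the quarterly readiness check and the annual drill exist to surface before a real disruption does.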
That’s an excellent overview of how BCP works for the people within the organization but what happens to the customers who receive services from that branch office? You have closed your office and moved your people to alternate locations to keep your service open but how do you inform customers and how do you serve walk-in customers?
Mr. Sazzad explains: “What we do is that we put two notices signed by the CEO downstairs of our branch saying that we have a drill today and we've moved the service location to this new location. We also put together a desk with personnel outside of the office premise to help walk-in customers for proper routing. We also put a car on standby to help customers commute to the new location when such help is needed. Overall, we make sure that customers don't suffer and get the service without any hassle.”
Governance is at the heart of well-run corporations. Strong governance makes it possible to minimize risks. Weak governance can turn beautiful policies ineffectual.
IDLC has over 65,000 customers excluding customers through its recently launched MFS deposit product where the company says it has over 300,000 customers. IDLC has been in the market for over 36 years. During this period, the company never faced a challenge in serving customers because of its strong ERM initiatives.
“During the COVID when there was a huge liquidity crunch in the entire industry, we did not face any challenges,” explains Mr. Sazzad. “Because we have managed our risks accordingly. We have strong corporate governance. We are a compliant organization and we maintain all the regulatory parameters to the T. We have been consistent about these issues all the time. That's why we never had and I hope will never have financial risk issues. On credit risk, which is also related to the health of a financial organization, we are one of the organizations in the industry with the lowest NPL. Our excellent credit rating is a strength for us as an organization that tells you how secure your money is with IDLC.”
There are also market and foreign exchange risks, driven by macro- and microeconomic factors. “Our management and our risk management forums closely monitor these changes in the market so that we can prepare for any contingencies in the market and make sure of customer service,” says Mr. Sazzad. “There are technical and other risks that we always keep an eye on. Your credit risk is okay, but can you manage your operational risk well? Do you have control over systems, processes, people, and external event-related risks? These are important. It can be a threat to your entire organization.”
The other aspect of risk management is openness and constant learning. Every organization makes mistakes but you have to learn from your mistakes and design strategies to prevent the same mistakes from happening in the future.
“IDLC has a robust framework not only to manage credit and various financial risks but also an equally robust framework for managing operational risks,” says Mr. Sazzad. “We are probably one of the best in the industry in these areas. We set extremely high standards in these areas. We are now incorporating technology to better do these things. Our ERM team works closely with the senior leadership team and constantly shares findings and observations.”
IDLC has a five-person ERM team with people from relevant fields who hold degrees in finance, accounting and IT along with experience in audit. The company has built a distributed model of enterprise risk management. Operational risk management can’t be the responsibility of the CEO alone or of the ERM team alone; it has to be baked into how the organization operates. To that end, IDLC runs annual training for employees across the organization on various operational and business risks.
IDLC as an organization has built a name for its culture and excellent corporate governance practices. “Our management has established the culture,” says Mr. Sazzad. “We have unit operational risk managers (UORM) and branch operational risk managers (BORM) across the organization in a double-hatting role who help us to implement ERM throughout the organization.”
The company uses a framework similar to BCP for ERM where it has people from across the organizations who look after risk management operations. These responsibilities are not voluntary. They are included in the KPI of the individuals and are appraised every year. The portion related to ERM is appraised by the ERM Department. So the incentive is built into the system.
IDLC has toolkits for preparing monthly reports for unit operational risk managers and branch operational risk managers. They look into whether there are any risk events, loss events, or abnormal findings and send monthly reports to the ERM department. In addition, ERM team members conduct regular independent process risk analysis and incident analysis to identify and manage risk.
“We have about 56 UORM across the organization who send us these monthly reports covering the entire organization,” explains Mr. Sazzad. “Then our team sits down with all these reports, funnels them, and takes the important issues to different risk management forums within the IDLC. In order to make the entire thing effective you have to ensure ownership. We have done that. We have 40 branch managers across IDLC and subsidiaries, who provide a monthly report for their branches. So we know what's happening across the organization. We have established organization-wide control.”
Risk management should have organization-wide buy-in. It can’t be top-down. It has to be participatory. People from across the organization should have active participation in the process and should have incentives to enforce policies.
“I started my career in credit risk management,” says Mr. Sazzad. “I believe that if you want to understand risk and learn how to deal with risks, you have to work in the field and have the feel of how risk appears in reality. Having a theoretical understanding of risk management is one thing and seeing how it works, in reality, is a completely different thing. Applied understanding and knowledge are critical. You have to have an understanding of the prevailing rules in the country, the policy/guideline of your organization, and the nature of risk management in the industry.”
From my discussion with Mr. Sazzad what I gather is that culture and corporate governance are the two most important factors when it comes to risk management. Companies that have the right culture and proper governance manage risks better.
Mr. Sazzad agrees: “Risk management is a cultural phenomenon. You have to have the right culture. Strong governance. You have to have the right people who understand risk, are trained, and are empowered to make decisions. And you have to build transparency and accountability across the organization. Without the right culture, no good policies will work. You also need a strong MIS and robust system. IDLC is the first NBFI in the country to implement the core banking software in 2012. It has brought huge control on our overall operation.”
Every financial organization has a credit risk department, treasury unit, internal control, and compliance department. But you need an independent function outside of this which many banks call the risk management function under a chief risk officer (CRO). ERM is a concept where you monitor all the risks from an independent position. In many instances, we see that companies have the same people for operation and risk management. It creates a conflict of interest and misalignment of incentives. The maker and checker of a system can't be the same person. It has to be different people. You have all these departments and they have their policies but if you don't have an independent body outside of all these to manage your risk, you would not be able to manage your risk properly. Transparency will be lost.
“The role ERM plays at IDLC as a Department is that we work as a bridge across the organization”, explains Mr. Sazzad. “We work with every department in the organization. And organizations are not isolated bodies. Organizations are connected bodies. One problem in one department can affect every other department. So when you have a department that sees across the organization, it can help you better manage your risk.”
The second aspect is that you have to manage risk proactively. One approach is reactive: you manage risks after they happen, through audits, examinations, and so on. The other approach is to design processes and systems so that problems don't happen in the first place.
That said, mistakes will happen regardless of your proactive actions. You have to build processes to document these bad incidents and glean lessons from them. In most instances when an incident happens we talk about it for a few days, we work on it, and then we forget. But that’s not how we should deal with risks. There is a thing called institutional memory where you document everything in your organization and generate knowledge from it. You have to learn from everything. ERM plays an important role in creating this institutional memory. They document and share these learnings across the organization through various initiatives.
“At IDLC, we are trying to align ourselves with global best practices,” says Mr. Sazzad. “I believe this function will add significant value to any organization and to the industry as well. IDLC is a resilient organization. We can keep our service on in any disruptive situation. We have organizational strength. We manage our business risk and operational risks well so that we can offer our customers excellent experiences regardless of challenging events. BCP allows us to do it.”
IDLC was founded in 1985. The company has been operating in Bangladesh for more than 36 years. The company says it sees financing much more than a monetary transaction. Every transaction has a purpose and for IDLC, that purpose is happiness. “If we want to ensure customer happiness, we have to provide uninterrupted service to our customers”, says Mr. Sazzad. “If you want to provide excellent service to your customers, it doesn't work if you offer that service during normal times, you have to provide the same quality service in a disruptive time. This is important.”
IDLC is currently in the process of integrating technology to run its ERM and BCP initiatives. “When you are talking about BCP, you are talking about a lot of people”, says Sazzad. “You need to notify a lot of people at once. You need to move people from one place to another. It takes complex communication management. Going forward, we want to manage this whole thing with systems and tech. That's another milestone for IDLC that we are getting into automation in these areas. Customer focus is a key value of IDLC and ERM and BCP play an important role in ensuring excellent customer service amid operational challenges.”
For any organization, risk management operations should be independent and autonomous with sufficient power to enforce policies and rules. Many organizations blur these boundaries causing disastrous outcomes.
Cover photo: Unsplash