Personal Website of R.Kannan
Indian Banking Today & Tomorrow - Risk Assessment & Risk Management


RBI Guidelines on Risk-based Internal Audit (RBIA)

RBI has introduced Risk-based Supervision (RBS) as a system of random and more frequent inspections based on the risk profile of individual banks, replacing the regular annual inspection.

The RBS approach essentially entails allocating supervisory resources and paying supervisory attention in accordance with the risk profile of each institution. The approach is expected to optimize utilisation of supervisory resources and minimize the impact of crisis situations in the financial system. The RBS process essentially involves continuous monitoring and evaluation of the risk profiles of the supervised institutions in relation to their business strategy and exposures. This assessment will be facilitated by the construction of a Risk matrix for each institution.

To facilitate a smooth transition towards the new approach in supervision, RBI also issued guidelines to the commercial banks listing five preparatory steps to be implemented at their respective levels. One of these five steps is "Adoption of Risk focused Internal Audit".

Emphasising the need for Risk Based Internal Audit, RBI points out as under:

  1. The evolvement of financial instruments and markets has enabled banks to undertake varied risk exposures. In the context of these developments and the progressive deregulation and liberalisation of the Indian financial sector, having in place effective risk management and internal control systems has become crucial to the conduct of banking business. This is also significant in view of proposed introduction of the New Basel Capital Accord under which capital maintained by a bank will be more closely aligned to the risks undertaken and Reserve Bank's proposed move towards risk-based supervision (RBS) of banks. Under the proposed RBS approach, the supervisory process would seek to leverage the work done by internal auditors of banks. In this regard, the discussion paper on `Move towards risk-based supervision of banks' dated August 13, 2001 may be referred. Part II of the discussion paper clearly identifies five significant areas for action on the part of banks, including putting in place risk-based internal audit system by December 2002, to facilitate a smooth switchover to RBS.

  2. A sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. The audit function should provide high quality counsel to management on the effectiveness of risk management and internal controls including regulatory compliance by the bank. Historically, the internal audit system in banks has been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements. However, in the changing scenario such testing by itself would not be sufficient. There is a need for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in the banks.

  3. To achieve these objectives, banks will have to gradually move towards risk-based internal audit which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank's operations. The implementation of risk-based internal audit would mean that greater emphasis is placed on the internal auditor's role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk-based internal audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risks and play an important role in protecting the bank from various risks.

  4. The functions of the Risk Management Committee/ Department (RMC/RMD) and the role of risk-based internal audit need to be distinguished. The RMC/RMD focuses on areas such as identification, monitoring and measurement of risks, development of policies and procedures, use of risk management models, etc. The risk-based internal audit, on the other hand, undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring the inherent risks of the business activity. It needs to be emphasized that while formulating the audit plan, every activity/location of the bank, including the risk management function, should be subjected to risk assessment by the risk-based internal audit.

Policy for Risk-based Internal Audit

Under risk-based internal audit, the focus will shift from the present system of full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment. Banks will, therefore, need to develop a well defined policy, duly approved by the Board, for undertaking risk-based internal audit. The policy should include the risk assessment methodology for identifying the risk areas based on which the audit plan would be formulated. The policy should also lay down the maximum time period beyond which even the low risk business activities/locations should not remain unaudited.

Functional Independence of Internal Audit Department

The Internal Audit Department should be independent from the internal control process in order to avoid any conflict of interest and should be given an appropriate standing within the bank to carry out its assignments. It should not be assigned the responsibility of performing other accounting or operational functions. The management should ensure that the internal audit staff perform their duties with objectivity and impartiality. Normally, the internal audit head should report to the Board of Directors/Audit Committee of the Board.

The Board of Directors and top management will be responsible for having in place an effective risk-based internal audit system and ensure that its importance is understood throughout the bank. The success of internal audit function depends largely on the extent of reliance placed on it by the management for guiding the bank's operations.

Risk assessment

As indicated above, the risk-based internal audit undertakes risk assessment solely for the purpose of formulating the risk-based audit plan. The risk assessment would, as an independent activity, cover risks at various levels (corporate and branch; the portfolio and individual transactions, etc.) as also the processes in place to identify, measure, monitor and control the risks. The internal audit department should devise the risk assessment methodology, with the approval of the Board of Directors, keeping in view the size and complexity of the business undertaken by the bank.

The risk assessment process should, inter alia, include the following:

  1. Identification of inherent business risks in various activities undertaken by the bank.

  2. Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (`Control risk').

  3. Drawing up a risk-matrix for taking into account both the factors viz., inherent business risks and control risks. An illustrative risk-matrix is shown as a box item.

  4. The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out. The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of controls in various business activities. In order to focus attention on areas of greater risk to the bank, an activity-wise and location-wise identification of risk should be undertaken.

  5. The risk assessment methodology should include, inter alia, the following parameters:

     - Previous internal audit reports and compliance
     - Proposed changes in business lines or change in focus
     - Significant change in management / key personnel
     - Results of latest regulatory examination report
     - Reports of external auditors
     - Industry trends and other environmental factors
     - Time lapsed since last audit
     - Volume of business and complexity of activities
     - Substantial performance variations from the budget

For the risk assessment to be accurate, it will be necessary to have in place proper MIS and data integrity. The internal audit function should be kept informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices/policies etc. The risk assessment should invariably be undertaken on a yearly basis. The assessment should also be periodically updated to take into account changes in business environment, activities and work processes, etc.

The banks may prepare a Risk Audit Matrix as shown below:

Inherent business risks indicate the intrinsic risk in a particular area/activity of the bank and could be grouped into low, medium and high categories depending on the severity of risk.

Control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in the existing control processes. The control risks could also be classified into low, medium and high categories.

In the overall risk assessment both the inherent business risks and control risks should be factored in. The overall risk assessment as reflected in each cell of the risk matrix is explained below:

  A. High Risk: Although the control risk is low, this is a High Risk area due to high inherent business risks.

  B. Very High Risk: The high inherent business risk coupled with medium control risk makes this a Very High Risk area.

  C. Extremely High Risk: Both the inherent business risk and control risk are high, which makes this an Extremely High Risk area. This area would require immediate audit attention, maximum allocation of audit resources besides ongoing monitoring by the bank's top management.

  D. Medium Risk: Although the control risk is low, this is a Medium Risk area due to medium inherent business risks.

  E. High Risk: Although the inherent business risk is medium, this is a High Risk area because of control risk also being medium.

  F. Very High Risk: Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.

  G. Low Risk: Both the inherent business risk and control risk are low.

  H. Medium Risk: The inherent business risk is low and the control risk is medium.

  I. High Risk: Although the inherent business risk is low, due to high control risk this becomes a High Risk area.

The banks should also analyse the inherent business risks and control risks with a view to assess whether these are showing a stable, increasing or decreasing trend. Illustratively, if an area falls within cell 'B' or 'F' of the Risk Matrix and the risks are showing an increasing trend, these areas would also require immediate audit attention, maximum allocation of audit resources besides ongoing monitoring by the bank's top management (as applicable for cell 'C'). The Risk Matrix should be prepared for each business activity/location.

All banks need to put in place an independent risk assessment system in the internal audit department for focusing on the material risk areas and prioritizing the audit work. The methodology may range from a simple analysis of why certain areas should be audited more frequently than others in the case of small sized banks undertaking traditional banking business, to more sophisticated assessment systems in large sized banks undertaking complex business activities.


[Page updated last on 10.11.2004]