Execution of internal control functions of the second line of defense. Methodological journal "Internal control in a credit institution"

Lyubov Nisenboim, Director of Corporate Governance, Risk Management and Compliance, PricewaterhouseCoopers
Magazine "Consultant", No. 13 for 2011

Many companies spend huge amounts of money on projects to improve business efficiency, but the result still leaves much to be desired. How to maximize the efficiency of investments and current operations? What is the role of risk management in the process of company management? How to build a business in which risk management is an integral part of all processes performed by company employees?

Implementing an effective risk management system can make a company more resilient to risk. However, for such a system to work, it is very important to clearly understand and effectively allocate roles and responsibilities within the company, which will facilitate managerial decision-making based on complete information about risks.

Only by relying on this solid foundation can companies effectively deal with risk factors.

In response to increased shareholder scrutiny, most Russian companies have created separate risk management departments. This significantly raised the status of risk management in the eyes of management and the board of directors, but new problems also appeared.

When responsibility for risk management is transferred to a separate function, other business units usually step back from it. As a result, some risks inevitably fall out of sight, which can lead to devastating consequences.

PwC held the second business breakfast for risk managers and specialists in the field on the topic "Risk Management is Everyone's Responsibility". More than 60 people took part in the event.

Figure 1. What is the level of senior management support for risk management in your company?

The main question posed to the participants was how risk management activities can be organized so that they become part of the daily work of every employee of the company. They shared their experience in strengthening the so-called three lines of defense in the interaction model in the risk management system, and also discussed the roles and responsibilities for each of the lines of defense.

Risk management is everyone's responsibility

Risk management is not a new process for Russian companies. Many of them implement comprehensive risk management systems that are in no way inferior to the best world practices. The companies that have benefited the most from the implementation argue that creating a company-wide approach to risk management can often require a review of the roles and responsibilities of managers and employees, and sometimes the entire organizational structure of the enterprise.

According to a PwC survey of global CEOs, the majority of them plan to make significant changes to risk management rather than to any other element of their corporate strategy, organizational or operating model. However, when we asked participants at the risk management business breakfast about the actual level of management support for the risk management system in their companies, only 35% described the current level of support as sufficient.

During the discussion, the participants noted the importance of the participation of management in the development of the risk management system and the formation of a company culture that determines the sequence of actions of employees and the adoption of certain decisions in their daily activities, taking into account existing risks.

However, for the effective functioning of the risk management system, management support alone is not enough. It is necessary to establish an interaction model that would clearly articulate and delineate roles and responsibilities in the risk management system. The board of directors and senior management of the company should oversee the implementation and effective operation of the three lines of defense. This model defines the functions, duties and responsibilities of business units, risk management and control functions and internal audit functions within the risk management system.

Raising a risk management culture, or Three lines of defense

First line of defense

How to strengthen the responsibility of management and structural units?

Management and business units form the first line of defense through controls designed to ensure that risk management is integrated into the company's decision-making and key business operations. Structural divisions are the owners of risks and are responsible for identifying, analyzing, managing, reducing the level of risks and reporting on key risks.

Figure 2. What is the level of involvement of structural divisions in the risk management process in your company?

When asked about the involvement of structural units in the risk management process, only a quarter of the participants answered that structural units in their organization are actively involved in this process, i.e. they really identify risks in a timely manner, prepare the necessary reports and implement measures to manage them. And while many employees may be reluctant to respond to requests from the risk management function, it is worth noting that the level of employee involvement in the risk management process is significantly higher than before.

Interesting conclusions can be drawn from the participants' vote on how roles and responsibilities within the risk management system are fixed in their companies. In most companies where business units are reluctant to take responsibility for risk management or are passive in this process, these roles and responsibilities are either not documented at all or are documented in a risk management policy or regulation that many employees do not even know exists. Often this is one of the main reasons why business units are inactive, reluctant to participate, or do not fully understand their role in risk management. As the practice of working with large Russian organizations shows, these roles and responsibilities are rarely spelled out in job descriptions. Only 21% of respondents answered that they are documented and implemented.

Figure 3. How are the roles and responsibilities within the risk management system in your company defined?

Second line of defense

What is the role of a modern risk management unit?

These divisions explain the corporate concept of risk and set standards for risk management, including associated processes, technology and culture. These authoritative, independent, centralized units should monitor the activities of other structural units within the boundaries of the risk management system and analyze the risk information received from them. The functions of a typical risk management unit include advising, coordinating, supporting and training company employees in the area of risk management.

If the competence of this unit includes responsibility for the timely identification, assessment of risks and risk management, the risk management system will not function effectively. When we asked what the role of a modern risk management function really should be, the following functions were listed:

  • development and implementation of a methodological approach to risk management;
  • coordination of the company's actions in the field of risk management;
  • advising and methodological support of the company's divisions on risk management issues;
  • coordination and preparation of risk reporting;
  • training employees on risk management;
  • monitoring the implementation of the risk management action plan by structural units, coordinating work with the internal audit service;
  • development and implementation of measures to improve the risk management system.

The third line of defense, or How to organize an independent assessment of the results of risk management?

The organization's third line of defense includes internal auditors and the board of directors. The internal audit service gives an independent opinion that the company manages risk properly and its risk management system is effective. The Board of Directors accepts this opinion as a guide to action and allocates the necessary resources to the internal audit service. Under the supervision of the audit committee, the internal audit function evaluates risk management resources, reviews corporate governance procedures, assesses corporate governance performance, and tests problem escalation procedures.

Figure 4. Which measure to strengthen the risk management system can bring the greatest benefit to your company?

The board of directors sets the tone for the risk management process, assesses and approves the level of risk an organization is prepared to take, taking into account the strategic goals and objectives in the field of risk management (“risk appetite”). The Audit, Risk Management and Remuneration Committees assist the Board of Directors in providing overall oversight of the effectiveness of the organization's risk management system.

During the discussion in the groups, the participants of the business breakfast pointed out the importance of interaction between internal auditors, the risk management department, management and the board of directors. However, they stressed that the lack of clear separation of responsibilities between internal audit staff and risk management, which is often part of the internal audit function, can hinder this.

Summary and next steps

To wrap up the discussion, we asked participants what they thought would be the most beneficial measure for the company. More than a third of all participants felt that it was the interaction between risk management and other business units that could bring the greatest benefit to the organization. A quarter of participants noted that securing accountability within the risk management system through the implementation of KPIs can also benefit the organization and strengthen a risk-based culture.

It should be added that only the cumulative implementation of all the proposed measures can bring real benefits to organizations in the Russian market.

At events held by PwC, the question of the benefits of implementing integrated risk management systems is raised quite often. The opinions of the leaders themselves and of employees of the relevant departments seemed very interesting to us.

Forty percent of participants noted that over the past year, the implementation of a risk management system has contributed to strengthening the corporate image of their companies. According to another third of the participants, this system helps to increase the efficiency and transparency of reporting for shareholders. Both of these options point to intangible benefits from the implementation of a risk management system, which, of course, also brings certain benefits to the company.

Figure 5. Which measure to strengthen the risk management system can bring the most benefits in your company?

However, what is expected first of all from the introduction of a risk management system is tangible results: a real reduction in uncertainty, loss prevention and cost reduction. Only 19% of participants noted exactly this benefit (15% reduction in financing costs and 4% reduction in insurance premiums). Does this result mean that the risk management system does not create benefits for companies operating in Russia that can be measured in money? Rather, it may be dictated by the fact that organizations do not always clearly articulate the goals of implementing a risk management system and, accordingly, it is not always possible to measure these benefits.

Ministry of Education and Science of the Russian Federation

NOVOSIBIRSK STATE UNIVERSITY OF ECONOMICS AND MANAGEMENT "NINH"

TO PROTECTION

Department head

17.06.2015

THESIS

In the specialty of higher professional education

Management in an organization

Management of risks

Contractor: A.A. Akulova, student gr. MOP1LI

Novosibirsk 2015

Introduction

Today, risk is an integral characteristic of banking. It plays a decisive role in shaping the financial performance of banks, serves as an important characteristic of the quality of banks' assets and liabilities, and thus should be used in a comparative analysis of their financial condition and position in the banking services market.

Risks are everywhere and always, so no matter what we do, assessing our decisions in terms of risks is important and necessary in any case. Even when it comes to personal affairs and plans, the risks must be weighed. Of course, in the financial sector, risks come to the fore, because huge amounts of information circulate here and a huge number of decisions are made. One of the most important tasks of risk management is the development and implementation in daily processes of decision-making tools - risk assessment models. These models are based primarily on statistics. Therefore, Sberbank is an absolute paradise for any mathematician-modeler, because the amount of customer data is unprecedented. Now more than 600 models of various levels of complexity have been introduced into the process and are working. It is very important that the model not only exist, but also be used in real processes, helping to make risk-weighted decisions. All models work and show high predictive ability.

Sberbank has implemented the “classic” concept of three lines of risk protection. The first line of defense is those employees who directly communicate with customers or with documents. The first line of defense is not just big words. A lot depends on the professionalism and responsibility of these people - after all, it is they who see the “live” client and “real” documents. The second line of defense is risk management. More than 4,000 employees now work in the Risks block — these are underwriters in all business lines (people who carry out independent risk assessment) and methodologists. The third line of defense is the internal audit service, which regularly reviews all processes and procedures in the bank, including risk management processes.

The main banking risk, especially in Russian practice, is credit risk. Managing this risk is a key factor in determining the effectiveness of the bank. This is the risk of non-repayment or untimely repayment of the loan to the asset holder, who in this case will suffer financial losses. This determines the relevance of the thesis topic.

The amount of credit risk can be influenced by both macro- and microeconomic factors. In an environment where the economy is unstable, legislation is imperfect, and in many cases contradictory, it is very important to have an effective credit risk management system. Therefore, the bank must develop a credit policy, a documented scheme of organization and a system of control over credit activities.

The object of study is the Novosibirsk branch 8047/0386 of Sberbank of Russia OJSC.

The purpose of this work is to study the theoretical foundations and analyze credit risks in an organization using the example of the Internal Structural Unit of Sberbank of Russia OJSC No. 8047/0386 (hereinafter referred to as VSP).

To achieve this goal, it is necessary to solve the following tasks:

1. Consider the theoretical foundations of credit risk;

2. Show credit risk management system;

3. Analyze the credit risk analysis methodology;

4. Present an analysis of credit risk management using the example of VSP 8047/0386;

5. Analyze the main shortcomings in credit risk management;

6. Determine areas for improving credit risk management.

The following methods were used in the final qualifying work: system analysis, participant observation and document analysis.

The practical significance of the work lies in the fact that the results obtained during the study and the conclusions based on them can be directly used in the work of VSP 8047/0386 of Sberbank of Russia OJSC. With successful adaptation and identification of a real economic effect, it is possible to spread this practice throughout the branch networks of JSC Sberbank of Russia.

1. THEORETICAL FOUNDATIONS OF CREDIT RISKS

1.1 Nature and structure of credit risks

Credit operations of commercial banks are one of the most important types of banking activities. In the financial market, lending retains its position as the most profitable asset of credit institutions, although the most risky. Credit risk, therefore, has been and remains the main type of banking risk.

Credit risk is the risk of default on credit obligations to a third party credit institution, which also means that payments may be delayed or not paid at all, which, in turn, may lead to cash flow problems and adversely affect the bank's liquidity. Despite innovations in the financial services sector, credit risk is still the main cause of banking problems. More than 80% of the content of the balance sheets of the bank is usually devoted to this particular aspect of risk management. The danger of this type of risk arises when carrying out loan and other equivalent operations, which are reflected on the balance sheet, and may also be of an off-balance sheet nature.

These operations include:

  • granted and received credits (loans);
  • placed and attracted deposits;
  • other placed funds, including claims for receipt (return) of debt securities, shares and promissory notes provided under a loan agreement;
  • discounted bills;
  • payment by a credit institution to a beneficiary under bank guarantees not recovered from the principal;
  • monetary claims of a credit institution under financing transactions against the assignment of a monetary claim (factoring);
  • the credit institution's claims under the rights acquired under the transaction (assignment of the claim);
  • credit institution's claims on mortgages purchased on the secondary market;
  • credit institution's claims under transactions of sale (purchase) of financial assets with deferred payment (delivery of financial assets);
  • claims of a credit institution to payers under paid letters of credit (in terms of uncovered export and import letters of credit);
  • requirements for the counterparty to return funds under the second part of the transaction for the acquisition of securities or other financial assets with the obligation to sell them back if the securities are unquoted;
  • claims of a credit institution (lessor) against a lessee under financial lease (leasing) operations.

The effectiveness of risk assessment and management is largely determined by its classification.

Acceptance of credit risks is the basis of banking, and their management is traditionally considered the main problem of the theory and practice of banking management. The following types of credit risks can be distinguished: direct credit risk; conditional risk of lending; the risk of non-fulfillment by the counterparty of the terms of the contract; issuance and placement risk; clearing risk. Consider the classification features of credit risks in Table 1.1.

Table 1.1 - Classification features of credit risks

Depending on the scope of the factors, internal and external credit risks are distinguished; depending on the degree of connection of the factors with the activity of the bank, credit risk is either dependent on or independent of the activity of the bank.

There are also the following risk groups:

Group of "risks associated with the borrower": the risk of default by the borrower of its obligations; country (region) risk; the risk of limiting the transfer of funds; concentration risk.

Group of "Internal risks": risks of non-payment of principal and interest; borrower replacement risk relates primarily to capital market transactions; credit risk.

The bank credit risk factor is the cause of possible losses in the value of the bank's assets, which determines their nature and scope. The study of bank credit risk factors should be approached comprehensively, highlighting the reasons that are in the field of the bank's credit policy, the economic activity of the borrower and the general economic condition of the industry, region, state as a whole.

Thus, in general, it is obvious that credit risk is caused by the probability of non-fulfillment by banks' counterparties of their obligations, which, as a rule, manifests itself in the non-repayment (in full or in part) of the principal and interest on it within the terms established by the agreement.

In general, banking risks are divided into four categories: financial, operational, business and extraordinary risks. Financial risks, in turn, include two types of risks: pure and speculative. Pure risks mean the possibility of a loss or a zero result. Speculative risks are expressed in the possibility of obtaining both positive and negative results.

Financial banking risks include:

Losses incurred by the credit institution as a result of non-fulfilment, untimely or incomplete fulfillment by the debtor of financial obligations to the credit institution in accordance with the terms of the contract.

These financial liabilities may include the obligations of the debtor for:

  • loans received, including interbank loans (deposits, loans), other placed funds, including claims for receipt (return) of debt securities, shares and promissory notes provided under a loan agreement;
  • promissory notes accounted for by the credit institution;
  • bank guarantees under which the funds paid by the credit institution have not been reimbursed;
  • financing transactions against the assignment of a monetary claim (factoring);
  • the rights (claims) acquired by the credit institution under a transaction (assignment of a claim);
  • mortgages acquired by a credit institution in the secondary market;
  • transactions of sale (purchase) of financial assets with deferred payment (delivery of financial assets);
  • letters of credit paid by a credit institution (including uncovered letters of credit);
  • return of funds (assets) under a transaction for the acquisition of financial assets with the obligation of their reverse alienation;
  • requirements of a credit institution (lessor) for financial lease (leasing) operations.

A characteristic feature of credit risk is that it arises not only in the process of granting a loan and receiving interest on it, but also in connection with other balance sheet and off-balance sheet obligations, such as guarantees, acceptances and investments in securities.

The concentration of credit risk manifests itself in the provision of large loans to an individual borrower or a group of related borrowers, and also as a result of the affiliation of the debtors of a credit institution either to certain sectors of the economy or to geographical regions or in the presence of a number of other obligations that make them vulnerable to the same economic factors.

Credit risk increases when lending to persons related to a credit institution, i.e. granting loans to individuals or legal entities that have real opportunities to influence the nature of decisions made by the credit institution on the issuance of loans and on lending conditions, as well as persons whose decision-making can be influenced by the credit institution.

Credit risk, i.e. the risk that the debtor will not be able to make interest payments or repay the principal amount of the loan in accordance with the terms specified in the loan agreement, is an integral part of banking. Credit risk means that payments may be delayed or not paid at all, which in turn could lead to cash flow problems and adversely affect the bank's liquidity. Despite innovations in the financial services sector, credit risk is still the main cause of banking problems. More than 80% of the content of bank balance sheets is usually devoted to this particular aspect of risk management.

Because of the dangerous consequences of credit risk, it is important to conduct a comprehensive review of the bank's ability to assess, administer, oversee, control, execute and recover loans, advances, guarantees and other lending instruments. A general review of credit risk management includes an analysis of the bank's policies and practices.

This analysis should also determine the adequacy of the financial information received from the borrower, which was used by the bank when making a decision to grant a loan. The risks associated with each loan should be reassessed periodically as they tend to change.

Operational risk is the risk of direct or indirect losses from illegal and erroneous internal processes of the bank or external events.

Events within the VSP include:

  • ineffectiveness / inefficiency of the processes of the bank's divisions;
  • failures, downtime of IT systems;
  • unintentional errors or deliberate violations by personnel.

The external events of the VSP include:

  • natural disasters;
  • changes in regulatory requirements;
  • actions of third parties.

Three fundamentally different approaches are used to determine the size of operational risk:

BIA (Basic Indicator Approach) - approach based on a basic indicator: the calculation of operational risk is based on the dependence on the organization's income - the average gross income for 3 years is taken and included in capital with a 10-fold increase.

SA (Standardized Approach) - a standardized approach: depends on the amount of income in the context of activities (table 1.2).

Table 1.2 - Line of business ratio

AMA (Advanced Measurement Approaches) - an advanced approach to assessing operational risks: operational risk is calculated based on data on incurred and potential losses; takes into account the organization's work in the field of operational risk management. The AMA provides more accurate estimates that reflect the amount of expected and unforeseen losses for a given organization.

The choice of approach remains with the bank. As information and technology advances, banks can move from a simple BIA approach to a more complex AMA, and develop their own approach.

It is important that all divisions of the bank manage operational risk, since operational risk is not specific to any one area and is realized in all processes of the bank, and losses from the realization of operational risk can be very significant and even catastrophic.

Table 2.1 - Stages of operational risk management

These stages (Table 2) of identifying operational risks and managing them involve a complete analysis of all conditions for the functioning of the bank for the presence or prospect of operational risks, their assessment by various methods (approaches), as well as their monitoring, control and minimization of operational risks.

The management of various operational risks is associated with the factors influencing these risks, as well as methods for obtaining assessments, statistical data that contribute to more accurate tracking of the causes and consequences of actions that led to the emergence of operational risks.

The consequences of operational risks associated with the illegal issuance of cards and the commission of fraudulent actions with them are (Table 3): an increase in the level of customer dissatisfaction, refusal to cooperate, a decrease in market share, and a decrease in bank income.

Table 3.1 - Manifestation of operational risk in remote customer service channels

Currently, the most widely used remote channel for servicing bank customers is Mobile Banking (MB), a service provided by Sberbank of Russia OJSC that allows customers to get information about all card transactions, as well as make payments, transfers and other operations using a mobile phone anytime, anywhere.

The MB service is popular with customers, but it also comes with operational risks.

The main reasons for clients to apply for unauthorized debiting of funds from a credit card using the MB service are:

  • illegal connection of the "MB" service to the client's card;
  • untimely deactivation of the service when the phone is lost or the number is changed;
  • fraudulent activities (presumably through the personal account of mobile operators and online stores, malicious viruses).

According to VSP 8047/0386 of Sberbank of Russia, for the period from 04/01/2014 to 04/31/2015 there were 56 customer requests concerning the "MB" service; the peak occurred in April 2015, with 13 requests. An analysis of the 56 requests was carried out: 98% of them are related to unauthorized debiting of funds from credit cards through MB, and the amount of damage amounted to 153,355 rubles.

At the beginning of the second quarter of 2015, the number of fraudulent activities with credit cards through the MB service increased by 2.6 times compared to the same period of the previous year. The growth of precedents associated with the "MB" service is primarily due to an increase in the number of users.

After analyzing the dynamics of requests from bank customers, we can conclude that dissatisfaction with and distrust in the banking system are growing, which increases its financial and reputational damage. Therefore, a program is needed that will include the following measures:

  • Increasing attention to information security issues, developing an information security system, a corporate anti-virus system, training IT personnel capable of monitoring information flows and their safety.
  • Improving the IT literacy of employees and customers of the bank. The introduction of information technology should be accompanied by training and advanced training courses for bank employees, who, in turn, should inform customers about the possibilities and dangers of the systems used.
  • Improving methods for determining operational risk, identifying individual approaches.

Business risk is one of the main characteristics of the activities of a commercial enterprise in conditions of uncertainty and the possibility of adverse consequences in case of failure.

Extraordinary risks include all types of exogenous risks that jeopardize the bank's operations or may undermine its financial condition and capital adequacy. Among such risks are political events (for example, the fall of the government), the spread of a chain reaction of the crisis as a result of bank failure or stock market crash, the crisis of the banking system, natural disasters, civil wars. In most cases, extraordinary risks are unpredictable until the very last moment. Therefore, the bank has no means of counteracting these risks other than maintaining additional reserve capital. The line between extraordinary and systemic (country) risk is often very blurry.

1.2 Principles and methods of credit risk management

The risk management system satisfies the following basic principles:

Risk awareness. The risk management process affects every employee in organizations. Decisions to conduct any operation are made only after a comprehensive analysis of the risks at the level of organizations arising from such an operation. Employees of organizations that perform transactions exposed to risks are aware of the risk of transactions and carry out the identification, analysis and assessment of risks before performing transactions. Organizations have regulatory documents that regulate the procedure for performing all operations subject to risks. Conducting new banking operations in the absence of regulatory, administrative documents or relevant decisions of collegiate bodies regulating the procedure for their completion is not allowed.

Separation of powers. Organizations have implemented management structures in which there is no conflict of interest: at the level of the organizational structure, the divisions and employees responsible for conducting operations exposed to risks, for accounting for these operations, and for managing and controlling risks are separated.

Risk control. The Bank's management and collegial bodies regularly receive information about the level of accepted risks and facts of violations of the established risk management procedures, limits and restrictions. At the level of the organization, an internal control system operates that allows effective control over the functioning of the risk management system of each department.

The need to provide "three lines of defense". Collective responsibility is established for risk-taking actions:

Risk acceptance (1st line of defense): Business units should strive to achieve the optimal combination of return and risk, follow the set development goals and the ratio of return and risk, monitor risk-taking decisions, take into account the risk profiles of clients when making operations/transactions, implement and manage business processes and tools, participate in risk identification and assessment processes, comply with the requirements of internal regulatory documents, including in terms of risk management;

Risk management (2nd line of defense): Risk and Finance functions develop risk management standards, principles, limits and restrictions, monitor the level of risks and prepare reports, check the compliance of the risk level with risk appetite, advise, model and aggregate the overall risk profile;

Audit (3rd line of defense): the internal and external audit functions conduct an independent assessment of the compliance of risk management processes with established standards and an external assessment of risk-taking decisions.

Combination of centralized and decentralized approaches to risk management. Sberbank combines centralized and decentralized risk management approaches. The authorized collegial bodies of the Bank for risk management determine the requirements, restrictions, limits, methodology in terms of risk management for territorial banks and organizations. Territorial banks carry out risk management within the limits and powers established for them by authorized bodies and/or officials.

Formation of high-level risk committees.

High-level dedicated committees make risk management decisions;

The system of committees is formed taking into account the structure of the Group's business model.

The need to ensure the independence of the risk function.

Ensuring the independence of the relevant divisions for risk assessment and analysis from the divisions performing operations/transactions subject to risks;

Inclusion of the Risk function in the decision-making process at all levels, involvement of the Risk function both in the high-level strategic decision-making process and in risk management at the operational level;

Ensuring the independence of the validation function.

The use of information technology.

The risk management process is based on the use of modern information technologies. Organizations use information systems to identify, analyze, evaluate, manage and control risks in a timely manner.

Continuous improvement of risk management systems. Organizations are constantly improving all elements of risk management, including information systems, procedures and methods, taking into account strategic objectives, changes in the external environment, and innovations in the world risk management practice.

Management of the bank's activities, taking into account the accepted risk. The organization assesses the adequacy of the capital at its disposal, that is, internal capital (hereinafter IC), to cover accepted and potential risks. Internal procedures for assessing capital adequacy (hereinafter ICAAP) also include capital planning procedures based on the established development strategy of the bank, business growth targets and the results of a comprehensive current assessment of these risks, and stress testing of the bank's stability in relation to internal and external risk factors. The Group identifies priority areas for the development and allocation of capital using the analysis of risk-adjusted performance indicators of individual divisions and lines of business. The Group includes risk metrics in the consolidated Business Plans.

Limitation of accepted risks by setting limits within the framework of the established system of limits. The Group has a system of limits and restrictions that makes it possible to ensure an acceptable level of risk for the organization's aggregated positions. The bank's limit system has a multi-level structure:

The overall limit for the bank, which is set based on the risk appetite determined in accordance with the risk management strategy;

Limits on types of risks material for the Group (for example, limits on credit and market risks);

Limits for member organizations of the Group, structural subdivisions of member organizations of the Group responsible for taking risks that are significant for the Group;

Limits for individual borrowers (counterparties), for trading portfolio instruments, etc.

The methodology for identifying, assessing and managing risks in divisions is formed on the basis of the unified methodological approaches used within Sberbank.

To manage credit risk, the following management methods are used, which are presented in Fig. 1.

Fig. 1 - Credit risk management methods

The main methods of credit risk management include:

1) methods for quantitative risk assessment;

2) methods to prevent the occurrence of credit risks;

3) methods for reducing credit risks.

Quantitative analysis involves calculating the numerical values of individual risks and of the risk of the object as a whole, assessing the possible consequences of risky measures, and developing a system of measures to prevent them.

Quantification methods include: probabilistic, indirect, analytical, statistical, scoring, expert and combined methods.

1. Statistical methods

1.1. Estimation of execution probability.

The essence of this method is to calculate the share of completed and non-executed decisions in the total amount of decisions made, which makes it possible to assess the probability of the execution of any decision.

1.2. Analysis of the probable distribution of the flow of payments.

With a known probability distribution for each element of the payment flow, possible deviations of the values of the payment flows from the expected ones are estimated. The stream with the least variation is considered the least risky.

1.3. Decision trees.

Usually used to analyze the risks of events that have a foreseeable or reasonable number of development options.

1.4. Simulation modeling of risks.

This method involves conducting computer experiments with mathematical models. It is used in cases where real experiments are unreasonable, costly, or not feasible in practice. If the information is insufficient, then the missing actual data are replaced by the values obtained during the simulation experiment (i.e., computer generated).

1.5. RiskMetrics technology.

Used to assess the risk of the securities market. The degree of risk is assessed by calculating the maximum possible potential change in the price of a portfolio consisting of a different set of financial instruments with a given probability and for a given period of time.

The main advantages of statistical methods include the ability to take into account various risk factors and scenarios. The main disadvantage of these methods is the need to use probabilistic characteristics in them.

2. Analytical methods

2.1. Sensitivity analysis.

This method involves the study of the dependence of some resulting indicator on the variation of the values of the indicators involved in its determination.

2.2. A method for adjusting the discount rate for risk.

This method is most often used in practice. It consists in adjusting some basic discount rate, which is considered risk-free. The adjustment is made by adding the required risk premium.

2.3. Method of equivalents.

This method allows you to adjust the expected values of the payment stream by introducing special reduction factors (a) in order to bring the expected receipts to the values of payments, the receipt of which is practically beyond doubt and the values of which can be reliably determined.

2.4. Scenario method.

It is, in fact, a more advanced method of sensitivity analysis. It allows you to combine the study of the sensitivity of the resulting indicator with the analysis of probabilistic estimates of its deviations.

Analytical methods are mainly used in risk assessment of investment projects.
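The risk-adjusted discount rate (2.2), the method of equivalents (2.3) and sensitivity analysis (2.1) can be compared on one project. The following is an added example, not part of the original text; the project figures, rates and reduction factors are constructed, and all function names are hypothetical.

```python
# Added example (not from the source): three analytical methods from the list
# above applied to one constructed investment project. All figures are assumed.

INITIAL_OUTLAY = 1000.0                        # constructed sample value
EXPECTED_FLOWS = [400.0, 400.0, 400.0, 400.0]  # constructed expected receipts, years 1..4
RISK_FREE_RATE = 0.08                          # assumed base (risk-free) discount rate
RISK_PREMIUM = 0.06                            # assumed risk premium
REDUCTION_FACTORS = [0.95, 0.90, 0.85, 0.80]   # assumed reduction factors (a), years 1..4


def present_value(flows, rate):
    """Discount end-of-year flows (year 1, 2, ...) at a constant annual rate."""
    if rate <= -1.0:
        raise ValueError("discount rate must be greater than -100%")
    return sum(cf / (1.0 + rate) ** year for year, cf in enumerate(flows, start=1))


def npv(outlay, flows, rate):
    """Net present value: discounted receipts minus the initial outlay."""
    return present_value(flows, rate) - outlay


def npv_risk_adjusted_rate(outlay, flows, base_rate, premium):
    """Method 2.2: keep the expected flows, raise the discount rate by a premium."""
    return npv(outlay, flows, base_rate + premium)


def npv_certainty_equivalents(outlay, flows, factors, base_rate):
    """Method 2.3: scale each flow by its reduction factor, discount risk-free."""
    if len(flows) != len(factors):
        raise ValueError("one reduction factor is needed per flow")
    if any(not 0.0 <= a <= 1.0 for a in factors):
        raise ValueError("reduction factors must lie in [0, 1]")
    certain_flows = [a * cf for a, cf in zip(factors, flows)]
    return npv(outlay, certain_flows, base_rate)


def sensitivity_to_flows(outlay, flows, rate, shifts):
    """Method 2.1: NPV when every receipt deviates by the given relative shift."""
    return {s: npv(outlay, [cf * (1.0 + s) for cf in flows], rate) for s in shifts}


def breakeven_flow_shift(outlay, flows, rate):
    """Relative change in receipts at which NPV is exactly zero (NPV is linear in it)."""
    pv = present_value(flows, rate)
    if pv <= 0.0:
        raise ValueError("receipts have no positive present value")
    return outlay / pv - 1.0


if __name__ == "__main__":
    rate = RISK_FREE_RATE + RISK_PREMIUM
    print("NPV, no risk adjustment:   %.2f" % npv(INITIAL_OUTLAY, EXPECTED_FLOWS, RISK_FREE_RATE))
    print("NPV, risk-adjusted rate:   %.2f" % npv_risk_adjusted_rate(
        INITIAL_OUTLAY, EXPECTED_FLOWS, RISK_FREE_RATE, RISK_PREMIUM))
    print("NPV, method of equivalents: %.2f" % npv_certainty_equivalents(
        INITIAL_OUTLAY, EXPECTED_FLOWS, REDUCTION_FACTORS, RISK_FREE_RATE))
    for shift, value in sensitivity_to_flows(
            INITIAL_OUTLAY, EXPECTED_FLOWS, rate, (-0.2, -0.1, 0.0, 0.1)).items():
        print("receipts %+.0f%% -> NPV %.2f" % (shift * 100, value))
    print("break-even change in receipts: %.1f%%" % (
        100 * breakeven_flow_shift(INITIAL_OUTLAY, EXPECTED_FLOWS, rate)))
```

With these constructed inputs the two risk adjustments give nearly the same NPV, which shows that a risk premium and a set of reduction factors are two ways of expressing the same judgment about the riskiness of the receipts.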

3. Method of expert assessments.

The method is based on conducting a survey of several independent experts, for example, in order to assess the level of risk or determine the influence of various factors on the level of risk. Then the received information is analyzed and used to achieve the goal.

Credit scoring is a system for assessing the creditworthiness (credit risks) of a person based on numerical statistical methods. As a rule, it is used in consumer (store) express lending for small amounts. Scoring consists in assigning points by filling out a certain questionnaire developed by credit risk assessors and underwriters. According to the results of the points scored, the system makes a decision to approve or refuse to issue a loan.

Data for scoring systems is obtained from the probabilities of loan repayments by individual groups of borrowers obtained from the analysis of the credit history of thousands of people. It is believed that there is a correlation between certain social data (the presence of children, attitudes towards marriage, the presence of higher education) and the borrower's conscientiousness.

Credit scoring is a simplified system for analyzing a borrower, which makes it possible to reduce the requirements for the qualification of a loan officer involved in reviewing loan applications and increase the speed of their consideration.

The methods of preventing the occurrence of credit risks include assessment of the borrower's creditworthiness and credit monitoring.

The assessment of the borrower's creditworthiness covers both the ability to pay off debt obligations in full and on time and the readiness (presence of desire) of a person to repay their debts in a timely manner and in full.

Credit monitoring is the bank's control over the use and repayment of a loan. The Bank regularly monitors the intended use of the loan, the fulfillment of other conditions of the agreement.

Methods for reducing credit risks are conventionally divided into:

Conditionally active methods (diversification of the portfolio of loans and risks, setting lending limits, monitoring the quality of the loan portfolio, managing problem loans, credit derivatives)

Conditionally passive methods (compliance with credit risk standards, collateral, insurance)

Conditionally active-passive methods (formation of a reserve for possible losses on loans)

1.3 Analysis of the state of risk management in Sberbank of Russia

Sberbank of Russia is a leader in the retail banking market. Permanent stability, financial stability, fulfillment of all its obligations to customers, flexible interest rate policy allow maintaining the confidence of the population, ensuring a steady inflow of funds into deposits. The Bank promptly responds to fluctuations in the financial market by improving existing products and introducing new products that take into account the needs of various customer groups.

Along with accepting deposits, the Bank serves the economically active population and pensioners, paying them income. In accordance with the legislative acts of the Russian Federation, the branches of the Bank pay out preliminary compensation for the deposits of citizens entitled to receive it. Along with traditional forms of servicing the population, Sberbank of Russia is actively introducing and developing modern banking technologies. AS SBERKART's own settlement system is being developed on the basis of advanced technologies using microprocessor cards.

Purposeful work of Sberbank of Russia on organization of comprehensive services for legal entities contributed to the formation of a stable client base of the Bank and attraction of new corporate clients for servicing.

The clients of VSP 8047/0386 are enterprises of all sectors of the economy, of any form of ownership - from small businesses to leading Russian enterprises, various financial institutions and government institutions. Most of the largest Russian corporations and companies are serviced and financed by the Bank, including OAO Rostelecom, divisions of OAO Gazprom, OAO NK Lukoil, OAO TNK, OAO Sibneft, ZAO Severnaya Neft, OAO Transneft, OAO Severstal, etc.

The Bank services the Pension Fund of Russia, the Ministry of Fuel and Energy, subdivisions of the Ministry of Defense of the Russian Federation, the Ministry of Internal Affairs of the Russian Federation, the Ministry of Emergency Situations of the Russian Federation, the State Customs Committee, bailiffs of the Ministry of Justice of Russia, special accounts of project implementation groups within the framework of cooperation between the Russian Federation and the IBRD and the EBRD.

Cooperation with the constituent entities of the Russian Federation is being improved in the sphere of servicing the budgetary and financial structure of the regions. The Bank's branches service over 76,000 accounts of local government departments and legal entities financed from local budgets.

The Bank's own cash collection service has been established and operates for comprehensive customer service. The circle of large clients from the number of exporters and importers serviced by the Bank has noticeably expanded. Foreign trade documentary operations conducted by the Bank for its clients are actively developing.

The Bank remains one of the leading operators in the Russian market of bonds denominated in foreign currency - OVGVZ and Eurobonds of Russian issuers.

Being the leading operator both in the Russian Trading System (RTS) and the Moscow Interbank Currency Exchange (MICEX), and having an extensive branch network, the Bank promptly fulfilled customer orders for the purchase and sale of securities, both on the Moscow stock market and throughout Russia.

The Bank occupies a leading position in terms of the total amount of investments in the Russian economy, in terms of the maximum amount of loans provided per borrower, as well as in terms of the terms for which loans are issued.

In order to meet the needs of its customers in modern credit products, the Bank offered various types of loans, including overdraft, promissory notes, credit lines on favorable terms for customers; provided all types of bank guarantees, including guarantees for the proper performance of the contract, return of the advance, customs, etc.

The Bank actively financed projects related to the construction and reconstruction of housing, business centers, shops and other commercial construction projects.

Particular attention was paid to the creation of banking products for lending, taking into account the industry specifics of lending enterprises.

Thanks to the introduction of a new banking product - lending to enterprises that mine gold and silver - in 14 regions of Russia: Krasnoyarsk, Primorsky, Altai Territories, Bashkortostan, Buryatia, Sakha (Yakutia), Tyva, Sverdlovsk, Novosibirsk, Khabarovsk, Chita, Irkutsk, Amur, Magadan regions - the volume of these operations has increased significantly.

The Bank is implementing a strategy to increase the volume of long-term investment lending to Russian enterprises, thus ensuring the development of the Russian economy.

Traditionally focusing on the retail banking market, Sberbank is dynamically increasing the volume of lending to individuals.

To stimulate domestic production, loans for the purchase of Russian durable goods are issued to the population at lower interest rates.

The Bank's prudent credit policy and purposeful work with problem loans ensured a significant reduction in overdue loans.

The main direction of lending is industry, which accounts for 39.47% of loans; this reflects the main strategy of the credit policy pursued by Sberbank. Second place is taken by construction, trade and intermediary activities, and commercial banks, which together account for 30.33%. The least attention is paid to agriculture, since this industry is in the most difficult situation and has the lowest possibility of repaying a loan.

The volume of operations with precious metals for individuals has significantly expanded. Sale of gold measured bars to the population is carried out in the branches of the Bank located in 37 regions of Russia.

Its role in the field of banknote operations, in meeting the needs of its customers and commercial banks in cash and foreign currency has increased.

The circle of restricted convertible currencies, in which the Bank carried out conversion operations and met the needs of customers, expanded.

As collateral for a loan, the Bank may either insure the risk of non-repayment of the loan, or require the borrower to insure its liability under the loan agreement.

One of the types of insurance of economic risks is the allocation of reserves for possible losses on loans. The reserve for possible losses for each loan is created on the day of its issuance. Its size is set as a percentage of its amount, depending on which risk group the loan belongs to.

There are 5 risk groups of loans: a reserve of at least 2% of their amount is created for group 1, 5% for group 2, 30% for group 3, 75% for group 4, and 100% for group 5.

Table 2.1 - Classification of loans by risk groups

Classification criteria: the security of the loan, the availability of guarantees, its age.

Loan security: secured; insufficiently secured; unsecured.

Repayment status: loan repaid on time; overdue debt up to 30 days; overdue debt from 30 to 60 days; overdue debt from 60 to 180 days; overdue debt over 180 days.

2. ORGANIZATION OF THE PERSONNEL DEVELOPMENT SYSTEM ON THE EXAMPLE OF OAO SBERBANK OF RUSSIA VSP 8047/0386

2.1 General characteristics of OAO "Sberbank of Russia"

Sberbank of Russia is the largest bank in the Russian Federation and the CIS. Its assets make up more than a quarter of the country's banking system (27%), and its share in banking capital is at the level of 26%. According to The Banker magazine (July 1, 2012), Sberbank ranked 43rd in terms of core capital (Tier 1 capital) among the largest banks in the world.

Founded in 1841, Sberbank of Russia today is a modern universal bank that meets the needs of various customer groups in a wide range of banking services. Sberbank occupies the largest share in the deposit market and is the main creditor of the Russian economy.

Sberbank of Russia has a unique branch network, which currently includes 18 regional banks and more than 19,100 branches throughout the country. Subsidiary banks of Sberbank of Russia operate in Kazakhstan, Ukraine, Belarus and Turkey.

Full name of the bank: JSC "Sberbank of Russia"

License number 1481

The founder and main shareholder of the Bank is the Central Bank of the Russian Federation (Bank of Russia).

Sberbank OJSC is an organization with a vertical management structure, i.e. has several levels of control. By type, this is a functional structure.

The functional organizational structure is the division of the organization into separate elements, each of which has its own clearly defined, specific task and responsibilities, i.e. the model provides for the division of personnel into groups depending on the specific tasks that employees perform.

The management of Sberbank of Russia is based on the principle of corporatism in accordance with the Corporate Governance Code approved by the annual General Meeting of Shareholders of the Bank in June 2002.

Services provided by OJSC Sberbank of Russia include:

For legal entities:

1) settlement and cash services;

2) opening and maintaining correspondent accounts "Loro";

3) lending;

4) operations with securities;

5) conversion operations;

6) bank cards;

7) collection;

8) remote service;

9) trade finance and documentary operations;

10) operations with precious metals;

11) depositary service;

12) banking operations;

13) rental of safes.

For individuals:

1) deposits and compensation on deposits;

2) lending;

3) operations with securities;

4) utility bills;

5) bank cards;

6) currency exchange and non-trading operations;

7) operations with precious papers;

8) money transfers;

9) receipt of wages;

10) depositary service;

11) settlement checks;

12) rental of safes.

One of the main competitive advantages of Sberbank of Russia is its extensive client base. The bank's cooperation with all customer groups allows it to successfully manage resources and minimize financial risks. By attracting funds from the population, OJSC Sberbank of Russia forms a stable source of lending to enterprises of various sectors of the economy.

The main competitors of the bank are:

Gazprombank

VTB 24

Alfa Bank

Raiffeisenbank

Rosbank, etc.

The main objectives of the enterprise:

Like the goal of any commercial organization, the main goal of Sberbank is to make a profit.

3. Development of measures to reduce risks at the enterprise

3.1 Financial risk management methods at Sberbank

Currently, a number of methods for assessing financial risk are used, which can be divided into:

Statistical;

Analytical;

Method of analogies;

Method of expert assessments and expert systems.

Statistical methods used for risk assessment are dispersion, regression and factor analysis. The advantages of this class of methods include a certain universality. Their disadvantages stem from the very essence of statistical research - the need to have a large database, the complexity and ambiguity of the findings, certain difficulties in the analysis of time series, etc. For the purposes of calculating business risks, these methods are used relatively rarely. Recently, however, the method of cluster analysis has gained some popularity, with the help of which it is possible to obtain data suitable for use.

Analytical methods are used most often. Their advantage is that they are quite well developed, easy to understand and operate with simple concepts. These methods include: discount method, cost recovery analysis, production break-even analysis, sensitivity analysis, sustainability analysis.

When using the discounting method, the discount rate is adjusted for the risk factor, which is obtained by the method of expert assessments. The disadvantage of the method is that the measure of risk is determined subjectively.

The application of the cost recovery method is to calculate the payback period of the project.

The break-even method is similar to the cost recovery method, only unlike the first one, it determines the break-even point of the project, i.e. the break-even method is the boundary for the payback method.

The sensitivity analysis method examines the influence of factors on the resulting technical and economic indicators of the investment project. The sensitivity calculation method is close to one of the statistical methods, the factor analysis method. It also determines the degree of influence of various factors on the resulting indicator.

The method of sustainability analysis determines the change in the main economic indicators of the project with an unfavorable change in various factors. For example, the amount of possible profit is investigated when prices for raw materials and materials necessary for the production of a product change. Sustainability in economics means the ability of an economic system to maintain its performance after being affected by adverse factors.

Method of analogies. The name of this method indicates that the forecast of the financial condition of the project and the risk of its implementation are determined in accordance with some similar project that was implemented earlier. It is assumed that the economic system within which the project is being implemented also behaves in a similar way.

Method of expert assessments and expert systems. Although these two methods are combined in one section, they are fundamentally different methods.

The method of expert assessments is based on the intuition and practical knowledge of specially selected people - experts. In the course of the work, experts are surveyed (various survey methods can be used) and on the basis of this survey a forecast of the investment project is built. With proper selection of experts and optimal organization of their work, this is one of the most accurate and reliable methods. The difficulty lies in the mechanism for selecting experts and organizing their work - eliminating conflict situations between experts, determining the rating of each expert, correctly posing the research question, etc.

Unlike the method of expert assessments, which is based on the intuition of experts, the method of expert systems is based on special mathematical software for computers. This method has been developed relatively recently. Its software includes a database, a knowledge base, and an interface. The database contains all kinds of information about the object of study. The knowledge base contains rules that describe various situations that arise during the evolution of the object under study. An interface is a system of communications, special software that allows a person working with an expert system to ask questions on a subject of interest to him and receive answers simulated by a computer. Currently, expert systems are developing rapidly. These are computer programs that simulate the actions of a human expert in solving problems of a narrow subject area based on the accumulated knowledge that makes up the knowledge base.

The main disadvantage of all these risk calculation methods is that they operate with specific, deterministic values of risk coefficients. The coefficients are calculated either by the method of expert estimates, or in some other way. Using them excludes the random component of the process of evolution of the economic situation in the market of goods and services. However, ignoring this component sometimes leads to incorrect results. Thus, for a correct assessment of the risk of financial and economic activity, it is necessary to investigate not only the deterministic change in the market situation, but also its stochastic change. From deterministic models, one should move on to probabilistic models for predicting the market situation.

3.2 Diversification as a financial risk management tool

One of the most effective risk management techniques is diversification.

Diversification is understood as the process of allocating investment funds among various investment objects that are not directly related to each other, in order to reduce the degree of risk and loss of income. Diversification is the most reasonable and relatively less costly way to reduce the degree of financial risk.

Diversification is expressed in the ownership of many risky assets, instead of concentrating all investments in only one of them. Therefore, diversification limits our exposure to risk associated with a single type of asset.

Diversification is the dispersion of investment risk. However, it cannot reduce investment risk to zero. This is due to the fact that entrepreneurship and investment activities of an economic entity are influenced by external factors that are not related to the choice of specific objects of capital investment, and, therefore, they are not affected by diversification.

External factors affect the entire financial market, i.e. they affect the financial activities of all investment institutions, banks, financial companies, and not on individual business entities.

External factors include the processes taking place in the country's economy as a whole, military operations, civil unrest, inflation and deflation, changes in the discount rate of the Bank of Russia, changes in interest rates on deposits, loans in commercial banks, etc. The risk posed by these processes cannot be reduced by diversification.

Thus, risk consists of two parts: diversifiable and non-diversifiable risk. Consider them in Figure 4.1.

In the figure, the value of AB shows the amount of total risk, which consists of diversifiable risk (AK) and non-diversifiable risk (KB).

Fig. - Dependence of the volume (or degree) of risk on diversification (vertical axis: risk volume, rub.; horizontal axis: number of risk dissipation objects, units)

The given graphic dependence shows that the expansion of capital investment objects, i.e. spreading risk, from 5 to 15 allows you to easily and significantly reduce the amount of risk from the value of OR1 to the value of OR2.

Diversifiable risk, also called unsystematic, can be eliminated by dissipating it, i.e. diversification. Non-diversifiable risk, also called systematic risk, cannot be reduced by diversification.

Moreover, studies show that the expansion of capital investment objects, i.e. risk dispersion, allows you to easily and significantly reduce the amount of risk. Therefore, the focus should be on reducing the degree of non-diversifiable risk.

Diversification involves the inclusion in the financial scheme of assets of different properties. The more of them, the more significant (because of mutual compensation of risks-avoidances) their joint influence on risk limitation due to large numbers.

The use by the firm of a diversified portfolio approach in the securities market allows you to minimize the likelihood of not receiving income. For example, the purchase by an investor of shares of five different joint-stock companies instead of shares of one company increases the probability of receiving an average income by 5 times and, accordingly, reduces the degree of risk by 5 times.

The diversification effect is, in essence, the only reasonable rule for working in the financial and other markets. The same effect is embodied in folk wisdom - "do not put all your eggs in one basket." The principle of diversification says that it is necessary to carry out various, unrelated operations, then the efficiency will be averaged, and the risk will definitely decrease.

When comparing, after the fact, the profits received by investors who diversified their investments with those of investors who did not, it turns out that the representatives of the second group received the largest incomes. But this group also includes most of those who suffered the most significant losses. If you have diversified your investments, then your chances of getting into both groups are reduced.

Of course, everyone wants to hit the biggest jackpot and be known as a genius. But to do this, you have to make a decision based on assumptions, the result of which will be either a big profit or a big loss. Perhaps it is better to choose a middle option.

The principle of diversification applies not only to averaging over operations carried out simultaneously but in different places (spatial averaging), but also to operations carried out sequentially in time, for example, when one operation is repeated over time (averaging over time).

A reasonable strategy is to buy shares in a stable company on January 20th of each year. The inevitable fluctuations in the stock price of this company are averaged out due to this procedure, and this manifests the effect of diversification.

Theoretically, the effect of diversification is only positive - the efficiency is averaged, and the risk is reduced.
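The split of total risk into a diversifiable part and a non-diversifiable part can be reproduced numerically. The following is an added example, not part of the original text; it assumes an equally weighted portfolio in which every asset has the same volatility and the same pairwise correlation (a one-factor model), and all names and figures are constructed.

```python
# Added example (not from the source): risk of an equally weighted portfolio
# as the number of investment objects grows. Assumed model: every asset has
# standard deviation `sigma`, every pair of assets has correlation `rho`.
import math
import random
import statistics


def portfolio_std(n, sigma, rho):
    """Total risk (standard deviation) of n equally weighted assets.

    Variance = sigma^2 / n  +  (1 - 1/n) * rho * sigma^2.
    The first term is dissipated by adding assets; the second is not.
    """
    if n < 1:
        raise ValueError("at least one asset is required")
    if not 0.0 <= rho <= 1.0:
        raise ValueError("this model assumes a common correlation in [0, 1]")
    variance = sigma ** 2 / n + (1.0 - 1.0 / n) * rho * sigma ** 2
    return math.sqrt(variance)


def split_risk(n, sigma, rho):
    """Return (total, non_diversifiable, diversifiable) risk for n assets.

    The non-diversifiable part is the limit of total risk as n grows without
    bound, sigma * sqrt(rho); the diversifiable part is what remains above it.
    """
    total = portfolio_std(n, sigma, rho)
    floor = sigma * math.sqrt(rho)
    return total, floor, total - floor


def simulate_portfolio_std(n, sigma, rho, trials=20000, seed=1):
    """Monte Carlo check of portfolio_std using a one-factor return model.

    Each asset return is sigma * (sqrt(rho) * M + sqrt(1 - rho) * e_i), where
    M is a shock common to the whole market and e_i is specific to asset i.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    outcomes = []
    for _ in range(trials):
        market = rng.gauss(0.0, 1.0)
        own = sum(rng.gauss(0.0, 1.0) for _ in range(n)) / n
        outcomes.append(sigma * (math.sqrt(rho) * market + math.sqrt(1.0 - rho) * own))
    return statistics.pstdev(outcomes)


if __name__ == "__main__":
    SIGMA, RHO = 0.30, 0.20  # constructed sample values
    print(" n   total   non-div.  diversifiable  simulated")
    for n in (1, 5, 15, 50, 500):
        total, floor, removable = split_risk(n, SIGMA, RHO)
        check = simulate_portfolio_std(n, SIGMA, RHO, trials=5000)
        print("%3d  %.4f  %.4f    %.4f         %.4f" % (n, total, floor, removable, check))
```

Setting `rho` to zero removes the floor entirely, while any positive common correlation leaves a level of risk that no number of additional investment objects reduces.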

3.3 Financial risk insurance

The most important and most common method of risk reduction is risk insurance.

The essence of insurance is expressed in the fact that the investor is ready to give up part of the income, just to avoid risk, i.e. he is willing to pay to reduce the risk to zero.

Insurance is characterized by the intended purpose of the created monetary fund, the expenditure of its resources only to cover losses in predetermined cases; the probabilistic nature of the relationship; return of funds. Insurance as a risk management method means two types of actions: 1) redistribution of losses among a group of entrepreneurs exposed to the same type of risk (self-insurance); 2) seeking help from an insurance company.

Insurance would seem to be the most profitable measure in terms of risk reduction, were it not for the insurance payment. Sometimes the insurance payment is a significant part of the sum insured and amounts to a substantial sum.

Insurance is a set of economic relations between its participants regarding the formation of a targeted insurance fund at the expense of cash contributions and using it to compensate for damages and pay insurance amounts.

Most (but not all) pure risks are insured, while speculative risks are generally not insured.

An uninsurable risk is a risk that most insurance companies avoid insuring because the likelihood of losses associated with it is almost unpredictable. Insurance companies are always reluctant, to say the least, to consider cooperation in cases where the risk is related to government stocks or the general economic situation. Uncertain factors such as changing legislation and economic fluctuations are outside the scope of insurance.

Uninsurable risks include:

Market risks (factors that may lead to loss of property or income, such as: seasonal or cyclical price changes, consumer indifference, fashion changes, etc.);

Political risks (danger of such events as: change of government, war, restrictions on free trade, unreasonable or excessive taxes, restrictions on the free trade of currency, etc.);

Production risks (danger of such factors as: non-economic operation of equipment, shortage of raw materials, etc.);

Personal risks (unemployment, poverty due to divorce, etc.)

Sometimes, uninsurable risks become insurable when enough data is collected to accurately estimate future losses.

An insured risk is a risk for which the level of acceptable losses is easily determined, and therefore the insurance company is ready to reimburse them.

Insured risks include:

Property risks - the risk of disaster losses that lead to a direct or an indirect loss of property.

Personal risks - the risk of losses as a result of: premature death, disability, old age.

Risks associated with legal liability - the risk of losses due to the use of a car, stay in a building, occupation, production of goods, professional errors.

Insurance involves paying an insurance premium (the price you pay for insurance) to avoid loss.

In accordance with the current legislation, financial risk insurance is understood as a set of types of insurance that provide for the obligations of the insurer for insurance payments in the amount of full or partial compensation for loss of income (additional expenses) caused by the following events:

a) stoppage of production or reduction of production as a result of specified events;

b) job loss;

c) unforeseen expenses;

d) non-fulfillment of contractual obligations by the counterparty of the insured person who is the creditor under the transaction;

e) court costs (expenses) incurred by the insured person;

f) other events.

There are two types of risk insurance:

1 - Self-insurance, when the company creates a certain reserve of funds, from which possible losses are covered;

2 - Turning to an insurance company.

The market leaders in insurance of financial risks of large Russian business are RESO-Garantia, Ingosstrakh, ROSNO and AlfaStrakhovanie.

In foreign insurance practice, credit insurance often affects various areas of activity and is intertwined with other types of insurance. Depending on the location and causes of credit risk, the following types of credit insurance can be distinguished:

Consumer credit insurance;

Commercial (commodity, trade) credit insurance;

Bank loan insurance;

Export credit insurance;

Promissory note insurance.

I was very interested in bank loan insurance, which I decided to study in more detail.

Bank loan insurance is divided into two types:

Credit risk insurance.

Borrower liability insurance for non-repayment of the loan.

The object of insurance under the first type is the responsibility of all or individual borrowers (individuals or legal entities) to the bank for the timely and full repayment of loans and interest on loans within the period specified in the insurance contract. The policyholder is faced with a choice: to insure the amount of the issued loan with interest or only the amount of the principal debt; to insure the liability of all borrowers to whom loans were previously issued, or the liability of each borrower individually. As a rule, in modern Russian conditions of an unstable economic situation, it is advisable to insure the loan amount with interest for each borrower separately. However, one should take into account the fact that when all loans are insured, the liability of the insurance organization becomes automatic, and a preferential tariff rate is established under such agreements.

The insurance contract for the risk of non-repayment of loans is concluded between insurance companies (insurers) and banks, as well as other credit organizations (insurants). Under the insurance contract, the insurer pays the insured compensation in the amount of 50% to 90% of the amount of the loan not repaid by the borrower and interest on it.

The liability of the insurer arises if the insured has not received the amount stipulated by the loan agreement within a certain time after the due date of payment stipulated by the loan agreement (according to the rules of insurance companies, from 10 to 20 days), or the period established by the bank if the borrower fails to fulfill the terms of the loan agreement. The specific limit of the insurer's liability and the term for the onset of his liability shall be established by the insurance contract.

The insurance contract is concluded on the basis of a written application of the insured and a reference-calculation, drawn up in 2 copies. At the same time, the insured presents:

A copy of the loan agreement together with all related documents;

Documents confirming the possibility of lending, i.e. credit security;

A copy of the conclusion on the feasibility study of the project for the development of production or the conduct of a commercial operation and other documents that may be essential for judging the degree of risk;

Copies of constituent documents, registration certificate, financial statements of the borrower and other documents at the request of the insurance company.

The insurance company, prior to concluding an insurance contract, examines the submitted documents in order to ascertain whether there are guarantees for the return of funds by the borrower on the loan received and to ensure the financial stability of insurance operations. If it is established that the loan is issued without sufficient guarantees, the insurer may set a higher tariff rate, refuse to conclude an insurance contract with the bank altogether, or set a period after which the credit institution is obliged to return to the insurer a sum equal to the balance of the borrower's debt under the loan agreement, in accordance with the special conditions of the insurance contract.

The insurer, on the basis of the submitted documents, calculates insurance payments for each borrower individually and as a whole under the insurance contract, based on the amount of outstanding debt and established tariff rates. Insurance payments on short-term loans (issued for a period of less than one year) are paid at a time; for long-term loans provided at a time, the annual amount of payments is paid in one or two terms.

The loan default risk agreement shall enter into force on the day following the day of payment of the first insurance payment.

The sum insured is established in proportion to the percentage of liability of the insurer determined in the insurance contract, based on the entire amount of the debt to be returned under the terms of the contract.

The insurance period for the risk of non-repayment of individual loans is set based on the terms of the loan repayment. When insuring all issued loans, the insurance contract for the risk of non-repayment of loans is concluded for one year.

The tariff rate depends on a number of factors:

The period of use of the loan;

Loan amounts and interest rates;

risk level;

Type of security.

In each case the tariff rate is determined by the insurance company. In accordance with the opinion of experts who determine the final degree of risk, decreasing or increasing coefficients may be used when setting the rate. When an adjustment factor is used, the tariff rate is determined by multiplying the base rate by the factor. For example, when concluding an insurance contract for the risk of non-repayment of a loan issued for 3 months, given the lack of collateral and the possible declaration of the debtor insolvent, it is possible to apply the maximum size of the multiplying coefficient (for example, 5.0). With a basic tariff rate of 1.2, the final tariff rate will be 6% (1.2 x 5).

Unlike insurance of non-repayment of loans, a contract of insurance of liability of borrowers for non-repayment of a loan is concluded between an insurance company (insurers) and enterprises and organizations (insureds). The object of insurance is the borrower's liability to the bank that issued the loan for the timely and full repayment of the loan, or for the repayment of loans, including interest on the use of the loan. The main terms and conditions of borrowers' liability insurance for non-repayment of loans are generally similar to the rules and conditions of insurance of the risk of non-repayment of loans. The insurance contract is concluded on the basis of a written application of the insured, drawn up in 2 copies. Simultaneously with the application, the policyholder submits a copy of the loan agreement and a certificate of the loan repayment terms. The insurer, on the basis of the submitted documents, calculates insurance payments based on the sum insured and the established tariff rates. Insurance premiums must be paid in a lump sum.

In accordance with the Civil Code of the Russian Federation, contractual liability can only be insured by the creditor party.

The liability of the insurance organization arises if the insured did not return to the creditor bank the amount stipulated by the loan agreement within three days after the due date of payment provided for by the loan agreement, without the fact of its prolongation (extension). Not all of the borrower's liability is subject to insurance, but a certain part of it (from 50 to 90%).

The rest of the responsibility rests with the insured. The sum insured is established in proportion to the percentage of liability of the insurer determined in the insurance contract, based on the entire amount of the debt to be repaid under the loan agreement.

When concluding insurance contracts for the risk of non-repayment of loans with banks and insurance contracts for the liability of borrowers for non-repayment of loans with enterprises and organizations, regardless of their organizational and legal form, insurance companies must take into account the financial condition and reputation of the borrower in terms of its solvency.

There are many methods for analyzing the financial situation of a client. In the practice of American banks, the "5C" system is used, where the criteria for selecting customers are indicated by words starting with the letter "C":

Character - the nature of the borrower (his reputation, degree of responsibility, willingness and desire to repay the debt). The bank seeks to obtain a psychological portrait of the borrower, using for this a personal interview with him, a dossier from his personal archive, consultations with other banks and firms, and other available information.

Capacity - financial capabilities, i.e. the ability to repay the loan (determined by a thorough analysis of its income and expenses and the prospects for changing them in the future).

Capital - capital, property. The bank pays great attention to the share capital of the company, its structure, and its correlation with other items of assets and liabilities.

Collateral - security for the loan: its sufficiency, quality and the degree to which the collateral can be realized in case of loan default.

Conditions - general economic conditions. General conditions that determine the business climate in the country and affect the position of both the bank and the borrower: the state of the economic situation, the presence of competition from other manufacturers of a similar product, taxes, prices for raw materials, etc.

One of the goals of bank loan officers is to quantify the specified criteria in relation to each specific case. Based on this, a balanced decision will be made regarding the creditworthiness of the borrower, the expediency of issuing a loan to him, the price and non-price terms of this loan, etc.

Under the risk-return dilemma, borrowers with weaker financial positions (and therefore riskier ones) must pay more for a loan than more reliable borrowers.

Insurance of financial investments. Financial investments are the purchase of assets in the form of securities, both equity and debt, which will bring the investor not only profit, but also guarantee him a certain level of investment security. A stable gradation of riskiness and profitability of securities is established in a developed financial market. It is believed, for example, that the most risky are speculative ordinary shares, which, however, bring the owner an income of 15-20%. The category of high-risk securities also includes ordinary shares of fast-growing companies (income 10-12%).

Securities with moderate risk include ordinary shares that are highly quoted on the stock exchange (the income on them is 8-10%), securities of mutual investment funds with a balanced portfolio (income 7-8%), convertible shares with a fixed dividend (6-10%), and convertible bonds, which bring their owner an income of 5-10%.

Securities with a low degree of risk include municipal and government bonds that bring their owner an income of less than 4-6%.

The purpose of insurance is to protect investments from possible losses arising from unfavorable, unpredictable changes in market conditions and deterioration of other conditions for investment activities. It is subdivided according to the nature of insurance risks into insurance against political and commercial risks. Political risk insurance contracts are concluded when making investments in foreign countries. It is characterized by the impossibility of a mathematical assessment of the probability of occurrence of insured events and extremely high damage. Therefore, private insurers, with rare exceptions, do not deal with this insurance.

Such insurance is carried out mainly by the state insurance structures of the investor country and international financial organizations. At present, three state organizations (in the USA, Germany and Japan) account for 80% of the total volume of transactions carried out within the framework of national state investment risk insurance programs.

One of the specialized state agencies that insure the property interests of investors against political risks is the Overseas Private Investment Corporation (OPIC), established by the US government in 1969. OPIC's activities cover US investments in 140 developed countries and emerging market economies.

A feature of the insurance system within the framework of OPIC is that a mandatory prerequisite for concluding an agreement with a specific investor is the conclusion of a bilateral intergovernmental agreement on promoting investment. Thus, only after the signing of such an agreement between the US and Russia in 1992 did OPIC get the opportunity to participate in the insurance of non-commercial risks of US investors investing in Russia. Over the past three years, the corporation has supported 125 investment projects, which are estimated at $3 billion, for the implementation of 40 business projects.

Investment activity insurance against commercial risks is carried out, as a rule, by private insurance companies. The purpose of such insurance is to protect investments from possible losses arising from unfavorable, unpredictable changes in market conditions and deterioration of other conditions for doing business.

The sum insured as the limit of liability under the contract can be determined in several ways:

In the amount of the investments made in the acquisition of shares, other securities, etc.;

In the amount of the sum of investments and the standard profit, which can be set at the level provided by the risk-free investment of capital.

In this case, the amount of insurance compensation is calculated as the difference between the sum insured and the actual financial result from the insured investments, i.e. the insured is compensated for losses if, after a certain period, the insured investments do not give the expected payback due to an insured event.

One of the varieties of insurance of financial investments against commercial risks is insurance of financial obligations. Its terms provide for the provision by the insurer of guarantees that certain financial obligations stipulated in the process of concluding a business transaction, to which the borrower and investor are parties, will be fulfilled. Insurance of financial obligations is considered a special type of guarantee that provides insurance protection against risks associated with financial transactions.

Guarantee is the area of business activity in which banks, special agencies and insurers can operate. At the same time, in each country there are peculiarities in the legal regulation of such operations. So, for example, in France and Japan the issuance of guarantees is a monopoly of banks, while in the United States their issuance by banks is limited.

The Civil Code of the Russian Federation separates guarantee agreements and bank guarantees. Under a guarantee agreement, the guarantor undertakes to be responsible to the creditor of another person for the fulfillment by the latter of his obligations in full or in part (Articles 971 - 979 of the Civil Code of the Russian Federation).

In accordance with the bank guarantee agreement, the guarantor gives, at the request of another person (principal), a written obligation to pay the principal's creditor (beneficiary) in accordance with the terms of the obligation given by the guarantor, a sum of money upon presentation by the beneficiary of a written demand for its payment (Article 368 of the Civil Code of the Russian Federation). At the same time, banks, other credit institutions and insurance organizations have the right to issue bank guarantees.

The emergence and rapid development of types of insurance of financial obligations in the insurance markets of developed countries is due to the fact that private and small corporate investors often do not have sufficient knowledge to conduct their own in-depth analysis of investment risk and at the same time are interested in investments with the least risk.

Among the types of insurance of financial obligations, the following can be distinguished: insurance of bonds and other securities; of loans for short-term trade transactions and long-term investments; of mortgage bonds; of payments for renting, leasing, etc.; of payment of the cost of the supplied equipment; of car loans.

According to the duration of contracts, all types of insurance are usually divided into short-term (with a period of up to 8 years), medium-term (concluded for a period of 8 to 30 years) and long-term.

One of the features of this insurance is that during its implementation, the insurer sets the task of ensuring almost break-even operations (i.e., not allowing the payment of insurance compensation), since the applied tariff rates provide that the probability of occurrence of insured events and the amount of losses from them must be minimal. In this regard, insurers carry out a careful selection of policyholders and objects accepted for insurance, guided primarily by the principle of prudence.


3.4 Hedging financial risk with derivatives

The term "hedging" is used in banking, exchange and commercial practice to refer to various methods of insuring currency risks. So, in the book by Dolan E. J. et al. “Money, Banking and Monetary Policy”, this term is defined as follows: “Hedging is a system for concluding futures contracts and transactions, taking into account probable future changes in exchange rates and pursuing the goal of avoiding the adverse effects of these changes.” In the domestic literature, the term "hedging" began to be used in a broader sense, as risk insurance against adverse price changes for any inventory items under contracts and commercial transactions involving the supply (sale) of goods in future periods.

The contract, which serves to insure against the risks of changes in exchange rates (prices), is called a "hedge". An entity that performs hedging is called a "hedger". There are two hedging operations: hedging for an increase; down hedging.

Hedging for an increase, or hedging with a purchase, is an exchange transaction for the purchase of futures contracts (options). An upward hedge is used in cases where it is necessary to insure against a possible increase in prices (rates) in the future. It allows the purchase price to be set much earlier than the actual product is purchased. Suppose that the price of a commodity (exchange rate or securities) increases after three months, and the commodity will be needed precisely after three months. To compensate for losses from the expected price increase, the hedger buys now, at today's price, a futures contract related to this product and sells it in three months, at the moment when he buys the product. Since the prices of the commodity and of the futures contract associated with it change proportionally in the same direction, the previously purchased contract can be sold at a price that is higher by almost the same amount as the price of the commodity has increased by that time. Thus, a hedger who hedges up is insuring himself against a possible price increase in the future.

Downward hedging, or hedging by sale, is an exchange transaction with the sale of a futures contract. A hedger who hedges down expects to sell a commodity in the future, and therefore, by selling a futures contract or option on the exchange, he insures himself against a possible price decline in the future. Suppose that the price of a commodity (exchange rate, securities) decreases after three months, and the commodity will need to be sold after three months. To compensate for the expected losses from a price decrease, the hedger sells a futures contract today at a high price, and when selling his commodity three months later, when the price of it has fallen, he buys the same futures contract at a lower (almost the same) price. Thus, a short hedge is used when a commodity needs to be sold at a later date.

A hedger seeks to reduce the risk caused by market price uncertainty by buying or selling futures contracts. This makes it possible to fix the price and make income or expenses more predictable. However, the risk associated with hedging does not disappear. It is taken over by speculators, i.e. entrepreneurs who take a certain, pre-calculated risk.

Speculators play a big role in the futures market. By taking on risk in the hope of making a profit from the price difference, they act as a price stabilizer. When buying futures contracts on the stock exchange, the speculator pays a guarantee fee, which determines the amount of the speculator's risk. If the price of the goods (exchange rate, securities) has decreased, then the speculator who bought the contract earlier loses an amount equal to the guarantee fee. If the price of the commodity has risen, the speculator gets back the amount equal to the guarantee fee and receives additional income from the difference in the prices of the commodity and the purchased contract.

When a firm wishes to hedge against a particular risk, there is no direct way to do so. The task of the financial manager in such cases is to develop new financial instruments and methods, using existing ones to find this way. This process is called "financial engineering".

Corporate financial management often involves buying and selling derivatives. A derivative security is a financial asset that is a derivative of another financial asset.

There are two types of derivative securities:

Futures contracts (commodity, currency, interest-rate, index, etc.) - futures;

Freely tradable or stock options.

A futures contract is a standard exchange contract for the sale and purchase of an exchange-traded asset at a certain point in the future at a price set by the parties to the transaction at the time of its conclusion.

Futures contracts belong to the class of future purchase agreements. The salient features of a futures contract are:

Exchange character, i.e. it is an exchange contract developed on a given exchange and traded only on it;

Standardization in all parameters, except for the price;

Full guarantee from the exchange that all obligations stipulated by the futures contract will be fulfilled;

The presence of a special mechanism for the early termination of obligations under the contract by any of the parties.

A freely tradable or exchange option is a standard exchange contract for the right to buy or sell an exchange asset or a futures contract at the strike price before a specified date with the payment of a certain amount of money for this right, called a premium. If options are concluded on the exchange, then, as for futures contracts, the conditions for their conclusion are standardized in all respects, except for the option price. There are two types of options commonly used in exchange practice:

call option - gives the right, but not the obligation, to buy a futures contract, commodity or other value at a given price, allowing the holder, after paying a small premium, to receive unlimited profit from price increases;

put option - gives the right, but not the obligation, to sell a futures contract or other value at a given price, allowing the holder, after paying a small premium, to receive unlimited profit from price reductions.

Financial engineering often involves the creation of new derivatives, as well as the combination of existing derivatives to perform specific hedging tasks. In a world where prices are stable and change very slowly, financial engineering would not be so necessary. However, the industry is currently booming.

Thus, hedging is a form of insurance against possible losses by concluding a balancing transaction. As in the case of insurance, hedging requires the diversion of additional resources. Perfect hedging involves the complete elimination of the possibility of obtaining any profit or loss on a given position by opening an opposite or compensating position. This "double guarantee" against both profits and losses distinguishes perfect hedging from classical insurance.

4.5 Risk management service at Sberbank of Russia

Risk management is a management system for an organization, an enterprise, which aims to reduce risk, prevent unacceptable risk; represents an organic part of financial management.

Risk is the danger of unforeseen losses of expected profit, income or property, cash, other resources due to an accidental change in the conditions of economic activity, unfavorable circumstances.

There are many types of risks. At the same time, banking risks differ in certain specifics and classification principles.

In order to organize risk management work, Sberbank has established a professional Risk Management Service, which is independent of front-office divisions motivated by business performance. The work of the Risk Management Service is structured in such a way as to ensure the internal balance of the Bank's business in all areas of work.

The purpose of risk management activities is to improve financial performance, increase profitability, maintain liquidity and capital adequacy. The Bank in its risk management activities is guided by the “Risk Management Policy at OAO Sberbank of Russia”, approved by the Management Board of Sberbank of Russia.

MODEL OF "THREE LINES OF DEFENSE"

The model improves the understanding of risk management and control through the separation of roles and responsibilities. Its underlying premise is that effective risk management and control requires the oversight and direction of senior management and the board of directors within three distinct groups (or lines of defense) within an organization (see Figure 18). The responsibilities of each of the groups (or "lines") are as follows:

  • 1. Ownership and management of risk and control (the first line is operational management).
  • 2. Tracking the operation of the risk and control system to support management (risk management, control and compliance functions defined by management).
  • 3. Providing independent confirmation to the board and top management of the effectiveness of risk management and control systems (internal audit).

Figure 18. Relationship between goals, vision and model

Each of the three lines plays an important role in defining the conceptual framework for managing an organization. If each of the three lines performs its role effectively, then this increases the likelihood of the organization successfully achieving its goals.

Each person in the organization is responsible for internal control, but to ensure that key responsibilities are properly performed, the Model clarifies the definition of specific roles and responsibilities. If the organization properly builds the structure of the three lines, and they work effectively, then this will ensure that there are no vulnerabilities and unnecessary duplication of activities, and also guarantees effective risk management and control. The Board of Directors will be able to receive objective information about the organization's most serious risks - and how management minimizes such risks.

The model provides a flexible structure that can be used in addition to the Conceptual Foundations. The divisions of each line of defense will differ from organization to organization, and some divisions may be combined or divided along lines of defense (see Figure 19). For example, in some organizations, second line compliance teams may be involved in the development of first line controls, while other parts of the second line focus primarily on monitoring the performance of such controls.

The implementation of the internal control principles (from 1 to 17) set out in the COSO framework for each line of defense is reflected in Appendix 5 of this publication.


Figure 19. Model of three lines of defense 1.

1 Three lines of defense in effective risk management and control. Institute of Internal Auditors, 2013.

Regardless of the structure of the three lines of defense created by a particular organization, there are several basic principles used in the Model:

  • 1. The first line of defense rests with business process owners whose activities create and/or manage risks that may help or hinder the achievement of the organization's objectives. It involves identifying the right risks. The first line owns the risks, and is responsible for developing and using the organization's controls to manage those risks.
  • 2. The second line is provided to support management through consulting, process improvement and monitoring of management performance, along with the first line, in order to ensure effective risk management and control. The units of the second line of defense are separate from the first line of defense, but are under the control and direction of senior management and usually perform some management functions. The second line is indispensable for performing a management and/or oversight function in relation to many aspects of risk management.
  • 3. The third line provides confirmation to senior management and the board of how the efforts of the first and second lines meet the expectations of the board of directors and senior management. The third line of defense usually cannot perform managerial functions in order to protect its objectivity and organizational independence. In addition, the third line reports directly to the board. As such, the third line has no managerial function, which separates it from the second line of defense.

The goal of any organization is to achieve its goals. The realization of such goals includes seizing opportunities, striving for growth, accepting and managing risks - all for the development of the organization. Failure to accept appropriate risks, manage and control them appropriately, may hinder the achievement of the organization's objectives. There is and always will be a contradiction between the two lines of activity "create enterprise value" and "preserve enterprise value". Conceptual Foundations provide for the establishment of a risk assessment and control framework to ensure their proper regulation and management. The model contains guidance on creating an organizational structure, distribution of roles and responsibilities between parties, which will increase the effectiveness of risk management and control.


Kozyreva Nadezhda

The article presents definitions and approaches for organizing the activities of control functions within the framework of the three lines of defense concept, paying special attention to the compliance function, the internal control service and the risk management system. In describing the role of control services, the author stresses that, while participating in the common business of the company, each control function must clearly understand its role without interfering with the “creative” process that every business lives.

Keywords: compliance, effectiveness of risk management and internal control systems, COSO concept, risk management, financial control, quality control.

To give up risk is to give up creativity.

A. S. Pushkin

The last decade has seen a tightening of regulatory requirements in most global financial markets, with a particular focus on the effectiveness of risk management and internal control systems. Any business will consider the potential negative consequences of realized risks undesirable: loss of business reputation, financial losses and, more seriously, administrative or criminal liability of responsible persons and suspension of activities. Company leaders who are interested in sustainable long-term development and who understand the real risk situation will be ready to take adequate and timely action to prevent this. Thus, it is the management itself, interested in preserving the value of the business, increasing its sustainability and efficiency, that must identify and reduce the consequences of the impact of risks on financial results. The most effective way to do this is to build an integrated compliance risk management system based on the “three lines of defense”.

The internal control system is a complex and large-scale phenomenon. Let's consider all the main components of the system based on banking practice, as well as on the example of the COSO concept.

According to Regulations of the Bank of Russia No. 242-P dated December 16, 2003 “On the Organization of Internal Control in Credit Institutions and Banking Groups”:

Internal control is an activity carried out by a credit institution (its management bodies, divisions and employees) and aimed at achieving the following goals:

efficiency and effectiveness of financial and economic activities in the course of banking operations and other transactions, the effectiveness of asset and liability management, including ensuring the safety of assets, banking risk management;

reliability, completeness, objectivity and timeliness of the preparation and presentation of financial, accounting, statistical and other reports (for external and internal users), as well as information security (protection of the interests (goals) of a credit institution in the information sphere, which is a set of information, information infrastructure, entities that collect, form, disseminate and use information, as well as systems for regulating the relations that arise in this case);

compliance with regulatory legal acts, standards of self-regulatory organizations (for professional participants in the securities market), constituent and internal documents of a credit institution;

the exclusion of the involvement of a credit institution and the participation of its employees in the implementation of illegal activities, including the legalization (laundering) of proceeds from crime and financing of terrorism, as well as the timely submission of information to state authorities and the Bank of Russia in accordance with the legislation of the Russian Federation.

The Basel Committee on Banking Supervision, in its paper “The Internal Control System in Banks: Fundamentals of Organization” (Basel Committee on Banking Supervision, Basel, September 1998. URL: http://www.bis.org/public/bcbs40.pdf), defines internal control as a process carried out by the board of directors, management and employees at all levels. This is not only and not so much a procedure or policy that is carried out in a certain period of time, but a process that is constantly going on at all levels within the bank. The board of directors and management are responsible for creating an appropriate culture that facilitates the effective exercise of internal control and for monitoring its effectiveness on an ongoing basis; however, everyone in the organization should also be involved in this process. The implementation of internal control pursues the following main objectives:

1) production and financial efficiency of activities (production and financial goals);

2) reliability, completeness and timeliness of financial and management information (information purposes);

3) compliance with applicable laws and regulations (compliance goals).

So, it is obvious that the internal control system pursues not only the achievement of compliance goals, but also production, financial and informational ones. This process should include all the risks assumed by banks and operate at all levels within the organization.

Visually, the internal control system, including both goals and constituent components and levels of the organization, is also presented in the COSO concept 1.

Under internal control, the COSO concept refers to the process carried out by the board of directors, management and other employees to provide sufficient confidence in relation to the achievement of the company's goals, namely:

Operational efficiency;

Reliability of reporting;

Compliance with the law.

The model of the COSO internal control system is presented in the form of a multifaceted cube, which in the initial version of the concept consisted of five interrelated components (control environment, risk assessment, control procedures, information and communication, monitoring), and subsequently with the publication of the Conceptual Framework for Organizational Risk Management (ERM COSO) was transformed into eight components with the addition of goal setting, event definition and risk response components (Fig. 1).

1 Developed by the Committee of Sponsoring Organizations (COSO).

Fig. 1. COSO ERM model


The essence of the model is to demonstrate the relationship between the components of the internal control system and objectives. The internal control system aims to achieve objectives that include four categories:

strategic goals - high-level goals, correlated with the mission / vision of the organization;

operational goals - efficient and effective use of resources;

goals in the field of reporting - reliability of reporting;

compliance goals - compliance with applicable laws and regulations.

From the point of view of the compliance function, the main direction of compliance control is to ensure that the last goal of the above model is met. Goals in the field of reporting are usually in the area of responsibility of financial control, while strategic and operational goals are shared by all participants in the organization.

So, given the diversity of tasks, components and levels of the organization, how to effectively organize an internal control system, including compliance risk management? How to optimally coordinate the work of the units that make up the second line of defense?

Organization of the internal control system and the scope of responsibility of the compliance service

Best practice provides for an organizational model of internal control, consisting of three lines of defense and, accordingly, three levels of control. There is first-level control - these are the procedures that are carried out on a daily basis directly by the owners of business processes. There are functions that make up the control of the second level - these can be risk management, compliance, financial control, quality control, etc. And there is a third level - internal audit, which exercises independent control with direct subordination to the audit committee.

Fig. 2. Three lines of defense model

Business process managers have the best understanding of threats and risks across their functions and form the first line of defense in internal control, directly responsible for managing their risks and achieving business performance. The second line of defense is control functions accountable to management (risk management, compliance and financial control, information security, etc.). These functions ensure the availability of unified approaches and methodologies for managing risks and threats, including tools such as:

Use of integrated risk assessment approaches;

Scenario analysis and stress testing;

Monitoring of key risk indicators;

Development of plans for anti-crisis management and restoration of financial stability.

The third line of defense is the internal audit service, which is independent and accountable to shareholders through the audit committee and the supervisory board. Its global goal is an independent, periodic assessment of the effectiveness of internal control and risk management systems (the previous two lines of defense).

All three lines of defense are designed to ensure timely identification and response to risks. Management that understands this will normally respond to the risks identified by both the first and second and third lines of defense. Nevertheless, in practice, each of the listed lines can painfully perceive the risks identified by other lines as a kind of threat to their own effectiveness. Thus, one of the main tasks of the management of any bank or other organization is to ensure the constructive interaction of all three lines of defense and the corresponding corporate culture, where each employee is aware of the risks and understands his role in the process of managing them.

Scope of responsibility of the compliance service

Each bank may have its own list of processes controlled by the compliance service. Although, as Russian and foreign experience shows, there is a basic set of such processes:

Economic sanctions;

Transactions with affiliates;

Conflicts of interest;

Market manipulation and insider trading;

Activities related to the regulation of securities;

Anti-corruption compliance;

Code of Conduct and Ethics.

In addition, the area of attention may include such processes as interaction with supervisory and regulatory authorities, work with customer complaints, compliance with the standards of responsible banking business and protection of the rights of customers / investors, control over work with outsourcing, suppliers and intermediaries, protection of personal data, protection of competition. In addition, the compliance service should actively participate in the process of introducing new bank products and other initiatives and have the necessary authority to comprehensively assess compliance risks in the decision-making process.

This list generally corresponds to Chapter 4.1 of Regulation 242-P, which establishes requirements for the internal control service (compliance service) and describes its functions, the main of which is the comprehensive management of regulatory risk. Drawing a parallel with the COSO model, regulatory risk management, including the processes of identification, analysis, assessment, control, monitoring and reporting, is designed to ensure the fulfillment of the set compliance goals, namely compliance with regulatory legal acts, standards of self-regulatory organizations (for professional participants in the securities market), constituent and internal documents of the bank. At the same time, it is important to note that, of course, the compliance service alone is not responsible for compliance goals, even from the point of view of the second line of defense. All business unit managers must ensure that their activities comply with internal rules and policies, as well as legal requirements. Moreover, for specialized compliance areas such as tax compliance, labor compliance, intellectual property, environmental protection, there are separate divisions (tax department, human resources department, etc.) with the appropriate expertise to ensure compliance with the requirements. But at the same time, it turns out that the head of the internal control service (compliance service), even if he is not directly responsible for such separate compliance areas, must coordinate the work of the overall system of compliance control and compliance risk management at the bank level. Moreover, the main compliance risks should be included in the monitoring and testing plans carried out by the internal control service. Thus, service experts should be well acquainted with the general banking methodology and legal requirements in all major areas, and not just key areas of compliance, such as insider knowledge, anti-corruption and AML/CFT.

As noted earlier, compliance goals are just one component of the internal control system, which also has other goals (strategic, operational and reporting). The participants in such a system, as we see from the model of three lines of defense, are all employees of the company and management bodies. All divisions of the second line of defense constitute the backbone of the internal control system, as they determine the rules and procedures, the general culture of behavior for the first line of defense and are the main mechanism for monitoring the effectiveness of the internal control system. It turns out that the main "colleagues on the second line" for the internal control service are:

Financial control (chief accountant);

Security (including information security);

Risk management;

AML/CFT (if there is a division separate from compliance);

Other control functions.

It is very important to pay attention to the last point. Each bank may have its own structure for the distribution of powers and responsibilities. The list of participants in the internal control system and, in particular, the second line of defense is not closed. Moreover, some departments may simultaneously be the first line of defense for some processes and the second line of defense for others. In practice, in order to build not a formal system, but a real one, it is recommended to designate in detail the responsibility of all departments in terms of their role on the second line. For example, lawyers may be responsible for monitoring changes in regulations, the IT department for ensuring information security, the operations department for implementing a business continuity plan, the finance department for financial control over the accuracy of reporting, etc. The more players on the second line, the higher the risks of functionality duplication, the use of different approaches to risk assessment and information vacuum. Moreover, compliance goals cannot be taken out of the context of other goals and risk management of the bank as a whole. Effective management of compliance risks, as well as other types of risks, optimizes the capital of the bank and releases the created reserves for possible losses, such as penalties or out-of-court settlement of losses.

Therefore, it is very important to correctly establish the interaction of all involved functions and organize the necessary exchange of information.

So, who should be responsible for coordinating the work of an effective system of internal control? Obviously, this is not internal audit. It is also obvious that the coordinator should be part of the second line of defense, since it is here that approaches, methodology and rules are determined and control over the execution of processes is carried out. And if in the case of a small organization it is possible to get by with the presence of a formal coordinator (head of the internal control service), then the wider the list of compliance risks and the more areas of activity in the bank, the more urgent the problem of real coordination of work. Large banks sometimes have a separate internal control unit, which is mainly focused on risk assessment and testing (reviews) of control procedures, and a separate compliance unit, which is responsible for working on the main areas of compliance mentioned earlier. But even with such a model, it makes sense to have a single sponsor of a sufficiently high level, with appropriate powers, who would not only be the main referee on the second line of defense in terms of internal control, but could also organize the work of all departments smoothly and efficiently, minimizing unnecessary costs, "pulling the blanket", knocking out separate budgets and resources for identical tasks - all that is so common in any organization.

Let's take a closer look at the role of the head of the internal control service, or, as we called him above, the main referee on the second line of defense. What does it mean to coordinate internal control work? Of course, the head of the internal control service cannot be an expert in all processes and control the effectiveness of all control mechanisms. But he must set the rules of the game and clearly allocate the roles and responsibilities of each participant.

Fig. 3

First, you need to implement an internal control policy or regulation, as well as a number of other interrelated policies, such as a compliance risk management policy, a code of ethics, etc. These high-level documents should clearly distribute roles and responsibilities not only between different levels of protection, but also between subdivisions on the second line. Further, the owners of specific second line destinations create and implement separate standards and procedures that must be observed on the first line. At the same time, it is necessary to introduce and clearly consolidate control mechanisms both on the first and second lines of defense. And the audit periodically independently checks the built system or its elements.

The head of the internal control service, in addition to coordinating the functioning of the system as a whole, should also analyze its effectiveness and the need for change.

Thus, it is necessary to evaluate at least two lines of defense in terms of the sufficiency of resources, including human (expertise and experience) and IT resources, the timeliness of identifying risks and their escalation, the effectiveness of information exchange and monitoring. Understand where there are “weak spots” or redundant controls and how you can increase the stability of the system. And finally, define an internal control strategy, how to measure the effectiveness of the system on the basis of specific indicators and metrics, not only based on the need to minimize risks, but also on operational efficiency.

In conclusion, let's think in an everyday way: what are compliance, the internal control system and risk management, and why are they needed? To some extent, compliance is present in all aspects of our lives, including the life of any organization. Where there are actions and there is a process, there are certain controls. A good example is parenting. When your child leaves for summer camp, you check to see if everything you need is in the suitcase, and you probably remind him of certain things (brush your teeth, change socks, etc.), and you do this not because it is very pleasant for you, but because you want to ensure a comfortable and healthy stay for the child in the camp throughout the shift. But any control can also be redundant. So, if you come to the camp every other day and check on how the child is doing there, this may prevent him from getting the full benefit of this process and achieving his goals. Thus, building control, meeting requirements, compliance, and risk management are by and large familiar and natural for us. But it is important that everyone participates in this process, clearly understanding their role, while not interfering with the “creative process” that every business lives.

Literature

1. Colbert J. L., Bowen P. L. Comparison of Internal Controls: COBIT, SAC, COSO and SAS 55/78 // Audit and Control Journal. - 1996. - No. IV. - pp. 26-35.

2. IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013. URL: http://www.theiia.org/chapters/pubdocs/278/PP_Three_Lines_of_Defense.pdf

3. The COSO Financial Controls Framework 1992. Retrieved from the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control: http://www.sox-online.com/coso_cobit_coso_framework.html


The organization of the internal control service largely determines the efficiency of the business processes of the enterprise, since it not only checks the accuracy of accounting data, but also minimizes the risks of the company.

IFRS accounting should be evaluated by internal controllers, because with the help of reliable data, it is possible to achieve the goals set by the company's management, for example, enter an IPO, attract investments, etc. Let's consider the features of organizing internal control at an enterprise using this article.

The importance of internal control can hardly be overestimated, since often on the basis of internal control (or audit) procedures already carried out, an external audit is also carried out, the results of which are provided to external reporting users.

Foreign experience in organizing an internal control system

The so-called model of three lines of defense of internal control has become widespread and popular (see figure). The idea of this model is that the system of internal control in an enterprise can be organized in different ways, depending on the stage of its development.

In Russia, the approach of three lines of defense in building an internal control system is only gaining ground. Currently, due attention is not paid to the organization of the internal control service, especially in medium-sized companies. The internal control service is rather associated with checking the availability and use of assets, liquidating debts, as well as checking the quality of accounting (financial) statements and optimizing taxes and fees. In our opinion, this format of the organization of the internal control service needs to be revised, since the concept of internal control is more extensive and includes the analysis and assessment of the operating efficiency of the enterprise, as well as the assessment of the quality of risk management.

When organizing an internal control service at an enterprise, one should also take into account the COSO "ERM" standards (the COSO standard that was in effect before that differs from COSO "ERM" in the latter's focus on managing the company's risks and improving the reliability of reporting). COSO is a private organization in the United States, created to provide guidance to the management personnel of organizations in terms of internal control, risk management, elimination of financial reporting fraud, etc. The value of this organization's internal control model is that, by comparing their own data with it, organizations will be able to evaluate their own internal control system.

Features of the organization of an effective internal control service

There are also difficulties that companies may encounter when setting up an internal control service at an enterprise, in particular, these are:

  • incomplete or partial access to the necessary information;
  • insufficient confidence in the activities of the internal control service;
  • lack of funds for the organization of the internal control system at the enterprise, in particular, for the maintenance of the staff;
  • differences between Russian and international auditing standards, etc.

The first problem can be solved by ensuring effective interaction of the internal control service with other divisions of the company with the support of the company's management.

A very important task of the internal control (audit) division is to increase the confidence in its activities on the part of employees of other divisions and company management. Often, internal control, audit, and compliance specialists are perceived by other employees as specialists who perform “unnecessary” work and distract them from their main work. This situation is not conducive to improving the quality of audits. Each company solves this problem on its own, but all methods used should be aimed at creating a friendly atmosphere within the company between its employees.

The problem of insufficient trust in the activities of the internal control service is solved by increasing confidence in the specialists of such a service (moreover, ensuring effective interaction between the company's divisions can also increase trust). The following factors are also important for increasing the credibility of internal controllers:

  • professional qualities and competence;
  • the significance and quality of the information received by controllers.

Thus, internal control specialists should ideally have an auditor's certificate, extensive work experience, and be well versed in accounting and tax accounting, IFRS. In addition, specialists of this kind must constantly improve their skills.

As for the significance and quality of the information received by internal controllers, this item affects not only the efficiency of the company's accounting work, but also the management decision-making by its management. The significance and quality of work is achieved through the preparation of working documentation for auditors (see the table below), objectivity and completeness of the audit of accounting.

Description of the Three Lines of Defense Model for Risk Management

The next problem that may arise when setting up an internal control service is the company's lack of funds for these purposes. It should be noted that at present the organization of internal control is not a whim of the company, but a requirement of the time, because the correction of errors may take more time. Depending on the size and type of activity of the company, you can choose the optimal number of specialists. For a small company, one or two specialists will be enough; you can also use the services of outsourcing companies. In any case, it is advisable to evaluate the possible costs in advance and choose the most acceptable option for the company.

There are differences between Russian and international standards, both accounting and auditing, therefore, if the company's activities are to be assessed in terms of international standards, one should think about attracting internal control specialists of the appropriate level and qualifications.

The most important stage in the work of the internal control service is the control over adjustments to IFRS. Checked operations can be conditionally divided into standard (typical), non-standard and verification of risks to which the business may be exposed.

Complicated areas of accounting that require attention are also the valuation of assets and liabilities, the reflection of reserves, the preparation of notes for reporting, the verification of data provided by the branches of the organization.

The most complex valuation approach offered by IFRS is fair value measurement. If funds are available, it is best to contact a professional appraiser, but if the company does not have such a financial opportunity, then you can independently determine the fair value.

IFRS offers several options for determining fair value depending on the type of asset: value in the main (previously active) market, value for similar assets, present value, etc. When checking the determination of fair value, the internal control specialist must check the documentation supporting the determination of the asset's fair value, as well as the objectivity and reliability of the results. The opinion of users of financial statements can be largely influenced by information disclosed in the notes to financial statements. The scope of disclosures should be carefully considered and agreed with the company's management.

The accrual of reserves also requires attention. The procedure for accounting for them is regulated not only by IAS 37 "Provisions, Contingent Assets and Contingent Liabilities", but also, depending on the specifics of the company's activities, by IAS 11 "Work Contracts" and Interpretation IFRIC 6 "Liabilities arising in connection with participation in a specialized market - waste electrical and electronic equipment".

To organize an effective internal control service, it is also necessary to normalize the work of other departments, in particular the IFRS department, and to double-check methodological materials, including accounting policies, for errors and inconsistencies in accounting data. The workflow schedule is also important: if the data submitted to the internal control service is delayed, the service's own work will be performed much more slowly.

Other departments of the company must be involved in the process to ensure coordinated work. The distinctive feature of internal control is that it covers not only individual areas of the company's activities (accounting, business combination operations), but also entire business processes, as well as the company's activities as a whole.

Thus, a properly organized system of internal control at the enterprise is important for improving the efficiency of the company.

Assessment of possible risks


Opinion

Svetlana Roganova, leading accountant of Eldorado company

Good Internal Control Practices

In our opinion, the most effective method of carrying out the activities of the internal control service is to use the approach based on three lines of defense. If this foreign experience is correctly adopted in Russia, the risk that a company will, for example, make mistakes in its financial statements will be small. This method is based on data validation on three fronts. The peculiarity of the approach is that if one of the lines does not notice an error, it will be leveled out at the next line of defense. The work of the third line of defense is the most responsible, since it has to check the data of the first two.

The difficulty in the practical implementation of the project lies in the correct distribution of specialists along the three lines of defense. Our suggestion: include the accounting department and the reporting department in the first line of defense; the internal control service, the department responsible for risks, and the compliance service (if any) in the second line; and the internal audit service in the third line. External auditors will act as the final authority for data verification.

Although for many companies it is quite expensive to maintain both an internal control service and an internal audit, for a large business this is a real need at the present time; otherwise, due to the large amount of information, it is very easy not to notice an error or not to take the corresponding risk into account. The internal audit service should be higher in rank than the internal control service and exercise control over the work of the latter. In addition, the services can help each other with methodological support, with mutual quality control, and with dividing areas of responsibility. With this approach, you can reduce the cost of external audit. Internal controllers should also interact closely with the company's management and resolve emerging issues jointly; the efficiency of the internal control service in this case will increase significantly.