As the government moves to spur economic growth, and lending to the private sector picks up, banks’ internal risk management assumes more importance. Possible lapses can potentially compromise prudent banking.

Internal risk management, different from managing market risk, focuses on how efficiently a bank or development financial institution (DFI) handles the issues that can potentially weaken mandatory risk management practices under the central bank’s guidelines.

Last week, the State Bank of Pakistan (SBP) waived the exposure limit of banks and DFIs for financing government-initiated housing schemes. The exposure limit requires that housing finance to a single party must not exceed 10 per cent of advances and investment (minus investment in government securities) of banks and DFIs.

“Now that the SBP has done away this requirement in the case of housing finance to government-initiated housing schemes, banks’ internal risk management will be crucial in keeping the entire exercise transparent,” says a local banker.

“The same is true in the case of the prime minister’s business loan scheme, even though loaning under this scheme is range-bound, and the appraisal procedure of loan applications isn’t too loose.”

Addressing a conference in February 2013, SBP Governor Yaseen Anwar had elaborated on the links between banks’ internal risk management and operational risks, which cover a wide spectrum of risk management, including credit, market and liquidity risks. “Business line management is the first line of defence against operational risks,” he had remarked.

“This constitutes the core of internal risk management,” says the head of a local bank, while recalling that the central bank issued a new set of guidelines for internal risk management following Mr Anwar’s February speech. By and large, those guidelines cover most of the concerns that fall under Basel II reporting requirements.

“Our board of directors now actively monitor how the bank management is complying with operational risk management requirements. And top management oversees business line management to see whether line managers in different areas of banking keep track of relevant risk management issues, i.e. those related to credit risk, liquidity risk, market risk and operation risk etc.”

Enhanced standards of internal audits also help meet the objectives of banks’ internal risk management, and by extension, operational risk management. Weaker internal audits not only conceal potential operational risks, but also block the development of internal risk management.

“There are innumerable instances of sub-standard internal audits that keep a lid on pointers to deteriorating loan performance, over-exposure to certain clients and sectors, mismatch in loan-deposit structure etc,” says the head of operations of a large local bank.

Only recently were banks asked to document details about deposits under a new code to check money laundering, besides making it possible to track sources of export earnings in greater detail.

After the global financial crisis that began in late 2007, central banks around the globe are now focusing on sound risk management in financial institutions, including internal risk management.

In line with this trend, the SBP issued two comprehensive sets of guidelines for banks and DFIs in 2013. The second one, issued in September, provides a clue to increasing the need of ‘going into details’ to ensure internal risk management. Banks and DFIs have received a five-page questionnaire from the SBP that serves as a specimen of what key questions they must answer to see if their internal risk management is OK.

One of the questions requires the respondents to answer whether their internal control system ensures (a) segregation of duties, (b) existence of cross checking, (c) more than one person’s authorisation, (d) dual controls, (e) joint custody of keys, and (f) safeguards for access to or use of sensitive assets or records.

Another one bluntly asks: “Does the bank/DFI possess a mechanism that promptly identifies and reports, in writing, to management or board of directors internal control deficiencies?”

“Identifying and fixing threats of frauds and forgeries and avoiding operational hits like a run-on-deposits or increase in bad loans or becoming vehicles of money laundering are broader objectives that banks are expected to meet. Internal risk management is just one supporting factor in overall risk management and compliance with SBP guidelines,” says a senior executive of the state-run National Bank.

Bankers say like in all areas of banking, the role of information technology is central to risk management as well. Most financial institutions nowadays are focused on improving their information management systems (IMS).

“In electronic banking, consumer financing, client servicing — and more importantly, in front and back-office treasury operations — IMS improvement is a must to augment internal controls,” says the treasurer of one of the top five banks.

But beyond controls and risk management, the presence of and adherence to a strong code of conduct is also vital. Last week, the SBP introduced a code of conduct for treasuries of banks, DFIs and primary dealers or the financial institutions that act as market makers for government debt securities.

Bankers say the move is well-timed, while admitting that the free-fall of the rupee in recent months was not only because of deteriorating external sector indicators, but also due to weaker conduct of treasury departments of some banks.

Follow Dawn Business on X, LinkedIn, Instagram and Facebook for insights on business, finance and tech from Pakistan and across the world.

Opinion

Editorial

‘Talks over hostility’
Updated 02 Jul, 2026

‘Talks over hostility’

THE recent appeal endorsed by civil society members from Pakistan and India, urging the prime ministers of both...
Lahore tragedy
02 Jul, 2026

Lahore tragedy

THE death of 14 children in the roof collapse of a private tuition centre in Lahore has plunged the entire country...
Data policy
02 Jul, 2026

Data policy

THE draft ‘Data Governance Policy’, released by the IT ministry recently, is a welcome step towards modernising...
PIA’s privatisation
Updated 01 Jul, 2026

PIA’s privatisation

THE management control of PIA has finally been transferred to a consortium comprising private investors and the ...
Rights beyond rulings
01 Jul, 2026

Rights beyond rulings

THE Supreme Court’s recent ruling that jewellery, bridal gifts and dowry articles given to a bride remain her...
Asia left behind
01 Jul, 2026

Asia left behind

ALARMING regression has been witnessed in the Asian teams at the FIFA World Cup. A record nine representatives from...