On organization, training, assignment of responsibilities, delegation of authority
Although Vietinbank has issued a code of professional ethics, regularly propagated and disseminated to staff the importance of risk management, including risk management, the organization of training and assignment of responsibilities have not been implemented evenly for staff throughout the bank. Many staff at branches and transaction offices are still not fully aware of the importance and responsibility of themselves in risk management in general and risk management in particular. The first control circle is primarily responsible for risk management in the bank's business operations, but staff at branches and transaction offices are not fully aware of the importance of risk management, and still have a subjective attitude, thinking that risk management is the work of the Head Office and specialized departments, and focal units. This is a weakness in raising awareness for staff at business units at Vietinbank.
Training is organized regularly but has not brought high efficiency as well as created motivation for employees to participate because it is not linked to the inspection, assessment and evaluation regime as well as reasonable encouragement, incentives and rewards. This is one of the factors that reduces the effectiveness of risk management. Internal training does not have standards to accurately assess the level of effectiveness and does not focus on training by hiring external consultants. This is a barrier that limits Vietinbank in updating and absorbing modern knowledge, catching up with the trend of risk management in the world.
Staff training has only stopped at providing professional training for each position of each staff member, but has not expanded, implemented training, and supplemented professional knowledge of other related positions for QLRRTN staff and other staff to enhance risk recognition capacity for all staff members.
Maybe you are interested!
-
System of Documents and Internal Regulations on Operational Risk Management of Vietnam Joint Stock Commercial Bank for Industry and Trade -
Credit risk management at Vietnam International Commercial Joint Stock Bank - Hanoi Branch - 12 -
Credit risk management for personal loans at Nam A Commercial Joint Stock Bank - Quang Ninh Branch - 13 -
Credit risk management at Military Commercial Joint Stock Bank, Hue Branch - 12 -
Interest rate risk management at Vietnam Joint Stock Commercial Bank for Industry and Trade - 32
Especially for SKRRTN in Vietinbank and the entire system of Vietnamese commercial banks, there have been no training sessions, exchanges, or systematization to understand the motives, causes, methods, and loss assessment, while the training form is mainly theoretical and rigid, making it difficult for officers and employees to access.
The decentralization of risk management and transaction limits has not been linked to the rights and responsibilities of officers and employees, so it has not really been effective, especially for the first line of defense. This can easily lead to a situation where branch officers and employees lower their own responsibility in performing their duties and in detecting and preventing risk.
Regarding organizational work, Vietinbank has not implemented staff rotation according to the correct procedures and has not had a training plan suitable for staff rotation. The issue of responsibility associated with benefits has not been given due attention at Vietinbank, and there is no public and transparent salary mechanism associated with assigned benefits and responsibilities.
In addition, Vietinbank staff have not been properly trained in compliance and professional ethics. This is the cause of risks when handling work because staff intentionally do not follow procedures and regulations, take advantage of loopholes in procedures and regulations to gain benefits, causing damage to the bank.
The functions and tasks of some departments/divisions and units are still overlapping, lacking coordination, making it difficult to handle work and shifting responsibilities. Typically, the responsibility and assignment of work of the focal unit at the Head Office is to manage operational risks in the business activities of the Branch, so these focal units will better understand the causes, forms and ways to prevent operational risk events arising in the business activities of the bank. However, the development of policies and procedures for operational risk management belongs to the responsibility of the second line of defense. Without close and effective coordination between these two lines of defense, operational risk management will not achieve the expected results.
2.4.2.2. Compliance with regulations and operational risk management procedures
On the internal document system, procedures and regulations on environmental management
Firstly, although up to now, Vietinbank's internal document system, procedures and regulations on risk management are quite diverse and cover most activities, but because research and development have only been focused on implementation in recent years, more time and feedback from branches are needed to complete them.
for synchronization and high efficiency, especially in general, there is still a lack of specific direction and strategy. Some documents have just been developed and issued but must be adjusted immediately after that because at some points, when implementing, the branch still encounters difficulties. The internal document system of the Bank is still unclear and difficult for the Bank's officers and employees to look up during the operation.
Second, Vietinbank has not issued specific standards for each position and title, especially for key leadership positions and departmental leaders. The lack of specific regulations on this set of standards leads to risks in organizational and personnel work because the positions and titles recruited may not meet the job requirements.
Third, Vietinbank has not issued regulations on rotation associated with staff training. This is one of the limitations not only of Vietinbank. Lack of training regulations associated with staff rotation causes rotated staff to not have enough knowledge and skills to undertake tasks in new positions, leading to risks in staff organization.
Fourth, some internal documents, procedures and regulations of Vietinbank are still duplicated and overlapped in content and the terms used in the documents are not consistent. The bank's internal documents and regulations still have many unreasonable and loose points, leading to the situation where staff take advantage to gain benefits, causing SKRRTN from internal fraud.
Fifth, although Vietinbank has issued a document clearly defining the roles and responsibilities of individuals and relevant departments in risk management, this document only stops at a general level and does not specifically address the financial responsibilities and compensation responsibilities of individuals and units that directly or indirectly cause operational risk events that cause losses to the bank.
Sixth, Vietinbank has not yet built into its internal audit charter specific contents related to risk management activities with full and clear contents such as the purpose and scope of internal audit; requirements for internal audit to comply with, internal audit working process with
internal and external units of the bank, with the State management agency. Due to the limitations of this inspection and supervision mechanism, the self-inspection and supervision of the Bank's risk management activities are not really effective.
Finally, Vietinbank has not yet had any regulations requiring new products to be assessed for operational risks and approved by the Risk Assessment Council when proposed. This is a shortcoming not only at Vietinbank but also at most other commercial banks. This makes the identification, assessment and control of operational risks slower and more passive.
About the QLRRTN process
Firstly, regarding the reporting work: (1) Regarding time: Some branches have not entered data on time compared to regulations. (2) Regarding quality: The reporting data of some branches is incomplete, leading to the risk identification work not fully detecting potential risks. Units periodically report RRTN to the RRTN Management Department but have not invested properly, in a reactive and cover-up manner, leading to the RRTN management list still lacking in promoting it as a useful reference source. All of these affect the statistical reporting of RRTN during the period and the calculation and measurement of the nature of RRTN, so measures to monitor and minimize are not applied accurately.
Due to overlapping processes and regulations, there are many loopholes, so the criteria for Vietinbank to identify risks are not close to reality, leading to unrecognized risks. In addition, due to the need to develop products and operations that are increasingly complex, for newly arising risks, Vietinbank has not yet provided timely criteria for risk identification, so there are still risks that are missed. In addition, the new QLRRTN reporting system is only statistical, does not have dashboard data analysis, and is not closely linked to business activities.
Second , Vietinbank has not yet had any regulations on the need for operational risk assessment for new products when proposed and must be approved by the operational risk assessment council. This is a shortcoming not only at Vietinbank but also at most banks.
other joint stock commercial banks. This makes the identification, assessment and control of operational risks slower and more passive.
Not only that, the assessment of RRTN for current banking products at Vietinbank has not been implemented, supplemented and completed. With a large portfolio of banking products, the implementation processes for each product are relatively complex, diverse with many different stages, the assessment, development of indicators, and signs of RRTN for each product is a necessary requirement. However, to do this, the bank needs to invest resources, time and effort.
Third, for risk measurement and assessment, the RCSA Self-Assessment and Control Effectiveness Programs are still organized by the Risk Management Department, which prepares documents, guides units to implement and reports results. Business and operational units have not yet promoted their pioneering role in risk management, and have not truly "self-aware" of their risks. Although the contents of operational risk management at the bank have been documented and implemented quite specifically, however, at the first layer of defense, direct business and operational units are still passive in applying them.
Fourth, Internal Audit has not yet fully performed its role as the third line of defense. The fact is that because operational risk management is a very new field, Internal Audit personnel at the Bank have not been fully equipped with in-depth knowledge and skills in this field, especially understanding of relevant best practices and standards in the world. In addition, Internal Audit performs independence and compliance checks but cannot check the accuracy of operational risk reporting data due to lack of authority.
Finally, the requirements for risk management in general and the standards in Basel II in particular are high-level academic knowledge, some of which are quite abstract. Therefore, despite efforts to research and learn, Vietinbank has not yet implemented some of Basel II's requirements such as scenario analysis, comparative analysis, etc.
2.4.2.3. Suitability, diversity and effectiveness of risk management tools and risk prevention measures
Although Vietinbank has applied risk management tools according to international practices such as LDC, RCSA, KRI, BCM, etc., in reality, Vietinbank has not yet developed a system of documents specifically regulating these tools. The application of the above tools is regulated in relevant documents, which are general in nature about the risk management process. This can be said to be a major shortcoming of Vietinbank because the content of applying risk management tools has only been mentioned at a very general level, specifically:
Firstly, although the business continuity plan (BCM) at Vietinbank has been established, its application level is still sketchy and low frequency, making this tool not really effective as expected.
One of the objectives of developing a business continuity plan is to develop Disaster Response Plans, Business Maintenance and Recovery Plans, Technology Recovery Plans from Disasters and to conduct annual drills for these plans. However, Vietinbank does not have the above specific plans and the level of drills is only very limited.
In addition, these response and drill plans have not been communicated and disseminated to all bank employees, showing that BCM is only a formal tool in risk management at Vietinbank.
Second, the application of the Key Risk Indicator (KRI) tool still reveals many shortcomings such as: Specific risk indicators have not been fully established in all operations, KRI management has many limitations, automatic monitoring to collect data and analyze warnings as soon as the set threshold is reached, reporting of KRI implementation results is not really timely and the quality of the staff implementing KRI management is also a problem of the Bank.
Third, Vietinbank has not yet implemented RRTN insurance measures. RRTN insurance is one of the effective ways for banks to share and transfer risks to third parties. The financial burden of banks will be reduced when there is sharing from insurance companies. This is also the operating trend of
large banks in the world. However, in recent years, Vietinbank has not been able to implement insurance contracts for RRTN, this is a limitation not only for Vietinbank but also for most commercial banks in Vietnam.
Fourth, Vietinbank implemented the calculation of RRTN capital relatively late, so it has not proactively made provisions for possible losses. The late calculation of RRTN capital shows that the bank's RRTN management work still has limitations, which can lead to passivity in overcoming due to the lack of financial reserves as well as affecting the financial plan when SKRRTN occurs. While many other joint stock commercial banks have implemented the calculation of RRTN capital as soon as the State Bank's guidance was issued, Vietinbank has only applied the calculation of RRTN capital since 2019.
2.4.2.4. Some other limitations
About IT systems
Vietinbank's IT system still has some limitations such as not meeting the requirements of large-capacity data output due to low transmission speed and capacity. The system sometimes has errors during use, leading to interruptions in business operations and not providing timely data.
In addition, the RRTN signal set changes frequently, making it difficult to evaluate and compare with the previous period. The change in the RRTN signal set is not updated regularly in the database, causing the IT system to become overloaded, and the system's memory software running speed to decrease.
The IT system has not yet effectively supported the description and prediction of scenarios for SKRRTN, so this work still needs to be done manually by Vietinbank staff. On the other hand, the security of the IT system also reveals some limitations in protecting customer information such as password disclosure, loss of account control when customers log in and use services on the web platform.
About information disclosure
Vietinbank has not yet fully and promptly disclosed information to allow market participants to assess whether the bank has implemented good risk management. Information on risk management has not been systematically disclosed by the bank.
systematic and public through channels such as the bank's website or in reports of the board of directors. Reporting is only done internally within the bank, to competent authorities and to the State Bank. Information on risk management is provided incompletely through unofficial channels. This is also a weakness of the bank in publicizing and making information on risk management transparent.
2.4.3. Causes of limitations
In-depth study and analysis of the limitations in Vietinbank's risk management work, the researcher pointed out two groups of subjective and objective causes leading to the remaining problems, specifically as follows:
2.4.3.1. Objective causes
The Complexity of Basel II
The Basel Accords were enacted to encourage the adoption of common approaches and standards without attempting to interfere with the supervisory techniques of member countries. Accordingly, the objectives of Basel II are: To improve the quality and stability of the international banking system; To create and maintain a level playing field for banks operating internationally; To promote the adoption of more rigorous practices in the field of risk management.
It can be seen that the Basel II criteria are built on the survey experience from developed economies, where the banking industry has a long history and has achieved great achievements in its operations. Meanwhile, the Vietnamese banking industry is still quite young, the level of development is still low compared to the above countries, the internal factors of the economy are not strong enough. Therefore, when applying the Basel II criteria to risk management in general and operational risks in particular in the operations of banks in Vietnam, there are still many difficulties, in which, the difference in level can be considered the main cause.
The State Bank's decision to apply Basel II standards to the management of the operations of Vietnamese commercial banks without taking into account changes to suit the actual development level and potential of the domestic financial and banking market is one of the reasons why risk management work is still lagging behind.