The Bank of Ghana set out on a journey to evolve its risk management practices to meet the requirements of rapidly changing conditions back in March 2011. The aim was not only to raise internal standards of risk management, but also to protect the central bank from emerging risks such as information security and fraud.
Like many central banks, particularly in emerging markets, risk at the Ghanaian central bank historically was managed on an ad hoc basis in departmental siloes with little central co-ordination. That has now all changed, with its efforts to create a multi-function risk department winning praise from external auditors and being emulated as a model for other central banks in the region.
"Risks were previously managed from various departments in an unco-ordinated and silo-based fashion," says Gloria Quartey, chief risk officer at the Bank of Ghana. "However, with the establishment of the risk department, risk management moved to a defined level, where risk policies have been more clearly defined and articulated."
The risk management department is now staffed by 33 employees, split across five separate offices: enterprise risk management (ERM); vetting and verification; anti-money laundering and countering the financing of terrorism; information security management systems; and business continuity and strategic planning.
Risk culture transformed
Among the risk department's most significant achievements over the past two years has been to work with operational areas to develop a series of risk registers that span 26 separate departments across the central bank and allow individual business functions to identify the biggest risks they face, as prescribed in the ERM policy. Significant risks are then mapped to a central risk dashboard, which is monitored by the risk department and is regularly reported to senior management and the board.
This approach has led to what Quartey describes as a "transformation in risk culture", as different business areas have the tools they need to manage risk in line with the conservative risk appetite set by the board. The framework was developed with reference to the International Organization for Standardization's ISO 31000 risk management principles, and has proved particularly beneficial in managing recent volatility in the Ghanaian cedi.
"Foreign exchange fluctuation has been one of the major risks identified on the risk register of the bank, thus ensuring constant monitoring and appropriate mitigating measures are put in place," says Quartey.
"It allows the review of key management policies and procedures to stabilise the currency. Without this, the bank would not have been able to respond in the timely manner it did in early 2016. The risk register allows us to identify, evaluate and treat risks in line with the bank's centrally set risk acceptance criteria."
Ghana is currently part way through a three-year programme with the International Monetary Fund, under which the fund's extended credit facility (ECF) is being deployed to boost macroeconomic stability and growth in Ghana – a total of $465 million had been disbursed as at the end of September 2016.
The IMF has made regular visits to Ghana to review progress since the ECF programme was initiated in 2015, and the central bank has naturally been the focal point of those visits. Strong ERM across the central bank has been a key element of the IMF's conditions, but officials at the fund raised concerns in late 2015 that activities undertaken within the Bank of Ghana's subsidiaries could be a source of reputational risk to the bank.
Detailed assessments were subsequently made of the central bank's three subsidiaries – Ghana International Bank in London; Ghana Interbank Payment and Settlement Systems; and the Central Securities Depository in Ghana – and their potential impact on the Bank of Ghana's reputation.
Having developed a reputational risk assessment model, central bank officials spent time in each institution in mid-2016, interviewing key staff and reviewing policies and procedures. Remediation efforts were subsequently made for those issues that had been identified, most of which have now been completed.
"Reputation is a key risk for us as a central bank," says Quartey. "It is for this reason that the bank regularly reviews its policies, processes and procedures. We also take a keen interest in the activities and operations of our subsidiaries to ensure that our stakeholders are satisfied. We are looking to build even greater resilience into our reputational risk management in the coming years."
In other areas, the risk team has led the introduction of annual vulnerability assessment and penetration testing (VAPT), in line with international standards on cyber security. Last year's VAPT identified the need for infrastructural upgrades to improve the availability, integrity and confidentiality of information, which were duly undertaken, with the latest test under way at the start of 2017.
Quartey's department also played a lead role in the building of an emergency operating centre to house critical functions and recover data, ensuring business continuity in a crisis situation. Both information security and disaster recovery represent significant sources of concern in today's digital environment, and they have been high on the agenda of the central bank's risk department.
Trailblazer in sub-Saharan Africa
Its risk function may be less sophisticated than those of some of the G20 central banks, but the Bank of Ghana has been something of a trailblazer in sub-Saharan Africa, and a number of other central banks in the region have visited its offices in Accra to learn more about the framework and processes that have been developed. In particular, the Gambian and Sierra Leonean central banks have both used the Bank of Ghana's ERM framework as a model in building their own risk functions.
"We are very proud that colleagues in other African countries are coming to learn from us and improve their own risk management processes. We are still a fairly young and lean department, but have built capacity over the past year to allow us to quickly identify risks and put workable mitigants in place to address them," says Quartey.