The role of banking risk in shaping banks' accounting policies

The dynamics of modern business are causing changes in banking systems around the world. The development of financial markets is increasingly pushing the deposit-credit activity of banks into the background. With the expansion of banking operations based on the collection of fees and commissions, the process of transformation of traditional banks into modern forms of organization and operation was initiated. Modern banking operations are accompanied by increasing and more complex risks, which brings to the fore the issues of regulation, as well as the issues of identifying, monitoring and managing the risks to which banks are exposed.

The process of globalization and internationalization of the financial market has led to an increase in the scope of risks and the creation of new types of business risks, which was influenced by several factors. Increasingly present numerous risks call into question individual banking transactions, because they affect the increase in uncertainty of the outcome of banking and other transactions.

The focus of the bank control process is increasingly moving towards the control of the risk to which banks are exposed in their operations, while taking timely corrective measures, if necessary. In this way, banks are free to enter into businesses that will bring them an acceptable return, provided they hold a sufficient level of capital to cover their exposure to risk in those businesses and provided that, according to the current Banking Law, they can perform such business.

Risks become an inseparable component of economic activity, so banks must be trained to respond to market changes in the best possible way. Every bank faces different types of risks in its operations that can negatively affect its operations. All the bank's resources may be exposed to the risk of reduction or disappearance, and hence the bank's interest to manage all these risks, to reduce them to a minimum, and in the case of their materialization, to compensate them from reserves or in some other way, so as not to financially endanger the bank's operations. Therefore, risk management is an integral part of the bank's business management, and constant work in this area is needed to avoid failure that can seriously threaten the business.

The work analyzes the risks that modern banks have to deal with in their daily operations, how these risks affect their operations, ways of adequately dealing with all the challenges that business brings in today's times in itself, as well as familiarization with the legal regulations of our banking system and banking operations. Risks in banking, their analysis and strategy related to their management represent one of the key factors in the business of every bank. The fact that we are living in a time of great changes leads us to deal more seriously with this issue, because as everything around us changes, so will the risks. This is the main reason why risk management is becoming an increasingly topical topic, where new moments worthy of attention can arise every day. The importance of this research lies in a better understanding of the problems that the risks entail, as well as an attempt to lead the same way through certain policies, procedures and strategies, as well as harmonization with the appropriate legislation and regulations, whereby the adoption of those regulations aims to strengthen the stability and security of the banking sector, and thus the stability of the entire banking system of Serbia. The fact that certain decisions of the National Bank of Serbia are aimed precisely at risk management shows how important risk is.

Risk and types of risk in banking business

Risk is a multifaceted, multidimensional and complex concept that is a daily part of the life and work of all individuals and economic entities, but as a scientific field in economics, it has a rather short history.

Banks, as financial intermediaries, provide services, assuming different intermediation risks, such as credit risk, liquidity risk or interest rate risk. These risks are largely related, one event related to a certain group of risks can cause the appearance of other types of risks. Therefore, the management of the bank pays great attention to the problems of identification, measurement and control of the risks to which the given bank is exposed in its operations.

Risk management is a central part of the bank's strategic management. It is a deve-lopmental and continuous process that permeates the entire organizational structure of the bank. Methodologically and systematically treats all risks related to the bank's operations in the past, present and, especially, in the future.

In the conditions of global banking operations, there are numerous risks that call into question individual banking operations, collection or, in the last case, a change that increases the uncertainty of the outcome of the transaction and, as a whole, increases the uncertainty of the bank's income. With the development of investment banking and the process of globalization of the financial system, there has been an additional increase in the risk that banks face in their operations.

Banking business operates with the constant presence of various forms of risk. As risk is inevitable in banking, hence the fact that the work of banks consists in continuous overcoming of risk. By reducing the risk to an acceptable level, the possibility of potential losses for shareholders, depositors and other creditors of the bank is reduced.

There are several definitions of risk, but in general, risk represents any uncertain fact in financial operations, the realization of which has a direct or indirect impact on the result and position of the bank. Risk in banking could be defined as the possibility that the invested funds will not earn the expected rate or level of return, i.e. that there will be a loss in the specific business.

Economists, statisticians, bankers, insurance companies - each of them sees risk in their own way. Risk is defined, among other things, as: possibility of loss, probability of loss, uncertainty, deviation of actual from expected results or probability of any outcome that is not expected.

So, although there is no general definition of risk, there are common elements, namely uncertainty and loss.

The following five factors have a decisive influence on the risk of bank operations in modern conditions (Finger et al., 2018):

T – technology risk - with the development of technology, there has been a massive use of electronics in banks in terms of hardware and software, from processing information to processing requests from clients and their accounts.

R – the riskofchanges in regulations - represents the risk that arises from changes in laws and other regulations that can directly negatively affect the bank's ability to earn or indirectly on its ability to adapt to changes in regulations.

I – interest rate risk - the risk that occurs due to changes in interest rates, which in modern conditions of high level of competition on the financial market are given to commercial banks, because individual banks do not have a dominant influence on them, but are formed on the market.

C – customer risk - risk related to the possibility that the bank's client will be taken over by competing banks. There, the bank's biggest clients are at the greatest risk, over which there is often a real market war between the banks, on whose deposits and placements the bank depends the most.

K – risk ofcapital adequacy - risk of solvency - if it turns out to be real that the previous risks have materialized, this can lead to the risk that solvency is threatened, i.e. capital adequacy of a commercial bank. Thus, the bank enters the zone of non-compliance with the (international) standards of banking operations that are incorporated into the national legislation.

Any uncertainty and unplanned and sudden occurrence in certain business activities of the bank can be defined as a risk. However, the definit- ion of risk itself must be narrower, bearing in mind that banks operate with specific goods (money), so banking risk can be defined as the probability of loss arising as a result of the effect of uncertain events in bank operations. In modern conditions, due to very dynamic changes in the economic environment and the environment in which banks operate, the bank's exposure to risk increases.

There are various possibilities of risk sharing in banking operations. Given the large number of sources of risk, grouping and dividing risks is not a simple task. Bearing in mind the fact that from the bank's point of view, it is important that the risk is always linked to the functional operation of the bank, then it is usual to observe banking risks always from a functional approach, i.e. risk binding for certain global activities of the bank. This approach enables a rough division of banking risks depending on the subject and purpose of the research.

Factors that influence the occurrence of risks faced by a business entity and its business activities are (Rado-vanović et al., 2024):

• -    external, - internal, - mixed.

The risks to which a business entity is exposed are determined by the industry in which the company ope- rates, the external environment and the internal structure and organizational culture.

The bank is exposed to numerous risks, the most important of which are credit risk, liquidity risk, interest rate risk and foreign exchange risk, but there are also other risks such as operational risk, country risk, exposure risk and investment risk, etc.

Risk management strategy of the bank

Risk management is an essential component of the competitiveness of every business entity, including banks as financial institutions. Money is a "goods" that the bank manages and disposes of, i.e. "trades". With that, it can be said that money is a market category.

The bank is obliged to establish a comprehensive and reliable risk management system, which is included in all its business activities and which ensures that its risk profile is always in accordance with the already established risk appetite. The risk management system must be proportionate to the nature, scope and complexity of the bank's operations, i.e. its risk profile and to include appropriate strategy, policies, procedures for identifying and assessing risks, appropriate internal organization, appropriate information system.

The bank should have the ability to assess the probability that the risky event will materialize, that it will affect the bank's operations, and to assess its consequences if it occurs. It is necessary for the bank to react adequately, taking appropriate preventive measures to prevent, or if the risky event has already occurred, to minimize its impact on the bank's operations. In order to successfully deal with risk, a bank must have the organization, human resources and reserved funds.

The risk management sector is in the function of maintaining risk within a tolerant framework of action, for which it is essential to ensure (Hurley et al., 2014):

• -    reliable information and accurate reports on the threat, occurrence or effect of risk,

• -    measuring the effect of risk in monetary equivalent – expressed through a reduction in the bank's earnings or through damages caused to the bank's assets,

• -    adequate strategies, programs and plans to prevent and suppress the effect of each risk through appropriate business policies, procedures and standards.

The bank accepts risk and operates with its consequences, considering that it manages and disposes of other people's funds (stakeholders). It limits the effect of risk by setting exposure control limits or applies one of the previously mentioned strategies. It also manages the business policy of diversification of individual and total risk.

The bank allocates reserve funds to cover possible losses both in a specific business and in general, if it enters into business taking responsibility for risks. What will be the amount of funds intended to cover the risk of the bank's overall operations depends on the bank's financial capacity.

In their operations, banks use standard risk assessment methods, which provide information about the bank's overall strength, financial and operational weaknesses or adverse trends, problems or worsening conditions, and about risk management practices.

The risk management strategy is transferred to the responsibility of the risk mana-gement committee of the board of directors, as well as to the director or manager of the risk management function. Certainly, an adequate Framework for identification, measurement, monitoring and control of risks should be documen- ted by the manager of the risk management structure. In this way, it provides conditions for the consistent application of strategy, policies and procedures along all business units that should assume the risk of financial institutions.

The risk management framework in financial institutions should be critically evaluated and adjusted in accordance with the overall risk profile and risk appetite of financial institutions, as well as with existing external and internal regulations. The risk management function in banks covers all sources of materially treated risk in all portfolios and business operations, but adequate supervision is carried out along all business units, i.e. line.

• -    business units that provide risk - first level, responsible for identification, assessment and minimization of risk in relation to a given level of utility, i.e. yield,

• -    risk management function – second level, responsible for identifying, monitoring, controlling and quantifying risks, for creating a methodology and mechanism for risk management, coordination and assistance in

terms of measuring the performance of business units and

• -    internal audit - the third level, which provides an independent assessment of risk management at the level of financial institutions.

The risk management strategy in financial institutions predetermines the analytical framework of risk management, which includes all risks to which financial institu-tions are exposed, defining the tendency to accept certain risks, determining the capacity and profile of acceptable risks, defining the scope of risks to be managed, processes, procedures that are applied, as well as all other business segments and individuals participating in the creation of the strategy, i.e. Framework for risk management. In addition, it includes abilities, knowledge, skills, tools and methodology for risk management, a created internal control system, modern IT support, capital adequacy and an organized reporting system. In the strategy defined in this way, the Risk Management Framework should be comprehensive from the point of view of the organizational and management structure, and especially it should be flexible in order to be able to adapt to any change in business goals and activities in any situation (Mitrović et al., 2024).

The risk management strategy provides conditions for effective management of all risks. This is all the more so, as only one financial transaction can cause several types of risk, i.e. one type of risk can initiate other risks. As the interaction of different risks can cause an increase or decrease in risk, a risk management strategy usually recognizes and expresses in a certain way the interaction of all business activities. The applied strategy, during risk management and analysis, provides the mana-gement with a clear attitude towards the risks to which the financial institution is exposed. In order to successfully implement a risk management strategy, a financial institution must have an appropriate organizational structure that enables effective monitoring of the interdependence of risks at all levels of financial institutions. In other words, all business lines are equally responsible for the risks they take (Inđić et al., 2023).

If an adequate risk management strategy is not applied, they will not be able to be analyzed, evaluated and settled, therefore they will not be controlled either, which is a serious problem for every bank. Only by applying an adequate strategy, an accurate management risk assessment is obtained, where the bank is located and helps to define future activities and plans from the point of view of risk exposure and acceptability. In order to determine the overall exposure of financial institutions to risks, it is necessary to measure different types of risks and according to product and service lines, in such a way as to include their short-term, medium-term and long-term goals and impacts on the operations of financial institutions.

The term and concept of bank risk management

In modern conditions, the bank operates in the environment of other banks, clients and the economy as a whole, which introduces elements of risk into banking operations, while it should be borne in mind that the dynamics of changes in society and the economy, in modern conditions, are very accelerated, which represents a source of various risks for banking operations.

The risks that every bank faces are inevitable. They must be evaluated, controlled and financially, to the maximum extent possible, neutralized so as not to endanger the bank's operations. Risk management is coordinated with the size and organizational structure of the bank, the scope of activities and the types of work it performs (Savić et al., 2023).

The general goal of risk management is to optimize the trade-off between risk and return. In this sense, the focus of banking risks is the management of credit and market risks, on which the solvency risk, as the definitive risk of the bank, crucially depends. Interest and currency risks are integral components of market risk. Liquidity risk is a specific banking risk that modern banks can ultimately manage through the financial market, provided they have a strong solvency position and high credibility on that basis.

In principle, risk management has two main goals - avoiding bank insolvency and maximizing the rate of return on capital with a correction for risk. If the bank's risks were underestimated, it would have a negative impact on the bank's solvency and profitability, i.e. actual losses would push the rate of return on equity below expected levels. Underestimation of credit and market risks in the modern environment in which banks operate today endangers bank solvency, bearing in mind that, in modern conditions, solvency can change significantly faster than in traditional bu-siness conditions (Sassen et al., 2016).

Risk management is a process in which managers identify, assess, monitor and control risks associated with the bank's business activities, i.e. financial institution whe-re they work. In large financial institutions, risk management is used to identify all risks associated with certain business activities and to aggregate risk information so that exposure can be assessed on a comprehensive basis.

Risk management is a relatively new discipline and developed from insurance business, because in the management of insurance business it was noticed that the tra-ditional way - through compensation of damages -cannot successfully minimize business risk in any activity. Risk management at banks implies a complex mechanism that combines risk protection contracting with insurance companies with measures of the bank's internal risk management policy.

Risk management is a continuous and evolving process that flows through organizational strategy and the implementation of that strategy. It represents a dynamic process. The goal of risk management is twofold (Penjišević et al., 2024):

• -    preservation of the bank's assets and funds and

• -    protection of potential profits from losses.

The risk management system includes (Armour, 2012):

• -    strategy and policies for risk management, as well as procedures for identifying and measuring, i.e. risk assessment and risk management,

• -    appropriate internal organization, i.e. organizational structure of the bank,

• -    an effective and efficient process of managing all risks to which the bank is exposed or may be exposed in its operations,

• -    adequate system of internal controls,

• -    appropriate information system,

• -    an adequate internal capital adequacy assessment process.

Determination of goals - risk management program, where it is precisely decided what the business entity expects from that program. The primary goal is to preserve the efficiency of the business entity. A secondary goal is to protect employees from injury. Other goals are related to cost reduction, socially responsible behavior, good public relations, etc.

• -    financial resources (own and others),

• -    human resources and

• -    responsibility.

Risk identification is the phase of risk management in which, in addition to the specification of risks in the general classification system and the definition of subjects, the cause-and-effect relationships of individual risks are determined. Risk identification deals with risk perception, which refers to the ability to perceive a potential situation in which damage occurs, that is, to notice a risk that can be an active cause of damage, as well as to notice dangers that can increase the effect of that risk.

Therefore, risk identification is the process of identifying the exposure of a business entity to uncertainties. The risk description aims to present the identified risk in a structured format, most often using a table.

In risk identification, a combined approach is applied - client know- ledge, risk analysis questionnaires, diagrams, analysis of financial statements, historical review of work, case studies, etc.

The basic classification of risks in relation to the operations of a business entity is:

• -    critical risk – leads to bankruptcy of the business entity,

• -    an important risk - leads to jeopardizing the liquidity of the business entity, but the negative effects can be abstracted (either by increasing efforts to collect due debts of the debtor or by a loan from a commercial bank) and

• -    unimportant risk - does not threaten the liquidity and solvency of the business entity, i.e. its effects do not significantly affect the operations of the business entity.

Risk assessment – represents the general process of risk analysis and assessment. The company's experts determine the potential loss and the probability of loss occurrence.

Risk analysis consists of the identification, description and assessment of risks. Risk assessment can be qualitative, quantitative and semi-quantitative in terms of the probability of occurrence of a risk event and possible consequences.

The obtained results of the risk analysis can be used to obtain a risk profile that gives a significance rating for each risk and provides an instrument for defining priorities in risk regulation.

After the risk analysis process is completed, the assessed risk is compared with the risk criteria established by the bank. Risk evaluation is important for making deci-sions about the importance of risk for a business entity and whether a certain risk should be regulated or accepted.

It is important for the company to establish a system of internal and external reporting on the existence of risks, whereby internal reporting is intended for the needs of management, various organizational parts of the business entity and employees, while external reporting implies regular reporting to the company's stakeholders.

Consideration of alternatives and selection ofmeans for risk management – podrazumeva dva rešenja:

• -    risk control - is aimed at minimizing the risk of loss to which the business entity is exposed and

• -    risk financing - implies the harmonization of available funds intended for the regulation of losses, which arise from the risks that remain after the application of risk control techniques.

Regulation (mitigation) of risk is the process of selecting and implementing measures to modify risk. Each system of risk regulation aims at effective and efficient business operations of the business entity, effective internal control and business compliance with valid legal regulations and business practices.

- risk control methods are avoidance, prevention and risk reduction, that is. loss prevention and control, as well as minimizing various losses if they occur.

• •    The risk avoidance method means that the person does not want to accept the risk. This is achieved by not engaging in action that may lead to risk and is a negative approach to risk management.

• •    The risk reduction method implies the application of modern prevention methods. Prevention represents a set of activities aimed at preventing the occurrence of a harmful event and, if it occurs, the consequences are as small as possible.

• -    risk financing methods include risk retention and transfer. Retention may be associated with specific allocations in the budget

to cover uninsured losses and may be supported by fundraising. The transfer can be realized through contractual provisions, through bonds, pre-contracts, so-called. uninsured transfer, through insurance, etc.

• •    The risk retention method is a common method of dealing with risk, when a person takes no action, whether consciously or not, to avoid, reduce or transfer risk. Low amount and low potential loss risks should be retained.

• •    The risk transfer method implies that the risk can be transferred from one person to another, if that person is more willing to bear the risk (loss insurance process, where an individual protects himself from the risk of loss by buying or selling an asset that is estimated to have no loss).

• •    don't risk more than you can afford to lose - it's about risk that something has to be done about - transferred or avoided. The rule does not say what should be done with that risk, because it is about the occurrence

of maxi-mum possible losses, the potential size of which cannot be reduced, and can be covered from bank loans or cash reserves of the business entity or from cash flow,

• •    keep in mind the possibility of chance - the risk should not be transferred, because the probability of loss, i.e. the potential size of the loss if it occurs, very high. The essence is to determine the probability of loss and to make a decision accordingly and

don't risk a lot for a little - the actual degree of retention of each individual risk consists in looking at the ratio of costs and benefits. It is essential to find a reasonable relationship between costs and benefits.

Application of the decision – administrative procedure of application of the decision related to retention or transfer of risk with or without reserves, i.e. formation of money funds.

Assessment and re-examination – an ongoing function of the risk management manager. It implies constant evaluation and correction of the operationalization of risk management, bearing in mind that, over time, the risk may change, ie. disappear or a new risk may arise. Also, errors may occur during risk management and should be corrected.

Monitoring and controlling the risk management process means that effective risk management involves a certain reporting and control structure to ensure that risk is timely identified and assessed, and that appropriate controls are implemented in response to a risk event.

Good management of a business entity requires that the business entity adopts a methodical approach to risk management that protects the interests of share-holders, ensures that the Executive Board fulfills its obligations aimed at realizing the strategy, building the value of the business entity and improving the performance of the business entity. It also ensures that adequate management controls are in place and functioning satisfactorily.

Successful risk management makes businesses more flexible, with the ability to respond to environmental changes, improves the probability of achieving strategic goals, provides investors with an adequate relationship between risk and return, makes risk bearable, improves capital allocation and reduces the cost of its use. Therefore, risk management in the modern environment requires a comprehensive and integrated approach to risk management in companies. It is carried out by the board of directors, management and other professional staff, who apply the strategy that defines risk management, define goals, the required organizational structure and the targeted risk profile of the company.

Operationalization of risk management through accounting policies

The bank, as an institution that is exposed to risks, is obliged to identify, assess and measure the risks to which it is exposed in its operations. It is also obliged to have a special organizational unit in its operations that deals with risk management.

• -    credit risk,

• -    liquidity risk,

• -    interest and currency risk and other market risks,

• -    operational risk,

• -    risks related to the country of origin of the person to whom the bank is exposed,

• -    risks of the bank's exposure to one person or a group of related persons,

• -    risks of the bank's investments in other legal entities and in fixed assets.

The Bank, in its own acts, prescribes procedures for the identification, measurement and assessment of risks, as well as risk management. These acts contain the following provisions and procedures (Hemed, 2022):

• -    provisions ensuring the functional and organizational separation of risk management activities and regular business activities,

• -    procedures for identification, measurement and risk assessment,

• -    risk management procedures,

• -    procedures that ensure the control and consistent application of all the bank's internal risk management procedures,

• -    procedures for regular reporting to bank authorities and regulatory bodies.

Credit risk is one of the most important risks to which a bank is exposed. The great importance of credit risk management stems from the potential danger that a large number of loan beneficiaries will not be able to properly fulfill their obligations, which can lead the bank to a certain state of insolvency. That is why there is a great responsibility of bankers, primarily those employed in the credit department, to mo-nitor the effect of all factors that affect the quality of the bank's loan portfolio and to respond in a timely manner to adverse trends that can lead to bank bankruptcy.

In terms of liquidity risk, the bank manages its assets and liabilities so that it can meet its due obligations at any time and can permanently fulfill its obligations. In the function of effective liquidity risk management, it is prescribed that the bank's competent authority adopts and implements a liquidity management policy that inclu-des: planning the inflow and outflow of funds, monitoring liquidity and adopting appropriate measures to prevent and eliminate the causes of illiquidity. The NBS prescribes the method of determining the bank's liquidity levels, including the critically low level of liquidity. Due to the importance of the bank's liquidity risk and the organization's way of managing that risk, in 2000 the Basel Committee for Banking Supervision issued a document called "Sound Practices For Managing Liqu-idity in Banking Organizations", which includes the principles that every banking organization should respect and incorporate into its liquidity risk management policy and procedures.

In relation to foreign exchange and interest rate risk management, the bank is obliged to harmonize the volume and structure of assets in order to enable efficient management of market risks, to establish special policies and procedures for identifying market risks and managing those risks

Interest rate risk management is an important and organized activity in the business of every bank. This risk is of great importance for the bank, because changes in interest rates on the assets and liabilities side affect the amount of the interest margin in a positive or negative sense. The most important role in the management of interest rate risk is played by the Board for asset and liability management in the bank.

Foreign exchange risk arises due to a change in the exchange rate, i.e. this risk for the bank is the risk of recording a loss due to changes in exchange rates. Therefore, foreign exchange (currency) risk management is of great importance for the succe-ssful operation of the bank. The foreign exchange risk indicator is the ratio between the bank's total open foreign exchange position and the bank's capital. The bank is obliged to maintain the relationship between assets and liabilities so that its total open foreign exchange position at the end of each working day does not exceed 20% of its capital (Kerezan, 2016). If this indicator is above the allowed criteria for two consecutive days, the bank is obliged to inform the NBS about it. Foreign exchange risk management implies the effort of the management of a commercial bank to balance positions in the balance sheet on the asset side with positions on the liability side, according to the currencies that are on the balance sheet. Apart from the policy of balancing individual balance sheet items, the policy of compensation through transactions on the financial derivatives market is also effective.

Operational risk is a complex and widespread risk, considering that it is found in all business activities of the bank and that the causes that lead to it are not always visible. It can manifest itself independently or synergistically with other types of risk that are more easily discernible. Operational risk is not always documented and is the result of (un)professional behavior of management and bank employees. Operational risk management means managing the organization of work and business, personnel resources and technical support in the bank, in accordance with current regulations and adopted business practices.

The risks of the country of origin of the person to whom the bank is exposed imply negative effects that may arise on the financial result and capital of the bank due to the inability of the bank to collect claims due to reasons that are a consequence of the political, economic or social conditions in the country of origin of that person. The bank is obliged to establish an adequate country risk management system that includes risk identification, risk measurement, monitoring, control, determination of authority and responsibility, regular information system and improvement of the system. The bank is obliged to determine and periodically change country risk exposure limits individually by country of origin of the debtor and on a regional basis, as well as to determine the appropriate level of value corrections and provisions by country.

The bank's exposure risks include the risk of exposure to one person or a group of related persons, as well as the risks of the bank's exposure to a person related to the bank. Management of exposure risks is carried out in accordance with legal restrictions.

The bank's investment risk include the risks of its investments in other legal entities and in fixed assets and investment real estate. The bank's investment risk management is also carried out in accordance with the legal limitations of these investments based on the Law.

The responsibility of the bank's Board of Directors in relation to risk management is to, if necessary, and at least once a year, consider already established procedures for identifying, measuring and assessing risks, as well as for risk management for each type of risk.

The bank's executive board is obliged to analyze the effectiveness of the application of appropriate procedures for risk management at least quarterly and submit a report on this to the bank's board of directors.

The bank's board for monitoring the bank's operations (auditing board) is obliged to report to the Board of Directors at least once a month about its activities and about the identified irregularities, as well as to propose a way to eliminate them, i.e. ways to improve policies and procedures for risk management and implementation of internal control systems (COSO, 2014).

The bank's asset and liability management committee monitors the bank's exposure to risks arising from its balance sheet liabilities and claims, as well as off-balance sheet items, at least once a month. It proposes measures for managing interest rate risk and liquidity risk (Savić et al., 2024).

In order to ensure adequate IT support for the risk management system, banks are required to establish an information system that will provide a database that is necessary for the timely and continuous management of risks to which they are exposed in business, compliance with the limits of prudent business operations in banks established by regulation, as well as deviations from the policies and proce-dures established by the bank's Board of Directors.

Regulatory aspects of risk management and their implications for banks' accounting policies in Serbia

Regulation helps improve the security of the banking industry. Recent regulations had a decisive influence on the development of the organizational part that deals with risk management. The supervisory framework sets limits and guidelines that encourage risk management and stimulate the development of internal risk management mo-dels within banks. International regulation under the auspices of the Basel Committee contributed to the promotion of a more precise definition of risk, the development of a more adequate methodology for their measurement and the introduction of the concept of "risk capital". At the same time, the regulations that set the minimum required capital represent a strong incentive for improving the methodology of risk measurement and control at banks. This proves another special hypothesis.

The problem of regulation lies in the differences between the goals of the banks and the goals of the authorities that prescribe the regulation. In order to make the world of finance safer, a lot of time has been spent globally in the last thirty years to set uniform business standards. The world of finance turned to the strengthening of corporate governance, the introduction of international accounting and reporting standards, as well as the preparation of the New Basel Framework (Basel II).

New laws and by-laws can generate unpredictable bank behavior with the aim of banks avoiding them. With its New Framework (2006 Revised Framework) for required minimum capital, the Basel Committee on Banking Supervision - BCBS - wants to alleviate some of the shortcomings associated, now with the already former regime, under the Basel I agreement (Basel Committee, 2019).

In the Banking Law, three segments indicate that we are getting closer to complying with the Basel II rules (Aspal et al., 2019):

• -    the part that refers to the regulation of minimum capital adequacy in banks in relation to risk-weighted assets (minimum 8%, and according to the previous and current law 12%), but also to the right of national controllers to determine this quantitative standard selectively in relation to individual banks, depending on their risk profile,

• -    introduction of operational risk in the process of determining the riskiness of the bank's credit portfolio and

• -    the part that refers to the control function of the National Bank of Serbia.

Adopted amendments to the Law on Banks in Article 28 of the Law, which governs the way of managing the risks to which the bank is exposed in its operations, have been harmonized with the principles and recommendations of the Basel Committee for the Control of Banks (Basel II) and the tendencies of comparative banking legislation, so that the new paragraph 3 of this article prescribes that the bank is obliged to ensure the functional and organizational separation of risk management activities and regular business activities of the bank.

What is not done by the Law can be regulated by accompanying bylaws -decisions, because the National Bank of Serbia is authorized to do so in the Law.

The introduction of Basel II in Serbia was completed by the package of regulations adopted by the Executive Board of the National Bank of Serbia in June 2011. This package of regulations, which aligns the rules for calculating bank capital adequacy and risk management with Basel II, i.e. six decisions published in the "Official Gazette of the RS", no. 45/2011 and 46/2011, namely:

• -    Decision on the adequacy of the bank's capital (with attachments) which implemented pillar I,

• -    Decision on bank risk management, which implemented pillar II,

• -    Decision on publication of bank data and information, which implemented pillar III,

• -    Decision on the control of the banking group on a consolidated basis,

• -    Decision on reporting on the capital adequacy of the bank and

• -    Decision on bank reporting.

The adoption of these regulations aims to strengthen the stability and security of the banking sector, and thus the stability of the entire banking system of Serbia, the improve- ment of the supervisory function through the development of the concept of risk-based supervision and harmonization with the relevant regulations of the European Union (Capital Requirements Directive - CRD). Those regulations have been applied since December 31, 2011, except for the provisions related to the recognition of suitability of credit ratings assigned by rating agencies and which have been applied since September 1, 2011, as well as certain provisions for which a transitional period for full implementation is prescribed.

The Basel Committee was established at the end of 1974 by the governors of the central banks of the G-10 member countries, at the location of the Bank for International Settlements. The committee meets regularly four times a year. The members of the Committee are representatives of: Belgium, Canada, Germany, Italy, Japan, Luxembourg, the Netherlands, Spain, Sweden, Switzerland, Great Britain and the United States of America (BIS 2004).

The function of the Basel Committee is to formulate general standards and guide-lines of supervision and to propose examples of best banking practices in the expectation that legislative bodies in individual countries will take measures for their implementation so that they best match the specificities of the domicile system.

In 1988, the Committee decided to introduce a system for measuring capital ade-quacy, popularly known as the Basel Accord (Basel I) . Until 1992, this system enabled the implementation of a framework for measuring credit risk, whereby the mini-mum standard of capital adequacy is 8%. Since 1998, Basel I has been implemented in all countries where internationally active banks operate (over 100 countries). In 1996, the Committee published an addendum to the 1998 Capital Agreement, which, in addition to credit risk, extends its focus to capital requirements that cover the bank's exposure to market risk (Ekinci & Poyraz, 2019).

The revised capital agreement (Basel II) was officially adopted on June 26, 2004 by the members of the Committee. The goal was to adopt Basel II in national legislation by the end of 2006. It is also planned to implement the most advanced approaches for measuring the required level of capital from the end of 2007. This document presents a new set of standards for determining minimum capital adequacy for banks.

With the development of technology, risk management methodologies and the financial markets themselves, the capital agreement of 1988 has become less useful for many banks, primarily because it does not allow differentiation of financial institutions and their level of riskiness. Many leading banks have developed significantly more advanced control and management techniques, primarily through the improvement of internal processes and the application of the most advanced risk measurement techniques and sophisticated risk management methods.

The main difference between the original and the revised capital agreement refers to the fact that Basel II calculates capital adequacy by reflecting specific risks specific to a particular bank and at the same time gives an initiative to improve the risk management process. Basel II consists of three pillars that complement each other and present the agreement as one logical unit, which should con- tribute to increasing the overall stability of the security of financial systems. They are (Raphael, 2013):

Pillar I – minimum level of capital for credit, market and operational risk,

Pillar II – function of supervision (supervision),

Pillar III – market discipline.

Pillar I establishes models of minimum capital requirements for credit, market and operational risk in order to enable banks and supervisors to choose the most acceptable. Since the fact is that banks are exposed to different types of risk and different intensities of risk, the same measurement method does not give appropriate results. This standard proposes several options for calculating the necessary capital to cover these risks, depending on the adopted acts of the regulatory authorities, the attitude or permission of the supervisor, technological equipment and the availability and training of the bank's personnel. Banks have at their disposal three basic risk exposure quantification models within the framework of capital adequacy (which differ in their sensitivity to risk and level of sophistication), namely:

• -    base indicator approach (BIA), - standardized approach (TSA) and

• -    advanced measurement approach (AMA).

• -    the principle of internal capital adequacy assessment (ICAAP),

• -    supervision principle (SREP),

• -    capital above the minimum level and

• -    supervisor intervention.

Pillar III promotes the strengthening of market discipline through the establishment of a system of mandatory disclosure of business data that will enable market participants to make a proper assessment of the basic indicators of the operations of financial institutions such as: capital, risk exposure, risk management process and, finally, determining the capital adequacy of a particular bank. In this way, market participants can better understand the risk profile of a bank and the adequacy of the level of capital it holds as a cover for a certain level of risk. Disclosure rules are based on compliance with the principle of materiality, which means that if some information is omitted or misrepresented, it may change or influence the already made assessment or decision of the user of that information. As a rule, the obligation to disclose data is semi-annual, unless that data is already disclosed in the form of some other reports whose frequency is higher.

The Basel agreement is not at all simple, and all banks will have neither the knowledge nor the technical capabilities to implement it in the short term, nor the financial ones, because the costs for implementing Basel II are high. In addition, costs will be incurred during system maintenance. However, all this does not mean that they should not adhere to the adopted strategy on the implementation of the standard and do everything to one day fully implement it. It is also a fact that Basel II is not a finished product and there are many other jobs that need to be done before starting its implementation. The first step is the drafting and adoption of regulations and with them detailed instructions or methodologies on implementation, which will oblige all banks, both large and small, both banks with foreign capital and banks with domestic capital. Then follows the testing of banks in terms of readiness for the implementation of Basel II. This is followed by the preparation of banks for the implementation of Basel II, which includes the education of employees, the establishment of an adequate IT system that will provide the necessary data and be a support model for the management of certain risks, as well as the definition of different policies and procedures for risk management. The last step is to resolve issues that practice proves to be controversial for the further development of banks' operations based on the principles of quality risk management. The successful application of new principles largely depends on personnel who have the relevant knowledge and skills to implement the new standards.

After identifying the weaknesses of the financial systems and the shortcomings of the Basel II standards, accumulated during the world financial and economic crisis, the process of amending these standards was started. The main goal of introducing Basel III standards is to improve the ability of the banking sector to absorb shocks arising from financial and banking pressures (thereby reducing the risk of their further transfer to the real sector), improving risk management and bank management in general, and increasing the transparency of bank operations. It is an expression of the commitment of the Committee to strengthen the regulatory framework of banks, the supervision of banks and the function of risk management in banks.

One of the main tasks of the new Basel III regulatory framework is to strengthen two complementary approaches that support the basic concept of bank stability: micro and macro prudential regulation.

Microprudential regulation at the level of the banking sector increases the level of resilience of banking institutions in a period of stress by means of the following regulations:

• -    higher and better quality of the bank's capital, with a much greater focus on common share capital to absorb losses,

• -    more comprehensive risk coverage in relation to capital market activities and

• -    supervision, risk management and standards on the data disclosure procedure.

Macroprudential policy uses prudential tools to limit systemic or financial risks, thereby limiting the occurrence of disruptions in the provision of key financial services that can have serious consequences for the real economy. The macroprudential approach introduces completely new elements into the regulatory framework:

• -    the capital buffer helps banks fight against credit gaps. Their function is protection in conditions of stress, i.e. its purpose is to absorb losses in financial crisis conditions,

• -    the introduction of leverage ratio, which represents the relationship between the bank's capital and exposure, which follows the accounting measure of exposure and

• -    introduction of two standards for liquidity coverage.

Basel III introduces an additional capital requirement, which allows banks to absorb potential losses in periods of negative effects or financial and economic pressures. In other words, banking systems will be able to withdraw capital in stressful situations, with the fact that the closer the bank's capital level is to the minimum requirement, the greater are the restrictions on profit distribution (less money available for paying dividends, bonuses and other compensations).

Conclusion

Banking, by its very nature, is a risky activity, so losses can appear in the banks' balance sheets, if the banks do not manage well all the risks they are exposed to. In addition, banks today face more and more types of risks and their manifestations. Given that the environment in which banks operate has changed significantly, the issue of banking risk management is becoming increasingly topical. Risk management in banking business has two main goals - avoiding bank insolvency and maximizing the rate of return on capital with a correction for risk.

Risk management is one of the key elements of banking management. During the last decades, the global economic crisis strongly influenced risk management to gain even more importance within the overall management of commercial banks. Credit risk is still the dominant risk in world banking, and the situation is similar in the Republic of Serbia. Liquidity risk, market, operational and other risks are also gaining impor- tance in world banking. However, credit risk is still the most important risk of the average commercial bank. The high level of non-performing loans is one of the most important modern challenges related to credit risk. In the banking sector of Serbia, the level of problem loans exceeds 20% of total loans for a long time.

In today's business conditions of banks, it is necessary to ensure two basic principles - business security and profit assurance. It is necessary to ensure security in the operations of banks, because in this way banks gain confidence in their work from clients, and this means that they are obliged to protect their interests and to continue their operations in continuity. If they did not operate in this way, the banks would be condemned to lose trust and clients, which would quickly lead such banks to a situation where their customers would be taken over by their competition and they would go bankrupt.

In modern business conditions, banks are inevitably faced with numerous risks and they are forced to organize their operations in order to protect against the negative effects of those risks. In order to achieve this protection, banks must have human resources that have the appropriate knowledge and skills to manage various types of risks, so that they can accept jobs with higher risks. In this regard, these personnel must be able to foresee the possibility of risks, to detect their symptoms and to prevent these risks from occurring, in order to reduce the losses that they could lead to.

Defining banking risks is necessary in the function of risk management, because in this way their content, manner and degree of influence on the bank's operations are emphasized. The presented banking risks and their definitions indicated how they affect the bank's performance and potential insolvency. In order to contribute to the better operation of the bank and to avoid losses and insolvency, it is necessary to look at the impact of those risks on the operation of the bank.

The task of every bank that takes risk management seriously involves identifying and evaluating the risks that occur in bank operations and developing an adequate strategy for their reduction based on a detailed analysis of the identified risks. The essence of risk management strategy no longer lies in the question of whether to take a risk or not, but how much risk a modern bank is able to take. It is of great importance for the bank to investigate all the risks that come from the environment and its operations, in order to determine the degree of risk that it can bear and control, ie. to reduce it to realistically acceptable limits

Risk management is a complex activity determined by numerous factors. Given that risks cannot be avoided, the question is how to manage them. The management process is determined by the organization and operationalization of management, which is also regulated by certain regulations. The organization assumes an appropriate organizational form of risk management and operational management. Ope-rationa-lization aims to find an adequate set of activities for each type of risk in order to reduce that risk to a minimum level.

The fact that certain decisions of the National Bank of Serbia are aimed precisely at risk management shows how important risk is. The bank's activity on risk management as one of the most important business functions, legal regulations and decisions of the National Bank of Serbia, which govern banking operations, oblige the formation of a special organizational unit for dealing with risks, a special classification of claims and special liquidity indicators.