Risk management Governance

Transcription

1 Risk management Governance Risk management in the Group is made by means of a transversal and multi-domestic control model, wherein the Board of Directors (BoD) is ultimately responsible for risk management, which is supervised by its Audit Committee. The following figure shows the risk management Governance model: Day to day management Risk management and control policy Risks measuring, monitoring and control Board of Directors Supervisory responsibilities at Group level Risk Assessment Committee Audit Committee Executive Committee Executive responsibilities at Group level Group CALCO Group Treasurer Risk Commission (and sub-commissions) Group Risk Officer Executive responsibilities at Entity level CALCO Local Executive Commission/Board of Directors Risk Control Commission Local Risk Officer The following paragraphs present a brief description of the risk management bodies. Audit Committee The Audit Committee is responsible for the supervision of (i) management, financial reporting and qualitative measures aimed at fine-tuning the Group s internal control systems; (ii) the Group s risk management policy; (iii) the Group s compliance policy; and (iv) the Group s internal audit activity, including ensuring the independence of the Group s certified accountant. The Audit Committee is also responsible for providing recommendations to the Board of Directors regarding selection of the Group s external auditor, including the services to be provided. The Audit Committee s responsibilities also include receiving notice from shareholders, employees or others regarding irregularities in the Group s control procedures and ensuring that these issues are followed up by the Group s internal audit department or by the Client Ombudsman. The Audit Committee also issues opinions on loans or any other contracts that the Bank or any company of the Group enters into with members of its governing bodies, with shareholders owning more than 2% of the Bank s share capital or with entities that, under the terms of the General Regulations for Credit Institutions and Financial Companies, are related to any of the above. The Audit Committee receives the reports of Internal Audit, Certified Accountant and External Auditor reports and holds regular meetings with the Executive Committee member responsible for the Group s financial reporting, with the Group Risk Officer, with the Compliance Officer and with the Head of the Internal Audit Division. 1

2 Risk Assessment Committee The Risk Assessment Committee includes non-executive members of the Board of Directors and has the following responsibilities: Follow-up on overall levels of credit risk, market risk, liquidity and operational risk, and ensuring that these risks are compatible with the objectives, financial resources and strategies approved for the development of the Group s activity. Advise the Board of Directors on matters related to the definition of risk strategy, capital and funding management and management of market risk. Risk Commission The Group s Risk Commission is responsible for monitoring the Group s overall risk levels (credit, market, liquidity and operational risk) and ensuring that these risk levels are compatible with the objectives, available financial resources and strategies approved for the development of the Group s operations. The Risk Commission includes all the members of the Executive Committee, the Group Risk Officer, the Compliance Officer and heads of the Audit Division, the Treasury and Markets Division, the Planning and Budget Control Division, the Rating Division, the Research Office, the Assets and Liabilities Management Division and the Credit Division. Credit Risk Monitoring Sub-Commission The credit risk monitoring sub-commission has the following duties and responsibilities: - Monitoring the evolution of credit exposure and credit underwriting process; - Monitoring the evolution of the portfolio quality and of the main risk and performance indicators; - Monitoring counterparty risk and concentration risk with respect to the largest exposures; - Monitoring the impairment evolution and the main cases of individual impairment analysis; - Performance analysis of credit recovery processes; - Monitoring real estate portfolio divestments; - Proposals for the definition of policies and rules on loans concession; - Monitoring the PD ( Probability of Default ) and LGD models; - Monitoring the models underlying the impairment assessment; and - Monitoring the automatic decision-making and credit recovery processes. Pension Funds Risk Sub-Commission The mission statement of this specialised Sub-commission is monitoring the performance and risk of the Bank s Pension Funds (the Defined Benefits Fund and the Complementary Fund) and the establishment of adequate investment policies and their respective hedging strategies. Capital Assets and Liabilities Commission (CALCO) The Group CALCO is in charge of managing the overall capital of the Group, managing the Group s assets and liabilities and defining liquidity management strategies at the Group level. Specifically, the Group CALCO is in charge of the structural management of market and liquidity risks, including the following aspects: - Monitoring and managing market risks associated with the assets and liabilities structures; - Planning and proposals relating to capital allocation; and - Proposals for the definition of adequate policies for market and liquidity risk management, at the Group s level. 2

3 The Group CALCO is chaired by the member of the Executive Committee responsible for the financial area and a further four members of the Executive Committee are also members of this body. The other members of the Group CALCO are appointed by the Board of Directors Executive Committee. Group Risk Officer The Group Risk Officer is responsible for the risk control function for all entities of the Group. In order to ensure the monitoring and transversal alignment of concepts, practices and objectives, the Group Risk Officer is responsible for keeping the Risk Commission informed on the general level of risk and for proposing measures to improve the internal control environment and to implement the approved limits. The Group Risk Officer has the power to veto any decision that is not subject to the approval of the BoD or of the Executive Committee and that may have an impact on the Group's risk level (for example: the launch of new products or alterations to processes). In order to comply with its mission, the functions of the Group Risk Officer include: Supporting the definition of risk management policies and methodologies for the identification, assessment, control, monitoring, mitigation and reporting of the different types of risk; Proposing and implementing a set of measurements applicable to the different types of risk; Ensuring the existence of a body of rules and procedures to support risk management; Controlling, on an ongoing basis, the evolution of different risks and compliance with the applicable policies, regulations and limits; Ensuring the existence of an effective IT platform and a database for robust and complete risk management; Participating in all the decisions of relevance to risk and with an impact on the internal control system, having the authority to enforce compliance with the Group s regulations and objectives relative to risk; Preparing information on risk management to be disclosed internally and to the market. The Group Risk Officer is appointed by the BoD and supports the work of the Risk Commission. 3

4 The risk management function, types of risk and its control/management Notice No. 5/2008 of the Bank of Portugal sets the system (or function) risk management as an integral part of financial institutions internal control system, designed to identify, assess, monitor and control all risks that might influence the strategy and the objectives defined by the institution, ensuring compliance as well as the actions necessary to respond appropriately to unwanted deviations. The Group meets with a risk management system that complies with these provisions, and manages all types of risk defined also in Notice No. 5/2008, grouped as follows: Credit risk; Market risks (including the management and control of market risk, interest-rate risk and the exchange rate risk); Liquidity risk; Operational risk (which includes the management and control of information systems risk and compliance risk); Other risks (strategic risk, reputation risk and Pension Fund risk). On the other hand, it is important to note that the Group also manages the business continuity theme, in two aspects of contingency planning against the extremely serious events which might affect very significantly or even call into question the very survival of the institution: the DRP (Disaster Recovery Plan) and PCN (Continuity Management Policy). Then briefly describes the main features and approaches concerning the control and management of these strands of risk. Credit risk The Bank is endowed with a suitable management structure of credit risk, which covers the risk analysis, the decision of granting credit, monitoring of credit operations and credit recovery (in non-compliance or won). Credit risk assessment is done through a set of rating systems and models, adapted to the various business segments, which assign an internal notation representing Customers of their creditworthiness, and is used a single scale of degrees of risk (Rating Masterscale), common to all segments. It is the control unit of templates (integrated in the Risk Group Office) the monitoring and independent validations of credit risk models, being in the first case also monitored and validated rating systems themselves, in which the models concerned integrate. The structure of monitoring and validation implemented involves still responsible models (Model Owners), responsible for systems of rating (Rating System Owners), the validation Committee, the Commission of risk and Audit Management. On the other hand, each credit operation is assigned a credit rating the "Protection Level" that takes into account the characteristics of the operation, in particular, with the side of the value assigned to the operation and the relationship between this value and the value of the claim. In this sense, the Bank complies fully with the principles of Basel II, credit risk evaluating customer and each transaction in concrete. To discharge the regulatory capital requirements relative to their activities in Portugal, the Bank uses, with the permission of the Bank of Portugal, methodologies based on internal ratings above (IRB Internal Ratings Based). Granting this authorization by the Supervisor is the result of the 4

5 adequacy of the processes and database systems dedicated to the identification, evaluation, monitoring and control of credit risk. The monitoring of Group s credit risk is done monthly, through several indicators of the quality of loan portfolio, the Risk Office (the structure headed by the Group Risk Officer) responsible for regular reporting of such data, including, for example, the figures for impairment and loss ratio present in the portfolio. The reporting is done internally to the organs of administration and supervision and also externally, complying with the regulations in force on these matters. There are also structures independent of each other, dedicated to credit analysis (5 units of analysis, integrated into the Directorate of credit) and the recovery of credit (2 directions of recovery and the direction of Litigation), which are defined, in organizational terms, according to the different segments of customers or business. Regarding the internal notation, the same Customer is the sole responsibility of a specific structure and independent of the other (the direction of Rating) although, for retail customers, this evaluation is done by automatic models. Finally, with regard to the decision to grant credit, this function is ensured by different levels of decision-making, clearly defined and prioritized by the internal rules on the basis of the amounts and types of credit operations concerned. Market risks For market risks of trading (Trading Book), the Bank uses an integrated measure of market risks that allows monitoring of all risk sub-typologies deemed relevant. This measure is part of the evaluation of the following risk types: generic, risk, risk-specific risk and non-linear risk goods. For the daily measurement of generic risk market on the interest rate risk, currency risk, risk and price risk of Credit Default Swaps (CDS) - is used a model of VaR (Value-at-risk). In addition to the discharge of the VaR, aiming at the identification of concentrations of risk not captured by this metric, and also to test other possible dimensions of loss, the Group continually tests a wide range of scenarios (stress scenarios) effort on the trading book, analyzing the results of stress tests. In addition, to ensure that the internal model of VaR is appropriate to assess the risks involved in the positions taken, be carried out in various validations over time, with different scopes and frequencies, including the backtesting, the estimation of diversification s effects and analysis of risk factors scope. Note that use of the VaR internal model to calculate the capital requirements for market generic risk group (with respect to its activity in Portugal) was approved by the Bank of Portugal. With regard to the specific risk and the risk of the goods, these are measured through the methodologies standard defined in the applicable regulations (under Basel II), with a corresponding change of timeframe considered. The Treasury positions are measured daily and intra-diary based on the metrics defined for the various types of market risk, monitoring, risk levels incurred. These levels are controlled from a set of prudential limits defined internally reflecting the risk appetite of the group. Any exceeding these limits requires their ratification. There are also limits on stop-loss for these positions, defined on the basis of that set of boundaries, aimed at limiting, quarterly and annual basis, the maximum losses accumulated in these portfolios. Evaluation of interest rate risk caused by operations of the banking book (Banking Book) is carried out through a process of sensitivity analysis to the risk, held every month, for the universe of operations in the consolidated balance sheet of the group. The variations of market interest rates take effect at the level of the financial margin of the group, both in terms of short and medium/long-term, affecting the economic value of same in a long-term perspective. The main risk factors arising from the mismatch of repricing of portfolio positions (repricing risk) and the risk of variation in the level of market interest rates (yield curve risk). 5

6 Furthermore although with less impact-there is the risk of unequal variations in different indexes with the same period of repricing (basis risk). In order to identify the exposure of the banking book group to these risks, monitoring the interest rate risk comes into consideration with the financial characteristics of positions recorded in information systems, being made a projection of their expected cash-flows according to repricing dates, calculating the impact on the economic value resulting from alternative scenarios of change on the corners of market interest rates. Liquidity risk The control of Group s liquidity risk, for short-term time horizons (up to 3 months), is carried out daily based on internally defined metrics the immediate liquidity indicator and the indicator of liquidity quarterly - which measure the maximum needs of taking funds which cumulatively can occur in their time horizons, considering the projected cashflows for periods of, respectively. As regards structural liquidity, the group carries out control over their profile through a regular monitoring on the part of its structures and management bodies, a set of indicators defined both internally and by the regulations, which aim to characterize the risk of liquidity, such as the transformation ratio of deposits to credit, liquidity gaps in the medium term and coverage ratios in financing of wholesale funding markets for highly liquid Assets (HLA-Highly Liquid Assets). Still under the management and control of liquidity risk, the group established a contingency plan of Capital and Liquidity (PCCL) which define priorities, responsibilities and specific measures to be taken in the event of a liquidity contingency situation. The PCCL sets as an objective, maintaining a framework of balanced capital and liquidity, establishing the need for a continuous monitoring of market conditions, as well as the triggers and action lines aimed at the timely decision-making before early adversity scenarios or verified. Operational risk For the management and control of this type of risk, the Group has been taking a growing and very relevant, a set of principles, practices and control mechanisms for clearly defined, documented and implemented, of which examples are the segregation of functions, the definition of lines of responsibility and their level of authorization, the definition of the limits of tolerance and risk exposure Ethics and codes of conduct, the key risk indicators (KRI-key risk indicators), the access controls (physical and logical) reconciliation activities, exception reports, contingency plans, insurance procurement and internal training on processes, products and systems. Thus, to an ever greater efficiency in the identification, evaluation, control and mitigation of operational risk exposures, the Group has been strengthening its risk management system operational and extends its scope to major overseas operations. The management of operational risk is based on a structure of processes end-to-end, defined for all subsidiaries of the group, benefiting thus from a more comprehensive perception of risks arising from an integrated view of activities along the chain of activities for each process. The set of processes defined for each entity is dynamic, being adjusted and differentiated on the basis of operational and business practices of each, to cover all relevant activities undertaken. In Portugal, for example, are set approximately 100 business processes and business support, which is made the management of operational risk. Responsibility for the management of processes has been assigned to process owners who have the task: characterize the captured operating losses in the context of their cases; perform a self-assessment of the risks (RSA risks self-assessment), under 20 sub-typologies set for the operational risk; identify and implement appropriate actions to mitigate risk exposures, contributing to the strengthening of internal control environment; 6

7 monitor risk indicators (KRI). The objective of the self-assessment of the risks is to promote the identification and mitigation (or even elimination) of current or potential risks, within each process. The classification of each risk is obtained through their placement in a matrix of tolerance, for three different scenarios, which enables you to: determine operational risk without considering the influence of existing controls (Inherent Risk); evaluate the influence of existing control environment in reducing the level of exhibitions (Residual risk); identify the impact of improvement opportunities in the most significant exhibitions reduction (objective risk). Recognition of the policy on the management and control of operational risk outlined resulted in approval of the Bank of Portugal on the use of the standardized approach (TSA) for the calculation of capital requirements for operational risk coverage. Business Continuity The Group has been to strengthen and refine its business continuity management, in order to ensure the continuity of the implementation of the major activities - business or business support - in the event of a disaster or major contingency. In the Group, this issue is addressed by means of two distinct but complementary aspects: the Disaster Recovery Plan (DRP), to the systems and infrastructure of communications and Business Continuity Plan (PCN), for people, facilities and equipment required for the minimal support of selected processes, considered as critical. For example, that in Portugal there are 36 critical processes covered by the PCN, which have involved 62 units of structure. The design of these plans and the management of this specific area, closely linked to operational risk, is regularized, promoted and coordinated by a specific structure, drive to transverse drive Group Business Continuity. In Portugal, Poland, Greece and Romania are defined and implemented NCPs, being already defined and approved, in Portugal, the strategy and regular exercise program, which covers all operational teams involved in critical processes. The program establishes training of all those units by the end of 2011, in exercises and simulations with increasing complexity and realism. The theme of business continuity is disclosed in terms of internal communication, being this example creating sites on the intranet of Millennium bcp dedicated to business continuity while one aspect of prevention and safety - and to the DRP. Other risks The risk strategy is managed at the highest level, by the Executive Board of Directors of Millennium bcp, and similar bodies in each subsidiary operate in line with the policies and strategies defined by the mother house. With regard to the risk of reputation, their management is done primarily by the Directorate of the Bank's Communication though, in the context of operational risk self-assessment (RSA) above, such exercises are also used to capture information on the impact on reputation that stems from the occurrence of operational risks evaluated. We noted that the Bank also fits in its risk management, relating to the Pension Fund defined benefit of BCP, which arises from the potential devaluation of the respective assets or decrease in the expected returns of the Fund involving the lodging of contributions envisaged. The regular monitoring of this risk and monitoring their management falls to the Sub - Committee monitoring the risk of pension fund. 7