Risk Assessment System

Transcription

1 Risk Assessment System The Risk Assessment System (RAS) is a tool used for internal supervisory purposes and it provides a useful aid to the supervisor to carry out a structured and practical step-by-step application of the Supervisory Review and Evaluation Process (SREP) under the Pillar II of the Capital Requirements Directive. The main benefits that arise from an effective use of a Risk Assessment System can be summarised in the following: It provides a structured risk-based approach for the regulation of financial institutions It provides a framework for comparison between different institutions It contributes to the effective organisation and managing of the supervisory function and the optimisation of use of the supervisory resources It provides the basis for dialogue with the management of the banks It provides uniformity and can form the basis of a more effective communication between different supervisors and, especially, between home and host supervisors. Overview of the framework The RAS is a structured process that aims to evaluate the bank by breaking down to the various risks it faces and assessing each of these risks separately. It consists of the steps described below: 1. Identification of material group companies and material business units/activities. In order to carry out an assessment of the bank s risks and controls, the supervisor needs a breakdown of the organisation s activities to the material business units where risks are actually taken and where controls are actually applied. Hence, the starting point in the process ought to be an analysis of the organisational structure of the bank. 1

2 In the case where the bank is a parent company in a consolidated group, it first needs to be determined which group companies constitute material group companies. For that, the following financial and non-financial criteria should be considered in order to establish whether the group companies are material or not: Financial criteria: Turnover represents 10% or more of the parent company. Expenses represent 10% or more of the parent company. Pre-tax profit or losses represent 10% or more of the parent company. Capital represent 10% or more of the parent company. Total assets represent 10% or more of the parent company. Non-Financial criteria: Strategic importance of the subsidiary company. Rapid expansion of activities into new markets / products. Reputational risk. For any other reason that the Central Bank considers the unit to be significant. Once the material group companies have been established, the next step would be to identify the material business units within each group company. The business units can be divided into two broad distinguishable categories: (i) (ii) Business lines (e.g. corporate banking, credit cards, treasury operations), and Management functions (e.g. Board of Directors, risk-management function, internal audit). For all the business units considered, the same financial and non-financial criteria used in the case of group companies above are applied, in order to assess their relative impact and to establish whether they are material or not. 2

3 2. Weighting of material group companies and material business units Once the material group companies and business units have been established, then these are weighted based on criteria set by the supervisor, such as their contribution to total earnings. The following three-point scale is recommended: Weight Large contribution 4 Medium contribution 2 Small contribution 1 The supervisor is allowed the flexibility to override the above criteria of contribution to total earnings and, where necessary, increase the weights. For example, small units operating in a remote location from the head-office, may be moved to the medium category and be attached a weight of 2 despite their small contribution to total earnings. 3. Risk categories and control risks The next step in the process would be to identify within each material group company and each material business unit, the risk categories and control risks which will be assessed in order to evaluate the risks and controls present. The various risk categories arise from the underlying nature of the business, its external environment, the business decisions taken, and the bank s ability to provide suitable products and services to its customers. High risk categories on their own may not pose a thread to the viability of the organisation where strong controls that mitigate the risks undertaken exist. Hence, it is important to assess and attach a rating to all the risk categories and control risks involved. The main risk categories to be considered should include the following: 3

4 a. Strategic risk The current or prospective risk to earnings and capital arising from changes in the business environment and from adverse business decisions, improper implementation of decisions, or lack of responsiveness to changes in the business environment. b. Credit risk - The current or prospective risk to earnings and capital arising from a counterparty s failure to meet the terms of any contract with the institution or its failure to perform as agreed. c. Market risk - The current or prospective risk to earnings and capital arising from adverse movements in bond prices, security or commodity prices, or foreign exchange rates in the trading book. This risk can arise from market-making, dealing and position-taking in bonds, securities, currencies, commodities or derivatives. It, also, includes foreign exchange risk, defined as the current or prospective risk to earnings and capital arising from adverse movements in currency exchange rates. d. Liquidity risk - current or prospective risk to earnings and capital arising from the institution s inability to meet its liabilities when they fall due. e. Operational risk The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This risk includes IT, legal and compliance risk. Control risks represent the mechanisms the bank has in place in order to mitigate its exposure to the various risk categories described above. Hence, where the institution identifies, assesses, monitors and manages effectively the risks it faces, its overall risk is reduced. On the other hand, in the case where the control risks are not sound and adequate, the institution faces increased risk. The control risk groups that should be examined are analysed below: a. Board and Management The members of the Board and Management of the bank should be fit and proper and have the ultimate responsibility to run the 4

5 business and protect the interests of the shareholders and other stakeholders. The evaluation of the effectiveness of the Board and Management is governed, also, by the relevant guideline of the Central Bank of Cyprus. b. Organisation and internal governance It constitutes a responsibility of management. It is mainly concerned with setting the institution s business objectives and its appetite to risk, how the business of the institution is organised, how responsibilities and approval authorities are allocated, how reporting lines are set up and what information they include, and how the system of internal control is organised. c. Internal control The management of the bank is responsible for ensuring that the institution has in place the three independent functions that constitute an efficient system of internal control. These functions are risk control, compliance and internal audit. The risk control function ensures that risk policies are complied with and it includes the following: Credit risk management Operational risk management Interest rate risk management Foreign exchange risk management Liquidity management The compliance function identifies and assesses compliance risk, that is, the risk to capital and earnings arising from violation or non-compliance of laws, rules, regulations, prescribed practices or ethical standards. The internal audit function is an instrument employed by management to ensure that the quality of the other two, that is, the risk control function and the compliance function is adequate. The risk categories mentioned above will not be always applicable for all material companies or business units examined. Hence, the supervisor is required to select the relevant risk categories to be included in the assessment. The same consideration could also apply, but more rarely, in the case of the control risks. 5

6 4. Risk elements and control risks The final step in the disagregation process is to break the risk categories further down to the risk elements. The latter compose the sources of risk within each particular risk category, and they should cover the whole spectrum of possible risks within each risk category. For example, the risk elements in relation to the market risk category could include risk appetite, exposure, interest rate risk, foreign exchange risk and trends. Each of these elements should be assessed and their impact on the overall risk of the institution be evaluated. For each of the risk elements, a list of risk indicators is compiled, which describe the various attributes associated with each particular risk element. The risk indicators provide the supervisor with a useful tool in order to evaluate all the risk elements and compose a rating in accordance with the risk involved. A similar approach is followed in the case of the control elements. The latter constitute the various tools and procedures within each particular control risk group, that, when used in an efficient and orderly manner, mitigate the overall risk faced by the bank. For example, the control elements in relation to Board and Management could include corporate governance and management quality. As it was the case described for the risk elements, a list of indicators is compiled, which describes the attributes associated with each particular control element. In carrying out the assessment of the risk and control elements, the supervisor, apart from his professional judgement, can draw information from a wide range of sources to help assess the risks and mitigating controls of the institutions. There include: Information available from on-site inspections. Mandatory periodic reports required by the supervisor, such as reports on large exposures, country risk exposures, provisions, non-performing loans, etc. Interviews with senior personnel of the bank. Internal management reports. 6

7 Internal minutes of various management and committee meetings, such as Board, ALCO, Audit Committee. Reports of the external auditors. A more detailed analysis of the rating system follows on section Aggregate Scores As explained earlier, the aim of the Risk Assessment System (RAS) is to provide a risk based approach in the evaluation of the bank. For that, all risk and controls areas examined are evaluated and rated using a bottom-up approach. That is, the assessment starts from the risk and control elements based on the evaluation of the risk indicators. Subsequently, the results are aggregated to form the ratings for the various risk categories and control risk groups. From that, the risk scores are aggregated in the material business units followed by the material subsidiaries. Hence, first, the risk and control elements are rated in accordance with the evaluation of the risk indicators, using a four-graded scale. Subsequently, the various risk and control elements considered (for example, credit exposure, default probability, concentration, key products and markets, etc) are aggregated in order to come up with a score for the particular risk category (credit risk) or control risk. It is noted that, different weights are assigned for risk categories and for control risks to illustrate the fact that where strong and efficient controls exist, the overall level of risk involved (and, hence, the rating) decreases. On the other hand, in the cases where the controls present are insufficient, the level of risk involved (and, hence, the rating) is higher. This is, also, in line with the key principles on RAS suggested by the Committee of European Banking Supervisors (CEBS) regarding the Application of the Supervisory Review Process under Pillar 2 which state that: High risks are assigned a relatively higher weight than low risks Weak controls are assigned a relatively higher weight than strong controls The requirement for controls increases as the level of inherent risk rises 7

8 As a result, it is suggested that the following scores should be used for the risk categories and control groups during the assessment of the material business unit: Risk Category: Score: Control risk: Score: Low risk 1 Strong control 0,5 Fair risk 2 Satisfactory control 2 Material risk 3 Moderate control 3,5 High risk 4 Weak control 5 The risk categories and control groups are then aggregated to a common score for the material business units using the following formula: Score = (1/n* (Σ assessment j n )) 1/n Where: Score = score for risk category / control risk / material business unit considered n = total number of items assessment j = the outcome of the assessment of item i The next step would be to aggregate all the material business units to a common score for the material subsidiaries identified or, in the cases where there are no material subsidiaries, for the bank as a whole. In doing so, the supervisor should apply different weights for different business units, as different business units and different subsidiaries have different impact on the bank as a whole. The weights suggested on section 2 should be applied based on the criteria set by the supervisor in relation to the effect of each unit. Hence, the aggregate score is described by the formula below: Aggregate score = Σ (weight i * (score i) n Σ (weights) 1/n 8

9 Where: Aggregate score = aggregate risk score of material business unit or material subsidiary weight i = relative importance of score i score i = risk category score, control group score n = total number of items considered The above procedure can also be used to carry out a parallel aggregation for the different risk groups within the organisation. This will enable the supervisor to create a risk profile for each of the institution s critical units, such as for the different business units, as well as for the bank as a whole. The chart below shows how the risk elements within the credit risk group are aggregated to business units and to the whole bank. BANK A SUBSIDIARY A SUBSIDIARY B SUBSIDIARY C BUSINESS UNIT 1 BUSINESS UNIT 2 BUSINESS UNIT 3 BUSINESS UNIT 4 BUSINESS UNIT 5 STRATEGY RISK MARKET RISK LIQUIDITY RISK CREDIT RISK OPERATIONAL RISK INTERNAL CONTROLS ORGANISATION MANAGEMENT RISK APPETITE KEY PRODUCTS EXPOSURE RECOVERY RATE CONCENTRATION CORRELATION DEFAULT PROBABILITY TRENDS 9

10 6. Evaluation of results As explained earlier, the effective use of the RAS will provide the supervisor with a useful tool to evaluate the risk inherent in the bank under examination. Moreover, as the framework will be applied in a consistent manner, and the principles adopted for the calculation of the aggregate risk score will be the same for all banks, it will provide, also, a useful tool for the comparison of the inherent risk between different banks. In addition, it will assist the planning process of the supervision, as it offers guidance to the supervisor to allocate sufficient resources where necessary, such as to the material business units or the material subsidiaries which have been assessed to be the more risky ones. The results of the RAS can be discussed with the senior management of the bank. Hence, it could offer the management of the bank useful assistance as to the areas that need to take corrective measures in order to improve the bank s risk profile. In addition, it will provide qualitative feedback to the management of the bank about the adequacy of its risk management and internal controls. The efficient application of the RAS will, also, enable the supervisor to impose, where necessary, prudential measures against the institution. Such measures could include the requirement for the institution to improve its internal control and risk management framework, restrict its business or network operations, or take action to reduce the inherent risk in its activities, products and systems. Moreover, the supervisor may require from the bank additional capital in cases where the overall rating exceeds a defined limit, indicating an increased level of risk. It should be stressed, however, that the supervisor should exercise judgement and not apply an automatic capital add-on. A holistic approach should be followed taking into account his experience with the institution, and, also, discuss the issue with the management of the bank. 10

11 7. Other issues a. Analysis of business environment In addition to the risk categories and control risks analysed before, the supervisor should also carry out an assessment of the business environment in which the bank operates. The factors affecting the business environment are not rated as it was the case with the risk categories and control risks. Instead, such an analysis will assist the supervisor to get a better understanding of the risk profile of the bank examined, by considering external factors that may have a direct or indirect impact on the bank s risks and controls. Business operating environment risks can arise from a broad range of external developments. There is no exhaustive list as to what such events or developments should be included, but the following list is given as an indication: Any legal or political reasons that could affect the bank, such as changes in regulatory environment, increasing litigation costs. Any socio-demographic conditions that could affect the bank, such as ageing population, customer loyalty. Any major impact on the bank caused by changes in technology. Any economic issues that could have an impact on the bank, such as inflation, recession. Any effect on the bank caused by changes in the competitiveness of the environment, such as increasing competition and the effect on profit margins. b. Quality assurance In order for the results of the RAS to be consistent and useful, it is of paramount importance to maintain a high level of quality in the framework. Hence, quality assurance plays a significant role in the overall risk assessment process, and it can be maintained with the following elements: 11

12 There should be a regular review of the risk assessment process. In that respect, quality assurance panel may be used consisting of experienced supervisors. The objective of the panel would be to ensure that all relevant risks are captured in the assessment, and that consistency is applied between the risk assessment of different institutions. In order to enhance the consistency and comparability of the risk assessment system, it would be desirable for two supervisors to perform the various steps of the risk analysis (the four eyes principle). An audit trail should be maintained, so that changes in the assessment should be traced back to the responsible officer. c. Frequency The frequency of the re-assessment will depend on the risk profile of the particular institution. However, it is advisable that the most critical banks within the banking system to be assessed once a year. 12