High level principles for risk management



Similar documents
Principles for An. Effective Risk Appetite Framework

PRINCIPLES FOR THE MANAGEMENT OF CONCENTRATION RISK

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II

System of Governance

Guidelines on the Application of the Supervisory Review Process under Pillar 2 (CP03 revised)

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS

Supervisory Policy Manual

Issued on: 1 March Risk Governance

Terms of Reference - Board Risk Committee

EIB Group Risk Management Charter

Audit, Risk Management and Compliance Committee Charter

Guidance on the management of interest rate risk arising from nontrading

Insurance Guidance Note No. 14 System of Governance - Insurance Transition to Governance Requirements established under the Solvency II Directive

PART B INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

11/12/2013. Role of the Board. Risk Appetite. Strategy, Planning and Performance. Risk Governance Framework. Assembling an effective team

Basel Committee on Banking Supervision

The Internal Capital Adequacy Assessment Process (ICAAP) and the Supervisory Review and Evaluation Process (SREP)

An Overview of Basel II s Pillar 2

Managing Risk at Bank of America Corporation. Overview

EBA Guidelines on Internal Governance

CEBS Guidelines for the Operational Functioning of Supervisory Colleges (GL 34)

SUPERVISION GUIDELINE NO. 9 ISSUED UNDER THE AUTHORITY OF THE FINANCIAL INSTITUTIONS ACT 1995 (NO. 1 OF 1995) RISK MANAGEMENT

Application for a Banking Authority Foreign Bank Branches Prudential Statement J2

SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Solvency II Detailed guidance notes

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

STRESS TESTING GUIDELINE

EBA Guidelines on Internal Governance (GL 44)

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3)

Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference

A Guide to Corporate Governance for QFC Authorised Firms

Statement of Guidance: Outsourcing All Regulated Entities

Guideline on risk management and other aspects of internal control in stock exchange

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

S t a n d a r d 4. 4 c. M a n a g e m e n t o f m a r k e t r i s k. Regulations and guidelines

HSBC FINANCE CORPORATION CHARTER OF THE RISK COMMITTEE

NORTHERN TRUST CORPORATION BUSINESS RISK COMMITTEE CHARTER

Eclipx Group Limited Risk Management Policy

Code Banken. 9 september 2010

Final Draft Guidance on Audit Committees

CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value. May 2012.

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Deriving Value from ORSA. Board Perspective

Pursuant to Article 95, item 3 of the Constitution of Montenegro I hereby pass the ENACTMENT PROCLAIMING THE LAW ON BANKS

14 December 2006 GUIDELINES ON OUTSOURCING

January 6, The financial regulators 1

Basel Committee on Banking Supervision

Guideline. Category: Sound Business and Financial Practices. No: E-18 Date: December 2009

Risk appetite How hungry are you?

RS Official Gazette, No 51/2015

ICAAP Required Capital Assessment, Quantification & Allocation. Anand Borawake, VP, Risk Management, TD Bank anand.borawake@td.com

CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS

Central bank corporate governance, financial management, and transparency

Bank of America NA Dublin Branch Market Discipline. Basel II - Disclosures

Market and Liquidity Risk Assessment Overview. Federal Reserve System

Interagency Guidance on Funds Transfer Pricing Related to Funding and Contingent Liquidity Risks. March 1, 2016

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

NOVEMBER 2010 (REVISED)

Mapping of outsourcing requirements

Insurance Groups under Solvency II

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Basel Committee on Banking Supervision. Standards. Interest rate risk in the banking book

From ICAAP/ORSA to ERM: Board and Senior Management Oversight. Leon Bloom, Partner, Deloitte & Touche LLP lebloom@deloitte.ca

Danske Bank Group's Remuneration Policy, March 2016

Corporate Governance Code for Banks

EBA/GL/2012/06 22 November Guidelines. on the assessment of the suitability of members of the management body and key function holders

AUDIT COMMITTEE TERMS OF REFERENCE

Guidelines on preparation for and management of a financial crisis

Risk management systems of responsible entities

Implementation of Solvency II: The dos and the don ts

Final Report. Guidelines on the management of interest rate risk arising from non-trading activities EBA/GL/2015/ May 2015

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

Solvency II for Beginners

ZAG BANK BASEL II & III PILLAR 3 DISCLOSURES. December 31, 2014

INTERNAL CAPITAL ADEQUACY ASSESSMENT

1. Introduction Process for determining the solvency need Definitions of main risk types... 9

Risk Management Policy

Fund Management Companies Guidance

Capital Adequacy: Advanced Measurement Approaches to Operational Risk

GUIDE TO BANKING SUPERVISION

Standard Chartered Bank (Thai) PCL & its Financial Business Group Pillar 3 Disclosures 30 June 2015

CONSULTATION PAPER Proposed Prudential Risk-based Supervisory Framework for Insurers

NATIONAL BANK OF ETHIOPIA MICROFINANCE INSTITUIONS SUPERVISION DIRECTORATE. RISK MANAGEMENT GUIDLEIES for MICROFINANCE INSTITITTIONS (FINAL)

6/8/2016 OVERVIEW. Page 1 of 9

Measurement of Banks Exposure to Interest Rate Risk and Principles for the Management of Interest Rate Risk respectively.

Guidance Note: Stress Testing Class 2 Credit Unions. November, Ce document est également disponible en français

Recognised Investment Exchanges. Chapter 2. Recognition requirements

Guideline on risk management and other aspects of internal control in central securities depository

Basel Committee on Banking Supervision. Principles for sound stress testing practices and supervision

Risk management report

Risk Management Programme Guidelines

Regulation for Establishing the Internal Control System of an Investment Management Company

Transcription:

16 February 2010 High level principles for risk management Background and introduction 1. In their declaration of 15 November 2008, the G-20 leaders stated that regulators should develop enhanced guidance to strengthen institutions risk management practices, in line with international best practices, and encourage financial firms to re-examine their internal controls and implement strengthened policies for sound risk management 1. 2. The EU Economic and Financial Committee (EFC) has transposed the G-20 recommendations into its EU Work Plan Following G-20 Declaration and Action Plan which repeats the call for CEBS to develop enhanced guidance to strengthen banks' risk management practices, in line with international best practices, and encourage financial firms to re-examine their internal controls and implement strengthened policies for sound risk management. 3. In response to this request, CEBS has conducted an analysis of existing risk management guidelines with the objective of identifying possible gaps in coverage and other areas where updates to the guidelines would be desirable. The report submitted to the 2009 March meeting of the EFC provided a roadmap for improving existing CEBS guidelines and enhancing their implementation. 4. According to the results of the CEBS analysis, EU and international supervisory bodies have produced a comprehensive set of guidelines covering all major aspects of risk management. However, the coverage of the guidelines is somewhat fragmented, with most guidelines focussing on narrow areas. Furthermore, not all aspects of risk management are covered in CEBS guidelines. In particular, there are gaps in the areas of: (i) governance and risk culture; (ii) risk appetite and risk tolerance; (iii) the role of the Chief Risk Officer and risk management functions; (iv) risk models and integration of risk management areas; and (v) new product approval policy and process. 1 G20 declaration of 15 November 2008, http://www.g20.org/documents/g20_summit_declaration.pdf

5. To overcome this deficiency, CEBS has decided to consolidate all its principles and guidelines addressing risk management issues in a comprehensive guidebook that covers all aspects of risk management, following the structure of Annex V of the Capital Requirements Directive 2. Such a consolidation (not to be confused with the simple compilation of texts provided in the current CEBS Electronic Guidebook 3 ) will eliminate overlaps and achieve comprehensive coverage of the topic of risk management in one place. 6. To introduce the consolidation of existing principles and guidelines on risk management, CEBS has decided to develop a set of overarching high level principles on risk management which would serve as a stand-alone document but could also be expanded upon in CEBS s guidelines on specific topics (in the form of references to existing risk management principles as formulated in CEBS standards and guidelines). 7. The high-level principles proposed in the current paper should be considered both by institutions and supervisors within the supervisory review framework under Pillar 2. In other words, they should be implemented by institutions as part of the ICAAP and reviewed by supervisors as part of the SREP. Supervisors should implement the High-level-principles into their procedures by 31 December 2010. 8. The high-level principles for risk management are aimed mainly at large and complex institutions. However, according to the principle of proportionality, they can be adapted to any institution under review, taking into account its size, nature, and complexity 4. High level principles for risk management Governance and risk culture 9. A strong institution-wide risk culture is one of the key elements for effective risk management. One of the prerequisites for creating this risk culture is the establishment of a comprehensive (covering all risk types, business lines and relevant risks) and independent risk management function 5 under the direct responsibility of the Chief Risk Officer (CRO), or the senior management if a CRO is not appointed, following the principle of proportionality. 2 In this paper, all references to the Capital Requirements Directive (CRD) are references to Directive 2006/48/EC. 3 See http://www.c-ebs.org/publications/compendium-of-guidelines.aspx 4 According to the principle of proportionality, guidelines for institutions and supervisors are to be applied in a proportionate manner to reflect the nature, scale and complexity of the activities of the institutions (see CEBS Guidelines on the Application of the Supervisory Review Process under Pillar 2). 5 Some supervisors may also refer to this function as risk control function. 2

10. The management body is responsible for overseeing senior management and also for establishing sound business practices and strategic planning. It is therefore of the utmost importance that the management body in carrying out both its management and supervisory functions has collectively a full understanding of the nature of the business and its associated risks. The members responsible for those functions need a level of understanding commensurate with their responsibilities. This includes adequate understanding of those areas of business undertaken by the institution for which they are not directly accountable. At least some members of the management body or, where relevant, the audit committee (or equivalent) should have had practical experience in the area of financial markets or from their background business activities obtained sufficient professional experience directly linked to this type of activity. 11. Every member of the organisation must be fully aware of his responsibilities relating to the identification and reporting of relevant risks and of other roles within the organisation and the associated responsibilities to these roles. The risk culture must extend across all of the organisation s units and business lines and encompass all relevant risks, both financial and non-financial (e.g. reputational risk). Risk policies must be formulated based on a comprehensive view of all business units, and risks must be evaluated not only from the bottom up but also across business lines. 12. Institutions must implement a consistent risk culture and establish sound risk governance supported by an appropriate communication policy, all of which must be adapted to the size and complexity of the organisation and the risk profile of the institution or banking group. 13. The governance of risk (e.g. responsibilities, risk tolerance and risk appetite etc.) must be documented and updated as appropriate. The staff shall be informed appropriately about the risk governance arrangements taking into account their information needs given their roles within the institution. The risk management framework must be subject to independent review. Risk appetite and risk tolerance 14. The level of risks that institutions are willing to take is constrained by regulation and supervision, given that the social cost of any institutional failure (official support measure) would typically exceed the limited downside risk for the institution s shareholders and management. Risk appetite and risk tolerance depend not only on intrinsic risk aversion, but also on the current financial situation of the institution and its strategic direction. To assure the safety of deposits, this regulatory constraint takes, in particular, the form of capital and liquidity requirements. 15. Institutions express their risk appetite and risk tolerance in a variety of forms, including setting a target credit rating or a target rate of return on equity (sometimes, but not always accompanied by a target limit on the variance of that return). It is important both that institutions set such 3

targets, and that the targets be consistent with one another, 6 as well as being consistent with the institution s obligation to maintain the risk to depositors within the constraints implied by capital and liquidity regulation. 16. In setting a risk appetite and risk tolerance level, the institution has to take all relevant risks to the institution into account, including those arising from off-balance sheet transactions.. 17. The management body and senior management are responsible for setting the institution s risk appetite and risk tolerance at a level which is commensurate with its sound operation and the strategic goals of the institution. 18. The respective roles of the management body and senior management in the oversight of risks should be clearly and explicitly defined. The management body should be responsible for setting the institution s risk appetite and tolerance level - and for reassessing that level regularly - taking into account the information (e.g. technical analysis with regard to the risk tolerance) provided by the risk management function or, where relevant, by the audit committee (or equivalent). 19. Senior management should be responsible for risk management on a day-to-day basis, under the oversight of the management body. Because of the volatile nature of banking business and the economic environment, risk measurement should be regularly reviewed and scrutinised against the institution s strategic goals and risk appetite and risk tolerance. In particular, senior management should ensure that the institution sets trading, credit, liquidity, and other risk limits that are consistent with the institution overall risk appetite and risk tolerance, even in a stressed economic environment. To this end institutions must have processes in place to ensure risks are kept within the limits and overall limits remain consistent with the overall risk appetite and risk tolerance. The role of Chief Risk Officer and the risk management function 20. The institution should appoint a person responsible for the risk management function across the entire organisation, and for coordinating the activities of other units relating to the institution s risk management framework. Normally this person is the Chief Risk Officer (CRO). However, when the institution s characteristics in particular its size, organisation, and the nature of its activities do not justify entrusting such responsibility to a specially appointed person, the person responsible for internal control can be made responsible for risk management as well. 21. The CRO (or equivalent) should have sufficient independence and seniority to enable him or her to challenge (and potentially veto) the 6 For example, supervisors can legitimately question how a bank can simultaneously achieve a high rate of return on equity and a narrow variance around that target rate of return. They may also question how a high target rate of return on equity can be consistent with maintaining a high credit rating throughout the business cycle. 4

decision-making process of the institution. The CRO s position within the institution should permit him or her to communicate directly with the executive body concerning adverse developments that may not be consistent with the institution s risk appetite and tolerance and business strategy. When the executive body or the management body considers it necessary, the CRO should also report directly to the management body or, where appropriate, to the audit committee (or equivalent). 22. The CRO should have expertise (i.e. relevant skills and experience) which is relevant and appropriate to the institution s risk profile. The CRO should play a key role in enabling the management body and senior management to understand the institution s overall risk profile. 23. The risk management function should also have expertise which matches the institution s risk profile. It should play a key role in identifying, measuring, and assessing the overall risks faced by the institution. Its responsibilities should include overseeing and approving internal ratings systems and risk assessment models, and analysing the risks of new products and exceptional transactions. 24. The risk management function should be actively involved, at an early stage, in the elaboration of the institution s strategy and decision-making on business activities. 25. Institutions should ensure that the risk management function is independent from the operational units whose activities it reviews. Its position in the organisation should allow it to interact with these units in order to have access to the information necessary for the accomplishment of its mission. However, the risk management function should in all cases be carried out at arm's length from the decision-making function. 26. The management of risks should not be confined to the risk management function. It should be the responsibility of management and staff in all business lines and they should be aware of their accountability in this respect. 27. The management body and senior management should ensure that the allocation of resources to the risk management function is sufficient in amount and quality to allow it to fulfil its mission. These resources should be consistent with the institution s risk management and strategic objectives. They should include adequate personnel (with sufficient expertise and qualifications), data systems and support and access to the internal and external information deemed necessary for the fulfilment of the risk management function s mission. Risk models and integration of risk management areas 28. Institutions should identify and manage all relevant risks across all business lines at the portfolio and group levels, whatever the nature of the exposure (contractual or not, contingent or not, on- or off-balance sheet). 5

29. Institutions should avoid over reliance on any specific risk methodology or model. Modelling and risk management techniques should be only one part of the risk management system and should always be tempered by expert judgment. 30. Models that indicate that the institution stands to earn very high returns on economic capital may in fact point to a deficiency in the models (such as failure to take into account all relevant risks) rather than superior strategy or execution on the part of the institution. 31. Decisions which determine the level of risks taken should not only be based on quantitative information or model outputs but should also take into account the practical and conceptual limitations of metrics and models using a qualitative approach including expert judgment and critical analysis. Relevant macroeconomic environment trends and data should explicitly be addressed to identify their potential impact on exposures and portfolios. Such assessments should be formally integrated in material risk decisions. In particular, institutions must bear in mind that the results of stress testing exercises are highly dependent on the limitations and assumptions of the models, namely the severity and duration of the shock and the underlying risks. 32. Institutions should adopt an integrated treatment of all relevant risks. When new products or activities are launched, institutions should recognise the corresponding risks within their integrated risk management approach. 33. Regular and transparent communication mechanisms should be established within the organisation, so that the management body, senior management, business lines, the risk management function and other control functions can all share information about risk measurement, analysis and monitoring. 34. Internal procedures and information systems should be consistent throughout the institution and reliable so that all sources of relevant risks can be identified, measured, and monitored on an aggregated basis and also, to the extent necessary, by entity, business line, and portfolio. New product approval policy and process 35. Institutions should have in place an internally approved and welldocumented new product approval policy (NPAP) which addresses not only the development and approval of entirely new products but also significant changes in the features of existing products. 36. The new product approval policy should cover all aspects of the decision to enter new markets or deal in new products, including the definition of new product/market/business to be used in the organisation, the internal functions involved in the decision (possibly through an ad-hoc committee), and other issues involved in undertaking a new activity (pricing models, P&L, software, back and middle office, risk management tools, etc.). 6

37. New products, markets, and businesses should be analysed carefully and the institution should make sure that it possesses adequate internal tools and expertise to understand and monitor the risks associated with them. 38. The risk management function must participate in the process of approving new products or significant changes to existing products. It should also have a clear overview of the roll-out of new products (or significant changes to existing products) across different business lines and portfolios, and should have the power to require that changes to existing products go through the formal NPAP process. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information