Module7: Enterprise Risk Management

 

Supervisory Review and Evaluation Process (SREP) and Internal Capital Adequacy Assessment Process (ICAAP)

Supervisory Review and Evaluation Process (SREP)

As per Basel guidelines, banks are required to maintain Capital to risk weighted asset ratio (CRAR) on an ongoing basis (other than Capital Conservation Buffer and Countercyclical Capital Buffer etc.) for Pillar-I Risks i.e. Credit Risk, Market Risk and Operational Risk.

But banks also face many other types of risks such as Liquidity Risk, Country Risk, Credit Concentration Risk, Model Risk, Strategic Risk, Reputation Risk etc for which no capital is prescribed but these risks are also equally important and required to be managed by the banks efficiently.

The objective of the SREP is to ensure that the bank has adequate capital to support all the risks in their business as also to encourage them to develop and utilise better risk management techniques for monitoring and managing their risks.

 

SREP and ICAAP address the following aspects:

•        The risks that are not fully captured by the minimum capital requirements prescribed under Pillar 1,

•        The risk that are not at all taken into account by the Pillar 1, and

•        The factors external to the bank

This would require a well defined Internal Assessment Process within the bank through which they assure the Regulator that adequate capital is held towards various risks to which they are exposed.

 

Internal Capital Adequacy Assessment Process (ICAAP)

 Banks are required to have a Board-approved policy on Internal Capital Adequacy Assessment Process (ICAAP) and to assess the capital requirement as per ICAAP.

 What Regulators want ?

§  Banks to develop and put in place, with the approval of their Boards, an ICAAP Document to commensurate with their size, level of complexity, risk profile and scope of operations.

§  Submission of ICAAP Document to Regulator

§  ICAAP Document to be reviewed at least once a year by the Regulator and independent review/validation by the Bank through an internal or external audit process.

Objectives of ICAAP

ICAAP is a bank’s internal process for

§  Assessing its overall capital adequacy in relation to its risk profile.

§  Strategy for maintaining capital levels both under normal and stressed scenarios.

What are the Objectives of ICAAP?

§  Banks to analyze that they have adequate capital to support all risks: Pillar 1 and Pillar2.

§  To encourage banks to develop and use better risk management techniques.

§  Enable comprehensive identification and assessment of all material risks in relation to their risk profile.

§  Analyze the Control mechanism in place .

Three Keys to Steps in ICAAP

Risk identification & Assessment.

ICAAP goes beyond regulatory requirements of minimum capital requirements and assesses capital considering Bank’s own risk profile. The material risk identification and assessment process aims at identifying existing and emerging risks for the bank, defining an approach for determining the materiality of risks and their assessment and understanding the capital requirements for the risks, material to the Bank.

II. Projection and Tolerance Setting:

1. Projection and Stress Testing (select and prioritize relevant Risk Scenarios)

2. Vulnerability of business and likelihood

3. Specification of Risk Appetite

4. Stake holder expectation: capital and earnings implications 

III. Management and Communication:

1.  Capital plan with respect to risk, strategic focus and business plan

2. Benchmark potential losses and Capital adequacy

3. Regular Monitoring and reporting

4. Management action 

5. Communication

Level 2 headings may be created by course providers in the future.

 

Significant Aspects of ICAAP:

Level 2 headings may be created by course providers in the future.

  ICAAP encompasses firm wide risk profile covering all material risks/ risk management principles:

Senior management shall understand the importance of taking an integrated, firm-wide perspective of a bank’s risk exposure, in order to support its ability to identify and react to emerging and growing risks in a timely and effective manner. The purpose of this guidance is to have enhanced firm-wide oversight and risk management system.

II.              Board oversight: Submission of the outcome of the ICAAP to the Board. The document shall be sufficiently detailed to enable the Board of Directors to evaluate the level and trend of risk exposures, adequacy of capital against the risk exposures and the plan for augmenting capital in case of additional requirement.

III.            Review of ICAAP Outcome: An interim review of ICAAP document should be conducted to verify any assessment errors and facilitate course correction/ revision of strategy. The senior management shall also review the report to evaluate the sensitivity of the key assumptions and to assess the validity of the bank’s estimated future capital requirements.

IV.            ICAAP to be an integral part of the management and decision making culture of the institution: The ICAAP shall form an integral part of the management and decision-making culture of the Bank.

The integration would also mean that ICAAP shall enable the management to assess, on an ongoing basis, the risks that are inherent in their activities and material to the institution. In order to achieve the abovementioned objectives, Bank seeks to achieve convergence between Risk Management, Compliance and  Audit functions.

V.              Principle of Proportionality: The process for assessing capital adequacy has to be relative to its risk profile of the Bank. The implementation of ICAAP shall be guided by the Principle of Proportionality. Based on the degree of sophistication adopted for the ICAAP in regard to risk measurement and management, Simple, Moderately Complex and Complex approach may be adopted. The adopted approach shall be commensurate with the nature, scope, scale and the degree of complexity in the Bank’s business operations.

VI.            ICAAP to be forward Looking: ICAAP shall take into account the expected/ estimated future developments such as strategic plans, macro economic factors, etc., including the likely future constraints in the availability and use of capital.

VII.          ICAAP to be a risk based process: The adequacy of a bank’s capital is a function of its risk profile. Bank shall, therefore, set its capital target which is consistent with its risk profile and operating environment. At a minimum, Bank shall have in place a sound ICAAP, which includes all material risk exposures of the bank.

Climate Risk Management

Climate Risk can be defined as possibility of loss due to climate change. Climate change is expected to cause major disruptions in several economic sectors such as coal, petroleum and steel. Climate change is also likely to benefit other sectors such as renewables (wind & solar) or even electric cars!

Such adjustments are certainly going to substantially impact the working as well as the financials of banks.

Impact of Climate Risk in banks till recent past has been thought to be limited to being part of reputational risk which could be handled through the Environmental Social and Governance (ESG) plan of the bank. As a result, climate risk management has been the part of the Corporate Social Responsibility (CSR) function in banks.

However, it is being increasingly felt by experts that climate change is a much bigger risk for banks and financial institutions. Experts therefore advocate that climate risk in banks should be treated as a financial risk, which should be integrated in the existing risk management frameworks and responsibility for its management should lie with the Risk Management team.

Climate risk for banks is going to manifest itself as part of the existing risk categories such as Credit Risk (Financial Risk), Operational Risk, Legal risk or Reputational risk.

Climate change and CO2 emissions

Experts are of the view that the current rise earth’s temperature, after the industrial revolution is unnatural and is the result of emission of greenhouse gases into the earth’s atmosphere. The greenhouse gases such as carbon dioxide (CO2) are released by burning of fossil fuels, cutting of forests and industrial processes.

In 2015, in Paris various countries got together to counter the threat of climate change (Paris Agreement). The agreement decided on following a three-pronged action plan.

(i)                   Restrict the rise in global temperatures to below 2 degree Celsius while endeavouring to limit the increase to 1.50 degree Celsius.

(ii)                 Improve upon the capabilities and capacities of countries to develop green technologies (low emissions) and adapt to climate change.

(iii)               Direct the flow of financing towards climate resilient development and low emissions.

The banks have an important role to play in ensuring flow of financing towards low carbon emission developments. In this role banks face risks and also have new opportunities for growth.  

Physical Risk and Transition Risk.

The climate risks faced by banks can be further categorized into Physical Risk and Transition Risk.

Physical risks:

Risk of change in temperatures, food and water availability due to physical effect of climate change. These risks could disrupt operations and supply chains endanger employee safety due to events such as floods or storms.

Transition risks:

Risks linked to the transition process towards a low carbon emission economy. These may occur as a result of pace of the transition (too fast or too slow). There is also a risk if the transition does not happen at all. It could involve changes in policy, legislations, market and technology to meet the requirements pertaining to transition towards low carbon economy.

Opportunities for banks

Along with risks, climate change also ushers in new opportunities for banks. This could come up in the form of substantial new funding requirements for transition towards green economy for eg. financing for renewables and financing for development of green technology.

Steps for Management of Climate Risk.

• Climate Risk concerns need to be addressed by factoring in climate change in the banks existing risk management and governance framework.
• Board and Senior Management to take responsibility for management of climate change risk and incorporating it in the risk appetite statement.
• Risk Managers to identify, measure, monitor and report climate risk through the existing risk management frameworks treating it as a financial risk which manifests itself through other risks.
• Risk Management to develop new risk indicators for climate change and undertake their monitoring
• Assessment of climate risk to be part of the Internal Capital Adequacy Assessment Process (ICAAP) of banks.
• Banks should understand and analyse the possible impact of these on their customers and counterparties in whom they are invested or are planning to make investments in future.
• Scenario analysis is essential for management of transition climate risk. Scenario analysis tests banks resilience and capital adequacy through a series of scenarios based on possible different transition paths that may be adopted towards the goal of low carbon economy. There could be scenarios for testing bank’s resilience if the transition occurs at a fast pace, average pace, slow pace or the transition does not happen at all!
• Reporting to top management and board on the results of scenario analysis and monitoring of risk indicators pertaining to climate risks, enables better decision making.
• Disclosures pertaining to climate risk increase transparency for stake holders and help them in understanding banks efforts towards management of climate risk.

Cyber Risk Management

In recent past, cyber risk has emerged as a major concern in the financial sector, more specifically in banking operations involving critical payment system infrastructure. The banking industry is target of choice for cyber attack. The asymmetric nature of threats means attackers only need to find a single weakness, while defenders must guard against them all. Since such threats arise from low barriers to entry and continue to grow in scale, it is essential for the banking system to secure themselves adequately and enhance resilience.

IT is integral to operational strategies of banks. Banks need to proactively create and update mechanisms based on new developments and emerging concerns. Cyber security preparedness requires continuous and synchronous efforts from multiple stakeholders like Regulators, Government entities, participating banks and customers. It not only entails, putting in place an adaptive incident response, management and recovery framework to deal with adverse incidents but also involves creating awareness about cyber threats and their potential.

A 2014 study of cyber incidents by IBM found that 90 percent had a human component to them, meaning that the actions of an employee helped further the cyber attack rather than a purely technical failure. An organization’s internal security practices and training are as important as its controls around network access from the outside.

National Institute of Standards & Technology (NIST) framework for cyber security provides a set of desired activities and outcomes and also guides organisations in managing and reducing their cyber risk. It talks of five concurrent and continuous functions viz. identify, protect, detect, respond and recover. These functions provide a strategic view of lifecycle of an organisation’s management of cyber risk.

Although managing cyber risk requires commitment of the entire organisation, the Board  of  Directors  is  ultimately  responsible  for  cyber  security.  Senior Management is responsible for advising and making the Bank employees understand and train them about the cyber security risks to the Bank to ensure that they are adequately addressed from a governance perspective. The major role of top management involves implementing the Board approved cyber security policy, establishing necessary organizational processes for cyber security and providing necessary resources for successful cyber security.

Level 2 headings may be created by course providers in the future.