The Application of the Supervisory Review Process under Pillar 2
1. This paper sets out a general overview
of the approach which has been developed by the Committee of European
Banking Supervisors (CEBS) towards the implementation of Pillar
2 of the revised Basel Accord ("Basel II") and the relevant provisions
of the Capital Requirements Directive (NB1).
(NB1 For reasons of simplicity, in this paper the term
"Capital Requirements Directive" or "Directive" refers
to the prospective EU legislation that will be proposed by the
European Commission in summer 2004 to create the legal framework
for the new EU capital requirements regime.)
2. The outcome of such work, reflecting the current thinking of
European banking supervisors, is expressed as High Level Principles
(HLPs) which are designed to deliver an appropriate degree of
convergence and to underpin the legal texts being developed in
the draft Capital Requirements Directive. They should also be
viewed within the overall context of risk-based prudential supervision,
which includes the information generally gathered by supervisors,
and supervisors' interaction with institutions during their ongoing
supervisory relationship.
3. The HLPs are based on a structure which has been developed
through a combination of adopting existing best practices and
developing agreed new practices to take account of the new elements
of Basel II and the draft Capital Requirements Directive. At the
time of producing this paper the Directive text is still under
development, and the HLPs and terminology may still need to be
amended to reflect any subsequent changes introduced in the final
Directive text.
Structure of the paper
4. The outline of this paper is as follows:
. Section 2 sets out in basic terms what is meant by the overall
Supervisory Review Process (SRP), and how the two elements - the
Internal Capital Adequacy Assessment Process (ICAAP) and Supervisory
Review and Evaluation Process (SREP) - fit together.
. Section 3 summarises the key considerations which underpin these
HLPs.
. Section 4 details what the supervisory authority will expect
from institutions in their own assessment of the adequacy of their
financial resources (ICAAP).
. Section 5 looks at the supervisory authority's obligations under
the SREP and how this might be performed.
. Annex A sets out key ingredients of the supervisory Risk Assessment
System (RAS) that constitutes an integral part of the SREP, and
which is used for organising (i.e. planning, prioritising and
allocating) the use of resources, and performing and managing
the supervisory risk assessment; and Annex B
summarises the risk and control factors which should be evaluated
as a minimum.
5. CEBS invites comments on this consultation paper by 31 August
2004 (CP03@c-ebs.org). The
received comments (unless the respondent requests otherwise) as
well as a reasoned explanation addressing all major points raised
will be published on the website.
Supervisory Review Process
6. The purpose of the SRP, according to the Basel Committee on
Banking Supervision, is to:
. ensure that institutions have adequate capital to support all
the risks in their business; and
. encourage institutions to develop and use better risk management
techniques in monitoring and measuring risks.
7. The four principles for supervisory review agreed by the Basel
committee are:
Principle 1: Banks should have a process for assessing
their overall capital adequacy in relation to their risk profile
and a strategy for maintaining their capital levels.
Principle 2: Supervisors should review and evaluate
banks' internal capital adequacy assessments and strategies as
well as their ability to monitor and ensure their compliance with
regulatory capital ratios. Supervisors should take supervisory
action if they are not satisfied with the result of this process.
Principle 3: Supervisors should expect banks to operate
above the minimum regulatory capital ratios and should have the
ability to require banks to hold capital in excess of the minimum.
Principle 4: Supervisors should seek to intervene at
an early stage to prevent capital from falling below the minimum
levels required to support the risk characteristics of a particular
bank and should require rapid remedial action if capital is not
maintained or restored.
8. Under Principle 1, the management body of an institution bears
primary responsibility for ensuring that processes exist to ensure
that an institution holds sufficient capital to meet both regulatory
and internal capital targets. Supervisors should review and validate
this process, in accordance with Principle 2. Under Principle
3, supervisors are able to require (or encourage) institutions
to hold capital in excess of the minimum Pillar 1 requirement.
Finally, it is the opinion of supervisors that Principles 2 -
4 imply that the supervisory authority should have strong risk
assessment capabilities as part of its review and evaluation,
in order to form its own well-informed judgement on what constitutes
an adequate level of capital in any one institution in relation
to its risk and control profile.
9. The Commission Services proposed in the third Consultation
paper (of July 2003) a framework which reflected these four principles.
The SRP prescribed in the EU Directive is intended to achieve
two equally important goals. On the one hand, it seeks to ensure
that institutions hold internal capital which is consistent with
their risk profile and strategy. And on the other, it requires
review of institutions' processes and strategies by supervisors,
and the timely adoption of prudential measures if weaknesses or
deficiencies are detected.
10. The SRP therefore comprises a set of relationships between
supervisors and institutions that hinge on two main elements.
The first is the Internal Capital Adequacy Assessment Process
which places certain obligations on the institution itself (see
ICAAP below). The second is the Supervisory Review and Evaluation
Process which places certain obligations on the supervisory authority
(see SREP below) and in turn leads to the identification of prudential
measures.
11. Supervisors assess the risk profile of an institution through
a variety of sources (e.g. statistical, desk-based analysis, on-site
visits, and routine relationship management etc.) as part of risk
based prudential supervision. This provides the foundation for
the supervisor to undertake, inter alia, an evaluation
of the institution's risk profile, key inputs to which will be
the evaluation of the institution's ICAAP and the supervisory dialogue
this generates with the institution. It also enables the supervisor
to determine appropriate prudential measures (including if necessary
setting a capital requirement above the Pillar 1 minimum), apply
those prudential measures over an agreed supervisory period, and
to keep the risk assessment under review in the light of progress
in implementing those measures and/or other events which may have
a significant impact on the risk assessment.
12. While expressed as two separate processes, the SREP and ICAAP
are in practice closely intertwined and it is intended that there
will be a close interaction between them, especially so for the
larger, more complex and systemically important institutions.
This interaction will generate an important and necessary dialogue,
and feedback mechanism, through which supervisors can:
. gain deeper insights into the institution's overall control
and risk management frameworks;
. establish a closer understanding of how individual institutions
approach the measurement of risks and the amount of internal capital
allocated to them; and
. assess the extent to which the ICAAP may be relied upon as an
input into the supervisor's evaluation of the adequacy of capital
held against all risks.
13. These principles are expected to enhance the level playing
field in the EU under the new capital regime. Industry views on
this would be particularly helpful for further work by banking
supervisors to develop, collectively, additional principles aimed
at promoting convergence on how the ICAAP is linked to the SREP
and how the outcomes of that process might be determined. This
future work will help to underpin convergence and greater consistency
of supervisory outcomes.
Key Considerations
14. These proposals envisage that every institution to which the
Capital Requirements Directive applies must have an Internal Capital
Adequacy Assessment Process and will be subject to the Supervisory
Review and Evaluation Process.
15. The concept of proportionality is key to
both the ICAAP and SREP. As such, the ICAAP should be commensurate
and proportionate to the nature, scale and complexity of the activities
of an institution. Similarly, the depth, frequency and intensity
of the SREP will be determined by the risks posed to the supervisor's
objectives.
16. It is the responsibility of the institution to define
and develop its ICAAP. The onus is on the institution
to demonstrate to the supervisor in its dialogue (through the
interaction of the ICAAP and SREP) that its internal capital assessment
is comprehensive and adequate to the nature of risks posed by
its business activities and its operating environment. The framework
under which an institution should develop its ICAAP is designed
to be risk based. The new framework emphasises
the importance of capital planning, but also
the importance of management, and other qualitative aspects of
risk management. All institutions will have
to assess the impact of economic cycles and other future business
variables on their capital needs. For larger and more complex
institutions this may mean developing a stress and scenario testing
framework through which they will have to estimate the sensitivity
of the institution's capital needs to external risks and factors.
17. The supervisor's role, within the SRP, includes the review
and evaluation of the institution's ICAAP, and the performance
of an independent assessment of the institution's
risk profile, and if necessary taking
prudential measures and other supervisory actions, including
setting additional regulatory capital, to reflect the individual
circumstances of the institution, with a view to ensuring consistency
of capital treatment across institutions. Supervisors should have
arrangements in place for the collection and verification of any
relevant information, and procedures to maintain the quality and
consistency of risk assessments.
18. The Pillar 1 capital requirement will continue to be seen
as a minimum for regulatory capital requirements based on uniform
rules. However, no set of uniform rules for capital requirements
may capture all aspects of an individual institution's overall
risk profile. For institutions and supervisors alike, judgements
on risk and capital adequacy are based on the overall risk profile
and are therefore more than an assessment of compliance with Pillar
1 minimum capital requirements. As part of the supervisory review
process, regulatory capital over and above Pillar 1 is seen as
one of several regulatory tools to be potentially used by the
supervisor to mitigate identified risks, having carefully considered
controls and other mitigating actions. Emphasis should also be
placed on the institution's risk management process.
19. The scope of application for the SRP should
allow the supervisory authority to fulfil its legal responsibility
for supervision at the individual institution level while minimising
the burden on institutions. This element of the Directive is under
active discussion. It will be necessary to ensure that these HLPs
fully fit with the final text.
The Internal Capital Adequacy Assessment Process
Summary
20. The ICAAP is a comprehensive process including the management
body and senior management oversight, monitoring, reporting and
internal control reviews, that institutions must have to identify
and measure their risks, allowing them to ensure that adequate
provision is made for holding internal capital in relation to
their risk profile.
21. The ICAAP includes:
. Policies and procedures to identify, measure and report the
risks inherent in the institution's activities.
. A process to relate the institution's internal capital to its
risks
. A process to state the institution's goals in terms of adequate
internal capital
. A process of internal controls, review and audit
Background
22. The latest texts from the Basel Committee (CP3) and the European
Commission include some key requirements in relation to the ICAAP
as a process for assessing capital adequacy:
- Basel Committee - Principle 1 states that
"banks should have a process for assessing their overall capital
adequacy in relation to their risk profile and a strategy for
maintaining their capital levels"
- CP3 then elaborates the five main features of a rigorous process,
of which two relate specifically to the process for assessing
how much capital the institution needs:
. "sound capital assessment" (policies and procedures to ensure
capture of all material risks, a process to relate capital to
risk; a process to state capital adequacy goals to risk (which
should take account of the institution's strategic focus and business
plan); internal controls to ensure integrity); and
. "comprehensive assessment of risks" (all material risks to be
included, with consideration at least of credit risk, operational
risk, market risk, interest rate risk in the banking book, liquidity
risk and other risks, such as reputation and strategic risk).
23. The remaining three features set out some essential elements
of the overall environment within which the ICAAP should operate:
. management body and senior management oversight;
. monitoring and reporting; and
. internal control.
24. The EU draft directive (Third Consultation paper of July 2003)
incorporates the basic requirements concerning the assessment
process to be implemented by institutions to ensure that their
internal capital is adequate to cover the risks inherent in their
activities.
25. Therefore, even if the Directive is not final, there will
be a requirement for institutions to have a process/arrangements
to ensure that they have adequate internal capital to support
all material risks to which they are exposed and to encourage
the development and use of better risk management techniques.
For the purposes of simplification, the process defined above
is referred to as the internal capital adequacy assessment process.
26. The proposed High Level Principles set out how an institution
can comply with both the qualitative (corporate governance and
risk management) and the quantitative elements (internal capital
assessment) that ICAAP should include (i.e. comprising all five
features mentioned in relation to Basel CP3 in paragraph 21 above).
It is important to note however, that these high level principles
deal mainly with those issues related to the calculation of the
adequate internal capital to ensure that all material risks are
supported.
27. Adequate risk management arrangements and other important
elements of corporate governance are a necessary condition for
an adequate ICAAP and are the foundation of the capital adequacy
process. Notwithstanding this, those more qualitative elements
have further-reaching implications for an institution that go
well beyond the ICAAP. This paper does not intend to elaborate
on that risk management process or on other elements of corporate
governance.
ICAAP High Level Principles
I. Every institution must have a process for assessing its capital
adequacy in relation to its risk profile (an ICAAP).
a. The scope of application of this principle to institutions
which are part of a group subject to consolidated supervision
(i.e. consolidated, sub-consolidated and/or solo) will depend
on the final decision taken in the Directive in relation to this
issue.
II. The ICAAP is the responsibility of the institution.
a. Institutions bear the responsibility for setting targets
of adequate internal capital in a way which is consistent with
their risk profile and operating environment.
b. Therefore the ICAAP should be the responsibility of each institution
itself to fit its circumstances and needs, and using its own inputs
and definitions.
c. At the same time, the institution must be able to explain and
demonstrate how the ICAAP meets supervisory requirements.
III. The ICAAP should be
proportionate to the nature, size, risk profile and complexity
of the institution.
a. Deciding on how to categorise institutions in order to
apply the principle of proportionality cannot be defined in a
principles paper; it is more of a case-by-case issue, which will
probably take account of factors such as size, significance to
financial stability or to other objectives of the
supervisory authority, risk profile, complexity, sophistication,
history of compliance, legal form of the institution etc.
b. It can be expected that proportionality considerations will
have a particular influence on the structure, comprehensiveness
and complexity of less sophisticated institutions' ICAAPs.
c. For less sophisticated institutions, and without prejudice
to Principle V, the outsourcing of parts of the ICAAP and/or its
review is also an issue. Conditions for accepting such outsourcing
could be established nationally or at European level. It must
be clear that each institution is considered according to its
specific situation and individual risk profile.
IV. The ICAAP should be formal,
the capital policy fully documented and the management body's
responsibility.
a. Responsibility rests with the management body of the institution
to initiate and design the ICAAP. It should approve the "conceptual
design" (at the very least the scope, general methodology and
objectives) of the ICAAP. The detailed "design" (being the technical
concept) is a task for the senior management. The management body
is also responsible for integrating capital planning and management
into the overall risk management culture and approach. It must
ensure that capital planning and management policies and procedures
are communicated and implemented institution-wide and supported
by sufficient authority and resources.
b. The institution's ICAAP (methodologies, assumptions and procedures)
and capital policy should be formally documented and approved
and reviewed at the top level (management body) of the institution.
c. The outcome of the ICAAP should be reported to senior management
and the top level management body.
d. Even though outsourcing of parts of the ICAAP - bearing in
mind CEBS' high level principles on outsourcing - could be permissible
for less sophisticated institutions, it must be clear that the
ICAAP remains at all times the responsibility of the institution's
management body. (NB2)
(NB2 The management body is responsible for defining
general policy and for oversight or supervision.)
V. The ICAAP should form an integral
part of the management process and decision-making culture of
the institution.
a. For the more sophisticated institutions, a complete integration
of the ICAAP into the day-to-day management is expected.
b. For less sophisticated institutions, the ICAAP should be constructed
in a way which allows the management body to assess, on an ongoing
basis, the risks inherent in their activities and which are material
to the institution.
c. As an integral part of the management process, this could range
from using the ICAAP to allocate capital to business units, to
playing a role in the individual credit decision process, to playing
a role in more general business decisions (e.g. expansion plans)
and budgets.
d. The results and findings of the ICAAP should feed into the
institution's considerations of its strategy and risk appetite.
For less sophisticated institutions in particular, for whom genuine
strategic capital planning is likely to be more difficult, the
results of the process can be expected to mainly influence the
institution's management of its risk profile, for instance via
changes to its lending behaviour or through the use of risk mitigants.
VI. The ICAAP should be reviewed
regularly.
a. The ICAAP should be reviewed at least annually, to ensure that
the risks are covered correctly and reflect the actual risk profile
of the institution.
b. The ICAAP and its review process must be subject to independent
internal review.
c. Appropriate adjustments to the ICAAP should be initiated in
the light of any changes to the institution's strategic focus,
business plan, operating environment or other factor that materially
affects assumptions or methodologies used in the ICAAP. New risks
that occur in the business must be identified and included in
the ICAAP.
VII. The ICAAP should be risk-based.
a. The adequacy of capital of an institution should be related
to its risk profile. Institutions should set targets which are
consistent with their risk profile (and operating environment).
b. Other considerations may also be taken into account, such as
external rating goals, market image, strategic goals etc., that
are essential for the institution when deciding how much capital
to hold.
c. Nevertheless, if these other considerations are included in
the process, the institution will also need to show how they have
influenced its decisions concerning the amount of capital to hold
for the purposes of its dialogue with its supervisor.
d. At the same time, there are some types of (less readily quantifiable)
risks for which the focus in the ICAAP should be more on qualitative
assessment, risk management and mitigation.
e. Those less sophisticated institutions that take the Pillar
1 "model" as the starting point of their ICAAP (see below), should
also start to meet this principle, in so far as the Capital Requirements
Directive is promoting a risk-based model (even in the Standardised
Approach for credit risk), and because general management and
control frameworks will increasingly be based on risk considerations.
VIII. The ICAAP should be comprehensive.
a. The ICAAP should consider all risks:
i. Pillar 1 risks;
ii. risks covered but not fully captured under Pillar 1;
iii. non-Pillar 1 risks, and
iv. risk factors external to the institution.
b. The ICAAP should capture all of the material risks to which
the institution is exposed, with the concept of materiality defined
and explained by the institution, including non-banking risks
(e.g. insurance).
c. There is no standard categorisation of risk types, although
supervisors will usually expect that the institution has considered
all material risks - see annex B. The institution should be free
to use its own terminology, but should be able to explain to the
supervisor the details, methods used, the coverage of all risks
and how this relates to its obligations under Pillar 1. This would
be the case, for example, if the institution uses a different
definition of operational risk to that in Pillar 1, or a definition
of interest rate risk that includes both banking book and trading
book risk.
d. External factors to be taken into account may include, e.g.
new accounting rules, EU and wider legislation, macro-economic
factors, procyclicality.
e. Whereas most risks are quantifiable and institutions can be
expected to devise methods to measure them, there may be others
which are more qualitative in nature. For these latter risks (which
may need to be "defined", but which will probably include reputation
and strategic risks) more qualitative methods of assessment and
mitigation may be necessary. An institution is expected to be
aware of all material risks, whether quantitative or qualitative
in nature, and to have a process to assess, monitor, manage and
control them.
f. Specifically regarding credit risk, the following should be
taken into account: stress-testing in IRB, residual risk in CRM,
concentration risk, securitisation etc.
g. In aggregating all risks in a comprehensive manner the
institution may take into account risk correlations.
IX. The ICAAP should be forward-looking.
a. The ICAAP should take into account the institution's strategic
plans and how these relate to macro-economic factors. The institution
should develop an internal strategy for maintaining capital levels
which can incorporate factors, such as loan growth expectations,
future sources and uses of funds and dividend policy. The institution
should have an explicit, approved capital plan that states the
institution's objectives and time horizon for achieving them,
and sets out in broad terms the capital planning process and the
responsibilities for that process.
b. The plan should also set out how the institution will comply
with capital requirements in the future, any relevant limits related
to capital, and a general contingency plan for dealing with divergences
and unexpected events (e.g. raising additional capital, restricting
business, or use of risk mitigation techniques).
c. Larger and more complex institutions should conduct stress
tests which take into account the risks specific to the jurisdiction(s)
in which they are operating and the particular stage of the business
cycle. The institution should analyse what impact new legislation,
the actions of competitors etc. may have on its performance, in
order to see what changes in the environment it could sustain.
X. The ICAAP should be based on
adequate measurement and assessment processes.
a. Institutions should have a documented process for assessing
risks (whether individually or in groups).
b. Institutions will not be required to use formal economic capital
(or other) models, although it is expected that more sophisticated
institutions will elect to do so.
c. There is no one "correct" process. Depending on proportionality
considerations and the development of practices over time, institutions
may design their ICAAP in different ways, for example:
i. as the result produced by the regulatory Pillar 1 methodologies
(which are themselves risk-based) and consideration of non-Pillar
1 elements. In other words, to obtain a capital goal, institutions
may take the Pillar 1 requirements and then assess Pillar 2 concepts
that relate to Pillar 1 (e.g. concentration risk, residual risk
of CRM, securitisation etc.) and concepts that are not dealt with
in Pillar 1 (e.g. interest rate risk etc.). The Pillar 1 approach
may, in fact, be appropriate for some less sophisticated institutions,
although they would have to take an active role in justifying
this, including consideration of forward-looking elements. Supervisors
would expect the institution to demonstrate that it had analysed
all the risks outside Pillar 1 and found that those risks were
non-existent, not material, or covered by a simple cushion over
the Pillar 1 minimum;
ii. as a "building block" approach, using different methodologies
for the different risk types (Pillar 1 and Pillar 2 risks) and
then calculating a simple sum of the resulting capital "needs";
iii. as a more sophisticated and complex system, possibly using
"bottom-up" transaction-based approaches with integrated correlations.
d. Also, institutions are likely to find some risks, or the risks
in some countries, easier than others to measure depending on
information availability, meaning that their system is a mixture
of detailed calculations and estimates.
e. What is important is that institutions adopt the risk-based
concept in their philosophy; Pillar 1 may only partially cover
the risks in the business.
f. It is also important that institutions do not rely on quantitative
methods alone to assess their capital adequacy, but rather that
there is an element of qualitative assessment and management judgement
of the inputs and outputs. Considerations such as external rating
goals, market image and strategic goals should be taken into account
in all three "methodologies".
g. Non-measurable risks should be included if material, even if
they can only be estimated, although this might be moderated where
the institution can demonstrate that it has an appropriate policy
for mitigating/managing these risks.
XI. The ICAAP should produce a reasonable outcome.
a. The ICAAP should produce a reasonable overall capital number
and assessment. The institution should be able to explain the
similarities and differences between its ICAAP (which should cover
all the risks) and the regulatory requirements to the supervisor's
satisfaction.
b. Institutions might be encouraged to make greater disclosures,
in order to allow them (and others) to make a comparison, for
their internal purposes, of their ICAAP within their peer group,
and in order to have a basis for comparison and a reasonableness
check.
Supervisory Review and Evaluation Process
Summary
28. SREP is the comprehensive process which supervisors use to:
. Review and evaluate the institution's exposure to risks (i.e.
risk profile)
. Review and evaluate the adequacy and reliability of the institution's
ICAAP
. Review and evaluate the adequacy of the institution's own funds
and internal capital in relation to the assessment of its overall
risk profile
. Monitor ongoing compliance with standards laid down in the Directive
(i.e. supervisory evaluation of compliance)
. Identify any weakness or inadequacies and necessary prudential
measures
Background
29. The latest texts from the Basel Committee (CP3) and the European
Commission include some key requirements in relation to the SREP
as a process for supervisors to assess capital adequacy and the
overall control environment:
. Basel Committee - Principle
2 states that "supervisors should review and evaluate banks' internal
capital adequacy assessments and strategies as well as their ability
to monitor and ensure their compliance with regulatory capital
ratios. Supervisors should take supervisory action if they are
not satisfied with the result of this process".
. CP3 then elaborates the key features of a rigorous process:
o "Review of adequacy of risk assessment" (the degree to which
internal targets and processes cover the full range of material
risks; risk measures used in assessing internal capital adequacy
and extent they are used operationally; and results of sensitivity
analyses and stress tests);
o "Assessment of capital adequacy" (processes used to determine:
target levels of capital are comprehensive and relevant; levels
are properly monitored and reviewed by senior management; and
composition of capital is appropriate);
o "Assessment of the control environment" (quality of the bank's
management information reporting systems; the way in which business
risks and activities are aggregated and management's record in
responding to emerging or changing risks);
o "Supervisory review of compliance with minimum standards".
30. The other Principles (3 and 4) relate to:
o Supervisors expecting institutions to operate above the minimum
regulatory capital ratios and having the ability to require institutions
to hold capital above the minimum; and
o Supervisors intervening early to prevent capital from falling
below minimum capital requirements.
31. The EU draft directive
(Third Consultation paper of July 2003) incorporates the basic
requirements for Supervisors to undertake this evaluation and
review.
32. Therefore even if the Directive is not final, there will be
a requirement for supervisors to have a process/arrangements to
ensure that they can form their own judgement about an institution's
overall risk profile, taking into account the control environment,
and the adequacy and composition of its capital (own funds and
internal capital) in relation to that assessed profile. An important
part of this process will be the supervisor's assessment of the
overall adequacy of the institution's ICAAP, which will be significantly
informed by the quality of the institution's own risk management
and controls.
33. The Risk Assessment System (RAS) is the supervisor's tool
for organising (i.e. planning, prioritising and allocating) the
use of resources, and performing and managing the supervisory
risk assessment (see annex A). It is intended to provide structure
and a practical step-by-step guide to the first phase of SREP
and how this crucial part of SREP might best be planned and organised,
its scope, how it is undertaken and managed, the outputs, the
quality assurance which should be applied, and how the outcomes
are communicated. It is therefore fundamentally a tool for internal
administrative purposes, though if adopted it could lead to greater
commonality of approach among authorities which, in turn, should
facilitate more effective communication between supervisors, especially
between home and host competent authorities. Also, given the need
for greater transparency, broad disclosure on the RAS will contribute
to the dialogue with institutions on their capital situation.
SREP High Level Principles
I. The SREP should be an integrated part of the authority's overall
risk-based approach to supervision.
a. The evaluation process will be an integral,
explicit and formal part of the authority's overall supervisory
approach.
b. The evaluation process underpins the supervisor's
dialogue with the institution (and does not replicate the role
of institutions' management).
c. It is understood and recognised that there will be different
types of evaluation process in place in different supervisory
authorities (for example, the emphasis on qualitative versus quantitative
judgements and the degree of automation within a system).
d. However, the European authorities agree that while flexibility
of approach is important, there will need to be common minimum
standards or benchmarks in order to ensure consistency of application
and a level playing field across Europe.
II. The SREP should apply to all
authorised institutions.
The scope of application of this principle to institutions which
are part of a group subject to consolidated supervision (i.e.
consolidated, sub-consolidated and/or solo) will depend on the
final decision taken in the Directive in relation to this issue.
III. The SREP should cover all
activities of the institution
a. All significant business units of the institution, including
banking, securities, investment management and life assurance,
pensions and general insurance, whether operating domestically
or overseas, will be considered within the evaluation process.
b. Other risks to the consolidated group will also be captured,
for example where services are being provided or control functions
are being exercised from outside the consolidated group on an
outsourced basis (even if within the wider group): for example
IT, accounting, payment and settlement functions.
IV. The SREP should cover all material
risks and risk management/internal controls.
a. The supervisor will perform its analysis with a formal evaluation
of risk factors and of control factors in place. The principles
for the minimum content of the Risk Assessment System (RAS) used
by supervisors are set out in Annex A.
b. The evaluation will focus on identifying each institution's
risk profile and assessing the quality of the institution's risk
management system. The Business risks and risk management and
internal controls, which should be evaluated, are set out in Annex
B. Business risks span all activities and significant business
units. Controls should include, at the minimum, an assessment
of the quality of corporate governance, senior management, organisational
structure, the risk management and control environment, internal
audit and compliance functions. Supervisors should review the
controls in place to mitigate risk, as well as the adequacy and
composition of capital held against those risks.
c. This review and evaluation allows the supervisor, inter alia,
to give qualitative feedback to an institution about
the adequacy of its risk management/internal controls in relation
to the business risk profile, and to assess and understand the
extent to which the output of the ICAAP can serve as an input
to the SREP.
d. The evaluation should be forward looking to the extent that
it should consider, based on information known at the time, whether
the risk profile of the institution is likely to change over the
forthcoming period.
e. Stress tests could be used by the supervisor to help in establishing
the need for early intervention.
V. The SREP shall assess and review the institution's ICAAP.
a. The supervisor will assess the institution's ICAAP as part
of its SREP. This should include a consideration of the assumptions,
components, methodology, coverage and outcome of the institution's
ICAAP. This review should cover both the institution's risk management
processes and its assessment of adequate capital. Supervisors
should review the controls in place to mitigate risk as well as
the adequacy and composition of capital held against those risks.
b. An important element of the assessment and review of the ICAAP
will be the necessary dialogue between the supervisor and the
institution. This dialogue will inform the supervisor about the
way in which the ICAAP is structured, the assumptions which are
used to determine underlying risks across different sectors and
risk types, risk sensitivity and confidence levels, and how the
risks are aggregated. The supervisor may use the results of the
RAS to inform its analysis.
c. In line with ICAAP Principle XI, the supervisor may require
the institution to explain the differences, if any, between its
own assessment of its capital needs and targets under the ICAAP,
and the regulatory requirement.
VI. The SREP shall assess and review
the institution's compliance with minimum standards laid down
in the Directive
As part of the SREP, the supervisor must also evaluate the institution's
compliance with the various minimum standards and requirements
under the Directive. These include an evaluation of the methods
and models used in advanced approaches under Pillar 1 and disclosure
under Pillar 3.
VII. The SREP should result in
the identification of existing or potential problems and key risks
faced by the institution; deficiencies in the control and risk
management frameworks; and assess the degree of reliance that
can be placed on the outputs of the institution's ICAAP.
In doing so, the process will enable the supervisory authority
to tailor its approach to the individual institution; drive its
general approach to an institution and its actions; and provide
incentives for institutions to improve their risk management systems.
VIII. The SREP should lead to prudential
measures and other supervisory actions being taken promptly to
address any deficiencies identified according to Principle VII.
a. Having evaluated the adequacy of an institution's capital in
relation to its risk profile, the supervisor should identify any
prudential measures or other supervisory actions required. For
example, where there is an imbalance between business and control
risks, the supervisor should consider the range of remedial supervisory
actions that may be needed to rectify a deficiency in controls
and/or perceived shortfalls in capital, either as a long-term
requirement(s) or as a short-term action(s).
b. The measures available to the supervisory authorities include
the possibility to: (i) require a credit institution to hold own
funds and/or Tier 1 capital above the minimum level laid down,
and/or impose other limitations on own funds; (ii) improve its
internal control and risk management frameworks; (iii) require
credit institutions to apply a specific provisioning policy or
treatment of assets in terms of own fund requirements; (iv) restrict
or limit the business, operations or network of credit institutions;
and (v) reduce the risk inherent in activities, products and systems
of credit institutions.
c. The supervisory authorities acknowledge that the choice of
supervisory action should be determined according to the severity
and underlying causes of the situation and the range of measures/sanctions
available to the supervisor.
d. Such measures can be used singularly or in combination. A specific
own funds requirement shall, however, be imposed at least on an
institution which has an imbalance between its business risks
and internal control/risk frameworks which cannot be remedied
by other prudential measures or supervisory actions within an
appropriate timeframe.
e. A specific own funds requirement may be set to reflect the
outcome of an institution's ICAAP; or, for example, where the
supervisor judges the level of own funds held to be inherently
inadequate for the institution's overall risk profile.
IX. The results of the SREP will
be communicated to the institution, at the appropriate level (usually
senior executive/management body), together with the action that
is required of the institution, and any significant action planned
by the authority.
a. The authorities will convey the results of the risk assessment
to the institution. This may be done as part of the discussion
between the authority and an institution on the internal systems
to assess capital adequacy. In doing so, the authority will: (i)
explain in sufficient detail the factors which have led to the
risk assessment conclusions; (ii) indicate areas of weakness and
the timeframe for remedial action; (iii) explain the reasons for
any adjustment to the capital requirements; (iv) provide pointers
as to what improvements could be made to systems and controls
to make them adequate for the risks/activities of the institution,
and hence be reflected in the capital requirements.
b. In relation to the communication of the results of the risk
assessment to the auditors, it is recognised that the relationship
between the supervisory authority and the institution's auditors
varies from country to country and that, in some cases, it may
not be appropriate to discuss the results of the assessment with
the auditors.
X. The supervisory evaluation should
be formally reviewed at least on an annual basis, in order to
ensure that it is up to date and remains accurate.
a. The authorities agree that this review may not always constitute
a full risk assessment.
b. However, the authority will at least take stock of any significant
changes to the overall risk profile over the past year. In so
doing, the authority will take into account the results of any
supervisory visits, inspections and other information received
during the period, and consider whether the timing of the next
full assessment agreed during the previous full assessment process
remains appropriate.
c. The nature of the review will depend on the nature and scale
of the institution, taking into account the cost/benefit of such
an exercise, and the extent to which there have been changes (either
institutional or environmental) during the past year that might
have impacted on the risk profile.
d. Notwithstanding the above, any significant new information
received in the course of ongoing monitoring/supervision and which
may impact on the risk profile will trigger consideration by the
authority of the need for a formal review or a full risk assessment.
XI. The depth of the SREP can be
varied according to the systemic importance and either the nature
and scale (size, risk profile and complexity) of the institution,
or the overall assessment of the quality of governance, management
and systems and controls, or both.
Competent authorities shall determine for each institution the
frequency, intensity and scope of the evaluation process having
regard to the systemic importance, nature, scale and complexity
of the activities of the institution concerned. This concept of
proportionality covers the whole risk management and assessment
process and supervisory review including the ICAAP, the SREP (and
RAS), as well as the intensity of the dialogue between the supervisor
and the institution.
Annex A
Minimum Content of Risk Assessment Systems
1. This annex concentrates on the supervisor's internal processes
for organising, performing and managing their Risk Assessment.
The purpose is to achieve a necessary degree of convergence of
supervisory practice across the supervisory authorities in the
EEA in respect of the following areas:
- Creating insights into the risk profiles of the supervised institutions;
- Providing input for the planning process of the supervisor and
efficient and effective allocation of resources;
- Facilitating effective communication with supervisory colleagues;
- Identifying any corrective action which needs to be taken.
RAS High Level Principles
I. Overall assessment:
In order to carry out an overall assessment of an
institution the Supervisory Authority should define guidelines
covering both risks and controls. The overall assessment of the
risks and controls should be done in a way that facilitates organising
(i.e. planning, prioritising and allocating) the use of resources
for those (areas within) credit institutions that require the
most attention. The Supervisory Authority should have individual
ratings for risks and controls.
II. Creating a 'break down' of
the credit institution:
In order to adequately capture all risks and controls,
the supervisor should perform a breakdown of each institution
to the level where these are actually run or performed (depending
on the scale and structure of the institution, this might be business
units, business lines, or processes within the same business unit).
The supervisor should set clear rules and standards for such a
breakdown process, considering both the need to keep it proportionate
to the scale and complexity of each institution and the objectives
of the RAS as a planning tool for supervisory work.
III. Comparability of risk assessment:
A risk assessment system
should encompass all the relevant risks and risk management/internal
controls, while at the same time making a clear distinction between
the two. To support the comparability of different risk assessment
systems, each jurisdiction should be able to map its own classification
to the risks and risk management/internal controls mentioned (in
annex B) which encompasses the risks identified in the second
Basel accord.
IV. Quantitative and qualitative assessment:
In order to make the
results of the risk assessments comparable between the various
institutions within a country and between countries the results
of the risk assessment of the Supervisory Authority should be
both quantitative and qualitative in nature.
V. Quality assurance:
Procedures for quality
assurance should be in place in order to maintain the quality
and consistency of risk assessments. Quality assurance is an integral
element of the overall process. It is provided to maintain the
quality and consistency of assessment results.
VI. Information Collection and Verification:
Arrangements should
be in place for the collection and verification of any information
considered relevant to the evaluation process, using any reasonable
means, and the authority must be able to verify its quality. The extent to which
information is taken into account in the risk assessment will
depend on the quality, independence and reliability of that information,
as adjudged by the authority.
VII. Communication of methodology:
Supervisory authorities
will communicate their general risk assessment methodology to
the institutions to which it applies, and such information will
also be available to the general public.
Annex B
SREP: Business Risks and Control Factors
[NB This list is provisional and may need to be updated in order
to match the final set of risks and controls in the Basel Accord
and the Capital Requirements Directive]
| Risk factors | Short definition |
| --- | --- |
| Credit risk | Credit risk is the current or prospective risk to earnings and capital arising from an obligor's failure to meet the terms of any contract with the institution or otherwise fail to perform as agreed. This risk comprises concentration risk, residual risk, the credit risk in securitisation and cross border (or transfer) risk. |
| Market risk | Market risk is the current or prospective risk to earnings and capital arising from adverse movements in bond prices, security and commodity prices and foreign exchange rates in the trading book. This risk arises from market making, dealing, and position taking in bonds, securities, currencies, commodities, and derivatives (bonds, securities, currencies, and commodities). This risk comprises foreign exchange risk, defined as the current or prospective risk to earnings and capital arising from adverse movements in currency exchange rates in the banking book. |
| Interest rate risk | This is the current or prospective risk to earnings and capital arising from adverse movements in interest rates in the banking book. |
| Liquidity risk | This is the current or prospective risk to earnings and capital arising from an institution's inability to meet its liabilities when they come due without incurring unacceptable losses. |
| Operational risk | Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk. It includes, amongst others, IT risk, legal and integrity risk. |
| Strategic risk | Strategic risk is the current or prospective risk to earnings and capital arising from changes in the business environment and from adverse business decisions, improper implementation of decisions or lack of responsiveness to changes in the business environment. |
| Reputation risk | Reputation risk is the current or prospective risk to earnings and capital arising from adverse perception of the image of the financial institution by customers, counterparties, shareholders/investors, or regulators. |
| Capital risk | Capital risk refers to an inadequate composition of own funds for the scale and business of the institution or difficulties for the institution to raise additional capital, especially if this needs to be done quickly or at a time when market conditions are unfavourable. |
| Earnings risk | Earnings risk refers to an inadequate diversification of earnings or the inability for the institution to provide a sufficient and permanent level of profitability due for example to an inadequate cost to income ratio. |

| Control factors | Short comments |
| --- | --- |
| Risk management & Internal controls | Internal controls comprise the risk management framework, financial and management reporting, operations risk controls, audit controls, compliance controls, IT controls and HR controls. Internal Controls enable mitigation of inherent risk by timely and appropriate identification, measurement, monitoring and management of all risks within the business processes. |
| Organisation | Organisation comprises the organisation structure, group relationship, reporting lines and responsibility structure. Organisation enables mitigation of inherent risk by a transparent organisation structure, clear relationships between activities, management units, and group functions, adequate reporting on all levels and an adequate responsibility and authorisation structure within the business processes. |
| Management | Management comprises management quality and structure, decision making process, strategic planning process and risk-control attitude. Management should enable mitigation of inherent risk through a management structure and composition in line with the volume, scope and complexity of the business, clear and comprehensive allocation of responsibilities and adequate management oversight and control, including fostering a culture of risk and control awareness within the business processes. |


