The September 2009 edition
of the International Association of
Risk and Compliance
Professionals (IARCP)
newsletter
Dear
member,
Welcome to the September
newsletter of our Association. It is a long one,
as we have to
discuss what has happened during the summer.
A. GOOD DEFINITION TO SUPERVISION AND
REGULATION
House of
Lords
European Union Committee: The future of EU financial
regulation and supervision - Summary of
Conclusions
The definition of
regulation and supervision
We observed an
inconsistency among our witnesses in the use of the terms regulation
and supervision, which were often used interchangeably.
Supervision has to do with monitoring
and enforcement, and regulation with rule making.
Clive Maxwell, Director for Financial Stability at HM
Treasury, described regulation as "actual hard rules that are
written down" and supervision as "the
application of those rules to a particular firm or group of firms
and going in there and making sure that they are following those
rules".
The purpose of regulation
and supervision
The pursuit of financial stability is
the common goal of both regulation and
supervision.
Regulation should aim to safeguard a stable
financial system, whilst also offering protection to consumers.
Rules should be as simple and clear as possible, to avoid
both confusion and loopholes.
However, more regulation is not necessarily better.
Hastily applied regulation addressing a newsworthy problem
can often cause more harm than good.
The
quality of regulation is therefore more crucial than the quantity.
Professor Goodhart told us that what makes sense for
the institution individually frequently makes no sense at all for
the system as a whole.
For example, if an institution runs
into difficulties, its normal response is to cut back on new loans.
If every institution does this the whole system can implode.
Regulation must therefore work in the
interests of the whole system rather than individual institutions.
Supervision should ensure that a
bank or financial institution subject to regulation follows the
rules correctly and uniformly, that they adequately manage
their risks and that they adhere to certain minimum standards.
It should also examine the system of banks and financial
institutions as a whole to detect risks affecting the entire system.
Supervisors can issue binding decisions and impose penalties
on those institutions that do not adhere to the rules.
The work of a supervisory body usually consists of
four separate roles:
Licensing-the granting of permission
for a financial institution to operate within its jurisdiction;
Oversight-the monitoring of asset quality, capital adequacy,
liquidity, internal controls and earnings;
Enforcement-the
application of monetary fines or other penalties to those
institutions which do not adhere to the regulatory regime; and
Crisis management-including the institution of deposit
insurance schemes, lender of last resort assistance and insolvency
proceedings.
A distinction is now made between macro-
and micro-prudential supervision.
Macro-prudential supervision is the analysis of
trends and imbalances in the financial system and the detection of
systemic risks that these trends may pose to financial institutions
and the economy.
The focus of macro-prudential supervision
is the safety of the financial and economic system as a whole, the
prevention of systemic risk.
Micro-prudential supervision is the day-to-day
supervision of individual financial institutions.
The focus
of micro-prudential supervision is the safety and soundness of
individual institutions as well as consumer protection.
The
same or a separate supervisor can carry out these two functions.
If different supervisors carry out these functions they must
work together to provide mechanisms to counteract macro-prudential
risks at a micro-prudential level.
Because micro-prudential supervision monitors the degree to
which the banks abide by the rules, there is a connection between
regulation and supervision, since the very process of supervision is
subject to regulation.
B. SARBANES OXLEY
Breaking News:
Prepare for the amendment of the
Sarbanes-Oxley Act of 2002 to permit confidential supervisory
information sharing with foreign auditor oversight
bodies.
One critical step for the mutual recognition and
cooperation with the supervisory authorities of the European Union
and other countries.
111TH CONGRESS 1ST SESSION H. R.
3346
To amend the Sarbanes-Oxley Act of 2002 to permit the
sharing of confidential supervisory information with foreign auditor
oversight bodies.
IN THE HOUSE OF REPRESENTATIVES, JULY 27,
2009
Mr. FRANK of Massachusetts (for himself and Mr.
KANJORSKI) introduced the following bill; which was referred to the
Committee on Financial Services
A
BILL
To amend the Sarbanes-Oxley Act of 2002 to permit the
sharing of confidential supervisory information with foreign auditor
oversight bodies.
Be it enacted by the Senate and
House of Representa tives of the United States of America in
Congress assembled,
SECTION 1. AUTHORITY TO SHARE CERTAIN
INFORMATION.
(a) DEFINITION.- Section 2(a) of the Sarbanes-
Oxley Act of 2002 (15 U.S.C. 7201(a)) is amended by inserting after
paragraph (16) the following:
''(17) FOREIGN AUDITOR OVERSIGHT AUTHORITY.-The
term 'foreign auditor oversight authority' means any governmental
body or other entity empowered by a foreign government to conduct
inspections of public accounting firms or otherwise to administer or
enforce laws related to the regulation of public accounting
firms.''.
(b) AVAILABILITY TO SHARE
INFORMATION.-Section 105(b)(5) of the Sarbanes-Oxley Act of 2002 (15
U.S.C. 7215(b)(5)) is amended by adding at the end the
following:
''(C) AVAILABILITY TO FOREIGN
OVERSIGHT AUTHORITIES.-When in the Board's discretion it is
necessary to accomplish the purposes of this Act or to protect
investors, and without the loss of its status as confidential and
privileged in the hands of the Board, all information referred to in
subparagraph (A) that relates to a public accounting firm within the
inspection authority, or other regulatory or law enforcement
jurisdiction, of a foreign auditor oversight authority may be made
available to the foreign auditor oversight authority if the foreign
auditor oversight authority provides such assurances of
confidentiality as the Board determines
appropriate.''.
Notes
Congressman Frank became Chairman of
the Committee on Financial Services in January, 2007. The committee
has a very wide jurisdiction, and it is the second largest committee
in the Congress - there are seventy members.
House Financial Services Committee
The
Committee oversees all components of the US housing and financial
services sectors including banking, insurance, real estate, public
and assisted housing, and securities. The Committee continually
reviews the laws and programs relating to the U.S. Department of
Housing and Urban Development, the Federal Reserve Bank, the Federal
Deposit Insurance Corporation, Fannie Mae and Freddie Mac, and
international development and finance agencies such as the World
Bank and the International Monetary Fund. The Committee also ensures
enforcement of housing and consumer protection laws such as the U.S.
Housing Act, the Truth In Lending Act, the Housing and Community
Development Act, the Fair Credit Reporting Act
It is good to know: The Stages of the US Legislative
Process
Under the United States Constitution, the
power to legislate is vested in the United States Congress. The
Congress is made up of two bodies: the U.S. House of Representatives
and the U.S. Senate. The concurrence of both is required to enact a
law.
The Stages of the US Legislative
Process
1. Bill introduction
2. Referral to
committee(s)
3.
Committee hearings
4. Committee mark-up
5. Committee
report
6. Scheduling legislation
7. House: special
rules, suspension of the rules, or privileged matter
8.
Senate: unanimous consent agreements or motions to proceed
9. Floor debate
10. Floor amendment
11.
Vote on final passage
12. Reconciling differences between
the house and senate
13. Amendments between the houses,
or
14. Conference committee negotiations
15. Floor
debate on conference report
16. Floor vote on conference
report
17. Conference version presented to the president
18.
President signs into law or allows bill to become law without his
signature
19. President vetoes bill
20. First
chamber vote on overriding veto
21. Second chamber vote on
overriding veto
22. Bill becomes law if 2/3 vote to override
is achieved in both chambers
23. Bill fails to become law if
one chamber fails to override
Useful
website:
http://www.thomas.gov
THOMAS was launched
in January of 1995, at the inception of the 104th Congress. The 104th Congress directed the Library of Congress to
make federal legislative information freely available to the
public. Since that time THOMAS has expanded the scope of its
offerings to include the features and content listed
below.
What You Can Find on THOMAS
Bills, Resolutions
Bill
Summary & Status contains information about bills and
amendments. The summary and status information includes:
sponsor(s); cosponsor(s); official, short and popular titles;
floor/executive actions; detailed legislative history; Congressional
Record page references; bill summary; committees of referral;
reporting and origin; subcommittees of referral; links to other
committee information provided by the House of Representatives;
amendment descriptions (and text, when available); subjects
(indexing terms assigned to each bill); a link to the full text
versions and if the bill has been enacted into law, a link to the
full text of the law on the Government Printing Office Web site (in
both text and .PDF formats).
Bill
Summary & Status information is searchable by word/phrase,
subject (index) term, bill/amendment number, stage in the
legislative process, dates of introduction, sponsor/cosponsor and
committee.
The full text of bills can be searched across
multiple Congresses.
Coverage: 101st (1989) through current
Congress
Public Laws by Law
Number
This feature contains Bill Summary & Status
records for each bill that became public law. Laws are listed both
by law number order and in bill number sequence (House Joint
Resolutions, House Bills, Senate Joint Resolutions, Senate
Bills).
Do you know it?
Sarbanes Oxley Act, Section 304 --
Forfeiture of Certain Bonuses and Profits
A. Additional Compensation Prior to Non compliance With
Commission Financial Reporting Requirements.
If an
issuer is required to prepare an accounting restatement due to the
material non compliance of the issuer, as a
result of misconduct, with any financial reporting requirement under
the securities laws, the chief executive officer and chief financial
officer of the issuer shall reimburse the issuer for--
1. Any
bonus or other incentive-based or equity-based compensation received
by that person from the issuer during the 12-month period
following the first public issuance or filing with the Commission
(whichever first occurs) of the financial document embodying such
financial reporting requirement; and
2. Any profits realized from the sale of securities of
the issuer during that 12-month period.
B. Commission
Exemption Authority. The Commission may exempt any person from the
application of subsection (a), as it deems necessary and
appropriate.
Breaking news
On
July 22, 2009, the Securities and Exchange Commission brought an action, under Section 304 of the
Sarbanes-Oxley Act, seeking to compel a former CEO to reimburse his
company and its shareholders more than USD4 million that he received
in bonuses and stock sale profits while the company was committing
accounting fraud.
The SEC made clear that "personal
compensation received by CEOs while the companies they serve engage
in wrongdoing can be clawed back."
SECURITIES AND EXCHANGE COMMISSION, Plaintiff, vs.
***, Defendant.
Plaintiff Securities and Exchange
Commission (the "Commission") alleges as follows:
SUMMARY
By this action, the Commission
seeks an order from this Court, pursuant to Section 304 of the
Sarbanes-Oxley Act, requiring ***, former chairman and chief
executive officer of *** to reimburse the
company for all of his bonuses and other incentive-based and
equity-based compensation, and all of his profits realized from his
sale of company's stock, during the 12-month period following
the issuance of the company's financial statements contained in its
annual reports for fiscal years 2002, 2003 and 2004, all of which
were required to be restated, not once, but twice, as a result of
fraudulent conduct.
C.
BASEL II
Breaking News: Amendment of
Pillar 2
Measures against the "originate-to distribute" business
model
BIS, Enhancements to the Basel II framework, July
2009
Supplemental Pillar 2 Guidance (Supervisory review
process)
I. Introduction and background
A. Scope of
the risk management guidance
1. The purpose of this guidance
is to supplement Basel II's second pillar (supervisory review
process) with respect to banks' firm-wide risk management and
capital planning processes.
Banks and supervisors are
expected to begin implementing this supplemental Pillar 2 guidance
immediately.
2. This guidance addresses
several notable weaknesses that have been revealed in banks' risk
management processes during the financial turmoil that began in
2007.
As such, it contributes to the body of reports
on the source of the turmoil that have been issued by national and
international bodies since the crisis began.
The guidance is
intended to assist banks and supervisors in better identifying and
managing risks in the future and in appropriately capturing risks in
their internal assessments of capital adequacy.
The risk management principles in this guidance
reflect the lessons learned from the turmoil and reinforce how banks
should manage and mitigate their risks that are identified through
the Pillar 2 process.
A thorough and comprehensive
internal capital adequacy assessment process (ICAAP) is a vital
component of a strong risk management programme. The ICAAP should
produce a level of capital adequate to support the nature and level
of the bank's risk.
It is the role of the supervisor to
evaluate the sufficiency of the bank's internal assessment and to
intervene where appropriate.
3. Sound
risk management processes are necessary to support supervisory and
market participants' confidence in banks' assessments of their risk
profiles and internal capital adequacy assessments.
These processes take on particular importance in
light of the identification, measurement and aggregation challenges
arising from increasingly complex on- and off-balance sheet
exposures.
The areas addressed by this supplemental guidance
include:
� Firm-wide risk
oversight;
� Specific risk management topics:
- Risk
concentrations;
- Off-balance sheet exposures with a focus on
securitisation;
- Reputational risk and implicit support;
-
Valuation and liquidity risks;
- Sound stress testing practices;
and
- Sound compensation practices.
4. When
assessing whether a bank is appropriately capitalised, bank
management should ensure that it properly identifies and measures
the risks to which the bank is exposed.
A
financial institution's ICAAP should be conducted on a consolidated
basis and, when deemed necessary by the appropriate supervisors, at
the legal entity level for each bank in the group.
In
addition, the ICAAP should incorporate stress testing to complement
and help validate other quantitative and qualitative approaches so
that bank management may have a more complete understanding of the
bank's risks and the interaction of those risks under stressed
conditions.
A bank also should perform a careful analysis of
its capital instruments and their potential performance during times
of stress, including their ability to absorb losses and support
ongoing business operations.
A bank's
ICAAP should address both short- and long-term needs and
consider the prudence of building excess capital over benign periods
of the credit cycle and also to withstand a severe and prolonged
market downturn.
Differences between the capital assessment
under a bank's ICAAP and the supervisory assessment of capital
adequacy made under Pillar 2 should trigger a dialogue that is
proportionate to the depth and nature of such differences.
5.
Pillar 1 capital requirements represent minimum requirements.
An appropriate level of capital under Pillar 2 should exceed
the minimum Pillar 1 requirement so that all risks of a bank - both
on- and off-balance sheet - are adequately covered, particularly
those related to complex capital market activities.
This
will help ensure that a bank maintains sufficient capital for risks
not adequately addressed through Pillar 1 and that it will be able
to operate effectively throughout a severe and prolonged period of
financial market stress or an adverse credit cycle, in part, by
drawing down on the capital buffer built-up
during good times.
While all banks must comply with
the minimum capital requirements during and after such stress
events, it is imperative that systemically important banks have the
shock absorption capability to adequately protect against severe
stress events.
6. The detail and sophistication of a bank's
risk management programmes should be commensurate with the size and
complexity of its business and the overall level of risk that the
bank accepts. This guidance, therefore, should be applied to banks
on a proportionate basis.
B. Need for improved risk management
7.
The financial market crisis that began in mid-2007 has resulted in
substantial financial losses. It is evident that many financial
institutions did not fully understand the risks associated with the
businesses and structured credit products in which they were
involved.
Moreover, it is now apparent these banks did not
adhere to the fundamental tenets of sound financial judgment and
prudent risk management.
8. While financial institutions have
faced difficulties over the years for a multitude of reasons, the
major causes of serious banking problems continue to be lax credit
standards for borrowers and counterparties, poor portfolio risk
management, and a lack of attention to changes in economic or other
circumstances that can lead to a deterioration in the credit
standing of a bank's counterparties. This experience is common in
both G10 and non-G10 countries.
9.
The financial market crisis has underscored the critical importance
of effective credit risk management to the long-term success of any
banking organisation and as a key component to financial stability.
It has provided a stark reminder of the need for banks to
effectively identify, measure, monitor and control credit risk, as
well as to understand how credit risk interacts with other types of
risk (including market, liquidity and reputational
risk).
The essential elements of a
comprehensive credit risk management programme include
(i)
establishing an appropriate credit risk environment;
(ii)
operating under a sound credit granting process;
(iii)
maintaining an appropriate credit administration, measurement and
monitoring process; and
(iv) ensuring adequate controls over
credit risk.
10. The crisis has also emphasised the
importance of effective capital planning and longer-term capital
maintenance. A bank's ability to withstand uncertain market
conditions is bolstered by maintaining a strong capital position
that accounts for potential changes in the bank's strategy and
volatility in market conditions over time.
Banks should
focus on effective and efficient capital planning, as well as
long-term capital maintenance. An effective capital planning process
requires a bank to assess both the risks to which it is exposed and
the risk management processes in place to manage and mitigate those
risks; evaluate its capital adequacy relative to its risks; and
consider the potential impact on earnings and capital from economic
downturns.
A bank's
capital planning process should incorporate rigorous, forwardlooking
stress testing, as discussed below in section III(F).
11.
Rapid growth in any business activity can
present banks with significant risk management challenges. This was
the case with the expanded use of the "originate-to-distribute"
business model, off-balance sheet vehicles, liquidity facilities and
credit derivatives.
The originate-to-distribute model
and securitisation can enhance credit intermediation and bank
profitability, as well as more widely diversify risk.
Managing the associated risks, however, poses significant
challenges. Indeed, these activities create exposures within
business lines, across the firm and across risk factors that can be
difficult to identify, measure, manage, mitigate and control. This
is especially true in an environment of declining market liquidity,
asset prices and risk appetite.
The inability to properly
identify and measure such risks may lead to unintended risk
exposures and concentrations, which in turn can lead to concurrent
losses arising in several businesses and risk dimensions due to a
common set of factors.
12. Strong demand
for structured products created incentives for banks using the
originate-to-distribute model to originate loans, such as subprime
mortgages, using unsound and unsafe underwriting standards. At the
same time, many investors relied solely on the ratings of the credit
rating agencies (CRAs) when determining whether to invest in
structured credit products.
Many investors conducted
little or no independent due diligence on the structured products
they purchased. Furthermore, many banks had insufficient risk
management processes in place to address the risks associated with
exposures held on their balance sheet, as well as those associated
with off-balance sheet entities, such as
assetbacked commercial paper (ABCP) conduits and structured
investment vehicles (SIVs).
13. Improvements in risk
management must evolve to keep pace with rapid financial innovation.
This is particularly relevant for participants in evolving and
rapidly growing businesses such as those that employ an
originate-to-distribute model.
Innovation has increased the
complexity and potential illiquidity of structured credit products.
This, in turn, can make such products more difficult to value and
hedge, and may lead to inadvertent increases in overall risk.
Further, the increased growth of complex investor-specific products
may result in thin markets that are illiquid, which can expose a
bank to large losses in times of stress if the associated risks are
not well understood and managed in a timely and effective
manner.
C. Supervisory responsibility
14.
Supervisors should determine whether a bank has in place a sound
firm-wide risk management framework that enables it to define its
risk appetite and recognise all material risks, including the risks
posed by concentrations, securitisation, off-balance sheet
exposures, valuation practices and other risk exposures.
The bank can achieve this by:
�
Adequately identifying, measuring, monitoring, controlling and
mitigating these risks;
� Clearly communicating the extent
and depth of these risks in an easily understandable, but accurate,
manner in reports to senior management and the board of directors,
as well as in published financial reports;
� Conducting
ongoing stress testing to identify potential losses and liquidity
needs under adverse circumstances; and
� Setting adequate
minimum internal standards for allowances or liabilities for losses,
capital, and contingency funding.
These elements
should be adequately incorporated into a bank's risk management
system and ICAAP specifically since they are not fully captured by
Pillar 1 of the Basel II framework.
II. Firm-wide risk oversight
A. General firm-wide
risk management principles
15. Recent market events
underscore the importance of senior management taking an integrated,
firm-wide perspective of a bank's risk exposure, in order to support
its ability to identify and react to emerging and growing risks in a
timely and effective manner.
The Basel Committee identified
a number of areas where additional supervisory guidance is
necessary.
The common theme of this guidance is the need to
enhance firm-wide oversight, risk management and controls around
banks' growing capital markets activities, including securitisation,
off-balance sheet exposures, structured credit and complex trading
activities.
A sound risk management
system should have the following key features:
� Active board
and senior management oversight;
� Appropriate policies,
procedures and limits;
� Comprehensive and timely
identification, measurement, mitigation, controlling, monitoring and
reporting of risks;
� Appropriate management information
systems (MIS) at the business and firm-wide level; and
�
Comprehensive internal controls.
B. Board and senior management
oversight
16. It is the responsibility of the board of directors and senior
management to define the institution's risk appetite and to ensure
that the bank's risk management framework includes detailed policies
that set specific firm-wide prudential limits on the bank's
activities, which are consistent with its risk taking appetite and
capacity.
In order to determine the overall risk
appetite, the board and senior management must first have an
understanding of risk exposures on a firm-wide basis.
To
achieve this understanding, the appropriate members of senior
management must bring together the perspectives of the key business
and control functions.
In order to develop an integrated
firm-wide perspective on risk, senior management must overcome
organisational silos between business lines and share information on
market developments, risks and risk mitigation techniques.
As the banking industry has moved increasingly towards
market-based intermediation, there is a greater probability that
many areas of a bank may be exposed to a common set of products,
risk
factors or counterparties.
Senior management should
establish a risk management process that is not limited to credit,
market, liquidity and operational risks, but incorporates all
material risks. This includes reputational, legal and strategic
risks, as well as risks that do not appear to be significant in
isolation, but when combined with other risks could lead to material
losses.
17. The board of directors and
senior management should possess sufficient knowledge of all major
business lines to ensure that appropriate policies, controls and
risk monitoring systems are effective.
They should
have the necessary expertise to understand the capital markets
activities in which the bank is involved - such as securitisation
and off-balance sheet activities - and the associated risks.
The
board and senior management should remain informed on an on-going
basis about these risks as financial markets, risk management
practices and the bank's activities evolve. In addition, the board
and senior management should ensure that accountability and lines of
authority are clearly delineated.
With respect to new or
complex products and activities, senior management should understand
the underlying assumptions regarding business models, valuation and
risk management practices.
In addition, senior management
should evaluate the potential risk exposure if those assumptions
fail.
18. Before embarking on new activities or introducing
products new to the institution, the board and senior management
should identify and review the changes in firm-wide risks arising
from these potential new products or activities and ensure that the
infrastructure and internal controls necessary to manage the related
risks are in place.
In this review, a bank should also
consider the possible difficulty in valuing the new products and how
they might perform in a stressed economic environment.
19.
A bank's risk function and its chief risk
officer (CRO) or equivalent position should be independent of the
individual business lines and report directly to the chief executive
officer (CEO) and the institution's board of directors. In addition,
the risk function should highlight to senior management and the
board risk management concerns, such as risk concentrations and
violations of risk appetite limits.
C. Policies, procedures, limits and
controls
20. Firm-wide risk management programmes
should include detailed policies that set specific firm-wide
prudential limits on the principal risks relevant to a bank's
activities.
A bank's
policies and procedures should provide specific guidance for the
implementation of broad business strategies and should establish,
where appropriate, internal limits for the various types of risk to
which the bank may be exposed.
These limits should consider
the bank's role in the financial system and be defined in relation
to the bank's capital, total assets, earnings or, where adequate
measures exist, its overall risk level.
21. A bank's policies, procedures and limits
should:
� Provide for adequate and timely identification,
measurement, monitoring, control and mitigation of the risks posed
by its lending, investing, trading, securitisation, offbalance
sheet, fiduciary and other significant activities at the business
line and firmwide levels;
� Ensure that the economic
substance of a bank's risk exposures, including reputational risk
and valuation uncertainty, are fully recognised and incorporated
into the bank's risk management processes;
� Be consistent
with the bank's stated goals and objectives, as well as its overall
financial strength;
� Clearly delineate accountability and
lines of authority across the bank's various business activities,
and ensure there is a clear separation between business lines and
the risk function;
� Escalate and address breaches of
internal position limits;
� Provide for the review of new
businesses and products by bringing together all relevant risk
management, control and business lines to ensure that the bank is
able to manage and control the activity prior to it being initiated;
and
� Include a schedule and process for reviewing the
policies, procedures and limits and for updating them as
appropriate.
D. Identifying, measuring, monitoring and reporting of
risk
22. A bank's MIS should provide the board and
senior management in a clear and concise manner with timely and
relevant information concerning their institutions' risk
profile.
This information should include all risk exposures,
including those that are off-balance sheet.
Management should
understand the assumptions behind and limitations inherent in
specific risk measures.
23. The key
elements necessary for the aggregation of risks are an appropriate
infrastructure and MIS that
(i) allow for the aggregation of
exposures and risk measures across business lines and
(ii)
support customised identification of concentrations (see section
III(A) below on risk concentrations) and emerging risks.
MIS developed to achieve this objective should
support the ability to evaluate the impact of various types of
economic and financial shocks that affect the whole of the financial
institution.
Further, a bank's systems should be flexible
enough to incorporate hedging and other risk mitigation actions to
be carried out on a firm-wide basis while taking into account the
various related basis risks.
24. To enable proactive
management of risk, the board and senior management need to ensure that MIS is capable of providing regular,
accurate and timely information on the bank's aggregate risk
profile, as well as the main assumptions used for risk aggregation.
MIS should be adaptable and responsive to changes in
the bank's underlying risk assumptions and should incorporate
multiple perspectives of risk exposure to account for uncertainties
in risk measurement.
In addition, it should be sufficiently
flexible so that the institution can generate forward-looking
bank-wide scenario analyses that capture management's interpretation
of evolving market conditions and stressed conditions. (See section
III(F) below on stress testing.)
Third-party inputs or other
tools used within MIS (eg credit ratings, risk measures, models)
should be subject to initial and ongoing validation.
25.
A bank's MIS should be capable of capturing
limit breaches and there should be procedures in place to promptly
report such breaches to senior management, as well as to ensure that
appropriate follow-up actions are taken. For instance, similar
exposures should be aggregated across business platforms (including
the banking and trading books) to determine whether there is a
concentration or a breach of an internal position limit.
E. Internal controls
26. Risk management
processes should be frequently monitored and tested by independent
control areas and internal, as well as external, auditors. The aim
is to ensure that the information on which decisions are based is
accurate so that processes fully reflect management policies and
that regular reporting, including the reporting of limit breaches
and other exception-based reporting, is undertaken effectively.
The risk management function of banks must be independent of
the business lines in order to ensure an adequate separation of
duties and to avoid conflicts of
interest.
III. Specific risk management topics
A. Risk
concentration
27. Unmanaged risk concentrations are an
important cause of major problems in banks.
A bank should
aggregate all similar direct and indirect exposures regardless of
where the exposures have been booked.
A risk concentration
is any single exposure or group of similar exposures (eg to the same
borrower or counterparty, including protection providers, geographic
area, industry or other risk factors) with the potential to produce
(i) losses large enough (relative to a
bank's earnings, capital, total assets or overall risk level) to
threaten a bank's creditworthiness or ability to maintain its core
operations or
(ii) a material change in a bank's risk
profile.
Risk
concentrations should be analysed on both a bank legal entity
and consolidated basis, as an unmanaged concentration at a
subsidiary bank may appear immaterial at the consolidated level, but
can nonetheless threaten the viability of the subsidiary
organisation.
28. Risk concentrations should be viewed in the
context of a single or a set of closely related risk-drivers that
may have different impacts on a bank. These concentrations should be
integrated when assessing a bank's overall risk exposure.
A
bank should consider concentrations that are based on common or
correlated risk factors that reflect more subtleor more
situation-specific factors than traditional concentrations, such as
correlations between market, credit risks and liquidity
risk.
29. The growth of market-based intermediation has
increased the possibility that different areas of a bank are exposed
to a common set of products, risk factors or counterparties. This
has created new challenges for risk aggregation and concentration
management.
Through its risk management processes and MIS, a
bank should be able to identify and aggregate similar risk exposures
across the firm, including across legal entities, asset types (eg
loans, derivatives and structured products), risk areas (eg the
trading book) and geographic regions.
The typical situations in which risk concentrations
can arise include:
� exposures to a single counterparty,
borrower or group of connected counterparties or borrowers;
�
industry or economic sectors, including exposures to both regulated
and nonregulated financial institutions such as hedge funds and
private equity firms;
� geographical regions;
�
exposures arising from credit risk mitigation techniques, including
exposure to similar collateral types or to a single or closely
related credit protection provider;
� trading
exposures/market risk;
� exposures to counterparties (eg
hedge funds and hedge counterparties) through the execution or
processing of transactions (either product or service);
�
funding sources;
� assets that are held in the banking book
or trading book, such as loans, derivatives and structured products;
and
� off-balance sheet exposures, including guarantees,
liquidity lines and other commitments.
30. Risk
concentrations can also arise through a combination of exposures
across these broad categories. A bank should have an understanding
of its firm-wide risk concentrations resulting from similar
exposures across its different business lines.
Examples of such business lines include subprime
exposure in lending books; counterparty exposures; conduit exposures
and SIVs; contractual and non-contractual exposures; trading
activities; and underwriting pipelines.
31. While risk
concentrations often arise due to direct exposures to borrowers and
obligors, a bank may also incur a concentration to a particular
asset type indirectly through investments backed by such assets (eg
collateralised debt obligations - CDOs), as well as exposure to
protection providers guaranteeing the performance of the specific
asset type (eg monoline insurers).
A bank should have in
place adequate, systematic procedures for identifying high
correlation between the creditworthiness of a protection provider
and the obligors of the underlying exposures due to their
performance being dependent on common factors beyond systematic risk
(ie "wrong way risk").
32. Procedures should be in place to
communicate risk concentrations to the board of directors and senior
management in a manner that clearly indicates where in the
organisation each segment of a risk concentration resides.
A
bank should have credible risk mitigation strategies in place that
have senior management approval.
This may include altering
business strategies, reducing limits or increasing capital buffers
in line with the desired risk profile.
While it implements
risk mitigation strategies, the bank should be aware of possible
concentrations that might arise as a result of employing risk
mitigation techniques.
Enhancements to the Basel II framework
33. Banks should employ a number of techniques, as
appropriate, to measure risk concentrations.
These
techniques include shocks to various risk factors; use of business
level and firm-wide scenarios; and the use of integrated stress
testing and economic capital models.
Identified
concentrations should be measured in a number of ways, including for
example consideration of gross versus net exposures, use of notional
amounts, and analysis of exposures with and without counterparty
hedges.
As set out in paragraph 21 above, a bank should
establish internal position limits for concentrations to which it
may be exposed. When conducting periodic stress tests (see section
III(F)), a bank should incorporate all major risk concentrations and
identify and respond to potential changes in market conditions that
could adversely impact their performance and capital
adequacy.
34. The assessment of such
risks under a bank's ICAAP and the supervisory review process should
not be a mechanical process, but one in which each bank determines,
depending on its business model, its own specific vulnerabilities.
An appropriate level of capital for risk
concentrations should be incorporated in a bank's ICAAP, as well as
in Pillar 2 assessments. Each bank should discuss such issues with
its supervisor.
35. A bank should have in
place effective internal policies, systems and controls to identify,
measure, monitor, manage, control and mitigate its risk
concentrations in a timely manner.
Not only should
normal market conditions be considered, but also the potential
build-up of concentrations under stressed market conditions,
economic downturns and periods of general market illiquidity.
In addition, the bank should assess scenarios that consider
possible concentrations arising from contractual and non-contractual
contingent claims.
The scenarios should also combine the
potential build-up of pipeline exposures together with the loss of
market liquidity and a significant decline in asset
values.
B. Off-balance sheet exposures and securitisation
risk
36. Banks' use of securitisation has grown
dramatically over the last several years.
It has been used as
an alternative source of funding and as a mechanism to transfer risk
to investors. While the risks associated with securitisation are not
new to banks, the recent financial turmoil highlighted unexpected
aspects of credit risk, concentration risk, market risk, liquidity
risk, legal risk and reputational risk, which banks failed to
adequately address.
For instance, a number of banks that
were not contractually obligated to support sponsored securitisation
structures were unwilling to allow those structures to fail due to
concerns about reputational risk and future access to capital
markets.
The support of these structures exposed the banks
to additional and unexpected credit, market and liquidity risk as
they brought assets onto their balance sheets, which put significant
pressure on their financial profile and capital ratios.
37.
Weaknesses in banks' risk management of securitisation and
off-balance sheet exposures resulted in large unexpected losses
during the financial crisis.
To help mitigate these risks, a
bank's on- and off-balance sheet securitisation activities should be
included in its risk management disciplines, such as product
approval, risk concentration limits, and estimates of market, credit
and operational risk (as discussed above in section II).
38.
In light of the wide range of risks arising from securitisation
activities, which can be compounded by rapid innovation in
securitisation techniques and instruments, minimum capital
requirements calculated under Pillar 1 are often insufficient.
All risks arising from securitisation, particularly those
that are not fully captured under Pillar 1, should be addressed in a
bank's ICAAP.
These risks
include:
� Credit, market, liquidity and reputational risk of
each exposure;
� Potential delinquencies and losses on the
underlying securitised exposures;
� Exposures from credit
lines or liquidity facilities to special purpose entities;
and
� Exposures from guarantees provided by monolines and
other third parties.
39. Securitisation exposures
should be included in the bank's MIS to help ensure that senior
management understands the implications of such exposures for
liquidity, earnings, risk concentration and capital.
More
specifically, a bank should have the necessary processes in place to
capture in a timely manner updated information on securitisation
transactions including market data, if available, and updated
performance data from the securitisation trustee or
servicer.
Risk evaluation and management
40. A
bank should conduct analyses of the underlying risks when investing
in the structured products and must not solely rely on the external
credit ratings assigned to securitisation exposures by the CRAs.
A bank should be aware that external ratings are a useful
starting point for credit analysis, but are no substitute for full
and proper understanding of the underlying risk, especially where
ratings for certain asset classes have a short history or have been
shown to be volatile.
Moreover, a bank
also should conduct credit analysis of the securitisation exposure
at acquisition and on an ongoing basis. It should also have in place
the necessary quantitative tools, valuation models and stress tests
of sufficient sophistication to reliably assess all relevant
risks.
41. When assessing securitisation exposures, a
bank should ensure that it fully understands the credit quality and
risk characteristics of the underlying exposures in structured
credit transactions, including any risk concentrations.
In
addition, a bank should review the maturity of the exposures
underlying structured credit transactions relative to the issued
liabilities in order to assess potential maturity
mismatches.
42. A bank should track credit risk in
securitisation exposures at the transaction level and across
securitisations exposures within each business line and across
business lines.
It should produce
reliable measures of aggregate risk.
A bank also
should track all meaningful concentrations in
securitisation exposures, such as name, product or sector
concentrations, and feed this information to firm-wide risk
aggregation systems that track, for example, credit exposure to a
particular obligor.
43. A bank's own assessment of
risk needs to be based on a comprehensive understanding of the
structure of the securitisation transaction.
It should
identify the various types of triggers, credit events and other
legal provisions that may affect the performance of its on- and
off-balance sheet exposures and integrate these triggers and
provisions into its funding/liquidity, credit and balance sheet
management.
The impact of the events or triggers on a bank's
liquidity and capital position should also be considered.
44.
Banks either underestimated or did not anticipate that a market-wide
disruption could prevent them from securitising warehoused or
pipeline exposures and did not anticipate the effect this could have
on liquidity, earnings and capital adequacy.
As part of its
risk management processes, a bank should consider and, where
appropriate, mark-tomarket warehoused positions, as well as those in
the pipeline, regardless of the probability of securitising the
exposures.
It should consider scenarios which may prevent it
from securitising its assets as part of its stress testing (as
discussed below in section III(F)) and identify the potential effect
of such exposures on its liquidity, earnings and capital
adequacy.
45. A bank should develop prudent contingency plans
specifying how it would respond to funding, capital and other
pressures that arise when access to securitisation markets is
reduced.
The contingency plans should also address how the
bank would address valuation challenges for potentially illiquid
positions held for sale or for trading.
The risk measures,
stress testing results and contingency plans should be incorporated
into the bank's risk management processes and its ICAAP, and should
result in an appropriate level of capital under Pillar 2 in excess
of the minimum requirements.
46. A bank that employs risk
mitigation techniques should fully understand the risks to be
mitigated, the potential effects of that mitigation and whether or
not the mitigation is fully effective.
This is to help
ensure that the bank does not understate the true risk in its
assessment of capital.
In particular, it should consider
whether it would provide support to the securitisation structures in
stressed scenarios due to the reliance on securitisation as a
funding tool.
C. Reputational risk and implicit support
47.
Reputational risk can be defined as the risk arising from negative
perception on the part of customers, counterparties, shareholders,
investors, debt-holders, market analysts, other relevant parties or
regulators that can adversely affect a bank's ability to maintain
existing, or establish new, business relationships and continued
access to sources of funding (eg through the interbank or
securitisation markets).
Reputational risk is multidimensional and reflects the perception of other
market participants.
Furthermore, it exists
throughout the organisation and exposure to reputational risk is
essentially a function of the adequacy of the bank's internal risk
management processes, as well as the manner and efficiency with
which management responds to external influences on bank-related
transactions.
48. Reputational risk can
lead to the provision of implicit support, which may give rise to
credit, liquidity, market and legal risk - all of which can have a
negative impact on a bank's earnings, liquidity and capital
position.
A bank should identify potential sources of
reputational risk to which it is exposed.
These include the
bank's business lines, liabilities, affiliated operations,
off-balance sheet vehicles and the markets in which it operates.
The risks that arise should be incorporated into the bank's
risk management processes and appropriately addressed in its ICAAP
and liquidity contingency plans.
49.
Prior to the 2007 upheaval, many banks failed to recognise the
reputational risk associated with their off-balance sheet vehicles.
In stressed conditions some firms went beyond their contractual
obligations to support their sponsored securitisations and
offbalance sheet vehicles.
A bank should incorporate
the exposures that could give rise to reputational risk into its
assessments of whether the requirements under the securitisation
framework have been met and the potential adverse impact of
providing implicit support.
50. Reputational risk may arise,
for example, from a bank's sponsorship of securitisation structures
such as ABCP conduits and SIVs, as well as from the sale of credit
exposures to securitisation trusts.
It may also arise from a
bank's involvement in asset or funds management, particularly when
financial instruments are issued by owned or sponsored entities and
are distributed to the customers of the sponsoring bank. In the
event that the instruments were not correctly priced or the main
risk drivers not adequately disclosed, a sponsor may feel some
responsibility to its customers, or be economically compelled, to
cover any losses.
Reputational risk also
arises when a bank sponsors activities such as money market mutual
funds, in-house hedge funds and real estate investment trusts
(REITs). In these cases, a bank may decide to support the value of
shares/units held by investors even though is not contractually
required to provide the support.
51. The financial
market crisis has provided several examples of banks providing
financial support that exceeded their contractual obligations. In
order to preserve their reputation, some banks felt compelled to
provide liquidity support to their SIVs, which was beyond their
contractual obligations.
In other cases, banks purchased
ABCP issued by vehicles they sponsored in order to maintain market
liquidity. As a result, these banks assumed additional liquidity and
credit risks, and also put pressure on capital ratios.
52.
Reputational risk also may affect a bank's liabilities, since market
confidence and a bank's ability to fund its business are closely
related to its reputation.
For instance, to avoid damaging
its reputation, a bank may call its liabilities even though this
might negatively affect its liquidity profile.
This is
particularly true for liabilities that are components of regulatory
capital, such as hybrid/subordinated debt. In such cases, a bank's
capital position is likely to suffer.
53.
Bank management should have appropriate policies in place to
identify sources of reputational risk when entering new markets,
products or lines of activities.
In addition, a
bank's stress testing procedures should take account of reputational
risk so management has a firm understanding of the consequences and
second round effects of reputational risk.
54. Once a bank
identifies potential exposures arising from reputational concerns,
it should measure the amount of support it might have to provide
(including implicit support of securitisations) or losses it might
experience under adverse market conditions.
In particular, in order to avoid reputational damages
and to maintain market confidence, a bank should develop
methodologies to measure as precisely as possible the effect of
reputational risk in terms of other risk types (eg credit,
liquidity, market or operational risk) to which it may be exposed.
This could be accomplished by including reputational
risk scenarios in regular stress tests.
For instance,
non-contractual off-balance sheet exposures could be included in the
stress tests to determine the effect on a bank's credit, market and
liquidity risk profiles.
Methodologies
also could include comparing the actual amount of exposure carried
on the balance sheet versus the maximum exposure amount held
off-balance sheet, that is, thepotential amount to which the bank
could be exposed.
55. A bank should pay particular
attention to the effects of reputational risk on its overall
liquidity position, taking into account both possible increases in
the asset side of the balance sheet and possible restrictions on
funding, should the loss of reputation result in various
counterparties' loss of confidence. (See section III(E) on the
management of liquidity risk.)
56. In contrast to
contractual credit exposures, such as guarantees, implicit support
is a more subtle form of exposure. Implicit support arises when a
bank provides post-sale support to a securitisation transaction in
excess of any contractual obligation.
Such non-contractual
support exposes a bank to the risk of loss, such as loss arising
from deterioration in the credit quality of the securitisation's
underlying assets.
57. By providing implicit support, a bank
signals to the market that all of the risks inherent in the
securitised assets are still held by the organisation and, in
effect, had not been transferred.
Since the risk arising
from the potential provision of implicit support is not captured ex
ante under Pillar 1, it must be considered as part of the Pillar 2
process. In addition, the processes for approving new products or
strategic initiatives should consider the potential provision of
implicit support and should be incorporated in a bank's ICAAP.
D. Valuation practices
58. In order to
enhance the supervisory assessment of banks' valuation practices,
the Basel Committee published Supervisory guidance for assessing
banks' financial instrument fair value practices in April
2009.
This guidance applies to all positions that are
measured at fair value and at all times, not only during times of
stress.
59. The characteristics of complex structured
products, including securitisation transactions, make their
valuation inherently difficult due, in part, to the absence of
active and liquid markets, the complexity and uniqueness of the cash
waterfalls, and the links between valuations and underlying risk
factors.
The absence of a transparent
price from a liquid market means that the valuation must rely on
models or proxy-pricing methodologies, as well as on expert
judgment.
The outputs of such models and processes
are highly sensitive to the inputs and parameter assumptions
adopted, which may themselves be subject to estimation error and
uncertainty.
Moreover, calibration of the valuation
methodologies is often complicated by the lack of readily available
benchmarks.
60. Therefore, a bank is
expected to have adequate governance structures and control
processes for fair valuing exposures for risk management and
financial reporting purposes.
The valuation governance
structures and related processes should be embedded in the overall
governance structure of the bank, and consistent for both risk
management and reporting purposes.
The
governance structures and processes are expected to explicitly cover
the role of the board and senior management. In addition, the board
should receive reports from senior management on the valuation
oversight and valuation model performance issues that are brought to
senior management for resolution, as well as all significant changes
to valuation policies.
61. A bank should also have clear and
robust governance structures for the production, assignment and
verification of financial instrument valuations.
Policies should ensure that the approvals of all
valuation methodologies are well documented.
In
addition, policies and procedures should set forth the range of
acceptable practices for the initial pricing,
markingto-market/model, valuation adjustments and periodic
independent revaluation.
New product approval processes
should include all internal stakeholders relevant to risk
measurement, risk control, and the assignment and verification of
valuations of financial instruments.
62. A bank's control
processes for measuring and reporting valuations should be
consistently applied across the firm and integrated with risk
measurement and management processes.
In particular,
valuation controls should be applied consistently across similar
instruments (risks) and consistent across business lines (books).
These controls should be subject to
internal audit.
Regardless of the booking location of
a new product, reviews and approval of valuation methodologies must
be guided by a minimum set of considerations.
Furthermore,
the valuation/new product approval process should be supported by a
transparent, well-documented inventory of acceptable valuation
methodologies that are specific to products and
businesses.
63. In order to establish and
verify valuations for instruments and transactions in which it
engages, a bank must have adequate capacity, including during
periods of stress.
This capacity should be
commensurate with the importance, riskiness and size of these
exposures in the context of the business profile of the institution.
In addition, for those exposures that represent material
risk, a bank is expected to have the capacity to produce valuations
using alternative methods in the event that primary inputs and
approaches become unreliable, unavailable or not relevant due to
market discontinuities or illiquidity.
A
bank must test and review the performance of its models under stress
conditions so that it understands the limitations of the models
under stress conditions.
64. The relevance and
reliability of valuations is directly related to the quality and
reliability of the inputs.
A bank is
expected to apply the accounting guidance provided to determine the
relevant market information and other factors likely to have a
material effect on an instrument's fair value when selecting the
appropriate inputs to use in the valuation process.
Where values are determined to be in an active
market, a bank should maximise the use of relevant observable inputs
and minimise the use of unobservable inputs when estimating fair
value using a valuation technique.
However, where a market
is deemed inactive, observable inputs or transactions may not be
relevant, such as in a forced liquidation or distress sale, or
transactions may not be observable, such as when markets are
inactive.
In such cases, accounting fair value guidance
provides assistance on what should be considered, but may not be
determinative.
In assessing whether a
source is reliable and relevant, a bank should consider, among other
things:
� the frequency and availability of the
prices/quotes;
� whether those prices represent actual
regularly occurring transactions on an arm's length basis;
�
the breadth of the distribution of the data and whether it is
generally available to the relevant participants in the
market;
� the timeliness of the information relative to the
frequency of valuations;
� the number of independent sources
that produce the quotes/prices;
� whether the quotes/prices
are supported by actual transactions;
� the maturity of the
market; and
� the similarity between the financial instrument
sold in a transaction and the instrument held by the
institution.
65. A bank's external reporting should
provide timely, relevant, reliable and decisionuseful information
that promotes transparency.
Senior management should
consider whether disclosures around valuation uncertainty can be
made more meaningful.
For instance, the bank may describe
the modelling techniques and the instruments to which they are
applied; the sensitivity of fair values to modelling inputs and
assumptions; and the impact of stress scenarios on valuations.
A bank should regularly review its disclosure policies to
ensure that the information disclosed continues to be relevant to
its business model and products and to current market
conditions.
E. Liquidity risk management and
supervision
66. The financial market crisis
underscores the importance of assessing the potential impact of
liquidity risk on capital adequacy in a bank's ICAAP.
Senior management should consider the relationship
between liquidity and capital since liquidity risk can impact
capital adequacy which, in turn, can aggravate a bank's liquidity
profile.
67. In September 2008, the Committee
published Principles for Sound Liquidity Risk Management and
Supervision, which stresses that banks need to have strong liquidity
cushions in order to weather prolonged periods of financial market
stress and illiquidity.
The standards address many of the
shortcomings experienced by the banking sector during the market
turmoil that began in mid-2007, including those related to stress
testing practices, contingency funding plans, management of on- and
off-balance sheet activity and contingent commitments.
68.
The Committee's liquidity guidance outlines requirements for sound
practices for the liquidity risk management of banks.
The
fundamental principle is that a bank should both assiduously manage
its liquidity risk and also maintain sufficient liquidity to
withstand a range of stress events.
Liquidity is a critical element of a bank's
resilience to stress, and as such, a bank should maintain a
liquidity cushion, made up of unencumbered, high quality liquid
assets, to protect against liquidity stress events, including
potential losses of unsecured and typically available secured
funding sources.
69. A key element in the management
of liquidity risk is the need for strong governance of liquidity
risk, including the setting of a liquidity risk tolerance by the
board.
The risk tolerance should be communicated
throughout the bank and reflected in the strategy and policies that
senior management set to manage liquidity risk.
Another
facet of liquidity risk management is that a bank should
appropriately price the costs, benefits and risks of liquidity into
the internal pricing, performance measurement, and new product
approval process of all significant business activities.
70.
A bank is expected to be able to thoroughly identify, measure and
control liquidity risks, especially with regard to complex products
and contingent commitments (both contractual and non-contractual).
This process should involve the ability to project cash
flows arising from assets, liabilities and off-balance sheet items
over various time horizons, and should ensure diversification in
both the tenor and source of funding.
A
bank should utilise early warning indicators to identify the
emergence of increased risk or vulnerabilities in its liquidity
position or funding needs.
It should have the ability
to control liquidity risk exposure and funding needs, regardless of
its organisation structure, within and across legal entities,
business lines, and currencies, taking into account any legal,
regulatory and operational limitations to the transferability of
liquidity.
71. A bank's failure to effectively manage
intraday liquidity could leave it unable to meet its payment
obligations at the time expected, which could lead to liquidity
dislocations that cascade quickly across many systems and
institutions.
As such, the bank's
management of intraday liquidity risks should be considered as a
crucial part of liquidity risk management.
It should
also actively manage its collateral positions and have the ability
to calculate all of its collateral positions.
72. While banks
typically manage liquidity under "normal" circumstances, they should
also be prepared to manage liquidity under stressed conditions.
A bank should perform stress tests or
scenario analyses on a regular basis in order to identify and
quantify their exposures to possible future liquidity stresses,
analysing possible impacts on the institutions' cash flows,
liquidity positions, profitability, and solvency.
The
results of these stress tests should be discussed thoroughly by
management, and based on this discussion, should form the basis for
taking remedial or mitigating actions to limit the bank's exposures,
build up a liquidity cushion, and adjust its liquidity profile to
fit its risk tolerance.
The results of stress tests should
also play a key role in shaping the bank's contingency funding
planning, which should outline policies for managing a range of
stress events and clearly sets out strategies for addressing
liquidity shortfalls in emergency situations.
73. As public disclosure increases certainty in the
market, improves transparency, facilitates valuation, and
strengthens market discipline, it is important that banks publicly
disclose information on a regular basis that enables market
participants to make informed decisions about the soundness of their
liquidity risk management framework and liquidity
position.
74. The liquidity guidance also augments
sound practices for supervisors and emphasises the importance of
assessing the adequacy of a bank's liquidity risk management and its
level of liquidity.
The
guidance emphasises the importance of supervisors assessing the
adequacy of a bank's liquidity risk management framework and its
level of liquidity, and suggests steps that supervisors should take
if these are deemed inadequate.
The principles also stress
the importance of effective cooperation between supervisors and
other key stakeholders, such as central banks, especially in times
of stress.
F. Sound stress testing practices
75. In
order to strengthen banks' stress testing practices, as well as
improve supervision of those practices, in May 2009 the Basel
Committee published Principles for sound stress testing practices
and supervision.
Improvements in stress testing alone cannot
address all risk management weaknesses, but as part of a
comprehensive approach, stress testing has a leading role to play in
strengthening bank corporate governance and the resilience of
individual banks and the financial system.
76. Stress testing is an important tool that is used
by banks as part of their internal risk management that alerts bank
management to adverse unexpected outcomes related to a broad variety
of risks, and provides an indication to banks of how much capital
might be needed to absorb losses should large shocks occur.
Moreover, stress testing supplements other risk
management approaches and measures.
It
plays a particularly important role in:
� providing forward
looking assessments of risk,
� overcoming limitations of
models and historical data,
� supporting internal and
external communication,
� feeding into capital and liquidity
planning procedures,
� informing the setting of a banks' risk
tolerance,
� addressing existing or potential, firm-wide risk
concentrations, and
� facilitating the development of risk
mitigation or contingency plans across a range of stressed
conditions.
Stress testing is especially important
after long periods of benign risk, when the fading memory of
negative economic conditions can lead to complacency and the
underpricing of risk, and when innovation leads to the rapid growth
of new products for which there is limited or no loss
data.
77. Stress testing should form an integral part of the overall governance and
risk management culture of the bank.
Board and senior management involvement in setting
stress testing objectives, defining scenarios, discussing the
results of stress tests, assessing potential actions and decision
making is critical in ensuring the appropriate use of stress testing
in banks' risk governance and capital planning.
Senior management should take an active interest in
the development in, and operation of, stress testing.
The
results of stress tests should contribute to strategic decision
making and foster internal debate regarding assumptions, such as the
cost, risk and speed with which new capital could be raised or that
positions could be hedged or sold.
Board
and senior management involvement in the stress testing program is
essential for its effective operation.
78. To provide
a complementary risk perspective to other risk management tools such
as Value at Risk (VaR) and economic capital, stress tests should be
used to provide an independent risk perspective.
Stress tests should complement risk management models
that are based on complex, quantitative models using backward
looking data and estimated statistical relationships.
In
particular, stress testing outcomes for a particular portfolio can
provide insights about the validity of statistical models at high
confidence intervals, used to determine for example
VaR.
79. Therefore, a bank's capital planning process
should incorporate rigorous, forwardlooking stress testing that
identifies possible events or changes in market conditions that
could adversely impact the bank.
Banks, under their ICAAPs,
and supervisors, under Pillar 2, should examine future capital
resources and capital requirements under adverse scenarios. In
particular, the results of forward-looking stress testing should be
considered when evaluating the adequacy of a bank's capital buffer.
Capital adequacy should be assessed under stressed
conditions against a variety of capital ratios, including regulatory
ratios, as well as ratios based on the bank's internal definition of
capital resources. In addition, the possibility that a crisis
impairs the ability of even very healthy banks to raise funds
at
reasonable cost should be considered.
80. Stress
testing is particularly important in the
management of warehouse and pipeline risk.
Many of
the risks associated with pipeline and warehoused exposures emerge
when a bank is unable to access the securitisation market due to
either bank specific or market stresses.
A bank should
therefore include such exposures in their regular stress tests
regardless of the probability of the pipeline exposures being
securitised.
81. In addition, a bank should develop
methodologies to measure the effect of reputational risk in terms of
other risk types, namely credit, liquidity, market and other risks
that they may be exposed to in order to avoid reputational damages
and in order to maintain market confidence.
This could be done by including reputational risk
scenarios in regular stress tests.
For instance,
including non-contractual off-balance sheet exposures in the stress
tests to determine the effect on a bank's credit, market and
liquidity risk profiles.
82. A bank
should carefully assess the risks with respect to commitments to
off-balance sheet vehicles and third-party firms related to
structured credit securities and the possibility that assets will
need to be taken on balance sheet for reputational reasons.
Therefore, in its stress testing programme, a bank
should include scenarios assessing the size and soundness of such
vehicles and firms relative to its own financial, liquidity and
regulatory capital positions.
This analysis should include
structural, solvency, liquidity and other risk issues, including the
effects of covenants and triggers.
83. Supervisors should
assess the effectiveness of banks' stress testing programme in
identifying relevant vulnerabilities.
Supervisors should
review the key assumptions driving stress testing results and
challenge their continuing relevance in view of existing and
potentially changing market conditions.
Supervisors should
challenge banks on how stress testing is used and the way it affects
decision-making.
Where this assessment reveals material
shortcomings, supervisors should require a bank to detail a plan of
corrective action.
G. Sound compensation practices
84. Risk
management must be embedded in the culture of a bank.
It
should be a critical focus of the CEO, CRO, senior management,
trading desk and other business line heads and employees in making
strategic and day-to-day decisions.
For a broad and deep
risk management culture to develop and be maintained over time,
compensation policies must not be unduly linked to short-term
accounting profit generation.
Compensation policies should be linked to longer-term
capital preservation and the financial strength of the firm, and
should consider risk-adjusted performance measures.
In addition, a bank should provide adequate
disclosure regarding its compensation policies to stakeholders.
Each bank's board of directors and senior management have
the responsibility to mitigate the risks arising from remuneration
policies in order to ensure effective firm-wide risk
management.
85. Compensation practices at large financial
institutions are one factor among many that contributed to the
financial crisis that began in 2007.
High short-term profits
led to generous bonus payments to employees without adequate regard
to the longer-term risks they imposed on their firms.
These
incentives amplified the excessive risk-taking that has threatened
the global financial system and left firms with fewer resources to
absorb losses as risks materialised.
The lack of attention
to risk also contributed to the large, in some cases extreme
absolute level of compensation in the industry.
As a result,
to improve compensation practices and strengthen supervision in this
area, particularly for systemically important firms, the Financial
Stability Board (formerly the Financial Stability Forum) published
its Principles for Sound Compensation Practices in April 2009.
Paragraphs 86 through 94 below set out those principles,
which should be implemented by banks and reinforced by
supervisors.
86. A bank's board of
directors must actively oversee the compensation system's design and
operation, which should not be controlled primarily by the chief
executive officer and management team. Relevant board members and
employees must have independence and expertise in risk management
and compensation.
87. In addition, the board of
directors must monitor and review the compensation system to ensure
the system includes adequate controls and operates as intended.
The practical operation of the system should be regularly
reviewed to ensure compliance with policies and procedures.
Compensation outcomes, risk
measurements, and risk outcomes should be regularly reviewed for
consistency with intentions.
88. Staff that are
engaged in the financial and risk control areas must be independent,
have appropriate authority, and be compensated in a manner that is
independent of the business areas they oversee and commensurate with
their key role in the firm.
Effective independence and
appropriate authority of such staff is necessary to preserve the
integrity of financial and risk management's influence on incentive
compensation.
89. Compensation must be
adjusted for all types of risk so that renumeration is balanced
between the profit earned and the degree of risk assumed in
generating the profit.
In general, both quantitative
measures and human judgment should play a role in determining the
appropriate risk adjustments, including those that are difficult to
measure such as liquidity risk and reputation risk.
90.
Compensation outcomes must be symmetric with risk outcomes and
compensation systems should link the size of the bonus pool to the
overall performance of the firm.
Employees' incentive
payments should be linked to the contribution of the individual and
business to the firm's overall performance.
91. Compensation payout schedules must be sensitive to the
time horizon of risks.
Profits and
losses of different activities of a financial firm are realiszed
over different periods of time. Variable compensation payments
should be deferred accordingly.
Payments should not be finalised over short periods
where risks are realised over long periods.
Management should question payouts for income that
cannot be realised or whose likelihood of realisation remains
uncertain at the time of payout.
92. The mix of cash, equity
and other forms of compensation must be consistent with risk
alignment. The mix will vary depending on the employee's position
and role.
The firm should be able to explain the rationale for its mix.
93.
Supervisory review of compensation practices must be rigorous and
sustained, and deficiencies must be addressed promptly with the
appropriate supervisory action.
Supervisors should include
compensation practices in their risk assessment of firms, and firms
should work constructively with supervisors to ensure their
practices are adequate.
Regulations and supervisory practices
will naturally differ across jurisdictions and potentially among
authorities within a country. Nevertheless, all supervisors should
strive for effective review and intervention.
94. Firms must
disclose clear, comprehensive and timely information about their
compensation practices to facilitate constructive engagement by all
stakeholders, including in particular shareholders. Stakeholders
need to be able to evaluate the quality of support for the firm's
strategy and risk posture.
Appropriate
disclosure related to risk management and other control systems will
enable a firm's counterparties to make informed decisions about
their business relations with the firm. Supervisors should have
access to all necessary information in order to evaluate banks'
compensation practices.
It is good to know that...
Resecuritization is the process in which the
end product of a securitization is securitized again.
According to the Bank of International Settlements, this is
the definition that will be used in the Basel ii framework after
July 2009:
"A resecuritisation exposure is a
securitisation exposure in which the risk associated with an
underlying pool of exposures is tranched and at least one of the
underlying exposures is a securitisation exposure."
"In
addition, an exposure to one or more resecuritisation exposures is a
resecuritisation exposure."
Dear
members,
Visit the website of our association.
www.risk-compliance-association.com
Write in your CV, resume,
websites etc. that you are members of the International Association
of Risk and Compliance Professionals (IARCP). Take
advantage of the distance learning and online certification program
- at a cost that is unheard
of.
Best Regards,
George Lekatis
President of
the International Association of Risk and Compliance Professionals
(IARCP)
General Manager and Chief Compliance Consultant,
Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005,
USA
Tel: (202) 449-9750
Email:
lekatis@risk-compliance-association.com
Web:
www.risk-compliance-association.com
HQ: 1220 N. Market Street
Suite 804, Wilmington DE 19801, USA
Tel: (302)
342-8828
|
