risk based supervision


Upload: vithyea-you

Post on 13-Apr-2017


RISK-FOCUSED SUPERVISION

National Bank of Cambodia (NBC) Vithyea You, Off-Site Supervision Department

Implement following the Prakas T7-011-082 Prokor (Risk Base and Forward Looking Supervision)

NBC, Off-Site Department


Module Outline

1. Introduction
2. Why Move to Risk Focus?
3. Understanding the Institution
4. Assessing Risk
5. Risk-Focused
   A. Risk Matrix
   B. Risk Assessment
   C. Supervisory Plan
   D. Examination Program
   E. Scope Memorandum
   F. Entry Letter
6. Risk Management Rating


Introduction

• Supervision Goal:
  • A system of effective internal controls is a critical component of bank management and a foundation for the safe and sound operation of banking organizations. Strong internal controls also can ensure that the goals and objectives of a banking company will be met, the bank will achieve long-term profitability targets, and reliable financial and managerial reporting will be maintained. In addition, such a system will ensure that an organization will comply with laws and regulations, as well as policies, plans, internal rules, and procedures, and will decrease the risk of unexpected losses or damage to the bank’s reputation.

• Risk-focused supervision consists of:
  • developing an understanding of the bank’s unique characteristics,
  • identifying and summarizing the major risks, and
  • formulating a supervisory strategy to address these risks.


Why Move to Risk Focus? What do we need to know beforehand?

• The Federal Reserve has shifted to a risk-focused approach due to market changes that have resulted in a highly sophisticated banking system exposed to a combination of risks.

• The first step in the risk-focused process is to understand the institution. Sources of information available to the examiner include off-site reports, internal reports, discussions with management, public sources, and other regulators.

• When assessing risk, examiners should focus on the entire spectrum of risks facing the bank—the six risks (credit, market, liquidity, operational, legal, and reputational).

• Examiners should consider the adequacy of internal risk-management systems, such as internal audit, internal loan review, and compliance.

• Information technology must be included in a risk assessment. Examiners should consider risks, risk-management tools, and the systems that process transactions and provide critical reports. The information technology framework (SR 98-9) includes the following elements: management processes, architecture, integrity, security, and availability.

• While the processes are very similar for large and small entities, the process for a community bank involves essentially one product, the preliminary risk assessment/scope memorandum. The process for large banks is continuous and requires the preparation of several formal documents.


Understanding the Institution

• This step is the starting point for a risk-focused examination approach and is critical to tailoring the supervision program to the characteristics of the organization. By reviewing certain information, either the examiner or the central point of contact, depending on the size of the organization, can gain an understanding of the institution’s risk profile and current condition. Information can be gathered from:
  • reports available to the National Bank of Cambodia,
  • the institution’s management information systems,
  • discussions with bank management,
  • public sources, and
  • the work of other supervisory agencies.


Assessing Risk

• The assessment of risks should point out both the strengths and weaknesses of an institution and provide a foundation for determining supervisory activities.

• Risk Assessment focuses on the six risks identified in Prakas T7-010-172 Prokor (Bank and FI’s Internal Control Supervision): credit, market, liquidity, operational, legal, and reputational.

• The examiner is required to assess the risk accordingly, in four parts as outlined below:
  1. Review the type and intensity of competition, locations, types of products and services the bank offers, loan and deposit customer base, and the local economy.
  2. Determine the policies, procedures, management skills, or other mechanisms in place to manage these risks. Basically, determine if the bank has experienced staff, strong internal controls, an independent board of directors, and satisfactory MIS or formalized risk management process.
  3. Compare, or weigh, the degree of risk in the bank with mitigating factors to determine a net level of risk and determine whether the level is significant for the institution.
  4. Determine if management meets a set of basic criteria, or expectations, for each risk factor given the size, complexity, and activities of a given company.


Assessing Risk - Risk monitoring 1

• Risk monitoring must be supported by effective management information systems (“MIS”).

• Information Technology (“IT”) must provide for processing, storing, synthesizing, analyzing, and reporting of data.

• To evaluate IT appropriately, the examiner must ask two fundamental questions:
  • What are the critical banking activities? AND
  • Are systems adequate to support these activities?

• An organization’s IT systems should be considered in relation to the size, activities, and complexity of the organization, as well as the degree of reliance on these systems. To do this, the examiner must determine which business unit or units are responsible for the development and operation of the systems. Safety and soundness examiners must coordinate with IT specialists during the risk assessment and planning phase of the examination, as well as during the on-site examination.


Assessing Risk - Risk monitoring 2

• In order to provide a common terminology and consistent approach for evaluating the adequacy of an organization’s information technology, five information technology elements:
  • (1) Management Processes--planning, investment, development, execution, and staffing of information technology from a corporate-wide and business-specific perspective;
  • (2) Architecture--the underlying design of an automated information system and its individual components;
  • (3) Integrity--the reliability, accuracy, and completeness of information delivered to the end-user;
  • (4) Security--the safety afforded to information assets and their data processing environments, using both physical and logical controls to achieve a level of protection commensurate with the value of the assets; and,
  • (5) Availability--the timely delivery of information to end-users.


Risk-Focused - A. Risk Matrix 1

• The risk matrix is a structured approach to assessing risk and lays the groundwork for the preparation of the narrative risk assessment.

• The first step to establish a risk matrix is to identify significant activities of the organization. The balance sheet, income statement, and off-balance-sheet reports are good places to begin this process.
  • The income statement, in particular, can be an important place to identify key activities and the relative importance of such activities on revenues and net income. For example, a fee-driven business may be a significant contributor to the “bottom line” but not involve a large investment in assets.

• What types of activities is the bank engaged in and what is the level of inherent risk associated with these activities? Using the six banking risks, the examiner should determine the associated level of each of the risk components for a given activity.


Risk-Focused - A. Risk Matrix 2

• The second step to establish a risk matrix is to identify the level of risk of the significant activities of the organization.
  • High Risk is present where activities are significant or positions are large in relation to the institution’s assets and capital or its peer group, where there is a substantial number of transactions, or where activities are more complex than normal. The potential exists for a significant or harmful loss to the institution.
  • Moderate Risk is present where activities, positions, and transactions are average in size or number and are more typical or traditional to the organization. While a loss is possible, the bank could absorb the loss in the normal course of business.
  • Low Risk exists where loss is remote and would have little impact on the bank or its financial condition.


Risk-Focused - A. Risk Matrix 3

• As the third step to complete the risk matrix, a preliminary assessment of the risk management systems covering each activity should be made.
  • Strong Risk Management indicates that management effectively identifies and controls all major types of risk posed by the relevant activity or function. The board and senior management participate in managing risk and ensuring that appropriate policies and limits exist. Policies are supported by risk-monitoring procedures, reports, and management information systems. Internal controls and audit procedures are appropriate to the size and activities of the institution, and few exceptions are noted.
  • Acceptable Risk Management indicates that the institution’s risk-management systems, although largely effective, may be lacking to some modest degree. The institution may have some minor risk-management weaknesses; however, the problems have been recognized and addressed. Overall, board and senior management oversight, policies, risk-monitoring procedures, reports, and management information systems are considered effective.
  • Weak Risk Management indicates risk-management systems that are lacking in important ways and are a cause for more-than-normal supervisory attention. The internal control system may be lacking in important respects, particularly if continued control exceptions or failure to adhere to written policies and procedures is evident. Those deficiencies could have adverse effects on the financial institution.


Risk-Focused - A. Risk Matrix 4

• Lastly, a composite risk assessment for each activity and an overall composite risk for the institution should be determined. To facilitate consistency in preparing the risk matrix, general definitions of the composite level of risk for significant activities are provided.
  • High Composite Risk is generally assigned to an activity in which the risk-management system does not significantly mitigate the high inherent risk of the activity. Thus, the activity could potentially result in a financial loss even if systems are considered strong. For an activity with moderate inherent risk, a risk management system that has significant weakness could result in a high composite risk assessment, because management appears to have inadequate understanding of the risk.
  • Moderate Risk generally would be assigned to an activity with moderate inherent risk where the risk management systems appropriately mitigate the risk. An activity with a low inherent risk but significant weakness in the risk-management system may result in a moderate composite risk. A high-risk activity with a strong risk-management system may also earn a moderate risk component.
  • Low Composite Risk generally would be assigned to an activity with low inherent risks. An activity with moderate inherent risk and strong management systems may also be assigned a low composite risk.


Risk Matrix for Bank A (Sample)

| Activity | Relative Weight | Inherent Risks (Credit / Market / Liquidity / Operational / Legal / Reputational) | Risk Management Systems | Composite |
|---|---|---|---|---|
| Commercial loans | 35% TA | Mod / Low / Low / Mod / Mod / Low | Acceptable | Moderate |
| Treasury Securities | 10% TA | Low / Low / Low / Low / Low / Low | Strong | Low |

OVERALL COMPOSITE RISK: Moderate


Risk-Focused - B. Risk Assessment 1

• The risk assessment serves as an internal planning tool and should provide a comprehensive risk-focused picture of the bank.

• The goal is to develop a document that presents a comprehensive, risk-focused view of the institution, delineating the areas of supervisory concern and laying the groundwork for the supervisory plan.

• The format and content of the risk assessment are flexible and should be tailored to each institution.

• The risk assessment reflects the dynamics of the institution and, therefore, should consider the institution’s evolving business strategies and be amended as significant changes in the risk profile occur.


Risk-Focused - B. Risk Assessment 2

• The risk assessment should, however, address the following:
  1. The overall risk assessment of the organization.
  2. The six types of risk and the trend (increasing, stable, decreasing) of these risks.
  3. The major functions, business lines, activities, products, and legal entities from which significant risks emanate and the key issues that could affect the risk profile. The business strategies should be considered and amended as significant changes occur.
  4. The likelihood of an adverse effect and the potential impact on the institution.
  5. The institution’s risk management systems. Reviews by internal and external auditors should also be discussed.

The risk assessment should attempt to identify the cause of problems or unfavorable trends, not just list the symptoms. It should not be a reiteration of facts but rather a comprehensive analysis leading to conclusions about the risk profile of the organization.


Risk-Focused – C. Supervisory Plan 1

• The supervisory plan is a bridge between the risk assessment and the supervisory activities to be conducted at the organization. It should be completed annually and updated as circumstances change. The plan outlines all activities to be conducted at the institution and defines the scope as well as the objective and specific concerns regarding those activities.

• Consideration should be given to:
  1. Prioritizing supervisory resources on areas of higher risk.
  2. Pooling examiner resources to reduce burden and redundancies.
  3. Maximizing the use of examiners located where the activity is being conducted.
  4. Coordinating examinations of different disciplines.
  5. Determining compliance with, or potential for, supervisory action.
  6. Balancing mandated requirements with the objectives of the plan.
  7. General logistical information.
  8. The extent to which internal and external audit, internal loan review, compliance, and other risk-management systems will be tested and relied upon.


Risk-Focused – C. Supervisory Plan 2

• The central point of contact should seek to minimize disruption to the company and avoid duplication of examination efforts. This requires extensive coordination with other supervisory agencies to ensure that scheduling is efficiently accomplished. Coordination of specialty examinations, such as information technology and trust, is also noted in the plan.

• The plan documents that supervisory concerns identified through the risk assessment will be addressed. Resources are prioritized based on highest risk, which is determined through the assessment process. If risk-management systems are considered strong, the depth of supervisory review may be adjusted. In addition, the plan will indicate the extent to which internal audit, internal loan review, compliance, and other risk-management systems will be tested and relied upon. General logistical concerns will also be discussed in the plan.


Risk-Focused – D. Examination Program

• The preparation of the examination program involves a comprehensive schedule of examination activities for the entire organization. Prior to the implementation of a risk-focused examination approach, the regulator developed an independent schedule. For entities with multiple banks and charters, different regulators throughout the year could conduct examinations.

• The program generally incorporates
  (1) a schedule of activities, with durations and resource estimates;
  (2) an indication of the agencies participating in the activity;
  (3) the planned product for communicating findings; and
  (4) the need for special examiner skills and the extent of participation by specialty disciplines.


Risk-Focused – E. Scope Memorandum

• The scope memorandum for large complex institutions is similar, as it defines the central objectives of the on-site examination. It should identify specific areas to be reviewed and the extent of those reviews. The scope should be tailored to the size, complexity, and current condition of the company, and for less complex but large companies, it can be combined with the supervisory plan or risk assessment. The scope memorandum will generally provide a brief synopsis on the CAMELS components and overall financial condition. The scope memorandum should define the objectives of the examination and generally should include:
  1. A statement of the objectives.
  2. An overview of the activities and risks to be evaluated.
  3. The level of reliance on internal risk management systems and internal or external audit findings.
  4. A description of the procedures that are to be performed, indicating any sampling process to be used and the level of transaction testing, where appropriate.
  5. Identification of the procedures that are expected to be performed off-site.
  6. A schedule of activities, duration of time and resource estimates for planned projects.
  7. An identification of the agencies conducting and participating in the supervisory activity and resources committed by all participants to the area(s) under review.
  8. The planned product for communicating findings.
  9. The need for special examiner skills and the extent of participation by specialty disciplines.


Risk-Focused – F. Entry Letter

• Once the scope of the examination has been determined, an entry letter is prepared. The letter, which requests specific information to be provided to the examiners, should also be tailored to the organization. More importantly, the letter should consider the risk-focused supervision objectives, and only items needed to support examination procedures should be requested.

• As specific items are selected for inclusion in the entry letter, the following should be considered:
  1. Reflect risk-focused supervision objectives and the examination scope.
  2. Facilitate efficiency in the examination process and lessen the burden on the bank. Minimize the number of requested items and avoid duplication.
  3. Limit, to the extent possible, requests for special management reports.
  4. Eliminate items used for audit-type procedures.
  5. Distinguish information to be mailed or held at the institution.
  6. Allow management sufficient lead time to prepare the requested information.


Risk Management Rating 1

• The rating for risk management is based on a scale of one through five in ascending order of supervisory concern. The risk-management rating should be reflected in the overall “Management” rating of the institution and should be consistent with the following criteria:

• Rating 1 (Strong): A rating of 1 indicates that management effectively identifies and controls all major types of risk posed by the institution’s activities, including those from new products and changing market conditions. The board and management are active participants in managing risk and ensure that appropriate policies and limits are supported by risk-monitoring procedures, reports, and management information systems that provide management and the board with the necessary information and analysis to make timely and appropriate responses to changing conditions. Internal controls and audit procedures are sufficiently comprehensive and appropriate to the size and activities of the institution. There are few noted exceptions to the institution’s established policies and procedures, and none are material. Management effectively and accurately monitors the condition of the institution consistent with standards of safety and soundness and in accordance with internal and supervisory policies and practices. Risk management is considered fully effective to identify, monitor, and control risks to the institution.


Risk Management Rating 2

• Rating 2 (Satisfactory): A rating of 2 indicates that the institution’s management of risk is largely effective, but lacking to some modest degree. It reflects a responsiveness and ability to cope successfully with existing and foreseeable exposures that may arise in carrying out the institution’s business plan. While the institution may have some minor risk-management weaknesses, these problems have been recognized and are being addressed. Overall, board and senior management oversight, policies and limits, risk-monitoring procedures, reports, and management information systems are considered satisfactory and effective in maintaining a safe and sound institution. Generally risks are being controlled in a manner that does not require additional or more-than-normal supervisory attention.

• Internal controls may display modest weakness or deficiencies, but they are correctable in the normal course of business. The examiner may have recommendations for improvement, but the weaknesses noted should not have a significant effect on the safety and soundness of the institution.


Risk Management Rating 3

• Rating 3 (Fair): A rating of 3 signifies risk-management practices that are lacking in some important ways and, therefore, are a cause for more-than-normal supervisory attention. One or more of the four elements of sound risk management are considered fair and have precluded the institution from fully addressing a significant risk to its operations. Certain risk-management practices are in need of improvement to ensure that management and the board are able to identify, monitor, and control adequately all significant risks to the institution. Weaknesses may include continued control exceptions or failures to adhere to written policies and procedures that could have adverse effects on the institution.

• The internal control system may be lacking in some important respects, particularly as indicated by continued control exceptions or by the failure to adhere to written policies and procedures. The risks associated with the internal control system could have adverse effects on the safety and soundness of the institution if management does not take corrective actions.


Risk Management Rating 4

• Rating 4 (Marginal): A rating of 4 represents marginal risk-management practices that generally fail to identify, monitor, and control significant risk exposures in many material respects. Generally, such a situation reflects a lack of adequate guidance and supervision by management and the board. One or more of the four elements of sound risk management are considered marginal and require immediate and concerted corrective action by the board and management. A number of significant risks to the institution have not been adequately addressed, and the risk management deficiencies warrant a high degree of supervisory attention.

• The institution may have serious identified weaknesses, such as an inadequate separation of duties, that require substantial improvement in internal control or accounting procedures or in the ability to adhere to supervisory standards or requirements. Unless properly addressed, these conditions may result in unreliable financial records or reports or operating losses that could seriously affect the safety and soundness of the institution.


Risk Management Rating 5

• Rating 5 (Unsatisfactory): A rating of 5 indicates a critical absence of effective risk-management practices to identify, monitor, or control significant risk exposures. One or more of the four elements of sound risk management are considered wholly deficient, and management and the board have not demonstrated the capability to address deficiencies.

• Internal controls may be sufficiently weak as to jeopardize seriously the continued viability of the institution. If not already evident, there is an immediate concern about the reliability of accounting records and regulatory reports and about potential losses that could result if corrective measures are not taken immediately. Deficiencies in the institution’s risk-management procedures and internal controls require immediate and close supervisory attention.

• The risk-management rating should be an important factor when determining the overall management rating of the CAMELS rating system. Comments, conclusions, and criticisms relating to a bank’s risk-management process should be brought to the attention of management and included on the “Management/Administration,” “Examination Conclusions and Comments,” and “Matters Requiring Board Attention” sections of the report, if appropriate.

• Examiners should also consider the extent to which weaknesses in a bank’s management of risk may indicate material noncompliance with one or more safety and soundness guidelines covering internal controls and information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth or compensation, fees, and benefits.


End
