Risk Management Guidelines (January 2013) PDF
Summary
This document provides risk management guidelines for financial institutions in Kenya, focusing on various types of risks including strategic, credit, liquidity, market, operational, ICT, reputational, compliance, and country or transfer risks. It emphasizes the importance of a comprehensive risk management framework, including board oversight, policies, procedures, limits, and monitoring systems. The document was published in January 2013.
Full Transcript
RISK MANAGEMENT GUIDELINES
January 2013

TABLE OF CONTENTS
1.0 OVERVIEW OF RISK MANAGEMENT FRAMEWORK
2.0 STRATEGIC RISK MANAGEMENT
3.0 CREDIT RISK MANAGEMENT
4.0 LIQUIDITY RISK MANAGEMENT
5.0 MARKET RISK MANAGEMENT
6.0 OPERATIONAL RISK MANAGEMENT
7.0 INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) RISK
8.0 REPUTATIONAL RISK MANAGEMENT
9.0 COMPLIANCE RISK MANAGEMENT
10.0 COUNTRY AND TRANSFER RISK MANAGEMENT
APPENDICES
APPENDIX 1
APPENDIX 11

1.0 OVERVIEW OF RISK MANAGEMENT FRAMEWORK

1.1 Introduction

The Central Bank of Kenya has put forward this document for the purpose of providing guidelines to all institutions on minimum requirements for risk management systems and frameworks. For the purpose of these guidelines, financial risk in a banking organization is the possibility that the outcome of an action or event could bring about adverse impacts on the institution’s capital or earnings. Such outcomes could either result in direct loss of earnings/capital or may result in imposition of constraints on the bank’s ability to meet its business objectives.

Risk Categories

While the types and degree of risks an organization may be exposed to depend upon a number of factors such as its size, complexity, business activities, and volume, these guidelines have identified the following categories of risks as critical risks in financial institutions:

1. Strategic Risk
2. Credit Risk
3. Liquidity Risk
4. Market Risk
5. Operational Risk
6. Information and Communication Technology Risk
7. Reputational Risk
8. Compliance Risk and
9. Country and Transfer Risk

Risk Management Function

In accordance with the Basel Core Principles for Effective Banking Supervision, ‘Risk Management Processes’ requires that banks and banking groups must have comprehensive risk management processes (including Board and senior management oversight) to identify, evaluate, monitor and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the institution. It is therefore a requirement that each institution prepare a comprehensive Risk Management Programme (RMP) tailored to its needs and circumstances under which it operates and establish a Risk Management Function that supervises overall risk management.

The function should be independent from those who take or accept risks on behalf of the institution and should report directly to the board or a committee of the board. The risk management function is responsible for ensuring that effective processes are in place for:

i. Identifying current and emerging risks;
ii. Developing risk assessment and measurement systems;
iii. Establishing policies, practices and other control mechanisms to manage risks;
iv. Developing risk tolerance limits for Senior Management and board approval;
v. Monitoring positions against approved risk tolerance limits; and
vi. Reporting results of risk monitoring to Senior Management and the board.

Risk Management Process

Regardless of the Risk Management Programme design, each programme should include:

Risk Identification: Almost every product and service offered by institutions has a unique risk profile composed of multiple risks. For example, at least four types of risks are usually present in most loans: credit risk, interest rate risk, liquidity risk and operational risk. Risk identification should be a continuing process and risk should be understood at both the transaction and portfolio levels.

Risk Measurement: Once the risks associated with a particular activity have been identified, the next step is to measure the significance of each risk. Each risk should be viewed in terms of its three dimensions: size, duration and probability of adverse occurrences. Accurate and timely measurement of risk is essential to effective risk management systems.

Risk Control: Once risks have been identified and measured for significance, there are basically three ways to control significant risks, or at least minimize their adverse consequences: avoiding or placing limits on certain activities/risks, mitigating risks and/or offsetting risks. It is a primary management function to balance expected rewards against risks and the expenses associated with controlling risks. Institutions should establish and communicate risk limits through policies, standards and procedures that define responsibility and authority.

Risk Monitoring: Institutions need to establish an MIS that accurately identifies and measures risks at the inception of transactions and activities. It is equally important for management to establish an MIS to monitor significant changes in risk profiles. A loan payment delinquency report reflecting loans that are not being repaid as agreed is one report that indicates possible changes in perceived risk profiles. Since many institutions depend heavily on their net interest margins for survival, an MIS that reflects the impact of changes in interest rate risk is very important. In general, ‘monitoring risks’ means developing reporting systems that identify adverse changes in the risk profiles of significant products, services and activities and monitoring changes in controls that have been put in place to minimize adverse consequences.

1.2 BASIC ELEMENTS OF A SOUND RISK MANAGEMENT SYSTEM

The risk management program of each institution should at least contain the following elements of a sound risk management system:

1.2.1 Active Board and Senior Management Oversight

Boards have ultimate responsibility for the level of risk taken by their institutions. Accordingly, they should approve the overall business strategies and significant policies of their organizations, including those related to managing and taking risks and should ensure that senior management is fully capable of managing the activities that their institutions conduct. All boards of directors are responsible for understanding the nature of the risks significant to their organizations and for ensuring that the management is taking the steps necessary to identify, measure, monitor and control these risks.

The level of technical knowledge required of directors may vary depending on the particular circumstances at the institution. Consequently, what is most important is for directors to have a clear understanding of the types of risks to which their institutions are exposed and to receive regular reports that identify the size and significance of the risks in terms that are meaningful to them. Directors could take steps to develop an appropriate understanding of the risks their institutions face, possibly through briefings from auditors and experts. Using this knowledge and information, directors should provide clear guidance regarding the level of exposures acceptable to their institutions and have the responsibility to ensure that senior management implements the procedures and controls necessary to comply with adopted policies.

Senior management is responsible for implementing strategies in a manner that limits risks associated with each strategy.
Management should therefore be fully involved in the activities of their institutions and possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls and risk monitoring systems are in place and that accountability and lines of authority are clearly delineated. Senior management is also responsible for establishing and communicating a strong awareness of and need for effective internal controls and high ethical standards. Meeting these responsibilities requires senior managers of institutions to demonstrate a thorough understanding of developments in the financial sector and a knowledge of the activities their institution conducts, including the nature of the internal controls necessary to limit the related risks.

1.2.2 Adequate Policies, Procedures and Limits

The board of directors and senior management should tailor their risk management policies and procedures to the types of risks that arise from the activities the institution conducts. Once the risks are properly identified, the institution’s policies and procedures should provide detailed guidance for the day-to-day implementation of broad business strategies and should include limits designed to shield the organization from excessive and imprudent risks.

A bank’s policies, procedures and limits should:

- Provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks posed by its lending, investing, trading, securitisation, off balance sheet, fiduciary and other significant activities at the business line and firm-wide levels;
- Ensure that the economic substance of a bank’s risk exposures is fully recognised and incorporated into the bank’s risk management systems;
- Be consistent with the bank’s stated goals and objectives, as well as its overall financial strength;
- Clearly delineate accountability and lines of authority across the bank’s various business activities, and ensure there is a clear separation between business lines and the risk function;
- Escalate and address breaches of internal position limits;
- Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the bank is able to manage and control the activity prior to it being initiated; and
- Include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate.

1.2.3 Adequate Risk Monitoring and Management Information Systems (MIS)

Effective risk monitoring requires institutions to identify and measure all material risk exposures. Consequently, risk-monitoring activities must be supported by information systems that provide senior managers and directors with timely reports on the financial condition, operating performance and risk exposure of the institution. The sophistication of risk monitoring and MIS should be consistent with the complexity and diversity of the institution’s operations. Every institution shall require a set of management and board reports to support risk-monitoring activities.
These reports may include daily or weekly balance sheets and income statements, a watch list for potentially troubled loans, a report of overdue loans, simple interest rate risk report and other relevant reports.

In order to ensure effective measurement and monitoring of risk and management information systems, the following should be observed:

a) the institution's risk monitoring practices and reports address all of its material risks;
b) key assumptions, data sources, and procedures used in measuring and monitoring risk are appropriate and adequately documented and tested for reliability on an ongoing basis;
c) as an integral component of an institution’s risk management framework, appropriate periodic stress testing should be conducted and management action plans to mitigate the risks identified in the stress tests are put in place;
d) reports and other forms of communication are consistent with the institution's activities, structured to monitor exposures and compliance with established limits, goals, or objectives and, as appropriate, compare actual versus expected performance; and
e) reports to management or to the institution's directors are accurate and timely and contain sufficient information for decision-makers to identify any adverse trends and to evaluate adequately the level of risk faced by the institution.

1.2.4 Adequate Internal Controls

An institution’s internal control structure is critical to the safe and sound functioning of the organization, in general and to its risk management, in particular. Establishing and maintaining an effective system of controls, including the enforcement of official lines of authority and the appropriate separation of duties is one of management’s important responsibilities. When properly structured, a system of internal controls promotes effective operations and reliable financial and regulatory reporting, safeguards assets and helps to ensure compliance with relevant laws, regulations and institutional policies.

Internal controls should be tested by an independent and suitably qualified internal auditor who reports directly to the board’s Audit Committee. Given the importance of appropriate internal controls to institutions, the results of audits or reviews, conducted by an internal auditor or other persons, should be adequately documented, as should management’s responses to them. In addition, communication channels should exist that allow negative or sensitive findings to be reported directly to the board’s Audit Committee.

In order to ensure the adequacy of an institution's internal controls and audit procedures, the following should be observed:

- The system of internal controls should be appropriate to the type and level of risks posed by the nature and scope of the institution's activities.
- The institution's organisational structure should establish clear lines of authority and responsibility for monitoring adherence to policies, procedures, and limits.
- Reporting lines should provide sufficient independence of the control areas from the business lines and appropriate segregation of duties throughout the institution such as those relating to trading, custodial, and back-office activities.
- Official institutional structures should reflect actual operating practices.
- Financial, operational, and regulatory reports should be reliable, accurate and timely; wherever applicable, exceptions are noted and promptly investigated.
- Adequate procedures for ensuring compliance with applicable laws and regulations should be in place.
- Internal audit or other control review practices should provide for independence and objectivity.
- Internal controls and information systems should be adequately tested and reviewed; the coverage, procedures, findings, and responses to audits and review tests should be adequately documented; identified material weaknesses should be given appropriate and timely high level attention; and management's actions to address material weaknesses should be objectively verified and reviewed.
- The institution's audit committee or board of directors should review the effectiveness of internal audits and other control review activities on a regular basis.

2.0 STRATEGIC RISK MANAGEMENT

2.1 Introduction

Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. It is a risk that could significantly impact on the achievement of the institution’s vision and strategic objectives as documented in the strategic plan.

Strategic risk management is the process of identifying, assessing, measuring, monitoring and managing the risk in the institution’s business strategy. Strategic risk management involves evaluating how a wide range of possible events and scenarios will affect the strategy and its execution and the ultimate impact on the institution’s value.

2.2 Board and Senior Management Oversight

2.2.1 Specific responsibilities for the Board

The Board has specific responsibilities for overseeing an institution’s strategic risk management process.
These include:

- Ensuring that the institution has in place an appropriate strategic risk management framework which suits its own circumstances, business needs and risk tolerance;
- Ensuring that the institution’s strategic goals and objectives are clear and are set in line with its corporate mission and values, culture, business direction and risk tolerance;
- Approving the institution’s strategic plan (including strategies contained therein) and any subsequent changes, and reviewing the plan (at least annually) to ensure its appropriateness;
- Ensuring that the institution’s organisation structure, culture, infrastructure, financial means, managerial resources and capabilities, as well as systems and controls are appropriate and adequate to support the implementation of its strategies;
- Reviewing high-level reports periodically submitted to the Board on the institution’s overall strategic risk profile; ensuring that any material risks and strategic implications identified from those reports are properly addressed; and
- Ensuring that senior management is competent in implementing strategic decisions approved by the Board, and supervising such performance on a continuing basis.

2.2.2 Specific responsibilities of senior management

In ensuring effective strategic risk management within an institution, senior management should, among other things:

- Establish and implement the institution’s strategic risk management framework based on criteria and standards set by the Board;
- Assist the Board in developing strategies to meet the institution’s strategic goals and objectives;
- Formulate the institution’s strategic plan and related implementation plans (such as business, development and operating plans);
- Ensure adequate implementation of the institution’s strategic plan, as approved by the Board;
- Implement an effective performance evaluation system;
- Ensure that any strategic issues and material risks arising from environmental changes or implementation of the institution’s strategies are reported to the Board on a timely basis.

2.3 Policies and Procedures and Limits

Effective management of strategic risk requires that policies, procedures and limits be established to ensure objective evaluation of and responsiveness to a bank’s business environment. Policies on business strategy are critical in defining the business segments that the institution will focus on, both in the short and long run. There should be a clear guideline on the frequency and procedure for review of the institution’s business strategy.

Procedures for defining and reviewing the institution’s business strategy are intended to ensure that the following aspects are given adequate consideration:

- The institution’s inherent strengths.
- Its identified weaknesses.
- Opportunities external to the institution.
- External factors that pose threats to the institution.

Limits are necessary in defining:

- Exposure to different sectors.
- Growth of business and staff strength.
- Network expansion programmes.

2.3.1 Strategic risk management process

An effective strategic management process should include the following:

2.3.1.1 Strategic Planning

Strategic planning is the process whereby an institution determines the overall direction and focus of its organisation, establishes medium and long term priorities in line with its corporate mission and goals, and translates those priorities into appropriate strategies for achieving stated goals and objectives. This process culminates in the development of a strategic plan.

Strategic planning provides a process for institutions to identify and assess potential risks posed by their strategic plan, and consider whether they have adequate capacity to withstand the risks.
It also facilitates institutions in responding on a timely basis to any adverse changes in circumstances (whether internal or external) that may undermine the achievement of their plan or affect their future development.

A strategic planning process has three basic elements:

- A process to set strategic goals and objectives,
- A process to evaluate the institution’s strategic position and develop appropriate strategies, and
- A process to translate those strategies into action plans.

2.3.1.2 Setting of Strategic goals and objectives

In setting strategic goals and objectives, institutions should be guided by their corporate mission which outlines the broad directions that the institution is to follow, and reflect the vision and values upheld by the institution. Strategic goals generally reflect an institution’s aspirations in relation to achieving growth and return, efficiency, and competitive advantage within the environment it operates. In setting strategic goals and objectives, institutions should identify and take into account the needs and aspirations of their major stakeholders and changes in operating environment (e.g. political, legal, economic, social and technological changes).

2.3.1.3 Development of strategies

Institutions should have a process for evaluating their strategic position and developing appropriate strategies to achieve their strategic goals and objectives. The process involves understanding the general banking, business and economic environment that an institution operates in, assessing its strengths and weaknesses, and analyzing its position and possible strategies that can be considered having regard to its stated goals and objectives and risk tolerance.

2.3.1.4 Formulation of strategic plan

Institutions should have a process for formulating and approving the strategic plan.
This process and all related procedures, including the responsibilities of the Board and senior management and other staff concerned, should be clearly documented, approved by the Board, and subject to periodic review to ensure their appropriateness.

Strategic decisions agreed upon during the planning process should form the basis of the strategic plan. Apart from describing what strategies the institution will take and how the institution will implement them to meet its strategic goals and objectives, the plan may also provide other information, such as the institution’s philosophy towards its business, its growth targets, the extent of its financial risk-taking, and other relevant factors (institutional and environmental) affecting its growth and development.

The depth and coverage of the strategic plan should be commensurate with the institution’s scale and complexity of business. In the case of a local banking group with regional presence, the strategic plan should be prepared on a consolidated basis (i.e. including the positions of subsidiaries and overseas branches). Institutions which are branches or subsidiaries of a foreign bank should have their own strategic plan for strategic risk management purposes if the group’s strategic plan is not adequate to fully reflect their local situation, needs and activities.

2.3.2 Alignment and change management

Before implementing their strategies, institutions should ensure that they have made proper alignment of internal resources and processes and, if necessary, managed all change issues (such as those arising from organisational or cultural changes) to facilitate the achievement of desired outcomes. Interdependencies between processes across departments (e.g. reconciliation of transaction information between front and back offices using a more advanced IT system) should also have been addressed so that they can be properly understood and accounted for during the implementation.

Ensuring proper alignment of internal resources and processes means, for example, checking to see whether:

- sufficient resources (financial and non-financial) have been allocated to undertake the necessary tasks;
- the right people have been put in the right place; and
- the organisation and risk management structure, systems, infrastructure and technology are in the right shape to support the new initiatives.

2.4 Measuring and monitoring

The failure or success of a strategy depends on whether an institution has adequate resources and capability to implement the strategy and whether the institution has the ability to effectively monitor and control the progress of implementation. As such, in addition to strategic planning, institutions should have a process to facilitate the monitoring and control of strategies being implemented. Active Board and senior management oversight with the support of the strategic risk management function will help ensure effective implementation and control of strategies. In addition, there should be adequate management guidelines and written procedures for implementing strategies and monitoring and reporting the progress of implementation.

Where institutions have identified strategic issues arising from anticipated operational or market changes which may result in a significant adverse impact on their business or financial conditions, such issues should be reported to the Board and senior management in a timely manner, with an assessment of the strategic risk implications and the need for taking remedial actions (such as modifying existing strategies and implementing risk mitigating or contingency measures).

In order to ensure an effective strategic risk management process, every institution should deploy a management information system that will enable management to monitor:

- Current and forecasted economic conditions, e.g. economic growth, inflation, foreign exchange trends, etc.
- Current and forecasted industry and market conditions, such as:
  - Increasing competition by new market entrants
  - Number and size of mergers and acquisitions
  - Changing customer behaviour
  - New products/substitutes
- Exposure to different sectors, and associated sector risks.

2.4.1 Performance evaluation and feedback

Comparison of actual performance to desired outcomes serves as an important check on the success of implementing approved strategies, and allows management to take timely remedial actions to address significant deviations from set targets. Therefore, institutions are expected to develop a performance evaluation system that tracks progress towards achieving both financial and non-financial targets.

In order to ensure efficient and continuous performance evaluation, at the setting of strategic goals and targets stage, long term goals and targets should be broken down into short term (preferably yearly) measurable goals and targets.

2.4.2 Other Supporting Processes

2.4.2.1 Planning and Management of Capital and Funding needs

Inadequate planning of capital and funding needs is an obstacle to implementing strategic decisions and can have a disruptive effect on an institution’s operations and its ability to meet strategic goals and objectives. As such, institutions should view such planning as a crucial element of the strategic planning process. Capital planning should be risk-based and forward-looking, and take into account such factors as an institution’s current and future capital needs, anticipated capital expenditures, dividend payment forecasts, desirable capital levels, and external capital sources (e.g. available supply of capital and capital raising options).

2.4.2.2 Management Information System

In a competitive banking environment, the ability to effectively manage information is crucial to an institution’s ability to remain competitive, introduce new products and services, and achieve desired goals.
Institutions should therefore ensure that they have sufficient and robust MIS to support their strategic planning and decision making processes.

2.4.2.3 Human resources management and development

Human resources management has a strategic focus in that it is involved in gaining commitments to an institution’s goals and shaping its corporate culture. By developing policies to meet future needs, human resources management enables the adoption of a forward-looking approach to deal with change and growth and to anticipate future problems.

2.4.2.4 Succession Planning

The institutions’ management should develop management succession plans to cater for staff turnover and retirement. This is particularly essential for institutions to cater for major turnover in senior and middle management, whether due to transfer, resignation or retirement.

The institutions’ board of directors should also maintain succession plans for critical positions such as Chairman of the Board and the institution’s Chief Executive Officer.

2.4.3 Stress-Testing and Contingency Strategies

Institutions should employ stress-testing techniques in their strategic planning and management processes to assess any potential threats to the implementation of their strategies. Stress-testing generally involves identifying possible events or changes in the external environment that could have unfavourable effects on an institution and assessing the institution’s ability to withstand those effects.

Stress-testing does not necessarily mean the use of sophisticated financial modelling tools, but rather focuses on the need for institutions to evaluate in some way the potential impact (both financial and non-financial) different stress scenarios may have on their business. The level of resources devoted to this effort should be commensurate with the nature, scale and complexity of institutions’ business activities.

2.5 Internal audit and controls

Institutions need strong internal control systems to ensure that they are not unduly exposed to strategic risks. Internal controls are required to ensure that:

- The organization structure establishes clear lines of authority.
- The institution’s systems and structures provide for business continuity planning.
- The process of setting up and reviewing strategic plans is comprehensive and is adhered to.

The results of such audit reviews, including any issues and weaknesses identified should be reported to the Board and senior management directly. Both the Board, and a delegated committee (e.g. Board Audit Committee), and senior management should be sufficiently engaged in the process to determine whether such reviews and audits are effectively performed (e.g. whether the performing staff are independent and have sufficient authority to perform their duties) and identified issues are addressed.

3.0 CREDIT RISK MANAGEMENT

3.1 Introduction

Credit risk is the current or prospective risk to earnings and capital arising from an obligor’s failure to meet the terms of any contract with the bank or if an obligor otherwise fails to perform as agreed. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banks should also consider the relationships between credit risk and other risks. The effective management of credit risk is a critical component of a comprehensive approach to risk management and essential to the long-term success of any banking organization.

For most institutions, loans are the largest and most obvious source of credit risk; however, other sources of credit risk exist throughout the activities of a bank, including in the banking book and in the trading book, and both on and off the balance sheet.
Banks are increasingly facing credit risk (or counterparty risk) in various financial instruments other than loans, including acceptances, interbank transactions, trade financing, foreign exchange transactions, financial futures, swaps, bonds, equities, options, and in the extension of commitments and guarantees, and the settlement of transactions.

3.2 Board and Senior Management Oversight

3.2.1 The Board of Directors

The board of directors carries the ultimate responsibility of approving and reviewing the credit risk strategy and credit risk policies of the bank. This role is part of the board’s ultimate responsibility of offering overall strategic direction to the bank. The credit risk strategy should clearly set the acceptable risk appetite and tolerance the institution is willing to engage, and the level of profitability the bank expects to achieve for incurring the various credit risks. The credit policies should be adequate and must cover all the activities in which credit exposure is a significant risk.

The board should ensure that:

- The credit strategy has a statement on acceptable levels of exposure to the various economic sectors, currencies and maturities. It should also include the target markets, diversification and concentration of the credit portfolio.
- The credit risk strategy and policies are effectively communicated throughout the institution.
- The financial results of the institution are periodically reviewed to determine if changes need to be made to the credit risk strategy.
- The recruitment procedure ensures that the senior management team is fully capable of managing the credit risk.
- There is an internal audit function capable of assessing compliance with the credit policies and management of the entire credit portfolio.
- The delegation authority and approval levels are clearly defined.
- The management provides periodic reports on the insiders, provisioning and write-off on credit loan losses and audit findings on the credit granting and monitoring processes.

3.2.2 Senior Management

The senior management has the responsibility of implementing the credit strategy approved by the board of directors and developing policies and procedures for effective management of the credit risk. The senior management should ensure the following:

- The credit granting activities conform to the laid down strategy.
- Written procedures have been developed, implemented and responsibilities of the various functions are clearly defined.
- Compliance with internal exposure limits, prudential limits and regulatory requirements.
- The credit policies must be communicated throughout the institution, implemented, monitored and revised periodically to address any changes.
- Internal audit reviews of the credit risk management system and credit portfolio are undertaken regularly.
- Adequate research is undertaken for any new products or activities to ensure the risks are appropriately identified and managed. These products must receive prior board approval.

3.3 Policies, Procedures and Limits

3.3.1 Policies relating to limits

Establishment of sound and well-defined policies, procedures and limits is vital in the management of credit risk. These should be well documented, duly approved by the board and strictly implemented by management. Credit policies establish the framework for lending and guide the credit-granting activities of the institution. An effective credit policy should outline the following:-

Defines the credit concentrations, limits and exposures the organization is willing to assume. These limits will ensure that credit activities are adequately diversified. The policy on large exposures should be well documented to enable banks to take adequate measures to ensure concentration risk is mitigated.
The policy will stipulate clearly the percentage of the bank’s capital and reserves that the institution can grant as loans or extend as other credit facilities to any individual entity or related group of entities. In the exposure limit, contingent liabilities should be included – for example guarantees, acceptances and letters of credit.

In the case of large exposures, banks must pay attention to the completeness and adequacy of information about the debtor. Credit staff should ensure they monitor events affecting large debtors and their performance on an on-going basis. Where external events present a cause for concern, credit officers should request for additional information from the debtor. If there are signs that the debtor might have difficulties in meeting its obligations to the bank, the concerns should be raised with the credit management and a contingency plan developed to address the issues.

The policy should require that the board approve all loans to related or connected parties. These credits should be based on market terms and should not be more favourable with regard to amount, maturity, rate and collateral than those provided to other customers.

On exposure limits the policies should include the following:

o Acceptable exposure to individual borrowers.
o Maximum exposure to connected groups and insider dealings.
o The total overall limit on the credit portfolio in relation to capital, assets or liabilities.
o Limits in relation to geographical location.
o Maximum exposure to individual economic sectors (for example commercial, consumer, real estate, agricultural).
o Acceptable limits on specific products.

Banks should ensure that their own internal exposure limits comply with any requirement made by the Central Bank under the Banking Act.
In order to be effective, credit policies must be communicated throughout the organization, implemented through appropriate procedures, and periodically revised to take into account changing internal and external circumstances.

3.3.2 Segregation of Duties

Credit policy formulation, credit limit setting, monitoring of credit exposures and review and monitoring of documentation are functions that should be performed independent of the loan origination function. For small banks, where it might not be feasible to establish such structural hierarchy, there should be adequate compensating measures to maintain credit discipline, introduce adequate checks and balances and standards to address potential conflicts of interest.

3.3.3 Policies relating to credit products

The various types of loan products and credit instruments the institution intends to offer should be documented. Management must have a good understanding of all the products on offer and a careful review of the existing and potential risks must be undertaken. The products should also have a maturity profile and the pricing of these products should be included and periodically reviewed. Any new products should be fully researched and prior board approval obtained before introduction to the customers.

Credit exposure for all off balance sheet commitments should be well documented. These main off balance sheet items include letters of credit, guarantees, futures, options, swaps etc. The policy will stipulate the credit risk analysis procedures and the administration of these credit instruments. The key objective of the review is to assess the ability of the client to meet particular financial commitments in a timely manner.

3.3.4 Policies relating to credit assessment and granting process

Banks must operate under sound, well-defined credit-granting criteria.
These criteria should include a thorough understanding of the borrower or counterparty, as well as the purpose and structure of the credit, and its source of repayment.

Banks must receive sufficient information to enable a comprehensive assessment of the true risk profile of the borrower or counterparty. At a minimum, the factors to be considered and documented in approving credits must include:

- the purpose of the credit and source of repayment;
- the integrity and reputation of the borrower or counterparty;
- the current risk profile (including the nature and aggregate amounts of risks) of the borrower or counterparty and its sensitivity to economic and market developments;
- the borrower’s repayment history and current capacity to repay, based on historical financial trends and cash flow projections;
- the borrower credit rating/report from licensed Credit Reference Bureau;
- a forward-looking analysis of the capacity to repay based on various scenarios;
- the legal capacity of the borrower or counterparty to assume the liability;
- for commercial credits, the borrower’s business expertise and the status of the borrower’s economic sector and its position within that sector;
- the proposed terms and conditions of the credit, including covenants designed to limit changes in the future risk profile of the borrower; and
- where applicable, the adequacy and enforceability of collateral or guarantees, including under various scenarios.

Also, lending authority delegated to staff with clearly established limits should be documented. It is important to include the functions and reporting procedures of the various committees and individual lending officers.

In addition, it is important to have checks and balances in place that ensure credit is granted on arms-length basis. Extensions of credit to directors, senior management and other influential parties, for example shareholders, should not override the established credit granting and monitoring processes of the bank.
3.3.5 Credit risk mitigation techniques

Institutions use various techniques of mitigating credit risk. The most common are collateral, guarantees and netting off of loans against deposits of the same counter-party. While the use of these techniques will reduce or transfer credit risk, other risks may arise which include legal, operational, liquidity and market risks. Therefore there is a need for a bank to have stringent procedures and processes to control these risks and have them well documented in the policies. At present, in this jurisdiction, the common credit risk mitigation technique used is collateral.

A collateralized transaction is one in which institutions have a credit exposure or potential credit exposure and the exposure is reduced in whole or in part by collateral. The following is essential:

- There must be legal certainty. All documentation used for collateralized transactions must be binding to all parties and also be legally enforceable.
- The legal environment must provide for right of liquidation or right of possession in a timely manner in the event of default.
- Necessary steps must be taken for obtaining and maintaining an enforceable security, for example registration, right of set-off or transfer of title must meet all the legal requirements.
- Procedures for timely liquidation of collateral should be in place.
- Ongoing valuations of the collateral should be undertaken to confirm that it remains realisable.
- Guidance on the various acceptable forms of collateral should be documented.

The institution should primarily assess the borrower’s capacity to repay and should not use collateral to compensate for insufficient information.

3.3.6 Internal Risk Rating Systems

An important tool in monitoring the quality of individual credits, as well as the total portfolio, is the use of an internal risk rating system.
A well-structured internal risk rating system is a good means of differentiating the degree of credit risk in the different credit exposures of a banking institution. This will allow more accurate determination of the overall characteristics of the credit portfolio, concentrations, problem credits and the adequacy of loan loss reserves. In determining loan loss reserves, banks should ensure that the Central Bank of Kenya classification criteria are the minimum.

Typically, an internal risk rating system categorises credits into various classes designed to take into account the gradations in risk. Simpler systems might be based on several categories ranging from satisfactory to unsatisfactory; however, more meaningful systems will have numerous ratings for credits considered satisfactory in order to truly differentiate the relative credit risk they pose. While developing their systems, banks must decide whether to rate the riskiness of the borrower or counterparty, the risks associated with a specific transaction, or both.

Internal risk ratings are an important tool in monitoring and controlling credit risk. In order to facilitate early identification, an institution’s internal risk rating system should be responsive to indicators of potential or actual deterioration in credit risk, e.g. financial position and business condition of the borrower, conduct of the borrower’s accounts, adherence to loan covenants and value of collateral. Credits with deteriorating ratings should be subject to additional oversight and monitoring, for example, through more frequent visits from credit officers and inclusion on a watch list that is regularly reviewed by senior management.

The internal risk ratings can be used by line management in different departments to track the current characteristics of the credit portfolio and help determine necessary changes to the credit strategy.
Consequently, it is important that the board of directors and senior management also receive periodic reports on the condition of the credit portfolios based on such ratings.

The ratings assigned to individual borrowers or counterparties at the time the credit is granted must be reviewed on a periodic basis and individual credits should be assigned a new rating when conditions either improve or deteriorate. Because of the importance of ensuring that internal ratings are consistent and accurately reflect the quality of individual credits, responsibility for setting or confirming such ratings should rest with a credit review function independent of that which originated the credit concerned. It is also important that the consistency and accuracy of ratings is examined periodically by a function such as an independent credit review group.

3.3.7 Policies on Management of problem credits

The credit policy should establish the procedures for dealing with deteriorating and managing problem credits. Early recognition of weaknesses in the credit portfolio is important and allows alternative action and for an effective determination of loan loss potential.

An institution must have clearly articulated and documented policies in respect of the counting of days past due. In particular, policies should cover granting extensions, deferrals, renewals and additional credits to existing accounts. At a minimum, it must have approval levels and reporting requirements in respect of the above.

The policy should define a follow-up procedure for all loans and the various reports to be submitted both to management and board of directors. It should also include the internal rating for loan classification and provisioning.

3.3.8 Policies on Inter-bank transactions

Inter-bank transactions also portend significant credit risk.
These transactions are essentially for facilitation of fund transfers, settlement of securities transactions or because certain services are more economically performed by other banks due to their size or geographical location. An institution’s lending policy should typically focus on the following:

- The establishment and observation of counter party credit limits.
- Any inter-bank transaction for which specific provisions should be made.
- The method and accuracy of reconciliation of the nostro and vostro accounts.
- Any inter-bank credit with terms of pricing that is not a market norm.
- The concentration of inter-bank exposure with a detailed listing of banks and amounts outstanding as well as lending limits.

3.3.9 Provisioning policy

The credit policy must clearly outline the provisioning procedures for all credits and the capital charge to be held. This should comply at a minimum with the International Accounting Standards, regulatory requirements and provisioning guidelines already issued by the Central Bank of Kenya.

3.4 Measuring and Monitoring Credit Risk

3.4.1 Measuring Credit risk

An institution should have procedures for measuring its overall exposure to credit risk as well as exposure to connected groups, products, customers, market segments and industries for appropriate risk management decisions to be made.

Internationally, the direction has been for institutions to put in place stringent internal systems and models, which allow them to effectively measure credit risk. This risk measurement system assists institutions to make provisions for credit risk and assign adequate capital.

The effectiveness of the institution’s credit risk measurement process is dependent on the quality of management information systems and the underlying assumptions supporting the models. The quality, detail and timeliness of the information is of paramount importance in determining the effectiveness of the credit risk management.
The measurement of the risk should take into account the nature of the credit, maturity, exposure, profile, existence of collateral or guarantees and potential for default. The institution should also undertake an analysis of the whole economy or in particular sectors to ensure contingency plans are developed for higher than expected levels of delinquencies and defaults.

An important tool in monitoring the quality of individual credits, as well as the total portfolio, is the use of an internal risk rating system. A well-structured internal risk rating system is a good means of differentiating the degree of credit risk in the different credit exposures of a bank. This will allow more accurate determination of the overall characteristics of the credit portfolio, concentrations, problem credits, and the adequacy of loan loss reserves. More detailed and sophisticated internal risk rating systems, used primarily at larger banks, can also be used to determine internal capital allocation, pricing of credits, and profitability of transactions and relationships.

Typically, an internal risk rating system categorizes credits into various classes designed to take into account the gradations in risk. Simpler systems might be based on five categories which include Normal, Watch, Substandard, Doubtful and Loss; however, more detailed systems with numerous ratings for credits may be considered.

3.4.2 Monitoring Credit Risk

An institution should have in place a system for monitoring the condition of individual credits. Key indicators of credit condition should be specified and monitored to identify and report potential problem credits. These would include indicators from the following areas:-

Financial Position and Business Conditions
Key financial performance indicators on profitability, equity, leverage and liquidity should be analysed as well as the operating environment of the obligor.
When monitoring companies dependent on key management personnel or shareholders, such as small and medium enterprises, an institution should pay particular attention to assessing the status of these parties.

Conduct of Accounts
An institution should monitor the borrower’s principal and interest repayments, account activity, as well as instances of excesses over credit limits.

Loan Covenants
The borrower’s ability to adhere to pledges and financial covenants stated in the loan agreement should be assessed and breaches detected should trigger prompt action.

Status and Valuation of Collateral
The value of collateral should be updated periodically to account for changes in market conditions. For example, where the collateral is property or shares, an institution should undertake more frequent valuations in adverse market conditions. If the facility is backed by an inventory or goods purportedly on the obligor’s premises, appropriate inspections should be conducted to verify the existence and valuation of the collateral.

External Rating and Market Price
Changes in an obligor’s external credit rating and market prices of its debt or equity issues could indicate potential credit concerns.

Force Majeure Situation
The institution should consider any unforeseen circumstances that have come into play which might affect the borrower’s ability to repay a facility.

In addition to monitoring the above risk indicators, an institution should also monitor the use of funds to determine whether credit facilities are drawn down for their intended purposes. Where a borrower has utilised funds for purposes not shown in the original proposal, the institution should determine the implications on the creditworthiness of the obligor. Exceptions noted during the monitoring process should be promptly acted upon and reported to management.

3.4.3 Credit administration

Credit administration is critical in ensuring the soundness of the credit portfolio.
It is the responsibility of management to set up a credit administration team to ensure that once a credit is granted it is properly maintained and administered. This will include record keeping, preparation of the terms and conditions as well as perfection and safe custody of the securities. Credit files of institutions should contain the following information:

- Credit application.
- Evidence of approval.
- Latest financial information.
- Record and date of all credit reviews.
- Record of all guarantees and securities.
- Record of terms and conditions of facility.
- Evidence of securities validation function that should include legal validity, existence, valuation, registration of charge and safekeeping.
- Internal rating.

While developing the credit administration process, institutions should develop controls to ensure compliance with the applicable laws and regulations and internal policy. Adequate segregation of duties between approval and administration process should be maintained.

Ongoing administration of the credit portfolio is an essential part of the credit process. The credit administration function is basically a back office activity that supports and controls extension and maintenance of credit. A typical credit administration unit performs the following functions:-

a. Documentation - It is the responsibility of credit administration to ensure completeness of documentation (loan agreements, guarantees, transfer of title of collaterals etc) in accordance with approved terms and conditions. Outstanding documents should be tracked and followed up to ensure execution and receipt.

b. Credit Disbursement - The credit administration function should ensure that the loan application has proper approval before entering facility limits into computer systems. Disbursement should be effected only after completion of covenants, and receipt of collateral holdings. In case of exceptions necessary approval should be obtained from competent authorities.

c.
Credit monitoring - After the loan is approved and draw down allowed, the loan should be continuously monitored. This includes keeping track of borrowers’ compliance with credit terms, identifying early signs of irregularity, conducting periodic valuation of collateral and monitoring timely repayments.

d. Loan Repayment - The obligors should be communicated to ahead of time as and when the principal/markup installment becomes due. Any exceptions such as non-payment or late payment should be tagged and communicated to the management. Proper records and updates should also be made after receipt.

e. Maintenance of Credit Files - Institutions should devise procedural guidelines and standards for maintenance of credit files. The credit files should not only include all correspondence with the borrower but should also contain sufficient information necessary to assess the financial health of the borrower and its repayment performance.

f. Collateral and Security Documents - Institutions should ensure that all security documents are kept in a fireproof safe under dual control. Registers for documents should be maintained to keep track of their movement. Procedures should also be established to track and review relevant insurance coverage for certain facilities/collateral. Physical checks on security documents should be conducted on a regular basis.

While in small institutions it may not be cost effective to institute a separate credit administrative set-up, it is important that in such institutions individuals performing sensitive functions such as custody of key documents, wiring out funds, entering limits into system, should report to managers who are independent of business origination and credit approval process.

3.4.4 Credit exposure and risk reporting

Credit risk information should be provided to the board and management with sufficient frequency and timeliness, and should be reliable.
Reports should be generated on the credit activities both on and off balance sheet, for example:

- Credit exposures by business line such as commercial, industrial sector, real estate, construction, credit cards, mortgage and leasing.
- Credit exposures relating to the composition of on and off balance sheet credits by major types of counterparties, including government, foreign corporate, domestic corporate, consumer and other financial institutions.
- Significant credit exposure in relation to individual borrowers or counterparties, related borrowers or groups of borrowers.
- Credit exposures by major asset category showing impaired and past due amounts relating to each category.
- Credit exposures restructured during a certain period and credits for which special conditions have been granted.

3.5 Stress testing

There is a distinct difference in the nature and magnitude of credit risks faced by an institution under normal business conditions and under stress conditions, such as financial crises. Under stress conditions, asset values and credit quality may deteriorate by a magnitude not predicted by analysis of normal business conditions. Stress testing is a tool that can be used to assess the impact of market dislocations on an institution’s credit portfolio. It can aid the institution in estimating the range of losses that it could incur in stress conditions, and in planning appropriate remedial actions.

An important component of stress testing is the identification and simulation of stress conditions or scenarios an institution could encounter. The stress events and scenarios postulated should be plausible and relevant to the institution’s portfolio. These scenarios could include economic or industry changes, market-risk events and liquidity conditions. Institutions must be in a position to analyze the various situations in the economy or certain sectors to determine the event that could lead to substantial losses or liquidity problems.
Whatever methods are used for stress testing, the output of these should be reviewed periodically and appropriate action taken by senior management in cases where results exceed agreed tolerance.

3.6 Internal controls and audit

Institutions should have in place an independent internal system for assessment of the credit risk management process. This function is necessary in order to independently enable the board to determine whether the risk management process is working effectively. The results of these audits should be communicated promptly to the directors and senior management. The review should provide sufficient information to the board and management to enable them to evaluate accurately the performance and condition of the portfolio. The credit review function should report directly to the board of directors or a board audit committee.

A review of the lending process should include analysis of the credit manuals and other written guidelines applied by various departments of a bank, and the capacity and actual performance of all departments involved in the credit function. It should also cover origination, appraisal, approval, disbursement, monitoring, collection and handling procedures for the various credit functions provided by the institution. The internal audit review team should ensure the following:-

- The credit granting function is carried out effectively.
- The credit exposures are within the prudential and internal limits set by the board.
- Validation of significant change in the risk management process.
- Verification of the consistency, timeliness and reliability of data used for internal risk rating system.
- Compliance with the institution’s credit policies and procedures.
- Adherence to internal risk rating system.
- Identification of areas of weaknesses in the credit risk management process.
- Exceptions to the policies, procedures and limits.

The internal audit should be conducted on a periodic basis and ideally not less than once a year.
The audits should also identify weaknesses in the credit risk management process and any deficiencies in the policies and procedures.

4.0 LIQUIDITY RISK MANAGEMENT

4.1 Introduction

Liquidity risk is defined as the risk to an institution’s earnings or capital arising from its inability to meet its obligations as they fall due, without incurring significant costs or losses. Liquidity stress can lead to financial distress or even insolvency. More importantly, if not dealt with adequately and in a timely manner, the liquidity stress of an individual bank may trigger a crisis of confidence in the banking sector as a whole.

Liquidity risk management systems involve not only analyzing banks’ on and off balance sheet positions to forecast future cash flows but also how the funding requirements could be met. The latter involves identifying the funding market to which the bank has access, understanding the nature of those markets, evaluating the bank’s current and future use of the market and monitoring signs of erosion of confidence.

4.2 Board and Senior Management Oversight

The prerequisites of an effective liquidity risk management include an informed board, capable management, staff with relevant expertise and efficient systems and procedures. It is the responsibility of an institution’s board and management to ensure that the institution has sufficient liquidity to meet its obligations as they fall due. It is primarily the duty of the board of directors to understand the liquidity risk profile of the institution and the tools used to manage liquidity risk. The board has to ensure that the institution has necessary liquidity risk management framework and that the institution is capable of confronting uneven liquidity scenarios.
Generally the board should:

- Approve the institution’s strategic direction and tolerance level for liquidity risk;
- Appoint senior managers who have the ability to manage liquidity risk and delegate to them the required authority to accomplish the job;
- Continuously monitor the institution’s performance and overall liquidity risk profile; and
- Ensure that liquidity risk is identified, measured, monitored and controlled.

Senior management is responsible for the implementation of sound policies and procedures keeping in mind the strategic direction and risk appetite specified by the board. To effectively oversee the daily and long term management of liquidity risk, senior managers should:-

- Develop and implement procedures and practices that translate the board’s goals, objectives and risk tolerance into operating standards that are well understood by the bank staff;
- Adhere to the lines of authority and responsibility that the board has established for managing liquidity risk;
- Oversee the implementation and maintenance of management information and other systems that identify, measure, monitor, and control the bank’s liquidity risk;
- Establish effective internal controls over the liquidity risk management process; and
- Ensure and review the contingency plans of the institution for handling disruptions to its ability to fund some or all of its activities in a timely manner and at a reasonable cost.

The responsibility for managing daily liquidity assessment resides with the treasurer. However, the balance sheet liquidity management resides with ALCO, which should comprise senior management from key areas of the institution that identify/manage liquidity risk. It is important that these members have clear authority over the units responsible for executing liquidity-related transactions so that ALCO directives reach these line units unimpeded. The ALCO should meet monthly, if not more frequently.
A sound framework for managing liquidity risk has three dimensions:

- maintaining a stock of liquid assets that is appropriate to the institution’s cash flow profile and that can be readily converted into cash without incurring undue capital losses;
- measuring, controlling and scenario testing of funding requirements; and
- managing access to funding sources.

4.3 Policies, Procedures and Limits

4.3.1 Policies

Institutions should formulate a comprehensive and responsive liquidity policy statement that takes into account all on- and off-balance sheet activities and should be recommended by senior management and approved by the board of directors. While specific details vary across institutions according to the nature of their business, the key elements of any liquidity policy should include:

- General liquidity strategy (short- and long term), specific goals and objectives in relation to liquidity risk management, process for strategy formulation and the level of approval within the institution;
- Roles and responsibilities of individuals performing liquidity risk management functions, including structural balance sheet management, pricing, marketing, contingency planning, management reporting, lines of authority and responsibility for liquidity decisions;
- Liquidity risk management structure for monitoring, reporting and reviewing liquidity;
- Liquidity risk management tools for identifying, measuring, monitoring and controlling liquidity risk (including the types of liquidity limits and ratios in place and rationale for establishing limits and ratios);
- Where an institution is actively involved in multiple currencies and/or where positions in specific foreign currencies are significant to its business, its liquidity policy should address the measurement and management of liquidity in these individual currencies which should include a back-up liquidity strategy for circumstances in which its normal access to funding in individual foreign currencies is disrupted; and
- Contingency plan for handling liquidity crisis.

To be effective, the liquidity policy must be communicated down the line throughout the organization. It is important that the board and senior management review these policies at least annually and when there are any material changes in the institution’s current and prospective liquidity risk profile.

4.3.2 Procedures

Institutions should establish appropriate procedures and processes to implement their liquidity policies and include the following features:
- A procedures manual which should explicitly narrate the necessary operational steps and processes to execute the relevant liquidity risk controls;
- Periodic review and updating of the manual to take into account new activities, changes in risk management approaches and systems;
- Management should be able to accurately identify and quantify the primary sources of an institution’s liquidity risk in a timely manner;
- To properly identify the sources, management should understand both existing as well as future risk that the institution can be exposed to; and
- Management should always be alert for new sources of liquidity risk at both the transaction and portfolio levels.

4.3.3 Limits

Limits should be set that are appropriate to the size, complexity and financial condition of the financial institution. The limits should be periodically reviewed and adjusted when conditions or risk tolerances change. When limiting risk exposure, senior management should consider the nature of the institution’s strategies and activities, its past performance, the level of earnings, capital available to absorb potential losses, and the board’s tolerance for risk. Institutions may use a variety of ratios to quantify liquidity and create limits for liquidity management. In addition, balance sheet complexity will determine how much and what types of limits a bank should establish over daily and long-term horizons.
While limits will not prevent liquidity crisis, limit exceptions can be early indicators of excessive risk or inadequate liquidity risk management.

4.4 Measuring and Monitoring Liquidity Risk

Liquidity measurement involves assessing an institution’s cash inflows against its outflows and the liquidity value of its assets to identify the potential for future net funding shortfalls. An institution should be able to measure and forecast its prospective cash flows for assets, liabilities, off-balance sheet commitments and derivatives over a variety of time horizons, under normal conditions and a range of stress scenarios, including scenarios of severe stress.

An effective measurement and monitoring system is essential for adequate management of liquidity risk. Consequently, institutions should institute systems that enable them to capture liquidity risk ahead of time, so that appropriate remedial measures can be prompted to avoid any significant losses. An effective liquidity risk measurement and monitoring system not only helps in managing liquidity in times of crisis but also optimizes return through efficient utilization of available funds.

Key elements of an effective risk management process include an efficient Management Information System (MIS) and systems to measure, monitor and control risks. Every institution’s MIS should be integrated into the overall management information systems of the institution, and thus link various units related to treasury activities, i.e. the dealing, the treasury operation and risk management department. A strong management information system that is flexible enough to deal with various contingencies that may arise is central to making sound decisions related to liquidity.

4.4.1 Measurement of liquidity position

The following are the indicators that a bank should utilise, at a minimum, to measure its liquidity position.
A bank must establish appropriate internal guidelines on the level of the ratio and ensure prompt corrective actions are undertaken to address any liquidity shortfall. It should be noted that the measures outlined in 4.4.1.3 developed by the Basel Committee on Banking Supervision are intended to come into effect in 2015. Institutions are encouraged to refer to the measures in 4.4.1.3 to strengthen their liquidity risk management frameworks.

4.4.1.1 Minimum Liquidity Ratio

Section 19 of the Banking Act requires that ‘an institution shall maintain such minimum holding of liquid assets as the Central Bank may from time to time’. Currently an institution is required to maintain a statutory minimum of twenty per cent (20%) of all its deposit liabilities, matured and short term liabilities in liquid assets. The institution can however develop its own higher minimum liquidity ratio based on size, complexity and the risk appetite.

4.4.1.2 Loan to Deposit Ratio

Banks should compute, at month end, a loan to deposit ratio. Such a ratio provides a simplified indication of the extent to which a bank is funding illiquid assets by stable liabilities. Institutions should set a trigger loan-deposit ratio above which liquidity risk management should be enhanced.

4.4.1.3 Liquidity Coverage Ratio

The LCR is intended to promote resilience to potential liquidity disruptions over a thirty day horizon. The ratio ensures that institutions have sufficient unencumbered, high-quality liquid assets to offset the net cash outflows they could encounter under an acute short-term stress scenario.

LIQUIDITY COVERAGE RATIO = (Stock of High Quality Liquid Assets) / (Total Net Cash Outflow Over 30 Day Period) ≥ 100%

High quality liquid assets include ‘liquid assets’ specified in the Banking Act Section 19 (2) (a) to (e) and any other assets with the following characteristics:
- Low credit risk – Risk of default by the counterparty is low.
- Low market risk – The asset should be easily traded in a developed, recognized and active market.

Net cash outflows are defined as cumulative expected cash outflows minus cumulative expected cash inflows arising in the specified stress scenario in the time period under consideration. This is the net cumulative liquidity mismatch position under the stress scenario measured at the test horizon. Cumulative expected cash outflows are calculated by multiplying outstanding balances of various categories or types of liabilities by assumed percentages that are expected to roll-off, and by multiplying specified draw-down amounts to various off-balance sheet commitments. Cumulative expected cash inflows are calculated by multiplying amounts receivable by a percentage that reflects expected inflow under the stress scenario.

4.4.1.4 Net Stable Funding Ratio (NSFR)

Stable Funding is funding which is not susceptible to fluctuations and is readily available at affordable cost and for a longer period of time (at least one year). The NSFR requires a minimum amount of stable sources of funding at an institution relative to the liquidity profiles of the assets, as well as the potential for contingent liquidity needs arising from off-balance sheet commitments, over a one-year horizon. The NSFR aims to limit over-reliance on short-term wholesale funding during times of buoyant market liquidity and encourage better assessment of liquidity risk across all on- and off-balance sheet items.

NSFR = (Available amount of Stable Funding) / (Required amount of Stable Funding) ≥ 100%

Available amount of Stable Funding (ASF)

The ASF comprises the bank’s capital, preferred stock and liabilities with maturities greater than or equal to one year, portions of demand and term deposits by retail customers and wholesale funding having residual maturities < 1 year which are not expected to be withdrawn during the stress event.
It does not include borrowings from the central bank other than those available through regular open market operations. Each of these components is slotted into 4 separate ASF categories which are assigned ASF factors representing the amount of that component’s carrying value that will be included in the calculation of the numerator of the ratio. Broadly, the Available amount of Stable Funding (ASF) factors are as given below.
- Bank’s capital, preferred stock and liabilities with maturities greater than or equal to one year will be assigned a factor of 100%.
- Stable and less stable portions of demand and term deposits by retail customers having residual maturities < 1 year will be assigned ASF factors of 90% and 80% respectively.
- Unsecured wholesale funding having residual maturities < 1 year will have an ASF factor of 50%.
- All other liabilities and equity categories not specified in the ASF categories mentioned will be assigned a factor of 0%.

The available amount of stable funding is calculated as the weighted sum of the carrying values of each ASF component, where the weights are ASF factors assigned to each component category.

Required amount of Stable Funding (RSF)

As in the case of the numerator of the NSFR ratio, the RSF is calculated as the weighted sum of the value of assets held and funded by the entity, including off-balance sheet exposures, where the weights are RSF factors assigned to each RSF asset category. The weights represent the portion of the asset that would not be able to be monetized either by its sale or its use as collateral in an extended firm-specific liquidity stress scenario, that is, assets that in effect would need to be covered by more stable sources of funds. Hence more liquid assets will be assigned a lower RSF factor whereas a higher RSF factor will be applied to values of the more illiquid assets.
A brief outline of asset categories and RSF factors is given below:
- Cash, unencumbered short-term unsecured actively traded securities, securities with exactly offsetting reverse repo, securities and non-renewable loans with residual maturities < 1 year will have an RSF factor of 0%.
- Unencumbered debt issued or guaranteed by sovereigns, central banks, BIS, IMF, EC and PSEs/multilateral development banks with risk weights of 0% under the Basel II standardized approach are assigned an RSF factor of 5%.
- Unencumbered non-financial sector corporate and covered bonds having residual maturities > 1 year with rating grade of AA- or higher and debt issued or guaranteed by sovereigns, central banks, PSEs with risk weights of 20% are assigned an RSF factor of 20%.
- Unencumbered listed equity securities or non-financial senior unsecured corporate bonds with residual maturities > 1 year and rating grades A+ to A-, gold and loans to non-financial corporate clients, sovereigns, central banks and PSEs with residual maturities > 1 year will have an RSF factor of 50%.
- Unencumbered residential mortgages of any residual maturity and non-financial entity loans with residual maturities > 1 year having risk weights of 35% will be assigned an RSF factor of 65%.
- Unencumbered retail loans with residual maturities < 1 year will have an RSF factor of 85%.
- All other assets are assigned an RSF factor of 100%.
- Off-balance sheet undrawn committed credit and liquidity lines are assigned RSF factors of 5%.

4.4.1.5 Maturity Profile

Analyzing funding requirements involves the construction of a maturity profile. A cash flow projection estimates a bank’s inflows and outflows and thus establishes the net deficit or surplus (GAP) over a time horizon. It takes into account the institution’s funding requirement arising out of distinct sources on different time frames.
Maturity profiles will depend heavily on assumptions regarding future cash flows associated with assets, liabilities and off-balance sheet items. Institutions should review the assumptions utilized in managing liquidity frequently to determine that they continue to be valid, since an institution’s future liquidity position will be affected by factors that cannot always be forecast with precision given the rapidity of change in financial markets.

4.4.2 Monitoring Liquidity

4.4.2.1 Management Information

An institution should have a reliable management information system designed to provide the board of directors, senior management and other appropriate personnel with timely and forward-looking information on the liquidity position of the bank. The management information system should have the ability to calculate liquidity positions in all of the currencies in which the bank conducts business. To effectively manage and monitor its net funding requirements, an institution should have the ability to calculate liquidity positions on an intraday basis, on a day-to-day basis for the shorter time horizons, and over a series of more distant time periods thereafter. The management information system should be used in day-to-day liquidity risk management to monitor compliance with the bank’s established policies, procedures and limits.
4.4.2.2 Key Liquidity Factors

The following key liquidity factors should be monitored closely:
- The maturity profile of cash flows under varying scenarios;
- The stock of liquid assets available to the institution and their market values;
- The ability of an institution to execute asset sales in various markets (notably under adverse conditions) and to borrow in markets;
- Potential sources of volatility in assets and liabilities (and claims and obligations arising from off-balance sheet business);
- The impact of adverse trends in asset quality on future cash flows and market confidence in the bank;
- Credit standing and capacity of providers of standby facilities to meet their obligations;
- The impact of market disruptions on cash flows and on customers;
- Intra-group cash flows and the accessibility of intra-group funding; and
- The type of new deposits being obtained, as well as their source, maturity, and price.

4.4.2.3 Asset Liability Committee (ALCO)

In order to effectively monitor its liquidity risk, an institution is supposed to establish an Asset Liability Committee (ALCO) with the following roles:
a) Management of the overall liquidity of the institution;
b) ALCO must report directly to the Board or, in the case of a foreign incorporated bank, to senior management of the institution in the country;
c) ALCO must facilitate, coordinate, communicate and control balance sheet planning with regard to risks inherent in managing liquidity and convergences in interest rates; and
d) ALCO is responsible for ensuring that a bank’s operations lie within the parameters set by its Board of Directors. However, the ALCO is not responsible for formulating the in-house liquidity risk management policy.

In determining the composition, size and various roles of the ALCO, the Board is required to consider the size of the institution, the risks inherent in the institution’s operations and the organizational complexity.
All institutions are required to maintain a written report of the deliberations, decisions and roles of the ALCO with regard to liquidity risk management.

4.4.3 Contingency Planning

In order to develop a comprehensive liquidity risk management framework, institutions should have way-out plans for stress scenarios. A Contingency Funding Plan (CFP) is a set of policies and procedures that serves as a blueprint for a bank to meet its funding needs in a timely manner and at a reasonable cost. It is a projection of future cash flow sources of a bank under market scenarios including aggressive asset growth or rapid liability erosion. To be effective, it is important that a CFP represent management’s best estimate of balance sheet changes that may result from liquidity or credit events. An effective CFP should consist of several components:
- Specific procedures to ensure timely and uninterrupted information flows to senior management.
- Clear division of responsibility within management in a crisis.
- Action plans for altering asset and liability behaviors (i.e., market assets more aggressively, sell assets intended to hold, raise interest rates on deposits).
- An indication of the priority of alternative sources of funds (i.e., designating primary and secondary sources of liquidity).
- A classification of borrowers and trading customers according to their importance to the institution in order to maintain customer relationships; and
- Plans and procedures for communicating with the media. Astute public relations management can help a bank to avoid the spread of rumors that could result in a significant run-off of funds.
4.4.4 Stress Testing

An institution should conduct stress tests on a regular basis for a variety of short-term and protracted institution-specific and market-wide stress scenarios (individually and in combination) to identify sources of potential liquidity strain and to ensure that current exposures remain in accordance with a bank’s established liquidity risk tolerance. A bank should use stress test outcomes to adjust its liquidity risk management strategies, policies, and positions and to develop effective contingency plans.

Stress testing involves subjecting an institution’s liquidity position to several scenarios and assessing whether the institution can withstand liquidity shocks. The scenario entails a significant stress, albeit not a worst-case scenario, and assumes the following:
- a significant downgrade of the institution’s public credit rating;
- loss of major deposits;
- a significant change in market interest rates;
- a significant increase in demand for loans and other funding;
- increases in off-balance sheet exposures, including committed credit and liquidity facilities.

4.5.5. Internal Controls and Audit

In order to have effective implementation of policies and procedures, institutions should institute review processes that ensure compliance with the various procedures and limits prescribed by senior management. Institutions should have an adequate system of internal controls over the liquidity risk management process. There should be regular, independent reviews and evaluations of the effectiveness of the system.
A fundamental component of the internal control system should include:
- A strong control environment;
- An adequate process for identifying and evaluating liquidity risk;
- The establishment of control activities such as policies and procedures and adequate information systems with regular independent reviews and evaluations of the effectiveness of the system; and
- Ensuring that appropriate revisions or enhancements to internal controls are made.

Institutions should ensure that all aspects of the internal control systems are effective, including those that are not directly part of the risk management process. Periodic reviews should be conducted to verify the level of liquidity risk and management’s compliance with limits and operating procedures. Any exceptions should be reported immediately to senior management/board for necessary action to be taken.

5.0 MARKET RISK MANAGEMENT

5.1 Introduction

Market risk is the risk that the value of on- and off-balance sheet positions of a financial institution will be adversely affected by movements in market rates or prices such as interest rates, foreign exchange rates, equity prices, credit spreads and/or commodity prices, resulting in a loss to earnings and capital.

Institutions may be exposed to Market Risk in a variety of ways. Market risk exposure may be explicit in portfolios of securities/equities and instruments that are actively traded. It may also arise in the form of interest rate risk due to mismatch of loans and deposits and from activities categorized as off-balance sheet items. Therefore market risk is the potential for loss resulting from adverse movement in market risk factors such as interest rates, foreign exchange rates, equity and commodity prices.

What constitutes adequate market risk management practices can vary considerably from one institution to the other.
For example, less complex institutions whose senior managers are actively involved in the details of day-to-day operations may be able to rely on relatively basic market risk management processes. However, institutions that have more complex and wide-ranging activities are likely to require more elaborate and formal market risk management processes, to address their broad range of financial activities and to provide senior management with the information they need to monitor and direct day-to-day activities.

The risk arising from market risk factors can be categorized into the following categories:
- Interest rate risk
- Price Risk
- Foreign Exchange risk

5.1.1 Interest rate risk

Interest rate risk is the current or prospective risk to earnings and capital arising from adverse movements in interest rates. Excessive interest rate risk can pose a significant threat to an institution’s earnings and capital base. Changes in interest rates affect an institution’s earnings by changing its net interest income and the level of other interest-sensitive income and operating expenses. Changes in interest rates thus can have adverse effects on an institution’s earnings, capital and economic value.

5.1.2 Price Risk

Price risk is the risk that a bank may experience loss due to unfavorable movements in market prices. It arises from the volatility of positions taken in the four fundamental economic markets: interest-sensitive debt securities, equities, currencies and commodities. The volatility of each of these markets exposes banks to fluctuations in the price or value of on- and off-balance sheet marketable financial instruments.

5.1.3 Foreign Exchange risk

Foreign exchange risk is the current or prospective risk to earnings and capital arising from adverse movements in currency exchange rates. The potential for loss arises from the process of revaluing foreign currency positions on both on- and off-balance sheet items.
5.2 Board and Senior Management Oversight

5.2.1 The Board of Directors

The board of directors has the ultimate responsibility for understanding the nature and the level of market risk taken by the institution. The board therefore has the following principal responsibilities:
- To formulate and approve broad business strategies and policies that govern or influence the market risk of the institution. Accordingly, the board of directors is responsible for approving the overall policies with respect to interest rate risk, price risk and foreign exchange and ensuring that management takes the steps necessary to identify, measure, monitor and control these risks. It should also review the overall objectives of the institution with respect to market risk and ensure the provision of clear guidance regarding the level of market risk acceptable to the institution.
- To approve policies that identify lines of authority and responsibility for managing market risk exposures. As such it is responsible for ensuring that the institution has adequate policies and procedures for managing market risk on both a long-term and day-to-day basis and that it maintains clear lines of authority and responsibility for managing and controlling this risk.
- The board of directors should also review and approve the procedures to measure, manage and control price risk within which foreign exchange transactions shall be conducted. The board and senior management should therefore identify and have a clear understanding and working knowledge of the price risks inherent in the institution’s investment portfolio and make appropriate efforts to remain informed about these risks as financial markets, risk management practices, and the institution’s activities evolve.
- The board of directors should also review and approve the procedures to measure, manage and control foreign exchange risk within which foreign exchange transactions shall be conducted.
- To periodically review information that is sufficient in detail and timeliness to allow it to understand and assess the performance of senior management in monitoring and controlling these risks in compliance with the institution’s board-approved policies.

5.2.2 Senior Management

The senior management has the responsibility of implementing all approved policies that govern Market Risk and developing procedures for effective management of the risks.

1. Management should be mandated by the board to be responsible for maintaining:
   - Appropriate limits on risk taking;
   - Adequate systems and standards for measuring market risk;
   - Standards for valuing positions and measuring performance;
   - A comprehensive market risk reporting and review process; and
   - Effective internal controls.
2. Management should be sufficiently competent and able to respond to price risks, interest risks and foreign exchange risks that may arise from changes in the competitive environment or from innovations in markets in which the institution is active.

5.3 Policies, Procedures and Limits

Institutions should have clearly defined policies and procedures for limiting and controlling market risk on both on- and off-balance sheet positions. These policies should be applied on a consolidated basis and, as appropriate, at specific affiliates or other units of the institution. Such policies and procedures should:
- Delineate lines of responsibility and accountability over market risk management decisions and should clearly define authorized instruments, hedging strategies and position-taking opportunities.
- Identify the types of instruments and activities that the institution may employ or conduct, thus acting as a means through which the board can communicate their tolerance of risk on a consolidated basis and at different legal entities.
- Identify quantitative parameters that define the levels of interest rate risk, price risk and foreign exchange risk acceptable for the institution and, where appropriate, such limits should be further specified for certain types of instruments, portfolios and activities.
- Review and revise periodically the procedures so as to define the specific procedures and approvals necessary for exceptions to policies, limits and authorizations.
- Delineate a clear set of institutional procedures for acquiring specific instruments, managing portfolios and controlling the institution’s aggregate market risk exposure.

Prior to introducing a new product, hedging, or position-taking strategy, management should ensure that adequate operational procedures and risk control systems are in place. The board or its appropriate delegated committee should also approve major hedging or risk management initiatives in advance of their implementation.

An appropriate limit system should:
- Enable management to control market risk exposures, initiate discussion about opportunities and risks and monitor actual risk taking against predetermined risk tolerances;
- Ensure that positions that exceed certain predetermined levels receive prompt management attention;
- Be consistent with the overall approach to measuring market risk;
- Be approved by the board of directors and re-evaluated periodically;
- Be appropriate to the size, complexity and capital adequacy of the institution as well as its ability to measure and manage its risk; and
- Be identifiable with individual business units, portfolios, instrument types or specific instruments.

Institutions must have adequate information systems for measuring, monitoring, controlling and reporting market risk exposures. Reports must be provided on a timely basis to the board of directors, senior management and, where appropriate, individual business line managers.
The following are some of the board reports that should be provided:
- Violation of approved responsibilities by managers when taking interest rate risk exposures or investing in unapproved instruments;
- Excesses over approved interest rate limits;
- Any exceptions highlighted by the internal auditor.

5.4 Measurement, Monitoring and Control

5.4.1 Approaches to measuring and limiting Market Risk

Measuring risk is very critical to understanding the potential loss an institution may be exposed to in the event of any loss. The principal goal should be to provide strong assurance that losses resulting from market risk will not substantially diminish the capital and earnings of an institution. Common approaches to measuring and limiting market risk are:
- Limit the size of the open positions in each currency as of the close of business each day. Limits are established for either the nominal size of the position or the size of the percentage;
- Limit the size and concentration of investment that is price sensitive, based on percentage of either total investment or total assets of the institution;
- Adherence to the regulatory requirements that pertain to the net open positions;
- Determine, on a continuous basis, the size of the loss that would be incurred should the exchange rate move against the institution’s open position;
- Determine the size of the loss that would be incurred should the prices of shares and other investments move against the position the institution has taken; and
- Ensure adequate training of personnel and segregation of duties between the front and the back office.

5.4.2 Stress tests

Stress tests to measure vulnerability to loss arising from market risk operations should be undertaken regularly. Stress tests shall cover major interest rate, foreign exchange, commodities and equities exposures. Stress situations include but are not limited to market movements or bank specific situations in terms of profitability, liquidity and capital adequacy.
The risk measurement system should support a meaningful evaluation of the effect of stressful market conditions on the financial institution. Stress testing should be designed to provide information on the kinds of conditions under which the institution’s strategies or positions would be most vulnerable and thus may be tailored to the risk characteristics of the institution.

5.4.3 Assets and Liability Committee

The ALCO is crucial in the sound management of market risk. The committee is responsible for supervision and management of Market Risk and liquidity risk. The committee generally comprises senior managers from treasury, the Chief Financial Officer, business heads generating and using the funds of the bank, credit, and individuals from the departments having a direct link with interest rate and liquidity risks. The size as well as composition of ALCO depends on the size of each bank, business mix and organizational complexity. To be effective, ALCO should have members from each area of the bank that significantly influences market and liquidity risk.

The Asset and Liability Management Committee (ALCO) should review the management of foreign currency denominated assets and liabilities within the risk parameters approved by the Board of Directors.

5.4.4 Management Information System

An accurate, informative, and timely management information system is essential for managing market risk exposure, both to inform management and to support compliance with board policy. Reporting of risk measures should be regular and should clearly compare current exposure to policy limits. In addition, past forecasts or risk e