Risk Assessment Framework for Banks - CRAFT
Banking Supervisors Training Programme
17 July 2017
Kwan Meng Fen, Banking Department


Banking Supervisors Training Programme
Monetary Authority of Singapore Slide 2 of 42
Understand & be familiar with:
- process/steps of performing a risk assessment of a bank
Learning Outcomes
Supervisory Philosophy
MAS’ Framework for Risk & Impact Assessment of Financial Institutions
Supervisory Framework
Impact rating
Risk rating
Supervisory intensity
Risk assessment tool
Assesses the relative risk profile of the FI based on the business activities it conducts.
Uses activity-based approach to risk assessment
Produces supervisory assessment and rating for MAS’ supervisory purpose
rating goes into Impact and Risk Model to determine supervisory bucket (determines supervisory scope intensity & resource allocation)
assessment provides inputs to supervisory plan
ratings and concerns are disclosed to FI
What is CRAFT
Sources of information
• Meetings with bank, board, HO, IA, EA
• Bank internal reports
• EA and IA reports
• Inspection reports
• Applications, requests, queries received
• Updates on business plans, strategies
• Monitoring indicators, off-site surveillance
• Previous year CRAFT
• Peer bank assessments
• Media, research reports
• Credit rating agencies and analyses
• Inputs from other departments (ID, CMI, SRD)
CRAFT – Overview of Components
Overall Risk Rating (ORR)
Inherent Risks Control Factors Oversight & Governance Capital
Earnings
Operational management
Internal audit
CRAFT – Steps
for each SA
Capital & Support
Supervisory Plan
CRAFT Scoresheet
Significant Activities
IR of SA
Overall
IR by risk type CF by risk type Net risk by risk type
Board, Senior Management and Head Office Oversight Institution Net Risk Capital Earnings Overall Risk Rating
What is considered significant ?
Significance = material to the institution’s financial condition or risk profile
Factors to Consider
Quantitative (P&L, asset/liability size, RWA, staff strength, AUM, etc)
Qualitative (strategic importance, brand or reputation value, etc)
Should generally be consistent with how a FI organises and manages its activities
CRAFT – Significant Activity
CRAFT – Significant Activity
For Financial Groups: flexibility to treat non-bank entities as significant activities
CRAFT – Significant Activity
Examples of SAs (non-exhaustive)
• Corporate Banking
• Consumer Banking
• Investment Banking
• Private Banking
• Wealth Management
• Treasury
• Global Markets
• Clearing and Settlement
• Custody Services
• Regional Processing Centre
• Mortgage Services
CRAFT – Significant Activity
What about “insignificant activities”?
Periodically review the inventory of activities in light of new information
Briefly list the activities that are considered but not assessed to be material at time of assessment
CRAFT – Significant Activity
Intrinsic risk to a business activity arising from exposure to uncertain events or business conditions
No consideration of risk mitigating measures
8 risk categories: Credit
CRAFT – Inherent Risks
Risk Description
Credit Risk: The risk of loss arising from the failure of an obligor (e.g. borrower, counterparty, reinsurer, etc.) to perform according to the terms and conditions of his contract/agreement with the institution, as well as a loss in value of the institution's assets due to deterioration in credit quality of the obligor.
Liquidity Risk: The risk that an institution will be unable to meet expected and unexpected current and future cash flow needs hence affecting its daily operations or financial condition. It arises from the mismatch of maturities of cash inflows and outflows.
Market Risk: The adverse effect on asset value due to adverse movements in the level and volatility of the market rates or prices (e.g. interest rates, exchange rates, equity prices, commodity prices, credit spreads, etc.) of the underlying asset.
CRAFT – Inherent Risks
The risk of loss arising from complex operations, inadequate internal controls, processes and information systems, organisational changes, fraud or human errors, or unforeseen catastrophes (including terrorist attacks and natural disasters).
Technology Risk: Any potential adverse outcome, damage, loss, violation, failure or disruption arising from the use of or reliance on computer hardware, software, devices, systems, applications and networks. This risk is usually related to system flaws, processing errors, software defects, operating mistakes, hardware breakdowns, system failures, capacity inadequacies, network vulnerabilities, control weaknesses, security shortcomings, malicious attacks, hacking incidents, fraudulent actions or inadequate recovery capabilities.
The risk of loss resulting from inadequate pricing, making wrong judgments in the selection, approval and retention of risks to be insured or under-estimation of insurance policy liabilities.
CRAFT – Inherent Risks
Market Conduct Risk: The risk of loss or harm to consumers and counterparties arising from undesirable market conduct practices by an institution and/or its representatives, and/or their inability or unwillingness to comply with the requisite market and business conduct requirements.
Money Laundering/Terrorism Financing Risk: The risk of an institution being used to transfer or hold funds that are related to illicit activities such as terrorism, drug dealing, and other serious offences.
The risk of loss arising from unenforceable contracts and adverse judgments, negative publicity regarding an institution’s business practices, or its inability or unwillingness to comply with laws, rules and regulations.
Consider nature and characteristics of significant activities
Example: Credit Risk is the primary inherent risk associated with lending. Some sub-components of the risk considered:
Obligor risk (customer base, e.g. retail, SME, big corporations or MNC?)
Industry risk (industry sectors such as information technology or commodities are highly volatile)
Concentration risk (concentrations in certain industries or types of customers in its lending portfolio)
Country/Sovereign risk (e.g. political uncertainty in the country of the borrower)
Focus on key risks (primary or secondary)
4 Ratings: High, Medium-high, Medium-low or Low
CRAFT – Inherent Risks
Example: Which bank has higher credit risk?
Bank Characteristics
A: Fully secured lending to high net worth individuals as part of private banking business. Rating: L
B: Bilateral loans, trade finance and other credit facilities to large corporates and small & medium-sized corporations, concentrated by industry & borrower, >50% unsecured. Rating: MH
C: Majority syndicated loans to large MNCs diversified by industry, >50% unsecured. Rating: ML
Oversight infrastructure consisting of risk management systems & controls, operational management, internal audit, and compliance
Assessed relative to the nature, scope and risks of FI’s activities
Control factors should be commensurate with the level of risk, i.e. if an activity is assessed as having High Inherent Risk, a greater degree of oversight and control is expected to be in place
CRAFT – Control Factors
CRAFT – Control Factors
Control Factor Description
The effectiveness of risk management systems and internal controls in managing the risks inherent in the institution’s activities.
Operational Management: The effectiveness of line management (local and/or cross-border), department heads, etc, in the planning, directing and controlling of the day-to-day operations of an institution’s business activities and in ensuring that policies, processes, control systems, staff levels and experience are in place, and are sufficient to effectively assess, manage and mitigate risks inherent in the institution’s activities.
Internal Audit: The effectiveness of the internal audit function in providing independent assurance of the effectiveness of, and adherence to, the institution’s risk management, control, and governance processes.
Compliance: The effectiveness of the compliance function in providing independent oversight of the management of the institution’s compliance with all laws, regulations, codes of conduct, and standards of good practice relevant to the activities of the institution in the jurisdictions in which it operates.
Benchmark against sound and generally accepted industry practices used by FIs with comparable activities
Rated as: Strong, Medium-Strong, Medium-Weak or Weak
Some useful questions to ask:
Meet generally accepted practices?
4 Control Factors are also assessed collectively
CRAFT – Control Factors
Risk Management systems and controls of XYZ Bank rated Medium Strong due to:
Adequate policies and controls
Auditors, home supervisor and MAS’ inspection did not highlight issues of concern
Assess Control Factors
Operational Management of XYZ Bank rated Medium Strong due to:
Experienced and qualified management
Assess Control Factors
Internal audit of XYZ Bank rated Medium Strong due to:
Independent with direct reporting line to Head Office internal audit
Audit scope and frequency deemed to be adequate
Sufficient qualified and experienced resources
Assess Control Factors
Compliance of XYZ Bank rated Medium Weak due to:
Non-compliance with regulations
Errors in regulatory returns
Inconsistent risk ratings for customers raised by auditors
Assess Control Factors
The quality and effectiveness of the Board, Senior Management and Head Office in providing strategic direction and oversight of the bank’s operations
Effectiveness of risk oversight at the activity level
Corporate governance and strategic direction at the institution level
Assess Board, Senior Management & Head Office oversight
Risk profile of FI taking into account:
Inherent Risks
Control Factors
Rated as: High, Medium-High, Medium-Low or Low
CRAFT – Institution Net Risk
Safety nets that cushion against potential losses arising from poor business decisions, breakdown in risk management systems and controls and changes in operating environment
Not considered as substitutes for oversight of an institution’s business activities
Rated as: Strong, Medium-Strong, Medium-Weak, or Weak
Parental Support
Financial strength and ability of Head Office to provide support
Quality of home supervision
Key Rating under CRAFT
4 Components
Significance
ORR reflects level of risk that may affect MAS’ supervisory objectives, i.e. safety and soundness, and transparency and fair-dealing
More importantly, supervisors will highlight to Board/Senior Management of FIs the weaknesses in risk management and controls underlying the causes of ORR
Disclosure
MAS’ sharing of ORR (or Institution Net Risk) and issues of supervisory concern with FIs are part of CONFIDENTIAL supervisory dealings between MAS and FIs, and are not to be disclosed publicly
CRAFT – Overall Risk Rating (ORR)
CRAFT Scoresheet: Inherent Risk (IR 1 to IR 8), Control Factors, Net Risk
CRAFT – Example
Significant Activities / IR of SA
Personal Financial Services: ML - - MH H MH MH MH MH MW MS MS MW MW MH 1
Corporate & Institutional Banking: MH - - MH ML ML MH ML MH MS MS MS MS MS ML 2
Commercial Banking: H - - MH ML ML MH ML H S MS S S S MH 3
Global Markets: L ML MH ML H - ML MH MH MS MS S MS MS ML 4
Overall: S MS
IR by risk type: ML ML MH MH H MH MH MS
CF by risk type: MS MS MS MS MS MS MS MS
Net risk by risk type: ML L ML ML MH ML MH ML
Board, Senior Management and Head Office Oversight: MS
Institution Net Risk: ML
Capital: S
Earnings: S
Overall Risk Rating: L
CRAFT – Assessment Process
direction
with materiality of SAs
4) Determine Overall Risk
Why?
Quality
Consistency
What do we do?
Comprehensive implementation guide on how to conduct impact and CRAFT assessments
Functional / Technical Training, industry talks, seminars for supervisors
Support from risk specialists and practice leader groups (Faculty of Peers) to supervisors
Peer bank group comparison
Major regulatory or supervisory issues decided at senior management forum
MAS’ internal audit conducts independent checks on supervisory process
CRAFT – Quality Assurance
Identification of Peers
Banks with similar business activities and risk profiles (consider scale, size, complexity, risk mgt capabilities)
Geographical Region or Country (similar environment risk, corporate culture, country-specific factors)
Two levels of comparison
Peer Comparison
By using SAs as the basic units of assessment while subjecting them to assessments on similar inherent risks and control factors, CRAFT provides a common framework with sufficient flexibility to address different classes of financial institutions with different activities
SA-based assessment enables good understanding of institution’s individual activities, and more granular and activity-specific analysis of risk management and control issues, which allows supervisory plan and activities to be more targeted and effective
CRAFT - Merits
Allows meaningful comparison at SA level, in addition to entire institution level across peer banks, e.g. useful for benchmarking risk management practices
Offers bottom-up assessment on increasingly riskier activities for industry-wide surveillance and to drive thematic supervisory activities
Self-validating by comparing the aggregate assessment across SAs and across risk types, which helps identify and address gaps
CRAFT - Merits
Establish supervisory plan
CRAFT – Follow Up Actions