Appendix 69

(Appendix to Sec. 141)

I. Background

It must be recognized that banking is a business of taking risks in order to earn profits. While banking risks historically have been concentrated in traditional banking activities, the financial services industry has evolved in response to market-driven, technological, and legislative changes. These changes have allowed FIs to expand product offerings, geographic diversity, and delivery systems. They have also increased the complexity of the FI’s consolidated risk exposure. Because of this complexity, FIs must evaluate, control, and manage risk according to its significance. The FI’s evaluation of risk must take into account how non-bank activities within a banking organization affect the FI. Consolidated risk assessments should be a fundamental part of managing the FI. Large FIs assume varied and complex risks that warrant a risk-oriented supervisory approach.

II. Statement of policy

The existence of risk is not necessarily a reason for concern. Likewise, the existence of high risk in any area is not necessarily a concern, so long as management exhibits the ability to effectively manage that level of risk. Under this approach, the Bangko Sentral will not necessarily attempt to restrict risk-taking but rather ensure that FIs identify, understand, and control the risks they assume. As an organization grows more diverse and complex, the FI’s risk management processes must keep pace. When risk is not properly managed, Bangko Sentral will direct FI management to take corrective action such as reducing exposures, increasing capital, strengthening risk management processes or a combination of these actions. In all cases, the primary concern of the Bangko Sentral is that the FI operates in a safe and sound manner and maintains capital commensurate with its risks. Further guidance on risk management issues will be addressed in subsequent issuances that are part of the overall risk assessment program.

III. Guidelines for risk management

For purposes of the discussion of risk, the Bangko Sentral will evaluate banking risk relative to its impact on capital and earnings. From a supervisory perspective, risk is the potential that events, expected or unanticipated, may have an adverse impact on the FI’s capital or earnings.

The Bangko Sentral-SES has defined eight (8) categories of risk for FI supervision purposes. These risks are: credit, market, interest rate, liquidity, operational, compliance, strategic, and reputation. These categories are not mutually exclusive; any product or service may expose the FI to multiple risks. In addition, they can be interdependent. Increased risk in one (1) category can increase risk in other categories.

Types and definitions of risk

1. Credit risk arises from a counterparty’s failure to meet the terms of any contract with the FI or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer, or borrower performance. It arises any time FI funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet. Credit risk is not limited to the loan portfolio.

2. Market risk is the risk to earnings or capital arising from changes in the value of traded portfolios of financial instruments. This risk arises from market-making, dealing, and position-taking in interest rate, foreign exchange, equity and commodities markets.

3. Interest rate risk is the current and prospective risk to earnings or capital arising from movements in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (repricing risk); from changing rate relationships among different yield curves affecting FI activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest-related options embedded in FI products (options risk).

4. Liquidity risk is generally defined as the current and prospective risk to earnings or capital arising from an Fl’s inability to meet its obligations when they become due without incurring unacceptable losses or costs. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources.

5. Operational risk is the current and prospective risk to earnings or capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Risk is inherent in efforts to gain strategic advantage, and in the failure to keep pace with changes in the financial services marketplace. Operational risk is evident in each product and service offered. Operational risk encompasses: product development and delivery, operational processing, systems development, computing systems, complexity of products and services, and the internal control environment.

6. Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain FI products or activities of the FI’s clients may be ambiguous or untested. This risk exposes the FI to fines, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and lack of contract enforceability.

7. Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organization’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. The organization’s internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory, and other environmental changes.

8. Reputation risk is the current and prospective impact on earnings or capital arising from negative public opinion. This affects the FI’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the FI to litigation, financial loss, or a decline in its customer base. In extreme cases, FIs that lose their reputation may suffer a run on deposits. Reputation risk exposure is present throughout the organization and requires the responsibility to exercise an abundance of caution in dealing with customers and the community.

IV. FI management of risk

Because market conditions and company structures vary, there is no single risk management system that works for all FIs. Each FI should tailor its risk management program to its needs and circumstances. Sound risk management systems, however, have several things in common; for example, they are independent of risk-taking activities. Regardless of the risk management program’s design, each program should:

1. Identify risk: To properly identify risks, an FI must recognize and understand existing risks or risks that may arise from new business initiatives, including risks that originate in non-bank subsidiaries and affiliates. Risk identification should be a continuing process, and should occur at both the transaction and portfolio level.

2. Measure risk: Accurate and timely measurement of risk is essential to effective risk management systems. An FI that does not have a risk measurement system has limited ability to control or monitor risk levels. Further, the more complex the risk, the more sophisticated should be the tools that measure it. An FI should periodically conduct tests to make sure that the measurement tools it uses are accurate. Good risk measurement systems assess the risks of both individual transactions and portfolios. During the transition process in FI mergers and consolidations, the effectiveness of risk measurement tools is often impaired because of the technological incompatibility of the merging systems or other problems of integration. Therefore, the resulting FI must make a strong effort to ensure that risks are appropriately measured across the consolidated entity. Larger, more complex FIs must assess the impact of increased transaction volume across all risk categories.

3. Monitor risk: FIs should monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be frequent, timely, accurate, and informative and should be distributed to appropriate individuals to ensure action, when needed. For large, complex FIs, monitoring is essential to ensure that management’s decisions are implemented for all geographies, products, and legal entities.

4. Control risk: The FI should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These control limits should be valid tools that management should be able to adjust when conditions or risk tolerances change. The FI should have a process to authorize exceptions or changes to risk limits when warranted. In merging or consolidating FIs, the transition should be tightly controlled; business plans, lines of authority, and accountability should be clear. Large, diversified FIs should have strong risk controls covering all geographies, products, and legal entities.

The Board must establish the FI’s strategic direction and risk tolerances. In carrying out these responsibilities, the Board should approve policies that set operational standards and risk limits. Well- designed monitoring systems will allow the Board to hold management accountable for operating within established tolerances. Capable management and appropriate staffing are also essential to effective risk management. FI management is responsible for the implementation, integrity, and maintenance of risk management systems. Management also must keep the directors adequately informed. Management must:

a. Implement the FI’s strategy;

b. Develop policies that define the FI’s risk tolerance and ensure that they are compatible with strategic goals;

c. Ensure that strategic direction and risk tolerances are effectively communicated and adhered to throughout the organization;

d. Oversee the development and maintenance of management information systems to ensure that information is timely, accurate, and pertinent.

V. Assessment of risk management

When assessing risk management systems, the Bangko Sentral will consider the FI’s policies, processes, personnel, and control systems. Significant deficiencies in any one of these areas will cause the Bangko Sentral to expect the FI to compensate for these deficiencies in their overall risk management process.

1. Policies are statements of the FIs’ commitment to pursue certain results. Policies often set standards (on risk tolerances, for example) and recommend courses of action. Policies should express an FI’s underlying mission, values, and principles. A policy review should always be triggered when an FI’s activities or risk tolerances change.

2. Processes are the procedures, programs, and practices that impose order on the FI’s pursuit of its objectives. Processes define how daily activities are carried out. Effective processes are consistent with the underlying policies, are efficient, and are governed by checks and balances.

3. Personnel are the staff and managers that execute or oversee processes. Good staff and managers perform as expected, are qualified, and competent. They understand the FI’s mission, values, policies, and processes. Compensation programs should be designed to attract, develop, and retain qualified personnel. In addition, compensation should be structured to reward contributions to effective risk management.

4. Control systems include the tools and information systems (e.g, internal/ external audit programs) that FI managers use to measure performance, make decisions about risk, and assess the effectiveness of processes. Feedback should be timely, accurate, and pertinent.

VI. Supervision by Risk

Using the core assessment standards of the Bangko Sentral as guide, an examiner will obtain both a current and prospective view of an FI’s risk profile. When appropriate, this profile will incorporate potential material risks to the FI from non-bank affiliates’ activities conducted by the FI. Subsidiaries and branches of foreign FIs should maintain sufficient documentation onsite to support the analysis of their risk management. This risk assessment drives supervisory strategies and activities. It also facilitates discussions with FI management and directors and helps to ensure more efficient examinations. The core assessment complements the RAS. Examiners document their conclusions regarding the quantity of risk, the quality of risk management, the level of supervisory concern (measured as aggregate risk), and the direction of risk using the RAS. Together, the core assessment and RAS give the appropriate supervising department of the Bangko Sentral the means to assess existing and emerging risks in FIs, regardless of size or complexity.

Specifically, supervision by risk allocates greater resources to areas with higher risks. The appropriate supervising department of the Bangko Sentral will accomplish this by:

1. Identifying risks using common definitions. The categories of risk, as they are defined, are the foundation for supervisory activities.

2. Measuring risks using common methods of evaluation. Risk cannot always be quantified in pesos. For example, numerous internal control deficiencies may indicate excessive operational risk.

3. Evaluating risk management to determine whether FI systems and processes permit management to manage and control existing and prospective levels of risk.

The appropriate supervising department of the Bangko Sentral will discuss preliminary conclusions regarding risks with FI management. Following these discussions, the appropriate supervising department of the Bangko Sentral will adjust conclusions when appropriate. Once the risks have been clearly identified and communicated, the appropriate supervising department of the Bangko Sentral can then focus supervisory efforts on the areas of greater risk within the FI, the consolidated banking organization, and the banking system.

To fully implement supervision by risk, the appropriate supervising department of the Bangko Sentral will also assign CAMELS ratings to the lead FI and all affiliated FIs. It may determine that risks in individual FIs are increased, reduced, or mitigated in light of the consolidated risk profile of the FI as a whole. To perform a consolidated analysis, it will obtain pertinent information from FIs and affiliates, and verify transactions flowing between FIs and affiliates.

(Circular No. 981 dated 3 November 2017)