GUIDELINES ON SUPERVISION BY RISK
(Appendix to Sec. 141)
II. Statement of policy
III. Guidelines for risk management
Types and definitions of risk
1. Credit risk arises from a counterparty’s failure to meet the terms of any contract with the FI or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer, or borrower performance. It arises any time FI funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet. Credit risk is not limited to the loan portfolio.
2. Market risk is the risk to earnings or capital arising from changes in the value of traded portfolios of financial instruments. This risk arises from market-making, dealing, and position-taking in interest rate, foreign exchange, equity and commodities markets.
3. Interest rate risk is the current and prospective risk to earnings or capital arising from movements in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (repricing risk); from changing rate relationships among different yield curves affecting FI activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest-related options embedded in FI products (options risk).
4. Liquidity risk is generally defined as the current and prospective risk to earnings or capital arising from an Fl’s inability to meet its obligations when they become due without incurring unacceptable losses or costs. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources.
5. Operational risk is the current and prospective risk to earnings or capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Risk is inherent in efforts to gain strategic advantage, and in the failure to keep pace with changes in the financial services marketplace. Operational risk is evident in each product and service offered. Operational risk encompasses: product development and delivery, operational processing, systems development, computing systems, complexity of products and services, and the internal control environment.
6. Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain FI products or activities of the FI’s clients may be ambiguous or untested. This risk exposes the FI to fines, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and lack of contract enforceability.
7. Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organization’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. The organization’s internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory, and other environmental changes.
8. Reputation risk is the current and prospective impact on earnings or capital arising from negative public opinion. This affects the FI’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the FI to litigation, financial loss, or a decline in its customer base. In extreme cases, FIs that lose their reputation may suffer a run on deposits. Reputation risk exposure is present throughout the organization and requires the responsibility to exercise an abundance of caution in dealing with customers and the community.
IV. FI management of risk
1. Identify risk: To properly identify risks, an FI must recognize and understand existing risks or risks that may arise from new business initiatives, including risks that originate in non-bank subsidiaries and affiliates. Risk identification should be a continuing process, and should occur at both the transaction and portfolio level.
2. Measure risk: Accurate and timely measurement of risk is essential to effective risk management systems. An FI that does not have a risk measurement system has limited ability to control or monitor risk levels. Further, the more complex the risk, the more sophisticated should be the tools that measure it. An FI should periodically conduct tests to make sure that the measurement tools it uses are accurate. Good risk measurement systems assess the risks of both individual transactions and portfolios. During the transition process in FI mergers and consolidations, the effectiveness of risk measurement tools is often impaired because of the technological incompatibility of the merging systems or other problems of integration. Therefore, the resulting FI must make a strong effort to ensure that risks are appropriately measured across the consolidated entity. Larger, more complex FIs must assess the impact of increased transaction volume across all risk categories.
3. Monitor risk: FIs should monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be frequent, timely, accurate, and informative and should be distributed to appropriate individuals to ensure action, when needed. For large, complex FIs, monitoring is essential to ensure that management’s decisions are implemented for all geographies, products, and legal entities.
4. Control risk: The FI should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These control limits should be valid tools that management should be able to adjust when conditions or risk tolerances change. The FI should have a process to authorize exceptions or changes to risk limits when warranted. In merging or consolidating FIs, the transition should be tightly controlled; business plans, lines of authority, and accountability should be clear. Large, diversified FIs should have strong risk controls covering all geographies, products, and legal entities.
a. Implement the FI’s strategy;
b. Develop policies that define the FI’s risk tolerance and ensure that they are compatible with strategic goals;
c. Ensure that strategic direction and risk tolerances are effectively communicated and adhered to throughout the organization;
d. Oversee the development and maintenance of management information systems to ensure that information is timely, accurate, and pertinent.
V. Assessment of risk management
1. Policies are statements of the FIs’ commitment to pursue certain results. Policies often set standards (on risk tolerances, for example) and recommend courses of action. Policies should express an FI’s underlying mission, values, and principles. A policy review should always be triggered when an FI’s activities or risk tolerances change.
2. Processes are the procedures, programs, and practices that impose order on the FI’s pursuit of its objectives. Processes define how daily activities are carried out. Effective processes are consistent with the underlying policies, are efficient, and are governed by checks and balances.
3. Personnel are the staff and managers that execute or oversee processes. Good staff and managers perform as expected, are qualified, and competent. They understand the FI’s mission, values, policies, and processes. Compensation programs should be designed to attract, develop, and retain qualified personnel. In addition, compensation should be structured to reward contributions to effective risk management.
4. Control systems include the tools and information systems (e.g, internal/ external audit programs) that FI managers use to measure performance, make decisions about risk, and assess the effectiveness of processes. Feedback should be timely, accurate, and pertinent.
VI. Supervision by Risk
1. Identifying risks using common definitions. The categories of risk, as they are defined, are the foundation for supervisory activities.
2. Measuring risks using common methods of evaluation. Risk cannot always be quantified in pesos. For example, numerous internal control deficiencies may indicate excessive operational risk.
3. Evaluating risk management to determine whether FI systems and processes permit management to manage and control existing and prospective levels of risk.
(Circular No. 981 dated 3 November 2017)