To meet Basle III / CRD IV requirements, there are four key risk reports that must be maintained as ‘living documents’ that are critical to risk governance, oversight and assurance. Essentially, these set out the bank’s risk appetite and risk control framework, assess the bank’s capital and liquidity needs and explain what actions the bank would take to recover from a crisis. The diagram below illustrates their relationship to other key sources of information and activities:

Risk Appetite Statement (RAS)

The Risk Appetite Statement articulates the nature and extent of the material risks that a bank is prepared to accept in order to meet its strategic objectives, business plan and regulatory obligations.

A RAS document should describe a bank’s:

  • Risk Governance: Oversight, control, assurance and delegation of authorities for each type of risk
  • Business and risk strategy and objectives to which the risk appetite is aligned
  • Risk limits and boundaries that the bank expects to operate within, including early warning indicators to identify potential breaches
  • Policies, procedures, controls and systems through which risk is identified, monitored and managed.

The RAS is a basic component of the other three main risk reports (ICAAP, ILAAP and Recovery Plan), which are likely to contain similar background information, such as governance, the bank’s business model and its risk management framework.

Banks are expected to regularly conduct stress tests to ensure that it operates within its Board-approved risk appetite. Early warning signals, risk indicators, controls and limits must be regularly reviewed in the light of any changes in the bank’s business and/or macroeconomic conditions.

Capital Adequacy Assessment (ICAAP)

Regulators view the Internal Capital Adequacy Assessment Process (ICAAP) as the next most important report to the Bank’s financial statements. This is the report that considers all of the risks that a bank might face, including liquidity and funding, even though they are assessed and reported separately in the ILAAP.

In fact, there is a fair bit of information that regulators expect to see that is common to all the key risk reports, such as a description of a bank’s business model, strategy and its risk governance, risk appetite and risk management frameworks.

Information specific to the ICAAP is expected to include:

  • Key Risk identification, measurement, controls and mitigation, including credit, market, liquidity and operational risks
  • Capital Assessment of all material risks, including methodologies used as well as an aggregated overall assessment with comparisons against Pillar 1 capital requirements
  • Stress Testing including sensitivity analyses, scenario analyses and reverse stress testing, where appropriate
  • Capital Planning , demonstrating how the bank’s business plan will be supported under both normal and adverse scenarios and calculation of the PRA Buffer (formerly Capital Planning Buffer).

Following changes to the PRA’s approach to implementing CRD IV, banks must also supply additional Pillar 2 reports, such as analyses of concentration risks, when formally submitting their ICAAP for supervisory review.