To meet Basle III / CRD IV requirements, there are four key risk reports that must be maintained as ‘living documents’ that are critical to risk governance, oversight and assurance. Essentially, these set out the bank’s risk appetite and risk control framework, assess the bank’s capital and liquidity needs and explain what actions the bank would take to recover from a crisis. The diagram below illustrates their relationship to other key sources of information and activities:
The Risk Appetite Statement articulates the nature and extent of the material risks that a bank is prepared to accept in order to meet its strategic objectives, business plan and regulatory obligations.
A RAS document should describe a bank’s:
- Risk Governance: Oversight, control, assurance and delegation of authorities for each type of risk
- Business and risk strategy and objectives to which the risk appetite is aligned
- Risk limits and boundaries that the bank expects to operate within, including early warning indicators to identify potential breaches
- Policies, procedures, controls and systems through which risk is identified, monitored and managed.
The RAS is a basic component of the other three main risk reports (ICAAP, ILAAP and Recovery Plan), which are likely to contain similar background information, such as governance, the bank’s business model and its risk management framework.
Banks are expected to regularly conduct stress tests to ensure that it operates within its Board-approved risk appetite. Early warning signals, risk indicators, controls and limits must be regularly reviewed in the light of any changes in the bank’s business and/or macroeconomic conditions.
Regulators view the Internal Capital Adequacy Assessment Process (ICAAP) as the next most important report to the Bank’s financial statements. This is the report that considers all of the risks that a bank might face, including liquidity and funding, even though they are assessed and reported separately in the ILAAP.
In fact, there is a fair bit of information that regulators expect to see that is common to all the key risk reports, such as a description of a bank’s business model, strategy and its risk governance, risk appetite and risk management frameworks.
Information specific to the ICAAP is expected to include:
- Key Risk identification, measurement, controls and mitigation, including credit, market, liquidity and operational risks
- Capital Assessment of all material risks, including methodologies used as well as an aggregated overall assessment with comparisons against Pillar 1 capital requirements
- Stress Testing including sensitivity analyses, scenario analyses and reverse stress testing, where appropriate
- Capital Planning , demonstrating how the bank’s business plan will be supported under both normal and adverse scenarios and calculation of the PRA Buffer (formerly Capital Planning Buffer).
Following changes to the PRA’s approach to implementing CRD IV, banks must also supply additional Pillar 2 reports, such as analyses of concentration risks, when formally submitting their ICAAP for supervisory review.
The Internal Liquidity Adequacy Assessment Process (ILAAP) replaces the former ILAA / ILSA documents as the risk report dealing with the Bank’s liquidity adequacy. Whereas much of the previous liquidity reporting framework for the ILAA was built around the FSA047/48 reports, the new liquidity regime is currently focused on the Liquidity Coverage Ratio (LCR).
Accordingly, the ILAAP must contain an explanation of how compliance with the LCR ‘Delegated Act’ will be maintained. However, LCR reporting being based on a snapshot of short-term (30-day) liquidity flows cannot fully capture all liquidity and funding risks and, in any case, the PRA regards the LCR as only a ‘Pillar 1’ standard.
This is reflected in the wider scope of the ILAAP that also includes:
- Liquidity Risk & Inherent Funding Risk Assessments: Unlike the ILAA, these are expected to be analysed under separate sections of the document
- Risk Management Framework, relating to liquidity and funding, covering internal governance, liquidity risk strategy & risk appetite, internal control framework, liquidity pricing as well as the Bank’s liquidity contingency plan
- Liquidity Stress Testing with an explanation of approaches to sensitivity and scenario analyses as well as stress assumptions and results analysed by liquidity risk driver
- Funding Plan, explaining how the bank’s business plan will be supported under both normal and adverse scenarios.
The Recovery Plan is the fourth of the key risk reports. Unlike the others which are intended for ongoing operations (under both normal and stressed conditions), the recovery plan contains a “menu of options” a bank would take to recover from severe conditions which otherwise would cause the Bank to fail.
The Plan must be capable of being implemented at any time. Clearly, to be effective arrangements must be in place in advance of any scenario crystallising. Recovery options identified by the Bank aim to have a material impact and be capable of implementation within an acceptable time period.
In addition to background information common to all reports, the Recovery plan is expected to include:
- Governance and Activation of the Plan, including the use of early warning signals and activation indicators
- Scenario Analysis based on stress tests relevant to a bank’s specific conditions and business model, including reverse stress tests to assist in identifying ‘near default’ conditions
- Recovery Plan Options with a comparative study of options and analysis of their effectiveness, such as the impact on capital, liquidity and regulatory requirements
- Disposals, Preparatory Measures and a Communication Plan.
The Recovery Plan is usually accompanied by a Resolution Pack upon submission to the Regulator, which includes a detailed analysis of activities (economic functions) and other information that would enable the authorities to identify the most appropriate resolution strategy for a bank.