“Approved”
Financial Markets Supervisory Authority
of the Republic of Azerbaijan
Resolution № 1951100003
“30” January 2019
Acting Chairman of the Management Board
______________________
Ibrahim Alishov
Regulations on risk management in banks
General provisions
1.1. These Regulations have been developed in accordance with Article 34.5 of the Law of the Republic of Azerbaijan on Banks.
1.2. These Regulations determine minimum requirements on launch of a risk management system that provides risk identification, evaluation, management, monitoring and reporting for banks and local branches of foreign banks operating in the Republic of Azerbaijan (hereinafter – banks).
Definitions
2.1. Definitions used herein bear the following meanings:
2.1.1. risk – probability of an adverse impact of probable and unexpected events on bank capital;
2.1.2. risk management system – a system consisting of the elements established herein on risk management;
2.1.3. bank product – a method of presentation of types of activities carried out by the bank;
2.1.4. chief risk officer (CRO) – a Management Board member supervising (curating) activities of structural units of the bank related to the risk management function;
2.1.5. business units – units that carry out different types of bank activities and create risks;
2.1.6. risk-bearing capacity – maximum amount of risk that the bank can take without violating capital, liquidity and other prudential requirements;
2.1.7. risk acceptance – coverage of possible loss at the expense of bank capital, subject to compliance with capital adequacy requirements;
2.1.8. risk minimization – reduction of risk with various regulatory methods;
2.1.9. transfer of risk – transfer of operations considered risky by the bank to third parties;
2.1.10. risk avoidance – not carrying out risky operations higher than the level of risk set by the risk strategy;
2.1.11. risk culture – a set of norms, approaches and behaviors for identifying, accepting and managing risk, as well as making decisions on risk;
2.1.12. risk appetite statement – a document reflecting total risk limits that the bank will accept to achieve its business goals;
2.1.13. risk appetite – the amount of risk the bank wants to take within its risk-taking capacity to achieve its strategic goals;
2.1.14. risk limit – the maximum level of risk accepted for each type of activity;
2.1.15. risk profile – total level of risks to which the bank is exposed;
2.1.16. shock – a probable and measurable event that can potentially affect bank's activities;
2.1.17. stress-testing – a tool for assessing potential impact of several shocks on bank’s financial condition.
Risk classification and management system
3.1. The main types of risks faced by banks in carrying out banking activities and the reasons for their emergence are as follows:
3.1.1. credit risk – arises as a result of the borrower's failure to perform his/her liabilities to the bank on time or in full;
3.1.2. market risk – arises from changes in market interest rates, exchange rates, the value of securities and commodities. There are the following subcategories of market risk:
3.1.2.1. interest rate risk – risk associated with unfavorable changes in interest rates;
3.1.2.2. currency risk – risk arising from unfavorable changes in exchange rates;
3.1.2.3. capital risk – risk arising from unfavorable changes in the value of securities purchased by the bank;
3.1.2.4. commodity risk – risk arising from unfavorable change in the price of goods in the market;
3.1.3. liquidity risk – results from failure to meet planned and unforeseen obligations in a timely and effective manner;
3.1.4. operational risk – results from shortcomings and errors made by bank employees, defects and troubles in information systems and technologies, as well as events outside the bank. There are the following sub-categories of operational risk:
3.1.4.1. human resources risk – the risk arising from violation of existing legal acts, mistakes and faults by bank staff in the course of banking operations knowingly or unwittingly;
3.1.4.2. IT risk – risk arising from problems with bank's information system or technologies;
3.1.4.3. legal risk – risk resulting from violation of legal acts, including legal acts of the supervisory and tax authorities; their incomplete, untimely or incorrect application; non-acceptance of internal rules of the bank; as well as contradictions and gaps in internal rules;
3.1.4.4. compliance risk – legal risk arising from non-compliance with legal acts on prevention of legalization of criminally obtained money or other property and financing of terrorism, and requirements of the supervisory authority and the financial monitoring body;
3.1.4.5. external risk – the risk arising from damage caused by a third party or nature;
3.1.5. strategic risk – arises as a result of incorrect selection of strategic goals;
3.1.6. reputation risk – results from low confidence in the bank and negative public opinion;
3.1.7. project risk – is perceived as failure of the bank to implement planned projects due to errors and external factors during implementation of the project or to achieve its goals.
3.2. Banks create a risk management system adequate to the type, volume, characteristics and environment of operations, complexity and risks faced.
3.3. The risk management system consists of the following elements:
3.3.1. risk management strategy and risk appetite statement;
3.3.2. organizational structure of risk management;
3.3.3. risk management policy, including defense lines of risk management;
3.3.4. risk limits;
3.3.5. risk management on new products and services;
3.3.6. data summary and risk reporting;
3.3.7. contingency plan.
Risk management strategy
4.1. Each bank develops a risk management strategy that reflects risk management objectives and covers at least the following:
4.1.1. risk appetite in line with the bank's strategic goals;
4.1.2. all risks that the bank may be exposed to as a result of the bank's strategy;
4.1.3. bank's risk approach to introduction of new activities and systems;
4.1.4. strategic targets related to bank capital;
4.1.5. strategic targets related to the structure of assets and liabilities;
4.1.6. management of risks likely to arise from changes in the global and macroeconomic environment;
4.1.7. monitoring of the risk management system;
4.1.8. risk management in emergency cases.
4.2. After the end of each calendar year, the risk management strategy is reviewed during the first quarter of the following year based on results of the previous year, and appropriate changes are made as required.
Organizational structure of risk management
5.1. The organizational structure of risk management in banks ensures the following:
5.1.1. clear identification of risk management authorities and responsibilities;
5.1.2. communication and information flow among all organizational structure levels;
5.1.3. measures against conflicts of interest between structural units and authorized persons;
5.1.4. independent and transparent decision-making process;
5.1.5. effective risk management reporting system.
5.2. In the risk management process, powers of the Supervisory Board, the Risk Management Committee (hereinafter - RMC), the Management Board, the Chief Risk Officer, the Risk Management Department, business units and internal audit are defined as follows:
5.2.1. The Supervisory Board:
5.2.1.1. ensures launch of an effective risk management system adequate to bank's risk profile;
5.2.1.2. approves the strategy, policy, internal rules and organizational structure on risk management;
5.2.1.3. controls the work of the Management Board related to risk management and receives direct reports from the risk management unit;
5.2.1.4. takes decisions on the issues related to risk management presented by the Management Board and the RMC;
5.2.1.5. approves risk appetite statement and risk limits;
5.2.1.6. assesses how effective the risk management system is at least once a year;
5.2.1.7. approves the emergency plan.
5.2.2. The RMC:
5.2.2.1. reviews risk management strategies, policies and rules, as well as changes to them, and submits them to the Supervisory Board for approval;
5.2.2.2. reviews the risk appetite statement, as well as risk limits, and submits to the Supervisory Board for approval;
5.2.2.3. determines selection of appropriate methods and tools for risk identification and evaluation and frequency of their implementation;
5.2.2.4. prepares and submits to the Supervisory Board a report on the state of risks to which the bank is exposed and effectiveness of the risk management system;
5.2.2.5. monitors consistency of risks taken with the bank's risk management strategy;
5.2.2.6. prepares proposals to the Supervisory Board on improving the risk management system;
5.2.2.7. evaluates the work of the risk management unit and informs the Supervisory and Management Boards on findings of the assessment;
5.2.2.8. monitors consistency between all financial services and products offered to customers and the bank's business model and risk strategy, evaluates the risks associated with them, taking into account prices and profitability of the products and services offered;
5.2.2.9. submits proposals to the Supervisory Board on the powers of structural units and other internal committees performing risk management functions;
5.2.2.10. reviews reports on risk appetite statement, issues proposals to the Supervisory Board on risk reduction or adjustment of risk limits to market conditions in case of violation of the limits on established risk indicators;
5.2.2.11. reviews the contingency plan together with the Management Board and submits to the Supervisory Board;
5.2.2.12. assesses current state of risk culture and takes measures to strengthen it;
5.2.2.13. holds meetings at least once every two months and reports on results to the Supervisory Board;
5.2.2.14. reviews reports submitted by the CRO on a monthly basis.
5.2.3. The Management Board:
5.2.3.1. ensures the implementation of the risk management strategy and policy;
5.2.3.2. organizes the risk management process;
5.2.3.3. analyzes the risks the bank is exposed to and takes necessary measures to eliminate revealed weaknesses;
5.2.3.4. takes a decision on introduction of a new bank product;
5.2.3.5. submits reports on risks and their management to the RMC and the Supervisory Board;
5.2.3.6. creates appropriate conditions for the risk management unit to operate adequately to the bank's risks;
5.2.3.7. reviews the contingency plan together with the RMC and submits to the Supervisory Board;
5.2.3.8. ensures cooperation of bank’s other structural units with the risk management unit, as well as takes measures to prevent interventions to its operations.
5.2.4. The CRO:
5.2.4.1. develops and submits to the RMC a risk management strategy and policy in light of the opinion of the Management Board;
5.2.4.2. coordinates activities of the Management Board and structural units on risk management;
5.2.4.3. reports on a monthly basis findings of monitoring of risk limits, as well as the bank's risk profile. In case of deviations in the risk appetite indicators, immediately informs the RMC, indicating reasons;
5.2.4.4. ensures reliable, transparent, comprehensive and timely preparation of periodic reports indicating the types and extent of risks related to the bank's activities;
5.2.4.5. issues proposals to the RMC and the Supervisory Board on improving the risk management system;
5.2.4.6. ensures that the risks the bank is exposed to are consistent with its risk-bearing capacity, risk management strategy and prudential requirements for risk management;
5.2.4.7. takes measures to increase knowledge and skills of employees of structural units performing the risk management function;
5.2.4.8. participates in meetings of the Supervisory Board in the review of risk management strategies, as well as in the discussion of issues related to risk management.
5.2.5. The Risk Management Unit:
5.2.5.1. coordinates risk management efforts;
5.2.5.2. prepares bank’s internal rules on risk management, as well as changes to them;
5.2.5.3. monitors compliance with risk management strategies and policies and submits deviation reports to the RMC and the Management Board;
5.2.5.4. together with bank’s relevant structural units makes proposals to the RMC and the Management Board on calculation of risk limits for activities and changes to them;
5.2.5.5. develops risk map and monitors its implementation;
5.2.5.6. constantly monitors observance of risk limits and immediately informs the CRO on violations;
5.2.5.7. carries out work on selection and application of methods and models for risk identification and evaluation (together with relevant structural units of the bank);
5.2.5.8. submits a report on risk identification, analysis and findings to the Management Board, the RMC and the Supervisory Board;
5.2.5.9. issues an opinion on all processes, new products and services covering the bank's activities in terms of risk recognition and management;
5.2.5.10. conducts stress tests together with relevant structural units and develops an action plan to reduce identified risks;
5.2.5.11. analyzes information received from bank’s other structural units for risk management;
5.2.5.12. submits proposals to the RMC on establishing and improving adequate and effective control procedures for the risk management process;
5.2.5.13. prepares contingency plan together with relevant structural units of the bank, submits it to the RMC and the Management Board;
5.2.5.14. develops and submits to the CRO the bank’s risk appetite statement;
5.2.5.15. monitors implementation of the risk appetite statement, as well as the system of limits, periodically submits a report to the Management Board and the RMC;
5.2.5.16. assesses threats and harmful habits that may cause damage to a sound risk culture and informs the RMC on potential risks at least once a year;
5.2.5.17. assesses project risks, makes recommendations to the Management Board and the RMC on taking necessary measures;
5.2.5.18. conducts residual risk assessment after risk mitigation measures for products, services or processes and submits a report to the Management Board;
5.2.5.19. coordinates collection of risk information from banking systems, relevant structures and reporting, as well as updates bank's risk profile by analyzing this information and identifying risks;
5.2.5.20. provides collection, registration of risk events in the bank, their assessment on actual and possible losses and preparation of relevant reporting;
5.2.5.21. provides methodological assistance to bank’s relevant structural units in risk management.
5.2.6. Bank’s business units:
5.2.6.1. manage risks within their authorities in daily activities;
5.2.6.2. ensure observance of related risk limits.
5.2.7. The internal audit unit:
5.2.7.1. checks effectiveness and adequacy of the risk management system;
5.2.7.2. submits reports, proposals and recommendations on findings of audits to the Supervisory Board and the Audit Committee;
5.2.7.3. provides information sharing with the risk management unit.
Risk management policy
6.1. The risk management policy should cover at least the following:
6.1.1. organization of risk management, including segregation of authorities;
6.1.2. risk management process on bank's activities, business processes and information systems. In this case, the lines of defense of risk management are taken into account:
6.1.2.1. the first line of defense – all groups whose activities pose a direct risk to the bank: structural units that serve bank's customers, develop products and services, as well as branches and divisions. The main responsibilities of the first line of defense are as follows:
6.1.2.1.1. responsibility for all risk management and related controls;
6.1.2.1.2. risk management covering all stages, from identification of risks through improvement, including resource allocation and priority decisions.
6.1.2.2. the second line of defense – includes the bank's structural units that perform the functions of risk management and of legal and compliance risk management. The legal and compliance risk management unit monitors bank's compliance with legal and regulatory requirements, as well as develops policies and procedures for legal and compliance risk management;
6.1.2.3. the third line of defense – consists of an independent internal audit unit and external auditors authorized to evaluate the first and second lines of defense. The internal audit unit conducts risk-based and general audits of effectiveness and perfectness of procedures and mechanisms, as well as their proper implementation.
6.2. The risk management policy requires establishment of a healthy risk culture so that all lines of defense take an acceptable level of risk in their day-to-day operations.
6.3. The risk management policy is reviewed at least once a year and changed as necessary.
Risk management process
7.1. The risk management process covers necessary procedures and evaluation methodologies for effective risk management in the bank.
7.2. Methods for identifying and assessing the risks arising from bank's activities are applied in line with the size and complexity of the bank's risk profile. The methods used and the assumptions about them are regularly evaluated.
7.3. Frequency of risk assessment should be appropriate to the extent and nature of the risks arising from bank's operations.
7.4. Risks are identified at least via the following methods:
7.4.1. risk map – shows the risks to which the bank may be exposed, internal and external causes of the risk, other risks to be triggered by the risk and potential losses, as well as determines frequency of risk emergence, management and assessment tools, the person or structural unit responsible for risk management. The risk map is reviewed at least twice a year and changed as necessary;
7.4.2. surveys – are used to identify various risks that are difficult to identify from surveys. The subject of the surveys is based on bank's risk expectations. Surveys are developed in a clear, concise and relevant manner;
7.4.3. empirical (true historical data based) analyses – the bank regularly analyzes its own and/or other banks' empirical data (e.g., losses) to identify risks;
7.4.4. early warning systems – are used to monitor risks. The early warning system provides information on probabilities and risks of various threats as a result of various ratios and factors used in banking activities approaching the limits set for them.
7.5. Risks identified by the risk management unit are grouped into relevant categories, findings are documented and a report is prepared.
7.6. Risk evaluation is based on findings of the risk identification process. In this case, based on the analysis of quantitative and qualitative indicators, bank's risk-bearing capacity is determined and the level of risk is assessed. A detailed explanation of the methods used to evaluate risks should be reflected in bank’s internal rules. At least the following models should be used for evaluation:
7.6.1. value at risk (VAR) models – VAR is the maximum amount of probable loss over a period of time (at least one year) with a predetermined confidence level. This amount reflects the amount of probable loss of the bank on various types of risks. A minimum of 99% is taken as the confidence level when applying any VAR model;
7.6.2. portfolio at risk (PAR) model – helps calculate credit risk by grouping loans by delinquencies. Delinquency groups should cover periods of up to one year monthly; up to two years annually; and more than two years in general. These period groups may be grouped by the bank on shorter periods;
7.6.3. risk equivalent to bankruptcy – potential bankruptcy volume of total portfolio is projected, given probability of bankruptcy for each group of delinquency. Probability of bankruptcy is based upon bank's empirical data. As the delinquency period increases, this probability also increases and is defined as 100% for overdue credit groups with a delinquency period of more than one year;
7.6.4. vintage analysis – provides a more effective solution to problems on the portfolio, allowing a detailed analysis of overdue loans by date, unit, administrator, loan officer and other criteria. Based on the structure of the loan portfolio, additional analysis indicators can be identified along with the above criteria;
7.6.5. stress-tests – every bank develops and updates at least once a year stress test models depending on the size and complexity of its activities to identify and assess the events that may adversely affect its risk profile:
7.6.5.1. the stress-testing model takes into account the probability that each shock will change to the most unfavorable level. These shocks include components of market, credit, liquidity, operational and other risks;
7.6.5.2. stress tests determine bank's resilience to shocks, maximum loss suffered by the bank as a result of shocks and other gaps in bank's operations;
7.6.5.3. when performing stress tests, ‘very unfavorable’, ‘unfavorable’ and ‘probable’ scenarios are developed and separate criteria and shocks are set for each scenario, including probabilities. In preparing stress tests, the bank uses empirical data, probable scenarios that take into account potential risks and maximum losses;
7.6.5.4. stress-tests are conducted at least every six months;
7.6.5.5. an action plan to prevent identified risks based on stress test findings is developed and implemented;
7.6.5.6. the bank develops a program to eliminate potential capital shortfall depending on stress test findings.
7.7. Quantitative models used in risk assessment should be subject to the ‘reverse verification’ principle. The reverse verification is performed to determine adequacy of the applied model by comparing expected results with actual ones. When the pre-calculated probable result differs sharply from the actual one, appropriate modifications are made to the models and they are adjusted to current macro- and microeconomic conditions.
7.8. Stress-testing findings are submitted to the Financial Markets Supervisory Authority together with prudential reports for the relevant period.
7.9. A report is prepared on findings from application of the adopted methods and models. The RMC analyzes the findings and gives relevant instructions to the risk management unit on implementation of measures, such as acceptance, minimization, transfer of risks, as well as risk avoidance for effective risk management.
7.10. If the CRO does not agree with decisions of the Management Board and internal committees on lending, investments and new products, the Board takes the issue to the Supervisory Board within 7 (seven) working days for discussion (with a written substantiation of the CRO). The Supervisory Board makes a decision on the issue within the next 15 (fifteen) working days. During this period, execution of decisions of the Management Board and internal committees on relevant issues is suspended.
7.11. The CRO should be a member of internal committees that make decisions on risk management, rewards, lending, investments and new products.
7.12. The head of the risk management unit should have at least 4 (four) years of risk management experience and be appointed by the Supervisory Board upon the recommendation of the RMC. The unit staff should have access to any database in the bank, internal operating systems, as well as internal audit reports.
Risk appetite statement
8.1. A risk appetite statement is based upon the bank’s risk strategy. The statement should fully cover material risks and be consistent with the bank's business strategy.
8.2. The statement defines tolerance zones on quantitative and qualitative indicators (limits) of risk appetite, covering the risks the bank is exposed to, and identifies measures in case of deviations from each zone.
8.3. Compliance of the risk appetite statement with indicators of tolerance zones is monitored on a monthly basis.
Risk limits
9.1. Limits are set to contain credit, market, liquidity and operational risks, as well as other existing risks that the bank faces and that can be measured from the moment they emerge.
9.2. According to the risk appetite, risk limits are set for the bank as a whole in line with its size, risk profile and activities.
9.3. The Management Board and internal committees of the bank approve sub limits within the limits approved by the Supervisory Board.
9.4. Risk limits are reviewed at least once a month and adjusted to current market conditions and banking strategy.
Risk management on new products and services
10.1. The Bank prepares in advance when introducing a new product or service, as well as when launching projects. This process includes analyzing compliance of the product, service or project with the bank's strategy and identifying associated risks.
10.2. When offering a new product or service, the following is taken into account in accordance with the bank's risk policy:
10.2.1. detailed description of the product or the service;
10.2.2. assessment of risks that may arise from the product or service;
10.2.3. analysis of the impact of the product or service on bank’s financial condition;
10.2.4. identifying resources needed to implement effective risk management for a new product or service;
10.2.5. potential risk management.
10.3. After introducing a new product or service, the bank should evaluate its impact on the risk profile and take into account results of this assessment when similar products or services are offered in future.
10.4. Structural units that perform risk management and compliance functions assess the risks that may arise from new products and activities under different scenarios, as well as bank's ability to effectively manage new risks. The risk management function should have the authority to request changes as part of the new product management approval process.
10.5. Assessment of high-value projects takes into account the impact of potential risks on bank's overall competitiveness, its technological condition and market position.
Information summary and risk reporting
11.1. The bank creates an adequate risk information summary and risk reporting framework to ensure identification, evaluation, management and monitoring of credit, market, liquidity, operational, as well as other existing risks, approved by the Supervisory Board.
11.2. The bank creates a management information system (MIS) that ensures effectiveness of risk information summarization and risk reporting, and the following is implemented through this system:
11.2.1. identification, evaluation, management and monitoring of daily risks;
11.2.2. verification of compliance with established rules and limits;
11.2.3. tracking trends in risk indicators;
11.2.4. preparation of reports in the format established by prudential requirements and internal rules of the bank.
11.3. The MIS should be capable of monitoring risk limits and notifying the Management Board and other users when they reach a predetermined level.
11.4. The Supervisory and Management Boards, the RMC and other related staff should have access to reports generated by the MIS.
11.5. The risk management unit prepares analytical reports covering at least the following areas and submits them to the RMC, the Management and Supervisory Boards:
11.5.1. main risks and their structure;
11.5.2. capital structure and the level of its adequacy;
11.5.3. analysis of current and future capital requirement;
11.5.4. bank’s liquidity position;
11.5.5. assets and liabilities in foreign currency, including an open currency position;
11.5.6. use of risk limits;
11.5.7. stress test findings.
11.6. Information in risk reports should be clear, precise and detailed enough to make a decision.
Contingency plan
12.1. Every bank develops a contingency plan, which includes measures to prevent the risks arising in emergencies and ensure business continuity of the bank.
12.2. The contingency plan includes:
12.2.1. classification of emergency cases;
12.2.2. authorities of the persons responsible for restoration of the activity disrupted in emergencies;
12.2.3. measures to be oriented towards prevention of various risks;
12.2.4. source of funds to be attracted in emergencies;
12.2.5. the policy of protection from a reputation risk in emergencies;
12.2.6. classification of banking operations and activities by degree of importance in emergencies.
12.3. The Bank's contingency plan is reviewed at least once a year and changed as necessary. When reviewing the contingency plan, various scenarios are tested on internal and external factors, and test findings are taken into account in changes to be made to the plan.
12.4. Every employee of the bank involved in risk mitigation in case of emergency is informed about the contingency plan and changes made therein by the risk management unit and relevant trainings are conducted at least once a year.