This presentation describes the risk-based approach and informs the reader about the procedures, guidelines and steps involved; it is aimed especially at beginners in risk-based supervision.
RISK-FOCUSED SUPERVISION
National Bank of Cambodia (NBC)
Vithyea You, Off-Site Supervision Department
Implemented following Prakas T7-011-082 Prokor
(Risk Base and Forward Looking Supervision)
NBC, Off-Site Department, 1
Module Outline
1. Introduction
2. Why Move to Risk Focus?
3. Understanding the Institution
4. Assessing Risk
5. Risk-Focused
A. Risk Matrix
B. Risk Assessment
C. Supervisory Plan
D. Examination Program
E. Scope Memorandum
F. Entry Letter
6. Risk Management Rating
Introduction
• Supervision Goal:
• A system of effective internal controls is a critical component of
bank management and a foundation for the safe and sound
operation of banking organizations. Strong internal controls also
can ensure that the goals and objectives of a banking company will
be met, the bank will achieve long-term profitability targets, and
reliable financial and managerial reporting will be maintained. In
addition, such a system will ensure that an organization will comply
with laws and regulations, as well as policies, plans, internal rules,
and procedures, and will decrease the risk of unexpected losses or
damage to the bank’s reputation.
• Risk-focused supervision consists of:
• developing an understanding of the bank’s unique characteristics,
• identifying and summarizing the major risks, and
• formulating a supervisory strategy to address these risks.
Why Move to Risk Focus?
What do we need to know beforehand?
• The Federal Reserve has shifted to a risk-focused approach due to market
changes that have resulted in a highly sophisticated banking system exposed
to a combination of risks.
• The first step in the risk-focused process is to understand the institution.
Sources of information available to the examiner include off-site reports,
internal reports, discussions with management, public sources, and other
regulators.
• When assessing risk, examiners should focus on the entire spectrum of risks
facing the bank—the six risks (credit, market, liquidity, operational, legal,
and reputational).
• Examiners should consider the adequacy of internal risk-management
systems, such as internal audit, internal loan review, and compliance.
• Information technology must be included in a risk assessment. Examiners
should consider risks, risk-management tools, and the systems that process
transactions and provide critical reports. The information technology
framework (SR 98-9) includes the following elements: management
processes, architecture, integrity, security, and availability.
• While the processes are very similar for large and small entities, the process
for a community bank involves essentially one product, the preliminary risk
assessment/scope memorandum. The process for large banks is continuous
and requires the preparation of several formal documents.
Understanding the Institution
• This step is the starting point for a risk-focused
examination approach and is critical to tailoring the
supervision program to the characteristics of the
organization. By reviewing certain information, either the
examiner or the central point of contact, depending on the
size of the organization, can gain an understanding of the
institution’s risk profile and current condition. Information
can be gathered from:
• reports available to the National Bank of Cambodia,
• the institution’s management information systems,
• discussions with bank management,
• public sources, and
• the work of other supervisory agencies.
Assessing Risk
• The assessment of risks should point out both the strengths and
weaknesses of an institution and provide a foundation for determining
supervisory activities.
• Risk assessment focuses on the six risks identified in Prakas T7-010-172
Prokor (Bank and FI’s Internal Control Supervision): credit, market,
liquidity, operational, legal, and reputational.
• The examiner is required to assess risk in four parts, as outlined
below:
• 1. Review the type and intensity of competition, locations, types of
products and services the bank offers, loan and deposit customer
base, and the local economy.
• 2. Determine the policies, procedures, management skills, or other
mechanisms in place to manage these risks. Basically, determine if
the bank has experienced staff, strong internal controls, an
independent board of directors, and satisfactory MIS or formalized risk
management process.
• 3. Compare, or weigh, the degree of risk in the bank with mitigating
factors to determine a net level of risk and determine whether the level
is significant for the institution.
• 4. Determine if management meets a set of basic criteria, or
expectations, for each risk factor given the size, complexity, and
activities of a given company.
Assessing Risk-Risk monitoring 1
• Risk monitoring must be supported by effective management
information systems (“MIS”).
• Information Technology (“IT”) must provide for processing,
storing, synthesizing, analyzing, and reporting of data.
• To evaluate IT appropriately, the examiner must ask two
fundamental questions:
• What are the critical banking activities? AND
• Are systems adequate to support these activities?
• An organization’s IT systems should be considered in relation
to the size, activities, and complexity of the organization, as
well as the degree of reliance on these systems. To do this, the
examiner must determine which business unit or units are
responsible for the development and operation of the systems.
Safety and soundness examiners must coordinate with IT
specialists during the risk assessment and planning phase of
the examination, as well as during the on-site examination.
Assessing Risk-Risk monitoring 2
• In order to provide a common terminology and consistent
approach for evaluating the adequacy of an organization’s
information technology, five information technology elements are used:
• (1) Management Processes--planning, investment,
development, execution, and staffing of information technology
from a corporate-wide and business-specific perspective;
• (2) Architecture--the underlying design of an automated
information system and its individual components;
• (3) Integrity--the reliability, accuracy, and completeness of
information delivered to the end-user;
• (4) Security--the safety afforded to information assets and their
data processing environments, using both physical and logical
controls to achieve a level of protection commensurate with the
value of the assets; and,
• (5) Availability--the timely delivery of information to end-users.
Risk-Focused - A. Risk Matrix 1
• The risk matrix is a structured approach to assessing risk and
lays the groundwork for the preparation of the narrative risk
assessment.
• The first step to establish a risk matrix is to identify significant
activities of the organization. The balance sheet, income
statement, and off-balance-sheet reports are good places to
begin this process.
• The income statement, in particular, can be an important
place to identify key activities and the relative importance of
such activities on revenues and net income. For example, a
fee-driven business may be a significant contributor to the
“bottom line” but not involve a large investment in assets.
• What types of activities is the bank engaged in and what is
the level of inherent risk associated with these activities?
Using the six banking risks, the examiner should determine
the associated level of each of the risk components for a
given activity.
Risk-Focused - A. Risk Matrix 2
• The second step in establishing a risk matrix is to identify the
level of risk of the significant activities of the organization.
• High Risk is present where activities are significant or
positions are large in relation to the institution’s assets
and capital or its peer group, where there is a substantial
number of transactions, or where activities are more
complex than normal. The potential exists for a
significant or harmful loss to the institution.
• Moderate Risk is present where activities, positions,
and transactions are average in size or number and are
more typical or traditional to the organization. While a
loss is possible, the bank could absorb the loss in the
normal course of business.
• Low Risk exists where loss is remote and would have
little impact on the bank or its financial condition.
Risk-Focused - A. Risk Matrix 3
• As the third step in completing the risk matrix, a preliminary assessment of the risk
management systems covering each activity should be made.
• Strong Risk Management indicates that management effectively identifies and
controls all major types of risk posed by the relevant activity or function. The
board and senior management participate in managing risk and ensuring that
appropriate policies and limits exist. Policies are supported by risk-monitoring
procedures, reports, and management information systems. Internal controls
and audit procedures are appropriate to the size and activities of the institution,
and few exceptions are noted.
• Acceptable Risk Management indicates that the institution’s risk-management
systems, although largely effective, may be lacking to some modest degree.
The institution may have some minor risk-management weaknesses; however,
the problems have been recognized and addressed. Overall, board and senior
management oversight, policies, risk-monitoring procedures, reports, and
management information systems are considered effective.
• Weak Risk Management indicates risk-management systems that are lacking in
important ways and are a cause for more-than-normal supervisory attention.
The internal control system may be lacking in important respects, particularly if
continued control exceptions or failure to adhere to written policies and
procedures is evident. Those deficiencies could have adverse effects on the
financial institution.
Risk-Focused - A. Risk Matrix 4
• Lastly, a composite risk assessment for each activity and an overall
composite risk for the institution should be determined. To facilitate
consistency in preparing the risk matrix, general definitions of the
composite level of risk for significant activities are provided.
• High Composite Risk is generally assigned to an activity in which the
risk-management system does not significantly mitigate the high
inherent risk of the activity. Thus, the activity could potentially result in
a financial loss even if systems are considered strong. For an activity
with moderate inherent risk, a risk management system that has
significant weakness could result in a high composite risk assessment,
because management appears to have inadequate understanding of
the risk.
• Moderate Risk generally would be assigned to an activity with
moderate inherent risk where the risk management systems
appropriately mitigate the risk. An activity with a low inherent risk but
significant weakness in the risk-management system may result in a
moderate composite risk. A high-risk activity with a strong risk-
management system may also earn a moderate risk component.
• Low Composite Risk generally would be assigned to an activity with
low inherent risks. An activity with moderate inherent risk and strong
management systems may also be assigned a low composite risk.
Risk Matrix for Bank A (Sample)
| Activity | Relative Weight | Inherent Risks (Credit / Market / Liquidity / Operational / Legal / Reputational) | Risk Management Systems | Composite |
|---|---|---|---|---|
| Commercial loans | 35% TA | Mod / Low / Low / Mod / Mod / Low | Acceptable | Moderate |
| Treasury Securities | 10% TA | Low / Low / Low / Low / Low / Low | Strong | Low |
| OVERALL COMPOSITE RISK | | | | Moderate |
Risk-Focused - B. Risk Assessment 1
• The risk assessment serves as an internal planning tool
and should provide a comprehensive risk-focused picture
of the bank.
• The goal is to develop a document that presents a
comprehensive, risk-focused view of the institution,
delineating the areas of supervisory concern and laying
the groundwork for the supervisory plan.
• The format and content of the risk assessment are
flexible and should be tailored to each institution.
• The risk assessment reflects the dynamics of the
institution and, therefore, should consider the institution’s
evolving business strategies and be amended as
significant changes in the risk profile occur.
Risk-Focused - B. Risk Assessment 2
• The risk assessment should, however, address the following:
1. The overall risk assessment of the organization.
2. The six types of risk and the trend (increasing, stable,
decreasing) of these risks.
3. The major functions, business lines, activities, products, and
legal entities from which significant risks emanate and the
key issues that could affect the risk profile. The business
strategies should be considered and amended as significant
changes occur.
4. The likelihood of an adverse effect and the potential impact
on the institution.
5. The institution’s risk management systems. Reviews by
internal and external auditors should also be discussed.
The risk assessment should attempt to identify the cause of
problems or unfavorable trends, not just list the symptoms. It
should not be a reiteration of facts but rather a comprehensive
analysis leading to conclusions about the risk profile of the
organization.
Risk-Focused – C. Supervisory Plan 1
• The supervisory plan is a bridge between the risk assessment and
the supervisory activities to be conducted at the organization. It
should be completed annually and updated as circumstances change.
The plan outlines all activities to be conducted at the institution and
defines the scope as well as the objective and specific concerns
regarding those activities.
• Consideration should be given to:
1. Prioritizing supervisory resources on areas of higher risk.
2. Pooling examiner resources to reduce burden and redundancies.
3. Maximizing the use of examiners located where the activity is being
conducted.
4. Coordinating examinations of different disciplines.
5. Determining compliance with, or potential for, supervisory action.
6. Balancing mandated requirements with the objectives of the plan.
7. General logistical information.
8. The extent to which internal and external audit, internal loan review,
compliance, and other risk-management systems will be tested and
relied upon.
Risk-Focused – C. Supervisory Plan 2
• The central point of contact should seek to minimize disruption to
the company and avoid duplication of examination efforts. This
requires extensive coordination with other supervisory agencies
to ensure that scheduling is efficiently accomplished.
Coordination of specialty examinations, such as information
technology and trust, is also noted in the plan.
• The plan documents that supervisory concerns identified through
the risk assessment will be addressed. Resources are prioritized
based on highest risk, which is determined through the
assessment process. If risk-management systems are
considered strong, the depth of supervisory review may be
adjusted. In addition, the plan will indicate the extent to which
internal audit, internal loan review, compliance, and other risk-
management systems will be tested and relied upon. General
logistical concerns will also be discussed in the plan.
Risk-Focused – D. Examination Program
• The preparation of the examination program involves a
comprehensive schedule of examination activities for the
entire organization. Prior to the implementation of a risk-
focused examination approach, the regulator developed an
independent schedule. For entities with multiple banks and
charters, different regulators throughout the year could
conduct examinations.
• The program generally incorporates
(1) a schedule of activities, with durations and resource
estimates;
(2) an indication of the agencies participating in the activity;
(3) the planned product for communicating findings; and
(4) the need for special examiner skills and the extent of
participation by specialty disciplines.
Risk-Focused – E. Scope Memorandum
• The scope memorandum for large complex institutions is similar, as it defines the central
objectives of the on-site examination. It should identify specific areas to be reviewed and the
extent of those reviews. The scope should be tailored to the size, complexity, and current
condition of the company, and for less complex but large companies, it can be combined with
the supervisory plan or risk assessment. The scope memorandum will generally provide a
brief synopsis on the CAMELS components and overall financial condition. The scope
memorandum should define the objectives of the examination and generally should include:
1. A statement of the objectives.
2. An overview of the activities and risks to be evaluated.
3. The level of reliance on internal risk management systems and internal or external audit
findings.
4. A description of the procedures that are to be performed, indicating any sampling
process to be used and the level of transaction testing, where appropriate.
5. Identification of the procedures that are expected to be performed off-site.
6. A schedule of activities, duration of time and resource estimates for planned projects.
7. An identification of the agencies conducting and participating in the supervisory activity
and resources committed by all participants to the area(s) under review.
8. The planned product for communicating findings.
9. The need for special examiner skills and the extent of participation by specialty disciplines.
Risk-Focused – F. Entry Letter
• Once the scope of the examination has been determined, an entry
letter is prepared. The letter, which requests specific information to be
provided to the examiners, should also be tailored to the organization.
More importantly, the letter should consider the risk-focused supervision
objectives, and only items needed to support examination procedures
should be requested.
• As specific items are selected for inclusion in the entry letter, the
following should be considered:
1. Reflect risk-focused supervision objectives and the examination
scope.
2. Facilitate efficiency in the examination process and lessen the burden
on the bank. Minimize the number of requested items and avoid
duplication.
3. Limit, to the extent possible, requests for special management reports.
4. Eliminate items used for audit-type procedures.
5. Distinguish information to be mailed or held at the institution.
6. Allow management sufficient lead time to prepare the requested
information.
Risk Management Rating 1
• The rating for risk management is based on a scale of one through five in
ascending order of supervisory concern. The risk-management rating
should be reflected in the overall “Management” rating of the institution
and should be consistent with the following criteria:
• Rating 1 (Strong) A rating of 1 indicates that management effectively
identifies and controls all major types of risk posed by the institution’s
activities, including those from new products and changing market
conditions. The board and management are active participants in
managing risk and ensure that appropriate policies and limits are
supported by risk-monitoring procedures, reports, and management
information systems that provide management and the board with the
necessary information and analysis to make timely and appropriate
responses to changing conditions.
Internal controls and audit procedures are sufficiently comprehensive and
appropriate to the size and activities of the institution. There are few
noted exceptions to the institution’s established policies and procedures,
and none are material. Management effectively and accurately monitors
the condition of the institution consistent with standards of safety and
soundness and in accordance with internal and supervisory policies and
practices. Risk management is considered fully effective to identify,
monitor, and control risks to the institution.
Risk Management Rating 2
• Rating 2 (Satisfactory) A rating of 2 indicates that the institution’s
management of risk is largely effective, but lacking to some modest
degree. It reflects a responsiveness and ability to cope successfully
with existing and foreseeable exposures that may arise in carrying out
the institution’s business plan. While the institution may have some
minor risk-management weaknesses, these problems have been
recognized and are being addressed. Overall, board and senior
management oversight, policies and limits, risk-monitoring
procedures, reports, and management information systems are
considered satisfactory and effective in maintaining a safe and sound
institution. Generally risks are being controlled in a manner that does
not require additional or more-than-normal supervisory attention.
• Internal controls may display modest weakness or deficiencies, but
they are correctable in the normal course of business. The examiner
may have recommendations for improvement, but the weaknesses
noted should not have a significant effect on the safety and
soundness of the institution.
Risk Management Rating 3
• Rating 3 (Fair) A rating of 3 signifies risk-management practices that
are lacking in some important ways and, therefore, are a cause for
more-than-normal supervisory attention. One or more of the four
elements of sound risk management are considered fair and have
precluded the institution from fully addressing a significant risk to its
operations. Certain risk-management practices are in need of
improvement to ensure that management and the board are able to
identify, monitor, and control adequately all significant risks to the
institution. Weaknesses may include continued control exceptions or
failures to adhere to written policies and procedures that could have
adverse effects on the institution.
• The internal control system may be lacking in some important
respects, particularly as indicated by continued control exceptions or
by the failure to adhere to written policies and procedures. The risks
associated with the internal control system could have adverse effects
on the safety and soundness of the institution if management does
not take corrective actions.
Risk Management Rating 4
• Rating 4 (Marginal) A rating of 4 represents marginal risk-
management practices that generally fail to identify, monitor, and
control significant risk exposures in many material respects.
Generally, such a situation reflects a lack of adequate guidance and
supervision by management and the board. One or more of the four
elements of sound risk management are considered marginal and
require immediate and concerted corrective action by the board and
management. A number of significant risks to the institution have not
been adequately addressed, and the risk management deficiencies
warrant a high degree of supervisory attention.
• The institution may have serious identified weaknesses, such as an
inadequate separation of duties, that require substantial improvement
in internal control or accounting procedures or in the ability to adhere
to supervisory standards or requirements. Unless properly
addressed, these conditions may result in unreliable financial records
or reports or operating losses that could seriously affect the safety
and soundness of the institution.
Risk Management Rating 5
• Rating 5 (Unsatisfactory) A rating of 5 indicates a critical absence of effective risk-
management practices to identify, monitor, or control significant risk exposures. One
or more of the four elements of sound risk management are considered wholly
deficient, and management and the board have not demonstrated the capability to
address deficiencies.
• Internal controls may be sufficiently weak as to jeopardize seriously the continued
viability of the institution. If not already evident, there is an immediate concern
about the reliability of accounting records and regulatory reports and about potential
losses that could result if corrective measures are not taken immediately.
Deficiencies in the institution’s risk-management procedures and internal controls
require immediate and close supervisory attention.
• The risk-management rating should be an important factor when determining the
overall management rating of the CAMELS rating system. Comments, conclusions,
and criticisms relating to a bank’s risk-management process should be brought to
the attention of management and included on the “Management/ Administration,”
“Examination Conclusions and Comments,” and “Matters Requiring Board
Attention,” sections of the report, if appropriate.
• Examiners should also consider the extent to which weaknesses in a bank’s
management of risk may indicate material noncompliance with one or more safety
and soundness guidelines covering internal controls and information systems,
internal audit systems, loan documentation, credit underwriting, interest rate
exposure, asset growth or compensation, fees, and benefits.