
Supervisory Policy Manual

SA-1 Risk-based Supervisory Approach V.1 – 11.10.01

This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue underlined headings to activate hyperlinks to the relevant module.

—————————

Purpose
To explain the HKMA's risk-based supervisory approach

Classification
A non-statutory guideline issued by the MA as a guidance note

Previous guidelines superseded
This is a new guideline.

Application
To all AIs

Structure
1. Supervisory framework
1.1 Introduction
1.2 Key benefits
1.3 Integration with CAMEL rating system
1.4 Risk-based approach and methodology
1.5 Risk assessment
1.6 Supervisory process
1.7 Primary prudential obligations of an AI

2. The eight types of inherent risk
2.1 Credit risk
2.2 Market risk
2.3 Interest rate risk
2.4 Liquidity risk
2.5 Operational risk
2.6 Reputation risk
2.7 Legal risk
2.8 Strategic risk

3. Four elements of a sound risk management system
3.1 Summary
3.2 Board and senior management oversight
3.3 Policies, procedures and limit structure
3.4 Risk measurement, monitoring and management reporting systems
3.5 Internal controls and comprehensive audits

4. Rating risk management
4.1 Factors considered
4.2 Rating scale and integration into CAMEL rating
4.3 Definitions of risk management ratings

—————————

1. Supervisory framework

1.1 Introduction

1.1.1 The objective of the supervisory framework of the HKMA is to provide an effective process to monitor and assess the safety and soundness of AIs on a continuing basis. The process follows a risk-based approach. It consists of a structured methodology designed to establish a forward-looking view on the risk profile of AIs. This permits a direct and specific focus on the areas of greatest risk to an AI. It also enables the HKMA to be more proactive and better positioned to pre-empt any serious threat to the stability of the banking system from any current or emerging risks.

1.1.2 This enhanced risk-based supervisory approach has been implemented by the HKMA in response to a recommendation in the Hong Kong Banking Sector Consultancy Study, completed in December 1998. The recommendation was based in part on a perceived need to raise the supervisory process to a more effective level by addressing the risks and increasing competition within the market place.

1.1.3 The adoption of a more risk-based framework is designed to allow the HKMA to continue to deliver consistent, high-quality supervision as the banking sector develops and risk profiles of AIs change in reaction to competitive forces. The enhanced supervisory regime will complement regulatory changes to promote both competition and the safety and soundness of the banking sector. This approach should benefit AIs as the regulatory effort is more focused on high-risk areas and provides for more efficient supervision.

1.2 Key benefits

1.2.1 The key benefits for both the HKMA and AIs from this enhanced supervisory framework are:

• better evaluation of risks through separate assessment of inherent risks and risk management processes;

• greater emphasis on early identification of emerging risks at individual AIs and on a sector-wide basis;

• cost-effective use of resources through a sharper focus on risk, which in time should result in examination teams spending less time on site at individual AIs;

• more utilisation by the HKMA of management information prepared by AIs;

• a better appreciation by supervisors of the management quality of AIs, the characteristics of their business and the risks they face;

• enhanced value of the supervisory work performed to both the management of AIs and the supervisors, who have a common interest in ensuring that risks are properly identified and that adequate and effective control systems are established to monitor and control risks; and

• cost of supervision, in terms of management time of an AI, will be more directly related to the AI’s risk profile, i.e. the intensity of supervision and the amount and focus of supervisory action will increase or decrease in line with the perceived risk profile of the AI.

1.3 Integration with CAMEL rating system

1.3.1 The CAMEL¹ rating system, which has been implemented at the HKMA since 1995, is designed to assess in a comprehensive manner an AI’s financial condition, compliance with laws and regulations, risk management systems and overall operating soundness. Its primary purpose is to help identify those AIs where weaknesses in the aforementioned areas require special supervisory attention or warrant a higher than normal degree of supervisory concern.

1.3.2 Risk-based supervision is a dynamic and forward-looking approach, which provides the supervisory process with the necessary framework to factor the risk profile of an AI into the CAMEL rating system. Risk-taking has always been present in the banking business, and rightfully so, but has increased significantly, primarily due to the need to remain competitive in a fast-paced environment.

1.3.3 The risk-based methodology incorporates the risk profile, which is ascertained by balancing the level of inherent risk with the quality of risk management systems at AIs, into the CAMEL rating system. Each of the CAMEL components is, as shown in the following diagram, affected by one or more of the eight inherent risks (credit, market, interest rate, liquidity, operational, legal, reputation and strategic), which the HKMA has identified as risks to be assessed during the supervisory process. These eight inherent risks are described in section 2 below.

¹ CAMEL is an internationally recognised framework for assessing Capital adequacy, Asset quality, Management, Earnings and Liquidity. The overall rating is expressed through the use of a numerical scale of 1 to 5 in ascending order of supervisory concern.

1.3.4 Under the risk-based approach, a change in the CAMEL rating of an AI may result from the qualitative analysis of its risk profile in addition to the more traditional quantitative analysis of its financial data. An example of such a change would be a down-grade in asset quality to a "3" for an AI which displays current indicators representing an asset quality of "2" but whose credit risk, as a result of recent aggressive lending practices and less than satisfactory credit risk management systems, has been assessed as high.

1.3.5 This approach to supervision does not eliminate or change the quantitative approach to assessing the components of the CAMEL rating system but it adds a new dimension, which enables the supervisory process to inject more judgement, based on a forward perspective, in arriving at a final rating.

[Diagram labels: Credit risk, Market risk, Interest rate risk, Liquidity risk, Operational risk, Legal risk, Reputation risk, Strategic risk; C, A, M, E, L; Risk profile (balancing the level of inherent risk with the quality of risk management systems); AI]

1.3.6 The risk-focused examination process places more emphasis on an evaluation of the quality of risk management systems and internal controls. A risk management rating is assigned at the conclusion of the on-site examination by the on-site manager to the AI and formally incorporated into the management component of the CAMEL rating. It may also influence the ratings given to the other CAMEL components, as illustrated in para. 1.3.4 above. Section 3 below gives details of the four elements of a sound risk management system and section 4 describes the risk management rating system.

1.4 Risk-based approach and methodology

1.4.1 The risk-based supervisory approach, which emphasises effective planning and examiner judgement, customises examinations to suit the size and activities of AIs and to concentrate examiner resources on areas that expose the AI concerned to the greatest degree of risk.

1.4.2 The risk-based methodology, shown in the diagram below, consists of six key steps, each of which requires the preparation of specific documentation.

Step | Process | Specific Documentation
Step 1 | Understanding the AI | Institutional Overview
Step 2 | Assessing the risk | Risk Assessment Narrative
Step 3 | Planning supervisory work | Planning and Scope Memorandum
Step 4 | Defining examination activities | Planning and Scope Memorandum
Step 5 | Performing risk-focused on-site examination, reporting the findings and reviewing the CAMEL rating | Report of Examination
Step 6 | Conducting continuing off-site supervision including supervisory actions | Institutional Overview update

1.4.3 The first step in the risk-based methodology, Understanding the AI, requires the preparation of an Institutional Overview document.

1.4.4 The Institutional Overview provides a concise portrait of an AI’s structure and financial condition. It summarises key business lines and functions, the business strategy and any planned introduction of new products, describes legal structure and financial condition and identifies problem issues related to the AI itself or its affiliated entities, such as domestic or foreign subsidiaries and branches.

1.4.5 Information provided in the Institutional Overview is determined by the complexity of the AI and is primarily based upon internal and public sources of data, as well as information gathered from periodic on-site visitations.

1.4.6 The second step in the risk-based methodology, Assessing the Risk, results in the completion of a Risk Assessment Narrative.

1.4.7 The risk assessment exercise is designed to identify the type, level and direction of risks of an AI.

1.4.8 In order to conduct this exercise effectively, a building-block approach is used in which each of the significant activities of the AI is assessed with respect to the level of each of the inherent risks and the risk management systems in place to manage these risks.

1.4.9 The objective of the risk assessment exercise is to develop a comprehensive risk profile, which captures all the eight types of inherent risks of the AI. Subsection 1.5 below describes the risk assessment process in more detail.

1.4.10 The risk profile is used to complete the third and fourth steps in the risk-based methodology, which are Planning the Supervisory Work and Defining Examination Activities. The document to be prepared for these two steps is the Planning and Scope Memorandum. The HKMA will try to customise examination tasks so that they are consistent with the complexity and risk profile of the AI.

1.4.11 The emphasis of the risk-focused examination to be performed in step five is on evaluating the effectiveness of the risk management system of the AI for each type of inherent risks. At the conclusion of the on-site examination, as previously indicated in para. 1.3.6, a risk management rating is assigned by the on-site manager and factored into the management component of the CAMEL rating. The risk management rating may also affect the rating for one or more of the other CAMEL components. A report of examination will then be produced in this step to capture the examination findings and results from the review of the CAMEL rating.

1.4.12 As the risk-based supervisory methodology revolves around a process of continuing off-site supervision, the Institutional Overview produced in step one will be constantly updated throughout the year in step six, making it a dynamic document which always reflects the most current position of the AI.

1.5 Risk assessment

1.5.1 The development of a formal risk assessment process represents an important addition to the HKMA's supervisory approach. The purpose of this risk assessment undertaking is, as indicated earlier, to identify the type, level and direction of all significant risks of an AI. The process consists of determining the level of risk in each of the eight inherent risks by business activity, the direction of risk, the adequacy of existing risk management systems and the impact, if any, of external risk factors. It concludes with a composite risk level for each business activity and an overall risk profile for the AI.

1.5.2 The level of inherent risk is defined as the probability and degree of potential loss due to an adverse event or action within a particular activity or product without regard to the adequacy and quality of the relevant risk management system in place. Ascertaining the level of inherent risk is a judgement call after assessing and weighing all the factors and evaluation criteria for each of the inherent risks. For example, if the asset quality of the loan portfolio being assessed has deteriorated to a less than satisfactory rating with a high level of classified credits, the level of inherent credit risk will probably be rated as high.

1.5.3 The adequacy of risk management systems is determined by evaluating the four elements of a sound risk management system as follows:

• active Board and senior management oversight;

• effective organisational policies, procedures and limits for managing business activities;

• adequate risk measurement, monitoring and management reporting systems; and

• comprehensive internal controls, including an effective internal audit function.

1.5.4 The following eight inherent risks which have been identified by the HKMA are to be assessed during this process:

• credit;

• market;

• interest rate;

• liquidity;

• operational;

• legal;

• reputation; and

• strategic.

1.5.5 The risk assessment exercise consists of four phases as shown in the following diagram:

[Diagram labels: Phase One: Gathering information; Phase Two: Defining functional business lines; Phase Three: Completing the risk matrix; Phase Four: Completing risk assessment narrative; On-site Visitation(s)]

1.5.6 In phase one, sufficient information must be gathered to understand fully the business activities and risk management systems of the AI. This is often accomplished by conducting one or more on-site visitations to the AI to obtain the required information or to clarify information already received.

1.5.7 In phase two, functional business lines and the relative significance of activities are properly identified. In identifying functional businesses, the HKMA will adopt as far as possible the AI's own classification of its different businesses, since the internal management information reports are likely to be compiled on the same basis. Use of the AI's own classification will usually facilitate the HKMA's analysis and assessment.

1.5.8 There are four steps involved in phase three. The initial step is to identify the level of inherent risk by functional activity for each of the eight inherent risks. The level of inherent risk, which is a judgement call by the case officer, can be assessed as "high", "moderate" or "low". Qualitative as well as quantitative factors will be considered for each functional activity in arriving at the judgement. Generally speaking, based on the statistical theory of probability, moderate inherent risk exists when there is an average probability or chance of an adverse impact on an AI’s capital or earnings due to exposure and uncertainty from potential future events within the functional activity. An assessment of high inherent risk would reflect a higher than average probability of potential loss and an assessment of low inherent risk would reflect a lower than average probability. In arriving at the level of inherent risk, the degree of potential loss in relation to earnings and capital must also be considered and factored into the decision. High inherent risk could reasonably be expected to result in a significant and harmful loss to the AI. Moderate inherent risk could reasonably be expected to result in a loss, which could be absorbed by the AI in the normal course of business and low inherent risk could reasonably be expected to result in little or no loss to the AI. In assessing inherent risk, the direction of risk in the next 12 months, including the risk in any new products, must also be considered.

1.5.9 The second step is to evaluate by functional activity the risk management systems in place to manage the inherent risks. The risk management systems will be assessed as "strong", "acceptable" or "weak" in the areas of management oversight, policies and procedures, risk measurement and internal controls, as mentioned earlier.

1.5.10 The third step in phase three is to classify the composite risk profile for each of the significant business activities as "low", "moderate" or "high". This is a summary judgement arrived at by balancing the level of inherent risks of the business activity, the adequacy of the risk management systems for the activity and the direction of risk.

1.5.11 The direction of risk is required so that the assessment of risk reflects a forward as well as current view of the composite risk profile of an AI for a particular activity. For this purpose, the direction of risk is classified as “increasing”, “stable” or “decreasing”.

1.5.12 This means, for example, that if credit risk is the most significant risk for a particular activity conducted by an AI and it is increasing, that may prompt the HKMA to increase the composite risk profile for the activity in question (i.e. from “moderate” to “high”). If, however, the direction of credit risk is either stable or declining, it may not alter the composite risk profile for the activity concerned.

1.5.13 Since, however, the risk assessment process includes many judgemental considerations, it is also possible for the composite risk profile for an activity to be lowered under the same scenario of a stable or declining credit risk environment after taking into account other relevant factors. A risk profile matrix, which serves as a guide for ascertaining the composite risk profile for each significant activity and the appropriate supervisory response is set out below:

Risk profile matrix²

INHERENT RISK | RISK MANAGEMENT SYSTEMS: STRONG | RISK MANAGEMENT SYSTEMS: ACCEPTABLE | RISK MANAGEMENT SYSTEMS: WEAK
HIGH | Moderate to high aggregate risk; Limited review | High aggregate risk; Limited review | High aggregate risk; Full-scope review required
MODERATE | Low to moderate aggregate risk; Limited or no review required | Moderate aggregate risk; Limited review | Moderate aggregate risk; Full-scope review required
LOW | Low aggregate risk; No review required | Low aggregate risk; No review required | Low aggregate risk; Limited review

² To be applied to each significant business activity of the AI

1.5.14 The final step in phase three is to develop a risk matrix summary, which shows the composite risk profile and direction of risk by each type of inherent risk across all business activities. The composite risk profile by inherent risk is arrived at by balancing the level of inherent risk with the quality of risk management systems and the direction of risk. The risk matrix summary also reflects an overall risk profile and direction of risk for the AI.

1.5.15 Phase four of the risk assessment process requires the completion of a risk assessment narrative document, which is an integral part of the entire risk-based supervisory methodology. The narrative shows the overall level of risk by inherent risk category and direction. It also analyses the business activities within each of the risk categories and evaluates qualitatively management's effectiveness in managing and controlling the risks. The document also identifies key issues that may affect the risk profile and contains details of the type and level of activity that was assessed. The risk assessment narrative is used to assist in determining the risk-focused examination scope.

1.5.16 The goal of the risk assessment narrative is to develop an overall risk profile of an AI and provide the background to how the overall risk profile for the AI has been derived. The narrative should include a discussion of the AI's key risks, describe and assess how the AI manages the risks, detail the level and trend of the risks, document the areas of supervisory concern and provide an overall assessment of the organisation.

1.5.17 The risk assessment narrative will also include a discussion of the AI’s risk management rating, which is assigned at the conclusion of the risk-focused on-site examination. As previously indicated, the risk management rating is factored into the CAMEL rating of the AI. The narrative document will also include comments on the consolidated risk management system and the internal and external audit function.

1.6 Supervisory process

[Diagram: Integrated process of RBS. Labels: Prudential Interview; Tripartite Meeting; Understanding the AI; Pre-on-site Visitation(s); Assessing the Risk; Planning Supervisory Work; Defining Examination Activities; Risk-Focused Examination and CAMEL Rating; Conducting Continuing Off-site Supervision Including Supervisory Actions; Meeting With Board; Post-on-site Visitation(s)]

1.6.1 The diagram above shows how the risk-based supervisory methodology has been integrated into the HKMA's overall supervisory process in a way that provides an enhanced level of continuous supervision. The risk-based approach, which by design is circular and conducted on as current a basis as possible in a continuing cycle, is complemented and strengthened by on-site visitations, prudential interviews, annual tripartite meetings and annual supervisory meetings with the Board of Directors of locally incorporated banks.

1.6.2 On-site visitations to AIs may be conducted at any phase of the cycle but are more likely to take place during the updating of the risk assessment process prior to the start of, or subsequent to, the on-site examination. The purpose of the "pre-on-site" visitation is usually to obtain a current picture of recent developments, which may have an effect on the risk profile of the AI, such as the introduction of new products or any significant changes in the risk management systems. Also during the pre-on-site visitation, case officers are required to perform an assessment of the internal audit function of an AI. The assessment includes a review of the internal audit’s independence and performance. The results of the assessment will be used to decide the scope for the risk-focused on-site examination. If the internal audit function is acceptable and meets the HKMA’s standards, the HKMA will be able to place more reliance on its work and the scope for the on-site examination can be suitably reduced. The "post-on-site" visitation is usually conducted to follow up on the status of any significant examination findings or supervisory actions instituted.

1.6.3 As part of the continuous supervisory process, an annual prudential meeting is held with the senior management of an AI. The HKMA attaches great importance to this regular dialogue as it enables the supervisory officials to understand better how senior management views and controls the AI's risks and how it views the current business situation and future prospects. The meeting also provides the supervisors with an opportunity to clarify specific issues and discuss prudential concerns which have arisen during any phase of the cycle.

1.6.4 For AIs belonging to a banking group, prudential meetings may be held both at group level and with individual AIs of the group. In addition, the HKMA may hold discussions with overseas head offices of foreign banks, either through HKMA staff calling on them or during their visits to Hong Kong.

1.6.5 Annual tripartite meetings are held with AIs and their external auditors, normally following the completion of the annual audit. Matters discussed typically include any issues arising out of the audit such as weaknesses identified in internal controls, the adequacy of provisions and compliance with prudential standards and the various requirements of the Banking Ordinance. The HKMA will also wish to see the auditors' management letter to the AI and discuss any matters of prudential concern contained in the letter.

1.6.6 As a further enhancement to the continuous supervisory approach, the HKMA will hold an annual meeting with the Board of Directors of each locally-incorporated bank. This meeting will generally be conducted after the completion of the risk-focused on-site examination and updating of the composite CAMEL rating of the AI. The purpose of this meeting is generally to discuss the examination findings, particularly any significant deficiencies in the risk management systems or any other matters of prudential concern. The meeting can also be a forum for the Board members and the supervisory officials to discuss any matters of mutual interest.

1.7 Primary prudential obligations of an AI

1.7.1 AIs are expected to have in place a comprehensive risk management system to identify, measure, monitor and control the various types of risks within all of their activities and, where appropriate, to hold capital against these risks. AIs should have adequate policies, procedures, limits and controls to manage the eight types of inherent risk identified by the HKMA and any other risks which have been identified by the AI itself. Specialised board committees such as the audit committee, the risk management committee or the asset and liability management committee have a useful role to play in reviewing the adequacy of the risk management system and the extent of the overall effectiveness of it. AIs should ensure that the four elements of a sound risk management system are met (see para. 1.5.3).

1.7.2 The HKMA has issued various guidelines and guidance notes to the industry, which represent either minimum standards or in some cases best practices to be adopted by AIs. These guidelines and guidance notes can be found in the HKMA’s Supervisory Policy Manual. AIs are expected to have systems and procedures in place to ensure compliance with these guidelines and guidance notes as appropriate.

2. The eight types of inherent risk

2.1 Credit risk

2.1.1 This is the risk that a borrower or counterparty may fail to fulfill an obligation. The assessment of credit risk involves evaluating both the probability of default by the counterparty, obligor or issuer and the exposure or financial impact on the AI in the event of default.

2.2 Market risk

2.2.1 This is the risk to an AI's financial condition resulting from adverse movements in market rates or prices such as foreign exchange rates, commodity or equity prices. The primary determinant of the inherent market risk of a business line is the volatility of the relevant markets. In assessing inherent market risk one must consider, however, the interaction between market volatility and business strategy. A trading strategy that focuses exclusively on intermediation between end-users will tend to result in less market risk than a purely proprietary strategy.

2.3 Interest rate risk

2.3.1 This is the risk to an AI's financial condition resulting from adverse movements in interest rates. In determining the levels of interest rate risk, assessments are made of the levels of repricing risk, basis risk, options risk and yield curve risk. In addition, evaluations are made of the funding strategy with respect to interest rate movements and the impact of the overall business strategy on interest rate risk.

2.4 Liquidity risk

2.4.1 This is the risk that an AI may be unable to meet its obligations as they fall due. This may be caused by "funding liquidity risk", i.e. the AI's inability to liquidate assets or to obtain funding to meet its obligations. The problem could also be caused by "market liquidity risk", where the AI cannot easily unwind or offset specific exposures without lowering market prices significantly because of inadequate market depth or market disruptions.

2.5 Operational risk

2.5.1 This is the risk of direct or indirect loss resulting from inadequate or failed internal processes, staff and systems or from external events.

2.5.2 The evaluation of operational risk involves an assessment of both product and AI-specific factors. The relevant product factors include the maturity of the product in the market, the need for significant fund movements, the impact of a breakdown in segregation of duties and the level of complexity and innovation in the market place. AI-specific factors, which can significantly increase or decrease the basic level of operational risk, include the quality of the audit function and programme, the volume of transactions in relation to systems development and capacity, the complexity of the processing environment and the level of manual intervention required to process transactions.

2.6 Reputation risk

2.6.1 This is the potential that negative publicity regarding an AI's business practices, whether true or not, will cause a decline in the customer base or lead to costly litigation or revenue reductions. Market rumours or public perceptions are significant factors in determining the level of risk in this category.

2.7 Legal risk

2.7.1 This is the risk arising from the potential that unenforceable contracts, lawsuits or adverse judgments may disrupt or otherwise negatively affect the operations or financial condition of an AI.

2.8 Strategic risk

2.8.1 This is the risk of current and prospective impacts on earnings, capital, reputation or standing arising from poor business decisions, improper implementation of decisions or lack of response to industry, economic or technological changes. This risk is a function of the compatibility of an organisation’s strategic goals, the business strategies developed to achieve these goals, the resources deployed to meet these goals and the quality of implementation.

3. Four elements of a sound risk management system

3.1 Summary

3.1.1 While risk management systems vary among AIs, there are four basic elements contributing to a sound risk management environment.

• active Board and senior management oversight;

• organisational policies, procedures and limits that have been developed and implemented to manage business activities effectively;

• adequate risk measurement, monitoring and management information systems that are in place to support all business activities; and

• established internal controls and the performance of comprehensive audits to detect any deficiencies in the internal control environment in a timely fashion.

3.1.2 These are discussed in turn below.

3.2 Board and senior management oversight

3.2.1 The quality of Board and senior management oversight is evaluated in relation to the following elements:

• whether the Board and senior management have identified and have a clear understanding of the types of risk inherent in business lines and whether they have taken appropriate steps to ensure continued awareness of any changes in the levels of risk;


• whether the Board and senior management have been actively involved in the development and approval of policies to limit the risks, consistent with the AI's risk appetite;

• whether the Board and senior management are knowledgeable about the methods available to measure risks for various activities;

• whether the Board and senior management carefully evaluate all the risks associated with new activities and ensure that the proper infrastructure and internal controls are in place; and

• whether the Board and senior management have provided adequate staffing for the activity and designated staff with appropriate credentials to supervise the activity.

3.3 Policies, procedures and limit structure

3.3.1 The following key factors are to be considered in evaluating the adequacy of policies, procedures and limits:

• whether policies, procedures and limits are properly documented, drawn up after careful consideration of the risks associated with the activity and reviewed and approved by management at the appropriate level;

• whether policies assign full accountability and clear lines of authority for each activity and product area; and

• whether compliance monitoring procedures have been developed. These procedures should include internal compliance checks for adherence to all policies, procedures and limits by an independent function within an AI such as an internal control unit.

3.4 Risk measurement, monitoring and management reporting systems


3.4.1 Effective risk monitoring requires AIs to identify and measure all quantifiable and material risk factors. Consequently, risk monitoring activities must be supported by information systems that provide the management with timely and accurate reports on the financial condition, operating performance and risk exposure of the AI.

3.4.2 Management information systems should provide regular and sufficiently detailed reports for line managers engaged in the day-to-day management of the AI's business activities.

3.4.3 All AIs are expected to have risk monitoring and management information systems that provide senior management with a clear understanding of the AI's positions and risk exposures.

3.4.4 The following factors should be considered in assessing the effectiveness of the risk measurement, monitoring and management reporting systems:

• the adequacy, on a historical basis, of the risk monitoring practices and reports addressing all material risks of the organisation;

• the adequacy and appropriateness of the key assumptions, data sources and procedures used to measure and monitor risk, including the adequacy of analysis, documentation and reliability testing of the system on a continuing basis;

• any material changes in the AI's lines of business or products that might require changes in the measuring and monitoring systems;

• any changes in the information technology or management information system environment that have significantly changed the production process for reports or the assumptions on which reports are based;

• how consistently management information reports and other forms of communication monitor all meaningful exposures, check compliance with established limits, goals or objectives and compare actual with expected performance; and

• the adequacy, accuracy and timeliness of reports to the Board and senior management and whether such reports contain sufficient information for them to identify any adverse trends and to evaluate the level of risks fully.

3.5 Internal controls and comprehensive audits

3.5.1 A critical element of an AI's ability to operate in a safe and sound manner and to maintain an acceptable risk management system is the adequacy of its internal control environment. Establishing and maintaining an effective system of controls, including the enforcement of official lines of authority and the appropriate segregation of duties, is one of management's most important responsibilities. Serious lapses or deficiencies in internal controls such as inadequate segregation of duties may warrant supervisory action.

3.5.2 When properly structured, a system of internal controls promotes effective operations, provides for reliable financial reporting, safeguards assets and helps to ensure compliance with relevant laws, regulations and internal policies. An independent internal auditor should test internal controls and the results of these audits, including management’s response to the findings, should be properly documented.

3.5.3 The following factors should be considered in evaluating the adequacy of the internal control environment:

• the appropriateness of the system of internal controls in relation to the type and level of risks posed by the nature and scope of the AI's business activities and products;

• whether the AI's organisation structure establishes adequately clear lines of authority and responsibility for monitoring compliance with policies, procedures and limits;


• whether reporting lines provide for sufficient independence of the control functions from the business areas, as well as adequate segregation of duties throughout the organisation (such as those relating to trading, custodial and back-office operations or loan origination, marketing and processing);

• whether the official organisational structure reflects actual operating practices;

• the reliability, accuracy and timeliness of all financial, operational and regulatory reports;

• the adequacy of procedures for ensuring compliance with applicable laws, regulations and internal policies and procedures;

• the effectiveness, independence and objectivity of internal audit or other control and review procedures in providing adequate coverage of the AI’s operations;

• whether internal controls and information systems are adequately tested and reviewed;

• whether the coverage, procedures, findings and management responses to audits are adequately documented; and

• whether identified material weaknesses are given appropriate and timely high-level attention and management’s actions to correct material deficiencies are objectively verified and reviewed.

4. Rating risk management

4.1 Factors considered

4.1.1 The following factors will be considered in assigning a rating to the overall risk management system at the conclusion of the risk-focused on-site examination:

• the extent to which an AI is able to manage all the risks inherent in its lending, trading, treasury and other major activities and in particular its ability to identify, measure, monitor and control these risks;

• the soundness of the qualitative and quantitative assumptions implicit in the risk management system;

• whether risk policies, guidelines and limits at the AI are appropriate and consistent with its lending, trading and other activities, management experience level and overall financial strength;

• whether the management information system and other forms of communication are consistent with the level of business activity and complexity of products offered at the AI and provide sufficient support to monitor risk exposure and compliance with established limits accurately; and

• the ability of management to recognise and accommodate new risks that may arise from the changing environment and to identify and address risks not readily quantified in a risk management system.

4.1.2 For example, in the lending area, an AI would be expected to have qualified and experienced lending officers, an effective credit approval and review function and, where appropriate, a credit work-out function. The lending area should also have a credit risk evaluation system that is capable of assessing adherence to credit risk lending limits, lending guidelines, portfolio policies and underwriting standards. In addition, the credit area should have a system that identifies existing and potential problem credits, the adequacy of provisioning and a method for assessing the likely impact of those credits on current and future profits. Procedures should also be in place for assessing the impact to the portfolio brought by specific or general changes in the business climate.

4.2 Rating scale and integration into CAMEL rating


4.2.1 The rating for risk management, which is assigned by the on-site manager at the conclusion of the on-site risk-focused examination, is based on a scale of one to five in ascending order of supervisory concern. This rating is assigned to reflect findings within the four elements of sound risk management as outlined in section 3. The risk management rating will be factored into the management component of the CAMEL rating for the AI. It may also influence the rating for one or more of the other CAMEL components. This concept adds a new dimension to the traditional methodology for assessing the CAMEL components and by extension could affect the composite CAMEL rating. The following indicates what this process entails.

4.2.2 The overall risk management rating is incorporated and heavily weighted in relation to the other factors included in the analysis for assessing and rating the management component of CAMEL. If the risk management rating is "3" the management component of the CAMEL cannot usually be better than "3".

4.2.3 As to how the risk management rating can affect other components of the CAMEL, it is necessary to consider the factors which in the above example led to an overall risk management rating of "3". If serious deficiencies were found in the credit risk management process, it may be necessary to rate the asset quality component as "3" notwithstanding that the quantitative indicators for portfolio quality may support a "2" rating.

4.2.4 Since the risk-based approach views the financial condition of an AI from a forward perspective, the CAMEL rating must also reflect this view, whereas the traditional methodology only captured the current position.

4.3 Definitions of risk management ratings

1 Management effectively identifies and controls all major types of risk posed by the AI's activities, including those from new products and changing market conditions. The Board and management are active participants in managing risk and ensure that appropriate policies and limits exist. The Board understands, reviews and approves them. Policies and limits are supported by risk monitoring procedures, reports and management information systems that provide management and the Board with the necessary information and analysis to make timely and appropriate responses to changing conditions. Internal controls and audit procedures are sufficiently comprehensive and appropriate to the size and activities of the AI. There are few noted exceptions to the AI’s established policies and procedures and none is material. Management effectively and accurately monitors the condition of the AI consistent with standards of safety and soundness and in accordance with internal and supervisory policies and practices. Risk management is considered fully effective to identify, measure, monitor and control risks to the AI.

2 The AI’s management of risk is largely effective but lacking to some modest degree. It reflects a responsiveness and ability to cope successfully with existing and foreseeable exposures that may arise in carrying out the AI's business plan. While the AI may have some minor risk management weaknesses, these problems have been recognised and are being addressed. Overall, Board and senior management oversight, policies and limits, risk monitoring procedures, reports and management information systems are considered satisfactory and effective in maintaining a safe and sound environment. Generally, risks are being controlled in a manner that does not require additional or more than normal supervisory attention. Internal controls may display modest weaknesses or deficiencies but they are correctable in the normal course of business. The on-site team may have recommendations for improvement but the weaknesses noted should not have a significant effect on the safety and soundness of the AI.


3 Risk management practices are lacking in some important ways and are therefore a cause for more than normal supervisory concern. One or more of the four elements of sound risk management are considered less than satisfactory and have precluded the AI from addressing fully a significant risk to its operations. Certain risk management practices are in need of improvement to ensure that management and the Board are able to identify, monitor and control adequately all significant risks to the AI. Weaknesses may include continued control exceptions or failures to adhere to written policies and procedures that could have adverse effects on the AI. The internal control system may be lacking in some important respects, particularly as indicated by continued control exceptions or by failure to adhere to written policies and procedures. The risks associated with the internal control system could have adverse effects on the safety and soundness of the AI if corrective actions are not taken by management.

4 Indicates marginal risk management practices that generally fail to identify, monitor and control significant risk exposures in numerous material respects. Generally, such a situation reflects a lack of adequate guidance and supervision by management and the Board. One or more of the four elements of sound risk management are considered marginal and require immediate and concerted corrective action by the Board and management. A number of significant risks to the AI have not been adequately addressed and the risk management deficiencies warrant a high degree of supervisory attention. The AI may have serious identified weaknesses, such as inadequate separation of duties, that require substantial improvement in its internal control or accounting procedures or in its ability to adhere to supervisory standards or requirements. Unless properly addressed, these conditions may result in unreliable financial records, reports or operating losses that could seriously affect the safety and soundness of the AI.

5 Indicates a critical absence of effective risk management practices to identify, monitor or control significant risk exposures. One or more of the four elements of sound risk management are considered wholly deficient and management and the Board have not demonstrated the capability to address deficiencies. Internal controls may be sufficiently weak as to jeopardise seriously the continued viability of the AI. If not already evident, there is an immediate concern as to the reliability of accounting records and regulatory reports and about potential losses that could result if corrective measures are not taken immediately. Deficiencies in the risk management procedures and internal controls at the AI require immediate and close supervisory attention.

—————————
