headline verdana bold breakfast briefing icaap - imia.ie · agenda 8.30 –8.40 welcome &...

Headline Verdana BoldBreakfast Briefing – ICAAP - Best Practices for Investment Firms19th September 2018

Agenda

8.30 – 8.40 Welcome & Introductions

8.40 – 9.00 Central Bank of Ireland’s Perspective on ICAAP Process – Simon Sloan, CBI

9.00 – 9.20 ICAAP in Practice– Elaine Staveley, IMIA

9.20 – 9.40 Lessons Learned from the Banking Sector – John McCarthy, Deloitte

9.40 – 10.00 Questions & Answers Session

Central Bank perspectives on the ICAAP process for investment firms

Simon SloanHead of Function – Asset Management Supervision Division

Central Bank of Ireland

Central Bank of Ireland - CONFIDENTIAL

3

Overview

Background

Risk framework

Production of the ICAAP

Seven principles in preparing the ICAAP

Good practices & areas for improvement

Stress testing

Wind down plan

Current issues to consider


4

BackgroundWhy was the ICAAP introduced?

Robust governance arrangements and

effective processes for managing all risks

Sound, effective and complete strategies

and processes to maintain capital

Stakeholder benefits:

Firm: Holistic assessment of risks

Regulators: Assurance policies &

procedures in place and documented


Pillar 1 Minimum Regulatory Requirement:

- Credit risk- Market risk

- Operational risk

Pillar 2ICAAP & SREP

Regulatory tools to assess completeness and adequacy

Pillar 3Disclosure requirements to allow market participants to gauge the

capital adequacy of firms.

5

Production of the ICAAP


Governance

Capital planning

Scenario design and stress testing

Internal controls, reviews, validation and documentation

Risk identification, measurement and aggregation

Risk data, IT infrastructure

Integration with the management framework

Sound capital planning process

Rigorous stress testing

Strong control environment

Strong risk identification, measurement and controls

Robust risk data and IT infrastructure

6

Seven principles in preparing the ICAAP


6. ICAAP risk quantification

methodologies are adequate,

consistent and independently

validated

7. Regular stress testing is aimed at ensuring capital

adequacy in adverse

circumstances

5. Internal capital is of high quality and

clearly defined

4. All material risks are identified and

taken into account in the ICAAP

2. The ICAAP is an integral part of the

overall management framework

3. The ICAAP contributes

fundamentally to the continuity of the

institution by ensuring its capital

adequacy from different

perspectives

1. The management body is responsible

for the sound governance of the

ICAAP

7

Risk framework

ICAAP

Risk register

Risk reporting

Risk governanceRisk culture

Risk appetite

statement


8

Good practices & areas for improvement


Firm wide engagement

Structure & content

Robust challenge

Operational risk & Pillar

II

Timely reviews

Mitigants identified

Entity specific

Risk assessment

& capital allocation

Risk appetite

statement

Live document

Holistic view

Overreliance on Pillar 1

9

Stress testing - factors to consider

Proportionality

Economic cycle

Risk parameter

s

Model risk awareness

Shortcomings

Frequency


Final Report on Guidelines on Institutions’ Stress Testing – EBA (July 2018)

10

Wind down plan


Fees

Staff retention & redundancy

Clients (and Client Assets)

Costs of doing business

Potential litigation

Timelines

A wind-down plan should provide the firm with

the structure to cease its regulated activities

and revoke its authorisations with minimal

adverse impact on its clients, counterparties or

the wider markets.

Firms should consider both:

An orderly wind down

A forced wind down

11

Wind down planning - good practices & areas for improvement


Advance planning

Agreed assumptions

Detailed planning

Cross functional

collaboration

Core business

Realistic timelines

Sufficient scenarios

considered

Align to risk framework

Forward looking

Clear responsibility

12

Current issues to consider…

Brexit

Prudential Regime

Consolidation Client Assets

Conduct Risks

Cyber Risk (&advancing

technologies)Outsourcing

MiFID II

Culture


ICAAP in PracticeFocus on Smaller Investment Firms

Elaine Staveley

• Founded in 2017

• Objectives

• Provide a central representation to the Central Bank and other regulatory bodies on behalf of its members

• Promote good industry practices on regulatory requirements

• Host educational events

• Promote networking and peer interaction

• Over 30 member firms and growing

No “one size fits all” ICAAP solution

Proportionality applies… nature, scale and complexity

CEBS Paper on ICAAP for Smaller Institutions

‘Small’: non complex activities, limited products, small market share, limitedinternational activities (1)

Today’s Presentation

15

Today’s presentation is the approach of some IMIA member firms, not a recommendation from the IMIA!

(1) Source: CEBS Paper on Internal Adequacy Assessment Process (ICAAP) for Smaller Institutions, 2006

Pillar 1 – prescribed minimum capital to provide for credit, market and operational risk

Pillar 2

Firms consider all business and operating risks over and above Pillar 1 (ICAAP)

Supervisor review and evaluation (SREP)

Pillar 3 – a firm’s disclosure of its assessment of the risk it has identified and the manner in which they are managed

ICAAP - Context

16

Consider the firm’s business model and strategy

Assess if additional capital should be held for firm-specific risks

Forward looking

Supplemented by robust risk management framework

Head of Risk and Head of Finance are central to the process

Important for business to be involved

ICAAP - Summary

17

Business Model and Strategy

Pillar 1 Calculation

Governance Framework

Risk Management Framework

Risk Appetite Statement

Risk Profile

Risk Register

ICAAP

Pillar 2 Capital Assessment

Wind Down Plan

Stress testing

Liquidity Planning

Key Components

18

Starting point for any risk assessment

Set out the services you provide and in what financial instruments

Set out strategy and plans for growth

Assess external operating environment

Define your management structure

Include information on shareholder

Business Model and Strategy

19

Pillar 1 Calculation - Example

Calculation of Pillar 1 Capital €’000

Base Capital Requirement (A) 125

The sum of the Pillar 1 market, credit and operational risk requirements (B) 150

The Fixed Overhead Requirement (25% of previous year's fixed overheads plus inter-company balances less depreciation) (C)

700

Pillar 1 Capital Requirement (higher of A, B or C) 700

Pillar 1

20

ICAAP should detail that Board is ultimate responsibility for risk management and how the Board

Monitors the effectiveness of the risk management function

Embeds risk management in all areas of the business

Reviews and approves:

Risk appetite

Capital position

ICAAP

May delegate some oversight to a Risk Committee

Also outline Senior Management responsibilities

Governance

21

Board approved document

Describe:

the roles and responsibilities of the risk management function

the risk procedures in place (business errors, risk register, internal control, three lines of defence etc)

Detail the risk assessment process

Reviews

Approvals

When and by whom? (Business involvement in important)

Risk Management Framework

22

Operational risk

IT and Cyber security

Incl. Fraud

Conduct Risk

Concentration risk

Control/management risk

Credit risk

Liquidity including raising new capital

Strategic risk

Reputational

Impact from external factors

etc.

Risk Profile

Determine risks relevant to the firm, for example:

23

Level of risk a firm is willing to accept in pursuit of its strategic objectives

May be a mix of qualitative and quantitative

Use metrics to measure risks

Sets boundaries for the firm

Communicate and embed this throughout the firm

Ongoing monitoring taking account of changes to the firm’s business

Risk Appetite Statement

24

Risk Register

Risk Likelihood ImpactInherent Risk

Score

Risk

Mitigation /

Control

Residual

Likelihood

Residual

Risk ScoreKey Risk Indictors CBI Reporting

threshold

Operational risk

Describe or rate each

control

KRIs for each riske.g.

New business line; System downtime;

Staff turnover; Unpaid invoice

Determine thresholds for

each risk; Removes any emotion out of

decision-making

Fraud 3 5 15 2 10Cybersecurity 4 3 12 3 9

Liquidity risk 3 4 12 1 4Strategic risk 4 4 16 3 12etcInterim RisksLegal / Strategic Risk - Brexit

4 4 16 3 12

Regulatory – MiFID IIImplementation

4 5 20 3 15

Extract from a sample risk register

25

Identify Key Risk Indicators for the Key Risks on the register

Define ranges, e.g.:

In Risk Appetite, define action that would be taken when status for risk is amber or red, for example:

Amber risks reported to the Risk Committee, with management comment

Red risks reported to the Board, with suggested, with remedial actions

Linking Risk Register to Risk Appetite

Number of business errors

over previous 12 months

Green Amber Red

<10 10-15 >15

26

Identify key risks on Risk Register and run a scenario analysis for each risk

Set aside appropriate capital for each key risk

For example:


Scenario Nature of financial impact

Potential financial impact €'000

Likelihood Weighting

Probability-adjusted financial

impact €'000

Cyber-security hack

Disruption costs: 5% of revenue

400 Medium (3) 25% 100

Residual likelihood

from Risk RegisterFor this firm,

‘Medium’ likelihood

means a 25% chance

27

Capital

allocated to

Cybersecurity

risk

The sum of the capital for each risk is the pillar 2 capital assessment


RiskCapital

(€’000s)

Operational riskFraud XXCybersecurity 100

Liquidity risk XXStrategic risk XXReputation risk XXRegulatory risk XXEnvironmental risk XXetcTotal 750

Sum of capital for all

scenarios = Pillar 2

capital

Results of scenario

analysis for

cybersecurity risk

28

Wind-down Plan

Ensure that initial Pillar 2 capital will cover estimated wind-down costs

If wind-down cost is higher, this should be the Pillar 2 capital

Wind-down Workings €’000IncomeIncome over nine month wind-down period xxCostsFixed overhead requirements: xxPlus Additional Wind-down CostsProfessional Fees (HR & Legal) xxRedundancy xxNon-Executive Director fees for final Board meetings xxIT costs xxetc

Total Wind-down Cost 600

Wind-down cost is

lower than Pillar 2

capital

29

The Internal Capital Requirement is the higher of the Pillar 1 and Pillar 2 capital

Internal Capital Assessment

Calculation of Internal Capital

Requirement€’000

Pillar 1 capital requirement (A) 700

Pillar 2 capital requirement (B) 750

Internal capital requirement

(higher of A or B)750

Internal Capital

Requirement

30

Stress Testing

Additional stress test to assess the robustness of internal capital requirement

E.g.

Stress the business plan with an unexpected reduction in income

Stress the scenario analysis

Calculate impact on capital after stress test

Outlines actions taken under different stress tests

What triggers a wind-down?

31

Liquidity Planning

Consider sources of funding and the likelihood of the withdrawal of that funding

Consider the firm’s ability to raise additional funding in an economic downturn and the cost of that funding

From a parent

In the market

Ensure the funding pool is sufficiently diversified

Consider a dividend policy

32

Final Steps

Board review and adopt

May decide to add an addition buffer

Regular reporting to board throughout year

Net asset position versus internal capital assessment

Any changes to strategy or risk that would trigger an ICAAP review

Minute the discussions!

33

Thank you

IMIA membership queries: [email protected]

www.imia.ie

Headline Verdana BoldThe Evolution of the ICAAPLessons from the Banking Sector for Investment Firms

Deloitte Ireland LLP, September 2018

© 2018 Deloitte. All rights reserved36

The Evolution of the ICAAPLessons from the Banking Sector for Investment Firms

Presenting to you today

John McCarthy

Senior Manager | Deloitte Risk Advisory

Phone: +353 (1) 417 2410

E-mail: [email protected]


The Evolution of the ICAAPLessons from the Banking Sector for Investment Firms

Agenda

1) Banking Sector ICAAP Requirements: Supervisory Milestones

2) An Integrated Regulatory Framework

3) Document to Process: A Deloitte Network View

4) Practical Implications for Firms: An Irish Banking Perspective

5) Questions & Answers / Round Table


The Evolution of the ICAAPBanking Supervisory Milestones

2013

Capital Requirements Regulation

Regulation (EU) No 575/2013

Capital Requirements Directive

Directive 2013/36/EU

2014

EBA Guidelines on common procedures and methodologies for SREP

EBA/GL/2014/13

2016

EBA Guidelines on ICAAP and ILAAP information collected for SREP

EBA/GL/2016/10

ECB Supervisory expectations on ICAAP and ILAAP and harmonised information collection on ICAAP and ILAAP Jan 2016

2018

EBA Guidelines on the revised common procedures and methodologies for the SREP and supervisory stress testing

EBA/GL/2018/03

ECB Draft Guides to ICAAP and ILAAP

(March 2018)

• Business model analysis

• Internal governance

• Risks to capital and capital adequacy

• Risks to liquidity

• Overall SREP assessment and SREP score

• Elements of own funds

• Capital requirements

• Liquidity requirements (LCR and NSFR)

• 3% Leverage ratio

• Large exposures regime

• Consistency in supervisory assessment of ICAAPs

• An overarching Reader’s Manual

• Summary of main ICAAP and ILAAP conclusions

• Quality assurance information

• Risk coverage

• Quality of internal capital

• Adequacy of assumptions

• Severity level of stress tests

• Reverse stress testing

• Stress testing scenario definition

• Introduction of Pillar 2 capital guidance (P2G)

• Enhanced supervisory stress testing requirements

• Scoring framework clarification

Contains sevenICAAPprinciples:

• Managementresponsibilities (CAS)

• Focus onconsistency

• Normativeand economicperspectives

• Regularity ofriskidentification

Institutions to have an ICAAP, i.e. sound, effective and comprehensive processes to assess and maintain the amounts, types and distribution of internal capital that they consider adequate to cover the risks they are exposed to (Article 73).


2. Banking Sector ICAAP RequirementsAn Integrated Regulatory Framework

• Process

• Ongoing

• Full embeddedness into business

and organizational processes

• Comprehensive, holistic and

forward-looking

• Board’s active involvement in

review and challenge

• Board ownership

• Broad functional participation

Key M

an

ag

em

en

t Trig

gers

Stress Levels

• ICAAP• ILAAP• Business Continuity

Plan

• Recovery Plan• CFP• Wind-Down Plan

• Resolution PlanResolution

Recovery

Capital Planning

and Liquidity Buffers

Business as Usual

Str

ess T

ests

Str

ess a

nd R

evers

e S

tress

Tests

Integrated Regulatory Framework

FatalMild Severe

Bank’s Response

• Prepared by firms and reviewed by regulators• Robust menu of options to deal with stresses• Clear triggers for plan activation• Develop annually and reviewed periodically

• ‘Plan’ Prepared by regulators based on resolution ‘pack’ provided by firms

• Firms to identify barriers to resolution and propose changes to remove them

• Firms to supplement their stress testing framework with reverse stress testing

• Firms to identify situations where their business model may become non-viable

• Firms to conduct stress testing on a periodic basis to assess the impact on the firms’ financial condition and operations

• Stress scenarios to be ‘extreme but plausible’• Stress testing to be used as a key input to capital and liquidity adequacy

assessment

Recovery Triggers


3. Document to ProcessA Deloitte Network View

ICAAP theme

Good ICAAP submissions will......

Describe the strategic managementprocesses and how risk management isintegrated within them. Describe the wider riskculture of the firm and how that supports riskmanagement.

Indicative action

Tone

Avoid being minimalistic. The ICAAP is a pitch, it should say why the firm can be trusted in its capital adequacy assessment. The ICAAP will create confidence in the firm.

Explain the internal ICAAP governance process. Illustrate the levels of senior engagement and input to the assessment.

Risk Management

Describe the risk management philosophy and approach. The outcome is confidence in the firm’s approach to risk management.

Detail risk management capabilities, e.g. stress testing, to demonstrate risk credentials and therefore the strength of the resulting capital assessment.

Embedding

Describe the Pillar I risk profile. Explain why there is confidence in the risk profile. Explain which risks are not adequately covered by the Pillar I rules.

Explain the risk identification process, which risks have been identified that are not covered by Pillar I? How has the firm measured those risks for capital requirements?

Practical Examples of Sub-Optimal Approaches

Capital

Omitted risks and failed to explain those risks that it assessed as not relevant.Large UK bank – stated there was no risk of under-estimation and was not credible.

Approached ICAAP as a regulatory compliance exercise and simply stated the required add-ons.

Process only involved risk managers.

Only explained its risk and capital as prescribed. No ability for the reviewer to be confident in their risk profile.

Could not explain any linkages between ICAAPand any of its BAU management processes suchas planning.

Omitted any description of risk management approach.

Insufficient reference to risk management capabilities and failed to build reviewer confidence.

Engage senior management and engineer a ‘hands-on’ senior leader, e.g. CRO or CFO, to provide tone.

Manage ICAAP as a project, led by risk but establish joint accountability with finance and a senior management body.

Engage CRO and embed his philosophy within the document.

Greater focus on risk management processes within the document. Explain how they interact and provide insights to support ICAAP assessment.

Work with risk function to articulate the risk profile and to actively investigate where the Basel rules fail to capture risk profile.

Work with risk function to articulate the risk profile and to actively investigate where the Basel rules fail to capture risk profile.

Involve CRO, CFO and Treasurer andexplain how their existing processesshould be influenced and integrated.


4. Practical Implications for FirmsLessons from the Banking Sector

…an evolving Regulatory Landscape…

…a fundamental shift in the role of the ICAAP…

Governance Role of the

Board

Processes Resourcing


4. Practical Implications for Irish FirmsLessons from the Banking Sector

Governance

Role of the

Board

Role of the existing Committee structure

New committees

Re-evaluation of the Three Lines of Defence model

Reader’s Manual and Increased Scrutiny

Governance around ad hoc CBI/ECB requests

Reactive to Proactive

Heightened expectations, heightened interest

Attestation Statement

Culture


4. Practical Implications for Irish FirmsLessons from the Banking Sector

Governance

Role of the

Board

Pillar 2 methodology review and renewal

Operational Blueprints

Policy and Development Manuals

Reader’s Manual

Transfer of ICAAP ownership

Second line resource augmentation

Increased skillset and expertise requirements

Dedicated SREP Second Line of Defence unit

Pressure arising from ad hoc CBI/ECB requests

Third party support

Processes

Resourcing


5. Practical Implications for Irish FirmsConcluding Remarks

Evolving regulatory landscape and a fundamental shift in supervisory expectations…

Macro regulatory changes driving internal bank changes…

Internal and External Pressures on banks to improve design and effectiveness of the ICAAP…

Regulatory wheel keeps turning, onwards to a CRD 5 / CRR 2 landscape…

At Deloitte, we make an impact that matters for our clients, our people, our profession, and in the wider society by delivering the solutions and insights they need to address their most complex business challenges. As the largest global professional services and consulting network, with approximately 263,900 professionals in more than 150 countries, we bring world-class capabilities and high-quality services to our clients. In Ireland, Deloitte has nearly 3,000 people providing audit, tax, consulting, and corporate finance services to public and private clients spanning multiple industries. Our people have the leadership capabilities, experience and insight to collaborate with clients so they can move forward with confidence.

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte Ireland LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte Ireland LLP is a limited liability partnership registered in Northern Ireland with registered number NC1499 and its registered office at 19 Bedford Street, Belfast BT2 7EJ, Northern Ireland.

Deloitte Ireland LLP is the Ireland affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

© 2018 Deloitte. All rights reserved

Questions & Answers

Keep in touch

• Slides will be sent to the attendees.

• Regulatory monthly update newsletter – contact OJ to subscribe ([email protected])

• Check out our website

• https://www2.deloitte.com/ie/en/pages/risk/topics/regulatory-risk.html?icid=top_regulatory-risk

• Watch out for future events

• If you would like to discuss this or other Regulatory topics please contact John Kernan ([email protected]) or Sean Smith, Regulatory Partner ([email protected])

headline verdana bold breakfast briefing icaap - imia.ie · agenda 8.30 –8.40 welcome &...

Documents