Breakfast Briefing – ICAAP - Best Practices for Investment Firms
19th September 2018
Agenda
8.30 – 8.40 Welcome & Introductions
8.40 – 9.00 Central Bank of Ireland’s Perspective on ICAAP Process – Simon Sloan, CBI
9.00 – 9.20 ICAAP in Practice – Elaine Staveley, IMIA
9.20 – 9.40 Lessons Learned from the Banking Sector – John McCarthy, Deloitte
9.40 – 10.00 Questions & Answers Session
Central Bank perspectives on the ICAAP process for investment firms
Simon Sloan
Head of Function – Asset Management Supervision Division
Central Bank of Ireland
Central Bank of Ireland - CONFIDENTIAL
Overview
Background
Risk framework
Production of the ICAAP
Seven principles in preparing the ICAAP
Good practices & areas for improvement
Stress testing
Wind down plan
Current issues to consider
Background
Why was the ICAAP introduced?
Robust governance arrangements and effective processes for managing all risks
Sound, effective and complete strategies and processes to maintain capital
Stakeholder benefits:
Firm: Holistic assessment of risks
Regulators: Assurance policies & procedures in place and documented
Pillar 1: Minimum Regulatory Requirement
- Credit risk
- Market risk
- Operational risk
Pillar 2: ICAAP & SREP
Regulatory tools to assess completeness and adequacy
Pillar 3: Disclosure requirements to allow market participants to gauge the capital adequacy of firms.
Production of the ICAAP
Governance
Capital planning
Scenario design and stress testing
Internal controls, reviews, validation and documentation
Risk identification, measurement and aggregation
Risk data, IT infrastructure
Integration with the management framework
Sound capital planning process
Rigorous stress testing
Strong control environment
Strong risk identification, measurement and controls
Robust risk data and IT infrastructure
Seven principles in preparing the ICAAP
1. The management body is responsible for the sound governance of the ICAAP
2. The ICAAP is an integral part of the overall management framework
3. The ICAAP contributes fundamentally to the continuity of the institution by ensuring its capital adequacy from different perspectives
4. All material risks are identified and taken into account in the ICAAP
5. Internal capital is of high quality and clearly defined
6. ICAAP risk quantification methodologies are adequate, consistent and independently validated
7. Regular stress testing is aimed at ensuring capital adequacy in adverse circumstances
Risk framework
ICAAP
Risk register
Risk reporting
Risk governance
Risk culture
Risk appetite statement
Good practices & areas for improvement
Firm wide engagement
Structure & content
Robust challenge
Operational risk & Pillar II
Timely reviews
Mitigants identified
Entity specific
Risk assessment & capital allocation
Risk appetite statement
Live document
Holistic view
Overreliance on Pillar 1
Stress testing - factors to consider
Proportionality
Economic cycle
Risk parameters
Model risk awareness
Shortcomings
Frequency
Final Report on Guidelines on Institutions’ Stress Testing – EBA (July 2018)
Wind down plan
Fees
Staff retention & redundancy
Clients (and Client Assets)
Costs of doing business
Potential litigation
Timelines
A wind-down plan should provide the firm with the structure to cease its regulated activities and revoke its authorisations with minimal adverse impact on its clients, counterparties or the wider markets.
Firms should consider both:
An orderly wind down
A forced wind down
Wind down planning - good practices & areas for improvement
Advance planning
Agreed assumptions
Detailed planning
Cross functional collaboration
Core business
Realistic timelines
Sufficient scenarios considered
Align to risk framework
Forward looking
Clear responsibility
Current issues to consider…
Brexit
Prudential Regime
Consolidation
Client Assets
Conduct Risks
Cyber Risk (& advancing technologies)
Outsourcing
MiFID II
Culture
ICAAP in Practice
Focus on Smaller Investment Firms
Elaine Staveley
• Founded in 2017
• Objectives
• Provide a central representation to the Central Bank and other regulatory bodies on behalf of its members
• Promote good industry practices on regulatory requirements
• Host educational events
• Promote networking and peer interaction
• Over 30 member firms and growing
Today’s Presentation
No “one size fits all” ICAAP solution
Proportionality applies… nature, scale and complexity
CEBS Paper on ICAAP for Smaller Institutions
‘Small’: non complex activities, limited products, small market share, limited international activities (1)
Today’s presentation is the approach of some IMIA member firms, not a recommendation from the IMIA!
(1) Source: CEBS Paper on Internal Adequacy Assessment Process (ICAAP) for Smaller Institutions, 2006
ICAAP - Context
Pillar 1 – prescribed minimum capital to provide for credit, market and operational risk
Pillar 2
Firms consider all business and operating risks over and above Pillar 1 (ICAAP)
Supervisor review and evaluation (SREP)
Pillar 3 – a firm’s disclosure of its assessment of the risk it has identified and the manner in which they are managed
ICAAP - Summary
Consider the firm’s business model and strategy
Assess if additional capital should be held for firm-specific risks
Forward looking
Supplemented by robust risk management framework
Head of Risk and Head of Finance are central to the process
Important for business to be involved
Key Components
Business Model and Strategy
Pillar 1 Calculation
Governance Framework
Risk Management Framework
Risk Appetite Statement
Risk Profile
Risk Register
ICAAP
Pillar 2 Capital Assessment
Wind Down Plan
Stress testing
Liquidity Planning
Business Model and Strategy
Starting point for any risk assessment
Set out the services you provide and in what financial instruments
Set out strategy and plans for growth
Assess external operating environment
Define your management structure
Include information on shareholder
Pillar 1
Pillar 1 Calculation - Example
Calculation of Pillar 1 Capital | €’000
Base Capital Requirement (A) | 125
The sum of the Pillar 1 market, credit and operational risk requirements (B) | 150
The Fixed Overhead Requirement (25% of previous year's fixed overheads plus inter-company balances less depreciation) (C) | 700
Pillar 1 Capital Requirement (higher of A, B or C) | 700
Governance
ICAAP should detail that the Board has ultimate responsibility for risk management and how the Board:
Monitors the effectiveness of the risk management function
Embeds risk management in all areas of the business
Reviews and approves:
Risk appetite
Capital position
ICAAP
May delegate some oversight to a Risk Committee
Also outline Senior Management responsibilities
Risk Management Framework
Board approved document
Describe:
the roles and responsibilities of the risk management function
the risk procedures in place (business errors, risk register, internal control, three lines of defence etc)
Detail the risk assessment process
Reviews
Approvals
When and by whom? (Business involvement is important)
Risk Profile
Determine risks relevant to the firm, for example:
Operational risk
IT and Cyber security
Incl. Fraud
Conduct Risk
Concentration risk
Control/management risk
Credit risk
Liquidity including raising new capital
Strategic risk
Reputational
Impact from external factors
etc.
Risk Appetite Statement
Level of risk a firm is willing to accept in pursuit of its strategic objectives
May be a mix of qualitative and quantitative
Use metrics to measure risks
Sets boundaries for the firm
Communicate and embed this throughout the firm
Ongoing monitoring taking account of changes to the firm’s business
Risk Register
Extract from a sample risk register
Risk | Likelihood | Impact | Inherent Risk Score | Risk Mitigation / Control | Residual Likelihood | Residual Risk Score | Key Risk Indicators | CBI Reporting threshold
Operational risk | | | | | | | |
Fraud | 3 | 5 | 15 | | 2 | 10 | |
Cybersecurity | 4 | 3 | 12 | | 3 | 9 | |
Liquidity risk | 3 | 4 | 12 | | 1 | 4 | |
Strategic risk | 4 | 4 | 16 | | 3 | 12 | |
etc | | | | | | | |
Interim Risks | | | | | | | |
Legal / Strategic Risk - Brexit | 4 | 4 | 16 | | 3 | 12 | |
Regulatory – MiFID II Implementation | 4 | 5 | 20 | | 3 | 15 | |
Notes on columns:
Risk Mitigation / Control: Describe or rate each control
Key Risk Indicators: KRIs for each risk, e.g. New business line; System downtime; Staff turnover; Unpaid invoice
CBI Reporting threshold: Determine thresholds for each risk; Removes any emotion out of decision-making
Linking Risk Register to Risk Appetite
Identify Key Risk Indicators for the Key Risks on the register
Define ranges, e.g.:
Number of business errors over previous 12 months
Green | Amber | Red
<10 | 10-15 | >15
In Risk Appetite, define action that would be taken when status for risk is amber or red, for example:
Amber risks reported to the Risk Committee, with management comment
Red risks reported to the Board, with suggested remedial actions
Pillar 2 Capital Assessment
Identify key risks on Risk Register and run a scenario analysis for each risk
Set aside appropriate capital for each key risk
For example:
Scenario | Nature of financial impact | Potential financial impact €'000 | Likelihood | Weighting | Probability-adjusted financial impact €'000
Cyber-security hack | Disruption costs: 5% of revenue | 400 | Medium (3) | 25% | 100
Residual likelihood from Risk Register
For this firm, ‘Medium’ likelihood means a 25% chance
Capital allocated to Cybersecurity risk
Pillar 2 Capital Assessment
The sum of the capital for each risk is the pillar 2 capital assessment
Risk | Capital (€’000s)
Operational risk |
Fraud | XX
Cybersecurity | 100
Liquidity risk | XX
Strategic risk | XX
Reputation risk | XX
Regulatory risk | XX
Environmental risk | XX
etc |
Total | 750
Results of scenario analysis for cybersecurity risk
Sum of capital for all scenarios = Pillar 2 capital
Wind-down Plan
Ensure that initial Pillar 2 capital will cover estimated wind-down costs
If wind-down cost is higher, this should be the Pillar 2 capital
Wind-down Workings | €’000
Income |
Income over nine month wind-down period | xx
Costs |
Fixed overhead requirements: | xx
Plus Additional Wind-down Costs |
Professional Fees (HR & Legal) | xx
Redundancy | xx
Non-Executive Director fees for final Board meetings | xx
IT costs | xx
etc |
Total Wind-down Cost | 600
Wind-down cost is lower than Pillar 2 capital
Internal Capital Assessment
The Internal Capital Requirement is the higher of the Pillar 1 and Pillar 2 capital
Calculation of Internal Capital Requirement | €’000
Pillar 1 capital requirement (A) | 700
Pillar 2 capital requirement (B) | 750
Internal capital requirement (higher of A or B) | 750
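The calculation chain walked through on the preceding slides (register scores, KRI status, probability-adjusted scenario impact, wind-down floor, internal capital), as an added sketch that is not part of the original presentation. The register scores, the cyber-security scenario, the 25% ‘Medium’ weighting and the Pillar 1 and wind-down figures are the slides’ own; the other likelihood weights and the non-cyber scenario impacts are constructed for this example.

```python
from dataclasses import dataclass

# Likelihood band -> probability weighting. Only band 3 ("Medium" = 25%) is on
# the slides; the other weights are assumptions made for this example.
LIKELIHOOD_WEIGHT = {1: 0.05, 2: 0.10, 3: 0.25, 4: 0.50, 5: 0.75}


@dataclass
class RegisterEntry:
    risk: str
    likelihood: int            # inherent likelihood, 1-5
    impact: int                # impact, 1-5
    residual_likelihood: int   # likelihood after mitigation / controls
    scenario_impact: float     # potential financial impact, EUR '000

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.impact

    @property
    def pillar2_capital(self) -> float:
        """Probability-adjusted impact, weighted by residual likelihood."""
        return self.scenario_impact * LIKELIHOOD_WEIGHT[self.residual_likelihood]


def kri_status(value: float, amber_from: float, red_above: float) -> str:
    """RAG status for a KRI, e.g. business errors: <10 green, 10-15 amber, >15 red."""
    if value > red_above:
        return "red"      # reported to the Board with suggested remedial actions
    if value >= amber_from:
        return "amber"    # reported to the Risk Committee with management comment
    return "green"


def pillar1(base: float, risk_sum: float, fixed_overhead: float) -> float:
    """Higher of base capital, sum of risk requirements, fixed overhead requirement."""
    return max(base, risk_sum, fixed_overhead)


def pillar2(entries, wind_down_cost: float) -> float:
    """Sum of scenario capital, floored at the estimated wind-down cost."""
    return max(sum(e.pillar2_capital for e in entries), wind_down_cost)


def internal_capital(p1: float, p2: float) -> float:
    return max(p1, p2)


# Scores come from the sample register; scenario impacts other than the
# cyber-security hack (400) are constructed values.
REGISTER = [
    RegisterEntry("Fraud", 3, 5, 2, 1500),
    RegisterEntry("Cybersecurity", 4, 3, 3, 400),
    RegisterEntry("Liquidity risk", 3, 4, 1, 2000),
    RegisterEntry("Strategic risk", 4, 4, 3, 1600),
]

if __name__ == "__main__":
    for e in REGISTER:
        print(f"{e.risk:15} inherent={e.inherent_score:2} "
              f"residual={e.residual_score:2} capital={e.pillar2_capital:6.0f}")
    p1 = pillar1(125, 150, 700)
    p2 = pillar2(REGISTER, wind_down_cost=600)
    print("Pillar 1:", p1, "Pillar 2:", p2, "Internal:", internal_capital(p1, p2))
```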
Stress Testing
Additional stress test to assess the robustness of internal capital requirement
E.g.
Stress the business plan with an unexpected reduction in income
Stress the scenario analysis
Calculate impact on capital after stress test
Outlines actions taken under different stress tests
What triggers a wind-down?
Liquidity Planning
Consider sources of funding and the likelihood of the withdrawal of that funding
Consider the firm’s ability to raise additional funding in an economic downturn and the cost of that funding
From a parent
In the market
Ensure the funding pool is sufficiently diversified
Consider a dividend policy
Final Steps
Board review and adopt
May decide to add an additional buffer
Regular reporting to board throughout year
Net asset position versus internal capital assessment
Any changes to strategy or risk that would trigger an ICAAP review
Minute the discussions!
The Evolution of the ICAAP
Lessons from the Banking Sector for Investment Firms
Deloitte Ireland LLP, September 2018
© 2018 Deloitte. All rights reserved
Presenting to you today
John McCarthy
Senior Manager | Deloitte Risk Advisory
Phone: +353 (1) 417 2410
E-mail: [email protected]
Agenda
1) Banking Sector ICAAP Requirements: Supervisory Milestones
2) An Integrated Regulatory Framework
3) Document to Process: A Deloitte Network View
4) Practical Implications for Firms: An Irish Banking Perspective
5) Questions & Answers / Round Table
The Evolution of the ICAAP
Banking Supervisory Milestones
2013
Capital Requirements Regulation
Regulation (EU) No 575/2013
Capital Requirements Directive
Directive 2013/36/EU
2014
EBA Guidelines on common procedures and methodologies for SREP
EBA/GL/2014/13
2016
EBA Guidelines on ICAAP and ILAAP information collected for SREP
EBA/GL/2016/10
ECB Supervisory expectations on ICAAP and ILAAP and harmonised information collection on ICAAP and ILAAP Jan 2016
2018
EBA Guidelines on the revised common procedures and methodologies for the SREP and supervisory stress testing
EBA/GL/2018/03
ECB Draft Guides to ICAAP and ILAAP
(March 2018)
• Business model analysis
• Internal governance
• Risks to capital and capital adequacy
• Risks to liquidity
• Overall SREP assessment and SREP score
• Elements of own funds
• Capital requirements
• Liquidity requirements (LCR and NSFR)
• 3% Leverage ratio
• Large exposures regime
• Consistency in supervisory assessment of ICAAPs
• An overarching Reader’s Manual
• Summary of main ICAAP and ILAAP conclusions
• Quality assurance information
• Risk coverage
• Quality of internal capital
• Adequacy of assumptions
• Severity level of stress tests
• Reverse stress testing
• Stress testing scenario definition
• Introduction of Pillar 2 capital guidance (P2G)
• Enhanced supervisory stress testing requirements
• Scoring framework clarification
Contains seven ICAAP principles:
• Management responsibilities (CAS)
• Focus on consistency
• Normative and economic perspectives
• Regularity of risk identification
Institutions to have an ICAAP, i.e. sound, effective and comprehensive processes to assess and maintain the amounts, types and distribution of internal capital that they consider adequate to cover the risks they are exposed to (Article 73).
2. Banking Sector ICAAP Requirements
An Integrated Regulatory Framework
• Process
• Ongoing
• Full embeddedness into business and organizational processes
• Comprehensive, holistic and forward-looking
• Board’s active involvement in review and challenge
• Board ownership
• Broad functional participation
[Figure: Integrated Regulatory Framework. Labels: Key Management Triggers; Recovery Triggers; Stress Levels (Mild, Severe, Fatal); Bank’s Response (Business as Usual; Capital Planning and Liquidity Buffers; Recovery; Resolution); Stress Tests; Stress and Reverse Stress Tests. Plans shown: ICAAP, ILAAP, Business Continuity Plan; Recovery Plan, CFP, Wind-Down Plan; Resolution Plan.]
• Prepared by firms and reviewed by regulators
• Robust menu of options to deal with stresses
• Clear triggers for plan activation
• Develop annually and reviewed periodically
• ‘Plan’ Prepared by regulators based on resolution ‘pack’ provided by firms
• Firms to identify barriers to resolution and propose changes to remove them
• Firms to supplement their stress testing framework with reverse stress testing
• Firms to identify situations where their business model may become non-viable
• Firms to conduct stress testing on a periodic basis to assess the impact on the firms’ financial condition and operations
• Stress scenarios to be ‘extreme but plausible’
• Stress testing to be used as a key input to capital and liquidity adequacy assessment
3. Document to Process
A Deloitte Network View
ICAAP theme
Good ICAAP submissions will......
Describe the strategic management processes and how risk management is integrated within them. Describe the wider risk culture of the firm and how that supports risk management.
Indicative action
Tone
Avoid being minimalistic. The ICAAP is a pitch, it should say why the firm can be trusted in its capital adequacy assessment. The ICAAP will create confidence in the firm.
Explain the internal ICAAP governance process. Illustrate the levels of senior engagement and input to the assessment.
Risk Management
Describe the risk management philosophy and approach. The outcome is confidence in the firm’s approach to risk management.
Detail risk management capabilities, e.g. stress testing, to demonstrate risk credentials and therefore the strength of the resulting capital assessment.
Embedding
Describe the Pillar I risk profile. Explain why there is confidence in the risk profile. Explain which risks are not adequately covered by the Pillar I rules.
Explain the risk identification process, which risks have been identified that are not covered by Pillar I? How has the firm measured those risks for capital requirements?
Practical Examples of Sub-Optimal Approaches
Capital
Omitted risks and failed to explain those risks that it assessed as not relevant.
Large UK bank – stated there was no risk of under-estimation and was not credible.
Approached ICAAP as a regulatory compliance exercise and simply stated the required add-ons.
Process only involved risk managers.
Only explained its risk and capital as prescribed. No ability for the reviewer to be confident in their risk profile.
Could not explain any linkages between ICAAP and any of its BAU management processes such as planning.
Omitted any description of risk management approach.
Insufficient reference to risk management capabilities and failed to build reviewer confidence.
Engage senior management and engineer a ‘hands-on’ senior leader, e.g. CRO or CFO, to provide tone.
Manage ICAAP as a project, led by risk but establish joint accountability with finance and a senior management body.
Engage CRO and embed his philosophy within the document.
Greater focus on risk management processes within the document. Explain how they interact and provide insights to support ICAAP assessment.
Work with risk function to articulate the risk profile and to actively investigate where the Basel rules fail to capture risk profile.
Work with risk function to articulate the risk profile and to actively investigate where the Basel rules fail to capture risk profile.
Involve CRO, CFO and Treasurer and explain how their existing processes should be influenced and integrated.
4. Practical Implications for Firms
Lessons from the Banking Sector
…an evolving Regulatory Landscape…
…a fundamental shift in the role of the ICAAP…
Governance
Role of the Board
Processes
Resourcing
4. Practical Implications for Irish Firms
Lessons from the Banking Sector
Governance
Role of the Board
Role of the existing Committee structure
New committees
Re-evaluation of the Three Lines of Defence model
Reader’s Manual and Increased Scrutiny
Governance around ad hoc CBI/ECB requests
Reactive to Proactive
Heightened expectations, heightened interest
Attestation Statement
Culture
4. Practical Implications for Irish Firms
Lessons from the Banking Sector
Governance
Role of the Board
Pillar 2 methodology review and renewal
Operational Blueprints
Policy and Development Manuals
Reader’s Manual
Transfer of ICAAP ownership
Second line resource augmentation
Increased skillset and expertise requirements
Dedicated SREP Second Line of Defence unit
Pressure arising from ad hoc CBI/ECB requests
Third party support
Processes
Resourcing
5. Practical Implications for Irish Firms
Concluding Remarks
Evolving regulatory landscape and a fundamental shift in supervisory expectations…
Macro regulatory changes driving internal bank changes…
Internal and External Pressures on banks to improve design and effectiveness of the ICAAP…
Regulatory wheel keeps turning, onwards to a CRD 5 / CRR 2 landscape…
Questions & Answers
Keep in touch
• Slides will be sent to the attendees.
• Regulatory monthly update newsletter – contact OJ to subscribe ([email protected])
• Check out our website
• https://www2.deloitte.com/ie/en/pages/risk/topics/regulatory-risk.html?icid=top_regulatory-risk
• Watch out for future events
• If you would like to discuss this or other Regulatory topics please contact John Kernan ([email protected]) or Sean Smith, Regulatory Partner ([email protected])