2024-06-18

Prudential Standard No. 2 - Risk Management (For Banks Only)

The Central Bank of Solomon Islands issued Prudential Standard No. 2 to mandate that all banks operating in the jurisdiction establish and maintain a robust risk management framework. The regulation requires banks to implement comprehensive systems for identifying, measuring, and mitigating material risks while ensuring the Board of Directors approves key documents such as the risk appetite statement and risk management strategy. Compliance is enforced through mandatory supervisory reporting and corrective measures for unsound practices, with specific provisions addressing group risk management and the independence of risk functions.


Solomon Islands

Central Bank of Solomon Islands


CENTRAL BANK OF SOLOMON ISLANDS Financial System Regulations Department

Prudential Standard No. 2 Risk Management



Contents

  1. Introduction
       General stipulations
       Objectives and key requirements
       Applicability
       Enforcement and corrective measures
       Supervisory Reporting
       References
       Effective Date
       Abbreviation
  2. Definition of terms
  3. The role of the Board of Directors
       The Board
  4. Bank and the group
       Group risk management
  5. Risk management framework
       Requirements for a robust and comprehensive RMF
       Material risks
       Risk appetite framework and statement
       Risk management strategy
       Business plan
       Policies and procedures
       Risk management function
       Compliance function
       Internal Audit
       Review of the risk management framework
       Risk management declaration
       Notification requirements
       Attachment A - Risk management declaration


1. Introduction

General stipulations

  1. This Prudential Standard (PS) forms part of the Central Bank of Solomon Islands’ (CBSI) standards governing the conduct of banks in Solomon Islands.

  2. The requirements in this PS are specified pursuant to section 8 of the Financial Institutions Act 1998 (the Act) as amended, to ensure that banks effectively establish and operate a sound risk management framework and proactive practices relating to the prudent operation of the banks.

  3. Part III of the Financial Institutions Act 1998 states that in determining whether or not a bank carries on its business in a prudent manner, the CBSI shall have regard to internal controls and risk management and such other matters as the CBSI considers relevant.

Objectives and key requirements

  1. This PS requires a bank to have systems for identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating material risks that may affect its ability to meet its obligations to depositors.

  2. Key requirements of this PS are that the Board of a bank is ultimately responsible for having a risk management framework (RMF) that is appropriate to the size, business mix and complexity of the bank, and, more specifically, that the bank:

    a) maintains a risk management framework that is appropriate to the size, business mix and complexity of the institution or group, as relevant;
    b) maintains a Board-approved risk appetite statement;
    c) maintains a Board-approved risk management strategy that describes the key elements of the risk management framework that give effect to the approach to managing risk; and
    d) maintains a Board-approved business plan that sets out the approach for the implementation of the strategic objectives of the institution or group.

Applicability

  1. This PS is applicable to all banks operating in Solomon Islands. Notwithstanding that a bank may meet these Standards, the CBSI may by order direct the bank to take specific actions with regard to its risk management framework. A bank should furthermore inform CBSI when it becomes aware of a significant breach of, or material deviation from, the risk management framework, or that the framework does not adequately address a material risk.


  1. Unless specifically mentioned otherwise, in the case of a Foreign Incorporated Bank all the requirements set out in this Standard shall be applied in relation to the bank’s operations in Solomon Islands. Wherever relevant, a separate documentation of the policies, procedures and frameworks regarding these elements shall be maintained in Solomon Islands for easy verification by the CBSI. This Standard sets out certain responsibilities for the Boards of Directors of banks. In the case of Foreign Incorporated Banks, the responsibility for ensuring compliance with these requirements shall rest with the parent bank’s Board or any other authority within the bank to which the parent bank’s board may delegate this function.

  2. In the case of a Foreign Incorporated Bank that is not large, CBSI may consider requests for partial/full exemption from any of the requirements set out in this PS. While evaluating such requests, CBSI will take into account the criticality of those requirements for ensuring safety and soundness of the bank, the degree of overall regulatory compliance, quality of its risk management, loss experience and latest supervisory rating.

Enforcement and corrective measures

  1. A bank which fails to comply with the requirements contained in this PS or submits reports to the CBSI which are materially inaccurate will be considered as following unsound and unsafe practices as provided in Section 16 (1) (a) of the Act.

  2. The CBSI may pursue any or all corrective measures as provided in Section 16 of the Act to enforce the provisions of this PS including:

    a) issuance of an order to cease and desist from the unsound and unsafe practices; and
    b) action to replace or strengthen the management of the bank.

Supervisory Reporting

  1. As part of this PS banks must provide to CBSI:

    a) a copy of a document containing the risk appetite statement and risk management strategy on an annual basis (or more frequently in case of material changes), no later than ten days after Board approval;
    b) a copy of the risk management declaration on an annual basis (or more frequently in case of material changes) within three months of finalization of its financial statements;
    c) a business plan on an annual basis (or more frequently in case of material changes), no later than ten days after Board approval.



References

  1. This PS should be specifically applied in conjunction with the other PS’s issued by the CBSI.

Effective Date

The effective date of this PS is 30th September 2024.

Issued this 6th day of June, 2024.

[Signature]

Luke Forau, PhD, Governor
Central Bank of Solomon Islands



Abbreviation

CBSI – Central Bank of Solomon Islands

CEO – Chief Executive Officer

CRO – Chief Risk Officer

MIS – Management Information System

RAS – Risk Appetite Statement

RMF – Risk Management Framework

RMS – Risk Management Strategy

SI – Solomon Islands



2. Definition of terms

  1. The following terms will have the same meaning as defined in the Prudential Standard No 1 on Governance.
  • "Bank"
  • "Banking Group"
  • "Board"/"Board of Directors"
  • "Chief Executive Officer"
  • "Chief Risk Officer"
  • "Director"
  • "Foreign Incorporated Bank"
  • "Risk appetite"
  • "Risk appetite framework (RAF)"
  • "Risk appetite statement (RAS)"
  • "Risk capacity"
  • "Risk culture"
  • "Risk limits"
  • "Risk management"
  • "Risk profile"
  • "Senior Management"
  • "Subsidiary"
  1. "Senior Overseas Officer" means the senior officer who directly oversees and is responsible for operations in Solomon Islands.

  2. "Three lines of defense": The business line – the first line of defense – has "ownership" of risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities. The risk management function – the second line of defense – is responsible for further identifying, measuring, monitoring and reporting risk on an enterprise-wide basis as part of the second line of defense, independently from the first line of defense. The compliance function is also deemed part of the second line of defense. The internal audit function is charged with the "third line of defense", conducting risk-based and general audits and reviews to provide assurance to the board that the overall governance framework, including the risk governance framework, is effective and that policies and processes are in place and consistently applied.



3. The role of the Board of Directors

The Board

  1. The Board of Directors (or hereafter just "Board") of a bank is ultimately responsible for the bank’s risk management framework and is responsible for the oversight of its operation by management.

  2. In particular, in respect of the bank’s risk management framework (RMF) the Board must ensure that:

    a) it sets the risk appetite within which it expects management to operate and approves the bank’s risk appetite statement (RAS) and risk management strategy (RMS);
    b) it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identifies any desirable changes to the risk culture and ensures the institution takes steps to address those changes;
    c) senior management monitors and manages all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the Board;
    d) the operational structure of the institution facilitates effective risk management;
    e) policies and processes are developed for risk-taking that are consistent with the RMS and the established risk appetite;
    f) sufficient resources are dedicated to risk management; and
    g) it recognizes uncertainties, limitations and assumptions attached to the measurement of each material risk.

4. Bank and the group

Group risk management

  1. A bank that is part of a group may meet requirements of this PS using group risk management frameworks, policies, procedures or functions, provided that the Board of the institution is satisfied that the requirements are met in respect of that bank.

  2. Where a bank is part of a group and any element of the risk management framework is controlled or influenced by another entity in the group, the bank’s risk management framework must specifically take into account risks arising from the group framework, and clearly identify:

    a) whether the bank’s risk management framework is derived wholly or partially from group risk management frameworks, policies, procedures or functions;
    b) the linkages and significant differences between the bank’s and the group’s risk management framework;
    c) how these linkages and significant differences change the risk profile of the institution; and
    d) the process for monitoring by, or reporting to, the group on risk management including the key procedures, the frequency of reporting and the approach to reviews of the risk management framework.

20. Where CBSI is of the view that the fulfilment of a requirement of this standard by a group does not adequately address the requirement for a bank within that group, CBSI may require that bank meet the requirement on a separate basis within a reasonable timeframe specified by CBSI.

5. Risk management framework

Requirements for a robust and comprehensive RMF

  1. A bank must maintain an RMF for the bank that enables it to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks and provides the Board with a comprehensive bank-wide view of material risks.

  2. The RMF is the totality of systems, structures, policies, processes and people within an institution that identify, measure, evaluate, monitor, report and control or mitigate all internal and external sources of material risk. Material risks are those that could have a material impact, both financial and non-financial, on the institution or on the interests of depositors and/or policyholders.

  3. The RMF must encompass and be structured on business line management, independent review and audit.

  4. The RMF must be consistent with the business plan required under paragraph 34.

  5. The RMF must provide a structure for identifying and managing each material risk to ensure the institution is being prudently and soundly managed, having regard to the size, business mix and complexity of its operations.

  6. The RMF must, at a minimum, include:

    a) a risk appetite statement (RAS);
    b) a risk management strategy (RMS);
    c) a business plan;
    d) policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution;
    e) a designated risk management function that meets the requirements of paragraph 39;
    f) a management information system (MIS) that is adequate, both under normal circumstances and in periods of stress, for measuring, assessing and reporting on all material risks across the institution; and
    g) a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks.

27. The RMF must include forward-looking scenario analysis and stress testing programs, commensurate with the institution’s size, business mix and complexity, and which are based on severe but plausible assumptions.

  1. The MIS must provide the Board, Board committees and senior management of the bank with regular, accurate and timely information concerning the bank’s risk profile. The MIS must be supported by a robust data framework that enables the aggregation of exposures and risk measures across business lines, prompt reporting of limit breaches, and forward-looking scenario analysis and stress testing. Data quality must be adequate for timely and accurate measurement, assessment and reporting on all material risks across the institution and must provide a sound basis for making decisions.

Material risks

  1. The risk management framework must, at a minimum, address:

    a) credit risk including counterparty credit risk and credit concentration risk;
    b) market risk (amongst others covering foreign currency risk, interest rate risk (in the banking book) and trading market risk (in the case of trading activities));
    c) liquidity risk;
    d) operational risk;
    e) risks arising from the strategic objectives and business plans;
    f) reputational risk; and
    g) other risks that, singly or in combination with different risks, may have a material impact on the bank.

Risk appetite framework and statement

  1. A bank must have a risk management framework whereby it maintains an appropriate, clear and concise risk appetite statement for the institution that addresses the bank’s material risks. The Board is responsible for setting the risk appetite of the bank and must approve the bank’s risk appetite statement.

  2. The risk appetite statement must, at a minimum, convey:

    a) the degree of risk that the bank is prepared to accept in pursuit of its strategic objectives and business plan, giving consideration to the interests of depositors and/or policyholders (risk appetite);
    b) for each material risk, the maximum level of risk that the bank is willing to operate within, expressed as a risk limit and based on its risk appetite, risk profile and capital strength (risk tolerance);
    c) the process for ensuring that risk tolerances are set at an appropriate level, based on an estimate of the impact in the event that a risk tolerance is breached, and the likelihood that each material risk is realized;
    d) the process for monitoring compliance with each risk tolerance and for taking appropriate action in the event that it is breached; and
    e) the timing and process for review of the risk appetite and risk tolerances.

Risk management strategy

  1. A bank must maintain an RMS that addresses each material risk listed under paragraph 29. The RMS must be approved by the Board.

  2. The RMS is a document that describes the strategy for managing risk and the key elements of the risk management framework that give effect to this strategy. At a minimum, an RMS must:

    a) describe each material risk identified, and the approach to managing these risks;
    b) list the policies and procedures dealing with risk management matters;
    c) summarize the role and responsibilities of the risk management function;
    d) describe the risk governance relationship between the Board, Board committees and senior management of the bank with respect to the risk management framework; and
    e) outline the approach to ensuring all persons within the institution have awareness of the risk management framework and for instilling an appropriate risk culture across the bank.

Business plan

  1. A bank must maintain a written plan that sets out its approach for the implementation of its strategic objectives (business plan).

  2. The business plan must be a rolling plan of at least three years’ duration that is reviewed at least annually, with the results of the review reported to the Board. The business plan must cover the entirety of the institution and be approved by the Board.

  3. A bank must identify and consider the material risks associated with its strategic objectives and business plan and must explicitly manage these risks through the risk management framework, including how changing these plans affects the bank’s risk profile.

Policies and procedures

  1. The policies and procedures required under subparagraph 33(b) must include:

    a) the process for identifying and assessing material risks and controls;
    b) the process for the validation, approval and use of any models to measure components of risk;
    c) the process for establishing, implementing and testing mitigation strategies and control mechanisms for material risks;
    d) the process for monitoring, communicating and reporting risk issues, including escalation procedures for the reporting of material events and incidents;
    e) the process for identifying, monitoring and managing potential and actual conflicts of interest;
    f) the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements;
    g) the process for ensuring consistency across the risk management framework, including the components identified under paragraph 26;
    h) the process for establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted) for the operation of the risk management framework in stressed conditions; and
    i) the process for review of the risk management framework.

38. A bank must monitor the date when each policy or procedure was last revised, the date that it is next due for review, and who is responsible for the review.

Risk management function

  1. A bank must have a designated risk management function for the institution that, at a minimum:

    a) is responsible for assisting the Board of the bank, Board committees and senior management of the institution to maintain the risk management framework;
    b) is appropriate to the size, business mix and complexity of the institution;
    c) is operationally independent;
    d) has the necessary authority and reporting lines to the Board of the bank, Board committees and senior management of the institution to conduct its risk management activities in an effective and independent manner;
    e) is resourced with staff who have clearly defined roles and responsibilities and who possess appropriate experience and qualifications to exercise those responsibilities;
    f) has access to all aspects of the institution that have the potential to generate material risk, including information technology systems and systems development resources; and
    g) is required to notify the Board of any significant breach of, or material deviation from, the risk management framework.

  2. A bank must designate a person to be responsible for that function, referred to in this standard as a CRO. The CRO must be involved in, and have the authority to provide effective challenge to, activities and decisions that may materially affect the bank’s risk profile.

  3. The CRO must be independent from business lines, other revenue-generating responsibilities and the finance function. The CRO must not be the Chief Executive Officer (CEO), Chief Financial Officer, or Head of Internal Audit.



  1. The CRO must have a direct reporting line to the CEO and have regular and unfettered access to the Board and the Board Risk Committee. In the case of a "Foreign Incorporated Bank", the CRO must have a direct reporting line to the CRO of the parent bank.

Compliance function

  1. A bank must have a designated compliance function that assists senior management of the institution in effectively managing compliance risks. The compliance function must be adequately staffed by appropriately trained and competent persons who have sufficient authority to perform their role effectively and have a reporting line independent from business lines; have a direct reporting line to the CEO and have regular and unfettered access to the Board and the Board Risk Committee. In the case of a "Foreign Incorporated Bank", the Compliance Officer must have a direct reporting line to the Head of Compliance at the Head Office of the bank.

Internal Audit

  1. A bank must have an operationally independent and adequately resourced internal audit function, which constitutes the third line of defense in the system of internal control.

  2. The internal audit function must have a clear mandate, be accountable to the Board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively.

  3. The internal audit function must provide an independent assurance to the Board and senior management on the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organisation and its reputation.

  4. The objectives of the internal audit function must include evaluation of the adequacy and effectiveness of the financial and risk management framework of the bank.

  5. To fulfil its functions, the internal auditor must, at all times, have unfettered access to all the bank’s business lines and support functions.

  6. A bank must ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with the CBSI’s prudential requirements.

Review of the risk management framework

  1. A bank must ensure that compliance with, and the effectiveness of, the risk management framework of the bank is subject to review by internal and/or external audit annually, but where circumstances warrant an increase in review, internal and/or external audit should be conducted bi-annually. The results of this review must be reported to the institution’s Board Audit Committee, the Senior Overseas Officer or Compliance Committee, as relevant. In the case of a "Foreign Incorporated Bank", the results should also be reported to the Head of Risk Management at the Head Office of the bank.

51. A bank must, in addition to paragraph 46, ensure that the appropriateness, effectiveness and adequacy of the institution’s RMF are subject to a comprehensive review by operationally independent, appropriately trained and competent persons (this may include external consultants) at least every three years. The results of this review must be reported to the institution’s Board Risk Committee, the Senior Overseas Officer or other Board committees, as relevant. In the case of a "Foreign Incorporated Bank", the review may be conducted by specialized staff deputed by the Head Office/Regional Office of the bank. In their case, in addition to the Senior Overseas Officer, the results of this review must also be reported to the Head of Risk Management at the Head Office of the bank.

  1. The scope of the comprehensive review must have regard to the size, business mix and complexity of the institution, the extent of any change to its operations or risk appetite, and any changes to the external environment in which the institution operates.

  2. The review of the RMF must, at a minimum, assess whether:

    a) the framework is implemented and effective;
    b) it remains appropriate, taking into account the current business plan;
    c) it remains consistent with the Board’s risk appetite;
    d) it is supported by adequate resources; and
    e) the RMS accurately documents the key elements of the risk management framework that give effect to the strategy for managing risk.

  3. Where a material change to the size, business mix and complexity of the operations is identified outside the review required in paragraph 46, the bank must assess whether any amendment to, or a review of, the risk management framework is necessary to take account of these developments at that time.

Risk management declaration¹

  1. The Board of a bank must make an annual declaration to CBSI on risk management of the bank (risk management declaration) that must satisfy the requirements set out in Attachment A to this PS. The declaration must be signed by the chairperson of the Board and the chairperson of the Board Risk Committee (or equivalent, and only if in place).

¹ In the case of a "Foreign Incorporated Bank" this requirement shall apply to the operations of the bank in Solomon Islands. The Board of the parent bank may delegate the authority to comply with the requirement to an executive of the bank not more than one level below the CEO of the parent bank.

56. The Board of a bank must qualify the risk management declaration of the institution if there has been any significant breach of, or material deviation from, the risk management framework or the requirements set out in Attachment A to this PS. Any qualification must include a description of the cause and circumstances of the qualification and steps taken, or proposed to be taken, to remedy the problem.

  1. Unless otherwise approved by CBSI, a bank must submit its risk management declaration to CBSI within three months of its annual balance date.

Notification requirements

  1. A bank must, on adoption and/or following any material revisions, submit to CBSI a copy of its:

    a) Risk appetite statement;
    b) Business plan; and
    c) RMS.

  2. A bank must notify CBSI as soon as practicable, and no more than 10 business days, after it becomes aware:

    a) of a significant breach of, or material deviation from, the risk management framework of the bank; or
    b) that the risk management framework of the bank did not adequately address a material risk.

  3. A bank must notify CBSI as soon as practicable, and no more than 10 business days, after it becomes aware of any material or prospective material changes to the size, business mix and complexity of the institution.

  4. Where a bank conducts business in a jurisdiction outside SI, it must notify CBSI as soon as practicable, and no more than 10 business days, after it becomes aware that its right to conduct business in that jurisdiction has been materially affected by the law of that jurisdiction or its right to conduct business has ceased.



Attachment A - Risk management declaration

For the purposes of paragraph 55 of this PS, the Board of a bank must provide CBSI with a risk management declaration of the institution stating that, to the best of its knowledge and having made appropriate enquiries, in all material respects:

a) the institution has in place systems for ensuring compliance with all prudential requirements;
b) the systems and resources that are in place for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks, and the risk management framework, are appropriate to the institution, having regard to the size, business mix and complexity of the institution;
c) the risk management and internal control systems in place are operating effectively and are adequate having regard to the risks of the institution they are designed to control;
d) the institution has an RMS that complies with this PS, and the institution has complied with each measure and control described in the RMS;
e) the bank is satisfied with the efficacy of the processes and systems surrounding the production of financial information at the institution.