2000-01-01
The Bank of Zambia mandates all commercial banks to implement a risk-based inspection framework that evaluates seven core risk categories: credit, liquidity, operational, market, strategic, reputational, and legal. Supervisors will assess each institution by measuring inherent risk levels, the adequacy of internal control systems, and the trajectory of risk exposure to assign an overall risk rating. Banks are required to establish comprehensive risk management policies detailing measurement and control methods and must submit these documents to the regulator by 31 May 2000.
# Bank of Zambia
P.O. Box 30080, LUSAKA
10101
Tel. 228888/ 228903-20
10 April, 2000
C B Circular No. 2/2000
To: All Commercial Banks
Dear Sirs
## RISK BASED APPROACH TO INSPECTIONS
### 1. INTRODUCTION
The Bank of Zambia implemented the risk-based approach to inspections last year as per C B Circular No. 1/99 dated 14th January 1999. The objective of introducing the risk-based approach to inspections was to enhance the effectiveness of the supervision process for banks.
Banks may have more categories of risks according to their business profiles. However, all banks will at a minimum be expected to have in place risk management systems and procedures that address common risks.
The risks that banks face are numerous and are grouped in various categories. For purposes of supervising banks, the Bank of Zambia has recognised some major risks facing banks and uses them as a basis of evaluation. These risks and the associated definitions are as follows:
---
### 2. RISKS
#### 2.1 CREDIT RISK
This is the risk that arises from the potential that a borrower or counterparty will fail to perform on an obligation. For example, the credit risk in lending operations is that the borrower may not be able to repay the principal or interest. It arises at any time bank funds are extended, committed, invested or otherwise exposed through actual or implied contractual agreements, whether reflected on or off balance sheet.
Traditionally, credit risk has been the major risk in banking because banks carry a large proportion of their assets in loans of one kind or another as part of their function of intermediation. Credit risk extends to other forms of lending such as guarantees, leases and inter-bank loans.
#### 2.2 LIQUIDITY RISK
This is the potential that a bank will be unable to meet its obligations as they fall due because of an inability to liquidate assets or obtain adequate funding without significantly lowering market prices.
#### 2.3 OPERATIONAL RISK
This is the risk that arises from the potential that inadequate operational or transactional problems (relating to service or product delivery), breaches in internal controls, fraud or unforeseen catastrophes will result in unexpected losses.
This risk can further be subdivided into:
- Transactional risk, which is a function of internal controls, information systems, employee integrity and operating processes.
- Compliance risk, which arises from violations of or non-compliance with laws and regulations.
#### 2.4 MARKET RISK
This comprises the risk to an institution's condition resulting from adverse movements in market rates or prices, such as interest rates, foreign exchange rates, or other investments that the bank has made.
- Interest rate risk arises from changes in asset values due to movements in interest rates.
---
#### 2.5 STRATEGIC RISK
This type of risk emanates from business decisions and their implementation. This risk is closely related to the compatibility of an organisation's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation.
#### 2.6 REPUTATIONAL RISK
This is the risk associated with the potential that publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions.
#### 2.7 LEGAL RISK
This risk arises from the potential that unforeseen contracts, lawsuits or adverse judgements may disrupt or otherwise negatively affect the operations or financial condition of the bank.
---
### 3.0 EVALUATION METHOD
For all banks that were inspected last year, a risk matrix was presented in the inspection reports. The risk profile of each bank was therefore summarised in the said report.
Appendix I shows an example of a risk matrix. Each risk discussed is evaluated in the risk matrix using the following attributes.
#### 3.1 Inherent risks
This attribute is defined as the potential adverse effect an event or action may have on a particular business line, in the absence of internal controls and independent of individual employee performance. The inherent risk levels are identified and then defined as "high", "moderate" or "low". For each risk category, the subsisting environment in the inspected bank will determine the grading. Some parameters have been generally agreed as culminating in a high, moderate or low rating.
---
#### 3.2 Quality of managing the risk
This attribute summarises the inspectors’ evaluation of the adequacy of each bank’s risk control processes to identify, measure, monitor and control risk exposures. This evaluation considers the degree to which the existing control infrastructure effectively manages the inherent risk, including the ability to detect and correct an event or action that could adversely impact the institution’s overall condition.
Assessments of risk control systems are categorised as "strong", "acceptable", or "weak". The Bank of Zambia considers the degree to which an existing risk control system deficiency may compromise the ability of a bank to effectively manage and control inherent risks associated with each business activity. An evaluation will be made of the bank’s internal control environment.
For purposes of this approach, the Bank of Zambia defines internal control as,
> The process effected by the bank’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the effectiveness and efficiency of operations, the reliability of financial reporting, and the compliance with appropriate laws and regulations.
Note that this has considerable emphasis on board oversight in all the bank’s operations.
#### 3.3 Direction of risk
After a thorough review of a bank’s inherent risk profile and management control over the risk, an evaluation is made to determine if the inherent risk is increasing, stable or decreasing. This is dependent on the bank’s business decisions, which are in turn affected by the bank’s particular risk appetite.
#### 3.4 Overall risk rating
The overall risk rating for each business activity or risk category is a summary judgement determined by balancing the inherent risks of the activity with the adequacy of risk control systems for that activity. This evaluation reflects both the current and prospective view of a bank’s risk profile.
---
### 4.0 FACTORS CONSIDERED ON EACH RISK CATEGORY
The evaluation of the risks prevalent in each institution will depend on some criteria and factors presented below. These are not all-inclusive but serve as a guide to help you understand the parameters under which your banks will be graded.
#### 4.1 Credit Risk
- Adequacy of policies and procedures that delineate the credit function’s operations.
- Composition of the loan portfolio (customer type, connected parties/insiders, concentrations).
- Protection afforded by collateral (type, quality of collateral, perfection, marketability, nature of documentation exceptions).
- Adequacy of underwriting standards.
- Bank’s exposure to unfunded commitments (contingent liabilities).
- Trends in loan volume and growth, delinquencies, non-performing loans, and loan losses.
#### 4.2 Liquidity Risk
- Adequacy of Board and senior management oversight.
- Adequacy of a formal documented liquidity plan.
- Availability of a contingency plan.
- Rate of growth in the bank’s assets portfolio.
- Concentration of deposits (diversification of funding sources, profile of bank’s funding sources).
- Inter-bank borrowings irrespective of cost of funds.
- Failure to comply with BOZ core liquidity requirements.
#### 4.3 Operational risk
- Adequacy of documented policies, procedures and limits such as operational manuals.
- Adequacy of internal audit/controls.
- Frequency of incidents of fraud.
- Adequacy of information systems.
- Accuracy of financial, operational, and reports.
- Clear segregation of duties as outlined in the organisation structure which outlines lines of authority and accountabilities.
#### 4.4 Market risk
- Adequacy of bank’s documented business plan.
- Availability of documented policies and treasury procedures as regards forex and interest determination.
- Stability of forex income.
- Availability of hedging instruments.
- Levels of interest and non-interest margins.
- Level of bank’s interest rates in comparison to market rates.
#### 4.5 Strategic risk
- Quality and comprehensiveness of bank’s strategic plan.
- Congruency of plan to legal and market conditions.
- History of bank in adhering to its plans or stated objectives.
- Effectiveness of communicating the plans to all staff.
- Resource allocation in relation to objectives.
#### 4.6 Reputational risk
- Adequacy of management’s response to internal and regulatory reviews.
- Nature and frequency of customer complaints.
- Management’s ability to adjust to changes in regulatory and other stakeholder requirements or pressures.
- Market response to bank’s products.
- Historical losses from litigation.
- Demands made on the bank when it operates on the interbank (OMO), such as demand for security and higher than market rates of interest on overnight borrowing.
- Frequency of publishing financial statements.
#### 4.7 Legal risk
- Nature and frequency of violations of prudential regulations and Laws of Zambia.
- History of complaints and litigation against the bank by third parties.
- Adequacy of staffing in legal department.
- Incidents of incomplete documentation.
- Nature and complexity of the bank’s business transactions.
- History of poor collateral perfection by legal department.
The above list is by no means exhaustive, but is indicative of the factors to be considered. The business activities of each bank will determine which particular factors will be considered.
---
### 5.0 RISK MANAGEMENT POLICIES
For effective implementation of the risk-based examination process, it is important that banks establish Risk Management Policies. Such policies will at a minimum define the risks facing the bank, the methods of measuring risk, and the monitoring and controlling methods in respect of the risk. Every bank is required to submit the policy to the Bank of Zambia no later than 31 May 2000.
---
For comments or clarifications arising from this circular, contact the Director, Financial System Supervision.
Yours sincerely
Dr Abraham Mwenda
DEPUTY GOVERNOR-OPERATIONS
---
## APPENDIX I
### RISK MATRIX
| RISK CATEGORY | INHERENT RISK | QUALITY OF MANAGEMENT | OVERALL RISK RATING | DIRECTION OF RISK |
|--------------------|---------------|------------------------|---------------------|-------------------|
| CREDIT | High | Acceptable | High | Increasing |
| OPERATIONAL | Moderate | Weak | High | Increasing |
| LIQUIDITY | Low | Acceptable | Moderate | Stable |
| LEGAL RISK | High | Weak | High | Increasing |
| REPUTATIONAL | Low | Acceptable | Moderate | Stable |
| OVERALL RISK RATING| Moderate | Acceptable | High | Increasing |
Narratives which give the basis upon which the gradings are made on each evaluation criterion always accompany this matrix.