CENTRAL BANK OF NIGERIA REVISED GUIDELINES ON SUPERVISORY REVIEW PROCESS OF INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (SRP/ICAAP) SEPTEMBER 2021

Table Of Contents

1.0 INTRODUCTION.............................................................................................. 2 2.0 INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)......... 3

2.5	Regulatory Reporting of the ICAAP 1	0

2.4	Features of the ICAAP	. 5

2.3	Scope of Application	.. 4

5.4	Early Intervention 1	5

5.3	Proportionality in the SREP 1	4

5.2	Stages of the SREP 1	3

5.1	General Rules for the SREP 1	2

2.2	Proportionality in the ICAAP	. 4

2.1	General Rules for the ICAAP	. 3

3.0 INTERACTION BETWEEN RISK BASED SUPERVISION AND ICAAP ........ 11 4.0 INTERACTION BETWEEN ICAAP, ILAAP AND RRP.................................... 12 5.0 SUPERVISORY REVIEW AND EVALUATION PROCESS (SREP)............... 12 ANNEX A: RISKS SUBJECT TO THE ICAAP........................................................ 16 ANNEX B: MINIMUM EXPECTATION FOR ICAAP REPORTING......................... 17

1.0 Introduction

1. The Central Bank of Nigeria (CBN) has conducted the Supervisory Review and Evaluation Process (SREP) of banks' Internal Capital Adequacy Assessment Process (ICAAP) since December 2013 as part of its risk-based supervisory process.

2. The introduction of Basel III standards and its impact on capital requirements and supervisory expectations has made it necessary to update the CBN Guidance Note on Supervisory Review Process to ensure that it reflects emerging best practice. The Basel III Framework not only strengthened the risk-based capital standards but also introduced additional measures, some of which have a direct implication on banks' assessment of their risk profiles and capital requirements.

3. The Supervisory Review Process is structured along two separate but complementary stages.

a) The Internal Capital Adequacy Assessment Process (ICAAP), and b) The Supervisory Review and Evaluation process (SREP.

4. The Icaap Requires Banks To:

a) Perform an independent and complete forward looking assessment of the risks to which they are exposed, and b) Estimate the internal capital requirement that adequately reflects their risk profile, business strategy and risk acceptance level.

5. The SREP is the process by which the CBN: a) Reviews and assesses the bank's ICAAP; b) Analyses the bank's own assessment of its risk profile, the corporate governance, and the internal control system; c) Verifies overall compliance with prudential requirements and supervisory expectations in relation to the quantification of internal capital and liquidity requirements; and d) Formulates an overall view on the risk profile of a bank and, where necessary, takes remedial measures.

2.0 Internal Capital Adequacy Assessment Process (Icaap)

6. All banks are required to develop an ICAAP to maintain adequate capital levels consistent with their strategies, business plans, risk profiles and operating environment on a going concern basis.

7. The ICAAP should be based on appropriate risk management systems that require adequate corporate governance mechanisms, an organisational framework with clear lines of responsibility, and effective internal control systems. This is because capital should not be regarded as a substitute for addressing fundamentally inadequate control or risk management processes.

8. The ICAAP should be documented, understood, and shared by all bank structures and should be subject to independent internal review.

9. The respective banks' boards are entirely responsible for the ICAAP. They are expected to independently establish the design and organisation of the ICAAP in accordance with the risk appetite of the bank. They are also responsible for the implementation and the annual update of the ICAAP and the calculation of internal capital that takes into consideration the banks' activities and operating environment.

10.Banks should, on an annual basis, submit to the CBN an ICAAP report detailing, amongst others: the key features of the ICAAP, their risk exposures and the level of capital deemed adequate to support those risks. The report should also contain a self-assessment of the ICAAP, areas for improvement, any deficiencies in the process and any corrective measures to be taken.

2.1 General Rules For The Icaap

11.Banks should have a process for determining the total capital, currently and prospectively, necessary to support all material risks. This process should be; a) Formalized and documented; b) Subject to internal review and approval by board and management; and c) Proportionate to the nature, scale and complexity of the business conducted.

12.The calculation of total capital requires an assessment of all the risks to which a bank is or may be exposed, including those not considered in calculating the capital requirement under Pillar 1.

13.Banks should determine the risks, other than credit, market and operational risks, for which the adoption of quantitative methodologies that can be used in 3 determining internal capital would be appropriate, and those for which control and mitigation measures, in combination or alternatively, would be more suitable.

2.2 Proportionality In The Icaap

14.A bank is expected to have an appropriate approach for the assessment of its internal capital requirements in line with its size, the nature, scale, and complexity of its activities. The selection of the approach is the responsibility of the bank. Banks with fewer and less complex activities may use simpler approaches to identify and measure risks while banks with large and complex activities may use more comprehensive methods to assess internal capital requirements.

15.An assessment of the risk profile of a bank must consider all material risks arising from its business and operating environment. The ICAAP should fit banks' individual circumstances and needs, having regard to the risk profile and level of sophistication of their operations. The principle of proportionality shall be applied, taking into consideration factors such as: a) Size and complexity of the business; b) Growth and expansion strategies; c) Nature, scale and complexity of asset mix, and product offering; and d) Composition and market segments.

16.The principle of proportionality shall apply also to the following aspects: a) Methodologies used in measuring/assessing risks and in determining the related internal capital requirements; b) Type and nature of the stress tests adopted; c) Determination of total internal capital; d) Organisational structure of the risk control systems; and e) Scope and detail of ICAAP reporting to the CBN.

2.3 Scope Of Application

17.This Guideline is applicable to all Deposit Money Banks (DMBs) in Nigeria at both solo level and consolidated level. The CBN shall apply the principle of proportionality to its supervisory assessment of banks' processes and methodologies.

2.4 Features Of The Icaap

18.In developing an ICAAP, banks should consider the key supervisory principles as articulated by the Basel Committee on Banking Supervision (BCBS). At a minimum, banks should incorporate the following features in their ICAAPs: a) Board and senior management oversight; b) Established policies, procedures, limits, and control; c) Sound capital assessment and planning; d) Comprehensive assessment of risks; e) Stress testing; f) Monitoring and reporting; and g) Internal control review.

2.4.1 Comprehensive Identification Of Risks

19.Banks should independently identify the risks to which they are exposed, taking into consideration their operations and the markets in which they operate.

20.This analysis should consider, at a minimum, the risks listed in Annex A. This list is however not exhaustive. The identification of any further risk factors connected with a bank's specific operations is left to the prudent assessment of each bank.

21.Banks and banking groups should clearly identify the sources of the various forms of risks and where these are to be found at the level of operating units, enterprisewide, within the group or from external counterparties. This is to ensure that the regulatory and internal capital requirements calculated at the individual entity level for the most significant legal entities adequately cover the risks effectively faced by these entities.

22.Risk identification is an integral part of a bank's ICAAP. The identification of the risks to which a bank is exposed, and the determination of their materiality should be based on a comprehensive assessment of the existing and potential risk factors of individual transactions, products, activities, and processes of a bank. Banks should also ensure that the approaches to risk identification take into consideration the assessment of the external environment.

23.Banks are expected to have a defined process of risk identification and for the frequency of reviewing the risks included in the ICAAP. The identification process should be clear and also include the description of responsible departments for the identification process.

24.Given that the ICAAP is a bank-wide process, the CBN expects banks to ensure that all relevant departments participate in the risk identification process. An anchor department, normally the risk function, should be responsible for coordination and collation as well as communication of risks identified to the entire bank.

25.Bank are expected to identify all risks, whether material or immaterial. Banks should ensure that the basis for determining materiality of risks is directly associated with the bank's approach to the risk concerned and/or the assessment of expected loss from such risks. The criteria for determining the materiality of risks, including the set quantitative and qualitative thresholds, should be expressly stated in the bank's ICAAP.

26.Without prejudice to Annex A of this Guideline, banks are expected to have internal definitions of the risks they are exposed to and should clearly describe such risks in their ICAAP.

27.Banks are expected to review the materiality of the identified risks on a continuous basis, giving consideration to market conditions, information gathered in respect of counterparties as well as the possible impact of the risks on the bank's earnings, capital position and reputation.

2.4.2 Sound Capital Assessment

28.The capital assessment process should include the risk measurement and modeling process that produces accurate loss and resource estimates, and a detailed process for generating reports for the board and senior management.

29.In order to calculate internal capital, banks should have: a) Policies and procedures ddesigned to clearly identify, measure and report all material risks; b) A process that relates capital adequacy to the level of risks assumed; c) A process that relates capital adequacy goals with the banks' strategic focus and business plan; and d) A process of internal controls that reviews and audits continuously the bank's activities to ensure robustness and integrity of the overall risk management process; 30.Banks are also required to quantify all material risks they are exposed to using appropriate methodologies which capture their organisational and operational features.

31.For credit, counterparty, market and operational risks, a methodological starting point is provided by the regulatory systems for calculating capital requirements for such risk types under Pillar 1 of the Basel Framework.

32.Banks which have implemented internal models for the quantification of capital requirements under Pillar 2 should be able to fully demonstrate the appropriateness of such models given their risks and exposures. Banks should also ensure that such models adequately identify and measure the underlying risks arising from the bank's activities and are subject to rigorous on-going validation.

33.Banks are expected to consider several factors in relating capital to the level of risk, including: a) A comparison of their own capital ratios with regulatory standards and with those of industry peers; b) Potential severe adverse events, including historical experiences and the external economic environment; and c) Planned changes in the bank's business or strategic plans, identified changes in its operating environment, and consequential changes in its risk profile.

34.The banks' ICAAP should include a reconciliation between the total internal capital and the eligible regulatory capital. Banks should also, where applicable, explain the inclusion of capital instruments that may not be eligible as regulatory capital in the calculation of their internal capital.

35.Banks are expected to take into consideration the CBN guidelines on respective Pillar II risks in the assessment and the quantification of the relevant risk types.

2.4.3 Stress Testing

36.Banks should conduct stress testing of their risk mitigation and control systems and the adequacy of their internal capital, in order to enhance the assessment of their exposure to risks.

37.Banks are expected to consider the CBN Guidelines on Stress testing for the Nigerian Banks in the development of their end-to-end stress testing process. Banks should also consider the relevance of the CBN's stress scenarios and the suggested risk drivers1in the context of their business and specific risk drivers.

38.Banks are expected to articulate realistic management actions anticipated to reduce risk or restore capital adequacy in the event that: a) Severe and plausible adverse stress scenarios result in a Capital Adequacy Ratio (CAR) that is below the regulatory threshold; and/or b) The bank's current capital ratio is below its internal risk appetite target.

39.Banks are particularly expected to: a) Ensure that management actions are feasible given adverse macro-economic conditions and the potential impact on reputation; b) Consider preconditions that might affect the effectiveness of management actions e.g. debt covenants, legal or regulatory implications; c) Consider the implications of management actions on the bank's business model; d) Demonstrate the qualitative and quantitative impact of management actions on projected metrics under different scenarios; e) Demonstrate evidence of management actions implemented in the past during similar circumstances, e.g. through board reports and minutes of meetings, etc.

2.4.4 Corporate Governance In The Icaap

40.The board is responsible for ensuring that the bank maintains an appropriate level and quality of capital given its risk profile and business plan. The board should therefore have a sound understanding of the nature and materiality of risks inherent in the bank's activities.

41.The board should establish a framework for assessing the various risks, develop a system to relate risk to the bank's capital level, and establish a method for monitoring compliance with internal policies and regulatory capital limits2. The board should also: a) Implement strong internal controls and comprehensive policies and procedures, and b) Ensure that senior management effectively communicates these throughout the organization.

1 Appendix II of the CBN Guidelines on Stress testing for the Nigerian Banks 2 Banks are expected to always operate above the minimum regulatory capital ratios 42.In exercising its oversight responsibilities, the board is expected to approve the bank's risk appetite and capital management frameworks and to ensure that senior management discharges its responsibilities for: a) The development and effective implementation of the ICAAP; b) The establishment of detailed policies that set institution-wide controls that are consistent with its risk-taking capacity and appetite; c) The establishment of a risk management framework that is not limited to credit, market, operational and liquidity risks, but incorporates all material risks, including reputational, legal and strategic risks, as well as risks which do not appear significant in isolation, but when combined with other risks could lead to material losses; d) The development of a system to relate risk to the bank's capital level as part of its internal assessment of capital adequacy; and e) Establishing strong internal controls and a process for monitoring compliance with internal policies.

2.4.5 Monitoring And Reporting

43.Banks should have a robust IT infrastructure and effective internal processes for monitoring and reporting risk exposures and assessing how their changing risk profiles affect their capital needs. They are therefore required to: a) Evaluate the level and trend of material risks and their effects on capital levels; b) Evaluate the sensitivity and reasonableness of the key assumptions used in capital assessment; c) Determine that they hold sufficient capital against the various risks and ensure compliance with established capital adequacy goals; and, d) Assess future capital requirements based on reported risk profiles and indicate any necessary adjustments to be made to the banks' strategic plan based on that assessment.

2.4.6 Internal Control Review

44.Banks should have a process of internal controls, independent reviews, and audits to ensure the adequacy, effectiveness, and reliability of the ICAAP and the overall capital planning process. Banks should also have a process for monitoring the actual performance against the approved capital targets 3 as well as conformity with the strategy and objectives stated in the ICAAP.

45.The board should ensure that the bank's system of internal controls facilitate the monitoring of its business environment.

46.The bank should conduct periodic reviews of its risk management process to ensure its continued integrity, accuracy, and reasonableness. The reviews should cover: a) Appropriateness of the ICAAP; b) Large exposures and risk concentration; c) Accuracy and completeness of data input; d) Reasonableness and validity of scenarios used in the assessment; and e) Stress testing and analysis of assumptions / inputs.

47.The frequency of the independent reviews and audits may vary depending on the size and complexity of individual bank but should not be less than once every year.

48.The ICAAP and risk management process should be subject to periodic reviews to ensure their integrity, accuracy, and reasonableness. At a minimum, the following areas should be reviewed: a) The appropriateness of risk appetite/tolerance levels and capital planning, the effectiveness of the ICAAP, and the strength of internal control infrastructure; b) The appropriateness, accuracy and reliability of third-party inputs or other tools used for management information purposes e.g. credit ratings, risk measures and models; c) The methodologies for identification of large exposures and risk concentrations; d) The accuracy and completeness of data input into the bank's assessment process; e) The reasonableness of scenarios used in the assessment process; and f) The stress testing and capital planning assumptions.

2.5 Regulatory Reporting Of The Icaap 2.5.1 Content And Structure

49.The ICAAP report will enable the CBN to conduct a comprehensive assessment of the key qualitative features of the capital planning process, the bank's overall exposure to risks and the quantification of total internal capital required to mitigate those risks.

50.The report should be submitted to the CBN along with the relevant board resolutions and senior management reports containing their comments on the ICAAP in line with their respective responsibilities and functions. The report should be organised, at a minimum, into the areas specified in Annex B.

2.5.2 Frequency Of Icaap Reporting

51.Banks should, on an annual basis, submit to the CBN a comprehensive ICAAP report and other relevant supporting documents. The ICAAP report as at 31st December of the previous year should be submitted not later than four months after the year end (end of April).

52.Banks are expected to frequently update and document their ICAAP to capture any material changes in their business strategy or macroeconomic conditions. At a minimum, banks are expected to update their ICAAP at least once annually.

53.The CBN may require banks to submit an updated ICAAP at any point in time and particularly where there has been a significant change in its risk profile.

3.0 Interaction Between Risk Based Supervision And Icaap

54.The CBN expects banks to articulate the interaction between Examiners' perceptions of their risk profile under the Risk Based Supervision (RBS) framework and its ICAAP Framework. Examiners' risk assessment of the inherent risk within each significant activity of a bank, the quality of risk management applied to mitigate these identified risks, direction of risk and overall net risk rating should be taken into account in the ICAAP.

55. The consideration of the Examiners' perception of risk is required to ensure that there is an appropriate interplay between Examiners' assessment of inherent risks and the banks' ICAAP. Specifically, banks are required to: a) Take into consideration the Examiners' findings on the assessment and perception of material risks during the most recent RBS examination; b) Demonstrate the extent of compliance with recommendations issued by Examiners during the most recent RBS Examination; and c) Demonstrate that the choice of stress testing scenarios and their severity reflect Examiners' perception of the bank's risk profile.

4.0 Interaction Between Icaap, Ilaap And Rrp

56.A bank's Recovery and Resolution Plan (RRP) is aimed at ensuring that banks and supervisors are prepared to manage the threat to the viability of a bank in times of stress. The main purpose of the ILAAP is to assess and be able to demonstrate that a bank has adequate liquidity, a prudent funding profile, and robust processes for the management of liquidity and funding risks. It forms part of a bank's liquidity management framework that ensures a bank's ability to fulfil its payment obligations at all times even under adverse conditions. Given the implication of ILAAP and RRP on capital, banks are expected to articulate the interlinkages between ICAAP, ILAAP and RRP in the ICAAP document.

Accordingly: a) Banks are expected to ensure consistency and coherence between the ICAAP, ILAAP and RRP in terms of assumptions, early warning indicators, triggers, escalation procedures following breaches of thresholds, and potential management actions; b) Potential management actions in the ICAAP should, where relevant, be reflected in the RRP and the ILAAP and vice versa, to ensure consistency in the assessment of inherent risks and reasonableness of the proposed management actions; and c) The underlying assumptions and proposed management actions should be consistent across the three risk management processes (ICAAP, ILAAP and RRP).

5.0 Supervisory Review And Evaluation Process (Srep) 5.1 General Rules For The Srep

57.The SREP shall be conducted for banks and banking groups on an annual basis.

The objective will be to verify that banks have established capital and organisational arrangements that are appropriate for the risks they face.

58.The SREP involves rigorous assessment of the adequacy of banks' capital and, where applicable, the determination of the appropriate capital add-ons and buffers, which take into account: (i) the quality of banks' overall risk management practices and internal control systems, (ii) the extent to which a bank is exposed to risks that are outside the coverage of Pillar 1, and (iii) the effectiveness of its ICAAP.

59.The review of a bank's risk profile will take into consideration the CBN assessment of the assumptions, methodology, coverage, and outcome of a bank's ICAAP, with a view to ascertaining the adequacy and effectiveness of the bank's ICAAP.

60.The CBN will consider the following in the assessment of the bank's risk profile: (i) the Examiners' perception of the bank's risk profile based on the most recent RBS, and (ii) the strength and availability of parental support as well as other relevant information from the home supervisor of its parent or host supervisors of its subsidiaries.

61.The review of a bank's risk profile shall also take into account the bank's prospects and ability to obtain or raise new additional capital, particularly under stressed market conditions. In the case of a bank within a group structure (local or foreign), the CBN shall also consider whether the bank has strong parental support and whether the parent bank or holding company has the resources to provide such support when needed.

62.The assessment of a bank's risk profile shall be based on a combination of tools, which include: a) Quantitative and qualitative assessments; b) Ranking of risk factors; c) Benchmarking against industry performance; and d) Peer group comparisons.

63.The CBN may, as a result of a bank's ICAAP assessment, impose a higher Pillar 2 capital requirement on the bank. This will however take into consideration the requirements set out in the CBN Supervisory Intervention Framework and the Capital Add-on Framework.

5.2 Stages Of The Srep

64.The SREP is organised into the following main stages: a) Analysis of exposure to all material risks and the relative control systems; b) Verification of compliance with capital and other supervisory requirements; c) Assessment of the procedure and methodologies for calculating total internal capital and of the adequacy of total capital given the bank's risk profile; d) Issuance of specific opinions (or rating) for each form of risk and the overall situation of the bank; e) Determination of any supervisory response including capital add-ons.

5.3 Proportionality In The Srep

65.The CBN shall apply the principle of proportionality in the assessment of a bank's ICAAP including the Pillar 2 capital requirements. In order to ensure a proportional SREP, the CBN will categorize banks based on two dimensions: a) Systemic importance to the domestic economy; and b) The "quality" of the bank (risk level, risk control etc.) 66.The criteria for the assessment of the systemic importance is based on the indicator-based measurement approach in line with the framework for Regulation and Supervision of Domestic Systemically Important Banks (D-SIB). The criteria for categorization include: size, interconnectedness, substitutability, and complexity.

67.Categorization based on the "quality' of the bank shall be done on a case-bybase analysis and shall take into consideration the bank's individual risk profile including its sensitivity to external shocks, its available capital resources, and the quality of its risk management.

68.The intensity of a SREP for D-SIBs would be high while the intensity of SREP for non-systemic banks would depend on the composite risk rating of the respective banks as reflected in their most recent RBS report. Further, the SREP shall also be informed by the principle of proportionality, under which: a) The frequency and the comprehensiveness of the SREP shall have regard to the systemic importance, nature, size, and complexity of banks; and b) The corporate governance systems, risk management processes, internal control mechanisms and the determination of capital deemed adequate to cover risks shall be proportionate to the nature, scale and complexity of the business conducted by the banks; 69.The CBN, as part of its RBS process, will review and evaluate the soundness of a bank's ICAAP against the expectations set out under the features of ICAAP in this guideline. This review will also consider the comprehensiveness of the ICAAP and the quality of risk management to form a view on the appropriateness of the bank's internal capital targets and its capacity to meet the internal and supervisory targets.

70. Based on the ICAAP reviews, the CBN may require a bank to, among other things, take action to improve its capital and risk management processes if it is not satisfied with the bank's ICAAP.

5.4 Early Intervention

71.The board and senior management of banks shall have primary responsibility to ensure their institutions maintain adequate capital resources on an ongoing basis. The CBN can however intervene at an early stage to prevent a bank's capital from falling below the level that it deems adequate to support its risks. The CBN may also require rapid remedial action if adequate capital is not maintained or restored. The remedial actions could include the following: a) Altering the risk profile of the bank through the restructuring of business or operations; b) Directing a bank to raise additional capital; c) Strengthening of: (i) the risk management systems, procedures, and processes, (ii) internal control mechanisms, and (iii) internal assessment of capital adequacy; d) Restrictions on the distribution of profits or other elements of capital; e) Directing the bank to hold an amount of regulatory capital greater than the minimum under Pillar 1; f) Requiring a bank to prepare and implement a satisfactory capital adequacy restoration plan; and/or g) Using other measures as contained in the CBN Supervisory Intervention Framework (SIF) and the BOFIA.

5.5 Pillar 2 Capital Add-On Assessment

The Central Bank of Nigeria will challenge the adequacy of banks' estimate of Pillar 2 capital requirement for material risks. In doing so, the CBN will take into account:

1. Risk Based Supervision Composite Risk Rating 2. The banks' risk profile 3. The banks' risk management capacity 4. Compliance with the provision of the Pillar 2 Guidelines issued by the CBN The assessment will include the following elements: Single Name and Sectoral Credit Concentration Risk, IRRBB, Business Model Risk, Reputational Risk, Residual Operational Risk, Stress testing, ICAAP, Model Risk, and Country Risk. The outcome of this assessment will drive:

2. The Pillar 2 minimum capital requirement for the bank given its risk profile business model and systemic importance 2. Additional capital requirement for the bank which will flow into Pillar 1 capital requirement 3. The capital add-on would be imposed where the assessment produces ratings for Pillar II risks to be "Above Average" or "High" or the quality of risk management is "Weak" or "Need improvement".

3. The removal of the Pillar II capital add-on would be dependent on the respective bank addressing the identified issues to the full satisfaction of the CBN.

Annex A: Risks Subject To The Icaap 1. Pillar 1 Risks

a) Credit risk (including counterparty risk); b) Market risk; c) Operational risk. 2. Pillar 2 risks a) Concentration risk b) Interest rate risk in the banking book c) Business and Strategic risk.

d) Reputational risk.

e) Country and Transfer risk. f) Model risk g) Environmental and Social risk (E&S) Note: The above listed Pillar 2 risks are not exhaustive. Banks are therefore required to assess all their respective material risks. At a minimum, banks are expected to provide the following information in their ICAAP report, or as part of the supplementary submission: 1. Organization of the ICAAP Report a) Executive Summary b) Structure and Operations c) Governance Structure d) Risk Appetite Framework e) Risk Identification and Materiality Assessment f) Risk Assessment and Capital Adequacy g) Stress Testing h) Capital Planning i) Capital Allocation and Reconciliation of Internal Capital j) Internal Audit and Review of ICAAP k) Approval, Review, and Use of ICAAP l) Challenges and Further Steps m) Summary of Internal Capital Adequacy Assessment Process n) Use of Internal Models for Capital Assessment

2. Strategies And Forecasting Horizon Adopted

a) Business plan and annual budgets; schedule of reviews of business plan and its components; extraordinary events necessitating review.

b) Reconciliation between time horizon of business plan and capital plan. c) Ordinary and extraordinary sources of capital. 3. Corporate governance, organizational arrangements and internal control systems connected with the ICAAP a) Description of the process for the preparation and updating of the ICAAP. b) Description of the process for reviewing the ICAAP. c) Definition of the role and functions assigned to the board and senior management bodies for the purposes of the ICAAP.

d) Definition of the role and functions assigned to various corporate functions for the purposes of the ICAAP, e.g., internal audit, compliance, risk management etc.

e) Description of organizational and contractual safeguards relating to any elements of the ICAAP that is outsourced.

f) Description of internal policies and procedures relevant to the ICAAP. g) Minutes of the board meeting and relevant committee meetings evidencing implementation of ICAAP.

h) Evidence of discussion on, or changes in, the bank's risk and capital situation, limit breaches, etc., including decisions on management actions or any explicit decisions not to take any action.

i) Decisions on management actions related to internal capital estimates, their aggregation, and their comparison with the available internal capital (current situation and forward-looking).

4. Business Model And Strategy

a) Description of the current business model(s) including identification of core business lines, markets, geographies, subsidiaries, and products.

b) Description of main income and cost drivers, allocated to core business lines, markets, geographies and subsidiaries.

c) Description of the changes planned by the bank to the current business model and its underlying activities.

d) Description of how the business strategy and ICAAP are linked.

5. Risk Appetite Framework

a) A copy of the board approved risk appetite statement. b) Description of the alignment between the bank's strategy and business model and its risk appetite framework.

c) Description of the process and governance arrangements, including the roles and responsibilities within the senior management and the board, in respect of the design and implementation of the risk appetite framework.

d) Description of the risk appetite/tolerance levels, thresholds and limits set for the identified material risks, as well as the time horizons, and the process for the review and update of such thresholds and limits.

e) Description of the limit allocation framework within the banking group. f) Description of the integration and use of the risk appetite framework in the risk and overall management.

6. Risk Identification And Materiality Assessment

a) Description of the approach taken to identify risks, of the identified risks included within risk categories covered in the ICAAP, and the approach for assessing the materiality of risks.

b) Description of ICAAP time horizon(s), including an explanation of possible differences between the risk categories and the subsidiaries covered, where applicable.

c) Description of risk categories and sub-categories covered in the ICAAP, including their definitions.

d) Explanations of the differences between the risks covered in the ICAAP and the risk appetite framework, where the scope of risks covered is different.

e) Description of any deviations in the ICAAP process and in the key assumptions within the group and the subsidiaries of the group, where applicable.

f) Description, for every category of measurable risk, of the main characteristics of the main risk control and mitigation instruments.

g) General description of systems for control and mitigation of non-measurable risks.

7. Quantification Of Pillar 2 Capital Requirement

a) General description of key features of quantification/measurement methodologies and models, including metrics, assumptions and parameters used (e.g. confidence intervals, holding periods etc.) for all risk categories and sub-categories.

b) Description of the quality of internal challenge of the adequacy of internal capital estimates.

c) Demonstration of the reasonableness of the internal capital estimates given the bank's risk profile.

d) Information on the actual data used, including an explanation of how the data used reflects the scope of subsidiaries covered by the ICAAP, including the length of the time series.

e) Description of the main differences between the measurement methodologies and models used for ICAAP purposes and those used for the calculation of the minimum Capital Adequacy Ratio (CAR).

f) The results of the calculation of internal capital estimates for all material risk categories covered by ICAAP on a risk-by-risk basis.

g) Where certain risks are identified as material but resulted in zero capital, the bank shall demonstrate the basis of its judgment.

8. Capital allocation and Reconciliation of internal capital, regulatory requirements as well as regulatory capital a) Description of the methodology and assumptions used for the allocation of internal capital to operating units, subsidiaries, business segments and products, where appropriate.

b) Description of the monitoring process (comparison of internal capital estimates vs.

allocated capital), including escalation procedures.

c) Amount of internal capital available to date, broken down by various elements of capital considered.

d) Actual amounts of the internal capital allocated to risks covered by ICAAP and group subsidiaries, and core business lines.

e) Quantitative comparison between the actual internal capital usage relative to the internal capital allocated based on ICAAP estimates supported by an explanation of cases where actual capital usage is close to or exceeds the allocated capital.

f) Reconciliation of total internal capital and regulatory requirements. g) Listing and definition of capital components covering internal capital. h) Eligibility of components covering internal capital to be calculated for supervisory purposes including the explanation for inclusion of ineligible components.

6. Capital Planning

a) Description of capital planning, including dimensions considered (e.g. internal, regulatory), time horizons, capital instruments, capital measures etc.

b) Description of the main assumptions underlying the capital planning. c) Description of the current conclusions from capital planning such as planned issuances of various capital instruments, other capital measures (e.g. dividend policy) and planned changes to the balance sheet (e.g. sales of portfolios etc.).

d) Documented capital policy and scope in term of coverage of all the material risk types in the capital planning process.

e) Description of management framework for preserving capital.

9. Stress Testing In Icaap

a) Description of adverse scenarios considered under the ICAAP, scenario assumptions and key macroeconomic variables.

b) Description of how reverse stress tests have been used to calibrate the severity of scenarios used.

c) Governance of the end-to-end stress testing process and data infrastructure. d) Information on role of outputs in the management decision making. e) Description of key assumptions used in the scenarios considered, including management actions, business assumptions regarding balance sheet, reference dates, time horizons etc.

f) Quantitative outcome of the scenarios considered and impact on key metrics, including profit & loss and capital, both internal and regulatory own funds, and prudential ratios, as well as the impact on the liquidity position.

g) Explanation of how the scenario outcomes are relevant to the institution's business model, strategy, material risks and group entities covered by ICAAP.

10. Internal audit review of ICAAP a) Scope and frequency of the internal audit review of ICAAP. b) Resourcing of, and the independence of, the internal audit function. c) Process for tracking of open audit issues and verification of management action prior to their closure.

d) Approach to review of methods and techniques, assumptions and sources of information used in the ICAAP.

e) The outcome from the independent validation of risk measurement models.

11. Self -Assessment Of Icaap

a) Identification of the areas for improvement; b) Planning of capital or organisational actions.

12. Decision-Making Process:

a) The decisions approved by senior management should be properly documented.

b) Key decisions about capital actions should include the detailed criteria on which the following decisions were made; - Formulation of Risk Appetite Statement (RAS) - Allocation of internal capital to specific business lines

• Assessment of capital adequacy under stress market conditions
• Assessment of performance of specific business lines and product on risk adjusted basis.