Internal Capital Adequacy Assessment Process Guideline

NOVEMBER 2019 INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 1 Bank Supervision Department CENTRAL BANK OF BARBADOS Table of Contents

1. Introduction ...................................................................................................................... 2 1.1 The Four Principles of Pillar II ...................................................................................... 2 1.2 Principle 1: the ICAAP ................................................................................................. 2
2. Scope of Application........................................................................................................ 3
3. What is an ICAAP? ........................................................................................................... 4 3.1. ICAAP Characteristics ................................................................................................. 4 3.2. ICAAP Components..................................................................................................... 5 3.2.1. Board Responsibility................................................................................................. 6 3.2.2. Senior Management Responsibility .......................................................................... 6 3.2.3. Comprehensive Assessment of Risks ...................................................................... 7 3.2.4. Monitoring and Reporting ........................................................................................14 3.2.5. Internal Audit, Controls and Review.........................................................................14
4. Critical Success Factors.................................................................................................14 4.1. Methodology, Assumptions and Definitions.................................................................14 4.2. Suitable IT Systems ....................................................................................................15 4.3. Documentation............................................................................................................15
5. Role of the Bank..............................................................................................................15 5.1. Interaction of ICAAP with Supervisory Review ............................................................15 APPENDIX 1 ............................................................................................................................17 APPENDIX 2 ............................................................................................................................20 APPENDIX 3 ............................................................................................................................21

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 2 Bank Supervision Department CENTRAL BANK OF BARBADOS

1. Introduction 1.1 The Four Principles of Pillar II The Basel II Framework1 centres around three supporting pillars - minimum capital requirements (Pillar I), supervisory review (Pillar II), and market discipline (Pillar III). Pillar II reinforces Pillar I2 by addressing other key risks and factors not covered under Pillar I. It requires licensees to have adequate capital to support all material risks and it encourages them to address weaknesses in current risk management by using improved risk management techniques in the monitoring and management of their risks. Pillar II is based on the four interlocking principles that:
2. Licensees should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels (the ‘Internal Capital Adequacy Assessment Process’, ICAAP).
3. Supervisors should review and evaluate licensees’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios (the ‘Supervisory Review and Evaluation Process’, SREP). Supervisors should take appropriate supervisory action if they are not satisfied with the results of this process.
4. Supervisors should expect licensees to operate above the minimum regulatory capital ratios and should have the ability to require licensees to hold capital in excess of the minimum.
5. Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular licensee and should require rapid remedial action if capital is not maintained or restored. 1.2 Principle 1: the ICAAP The Central Bank of Barbados (Bank), in furtherance of its responsibility for the regulation and supervision of licensees under the Financial Institutions Act, Cap. 324A, has developed this Guideline, which focuses on Principle 1 of Pillar II. This Guideline addresses licensees’ responsibility in developing adequate ICAAPs and should assist licensees in the formulation and implementation of ICAAPs which are the processes used by licensees to determine their internal capital according to their risk profiles.

1 Basel Committee on Banking Supervision (2006): ‘International Convergence of Capital Measurement and Capital Standards. A Revised Framework. Comprehensive Version’. June; and subsequent supplementary documents published by the BCBS. 2 Pillar I sets minimum requirements for capital to cover credit, market and operational risks.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 3 Bank Supervision Department CENTRAL BANK OF BARBADOS Institutions should establish their ICAAPs making adequate allowance for the principle of proportionality. The ICAAP will be proportional to the size, nature, scale and complexity of licensee’s activities. Based on that, the ICAAP may not include some of the areas discussed within this Guideline or may include other areas that may be relevant to their operations. As such, an ICAAP may be as simple or complex as a licensee’s characteristics warrant. Through its ICAAP each licensee will assess the total amount of capital that it calculates as necessary to safeguard it against all of the risks inherent in its business, both currently and taking a forward view. While some licensees will wish to adopt a sophisticated economic capital model in formulating their ICAAP, for others the ICAAP will more likely be derived from their Pillar I calculation, together with appropriate capital estimations determined by each licensee to cover other material risks. In each case, it must be evident from the Bank’s review that the licensee has adequately considered and understood all of its material risks when assessing their overall capital needs. Given the importance of risk management, the motivation for ICAAP implementation should not be driven by supervisory considerations, but more so by the promotion of a sound risk management and corporate governance culture within the licensee, built on risk-based capital and adequate risk management techniques. Accordingly, the ICAAP should be integrated into the strategic planning process by emphasising, inter alia, that strategic decision-making involves risk￾taking, which ultimately has to be offset by adequate levels of capital. A thorough and comprehensive ICAAP is a vital component of a strong risk management program. 2. Scope of Application This guideline applies to all entities that are incorporated in Barbados and are licensed under the Financial Institutions Act, Cap 324A. Licensees that are branches of foreign banks are exempt from the requirements of this guideline. Each licensee needs to implement a comprehensive ICAAP and prepare an ICAAP report providing both a relatively high-level overview of its business and sufficient detail to provide insight into the underlying analysis and procedures used in the assessment. The Bank recognizes that some licensees are subsidiaries of larger international banking groups and the ICAAP process may be led by their Head Office abroad. Barbadian subsidiaries of foreign banks may borrow from consolidated group methodologies for assessing risk and capital. However, the ICAAP of the local institution should reflect its own circumstances, and group-wide data and methodologies should be appropriately modified and adapted to yield internal capital targets and a capital plan that is relevant to the institution incorporated in Barbados. Each licensee should have an ICAAP that is appropriate for its unique risk characteristics and should not rely solely upon the assessment of capital adequacy at the parent company level. This does not preclude the use of a consolidated ICAAP as an important input to a subsidiary bank's own ICAAP, provided that each entity's Board and senior management ensure that the ICAAP is

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 4 Bank Supervision Department CENTRAL BANK OF BARBADOS appropriately modified to address the unique structural and operating characteristics and risks of the subsidiary bank. The Bank expects subsidiaries of international banking groups to put into place an ICAAP that covers the consolidated operations from the top-level regulated entity in Barbados. In addition, the Bank expects an institution’s capital planning to consider the risks of its foreign operations and the availability of capital and assets in Barbados to protect Barbadian depositors. 3. What is an ICAAP? The ICAAP is the formal process through which a licensee adequately identifies, measures, aggregates and monitors material risk, to ultimately build a risk profile that will become the basis for allocating internal capital to support the risks it takes on. The design of the ICAAP is the responsibility of the licensees. Each institution is responsible for its ICAAP, and for setting internal capital targets that are consistent with its risk profile and operating environment. The ICAAP should be tailored to the licensee’s circumstances and needs, and it should use the inputs and definitions that the institution normally uses for internal purposes. 3.1. ICAAP Characteristics The level of complexity and sophistication within an ICAAP depends on the nature of a licensee’s business operations. However, all ICAAPs should exhibit the following characteristics in order to ensure their adequacy and integrity. i. Comprehensive The ICAAP should be comprehensive and consider all material risks, including: a) Pillar I risks, including major differences between the treatment of Pillar I risks in the calculation of regulatory capital requirements and the treatment under the licensee’s own ICAAP. b) Risks not fully captured under Pillar I, such as underestimation of credit risk using the standardized approach, underestimation of operational risk using the basic indicator approach or the standardized approach. Regarding credit risk, particular attention should be paid to any residual risk arising from the use of credit risk mitigation (CRM), and securitization. c) All material Pillar II risks to which the licensee may be exposed, such as interest rate risk in the banking book, concentration risk, liquidity risk, reputation and strategic risk. Some of these risks are less likely to lend themselves to quantitative approaches, and licensees are expected to employ more qualitative methods of assessment and mitigation. d) Risk factors external to the institution. These include risks that may arise from the regulatory, economic or business environment and which are not included in the above-mentioned risks.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 5 Bank Supervision Department CENTRAL BANK OF BARBADOS ii. Forward-Looking The ICAAP should take into account the licensee’s strategic plans and how they relate to macroeconomic factors. The licensee should develop internal strategies which incorporate factors such as loan growth expectations, future sources and uses of funds. The licensee should have an explicit, approved capital plan, which states the licensee's objectives and the time horizon for achieving those objectives, and in broad terms the capital planning process and the responsibilities for that process. The capital plan should include details on how the licensee will comply with capital requirements in the future, any relevant limits related to capital, and a general contingency plan for dealing with divergences and unexpected events (for example, raising additional capital, restricting business, or using risk mitigation techniques. In addition, licensees should conduct appropriate stress tests (See Section 3.2.3 for more details). Senior management and the Board should view capital planning as a crucial element in being able to achieve its desired strategic objectives. Because various definitions of capital are used within the banking industry, each licensee should state clearly the definition of capital used in any aspect of its ICAAP. Since components of capital are not necessarily alike and have varying capacities to absorb losses, a licensee should be able to demonstrate the relationship between its internal capital definition and its assessment of capital adequacy. If a licensee’s definition of capital differs from the regulatory definition, the licensee should reconcile such differences and provide an analysis to support the inclusion of any capital instruments that are not recognized under the regulatory definition. Although common equity is generally the predominant component of a licensee’s capital structure, a licensee may be able to support the inclusion of other capital instruments in its internal definition of capital if it can demonstrate a similar capacity to absorb losses. The licensee should document any changes in its internal definition of capital, and the reason for those changes. iii. Reasonable Outcome The ICAAP should produce a reasonable overall capital number and assessment. The licensee should document the similarities and differences between its ICAAP number and its regulatory capital. 3.2. ICAAP Components A rigorous ICAAP has six main components: • Board oversight • Senior management oversight • Sound capital assessment • Comprehensive assessment of risks • Monitoring and reporting • Internal control review

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 6 Bank Supervision Department CENTRAL BANK OF BARBADOS 3.2.1. Board Responsibility The Board of Directors (Board) has the responsibility of ensuring that the institution has an adequate ICAAP. The Board should: i. Define corporate objectives, risk strategies, and the licensee’s risk profile; ii. Set the licensee’s risk appetite; iii. Establish, along with senior management and the Chief Risk Officer3 , the licensee’s risk appetite, taking into account the competitive and regulatory landscape and the licensee’s long-term interests, risk exposure and ability to manage risk effectively; iv. Approve the approach and oversee the implementation of key policies pertaining to the licensee’s ICAAP; v. Ensure that senior management implements the ICAAP with adequate systems and internal monitoring policies and procedures in place; vi. Review timely reports on the nature and level of all risk exposures and their relation to capital levels; vii. Understand and acknowledge that risk measurements will include a level of uncertainty; viii. Ensure that the results of the ICAAP form part of the ongoing management of the licensee's business; and ix. Review the ICAAP at least annually, or whenever material changes in the licensee's risk profile or business environment become evident. 3.2.2. Senior Management Responsibility The responsibility for the ongoing development of the ICAAP should reside with senior management. Therefore, the ICAAP should be considered and incorporated into the licensee’s strategic and operations management processes. Senior management, along with the independent risk management function4 , must be able to assess on a regular basis, the material risks within the licensee’s activities, as the results of such assessments will play a key role in the allocation of capital to business units, as well as influencing key business decisions such as expansion plans and budgets. Throughout these processes, senior management must establish clear and transparent reporting lines and define corresponding responsibilities. Specifically, senior managers should: i. Implement business strategies, risk management systems, risk culture, processes and controls for managing the risks to which the licensee is exposed and concerning which it is responsible for complying with laws, regulations and internal policies;

3 Where this role exists. See Section 8.3 of the Corporate Governance Guideline. 4 See Section 8.0 of the Corporate Governance Guideline which requires licensees to have an effective internal risk management function in place with adequate authority, stature, independence, resources and access to the Board.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 7 Bank Supervision Department CENTRAL BANK OF BARBADOS ii. Establish, along with the Board and the Chief Risk Officer5 , the licensee’s risk appetite, taking into account the competitive and regulatory landscape and the licensee’s long-term interests, risk exposure and ability to manage risk effectively; iii. Define strategies and procedures for the setting of limits and adherence to capital requirements; iv. Ensure dissemination of information and procedures on the ICAAP to relevant staff; v. Establish suitable internal control systems and reporting structures and ICAAP supporting documentation to support the ICAAP; and vi. Ensure that employees are trained and well equipped to perform their duties. In addition, the following are responsibilities of the risk management function: i. Ensure that there are adequate systems for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties; ii. Establish procedures for the regular and independent validation and testing of any models used to measure components of risk; iii. Report to the Board in a timely manner, the nature and level of all risk exposures and their relation to capital levels; and iv. Ensure that there is a regular (at least annual) review of systems, procedures and processes that support the ICAAP, and that adaptation is carried out as necessary. Overall, senior management is responsible for integrating capital planning and capital management into the licensee’s risk-management culture and approach. 3.2.3. Comprehensive Assessment of Risks The ICAAP involves multiple stages. An example of the sequence of steps is set out in Appendix

1. The main stages are described below. i. Risk Appetite and Risk Profile Identification and Assessment This initial stage is critical to ensuring the integrity of the ICAAP, as it sets the stage for the remainder of the risk management process. The licensee can only control risks if they are identified in this step. This segment of the ICAAP should be reviewed regularly and any changes to the licensee’s risk profile factored into the process. For instance, the introduction of new products or services by a licensee may alter its risk profile significantly. Licensees should explicitly define their risk appetite. The risk appetite refers to the aggregate level and types of risk a licensee is willing to assume, decided in advance and within its risk

5 Where this role exists. See Section 8.3 of the Corporate Governance Guideline.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 8 Bank Supervision Department CENTRAL BANK OF BARBADOS capacity, to achieve its strategic objectives and business plan. A licensee’s risk limits refer to quantitative measures or limits based on, for example, forward-looking assumptions that allocate the bank’s aggregate risk to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate, other measures. The risk capacity is the maximum amount of risk a licensee is able to assume given its capital base, risk management and control capabilities as well as its regulatory constraints6 . The Board should consider, inter alia, when defining the licensee’s risk appetite: ▪ How much risk can the licensee take on (especially, which supervisory constraints have to be observed)? ▪ How much risk does the licensee want to take on (and at what rate of return)? ▪ How much capital is necessary to cover the specific risks involved (capital planning)? Key to the process of identifying risks is the identification of the data necessary for the quantification of risks and how such data can be provided. Once the risk appetite has been determined, it should be transposed onto risk types and in more granular measures, such as business lines or operational sub-units. In this way, the licensee can more clearly define its risk profile. The risk profile is a point-in-time assessment of a licensee’s gross risk exposures (ie before the application of any mitigants) or, as appropriate, net risk exposures (ie after taking into account mitigants) aggregated within and across each relevant risk category based on current or forward-looking assumptions7 . This step will aid senior management in decision-making and assignment of responsibility for individual business lines and operational sub-units. ii. Assessment and Quantification of Material Risks The purpose of assessing risks is to give a picture of the significance and effects of risks on the licensee. Licensees need to look in detail at each type of relevant risk in order to determine its materiality. Licensees can establish their own risk indicators for each type of risk to help assess which risks are most material to its operations. Risk indicators are an important tool which can assist licensees in assessing their risk profile on an ongoing basis and may signal a change in the level of materiality of a risk. Licensees should ensure that a concise description of their material risk identification process is well documented. After licensees have identified the material risks throughout their operations, decisions must be made on how individual risks will be assessed and measured for the calculation of both internal and regulatory capital requirements. Such decisions must be transparent and formally documented. As such, licensees may draw up a risk categorisation profile to aid in managing the process. A template example is illustrated in Appendix 2.

6 BCBS (2015), Corporate governance principles for banks (See ‘Glossary’) and Financial Stability Board (FSB), Principles for an effective risk appetite framework, November 2013. 7 BCBS (2015), Corporate governance principles for banks (See ‘Glossary) and; Financial Stability Board (FSB), Principles for an effective risk appetite framework, November 2013.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 9 Bank Supervision Department CENTRAL BANK OF BARBADOS For material risks, licensees also need to consider and assess how the risks are mitigated. Materiality should be considered against a range of benchmarks such as capital, earnings, market rating, impact on customer confidence, and impact on cost of funding. Some risks tend to overlap, so care should be taken not to double-count. While in some cases the degree of risk against which it is prudent to hold capital can be measured fairly precisely (e.g. for interest rate risk in the banking book by assessing the effect of a sudden 200 basis point shift in the yield curve), in other cases it will be necessary to allocate a suitable capital cushion less mechanistically. Once individual risks have been identified and the capital required to cover the risk has been quantified, the required capital for all the risks needs to be aggregated to determine the total ICAAP figure – i.e. the total amount of capital needed to cushion the licensee's unique risk profile. While not all risks can be measured precisely, a process should be developed to estimate risks. Therefore, the following risk exposures, which by no means constitute a comprehensive list of all risks, should be considered. Credit Risk Licensees should have methodologies that enable them to assess the credit risk involved in exposures to individual borrowers or counterparties as well as at the portfolio level. At a minimum and where applicable, the credit review assessment of capital adequacy should cover four areas: risk rating systems, portfolio analysis/aggregation, securitization/complex credit derivatives, and large exposures and risk concentrations. Internal risk ratings are an important tool in monitoring credit risk. Internal risk ratings should be adequate to support the identification and measurement of risk from all credit exposures, and should be integrated into an institution’s overall analysis of credit risk and capital adequacy. The ratings system should provide detailed ratings for all assets, not only for criticised or problem assets. Loan loss reserves should be included in the credit risk assessment for capital adequacy. Credit Risk Concentrations The impact of risk concentrations should be reflected in an institution’s ICAAP. Typical situations in which risk concentrations can arise include exposures to: ▪ single counterparty, borrower or group of connected counterparties or borrowers; ▪ industry or economic sectors, including exposures to both regulated and nonregulated financial institutions such as hedge funds and private equity firms; ▪ geographical regions; ▪ similar collateral types or to a single or closely related credit protection provider, and other exposures arising from credit risk mitigation techniques; and ▪ trading exposures/market risk. Risk concentrations can also arise through a combination of exposures across these broad categories. An institution should have an understanding of its firm-wide credit risk concentrations resulting from similar exposures across its different business lines.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 10 Bank Supervision Department CENTRAL BANK OF BARBADOS An institution may also incur a concentration to a particular asset type indirectly through investments backed by such assets (e.g., collateralised debt obligations – CDOs), as well as through collateral or guarantees used to mitigate credit risk. Institutions that place more reliance on collateral values than on an evaluation of a borrower’s or counterparty’s capacity to perform may see themselves exposed to unexpected market risk in addition to wrong way risk, particularly where the value of the collateral declines. An institution should have in place adequate, systematic procedures for identifying high correlation between the creditworthiness of a protection provider or collateral and the obligors of the underlying exposures due to their performance being dependent on common factors beyond systemic risk (i.e. “wrong way risk”). Risk Diversification Institutions should exercise caution when including risk diversification benefits in ICAAP. Assumptions on diversification are often based on expert judgement and are difficult to validate. Institutions should be conservative in their assessment of diversification benefits, in particular between different classes of risk. Institutions should have clear policies and procedures supporting the aggregation across risk types. Institutions should understand the challenges presented by risk aggregation and the inherent uncertainty in quantitative estimates used to aggregate risks (including the difficulty in estimating concentrations across risk types). Institutions are encouraged to consider the various interdependencies among risk types, the different techniques used to identify such interdependencies, and the channels through which those interdependencies might arise – across risk types, within the same business line, and across different business lines. Any associated uncertainty in aggregating capital estimates across risk types and business lines should translate into greater capital needs. Securitization Where securitization activities (e.g., securitization of own-assets for risk transfer and/or funding; provision of backstop credit facilities to third-party conduits) are material, an institution’s ICAAP needs to consider the risks arising from originating, structuring, distributing and/or investing in such assets, including risks that are fully captured in minimum regulatory capital requirements. These may include, for example, reputational risk and the provision of non-contractual or implicit support to securitization vehicles. Asset performance may cause assets to return to the balance sheet through amortization and repurchase. Disruptions in market demand for asset-backed paper may leave assets in securitization pipelines on the balance sheet or force the originator to support its own paper. These have adverse implications for capital and liquidity that should be part of the institution’s capital and liquidity planning.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 11 Bank Supervision Department CENTRAL BANK OF BARBADOS An institution should develop prudent contingency plans specifying how it would respond to capital pressures that arise when access to securitization markets is reduced. The contingency plans should also address how the institution would address valuation challenges for potentially illiquid positions held for sale or for trading. The risk measures, stress testing results and contingency plans should be incorporated into the licensee’s risk management processes and its ICAAP and should result in an appropriate level of capital under Pillar 2 in excess of the minimum requirements commensurate with the Board’s stated risk limits. Cross-Border Lending Institutions that engage in cross border lending are subject to increased risk including country risk, concentration risk, foreign currency risk (market risk) as well as regulatory, legal, compliance and operational risks, all of which should be reflected in the ICAAP. Laws and regulators’ actions in foreign jurisdictions could make it much more difficult to realize on assets and security in the event of a default. Where regulatory, legal and compliance risks associated with concentrations in cross border lending are not considered elsewhere in an institution’s risk assessment process; additional capital may be required for this type of lending in an institution's ICAAP. Operational Risk Similar rigor should be applied to the management of operational risk, as is done for the management of other significant banking risks. The failure to properly manage operational risk can result in a misstatement of an institution’s risk/return profile and expose the institution to significant losses. A licensee should develop a framework for managing operational risk and evaluate the adequacy of capital given this framework. The framework should cover the licensee’s appetite and limits for operational risk, as specified through the policies for managing this risk, including the extent and manner in which operational risk is transferred outside the licensee. It should also include policies outlining the licensee’s approach to identifying, assessing, monitoring and controlling/mitigating the risk Market Risk Institutions should have methodologies that enable them to assess and actively manage all material market risks, wherever they arise throughout the institution (i.e., position, trading desk, business line or firm-level). For more sophisticated institutions, the assessment of internal capital adequacy for market risk, at a minimum, should be based on both value-at-risk (VaR) or similar modelling and stress testing, including an assessment of concentration risk and the assessment of illiquidity under stressful market scenarios. An institution’s VaR model should be adequate to identify and measure risks arising from all its trading activities and should be integrated into the overall internal capital assessment as well as

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 12 Bank Supervision Department CENTRAL BANK OF BARBADOS subject to rigorous ongoing validation. A VaR model’s estimates should be sensitive to changes in the trading book risk profile. Interest Rate Risk in the Banking Book The measurement process should include all material interest rate positions of the licensee and consider all relevant repricing and maturity data. Such information will generally include current balance and contractual rate of interest associated with the instruments and portfolios, principal payments, interest reset dates, maturities, the rate index used for repricing, and contractual interest rate ceilings or floors for adjustable-rate items. The system should also have well￾documented assumptions and techniques. Regardless of the type and level of complexity of the measurement system used, senior management should ensure the adequacy and completeness of the system. Because the quality and reliability of the measurement system is largely dependent on the quality of the data and various assumptions used in the model, senior management should give particular attention to these items. Liquidity Risk Liquidity is crucial to the ongoing viability of any banking organisation. Licensees’ capital positions can have an effect on their ability to obtain liquidity, especially in a crisis. Each licensee must have adequate systems for measuring, monitoring and controlling liquidity risk. Licensees should evaluate the adequacy of capital given their own liquidity profile and the liquidity of the markets in which they operate. Other Risks Although risks such as strategic and reputation risk are not easily measurable, institutions are expected to develop techniques for managing all aspects of these risks. Reputation risk is a key issue for an industry that relies on the confidence of consumers, creditors and the general marketplace. For example, when an institution acts as an advisor, arranges or actively participates in financial transactions, it may assume insurance, market, credit, and operational risks. Reputation risk often arises because of inadequate management of these other risks, whether they are associated with direct or indirect involvement in the sale or origination of complex financial transactions or relatively routine operational activities. Reputational risk can lead to the provision of implicit support, which may give rise to credit, liquidity, market and legal risk – all of which can have a negative impact on an institution’s earnings, liquidity and capital position. An institution should identify potential sources of reputational risk to which it is exposed. This includes the institution’s business lines, liabilities, affiliated operations, off-balance sheet vehicles and markets in which it operates. The risks that

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 13 Bank Supervision Department CENTRAL BANK OF BARBADOS arise should be incorporated into the institution’s risk management process and appropriately addressed in its ICAAP and liquidity contingency plans. iii. Development of a Suitable Risk Policy A risk policy must be formulated which will aid senior management in the setting of individual risk limits. The likely steps in developing such limits are as follows: • Definition of limits (initially aggregated for the overall operations of the licensee) on the basis of the licensee’s articulated risk appetite and its target risk structure; • Assignment of limits to individual risk categories and business lines or operational sub￾units; • Validation of the utilization of individual limits; • Implementation of limits in actual operations. iv. Scenario Analysis and Sensitivity Testing8 In addition to ensuring that licensees have comprehensive procedures for assessing their material risks, the Bank also expects a licensee's senior management to be able to demonstrate that they are alert to the particular stage of the business cycle currently obtaining. Licensees need to put in place rigorous forward-looking stress-testing, seeking to identify possible events or cyclical changes in market conditions that may impact severely their earnings, liquidity or asset values. The assumptions underlying the usual assessment methods may not be relevant in a stressed situation and this can lead to substantial underestimates of risk. For this reason, it is important for a licensee to define and document relevant stress scenarios, together with their relevant underlying assumptions. Licensees must define relevant stress scenarios for all material risk types and analyse the effect that simultaneous and concurrent occurrences of exceptional situations would have on the licensee’s risk-bearing capacity. The results of the stress tests provide indications, which may be helpful in identifying any existing weaknesses. An institution’s capital planning process should incorporate rigorous, forward-looking stress testing that identifies possible events or changes in market conditions that could adversely impact the institutions. In their ICAAPs, institutions should examine future capital resources and capital requirements under adverse scenarios. The results of forward-looking stress testing should be considered when evaluating the adequacy of an institution’s capital. Licensees should review the Bank’s guideline on stress testing in formulating stress scenarios.

8 Please refer to the Stress Testing Guideline, December 2007.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 14 Bank Supervision Department CENTRAL BANK OF BARBADOS 3.2.4. Monitoring and Reporting The licensee should establish an adequate system for monitoring and reporting risk exposures and assessing how the licensee’s changing risk profile affects the need for capital. The licensee’s senior management and Board of Directors should, on a regular basis, receive reports on the licensee’s risk profile and capital needs. These reports should allow senior management to: ▪ Evaluate the level and trend of material risks and their effect on capital levels; ▪ Evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system; ▪ Determine that the licensee holds sufficient capital against the various risks and is in compliance with established capital adequacy goals; and ▪ Assess its future capital requirements based on the licensee’s reported risk profile and make necessary adjustments to the licensee’s strategic plan accordingly. 3.2.5. Internal Audit, Controls and Review Adequate internal audit and controls provide critical support in any risk management system. Within the ICAAP, licensees are required to have strategies and processes in place for continuously assessing and maintaining the adequacy of internal capital. It is therefore essential that regular independent internal reviews of these strategies and processes be carried out to enable maintenance of the ICAAP’s integrity, reliability and relevance. The internal control system should ensure compliance with relevant laws and other regulations, as well as internal policies and procedures. The system of internal control, should include, inter alia, an ICAAP review process that is subject to independent internal reviews conducted as often as deemed necessary, to ensure that capital coverage reflects the actual risk profile of the licensee. This review should take place at least annually. Areas that should be reviewed include: i. Appropriateness of the licensee’s capital assessment process given the nature, scope and complexity of its activities; ii. Identification of large and/or material exposures and risk concentrations; iii. Accuracy and completeness of data inputs into the licensee’s assessment process; iv. Reasonableness and validity of scenarios used in the assessment process; and v. Stress testing and analysis of assumptions and inputs. 4. Critical Success Factors Below are some factors that are critical to developing and maintaining an adequate ICAAP. 4.1. Methodology, Assumptions and Definitions The ICAAP should include a description of how the assessments for each of the risks within the ICAAP have been approached and the main underlying assumptions. In addition, licensees must include within ICAAP documentation, all definitions of terminology used.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 15 Bank Supervision Department CENTRAL BANK OF BARBADOS 4.2. Suitable IT Systems Licensees may conduct a gap analysis to determine the capacity and capabilities of existing IT systems as it relates to the requirements of an ICAAP. In some cases, licensees may be able to rely on existing risk management systems (risk measurement, limit monitoring) to support their ICAAP. However, it may be necessary for some licensees to invest in expansions and new acquisitions within its IT systems, in order to support its ICAAP. 4.3. Documentation Adequate supporting documentation is critical to help ensure the proper functioning of an ICAAP. Documentation of methods and procedures used within the ICAAP should describe, inter alia, the risk management process, internal risk definitions, risk assessment methods applied during the risk management process, as well as assumptions made during this process. The ICAAP must be transparent throughout the organisation and documentation of its different aspects must be tailored to the relevant target groups throughout the organisational structure. It is therefore advisable to use various levels of detail and explanation of the ICAAP for different levels of responsibility throughout the organisation. The scope and level of detail of documentation should be proportionate to the size, complexity and risk levels of the licensee. Therefore, senior management must determine if varying levels of documentation are necessary to support the type of business operations, which the ICAAP is meant to support. In cases where this kind of documentation structure may be necessary, Appendix 3 gives an indication of the type and depth of documentation that may be required at each level of responsibility within the organisation. 5. Role of the Bank The Bank is responsible for evaluating how well licensees are assessing their capital needs relative to their risks and therefore requires that the ICAAP be shared with the Bank.9 However, the Bank does not intend to make a licensee's ICAAP subject to specific approval. Once received, the ICAAP will be reviewed in detail by the Bank as the basis for a supervisory review dialogue with the licensee's senior management. 5.1. Interaction of ICAAP with Supervisory Review The Bank has developed a Supervisory Framework10. One of the main outputs of this framework is a Composite Risk Rating (CRR) which represents the Bank’s assessment of the safety and

9 Please refer to the Bank’s ICAAP Submission Template. This template serves only as a guide to licensees in developing the ICAAP document for submission to the Bank. It is not the required format, but licensees must ensure that the ICAAP document addresses all elements. 10 See the supervisory framework document at http://www.centralbank.org.bb/banking-supervision/regulatory￾framework/supervisory-practices for further discussion on this process.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 16 Bank Supervision Department CENTRAL BANK OF BARBADOS soundness of the licensee. The Bank reaches this rating by:

1. Identifying and determining the level of all inherent risks present in the significant activities of a licensee;
2. Assessing the effectiveness and adequacy of its oversight and risk management functions; and
3. Assessing the mitigating ability of its capital and earnings which includes the review of the licensee’s ICAAP. The Bank’s review of the ICAAP will:
4. Consider the risks to which the licensee is or may be exposed;
5. Consider the likelihood that the licensee’s governance, control deficiencies and/or business model or strategy are likely to exacerbate or mitigate these risks, or expose the licensee to new sources of risk; and
6. Assess whether the licensee’s capital resources provide sound coverage of these risks. It is expected that the review of the ICAAP and the ongoing dialogue with the licensee's senior management will lead to a more accurate and effective supervisory risk-based assessment. Additionally, the Bank will consider the materiality of any deficiencies or vulnerabilities identified to determine:
7. The potential prudential impact of not addressing the issue (i.e. whether it is necessary to address the issue with a specific measure);
8. Future supervisory resourcing and planning for the licensee; and
9. The need for early intervention measures as specified in the Bank’s Intervention Policy Framework.11

11 See the Intervention Policy Framework at http://www.centralbank.org.bb/banking-supervision/regulatory￾framework/supervisory-practices.

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 17 Bank Supervision Department CENTRAL BANK OF BARBADOS APPENDIX 1 ONGOING PROCESS STEPS TYPES OF QUESTIONS TO ASK AND CONSIDERATIONS EXAMPLES OF DOCUMENTATION LEVEL OF RESPONSIBILITY Identify risk appetite and risk profile ▪ What is the entity's business strategy and risk appetite? ▪ Does it employ a conservative or a risky strategy? ▪ In what type of business is the entity engaged? ▪ What are the risks inherent its type of business? ▪ Any plans for product/service expansion? If so, what are the risks inherent in any proposed new ventures and how will they be managed? ▪ What were the main reasons for past losses and the likelihood of similar losses? ▪ How much capital is needed to cover risks identified? ▪ Business Strategy ▪ Risk Management Structure ▪ Board of Directors Assess risks identified and align with business lines and operational sub-units ▪ How are the individual risks monitored? For example, what reports, limits, reporting lines and controls are employed to manage each risk? ▪ What is your definition of material and non￾material risks? ▪ Assignment of limits to individual risk categories and lines of business or operational sub-units. ▪ Identify your use of risk mitigants e.g. insurance, hedging. ▪ Stress testing variables defined ▪ Management reports ▪ Chief Risk Officer ▪ Senior management ▪ Line management

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 18 Bank Supervision Department CENTRAL BANK OF BARBADOS APPENDIX 1 Cont’d ONGOING PROCESS STEPS TYPES OF QUESTIONS TO ASK AND CONSIDERATIONS EXAMPLES OF DOCUMENTATION LEVEL OF RESPONSIBILITY ▪ What is the role of stress and scenario testing in your assessment of risk? Develop and maintain suitable risk policy/strategy to aid senior management in setting individual risk limits ▪ How will the defined risk appetite be managed? ▪ What expertise is needed to manage the risk profile identified? ▪ Risk policy which details, inter alia, limits and managerial responsibilities ▪ Individual risk policies e.g. Credit Risk Management Policy ▪ Board of Directors ▪ Chief Risk Officer ▪ Senior management Determine what techniques are to be used to quantify risk capital and quantity ▪ Describe the processes/quantification techniques used to link capital to material risks. ▪ Do the complexity of the risk/business operations warrant a complex model to quantify the risk or will an add-on/capital cushion method be used? Or a combination of the two? ▪ Does the expertise exist in-house to execute a particular technique? ▪ ▪ Documentation detailing rationale for choice of quantification technique ▪ Documentation detailing technique chosen e.g. inputs and outputs of Model ▪ Chief Risk Officer ▪ Senior management ▪ Line management Approach Chosen ▪ Simple ▪ Model Simple ▪ How much buffer is needed to cover Pillar II risks Model ▪ Will a shelf or customized model be used? ▪ Does it meet supervisory requirements? ▪ ▪ Output reports of approach chosen ▪ Chief Risk Officer ▪ Senior management ▪ Line management

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 19 Bank Supervision Department CENTRAL BANK OF BARBADOS APPENDIX 1 Cont’d ONGOING PROCESS STEPS TYPES OF QUESTIONS TO ASK AND CONSIDERATIONS EXAMPLES OF DOCUMENTATION LEVEL OF RESPONSIBILITY Aggregate risk capital to determine ICAAP i.e. the total required capital ▪ Are there diversification and correlation benefits among the risk categories? ▪ What are the assumptions made when aggregating? ▪ Are there any differences between the ICAAP number and the amount of capital required under Pillar I? How does the ICAAP number influence/inform management decisions? ▪ Detailed Assumptions Report detailing the ICAAP number and its interpretation ▪ Board of Directors ▪ Chief Risk Officer ▪ Senior management

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 20 Bank Supervision Department CENTRAL BANK OF BARBADOS APPENDIX 2 Sample Template of a Risk Categorisation Profile Risk Type Risk Subtype (if applicable) Risk Level e.g. High etc. Justification (if risk is immaterial) Risk Assessment/Quantification Procedure used Credit Risk Default Risk Concentration risk High Strict limits and increased monitoring Interest rate risk in the Banking Book High Value at Risk Model Operational Risk Medium Basic Indicator Approach Market Risk Foreign Exchange risk in the trading book Immaterial Hedges 100% of foreign currency exposures Not considered Liquidity Risk Term liquidity risk Medium Maturity Gap Analysis/Limits Other risks Strategic risk Medium Cushion Reputation risk Low Cushion

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE November 2019 Internal Capital Adequacy Assessment Process Guideline: November 2019 21 Bank Supervision Department CENTRAL BANK OF BARBADOS APPENDIX 3 Possible Types and Depth of Documentation Under an ICAAP Responsibility Subject of Documentation Significance and Level of Detail (increases with direction of arrow) Board Example of document type: Risk Strategy ▪ Risk appetite; ▪ Risk Management Structure; Level of Detail Strategic and frequency Significance of revisions Chief Risk Officer Example of document type: Risk Manual ▪ Risk Management Process; ▪ Risk assessment, control and monitoring; Division/ Department Example of document type: Department specific manuals ▪ IT user manuals; ▪ Work objectives;