Decree of NBS No 13/2010 on Risk Management

Volume 29/2010 Journal of the NBS – Decree of NBS No. 13/2010 317 13 DECREE of Národná banka Slovenska of 31 August 2010 on further types of risks, on details of risk management system of a bank and a foreign bank branch and on defining a sudden and unexpected change of interest rates on the market In compliance with Article 27 Paragraph 14 Letter a) and d) and Article 33f Paragraph 3 of Act No. 483/2001 Coll. on Banks and on amendments and supplements to certain laws (hereinafter referred to as the “Act”), Národná banka Slovenska hereby lays down the following rules: Article 1 For the purposes of this Provision: a) A competent department is considered to be an organisational department of a bank or a foreign bank branch (hereinafter referred to as the “Bank”), Bank Council or a Bank employee performing a role in the process of risk management; b) A responsible employee is considered to be a Bank employee whose activity has or may have a specific impact on the risk the Bank is exposed to or who participates in the process of risk management; c) Risk identification is considered to be the identification of factors influencing the potential loss in Bank’s transactions, activities, processes and systems; d) Risk measuring is considered to be the calculation or estimation of the value of identified risk applying a chosen method and procedure; As a rule, risk measurement includes stress testing and back testing; e) Risk monitoring is considered to be the comparison of the measured risk values with values set by the Bank, especially in form of limits and on-going control of the following of set limits; f) Risk mitigation is considered to be the conclusion of Bank transactions or performance of its activities reducing the value of risk exposure; g) Back testing is considered to be the process of comparing risk values measured by the Bank with realised losses resulting from this risk; h) Stress testing is considered to be the process of identifying the usually little probable, but in reality possible events that may have an extraordinarily unfavourable impact on the financial health of a Bank and the adequate quantification of this impact; As a rule, stress testing consists of the development of stress scenarios and from the evaluation of their impact on costs and revenues or profit; i) The main currency is considered to be the currency in which the Bank keeps its balance sheet positions of significant volume or positions resulting from items not recorded in the balance sheet. Article 2 (1) Interest rate risk is the risk resulting from changes in interest rates. (2) Equity risk is the risk resulting from changes in the price of equity securities. (3) Foreign exchange risk is the risk resulting from changes in foreign exchange rates. (4) Commodity risk is the risk resulting from changes in the price of commodities.

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 (5) Risk related to options is the risk resulting from the change in the value of variables determined by the market influencing the price of the option. (6) Specific risk of debt financial instruments is the risk resulting from the change in the price of a long-term financial instrument caused by factors related to the issuer of the relevant financial instrument and in case of derivates to the issuer of the relevant underlying instrument. (7) General risk of debt financial instrument is the risk resulting from the change in the price of a debt financial instrument caused by changes in interest rates, excluding the impact of factors related to the issuer of the relevant financial instrument. (8) Specific risk of capital instruments is the risk resulting from the change in the price of the capital instrument caused by factors related to the issuer of the relevant financial instrument and in case of derivates to the issuer of the relevant underlying instrument. (9) General risk of capital instruments is the risk resulting from the change in the price of the capital instrument caused by the changes in prices of capital securities, excluding the influence of factors related to the issuer of the relevant financial instrument. (10) Risk of concentration is the risk resulting from the concentration of a Bank transaction with regards to a person, a group of economically associated persons, the government, a geographic region or economic sector. (11) Settlement risk is the risk resulting from a situation when a transaction settlement does not take place according to the agreed conditions. (12) Counterparty risk is the credit risk resulting from the position recorded in the bank´s trading book. (13) Risk of the country is the risk resulting from a situation when relevant bodies of the government or the central bank are unable or unwilling to fulfil their obligations to foreign entities and when remaining debtors in the given country will not be able to fulfil their obligations to foreign entities due to the fact that they are residents of this country. (14) Residual risk is the risk resulting from the fact that acknowledged procedures to mitigate credit risk used by the Bank are less effective than expected by the Bank. (15) The risk resulting from securitisation is the risk resulting from the fact that the Bank is in a position of an investor, originator1) or sponsor with regards to complex business obligatory relationships in the area of securitisation. Article 3 (1) The risk management system includes a) Creating conditions for risk management, mainly:

1. Development of risk management strategy according to Article 5;

1 ) For example, Article 139 Letter d) of Decree of Národná banka Slovenska No. 4/2007 on a bank’s own funds of financing and a bank’s capital requirements and on investment firm’s own funds of financing and investment firm‘s capital requirements (Notification No. 121/2007 Coll.).

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 2. Ensuring risk management organisation according to Article 6 corresponding to the scope and complexity of a Bank’s activity and enabling the realisation of the approved risk management strategy; 3. Creating an information system according to Article 8; 4. Setting up an adequate system of transaction conclusion and development of internal regulations according to Article 9; 5. Creating a system of introducing new types of transactions according to Article 10; b) Identification, measuring, monitoring and mitigation of risks, especially determining

1. The method of risk identification;
2. The method of risk measurement corresponding to the scope and complexity of a Bank’s activity;
3. The methods to set limits and monitor risks;
4. Transactions, activities and procedures to mitigate risk; c) Creating an adequate system of internal control according to Article 11; d) Creating a system of evaluation of the adequacy of internal capital according to Article 27 Paragraph 3 of the Act. (2) A special regulation2) applies to the system of liquidity risk management. (3) Provisions of the Paragraph 1, fulfilment of which is demonstrably ensured by a foreign bank, do not apply to a foreign bank branch. Article 4 (1) A sudden and unexpected change of interest rates on the market is understood as a parallel shift of the revenue curve upwards or downwards by 200 basis points. (2) A revenue curve is understood as the chart presenting revenues until maturity of financial instruments on a corresponding transaction day depending on their residual maturity period, providing information about the time structure of interest rates. Article 5 (1) Risk management strategy is the document or a set of documents approved and evaluated by the statutory body of the Bank including the main aims and principles applied by the Bank in risk management, mainly: a) Detailed risk definitions used by the Bank, b) Long-term aims of the Bank in the area of risk exposure to risk, especially
5. The acceptable risk level;
6. The expected consequences resulting from the exposure to acceptable risk level; c) The principles of selecting the method of identification, measuring, monitoring and mitigation of risks in all important types of transactions, activities, processes and systems of the Bank; d) The types of limits to be used by the Bank and principles of selecting and determining of further limits, e) The volume of internal capital set aside to cover the risk and principles of determining the adequate height of internal capital;

2 ) Decree of Národná banka Slovenska No. 18/2008 on the liquidity of banks and branches of foreign banks and the procedure of liquidity risk management of banks and branches of foreign banks, and on the amendment of Decree of Národná banka Slovenska No. 11/2007 concerning the submission of statements, reports and other disclosured by banks, branches of foreign banks, investment firms and branches of foreign investment firms for supervision and statistical purposes (Notification No. 423/2008 Coll.), as amended.

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 f) The principles for performing new types of transactions; g) The principles of risk management organisation. (2) Credit risk management strategy includes mainly: a) The aims of the Bank in the area of credit risk management; b) The acceptable level of credit risk; c) The acceptable level of risk concentration with a single client, economically associated group of clients, economic sector, geographic areas or countries; d) The types of transactions and activities exposing the Bank to credit risk; e) The aim of the Bank in the area of providing credits, mainly:

1. Types of credits that the Bank aims to provide;
2. The main criteria of the Bank to provide credits;
3. Target economic sectors, geographic regions and groups of clients;
4. The expected quality of credits;
5. The expected development of credit volume;
6. The expected revenues from credits and the acceptable level of risk in terms of revenues from credits; f) Methods for measuring, monitoring and mitigating credit risk; g) Types of limits to be used by the Bank to manage credit risk and principles for the selection and setting of further limits; h) Distribution of responsibilities related to credit risk management. (3) Market risk management strategy includes mainly: a) Aims of the Bank in the area of market risk management; b) Acceptable level of market risk and main elements of the market risk; c) Types of transactions and activities exposing the Bank to market risk; d) Method of measuring, monitoring and mitigating the market risk; e) Principles and methods of position evaluation; f) Types of limits to be used by the Bank in order to manage market risk and principles of selecting and determining further limits; g) Distribution of responsibilities for market risk management; h) Principles of entering positions into the business record and Bank book including the list of transactions listed in the business book considered to be standard business positions. (4) Operational risk management strategy includes mainly: a) Aims of the bank in the area of operational risk management; b) Principles for determining and classifying events of operational risk in accordance with the definition of operational risk; c) Determining significant sources of operational risk that the Bank is exposed to; d) Methods of identification, estimate, monitoring and mitigation of operational risk; e) Distribution of responsibility for operational risk management; Article 6 (1) Risk management organisation includes mainly: a) Ensuring implementation of the risk management strategy; b) Creating organisational structure enabling to implement the approved risk management strategy; c) Involvement of relevant employees and competent departments in the process of risk management; d) Organisational and personnel distribution of activities and responsibilities of competent departments so that conflict of interest is prevented to the greatest possible degree, especially the department of

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 business activities and activities related to the settlement of transactions and activities connected with risk management for individual risks especially credit risk and market risk; e) Ensuring sufficient resources needed for the realisation of the approved risk management strategy, especially of financial resources and sufficient number of qualified employees and their substitution; f) Ensuring a balance between employee motivation, employee remuneration and risk management strategy; g) Creating adequate information flows between responsible employees of Bank and competent departments according to Article 7; h) Creating, re-evaluating and periodic testing of the process of risk management in the case of information system failure; i) Adequate awareness-raising among all responsible employees of the Bank about the approved risk management strategy in the Bank. (2) Division of business activities and activities connected with risk management according to Paragraph 1 Letter d) shall be ensured to the highest managerial level possible. (3) Business activity for the purposes of organisation and personnel division of activities is understood as the conclusion of transactions exposing the Bank to a risk. (4) For the purposes of credit risk management, activities performed separately are connected with: a) Transaction settlement, meaning especially

1. Control of the terms of concluded business;
2. Control of the fulfilment of conditions for using monetary resources;
3. Use of credit or financial settlement of the transaction except of a credit;
4. Issuing of accounting documents and accounting of a transaction;
5. Developing and keeping contractual documentation;
6. Following of the fulfilment of contractual conditions; b) Credit risk management is understood mainly as
7. Approving of limits for transactions exposing the Bank to credit risk and control of their following;
8. Analysis of the economic situation of a client or a contractual party;
9. Approving of methods and procedures of credit risk management;
10. Classification and evaluation of the assets, obligations and security;
11. Proposing of sources of identified credit risk and expected loss covering;
12. Claiming of receivables not being paid;
13. Identification, measuring, monitoring and mitigating credit risk;
14. Processing and providing of information regarding credit risk for the needs of management and decision-making; (5) For the purposes of market risk management in transactions including financial instruments of the monetary market and financial Instruments of the capital market, activities carried out in the Bank separately are connected with a) Transaction settlement, meaning especially
15. Control of the terms of concluded business;
16. Sending and accepting of confirmations regarding concluded business;
17. Financial and property settlement of the transaction;
18. Issuing of accounting documents and accounting of a transaction; b) Market risk management understood mainly as

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010

1. Approval of limits for transactions exposing the Bank to market risk and control of their following;
2. Approval of methods and procedures of market risk management;
3. Approval of methods, procedures and models for evaluation of positions through which market risk originates;
4. Evaluation of positions creating market risk;
5. Identification, measuring, monitoring and mitigation of market risk;
6. Processing of providing of information about market risk for the needs of management and decision-making; (6) For the purposes of operational risk management, activities of internal control and internal audit department are carried out in the Bank separately from activities related with operational risk management, understood mainly as a) Approval of methods and procedures of operational risk management; b) Identification, estimation and monitoring of operational risk; c) Classification of events of operational risk; d) Taking measures to mitigate operational risk; e) Processing and providing of information regarding operational risk for the purposes of management and decision-making; Article 7 Adequate information flow for risk management include especially a) providing regular and extraordinary information to the statutory body and competent bodies regarding the level of risk that the Bank is exposed to; information is provided in such periodicity, up-to-date and detail in order to enable effective management of risks with a significant impact on the financial health of the Bank, especially 1. to evaluate the level and trends in risk development.
7. To compare risk with anticipated revenues.
8. To verify if the risk level is in accordance with the set limits.
9. To evaluate if the Bank has sufficient economic capital to cover the risk in accordance with the approved strategy.
10. To evaluate validity, appropriateness and fulfilment of prerequisites used to measure risk.
11. To evaluate results of stress testing and back testing. b) Availability of current and reliable information needed for risk management for all responsible employees of the Bank. c) Ensuring of mutual communication between responsible employees of the Bank and competent departments. d) Regular evaluation of information regarding the level of risk by statutory body and consequent informing of responsible employees of the Bank and competent departments regarding changes in the process of risk management. Article 8 (1) For the purposes of risk management, creation of an information system in a Bank ensures it corresponds with the extent and complexity of Bank activities and enables especially a) At various level of aggregation;
12. Collection of information regarding risk;
13. Measurement of individual risks or groups of risks;
14. Comparing achieved values of risk level with set limits;

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 4. Verification of the compliance of the real development of risk level with the expected risk level; b) Correct evaluation of positions; c) Ensuring adequate information flow related with risk management for responsible employees of the Bank; (2) Various level of aggregation is understood as the collecting of data according to selected criteria, especially for individual risks, geographic regions, currencies, organisational departments of the Bank, portfolios of the Bank, types of businesses and contractual parties. Article 9 (1) For the purposes of risk management, an adequate system of transaction conclusion and performing of activities in accordance with the approved risk management strategy and selected methods of identification, measuring of risk monitoring and mitigation is created in a Bank. (2) The system of transaction conclusion and performing of activities and procedures for identification, measuring, monitoring and mitigation of risk is a part of the internal regulations of a Bank issued according to Article 27 Paragraph 2 of the Act and in accordance with the approved risk management strategy. Article 10 For the purposes of risk management, procedure for the approval and including of new types of transactions in the risk management system of the Bank shall be introduced, containing mainly a) Description of the new type of transaction and activity connected with this transaction; b) c) Introduction of procedures to be used for the measurement, monitoring and control of risks connected with the proposed transaction; Identification of risk factors of transaction; Analysis of impacts of proposed transactions on a Bank; dሻ Evaluation of the preparedness of the individual competent departments to introduce a new type of transaction; eሻ fሻ Including a transaction into information system; Article 11 (1) Adequate system of internal control in the area of risk management includes mainly a) Creating a relevant control environment when performing activities at a Bank, especially

1. Control activities and mechanism performed by the Board of Directors or the head of the branch of a foreign bank,
2. Control activity performed by the head employees of the Bank at lower levels of management;
3. Control activity performed by Bank employees as a part of their responsibilities and duties; b) Regular verification of functionality of the risk management system by the department of internal control and internal audit of a Bank and evaluating the effectiveness of the internal control system. (2) System of internal control in the area of risk management in case of detecting flaws shall be ensured through a) Informing competent departments and head employees of a Bank responsible for the management of the individual types of risk regarding detected flaws; b) Accepting and taking corresponding measures for improvement;

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 c) Timely performance of inevitable modifications of the risk management system; Article 12 (1) Creating adequate system of transaction closing for the purposes of credit risk management include for a) credit provision, mainly

1. Defining countries, currencies, geographic regions, economic sectors and contractual parties with whom it is possible to conclude credit transactions.
2. Introducing rules for approval of credit transactions including especially 2a. Examination of the purpose of concluded transaction. 2b. Analysis of the economic situation of the client prior to concluding of the transaction and during the duration of the transaction. 2c. Analysis of the economic sector of client and its position within this sector, 2d. evaluation of the quality, adequacy and claimability of the security, 2e. analysis of the source of repayment, 2f. Defining conditions for concluding business and for repayment of receivable that originates by transaction conclusion, 2g. Rules for changing of agreed terms of transaction, 2h. Requirements to submit documents on the part of the client according to the type of transaction and type of contractual party, 2i. Rules of performing transactions with persons with a special relationship to the Bank and identification of such relationship, 2j. Rules for the performance of transactions with economically linked groups of clients and identification of such groups, b) business with financial instruments of the monetary market and financial instruments of the capital market accompanied with credit risk, especially
3. Defining types of financial instruments that can be subject to transactions;
4. Introducing rules for conclusion of transactions, containing mainly 2a. Nominal values up to which the relevant employees are authorised to conclude transactions according to their types, other limitations of their activities related with the performance of these transactions; 2b. Procedure in case of a change or cancellation of a concluded transaction; 2c. Defining persons authorised to approve an exception to employees to limitations according to Clause 2a and 2b, conditions under which these persons may approve of an exception from limitations and cases when an employee can request such an exception,
5. Request to perform a written or audio recording from the agreement and conclusion of each transaction;
6. Request to store records indicated in Clause 3 outside of the organisational department that conclude transactions so that unauthorised manipulation is prevented at least for the period until the obligations and receivables of a Bank and a foreign bank branch last regarding the transactions that are recorded. (2) For the purposes of credit risk management, internal regulations of a bank issued according to Article 27 Paragraph 2 of the Act and in accordance with the approved credit risk management strategy contain also a) Competencies for the conclusion and approval of individual types of transactions, creating credit risk, for approval of limits, for approval of exceptions from the approved limits and procedures in the case of exceeding those limits. b) Way of cooperation and description of information flows between the organisational departments performing business activities, activities connected with settlement of business and activities connected with credit risk management.

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 c) Procedure to perform business administration creating credit risk and rules of creating sources of covering of the identified risk. d) Minimum extent of information in the record of the transaction case, for transactions accompanied with credit risk. e) Procedure for claiming of unpaid receivables. f) Procedure when evaluating security. g) Requests for regular and detailed information regarding credit risk for the statutory body and for other responsible employees of the Bank. h) Control activities when concluding transactions and performing activities. (3) The system of credit risk measurement introduced in a Bank shall correspond to the extent and complexity of Bank activities, and shall especially a) Ensure measurement of credit risk in all transactions and activities in which credit risk was identified. b) Record all concluded transactions in a correct and timely manner. c) Enable depiction of all significant sources of credit risk in assets and liabilities of a Bank. d) Evaluate the impact of changes of risk factors on the costs and revenues of a Bank, as well as the value of assets and liabilities of a Bank. e) Enable the measurement of a credit risk in individual transactions, groups of economically linked persons, individual bank portfolios, economic sectors, geographic regions, countries and currencies. Enable the measurement of a credit risk by a chosen method in accordance with the Bank strategy. fሻ gሻ Enabling measurement of credit risk so that its values can be compared with defined limits for all business units. (4) When selecting the method of credit risk measurement, the following is mainly considered: a) Type of transaction and conditions of the transaction; b) Volume of transaction until its repayment; c) Way and level of business security until the time of its repayment; d) Economic situation of the debtor or contractual party until the time of business repayment; (5) For the purposes of credit risk monitoring, especially the following is ensured in a Bank: a) Definition of limits and monitoring of positions according to

1. Type of transaction;
2. Contractual party on the level of the individual debtor and on the level of individual credit;
3. Groups of economically associated persons;
4. Economic sector;
5. Geographic region and country;
6. Currency; b) Compliance of internal limits of a Bank with all limits and limitations of a prudential business; c) Creating of a system of on-going control of the following of defined limits; d) Defining of rules and procedures for the case of exceeding limits and for approval of exceptions from set limits; e) Informing of competent departments about the level of credit risk and exceeding of limits; f) Appointing of employees of the Bank responsible for monitoring of the quality of each credit and monitoring of each security; g) Monitoring of the development of each transaction within the whole Bank portfolio so that identification and informing regarding potential problem credits and other Bank transactions is ensured, including mainly
7. Information regarding the current financial status of a debtor or contractual party;

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 2. Monitoring of the fulfilment of obligations of a debtor or a contractual party and information about delays in contractual instalments; 3. Current evaluation of credit security; 4. Timely classification and evaluation of problem credits and other transactions; h) Monitoring of the development of the overall composition and quality of Bank portfolios adequately to the scope and complexity of Bank activities. (6) For the purposes of credit risk mitigation, the following shall mainly be ensured in a Bank: a) Defining of rules for accepting various types of security and security transactions; b) Defining procedures of regular security evaluation; c) Defining procedures to ensure current and future claimability of a security; d) Defining procedures for identification of risks originating at time of credit risk mitigation, mainly of

1. Market risk connected with valuation of the subject of securing a receivable;
2. Operational risk connected with the claiming of the subject of securing a receivable;
3. Credit risk related to the guarantor;
4. Legal risk connected with incorrect or incomplete documentation regarding securing of a receivable; e) Regular evaluation of the effectiveness of a security or security transactions and based on the result, changes in the use of security or security transactions; f) Regular informing of the responsible employees regarding the results of evaluating the effectiveness of a security and security transactions; Article 13 (1) Creating of an adequate system of concluding transactions involving financial instruments of the monetary market and financial instruments of the capital market during which market risks originate, mainly including: a) Defining the types of financial instruments with which it is possible to do business; b) Introducing rules for conclusion of transactions, containing mainly
5. Nominal values up to which corresponding employees are authorised to conclude transactions according to their types and other limitations of their activities connected with the performance of these transactions;
6. Procedure in case of a change of cancellation of a concluded transaction;
7. Definition of persons authorised to approve of an exception to employees with regards to limits according to Clause 1 and 2 of the conditions under which these persons may approve of an exception from the limitations and cases when an employee may request such an exception; c) Requirement to develop a written or audio recording from negotiation and conclusion of every transaction; d) Request to store records indicated in Clause c) outside of the organisational unit concluding transactions, at least for the period until the obligations and receivables of the Bank end resulting from the transactions that are recorded so that unauthorised manipulation is prevented. (2) For the purposes of market risk management, internal Bank regulations issued according to Article 27 Paragraph 2 of the Act and in accordance with the approved market risk management strategy include also a) Competencies for concluding and approving of transactions accompanied with market risk; b) Rules for classifying transactions in the Bank book and Book of transactions and possibilities of internal transactions between the books; c) Procedure and competencies for the settlement of transactions with financial instruments;

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 d) Procedure for price monitoring when concluding transactions and their comparison with market prices; e) Ways of cooperation and description of information flows between organisational units performing business activities, activities connected with the settlement of transactions and activities connected with market risk management; f) Procedure for back testing and stress testing; g) Method of risk calculation of weighted expositions used by a bank for market risk for those parts of the market risk for which a calculation alternative is possible; h) Requests for regular and detailed information regarding market risk for the statutory body and for other responsible employees; i) Control activities when concluding transactions and performing activities; (3) System of market risk measurement introduced in the Bank shall correspond with the extent and complexity of bank activities and shall mainly a) Record all concluded transactions in a correct and timely manner; b) Enable to record all significant sources of market risk in assets and liabilities of the bank; c) Evaluate the impact of changes of market risk factors on the costs and revenues of the Bank, as well as the value of assets and liabilities of a Bank; d) Enable to measure market risk using the selected method in accordance with the Bank strategy; e) To enable correct evaluation of positions; f) To enable aggregation of the individual positions according to the selected criteria so that aggregation does not lead to a significant level of risk that the Bank is exposed to; g) To enable measuring of the total value of market risk and comparing the value with set limits; h) Enable adequate documentation of pre-requisites and parameters of measuring market risk; i) Enable measurement of interest rate risk in every main currency; j) Enable depiction of the basic sources of interest rate risk, especially

1. Time discrepancy between maturity and re-evaluation of assets, liabilities and items not recorded in the balance sheet;
2. Insufficient correlation between the paid and acquired interest payments for various financial instruments with differently similar maturities and re-evaluation;
3. Changes in case of changed angle or shape of the revenue curve;
4. Presence of included options in assets, liabilities and items not recorded in the balance sheet that may change the expected cash flow of financial instruments; (4) For the purposes of measuring market risk in a Bank, the following is mainly ensured a) Regular performance of back testing; b) Re-evaluation of the methods and procedures of market risk measurement based on the results of the back testing; c) Regular performance of stress testing; d) Regular verification of validity of pre-requisites of stress scenarios in accordance with the change in conditions on the market or in a bank; e) Special performance of stress testing, even in case of extraordinary situations that may have a specific impact on the Bank’s exposure to risk; f) Re-evaluation of set limits for market risk according to the results of the stress testing; g) Informing of the responsible employees about the results of back testing and stress testing; (5) For the purposes of market risk monitoring the following is mainly ensure in a Bank:

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 a) Setting of a limit for the level of market risk and limit for individual parts of the market risk; based on the extent of a Bank’s activities, further limits may be defined especially for individual portfolios, types of transactions or organisational units of a Bank; b) Compliance of internal limits of a Bank with all limits and limitations of a prudential business; c) Following of positions exposing the bank to market risk mainly according to:

1. Type of financial instrument;
2. Contractual party or geographic region;
3. Currency; d) Creating of a system of on-going control of the following of defined limits; e) Defining rules and procedures for the case of exceeding limits and for approval of exceptions from the set limits f) informing competent departments about the level of the market risk and about exceeding of limits; (6) For the purposes of market risk mitigation, the following is especially ensured in a Bank: a) Defining types of security transactions and activities to mitigate market risk; b) Defining the way and procedure of the use of selected security transactions and activities; c) Regular evaluation of the effectiveness of security transactions and activities and based on the results changing the use or types of security transactions and activities; d) Regular informing of the responsible Bank employees about the results of the evaluation of the effectiveness of security transactions and activities; Article 14 (1) Identification of operational risk is at the bank ensured in all: a) Types of businesses that are concluded; b) Processes applied; c) Information systems used; (2) For the purposes of operational risk management, identification includes: a) Defining of events of operational risks monitored by the Bank; b) Classifying events of operational risks into groups defined by the Bank in accordance with the Bank strategy; (3) For the purposes of operational risk management, internal bank regulations issued according to Article 27 Paragraph 2 of the Act and in accordance with the approved operational risk management strategy, also include: a) Developing of procedures for the identification of sources of operational risk in transactions, key activities, processes and systems; b) Including events of operational risk and their classification; c) Including monitoring and evaluation of the operational risk into everyday’s performance of activities in a Bank; d) Procedure for the use of operational risk mitigation, especially for the events of operational risk with low frequency, but possible high financial losses for the Bank; e) Developing principles and procedures for risk management connected with activities ensured for the bank on a supplier basis; f) Developing of plans for unexpected events and for the ensuring of the on-going business activity of a Bank; g) Regular testing and evaluation of plans for unexpected events so that they correspond to the current business strategy of a bank;

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 h) Method of cooperation and exchange of information between organisational units where the operational risk originated and organisational unit evaluating the operational risk for the whole Bank. (4) For the purposes of operational risk management, a system of operational risk estimation shall be introduced in the Bank corresponding to the extent and complexity of Bank activities, that mainly: a) Enables regular monitoring of cases of losses due to operational risk; b) Enables to depict all significant sources of operational risk in transactions and activities of the Bank; c) Provides timely warning about increased risk of future losses based on numeric indicators set by the Bank; (5) To estimate the level of operational risk, the following may mainly be used: a) Evaluation of processes and activities of bank with regards to the set of limited events of operational risk monitored by the Bank; b) Mapping of operational risk originating in individual business lines of the Bank; c) Monitoring of indicators of operational risk, e.g. number of unsuccessful transactions, the level of employee fluctuation, frequency and number of errors; d) Measuring of operational risk, e.g. based on monitoring historic losses due to events of operational risk. (6) For the purposes of monitoring operational risk, the following shall mainly be ensured in a Bank: a) Identifying the indicator of operational risk for the purposes of timely warning about increased risk of potential losses; b) Monitoring of events of operational risks and evaluation of losses resulting from these events; c) Informing the competent departments about the level of operational risk according to the chosen system of operational risk evaluation and significant events of the operational risk. (7) For the purposes of operational risk mitigation, the following shall mainly be ensured in a Bank: a) Defining procedures to select a Bank’s approach to an identified risk, mainly:

1. Risk mitigation, e.g. insurance;
2. Risk carrying;
3. Reduction of the extent of activities;
4. Termination of activities; b) Regular evaluation of a Bank’s approaches to an identified risk and based on its results, changes in the use of individual approaches; c) Regular informing of the responsible Bank employees about the results of the evaluation of the approach of the Bank to the operational risk; d) Safe, reliable and flawless operation of its information system, mainly:
5. Security policy of the information system shall be developed defining the aims in the area of bank information system security, main principles and procedures for their achievement and following of this policy shall be ensured.
6. Information security infrastructure shall be created representing purposefully created control bodies and working groups, the role of which is to manage and ensure the effective level of bank, data and information system safety.
7. Information system risk analysis shall be developed and regularly re-evaluated.
8. Information system protection against unauthorised access and damage and bank facility protection shall be ensured at places where equipment for data and information processing and information and data itself are located.

318 Journal of the NBS – Decree of the NBS No. 13/2010 Volume 29/2010 5. Effective, safe, reliable and on-going operation of equipment for information processing shall be ensured. 6. Management of personal access to data and information of the bank shall be ensured by means of their processing and network services. 7. Identification and evaluation of unauthorised activities in the bank’s information system shall be ensured. 8. Continuity of functions and operation of information system in the case of major shutdowns and emergencies shall be ensured and in order to achieve this, plans of restoration and back-up of the information system shall be developed. (8) Business line for the purposes of this provision is the groups of similar activities of a bank according to the nature and character of the performed business. Article 15 (1) Risk management system connected to options, risks of the government, risk of concentration, risk of business settlement, legal risk, risk of business partner, risk resulting from securitisation, specific risk of debt financial instruments, specific risks of capital instruments, general risk of debt financial instruments, general risk of capital instruments and residual risk adequately apply provisions of Article 3 Paragraph 1. (2) If the Bank is exposed to certain risk only due to its participation in a consolidated unit, management of such risks are adequately governed by provisions of Article 3 Paragraph 1. Article 16 Legal acts of the European Union included in the Annex shall be adopted by this Decree. Article 17 The Decree of Národná banka Slovenska of 26 November 2004 No. 12/2004 on risks and a system of risk management shall be abolished (Notification No. 672/2004 Coll.) in accordance with Decree No. 15/2006 (Notification No. 682/2006 Coll.). Article 18 This provision shall come into effect as of 31 December 2010. Jozef Makúch, in his own hand Governor Issued by: Regulation and Financial

Volume 29/2010 Journal of the NBS – Decree of the NBS No. 13/2010 331 Analysis Department Banking and Payment Service Regulation Section Developed by: Ing. Stanislav Guniš Ing. Martin Mačuga Tel.: +421 2 5787 3301 Fax: +421 2 5787 1118 Tel.: +421 2 5787 2885 E-mail: stanislav.gunis@nbs.sk Tel.: +421 2 5787 2887 E-mail: martin.macuga@nbs.sk Annex to the Decree No. 13/2010 The list of adopted legally binding acts of the European Union

1. Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions (revised version) (OJ L 177, 30.06.2006).
2. Directive 2009/111/EC of the European Parliament and of the Council of 16 September 2009 amending and supplementing Directives 2006/48/EC, 2006/49/EC and 2007/64/EC as regards to banks affiliated to central institutions, certain own funds items, large exposure, supervisory arrangements, and crisis management (OJ L L302, 17.11.2009).