2019-03-08 | BSD/DIR/GEN/LAB/12/004

The Central Bank of Nigeria (CBN) has issued guidelines for the management of reputational risk in the banking sector. The guidelines aim to ensure banks effectively manage their reputational risk, which is critical for maintaining trust in individual banks and the overall banking sector. Banks are expected to establish processes for identifying, assessing, mitigating, and controlling reputational risks, with a focus on stakeholders' trust and confidence. The CBN will assess the effectiveness of banks' reputational risk management strategies and assign a risk score.

GUIDELINES FOR THE MANAGEMENT OF REPUTATIONAL RISK

Issue Date: March 2019
Effective Date: March 2019
| Section | Title | Page |
|---|---|---|
| 1. | Abbreviations | 2 |
| 2. | Introduction | 3 |
| 3. | Definition of Terms | 4 |
| 4. | Scope of Application | 5 |
| 5. | Guidelines on the Internal Governance of Reputational Risk | 6 |
| 5.1 | Overall Reputational Risk Strategy | 6 |
| 5.2 | Risk Management Framework and Responsibilities | 7 |
| 5.3 | Risk Policies, Processes and Controls | 9 |
| 5.4 | Risk Tolerance and Limits | 9 |
| 5.5 | Internal Audit Review | 10 |
| 5.6 | Reporting of Reputational Risk | 10 |
| 6. | Risk Identification, Assessment, and Control | 11 |
| 6.1 | General Requirements | 11 |
| 6.2 | Risk Identification | 11 |
| 6.3 | Risk Assessment and Pillar 2 Capital | 13 |
| 6.4 | Risk Control | 14 |
| Acronym | Description |
|---|---|
| BCBS | Basel Committee on Banking Supervision |
| CBN | Central Bank of Nigeria |
| DMB | Deposit Money Banks |
| IAF | Internal Audit Function |
| ICAAP | Internal Capital Adequacy Assessment Process |
| ICT | Information and Communication Technology |
| RAF | Risk Appetite Framework |
| RAS | Risk Appetite Statement |
| SLA | Service Level Agreement |
| SREP | Supervisory Review and Evaluation Process |
This framework sets out the Central Bank of Nigeria (CBN) approach to the assessment of reputational risk as part of the Supervisory Review and Evaluation Process (SREP) of the banks' end-to-end Internal Capital Adequacy Assessment Process (ICAAP), and provides guidance to banks on the key elements of effective reputational risk management.
The CBN expects banks to manage reputational risks on a day-to-day basis rather than on an ad hoc basis where it is approached as a crisis management issue. The focus should, in particular, not be only on damage control in the aftermath of a reputational event.
This framework is essential given that reputational risk has become a key concern for banks, particularly in the wake of the 2008-2009 global financial crisis, which resulted in increased stakeholders' interest in the issues of trust and corporate culture in financial institutions. The CBN therefore expects banks in Nigeria to effectively manage their reputational risk, which is critical given that trust in the integrity of the individual banks and the overall banking sector is essential in ensuring the safety and soundness of banks, and the stability of the overall financial system.
Reputational risk is not addressed in the context of Pillar 1 of the Basel Capital Framework though it is a material risk for banks given the rise of social media and the resulting speed at which information including rumours can be disseminated to a much wider audience.
The potential impact of reputational risk on financial performance and brand value of a bank can be very material. The general expectation therefore is that banks will assess their exposure to reputational risk as part of their ICAAP. The banks' internal assessment of reputational risk, including the quantification of any Pillar 2 capital and any other proposed management actions, will also be subjected to a rigorous SREP by the CBN.
7.2. "Reputational risk" is the risk of damage to a bank's reputation as a result of any reputational event, arising from negative publicity about its business practices, conduct or financial condition. Such negative publicity may affect public confidence in the bank and result in a decline in its customer base, business volume, revenue, liquidity or capital position. Reputational risk may also arise as a result of negative stakeholder opinion.
7.3. "Reputational risk management process" is the risk management process adopted by a bank to identify, assess, mitigate, control, monitor and report reputational risk.
7.4. "Stakeholders" mean those groups of individuals or organizations that (i) are involved or interested in the affairs of a bank, or (ii) can exert an influence over, or are affected by, the bank and its activities.
In line with the expectation of Principle 15 of the revised "Core Principles for Effective Banking Supervision" issued by the Basel Committee on Banking Supervision (BCBS) in September 2012, the CBN requires all banks in Nigeria to establish an effective process for the management of reputational risk. The adopted process should be appropriate for the size, geographical spread, product range and complexity of the bank's operations.
These guidelines are applicable to all the Deposit Money Banks (DMBs) in Nigeria, including the specialized non-interest financial institutions. The principle of proportionality will however be applied by the CBN in the supervisory assessment of the banks' processes and methodologies.
The CBN has not prescribed any specific methodology for measuring and quantifying the reputational risk capital charge under Pillar 2. The discretion in respect of approaches to be adopted is left to the banks. However, this framework focuses on the following:

10.1. Ensuring that banks value their institution's reputation and assess risks to that value. This includes understanding the contribution of the institution's reputation to its value creation and how this can be measured in absolute or relative terms;
10.2. Drawing banks' attention to various sources of reputational risk;
10.3. Providing banks with guidance on the key elements of reputational risk management;
10.4. Promoting the adoption of a formalized and structured approach to managing reputational risk;
10.5. Elaborating on the CBN's approach to supervisory review of reputational risk.

5. Guidelines on the Internal Governance of Reputational Risk
Though it does not appear in most balance sheets (except for acquisitions), reputation is increasingly being recognized as a valuable asset particularly to financial institutions for which the confidence of key stakeholders is critical to their survival. Business strategy and approach to its implementation can, in particular, have significant impact on the reputation of a bank. The board of a bank should therefore have a very good understanding of their organization's reputation and its key drivers including vulnerabilities. This knowledge is very important in strategic and risk management decision-making.
It is the responsibility of the bank's board to ensure that: (i) sufficient focus is given to reputational risk management, and (ii) the bank has appropriate governance structures and policies in place to facilitate the provision of reliable, timely and complete information on the bank's reputation and the underlying risks and vulnerabilities. Hence, the overall ownership of reputational risk management resides with the Board.
The banks' strategy for the management of reputational risk, including the risk tolerance levels and the management actions to mitigate the impact of reputational risk events, should be approved by the board. Banks should also be able to fully demonstrate to the CBN that the risk management objectives of the Reputational Risk Strategy are fully aligned with the overall strategic objective of the bank.
Banks are expected to implement an appropriate governance framework to support the management of reputational risk. The framework should, among others, set out clear objectives in relation to the management of reputational risk as well as define the responsibilities of all parties involved in the management of the risk. The responsibilities and lines of authority should be adequately documented and disseminated to all the relevant parties. There should also be an effective process for monitoring the performance of assigned responsibilities, and for triggering early corrective actions before any damage to reputation is caused as a result of either internal or external events.
Banks are expected to carry out self-assessments of their reputational risk management practices and subject the same to independent third-party reviews.
The banks' board should ultimately be responsible for the oversight of the Risk Management Framework and for challenging the adequacy of the level of internally estimated capital to cover all the bank's material risks, including reputational risk, where applicable. The board may however delegate the responsibility for the monitoring and management of reputational risk to the bank's senior management or other board committees [1].

17. Banks are expected to continuously promote staff awareness of reputational risk in their respective businesses, operations or functions. This should particularly be the case for those staff that interact on an ongoing basis with external stakeholders such as depositors, investors, media, market participants, equity analysts, rating agencies, suppliers, vendors, etc.
Banks are required to continuously identify key risks (e.g. strategic, operational risks [2], etc.) that could significantly affect the bank's reputation or business and should bring them to the Board's attention in a timely manner.
Banks should ensure that they have Service Level Agreements (SLAs) for all their outsourced activities. The bank should also have a process in place to effectively monitor the performance of external service providers (e.g. outsourced telephone banking operations, Information Technology (IT) support, debt collection services, etc.) to ensure that the bank's reputation is not damaged as a result of substandard services, business disruption or improper acts.

[1] This includes the Board Risk Management Committee.
[2] This includes the impact of ICT and cyber-security risks in terms of both losses and reputational damage to the bank.
The bank's Internal Audit Function (IAF) is expected to provide independent assessment of the adequacy of risk management processes and the effectiveness of actions taken to control individual risks affecting the bank's reputation. The assessment should be done on a frequent basis (at least annually).
Banks are required to establish a process aimed at promoting effective external communications, especially in the handling of reputational risk-related events. Banks should also ensure that reputational considerations are adequately taken into account in the design of the bank's risk management processes and in the formulation of the business strategy.
Senior Management shall from time to time carry out surveillance of the external sources of reputational risks and report accordingly to the Board.
Banks should set up effective systems and controls for the management of all material risks (including reputational risk) faced by the bank, and to monitor compliance with all applicable laws, regulatory standards, best practices and internal guidelines.
Banks are expected to have adequate policies and procedures in place to ensure that all disclosures to external stakeholders are clear, accurate, complete, relevant, consistent and timely, and guided by the principles of ethics, integrity and transparency.
A bank's reputational risk management process can be standalone, centralized or integrated with other risk management processes. This depends on how the process fits into the bank's existing management structure, and the nature and complexity of its operations.
Banks are required to have in place appropriate policies, codes of conduct, guidelines and procedures for managing the risk to their reputation. This is not only to facilitate the achievement of the set business goals as per the adopted strategy but also to guide the behaviour of staff. Banks should also implement adequate processes, procedures and controls to help monitor the performance of key service providers, including outsourcing partners.
The bank's policies, codes of conduct and guidelines should clearly define expected, undesirable or unlawful practices. They should also set out the boundaries of acceptable risks (risk tolerance) for different business activities and areas of operations, taking into account the potential impact of any proposed activities or operations on customers and the general public. These policies should be adequately disseminated to all relevant parties within the bank.
Banks are expected to articulate their risk tolerance for reputational risk in terms of the risk to financial performance, liquidity and brand or franchise value. The risk tolerance should set clear boundaries and expectations by establishing quantitative limits and qualitative statements. The bank should also ensure that the risk tolerance limit is approved by the Board and appropriately implemented through a comprehensive RAF.
Banks should establish adequate processes for the management of reputational risk events and should formulate action plans for the escalation of breaches of reputational risk tolerance to the board. The risk management and escalation processes should enable the bank to respond quickly to reputational risk events and ensure that any potential damage to the bank's reputation is fully mitigated or substantially reduced.
It is the responsibility of the Board and Senior Management to ensure independent reviews and audits of the bank's reputational risk management processes and procedures, whether in the form of a review dedicated to reputational risk or as part of a wider review of the bank's risk management framework and practices. The independent review should be conducted regularly so as to provide the Board and Senior Management with assurance that controls and actions aimed at managing the risks to the bank's reputation are appropriately designed and operating effectively.
The approach, scope, frequency and depth of the independent reviews or internal audits of reputational risk management processes and procedures may vary depending on: individual bank's needs, the size and complexity of its operations, historical experience in relation to reputational risk events, and the inherent reputational risk given its business model.
The results of such reviews and audits, including any significant issues and weaknesses identified, should be promptly reported to the Board and senior management for early remedial actions.
The recommendations from the internal audit review should be subjected to a formal follow-up procedure by the appropriate levels of management to ensure and report on their effective and timely resolution.
Banks are required to adopt a systematic approach to identification, assessment, mitigation and control of any risk or potential threat that may adversely affect their reputation. The approach should be relevant to their business model and risk profile, and should be tailored to their individual circumstances and needs.
Banks are expected to document the results of their reputational risk identification and assessment exercise, as well as the proposed action plans to mitigate it.
Banks are required to develop processes and procedures for the identification of reputational risk that:

37.1. Define the types of risk events they would expect to capture and the areas of their focus in their risk assessment and management;
37.2. Establish the key sources of reputational risk they are exposed to on the basis of the bank's circumstances. These sources of risk may be classified by risk category, business activity or area of operations;
37.3. Describe the risks identified in terms of the nature of the risk and the potential consequences that the risks may bring to their reputation;
37.4. Take into account any risks arising from new business projects which may affect reputation; and
37.5. Establish procedures to ensure that the risks identified are subject to ongoing review and no major risk areas or events are missed.

Banks are expected to involve all relevant staff (e.g. those representing major departments, business or functional units) in the identification of reputational risk. In doing so, banks should adopt techniques that are appropriate to their individual circumstances. These may include the use of interviews, questionnaires, risk identification workshops, or self-assessments.
Stakeholder analysis constitutes an important part of banks' risk identification process, particularly given that reputation is largely about stakeholders' trust and confidence. As stakeholders' expectations and concerns change over time, banks should conduct regular stakeholder monitoring to facilitate the identification of new issues and threats.
Banks are required to conduct stress testing or scenario analysis to assess any secondary effects of reputational risk on liquidity position, funding cost, earnings, own funds etc. In the formulation of stress test scenarios and estimation of impact, banks are required to take into account the potential interaction between reputational risk exposure and other material risk types such as credit, market, operational, liquidity etc.
Banks' stress tests should also take into account peer incidents which may have spillover effects on their own financial performance, financial condition and reputation.
Banks are required to develop and implement procedures for assessing the reputational risk event to determine the likelihood of the event materializing into a reputational risk and the impact of the risk on their business in terms of liquidity and capital positions.
Banks may employ different techniques and tools to facilitate assessment of the likelihood and the potential impact of the identified reputational risk events. The techniques may include:

43.1. Control assessment: using this tool, banks may assess the likelihood of an identified reputational risk materializing by analyzing the root causes of the risk, existing controls to manage the risk, and the effectiveness of such controls.
43.2. Stakeholders' impact assessment: this tool can be used to assess and analyze stakeholders' interest and influence in relation to a particular reputational event, deciding whether these groups have a critical influence on the bank, and anticipating the likely impact on the bank if these stakeholders react adversely to the risk.
43.3. Stress-testing: this tool is useful for identifying reputational events or changes that could pose significant threats to banks under different sets of stress scenarios which may lead to a reputational crisis and adverse impact on their businesses and reputation.
In the event of limitation of internal data, banks may use other relevant information such as past experience of similar institutions for assessing likelihood and impact of reputational risk on their businesses.
Banks should identify and document the appropriate mitigants against any residual reputational risk under Pillar 2.
Banks operating as part of a group may be exposed to reputational risk events affecting their: parents, non-operating financial holding company, subsidiaries or other members of the group. Banks are therefore expected to develop contingency plans and procedures to deal with the potential reputational risk that may emanate from such relationship.
Banks are required to address all reputational events that could have an adverse impact on their reputation, liquidity or solvency position as part of their ICAAP.
Banks should consider the appropriate actions required to address the identified risks, taking into account the results of its risk assessment. A contingency plan should also be established for all the identified reputational risk events.
Banks' management should carry out periodic review of the level and impact of reputational risk and where applicable take remedial action. The effectiveness of remedial actions should be subject to periodic review by the board.
Reputational risk is one of the inherent risks which the CBN has identified as risks that should be assessed under ICAAP. Banks are thus required to establish a sound and effective system to manage all their material risks.
The CBN will use a combination of techniques, such as qualitative analysis, peer group comparison and supervisory judgment, in its assessment of the appropriateness of banks' approach to the management of reputational risk. Based on its assessment results, the CBN will assign one of four risk scores for reputational risk, i.e., Low, Moderate, Above Average, or High. Please see Appendix 1 for further details on the indicative criteria for assignment of the risk score.
The effectiveness of the banks' reputational risk management strategy will be assessed by the CBN as part of its SREP. The assessment will mainly focus on the quality of policies, systems, processes, procedures and controls established by banks. To facilitate this assessment, the CBN may require banks to provide the following, amongst others:

52.1. Policies, codes of conduct, guidelines and procedures relevant to reputational risk management;
52.2. Documentary evidence in support of the banks' processes for risk identification, assessment, control, monitoring and reporting (including early warning systems), as well as other available measures to mitigate reputational risk;
52.3. Management reports submitted to the Board and senior management to facilitate the management of reputational risk;
52.4. Minutes of Board or committee meetings addressing reputational risk management;
52.5. Reports of any independent review or audit relating to reputational risk management;
52.6. Historical records of reputational events, if any, and how they were managed;
52.7. Details of the methodology and quantification justifying the adequacy of the capital charge assigned to reputational risk.

53. The following are the proposed supervisory benchmarks (metrics) for use as the basis for peer group comparison of the level of reputational risk across Nigerian banks, and to facilitate the supervisory challenge of the appropriateness of the banks' reputational risk management framework including, where applicable, estimates of internal capital to cushion against the potential crystallization of reputational risk. Supervisory benchmarks (metrics) shall be reported as part of the annual Internal Capital Adequacy Assessment Process (ICAAP) submission to the CBN. The benchmarks are:

a) Frequency, nature of and changes in complaints from customers and other third parties;
b) Staff turnover at different operational and management levels;
c) Number and nature of reported unethical practices, failures to comply with any market rules, and conduct that could undermine the orderly development and growth of the economy;
d) Number and nature of regulatory sanctions from official bodies, i.e., financial regulator, tax authorities, etc.;
e) Fraud rate (internal and external);
f) Number of negative mentions in the traditional and social media;
g) Increased costs of raising funds from the capital or money market;
h) Average number of years of industry experience for the key office holders;
i) Current and recent changes in external credit ratings;
j) Supervisory rating of the bank's quality of internal controls and governance arrangements;
k) Where applicable, changes in share price or yield on debt instruments relative to peers or the relevant sectoral index;
l) Number and nature of pending litigations;
m) Failure to redeem obligations (such as obligations to customers, other banks, contractors, vendors, staff, etc.);
n) Frequency of system downtime;
o) Failure to execute valid customer instructions;
p) Cybersecurity attacks and near misses.
Appendix 1

Please note that the indicators below are only indicative and not exhaustive. The four right-hand columns give the indicative criteria for each Supervisory Risk Score.

| Consideration | Low | Moderate | Above Average | High |
|---|---|---|---|---|
| Negative publicity regarding the bank's business | Low relative to peers | Not substantial relative to peers | Above average relative to peers | High relative to peers |
| Probability of a reputational event having an adverse impact on the bank's performance | Low | Average | Above Average | High |
| Regulatory compliance | Good track record and absence of regular litigation and customer complaints | No significant cases of noncompliance | Breach of regulatory requirements and possibility of regulatory sanctions | Unsatisfactory and no significant improvement has been noted |
| Exposure to reputational risk | Expected to remain low in the foreseeable future | Not expected to increase substantially in the foreseeable future | Expected to increase in the foreseeable future | Expected to have a significant adverse impact on the bank's performance |
| Management anticipation and response to market and regulatory changes and directives | Good | Adequate | Inadequate | Weak |
| Corporate culture and conflict of interest practices | Fully effective and well supported | Satisfactory with no evidence of conflicts of interest and other legal or control breaches | Less than effective with evidence of conflict of interest and other legal or control breaches | Weak with evidence of conflict of interest or other legal or control breaches |
| Quality of reputational risk management (including policies and procedures) | Strong | Satisfactory | Ineffective | Weak |
| Internal controls and audits to effectively reduce exposure | Fully effective | Generally effective | Less than effective | Absent or weak |