2010-12-23 | BSD/DIR/CIR/RBS/2010/05

Supervisory Framework for Banks and Other Financial Institutions in Nigeria

The provided risk matrix template is designed to assist financial institutions in evaluating and categorizing their inherent risks, management of such risks, overall risk ratings, as well as the direction and time frame of each identified risk. This risk assessment process can be a crucial element in a company's overall governance, risk management, and compliance systems by providing a structured way to evaluate the institution's key activities against its inherent risks. The matrix incorporates several key components:

1. **Materiality**: This refers to the significance of an activity in terms of financial impact or strategic importance to the overall organization.
2. **Inherent Risks**: Here, inherent risks are categorized into six primary types: Credit, Market, Operational, Liquidity, Legal, Strategic and Insurance (if applicable). Institutions must identify and assess their exposure to each of these categories.
3. **Quality of Risk Management**: This section evaluates the effectiveness of risk management strategies in managing identified risks.
4. **Net Risk**: The net risk score is a combination of materiality, inherent risks, quality of risk management and direction of risk. It is used to give an overall assessment of the risk associated with each activity.
5. **Direction of Risk**: This indicates whether the identified risk has a positive or negative impact on the institution's capital or earnings.
6. **Time Frame**: The time frame indicates when the identified risk might have an effect on the organization. It can be categorized into short, medium, and long-term risks.
7. **Composite Rating**: This rating combines all above factors to give a single overall composite rating per significant activity of the institution.

The matrix is meant to be a living document that should be regularly reviewed and updated as necessary based on changes in the business environment, organization's growth or any other relevant factor.

SUPERVISORY FRAMEWORK for BANKS and OTHER FINANCIAL INSTITUTIONS in NIGERIA July 2008


Table of Contents

1. Introduction
2. Risk Assessment
3. Significant Activities
4. Inherent Risk
5. Quality of Risk Management
6. Net Risk
7. Direction of Risk
8. Overall Net Risk
9. Composite Risk
   9.1 Capital
   9.2 Earnings
   9.3 Composite Risk Rating
10. Documenting the Risk Assessment
   10.1 Risk Matrix
   10.2 Risk Assessment Summary
11. The Relationship Manager
12. The Supervisory Process
   12.1 Analysis
   12.2 Planning
   12.3 Action
   12.4 Documentation
   12.5 Reporting
   12.6 Follow-up

Appendix A Risk Categories
   1. Credit Risk
   2. Market Risk
   3. Operational Risk
   4. Liquidity Risk
   5. Legal and Regulatory Risk
   6. Strategic Risk
   7. Insurance Risk
Appendix B Definitions of Inherent Risk Ratings
Appendix C Risk Management Control Functions
   1. Board
   2. Senior Management
   3. Compliance
   4. Internal Audit
   5. Risk Management
   6. Financial Analysis
Appendix D Risk Matrix


1. Introduction

The objective of the Supervisory Framework for Banks and Other Financial Institutions in Nigeria (Framework) is to provide an effective process to assess the safety and soundness of banks and other financial institutions. This is achieved by evaluating their risk profile, financial condition, risk management practices and compliance with applicable laws and regulations.

Developing supervisory practices is a dynamic process. Consolidation, and the resultant rapid expansion/development of the banking and other financial institutions' sectors, necessitated a re-evaluation of the way that supervision is conducted in Nigeria. In response to this changing financial landscape, a more risk based approach to supervision has been adopted, one that focuses on the identification of risk and an assessment of the management of that risk by regulated entities. Although effective risk management has always been central to safe and sound banking activities, it has assumed added importance. In addition to responding to the sector's post consolidation expansion both within and beyond Nigeria, in both financial and non-financial activities, there is need to comply fully with the Basel Core Principles on Supervision and to prepare an enabling environment for the eventual implementation of the Basel II Capital Accord.

The Framework:

  • is a robust, proactive and sophisticated supervisory process, essentially based on the risk profiling of a bank;
  • enables a better evaluation of risks through the separate assessment of inherent risks and risk management processes;
  • is a dynamic, forward looking process, placing greater emphasis on the early identification of emerging risks and system-wide issues;
  • is applied on a consolidated basis, using information from other regulators as appropriate. It includes an assessment of all material entities (subsidiaries, branches, or joint ventures) both in Nigeria and internationally;
  • allows the supervisor to prioritize efforts and focus on significant risks by channeling resources to banks that have higher risk profiles. Work performed will be focused on clearly identified risks or areas of concern. Institutions that are well managed relative to their risks will generally require less supervision;
  • includes the review of major risk management control functions such as Board and Senior Management Oversight, Internal Audit, Risk Management, Compliance and Financial Analysis. The Framework contemplates the use, where appropriate, of the institution's internal management and control functions; and
  • contemplates reliance on external auditors for the fairness of the financial statements and their work will be used to modify the scope of reviews to minimize duplication of effort.

2. Risk Assessment

Risk assessment begins with identifying significant activities of an institution. The net risk in these significant activities is a function of the aggregate inherent risk offset by the aggregate quality of the risk management control functions. This evaluation is depicted as:

Inherent Risks mitigated by Quality of Risk Management Control Functions = Net Risk

3. Significant Activities

The fundamental precept of the Framework is that supervisors must "know the institution" that they are responsible for. This knowledge will allow supervisors to identify those activities that are key (significant) to the achievement of the institution's business objectives or strategies.

Significant activities could include any significant line of business, unit (including a subsidiary) or process. Significant activities are identified from various sources including the institution's organization charts, strategic business plan, capital allocations, and internal and external financial reporting. Sound judgment is fundamental to the Framework and is applied in determining the significance or materiality of any activity in which an institution engages. It is important to note that significant activities are institution-specific as what is considered significant in one institution, may be insignificant in another and vice versa.

The following are some examples of criteria that may be used:

a) the total income generated by the activity in relation to total income from ordinary activities;
b) total expenditure incurred on an activity in relation to total expenditures;
c) net income before tax for the activity in relation to total net income before tax;
d) assets generated by the activity expressed as a percentage of total assets (both on and off balance sheet);
e) risk-weighted assets generated by the activity in relation to total risk-weighted assets;
f) risk-weighted assets of an activity in relation to total adjusted capital;
g) economic capital allocated to the activity in relation to total capital; and
h) provisioning (reserves) made in respect of the activity as a percentage of total provisions (reserves).

4. Inherent Risk

Inherent risk is intrinsic to all business activities and arises from exposure to, and uncertainty from, potential future events. Inherent risk is evaluated by considering the degree of probability and the potential size of an adverse impact on an institution's capital or earnings.

As part of the Framework's "know the institution" precept, supervisors must have a thorough understanding of the environment in which the institution operates as well as its various business activities. This is essential to effectively identify and assess inherent risk in those activities. The Framework considers risks on a consolidated basis and groups them in the following categories for assessment purposes:

  • credit risk
  • market risk
  • operational risk
  • liquidity risk
  • legal and regulatory risk
  • strategic risk
  • insurance risk (for institutions with insurance subsidiaries)

These risk categories are described in Appendix "A".

Once the significant activities have been identified, the existence and level of each inherent risk in those activities is assessed as low, moderate, above average or high (see Appendix "B"). This assessment is made without considering the impact of risk mitigation through the institution's risk management processes and controls. The quality of these factors is considered separately and combined with the inherent risk assessment to determine the Net Risk of each activity.

5. Quality Of Risk Management

The quality of risk management is evaluated for each significant activity. The Framework identifies six risk management control functions that may exist in an institution. These are: the Board of Directors; Senior Management; Compliance; Risk Management; Internal Audit; and Financial Analysis (see Appendix "C"). The presence and nature of these functions vary based on the size and complexity of an institution.

The effectiveness of the risk management control functions will form the basis for moderating the level of aggregate inherent risk associated with a particular significant activity. Defined assessment criteria will be used to assess the quality of the risk management control functions according to the following formula:

Characteristics plus Performance = Effectiveness

The quality of the risk management control functions will be assessed as strong, acceptable, needs improvement or weak.

6. Net Risk

The quality or effectiveness of the risk management control functions will influence (offset) the level of the inherent risk in each significant activity, the outcome of which will be the Net Risk for each significant activity. Net Risk will be rated as low, moderate, above average or high as broadly depicted below:

Rows: Aggregate Level of Risk Management for Significant Activity. Columns: Aggregate Level of Inherent Risk for Significant Activity.

| Risk Management \ Inherent Risk | Low | Moderate | Above Average | High |
|---|---|---|---|---|
| Strong | Low | Low | Moderate | Moderate |
| Acceptable | Low | Moderate | Above Average | Above Average |
| Needs Improvement | Moderate | Above Average | High | High |
| Weak | Above Average | High | High | High |

7. Direction of Risk

The above assessments include a determination of the current direction of Net Risk.

Direction of risk is assessed as decreasing, stable, or increasing over an appropriate time horizon for the institution. The time horizon considered is indicated in each case.

8. Overall Net Risk

In determining the Overall Net Risk, the relative significance or materiality of each activity is considered. This is rated low, moderate, above average or high. This assessment ensures that an activity with low materiality but high Net Risk does not skew the rating of the Overall Net Risk. The Framework will focus supervisory efforts on materially high risk activities, although not to the total exclusion of other activities. The degree of such review will be determined on a case by case basis, as deemed necessary.

9. Composite Risk

The Composite Risk Rating is the Framework's "final" rating and reflects the assessment of the safety and soundness of the institution by the supervisor. The Composite Risk Rating will be the outcome of the Overall Net Risk, moderated by Capital and Earnings.

Accordingly, the assessment includes a review of the quality, quantity, and availability of externally and internally generated capital. In reviewing an institution's ability to generate capital internally, profitability is considered both on a consolidated and unconsolidated basis. Capital and Earnings, however, are not considered a substitute for sound risk management.

9.1 Capital

Institutions are required to maintain sufficient capital to support their operations in accordance with regulatory requirements. Such capital provides a cushion by absorbing unexpected losses and decline in asset values that could otherwise lead to failure. The Framework requires institutions to maintain capital levels above the regulatory minimum where determined necessary as a function of each institution's risk profile. Factors that will be considered in assessing capital include, amongst others: its adequacy; quality; relationship with earnings (internal generation, retention and outlook), peer comparison (consistency); capital management policy and practices; etc. The rating categories used in assessing capital adequacy and capital management policies and practices of an institution are strong, acceptable, needs improvement or weak. Capital adequacy includes both the level and quality of capital. The assessment is made in the context of the nature, scope, complexity, and risk profile of an institution. Capital is not a substitute for sound risk management.

9.2 Earnings

Earnings absorb normal and expected losses in a given period and provide a source of financial support by contributing to the institution's internal generation of capital and its ability to access external sources of additional capital. Earnings quality and quantity are evaluated in relation to their ability to support present and future operations. An assessment is made of the rate of retention, historical trend and stability of earnings, the sources (core versus non-core), contribution from volatile businesses and sustainability (long term viability). Also, in determining the quantity of earnings, consideration is given to product pricing, adequacy of provisions, impact of non-recurring incomes and expenses, dividend policies as well as performance relative to peer group. The rating categories used in assessing an institution's earnings and its ability to continue to generate earnings required to ensure its long-term viability are strong, acceptable, needs improvement or weak. The adequacy of an institution's earnings will be evaluated in the context of the nature, scope, complexity, and risk profile of the institution. Earnings are not a substitute for sound risk management.

9.3 Composite Risk Rating

Composite Risk will be rated as low, moderate, above average or high as broadly depicted below:

Capital and Earnings Combinations
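| Overall Net Risk | S/S | S/A | S/NI | S/W | A/S | A/A | A/NI | A/W | NI/S | NI/A | NI/NI | NI/W | W/S | W/A | W/NI | W/W |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| High | M/AA | AA/H | AA/H | AA/H | AA/H | H | H | H | H | H | H | H | H | H | H | H |
| Above Average | L/M | M/AA | M/AA | M/AA | M/AA | AA | AA/H | AA/H | AA | H | AA | H | AA/H | AA/H | AA/H | H |
| Moderate | L | L/M | L/M | L/M | L/M | M | M/AA | M/AA | M | AA | AA | AA | M/AA | M/AA | AA | AA/H |
| Low | L | L | L/M | L/M | L | L | L/M | L/M | M | M | M | M | L/M | M | AA | AA |

H: High; AA: Above Average; M: Moderate; L: Low
S: Strong; A: Acceptable; NI: Needs Improvement; W: Weak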

The Composite Risk Rating is a significant factor in determining the supervisory response and plan for the institution. The degree of supervisory intervention will be commensurate with the risk profile of the institution, largely driven by the Composite Risk Rating. A robust "quality assurance" process will be utilized to ensure consistency and fairness of the supervisory ratings.

10. Documenting the Risk Assessment

10.1 Risk Matrix

A Risk Matrix (Appendix D) is used to record the assessment of inherent risks, the quality of risk management, and the resulting Net Risk evaluation for each significant activity.

The Risk Matrix includes a rating of the Overall Net Risk and the Direction of Risk.

An Overall Rating for each risk management control function is also included in the Risk Matrix. The Risk Matrix includes the Composite Rating and a Direction of Composite Risk for the institution. An appropriate time frame for the Composite Rating and the Direction of Composite Risk is also included. While the Risk Matrix is a convenient way to summarize the conclusions of risk assessment, it is supported by documentation of the analysis and the rationale for the conclusions. A critical component of the Framework is that all findings, recommendations and most importantly, supervisory ratings, are fully supported, defensible and documented.

10.2 Risk Assessment Summary

The Risk Assessment Summary (RAS) is an executive summary which highlights an institution's present financial condition, its prospective risk profile, key issues, and past supervisory findings. The RAS includes:

a) a Risk Matrix;
b) an overview of the group structure, inter-company relationships, main business activities and strategies;
c) an assessment of the effectiveness of the key risk management control functions;
d) an assessment of the adequacy of capital and the profitability of the institution;
e) where an institution is part of a foreign entity (i.e. a subsidiary or a branch), a suitable assessment of the foreign entity's operations and the supervisory system in effect in the home jurisdiction;
f) where the institution is part of a larger group and/or has subsidiaries, a suitable assessment of affiliates by other domestic/international regulators;
g) a listing of significant events during the past 12 months;
h) financial highlights; and

The RAS facilitates a sharper focus on activities that pose the greatest risk to an institution and is used to set priorities for the year. It does not include the supervisory work to be carried out nor resources required. Planned work and resources required are included in the Supervisory Plan discussed in paragraph 12.2.

11. Relationship Manager

The Framework requires a continuous (as opposed to a point in time) assessment of the institution. The understanding of the institution developed through this assessment enables supervisors to tailor the on-site examination of the institution to its risk profile.

Continuous supervision requires that an ongoing relationship (and contact) be established and nurtured with the institution. A Relationship Manager is critical to fulfilling the objectives of seamless, risk-focused supervision. Each institution will be assigned a Relationship Manager who will typically be at the Deputy Director level. The Relationship Manager is the focal point for the continuous supervision of assigned institutions and CBN's primary contact with those institutions. The Relationship Manager is also integral to the regulatory approval process. The responsibilities of a Relationship Manager that support the key principles of the Framework are described below under the supervisory process.

12. Supervisory Process

The main steps of the supervisory process are: Analysis, Planning, Action, Documentation, Reporting and Follow-up. Although the steps appear sequential, updating of the risk assessment is a dynamic process requiring frequent reassessments at various stages of the supervisory process.

| STEPS | OUTPUT |
|---|---|
| 1. Analysis (Understanding the institution and developing a risk profile) | 1. Risk Matrix; 2. Risk Assessment Summary (RAS) |
| 2. Planning (Scheduling and planning activities for the supervisory period) | 3. Supervisory Plans (by Institution, Group, and Sector) |
| 3. Action (Conducting on-site reviews and on-going monitoring) | 4. Information requests |
| 4. Documentation (Preparing and filing information to support findings) | 5. Section Notes; 6. Working papers |
| 5. Reporting (Report of findings and recommendations to institution) | 7. Management Report; 8. Updated RAS |
| 6. Follow-up of findings and recommendations | 9. Updated RAS |

12.1 Analysis (Step 1)

Analysis of the institution is a primary input into the risk assessment process. The supervisory groups are responsible for ongoing analysis and monitoring of institutions. An element of continuous supervision is that analysis is performed at least once every three months for institutions rated moderate or better, and on a monthly basis for institutions rated above average or worse. Analysis work carried out just prior to the preparation of the Supervisory Plan is more extensive to allow for better input into the planning process. Analysis and monitoring includes a review of the institution's information as well as meetings with key individuals at the institution to discuss trends and emerging issues.

The scope of this work will depend on the size, complexity and the risk profile of the institution. Results of the analysis are used to update the Risk Matrix and the RAS.

12.2 Planning (Step 2)

A Supervisory Plan is prepared at the beginning of each fiscal year and outlines work planned and resources required. The scope of the work planned is based on the RAS. The focus is on the activities and risk management processes identified in the RAS as significant risk areas. The RAS is used to determine priorities for the upcoming year and to allocate resources to individual institutions accordingly. The number (and type) of resources dedicated to an institution will be significantly influenced by its size, complexity and risk profile (and systemic impact). The Supervisory Plan for each institution includes a consideration of the following:

  • industry risks;
  • concerns or issues raised by various supervisory teams;
  • concerns or issues raised by CBN/NDIC executives; and
  • planning for benchmarking, peer reviews, or other special studies.

Once Supervisory Plans are approved at the group level and priorities established, the institution specific Supervisory Plans are finalized. The Supervisory Plan is subject to revisions if unforeseen events alter the risk profile of the institution. However, any changes require a reassessment of priorities, not just an extension of the scope of the supervisory efforts.

12.3 Action (Step 3)

The Relationship Manager communicates with key parties at the institution and maintains an on-going relationship with the institution's management. For larger institutions with greater systemic impact, this will likely involve quarterly visits.

Information requested from an institution is based on the specific requirements arising from the risk assessment process. The main information request is made prior to an on-site review. On-site reviews are a critical part of the supervisory process. The scope of on-site reviews depends on the Overall Rating of Net Risk. These reviews and interaction with the institution's management also enhance the supervisor's understanding of the institution and its risk profile. All institutions will be subject to at least one onsite examination per year. For larger institutions with greater systemic impact, it is conceivable that all significant activities will not be reviewed during the same examination visit. These institutions will receive a number of "targeted" examination visits during the year.

12.4 Documentation (Step 4)

All supervisory groups use the same documentation standards.

The supervisory file structure is consistent with the new risk Framework. The file includes an updated copy of the RAS, a copy of the Management Report and related correspondence, and copies of various section notes. A section note is prepared in the standard format for each significant activity or risk management control function identified for review. The section note is used to fully document an assessment of the activity or the risk management control function. Working papers necessary to support the assessment are also on file. If a significant activity or risk management control function is not reviewed during an on-site visit, the latest section note is brought forward. This ensures that the file contains the latest information available on all areas of an institution.

12.5 Reporting (Step 5)

The Relationship Manager is responsible for writing to the institution, outlining the results of the supervisory work including that of any on-site review. In the case of an on-site review, the final stage of the process includes three levels of verbal and written reports. These levels target the following audiences: CBN/NDIC Executive, the institution's management, and external stakeholders. Written reports to CBN/NDIC Executive consist of the updated RAS, a summary of the findings and section notes with detailed information of significant findings.

Findings and recommendations are first discussed with appropriate senior managers in the institution. Where there is a Risk Management or Internal Audit department, the findings and recommendations are discussed with the responsible manager. This is followed by reporting to the Chief Executive Officer (CEO), Managing Director and the Board of Directors. This reporting is not tied to the timing of Board of Directors' meetings, but a meeting is scheduled with this group at the earliest possible time after the Management Report is completed. The Management Report is the key written document sent to the institution. It addresses findings, recommendations and follow-up of previous findings. The Management Report will also include a brief explanation of the Composite Risk Rating. Management Reports are addressed to the CEO and copied to the Chair of the Board. In all cases, the covering letter requests that a copy of the Management Report be provided to the external auditors.

12.6 Follow-Up (Step 6)

The findings and recommendations reported to the institution are followed up on a timely basis and the results included in the RAS updates. Timely follow-up is a critical component of continuous supervision. Institutions will be afforded reasonable, but firm, deadlines for corrective action and will be expected to provide regular reports on progress achieved.

Appendix A Inherent Risk Categories

Following are descriptions of the risk categories identified in subsection 4 of the Framework. These descriptions should be read within the context of the definition of inherent risk contained in Section 4.

1. Credit Risk

The risk arising from the type and nature of credit activities undertaken by the institution. Credit risk arises from a counterparty's inability or unwillingness to fully meet its on- and/or off-balance sheet contractual obligations. Exposure to this risk results from financial transactions with a counterparty including issuer, debtor, borrower, broker, policyholder or guarantor.

2. Market Risk

Market risk arises from changes in market rates or prices. Exposure to this risk can result from market-making, dealing, and position-taking activities in markets such as interest rate, foreign exchange, equity, commodity and real estate. Interest rate risk and foreign exchange risk are described further below:

A. Interest Rate Risk

Interest rate risk arises from movements in interest rates. Exposure to this risk primarily results from timing differences in the re-pricing of assets and liabilities, both on- and off-balance sheet, as they either mature (fixed rate instruments) or are contractually re-priced (floating rate instruments).

B. Foreign Exchange Risk

Foreign exchange risk arises from movements in foreign exchange rates.

Exposure to this risk mainly occurs during a period in which the institution has an open position, both on- and off-balance sheet, and/or in spot and forward markets.

3. Operational Risk

Operational risk arises from problems in the performance of business functions or processes. Exposure to this risk can result from deficiencies or breakdowns in internal controls or processes, technology failures, human errors or dishonesty and natural catastrophes.

4. Liquidity Risk

Liquidity risk arises from an institution's inability to purchase or otherwise obtain the necessary funds, either by increasing liabilities or converting assets, to meet its on- and off-balance sheet obligations as they come due, without incurring unacceptable losses.

5. Legal And Regulatory Risk

Legal and regulatory risk arises from an institution's non-conformance with laws, rules, regulations, prescribed practices, or ethical standards in any jurisdiction in which the institution operates.

6. Strategic Risk

Strategic risk arises from an institution's inability to implement appropriate business plans, strategies, decision-making, resource allocation and its inability to adapt to changes in its business environment.

7. Insurance Risk

This risk results where the institution has the business of insurance as a significant activity, either through a subsidiary or affiliate. Insurance risk typically derives from:

A. Product Design And Pricing Risk

Product design and pricing risk arises from the exposure to financial loss from transacting insurance and/or annuity business where costs and liabilities assumed in respect of a product line exceed the expectation in pricing the product line.

B. Underwriting And Liability Risk

Underwriting and liability risk is the exposure to financial loss resulting from the selection and approval of risks to be insured, the reduction, retention and transfer of risk, the reserving and adjudication of claims, and the management of contractual and non-contractual product options.

Appendix B Definitions of Inherent Risk Ratings

Low Inherent Risk:

Low inherent risk exists when there is a lower than average probability of an adverse impact on an institution's capital or earnings due to exposure and uncertainty from potential future events.

Moderate Inherent Risk:

Moderate inherent risk exists when there is an average probability of an adverse impact on an institution's capital or earnings due to exposure and uncertainty from potential future events.

Above Average Inherent Risk:

Above average inherent risk exists when there is an above average probability of an adverse impact on an institution's capital or earnings due to exposure and uncertainty from potential future events.

High Inherent Risk:

High inherent risk exists when there is a higher than average probability of an adverse impact on an institution's capital or earnings due to exposure and uncertainty from potential future events.

Appendix C Risk Management Control Functions

1. Board of Directors

The Board of Directors is responsible for providing stewardship and management oversight for the institution. Its key responsibilities include:

  • ensure management is qualified and competent;
  • review and approve organizational and procedural controls;
  • ensure principal risks are identified and appropriately managed;
  • review and approve policies and procedures for the institution's major activities;
  • review and approve strategic and business plans; and
  • provide for an independent assessment of management controls.

2. Senior Management

Senior management is responsible for planning, directing and controlling the strategic direction and general operations of the institution. Its key responsibilities include:

  • ensure organizational and procedural controls are effective;
  • ensure compliance with approved policies and procedures;
  • develop strategies and plans to achieve approved strategic and business objectives; and
  • develop sound business practices, culture and ethics.

3. Compliance

Compliance is an independent function within an institution that: 1) sets the policies and procedures for adherence to regulatory requirements in all jurisdictions where an institution operates; 2) monitors the institution's compliance with these policies and procedures; and, 3) reports on compliance matters to senior management and the Board.

4. Internal Audit

Internal audit is an independent function within the institution that assesses adherence to and effectiveness of operational and organizational controls. In addition, internal audit may also assess adherence to and effectiveness of compliance and risk management policies and procedures.

5. Risk Management

Risk management is an independent function responsible for planning, directing and controlling the impact on the institution of risks arising from its operations. The function is generally only found as a separate unit in the larger institutions, and may address the following:

  • identification of risks;
  • development of measurement systems for risks;
  • establishment of policies and procedures to manage risks;
  • development of risk tolerance limits;
  • monitoring of positions against approved risk tolerance limits; and
  • reporting of results of risk monitoring to senior management and the Board.

6. Financial Analysis

Financial analysis is the function that performs in-depth analyses of the operational results of an institution and reports them to management. Effective reporting is key to this function as the operational results affect strategic and business decisions made by management and the Board. This function is generally only found as a separate unit in larger institutions.

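Appendix D Risk Matrix

INSTITUTION NAME
RISK MATRIX AS AT DATE

Inherent Risks columns: Credit to Insurance. Quality of Risk Management columns: Board to Financial Analysis.

| Significant Activities | Materiality | Credit | Market | Operational | Liquidity | Legal | Strategic | Insurance | Board | Senior Mgmt | Compliance | Internal Audit | Risk Mgmt | Financial Analysis | Net Risk | Direction of Risk |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Activity 1 | | | | | | | | | | | | | | | | |
| Activity 2 | | | | | | | | | | | | | | | | |
| Activity 3 | | | | | | | | | | | | | | | | |
| etc. | | | | | | | | | | | | | | | | |
| Overall Rating | | | | | | | | | | | | | | | | |

Capital:    Earnings:
Composite Rating:    Direction of Risk:    Time Frame: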
