2013-05-13

CBK's Risk Based Supervision Framework – May 2013

The Central Bank of Kenya (CBK) adopted the Risk-Based Supervisory (RBS) approach in 2004, recognizing the limitations of the traditional approach, which applied uniform supervision to all institutions regardless of their business activities and risk appetites. The RBS approach focuses on assessing the adequacy of an institution's risk management systems and encourages greater interaction between the institution and the CBK. The CBK's RBS methodology is dynamic and subject to enhancement in line with international best practices and developments in the local, regional, and international arenas. The RBS framework enables the CBK to deliver consistent and high-quality supervision as the financial sector evolves and as institutions' risk profiles change. It promotes competition and the safety and soundness of the financial sector, allowing for more efficient supervision by focusing regulatory efforts on high-risk areas. The CBK's RBS approach involves a continuous sequence of events, including preparing/updating the institutional profile, understanding the institution, risk assessment, and follow-up and monitoring. The CBK has been working on implementing consolidated supervision since 2006, which ensures that all risk exposures of a bank and its subsidiaries or related entities are considered. The CBK also established supervisory colleges in 2

CENTRAL BANK OF KENYA
RISK BASED SUPERVISORY FRAMEWORK
BANK SUPERVISION DEPARTMENT
CENTRAL BANK OF KENYA
MAY 2013

Table of Contents
1.0 Preamble
2.0 The Risk Based Supervisory Framework
2.1 The RBS Methodology: A Sequence of Events
3.0 Developing the Institutional Profile
3.1 Quantity of Risk/Inherent Risk
3.2 Quality of Risk Management
3.3 Composite Risk
3.4 Direction of Risk
3.5 Integration of Risk Profile & CAMEL Rating
4.0 Planning & Scheduling Supervisory Activities
4.1 Supervisory Plan
4.2 Examination Plan for the Year
4.3 Defining Examination Activities
4.4 Examination Procedures
5.0 Reporting and Updating the Institution's Information
5.1 The Inspection Report
5.2 Supervisory Programme
5.3 Financial Performance Review
6.0 Implementation of Consolidated Supervision
7.0 Establishment of Supervisory Colleges

Risk Based Supervisory Framework

1.0 Preamble

This document has been developed with the objective of outlining the Central Bank of Kenya's approach to Risk Based Supervision.

The Central Bank of Kenya (CBK) adopted the Risk Based Supervisory (RBS) approach in 2004 in cognisance of the limitations inherent in the traditional approach which prescribed a common supervisory approach to all institutions irrespective of differences in business activities conducted and risk appetites adopted. The traditional approach focussed on transaction testing with the objective of ascertaining the accuracy of the statement of financial position, statement of comprehensive income, the adequacy of internal controls and ensuring compliance with the applicable laws and regulations. The approach was largely ineffective particularly with large institutions due to failure to distinguish between high risk activities and low risk activities undertaken by institutions. Further, by focussing on the accuracy of figures, the traditional approach tended to reflect point in time assessments and was thus backward looking. In addition, the traditional approach tended to quantify the problem and prescribe solutions to address the symptoms of the problem rather than the root cause of the problem. The solutions adopted thereby tended towards risk reduction rather than management of risks through identification, measurement and monitoring of risks.

The Risk Based Supervisory (RBS) approach focuses on understanding the adequacy of an institution's risk management systems on an ongoing basis and encourages greater interaction between an institution's management and the CBK.

The adoption of RBS commenced with a survey in September 2004 to determine the extent of adoption of risk management practices by institutions in Kenya. The results revealed positive practices in institutions with respect to existence of policies and procedures, organisational structures, independent reviews, awareness of risks and techniques for managing risks. However, the survey also highlighted the following weaknesses: Inadequacy of risk management practices and procedures for non credit risks; Reliance on CBK prudential guidelines to monitor risks e.g. the use of liquidity and foreign exchange exposure ratios alone to determine the level of risk; Lack of dedicated risk management functions and risk management tools e.g. stress testing, modelling and gap analysis in most banks; Lack of specific budget allocation for risk management activities.

In response to the above findings, CBK issued Risk Management Guidelines in August 2005 to assist institutions formulate and implement internal risk management policies and procedures to facilitate better identification, measurement, monitoring and reporting on risks. The guidelines are published on the CBK website (http://www.centralbank.go.ke).

Upon issuance of the risk management guidelines, the CBK gave institutions a 6 month period to develop individual risk management programmes. The guidelines required institutions to establish independent risk management functions, structures and systems, amongst other issues. Each bank thereafter presented its risk management framework through "walk through" sessions at the CBK and institutions were notified of lapses noted in their frameworks.

2.0 The Risk Based Supervisory (RBS) Methodology

The RBS framework is designed to allow CBK deliver consistent, high-quality supervision as the financial sector develops and as risk profiles of institutions change in reaction to competitive forces. The enhanced supervisory regime seeks to promote competition, safety and soundness of the financial sector. This approach benefits institutions as regulatory effort is more focused on high-risk areas and provides for more efficient supervision. Risk based supervision is an approach that places strong emphasis on understanding and assessing the adequacy of each institution's risk management systems which are expected to identify, measure, monitor and control risk in an appropriate and timely manner. The framework enables CBK to be more proactive and better positioned to pre-empt any serious threat to the stability of the financial system from current or emerging risks.

The assessment of the effectiveness of risk management has become even more important as new technologies, product innovation, regional expansion, size and speed of financial transactions have changed the nature of the banking sector.

The principal benefits of the risk based supervisory approach are: Better evaluation of risks through separate assessment of inherent risks and risk management processes; Greater emphasis on early identification of emerging risks and system-wide issues; Cost effective use of resources through a sharper focus on risk; and Reporting of risk focused assessments to institutions.

The Central Bank of Kenya RBS methodology is dynamic and will continue to be enhanced in line with international best practice and developments in the local, regional and international arena. For example, in November 2012, CBK issued reviewed Prudential Guidelines and Risk Management Guidelines to all commercial banks, mortgage finance companies, non-bank financial institutions and Representative Officers in Kenya of foreign institutions. The guidelines became effective from 1st January 2013 and introduced new Prudential Guidelines, namely Outsourcing, Country Risk, Stress Testing and Consumer Protection. Even though some of the concepts in the new guidelines are already incorporated in the RBS methodology, the CBK anticipates further refining the methodology to incorporate all the issues arising.

2.1 The RBS Methodology: A Continuous Sequence Of Events

CBK's RBS approach may be described as a sequence of events that are continuous in nature and result in a seamless coordination of off-site and on-site activities. This is illustrated in the diagram below:

[Diagram: CBK's RBS Approach. Labels shown: Prepare/update the institutional profile (understanding the institution; risk assessment); Institutional Profile, Risk Assessment Summary and Risk Matrix; Develop the Supervisory Plan (incorporate all supervisory activities; prioritize on areas of higher risk; incorporate time lines and resources required); Tools of Supervision (full scope examination; targeted exams; meetings; off-site surveillance); Follow up & Monitoring (off site).]

The RBS approach may also be described as consisting of six key steps with certain deliverables, as outlined in the table below:

Table 1: Steps in RBS approach

| STEPS | OUTPUTS/DELIVERABLES |
|---|---|
| 1. Developing the Institutional Profile | Institutional Profile; Risk Assessment Summary; Risk Matrix |
| 2. Planning and Scheduling Supervisory Activities | Supervisory Plan; Annual Inspection Plan |
| 3. Defining Examination Activities | Pre Inspection Plan |
| 4. Performing Examination Procedures | Preliminary Conclusions |
| 5. Reporting and Updating of Institution's Information | Examination Report(s) |
| 6. Follow up of findings and recommendations | Updated Institutional Profile; Supervisory Programme |

An overview of each step is provided in the subsequent sections.

3.0 Developing The Institutional Profile

The starting point in understanding an institution is through the establishment of an institutional profile. Institutional profile has two main parts: Institutional Overview and Risk Assessment Summary. The Institutional Overview communicates the institution's present condition as well as highlights issues of supervisory concern and past supervisory findings.

A core element of an institutional profile is a description of the institution's risks through the risk matrix and risk assessment narrative. The risk matrix is a tabular presentation of the quantity of risk, quality of risk management and the direction of risk while the risk assessment narrative provides explanations and justification on the assessment of risks. The process of assessing an institution's risks is to a greater extent subjective yet it is important as it determines the institution's supervisory cycle and thus the level of supervisory activities and attention. A risk matrix is illustrated below:

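Table 2: Risk Matrix

| Risks | Quantity of Risk/Inherent Risk | Quality of Risk Management | Aggregate Risk/Composite Risk | Direction of Risk |
|---|---|---|---|---|
| Strategic | | | | |
| Credit | | | | |
| Operational | | | | |
| Liquidity | | | | |
| Interest Rate | | | | |
| Forex Rate | | | | |
| Reputational | | | | |
| Regulatory | | | | |
| Overall | | | | |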

The core components of the risk matrix, which is the core plank of the RBS methodology, are described below:

3.1 Quantity Of Risk/Inherent Risk

The inherent risk in a functional area is a measure of the probability or chance of an adverse impact on an institution's capital and/or earnings arising from potential future events within the functional activity and therefore takes into account the frequency of occurrence, probability of occurrence and/or the severity of impact of an event. Inherent risk is assessed as being either high, moderate or low. Generally, an assessment of high inherent risk would reflect a higher than average probability of potential loss. High inherent risk exists when the functional area is significant to the bank, positions are large in relation to the banking institution's resources, the volume of transactions is high, or where the nature of the functional area is considered complex.

Moderate inherent risk exists where positions are average in relation to the institution's resources or to its peer group, where the volume of transactions is average, and where the activity is more typical or traditional. Thus, while the activity potentially could result in a loss to the organization, the loss could be absorbed by the organisation in the normal course of business. The probability of an adverse impact on a bank's capital or earnings is average.

Low inherent risk exists where the volume, size, or nature of the activity is such that even if the internal controls have weaknesses, the risk of loss is remote or, if a loss were to occur, it would have little negative impact on the institution's overall financial condition. In statistical terms, an assessment of low inherent risk reflects a lower than average probability of an adverse impact on a banking institution's capital or earnings. The assessment of the quantity of risk management is made without considering the risk management processes and controls.

3.2 Quality Of Risk Management

The adequacy of the risk management system for identified activities is determined by considering the following key elements: active board and senior management oversight; adequate policies, procedures and limits for managing business activities; adequate risk management, monitoring and management reporting systems; and Comprehensive internal controls including an effective internal audit function.

The quality and adequacy of risk management systems is described as being "strong", "acceptable", or "weak" depending on the availability, completeness, suitability, and compliance with the risk management systems implemented in the specific functional area. A "strong" assessment is achieved where management effectively controls and identifies all major types of risks posed by any relevant activity or function. An "acceptable" assessment reflects ability to cope successfully with existing and foreseeable exposure that may arise in carrying out the institution's business plan while a "weak" assessment describes cases where an institution's risk management systems are lacking in important ways and therefore call for more than normal supervisory attention.

3.3 Composite Risk/Aggregate Risk

This is a derivative of both the inherent risk (quantity of risk) and the quality of risk management and indicates the level of supervisory concern about the bank. The composite/aggregate risk is described as "high", "moderate" or "low". In assessing aggregate risk, all functional areas that constitute the institution are not necessarily given equal weighting as relative importance or significance of proportion is taken into account.

3.4 Direction Of Risk

This refers to the probable change in the aggregate level of risk over the next 12 months, which is described as "increasing", "decreasing" or "stable". Direction of risk is assessed "increasing" where the supervisor anticipates higher risk over the examination cycle and/or declining risk management systems. Where the supervisor anticipates that the overall composite risk will decline over the next 12 months examination cycle, the direction of risk is assessed "decreasing". This may also be indicative of decreasing aggregate inherent risks and/or improving risk management systems. If the inherent risks are stable and/or the risk management systems are unchanged, the direction of the overall composite risk will be considered "stable".

3.5 Integration Of The Risk Profile With CAMEL Rating

CBK has traditionally used the CAMEL rating to determine an institution's financial condition. CAMEL is an acronym for Capital adequacy, Asset quality, Management, Earnings and Liquidity. The composite CAMEL rating is a combination of the ratings achieved on the individual CAMEL components. The CAMEL (individual and composite) ratings are referred to as "strong" (1), "satisfactory" (2), "fair" (3), "marginal" (4) and "unsatisfactory" (5). The rating is compiled on a monthly basis on an off-site basis, and is verified during on-site examinations.

A bank rated "1" has the highest and best rating, and poses the least supervisory concern. A "5" rating is the lowest and worst rating, indicating a critically deficient level of performance and is reflective of inadequate risk management practices. The institution is at risk of failing and poses the greatest supervisory concern.

The computation of CAEL is based on ratios and is therefore quantitative. The "M" rating in CAMEL is largely influenced by the same factors that are used to determine the quality of risk management, namely: Adequacy of board and senior management oversight; Adequacy of policies, procedures and limits; Compliance with established policies, procedures and limits; and Comprehensiveness of internal controls.

Therefore, a bank which has scored well with respect to management rating also tends to attain a favourable rating on its quality of risk management and vice versa. In this way, there's a correlation between the CAMEL rating and a bank's composite risk.

4.0 Planning And Scheduling Supervisory Activities

4.1 Supervisory Plan

The supervisory plan is a bridge between the institution's risk assessment, which identifies significant risks, issues of supervisory concern, and the supervisory activities to be conducted in the period. The plan incorporates the selected regulatory tools to implement the plan which depends on the overall risk rating of the institution. Some of the regulatory tools available to the Central Bank of Kenya are:

i) On site examinations which are conducted at regular intervals. The frequency depends on the institution's risk assessment which informs the institution's supervisory cycle. The examination may be full scope or targeted (focussed on a specific product, functional area or risk).

ii) Off site surveillance: Regular analyses of statistical and prudential returns. It entails comprehensive reviews of the performance and financial condition of the institution, including implementation of directives/recommendations from the Central Bank. Off site surveillance activities include financial performance reports, supervisory programmes, and stress tests among others.

iii) Prudential meetings with management of an institution: The CBK may schedule a meeting with an institution's senior management and/or board of directors, depending on the severity of supervisory issues. The purpose of the meeting is to allow CBK gain a better understanding of the institution's management controls, its operations, views of its business situation and prospects, financial performance, risk drivers and any other issue of supervisory concern. CBK has at least one prudential meeting with an institution during every supervisory cycle. The presentation of an inspection report to a bank's board of directors is considered a prudential meeting.

However, institutions in the large peer group and institutions with a CAMEL rating of marginal or worse should have at least two prudential meetings in their supervisory cycle. The CBK may also schedule ad hoc meetings with an institution's senior management to discuss new developments, changes in the institution's risk profile and any other issues of supervisory concern.

iv) Meetings with external auditors of an institution: External auditors play an important role in the supervisory process and CBK may schedule a meeting with external auditors to discuss pertinent issues relating to an institution, for example: findings/recommendations arising from the auditors' management letter; scope of the external audit; and treatment of items in the financial statements among others.

v) Exchange of information with other regulators: This includes regular contact with domestic regulators, namely: Insurance Regulatory Authority (IRA), Retirement Benefits Authority (RBA), Capital Markets Authority (CMA), SACCO Societies Regulatory Authority (SASRA) and other regulators, either through correspondences or visits or joint inspections. A Memorandum of Understanding (MOU) was entered into by CBK with the Domestic Financial Sector Regulators (CMA, IRA and RBA) in 2009.

In furtherance of the objective of facilitating collaboration and sharing of information amongst regional regulators, the CBK signed a Memorandum of Understanding (MOU) with the other four East African Community Central Banks in 2008. The MOU establishes arrangements for cooperation in the supervision of financial institutions and outlines the duties of each regulator with a view to promoting a safe and sound regional financial system. Entering into MOUs with other foreign regulators is on-going. So far CBK has entered into MOUs with the Reserve Bank of South Africa, Central Bank of Nigeria, Reserve Bank of Malawi and Bank of Mauritius. Further, the ongoing establishment of supervisory colleges for Kenyan banks which have significant cross-border interests facilitates information sharing and supervisory collaboration among the participating supervisors.

4.2 Examination Plan For The Year

At the beginning of each financial year, CBK prepares an examination plan which outlines all institutions to be inspected in the year and the proposed inspection time frames. The purpose of the plan is to prioritize inspections of institutions with high risk profiles and weak financial conditions while ensuring optimal allocation of resources at the CBK. The plan is risk based, given that the scheduling of inspections is largely dependent upon an institution's CAMEL Rating and risk profile, factors which also determine an institution's supervisory cycle.

Supervisory cycle refers to the period between two consecutive on-site examinations and ranges between six (6) months and twenty four (24) months.

For institutions that show signs of substantial weakness, the frequency of onsite examinations shall be sufficiently high for the Central Bank to appropriately determine their financial condition.

4.3 Defining Examination Activities

The RBS methodology calls for focus on the pre examination planning process. This is achieved through establishment of a pre examination plan which effectively enables the examination team to obtain a thorough understanding of an institution to be inspected while determining the scope of the examination. An effective pre-examination plan results in a seamless and co-ordinated examination process by enabling the inspection team to focus on those areas of the institution that pose the greatest risk. The Central Bank notifies an institution of an impending inspection through the dispatch of an information request letter, usually one month before the start of the actual examination. This is to allow the institution's management sufficient lead time to prepare the requested information, which is used to scope the inspection and tailor make the examination procedures.

4.4 Examination Procedures

CBK has developed examination procedures to cover all the main risk areas and these are tailored during the pre-examination planning stage to suit a particular inspection, based on the institution's risk profile. The application of these programmes helps the examiner to cover adequate ground upon which the soundness of an institution can be established and appropriate directives made. CBK has developed examination procedures to cover all the main risks.

When a specific area or risks that warrant a detailed review are present, examiners widen the scope of the supervisory activities by completing the whole set of procedures so as to be able to draw up detailed conclusions in the area.

5.0 Reporting And Updating The Institution's Information

5.1 The Inspection Report

After an onsite examination of an institution, CBK forwards an inspection report to communicate the findings to the institution's Board of Directors. The report clearly states the basis for the critique (i.e. the legal or normative provision that the bank violates), the findings of the examiners and provides specific recommendations on corrective actions the bank needs to take.

The inspection report is presented to the institution's Board of Directors at a special meeting. The purpose of the meeting is to ensure that all the members of the board are well informed of the state of the financial institution as well as soliciting commitment by the Board to take corrective action and to address financial, operational and business risks that have been highlighted in the report.

5.2 Supervisory Programme

The institution is required to respond to the issues highlighted in the inspection report in a specified format, within 15 days of presentation to the institution's board of directors. The response is used by CBK to develop a supervisory programme for the bank which is used to ensure that corrective actions are undertaken in a timely manner.

5.3 Financial Performance Review

Continuous monitoring of institutions is done through quarterly reviews of each institution's financial performance. The focus of the quarterly review is on performance and identification of unique risks which may have arisen in the intervening period. The reviews are prepared using analysed data submitted to CBK (prudential returns) through an online portal in accordance with the prescribed format and frequency. The reviews also incorporate comparisons of the institution's key financial indicators vis a vis those of peers and industry averages as well as the results of stress tests. The stress testing tool developed by CBK evaluates the financial condition of the bank under the stressed conditions and the impact of increasing/decreasing certain scenarios on the capital levels of the institution.

6.0 Implementation Of Consolidated Supervision

Since 2006, CBK has been working on establishing a framework for implementation of consolidated supervision. Consolidated supervision is a structured framework for supervisory evaluation to ensure that all risk exposures of a bank and its subsidiaries, or of a bank belonging to a financial group or conglomerate, are taken into account, whether the risks arise in the bank itself, or in a related entity.

The rationale for implementation of consolidated supervision emanates from the prevalence of banking groups and conglomerates in the country as well as the rapid expansion of Kenyan banks in the East African region. Another impetus for implementation of consolidated supervision arises from the need to comply with Basel Core Principles.

CBK considers consolidated supervision as a complement and a logical extension of the RBS approach, due to its focus on risk exposures. Consolidated supervision is applied to financial institutions which have significant group relationships and the primary focus on such entities remains institutions licensed by CBK. For parent companies, subsidiaries and associates, CBK will not exercise direct supervision (unless the parent company, subsidiary or associate is itself an institution as defined in the Banking Act or Building Societies Act). However, CBK identifies the relationships, and obtains necessary information to identify and assess risks to the institution arising elsewhere in the group.

CBK issued a Prudential Guideline on Consolidated Supervision (CBK/PG/19), which took effect on 1st January 2013 to provide guidance in respect to reporting requirements for institutions within banking groups. The prudential guideline outlines the prudential requirements for capital adequacy, liquidity, single borrower limits and restrictions on facilities to insiders on both a consolidated and a solo basis. CBK has developed inspection procedures on Consolidated Supervision to assist the supervisors during the examination of a financial institution on a consolidated basis.

7.0 Establishment Of Supervisory Colleges

In 2012, CBK developed a framework for establishing supervisory colleges for institutions with significant cross-border operations. The inaugural Supervisory College meeting was convened in October 2012. Supervisory Colleges will be established for all Kenyan banks with significant cross-border operations. The rationale for the establishment of supervisory colleges for Kenyan banks is as follows:

i) The Basel Core Principles on Consolidated Supervision and Home-Host Relationships issued by Basel Committee on Banking Supervision require supervision of banking groups on a consolidated basis and co-operation and information exchange between home supervisors and host banking supervisors respectively. Establishment of supervisory colleges is one way of meeting these requirements.

ii) Kenyan banks have in the recent past established a regional footprint in other countries and there's growing interest by other banks to establish offices in Kenya.

iii) The establishment of supervisory colleges for Kenyan banks with regional operations will facilitate the exercise of consolidated supervision and assist to achieve cooperation and coordination among home and host supervisors contemplated by the Basel Core Principles for Effective Banking Supervision.

The specific objectives that CBK expects to achieve by establishing supervisory colleges for Kenyan banks with significant operations outside Kenya are: To provide the CBK and other supervisory authorities participating in the college with a better understanding of the risk profiles of the banking groups; To make operationally effective the information sharing and coordination provisions of Memoranda of Understanding entered into between the CBK and host country supervisory authorities; To consider economic conditions affecting a banking group and individual group entities, as well as group-wide exposures, as part of macro-prudential analysis; To provide a foundation for crisis preparedness and contingency planning for an emergency situation that might arise within a cross-border banking group; and To assist the CBK in meeting its obligations as a home country supervisor and other supervisory college members in meeting their obligations as host supervisors, pursuant to the Basel Core Principles for Effective Banking Supervision.
