2021-06-25
The Bank of Ghana issued a Risk Management Directive requiring all licensed banks, savings and loans companies, finance houses, and financial holding companies to implement a comprehensive Risk Management Framework. The directive mandates active board oversight, a documented risk appetite statement, independent risk and compliance functions headed by a Chief Risk Officer, and robust management information systems for continuous monitoring. Regulated institutions must conduct forward-looking stress testing, allocate adequate resources, and submit annual risk management declarations to the regulator detailing framework effectiveness and material breaches.
BANK OF GHANA
Risk Management Directive For Banks, Savings and Loans, Finance Houses and Financial Holding Companies (EXPOSURE DRAFT)
Prepared by the Bank of Ghana, June 25, 2021
Table of Contents
PART I – PRELIMINARY (page 3)
Title (page 3)
Application (page 3)
Interpretation (page 3)
PART II – OBJECTIVES AND RELEVANT REQUIREMENTS (page 6)
Objectives and Key Requirements (page 6)
PART III – SOUND RISK MANAGEMENT STANDARDS (page 7)
The Role of the Board (page 7)
Risk Management Framework (page 7)
Risk Management Strategy (RMS) (page 8)
Risk Appetite (page 9)
Strategic Plan (page 9)
Policies and Procedures (page 9)
Risk Culture and Organisational Accountability for Risk (page 10)
Risk Management Oversight Function (page 10)
Review of the Risk Management Framework (page 11)
Risk Management Declaration (page 12)
Notification Requirements (page 12)
Exemptions (page 13)
Additional Directives (page 13)
Annexure A – RISK MANAGEMENT DECLARATION REQUIREMENTS (page 14)
PART I – PRELIMINARY

Title
“Risk Appetite” means the aggregate level and types of risk an RFI is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and plan.

“Risk Appetite Framework (RAF)” means the overall approach, including policies, processes, controls and systems, through which risk appetite is established, communicated and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the RFI as well as to its reputation vis-à-vis depositors and other stakeholders. The RAF aligns with the RFI’s strategy.

“Risk Appetite Statement (RAS)” means the written articulation of the aggregate level and types of risk that an RFI will accept, or avoid, in order to achieve its strategic objectives. It includes quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It shall also include qualitative statements to address reputation and conduct risks as well as money laundering and unethical practices.

“Risk Capacity” means the maximum amount of risk an RFI is able to assume given its capital base, risk management and control capabilities as well as its regulatory constraints.

“Risk Culture” means an RFI’s norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during day-to-day activities and has an impact on the risks they assume.

“Risk Governance Framework” means the framework through which the Board and senior management establish and make decisions about the RFI’s strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the RFI’s strategy; and identify, measure, manage and control risks.

“Risk Limits” means specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the RFI’s aggregate risk to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate, other measures.

“Risk Management” means the processes established to ensure that all material risks and associated risk concentrations are identified, measured, controlled, mitigated and reported on a timely and comprehensive basis.

“Risk Management Framework” means the totality of systems, structures, policies, processes and people within an institution that identify, measure, evaluate, monitor, report and control or mitigate all internal and external sources of material risk.

“Risk Management Oversight Function” means a key component of the bank’s second line of defence in the three lines of defence model. This function is responsible for overseeing risk-taking activities across the RFI and should have authority within the organisation to do so.

“Risk Management Strategy” means the strategy for managing risk and the basis on which the Board will evaluate the success of its RMF and its approach.

“Risk Profile” means a point-in-time assessment of an RFI’s gross risk exposures (i.e. before the application of any mitigants) or, as appropriate, net risk exposures (i.e. after taking into account mitigants) aggregated within and across each relevant risk category based on current or forward-looking assumptions.

“Risk Tolerance” means the maximum level of risk that the institution is willing to operate within, which is expressed as a risk limit based on its risk appetite, risk profile and capital strength.

“Risk Universe” means the set of material risks or risk categories the Board of an RFI has identified in its business activities, which must be managed efficiently to generate sustainable profitable returns.

“Senior Management” means members of the Executive Management Committee (EXCO) of an RFI and any other Key Management Personnel as may be determined by the Regulated Financial Institution.

“Three Lines of Defence Model” means an organisational model of risk management in which the business lines that take risk form the first line of defence; the risk management and compliance oversight functions are the second line of defence; and independent internal audit and assurance form the third line of defence.
PART II – OBJECTIVES AND RELEVANT REQUIREMENTS

Objectives and Key Requirements

4. An RFI shall have systems for identifying, measuring, evaluating, controlling, mitigating and reporting material risks that may affect its ability to meet its obligations to depositors and other stakeholders.

5. The Board of an RFI is ultimately responsible for having a risk management framework. The risk management framework must also be consistent with the RFI’s strategic objectives and plan.

6. The key requirements of this directive are that an RFI must:
a) develop and maintain a risk management framework that is appropriate to the size, business mix and complexity of the institution and relevant at all times;
b) maintain a Board-approved risk appetite statement;
c) maintain a Board-approved risk management strategy that describes the key elements of the risk management framework that give effect to the approach to managing risk;
d) maintain adequate resources to ensure compliance with this directive; and
e) notify BoG when it becomes aware of a significant breach of, or material deviation from, the risk management framework; or that the risk management framework does not adequately address a material risk.
PART III – SOUND RISK MANAGEMENT STANDARDS

The Role of the Board

7. The Board of an RFI is ultimately responsible for the RFI’s risk management framework. The Board shall exercise oversight over Senior Management and in particular, the Board shall:
a) set the risk appetite, together with the Chief Risk Officer, within which it expects management to operate and also approve the RFI’s Risk Appetite Statement (RAS) and Risk Management Strategy (RMS);
b) form a view of the risk culture in the RFI, and the extent to which that culture supports the ability of the RFI to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the RFI takes steps to address those changes;
c) ensure that senior management of the RFI monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the Board;
d) ensure that the operational structure of the RFI facilitates effective risk management;
e) ensure that policies and procedures are developed for risk-taking that are consistent with the RMS and the established risk appetite;
f) ensure that sufficient resources are dedicated to risk management; and
g) recognise uncertainties, limitations and assumptions attached to the measurement of each material risk.

Risk Management Framework

8. An RFI shall maintain a Risk Management Framework (RMF) that enables it to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks, and provides the Board with a comprehensive enterprise-wide view of material risks.

9. There shall be an RMF which shall be approved by the Board.

10. The RMF shall be consistent with the RFI’s strategic plan.

11. The RMF shall provide a structure for identifying and managing each material risk to ensure the RFI is being prudently and soundly managed, commensurate with the size, business mix and complexity of its operations.

12. The RMF shall, at a minimum, include:
a) a risk appetite statement;
b) a Risk Management Strategy (RMS);
c) policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution;
d) a designated risk management oversight function that meets the requirements of paragraph 27;
e) an Internal Capital Adequacy Assessment Process (ICAAP);
f) a management information system(s) (MIS) that is adequate, both under normal circumstances and in periods of stress, for measuring, assessing and reporting on all material risks across the institution; and
g) a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, controlling, mitigating and reporting material risks.

13. The RMF shall include forward-looking scenario analysis and stress testing programs, commensurate with the institution’s size, business mix and complexity, which are based on severe but plausible assumptions.

Risk Management Strategy (RMS)

14. There shall be a Risk Management Strategy (RMS) approved by the Board.

15. A core component of the RMS is the Board’s articulation of the Risk Universe.

16. An RFI shall maintain an RMS that:
a) describes each material risk, and the approach to managing these risks;
b) lists the policies and procedures for dealing with all material risks;
c) summarises the role and responsibilities of the risk management (oversight) function;
d) describes the risk governance relationship between the Board, Board sub-committees and senior management of the RFI; and
e) outlines the approach to ensuring that all persons within the RFI have an awareness of the risk management framework as it relates to their role and for instilling an appropriate risk culture across the institution.

17. In defining the Risk Universe, the Board shall at a minimum consider the extent to which the under-listed risks shall be addressed:
a) credit risk;
b) market risk;
c) liquidity risk;
d) operational risk;
e) information communication technology (ICT) risk;
f) cyber security risk;
g) reputational risk;
h) compliance risk;
i) concentration risk;
j) country and transfer risk;
k) interest rate risk in the banking book;
l) risks arising from the strategic objectives and plans; and
m) other risks that, singularly or in combination with different risks, may have a material impact on the institution.
Risk Appetite

18. An RFI shall maintain an appropriate, clear and concise risk appetite statement which addresses the RFI’s material risks.

19. The risk appetite statement shall, at a minimum, convey:
a) the degree of risk that the RFI is prepared to accept in pursuit of its strategic objectives and plan, giving consideration to the interests of depositors and other stakeholders;
b) for each material risk, the maximum level of risk within which the RFI is willing to operate. This is expressed as a risk limit based on its risk appetite, risk profile and capital strength (risk tolerance);
c) the process for ensuring that risk tolerances are set at an appropriate level, based on an estimate of the likelihood and impact of each material risk being realised in the event that a risk tolerance is breached;
d) the process for monitoring compliance with each risk tolerance and for taking appropriate action in the event of a breach; and
e) the timing and process for review of the risk appetite and risk tolerances.

Strategic Plan

20. An RFI shall maintain a written plan for the institution that sets out its approach for the implementation of its strategic objectives.

21. The strategic plan shall be a rolling plan of at least three (3) years’ duration that is reviewed at least once a year, with the results of the review reported to the Board. The strategic plan shall cover the entirety of the institution and be approved by the Board.

22. An RFI shall identify and consider the material risks associated with the institution’s strategic objectives and plan, and shall explicitly manage these risks through the risk management framework. This shall take into account how changing these plans affects the RFI’s risk profile.

Policies and Procedures

23. The policies and procedures required under subparagraph 16(b) shall include:
a) the process for identifying and assessing material risks and controls;
b) the process for the validation, approval and use of any models to measure components of risk;
c) the process for establishing, implementing and testing mitigation strategies and control mechanisms for material risks;
d) the process for monitoring, communicating and reporting risk issues, including escalation procedures for the reporting of material events and incidents;
e) the process for identifying, monitoring and managing potential and actual conflicts of interest;
f) the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements;
g) the process for ensuring consistency across the risk management framework, including the components identified under paragraph 12;
h) the process for establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted) for the operation of the risk management framework in stressed conditions; and
i) the process for review of the risk management framework.

Risk Culture and Organisational Accountability for Risk

24. There shall be a risk culture which effectively communicates and demonstrates accountability for risks by officers, management and all employees engaged in the business established by the RMF and RMS.

25. The Three Lines of Defence Model generally refers to the whole-of-enterprise discipline of risk management that spans the Board and its Committees, the business lines, the corporate support functions, the risk management (oversight) function, the compliance function and the audit function. Under this organisational model of risk management, everyone is responsible for sound risk practices in the course of business. The first line of defence is the business lines that take risk. The second line of defence is the risk management and compliance oversight functions. The third line of defence is the independent audit and assurance function.

26. The RMF shall articulate the respective duties that each line of defence shall undertake to promote and ensure the effectiveness of the risk culture in the business.

Risk Management Oversight Function

27. An RFI shall have a designated risk management oversight function, which at a minimum:
a) is responsible for assisting the Board, Board sub-committees and senior management of the RFI to maintain the risk management framework;
b) is appropriate to the size, business mix and complexity of the institution;
c) is operationally independent;
d) has the necessary authority and reporting lines to the Board, Board sub-committees and senior management of the RFI to conduct its risk management activities in an effective and independent manner;
e) is resourced with staff who have clearly defined roles and responsibilities and who possess appropriate experience and qualifications to exercise those responsibilities;
f) has access to all aspects of the institution that have the potential to generate material risk; and
g) is required to notify the Board of any significant breach of, or material deviation from, the risk management framework.
28. An RFI shall designate a Chief Risk Officer (CRO) to be responsible for the oversight function provided in paragraph 27. The CRO shall be involved in, and have the authority to provide effective assessment of, activities and decisions that may materially affect the institution’s risk profile.

29. The CRO shall be responsible for supporting the Board in its engagement with and oversight of the development of the bank’s risk appetite and RAS and for translating the risk appetite into a risk limits structure.

30. The CRO role shall be independent from business lines, other revenue-generating responsibilities and the finance function. There shall be no “dual hatting” (i.e. the chief operating officer, CFO, chief internal auditor or other senior manager should in principle not also serve as the CRO).

31. The CRO shall report directly to the Chief Executive Officer (CEO) and have regular and unfettered access to the Board and the Board Risk Committee.

Management Information System (MIS)

32. The MIS shall provide the Board, Board sub-committees and senior management of the RFI with regular, accurate and timely information concerning the RFI’s risk profile. The MIS shall be supported by a robust data framework that enables the aggregation of exposures and risk measures across business lines, prompt reporting of limit breaches, forward-looking scenario analysis and stress testing. Data quality shall be adequate for timely and accurate measurement, assessment and reporting on all material risks across the RFI. The MIS shall also provide a sound basis for making decisions.

Compliance Function

33. An RFI shall have a designated compliance function that assists senior management of the RFI in effectively managing compliance risks. The compliance function shall be adequately staffed by appropriately trained and competent persons who have sufficient authority to perform their role effectively, and have a reporting line independent from business lines.
Review of the Risk Management Framework

34. An RFI shall ensure that compliance with, and the effectiveness of, the risk management framework of the institution is subject to review by internal and/or external audit at least once a year. The outcome of this review shall be reported to the RFI’s Board Audit Committee.

35. An RFI shall, in addition to paragraph 34, ensure that the appropriateness, effectiveness and adequacy of the RFI’s risk management framework are subject to a comprehensive review by operationally independent, well trained and competent persons (this may include external consultants) at least once every three (3) years. The outcome of this review shall be reported to the institution’s Board Risk Committee.

36. The scope of the comprehensive review shall be commensurate to the size, business mix and complexity of the institution, the extent of any change to its operations or risk appetite, and any changes to the external environment in which the RFI operates.

37. The comprehensive review of the RMF shall, at a minimum, assess whether:
a) the framework has been implemented and is effective;
b) the RMF remains appropriate, taking into account the current strategic plan;
c) the RMF remains consistent with the Board’s risk appetite;
d) the RMF is supported by adequate resources; and
e) the RMS accurately documents the key elements of the risk management framework that give effect to the strategy for managing risk.

38. Where a material change to the size, business mix and complexity of the operations is identified outside the review required in paragraph 37, the RFI shall assess whether any amendment to, or a review of, the RMF is necessary to take account of these developments at that time.

Risk Management Declaration

39. The Board of an RFI shall make an annual declaration on the risk management of the RFI to BoG and in its annual report and/or website (risk management declaration). The declaration shall satisfy the requirements set out in Annexure A to this Directive. The declaration shall be signed by the chairperson of the Board and the chairperson of the Board Risk Committee.

40. The Board of an RFI shall qualify the risk management declaration of the RFI if there has been any significant breach of, or material deviation from, the risk management framework or the requirements set out in Annexure A to this Directive. Any qualification shall include a description of the cause and circumstances of the qualification and steps taken, or proposed to be taken, to remedy the problem.

41. Unless otherwise approved by BoG, an RFI shall submit the risk management declaration of the RFI to BoG:
a) not later than 31st March of the ensuing year in the case of a bank; and
b) not later than 30th April of the ensuing year in the case of all other RFIs.

Notification Requirements

42. An RFI shall submit a copy of its approved RMF to the BoG not later than one hundred and eighty (180) days after the publication of this directive.

43. Upon the incorporation of a material revision, an RFI shall submit to BoG a copy of its revised RMF not more than ten (10) business days after Board approval.

44. An RFI must notify BoG not more than ten (10) business days after it becomes aware:
a) of a significant breach of, or material deviation from, the RMF of the RFI; or
b) that the RMF of the RFI did not adequately address a material risk.

45. Where an RFI conducts business in a jurisdiction outside Ghana, it shall notify BoG not more than ten (10) business days after it becomes aware that its right to conduct business in that jurisdiction has been materially affected by the laws of that jurisdiction or its right to conduct business has ceased.

Exemptions

46. BoG may exempt a category of RFIs from complying with a specific requirement of this Directive.

Additional Directives

47. BoG may issue further directives regarding material risk areas it considers necessary or appropriate to ensure prudent management of those risk areas.
ANNEXURE A – RISK MANAGEMENT DECLARATION REQUIREMENTS