Bank of Mozambique Administration

Financial Stability Division

Circular No. 01/EFI/2024

Maputo, January 3, 2024

Subject: ANALYTICAL FRAMEWORK FOR RISK-BASED SUPERVISION

Given the need to review the procedures of the Risk-Based Supervision Methodology, considering the evolution of the regulatory framework and international best practices, the diversity of supervised credit institutions and financial companies, the dynamism of their activities, and the risks of money laundering, terrorism financing, and proliferation financing, the Bank of Mozambique determines:

1. The Analytical Framework for Risk-Based Supervision, attached to and forming an integral part of this Circular, is approved.
2. Circular No. 01/SCO/2013, of May 30, which establishes the Analytical Framework for Risk-Based Supervision, is hereby revoked.
3. This Circular enters into force immediately.

Any doubts regarding the interpretation of this Circular must be submitted to the Prudential Supervision Department of the Bank of Mozambique.

BANK OF MOZAMBIQUE Financial Stability Division [Signature] Silvina de Abreu (Administrator)

---

ANALYTICAL FRAMEWORK FOR RISK-BASED SUPERVISION

January 2024

Prudential Supervision Department Bank of Mozambique

---

TABLE OF CONTENTS

1. INTRODUCTION ........................................................................................................................ 1
2. RESPONSIBILITY FOR SUPERVISION ACTIVITIES .................................... 3
3. PRUDENTIAL RISK-BASED SUPERVISION METHODOLOGY ............ 3 3.1. DESCRIPTION AND ANALYSIS OF THE INSTITUTION ................................................................. 4 3.2. PLANNING AND SCHEDULING OF SUPERVISION ACTIVITIES ... 5 3.3. DEFINITION OF ON-SITE INSPECTION OBJECTIVES AND ACTIVITIES ...... 6 3.4. CONDUCT OF ON-SITE INSPECTIONS .................................................................... 7 3.4.1. Working Papers ........................................................................................................ 8 3.4.2. Inspection Report ................................................................................................... 9 3.5. OFF-SITE MONITORING AND CONTINUOUS SUPERVISION ACTIONS ...... 9
4. SUPERVISOR RISK ASSESSMENT PROCESS (PARS) ............. 10
5. CAMELS RATING SYSTEM ................................................................................... 13
6. SUPERVISION OF MONEY LAUNDERING, TERRORISM FINANCING AND FINANCING OF THE PROLIFERATION OF WEAPONS OF MASS DESTRUCTION ........................................................................................................................ 14 6.1. Development of the Institutional Profile in ML/TF/PF ..................................................... 15 6.2. Planning and Scheduling of Supervision Activities in ML/TF/PF ........... 16 6.3. Conduct of On-Site Inspections in ML/TF/PF ............................................................. 16
7. QUALITY CONTROL ............................................................................................ 17

Analytical Framework for Risk-Based Supervision

---

1. INTRODUCTION

This document briefly describes the risk-based supervisory framework adopted by the Bank of Mozambique for monitoring credit institutions and financial companies (ICFCs or simply institutions), within the prudential and anti-money laundering, terrorism financing, and proliferation financing (ML/TF/PF) scope.

The analytical framework establishes an effective process to continuously monitor and assess the safety and soundness of ICFCs, providing a complete and reliable picture of their risk profile and the solidity of the structural elements of their financial situation, through the combination of several processes, namely:

i. Assessment of the risk level and trends associated with current and planned activities; ii. Assessment of management processes to identify, measure, monitor, and control risks; iii. Assessment of the institutions' financial conditions; iv. Assessment of compliance with applicable laws and regulations; v. Clear and transparent communication of findings, specific determinations, and recommendations, and obtaining commitment from the governing body and top management to correct significant deficiencies; and vi. Monitoring the implementation of corrective actions to ensure that all deficiencies are corrected in a timely and assertive manner.

In the risk-based supervision approach, the focus lies on analyzing and evaluating the areas and categories of highest risk for an institution, thereby ensuring efficient and effective supervision. This approach enables the Bank of Mozambique to better manage its resources, allocating them according to the institutions' risk profiles.

The analytical framework applies to all ICFCs operating in Mozambique and is intended to be flexible, allowing inspectors to broadly exercise professional judgment in selecting the tools to apply in the supervisory process.

Analytical Framework for Risk-Based Supervision

---

This includes selecting assessment procedures compatible with the institution's risk profile.

In supervising ICFCs, the Bank of Mozambique applies the concept of proportionality when defining the scope and intensity of necessary actions during off-site and on-site activities, considering factors such as the type of institution, risk profile, systemic relevance, economic-financial condition, complexity, and nature of operations.

Given that the development of the supervisory analytical framework is a dynamic process, due to constant changes in the banking industry both locally and globally, the Bank of Mozambique periodically reviews this instrument to ensure it remains effective and up-to-date.

Analytical Framework for Risk-Based Supervision - 2

---

2. RESPONSIBILITY FOR SUPERVISION ACTIVITIES

The Bank of Mozambique is the entity responsible for supervising ICFCs, as established in Article 37 of Law No. 1/92 of January 3, in conjunction with Article 57 of Law No. 20/2020 of December 31.

Under the supervisory model, there are two sets of activities, namely:

i. Off-site monitoring, which involves the permanent supervision of ICFCs to ensure compliance with applicable regulations through the collection of data and information from supervised institutions and other external sources. To fulfill this activity, each institution is assigned a Responsible Inspector (RI), who is tasked with the permanent monitoring and updating of its risk profile, acting as the permanent contact point between the Bank of Mozambique and the institution; and

ii. On-site inspection, which aims, among other things, to ensure compliance with applicable regulations by evaluating, at the supervised entity's premises or through IT platforms, matters of interest or concern to the supervisor. On-site inspections are technically led by a Coordinating Inspector (CI) who ensures consistency and compliance with all inspection stages, and also acts as the contact point between the Bank of Mozambique and the institution during the inspections.

Quality assurance for all supervisory processes is the responsibility of a quality review team that includes the management chain of the area responsible for prudential supervision.

3. PRUDENTIAL RISK-BASED SUPERVISION METHODOLOGY

The risk-based supervision approach, which emphasizes effective planning, experience, and critical judgment by the supervisor, adjusts supervisory actions to the size and complexity of the institution's activities, concentrating inspection resources on areas exposed to the highest degree of risk.

Analytical Framework for Risk-Based Supervision - 3

---

Thus, the risk-based supervision methodology consists of five main stages, highlighted in the diagram below, each requiring the preparation of specific documentation.

Figure 1: Conceptual Structure of Risk-Based Supervision

STAGES	OUTPUTS
DESCRIPTION AND ANALYSIS OF THE INSTITUTION	INSTITUTIONAL PROFILE (IP) <br> ➤ General Description of the Institution; <br> ➤ Risk Assessment Summary
PRELIMINARY RISK ASSESSMENT
PLANNING OF SUPERVISION ACTIVITIES	ANNUAL SUPERVISION PLAN <br> ➤ On-site inspection; <br> ➤ Other supervision actions
DEFINITION OF INSPECTION OBJECTIVES AND ACTIVITIES	➤ SCOPE MEMORANDUM <br> ➤ INFORMATION REQUEST LETTER; <br> ➤ PRESENTATION LETTER
CONDUCT OF ON-SITE INSPECTION	✔ WORKING PAPERS; <br> ✔ INSPECTION REPORT
RISK RATING UPDATE
OFF-SITE MONITORING AND CONTINUOUS SUPERVISION ACTIONS	✔ UPDATED IP; <br> ✔ OFF-SITE REPORTS

3.1. DESCRIPTION AND ANALYSIS OF THE INSTITUTION

The starting point for risk-based supervision is the development of the institutional profile (institutional knowledge development). This stage is crucial for the

Analytical Framework for Risk-Based Supervision - 4

---

preparation of supervision plans tailored to the institution's characteristics and for their continuous adjustment based on circumstances.

The Institutional Profile (IP) is a dynamic document that supports the entire supervisory process and facilitates continuous monitoring of a given institution. This document is prepared and continuously updated to capture relevant issues occurring between inspection cycles, as a result of endogenous and exogenous factors (technological and market developments within the banking sector and the speed at which an institution's financial condition and risk profile can change). The document contains (i) key information about the institution, (ii) the risk profile assessment based on the Supervisor Risk Assessment Process (PARS) and (iii) the economic-financial condition assessment using the CAMELS Rating System.

3.2. PLANNING AND SCHEDULING OF SUPERVISION ACTIVITIES

A detailed supervision plan is prepared annually and updated as specific circumstances justify.

The supervision plan defines the scope and timeframe for activities, identifies the supervisory tools to be used, as well as the necessary resources. It is linked to areas of highest risk and concern, demonstrates how to address supervisory concerns identified in the risk assessment process and deficiencies observed in the previous inspection.

In addition to off-site monitoring, the following supervisory approaches may be used:

a) Comprehensive or broad-scope on-site inspection; b) Targeted or narrow-scope on-site inspection; c) Unprogrammed or ad-hoc on-site inspection; d) Enhanced monitoring by a resident inspector; e) Prudential meetings with the institution's management; f) Meetings with the institution's external auditors; and

Analytical Framework for Risk-Based Supervision - 5

---

g) Joint assessments with other supervisory entities.

Findings resulting from the application of different supervisory approaches provide more information on risk areas or concerns identified during the risk assessment stage, which assists the Bank of Mozambique in formulating conclusions, based on which it issues specific determinations or recommendations for taking corrective measures or actions.

Specific determinations refer to decisions by the Bank of Mozambique resulting from mandatory regulatory standards.

Recommendations, on the other hand, are voluntarily complied with by the supervised institution and generally stem from international best practices and guidelines.

3.3. DEFINITION OF ON-SITE INSPECTION OBJECTIVES AND ACTIVITIES

Inspections are preceded by the preparation of a Scope Memorandum (SM), which identifies the main objectives and scope of the on-site inspection, and is approved by the Bank of Mozambique's administration. The inspection activities identified in the SM are guided by a top-down approach perspective, which includes a review of the institution's internal risk management systems and an appropriate level of transaction testing. The SM is adjusted to the institution's size, complexity, and risk rating.

To communicate with the institution to be inspected, a presentation letter is prepared, indicating the scope and objectives of the inspection, the designated inspectors, and the start and end dates. However, depending on the circumstances dictating the inspection, the Bank of Mozambique reserves the right not to disclose the start date or the reasons for conducting the inspection.

An Information Request Letter (IRL) is also sent, identifying the information necessary for applying on-site inspection procedures. The IRL is

Analytical Framework for Risk-Based Supervision - 6

---

customized to suit the characteristics and risk profile of the institution to be inspected and the scope of activities to be carried out.

3.4. CONDUCT OF ON-SITE INSPECTIONS

During on-site inspections, which can be conducted at the inspected institution's premises or virtually, inspectors follow the detailed procedures in the ICFC Supervision Manual, adjusting them to each institution's characteristics, considering its size, complexity, and risk profile.

Inspection procedures are executed to the extent necessary to determine whether the institution's management adequately understands and controls the types and levels of risks assumed in business development.

During comprehensive scope inspections, inspectors conduct a holistic assessment and adopt detailed procedures to determine whether risks are adequately identified and managed. The assessment includes procedures to examine the following risk categories:

1. Credit risk;
2. Liquidity risk;
3. Interest rate risk;
4. Exchange rate risk;
5. Operational risk;
6. Strategic risk;
7. Reputational risk;
8. Compliance risk;
9. Information technology risk; and
10. Cyber risk.

Additionally, there are assessment procedures not related to specific risks, but which provide crucial information on risk management quality, namely:

Analytical Framework for Risk-Based Supervision - 7

---

1. Internal audit and control; and
2. Governance system.

Assessment procedures are divided into minimum and standard, whereby:

(i) Minimum procedures are used to assess areas of reduced risk; and

(ii) Standard procedures are used to assess areas identified as having moderate or material risk.

A combination of standard procedures with more detailed review will be used in areas with high risk ratings.

The table below illustrates the relationship between risk ratings and inspection procedures.

Table 1: Relationship between preliminary risk assessment ratings and inspection procedures

REDUCED RISK RATING	MODERATE OR MATERIAL RISK RATING	HIGH RISK RATING
Minimum assessment procedures	Standard assessment procedures	Standard procedures with more detailed review

When the preliminary risk assessment results in a high rating or whenever specific concerns arise requiring more detailed review, inspectors may expand the scope of supervisory activities. These activities are adjusted to address specific areas of concern and may include testing additional transactions, detailed assessment of systems and records, expanding the sample size for reviewing individual credit and investment operations, among others, or greater depth in evaluating the risk management process.

3.4.1. Working Papers

Working papers constitute the primary documentation of the inspection process. They include information in physical and electronic format, prepared or obtained during the process, and are important for the following:

i. Providing evidence of the work performed, findings, and conclusions of the inspection report;

Analytical Framework for Risk-Based Supervision - 8

---

ii. Ensuring that inspection objectives and Bank of Mozambique standards are met; iii. Assessing the quality of work performed and inspector performance; and iv. Planning and conducting future inspection activities.

3.4.2. Inspection Report

Upon completion of the on-site inspection, the Bank of Mozambique produces a report for the inspected institution. This report contains, among other aspects, the inspection objectives and methodology, details of findings by area or risk examined, and respective determinations or recommendations, presented in order of importance with compliance deadlines indicated. The inspection report is shared with the institution's Board of Directors at the closing meeting held at the inspected institution's premises.

3.5. OFF-SITE MONITORING AND CONTINUOUS SUPERVISION ACTIONS

Off-site monitoring consists of evaluating the economic-financial, prudential, and other inherent risk dimensions of institutions individually, aiming to safeguard their soundness and ultimately protect their depositors and other creditors, preventing the institution from becoming a risk to the stability of the national financial system.

This monitoring is conducted continuously, based on the assumption that institutions must maintain their prudential indicators within the limits required by current legislation at all times.

Monitoring for each institution is carried out through the analysis of risks and deviant behaviors, considering either the institution's own data or information, or from a comparative perspective with the universe of institutions (the system).

This activity also involves monitoring the implementation of specific determinations or recommendations addressed to the inspected institution. In this

Analytical Framework for Risk-Based Supervision - 9

---

perspective, monitoring is conducted through the evaluation of periodic reports submitted by the inspected institution.

4. SUPERVISOR RISK ASSESSMENT PROCESS (PARS)

The Supervisor Risk Assessment Process consists of an analytical approach that includes the identification and assessment of risks, as well as the quality of the institution's management controls. To focus supervisory activities on areas of highest risk, a risk assessment is conducted per institution. Through the systematic application of PARS, risk assessment highlights the institution's strengths and weaknesses and provides the basis for determining the supervisory activities to be developed.

PARS consists of six key steps that lead to the production of an institution's risk matrix. The risk matrix summarizes the level of inherent risks associated with the institution's activities and the quality of management functions in mitigating such risks. It also summarizes the direction of these risks after considering internal and external factors that may affect the institution's risk profile over the next twelve months.

The key steps of PARS are as follows:

(i) Identification of Significant Activities/Functional Areas

Significant activities include any lines of business, units, or processes and can be identified from various sources including the organizational chart, strategic or business plan, capital allocation, internal and external financial reports, such as trial balances, balance sheets, and income statements. Identifying significant activities is important for determining the intrinsic risks associated with the institution's activities.

For risk assessment purposes, the Bank of Mozambique has identified ten risks that are mapped within these significant activities to allow for correct identification of intrinsic risk levels.

Analytical Framework for Risk-Based Supervision - 10

---

(ii) Determination of Intrinsic Risk Level

Intrinsic risk is associated with the nature, complexity, and volume of activities that generate the risk in question. It is important to note that the assessment of the quantity of risk (intrinsic risk) is conducted without considering management processes and controls, which are considered in the assessment of the risk management system's quality.

The level of each individual risk will be assessed using qualitative and quantitative criteria. The overall intrinsic risk level will be determined using a geometric mean of the score assigned to each criterion. PARS adopts four intrinsic risk levels, namely reduced, moderate, material, and high, with ratings 1, 2, 3, and 4, respectively.

(iii) Assessment of Risk Management Quality

In assessing an institution's risk management quality, greater attention is paid to reviewing the following essential elements of a good risk management system:

i. Oversight by the governing body and top management; ii. Policies, procedures, and limits; iii. Adequate measurement, monitoring, and management information systems; and iv. Internal controls.

Considering these elements, the robustness of the risk management and control process for each identified risk is assessed. The Bank of Mozambique establishes criteria for evaluating the quality of the risk management system and controls, with the assigned rating depending on the judgment made based on these criteria. The overall risk management quality rating will be determined using a geometric mean of the scores assigned to each essential element.

For risk management classification purposes, the rating grid also includes values 1, 2, 3, and 4, reflecting the existence of a strong, adequate, inadequate, or weak risk management system, respectively.

Analytical Framework for Risk-Based Supervision - 11

---

(iv) Determination of Aggregate Risk

Aggregate risk for each risk category is determined by combining the quantity of intrinsic risk with the quality of risk management systems at the institution. Credit risk at an institution may be inherently high; however, the probability and potential impact (the magnitude of possible losses) can be reduced by applying very conservative credit assessment standards, effective credit administration systems, robust internal controls, and a good alert system. Consequently, after considering these mitigating factors, the overall credit risk profile may be considered material.

The following matrix illustrates the determination of aggregate risk by balancing the observed quantity of intrinsic risk with the quality of risk management systems.

---