2022-08-01

Guideline 14 Risk Management for Commercial Banks in The Gambia

The Central Bank of The Gambia mandates that commercial banks implement comprehensive, scalable risk management frameworks covering credit, market, liquidity, operational, reputational, and ESG risks. Banks must establish clear board oversight and senior management execution through defined policies, risk limits, and continuous identification, measurement, monitoring, and control processes. This mandatory guideline enforces compliance through specified penalties under the Banking Act 2009 and takes effect on January 31, 2023.


Gambia

Central Bank of The Gambia


CENTRAL BANK OF THE GAMBIA

Guideline 14: Risk Management for Commercial Banks in The Gambia

AUGUST 2022


RISK MANAGEMENT
14.1 INTRODUCTION
14.2.0 RISK MANAGEMENT SYSTEMS
14.3.0 RISK MANAGEMENT STRUCTURE
14.4.0 RISK MANAGEMENT PROCESSES
14.4.1 Risk Identification
14.4.2 Risk Measurement
14.4.3 Risk Monitoring
14.4.4 Risk Control
14.5.0 BASIC ELEMENTS OF A SOUND RISK MANAGEMENT PROGRAM
14.5.1 Board Actions, Responsibilities and Oversight
14.5.2 Senior Management Actions, Responsibilities, and Oversight
14.5.3 Policies, Procedures and Limits
14.5.4 Risk Monitoring and Management Information Systems
14.5.5 Internal Controls
14.6.0 KEY RISKS AND THEIR MITIGANTS
14.7.0 PENALTIES
14.8.0 EFFECTIVE DATE



14.1 INTRODUCTION

This Guideline is issued in line with Section 71 (3a) of the Banking Act 2009 with initiatives toward implementing a sound basis for risk management in banks. Under the risk-based approach for banking supervision, the supervisory focus is on ensuring that the management of all banks identify, measure, monitor, and control the level and type of risk a bank is exposed to. The Central Bank intends to employ this guideline as a benchmark upon which the risk management practices of banks will be evaluated. The Central Bank expects each bank to take appropriate measures to enhance its risk management policies and procedures using this guideline in observance of the structural recommendations of Guideline 13 – Corporate Governance.

Many of the issues related to risk in this guideline are not mutually exclusive. Rather, they address the spectrum of risks and activities engaged in by a bank. As such, the requirements for internal control processes, senior management oversight, business continuity management, and limits, to name just a few such areas or activities, cannot necessarily be viewed solely as pertinent to a specific risk, as they affect all aspects of a bank’s operations and overlap many areas of risk. Consequently, the establishment of risk management policies, procedures, and practices should be developed and implemented holistically, and adjusted for specific risks and activities.

14.2.0 RISK MANAGEMENT SYSTEMS

This guideline sets out the minimum requirements for risk management systems and frameworks that banks should have in place. The guideline is in line with international practices. The Central Bank acknowledges issues of scalability in financial institutions but urges that bank boards and management strive to meet the minimums stated herein.



14.3.0 RISK MANAGEMENT STRUCTURE

The board of directors is responsible for understanding the risks faced by the bank and ensuring that they are appropriately managed. The board should understand the level and type of risk in which the bank is engaged and its risk-bearing capacity. The board should ensure that there is a risk management function that reports directly to the board or a committee thereof. The board and/or a Risk Management Committee (if the bank finds it appropriate to establish a separate committee) and the risk manager should be actively engaged in evaluating the overall risks faced by the bank and determining the level of risks that will be in its best interests. Each bank should develop its own comprehensive Risk Management Program tailored to its needs and circumstances. At a minimum, the Program should cover both inherent and ancillary risks as follows:

i. Operational Risk;
ii. Credit Risk;
iii. Liquidity Risk;
iv. Market Risk;
v. Reputational Risk; and
vi. Environmental, Social, and Governance Risk (ESG).

14.4.0 RISK MANAGEMENT PROCESSES

All risk management processes must be incorporated into a bank’s risk management program. These processes are outlined below:

14.4.1 Risk Identification

To manage risks, they must first be identified. Every product and service offered by a bank has a unique risk profile often composed of multiple risks. For example, at least four types of risks are usually present in most loans: credit risk, market risk, liquidity risk, and operational risk. The Central Bank considers that lending encompasses all risk levels including Reputational Risk and ESG Risk. Risk identification should be a continuous process and risks should be understood at both the transaction and portfolio levels.

14.4.2 Risk Measurement

Once risks associated with a particular activity have been identified, the next step is to measure the significance of each risk. Each risk should be viewed in terms of its three dimensions: size, duration, and probability. Management should set risk limits and put in place processes for internal risk rating and stress testing as appropriate. Accurate and timely measurement of risk is essential to effective risk management.

As directed in Guideline 13 – Corporate Governance, banks must identify both risk appetite and risk tolerance. Risk appetite is the level of risk that a bank is willing to take in the pursuit of its objectives. For example, a bank might have an appetite for no violations regarding concentrations of credit. Risk tolerance is the level of risk occurring outside the bank’s acceptable level of risk before the institution acts. An example of tolerance is when a bank notices that a borrower or related group of borrowers is approaching its appetite for concentration and takes measures to reduce the concentration before the balance exceeds its stated risk appetite.

14.4.3 Risk Monitoring

Banks should have management information systems (MIS) that accurately identify and measure risks at the inception of transactions and activities. It is equally important for management to have an MIS that monitors significant changes in risk profiles, as the MIS serves as an important management tool for decision-making about risk. In general, monitoring risks means developing reporting systems that identify adverse changes in the risk profiles of significant products, services, and activities and monitoring changes in controls that have been put in place to minimize adverse consequences. There is a need for management to have some form of risk management functions or processes in place that monitor the level and nature of risk in the bank.



14.4.4 Risk Control

Once the risks have been identified and measured for significance, they may be controlled, or their impact minimized by: (i) avoiding or placing limits on certain activities/risks; (ii) mitigating the risks; and/or (iii) offsetting the risks.

It is a primary management function to balance expected rewards against risks and the expenses associated with controlling risks. Banks should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. Management should put in place internal controls aimed at ensuring that risks are prudently managed. The internal and external audit functions as well as the compliance function are integral parts of the risk control process.

14.5.0 BASIC ELEMENTS OF A SOUND RISK MANAGEMENT PROGRAM

At a minimum, the risk management program shall contain the following elements:

14.5.1 Board Actions, Responsibilities and Oversight

The Board of Directors is responsible for the level of risk taken by its bank. The board shall establish the overall business strategies and policies of the bank, including those related to managing and taking risks. The board shall ensure that senior management is fully capable of managing the bank’s activities. The board of directors is responsible for understanding the nature of risks the bank faces and ensuring that management is taking the steps necessary to identify, measure, monitor, and control these risks.

The board shall ensure it receives regular reports that identify the size and significance of the risks and provide clear guidance regarding the level of exposures acceptable to the bank. The directors are responsible for ensuring that senior management implements the procedures and controls necessary to comply with adopted policies.



The Board of Directors must set the tone of the entire institution regarding the observance of its risk management policies.

Minutes of the Board of Directors should clearly reflect the risk management actions and considerations taken during meetings including the risks raised, the individual raising the issue, and the board’s recommended resolution.

As noted in Guideline 13, the Board of Directors is responsible for setting a high ethical standard to be followed at every level of the institution.

14.5.2 Senior Management Actions, Responsibilities, and Oversight

Senior management is responsible for executing the intent expressed by the Board of Directors. Senior management implements strategies in a manner that limits the risks associated with each strategy. Management must be fully involved in the bank’s activities and possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls, and risk monitoring systems are in place and that accountability and lines of authority are clearly defined. Senior management is also responsible for establishing effective internal controls and following the high ethical standards exemplified by the Board of Directors. Senior managers must have a thorough understanding of developments in the financial sector.

14.5.3 Policies, Procedures and Limits

The board and senior management should tailor the risk management policies and procedures to the risks that the bank faces. The policies and procedures should provide detailed guidance for the implementation of the business strategies and include limits in accordance with risk appetite and tolerance levels established by the Board designed to shield the bank from excessive and imprudent risks. The policies and procedures should be reviewed regularly, at a minimum annually, to respond to significant changes in the bank’s activities or business conditions. Management should ensure that the policies and procedures are distributed to members of staff so that they are knowledgeable about them and are able to adhere to them.

14.5.4 Risk Monitoring and Management Information Systems

Senior management must put systems in place to identify and measure all material risk exposures which are supported by information systems that provide senior managers and directors with timely reports on the financial condition, operating performance, and risk exposure of the bank.

The sophistication of risk monitoring and MIS should be consistent with the complexity and diversity of the bank’s operations. Every bank must have management and board reports that support risk-monitoring activities. Banks are expected to have risk monitoring and MIS in place that provide directors and senior management with a clear understanding of the bank’s risk exposures.

14.5.5 Internal Controls

An institution’s internal control structure is critical to the safe and sound functioning of the institution. Establishing and maintaining an effective system of controls, including the enforcement of official lines of authority, and the appropriate separation of duties, are among management’s major responsibilities. Indeed, segregating duties is a fundamental and essential element of a sound risk management and internal control system. Failure to implement and maintain adequate separation of duties can constitute an unsafe and unsound practice and possibly lead to serious losses or otherwise compromise the financial integrity of the bank.

When properly structured, a system of internal controls promotes effective operations and reliable financial and regulatory reporting, and safeguards assets. Properly structured internal controls help ensure compliance with relevant laws, regulations, and institutional policies. An independent and suitably qualified internal auditor who reports directly to the board’s Audit Committee should test internal controls frequently based on pertinent levels of risk. For example, reconciliations could be considered important for a bank with multiple external counterparty relationships and should be monitored by internal control accordingly. Given the importance of appropriate internal controls to banks, the results of audits or reviews conducted by an internal auditor or other persons should be adequately documented, as should management’s responses to them.

A good risk management system should, at a minimum, embrace the above aspects. Senior management should regularly review its risk management program to assess its adequacy in coping with developments in the industry. Understanding the risk profiles of products and services and balancing them with actions taken to reduce the adverse consequences of risk-taking allows a bank to optimize revenues and maximize the use of capital.

14.6.0 KEY RISKS AND THEIR MITIGANTS

Operational risk, credit risk, market risk and exchange risk are risks that are inherent in banking activity. Each of these risks, and the measures that must be taken to minimize them, is detailed in additional Guidelines.

14.7.0 PENALTIES

The Guideline is mandatory and failure to comply will attract sanctions/penalties in accordance with the Banking Act 2009 or any other applicable law or regulations.

14.8.0 EFFECTIVE DATE

This Guideline shall come into force on January 31, 2023.
