Circular No. 23/2018 on Risk Management in Credit Institutions

[Logo: BRB]

BANK OF THE REPUBLIC OF BURUNDI

THE GOVERNOR

CIRCULAR No. 23/2018 ON RISK MANAGEMENT IN CREDIT INSTITUTIONS ISSUED PURSUANT TO LAW No. 1/17 OF 22 AUGUST 2017 GOVERNING BANKING ACTIVITIES

Having regard to Law No. 1/34 of 02 December 2008 establishing the Statutes of the Bank of the Republic of Burundi, particularly Articles 7 (paragraphs 4 and 6) and 8;

Having regard to Law No. 1/17 of 22 August 2017 governing banking activities, particularly Articles 49, 50 and 70;

Having regard to Circular No. 6/2018 on the segmentation of credit institution risks;

Having regard to Circular No. 12/2018 on risk classification and the establishment of provisions by credit institutions;

Having reviewed Circular No. 23/2017 on risk management in credit institutions;

The Bank of the Republic of Burundi, hereinafter referred to as the "Central Bank", hereby enacts:

CHAPTER I: GENERAL PROVISIONS

Article 1: Purpose

This circular aims to establish the minimum prudential rules applicable to credit institutions regarding risk management.

Article 2: Definitions

For the purposes of this circular, the following terms shall mean:

compliance charter, a document that sets out the objectives of the Compliance function, establishes its independence, defines its responsibilities and competencies, describes its relationships with other functions responsible for risk management and control as well as with internal audit;

credit institution, banks and financial institutions;

---

2

strategic plan, a document containing the general objectives of the institution, the full range of actions and strategies that facilitate the acquisition, use and allocation of resources to fulfill its missions;

business plan, a document that describes business goals, financial balance and risk management objectives, and outlines the steps to be taken to achieve these goals and objectives;

risk in a credit institution, exposure to a more or less foreseeable hazard that is likely to result in a financial loss, thereby impacting equity. The nature of the hazard depends on the risk typology (credit, liquidity, operational, etc.).

credit risk, the risk that a borrower or counterparty of a credit institution fails to meet its obligations in accordance with agreed terms;

liquidity risk, the risk that a credit institution is unable to meet its financial obligations as they fall due without incurring significant losses;

foreign exchange risk, the risk that fluctuations in exchange rates negatively impact the value of a bank's positions;

interest rate risk, the risk incurred due to unfavorable changes in interest rates across all on-balance sheet and off-balance sheet operations of the credit institution;

operational risk, the risk of direct or indirect losses due to inadequacy or failure of procedures (absent or incomplete analysis/control, insecure procedures), personnel (error, malice or fraud), internal systems (IT failure,...) or external events (flood, fire,...). This risk includes legal risk but excludes reputational risk and strategic risk:

strategic risk, risk related to a credit institution's inability to:

• grasp the environment;
• develop sufficiently forward-looking strategies to ensure the ongoing relevance and sustainability of its activities;
• develop products and services that respond to market dynamics and requirements;
• communicate its strategy across the organization.

This risk manifests in poor results stemming from unfavorable decisions or poor implementation of decisions;

---

3

compliance risk, the risk of a credit institution being exposed to reputational damage, judicial, administrative or disciplinary sanctions, or financial losses, due to non-compliance with applicable standards, namely legal and regulatory provisions, standards and practices applicable to its activities, or codes of conduct;

country risk, the risk of loss resulting from events occurring in a foreign country. This concept is broader than sovereign risk, as it covers all forms of lending and investment concerning individuals, companies, banks and States.

Article 3: Role of the Board of Directors

The Board of Directors of a credit institution sets the level of risk acceptance that the institution is willing to assume or tolerate and formally approves risk management strategies.

It regularly evaluates the crisis simulation program and ensures it accounts for significant risk sources and adopts plausible crisis scenarios. The results of this program must be integrated into decision-making and risk management processes (including contingency provisions), as well as into the assessment of its equity and liquidity levels.

Article 4: Role of Senior Management

Risk management strategies, policies, procedures and limits must be clearly defined by Senior Management and approved by the Board of Directors. These strategies must be documented, regularly reviewed to reflect the level of risk acceptance, risk profile and market and macroeconomic developments, and communicated within the institution.

Article 5: Implementation of Risk Management Systems

The credit institution must implement risk management systems capable of identifying, measuring, monitoring and controlling, or mitigating the various types of risks to which it is exposed.

These systems must be adapted to the nature, volume and degree of complexity of the credit institution's activities and operations; and regularly adjusted according to its risk profile and market developments.

It must also have adapted information systems that, under normal conditions and periods of stress, allow for measuring and evaluating the size, composition and quality of risk exposure, and reporting on it. Reports on this matter must reflect the institution's risk profile as well as its equity and liquidity needs, and must be presented in a timely manner to the Board of Directors and Senior Management in a format suitable for their use.

---

4

The management of each risk comprises the following steps:

• identification: all products and services offered by the credit institution have a unique risk profile composed of multiple risks. It covers in particular the operational processes for implementing activities and support functions. Risk identification must be a continuous process, and risk must be understood at both the transaction and portfolio levels.

• analysis and measurement: once risks associated with a particular activity have been identified, the next step is to measure the magnitude of each risk. Each risk must be considered in terms of its three dimensions: size, duration and probability of adverse events.

• risk monitoring: credit institutions must implement an Information and Management System (IMS) that accurately identifies and measures risks at the inception of operations and activities. The IMS monitors significant changes in risk profiles. As many credit institutions rely heavily on net interest margins for survival, it is important to implement an IMS that reflects the impact of interest rate risk variations.

• risk control: in addition to risk monitoring, the credit institution must implement adequate control and audit procedures. To this end, it ensures an appropriate internal control system relative to its risk profile and monitors the effectiveness of internal and external audit.

Article 6: Risk Management Function

The credit institution must have a risk management function covering all significant risks, equipped with sufficient resources, independence and authority. Thus, each institution must prepare a Risk Management Program (RMP) tailored to its needs and the circumstances in which it operates.

The risk management function must be clearly separated from risk-taking functions within the credit institution and must report directly to Senior Management on risk exposures, with a copy to the Risk Management Committee. The Head of the Risk Management Function may, at its own initiative or at the request of the Risk Management Committee, report directly to them.

The Risk Management Program (RMP) must contain effective processes enabling the risk management function to:

• identify current and emerging risks;
• develop risk assessment and measurement systems;
• establish policies, practices and other control mechanisms to manage risks;
• develop quantified risk tolerance limits, risk by risk, and monitor them;

---

5

• design crisis scenarios, adapted to their risk profile and systemic importance;
• present risk monitoring results to Senior Management and the Board of Directors.

Article 7: Risk Mapping

The credit institution must establish a risk map and a methodology to measure different risks.

Article 8: Holistic Risk Consideration

The credit institution's risk management strategies, policies and procedures must be consistent and integrated into the institution's overall risk management framework.

It must conduct crisis simulations accounting for at least two risks taken simultaneously and measure their overall impact on results and equity.

It must also ensure that periodic control is exercised over the validity and consistency of parameters and assumptions used for the assessment of each risk.

Article 9: Establishment of Provisions for Identified Risks

The credit institution, on its own initiative or that of the Central Bank, sets percentages or guidelines, or decides for each risk, depending on whether it is evident, the provisions to be established.

CHAPTER II: PROPER RISK MANAGEMENT

Section 1: Credit Risk Management

Article 10: Credit Risk Management Framework

The credit institution must implement policies and procedures that enable the detection, measurement, assessment, monitoring and control, or mitigation of credit risk, including counterparty risk and potential future exposures.

The institution's Board of Directors approves and reviews at regular intervals, at least annually, the credit risk management strategy as well as policies and procedures to ensure they correspond to the level of risk acceptance it has set.

Article 11: Credit Risk Identification Procedures

The credit institution must have prudent credit risk selection procedures and a risk measurement system enabling it, in particular, to:

---

6

• centrally identify its on-balance sheet and off-balance sheet risks vis-à-vis a counterparty or counterparties considered as a single beneficiary;
• grasp different levels of credit risk from qualitative and quantitative information;
• grasp and control concentration risk through documented procedures;
• verify the adequacy of exposure diversification against its credit policy.

Article 12: Credit Granting Procedures

The credit institution must ensure that the credit granting process is organized with written internal procedures specifying credit risk assessment criteria as well as the definition of responsibilities for persons and bodies authorized to commit the institution. These criteria must be adapted to the institution's characteristics, particularly its size, nature and complexity of activities.

Credit granting procedures must cover the various aspects of credit granting activities, including file preparation, application analysis, file approval, disbursement, credit monitoring and recovery, as well as resulting administrative operations. They must include prudent and appropriate lending limits, corresponding to the level of risk acceptance, risk profile and financial standing of the institution, which are understood by the relevant staff and regularly communicated to them.

The credit institution must implement procedures for approving credit extensions, renewals and restructuring. It must provide that exposures exceeding a certain amount or percentage of equity fall under the decision of the Board of Directors or Senior Management.

The same rule applies to particularly risky exposures or those falling outside the institution's usual activities.

Article 13: Credit Application File Preparation

Credit applications give rise to the preparation of files, regularly updated, containing complete audited financial statements for corporate clients as well as quantitative and qualitative information, enabling credit risk assessment by taking into account elements on the beneficiary's financial situation, particularly its repayment capacity and received guarantees.

Credit granting decisions must take into account the overall profitability of operations conducted with the client through forward-looking analysis of related expenses and revenues.

---

7

Article 14: Analysis of Loan Quality and Provisioning

The credit institution must regularly, and at least quarterly, analyze the evolution of the quality of its loans and exposures. This review allows, in particular, to determine necessary reclassifications within internal credit risk assessment categories, as well as, as needed, allocations to doubtful loan accounting entries and appropriate provisioning levels.

Provisioning must be determined loan by loan, in compliance with regulatory minimum rates, taking into account all information available to the credit institution, including on the debtor's quality, regardless of whether the loan is subject to regular repayment.

The provisioning policy must be determined by a function independent of the credit sales function, to guarantee the absence of conflicts of interest.

Senior Management must regularly inform the Board of Directors of the evolution of major risks extended to related parties, sectoral exposure and the level of provisioning by individual and sectoral risk.

Article 15: Credit Concentration Risk Measurement Framework

The credit institution must establish credit concentration risk measurement frameworks.

These frameworks must take into account risk concentration on the same individual counterparty or group of related counterparties, as well as concentrations by credit type, economic sector, geographic zone and guarantee type.

The credit institution's risk management policies and procedures define thresholds corresponding to acceptable risk concentrations, reflecting the level of risk acceptance, risk profile and financial standing of the credit institution, which are understood by the relevant staff and regularly communicated to them.

Furthermore, all significant concentrations are reviewed and reported to the Board of Directors at least semi-annually.

Article 16: Standards and Procedures for Managing Credit Risk on Related and Affiliated Parties

The credit institution must implement standards and procedures for managing its transactions with related and affiliated parties to ensure transparency and fairness in exposures.

Transactions with related and affiliated parties include on-balance sheet and off-balance sheet exposures and loans, but also service contracts, asset purchases and sales, construction contracts, lease contracts, derivatives transactions, borrowings and debt waivers.

---

8

Article 17: Board of Directors Approval of Transactions with Affiliated Parties

Transactions with affiliated parties are subject to prior approval by the credit institution's Board of Directors when they exceed limits set by this Board, or involve particular risks defined by it. These limits must not exceed those set by the circular on risk segmentation.

The same applies to debt waivers on affiliated parties. Board members with a conflict of interest are excluded from the approval process.

Article 18: Credit Risk Measurement Framework

The credit institution must implement a credit risk measurement framework enabling, in particular, the measurement and aggregation of risk resulting from all on-balance sheet and off-balance sheet operations for which it faces counterparty default risk, and allowing the establishment of appropriate provisions.

Credit risk analysis must in particular take into account the nature of activities conducted by the credit applicant, its financial situation, the asset base of its main shareholders or partners, its repayment capacity and the guarantees it has offered.

For risks on a company, it is also necessary to take into account the analysis of its economic environment, the characteristics of partners or shareholders and management, and entities with which it forms a group of interest.

Article 19: Credit Risk Monitoring and Control Framework

The credit institution must implement adequate monitoring and control mechanisms for credit risk enabling it to ensure:

• compliance with the implementation of credit risk management strategies, policies and procedures put in place;
• the quality of these strategies, policies and procedures for potential updates;
• compliance with limits on individual exposures, related parties and affiliated parties;
• the implementation of the credit risk identification, analysis and measurement process;
• the adequacy of its equity relative to its credit risk profile;
• the implementation of credit risk mitigation or control mechanisms.

---

9

Article 20: Crisis Simulations

The credit institution must periodically conduct crisis simulations to evaluate the vulnerability of its credit portfolio in the event of a market downturn or deterioration in counterparty quality.

It must also conduct crisis simulations for its main forms of credit concentration and examine their impact on its results and equity.

Section 2: Liquidity Risk Management

Article 21: Liquidity Risk Management Framework

The credit institution must establish a liquidity risk management strategy adapted to its risk profile as well as prudent policies and procedures corresponding to the level of liquidity risk acceptance, which enable the detection, measurement, assessment, monitoring and control, or mitigation of liquidity risk on a permanent and prospective basis. This framework ensures it permanently, notably through a buffer of high-quality liquid assets, sufficient liquidity to cope with a variety of stress situations, particularly any incident that could dry up or diminish its funding sources.

The Board of Directors of a credit institution must:

• set guidelines on the institution's liquidity risk tolerance;
• approve a liquidity risk management strategy, policies and procedures as well as contingency funding plans;
• conduct a regular review, at least annually, of the credit institution's liquidity risk profile;
• ensure appropriate adjustment of the strategy, policies and procedures for managing this risk based on the evolution of the institution's risk profile and market and macroeconomic conditions in which the institution operates;
• ensure that Senior Management effectively applies liquidity risk management policies and procedures, in accordance with the institution's risk acceptance level.

Article 22: Liquidity Risk Identification Procedures

The credit institution must have liquidity risk identification procedures enabling it to:

• identify the different sources of liquidity risk to which it is exposed, their impact on the risk profile and liquidity position;
• grasp the concentration risk of funding sources;

---

10

• capture any potential source of liquidity risk at the level of its balance sheet structure, off-balance sheet activities, exposure to other risks and market conditions;
• identify the impact of correlation with other risks that may underlie liquidity risk, notably credit, foreign exchange, interest rate, operational risks, etc.;
• identify and grasp the effects resulting from macroeconomic conditions and market conditions on its liquidity risk;
• identify the types, quality and quantity of liquid assets to hold to adequately meet its liquidity needs.

Article 23: Liquidity Risk Measurement Framework

The credit institution must implement a liquidity risk measurement framework based on a consistent methodology taking into account its risk profile, size, nature and complexity of its activities.

This framework must include a secure mechanism for a complete projection of cash flows related to assets, liabilities and off-balance sheet items s