CENTRAL BANK OF NIGERIA Guidance Notes on Supervisory Review Process

TABLE OF CONTENTS
SUPERVISORY REVIEW PROCESS.
1.0	INTRODUCTION.
2.0	INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP) ………………………………………………………………………… 3
	General Rules for the ICAAP .
2.1
2.2	Proportionality in the ICAAP.
2.3	Features of the ICAAP …
2.3.1	Comprehensive Identification of Risks
2.3.2	Sound Capital Assessment.
	Stress testing
2.3.3	Corporate Governance in the ICAAP .
2.3.4
2.3.5	Monitoring and Reporting
2.3.6	Internal Control Review .
2.4	Regulatory Reporting of the ICAAP .
2.4.1	Content and structure .
2.4.2	Frequency of ICAAP reporting
3.0	SUPERVISORY REVIEW AND EVALUATION PROCESS (SREP)
3.1	General Rules for the SREP
3.2	Stages of the SREP
3.3	Proportionality of the SREP
ANNEX A:	RISKS SUBJECT TO THE INTERNAL CAPITAL ADEQUACY ASSESSMENT
	PROCESS (ICAAP) .
ANNEX B: GUIDE FOR ICAAP REPORTING

Supervisory Review Process

1.0 Introduction

The Supervisory Review Process is structured along two separate but complementary stages. i) The Internal Capital Adequacy Assessment Process (ICAAP)1, and ii) The Supervisory Review and Evaluation process (SREP)2

2.0 Internal Capital Adequacy Assessment Process (Icaap)

• The ICAAP is based on appropriate risk management systems that require adequate corporate governance mechanisms, an organisational framework with clear lines of responsibility, and effective internal control systems because capital cannot be regarded as a substitute for addressing inadequate risk management processes.

• The ICAAP shall be documented, understood and shared by all bank structures and shall be subject to independent internal review.

• The respective banks' boards are entirely responsible for the ICAAP. They are expected to independently establish the design and organisation in accordance with the risk appetite of the bank. They are also responsible for the implementation and the annual update of the ICAAP and the resulting calculation of internal capital in order to ensure it is still in conformity with the banks' operations and environment.

• On an annual basis, banks shall render returns to the Central Bank of Nigeria (CBN) on the key features of the ICAAP, their risk exposure and the level of

    																																																										 1 The	ICAAP	requires	banks	to	perform	an	independent	and	complete	assessment	of	the	risks	to	which	they	are	exposed	and	calculate	an internal	capital	requirement 2 SREP is	 performed	 by	 the	 CBN,	 who	 reviews	 the	 ICAAP,	 formulates	 an	 overall	 opinion	 about	 the	 bank	 and,	 where	 necessary,	 takes remedial	measures.	The	SREP	is	the	process	by	which	the	CBN	reviews	and	assesses	the	ICAAP,	analyses	the	bank's	own	assessment	of	its risk	profile,	 the	corporate	governance	system	as	it	relates	 to	 the	ICAAP	and	 the	internal	control	system,	and	verifies	overall	compliance with	prudential	rules	in	calculating	internal	capital
  

capital deemed adequate to support those risks. The report shall also contain a self-assessment of the ICAAP, areas for improvement, any deficiencies in the process and the corrective measures to be taken.

2.1 General Rules For The Icaap

i) Banks shall have a process for determining the total capital, currently and prospectively necessary to support all material risks. This process shall be;

• formalized and documented, - subject to internal review and approval by board and management. - proportionate to the nature, scale and complexity of the business conducted.

ii) The calculation of total capital requires an assessment of all the risks to which a bank is or may be exposed, including those not considered in calculating the capital requirement under Pillar 1.

iii) Banks shall determine the risks, other than credit, counterparty, market and operational risks, for which the adoption of quantitative methodologies that can be used in determining internal capital would be appropriate3, and those for which control and mitigation measures, in combination or alternatively, would be more suitable.

2.2 Proportionality In The Icaap

The principle of proportionality shall apply to the following aspects: i) The methodologies used in measuring/assessing risks and in determining the related internal capital; ii) The type and nature of the stress tests adopted; iii) The treatment of correlation among risks and the determination of total

internal capital; 3 For the purposes of the provisions of this Regulation, "internal capital" shall mean capital at risk, i.e. the amount of capital related to a given risk that the bank deems necessary to cover losses exceeding a given expected level (this definition assumes that the expected loss shall be covered by net value adjustments – specific and portfolio – of equal amount; where the latter is lower, internal capital shall also cover this difference).

"Total internal capital" shall mean the internal capital related to all material risks faced by the bank, including any internal capital associated with strategic factors. "Capital" and "total capital" shall mean the capital elements that the bank feels it can use to cover "internal capital" and "total internal capital", respectively. iv) The organisational structure of the risk control systems; v) The scope and detail of ICAAP reporting to the CBN.

2.3 Features Of The Icaap

In developing an Internal Capital Adequacy Process, banks shall take cognizance of the key supervisory principles as enunciated by the Basel Committee on Banking Supervision (BCBS July 2006 paragraphs 725-760). The main features are summarized below:

2.3.1 Comprehensive Identification Of Risks

a) Banks shall independently identify the risks to which they are exposed, taking into consideration their operations and the markets in which they operate.

b) This analysis shall consider at a minimum, the risks listed in Annex A. This list is not exhaustive: the identification of any further risk factors connected with its specific operations is left to the prudent assessment of each bank.

c) Banks and banking groups shall clearly identify the sources of the various forms of risks and where these are to be found at the level of operating units, enterprisewide, within the group or from external counterparties. This makes it possible to ascertain whether the regulatory capital requirements calculated at the individual level for the most significant legal entities adequately cover the risks effectively faced by these entities.

2.3.2 Sound Capital Assessment

• In order to calculate internal capital banks should have: a) Designed policies and procedures that clearly identify, measure and report all material risks; b) A process that relates capital adequacy to the level of risks assumed; c) A process that relates capital adequacy goal with the banks' strategic focus and business plan; d) A process of internal controls that reviews and audits continuously the activities of the banks to ensure robustness and integrity of the overall risk management process;

• In addition, banks are required to quantify all material risks they are exposed to using methodologies they deem appropriate in relation to their organisational and operational features.

• For credit, counterparty, market and operational risks, a methodological starting point is provided by the regulatory systems for calculating capital requirements for such forms of risk;

• With regard to interest rate risk, all banks shall assess the impact of hypothetical shocks on the interest rate exposure of the banking book. Where this should cause a significant reduction of a bank's regulatory capital, the CBN shall examine the results with the bank and may adopt appropriate actions; and,

• The ICAAP of banks must be able to show how total capital reconciles with the definition of regulatory capital. Specifically, they shall explain the use of capital instruments that may not be included in regulatory capital but are included in the calculation of internal capital

2.3.3 Stress Testing

• Banks shall conduct stress testing of their risk mitigation and control systems and, where necessary, the adequacy of their internal capital, in order to enhance the assessment of their exposure to risks.

• Stress tests are quantitative and qualitative techniques used by banks to assess their vulnerability to exceptional, but plausible, events. They involve assessing the impact on banks' exposures of specific events (sensitivity analysis) or joint movements of a set of economic and financial variables under adverse scenarios (scenario analysis).

2.3.4 Corporate Governance In The Icaap

• The board and management of banks shall be responsible for the ICAAP.

• They shall establish a framework for assessing the various risks, develop a system to relate risk to banks' capital level, and establish a method for monitoring compliance with internal policies. It is likewise important that the board of directors adopts and supports strong internal controls and written policies and procedures and ensures that management effectively communicates these throughout the organization.

(BCBS July 2006, Par 730)

2.3.5 Monitoring And Reporting

Banks should have a system for monitoring and reporting risk exposures and assessing how their changing business risk profiles affect their capital needs. They are therefore required to: a) Evaluate the level and trend of material risks and their effects on capital levels; b) Evaluate the sensitivity and reasonableness of the key assumptions used in capital assessment; c) Determine that they hold sufficient capital against the various risks and ensure compliance with established capital adequacy goals; and, d) Assess future capital requirements based on reported risk profiles and indicate any necessary adjustments to be made to the banks' strategic plan based on that assessment.

2.3.6 Internal Control Review

• An effective ICAAP requires that the relationship between risks and capital levels is monitored
• The board should ensure that its system of internal control can monitor its business environment
• The bank should ensure conduct of periodic review to ensure integrity, accuracy and reasonableness of its risk management process. Such reviews should cover: a) Appropriateness of the ICAAP b) Large exposures and risk concentration c) Accuracy and completeness of data input d) Reasonableness and validity of scenarios used in the assessment e) Stress testing and analysis of assumptions / inputs

2.4 Regulatory Reporting Of The Icaap 2.4.1 Content And Structure

a) The ICAAP report will enable the CBN to conduct a complete, documented assessment of the key qualitative features of the capital planning process, the overall exposure to risks and the consequent calculation of total internal capital.

b) The report is transmitted to the CBN along with the relevant board resolutions and senior management reports containing their comments on the ICAAP, in accordance with their respective responsibilities and functions.

c) The report shall be organised, at a minimum, into the areas specified in Annex B.

2.4.2 Frequency Of Icaap Reporting

• On an annual basis, banks shall, not later than the end of April, submit to the CBN the ICAAP report as at 31 December of the previous year.

• Based on the capital reported at the close of the previous year, the ICAAP document shall provide the bank's strategies for taking on risk and ensuring that the related capital needs through the end of the current year are met.

3.0 Supervisory Review And Evaluation Process (Srep) 3.1 General Rules For The Srep

The SREP shall be conducted for banks and banking groups on an annual basis in order to verify that they have established capital and organisational arrangements that are appropriate for the risks they face and ensures overall operational equilibrium.

3.2 Stages Of The Srep

The SREP is organised into the following main stages: a) Analysis of exposure to all material risks and the relative control systems; b) Verification of compliance with capital requirements and other supervisory rules; c) Assessment of the procedure for calculating total internal capital and of the adequacy of total capital in relation to the bank's risk profile; d) Issuance of specific opinions for each form of risk and of an overall opinion on the situation of the bank; e) Determination of any supervisory response

3.3 Proportionality In The Srep

The supervisory review and evaluation process is also informed by the principle of proportionality, under which: a) Corporate governance systems, risk management processes, internal control mechanisms and the determination of capital deemed adequate to cover risks shall be proportionate to the nature, scale and complexity of the business conducted by the banks; b) The frequency and the comprehensiveness of the SREP shall have regard to the systemic importance, nature, size and complexity of banks.

The CBN, as part of its Risk-Based Supervisory process, will review and evaluate the soundness of banks' ICAAP against the expectations set out under the features of ICAAP in this guideline. This review will also consider the comprehensiveness of the ICAAP and the quality of risk management to form a view on the appropriateness of the banks' internal capital targets and its capacity for meeting the targets. Based on these reviews, the CBN may require any bank to, among other things, take action to improve its capital and risk management processes if it is not satisfied with the bank's ICAAP. While the board and senior management of banks maintains primary responsibility for their institution's capital adequacy, the CBN reserves the power to intervene at an early stage to prevent a bank's capital from falling below the level that it deems adequate to support its risks. The CBN may require rapid remedial action if adequate capital is not maintained or restored. This may include the following: a) Altering the risk profile of the bank through business or operational restrictions; b) Directing banks to raise additional capital; c) Strengthening of the systems, procedures and processes concerning risk management, control mechanisms and internal assessment of capital adequacy; d) Prohibition of distribution of profits or other elements of capital; e) Directing the bank to hold an amount of regulatory capital greater than the legal minimum for credit risk, counterparty risk, market risk and operational risk; f) Using other measures as contained in the CBN Supervisory Intervention Framework (SIF) and the BOFIA.

ANNEX A: RISKS SUBJECT TO THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

1. Pillar 1 risks a) Credit risk (including counterparty risk,); b) Market risks; c) Operational risk.

2. Other Risks

a) Concentration risk: the risk arising from exposures to counterparties, groups of connected counterparties, and counterparties in the same economic sector or which engage in the same activity or are from the same geographic region; b) Interest rate risk in the banking book: the risk arising from potential changes in interest rates; c) Residual risk: the risk that recognized credit risk mitigation techniques used by the bank may be less effective than planned; d) Securitization risk: the risk that the economic substance of a securitization operation is not fully reflected in risk assessment and management decisions; e) Business and Strategic risk: the current or prospective risk of a decline in profits or capital caused by changes in the business environment or erroneous decisions, the inadequate implementation of decisions or poor responsiveness to competitive developments; f) Reputational risk: the current or prospective risk of a decline in profits or capital should customers, counterparties, shareholders, investors or supervisors take a negative view of the bank; g) Liquidity risks; Banks' liquidity profile and the liquidity of the markets in which they operate.

h) Compliance with minimum standards and disclosure requirements; i) Factors external to the bank, e.g., business cycle effects

Annex B: Guide For Icaap Reporting

1. Strategies And Forecasting Horizon Adopted

a) Business plan and annual budgets; schedule of reviews of business plan and its components; extraordinary events necessitating review; b) Reconciliation between time horizon of business plan and capital plan; c) Ordinary and extraordinary sources of capital.

2. Corporate governance, organizational arrangements and internal control systems connected with the ICAAP a) Description of the process for the preparation and updating of the ICAAP; b) Description of the process for reviewing the ICAAP; c) Definition of the role and functions assigned to the board and senior management bodies for the purposes of the ICAAP; d) Definition of the role and functions assigned to various corporate functions for the purposes of the ICAAP (for example, internal auditing, compliance, planning, risk management, and other units such as head office and branch network commercial units, accounting and audit); e) Description of organizational and contractual safeguards relating to any elements of the ICAAP that is outsourced; f) Indication of internal regulations relevant to the ICAAP.

3. Risk exposures, risk measurement and aggregation methodologies, stress testing a) Risk mapping: illustration of the position of the bank in respect of Pillar 1 and Pillar 2 risks; b) Risk mapping in relation to bank's operating units and/or legal entities of the group; c) Techniques for risk measurement, internal capital determination and stress testing; d) Description, for every category of measurable risk, of the main characteristics of the main risk control and mitigation instruments; e) General description of systems for control and mitigation of non measurable risks.

4. Components, estimation and allocation of internal capital a) Quantification of internal capital for each risk and total internal capital; b) Any methods for allocating internal capital (by operating unit and/or legal entity).

5. Reconciliation of internal capital, regulatory requirements and regulatory capital a) Reconciliation of total internal capital and regulatory requirements; b) Listing and definition of capital components covering internal capital; c) Eligibility of components covering internal capital to be calculated for supervisory purposes; explanation of inclusion of ineligible components; d) Estimate of cost of using other capital sources in addition to those used.

6. Self -Assessment Of Icaap

a) Identification of the areas of the process amenable to improvement; b) Planning of capital or organisational actions.

7. Organization Of The Icaap Report

1. Executive Summary 2. Structure and Operations 3. Governance Structure 4. Risk Assessment and Capital Adequacy 5. Stress Testing 6. Capital Planning 7. Design, Approval, Review, and Use of ICAAP 8. Challenges and Further Steps 9. Summary of Internal Capital Adequacy Assessment Process 10. Risk Appetite Statement 11. Use of Internal Models for Capital Assessment 12. Review of ICAAP