2016-06-22

Notice No. 07/2016 of June 22: Risk Governance Principles

The Bank of Angola issued Notice No. 07/2016 to establish mandatory risk governance principles and requirements for financial institutions under its supervision. The regulation mandates that institutions define their risk appetite and risk-bearing capacity, ensuring these are aligned with their business strategy and subject to rigorous internal controls. It further requires the implementation of robust risk management frameworks, including clear segregation of duties, comprehensive concentration risk assessments, and strict oversight of outsourcing activities.


Angola

Banco Nacional de Angola


Published in the Official Gazette, First Series, No. 102, of June 22

NOTICE NO. 07/2016

SUBJECT: RISK GOVERNANCE

  • Risk Governance Principles

Given the need for risk governance principles in Financial Institutions and considering that risk acceptance is a fundamental part of their activity, these institutions must find a balance between the risk they are willing to assume and the returns they expect to achieve, in order to ensure a solid and sustainable financial situation.

Considering that the Bank of Angola requires Financial Institutions to establish a robust framework, considering the functions, policies, and risk management processes for the identification, assessment, monitoring, control, and reporting of credit, market, liquidity, and operational risks, as well as their respective concentrations.

In these terms, and under the combined provisions of letters d) and f) of Article 21st and letter d) of paragraph 1 of Article 51st, both of Law No. 16/10, of July 15 – Bank of Angola Law, and Article 90th of Law No. 12/15, of June 17 – Basic Law of Financial Institutions;

I DETERMINE:

Article 1. (Object) This Notice establishes the requirements and principles by which the internal risk governance systems of Financial Institutions must be governed, taking into account the provisions in Notices No. 01/2013 and No. 02/2013, both of April 19, on corporate governance and internal control system, in Notice No. 03/2016, on regulatory capital requirements for credit risk and counterparty credit risk, in Notice No. 04/2016, on regulatory capital requirements for market risk and counterparty credit risk in the trading book, and in Notice No. 05/2016, on regulatory capital requirements for operational risk and in the Instruction on liquidity risk.

Article 2. (Scope) This Notice applies to Financial Institutions under the supervision of the Bank of Angola, hereinafter abbreviated as Institutions, under the terms and conditions provided for in the Basic Law of Financial Institutions.

Article 3. (Definitions) Without prejudice to the definitions established in the Basic Law of Financial Institutions, for the purposes of this Notice, the following are understood:

  1. Risk Appetite: the level of risk that an Institution is willing to accept.
  2. Risk-Bearing Capacity: the level of risk that an Institution can assume, without compromising its long-term solvency.
  3. Senior Management: persons responsible for a function or organizational unit, and who report directly to the Board of Directors.
  4. Key Personnel: persons whose responsibilities are relevant to the functioning of a specific function or organizational unit.

  5. Risk Concentration: concentrations associated with holding multiple risk positions that are correlated. This can also be divided into: a) inter-risk concentration: concentrations associated with simultaneous exposure to different risks; b) intra-risk concentration: concentrations associated with simultaneous exposure to the same risk from multiple risk positions.

  6. Service Provider: service supplier, including products or facilities, to an Institution authorized by the Bank of Angola.

  7. Global Exposure: set of risk positions, regardless of whether they are assets, liabilities, or off-balance sheet items.

  8. Regulatory Capital: "RC" calculated in accordance with Notice No. 02/2016, on regulatory capital.

  9. Board of Directors: group of people, elected by partners or shareholders, tasked with representing the company, deliberating on all matters, and performing all acts to achieve its corporate purpose. It includes, notably, the managers of limited liability companies and the members of the Board of Directors provided for in the Companies Law.

  10. Risk Profile: representation of the actual risk exposure of an Institution. The risk profile is intrinsically linked to the business strategy, and depends on the type of activities carried out by the Institution, as well as the risk inherent in them.

  11. Risk: possibility of a future event occurring with a negative impact on the net worth of Institutions.

  12. Credit Risk: arising from default on contractually established financial commitments by a borrower or a counterparty in operations, including counterparty credit risk.

  13. Counterparty Credit Risk: arising from the default by the counterparty of an operation before the final settlement of the respective financial flows.

  14. Liquidity Risk: arising from the inability of an Institution to meet its responsibilities when they become due.

  15. Market Risk: arising from adverse movements in the prices of bonds, stocks, or commodities, including exchange rate risk and interest rate risk: a) Exchange Rate Risk: arising from movements in exchange rates resulting from currency positions originated by the existence of financial instruments denominated in different currencies; b) Interest Rate Risk: arising from movements in interest rates resulting from mismatches in amount, maturities, or interest rate reset periods observed in financial instruments with interest to be received and paid.

  16. Operational Risk: arising from the inadequacy of internal processes, people, or systems, the possibility of internal and external fraud, as well as external events, including information systems risk and compliance risk, defined as follows: a) Information Systems Risk: risk arising from the inadequacy of information technologies in terms of processing, integrity, control, availability, and continuity, arising from inadequate strategies or use; b) Compliance Risk: risk arising from violations or non-compliance with laws, rules, regulations, contracts, prescribed practices, or ethical standards.

  17. Information and Communication Systems: systems that provide information for the management of organizations, including processes for its collection, treatment, and dissemination, which facilitate operational and strategic activities, used for the management of main components, namely hardware, software, data, processes, and people.

  18. Limit System: composed of risk exposure limits, defined by the Board of Directors, taking into consideration the risk strategy, risk appetite, risk profile, and risk-bearing capacity. The limits are incorporated into information and communication systems in order to enable their effective compliance, notably by issuing alerts to key personnel whenever risk levels approach or exceed limits.

  19. Outsourcing: use of a third-party entity, by an Institution, to carry out activities that would normally be performed by the Institution.

  20. Security: fungible and freely negotiable financial instrument that confers on its holders credit, property, or equity participation rights, including, notably, shares, debentures, participation certificates, units in collective investment institutions, and subscription rights associated with all of them.

  21. Business Unit: element or segment of an organization that represents and performs a specific business function.

Article 4. (Risk Management)

  1. The Board of Directors must have a general perspective of the Institution's overall risk profile considering credit, market, liquidity, and operational risks, classifying them as material or immaterial.

  2. Without prejudice to the provisions of the previous paragraph, Institutions must consider risk concentration, including inter-risk and intra-risk concentration.

  3. The Bank of Angola establishes, in specific regulations on risk governance for credit risk, market risk, liquidity risk, and operational risk, the functions, policies, and risk management processes for the identification, assessment, monitoring, control, and reporting of the respective risks.

Article 5. (Risk-Bearing Capacity)

  1. Institutions must formalize their risk-bearing capacity according to prudent and consistent assumptions. For this purpose, Institutions must consider, at a minimum, the following factors: a) financial capacity; b) management capacity; c) competitive dynamics of the markets in which they operate; d) operational flexibility; e) internal control systems.

  2. The Board of Directors of Institutions is responsible for establishing the methods to be used in determining the Institution's risk-bearing capacity and documenting the assumptions made therein, clearly and objectively, to guarantee the verification of its adequacy, at least annually, and whenever relevant changes occur in the factors referred to in the previous paragraph.

  3. Institutions must ensure that assumed risks are covered by their risk-bearing capacity, considering relevant correlations between risks.

Article 6. (Risk Appetite)

  1. Institutions must adequately consider risk appetite in their strategies, policies, and risk management processes, which must be aligned with the risk-bearing capacity and the overall strategy of the Institution.

  2. The Board of Directors must define the Institution's risk appetite, considering its strategy and long-term objectives, as well as its adaptation to changes in business, macroeconomic, and market conditions.

  3. The Board of Directors may approve an increase in the risk of a certain activity provided it is balanced by a reduction in the risk of another activity, so that the Institution remains within the initially agreed risk appetite.

  4. In determining risk appetite, Institutions must consider the following measures: a) quantitative: which can be translated into risk limits capable of being aggregated and disaggregated to allow measurement of the risk profile against appetite and risk-bearing capacity; b) qualitative: to assess risks that are not quantifiable, notably the consequences at the reputation level resulting from ineffective conduct risk management.

Article 7. (Strategy)

  1. The Board of Directors must define a viable risk strategy, capable of withstanding economic cycles and consistent with risk-bearing capacity and risk appetite, as provided for in Articles 5th and 6th of this Notice, and this responsibility must not be delegated.

  2. The risk strategy and its level of detail must be adequate to the nature of the activity, size, and complexity, and must consider the content in terms of risk of each business in which the Institution operates, always ensuring consistency with the business strategy.

  3. In formulating the strategy, Institutions must consider their legal structure, key business lines, the breadth and diversity of markets, products, and jurisdictions in which they operate or plan to operate, macroeconomic conditions, common market practices, and legal requirements, national and foreign, and their respective updates.

  4. The strategy defined by the Board of Directors must consider the level of sophistication of the Institution's information and communication systems, as well as its systems and processes for risk management.

  5. The risk strategy must contain objectives for risk management regarding material activities and significant risks of Institutions, including a definition and formalization of the Institution's risk appetite based on credible assumptions and reliable and current information.

  6. The Board of Directors must ensure the implementation and monitoring of the strategy, even if this competence can be delegated to senior management.

  7. Within the scope of monitoring and controlling the risks presented in Article 4th of this Notice, the Board of Directors must establish a cross-institutional limit system, in order to ensure compliance with the strategy and risk-bearing capacity.

  8. The limit system must include sub-limits and alerts adapted to the business unit or entity and to types of risks, for risk positions with counterparties or groups of interconnected counterparties, sectors or industries, as well as risk positions with products, currencies, locations, or specific markets.

  9. The Board of Directors must ensure that policies and processes for risk acceptance are developed that are consistent with the risk management strategy and appetite.

  10. In reviews of the risk strategy, risk appetite, risk management policies, and limit system, stress test results must be considered.

  11. In defining the strategy, Institutions must determine the relationship between risk and return on their investments, taking into consideration the cost of capital and respective available equity for its coverage, considering regulatory requirements and those resulting from the Institution's own assessment, as well as its liquidity situation.

  12. The Board of Directors must periodically review the Institution's financial results, at least quarterly, and, based on this analysis, determine if changes in the risk strategy are necessary.

  13. The Board of Directors and senior management must ensure that the risk strategy is properly documented, that it is reviewed regularly, at least annually, in order to reflect changes in risk appetite, risk profile, risk-bearing capacity, and macroeconomic and market conditions.

  14. The Board of Directors and senior management must ensure that the contents of the risk strategy, as well as any changes resulting from its reviews, are communicated internally to areas directly related to the respective contents, in order to guarantee consistency in the overall functioning of the Institution.

Article 8. (Risk Concentration)

  1. Institutions must adequately consider risk concentration in their strategies, policies, and risk management processes, defining the responsibilities of key personnel and developing processes for the identification, assessment, monitoring, control, and reporting of risk concentration, considering inter and intra-risk concentration.

  2. Senior management must evaluate and periodically review the influence of risk concentration on the Institution's business strategy and, analogously, the influence of the business strategy on risk concentration itself.

  3. Institutions must establish a practical definition of what constitutes a material concentration, aligned with their risk-bearing capacity and risk appetite. They must also determine the level of risk concentration resulting from different accepted risk positions, taking into consideration the strategy, size, and geographical location.

  4. The assessment of risk concentration must allow for the quantification of the impact of risk concentrations on profitability, solvency, and liquidity position, as well as ensure compliance with regulatory requirements.

  5. The assessment mentioned in the previous paragraph must be reviewed regularly and reflect changes in the external environment, as well as changes in the Institution's risk profile and consider its strategy.

  6. Institutions must perform risk concentration assessments proportionally to the nature, size, and complexity of the operations in which they are involved.

  7. The risk concentration mitigation techniques used by Institutions must be adequate, feasible, and understood by key personnel.

  8. Institutions must ensure that their risk concentration mitigation measures do not depend too much on certain instruments, which may result in another type of concentration, taking into consideration the nature and quality of mitigation instruments.

  9. Institutions must consider their mitigation techniques in the global exposure to risk concentration.

  10. In the assessment of mitigation techniques, Institutions must analyze the quality of their risk management, internal systems and controls, as well as their capacity for effective management decision-making, in order to adjust risk concentration levels.

Article 9. (Requirements for segregation of duties, duties of senior management and the risk management function)

  1. Institutions must consider the following areas in their organizational and operational structures: a) the one that initiates operations relating to the credit/trading activity (front office/trading desk); b) the one responsible for monitoring and reporting risks (middle office); c) the one responsible for settling and accounting for trading operations (back office).

  2. The areas described in the previous paragraph must be independent of each other, from the lowest levels of the hierarchy up to the level of the Board of Directors.

  3. Institutions must formalize and document the objectives, policies, and processes for the individual management of the risks set out in Article 4th of this Notice and their concentration, notably: a) strategies and processes, keeping in mind risk appetite, risk-bearing capacity, and the business environment; b) structure and organization of the relevant risk management function; c) scope and nature of reporting and risk assessment systems; d) policies for risk hedging or mitigation and strategies and processes to monitor the continuous adequacy and effectiveness thereof.

  4. Institutions must ensure that whenever exceptions to the limit system, mentioned in paragraph 7 of Article 7th of this Notice, occur, these are properly documented and communicated to key personnel and authorized by senior management and, when necessary, by the Board of Directors.

  5. Institutions must establish procedures to monitor exceptions to the limit system, including an adequate escalation procedure and corrective actions by senior management.

  6. Senior management must ensure effective coordination and communication between personnel responsible for managing the various risks.

  7. In order to guarantee effective and efficient compliance with the responsibilities of the risk management function and maintenance of transparency of risk management practices: a) the person responsible for the function established in Article 11th of Notice No. 02/2013, of April 19, on internal control system, the administrator with the risk portfolio, or the person responsible for the delegation of competencies regarding risk management mentioned in Notice No. 01/2013, of April 19 on corporate governance, may be dismissed from their position only after approval by the Board of Directors; b) the dismissal acts referred to in the previous letter must be disclosed together with the information referred to in Article 22nd of Notice No. 01/2013, of April 19, on corporate governance.

  8. Institutions must immediately communicate to the Bank of Angola the reasons that led to the situations referred to in the previous paragraph.

  9. The Board of Directors must guarantee that personnel have adequate training and experience regarding the task they perform, providing training actions to personnel so that they keep up with the evolution of internationally accepted practices.

Article 10. (Outsourcing of Services)

  1. The Board of Directors must establish adequate and comprehensive procedures regarding the outsourcing of services.

  2. Institutions must establish a comprehensive policy for outsourcing risk management, in order to consider outsourced activities and the relationship with the service provider.

  3. The outsourcing risk management policy must include contingency plans, which must cover recovery plans and periodic tests of security systems and exit strategies.

  4. Institutions must ensure that outsourcing does not affect their capacity to fulfill their obligations towards clients, nor constitute an impediment to effective supervision by the Bank of Angola.

  5. The segregation of duties established in paragraph 1 of Article 9th of this Notice must be observed at the level of service providers.

  6. Senior management must ensure effective coordination and communication between personnel responsible for managing the various risks and those responsible for acquiring external services, notably outsourcing agreements.

  7. Institutions must establish a process for the assessment and subsequent selection of service providers.

  8. Outsourcing relationships must be guided by contracts that describe the relevant aspects thereof, including the rights, duties, and expectations of the intervening parties, data ownership and confidentiality, as well as contract termination rights.

  9. The Bank of Angola may determine that certain activities are not capable of being carried out using service providers.

Article 11. (Information and Communication Systems)

  1. Institutions must have effective and reliable information and communication systems that cover all their activities.

  2. The level of sophistication of information and communication systems must depend on the nature, size, and complexity of the business activities of Institutions.

  3. Information and communication systems must be articulated among all activities, in order to allow effective management of the Institution's risks and their concentration.

  4. Institutions must ensure that their information and communication systems, including those that contain and use data, are secure, subject to independent oversight, and
