Presentation on theme: "Risk-based Supervision for Credit Unions"— Presentation transcript:
1Risk-based Supervision for Credit Unions Credit union supervision workshopKingstown, St. VincentCourtney Christie-veitchFinancial sector supervisor, CARTACAugust , 2014
2Presentation OutlineBackgroundSignificant ActivitiesMaterialityInherent risksQuality of Risk ManagementResidual Risk
3Presentation OutlineDirection of RiskCapital AssessmentEarnings AssessmentLiquidity AssessmentComposite Rating
4Background: Role of Prudential Supervision To protect shareholders/depositorsTo enhance the integrity of the financial systemTo help maintain competitive markets and promote effective competition in the interests of consumers
5Background: How Supervisors Carry Out Their Role The use of judgment in determining whether financial firms are safe and sound;provide appropriate protection for policyholders, depositors or investorsAssess whether firms continue to meet prudential requirements.A judgment-based approachThe assessment of firms not just against current risks, but also against those risks that could plausibly arise in the future.Use of Stress Testing and Scenario Analysis to assess risksA forward-looking approachFocus on those issues and those firms that pose the greatest risk to the stability of the financial system, depositors, investors and policyholdersAllocate scarce resources to greatest areas of need.A risk-focused approach
6The Essence of Risk Taking “Experience taught me a few things. One is to listen to your gut, no matter how good something sounds on paper. The second is that you're generally better off sticking with what you know. And the third is that sometimes your best investments are the ones you don't make.” Donald Trump
7Rationale for Risk-based Approach Resources are not infinite / allocation of scarce resourcesMechanism to prioritize work/on-sites – focus efforts on greatest risksFocus on risks to institution's aims and objectivesBasis for justifying approach, action and decisionDocumented and consistent approach to risk management
8Risk Management Stages Set Risk AppetiteRisk IdentificationRisk MeasurementRisk MitigationRisk ControlRisk Monitoring and ReportingDecision to be Risk-basedSet Risk Context
9Step I: Identifying Significant Activities Line of businessBusiness unitsEnterprise wide process e.g. information technologyActivities can be identified from:Organization structureStrategic plansOperational and Business plansCapital allocations,Financial reporting (internal/external)
10Step II: Determining Materiality Assets generated by the activity relative to total asset sizeRevenue generated by activity in relation to total revenueNet income before tax/total net income before taxRisk weighted assets generated by activity / total RWACapital allocation / total capitalStrategic importance
11Identify the significant activities Group Exercise # 1Using the Annual Reports and Audited Financial Statements provided for the five Credit Unions,Identify the significant activitiesDetermine materiality of the significant activity identified
12Step III: Assess Inherent Risks Inherent risk is risk which cannot be segregated from the activity. It is intrinsic to an activity and arises from exposure to and uncertainty from potential future events. Inherent risks are evaluated by considering the degree of probability and the potential size of an adverse impact on an institution’s capital, liquidity or earnings.
16Inherent Risk RatingLowLow probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.Medium LowLower than average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.ModerateAverage probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.
17Inherent Risk RatingMedium HighHigher than average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential events.HighHigher than above average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.
18Assessing Inherent Risk The CAMELS Rating System Uniform Financial Institutions Rating System (UFIRS)Adopted by Federal Financial Institutions Examination Council (FFIEC) in 1979Assesses six components of a deposit taking financial institution’s performance.Driven by both component and composite ratingsTakes into consideration financial, managerial and compliance factors common to all financial institutions.Licensees evaluated in a uniformed and comprehensive mannerSupervision attention appropriately focused on the financial institutions exhibiting financial and operational weaknesses or adverse trends.
19Assessing Inherent Risk The CAMELS Rating System References to the CAMELS Rating System in this Presentation are based on the Office of the Comptroller of the Currency (OCC) On-site Process Handbook, updated September 2012.The CAMELS Rating System is:Used to assess credit unions in the USAUsed by the majority of Financial Institution Regulators in the CaribbeanA risk assessment tool / not just a management or reporting tool as the PEARLS system
20Objectives of the CAMELS Framework Review and assess the credit union’s capital adequacy frameworkReview and assess the quality of the credit union’s assets (with emphasis on investments and loans).Review and assess Governance/Board and Management OversightReview and assess adequacy of earnings and the credit union’s profitabilityReview and assess the credit union’s liquidity status and adequacy of liquidityReview and assess the credit union’s sensitivity to market risks
21Additional Risks Not Explicitly Considered by CAMELS Review and assess the credit union’s Operational risk management frameworkReview and assess concentration risks in the credit union’s operations (with emphasis on concentration risks in loans, share/savings and investments ).Review and assess reputation risk in the credit unionReview and assess business strategy risk in the credit union
22CAMELS Asset Quality Assessment Soundness of risk identification practices, credit underwriting standards and credit administration practicesLevel, distribution, severity and trend of problem, classified, non accrual, restructured, delinquent and nonperforming assets (on and off balance sheet)
23CAMELS Asset Quality Assessment Adequacy of allowances for loans and lease losses and other valuation reservesCredit risks arising from or induced by off-balance sheet transactions, e.g. unfunded commitments, credit derivatives, commercial and standby letters of credit and lines of credit.
24CAMELS Asset Quality Assessment Diversification and quality of the loan and investment portfolioExtent of securities underwriting activities and exposures to counterparties in trading activitiesExistence of asset concentration
25CAMELS Asset Quality Assessment Ability of management to properly administer its assets, including timely identification and collection of problem assetsAdequacy of internal controls and management information systemsVolume and nature of credit documentation exception.
26Asset Quality RatingStrong asset quality and credit administration practices. Identified weaknesses are minor in nature and risk exposure is modest in relation to the capital protection and management’s abilities.Asset quality is of minimum supervisory concern1Satisfactory asset quality and credit administration practices.The level and severity of classifications and other weaknesses warrant a limited level of supervisory attention.Risk exposure is commensurate with capital protection and management's abilities.2
27Asset Quality RatingAsset quality or credit administration practices are less than satisfactory. Trends may be stable or indicate deterioration in asset quality or increased risk exposureLevel and severity of classified assets, other weaknesses and risks require an elevated level of supervisory concern.A general need to improve credit administration and risk management practices.3Deficient asset quality or credit administration practices. The levels of risk and problem assets are significant, and inadequately controlled, and they subject the financial institution to potential losses that, if left unchecked, may threaten its viability.4Critically deficient asset quality or credit administration practices that present an imminent threat to the institution’s viability.5
28CAMELS Sensitivity to Market Risk Assessment Sensitivity of earnings or the economic value of capital to adverse changes in interest rate, foreign exchange rates, commodity prices or equity pricesThe ability of management to identify, measure, monitor and control exposure to market risk given the size, complexity and risk profile of the FI
29CAMELS Sensitivity to Market Risk Assessment The nature and complexity of interest rate risk exposure arising from non trading positionsThe nature and complexity of market risk exposure arising from trading, asset management activities and foreign exchange operations
30CAMELS Sensitivity to Market Risk Rating Market risk sensitivity is well controlledMinimal potential that earnings performance or capital position will be adversely affectedRisk management practices are strong for the size, sophistication and market risk accepted by the institutionLevel of earnings and capital provide substantial support for the amount of market risk taken by the institution1
31CAMELS Sensitivity to Market Risk Rating Market risk sensitivity is adequately controlledModerate potential that earnings performance or capital position will be adversely affectedRisk management practices are satisfactory for the size, sophistication and market risk accepted by the institutionLevel of earnings and capital provide adequate support for the amount of market risk taken by the institution2
32CAMELS Sensitivity to Market Risk Rating Control of Market risk sensitivity needs improvementSignificant potential that earnings performance or capital position will be adversely affectedRisk management practices need to be improved based on the size, sophistication and market risk accepted by the institutionLevel of earnings and capital may not adequately provide support for the amount of market risk taken by the institution3
33CAMELS Sensitivity to Market Risk Rating Control of market risk sensitivity is unacceptableSignificant potential that earnings performance or capital position will be adversely affectedRisk management practices are deficient for the size, sophistication and market risk accepted by the institutionLevel of earnings and capital provide inadequate support for the amount of market risk taken by the institution4
34CAMELS Sensitivity to Market Risk Rating Control of market risk sensitivity is wholly unacceptableLevel of market risks assumed by institution is an imminent threat to its viabilityRisk management practices are wholly inadequate for the size, sophistication and market risk accepted by the institution5
35Reputational Risk Assessment Corporate GovernanceManagement integrityStaff competence / supportCorporate cultureRisk management and control environment
36Reputational Risk Assessment Financial Soundness / Business viabilityBusiness practicesCustomer satisfactionLegal / regulatory complianceContagion risk / rumorsCrisis managementDisclosure and transparency
37Reputational Risk Rating Strong reputational risk management in all respectsEffective procedures to protect institution from potential threats to reputation and mitigate effects of reputation eventsNo negative publicity regarding the institution’s business practices noted, franchise value only minimally exposed to reputational riskFully effective internal controls and auditManagement fosters sound corporate culture / embedded in the organizationManagement anticipates and responds well to changes of a market or regulatory natureLow losses from fiduciary activitiesExcellent track record on regulatory compliance / limited experience of litigation and customer complaints1
38Reputational Risk Rating Adequate reputational risk management in most casesEffective procedures to protect institution from potential threats to reputation and mitigate effects of reputation eventsNo negative publicity regarding the institution’s business practices noted, franchise value only minimally exposed to reputational riskFully effective internal controls and auditManagement fosters sound corporate culture / embedded in the organizationManagement anticipates but may responds less frequently to changes of a market or regulatory natureMay experience few losses from fiduciary activitiesGood track record on regulatory compliance / limited experience of litigation and customer complaintsSafe and sound performanceFinancial condition of service provider is acceptableWhile internal control weaknesses may exist, there are no significant supervisory concerns.As a result, supervisory action is informal and limited.2
39Reputational Risk Rating Negative publicity regarding business practices is not seriousLevels of litigation, losses and customer complaints are manageable and commensurate with volume of businessNo significant cases of regulatory non-compliance noted and exposure to reputation risk is not expected to increase in the foreseeable futureManagement adequately responds to changes in market, business and regulatory environment.Internal controls and audits are generally effectiveSelf assessment practices are weak and are generally reactive to audit and regulatory exception.Repeat concerns / customer complaints may exist indicating that management may lack the ability or willingness to resolve concerns.Financial condition of service provider may be weak and/negative trends may be evident.While financial and operational failure is unlikely, increased supervision is necessaryFormal or informal action may be necessary to secure correction action.3
40Reputational Risk Rating Negative publicity regarding business practices is increasing and franchise value is substantially exposed by reputation risk.Poor administration, conflicts of interest or other legal or control breaches may exist.Risk management processes inadequately identify and monitor risk and are not appropriate for the size, complexity and risk profile of the institutionUnsatisfactory regulatory compliance, poor record of corrective action and potential exposure from reputation risk is increased by complex products and structuresSignificant weaknesses in management informationManagement does not perform self assessments and demonstrate an inability or unwillingness to correct audit and regulatory concerns.Financial condition of service provider is severely impaired and/or deteriorating.Failure of the financial institution or service provider may be likely unless reputation issues are remedied.Close supervisory attention is necessary and, in most cases, formal enforcement action is warranted.4
41Reputational Risk Rating Financial institutions and service providers operation / performance is critically deficient and in need of immediate remedial action.Negative publicity regarding business practices is increasing and franchise value is substantially exposed by reputation risk.Problems and serious weaknesses may exist in one or more of the critical operational, administrative, loans or investment activitiesRegulatory compliance is critically deficient, no significant improvement notedRisk management processes are severely deficient and provide management little or no perception of risk relative to the size, complexity and risk profile of the institutionManagement does not perform self assessments and demonstrate an inability or unwillingness to correct audit and regulatory concerns.Failure of the financial institution or service provider may be likely unless reputation issues are remedied.Close supervisory attention is necessary and, in most cases, formal enforcement action is warranted.Ongoing supervisory attention is necessary.5
43Operational Risk Assessment Operational risk is "the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses". Basel Definition
44Operational Risk Assessment Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, briberyExternal Fraud- theft of information, hacking damage, third-party theft and forgeryEmployment Practices and Workplace Safety - discrimination, workers compensation, employee health and safetyClients, Products, & Business Practice- market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churningDamage to Physical Assets - natural disasters, terrorism, vandalismBusiness Disruption & Systems Failures - utility disruptions, software failures, hardware failuresExecution, Delivery, & Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
45Strategic Risk Assessment Strategic Risk is the risk of current or prospective impact on the financial institution’s earnings, capital, reputation or standing arising from change in the environment and from adverse strategic decisions, improper implementation of decisions or lack of responsiveness to industry, economic or technological changes.
46Strategic Risk Assessment Four Key Elements:Strategic PlanningAlignment and change managementImplementation and monitoringPerformance evaluation and feedback
47Strategic Risk Assessment Compatibility or suitability of the institution’s goals and objectives (consistent with - corporate vision, values, culture, business direction, risk tolerance)Financial objectives consistent with strategic goalsStrategic decisions are prudent relative to size and complexity
48Strategic Risk Assessment Responsiveness to changes in environmentAdequacy of resources in carrying out strategic decisionsImplementation of strategic decisionsImpact of strategic decisions
49CORBASCEL Proposed Risk Assessment System – Inherent Risks Concentration RiskBusiness Strategy RiskCapitalOperational RiskAsset QualityEarningsReputational RiskSensitivity to Market RiskLiquidity
50Group Exercise # 21. Using a scale of 1 – 5 (1 = Strong and 5 = Critically Deficient), develop a risk scoring (definition) matrix for the following inherent risks:Strategic RiskOperational RiskConcentration Risk2. Identify the inherent risks in each of the significant activities and score on the scale of 1 – 5 for each of the five credit unions provided for the case studies.
51Quality of Risk Management and Oversight Operational ManagementCompliance FunctionInternal Audit / Supervisory Committee FunctionExternal Audit FunctionRisk Management FunctionSenior ManagementBoard Oversight
52Quality of Risk Management Assessment Operational managementDay to day management of significant activitiesAdequate and appropriate for nature, size and complexity of the financial institutionSufficient and effective in managing and mitigating key risksPoliciesprocessesControl systemsStaff levels and experience
53Quality of Risk Management Assessment Board OversightVary based on size, structure and complexity of institutionsInstitutions required to have in place an effective board of directors and senior managementBoard agree risk appetite e.g. aggressive or conservativeBoard of directors ultimately accountable for management and oversight of the institutionDepending on size, board may delegate some oversight responsibilities to board sub-committees e.g.. audit, risk management and human resource
54Quality of Risk Management Assessment Senior Management OversightDepending on size, senior management may delegate some oversight responsibilities to other oversight functions:Risk managementSupervisory Committee/Internal AuditCompliance
55Quality of Risk Management Assessment Level and quality of oversight and support of all institution activities by the board of directors and managementThe ability of the board of directors and management, in their respective roles to plan for, and respond to risks that may arise from changing business conditions or the initiation of new activities or products
56Quality of Risk Management Assessment Adequacy of, and compliance with appropriate internal policies and controls addressing operations and risks of significant activitiesAccuracy, timeliness and effectiveness of management information and risk monitoring systems appropriate for the FI’s size, complexity and risk profile.
57Quality of Risk Management Assessment (Audit and Internal Controls) Compliance with laws and regulationsResponsiveness to recommendations from auditors and supervisory authoritiesManagement depth and successionExtent that board of directors or management is affected by, or susceptible to, dominant influence or concentration of authority.
58Quality of Risk Management Assessment (Audit and Internal Controls) Reasonableness of compensation policies and avoidance of self dealingDemonstrated willingness to serve the legitimate FI needs of the communityThe overall performance of the institution and its risk profile
59Quality of Risk Management Rating Strong performance by management and the board of directorsStrong risk management practices relative to the institution's size, complexity and risk profile.All significant risks are consistently and effectively indentified, measured, monitored and controlled.Management and the board have demonstrated the ability to promptly and successfully address existing and potential problems and risks.1Satisfactory management and board performance and risk management practices relative t of he institution's size, complexity, and risk profileMinor weaknesses may exist, but not material to the safety and soundness of the institution and are being addressed.Significant risks and problems are effectively identified, measured, monitored and control.2Management and board performance needs improvement or risk management practices less than satisfactory given the nature of the institution’s activities.Capabilities of management or the board of directors may not be sufficient for the type, size, or condition of the institution.Problems and significant risks may be inadequately indentified, measured, monitored or controlled.3
60Quality of Risk Management Rating Weak performance by management and the board of directorsWeak risk management practices relative to the institution's size, complexity and risk profile.All significant risks are not consistently and effectively indentified, measured, monitored and controlled.Management and the board have not demonstrated the ability to promptly and successfully address existing and potential problems and risks.4Very weak management and board performance and risk management practices relative t of he institution's size, complexity, and risk profileMajor weaknesses exist, that are material to the safety and soundness of the institution and are not being addressed.Significant risks and problems are not effectively identified, measured, monitored and control.5
61Quality of Risk Management Assessment StrongFunction consistently demonstrates highly effective performance in the context of the key risks inherent in the significant Activity.SatisfactoryFunction demonstrates effective performance in the context of the key risks inherent in the Significant Activity.
62Quality of Risk Management Assessment Needs ImprovementRisk management function may generally demonstrate effective performance, but there are some areas where effectiveness needs to be improved in the context of the key risks inherent in the significant Activity.DeficientRisk Management function demonstrates serious weaknesses in effectiveness in the context of the key risks inherent in the Significant Activity.Critically DeficientRisk Management function demonstrates severe weaknesses in effectiveness in the context of the key risks inherent in the Significant Activity.
63Residual Risk Assessment How key risks are managed in each significant activity – operational managementEffectiveness of oversight functionsGovernance / BoardInternal audit / Internal controlsComplianceEach key inherent risk is considered separately for each significant activityDetermine aggregate residual risk
64Residual Risk RatingLowLow probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.Medium LowLower than average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.ModerateAverage probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.
65Residual Risk RatingMedium HighHigher than average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential events.HighHigher than above average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential futur4e events.
68Risk Impact Capital Adequacy Assessment Level and quality of capitalOverall financial conditionManagement’s ability to address emerging capital needsNature, trend and volume of problem assets and adequacy of provision for loans and investment losses and adequacy of other reserves
69Risk Impact Capital Adequacy Assessment Off balance risk exposuresGrowth prospects and past experiences in managing growthBalance sheet composition, nature amount of intangible assets, concentration risks, market risks, risks in non traditional activitiesAccess to capital
70Capital Adequacy Rating Strong capital level relative to the institution’s risk profile1Satisfactory capital level relative to the institution’s risk profile2Less than satisfactory level of capital that does not fully support the institution’s risk profile.Need for improvement even if the institution’s capital level exceeds minimum regulatory and statutory requirements3
71Capital Adequacy Rating Capital level is deficient based on risk profileViability of FI may be threatenedAssistance from shareholders and other external sources of financial support may be required.4Critical deficient level of capital such that institution’s viability is threatenedImmediate assistance from shareholders or other external sources of financial support is required.5
72Risk Impact Earnings Risk Assessment Levels of earnings including trends and stabilityAbility to provide for adequate capital through retained earningsQuality and sources of earningsLevel of expenses in relation to operations
73Risk Impact Earnings Risk Assessment Adequacy of the budgeting systems, forecasting processes, management information systemsAdequacy of provisions to maintain the allowance for loan and lease losses and other valuation allowanceThe earnings exposure to market risk, such as interest rate, foreign exchange and price risks
74Earnings Risk RatingStrong earnings / more than sufficient to support operations and maintain adequate capital and allowance levels after considering asset quality growth, and other factors1Satisfactory earnings. Sufficient to support operations and maintain adequate capital and allowance levels after consideration is given to asset quality growth and other factors affecting the quality, quantity and trend of earningsEarnings that are relatively static, or evening declining could be given a “2” rating provided the FI level of earnings is adequate.2
75Earnings Risk RatingEarnings need improvement. Earnings may not fully support operations and provide for the accretion of capital and allowance levels relative to the institutions overall condition, growth and other factors.3Earnings are deficient. Insufficient earnings to support operations and maintain appropriate capital and allowance levels. Erratic fluctuations in net income or net interest margin, significant negative trends, nominal or unsustainable earnings, intermittent losses, or substantive drop in earnings from pervious years.4Earnings critically deficient, institution experiencing losses that represents a distinct threat to its viability through the erosion of capital.5
76Risk Impact Liquidity Risk Assessment Availability of assets readily convertible to cash without undue lossAccess to money markets and other sources of fundingLevel of diversification of funding sources, both on and off-balance sheetThe degree of reliance on short-term, volatile sources of funds, including borrowings and brokered deposits, to fund longer term assets
77Risk Impact Liquidity Risk Assessment The trend and stability of depositsThe ability to securitize and sell certain pools of assetsThe capability of management to properly identify, measure, monitor and control institution’s liquidity position, including the effectiveness of funds management strategies, liquidity policies, management information systems, and contingency funding plans
78Liquidity Risk RatingStrong liquidity levels and well developed fund management practicesReliable access to sufficient resources of funds on favorable terms to meet present and anticipated needs.1Satisfactory liquidity levels and fund management practicesAccess to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs.Modest weaknesses may be evident in funds management practices2Liquidity levels and funds management practices in need of improvement.Institution may lack ready access to funds or reasonable terms or may evidence significant weaknesses in funds management practices.3
79Liquidity Risk RatingDeficient liquidity levels or inadequate funds management practicesInstitutions may not have or not able to obtain a sufficient volume of funds on reasonable terms to meet liquidity needs.4Liquidity levels or funds management practices so critically deficient that the continued viability of the institution is threatened.Institutions require immediate external financial assistance to meet maturing obligations or other liquidity needs.5
80Composite Risk Assessment Composite ratings based on careful evaluation of managerial, operational, financial and compliance performance.Six key components used to assess institution’s financial condition and operations are capital adequacy asset quality, management capability, earnings quantity and quality , the adequacy of liquidity and sensitivity to market riskRating scale ranges from 1 – 5, with a rating of 1 indicating the strongest performance and risk management practices relative to the institution’s size, complexity and risk profileRatings of 5 indicated the most critically deficient level of performance, inadequate risk management practices relative to size, complexity and risk profile the greatest supervisory concerns.
81Framework for Risk-based Supervision CORBACELS INHERENT RISKSConcentrationOperationalReputationBusiness strategyAsset quality (credit)Sensitivity to MarketQUALITY OF RISK MANAGEMENT / OVERISGHTOperational ManagementComplianceRisk ManagementInternal AuditExternal AuditSenior ManagementBoard OversightIMPACT ASSESSMENTCapitalEarnings and profitabilityLiquidityCORBASCELSCAMELS
82Framework for Risk-based Supervision CORBASCEL Step IV Assess Risk Mgn. QualityOperational Mgn.OversightStep III Assess Inherent Risks and impact on capital, liquidity and earningsStep II Determination of MaterialityStep I Identification of Significant ActivitiesStep V Residual RiskStep VI Direction of RiskStep VIII Overall RatingStep VII Overall Assessment