VI. Material Risks
43. As a part of its risk management practices, each bank is responsible for implementing a regular process to identify, measure, report, monitor, and mitigate risks. Such risk management process should be used as direct input into the calibration of capital demand to cover both Pillar 1 and Pillar 2 risks. The framework supporting the estimation of capital consumption for each risk type should approved by Senior Management and the Board.
44. All risks identified as material risks are expected to be addressed in the ICAAP. Risk materiality should depend on each bank’s business model and risk profile. The scope of such risk identification should cover the entire group, including all branches and subsidiaries of the bank. The Central Bank considers credit concentration risk and interest rate risk in the banking book (IRRBB) as defined in this Guidance, as material risks. Given the growing risk universe outside of traditional Pillar 1 risks, each bank must define, update, and review the applicable ICAAP risks on a continuous basis (e.g. quarterly).
45. The identification of risks should distinguish between direct risks and indirect risks. Direct risks are explicit and commonly identifiable risks, such as the credit risk associated with facility underwriting. Indirect risks are arising as second order consequences of direct risks and unforeseen events. For instance, an increase in fraud and cyber-attacks as a consequence of an economic downturn or a pandemic during which employees are forced to work from home. Other examples are the credit risk arising from derivatives during periods of high market volatility or the increase in credit risk resulting from a drop in collateral values following a real estate market crash.
46. The identification of risks should be supported by a regular and structured process. An inventory of risks should be recorded for each business activity and each portfolio on a regular basis. In addition to the regular updates (i.e. at least quarterly), it is expected to adjust the inventory whenever it no longer reflects the risks that are material, e.g. because a new product has been introduced or certain business activities have been expanded. This should support the production of ICAAP from one year to the next.
47. The measurement of risk should be transparent, documented, and supported by subject-matter experts throughout the bank. Each expert function should contribute to its area of expertise, in such way that the ICAAP is a reflection of a collective work substantiated by thorough analysis. Each dedicated risk team should provide a comprehensive assessment of the risk drivers and materiality of the risk they manage.
48. The estimation of the capital consumption associated with each risk should be based upon clear methodologies designed appropriately for each risk type. Each bank should identify the owner of such methodology either within the team responsible to manage risks or with a centralised team responsible for aggregating risk information and to construct the ICAAP. Ultimately, the process to identify, measure risks, and estimate the associated capital consumption should be approved by Senior Management and the Board.
49. In the case of vendor models, this includes the expectation that such models are not expected to be imported mechanistically, but rather they are expected to be fully understood by the bank and well suited for, and tailored to, its business and its risk profile.
50. The identification of risks should result in distinct types:
(i) Pillar 1 risks that are not fully captured and that are covered by insufficient capital. For instance, the market risk capital consumption under Pillar 1 might not incorporate sufficient basis risk; and
(ii) Risks that are not captured at all as part of the Pillar 1 framework.
51. Each bank should not develop separate methodologies for risk measurement, if those are not employed for risk management. The Use Test assumes that the method and conclusion of the ICAAP should be coherent with the bank’s internal practices.
52. To ensure an adequate assessment of high quality, each bank should establish, and implement an effective data quality framework, to deploy adequate processes, and control mechanisms to ensure the quality of data. The data quality framework should ensure reliable risk information that supports sound decision-making, covers all relevant risk data, and data quality dimensions.
53. The next sections contain explanations and expectations on certain risk types (e.g. Business Model Analysis (BMA) and strategic risk, Interest Rate Risk in the Banking Book, and Credit concentration risk).
A. Business Model Analysis (BMA) and Strategic Risk
54. Business model analysis embodies the risk that the bank has failed to structure its organisation and operations (expertise, systems, and processes) in a way that leads to achieving its primary business and strategic objectives.
55. Strategic risks arise when the bank’s business model, organisation structure, operations, and/or strategy are no longer adequate to deliver the objective of the bank as specified by the Board.
56. The bank should conduct regular business model analysis (BMA) to assess its business and strategic risks to determine:
(i) The ability of the bank’s current business model to deliver suitable results over the following 12 months;
(ii) The sustainability of the bank’s strategy and its ability to deliver suitable/ acceptable results over a forward-looking period of at least three (3) to five (5) years, based on the strategic plans and financial planning;
(iii) The sustainability and sufficient diversification of income over time (three (3) to five (5) years). This analysis should consider the sources and levels of income and expenses; and
(iv) The ability of the bank to deliver total financial data across the group and for each of its key business units (includes forward-looking performance and profitability).
57. An effective BMA contains a through-the-cycle view of the sustainability of the business model in its current state and against a projected view of the bank’s funding structure, return on equity (ROE), capital supply, and capital demand, the effect this has on the product, service pricing, and resource requirements. The business planning should be clear, aligned, and integrated with the bank’s strategy, governance, risk-appetite statement, recovery plans, internal controls, stress tests, and internal reporting (MIS).
58. Each bank should elaborate on the linkage and consistency between their strategic decisions, risk appetite, and the resources allocated for achieving those strategies. The bank should articulate the frequency of monitoring and quantifying changes in its financial projections (e.g. balance sheet, profit and loss, and concentrations) regularly to verify that they are consistent with the business model, risk appetite, and the achievement of the bank’s strategic goals.
59. An effective BMA enables banks to identify vulnerabilities at an early stage and assess their ability to adapt to changes in their specific operating environment therefore helps to promote the safety and soundness of banks. A well-designed and comprehensive BMA approach provides banks with the basis to understand, analyse, assess the sustainability of their business models, enhance proactive, forward-looking operations, and strategy evaluation.
60. Each bank’s business model should be based on analyses and realistic assumptions (stress tests, scenario analyses, and driver analyses, etc.) about the effect of strategic choices on financial and economic outcomes of operations performed. This will enable the bank and the Central Bank to understand the nature of the business model and the inherent risks. Each bank should perform an analysis that involves identifying, challenging the dependency of strategies on uncontrollable external factors, and assumptions (e.g. market interest rates, demand growth in the target customer markets, degree of competition in the markets, cost of entry, and compliance costs).
61. An effective BMA addresses the banks’ ability to produce aggregate financial data across the banking group as a whole, and the bank solo level, for each of its main business units and business lines. Moreover, to make the best use of this data and transform it into relevant inputs, banks need to develop and use analytical tools including stress tests, peer group assessments, profitability forecasts and analysis, and scenario analyses.
62. The documentation provided in support of the business model should contain an overview of the business activities of the bank and an overview of the structure/organisational details of the bank. For example a brief description of the business model, present financial condition, any expected changes in the present business model, the expected future business environment, business plans, and the projected financial condition for the following year.
63. The following additional information and documentation should be referenced (if not part of) the ICAAP report:
(i) Bank’s strategic plan(s) with current-year, forward-looking forecasts, and underlying economic assumptions;
(ii) Financial reporting (e.g. profit and loss (P&L), and balance sheet), covering the most recent period and the whole (forward-looking) ICAAP reporting period;
(iii) Internal reporting (e.g. management information, capital reporting, liquidity reporting, and internal risk reporting);
(iv) Recovery plans, including the results of resolvability assessment, if any, and identification of critical functions;
(v) Third-party reports (e.g. audit reports, and reports by equity/credit analysts), states their main concerns and issues;
(vi) A descriptive report on the main business lines generating revenues broken down by main products, services, other activities, geographies, and market position; and
(vii) Peer group analysis segregated by competitor bank, product, or business lines targeting the same source of profits and customers (e.g. credit card businesses targeting consumers at a particular economic stratum in a specific country.
64. Business model analysis may act as a base for the development of Reverse Stress Test scenarios.
B. Credit Risk
65. Credit risk is the risk of losses arising from a borrower or counterparty failing to meet its obligations as they fall due. Each bank should assess all its credit exposures and determine whether the risk weights applied to such exposures under the regulatory standardised approach for credit risk (Standardised Approach) are appropriate for the inherent risk of the exposures. Each bank should have the ability to assess credit risk at the portfolio level as well as at the exposure or counterparty level.
66. To ensure that each bank has sufficient capital allocated for credit risk, each bank should compare their capital consumption under two methods for all credit exposures across all asset classes: (i) the Standardised Approach and (ii) an estimation under the foundation internal-rating based approach (F-IRB) in the Basel Framework (“IRB approach: risk weight functions”, CRE31).
67. The Central Bank recognises that some banks may not have appropriately calibrated probability of defaults (PDs) for the calculation of the F-IRB approach. In the absence of such calibration, banks should rely on their 1-year PD used for IFRS provisioning purposes. Each bank should undertake this comparison at asset class level, where higher F-IRB numbers indicate additional required capital. Drivers of material differences between the two approaches should be explained.
68. If a bank uses credit risk mitigation techniques (CRMT), it should analyse and evaluate the risks associated to such mitigation under Pillar 2 risks measurement. The bank should analyse potential effects, the enforceability and the effectiveness of such CRMT, in particular in the case of real estate collaterals in order to estimate residual credit risk with prudence.
C. Market Risk
69. Market risk is the risk of losses in on- and off-balance sheet positions arising from movements in market factors such as interest rates, foreign exchange rates, equity prices, commodities prices, credit spreads, and options volatilities. Each bank should have methodologies and limits that enable it to assess and actively manage all material market risks, at several levels of granularity including position, desk, business line, or firm-wide level.
70. Under its ICAAP, each bank should assess its capital adequacy for market risk by considering methods other than the regulatory standardised approach for market risk. Each bank should start this assessment with the metrics already employed to measure market risk as part of regular risk management, including net open positions (NOP), value-at-risk (VaR), stressed VaR, and economic stress tests. The calibration of capital associated to Pillar 2 risks should be undertaken with prudence and should include risks such as concentration risk, market illiquidity, basis risk, and jump-to-default risk.
71. Ultimately, market risk capital should be designed to protect the bank against market risk volatility over the long term, including periods of stress and high volatility. Therefore, each bank should ensure that such calibration include appropriate stressed periods. The analysis should be structured based on the bank’s key drivers of market risk, including portfolios, asset classes, market risk factors, geographies, product types and tenors.
72. Each bank should analyse its amortised cost portfolio under Pillar 2, considering the difference between the market value against the book value.
D. Operational Risk
73. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, or systems, or external events. This definition includes legal risk and compliance risk but excludes strategic and reputational risk. The framework for operational risk management should cover the bank’s appetite and tolerance for operational risks, and the manner and extent to which operational risk is transferred outside the bank.
74. Operational risk is a recurrent and a material source of losses for many banks but the existing approaches (the Basic Indicator Approach (BIA), the Standardised Approach (SA), and the Alternative Standardised Approach (ASA)) for calculating Pillar 1 operational risk capital may not reliably reflect the nature and scale of potential operational risk losses. The Pillar 1 Standardised Approach for operational risk uses gross income as a measure of capital. Gross income is a risk-insensitive proxy for operational risk capital, which may lead banks to underestimate the risk. This was evident during the economic downturn in 2009, when banks’ income dropped, lowering their regulatory operational risk capital requirement, yet operational risks were either constant or even elevated in some cases. Therefore, banks should ensure that their Pillar 2 capital charge covers operational risks that are not captured by regulatory capital methodologies. The analysis should include a robust and conservative forecast of operational risk losses and respective capital requirements (at least split into conduct and non-conduct risks).
75. Legal risk is considered an operational risk. Each bank is required to analyse, assess, and quantify the impact of legal risk failures on its capital structure. Examples of legal risk include inadequate documentation, legal, regulatory incapacity, the insufficient authority of a counterparty, and contract invalidity/ unenforceability. The Legal department of each bank bear responsibility for the identification and management of this risk. They must consult with internal and external legal counsel. Subsidiaries and branches of major international banking groups typically have in-house legal departments, acting under the guidance of the group, which aims to facilitate the business of the group, by providing proactive, business-oriented advice. The outcome of legal and/or regulatory issues to which the bank is currently exposed, and others, which may arise in the future, is difficult to predict and, consequently, there can be no assurance that the outcome of a legal matters will not be material to the financial condition of the bank.
76. Given the potential impact from operational risk, each bank should evaluate under Pillar 2 risks arising from business conduct risks and money laundering / financing of terrorism. In addition, each bank should consider internal and external operational risks faced by it, including but not limited to operational cyber risk, IT risks, and outsourcing, and each bank is expected to consider ways in which it can improve its operational resilience. Each bank should provide details in the ICAAP report on the outcome of its Risk Control Self-Assessment (RCSA) process to collate bottom-up operational risk drivers across businesses.
77. Each bank should undertake quantitative stress testing based on its historical loss data and operational risk profile.
E. Credit Concentration Risk
78. Section V.D of the ICAAP Standard requires banks to address weaknesses at the portfolio level including credit concentrations risk. Credit concentration risk is the incremental credit loss in a portfolio of credit exposures, caused by high correlation between the credit risk drivers of those exposures. Such concentration risk arises mostly due to high correlations and dependencies between individual obligors (name concentration) or between economic sectors (sectoral concentration). Credit concentration risk can affect a bank’s health or core operations, liquidity, earnings and capital ratios. The Central Bank considers concentration risk as a key material Pillar 2 risk for all UAE banks.
79. Consequently, credit concentration arises when large exposures are associated with a small number of obligors or a small number of sectors, but not only. Credit concentration risk can arise from a seemingly granular portfolio but with high correlation between the obligors’ risk drivers.
80. In accordance with the Central Bank re Large Exposures - Credit Concentrations Limits (Notice No.226/2018), an exposure is deemed large if it accounts for more than 10% of a bank’s capital. Such threshold has been implemented for regulatory purposes. The measurement of concentration risk for risk management purposes and for determining Pillar 2 risk capital requirements should refer to the wider definition of concentration risk. Each bank is exposed to a degree of concentration risk, even when complying with the Large Exposure Regulation.
81. Each bank should perform a detailed risk analysis specific to the Real Estate exposures (RE) of the bank and the Central Bank re Standards for Real Estate Exposures (Notice No. 5733/2021).
82. Credit concentration risk is a common feature of UAE banks, but currently the Central Bank regulations for banks do not include an explicit Pillar 1 capital requirement for name and sector concentration risk. Credit concentration risk is a key prudential risk for which the capital requirement is at the discretion of banks, and it should be held under Pillar 2. This risk should warrant particular attention from each bank. In particular:
(i) For the purpose of risk management, each bank should ensure that credit concentration risk is pro-actively and efficiently addressed. Each bank should develop policies and procedures for the identification, measurement, monitoring, and reporting of credit concentration risk. Credit concentration risk arises from exposures to obligors structured as conglomerates. Therefore each bank should have a mechanism in place to identify and aggregate exposures across related entities based on their legal relationships. Data should be aggregated across systems operated by different business units or entities. This should be indicated through the bank’s management information system (MIS);
(ii) For the purpose of estimating the Pillar 2 capital associated with credit concentration risk, each bank should build upon the methodologies employed for risk management. These methods should be developed further, as deemed appropriate, in order to fully measure the additional capital. Each bank should compare several methodologies and propose a choice based on clear and documented justification. At a minimum, each bank should calculate and report the additional capital using the Herfindahl-Hirschman Index (HHI) methodology; and
(iii) For the purpose of capital planning, each bank should ensure that concentration risk is taken into account adequately within its ICAAP. Each bank should assess the amount of capital, which it consider adequate to hold given the level of concentration risk in their portfolios and given their business plan and the expected economic environment.
F. Interest Rate Risk in the Banking Book (IRRBB)
83. IRRBB is the risk of loss in the banking book caused by changes in interest rates. Interest rate risk can arise both in the banking book and/or the trading book. While interest rate risk in the trading book is addressed under the Pillar 1 market risk framework, the interest rate risk in the banking book should be addressed under Pillar 2. Conventional banks refer to this risk as IRRBB while Islamic banks are exposed to the analogous risk called profit rate risk in the banking book (PRRBB).
84. Each bank should define a risk appetite pertaining to IRRRB that should be approved by the Board and implemented through a comprehensive risk appetite framework, i.e. policies and procedures for limiting and controlling IRRBB. Each bank should have a process supported by adequate policies to manage IRRBB appropriately. This involves, as for any other risk, comprehensive identification, measurement, reporting, monitoring, and mitigation.
85. The measurement process should be based upon several existing Standards and Guidance:
(i) Central Bank “Standards re Capital Adequacy of Banks in the UAE - ICAAP Standards”;
(ii) Central Bank “Regulation and Standards re Interest Rate & Rate of Return Risk in the Banking Book” in 2018 (Notice 3021/2018 and Circular 165/2018);
(iii) Central Bank Model Management Standards and Guidance in 2022 (Notice 5052/2022); and
(iv) Basel Framework - Interest Rate Risk in the Banking Book (SRP 31).
Measurement
86. The assessment should include all positions of each bank’s potential basis risk, re-pricing gaps, commercial margins, gaps for material currencies optionality, and non-maturing deposits. The quantitative impact analysis should be supported by description and analysis of the key assumptions made by the bank, in particular, assumptions regarding loan prepayments, the behaviour of non-maturity deposits (CASA), non-rated sensitive assets, contractual interest rate ceilings or floors for adjustable-rate items, and measuring the frequency of the interest rate risk in the banking book.
87. DSIBs and other banks with significant interest rate risk (IRR) exposure should compute the economic value of equity (EVE) at a granular facility level, while non-DSIBs may compute EVE at exposure level, which is based upon the summation of discounted gap risk across time buckets, rather than a granular net present value (NPV) estimation at exposure level.
Scenarios
88. For the purpose of capital calibration, each bank should employ the interest rate shock scenarios corresponding to Table 12 of Central Bank Model Management Guidance and table 2 of the SRP 31 for their AED and non-AED positions respectively.
89. In addition to the standard shocks prescribed above, DSIBs and other banks with significant exposure to interest rate risk are expected to apply further shocks/ idiosyncratic scenarios, which will take into account:
• The bank’s inherent risk profile;
• Historical shocks experienced by the bank due to market sentiment and corresponding to macro-financial factors; and
• Additional scenarios prescribed by the Central Bank specifically through supervisory interactions or financial stability processes.
Capital Calculation
90. The capital requirement should be aggregated across all currencies and scenarios conservatively.
91. The estimation of the Pillar 2 capital corresponding to IRRBB should be based on the most conservative loss arising from (i) the change in the economic value of equity (ΔEVE), and (ii) the change in net interest income (ΔNII). The most conservative result should be considered across all the scenarios calibrated by the bank. (In avoidance of doubt, the allocated capital for IRRBB should not be lower than the maximum of the absolute EVE impact and the absolute NII impact: Max(abs(EVE impact), abs(NII impact).
92. The Central Bank considers a bank as an outlier when the IRRBB EVE impact based on the standard parallel shock leads to an economic value decline of more than 15% of its Tier 1 capital. The Central Bank may request an outlier bank to:
(i) Reduce its IRRBB exposures (e.g. by hedging);
(ii) Raise additional capital;
(iii) Set constraints on the internal risk parameters used by a bank; and/ or
(iv) Improve its risk management framework.
93. Irrespective of the approach or model chosen by the bank, at a minimum each bank should calculate and report IRRBB using the methodology described by the Central Bank Model Management Standards and Guidance.
G. Model Risk
94. Models have become an integral part of decision-making in the banking sector for risk management, business decisions, and accounting. Inaccurate model results, e.g. based on wrong assumptions or valuations, may lead to actual or potential financial losses or an underestimation of risks. Therefore, the Central Bank considers model risk a significant risk type.
95. Simple models should not be confused with poorly designed models. Poorly designed models can be misleading and interfere with sound decision-making. Small and/or unsophisticated banks can employ simple models. However, they cannot employ poorly designed models. Each bank should manage model risk in accordance to the Central Bank Model Management Standards and Guidance.
96. Model risk should be incorporated in each banks’ risk framework alongside other key risks, as inherent consequences of conducting their activities (refer to Appendix 3.2). Consequently, model risk should be managed through a formal process incorporating the bank’s appetite for model uncertainty. The framework should be designed to identify, measure, monitor, and mitigate this risk. A bank should mitigate a large appetite for model risk by counter-measures such as conservative buffers on model results and/ or additional allocated Pillar 2 capital.
97. The Central Bank recognises that the estimation of model risk is challenging. However, each bank should demonstrate that they have implemented steps to measure the potential losses arising from model risk. At minimum, each bank should implement a grouping approach to categorise models according to their associated model risk. The uncertainty and losses arising from models should be estimated by using a range of different techniques, including:
(i) Internal and external validations;
(ii) Comparison against alternative models;
(iii) Sensitivity analysis; and
(iv) Stress tests.
98. Each bank should also consider the quality of its model risk management in the model risk analysis, including but not limited to the quality of model documentation, data, assumptions, validation, staff, implementation, and usage.
Risk Diversification Effects
99. Each bank is expected to take a prudent approach whenever assuming risk diversification effects. Furthermore, each bank should be aware that the Central Bank as a matter of principle will not take into account inter-risk diversification in the SREP. Banks should be cognisant of this when applying inter-risk diversification in its ICAAP.
H. Financial Risks from Climate Change
100. Banks are expected to build up Board awareness and understanding of the financial risks arising from climate change and how they will affect their business models. Each bank should use scenario analysis and stress tests to improve the risk identification process, to understand the short- and long-term financial risks to their business model from climate change, and to develop appropriate strategies accordingly.
I. Liquidity Risk and Funding Cost
101. Though capital is not a direct mitigation for liquidity risk and liquidity is not a mitigation for capital risk, both risk types are interlinked. The Internal Capital Adequacy Assessment Process (ICAAP) and the Internal Liquidity Adequacy Assessment Process (ILAAP) are expected to inform each other; with respect to the underlying assumptions, stress test results, and forecasted management actions. Each bank is expected to assess the potential impact of scenarios, integrating capital and liquidity impacts, and potential feedback processes, taking into account, in particular, losses arising from the liquidation of assets, increased funding costs or availability of funding during periods of stress.
102. For example, each bank is expected to assess the impact of deteriorating capital levels, as projected in the ICAAP, on their liquidity. A downgrade by an external rating agency could, for example, have direct implications for the refinancing ability of the bank. Vice versa, changes in funding cost could impact capital adequacy.