ICAAP regulations - revolutionary
Saloni Ramakrishna
ICAAP regulations if implemented in letter and spirit would
fundamentally change the way banks plan and strategize their business.
“All courses of action are risky, so prudence is not in avoiding
danger (it’s impossible), but calculating risk and acting decisively.”
Niccolo Machiavelli
As bankers across the world go back to their strategy tables to
rework their risk management framework, they would do well to heed that
advice. Given that not taking Risk is not an option, prudence is in
understanding risks being taken, calculating and acting on them and that
is what ICAAP (Internal Capital Adequacy Assessment Process) aims to do.
Given the current challenges facing the global financial services
industry, ICAAP, which falls under Pillar II of the Basel regulatory
framework, could not have been mandated at a more appropriate time.
It provides banks with a valuable opportunity to understand and
manage their risk canvas in a brand new and holistic manner.
In fact, ICAAP is a quiet revolution, disguised as a regulation as it
broadens and deepens the risk canvas of a bank.
Pillar II or ICAAP is the central pillar of the spirit of the Basel
regulatory framework. Pillar I was a prescriptive approach that laid
down specific and detailed rules; Pillar II, requires banks to think for
themselves within a broad framework.
It centers around the critical idea that banks face both quantitative
risks such as concentration risk, liquidity risk or interest rate risk,
as well as qualitative risks such as reputation risk, strategic risk or
business risk in addition to the traditional Credit, Market and the more
recent Operational Risks.
ICAAP expects banks to understand their entire risk universe and
identify which of those are material based on their individual
businesses, operations and future plans.
It encourages banks to define their risk appetite, capture the
essence of their risk profiles and choose appropriate approaches and
risk systems to best manage their businesses and finally arrive at
appropriate capital buffer.
While this may be a liberal and empowering approach, the challenge is
that banks will have to defend their ICAAP to regulators in supervisory
reviews.
Thus, while the risk management and the Capital Planning process is
internal, its defence will be external.
The ICAAP mandate also brings to life the complexities of the banking
business; it provides a three dimensional effect to risk management. In
implementing the new framework, banks will have to use a six-step
process.
Banks must state their risk appetite, identify risks that the
business carries, assess which of those risks are material, quantify the
risks, do capital planning, allocate capital to businesses, and have a
risk reporting framework.
It is important to note that each of these steps throw up several
challenges, but if implemented well ICAAP offers great new opportunities
for banks.
The challenges
In a nutshell every step of the process does throw up tough
challenges, none of which can be trivialized. Having said that the
bright side of the exercise is that if the process is implemented as
envisaged would creates such huge opportunities that the effort is more
than well worth it.
A crucial part of the ICAAP process is that it is forward looking.
Banks cannot depend on history alone to assess future risks because of
newer products, newer ways of doing business, shrinking of global
financial borders, lack of standardization etc., the demand on banks to
have great clarity about their proposed balance sheet and risks it
entails as also its capacity to withstand stressed situations becomes
critical.
This approach tests a bank’s real capability to envision the risks of
its future plans, including those of new strategic initiatives, new
geographies and business lines.
ICAAP offers banks the opportunity to holistically understand their
risk canvas and be better prepared in their business. It invites banks
to plan business growth by balancing risk and return and move from
forecasting just profit to economic profit, using risk-adjusted
performance measures. Thus, ICAAP has with a single stroke changed the
contours of business forecasting, profit planning and capital planning
and made forecasting a cognitive and deliberate process.
Arguably, the biggest challenge in implementing ICAAP is the lack of
guidelines on how to assess materiality, how to quantify newer and
especially qualitative risks, or how to relate these risks to capital.
Skills in these areas are in their infancy, especially since there
are no clear regulatory guidelines. For example, can a bank numerically
quantify reputation or strategy risk and decide how much capital is
appropriate to be allocated to such risks? It is here that ICAAP’s
evolutionary nature comes into play - since banks, academicians and
regulators are working hard in this area, over time there will be
answers to both how to quantify risks and how to relate them to capital.
In this context, score cards can be a good way to assess materiality.
The starting point is to break down these risks into their underlying
indicators and then methodically building a score card. For example,
reputation risk could include the risks of negative publicity, customer
complaints or possible lawsuits, each with potential costs.
Stress Testing is an effective tool for capital planning and
management. The skill lies in turning stress testing into an art, a
craft and a science. Banks must institutionalize stress testing
mechanisms that allow them to recreate historical scenarios as well as
to create blue-sky, hypothetical ones. Making Stress Testing a mere
statistical exercise defeats the purpose - it needs to be led by
business thinking.
On the reporting front, Pillar II calls on banks to change their
reporting systems from being static to being dynamic and interactive.
Such systems must capture not just risk-related information at a micro
level, but must be able to provide an aggregated view as well in the
form of a set of dashboards/ reports that give senior management an
instant and continuously updated view of multiple factors including
risk, capital positions, Stress Test results etc amongst other things.
This gives banks the opportunity to set up robust, interactive
reporting systems that provide decision support for risk planning,
profit planning and capital planning, as well as for operations and
strategy.
Implications for the stakeholders
This paradigm shift has interesting implications for all stakeholders
of the bank, both internal as well as external, and they are all
learning on the go.
First, the bank’s board will now have to focus on making planning a
forward looking process, it will have to define risk appetite in
concrete terms and take responsibility for those definitions.
ICAAP asks senior management to change their perspective from a
historical one to a forward looking, futuristic and realistic one:
predictive skills must be developed to formulate a future end state,
which must then be worked backwards into actual plans, business
operations and numbers.
Next, since auditors have now become the first line of defense ahead
of regulatory reviews, they are scaling up their skills and will
challenge business leaders on the projections and help them validate
their plans in an entirely new way. Shareholders will know the optimum
capital to be held against risks: too much capital means a loss of
revenue, while too little capital is a risk in itself.
There are interesting implications for the external stakeholders too.
Perhaps for the first time, the emphasis is on a dialogue between
regulators and banks rather than a one-sided compliance measurement.
Pillar II leaves a lot up to the individual bank in terms of assessment
and quantification; by implication it also leaves a lot up to the
judgment of the individual supervisor performing the regulatory review.
Thus, regulators will be challenged to perform effective reviews
without complete standardization. This problem will be more complex and
manifold for global banks which are required to meet regulations in
different countries, as well as for the regulators themselves. Thus both
regulators and regulations will continue to evolve based on the actual
supervisory experience.
The final set of stakeholders, the customers, will perhaps benefit
most from ICAAP. They will be dealing with banks that have developed a
more objective approach to business planning and a clear understanding
of their risk-return equation, which can only make them more stable and
robust organizations to deal with.
Conclusion
ICAAP poses short-term challenges but at the same time, if done well,
offers numerous opportunities. It invites banks to draw up a blueprint
for the future and work towards it consciously.
It asks banks to use planning and risk management as strategic
instruments and mesh them with operations for optimal results. Thus,
ICAAP has moved the realm of risk management away from a dusty corner
into the entire being of a bank.
(The writer is Principal Architect, Risk & Compliance Oracle
Financial Services) |