Risk Criticality Assessment
Ongoing development of the risk management system is crucial for timely identification and assessment of risks, and for efficient operation of the instruments developed to manage them. The bank annually identifies and assesses risks inherent in its activities.
Criticality tests result in the bank’s risk map, serving as the basis for qualifying particular types of risk as critical to the bank. The risk map grades the bank’s risks. The aggregated value of any risks is calculated as the sum of points given by an expert.
Classification of identified risks by their criticality is based on a two-factor assessment:
- potential damage;
- probability (forecasted frequency of risk events).
Each factor is scored 1 to 3 points by surveying experts from subdivisions responsible for taking and managing the bank’s risks. Critical risks are those scoring 4 or higher on the two criticality factors taken together.1. Concentration risk scored:
- 5 points in case of considerable exposures to one counterparty or group of counterparties;
- 4 points in case of:
- credit exposures to counterparties from one sector of economy (involved in same business activity or selling same goods and services);
- the Bank’s dependence on specific liquidity sources;
- credit risk mitigation efforts (indirect concentration risk from taking identical types of collateral or independent guarantees issued by one counterparty).
- 3 points in case of:
- considerable investments in instruments belonging to same type or sensitive to same factors;
- the Bank’s dependence on specific types of income.
- 2 points in case of:
- credit exposures nominated in same currency;
- credit exposures to counterparties based in same geographical area.
Changes in the Risk Profile Compared to 2019:
Motivational and emergency support risks were added to the long list of the most common (characteristic) risk types and subtypes inherent in the bank’s operations; technological risk was qualified as a part of operational risk.
The annual identification procedure (whose results were approved by the Supervisory Board) did not lead to any changes to the list of critical risk types for 2020 compared to that for 2019. Other risks inherent in the bank’s business, including singular risks, are not critical for it because they did not receive, pursuant to its internal methodology, scores implying material impact on the bank.
The bank at least annually deploys an action plan to identify risks and test them for criticality.
According to its risk map, the bank qualifies as critical the following risk types:
Credit risk is the main risk to which the bank is exposed given the nature of its business and balance-sheet structure. The source of this type of risk is the bank’s exposure to losses due to non-performance, late or partial performance by a debtor of its obligations to the bank under existing agreements and to consequences of a deteriorated condition of its borrowers, counterparties or securities issuers. A deteriorated condition means a deterioration both in their financial condition and of other quantitative and qualitative indicators (business reputation, positions among competitors, sector indicators, state of the regional economy, etc.), i.e. all factors that can affect a borrower’s, counterparty’s or security issuer’s solvency.
The credit risk includes:
- Credit risk of default means the probability of the bank suffering any losses due to a debtor defaulting on its contractual obligations to the bank, or any impact from a deteriorated condition of a borrower, counterparty or securities issuer.
- Counterparty credit risk, i.e. the risk that a counterparty fails to perform its contractual obligations before the relevant transactions are finally settled. Such operations are not made without prior evaluation of counterparties’ financial condition and probability of counterparty credit risk events both before the settlement is over and while it is underway.
The Bank has in-house models to quantify the probability of default and other credit risk components used to estimate expected losses, required economic capital and risk-weighted assets. The Bank creates provisions for its lending operations in line with the risk it assumes, strictly as recommended or required by the Bank of Russia.
Credit risk is measured using an evaluation system involving analysis of counterparty-specific risk factors based on type and nature of business. Credit risk is limited (controlled) by means of a multi-level system of limits applicable to individual counterparties/exposures and to portfolios of exposures grouped by a certain attribute (sector limits, limits by activities and types of financing, limits on concentration of largest borrowers, etc.).
In order to reduce credit risk, the bank limits the total amount of credit risk per borrower (group of related borrowers). All lending limit requests trigger an independent risk measurement aimed at a comprehensive and thorough analysis of potential borrowers. Credit risks are managed based on limits set for various types of transactions and subject to the regular monitoring of borrowers’ creditworthiness. The bank also thoroughly and prudently analyses potential and existing borrowers for economic safety and values collateral taken to secure borrowers’ obligations to the bank, subject to the subsequent monitoring of their availability and changes in their actual value throughout the entire life cycle of the loan product. All loan-related documents are subject to thorough legal due diligence.
Lending activities are coordinated, and related decisions are taken, by the bank’s credit committee whose members represent all subdivisions concerned, including risk management. Some of the Credit Committee’s decision-making powers may be delegated to authorised officers. Credit risk management activities are coordinated by the Credit Risk Committee, a specialised management body reporting to the Management Board.
The principle of distribution of responsibility in credit risk management is reflected in the bank’s Risk Management Policy, Credit Policy and loan approval procedures.
Key credit risk management elements:
- The Risk Management Policy approved by the Supervisory Board is the bank’s framework risk management document, defining the goals, principles and tools of risk management;
- The bank’s Credit Policy which is regularly aligned with market conditions, the Bank’s lending strategy and existing risks;
- Improvement of the formalised borrower appraisal principles and methods (rating models for corporate borrowers, scoring systems for retail business), risk- based application of the general principles of pricing, collateralisation and provisioning. In the reporting period, the bank validated and revised its internal rating and scoring models to enhance their quality and bring them into line with best practices of quantitative credit risk evaluation;
- Control over limits for borrowers and groups of related borrowers, concentration limits, authority limits and other structured limits.
The source of this type of risk is the bank’s exposure to losses and negative consequences due to adverse changes in the market value of financial instruments in its trading book and derivatives, and in exchange rates of currencies and/or precious metals.
The market risk includes:
- instrument interest rate risk, i.e. the exposure to adverse effects from unfavourable changes in interest rates of the trading portfolio instruments (in particular, the risk of negative revaluation of the trading portfolio as a result of changes in fixed income interest rates);
- instrument currency risk, i.e. the exposure to adverse effects from changes in FX rates and/or precious metal prices through devaluation of FX-nominated financial instruments and/or precious metals in the trading portfolio; Trading portfolio currency risk is calculated based on interest rate and securities portfolio risks of FX-nominated instruments;
- securities portfolio risk, i.e. the exposure to adverse changes in market prices of securities in the trading portfolio or derivative financial instruments due to factors related to both specific issuers and general fluctuations in market prices of financial instruments.
- commodity risk, i.e. the exposure to losses due to adverse changes in market prices of commodities, save for precious metals (including commodity derivatives)
Operating in the financial market, the bank assumes risks of instruments in its trading portfolio (risks of adverse changes in the prices of equity instruments, changes in interest rates of fixed income debt instruments, as well as changes in currency exchange rates and the resulting negative revaluation of its trading portfolio).
The bank manages market risks as required by the Bank of Russia’s regulations and also uses internal methods compliant with guidelines of the Basel Committee on Banking Supervision.
The bank manages its market risk by setting limits on open positions in financial instruments, interest rates, maturities and currency, and also stop-loss limits. Limits and positions are monitored on a regular basis and are reviewed and approved by the Asset and Liability Committee / Management Board. In addition, the bank uses stress tests to model the impact of different market scenarios.
The bank applies conservative approaches to building its securities portfolio so as to avoid significant losses that could affect its financial stability. The bank mostly deals in bonds of Russian issuers included in the Bank of Russia’s Lombard List and having short durations.
The bank’s exposure to market risks may be evaluated by calculating maximum possible loss per each security and Value-at-Risk / Stressed Value-at-Risk for the entire portfolio.
The source of this type of risk is the exposure to adverse effects from the credit institution’s internal operating processes and procedures being inconsistent with the nature and scale of its activities and/or statutory requirements or being violated by its staff and/or other persons (by any unintentional or deliberate actions or omission), from its information, technological or other systems being functionally or otherwise inadequate and/or failing (malfunctioning), or from any external events.
Operational risks have the peculiarity of being inherent in all of the bank’s activities, rather than in individual products/processes.
To limit the operational risk, the bank details in its bylaws a complex of the following measures intended to minimise the probability of operational risk events resulting in losses and/or to minimise (limit) such losses:
- Procedures for execution of transactions, distribution of responsibilities, related reporting and follow-up control designed to prevent (limit) operational risk, and control over those procedures;
- Requirements pertaining to banking automation and InfoSec systems, and prospects of their development;
- Insurance procedures, including property insurance (insurance of buildings, other assets, including money and securities, from loss (destruction), shortage or damage, in particular inflicted by third parties or staff, and business risk insurance covering losses resulting from banking risk events) and personal insurance (H&S insurance);
- Bylaw approval procedures requiring validation by subdivisions responsible for assessing operational risks.
The bank’s operational risk management procedures set forth methods to identify and assess operational risks assumed in various areas of its activities.
Operational risk includes:
- staff risk, i.e. the risk of losses caused by errors or malfeasance of the bank’s staff, their insufficient qualification, work overload, unpractical working processes, etc.;
- process risk, i.e. the risk of losses caused by errors in transaction execution, settlement, booking, reporting, pricing and other processes;
- system risk, i.e. the risk of losses caused by deficiencies of the bank’s technologies such as insufficient capacity of its systems, their inadequacy for operations being made, rough data processing methods, or low quality or inadequacy of data used, etc.;
- external risks, i.e. the risks of losses caused by changes in the bank’s operating environment, such as changes in laws, politics, economy, etc., and risks of physical interference from outside;
- legal risk, i.e. the exposure to adverse effects of the bank’s failure to perform its contractual obligations to customers/counterparties, their failure to perform essential terms of supply and other agreements signed by them with the bank concerning provision of goods, works and services (except for credit-related agreements), unsatisfactory level of legal work in the bank, imperfection and instability of the Russian legal system, variability of laws and regulations governing the bank’s operations.
- compliance (regulatory) risk, i.e. the exposure to adverse effects from non-compliance with requirements of international and Russian laws, the bank’s commitments to its shareholders and third parties, its bylaws, standards of self-regulatory organisations (if mandatory for it) as well as due to sanctions and/or other enforcement actions imposed by supervisory bodies.
- technological risk, i.e. the exposure to losses from using outdated technologies or sunk costs of new technologies.
The risk of significant losses that can pose a threat to the bank’s solvency and ability to continue its business due to its exposure to large counterparty risks, risks in specific sectors, regions, markets, currencies, etc.
Concentration risk management procedures include the following:
- Concentration risk identification and measurement procedure;
- List of concentration limits on the existing structure of the bank’s risk-bearing assets grouped into portfolios by various attributes, and aggregate indicators of its operations. The aim is to limit losses resulting from overconcentration on certain counterparties, groups of counterparties or groups of assets of the bank;
- Developing ways to control compliance with such limits, in particular control the bank’s portfolios of instruments with the aim to identify risk concentrations that are new for it and are not captured by the concentration limit system, and ways to report limit violations to its management bodies, and corrective procedures.
The source of this type of risk is the possibility of the bank running short of cash to perform its obligations in full. Liquidity risk can arise as a result of a mismatch in the bank’s financial assets and financial liabilities (in particular caused by a failure of one or more of its counterparties to perform their financial obligations in due time) and/or an unforeseen abrupt acceleration of its financial liabilities.
The bank exercises strict control on a daily basis over compliance with statutory liquidity ratios set by CBR (instant (N2) and current (N3) liquidity ratios). The bank also controls compliance with the long-term liquidity ratio (N4); and, starting from 2018, as CREDIT BANK OF MOSCOW was included in the list of systemically important credit institutions, the short-term liquidity ratio (N26) (the “STL”; calculated in line with Regulation on Calculating the Short-Term Liquidity Ratio (Basel III) by Systemically Important Credit Institutions No. 510-P dated 03.12.2015) has been calculated and monitored on a daily basis.
The bank distinguishes the following liquidity risk types:
- risk of mismatch between incoming and outgoing cash flows;
- risk of unforeseen liquidity requirements, i.e. the risk of consequences of unexpected events in future that may require more resources than projected;
- market liquidity risk, i.e. the risk of selling assets at a loss or inability to close an existing position due to insufficient market liquidity or insufficient amount of trades. The effects of this form of risk may be factored into the market risk evaluation;
- funding risk, i.e. the risk associated with potential changes in cost of funding (individual and market credit spread) affecting the bank’s future income.
The bank’s liquidity risk management procedures include the following:
- Specific risk factors;
- Procedures to determine the bank’s funding needs, including identification of liquidity surplus/shortage and limits of liquidity surplus/shortage (liquidity limits);
- Procedures for liquidity forecasting and time analysis of liquidity (short-term, current and long-term liquidity);
- Procedures for setting liquidity limits and developing ways to control compliance with such limits, to report limit violations to the bank’s management bodies and suggest corrective actions;
- Procedures for daily liquidity management and longer-term liquidity management;
- Methods for analysing liquidity of assets and stability of liabilities;
- Liquidity recovery procedures, including procedures for making decisions on mobilisation (sale) of liquid assets and other possible (and most easily accessible) ways of additional funding in case of liquidity shortage.
Final decisions as to liquidity risk are taken by a collective body, the ALCO/Management Board, thus ensuring comprehensive and effective control over that risk.
The current and forecast liquidity risks are managed separately at the bank.
Current liquidity management is the main task of the bank’s operative management of assets and liabilities, involving short-term forecasting and management of cash flows in terms of currencies and maturities to ensure performance of the bank’s obligations, execution of customer payments and funding of assets-related transactions. Current liquidity is managed through prompt (intraday) estimation of the bank’s current payment position and forecasting changes therein based on the payment schedule and different scenarios.
The main purpose of forecast (medium- and long-term) liquidity management is to develop and implement a system of ALM measures to maintain the bank’s solvency and ensure the planned growth of the assets portfolio at an optimum balance between liquidity and profitability. This is done at the bank by making long-term liquidity forecasts and setting internal liquidity requirements (required liquid and highly liquid cushion, required amount of the liquid securities portfolio). Long-term liquidity forecasts go to the bank’s ALCO/Management Board.
In addition, stress tests are run based on risk factors relevant to liquidity forecasts and the bank’s capability to mobilise liquid assets in the event of a liquidity shortfall.
This prevents material liquidity gaps, ensures uninterrupted performance of obligations, saves costs of urgent fund raising in the case of emergency situations and makes assets-related transactions more profitable thanks to the right choice of instruments.
The risk of deterioration of the bank’s financial condition through a decrease of its capital, income or assets value resulting from a change in market interest rates affecting its assets and liabilities other than its trading portfolio. Interest rate risk in the banking book stems from mismatches between maturities of, or between changes in interest rates on, assets and liabilities.
Interest rate risk in the banking book management procedures include the following:
- Gap analysis using interest rate stress tests;
- Identification of major sources of IRRBB inherent to operations (transactions) sensitive to interest rate changes;
- Modelling of maturities and cost of assets (liabilities), in particular setting target product maturities at the business subdivisions’ level in the course of the business planning process;
- IRRBB limits and ways to control compliance with them, a system to report limit violations to the bank’s management bodies, and a correction process.
Final decisions as to interest rate risk in the banking book are taken by a collective body, the ALCO/Management Board, thus ensuring comprehensive and effective control over that risk.
The bank sets and regularly controls relevant limits linked to loan utilisation effectiveness, profitability and maximum interest rate gaps on various time horizons. To limit the impact of interest rate risk in the banking book on the bank’s financial results, the bank analyses maturities of loans issued and funding raised to reveal any mismatches between its assets and liabilities exposed to interest rate changes. This analysis helps decide what structure of assets and liabilities is optimal and ensures maximum resilience to financial losses caused by interest rate risk in the banking book. On an ongoing basis, the bank optimises interest rates on the assets side and liabilities side in line with the current market situation and tariff policies of its main competitors.
The exposure to potential losses due to changes in exchange rates/prices of foreign currencies/precious metals in which the bank has open currency positions (OCP) at the bank book level.
FX risk in the banking book represents potentially adverse effects from changes in FX rates and/or precious metal prices at the bank book level by measuring the aggregate long or short open currency position against the bank’s capital.
FXRBB management requires limits to be set on the bank’s OCP.
FXRBB management procedures include the following:
- The bank’s compliance with Bank of Russia Instruction No. 178-I “On Setting Open Currency Position Limits, the Methodology for Calculating them, and Modalities of Supervision of Credit Institutions’ Compliance therewith” dated 28.12.2016 is monitored on a daily basis: its designated subdivisions ensure that the open foreign currency position in any single foreign currency or precious metal does not exceed 10% of its equity (capital). The bank goes beyond the Bank of Russia’s regulatory restrictions by setting more conservative management limits on the size of its open foreign currency position in each currency;
- The bank monitors and forecasts on a daily basis its open foreign currency position in each currency and as a whole;
- The key currency risk factors, such as governmental, macroeconomic and financial ones are monitored on a daily basis.
The source of this type of risk is the bank’s exposure to losses as a result of an outflow of the bank’s customers (counterparties) due to a negative public perception of the bank’s financial stability, quality of its services or the nature of its activity as a whole. The probability and amount of losses that can be caused by this risk depends on the level of this risk in the Russian banking sector as a whole.
Reputational risk management procedures include the following:
- procedures/tools/mechanisms for dealing effectively with all categories of stakeholders;
- ethical conduct in provision of services;
- ongoing monitoring of internal and external threats to the bank’s reputation;
- understanding shareholders’ and investors’ expectations as to disclosure;
- maintaining an advanced corporate governance system and developing it in line with the bank’s strategic goals and interests of all stakeholders;
- ensuring a high level of corporate culture;
- adherence to the code of professional ethics and culture;
- transparent and advanced staff remuneration, incentive, training and qualification upgrade system.
The bank meets all of its obligations on time and in full. The bank’s credit history includes large loans from leading credit institutions of the world, syndicated loans and bond issues. The bank is also well-reputed in the national and international financial communities.
The bank makes considerable efforts to promote its image in the eyes of its customers and the public by increasing its information transparency. Reputational risk management is an integral part of the risk management system and is practiced with the direct involvement of the bank’s management.
This risk means the exposure to adverse consequences of mistakes (flaws) in strategic decisions such as oversight or underestimation of potential threats, wrong or inadequate choice of prospective business areas where it can gain an edge over its competitors, lack/insufficiency of resources (financial, material, technical, human) and organisational measures (managerial decisions) required to attain its strategic goals.
The main goal of the strategic risk management is to establish an interdisciplinary system allowing for appropriate managing decisions in respect of the bank’s activities, aimed at reducing the impact of strategic risks on the bank in general.
Strategic risk management procedures include the following:
- Periodic revaluation of the bank’s development strategy;
- Planning the development of new lines of business, new products, technologies and services, expansion of existing technologies and services and strengthening of the bank’s infrastructure;
- Analysing competition so as to identify strategic risks such as the threat of new competitors entering the market, the threat of product substitution or the threat of continuous evolution of strategic risk factors during the lifetime of services provided.
The capital charge estimation stage was embedded into the product/service development procedure.
Key strategic risk indicators are limited in accordance with the bank’s procedures. Limit control results, breaches and correction proposals are regularly reported to the bank’s management bodies to ensure prompt control over achievement of the bank’s strategic goals.