BANK OF ISRAEL
Office of the Spokesperson and Economic Information
June 26, 2012
Press Release
New draft directives on risk management and credit risk management
Within the framework of the Banking Supervision Department's activities to
strengthen the banking system, the Supervisor of Banks today distributed several draft
Proper Conduct of Banking Business Directives for review by the Advisory
Committee on Banking Issues. Adopting these draft documents will enhance the
robustness of the banking sector through improved risk management and corporate
governance—so that they will be adequately reflected in a bank's decision making
processes and general activities—including integration of the lessons learned from the
global crisis of 2008–09.
Following are the main issues dealt with in the above-mentioned draft Proper Conduct
of Banking Business Directives:
Draft new comprehensive directive on risk management
The directive serves as a master directive for firm-wide risk management, and also
refers to management of specific risks, as it delineates the primary principles of risk
management. These primary principles refer to, among other things, corporate
governance and the roles of various functions with regard to risk management at the
banks, the internal control system which includes three lines of defense, as well as
risk management processes (appetite for risk, risk management framework, and new
products), methodologies for identification, measurement, and assessment of risk
through models and stress tests, and a monitoring and reporting system.
Three lines of defense: The directive establishes the framework for establishing a
proper risk management system by defining three lines of defense:
1.
2.
3.
Business line management—bears the responsibility for identifying and
managing the inherent risks in products, activities, processes, and
systems for which they are accountable.
Risk management function—a function independent of lines of
business, which serves as a second line of defense and is responsible for
the planning, maintenance, and development of a risk management
framework. One of the central functions of the function is to challenge
the risk management of the business lines and to examine its
comprehensiveness and effectiveness.
Internal audit—examines the appropriateness and effectiveness of the
administrative procedures of the first two lines of defense, and reveals
weaknesses in controls, so that it serves as a third line of defense.
Risk management process—the directive sharpens the need to implement a proper
culture of risk, arranges the risk management governance in the banking corporation,
and defines the foundation stones of the credit management procedure:
The Board of Directors must outline the appetite for risk—the maximum risk level
that the corporation is willing to take on itself. Setting the appetite for risk is one of
the central tools that the Board has in overseeing the corporation.
The banking corporation's management must formulate, integrate, and implement the
risk management framework which is anchored in written policy documents. The risk
management framework is derived from the appetite for risk and establishes specific
limitations, policies, procedures, and controls for the management of each risk.
The corporation is required to examine the need to update the risk management
framework in light of developments and changes in the external environment, in the
business activities, the control environment, new products, etc. The directive regulates
the required process of authorizing new products or activities as well as significant
changes in existing products.
Chief Risk Officer and risk management function—an appropriate risk
management system begins with the Board of Directors, continues with the CEO and
executive management, and includes all the banks' units, including the compliance
and control unit, supporting units, and business units. Within the framework of this
system, the directive regulates the position, independence, and responsibility of the
risk management function and its head, the Chief Risk Officer (CRO). As a member
of executive management designated to this issue, the CRO reports directly to the
CEO and the Board of Directors, and he or she must emphasize to them issues to
which they should pay attention, from a risk management perspective, such as risk
concentrations or deviation from the risk appetite.
The directive clarifies the roles of the risk management function in various areas, such
as formulating the risk appetite and the risk management framework, the process of
assessing capital adequacy and liquidity, the process of approving new products as
well as approving and validation of models. It is made clear that the function is
required to be involved in the risk management process in the banking corporation, to
the extent that its views represent an important part of the considerations in reaching
business decisions.
The directive emphasizes the independence (professional and organizational) of the
risk management function in the lines of business and that its compensation must not
be based to a significant degree on the revenue of the business lines. The corporations
are required to confirm, that the function is staffed with quality, experienced and
trained employees, and that it is allocated resources that are adequate for fulfilling its
function and challenging the business lines as required.
Identification, measurement and assessment, monitoring, and reporting risks—
the directive delineates quality demands regarding methodologies for identification,
measurement, and assessment of risks, particularly through models and stress
scenarios. In addition, the directive delineates requirements for a management
information system and a reporting system which is critical for effective monitoring
of risk.
Drafts of new directives on credit risk
The draft directives concerning credit risk—"Principles for the Management of Credit
Risk", "Loan Review", and "Sound Credit Risk Assessment and Valuation for
Loans"—provide a detailed listing of the expectations of the Banking Supervision
Department regarding issues related to credit risk management, including:
Credit risk strategy—it is the Board's responsibility to establish the strategy,
including maintaining required consistency in the strategic principles, with some
flexibility to adjust to changing conditions.
Credit policy—a clear definition of the policy and its appropriateness for the strategy
laid out by the Board of Directors; responsibility and authorization to compile and
approve the policy (particularly the requirement for the involvement of the risk
management function in the process); the extent of detail required in the policy;
setting credit limitations while taking into account the risk level, including under
stress scenarios, and other relevant factors; reference to specific risk factors, such as
country risk, transfer risk, and leveraged financing.
Corporate governance—wide ranging reference to the role of the Board of Directors
in overseeing management's activities; requirement that all credit risks should be
identified, measured, monitored, and reported, with a clear segregation of duties
among the various functions; thickening authorizations of risk management factors in
order to establish a balanced decision-making structure; matching the bank's
compensation policy to its credit risk strategy.
Credit approval process—comprehensive, methodical, define authorizations, full
understanding of credit needs and repayment sources, avoid deviation from credit
limitations, requirement that specific credit approvals be carried out with reference to
the opinion of an objective function which is uninvolved in credit marketing (risk
management function)
Oversight and control mechanisms—definition of credit risk control mechanisms at
the bank, reporting hierarchy, scope and frequency of reports, requirements regarding
the reliability of reported data, requirements for documenting specific credits,
maintaining separation of functions.
Credit ratings—use of uniform risk measurement as part of decision making process,
authorizations for developing rating systems and setting ratings; in particular, a bank
is required to allocate the necessary resources to develop and maintain a quality rating
system and the responsibility for setting the ratings, or approving them in real time,
lies with the risk management function.
Scenarios and stress tests—increased use of scenario analysis and stress tests for the
purpose of credit risk management.
Upgrade of the Loan Review function—transfer the emphasis from quantitativetechnical indices to qualitative features, and output required from this function.
Classification and provision processes—definition of minimum requirements
regarding identification and measurement processes for credit with declining quality,
and control of these functions.
The Supervisor of Banks said that advancing the drafts distributed today, along with
advancing the requirements of Basel III and other requirements, is an additional step
in the improvement of conduct and management of Israel's banking system, in a
manner which will strengthen its ability to successfully deal with expected future
challenges, both in Israel and abroad.