The Application of the Supervisory Review Process under Pillar 2 (CP03)

Start Date: 24/05/2004 | Deadline: 31/08/2004

1. This paper sets out a general overview of the approach which has been developed by the Committee of European Banking Supervisors (CEBS) towards the implementation of Pillar 2 of the revised Basel Accord ("Basel II") and the relevant provisions of the Capital Requirements Directive (NB1).

(NB1  For reasons of simplicity, in this paper the term "Capital Requirements Directive" or "Directive" refers to the prospective EU legislation that will be proposed by the European Commission in summer 2004 to create the legal framework for the new EU capital requirements regime.)

2. The outcome of such work, reflecting the current thinking of European banking supervisors, is expressed as High Level Principles (HLPs) which are designed to deliver an appropriate degree of convergence and to underpin the legal texts being developed in the draft Capital Requirements Directive. They should also be viewed within the overall context of risk-based prudential supervision, which includes the information generally gathered by supervisors, and supervisors' interaction with institutions during their ongoing supervisory relationship.

3. The HLPs are based on a structure which has been developed through a combination of adopting existing best practices and developing agreed new practices to take account of the new elements of Basel II and the draft Capital Requirements Directive. At the time of producing this paper the Directive text is still under development, and the HLPs and terminology may still need to be amended to reflect any subsequent changes introduced in the final Directive text.

Structure of the paper 

4. The outline of this paper is as follows:

• Section 2 sets out in basic terms what is meant by the overall Supervisory Review Process (SRP), and how the two elements - the Internal Capital Adequacy Assessment Process (ICAAP) and Supervisory Review and Evaluation Process (SREP) - fit together.

• Section 3 summarises the key considerations which underpin these HLPs.

• Section 4 details what the supervisory authority will expect from institutions in their own assessment of the adequacy of their financial resources (ICAAP).

• Section 5 looks at the supervisory authority's obligations under the SREP and how this might be performed.

• Annex A sets out key ingredients of the supervisory Risk Assessment System (RAS) that constitutes an integral part of the SREP, and which is used for organising (i.e. planning, prioritising and allocating) the use of resources, and performing and managing the supervisory risk assessment; and Annex B summarises the risk and control factors which should be evaluated as a minimum.

5. CEBS invites comments on this consultation paper by 31 August 2004. The comments received (unless the respondent requests otherwise), as well as a reasoned explanation addressing all major points raised, will be published on the website.

Supervisory Review Process

6. The purpose of the SRP, according to the Basel Committee on Banking Supervision, is to:

• ensure that institutions have adequate capital to support all the risks in their business; and

• encourage institutions to develop and use better risk management techniques in monitoring and measuring risks.

7. The four principles for supervisory review agreed by the Basel Committee are:

Principle 1 : Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

Principle 2 : Supervisors should review and evaluate banks' internal capital adequacy assessments and strategies as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take supervisory action if they are not satisfied with the result of this process.

Principle 3 : Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.

Principle 4 : Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.

8. Under Principle 1, the management body of an institution bears primary responsibility for ensuring that processes exist to ensure that an institution holds sufficient capital to meet both regulatory and internal capital targets. Supervisors should review and validate this process, in accordance with Principle 2. Under Principle 3, supervisors are able to require (or encourage) institutions to hold capital in excess of the minimum Pillar 1 requirement. Finally, it is the opinion of supervisors that Principles 2 - 4 imply that the supervisory authority should have strong risk assessment capabilities as part of its review and evaluation, in order to form its own well-informed judgement on what constitutes an adequate level of capital in any one institution in relation to its risk and control profile.

9. The Commission Services proposed in the third Consultation paper (of July 2003) a framework which reflected these four principles. The SRP prescribed in the EU Directive is intended to achieve two equally important goals. On the one hand, it seeks to ensure that institutions hold internal capital which is consistent with their risk profile and strategy. And on the other, it requires review of institutions' processes and strategies by supervisors, and the timely adoption of prudential measures if weaknesses or deficiencies are detected.

10. The SRP therefore comprises a set of relationships between supervisors and institutions that hinge on two main elements. The first is the Internal Capital Adequacy Assessment Process which places certain obligations on the institution itself (see ICAAP below). The second is the Supervisory Review and Evaluation Process which places certain obligations on the supervisory authority (see SREP below) and in turn leads to the identification of prudential measures.

11. Supervisors assess the risk profile of an institution through a variety of sources (e.g. statistical, desk-based analysis, on-site visits, and routine relationship management etc.) as part of risk-based prudential supervision. This provides the foundation for the supervisor to undertake, inter alia, an evaluation of the institution's risk profile, key inputs to which will be the evaluation of the institution's ICAAP and the supervisory dialogue this generates with the institution. It also enables the supervisor to determine appropriate prudential measures (including if necessary setting a capital requirement above the Pillar 1 minimum), apply those prudential measures over an agreed supervisory period, and to keep the risk assessment under review in the light of progress in implementing those measures and/or other events which may have a significant impact on the risk assessment.

12. While expressed as two separate processes, the SREP and ICAAP are in practice closely intertwined and it is intended that there will be a close interaction between them, especially so for the larger, more complex and systemically important institutions. This interaction will generate an important and necessary dialogue, and feedback mechanism, through which supervisors can:

• gain deeper insights into the institution's overall control and risk management frameworks;

• establish a closer understanding of how individual institutions approach the measurement of risks and the amount of internal capital allocated to them; and

• assess the extent to which the ICAAP may be relied upon as an input into the supervisor's evaluation of the adequacy of capital held against all risks.

13. These principles are expected to enhance the level playing field in the EU under the new capital regime. Industry views on this would be particularly helpful for further work by banking supervisors to develop, collectively, additional principles aimed at promoting convergence on how the ICAAP is linked to the SREP and how the outcomes of that process might be determined. This future work will help to underpin convergence and greater consistency of supervisory outcomes.

Key Considerations

14. These proposals envisage that every institution to which the Capital Requirements Directive applies must have an Internal Capital Adequacy Assessment Process and will be subject to the Supervisory Review and Evaluation Process.

15. The concept of proportionality is key to both the ICAAP and SREP. As such, the ICAAP should be commensurate and proportionate to the nature, scale and complexity of the activities of an institution. Similarly, the depth, frequency and intensity of the SREP will be determined by the risks posed to the supervisor's objectives.

16. It is the responsibility of the institution to define and develop its ICAAP. The onus is on the institution to demonstrate to the supervisor in its dialogue (through the interaction of the ICAAP and SREP) that its internal capital assessment is comprehensive and adequate to the nature of risks posed by its business activities and its operating environment. The framework under which an institution should develop its ICAAP is designed to be risk based. The new framework emphasises the importance of capital planning, but also the importance of management, and other qualitative aspects of risk management. All institutions will have to assess the impact of economic cycles and other future business variables on their capital needs. For larger and more complex institutions this may mean developing a stress and scenario testing framework through which they will have to estimate the sensitivity of the institution's capital needs to external risks and factors.

17. The supervisor's role, within the SRP, includes the review and evaluation of the institution's ICAAP, and the performance of an independent assessment of the institution's risk profile and if necessary taking prudential measures and other supervisory actions, including setting additional regulatory capital, to reflect the individual circumstances of the institution, with a view to ensuring consistency of capital treatment across institutions. Supervisors should have arrangements in place for the collection and verification of any relevant information, and procedures to maintain the quality and consistency of risk assessments.

18. The Pillar 1 capital requirement will continue to be seen as a minimum for regulatory capital requirements based on uniform rules. However, no set of uniform rules for capital requirements may capture all aspects of an individual institution's overall risk profile. For institutions and supervisors alike, judgements on risk and capital adequacy are based on the overall risk profile and are therefore more than an assessment of compliance with Pillar 1 minimum capital requirements. As part of the supervisory review process, regulatory capital over and above Pillar 1 is seen as one of several regulatory tools to be potentially used by the supervisor to mitigate identified risks, having carefully considered controls and other mitigating actions. Emphasis should also be placed on the institution's risk management process.

19. The scope of application for the SRP should allow the supervisory authority to fulfil its legal responsibility for supervision at the individual institution level while minimising the burden on institutions. This element of the Directive is under active discussion. It will be necessary to ensure that these HLPs fully fit with the final text.

The Internal Capital Adequacy Assessment Process


20. The ICAAP is a comprehensive process including the management body and senior management oversight, monitoring, reporting and internal control reviews, that institutions must have to identify and measure their risks, allowing them to ensure that adequate provision is made for holding internal capital in relation to their risk profile.

21. The ICAAP includes:

• Policies and procedures to identify, measure and report the risks inherent in the institution's activities.

• A process to relate the institution's internal capital to its risks.

• A process to state the institution's goals in terms of adequate internal capital.

• A process of internal controls, review and audit.


22. The latest texts from the Basel Committee (CP3) and the European Commission include some key requirements in relation to the ICAAP as a process for assessing capital adequacy:

Basel Committee - Principle 1 states that "banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels".

- CP3 then elaborates the five main features of a rigorous process, of which two relate specifically to the process for assessing how much capital the institution needs:

• "sound capital assessment" (policies and procedures to ensure capture of all material risks, a process to relate capital to risk; a process to state capital adequacy goals to risk (which should take account of the institution's strategic focus and business plan); internal controls to ensure integrity); and

• "comprehensive assessment of risks" (all material risks to be included, with consideration at least of credit risk, operational risk, market risk, interest rate risk in the banking book, liquidity risk and other risks, such as reputation and strategic risk).

23. The remaining three features set out some essential elements of the overall environment within which the ICAAP should operate:

• management body and senior management oversight;

• monitoring and reporting; and

• internal control.

24. The EU draft directive (Third Consultation paper of July 2003) incorporates the basic requirements concerning the assessment process to be implemented by institutions to ensure that their internal capital is adequate to cover the risks inherent in their activities.

25. Therefore, even if the Directive is not final, there will be a requirement for institutions to have a process/arrangements to ensure that they have adequate internal capital to support all material risks to which they are exposed and to encourage the development and use of better risk management techniques. For the purposes of simplification, the process defined above is referred to as the internal capital adequacy assessment process.

26. The proposed High Level Principles set out how an institution can comply with both the qualitative (corporate governance and risk management) and the quantitative elements (internal capital assessment) that ICAAP should include (i.e. comprising all five features mentioned in relation to Basel CP3 in paragraph 21 above). It is important to note however, that these high level principles deal mainly with those issues related to the calculation of the adequate internal capital to ensure that all material risks are supported.

27. Adequate risk management arrangements and other important elements of corporate governance are a necessary condition for an adequate ICAAP and are the foundation of the capital adequacy process. Notwithstanding this, those more qualitative elements have further-reaching implications for an institution that go well beyond the ICAAP. This paper does not intend to elaborate on that risk management process or on other elements of corporate governance.

ICAAP High Level Principles

I. Every institution must have a process for assessing its capital adequacy in relation to its risk profile (an ICAAP). 

a. The scope of application of this principle to institutions which are part of a group subject to consolidated supervision (i.e. consolidated, sub-consolidated and/or solo) will depend on the final decision taken in the Directive in relation to this issue.

II. The ICAAP is the responsibility of the institution.

a. Institutions bear the responsibility for setting targets of adequate internal capital in a way which is consistent with their risk profile and operating environment.

b. Therefore the ICAAP should be the responsibility of each institution itself to fit its circumstances and needs, and using its own inputs and definitions.

c. At the same time, the institution must be able to explain and demonstrate how the ICAAP meets supervisory requirements.

III. The ICAAP should be proportionate to the nature, size, risk profile and complexity of the institution. 

a. Deciding on how to categorise institutions in order to apply the principle of proportionality cannot be defined in a principles paper; it is more of a case-by-case issue, which will probably take account of factors such as size, significance to financial stability or to other objectives of the supervisory authority, risk profile, complexity, sophistication, history of compliance, legal form of the institution etc.

b. It can be expected that proportionality considerations will have a particular influence on the structure, comprehensiveness and complexity of less sophisticated institutions' ICAAPs.

c. For less sophisticated institutions, and without prejudice to Principle V, the outsourcing of parts of the ICAAP and/or its review is also an issue. Conditions for accepting such outsourcing could be established nationally or at European level. It must be clear that each institution is considered according to its specific situation and individual risk profile.

IV. The ICAAP should be formal, the capital policy fully documented and the management body's responsibility.

a. Responsibility rests with the management body of the institution to initiate and design the ICAAP. It should approve the "conceptual design" (at the very least the scope, general methodology and objectives) of the ICAAP. The detailed "design" (being the technical concept) is a task for the senior management. The management body is also responsible for integrating capital planning and management into the overall risk management culture and approach. It must ensure that capital planning and management policies and procedures are communicated and implemented institution-wide and supported by sufficient authority and resources.

b. The institution's ICAAP (methodologies, assumptions and procedures) and capital policy should be formally documented and approved and reviewed at the top level (management body) of the institution.

c. The outcome of the ICAAP should be reported to senior management and the top level management body.

d. Even though outsourcing of parts of the ICAAP - bearing in mind CEBS' high level principles on outsourcing - could be permissible for less sophisticated institutions, it must be clear that the ICAAP remains at all times the responsibility of the institution's management body. (NB2)

(NB2  The management body is responsible for defining general policy and for oversight or supervision.) 

V. The ICAAP should form an integral part of the management process and decision-making culture of the institution. 

a. For the more sophisticated institutions, a complete integration of the ICAAP into the day-to-day management is expected.

b. For less sophisticated institutions, the ICAAP should be constructed in a way which allows the management body to assess, on an ongoing basis, the risks inherent in their activities and which are material to the institution.

c. As an integral part of the management process, this could range from using the ICAAP to allocate capital to business units, to playing a role in the individual credit decision process, to playing a role in more general business decisions (e.g. expansion plans) and budgets.

d. The results and findings of the ICAAP should feed into the institution's considerations of its strategy and risk appetite. For less sophisticated institutions in particular, for whom genuine strategic capital planning is likely to be more difficult, the results of the process can be expected to mainly influence the institution's management of its risk profile, for instance via changes to its lending behaviour or through the use of risk mitigants.

VI. The ICAAP should be reviewed regularly.

a. The ICAAP should be reviewed at least annually, to ensure that the risks are covered correctly and reflect the actual risk profile of the institution.

b. The ICAAP and its review process must be subject to independent internal review.

c. Appropriate adjustments to the ICAAP should be initiated in the light of any changes to the institution's strategic focus, business plan, operating environment or other factor that materially affects assumptions or methodologies used in the ICAAP. New risks that occur in the business must be identified and included in the ICAAP.

VII. The ICAAP should be risk-based. 

a. The adequacy of capital of an institution should be related to its risk profile. Institutions should set targets which are consistent with their risk profile (and operating environment).

b. Other considerations may also be taken into account, such as external rating goals, market image, strategic goals etc., that are essential for the institution when deciding how much capital to hold.

c. Nevertheless, if these other considerations are included in the process, the institution will also need to show how they have influenced its decisions concerning the amount of capital to hold for the purposes of its dialogue with its supervisor.

d. At the same time, there are some types of (less readily quantifiable) risks for which the focus in the ICAAP should be more on qualitative assessment, risk management and mitigation.

e. Those less sophisticated institutions that take the Pillar 1 "model" as the starting point of their ICAAP (see below), should also start to meet this principle, in so far as the Capital Requirements Directive is promoting a risk-based model (even in the Standardised Approach for credit risk), and because general management and control frameworks will increasingly be based on risk considerations.

VIII. The ICAAP should be comprehensive.

a. The ICAAP should consider all risks:

i. Pillar 1 risks;

ii. risks covered but not fully captured under Pillar 1;

iii. non-Pillar 1 risks, and

iv. risk factors external to the institution.

b. The ICAAP should capture all of the material risks to which the institution is exposed, with the concept of materiality defined and explained by the institution, including non-banking risks (e.g. insurance).

c. There is no standard categorisation of risk types, although supervisors will usually expect that the institution has considered all material risks - see annex B. The institution should be free to use its own terminology, but should be able to explain to the supervisor the details, methods used, the coverage of all risks and how this relates to its obligations under Pillar 1. This would be the case, for example, if the institution uses a different definition of operational risk to that in Pillar 1, or a definition of interest rate risk that includes both banking book and trading book risk.

d. External factors to be taken into account may include, e.g. new accounting rules, EU and wider legislation, macro-economic factors, procyclicality.

e. Whereas most risks are quantifiable and institutions can be expected to devise methods to measure them, there may be others which are more qualitative in nature. For these latter risks (which may need to be "defined", but which will probably include reputation and strategic risks) more qualitative methods of assessment and mitigation may be necessary. An institution is expected to be aware of all material risks, whether quantitative or qualitative in nature, and to have a process to assess, monitor, manage and control them.

f. Specifically regarding credit risk, the following should be taken into account: stress-testing in IRB, residual risk in CRM, concentration risk, securitisation etc.

g. In aggregating all risks in a comprehensive manner the institution may take into account risk correlations.

IX. The ICAAP should be forward-looking.

a. The ICAAP should take into account the institution's strategic plans and how these relate to macro-economic factors. The institution should develop an internal strategy for maintaining capital levels which can incorporate factors, such as loan growth expectations, future sources and uses of funds and dividend policy. The institution should have an explicit, approved capital plan that states the institution's objectives and time horizon for achieving them, and sets out in broad terms the capital planning process and the responsibilities for that process.

b. The plan should also set out how the institution will comply with capital requirements in the future, any relevant limits related to capital, and a general contingency plan for dealing with divergences and unexpected events (e.g. raising additional capital, restricting business, or use of risk mitigation techniques).

c. Larger and more complex institutions should conduct stress tests which take into account the risks specific to the jurisdiction(s) in which they are operating and the particular stage of the business cycle. The institution should analyse what impact new legislation, the actions of competitors etc. may have on its performance, in order to see what changes in the environment it could sustain.

X. The ICAAP should be based on adequate measurement and assessment processes.

a. Institutions should have a documented process for assessing risks (whether individually or in groups).

b. Institutions will not be required to use formal economic capital (or other) models, although it is expected that more sophisticated institutions will elect to do so.

c. There is no one "correct" process. Depending on proportionality considerations and the development of practices over time, institutions may design their ICAAP in different ways, for example:

i. as the result produced by the regulatory Pillar 1 methodologies (which are themselves risk-based) and consideration of non-Pillar 1 elements. In other words, to obtain a capital goal, institutions may take the Pillar 1 requirements and then assess Pillar 2 concepts that relate to Pillar 1 (e.g. concentration risk, residual risk of CRM, securitisation etc.) and concepts that are not dealt with in Pillar 1 (e.g. interest rate risk etc.). The Pillar 1 approach may, in fact, be appropriate for some less sophisticated institutions, although they would have to take an active role in justifying this, including consideration of forward-looking elements. Supervisors would expect the institution to demonstrate that it had analysed all the risks outside Pillar 1 and found that those risks were non-existent, not material, or covered by a simple cushion over the Pillar 1 minimum;

ii. as a "building block" approach, using different methodologies for the different risk types (Pillar 1 and Pillar 2 risks) and then calculating a simple sum of the resulting capital "needs";

iii. as a more sophisticated and complex system, possibly using "bottom-up" transaction-based approaches with integrated correlations. 

d. Also, institutions are likely to find some risks, or the risks in some countries, easier than others to measure depending on information availability, meaning that their system is a mixture of detailed calculations and estimates.

e. What is important is that institutions adopt the risk-based concept in their philosophy; Pillar 1 may only partially cover the risks in the business.

f. It is also important that institutions do not rely on quantitative methods alone to assess their capital adequacy, but rather that there is an element of qualitative assessment and management judgement of the inputs and outputs. Considerations such as external rating goals, market image and strategic goals should be taken into account in all three "methodologies".

g. Non-measurable risks should be included if material, even if they can only be estimated, although this might be moderated where the institution can demonstrate that it has an appropriate policy for mitigating/managing these risks.

XI. The ICAAP should produce a reasonable outcome.

a. The ICAAP should produce a reasonable overall capital number and assessment. The institution should be able to explain the similarities and differences between its ICAAP (which should cover all the risks) and the regulatory requirements to the supervisor's satisfaction.

b. Institutions might be encouraged to make greater disclosures, in order to allow them (and others) to make a comparison, for their internal purposes, of their ICAAP within their peer group, and in order to have a basis for comparison and a reasonableness check.

Supervisory Review and Evaluation Process


28. SREP is the comprehensive process which supervisors use to:

• Review and evaluate the institution's exposure to risks (i.e. risk profile)

• Review and evaluate the adequacy and reliability of the institution's ICAAP

• Review and evaluate the adequacy of the institution's own funds and internal capital in relation to the assessment of its overall risk profile

• Monitor ongoing compliance with standards laid down in the Directive (i.e. supervisory evaluation of compliance)

• Identify any weakness or inadequacies and necessary prudential measures


29. The latest texts from the Basel Committee (CP3) and the European Commission include some key requirements in relation to the SREP as a process for supervisors to assess capital adequacy and the overall control environment:

Basel Committee Principle 2 states that "supervisors should review and evaluate banks' internal capital adequacy assessments and strategies as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take supervisory action if they are not satisfied with the result of this process".

• CP3 then elaborates the key features of a rigorous process:

o "Review of adequacy of risk assessment" (the degree to which internal targets and processes cover the full range of material risks; risk measures used in assessing internal capital adequacy and extent they are used operationally; and results of sensitivity analyses and stress tests);

o "Assessment of capital adequacy" (processes used to determine: target levels of capital are comprehensive and relevant; levels are properly monitored and reviewed by senior management; and composition of capital is appropriate);

o "Assessment of the control environment" (quality of the bank's management information reporting systems; the way in which business risks and activities are aggregated and management's record in responding to emerging or changing risks);

o "Supervisory review of compliance with minimum standards".

30. The other Principles (3 and 4) relate to:

o Supervisors expecting institutions to operate above the minimum regulatory capital ratios and having the ability to require institutions to hold capital above the minimum; and

o Supervisors intervening early to prevent capital from falling below minimum capital requirements.

31. The EU draft directive (Third Consultation paper of July 2003) incorporates the basic requirements for Supervisors to undertake this evaluation and review.

32. Therefore even if the Directive is not final, there will be a requirement for supervisors to have a process/arrangements to ensure that they can form their own judgement about an institution's overall risk profile, taking into account the control environment, and the adequacy and composition of its capital (own funds and internal capital) in relation to that assessed profile. An important part of this process will be the supervisor's assessment of the overall adequacy of the institution's ICAAP, which will be significantly informed by the quality of the institution's own risk management and controls.

33. The Risk Assessment System (RAS) is the supervisor's tool for organising (i.e. planning, prioritising and allocating) the use of resources, and performing and managing the supervisory risk assessment (see annex A). It is intended to provide structure and a practical step-by-step guide to the first phase of SREP and how this crucial part of SREP might best be planned and organised, its scope, how it is undertaken and managed, the outputs, the quality assurance which should be applied, and how the outcomes are communicated. It is therefore fundamentally a tool for internal administrative purposes, though if adopted it could lead to greater commonality of approach among authorities which, in turn, should facilitate more effective communication between supervisors, especially between home and host competent authorities. Also, given the need for greater transparency, broad disclosure on the RAS will contribute to the dialogue with institutions on their capital situation. 

SREP High Level Principles

I. The SREP should be an integrated part of the authority's overall risk-based approach to supervision.

a. The evaluation process will be an integral, explicit and formal part of the authority's overall supervisory approach.

b. The evaluation process underpins the supervisor's dialogue with the institution (and does not replicate the role of institutions' management).

c. It is understood and recognised that there will be different types of evaluation process in place in different supervisory authorities (for example, the emphasis on qualitative versus quantitative judgements and the degree of automation within a system).

d. However, the European authorities agree that while flexibility of approach is important, there will need to be common minimum standards or benchmarks in order to ensure consistency of application and a level playing field across Europe.

II. The SREP should apply to all authorised institutions.

The scope of application of this principle to institutions which are part of a group subject to consolidated supervision (i.e. consolidated, sub-consolidated and/or solo) will depend on the final decision taken in the Directive in relation to this issue.

III. The SREP should cover all activities of the institution 

a. All significant business units of the institution, including banking, securities, investment management and life assurance, pensions and general insurance, whether operating domestically or overseas, will be considered within the evaluation process.

b. Other risks to the consolidated group will also be captured, for example where services are being provided or control functions are being exercised from outside the consolidated group on an outsourced basis (even if within the wider group): for example IT, accounting, payment and settlement functions.

IV. The SREP should cover all material risks and risk management/internal controls. 

a. The supervisor will perform its analysis with a formal evaluation of risk factors and of control factors in place. The principles for the minimum content of the Risk Assessment System (RAS) used by supervisors are set out in Annex A.

b. The evaluation will focus on identifying each institution's risk profile and assessing the quality of the institution's risk management system. The business risks and the risk management and internal controls which should be evaluated are set out in Annex B. Business risks span all activities and significant business units. Controls should include, at a minimum, an assessment of the quality of corporate governance, senior management, organisational structure, the risk management and control environment, internal audit and compliance functions. Supervisors should review the controls in place to mitigate risk, as well as the adequacy and composition of capital held against those risks.

c. This review and evaluation allows the supervisor, inter alia, to give qualitative feedback to an institution about the adequacy of its risk management/internal controls in relation to the business risk profile, and to assess and understand the extent to which the output of the ICAAP can serve as an input to the SREP.

d. The evaluation should be forward looking to the extent that it should consider, based on information known at the time, whether the risk profile of the institution is likely to change over the forthcoming period.

e. Stress tests could be used by the supervisor to help in establishing the need for early intervention.

V. The SREP shall assess and review the institution's ICAAP.

a. The supervisor will assess the institution's ICAAP as part of its SREP. This should include a consideration of the assumptions, components, methodology, coverage and outcome of the institution's ICAAP. This review should cover both the institution's risk management processes and its assessment of adequate capital. Supervisors should review the controls in place to mitigate risk as well as the adequacy and composition of capital held against those risks.

b. An important element of the assessment and review of the ICAAP will be the necessary dialogue between the supervisor and the institution. This dialogue will inform the supervisor about the way in which the ICAAP is structured, the assumptions which are used to determine underlying risks across different sectors and risk types, risk sensitivity and confidence levels, and how the risks are aggregated. The supervisor may use the results of the RAS to inform its analysis.

c. In line with ICAAP Principle XI, the supervisor may require the institution to explain the differences, if any, between its own assessment of its capital needs and targets under the ICAAP, and the regulatory requirement.

VI. The SREP shall assess and review the institution's compliance with minimum standards laid down in the Directive 

As part of the SREP, the supervisor must also evaluate the institution's compliance with the various minimum standards and requirements under the Directive. These include an evaluation of the methods and models used in advanced approaches under Pillar 1 and disclosure under Pillar 3.

VII. The SREP should result in the identification of existing or potential problems and key risks faced by the institution; deficiencies in the control and risk management frameworks; and assess the degree of reliance that can be placed on the outputs of the institution's ICAAP. 

In doing so, the process will enable the supervisory authority to tailor its approach to the individual institution; drive its general approach to an institution and its actions; and provide incentives for institutions to improve their risk management systems.

VIII. The SREP should lead to prudential measures and other supervisory actions being taken promptly to address any deficiencies identified according to Principle VII.

a. Having evaluated the adequacy of an institution's capital in relation to its risk profile, the supervisor should identify any prudential measures or other supervisory actions required. For example, where there is an imbalance between business and control risks, the supervisor should consider the range of remedial supervisory actions that may be needed to rectify a deficiency in controls and/or perceived shortfalls in capital, either as a long-term requirement(s) or as a short-term action(s).

b. The measures available to the supervisory authorities include the possibility to: (i) require a credit institution to hold own funds and/or Tier 1 capital above the minimum level laid down, and/or impose other limitations on own funds; (ii) improve its internal control and risk management frameworks; (iii) require credit institutions to apply a specific provisioning policy or treatment of assets in terms of own fund requirements; (iv) restrict or limit the business, operations or network of credit institutions; and (v) reduce the risk inherent in activities, products and systems of credit institutions.

c. The supervisory authorities acknowledge that the choice of supervisory action should be determined according to the severity and underlying causes of the situation and the range of measures/sanctions available to the supervisor.

d. Such measures can be used singly or in combination. A specific own funds requirement shall, however, be imposed at least on an institution which has an imbalance between its business risks and internal control/risk frameworks which cannot be remedied by other prudential measures or supervisory actions within an appropriate timeframe.

e. A specific own funds requirement may be set to reflect the outcome of an institution's ICAAP; or, for example, where the supervisor judges the level of own funds held to be inherently inadequate for the institution's overall risk profile.

IX. The results of the SREP will be communicated to the institution, at the appropriate level (usually senior executive/management body), together with the action that is required of the institution, and any significant action planned by the authority. 

a. The authorities will convey the results of the risk assessment to the institution. This may be done as part of the discussion between the authority and an institution on the internal systems to assess capital adequacy. In doing so, the authority will: (i) explain in sufficient detail the factors which have led to the risk assessment conclusions; (ii) indicate areas of weakness and the timeframe for remedial action; (iii) explain the reasons for any adjustment to the capital requirements; (iv) provide pointers as to what improvements could be made to systems and controls to make them adequate for the risks/activities of the institution, and hence be reflected in the capital requirements.

b. In relation to the communication of the results of the risk assessment to the auditors, it is recognised that the relationship between the supervisory authority and the institution's auditors varies from country to country and that, in some cases, it may not be appropriate to discuss the results of the assessment with the auditors.

X. The supervisory evaluation should be formally reviewed at least on an annual basis, in order to ensure that it is up to date and remains accurate.

a. The authorities agree that this review may not always constitute a full risk assessment.

b. However, the authority will at least take stock of any significant changes to the overall risk profile over the past year. In so doing, the authority will take into account the results of any supervisory visits, inspections and other information received during the period, and consider whether the timing of the next full assessment agreed during the previous full assessment process remains appropriate.

c. The nature of the review will depend on the nature and scale of the institution, taking into account the cost/benefit of such an exercise, and the extent to which there have been changes (either institutional or environmental) during the past year that might have impacted on the risk profile.

d. Notwithstanding the above, any significant new information received in the course of ongoing monitoring/supervision and which may impact on the risk profile will trigger consideration by the authority of the need for a formal review or a full risk assessment.

XI. The depth of the SREP can be varied according to the systemic importance and either the nature and scale (size, risk profile and complexity) of the institution, or the overall assessment of the quality of governance, management and systems and controls, or both. 

Competent authorities shall determine for each institution the frequency, intensity and scope of the evaluation process having regard to the systemic importance, nature, scale and complexity of the activities of the institution concerned. This concept of proportionality covers the whole risk management and assessment process and supervisory review including the ICAAP, the SREP (and RAS), as well as the intensity of the dialogue between the supervisor and the institution.

Annex A

Minimum Content of Risk Assessment Systems

1. This annex concentrates on the supervisor's internal processes for organising, performing and managing their Risk Assessment. The purpose is to achieve a necessary degree of convergence of supervisory practice across the supervisory authorities in the EEA in respect of the following areas:

- Creating insights into the risk profiles of the supervised institutions;

- Providing input for the planning process of the supervisor and efficient and effective allocation of resources;

- Facilitating effective communication with supervisory colleagues;

- Identifying any corrective action which needs to be taken.

RAS High Level Principles 

I. Overall assessment:

In order to carry out an overall assessment of an institution the Supervisory Authority should define guidelines covering both risks and controls. The overall assessment of the risks and controls should be done in a way that facilitates organising (i.e. planning, prioritising and allocating) the use of resources for those (areas within) credit institutions that require the most attention. The Supervisory Authority should have individual ratings for risks and controls.

II. Creating a 'break down' of the credit institution:

In order to adequately capture all risks and controls, the supervisor should perform a breakdown of each institution to the level where these are actually run or performed (depending on the scale and structure of the institution, this might be business units, business lines, or processes within the same business unit). The supervisor should set clear rules and standards for such a breakdown process, considering both the need to keep it proportionate to the scale and complexity of each institution and the objectives of the RAS as a planning tool for supervisory work.

III. Comparability of risk assessment:

A risk assessment system should encompass all the relevant risks and risk management/internal controls, while at the same time making a clear distinction between the two. To support the comparability of different risk assessment systems, each jurisdiction should be able to map its own classification to the risks and risk management/internal controls mentioned in Annex B, which encompass the risks identified in the second Basel accord.

IV. Quantitative and qualitative assessment:

In order to make the results of the risk assessments comparable between the various institutions within a country and between countries the results of the risk assessment of the Supervisory Authority should be both quantitative and qualitative in nature.

V. Quality assurance:

Procedures for quality assurance should be in place in order to maintain the quality and consistency of risk assessments. Quality assurance is an integral element of the overall process. It is provided to maintain the quality and consistency of assessment results.

VI. Information Collection and Verification:

Arrangements should be in place for the collection and verification of any information considered relevant to the evaluation process, using any reasonable means, and the authority must be able to verify its quality. The extent to which information is taken into account in the risk assessment will depend on the quality, independence and reliability of that information, as adjudged by the authority.

VII. Communication of methodology:

Supervisory authorities will communicate their general risk assessment methodology to the institutions to which it applies, and such information will also be available to the general public.

Annex B

SREP: Business Risks and Control Factors

[NB This list is provisional and may need to be updated in order to match the final set of risks and controls in the Basel Accord and the Capital Requirements Directive]

Risk factors (short definition)

Credit risk

Credit risk is the current or prospective risk to earnings and capital arising from an obligor's failure to meet the terms of any contract with the institution or otherwise fail to perform as agreed. This risk comprises concentration risk, residual risk, the credit risk in securitisation and cross border (or transfer) risk.

Market risk

Market risk is the current or prospective risk to earnings and capital arising from adverse movements in bond prices, security and commodity prices and foreign exchange rates in the trading book. This risk arises from market making, dealing, and position taking in bonds, securities, currencies, commodities, and derivatives (bonds, securities, currencies, and commodities). This risk comprises foreign exchange risk, defined as the current or prospective risk to earnings and capital arising from adverse movements in currency exchange rates in the banking book.

Interest rate risk

This is the current or prospective risk to earnings and capital arising from adverse movements in interest rates in the banking book.

Liquidity risk

This is the current or prospective risk to earnings and capital arising from an institution's inability to meet its liabilities when they come due without incurring unacceptable losses.

Operational risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk. It includes, amongst others, IT risk, legal and integrity risk.

Strategic risk

Strategic risk is the current or prospective risk to earnings and capital arising from changes in the business environment and from adverse business decisions, improper implementation of decisions or lack of responsiveness to changes in the business environment.

Reputation risk

Reputation risk is the current or prospective risk to earnings and capital arising from adverse perception of the image of the financial institution by customers, counterparties, shareholders/investors, or regulators.

Capital risk

Capital risk refers to an inadequate composition of own funds for the scale and business of the institution or difficulties for the institution to raise additional capital, especially if this needs to be done quickly or at a time when market conditions are unfavourable.

Earnings risk

Earnings risk refers to an inadequate diversification of earnings or the inability for the institution to provide a sufficient and permanent level of profitability due, for example, to an inadequate cost to income ratio.

Control factors (short comments)

Risk management & Internal controls

Internal controls comprise the risk management framework, financial and management reporting, operations risk controls, audit controls, compliance controls, IT controls and HR controls. Internal Controls enable mitigation of inherent risk by timely and appropriate identification, measurement, monitoring and management of all risks within the business processes.

Organisation comprises the organisation structure, group relationship, reporting lines and responsibility structure. Organisation enables mitigation of inherent risk by a transparent organisation structure, clear relationships between activities, management units, and group functions, adequate reporting on all levels and an adequate responsibility and authorisation structure within the business processes.

Management comprises management quality and structure, decision making process, strategic planning process and risk-control attitude. Management should enable mitigation of inherent risk through a management structure and composition in line with the volume, scope and complexity of the business, clear and comprehensive allocation of responsibilities and adequate management oversight and control, including fostering a culture of risk and control awareness within the business processes.