Risk Analysis De Nederlandsche Bank NV

RiskRisk AnalysisAnalysis DeDe NederlandscheNederlandsche BankBank N.V.N.V. Agenda

! Background and objectives ! Risk analysis proces ! Demonstration Risk Analysis Support Tool Background

HighHigh impact impact and and frequency frequency of of changes changes in in the the financial financial servicesservices industry: industry: • •globalisation globalisation • •mergers mergers and and acquisitions acquisitions • •increasing increasing complexity complexity of of financial financial products products • •increasing increasing dependence dependence on on information information technology technology

DevelopmentDevelopment of of new new supervision supervision methodologies methodologies and and tools tools by by foreignforeign supervisiors supervisiors

IncreasingIncreasing need need to to allocate allocate supervision supervision resources resources of of DNB DNB effectivelyeffectively and and efficiently efficiently to to banks, banks, or or parts parts of of banks, banks, with with a a highhigh risk risk profile profile Objectives

PrimaryPrimary objective objective of of Supervision: Supervision: ToTo protect protect both both creditors creditors and and the the stability stability of of the the financial financial system system

ProvideProvide DNB DNB with with input input for for the the CreateCreate insight insight in in the the inherent inherent risks risks planningplanning process process and and efficient efficient and and andand the the quality quality of of controls controls of of the the effectiveeffective allocation allocation of of scarce scarce supervisedsupervised institutions institutions resourcesresources

StructureStructure and and standardise standardise the the FacilitateFacilitate effective effective communication communication supervisionsupervision approach, approach, introducing introducing withwith colleague colleague supervisiors supervisiors inter-subjectivityinter-subjectivity in in outcomes outcomes The Risk analysis proces

QualityQuality assurance assurance

GeneralGeneral descriptiondescription Risk Risk & & Aggregation Aggregation && BreakdownBreakdown control control & & financialfinancial assessment assessment reporting reporting analysisanalysis

RiskRisk Analysis Analysis Support Support Tool Tool Risk analysis is an integrated part of the supervision cycle

PlanningPlanning of of time, time, RiskRisk analysisanalysis instruments,instruments, skills, skills, andand experience experience based based andand onon risk risk profiles profiles planningplanning processprocess

Risk based supervision

OngoingOngoing EvaluationEvaluation supervisionsupervision

EvaluationEvaluation of of follow-up follow-up is is input input FocusFocus and and contents contents of of investigations investigations forfor risk risk analysis analysis basedbased on on risk risk analysis analysis methodology methodology Risk analysis: the new tool for Supervision De Nederlandsche Bank N.V.

Léon Spooren * Corné van der Burg **

Urged by the fast pace of changes in the financial sector, De Nederlandsche Bank (the Bank) continually needs to revise its supervisory methods. Banking institutions and the risks entailed by their activities increasingly call for a customised approach. To be able to realise the required methodology objectively and enhance the effectiveness of the supervision it exercises, the Bank’s Directorate Supervision has introduced risk analysis as a new instrument. This article highlights the backgrounds, objectives and outlines of this new tool for the supervision on banks.

Introduction

The Dutch financial sector has grown strongly in the past decade, expanding its foreign activities further. The resulting presence of Dutch banks in a great many financial centres compels supervisors to co-operate on an international level. The constant flow of new financial instruments on the markets with sometimes complex risk characteristics renders special attention imperative. The said period has seen numerous mergers and acquisitions in the banking and insurance sectors, especially in the Netherlands, which have had significant consequences for the institutions concerned in terms of financial strength, management structure and risk profile. Also the ongoing advance of, and the correspondingly increasing dependence on, information technology in the banking industry have added a new dimension to supervision. These fast developments entail new risks for the stability of independent financial institutions and the financial system. Therefore, within the scope of its task to maintain financial stability, the Bank has strengthened the analytical basis for its supervision on Dutch credit institutions. The first starting point underlying this policy is the notion that a uniform approach in supervision no longer suffices with today’s diversity of credit institutions in terms of size and activities. Instead, supervision must be geared to an individual credit institution’s activities and risks. In other words, the supervision on major credit institutions, like ABN AMRO, ING, Rabobank or Fortis, which are active in a great many countries in both retail and wholesale business with a wide range of new, complex products and services, is bound to differ from the supervision exercised on a small-scale credit institution in the Netherlands, focused on

* De Nederlandsche Bank N.V. Directorate Supervision, Internationally active banks. ** De Nederlandsche Bank N.V. Statistical Information and Reporting Department, Automation and Organisation Section.

1 primarily traditional banking activities. The second starting point is that the supervision should be optimally adjusted to the risk control mechanisms employed by the credit institutions. After all, being the first responsible, credit institutions expend much effort on risk control, at considerable costs. Since, consequently, the objectives of credit institutions match those of the Bank’s Directorate Supervision, the Banks supervisors focus on the quality of the internal control, the administrative organisation and procedures and the other risk control mechanisms in place at the credit institutions under their supervision. Both principles also underlie the risk analysis, a methodology designed to assess the risks entailed by a credit institution’s activities and the measures taken to control these risks. The outcome determines the Bank’s supervisory approach, including, e.g., the principal areas of attention, the intensity of the supervision and the aspects on which the supervisor should consult with the management. Put differently, risk analysis serves to standardise the methods of assessment of mutually divergent credit institutions, after which the supervision procedure may be differentiated according to the extent to which the risks entailed by the individual activities are controlled.

Objectives of the risk analysis

Considering the foregoing, the risk analysis should meet the two following objectives: ! Creating insight into the inherent risks and the quality of controls of credit institutions; ! Structuring and standardising the supervisory approach, to maximise the objectiveness of the outcomes of the supervision. Other objectives are: ! Providing input for the Directorate Supervision’s planning process and for an efficient and effective allocation of scarce capacity (human resources); ! Facilitating effective communication with colleague supervisors at home and abroad.

Insight into the risks and controls of credit institutions under supervision The risk analysis methodology provides a guideline for assessing the magnitude of risks and the quality of controls within credit institutions. It does so, first, by broadening and refining the scope of supervision, thus facilitating insight into the principal risks and the quality of a credit institution’s controls, and, second, by making the know-how and experience of individual supervisors explicit and transparent for their colleagues and the Bank’s executive officers. Besides, the methodology charts those areas of a credit institution’s activities on which the Bank may not yet have sufficient information to be able to compose a complete risk profile.

2 Standardisation of the risk analysis process The risk analysis handbook presents a structured guideline for performing risk analyses. Use of a standardised and well-documented risk analysis enhances the transparency and consistency of assessments of individual credit institutions. Also, the risk analysis helps individual supervisors in substantiating their conclusions. Moreover, it improves the exchange of knowledge and experience in a team of supervisors.

Planning supervisory capacity Risk analysis results provide the Directorate Supervision with useful input for an effective and efficient management of time & resources. This allows the Bank to focus on those functional activities within a credit institution that show an unfavourable risk profile, i.e. activities with high risks and/or weak controls, and, if necessary, to allocate specific resources required for investigating such functional activities.

Communication with colleague supervisors Just like the Bank, other supervisory institutions, e.g. the Federal Reserve System in the United States and the Financial Services Authority in the United Kingdom, recently designed and implemented a risk analysis methodology. Use of similar analytical methodologies facilitates communication between supervisors, especially in the exchange of information pertaining to the supervision on large, internationally operating credit institutions.

Risk analysis, an introduction

Risk analysis consists of four steps, as shown in the middle four boxes of Figure 1. These steps are supported by a so-termed Risk Analysis Support Tool (RAST) and a quality assurance system designed to ensure a proper and consistent application of the methodology. The four steps are described in the following subparagraphs.

3 Quality assurance

General description Risk & control Aggregation & & Breakdown assessment reporting financial analysis

Risk Analysis Support Tool

Figure 1

General description and financial analysis This step in the risk analysis process is meant to lay down general information and a financial analysis of the institution, as is done of old. The general description covers information about the Board of Governors and the Supervisory Board, the external auditor and a possible rating, the overall strategy and policy, the group and shareholder structures, the core activities, (foreign) supervisors, contacts and any special areas of attention. The financial analyses comprise key figures from statutory reports submitted to the Bank by the institution under supervision. These figures concern the institution’s capital adequacy and liquidity, balance sheet and off-balance-sheet data and profit-and-loss account.

Breakdown of institutions To facilitate the detection, assessment and aggregation of the risks and the quality of the controls, the credit institution is broken down into significant and manageable units. This process is made up of the following steps: 1 Identification of all management units and functional activities, using the institution’s organisation chart as a starting point. Functional activities are distinguished on the basis of similar risk characteristics and controls. Also the group functions at a central level should be taken into account, like risk management, asset & liability management (ALM), the internal audit department and information technology (IT), as well as the institution’s governance structure; 2 Determination of the significance of each individual operational unit and functional activity by means of quantitative criteria (based on contribution to earnings, profit or capital requirement) and qualitative criteria;

4 3 Assigning of weights on a three-point scale (large (L) : medium (M) : small (S) = 4 : 2 : 1) to significant management units and functional activities, reflecting their relative importance in terms of contribution to (budgeted) earnings; 4 Determination of the applicable risks and control categories as well as their weighting, on the basis of a standard matrix; 5 Performance of a full-scale assessment, unless there is good reason for a simplified, less detailed assessment. In the latter case, the scores are assigned directly, on a more aggregated level. Steps 1-4 are illustrated in Figure 2.

Bank XYZ

Management units International division Netherlands division level 1 medium large

Management units Consumer banking Corporate banking level 2 large large

Functional Credit cards Mortgages activities small large

Risks Controls

Risks and Operational risk Credit risk controls medium large

Items Default Concentration Recovery probability and correlation rate

Figure 2

Risk and control assessment The core of the risk analysis is constituted by the assessment of the inherent risks and the quality of the controls for all significant functional activities of an institution under supervision. The risk analysis distinguishes between ten risk categories and three control categories. Per functional activity, at least the four principal risk categories and the three control categories are assessed. Every risk and control category is subdivided into a number of items, i.e. the determinants of the risks and the controls. These determinants are rated by means of a score. To support the supervisor, the methodology provides for item-specific evaluation topics. Besides the risk and control categories observed by the Bank, Figure 3 shows an example of the breakdown into items and evaluation topics for the risk category credit risk.

5 Cr edi t r i sk Items Assign scores at this level Price risk Default probability Interest rate risk Concentration & F or ei gn exch an ge r i s k Cor r elati on Liquidity risk R ecover y r at e Operational risk IT risk • Credit enhancements Risk categories • Level of provisioning Strategic risk • R egul ari ty of deposi ts L egal & i n t egr i t y r i sk • • ... Reputation risk Internal controls Evaluation topics Organisation Contr ol categor i es Management

Figure 3

Per risk category, all items are assessed on a four-point scale reflecting the potentially negative impact on earnings and capital in an ascending order. This effect may be small (1), non-significant (2), significant (3) or high (4). While the potential effect, directly or indirectly, on earnings and capital of some non-financial risks such as reputation risk, strategic risk, IT risk, legal or integrity risk is not always clearly measurable, these items must nevertheless be assessed. Similarly to the risk categories, also all control category items are assessed on a four-point scale, reflecting the quality of the controls in a descending order relative to the measure of mitigation of inherent risks.

Aggregation and reporting For a full-scale assessment first the results of the assessment of (the items of) risks and controls are aggregated to obtain one score for the functional activity concerned, in a way that ensures that the combination of low risks and poor controls results in a better score than the combination of high risks and good controls. Subsequently, the scores of all functional activities are aggregated at the credit institution’s higher levels as they are distinguished in the breakdown process. The assessment results are aggregated by means of a mathematical algorithm that takes all weighting coefficients from the breakdown into account. The algorithm, moreover, is based on the principle that high risks and weak controls should get greater emphasis in order to limit the averaging effect. The aggregation process is supported by the Risk Analysis Support Tool, which automatically calculates the aggregated scores at every level of the

6 organisation. The supervisor should always verify the calculated scores and, if necessary, overrule the calculated scores manually at every level. After aggregation of the scores at the highest level of the credit institution, the aggregated assessment is related to the financial position of the credit institution in terms of earnings and capital in order to determine the overall picture. Insight into the institution’s financial position is obtained through the financial analysis described above. A credit institution’s risk level and financial position are summarised in one report. In addition, it is possible to draw up reports related to one specific risk (a so- termed cross-section of the credit institution) and generate time series (the development of scores in the course of time). The various reports serve as starting points for internal planning, but also for consultations with the credit institutions.

Quality assurance and RAST The Directorate Supervision is continuously watching over the quality, consistency and transparency of the risk analysis process. Quality assurance is an integral element of the overall process, both during and after the execution of the risk analyses. A special team has been set up to provide daily support to individual supervisors, to maintain the methodology and to manage and maintain the software. All steps in the risk analysis process are supported by in-house developed software, the Risk Analysis Support Tool (RAST). See the appendix for an introduction to RAST.

Conclusion

Designed to realise various objectives, the new risk analysis tool notably provides for a standard analysis and assessment of a credit institution. On the basis of the outcomes thereof, the Bank plans and, subsequently, implements a customised supervisory programme. This means that in the exercise of its supervisory tasks, the Bank pays much attention to the functional activities that make a substantial contribution to earnings or have a poor risk profile. Furthermore, the risk analysis may serve as a means for the Bank to substantiate its Supervisory Reviews. The Bank has already received positive responses to its new risk analysis tool from credit institutions under its supervision and from other supervisors. From these reactions it is clear that risk analysis is a methodology that will contribute to further improvement of insight by the Bank in risk control at credit institutions as well as making the Bank’s supervisory tools match the changes taking place in the Dutch banking system.

7 Appendix: an introduction to RAST.

RAST is realised in SAS version 6.12 supplement with SAS/AF!, SAS /FSP! and SAS/GRAPH!. The network’s central database consists of several directories: one with the system tables (datasets), one with the current bank data and one for each past period. Two datasets produce the bank data: one for key information (each record in the dataset is a node in the organisational chart) and one for the remarks. Generally, we use standard SAS objects in this application. In the main menu we use the cursor_tracker method to activate the buttons when the mouse pointer crosses the button. In this menu, you can only see the buttons that are active, so when you do not have administrator authorisation there is no administrator tools button on your screen.

When a user/supervisor wants to edit or view breakdown and assessment data of a bank, he first has to download the required system and bank tables to his local environment (laptop/PC), independent from the network. If he wants to make changes to the breakdown structure and/or assessment scores, he has to ‘lock’ the corresponding part of the bank first, in order to prevent other users from updating the same part at the same time. When the data has been downloaded the user can view or update this bank in his local environment independent from the network. If the supervisor has finished editing, he should unlock and upload his work to the central database. This allows other users to see his changes and edit his work as well.

Editing or viewing the breakdown and assessment of a bank can be done in the breakdown and assessment menu/frame. In this frame the ‘Organizational Chart’ is the most important object. Instead of the save_as method we used the traverse method in combination with a label in the SCL framecode. When the chart list consists of many nodes, the set_current method is slow. Therefore, it should be used only when necessary. On the right hand-side of the menu, we have opted for an invisible ‘Tab Layout Object’ within the visible tab layout to realise a different layout for all kind of node types. The ‘extended Text Entry’ object is used as input/display fields. This object has been subclassed, so it is possible to cut and paste with the popup menu. The feedback method is used to have more control over those input fields.

8 To produce graphical reports we use the Data Step Graphics Interface. The DSGI increases the flexibility, but it requires a lot of source code. With the ‘Breakdown and Assessment Reports’ menu, it is possible to make all kinds of reports of one bank. The following types of reports are available: overall reports, charts, selections, statistics and cross- sections. All the data will be selected from your local environment.

The breakdown structure chart is also created using the Data Step Graphics Interface.

The ‘view report’ menu shows an example of a graphical report. The reports can be exported in an Excel spreadsheet for further processing.

9 Besides the reports on one bank there is the ‘Reports across year and banks’ menu to create other kinds of reports. One for reports through time (‘time series’) and the other for reports involving multiple banks (‘range of banks’). All data are selected from the central database. This implies you only make that these reports can only be created when there is a network connection.

Besides the supervisor banks can perform a self assessment as well. With this menu the supervisor is able to compare his own assessment scores and remarks with the self assessment scores and remarks of the bank. The supervisor can adopt (parts of) the self assessment scores and remarks if he agrees on them.

The ‘Administration tools’ menu is available to the administrator only. It contains tools: ! To update system tables (user, bank, templates and guidelines). ! To export bank data for the external supervisors or self assessments. ! To import bank data from the external supervisors or self assessments. ! To make the self assessment data available to the supervisor. ! To monitor and remove locks. ! To do a roll forward (that’s archiving the current bank data to the historical database). All actions of the administrator are logged. Only the owner of the application is able to view these logs.

10 The user maintenance tool can be used to add, remove, or modify users, and to change authorisations. In RAST there are several authorisation levels. For example, an EDP auditor is only allowed to lock the risk category IT risk and the control item IT control. The administrator can only change the authorisation level if there is no conflict with current locks of the user. With this tool, it is also possible to authorise users to update banks.

The unlocking tool can be used to monitor all locks and, if for some reason this is required, remove locks.

The roll forward is a process that is performed at the end of the supervision cycle. During the roll forward, the bank data for all banks at the end of the supervision cycle are saved as the ’final’ results for that period. In addition, new bank and system data are created for the new supervision cycle. Before this action is performed, the administrator can remove all locks, change the aggregation algorithm, remove banks, make changes to categories and items, or make changes to existing templates. These options/actions are not available throughout the year to ensure consistency of the data within one supervision cycle. Each of these actions uses its own composite class. So for this frame/menu, we created an object which is able to load several different classes.

De Nederlandsche Bank developed this SAS application with help from PW-consulting and Search and Solve.