Chief Risk Officer Role [1] and Responsibility Assessment Tool [2]: Part of IFC’s Advanced Methodology for Financial Institutions

I. Personal Qualifications [3]

ACCEPTABLE
1. Integrity – understands duties of loyalty and care.
2. Communication skills.
3. Honest and ethical.

BETTER
1. Same. [4] 2. Same. 3. Same.
4. Strong quantitative skills.

DESIRABLE
1. Same. 2. Same. 3. Same. 4. Same.

BEST PRACTICE
1. Same. 2. Same. 3. Same. 4. Same.

II. General Knowledge and Professional Skills

ACCEPTABLE
1. General understanding of risk factors affecting financial institutions.
2. Specific understanding of risk factors affecting the Bank.
3. Familiarity with risk-oriented regulations (e.g. Basel II).
4. Holds all applicable licenses (if required by local regulation).
5. Has basic knowledge of and is generally familiar with anti-money laundering/combating the financing of terrorism (AML/CFT) and risks related to these.

BETTER
1. Same. 2. Same. 3. Same. 4. Same. 5. Same.

DESIRABLE
1. Same. 2. Same. 3. Same.
4. Same, and holds internationally accepted relevant certification (e.g. PRMIA, CPA, CFA, etc.).
5. Same.
6. Detailed knowledge of business lines in the Bank.

BEST PRACTICE
1. Same. 2. Same. 3. Same. 4. Same. 5. Same. 6. Same.

III. Appointment

ACCEPTABLE
1. Appointed by CEO.

BETTER
1. Same.
2. Appointment subject to consultation with Board (or Board committee [5]).

DESIRABLE
1. Same. 2. Same.

BEST PRACTICE
1. Same. 2. Same.

IV. Reporting Line and Accountability

ACCEPTABLE
1. Independent of any business line, so as to avoid any conflicts of interest.
2. Reports to senior level official (defined as a maximum of two steps removed from CEO).

BETTER
1. Same.
2. Same, and has unrestricted access to CEO.

DESIRABLE
1. Same.
2. Reports to CEO or to management committee or executive committee or Board. If reports to the CEO, the CRO has a “dotted line” reporting relationship to Board or Board Committee.

BEST PRACTICE
1. Same. 2. Same.

[1] At some financial institutions in emerging markets, particularly smaller ones, the functions of the chief risk officer (CRO) may be split among the , , and others. Even at institutions that have CROs, some functions may be divided between CROs and others. In all cases, the relevant functions should be coordinated to ensure that there are no gaps.

[2] Prepared by Sinclair Capital, a G3 affiliate.

[3] As the CRO position is relatively new, the normal experience requirements don’t seem to apply. There are CROs with banking backgrounds, but also with scientific, mathematics, operational, auditing, risk and compliance backgrounds. But they have to know the business of the bank. It is, however, a senior level position, and the CRO generally has a record of accomplishment, regardless of the field. CROs typically have at least 12 years of business experience.

[4] “Same” in a column means that the recommendation with the same number in the column immediately to the left is carried over into that column. Where the recommendation is the same but with additions, the additions are in italics.

[5] Such consultation should be conducted with the risk committee of the board or, if that committee has not been established, then the audit and compliance committees.

V. Reporting

ACCEPTABLE
1. Routine and regular reports to CEO and/or CFO.
2. Ad hoc reports to Board.

BETTER
1. Same. 2. Same.
3. Formal report to Board, at least annually.

DESIRABLE
1. Same. 2. Same. 3. Same.
4. Responsible for reports to regulators.
5. Assist senior management and Board in drafting risk report for inclusion in the Bank’s annual report.

BEST PRACTICE
1. Same. 2. Same. 3. Same. 4. Same. 5. Same.
6. Ensures risk reports shared appropriately across the Bank.
7. Positions the Bank as a leader in risk transparency and public disclosure.

VI. Resources

ACCEPTABLE
1. Adequate time (if not such employee’s sole role) to fulfill CRO role.
2. Ensures that risk measurement/management function has adequate expertise and resources to fulfill its responsibilities.
3. Ability to contract appropriate external assistance.
4. Resources adequate to meet regulatory requirements.

BETTER
1. Risk management is such employee’s sole responsibility.
2. Same. 3. Same. 4. Same.
5. Ensures that ongoing training is provided to all relevant staff.

DESIRABLE
1. Same. 2. Same. 3. Same. 4. Same. 5. Same.

BEST PRACTICE
1. Same.
2. Same, and ensures that expertise and function are sufficiently robust to be a competitive advantage compared to other financial institutions.
3. Same. 4. Same. 5. Same.
6. Provides appropriate training broadly throughout the Bank.

VII. Responsibility – Policy [6]

ACCEPTABLE
1. Assists in developing policies and processes for identifying, classifying, assessing, monitoring and managing risks.
2. Specifically, reviews and recommends aggregate loss limit targets for various risk categories (e.g. loan losses, market losses, operational risk), paying special attention to capital adequacy and liquidity requirements.
3. Develops and recommends a comprehensive risk management program.
4. Reviews the Bank’s risk management infrastructure and control systems to ensure adequacy to enforce Bank’s risk policies.

BETTER
1. Same, and specifically assists in creating overall credit and market risk limits, as well as country risk limits for non-domestic exposures, and counterparty risk limits.
2. Same.
3. Same, including exception reporting mechanisms.
4. Same, and business continuity planning.
5. Suggests appropriate levels of delegated authority to commit the Bank’s resources in each area of its business.
6. Specifically addresses non-financial operational risks.

DESIRABLE
1. Same. 2. Same. 3. Same. 4. Same. 5. Same. 6. Same.
7. Specifically addresses non-financial reputational risks.
8. Recommends risk measurements and rating methodologies to be reported to regulators and used by the Board in evaluating corporate performance and risk appetite (e.g. Value at Risk, Economic Capital, internal measures, Risk Adjusted Return on Capital, credit ratings, etc.).

BEST PRACTICE
1. Same. 2. Same. 3. Same. 4. Same. 5. Same. 6. Same. 7. Same. 8. Same.
9. Moves the Bank risk policies towards an “enterprise risk management” approach (as defined by COSO [7] or similar).
10. Specifically addresses strategic risks.
11. Stays abreast of “best practice” risk management practices and suggests modifications to Bank policy based on new developments.
12. Suggests ways to instill risk culture in the Bank, such as training, compensation, etc. Works with Board (the Risk Committee) and CEO to implement.

VIII. Responsibility - Implementation

ACCEPTABLE
1. Implements risk policies and framework established by Board (Risk Committee) to monitor and report risk exposures and assess how the Bank’s changing risk profile affects need for capital.
2. Regularly reviews Bank’s risk exposures and compares to approved limits. Serves as independent and objective check of the risk-taking activities.
3. Reviews Bank’s risk management infrastructure to ensure adequacy, at least annually.
4. Documents risk measurement/management program.
5. Proposes CRO’s annual work plan to the Board (ordinarily the Risk Committee or, if not established, the Audit and Compliance Committee).

BETTER
1. Same. 2. Same. 3. Same. 4. Same. 5. Same.
6. Supervises contingency (business continuity) planning.

DESIRABLE
1. Same. 2. Same. 3. Same. 4. Same. 5. Same. 6. Same.
7. Reviews exposures to major clients, counterparties, countries, and economic sectors.
8. Reviews assumptions used in risk measurement models. Considers whether model risk issues have been properly considered.
9. Conducts stress tests on credit, liquidity, market, and operational risks.
10. Examines and analyzes risks over various time frames.
11. Supervises Bank’s preparations and implementation of Basel II with respect to risk management and measurement issues.
12. Together with , reviews adequacy of Bank’s capital and allocation to business units.
13. Provides technical assistance to business unit managers.
14. Reviews new products to ensure they are consistent with the Bank’s risk policies and risk management systems.

BEST PRACTICE
1. Same. 2. Same. 3. Same. 4. Same. 5. Same. 6. Same. 7. Same. 8. Same. 9. Same. 10. Same. 11. Same. 12. Same. 13. Same. 14. Same.
15. Works with senior management and Board (Risk Committee) to establish an enterprise-wide risk management framework for all business units at all levels.
16. Responsible for instilling a risk culture in the Bank.

[6] This and the following sections attempt to show the fairly typical evolution of risk management from the most basic elements (credit, market, macro-economic) to more advanced (operations, competition, reputation, technology, etc.) to the broadest possible (Enterprise Risk Management).

[7] The Treadway Commission’s Committee of Sponsoring Organizations (COSO) issued a report, “Enterprise Risk Management – Integrated Framework” in August, 2004 which attempted to integrate COSO’s earlier internal controls framework into a broader, risk management approach.

Acceptable Minimum acceptable practices in and risk management. Elementary. Meets the basic and regulatory/legal requirements. Reflexive.

Better Taking further steps to strengthen corporate governance and risk management. More established. Beginning to form a system. Meeting some internal and external regulatory/legal requirements.

Desirable Major contributor to improving corporate governance and risk management nationally. Established. A system is in place. Meets all internal and external requirements. Proactive and forward-looking. Working toward best practices.

Best Practice Conforms with international best practices in the industry. Well-established system. Risk management is integrated with the corporate governance framework. Forward looking and focused on continuous improvement.
