  • IV. Four Key Principles of Supervisory Review

    11. The Central Bank has followed the international standards[23] set out by the BCBS and identified four key principles of supervisory review.

    Principle 1: Banks must have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

    12. Banks must be able to demonstrate that the decided minimum capital levels are well founded and that these levels are consistent with their overall risk profile and current operating environment. In assessing capital adequacy, bank management needs to be mindful of the particular stage of the business cycle in which the bank is operating. Rigorous forward-looking stress testing that identifies possible events or changes in market conditions that could adversely affect the bank must be performed. Bank management clearly bears the responsibility for ensuring that the bank has adequate capital to support its risks.

    13. The seven main features of a rigorous process are as follows:

    i. Active board and senior management oversight;
    ii. Appropriate policies, methodologies for assessment of capital needs, procedures and limits;
    iii. Sound capital assessment;
    iv. Comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks;
    v. Appropriate management information systems (MIS) at the business and firm-wide level;
    vi. Comprehensive internal controls;
    vii. For the completion of the ICAAP, regulatory requirements (Pillar I) are required as the first step of computation.

    It should also be noted that under no circumstances could Pillar I and Pillar II be netted against each other. They are both separate requirements.


    [23] BCBS128 and BCBS157

    • A. Board and Senior Management Oversight

      14. It is the responsibility of the Board of Directors and senior management to define the bank’s risk appetite and to ensure that the bank’s risk management framework includes detailed policies and methodologies that set specific firm-wide prudential limits on the bank’s activities, which are consistent with its risk taking appetite and capacity. In order to determine the overall risk appetite, the board and senior management must first have an understanding of risk exposures on a firm-wide basis. To achieve this understanding, senior management must bring together the perspectives of the key business and control functions. In order to develop an integrated firm-wide perspective on risk, senior management must overcome organisational silos between business lines and share information on market developments, risks and risk mitigation techniques. Senior management must establish a risk management process that is not limited to credit, market, liquidity and operational risks, but incorporates all material risks. This includes reputational, legal, anti-money laundering, conduct risk and strategic risks, as well as risks that do not appear to be significant in isolation, but when combined with other risks could lead to material losses. The analysis of a bank’s current and future capital requirements in relation to its strategic objectives is a vital element of the strategic planning process. The strategic plan must clearly outline the bank’s capital needs, anticipated capital depletion expenditures, minimum internally assessed required capital level, and external capital sources. Senior management and the board must view capital planning as a crucial element in being able to achieve its desired strategic objectives.

      15. The board of directors and senior management must possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls and risk monitoring systems are effective. They must have the necessary expertise to understand the capital markets activities in which the bank is involved – such as securitisation and off-balance sheet activities – and the associated risks. The board and senior management must remain informed on an on-going basis about these risks as financial markets, risk management practices and the bank’s activities evolve. In addition, the board and senior management must ensure that accountability and lines of authority are clearly defined.

      16. With respect to new or complex products and activities, senior management must understand the underlying assumptions regarding business models, valuation and risk management practices. In addition, senior management must evaluate the potential risk exposure if those assumptions fail.

      17. Before embarking on new activities or introducing products new to the bank, the board and senior management must identify and review the changes in firm-wide risks arising from these potential new products or activities and ensure that the infrastructure and internal controls necessary to manage the related risks are in place. In this review, a bank must also consider and address the possible difficulty in valuing the new products and how they might perform in a stressed economic environment. It is also the responsibility of the banks to assess prudential and market conduct risks when reviewing new products or activities.

      18. A bank’s risk function and its Chief Risk Officer (CRO) or equivalent position must be independent of the individual business lines and report directly to the bank’s Board of Directors. In addition, the risk function must highlight to senior management and the board risk management concerns, such as risk concentrations, violations of risk appetite limits as well as violations of minimum internally set capital requirements.

    • B. Appropriate Policies, Procedures and Limits

      19. Firm-wide risk management programmes must include detailed policies that set specific firm-wide prudential limits on the principal risks relevant to a bank’s activities. Additionally, a bank must have a clearly defined risk appetite for market conduct risk (non-prudential risks). A bank’s policies and procedures must provide specific guidance for the implementation of broad business strategies and must establish, where appropriate, internal limits for the various types of risk to which the bank may be exposed. These limits must consider the bank’s role in the financial system and be defined in relation to the bank’s capital, total assets, and earnings or, where adequate measures exist, its overall risk level.

      20. A bank’s policies, procedures and limits must:

      i. Provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks (prudential and market conduct risks) posed by its lending, investing, trading, securitisation, off-balance sheet, fiduciary and other significant activities at the business line and firm-wide levels;
      ii. Ensure that the economic substance of a bank’s risk exposures, including reputational risk and valuation uncertainty, is fully recognised and incorporated into the bank’s risk management processes;
      iii. Be consistent with the bank’s stated requirements and objectives, as well as its overall financial strength;
      iv. Clearly define accountability and lines of authority across the bank’s various business activities, and ensure there is a clear separation between business lines and the risk management function;
      v. Escalate and address breaches of internal position limits;
      vi. Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the bank is able to manage and control the activity prior to it being initiated; and
      vii. Include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate.
    • C. Sound Capital Assessment

      21. Fundamental elements of sound capital assessment include:

      i. Policies, procedures and methodologies designed to ensure that the bank identifies, measures, and reports all material risks;
      ii. A process that relates capital to the level of risk;
      iii. A process that states capital adequacy requirements (i.e. minimum thresholds for CAR ratio) with respect to risk, taking account of the bank’s strategic focus and business plan; and
      iv. A process of internal controls, reviews and audits to ensure the integrity of the overall management process.
    • D. Comprehensive Assessment of Risks

      22. All material risks faced by the bank must be addressed in the capital assessment process. While the Central Bank recognises that not all risks can be measured precisely, a process must be developed to estimate risks. Therefore, the following risk exposures, which by no means constitute a comprehensive list of all risks, must be considered:

      23. Credit risk: Banks must have methodologies that enable them to assess the credit risk involved in exposures to individual borrowers or counterparties as well as at the portfolio level. For banks, the credit review assessment of capital adequacy, at a minimum, must cover four areas: risk rating systems, portfolio analysis/aggregation, securitisation/complex credit derivatives, and large exposures and risk concentrations.

      24. Internal risk ratings are an important tool in monitoring credit risk. Internal risk ratings must be adequate to support the identification and measurement of risk from all credit exposures, and must be integrated into a bank’s overall analysis of credit risk and capital adequacy. The ratings system must provide detailed ratings for all assets, not only for watch list or for problem assets. Appropriateness of loan loss reserves must be included in the credit risk assessment for capital adequacy.

      25. The analysis of credit risk must adequately identify any weaknesses at the portfolio level, including any concentrations of risk. It must also adequately take into consideration the risks involved in managing credit concentrations and other portfolio issues through such mechanisms as securitisation programmes and complex credit derivatives.

      26. Operational risk: The failure to properly manage operational risk can result in a misstatement of a bank’s risk/return profile and expose the bank to significant losses.

      27. A bank must develop a framework for managing operational risk (including cyber risk) and evaluate the adequacy of capital given this framework. The framework must cover the bank’s appetite and tolerance for operational risk, as specified through the policies for managing this risk, including the extent and manner in which operational risk is transferred outside the bank. It must also include policies outlining the bank’s approach to identifying, assessing, monitoring and controlling/mitigating the risk.

      28. Market risk: Banks must have methodologies that enable them to assess and actively manage all market risks, wherever they arise, at position, desk, business line and firm-wide level. For banks, their assessment of internal capital adequacy for market risk, at a minimum, must be based on stress testing, including an assessment of concentration risk and the assessment of illiquidity under stressful market scenarios, although all firms’ assessments must include stress testing appropriate to their trading activity.

      29. A bank must demonstrate that it has enough capital to not only meet the minimum capital requirements but also to withstand a range of severe but plausible market shocks. In particular, it must factor in, where appropriate:

      i. Illiquidity of prices;
      ii. Concentrated positions (in relation to market turnover);
      iii. One-way markets;
      iv. Non-linear products/deep out-of-the-money positions;
      v. Events and jumps-to-defaults;
      vi. Significant shifts in correlations.

      30. The stress tests applied by a bank for market risk and, in particular, the calibration of those tests (e.g. the parameters of the shocks or types of events considered) must be reconciled back to a clear statement setting out the premise upon which the bank’s internal capital assessment is based (e.g. ensuring there is adequate capital to manage the traded portfolios within stated limits through what may be a prolonged period of market stress and illiquidity, or that there is adequate capital to ensure that, over a given time horizon to a specified confidence level, all positions can be liquidated or the risk hedged in an orderly fashion). The market shocks applied in the tests must reflect the nature of portfolios and the time it could take to hedge out or manage risks under severe market conditions.

      31. Concentration risk must be pro-actively managed and assessed by firms and concentrated positions must be routinely reported to senior management.

      32. Banks must demonstrate how they combine their risk measurement approaches to arrive at the overall internal capital for market risk.

      33. Interest rate risk in the banking book: The measurement process must include all material interest rate positions of the bank and consider all relevant repricing and maturity data, including modelling maturity assumptions. Such information will generally include current balance and contractual rate of interest associated with the instruments and portfolios, principal payments, interest reset dates, maturities, the rate index used for repricing, and contractual interest rate ceilings or floors for adjustable-rate items. The system must also have well-documented assumptions and techniques.

      34. Regardless of the type and level of complexity of the measurement system used, bank management must ensure the adequacy and completeness of the system. Because the quality and reliability of the measurement system is largely dependent on the various assumptions used in the model which will be checked by the Central Bank for reasonability, management must give particular attention to these items.

      35. Liquidity risk: Liquidity is crucial to the ongoing viability of any banking organisation. Banks’ capital positions can have an effect on their ability to obtain liquidity, especially in a crisis. Each bank must have adequate systems for measuring, monitoring and controlling liquidity risk. Banks must evaluate the adequacy of capital given their own liquidity profile and the liquidity of the markets in which they operate. Please refer to the Regulation regarding Liquidity Risk Circular No: 33/2015.

      36. Other risks: Although the Central Bank recognises that ‘other’ risks, such as reputational, strategic and anti-money laundering, are not easily measurable, it expects banks to further develop techniques for managing all aspects of these risks.

      • E. Monitoring and Reporting

        37. The bank must establish an adequate system for monitoring and reporting risk exposures and assessing how the bank’s changing risk profile affects the need for capital. The bank’s senior management or board of directors must, on a regular basis, receive reports on the bank’s risk profile and capital needs. These reports must allow senior management to:

        i. Evaluate the level and trend of material risks and their effect on capital levels;
        ii. Evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system;
        iii. Determine whether the bank holds sufficient capital against the various risks and is in compliance with established internal capital adequacy requirements; and
        iv. Assess its future capital requirements based on the bank’s reported risk profile (3 to 5 years) and make necessary adjustments to the bank’s strategic plan accordingly as well as the effect of any anticipated changes to regulatory requirements.

        38. A bank’s MIS must provide the board and senior management, in a clear and concise manner, with timely and relevant information concerning the bank’s risk profile. This information must include all risk exposures, including those that are off-balance sheet. Management must understand the assumptions behind and limitations inherent in specific risk measures.

        39. The key elements necessary for the aggregation of risks are an appropriate infrastructure and MIS that (i) allow for the aggregation of exposures and risk measures across business lines and (ii) support customised identification of concentrations and emerging risks. MIS developed to achieve this objective must support the ability to evaluate the impact of various types of economic and financial shocks that affect the whole bank. Further, a bank’s systems must be flexible enough to incorporate hedging and other risk mitigation actions to be carried out on a firm-wide basis while taking into account the various related basis risks.

        40. To enable proactive management of risk, the board and senior management need to ensure that MIS is capable of providing regular, accurate and timely information on the bank’s aggregate risk profile, as well as the main assumptions used for risk aggregation. MIS must be adaptable and responsive to changes in the bank’s underlying risk assumptions and must incorporate multiple perspectives of risk exposure to account for uncertainties in risk measurement. In addition, it must be sufficiently flexible so that the bank can generate forward-looking bank-wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions. Third-party inputs or other tools used within MIS (e.g. credit ratings, risk measures, models) must be subject to initial and ongoing validation.

        41. Banks’ MIS must be capable of capturing limit breaches, and there must be procedures in place to promptly report such breaches to senior management, as well as to ensure that appropriate follow-up actions are taken. For instance, similar exposures must be aggregated across business platforms (including the banking and trading books) to determine whether there is a concentration or a breach of an internal position limit.

      • F. Internal Control Review

        42. The bank’s internal control structure is essential to the capital assessment process. Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal and external audit. The bank’s board of directors has a responsibility to ensure that management establishes a system for assessing the various risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies. The board must regularly verify whether its system of internal controls is adequate to ensure well-ordered and prudent conduct of business.

        43. Risk management processes must be frequently monitored and tested by independent control areas and internal, as well as external, auditors. The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception-based reporting, is undertaken effectively. The risk management function of banks must be independent of the business lines in order to ensure an adequate separation of duties and to avoid conflicts of interest.

        44. The purpose of periodic reviews of the risk management process is to ensure its integrity, accuracy, and reasonableness. Areas that the Central Bank will review include:

        i. Appropriateness of the bank’s capital assessment process given the nature, scope and complexity of its activities;
        ii. Identification of large exposures and risk concentrations;
        iii. Accuracy and completeness of data inputs into the bank’s assessment process;
        iv. Reasonableness and validity of scenarios used in the assessment process (scenarios and modelling assumptions behind banks’ response to those scenarios);
        v. Stress testing and analysis of assumptions and inputs together with the resultant outputs; and
        vi. Validation of the output (not only of the process) with proper benchmarking to peers and best practice.

        Principle 2: The Central Bank will review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. The Central Bank will take appropriate supervisory action if it is not satisfied with the result of this process.

        45. The Central Bank will regularly review the process by which a bank assesses its capital adequacy, risk position, resulting minimum required capital levels, and quality of capital held. The Central Bank will also evaluate the degree to which a bank has in place a sound internal process to assess capital adequacy. The emphasis of the review must be on the quality of the bank’s risk management and controls with the Central Bank setting the minimum required capital. The periodic review can involve some combination of:

        i. On-site examinations or inspections;
        ii. Off-site review;
        iii. Discussions with bank management;
        iv. Review of work done by internal auditors and where appropriate external auditors;
        v. Periodic reporting; and

        46. The substantial impact that errors in the methodology or assumptions of formal analyses can have on resulting capital requirements requires a detailed review by the Central Bank of each bank’s internal analysis. The Central Bank will have its own methodologies to benchmark the outcomes of the ICAAP and, if necessary, impose additional capital requirements.

      • Supervisory Review Process

        • A. Review of Adequacy of Risk Assessment

          47. The Central Bank will assess the degree to which internal requirements and processes incorporate the full range of material risks faced by the bank. The Central Bank will also review the adequacy of risk measures used in assessing internal capital adequacy and the extent to which these risk measures are also used operationally in setting limits, evaluating business line performance, and evaluating and controlling risks more generally. In addition, the Central Bank will review the results of stress tests (including sensitivity analyses and scenario analyses) conducted by the banks and how these results relate to capital plans.

        • B. Assessment of Capital Adequacy

          48. The Central Bank will review the bank’s processes to determine that:

          i. Minimum capital requirements chosen are comprehensive and relevant to the current operating environment and the risk profile of the bank;
          ii. Minimum capital requirements are properly monitored and reviewed by senior management; and
          iii. The composition of capital is appropriate for the nature and scale of the bank’s business.

          49. The Central Bank will also consider the extent to which the bank has provided for unexpected events in setting its minimum capital requirements. This analysis must cover a wide range of external conditions and scenarios, and the sophistication of techniques and stress tests used must be commensurate with the bank’s activities.

        • C. Assessment of the Control Environment

          50. The Central Bank will consider the quality of the bank’s management information reporting and systems, the manner in which business risks and activities are aggregated, and management’s record in responding to emerging or changing risks.

          51. In all instances, the capital requirement at an individual bank must be determined according to the bank’s risk profile and adequacy of its risk management process and internal controls. External factors such as business cycle effects and the macroeconomic environment must also be considered. Another consideration is the variability in a bank’s profitability in normal circumstances.

        • D. The Central Bank’s Review of the Regulatory Framework

          52. In order for certain internal methodologies (e.g. VaR), credit risk mitigation techniques and asset securitisations to be recognised for regulatory capital purposes, banks will need to meet a number of requirements, including risk management standards and disclosures. In particular, banks will be required to disclose features of their internal methodologies used in calculating minimum capital requirements. As part of the supervisory review process, the Central Bank will ensure that these conditions are met on an ongoing basis.

          53. The Central Bank regards this review as an integral part of the supervisory review process under Principle 2.

          54. The Central Bank will also perform a review of compliance with certain conditions and requirements set for standardised approaches.

          Principle 3: The Central Bank expects banks to operate above the minimum regulatory capital ratios and may require banks to hold capital in excess of the minimum.

          55. The Central Bank will take appropriate action if it is not satisfied with the results of the bank’s own risk assessment and capital allocation or with the minimum capital levels as determined by the bank. The Central Bank will add additional capital requirements where the Central Bank is not satisfied that all risks have been identified. It is important to note that banks shall not disclose this publicly.

          56. Pillar 1 capital requirements shall include a buffer for uncertainties surrounding the Pillar 1 regime that affect the banking population as a whole. Bank-specific uncertainties will be treated under Pillar 2. The Central Bank requires banks to operate with a buffer, over and above the Pillar 1 standards. Banks must maintain this buffer, for example:

          i. Pillar 1 minimums are anticipated to be set to achieve a level of bank creditworthiness in markets that is below the level of creditworthiness sought by many banks for their own reasons. For example, most international banks appear to prefer to have a low risk profile and thus be highly rated by internationally recognised rating agencies. This is currently the case in the UAE. Thus, banks are likely to choose to operate above Pillar 1 minimums for competitive reasons.
          ii. In the normal course of business, the type and volume of activities will change, as will the different risk exposures, causing fluctuations in the overall capital ratio.
          iii. It may be costly for banks to raise additional capital, especially if this needs to be done quickly or at a time when market conditions are unfavourable.
          iv. For banks to fall below minimum regulatory capital requirements is a serious matter. It will place banks in breach of the relevant law and/or prompt nondiscretionary corrective action on the part of supervisors such as withdrawal of license.
          v. There may be risks, either specific to individual banks, or more generally to an economy at large, that are not taken into account in Pillar 1. The Central Bank uses its own internal benchmarks and may request banks at any time for additional data to calculate an add-on.

          57. There are several means available to the Central Bank for ensuring that individual banks are operating with adequate levels of capital. Among other methods, the Central Bank may set higher minimum capital requirements or define categories above minimum ratios (e.g. well capitalised and adequately capitalised) for identifying the capitalisation level of the bank.

          Principle 4: The Central Bank will intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and will require rapid remedial action if capital is not maintained or restored.

          58. The Central Bank will consider a range of options if it becomes concerned that a bank is not meeting the requirements embodied in the supervisory principles outlined above. These actions may trigger the recovery plan that includes, but is not limited to, intensifying the monitoring of the bank, restricting the payment of dividends, requiring the bank to prepare and implement a satisfactory capital adequacy restoration plan, and requiring the bank to raise additional capital immediately. The Central Bank has the discretion to use the tools best suited to the circumstances of the bank and its operating environment.

          59. The permanent solution to banks’ difficulties is not exclusively increased capital. However, some of the required measures (such as improving systems and controls) may take some time to implement. Therefore, increased capital requirements might be used as an interim measure while permanent measures to improve the bank’s position are being put in place. Once these permanent measures have been put in place and have been seen by the Central Bank to be effective, the interim increase in capital requirements may be removed.