54. Business model analysis embodies the risk that the bank has failed to structure its organisation and operations (expertise, systems, and processes) in a way that leads to achieving its primary business and strategic objectives.

55. Strategic risks arise when the bank’s business model, organisation structure, operations, and/or strategy are no longer adequate to deliver the objective of the bank as specified by the Board.

56. The bank should conduct regular business model analysis (BMA) to assess its business and strategic risks to determine:

57. An effective BMA contains a through-the-cycle view of the sustainability of the business model in its current state and against a projected view of the bank’s funding structure, return on equity (ROE), capital supply, and capital demand, the effect this has on the product, service pricing, and resource requirements. The business planning should be clear, aligned, and integrated with the bank’s strategy, governance, risk-appetite statement, recovery plans, internal controls, stress tests, and internal reporting (MIS).

58. Each bank should elaborate on the linkage and consistency between their strategic decisions, risk appetite, and the resources allocated for achieving those strategies. The bank should articulate the frequency of monitoring and quantifying changes in its financial projections (e.g. balance sheet, profit and loss, and concentrations) regularly to verify that they are consistent with the business model, risk appetite, and the achievement of the bank’s strategic goals.

59. An effective BMA enables banks to identify vulnerabilities at an early stage and assess their ability to adapt to changes in their specific operating environment therefore helps to promote the safety and soundness of banks. A well-designed and comprehensive BMA approach provides banks with the basis to understand, analyse, assess the sustainability of their business models, enhance proactive, forward-looking operations, and strategy evaluation.

60. Each bank’s business model should be based on analyses and realistic assumptions (stress tests, scenario analyses, and driver analyses, etc.) about the effect of strategic choices on financial and economic outcomes of operations performed. This will enable the bank and the Central Bank to understand the nature of the business model and the inherent risks. Each bank should perform an analysis that involves identifying, challenging the dependency of strategies on uncontrollable external factors, and assumptions (e.g. market interest rates, demand growth in the target customer markets, degree of competition in the markets, cost of entry, and compliance costs).

61. An effective BMA addresses the banks’ ability to produce aggregate financial data across the banking group as a whole, and the bank solo level, for each of its main business units and business lines. Moreover, to make the best use of this data and transform it into relevant inputs, banks need to develop and use analytical tools including stress tests, peer group assessments, profitability forecasts and analysis, and scenario analyses.

62. The documentation provided in support of the business model should contain an overview of the business activities of the bank and an overview of the structure/organisational details of the bank. For example a brief description of the business model, present financial condition, any expected changes in the present business model, the expected future business environment, business plans, and the projected financial condition for the following year.

63. The following additional information and documentation should be referenced (if not part of) the ICAAP report:

64. Business model analysis may act as a base for the development of Reverse Stress Test scenarios.

65. Credit risk is the risk of losses arising from a borrower or counterparty failing to meet its obligations as they fall due. Each bank should assess all its credit exposures and determine whether the risk weights applied to such exposures under the regulatory standardised approach for credit risk (Standardised Approach) are appropriate for the inherent risk of the exposures. Each bank should have the ability to assess credit risk at the portfolio level as well as at the exposure or counterparty level.

66. To ensure that each bank has sufficient capital allocated for credit risk, each bank should compare their capital consumption under two methods for all credit exposures across all asset classes: (i) the Standardised Approach and (ii) an estimation under the foundation internal-rating based approach (F-IRB) in the Basel Framework (“IRB approach: risk weight functions”, CRE31).

67. The Central Bank recognises that some banks may not have appropriately calibrated probability of defaults (PDs) for the calculation of the F-IRB approach. In the absence of such calibration, banks should rely on their 1-year PD used for IFRS provisioning purposes. Each bank should undertake this comparison at asset class level, where higher F-IRB numbers indicate additional required capital. Drivers of material differences between the two approaches should be explained.

68. If a bank uses credit risk mitigation techniques (CRMT), it should analyse and evaluate the risks associated to such mitigation under Pillar 2 risks measurement. The bank should analyse potential effects, the enforceability and the effectiveness of such CRMT, in particular in the case of real estate collaterals in order to estimate residual credit risk with prudence.

69. Market risk is the risk of losses in on- and off-balance sheet positions arising from movements in market factors such as interest rates, foreign exchange rates, equity prices, commodities prices, credit spreads, and options volatilities. Each bank should have methodologies and limits that enable it to assess and actively manage all material market risks, at several levels of granularity including position, desk, business line, or firm-wide level.

70. Under its ICAAP, each bank should assess its capital adequacy for market risk by considering methods other than the regulatory standardised approach for market risk. Each bank should start this assessment with the metrics already employed to measure market risk as part of regular risk management, including net open positions (NOP), value-at-risk (VaR), stressed VaR, and economic stress tests. The calibration of capital associated to Pillar 2 risks should be undertaken with prudence and should include risks such as concentration risk, market illiquidity, basis risk, and jump-to-default risk.

71. Ultimately, market risk capital should be designed to protect the bank against market risk volatility over the long term, including periods of stress and high volatility. Therefore, each bank should ensure that such calibration include appropriate stressed periods. The analysis should be structured based on the bank’s key drivers of market risk, including portfolios, asset classes, market risk factors, geographies, product types and tenors.

72. Each bank should analyse its amortised cost portfolio under Pillar 2, considering the difference between the market value against the book value.

73. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, or systems, or external events. This definition includes legal risk and compliance risk but excludes strategic and reputational risk. The framework for operational risk management should cover the bank’s appetite and tolerance for operational risks, and the manner and extent to which operational risk is transferred outside the bank.

74. Operational risk is a recurrent and a material source of losses for many banks but the existing approaches (the Basic Indicator Approach (BIA), the Standardised Approach (SA), and the Alternative Standardised Approach (ASA)) for calculating Pillar 1 operational risk capital may not reliably reflect the nature and scale of potential operational risk losses. The Pillar 1 Standardised Approach for operational risk uses gross income as a measure of capital. Gross income is a risk-insensitive proxy for operational risk capital, which may lead banks to underestimate the risk. This was evident during the economic downturn in 2009, when banks’ income dropped, lowering their regulatory operational risk capital requirement, yet operational risks were either constant or even elevated in some cases. Therefore, banks should ensure that their Pillar 2 capital charge covers operational risks that are not captured by regulatory capital methodologies. The analysis should include a robust and conservative forecast of operational risk losses and respective capital requirements (at least split into conduct and non-conduct risks).

75. Legal risk is considered an operational risk. Each bank is required to analyse, assess, and quantify the impact of legal risk failures on its capital structure. Examples of legal risk include inadequate documentation, legal, regulatory incapacity, the insufficient authority of a counterparty, and contract invalidity/ unenforceability. The Legal department of each bank bear responsibility for the identification and management of this risk. They must consult with internal and external legal counsel. Subsidiaries and branches of major international banking groups typically have in-house legal departments, acting under the guidance of the group, which aims to facilitate the business of the group, by providing proactive, business-oriented advice. The outcome of legal and/or regulatory issues to which the bank is currently exposed, and others, which may arise in the future, is difficult to predict and, consequently, there can be no assurance that the outcome of a legal matters will not be material to the financial condition of the bank.

76. Given the potential impact from operational risk, each bank should evaluate under Pillar 2 risks arising from business conduct risks and money laundering / financing of terrorism. In addition, each bank should consider internal and external operational risks faced by it, including but not limited to operational cyber risk, IT risks, and outsourcing, and each bank is expected to consider ways in which it can improve its operational resilience. Each bank should provide details in the ICAAP report on the outcome of its Risk Control Self-Assessment (RCSA) process to collate bottom-up operational risk drivers across businesses.

77. Each bank should undertake quantitative stress testing based on its historical loss data and operational risk profile.

78. Section V.D of the ICAAP Standard requires banks to address weaknesses at the portfolio level including credit concentrations risk. Credit concentration risk is the incremental credit loss in a portfolio of credit exposures, caused by high correlation between the credit risk drivers of those exposures. Such concentration risk arises mostly due to high correlations and dependencies between individual obligors (name concentration) or between economic sectors (sectoral concentration). Credit concentration risk can affect a bank’s health or core operations, liquidity, earnings and capital ratios. The Central Bank considers concentration risk as a key material Pillar 2 risk for all UAE banks.

79. Consequently, credit concentration arises when large exposures are associated with a small number of obligors or a small number of sectors, but not only. Credit concentration risk can arise from a seemingly granular portfolio but with high correlation between the obligors’ risk drivers.

80. In accordance with the Central Bank re Large Exposures - Credit Concentrations Limits (Notice No.226/2018), an exposure is deemed large if it accounts for more than 10% of a bank’s capital. Such threshold has been implemented for regulatory purposes. The measurement of concentration risk for risk management purposes and for determining Pillar 2 risk capital requirements should refer to the wider definition of concentration risk. Each bank is exposed to a degree of concentration risk, even when complying with the Large Exposure Regulation.

81. Each bank should perform a detailed risk analysis specific to the Real Estate exposures (RE) of the bank and the Central Bank re Standards for Real Estate Exposures (Notice No. 5733/2021).

82. Credit concentration risk is a common feature of UAE banks, but currently the Central Bank regulations for banks do not include an explicit Pillar 1 capital requirement for name and sector concentration risk. Credit concentration risk is a key prudential risk for which the capital requirement is at the discretion of banks, and it should be held under Pillar 2. This risk should warrant particular attention from each bank. In particular:

83. IRRBB is the risk of loss in the banking book caused by changes in interest rates. Interest rate risk can arise both in the banking book and/or the trading book. While interest rate risk in the trading book is addressed under the Pillar 1 market risk framework, the interest rate risk in the banking book should be addressed under Pillar 2. Conventional banks refer to this risk as IRRBB while Islamic banks are exposed to the analogous risk called profit rate risk in the banking book (PRRBB).

84. Each bank should define a risk appetite pertaining to IRRRB that should be approved by the Board and implemented through a comprehensive risk appetite framework, i.e. policies and procedures for limiting and controlling IRRBB. Each bank should have a process supported by adequate policies to manage IRRBB appropriately. This involves, as for any other risk, comprehensive identification, measurement, reporting, monitoring, and mitigation.

85. The measurement process should be based upon several existing Standards and Guidance:

Measurement

86. The assessment should include all positions of each bank’s potential basis risk, re-pricing gaps, commercial margins, gaps for material currencies optionality, and non-maturing deposits. The quantitative impact analysis should be supported by description and analysis of the key assumptions made by the bank, in particular, assumptions regarding loan prepayments, the behaviour of non-maturity deposits (CASA), non-rated sensitive assets, contractual interest rate ceilings or floors for adjustable-rate items, and measuring the frequency of the interest rate risk in the banking book.

87. DSIBs and other banks with significant interest rate risk (IRR) exposure should compute the economic value of equity (EVE) at a granular facility level, while non-DSIBs may compute EVE at exposure level, which is based upon the summation of discounted gap risk across time buckets, rather than a granular net present value (NPV) estimation at exposure level.

Scenarios

88. For the purpose of capital calibration, each bank should employ the interest rate shock scenarios corresponding to Table 12 of Central Bank Model Management Guidance and table 2 of the SRP 31 for their AED and non-AED positions respectively.

89. In addition to the standard shocks prescribed above, DSIBs and other banks with significant exposure to interest rate risk are expected to apply further shocks/ idiosyncratic scenarios, which will take into account:

Capital Calculation

90. The capital requirement should be aggregated across all currencies and scenarios conservatively.

91. The estimation of the Pillar 2 capital corresponding to IRRBB should be based on the most conservative loss arising from (i) the change in the economic value of equity (ΔEVE), and (ii) the change in net interest income (ΔNII). The most conservative result should be considered across all the scenarios calibrated by the bank. (In avoidance of doubt, the allocated capital for IRRBB should not be lower than the maximum of the absolute EVE impact and the absolute NII impact: Max(abs(EVE impact), abs(NII impact).

92. The Central Bank considers a bank as an outlier when the IRRBB EVE impact based on the standard parallel shock leads to an economic value decline of more than 15% of its Tier 1 capital. The Central Bank may request an outlier bank to:

93. Irrespective of the approach or model chosen by the bank, at a minimum each bank should calculate and report IRRBB using the methodology described by the Central Bank Model Management Standards and Guidance.

94. Models have become an integral part of decision-making in the banking sector for risk management, business decisions, and accounting. Inaccurate model results, e.g. based on wrong assumptions or valuations, may lead to actual or potential financial losses or an underestimation of risks. Therefore, the Central Bank considers model risk a significant risk type.

95. Simple models should not be confused with poorly designed models. Poorly designed models can be misleading and interfere with sound decision-making. Small and/or unsophisticated banks can employ simple models. However, they cannot employ poorly designed models. Each bank should manage model risk in accordance to the Central Bank Model Management Standards and Guidance.

96. Model risk should be incorporated in each banks’ risk framework alongside other key risks, as inherent consequences of conducting their activities (refer to Appendix 3.2). Consequently, model risk should be managed through a formal process incorporating the bank’s appetite for model uncertainty. The framework should be designed to identify, measure, monitor, and mitigate this risk. A bank should mitigate a large appetite for model risk by counter-measures such as conservative buffers on model results and/ or additional allocated Pillar 2 capital.

97. The Central Bank recognises that the estimation of model risk is challenging. However, each bank should demonstrate that they have implemented steps to measure the potential losses arising from model risk. At minimum, each bank should implement a grouping approach to categorise models according to their associated model risk. The uncertainty and losses arising from models should be estimated by using a range of different techniques, including:

98. Each bank should also consider the quality of its model risk management in the model risk analysis, including but not limited to the quality of model documentation, data, assumptions, validation, staff, implementation, and usage.

Risk Diversification Effects

99. Each bank is expected to take a prudent approach whenever assuming risk diversification effects. Furthermore, each bank should be aware that the Central Bank as a matter of principle will not take into account inter-risk diversification in the SREP. Banks should be cognisant of this when applying inter-risk diversification in its ICAAP.

100. Banks are expected to build up Board awareness and understanding of the financial risks arising from climate change and how they will affect their business models. Each bank should use scenario analysis and stress tests to improve the risk identification process, to understand the short- and long-term financial risks to their business model from climate change, and to develop appropriate strategies accordingly.

101. Though capital is not a direct mitigation for liquidity risk and liquidity is not a mitigation for capital risk, both risk types are interlinked. The Internal Capital Adequacy Assessment Process (ICAAP) and the Internal Liquidity Adequacy Assessment Process (ILAAP) are expected to inform each other; with respect to the underlying assumptions, stress test results, and forecasted management actions. Each bank is expected to assess the potential impact of scenarios, integrating capital and liquidity impacts, and potential feedback processes, taking into account, in particular, losses arising from the liquidation of assets, increased funding costs or availability of funding during periods of stress.

102. For example, each bank is expected to assess the impact of deteriorating capital levels, as projected in the ICAAP, on their liquidity. A downgrade by an external rating agency could, for example, have direct implications for the refinancing ability of the bank. Vice versa, changes in funding cost could impact capital adequacy.