42.The bank’s internal control structure is essential to the capital assessment process. Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal and external audit. The bank’s board of directors has a responsibility to ensure that management establishes a system for assessing the various risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies. The board must regularly verify whether its system of internal controls is adequate to ensure well-ordered and prudent conduct of business.

43.Risk management processes must be frequently monitored and tested by independent control areas and internal, as well as external, auditors. The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception-based reporting, is undertaken effectively. The risk management function of banks must be independent of the business lines in order to ensure an adequate separation of duties and to avoid conflicts of interest.

44.The purpose of periodic reviews of the risk management process is to ensure its integrity, accuracy, and reasonableness. Areas that the Central Bank will review include:

1. i.Appropriateness of the bank’s capital assessment process given the nature, scope and complexity of its activities;
2. ii.Identification of large exposures and risk concentrations;
3. iii.Accuracy and completeness of data inputs into the bank’s assessment process;
4. iv.Reasonableness and validity of scenarios used in the assessment process (scenarios and modelling assumptions behind banks’ response to those scenarios); and
5. v.Stress testing and analysis of assumptions and inputs together with the resultant outputs.
6. vi.Validation of the output (not only of the process) with proper benchmarking to peers and best practice.

Principle 2: The Central Bank will review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital Ratios. The Central Bank will take appropriate supervisory action if it is not satisfied with the result of this process.

45.The Central Bank will regularly review the process by which a bank assesses its capital adequacy, risk position, resulting minimum required capital levels, and quality of capital held. The Central Bank will also evaluate the degree to which a bank has in place a sound internal process to assess capital adequacy. The emphasis of the review must be on the quality of the bank’s risk management and controls with the Central Bank setting the minimum required capital. The periodic review can involve some combination of:

1. i.On-site examinations or inspections;
2. ii.Off-site review;
3. iii.Discussions with bank management;
4. iv.Review of work done by internal auditors and where appropriate external auditors;
5. v.Periodic reporting; and

46.The substantial impact that errors in the methodology or assumptions of formal analyses can have on resulting capital requirements requires a detailed review by the Central Bank of each bank’s internal analysis. The Central Bank will have its own methodologies to benchmark the outcomes of the ICAAP and, if necessary, impose additional capital requirements.