43. As a part of its risk management practices, each bank is responsible for implementing a regular process to identify, measure, report, monitor, and mitigate risks. Such risk management process should be used as direct input into the calibration of capital demand to cover both Pillar 1 and Pillar 2 risks. The framework supporting the estimation of capital consumption for each risk type should approved by Senior Management and the Board.

44. All risks identified as material risks are expected to be addressed in the ICAAP. Risk materiality should depend on each bank’s business model and risk profile. The scope of such risk identification should cover the entire group, including all branches and subsidiaries of the bank. The Central Bank considers credit concentration risk and interest rate risk in the banking book (IRRBB) as defined in this Guidance, as material risks. Given the growing risk universe outside of traditional Pillar 1 risks, each bank must define, update, and review the applicable ICAAP risks on a continuous basis (e.g. quarterly).

45. The identification of risks should distinguish between direct risks and indirect risks. Direct risks are explicit and commonly identifiable risks, such as the credit risk associated with facility underwriting. Indirect risks are arising as second order consequences of direct risks and unforeseen events. For instance, an increase in fraud and cyber-attacks as a consequence of an economic downturn or a pandemic during which employees are forced to work from home. Other examples are the credit risk arising from derivatives during periods of high market volatility or the increase in credit risk resulting from a drop in collateral values following a real estate market crash.

46. The identification of risks should be supported by a regular and structured process. An inventory of risks should be recorded for each business activity and each portfolio on a regular basis. In addition to the regular updates (i.e. at least quarterly), it is expected to adjust the inventory whenever it no longer reflects the risks that are material, e.g. because a new product has been introduced or certain business activities have been expanded. This should support the production of ICAAP from one year to the next.

47. The measurement of risk should be transparent, documented, and supported by subject-matter experts throughout the bank. Each expert function should contribute to its area of expertise, in such way that the ICAAP is a reflection of a collective work substantiated by thorough analysis. Each dedicated risk team should provide a comprehensive assessment of the risk drivers and materiality of the risk they manage.

48. The estimation of the capital consumption associated with each risk should be based upon clear methodologies designed appropriately for each risk type. Each bank should identify the owner of such methodology either within the team responsible to manage risks or with a centralised team responsible for aggregating risk information and to construct the ICAAP. Ultimately, the process to identify, measure risks, and estimate the associated capital consumption should be approved by Senior Management and the Board.

49. In the case of vendor models, this includes the expectation that such models are not expected to be imported mechanistically, but rather they are expected to be fully understood by the bank and well suited for, and tailored to, its business and its risk profile.

50. The identification of risks should result in distinct types:

51. Each bank should not develop separate methodologies for risk measurement, if those are not employed for risk management. The Use Test assumes that the method and conclusion of the ICAAP should be coherent with the bank’s internal practices.

52. To ensure an adequate assessment of high quality, each bank should establish, and implement an effective data quality framework, to deploy adequate processes, and control mechanisms to ensure the quality of data. The data quality framework should ensure reliable risk information that supports sound decision-making, covers all relevant risk data, and data quality dimensions.

53. The next sections contain explanations and expectations on certain risk types (e.g. Business Model Analysis (BMA) and strategic risk, Interest Rate Risk in the Banking Book, and Credit concentration risk).