Risk Officer
risk management certificate

Risk officers are important for a sound risk management system, that should have the following key features:

1. Active board and senior management oversight.

2. Appropriate policies and procedures.

3. Comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks.

4. Appropriate management information systems (MIS) at the business and firm-wide level; and

5. Comprehensive internal controls.

A firm’s policies, procedures and limits should:

1. Provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks posed by its significant activities at the business line and firm-wide levels.

2. Be consistent with the firm’s stated goals and objectives, as well as its overall financial strength.

3. Clearly delineate accountability and lines of authority across the firm’s various business activities, and ensure there is a clear separation between business lines and the risk function.

4. Escalate and address breaches of internal position limits.

5. Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the firm is able to manage and control the activity prior to it being initiated; and

6. Include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate.

Risk management processes should be frequently monitored and tested by independent control areas and internal, as well as external, auditors. The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception-based reporting, is undertaken effectively. The risk management function must be independent of the business lines in order to ensure an adequate separation of duties and to avoid conflicts of interest.

Reputational risk can be defined as the risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a firm’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding.

Reputational risk is multidimensional and reflects the perception of other market participants. Furthermore, it exists throughout the organisation, and exposure to reputational risk is essentially a function of the adequacy of the firm’s internal risk management processes.

Risk management enables leaders to distinguish between and among alternative actions, assess capabilities, and prioritize activities and associated resources by understanding risk and its impact on their decisions.

Standard risk management principles are not designed to promote uniformity or conformity; rather, they offer broad guidance that should be uniquely tailored for the specific needs of each organization.

While a “one-size-fits-all” approach for risk management is neither feasible nor desirable, all risk management programs should be based on two key tenets:

1. Risk management should enhance an organization’s overall decision making process and maximize its ability to achieve its objectives.

2. Risk management should be used to shape and control risks, not to eliminate all risks.

The key principles for effective risk management include:

1. Unity of Effort: Risk management is an enterprise-wide process, and should promote integration and synchronization with entities that share responsibility for managing risks.

Risk management efforts should be coordinated and integrated among all partners, with shared or overlapping risk management responsibilities, to include Federal, state, local, tribal, and territorial governments, as well as the private sector, non-governmental organizations, and international partners.

2. Transparency: Effective risk management depends on open and direct communications.

Transparency is vitally important in risk management due to the extent to which the decisions involved affect a broad range of stakeholders.

Transparency is important for the analysis that contributes to the decision making. It includes the assumptions that supported that analysis, the uncertainty involved with it, and the communications that follow the decision. Risk management should not be a “black box” exercise where analysis is hidden.

Those impacted by a risk management approach should be able to validate the integrity of the approach. This principle does not countermand the times when there is need for security of sensitive or classified information; however, it does suggest that the processes and methodologies used for risk management may be shared even if the information is not. In turn, transparency will foster honest and realistic dialogue about opportunities and limitations.

3. Adaptability: The principle of adaptability includes designing risk management actions, strategies, and processes to remain dynamic and responsive to change.

The landscape is constantly evolving as priorities, threats, and circumstances change, requiring risk managers to adapt to meet expectations and requirements. Risk managers must be flexible in their approach to managing risk.

This means that solutions must be dynamic. A changing world, filled with adaptive adversaries, increased interdependencies, and new technologies, necessitates risk management measures that are equally adaptable.

4. Practicality: The principle of practicality pertains to the acknowledgement that risk management cannot eliminate all uncertainty nor is it reasonable to expect to identify all risks and their likelihood and consequences.

The limitations of managing risk arises from the dynamic nature of threats, vulnerabilities, and consequences, as well as the uncertainty that is generally associated with assessing risks.

This is especially true when facing a threat from an adaptive adversary, such as a terrorist or criminal organization. Decisions often are made amidst uncertainty, but that uncertainty does not preclude the need for sound analysis or well thought-out and structured decision making.

Risk management is an effective and important management practice that should lead to better-supported decisions and more effective programs and operations.

5. Customization: Risk management programs should be tailored to match the needs and culture of the organization, while being balanced with the specific decision environment they support.

Organizations and personnel should tailor the methods for the dissemination of risk information and decision making and communications processes to fit the needs of their mission.

The customization principle includes ensuring that the organization’s risk management approach is appropriately governed and uses the best available information.

This assures that the risk management effort is systematic, timely, and structured based on the values of the organization. However, the principle of customization does not supersede the need to adhere to organizational standards, requirements, and operating procedures for risk management when there is a requirement for working together to analyze risks and promote joint decision making.

Risk management is not an end in and of itself, but rather part of sound organizational practices that include planning, preparedness, program evaluation, process improvement, and budget priority development.

The value of a risk management approach or strategy to decision makers is not in the promotion of a particular course of action, but rather in the ability to distinguish between various choices within the larger context.

You may also visit:

1. What is Risk?

2. The Role of the Risk Officer:

Basel III Framework, Supervisory review process (SRP)

SRP30 - Risk management

30.1 - Sound risk management processes are necessary to support supervisory and market participants’ confidence in banks’ assessments of their risk profiles and internal capital adequacy assessments. These processes take on particular importance in light of the identification, measurement and aggregation challenges arising from increasingly complex on- and off-balance sheet exposures.

30.2 - When assessing whether a bank is appropriately capitalised, bank management should ensure that it properly identifies and measures the risks to which the bank is exposed. A financial institution’s internal capital adequacy assessment process (ICAAP) should be conducted on a consolidated basis and, when deemed necessary by the appropriate supervisors, at the legal entity level for each bank in the group.

In addition, the ICAAP should incorporate stress testing to complement and help validate other quantitative and qualitative approaches so that bank management may have a more complete understanding of the bank’s risks and the interaction of those risks under stressed conditions. A bank should also perform a careful analysis of its capital instruments and their potential performance during times of stress, including their ability to absorb losses and support ongoing business operations.

A bank’s ICAAP should address both short- and long-term needs and consider the prudence of building excess capital over benign periods of the credit cycle and also to withstand a severe and prolonged market downturn. Differences between the capital assessment under a bank’s ICAAP and the supervisory assessment of capital adequacy made under Pillar 2 should trigger a dialogue that is proportionate to the depth and nature of such differences.

30.3 - Pillar 1 capital requirements represent minimum requirements. All of a bank’s risks – both on- and off-balance sheet, and particularly those risks related to complex capital market activities – should be adequately covered by capital, including through Pillar 2 in excess of minimum Pillar 1 requirements. This will help ensure that a bank maintains sufficient capital for risks not adequately addressed through Pillar 1 and that it will be able to operate effectively throughout a severe and prolonged period of financial market stress or an adverse credit cycle. This should, in part, include drawing down on the capital buffer built-up during good times. While all banks must comply with the minimum capital requirements during and after such stress events, it is imperative that systemically important banks have the shock absorption capability to adequately protect against severe stress events.

30.4 - The detail and sophistication of a bank’s risk management programmes should be commensurate with the size and complexity of its business and the overall level of risk that the bank accepts. This guidance, therefore, should be applied to banks on a proportionate basis.

30.5 - Supervisors should determine whether a bank has in place a sound firm-wide risk management framework that enables it to define its risk appetite and recognise all material risks, including the risks posed by concentrations, securitisation, off-balance sheet exposures, valuation practices and other risk exposures. The bank can achieve this by:

(1) adequately identifying, measuring, monitoring, controlling and mitigating these risks;

(2) clearly communicating the extent and depth of these risks in an easily understandable, but accurate, manner in reports to senior management and the board of directors, as well as in published financial reports;

(3) conducting ongoing stress testing to identify potential losses and liquidity needs under adverse circumstances; and

(4) setting adequate minimum internal standards for allowances or liabilities for losses, capital, and contingency funding.

30.6 - These elements should be adequately incorporated into a bank’s risk management system and ICAAP specifically since they are not fully captured by Pillar 1 of the Basel III framework.

Firm-wide risk oversight

30.7 - A sound risk management system should have the following key features:

(1) active board and senior management oversight;

(2) appropriate policies, procedures and limits;

(3) comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks;

(4) appropriate management information systems (MIS) at the business and firm-wide level; and

(5) comprehensive internal controls.

30.8 - It is the responsibility of the board of directors and senior management to define the institution’s risk appetite and to ensure that the bank’s risk management framework includes detailed policies that set specific firm-wide prudential limits on the bank’s activities, which are consistent with its risk taking appetite and capacity. In order to determine the overall risk appetite, the board and senior management must first have an understanding of risk exposures on a firm-wide basis. To achieve this understanding, the appropriate members of senior management must bring together the perspectives of the key business and control functions.

In order to develop an integrated firm-wide perspective on risk, senior management must overcome organisational silos between business lines and share information on market developments, risks and risk mitigation techniques. As the banking industry has moved increasingly towards market-based intermediation, there is a greater probability that many areas of a bank may be exposed to a common set of products, risk factors or counterparties. Senior management should establish a risk management process that is not limited to credit, market, liquidity and operational risks, but incorporates all material risks. This includes reputational, legal and strategic risks, as well as risks that do not appear to be significant in isolation, but when combined with other risks could lead to material losses.

30.9 - The board of directors and senior management should possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls and risk monitoring systems are effective. They should have the necessary expertise to understand the capital markets activities in which the bank is involved – such as securitisation and off-balance sheet activities – and the associated risks. The board and senior management should remain informed on an on-going basis about these risks as financial markets, risk management practices and the bank’s activities evolve. In addition, the board and senior management should ensure that accountability and lines of authority are clearly delineated. With respect to new or complex products and activities, senior management should understand the underlying assumptions regarding business models, valuation and risk management practices. In addition, senior management should evaluate the potential risk exposure if those assumptions fail.

30.10 - Before embarking on new activities or introducing products new to the institution, the board and senior management should identify and review the changes in firm-wide risks arising from these potential new products or activities and ensure that the infrastructure and internal controls necessary to manage the related risks are in place. In this review, a bank should also consider the possible difficulty in valuing the new products and how they might perform in a stressed economic environment.

30.11 - A bank’s risk function and its chief risk officer or equivalent position should be independent of the individual business lines and report directly to the chief executive officer and the institution’s board of directors. In addition, the risk function should highlight to senior management and the board risk management concerns, such as risk concentrations and violations of risk appetite limits.

30.12 - Firm-wide risk management programmes should include detailed policies that set specific firm-wide prudential limits on the principal risks relevant to a bank’s activities. A bank’s policies and procedures should provide specific guidance for the implementation of broad business strategies and should establish, where appropriate, internal limits for the various types of risk to which the bank may be exposed. These limits should consider the bank’s role in the financial system and be defined in relation to the bank’s capital, total assets, earnings or, where adequate measures exist, its overall risk level.

30.13 - A bank’s policies, procedures and limits should:

(1) provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks posed by its lending, investing, trading, securitisation, off-balance sheet, fiduciary and other significant activities at the business line and firm-wide levels;

(2) ensure that the economic substance of a bank’s risk exposures, including reputational risk and valuation uncertainty, are fully recognised and incorporated into the bank’s risk management processes;

(3) be consistent with the bank’s stated goals and objectives, as well as its overall financial strength;

(4) clearly delineate accountability and lines of authority across the bank’s various business activities, and ensure there is a clear separation between business lines and the risk function;

(5) escalate and address breaches of internal position limits;

(6) provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the bank is able to manage and control the activity prior to it being initiated; and

(7) include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate.

30.14 - A bank’s MIS should provide the board and senior management in a clear and concise manner with timely and relevant information concerning their institutions’ risk profile. This information should include all risk exposures, including those that are off-balance sheet. Management should understand the assumptions behind and limitations inherent in specific risk measures.

30.15 - The key elements necessary for the aggregation of risks are an appropriate infrastructure and MIS that:

(1) allow for the aggregation of exposures and risk measures across business lines and

(2) support customised identification of concentrations and emerging risks.

30.16 - A bank’s MIS should be capable of capturing limit breaches and there should be procedures in place to promptly report such breaches to senior management, as well as to ensure that appropriate follow-up actions are taken. For instance, similar exposures should be aggregated across business platforms (including the banking and trading books) to determine whether there is a concentration or a breach of an internal position limit.

30.17 - MIS developed to achieve this objective should support the ability to evaluate the impact of various types of economic and financial shocks that affect the whole of the financial institution. Further, a bank’s systems should be flexible enough to incorporate hedging and other risk mitigation actions to be carried out on a firm-wide basis while taking into account the various related basis risks.

30.18 - To enable proactive management of risk, the board and senior management need to ensure that MIS is capable of providing regular, accurate and timely information on the bank’s aggregate risk profile, as well as the main assumptions used for risk aggregation. MIS should be adaptable and responsive to changes in the bank’s underlying risk assumptions and should incorporate multiple perspectives of risk exposure to account for uncertainties in risk measurement. In addition, it should be sufficiently flexible so that the institution can generate forward-looking bank-wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions. Third-party inputs or other tools used within MIS (eg credit ratings, risk measures, models) should be subject to initial and ongoing validation.

30.19 - Risk management processes should be frequently monitored and tested by independent control areas and internal, as well as external, auditors.3 The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception-based reporting, is undertaken effectively. The risk management function of banks must be independent of the business lines in order to ensure an adequate separation of duties and to avoid conflicts of interest.

Risk concentration

30.20 - Unmanaged risk concentrations are an important cause of major problems in banks. A bank should aggregate all similar direct and indirect exposures regardless of where the exposures have been booked. A risk concentration is any single exposure or group of similar exposures (eg to the same borrower or counterparty, including protection providers, geographic area, industry or other risk factors) with the potential to produce

(i) losses large enough (relative to a bank’s earnings, capital, total assets or overall risk level) to threaten a bank’s creditworthiness or ability to maintain its core operations or

(ii) a material change in a bank’s risk profile. Risk concentrations should be analysed on both a bank legal entity and consolidated basis, as an unmanaged concentration at a subsidiary bank may appear immaterial at the consolidated level, but can nonetheless threaten the viability of the subsidiary organisation.

30.21 - Risk concentrations should be viewed in the context of a single or a set of closely related risk-drivers that may have different impacts on a bank. These concentrations should be integrated when assessing a bank’s overall risk exposure. A bank should consider concentrations that are based on common or correlated risk factors that reflect more subtle or more situation-specific factors than traditional concentrations, such as correlations between market, credit risks and liquidity risk.

30.22 - The growth of market-based intermediation has increased the possibility that different areas of a bank are exposed to a common set of products, risk factors or counterparties. This has created new challenges for risk aggregation and concentration management. Through its risk management processes and MIS, a bank should be able to identify and aggregate similar risk exposures across the firm, including across legal entities, asset types (eg loans, derivatives and structured products), risk areas (eg the trading book) and geographic regions. The typical situations in which risk concentrations can arise include:

(1) exposures to a single counterparty, borrower or group of connected counterparties or borrowers;

(2) industry or economic sectors, including exposures to both regulated and nonregulated financial institutions such as hedge funds and private equity firms;

(3) geographical regions;

(4) exposures arising from credit risk mitigation techniques, including exposure to similar collateral types or to a single or closely related credit protection provider;

(5) trading exposures/market risk;

(6) exposures to counterparties (eg hedge funds and hedge counterparties) through the execution or processing of transactions (either product or service);

(7) funding sources;

(8) assets that are held in the banking book or trading book, such as loans, derivatives and structured products; and

(9) off-balance sheet exposures, including guarantees, liquidity lines and other commitments.

30.23 - Risk concentrations can also arise through a combination of exposures across these broad categories. A bank should have an understanding of its firm-wide risk concentrations resulting from similar exposures across its different business lines. Examples of such business lines include subprime exposure in lending books; counterparty exposures; conduit exposures and structured investment vehicles (SIVs); contractual and non-contractual exposures; trading activities; and underwriting pipelines.

30.24 - While risk concentrations often arise due to direct exposures to borrowers and obligors, a bank may also incur a concentration to a particular asset type indirectly through investments backed by such assets (eg collateralised debt obligations), as well as exposure to protection providers guaranteeing the performance of the specific asset type (eg monoline insurers). A bank should have in place adequate, systematic procedures for identifying high correlation between the creditworthiness of a protection provider and the obligors of the underlying exposures due to their performance being dependent on common factors beyond systematic risk (ie “wrong way risk”).

30.25 - Procedures should be in place to communicate risk concentrations to the board of directors and senior management in a manner that clearly indicates where in the organisation each segment of a risk concentration resides. A bank should have credible risk mitigation strategies in place that have senior management approval. This may include altering business strategies, reducing limits or increasing capital buffers in line with the desired risk profile. While it implements risk mitigation strategies, the bank should be aware of possible concentrations that might arise as a result of employing risk mitigation techniques.

30.26 - Banks should employ a number of techniques, as appropriate, to measure risk concentrations. These techniques include shocks to various risk factors; use of business level and firm-wide scenarios; and the use of integrated stress testing and economic capital models. Identified concentrations should be measured in a number of ways, including for example consideration of gross versus net exposures, use of notional amounts, and analysis of exposures with and without counterparty hedges. A bank should establish internal position limits for concentrations to which it may be exposed. When conducting periodic stress tests, a bank should incorporate all major risk concentrations and identify and respond to potential changes in market conditions that could adversely impact their performance and capital adequacy.

30.27 - The assessment of such risks under a bank’s ICAAP and the supervisory review process should not be a mechanical process, but one in which each bank determines, depending on its business model, its own specific vulnerabilities. An appropriate level of capital for risk concentrations should be incorporated in a bank’s ICAAP, as well as in Pillar 2 assessments. Each bank should discuss such issues with its supervisor.

30.28 - A bank should have in place effective internal policies, systems and controls to identify, measure, monitor, manage, control and mitigate its risk concentrations in a timely manner. Not only should normal market conditions be considered, but also the potential build-up of concentrations under stressed market conditions, economic downturns and periods of general market illiquidity. In addition, the bank should assess scenarios that consider possible concentrations arising from contractual and non-contractual contingent claims. The scenarios should also combine the potential build-up of pipeline exposures together with the loss of market liquidity and a significant decline in asset values.

Reputational risk

30.29 - Reputational risk can be defined as the risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding (eg through the interbank or securitisation markets). Reputational risk is multidimensional and reflects the perception of other market participants. Furthermore, it exists throughout the organisation and exposure to reputational risk is essentially a function of the adequacy of the bank’s internal risk management processes, as well as the manner and efficiency with which management responds to external influences on bank-related transactions.

30.30 - Reputational risk can lead to the provision of implicit support, which may give rise to credit, liquidity, market and legal risk – all of which can have a negative impact on a bank’s earnings, liquidity and capital position. A bank should identify potential sources of reputational risk to which it is exposed. These include the bank’s business lines, liabilities, affiliated operations, off-balance sheet vehicles and the markets in which it operates. The risks that arise should be incorporated into the bank’s risk management processes and appropriately addressed in its ICAAP and liquidity contingency plans.

30.31 - Prior to the 2007 upheaval, many banks failed to recognise the reputational risk associated with their off-balance sheet vehicles. In stressed conditions some firms went beyond their contractual obligations to support their sponsored securitisations and off-balance sheet vehicles. A bank should incorporate the exposures that could give rise to reputational risk into its assessments of whether the requirements under the securitisation framework have been met and the potential adverse impact of providing implicit support.

30.32 - Reputational risk may arise, for example, from a bank’s sponsorship of securitisation structures such as asset-backed commercial paper conduits and SIVs, as well as from the sale of credit exposures to securitisation trusts. It may also arise from a bank’s involvement in asset or funds management, particularly when financial instruments are issued by owned or sponsored entities and are distributed to the customers of the sponsoring bank. In the event that the instruments were not correctly priced or the main risk drivers not adequately disclosed, a sponsor may feel some responsibility to its customers, or be economically compelled, to cover any losses. Reputational risk also arises when a bank sponsors activities such as money market mutual funds, in-house hedge funds and real estate investment trusts. In these cases, a bank may decide to support the value of shares/units held by investors even though is not contractually required to provide the support.

30.33 - Reputational risk also may affect a bank’s liabilities, since market confidence and a bank’s ability to fund its business are closely related to its reputation. For instance, to avoid damaging its reputation, a bank may call its liabilities even though this might negatively affect its liquidity profile. This is particularly true for liabilities that are components of regulatory capital, such as hybrid/subordinated debt. In such cases, a bank’s capital position is likely to suffer.

30.34 - Bank management should have appropriate policies in place to identify sources of reputational risk when entering new markets, products or lines of activities. In addition, a bank’s stress testing procedures should take account of reputational risk so management has a firm understanding of the consequences and second round effects of reputational risk.

30.35 - Once a bank identifies potential exposures arising from reputational concerns, it should measure the amount of support it might have to provide (including implicit support of securitisations) or losses it might experience under adverse market conditions. In particular, in order to avoid reputational damages and to maintain market confidence, a bank should develop methodologies to measure as precisely as possible the effect of reputational risk in terms of other risk types (eg credit, liquidity, market or operational risk) to which it may be exposed. This could be accomplished by including reputational risk scenarios in regular stress tests. For instance, non-contractual off-balance sheet exposures could be included in the stress tests to determine the effect on a bank’s credit, market and liquidity risk profiles. Methodologies also could include comparing the actual amount of exposure carried on the balance sheet versus the maximum exposure amount held off-balance sheet, that is, the potential amount to which the bank could be exposed.

30.36 - A bank should pay particular attention to the effects of reputational risk on its overall liquidity position, taking into account both possible increases in the asset side of the balance sheet and possible restrictions on funding, should the loss of reputation result in various counterparties’ loss of confidence.

Valuation practices

30.37 - In order to enhance the supervisory assessment of banks’ valuation practices, the Basel Committee published Supervisory guidance for assessing banks’ financial instrument fair value practices in April 2009. This guidance applies to all positions that are measured at fair value and at all times, not only during times of stress.

30.38 - The characteristics of complex structured products, including securitisation transactions, make their valuation inherently difficult due, in part, to the absence of active and liquid markets, the complexity and uniqueness of the cash waterfalls, and the links between valuations and underlying risk factors. The absence of a transparent price from a liquid market means that the valuation must rely on models or proxy-pricing methodologies, as well as on expert judgment. The outputs of such models and processes are highly sensitive to the inputs and parameter assumptions adopted, which may themselves be subject to estimation error and uncertainty. Moreover, calibration of the valuation methodologies is often complicated by the lack of readily available benchmarks.

30.39 - Therefore, a bank is expected to have adequate governance structures and control processes for fair valuing exposures for risk management and financial reporting purposes. The valuation governance structures and related processes should be embedded in the overall governance structure of the bank, and consistent for both risk management and reporting purposes. The governance structures and processes are expected to explicitly cover the role of the board and senior management. In addition, the board should receive reports from senior management on the valuation oversight and valuation model performance issues that are brought to senior management for resolution, as well as all significant changes to valuation policies.

30.40 - A bank should also have clear and robust governance structures for the production, assignment and verification of financial instrument valuations. Policies should ensure that the approvals of all valuation methodologies are well documented. In addition, policies and procedures should set forth the range of acceptable practices for the initial pricing, marking-to-market/model, valuation adjustments and periodic independent revaluation. New product approval processes should include all internal stakeholders relevant to risk measurement, risk control, and the assignment and verification of valuations of financial instruments.

30.41 - A bank’s control processes for measuring and reporting valuations should be consistently applied across the firm and integrated with risk measurement and management processes. In particular, valuation controls should be applied consistently across similar instruments (risks) and consistent across business lines (books). These controls should be subject to internal audit. Regardless of the booking location of a new product, reviews and approval of valuation methodologies must be guided by a minimum set of considerations. Furthermore, the valuation/new product approval process should be supported by a transparent, well-documented inventory of acceptable valuation methodologies that are specific to products and businesses.

30.42 - In order to establish and verify valuations for instruments and transactions in which it engages, a bank must have adequate capacity, including during periods of stress. This capacity should be commensurate with the importance, riskiness and size of these exposures in the context of the business profile of the institution. In addition, for those exposures that represent material risk, a bank is expected to have the capacity to produce valuations using alternative methods in the event that primary inputs and approaches become unreliable, unavailable or not relevant due to market discontinuities or illiquidity. A bank must test and review the performance of its models under stress conditions so that it understands the limitations of the models under stress conditions.

30.43 - The relevance and reliability of valuations is directly related to the quality and reliability of the inputs. A bank is expected to apply the accounting guidance provided to determine the relevant market information and other factors likely to have a material effect on an instrument's fair value when selecting the appropriate inputs to use in the valuation process. Where values are determined to be in an active market, a bank should maximise the use of relevant observable inputs and minimise the use of unobservable inputs when estimating fair value using a valuation technique. However, where a market is deemed inactive, observable inputs or transactions may not be relevant, such as in a forced liquidation or distress sale, or transactions may not be observable, such as when markets are inactive. In such cases, accounting fair value guidance provides assistance on what should be considered, but may not be determinative. In assessing whether a source is reliable and relevant, a bank should consider, among other things:

(1) the frequency and availability of the prices/quotes;

(2) whether those prices represent actual regularly occurring transactions on an arm's length basis;

(3) the breadth of the distribution of the data and whether it is generally available to the relevant participants in the market;

(4) the timeliness of the information relative to the frequency of valuations;

(5) the number of independent sources that produce the quotes/prices;

(6) whether the quotes/prices are supported by actual transactions;

(7) the maturity of the market; and

(8) the similarity between the financial instrument sold in a transaction and the instrument held by the institution.

30.44 - A bank’s external reporting should provide timely, relevant, reliable and decision-useful information that promotes transparency. Senior management should consider whether disclosures around valuation uncertainty can be made more meaningful. For instance, the bank may describe the modelling techniques and the instruments to which they are applied; the sensitivity of fair values to modelling inputs and assumptions; and the impact of stress scenarios on valuations. A bank should regularly review its disclosure policies to ensure that the information disclosed continues to be relevant to its business model and products and to current market conditions.

Sound stress testing practices

30.45 - Stress testing is a critical element of risk management for banks and a core tool for banking supervisors and macroprudential authorities. It is integral to banks’ risk management and banking supervision, in that stress testing alerts bank management and supervisory authorities to unexpected adverse outcomes related to a broad variety of risks, and provides an indication to banks and supervisory authorities of the financial resources that might be needed to absorb losses should large shocks occur.

30.46 - Stress testing practices have evolved significantly over time. The increasing importance of stress testing, combined with a significant range of approaches adopted by supervisory authorities and banks, highlight the need for high-level principles to guide all elements of a sound stress testing framework. To this end, the Committee has in place Stress testing principles that cover sound stress testing practices for application to large, internationally active banks and to supervisory and other relevant financial authorities in Basel Committee member jurisdictions. These principles are set at a high level so that they may be applicable across many banks and jurisdictions and to help ensure their relevance as stress testing practices evolve over time. The Principles set out guidance that focuses on the core elements of stress testing frameworks, such as objectives, governance, policies, processes, methodology, resources, and documentation that may guide stress testing activities and facilitate their use, implementation and oversight. Nevertheless, the Basel Committee expects that for internationally active banks, stress testing is embedded as a critical component of sound risk management and supervisory oversight.

30.47 - The principles are intended to be applied on a proportionate basis, depending on size, complexity and risk profile of the bank or banking sector for which the authority is responsible. This recognises that smaller banks and authorities in all jurisdictions can benefit from considering in a structured way the potential impact of adverse scenarios on their business, even if they are not using a formal stress testing framework but are instead using simpler methods.

Liquidity risk management

30.48 - A bank should both assiduously manage its liquidity risk and also maintain sufficient liquidity to withstand a range of stress events.

30.49 - A bank is expected to be able to thoroughly identify, measure and control liquidity risks, especially with regard to complex products and contingent commitments (both contractual and non-contractual). This process should involve the ability to project cash flows arising from assets, liabilities and off-balance sheet items over various time horizons, and should ensure diversification in both the tenor and source of funding. A bank should utilise early warning indicators to identify the emergence of increased risk or vulnerabilities in its liquidity position or funding needs. It should have the ability to control liquidity risk exposure and funding needs, regardless of its organisation structure, within and across legal entities, business lines, and currencies, taking into account any legal, regulatory and operational limitations to the transferability of liquidity.

30.50 - A key element in the management of liquidity risk is the need for strong governance of liquidity risk, including the setting of a liquidity risk tolerance by the board. The risk tolerance should be communicated throughout the bank and reflected in the strategy and policies that senior management set to manage liquidity risk. Another facet of liquidity risk management is that a bank should appropriately price the costs, benefits and risks of liquidity into the internal pricing, performance measurement, and new product approval process of all significant business activities.

30.51 - While banks typically manage liquidity under “normal” circumstances, they should also be prepared to manage liquidity under stressed conditions. A bank should perform stress tests or scenario analyses on a regular basis in order to identify and quantify their exposures to possible future liquidity stresses, analysing possible impacts on the institutions’ cash flows, liquidity positions, profitability, and solvency. The results of these stress tests should be discussed thoroughly by management, and based on this discussion, should form the basis for taking remedial or mitigating actions to limit the bank’s exposures, build up a liquidity cushion, and adjust its liquidity profile to fit its risk tolerance. The results of stress tests should also play a key role in shaping the bank’s contingency funding planning, which should outline policies for managing a range of stress events and clearly sets out strategies for addressing liquidity shortfalls in emergency situations.

30.52 - Senior management should consider the relationship between liquidity and capital since liquidity risk can impact capital adequacy which, in turn, can aggravate a bank’s liquidity profile.

You may also visit:

The Role of the Risk Officer:

Credit Risk:

Market Risk:

Operational Risk:

Systemic Risk:

Political Risk:

Strategic Risk:

Conduct Risk:

Reputation Risk:

Liquidity Risk:

Cyber Risk:

Climate Risk:

Emerging Risk:

Membership and certification

Become a standard, premium or lifetime member. Get certified.


In the Reading Room (RR) of the association you can find our weekly newsletter - "Top risk and compliance management news stories and world events, that (for better or for worse) shaped the week's agenda, and what is next". Our Reading Room

contact us

Lyn Spooner


George Lekatis

President of the International Association of Risk and Compliance Professionals (IARCP)

1200 G Street NW Suite 800, Washington DC 20005, USA - Tel: (202) 449-9750


Privacy, legal, impressum