The Middle East Knowledge Series: Preparing an ICAAP Report
The annual regulatory reporting season is upon us for Firms with a 31 December financial year end, and one of the requirements is for Firms to produce an Internal Capital Adequacy Assessment Process report (“ICAAP”). In this briefing, we look at the ICAAP, the purpose behind it, and the steps and procedures a Firm should consider in preparing it.
The ICAAP was a product of the Basel II Accord on Banking Supervision, which introduced the ‘3 Pillar’ model which is now the foundation of capital and prudential regulation for banks and other financial institutions. The 3 pillar model has been carried forward into Basel III. In brief, the 3 pillars are:
- Pillar 1 – Establishes minimum capital levels prescribed by regulators to provide specifically for credit risk, market risk and operational risk.
- Pillar 2 – Requires a Firm, and its supervisor, to consider all risks to which its business and operating model is subject, over and above the risks set out in Pillar 1. The ICAAP is the format in which this consideration is documented. Pillar 2 also encompasses a Supervisory Review and Evaluation Process (“SREP”) whereby the result of the ICAAP produced by the Firm is subject to review and analysis by the Firm’s supervisor. If the ICAAP and SREP indicate that the Firm’s risk profile demands more capital than is provided by Pillar 1, the supervisor may require the Firm to provide further capital, over and above that prescribed by Pillar 1.
- Pillar 3 – Relates to Market Discipline. It improves the transparency of disclosures made by financial institutions to the market as to risk management approaches, levels of capital and analysis of risk exposures and capital by distinct business segments.
The ICAAP is the process by which a Firm ensures that it operates with an appropriate level of capital. It encompasses a large part of what could be considered a complete Enterprise Risk Management (ERM) framework. The ICAAP brings together risk and capital management activities in a form that can be used to support business decisions.
Figure 1 (see pdf) sets out the various steps involved in the creation of an ICAAP. As can be seen, an ICAAP is a holistic assessment of the risks facing the Firm and the manner in which they are governed and controlled. It should include both quantitative and qualitative factors and should cover all parts of the business model. It is only after a thorough, holistic review that an appropriate determination of the capital needed for the Firm’s business model can be made. In summary the Firm needs to address the following areas:
- Board and senior management oversight
- Comprehensive risk identification and assessment
- Determination of the risk appetite and risk-taking capacity
- Risk control, mitigation and reporting
- Internal control review
- Adequacy of capital sources and contingency planning
- Stress testing of key assumptions and variables.
As previously stated, the objective behind Pillar 2 of the Basel Accord is to require Firms to consider risks which are either not captured at all, or not captured fully, by Pillar 1. As Pillar 1 is focused on credit risk, market risk and operational risk, the ICAAP should consider the following risks to the extent that they are applicable to the Firm and its business model. However, as the ICAAP is part of a Firm’s entire ERM Framework, it is normal for it to cover all risks to which the Firm is subject, both those within Pillar 1 and those within Pillar 2.
Key risks which should be considered as part of an ICAAP include:
- Credit risk;
- Market risk ;
- Operational risk;
- Interest rate risk in the non-trading book;
- Concentration risk;
- Funding risk;
- Liquidity risk;
- Business/strategic risk;
- Reputation risk;
- Conduct of business risk;
- Money laundering risk;
- Sanctions risks;
- Regulatory risks;
- Pension obligation risk
- Displaced commercial risk (where a Firm conducts Islamic financial business involving a Profit Sharing Investment Account ); and
- Any other risks identified by the Firm’s Enterprise Risk Framework.
Having performed the steps outlined in Figure 1, the Firm should record the results and conclusions in a formal document. The ICAAP report should have the following sections:
- Executive Summary
This should provide an overview of the methodology used, the main findings and results and an assessment as to whether the Firm has enough capital to manage its affairs over the planning horizon.
This section should provide a high-level overview of the process the Firm has followed when conducting its ICAAP. It should include a brief description of the review, challenge and approval process of the ICAAP. It should also provide details of the relevant policies and systems used by the Firm to identify, manage, and monitor its risks according to its risk appetite.
- Structure and Governance
This section should set out the various products and services the Firm provides and the manner in which those products and services are governed by its corporate governance arrangements. It should also include an organisation chart and the reporting lines, roles and responsibilities of the relevant functions, plus a description of the role of internal and external audit.
- Statement of Risk Appetite
This section should provide a high-level overview of the Firm’s risk appetite, and the frequency it is reviewed by the Governing Body.
- Enterprise Risk Framework (Internal Risk Assessment Process)
This section should provide a concise description of the Firm’s risk identification process and outline how the Firm identifies material risk areas. While we have highlighted certain key risks, Firms should consider all specific risks applicable to their business.
- Capital Planning
This section should outline the Firm’s capital needs, anticipated capital expenditures, desired capital level and external capital sources and must be in line with the Firm’s desired strategic objectives and business plan. It should include the analysis conducted on the Firm’s capital position and whether it is appropriate for the nature, scale and complexity of the business, including the perceived risks mentioned previously.
- Liquidity Planning
This section should summarise how Liquidity Risk is managed. In particular, it should set out the key assumptions and conclusions from stress testing of cash flows undertaken to manage the risk.
- Stress Testing and Scenario Analysis
This is a key element of the ICAAP assessment and focuses on stress testing key assumptions in the Firm’s forecasts. For example, for a start-up entity, the key assumption may be the delivery of revenues in the amount and timeline as set out in the forecasts. For an asset management entity, the key assumption may be the amount of assets under management.
- Integration, Review and Approval
This section should include information regarding:
- the role of the Governing Body in approving the conceptual design of the ICAAP. This should include a reference to its scope, methodologies and objectives;
- the review by the Governing Body and senior management and other control functions such as risk management, compliance and internal audit;
- how the results have been used by the Firm and how it is embedded in the decision making, business planning and risk management processes;
- how results have been integrated into risk limit setting and monitoring;
- any significant changes made in the current process as compared to previous ICAAP processes; and
- a list of all the relevant documents and policies used in the preparation, review, approval and implementation of ICAAP.
Performed correctly, the ICAAP process provides senior management, the Governing Body, and the Firm’s regulator with a wealth of information that would enable the Firm to better manage risks and make more informed decisions as to future strategy in response to market events. Firms should not, however, underestimate the amount of work and analysis required to produce the report, and should allow sufficient time for a thorough process to be undertaken.
Need assistance with the ICAAP reporting process? Get in touch with the Middle East Compliance Solutions team today.