Condition precedent for the risk management
Bank must adopt and implement respective documents designing and regulating risk management environment before commencing with the business operations (risk management strategy, policies, and procedures).
Risk management in the bank
A bank is responsible to continuously manage all risks it has been exposed to in its operations in accordance with the law, regulations of the CBoM and best risk management practices in the bank, and must establish risk management system that provides the following:
- Identification of current risks and the risks that may arise from new business products or activities;
- Measurement of risks through establishing the mechanisms and the procedures for the accurate and timely assessment of risks;
- Monitoring and analyzing of risks;
- Control of risks by limiting and minimizing risks.
Risk management system in a bank must correspond to the size of a bank, complexity of products and services in its operations and the level of assumed risk.
As a minimum, risk management system must include the following:
- Defined appropriate strategy for risk management;
- Adopted policies and developed processes for risk management;
- Clearly defined powers and responsibilities for risk management;
- Efficient and safe information technology system;
- Contingency plans;
- Stress testing.
A strategy for management of risks the bank has been exposed to in its operations must include, as a minimum, the following:
- Objectives, which the bank wants to accomplish with strategy;
- Selection of business activities, products and services that will be dominant in the bank’s performance;
- Expected relation of returns and risks for parts of bank portfolios and total assets;
- General criteria and methods which are relevant for creation of frameworks for risk management.
- Strategy for management of risks the bank has been exposed to in its operations shall be adopted for period not less than three years.
- The bank shall periodically, and at least annually, review adequacy of the risk management strategy.
Risk management policies must provide accomplishment of risk management strategy on a daily basis and have to include, as a minimum, the following:
- Areas in which the identification of risk and methods for risk identification is performed;
- Methods, indicators and timeframes for measurement of individual risks;
- Limits and control procedures of individual exposures to risks and overall exposure to individual risks that correspond to the size of a bank, complexity of products and services in its operations and the level of assumed risk;
- The manner and the dynamics of reporting and informing the board of directors and bank management on management of individual risks;
- The manner of connection of activities of individual risk management in bank with activities that are performed in dependent legal persons and other entities subject to supervision on consolidated basis and the manner for incorporation of these activities in the structure of risk management on consolidated basis;
- Methods and timeframes for back-testing of quality of risks management.
A bank must periodically, and at least annually, review adequacy of the adopted policies and processes for management of individual risks.
The CBoM may at any given time require the bank to document processes for management of individual risks.
A bank have to clearly define, in its rules and procedures, powers and responsibilities for risk management in bank for all levels of work process and decision-making, and provide segregation of risk taking from risk identification, measurement, monitoring and control.
The CBoM may prescribe minimum requirements for the information system functioning.
A bank must designate, within its organizational structure, an organizational part or persons, depending on the size and complexity of the bank’s operations, directly responsible for individual risk management on daily basis. The organizational parts or persons will be responsible to provide reports to the bank’s board of directors on risk management activities if needed, and at least once a month.
A bank must establish and maintain reliable information system that adequately ensures gathering and processing of information for the following:
- Measurement and monitoring of risk exposures on daily basis and in other determined periods;
- Monitoring if the established limits for risk management are met;
- Creation of reporting formats for bank bodies and other parties included in risk management process.
A bank needs to provide preparation of secure electronic backups of information and data on daily basis and store them on a secure location.
The CBoM may prescribe the minimum requirements for the information system functioning.
A bank shall also conduct, using several types of stress scenarios, testing of the bank’s sensitivity to individual types of risks on aggregate basis.
Stress scenario shall include, in the context of this law, assumptions on extreme changes of market and other factors, which may have significant material impact on bank’s performance.
Types of risks
The risks the bank is exposed to in its operations and for which it must establish risk management system are the following:
- Liquidity risk,
- Credit risk,
- Market risks,
- Operational risk,
- Interest rate risk not resulting from bank trading activities,
- Country risk,
- Other risks (reputation risk, compliance risk, etc.).
Liquidity risk shall be the risk that the bank will not be able to provide a sufficient amount of cash to meet its obligations as they become due, or risk that the bank may obtain cash with significant expenses to meet the matured obligations. The bank must operate so that it can meet all its obligations in cash as they become due.
Credit risk shall be the risk of incurring losses in bank operations due to the debtor’s failure to meet its obligations to the bank.
Total exposure of a bank to one party or group of related parties may not exceed 25% of bank’s own funds. The exposure of a bank to one party or group of related parties, in accordance with the CBoM regulation, shall be the total amount of all bank claims on loans and other assets, including amount of off balance sheet obligations and uncollected written off assets, decreased by the amount of claims that is secured by qualitative instruments of security of claims. The exposure of a bank to one party or group of related parties shall be considered as large if it is equal to or larger than 10% of bank’s own funds. The sum of all large exposures of a bank must not exceed 800% of bank’s own funds. The bank shall apply the following limits for the exposures to bank related parties:
- Total exposure of a bank to all bank related parties may not exceed the amount of 200% of bank’s own funds;
- Total exposure to a party that is member of the board of directors, audit committee or executive director, including members of its immediate family may not exceed 2% of bank’s own funds;
- Total exposure to legal persons that are controlled by above persons and/or members of their immediate families may not exceed 10% of bank’s own funds;
- Total exposure to an employee not referred above may not exceed 1% of bank’s own funds;
- Total exposure to a shareholder that does not have qualified participation in a bank, including exposure to legal persons that are controlled by such shareholder may not exceed 10% of bank’s own funds;
Sum of the total exposure of a bank to the following parties may not exceed 20% of bank’s own funds:
- Shareholders that have qualified participation in a bank, including exposure to legal persons that are controlled by such shareholders;
- Legal persons controlled by a party that controls the bank,
- Legal persons controlled by the bank.
Market risk shall be the probability of incurring losses in bank balance sheet and off-balance sheet financial instruments arising from changes in interest rates, foreign exchange rates, prices, indices and/or other market factors impacting the value of financial instruments, as well as the risks related with the marketability of financial instruments.
Operational risk shall be the risk of incurring losses in the bank’s operation, as a result of inadequate internal systems, processes and controls, including also inadequate information technology due to outsourcing, weaknesses and errors in performance, illegal actions and external events that may expose a bank to loss, including legal risk as well. In case of outsourcing provided through an outsourcing agreement or otherwise, a bank shall enable the CBoM, in the process of operational risk examination, review of quality of the services rendered, including the direct review with such service provider.
Country risk shall represent the possibility of incurring losses by a bank, due to inability to collect receivables from the entities outside of Montenegro, which results from political, social and economical environment of the country in which debtor has its head office or residence (hereinafter referred to as: debtor’s country). Country risk shall include:
- Political and economical risk, which means the probability of incurring losses arising from inability to collect bank’s receivables due to limits established by rules and procedures of government and other entities of the debtor’s country, as well as from economic and systemic conditions in the country;
- Transfer risk, which means the probability of incurring losses due to inability to collect receivables in currency other than the official currency of the debtor’s country, arising from limits of payment of obligations to creditors from other countries in particular currency, established by rules and procedures of government and other entities of the debtor’s country.
Interest rate risk not resulting from bank trading activities shall be the risk of incurring losses in bank’s operations due to the interest rate changes for balance sheet and off balance sheet items that are not intended for trade.