PIB A10.1 PIB A10.1 IRAP
PIB A10.1 Guidance
Guidanceis relevant to an Authorised Firmdescribed in PIB section 10.3 (that is, a firm in Category1, 2, 3A, 3B, 3C, 3D, 4 (if it provides Money Transmission, Account Information Services or Payment Initiation Services) or 5 in regard to an Internal Risk Assessment Process(referred to in this Guidanceas an IRAP).2. The following Guidancegenerally assumes that the Rulesrelating to capital adequacy in PIBapply to an Authorised Firmon a solo basis. However, the Guidanceis to be read as also applying where the capital adequacy requirements in these modules apply to the Financial Groupof an Authorised Firmon a consolidated basis.
Purpose of the
IRAP3. The IRAPis an internal process of an Authorised Firmwhich enables it to identify, assess, aggregate and monitor its risks adequately. The objective of the IRAPis to develop a comprehensive and detailed risk profile for the firm. The IRAPshould help the firm ensure that sound risk management systems are in place, address any weaknesses in its risk management framework, and maintain adequate internal capital relative to its risk profile.4. An Authorised Firmshould ensure that the IRAPforms an integral part of the firm's risk management framework and decision-making processes. The IRAPshould cover all activities of the Authorised Firmand should be proportionate to the nature and complexity of the firm's activities.5. The Authorised Firmshould be able to demonstrate to the DFSAthat its internal risk assessment is comprehensive and adequate relative to the nature of risks posed by its business activities and its operating environment.6. The DFSAdoes not prescribe any specific approach for the IRAPand, consequently, an Authorised Firmcan choose to implement an IRAPwhich is proportionate to the nature, size and complexity of the business activities.7. The IRAPshould be subject to adequate internal controls and reviews by internal audit to ensure the integrity and objectivity of the process. The IRAPshould consider the quality and effectiveness of the Authorised Firm'srisk management framework while determining its risk profile.8. The IRAPshould:a. identify and outline all related parties of the Authorised Firm, and list the types of transactions that occur between those related parties and the firm;b. identify the most significant risks to which the firm is exposed, which should, at a minimum, include the risks identified in Guidancenote 9;c. identify each of the firm's major business lines and prepare a comprehensive list of the major risks to which each of the businesses are exposed;d. identify the controls and risk management measures used to address the risks referred to in b. and c. and assess the strength of such controls and systems; ande. consider the impact of an economic or industry downturn on its future earnings, taking into account its business plans.9. The IRAPshould, in addition to the aforementioned factors:a. estimate, with the aid of historical data, where available, the range and distribution of possible losses which might arise from each of those risks and consider using stress tests to provide risk estimates;b. consider the extent to which the firm's Capital Requirementadequately addresses the type of risks referred to under Guidancenote 8 (b) and (c); andc. estimate the expected change in the firm's risk profile on the basis of projections of the firm's business activities for the next 3 to 5 years.10. If the firm's IRAPis based on this Guidance, it may enable the DFSAmore easily to review the IRAPas part of its SREP. However, the DFSAmay decide to rely on an IRAPthat is not consistent with the elements of this Guidance, owing to specific reasons and/or circumstances which necessitate an alternative approach. Guidanceon risks to be covered as part of the IRAP11. An Authorised Firmshould consider the following risks, where relevant, in its IRAP:a. Credit Risk, including Large Exposuresand Concentration Risks;b. Market Risk;c. Liquidity Risk;d. for Islamic Financial Businessinvolving PSIAs, displaced commercial risk;e. interest rate risk in the Non-Trading Book;f. Operational Risk;g. internal controls and systems; andh. reputational risk.12. This Guidanceis merely an indicative list of risk categories, which does not preclude an Authorised Firmfrom assessing other risks that it considers significant (for example, securitisation risks and residual risks). Likewise, certain categories of risks might not be relevant to all Authorised Firmscompleting the IRAP. In this case, the IRAPshould clearly indicate why the risk is considered minimal or not relevant. The IRAPshould also consider all risks arising from any non-regulated activities of the Authorised Firm, if they are seen as material to the risk profile of the firm.