PIB A10.1 Guidance
Guidance is relevant to an Authorised Firm described in PIB section 10.3 (that is, a firm in Category 1, 2, 3A, 3B, 3C, 3D, 4 (if it provides Money Transmission, Account Information Services or Payment Initiation Services) or 5 in regard to an Internal Risk Assessment Process (referred to in this Guidance as an IRAP).
2. The following
Guidance generally assumes that the Rules relating to capital adequacy in PIB apply to an Authorised Firm on a solo basis. However, the Guidance is to be read as also applying where the capital adequacy requirements in these modules apply to the Financial Group of an Authorised Firm on a consolidated basis.
Purpose of the
IRAP is an internal process of an Authorised Firm which enables it to identify, assess, aggregate and monitor its risks adequately. The objective of the IRAP is to develop a comprehensive and detailed risk profile for the firm. The IRAP should help the firm ensure that sound risk management systems are in place, address any weaknesses in its risk management framework, and maintain adequate internal capital relative to its risk profile.
Authorised Firm should ensure that the IRAP forms an integral part of the firm's risk management framework and decision-making processes. The IRAP should cover all activities of the Authorised Firm and should be proportionate to the nature and complexity of the firm's activities.
Authorised Firm should be able to demonstrate to the DFSA that its internal risk assessment is comprehensive and adequate relative to the nature of risks posed by its business activities and its operating environment.
DFSA does not prescribe any specific approach for the IRAP and, consequently, an Authorised Firm can choose to implement an IRAP which is proportionate to the nature, size and complexity of the business activities.
IRAP should be subject to adequate internal controls and reviews by internal audit to ensure the integrity and objectivity of the process. The IRAP should consider the quality and effectiveness of the Authorised Firm's risk management framework while determining its risk profile.
a. identify and outline all related parties of the
Authorised Firm, and list the types of transactions that occur between those related parties and the firm;
b. identify the most significant risks to which the firm is exposed, which should, at a minimum, include the risks identified in
Guidance note 9;
c. identify each of the firm's major business lines and prepare a comprehensive list of the major risks to which each of the businesses are exposed;
d. identify the controls and risk management measures used to address the risks referred to in b. and c. and assess the strength of such controls and systems; and
e. consider the impact of an economic or industry downturn on its future earnings, taking into account its business plans.
IRAP should, in addition to the aforementioned factors:
a. estimate, with the aid of historical data, where available, the range and distribution of possible losses which might arise from each of those risks and consider using stress tests to provide risk estimates;
b. consider the extent to which the firm's
Capital Requirement adequately addresses the type of risks referred to under Guidance note 8 (b) and (c); and
c. estimate the expected change in the firm's risk profile on the basis of projections of the firm's business activities for the next 3 to 5 years.
10. If the firm's
IRAP is based on this Guidance, it may enable the DFSA more easily to review the IRAP as part of its SREP. However, the DFSA may decide to rely on an IRAP that is not consistent with the elements of this Guidance, owing to specific reasons and/or circumstances which necessitate an alternative approach.
Authorised Firm should consider the following risks, where relevant, in its IRAP:
Credit Risk, including Large Exposures and Concentration Risks;
Islamic Financial Business involving PSIAs, displaced commercial risk;
e. interest rate risk in the
Non-Trading Book ;
g. internal controls and systems; and
h. reputational risk.
Guidance is merely an indicative list of risk categories, which does not preclude an Authorised Firm from assessing other risks that it considers significant (for example, securitisation risks and residual risks). Likewise, certain categories of risks might not be relevant to all Authorised Firms completing the IRAP. In this case, the IRAP should clearly indicate why the risk is considered minimal or not relevant. The IRAP should also consider all risks arising from any non-regulated activities of the Authorised Firm, if they are seen as material to the risk profile of the firm.