PRU-EPRS 1.39 Instructional Guidelines — Internal Risk Assessment Process (IRAP) and Internal Capital Adequacy Assessment Process (ICAAP)

1. The DFSA has issued detailed rules and guidance regarding its approach to Supervisory Review and Evaluation Processes (SREP) in PIB Chapter 10 and Appendix 10. As part of this framework, an Authorised Firm (Firm) in PIB Category 1, 2, 3A, 3B, 3C or 5 is required to provide an up-to-date IRAP and, if applicable, an ICAAP, to the DFSA annually (within 4 months of the Firm's financial year end).
2. The DFSA is providing the following suggested template which can be used as guidance for this submission. While the use of this template is not mandatory, the submitted document should address the elements contained in the template. Before submission to the DFSA the document must be reviewed and approved by the Firm's Governing Body. The level of detail in the IRAP and ICAAP document will vary based on the size and complexity of the Firm. Supplementary information such as policies, risk management frameworks and processes can be referred to by way of appendices.
3. The overarching approach comprises three steps as set out in PIB Chapter 10. Not all of the steps are applicable to all Firms. The application of the sections is set out in PIB 10.1 and is summarised below:
a. IRAP must be completed by a Firm in PIB Category 1, 2, 3A, 3B, 3C and 5;
b. ICAAP must also be completed by a Firm in PIB Category 1, 2, 3A and 5; and
c. SREP will apply to both a Firm completing an IRAP and ICAAP.
4. Following submission of the IRAP and ICAAP, the DFSA will conduct a SREP to review and evaluate the assessments carried out by a Firm under its IRAP and ICAAP. Following this review, the DFSA may engage with a Firm to discuss specific aspects or the Firm's risk profile in certain areas. For a Firm required to complete the ICAAP, this may also include the DFSA imposing an ICR on the Firm after the SREP review. The SREP will be structured to provide consistency of treatment to all Firms, taking into consideration risk profile, business strategy and management. The SREP does not constitute a parallel or secondary IRAP or ICAAP, rather its purpose is to review and evaluate the completeness and consistency of IRAP and ICAAP of a Firm.
5. Fundamentally, the SREP process aims to develop a meaningful and detailed assessment by a Firm of its own risks, and foster a meaningful interaction and dialogue between the DFSA and Firms to enhance understanding and consider any remedial actions that may be required to reduce a Firm's risk profile and meet prudential requirements on an on-going basis.
Suggested Format for IRAP and ICAAP assessments Applicable for IRAP Applicable for ICAAP
1. Executive Summary
2. Background
3. Structure and Governance
4. Statement of Risk Appetite
5. Internal Risk Assessment Process
6. Capital planning  
7. Liquidity Planning  
8. Stress testing and scenario analysis
9. Integration, review and Approval

1. Executive Summary

The Executive Summary should provide an overview of the IRAP and ICAAP methodology and the results. It should include:

a. a brief overview of the Firm's business strategy and risk appetite;
b. commentary on the most material risks faced by the Firm, why the level of risk is acceptable and whether mitigating actions are planned or in progress;
c. an assessment of the adequacy of the Firm's risk management processes including governance framework;
d. a summary of the financial position of the Firm, balance sheet structure and projected profitability;
e. an assessment of whether the Firm considers its capital and financial resources as adequate given the size and complexity of its business; and
f. a summary of the main findings of the ICAAP analysis (where applicable), and whether the Firm has adequate Capital Resources over its planning horizon.

2. Background

This section should provide a high-level overview of the process the Firm has taken when conducting its IRAP (and if applicable its ICAAP). It should include a brief description of the review, challenge and approval process of the IRAP, and if applicable, the ICAAP.

It should include details of the Firm's risk management framework together with the business planning and capital management process utilised in the assessment. It should also provide details covering relevant policies and systems used by the Firm to identify, manage, and monitor its risks according to its risk appetite.

3. Structure and Governance

This section should include information regarding the following:

a. updated group structure (legal and operational);
b. internal organisation including staffing, reporting lines, Governing Body, and operational committees;
c. details of oversight from other group control functions;
d. background on key senior management and Directors;
e. summary of financial products and business lines in operation, including a breakdown of profitability by business line; and
f. details of the internal audit framework and audit work conducted during the period. This should also outline key audit findings and management actions taken.

4. Statement of Risk Appetite

This section should provide a high-level overview of the Firm's risk appetite. It should also set out the frequency of review of the risk appetite by senior management and the Governing Body.

The DFSA appreciates that risk appetite will vary significantly between Firms considering the nature, scale and complexity of their business, including the nature of the Licence permissions. For example, Firms undertaking balance sheet risks will have materially different risk appetites than Firms engaging in advisory or pure brokerage business. Risk appetite may also vary across business lines and across risk types. Nevertheless, all Firms should set a risk appetite to provide a cornerstone for the Firm's risk management framework and business strategy.

5. Internal Risk Assessment Process (IRAP)

This section should provide a concise description of the Firm's risk identification process and outline how the Firm identifies material risk areas. While we have highlighted certain key risks below, Firms should consider all specific risks applicable to their business.

Key risks which should be considered as part of an IRAP include:

a. Credit Risk;
b. Market Risk;
c. Operational Risk;
d. Interest rate risk in the non-trading book;
e. Concentration Risk;
f. Funding risk;
g. Liquidity risk;
h. Business/Strategic risk;
i. Reputation risk;
j. Conduct of business risk;
k. Money Laundering risk;
l. Sanctions risks;
m. Regulatory risks;
n. Displaced Commercial Risk (where a Firm conducts Islamic Financial Business involving a Profit Sharing Investment Account); and
o. Any other risks identified.

Not all risk factors will have a quantifiable financial capital charge, but these should nonetheless be considered with regard to appropriate mitigations and management actions to minimise any potential implications. For example, conduct and AML risks may lead to significant regulatory or other fines and penalties, and consequently will require appropriate systems and controls.

The Firm can utilise a separate appendix to provide further detail on the Firm's risk assessment and quantification methodology, including:

a. the Firm's definition of each of the key risks listed above and any others considered key based on the Firm's risk profile;
b. how the Firm determines the materiality of each key risk;
c. the Firm's business plan and strategy to deal with such risks;
d. a description of how each material risk is then quantified for capital allocation purposes, including detailed methodology to specify data, assumptions and calculations; and
e. details of any stress testing and scenario analysis conducted to determine impact results on capital requirement.

At a minimum, the DFSA expects a Firm in PIB Category 1, 2 or 5 to provide a Pillar II capital allocation to cover IRRBB, Liquidity and Credit Concentration Risk.

6. Capital planning

This section should outline the Firm's capital needs, anticipated capital expenditures, desired capital level and external capital sources and must be in line with the Firm's desired strategic objectives and business plan. It should include the analysis conducted on the Firm's capital position and whether it is appropriate for the nature, scale and complexity of the business, including the reflection of the perceived risks in section 5 above.

This section should include:

a. the Firm's “baseline” capital forecasts (at least quarterly, based on the annual business plan);
b. a 3-year summary forecast capital position, with particular focus on the next 12-month period; and
c. a description of the Firm's capital planning and management process, including an outline of how ICAAP is incorporated into this process.

The Firm should also include in this analysis details of the implications of DFSA or other capital requirements. For example, the analysis should include:

a. the Firm's assessment as to how it will maintain a capital “cushion” in order to meet regulatory capital requirements; and
b. explicit disclosure of the Firm's capital targets and other regulatory obligations being introduced.

Where relevant, Financial Group ICAAP considerations will typically take into account the risks to which the Firm is exposed due to its membership of a broader corporate group. Examples to be considered include:

a. contagion, Counterparty Risk, reputational risk and risks related to operational dependencies such as shared functions and systems; and
b. an assessment of the level of Group resources to consider transferability of capital intergroup and stress testing availability of such capital under a range of market conditions.

7. Liquidity Planning

This section should summarise how Liquidity Risk is managed (as distinct from any capital set aside to cover losses incurred in a liquidity stress). In particular, it would set out the key assumptions and conclusions from stress testing of cash flows undertaken to manage the risk.

It would generally be helpful for the ICAAP to include as appendices the following, where relevant:

a. an organisation chart that covers liquidity and funding risk management delegated authorities and reporting lines within the Firm;
b. asset-liability committee (ALCO) papers and samples of management information used day to day in Treasury operations;
c. liquidity and funding policy documentation including limit breach policy documentation;
d. internal audit reports relating to Treasury departments (if applicable);
e. liquidity stress testing documentation;
f. an explanation of intra-group liquidity arrangements, especially if operating in several countries. This is particularly important for Firms operating as subsidiaries and should include any restrictions on the ability of the Group to provide liquidity to the DIFC Firm;
g. number, scale and timeline of commitments whether formal or informal towards:
i. off-balance sheet financing vehicles or other exposures;
ii. market counterparties (including margin or collateral obligations); or
iii. towards clients;
h. analysis of sources of liquidity, including details of specific funding risks or market liquidity risks; and
i. detailed contingency funding plans.

Any material impact of Liquidity Risk on capital such as scenarios relating to ratings downgrades or material increases in cost of a liquidity stress should be included in the stress and scenario testing outlined in the next section.

8. Stress & Scenario testing

This is a key element of the IRAP and ICAAP assessments and should focus on the assumptions utilised realistically to stress test a Firm's financial position. The DFSA does not stipulate specific stress test criteria or scenarios given the broad nature of business models in operation and scale and complexity of Firms. However, the following are suggested guidelines to be utilised:

Using the “baseline” projections, the Firm should use stress-tests to consider how it would perform under stressed conditions. This section should:

a. set out the stress tests undertaken and the rationale for their choice;
b. summarise the methodology and assumptions used in each scenario tested;
c. summarise how the Firm would manage its business and capital so as to ensure that minimum regulatory requirements are met at all times;
d. where mitigating actions are relied upon, provide the results of the stress tests on both gross and net of controls, and credible management action basis; and
e. provide explicit disclosure of the linkage between the stress and scenario testing done as part of ICAAP and the Firm's stress testing programme.

Management actions following the stress tests should be outlined, with consideration to:

a. quantitative impact of those actions;
b. sensitivity analysis/testing of management actions; and
c. justification of why these mitigating actions are plausible.

At a minimum, the DFSA expects each Firm to include the following stress tests in its ICAAP analysis:

a. a standardised (200 basis points) interest rate shock (a single factor test);
b. downturn in its credit quality or an equivalent credit stress scenario which is relevant to the Firm's business lines (a single factor test); and
c. a scenario that in management's view would most likely cause a breach of DFSA target capital levels (a reverse engineered scenario test).

For Firms without material Credit Risk, ensure that suitable tests are completed to reflect other relevant risks such as operational or reputation risk. For example, a Firm undertaking asset management services could run a stress test assuming a 30% loss of AuM or the loss of its largest client.

9. Integration, Review and Approval

This section should include information regarding:

a. the role of the Governing Body in approving the conceptual design of the IRAP and where applicable ICAAP. This should include reference to its scope, methodologies and objectives;
b. the review by the Governing Body and senior management and other control functions such as risk management, compliance and internal audit;
c. how the review has been used by the Firm and how it is embedded in the decision making, business planning and risk management processes;
d. how results have been integrated into risk limit setting and monitoring;
e. any significant changes made in the current process as compared to previous IRAP/ICAAP processes; and
f. a list of all the relevant documents and policies used in the preparation, review, approval and implementation of ICAAP (these can be included as appendices).
[Added] [VER3/04-14]