The ICAAP is a process

Not a report, not (just) a model

A reflection for banks and banking supervisors about the first steps of Pillar 2 implementation

Cristina Pailhé, Advisor, Banking Supervision and Regulation*

The second Pillar of the Basel Capital Framework is by far one of the most challenging and -personal opinion backed by experience-, one of the most important elements to help strengthen both banks’ risk management and supervisory practices, especially in emerging markets. While working with banks and banking supervisors here and there, I’ve seen some recurrent and stylized facts on this matter.

In many emerging markets, banks are still in the first stages of implementation of their “Internal Capital Adequacy Assessment Process, (ICAAP)”. This typically arises as a consequence of a supervisory requirement, in the context of implementation of the Basel Capital Framework. The ICAAP is the first, and critical element of the second Pillar of the Framework. The other elements are the supervisory review of the internal capital calculation; capital levels in excess of the minimum requirement; and early supervisory intervention to ensure that capital is above the minimum required to support the risk characteristics of each bank.

Putting in place all the elements to ensure an effective implementation of Pillar 2 is challenging and demanding, and some areas deserve special attention. A few key lessons learned on the supervisory side:

• Modern and principle-based guidelines on risk management, corporate governance and stress testing are necessary to set expectations and to make sure that banks know which the benchmark is. Proportionality is a key element in such guidelines, meaning that implementation could differ according to the systemic importance, nature, and other characteristics of each bank.
• Supervisors should possess appropriate skills, which typically include a combination of soft and hard skills to make informed decisions about the solvency of the banks. Specialized resources are necessary to support the evaluation of specific risk areas (e.g., specific risks such as credit, market, operational, interest rate risk in the banking book, etc).
• Risk-based supervision (RBS) is a necessary (although not sufficient) condition for the successful implementation of Pillar 2. Compliance-based approaches to supervision and Pillar 2 simply cannot live together. Sound professional judgment is a precondition to assess banks’ ICAAPs, which cannot be evaluated by supervisors just by following a “checklist” of formal elements. Moving from compliance-based supervision to RBS is a long and challenging process, as a cultural change at both the supervisory agency and banks is necessary for a successful implementation.

In emerging markets, the presence of such elements cannot be taken for granted. Rather, the implementation of Pillar 2 has been one of the key drivers that motivated updates on such areas.

Do not forget the “P”! The ICAAP is a process, not just a report or a model

Once supervisors require banks to implement an ICAAP, the first years of the implementation are challenging, and the following situations are commonly observed:

• The ICAAP is considered a “compliance” exercise. In this scenario, banks typically submit, once a year, their “ICAAP reports” to the supervisors. It is commonly observed that some banks refer to the report as the ICAAP itself (“we submitted our ICAAP to the supervisor last month, and that is it”). Clearly the ICAAP cannot be “submitted” to the supervisor as the ICAAP is a process, and as such, is internal to the bank. When such an approach is observed, it is a good indicator that the ICAAP is seen as a compliance exercise, which is clearly not the objective. The ICAAP report is sent to the supervisor because it is requested and that is all. On the contrary, the ICAAP is a process that should be implemented on an ongoing basis at the bank; the report submitted to the supervisor at the requested frequency is just a summary of it.
• The ICAAP only assesses Pillar 1 risks based on the regulatory (standardized) methodologies. When this is the case, banks do not explain why they hold capital in excess of the minimum (Pillar 1) requirements. In their initial ICAAPs, some banks do not quantify Pillar 2 risks, but just Pillar 1 risks based on the regulatory methodologies are calculated in the ICAAP. No other risks are quantified, as are deemed inmaterial. But such argument contradicts what is observed in practice: banks typically do have capital in excess of the minimum Pillar 1 requirement; otherwise, the bank will be under some degree of supervisory intervention. A good way to approach the discussion is by trying to help the bank to rationalize the reasons behind such excess. What are the risks that the bank is trying to cover with such excess? Which scenarios does the bank believe can be addressed by such a number? And for how long? Capital is costly and it is even more costly for a bank to try to raise capital when is needed. Therefore, banks hold excess capital in advance, which a is prudent practice. Under Pillar 2, the first step is for them to explain and justify the rational for the observed capital buffers. The next step would be to assess if the existing buffers are sufficient to cover all material risks faced by the bank, not only under normal circumstances but also under stress scenarios and for a given planning period (e.g., three to five years).
• The ICAAP is disconnected from the risk appetite statement (RAS) of the bank. The RAS should determine the level and types of risks that the bank is willing to accept in order to conduct its business. The development of a RAS and the approval of it by the Board is also a recent practice in several jurisdictions and banks. The RAS are still too qualitative in many institutions, and there is no link to the risks identified in the ICAAP and the respective capital charges. Moreover, the RAS itself is frequently seen just as a regulatory requirement rather than a risk management tool.
• On the opposite side, some ICAAPs are just a quantification of risks, not supported by appropriate corporate governance. In that regard, it is worth remembering that banks may use models as part of their ICAAP, but the ICAAP is a much more comprehensive process. As such, it also includes Board and management oversight, sound corporate governance, comprehensive risks assessment, a sound capital assessment (process that relates risks to capital), monitoring and reporting, and a mechanism for internal control review.

 The implementation of Pillar 2 proves to be a challenging but crucial element in the process towards sound risk management and effective banking supervision.