Key elements of CAAP General

4.3.1 AIs are expected to develop a CAAP that is:

 comprehensive in terms of the identification and measurement of the risks associated with an AI’s business and the assessment of how much capital is needed to support these risks;

 risk-based and forward-looking, with emphasis on the importance of capital planning, management and other qualitative aspects of risk management and controls, and takes into account the AI’s strategic plans and how these relate to macroeconomic factors;

 integrated into the management process and decision-making culture of the AI. For more sophisticated AIs, the CAAP should be integrated into their day-to-day management process. For example, in addition to allocation of capital to business units, the CAAP would likely play a part in making credit decisions or other general business decisions (e.g. expansion plans and budgets). The results of the CAAP may also feed into the process of determining business strategies and risk appetite / tolerance levels. Although smaller AIs tend to have less sophisticated capital planning and assessment systems, their CAAP should at least produce results that enable the ongoing assessment and management of their risk profile (e.g. the results may

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

influence their lending behaviour or use of risk mitigants) and inform the setting of risk appetite / tolerance; and

 capable of producing a reasonable outcome on the overall level of capital required and the assessment supporting such outcome.

4.3.2 The CAAP should capture all material risks of an AI, including the eight inherent risks covered under the MA’s risk-based supervisory framework, and the interactions of these risks under both normal and stressed conditions.

The overall environment within which the CAAP should operate is also important. AIs should, in particular, be able to identify other external risk factors that may arise from the regulatory, economic or business environment.

In addition, adequate corporate governance and proper risk management and internal control arrangements constitute the foundation of an effective CAAP.

4.3.3 The basic elements of a sound CAAP should include:

 policies and procedures to identify, measure, monitor, control, and report the risks inherent in an AI’s activities;

 a process to relate the AI’s internal capital to its risks;

 a process to state the AI’s capital adequacy goals in relation to risks, taking into account its strategic focus and business plan; and

 a process of internal controls, independent reviews and audits to ensure the integrity of the overall management process.

Capital planning and management policies

4.3.4 It is likewise important that internal policies are in place for capital planning and management purposes and meet

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

the standards and criteria required in the relevant supervisory guidelines (see Annex A for more details).

4.3.5 An AI should have a capital policy that will allow the AI to maintain ready access to funding, meet its obligations and continue its business during and after a stressful scenario. At a minimum, such a capital policy should include:

 the approach for determining the AI’s overall capital adequacy having regard to its risk profile and risk tolerance as approved by the Board and the senior management;

 the AI’s short-term and long-term capital adequacy goals in relation to its risk profile, taking into account its strategic focus and business plan;

 the approved capital targets that are consistent with the AI’s overall risk profile and financial position;

 the monitoring framework and relevant minimum thresholds and triggers (referencing a suite of capital- and performance-based indicators) for senior management’s attention and action; and

 the range of strategies that can be employed to address anticipated and unanticipated capital shortfalls and measures that would be taken in the event capital falls below a targeted level.

4.3.6 Other management policies should be in place to supplement the capital policy in relation to:

 firm-wide risk management, which takes into account all material risks (both quantifiable and

non-Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

quantifiable)¹⁷ as well as risks that do not appear to be significant in isolation, but when combined with other risks could lead to material losses or consequences¹⁸;

 stress-testing, which should adequately address economic cycle risk and measure the AI’s ability to withstand adverse conditions (see subsection 3.7 for more details);

 valuation practices, which should apply to all positions (including complex, structured products and financial instruments) that are measured at fair value and cover different circumstances, especially during times of stress;

 remuneration systems, which should consider risk-adjusted performance measures and focus on achieving longer-term capital preservation and financial strength rather than focusing on, and thereby potentially encouraging, the generation of short-term accounting profits;

 dividend payout, which should neither hinder the AI from capital formation to support business growth nor weaken its capital position or financial soundness;

 provisioning levels and provisioning methodology, which should ensure that the level of provisions established and maintained by the AI is adequate to

17 Apart from the eight inherent risks identified for the purpose of risk-based supervision, other material risks, such as those posed by concentrations, securitization and off-balance sheet exposures that are relevant to the AI, should also be considered.

18 For example, the direct loss of an AI arising from an operational risk event (e.g. loss of confidential customer data) may be limited in itself. However, if this event affects a large number of customers and attracts substantial adverse market publicity, there may be significant damage to the AI’s reputation, apart from the potential claims for damages filed by the customers and other regulatory consequences for the AI for breaching data privacy rules and client confidentiality obligations.

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

absorb estimated losses inherent in the AI’s asset portfolios, binding commitments and contingent liabilities; and

 income recognition and associated methodology, which should, among other things, clearly define under what situations the AI can or cannot recognise income and set out the details of the methodologies adopted.

Risk management policies and procedures

4.3.7 The policies and procedures to identify, measure, monitor, control, and report the risks inherent in an AI’s activities should meet the following standards:

 risk measurement systems should be sufficiently comprehensive and rigorous to capture the nature and magnitude of the risks faced by the AI, whilst differentiating risk exposures consistently among risk categories and levels of riskiness. Such systems should also be capable of performing risk data aggregation¹⁹ across different risk types or business lines;

 adequate controls should be in place to ensure the objectivity and consistency of risk identification and measurement and that all material risks (both on- and off-balance sheet) are adequately addressed;

 detailed analyses should be conducted to support the accuracy or appropriateness of the risk measurement techniques used;

19 Risk data aggregation means defining, gathering and processing risk data according to the AI’s reporting requirements to enable the AI to measure its performance against its risk tolerance/appetite.

An effective CAAP should use risk data aggregation techniques to estimate the amount of capital required, regardless of whether or not the AI uses risk-modelling techniques to assess capital adequacy. If an AI uses risk-modelling techniques to assess capital adequacy, the AI should comply with the additional requirements set out in subsection 4.4.

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

 limitations of risk quantification and measurement methods should be identified and understood through appropriate processes;

 inputs used in risk measurement should be of good quality;

 those risks that are not easily quantifiable should be evaluated using qualitative assessment and management judgement. Nevertheless, AIs should recognise the biases and assumptions embedded in, and the limitations of, the qualitative approaches used, with a view to ensuring that the potential impact of the relevant risk is not underestimated;

 the economic substance of risk exposures, including reputation risk and valuation uncertainty, should be fully recognised and incorporated into the risk management process;

 changes in the AI’s risk profile should be promptly incorporated into risk measures, whether the changes are due to new products or new businesses, increased volumes, changes in concentrations, the quality of the portfolio or the overall economic environment;

 when measuring risks, comprehensive and rigorous stress tests should be performed to identify possible events or market changes that could have serious adverse effects or significant impact on the AI’s capital and operations (see Annex D for more details);

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

 clear links between capital and liquidity monitoring should be established²⁰; and

 adequate consideration should be given to contingent exposures arising from loan commitments, securitization and other transactions or activities that may create such exposures (see Annex E for more details).

4.3.8 To facilitate firm-wide risk management and oversight, AIs should have in place appropriate infrastructure and MIS that contain, at a minimum, the following key elements:

For aggregation of risks

 allow for the aggregation of exposures and risk measures across business lines and platforms (including the banking and trading books) in managing risks and monitoring limits;

 support customised identification of concentrations and emerging risks;

 support the ability to evaluate the impact of various types of economic and financial shocks that affect the whole organisation;

 offer sufficient flexibility to incorporate hedging and other risk mitigating actions to be carried out on a firm-wide basis whilst taking into account the various related basis risks;

To enable proactive risk management

20 For instance, the capital position of an AI can have an effect on its ability to obtain liquidity, especially in times of stress. An AI should evaluate its capital adequacy with regard to its liquidity profile and the liquidity of the markets in which it operates, and have a mechanism in place to trigger any necessary action should circumstances warrant.

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

 should be capable of providing regular, accurate and timely information on the AI’s aggregate risk profile as well as the main assumptions used for risk aggregation;

 should be adaptable and responsive to changes in the AI’s underlying risk assumptions;

 should incorporate multiple perspectives of risk exposure to account for uncertainties in risk measurement; and

 should be sufficiently flexible so that the AI can generate forward-looking firm-wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions.

4.3.9 If AIs use third-party inputs or other tools (e.g. credit ratings, risk measures and models, etc.) to produce risk management information, they should have adequate procedures in place to ensure that such inputs and tools are subject to initial and ongoing validation.

4.3.10 If AIs employ risk mitigating techniques, they should understand the risk to be mitigated and the potential effects of that mitigation (including its enforceability and effectiveness), and have in place appropriate policies and procedures to control risks associated with these techniques (see subsection B6.2 under Annex B for more details).

4.3.11 AIs should understand that it is often difficult to quantify measurement errors that may exist in risk measurement.

As a result, the level of capital maintained should cater for an increase in uncertainty related to modelling and business complexity. AIs should suitably account for measurement errors when calculating capital requirements, and be able to demonstrate the adequacy of capital to address such errors.

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

4.3.12 AIs conducting risk aggregation among various risk types or business lines should understand the challenges in such aggregation. They should seek to address any potential concentrations across more than one risk dimension, recognising that losses could arise in several risk dimensions at the same time, stemming from the same event or a common set of factors. For example, a localised natural disaster could generate losses from credit, market and operational risks at the same time.

(See Annex F for more details.) Internal capital allocation process

4.3.13 The process of relating an AI’s internal capital to its risks should meet the following requirements:

 the amount of capital held should reflect not only the measured amount of risk but also an additional amount to account for potential uncertainties in risk measurement (e.g. measurement error or modelling risk) (see also para. 4.3.11);

 the AI’s capital should reflect the perceived level of precision in the risk measures used, the potential volatility of exposures and the relative importance of the activities producing the risk;

 capital levels should reflect the fact that historical correlation among exposures can change rapidly;

and

 the AI should be able to demonstrate that its approach to relating capital to risk is conceptually sound and that outputs and results are reasonable.

Setting of capital adequacy goals

4.3.14 There should be a process to state the AI’s capital adequacy goals in relation to risks, taking into account its strategic focus and business plan:

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

 explicit goals and targets need to be established for evaluating the AI’s capital adequacy with respect to its risks;

 the AI should develop an internal strategy for maintaining capital levels which should not only reflect the desired level of risk coverage but also incorporate factors such as loan growth expectations, future sources and uses of funds, and dividend policy. There may be other considerations that the AI considers relevant or important in determining how much capital it should hold (e.g.

external rating goals, market image, strategic goals, etc.). If these other considerations are included in the CAAP, the AI will be required to show how the considerations have influenced its decisions concerning the amount of capital to be held;

 the AI’s approved capital plan should state its objectives and time horizon for achieving them, and set out in broad terms the capital planning process and the responsibilities for that process. The capital plan should recognise that accommodating additional capital needs requires significant lead time, and take into account the potential difficulties of raising additional capital during downturns or other times of stress. It should also set out how the AI will comply with regulatory capital requirements, any relevant limits related to capital, and a general contingency plan for dealing with divergences and unexpected events (e.g. raising additional capital, restricting business activities or using risk mitigating techniques for risk management purposes, etc.);

 the AI should obtain a forward-looking view on the AI’s capital adequacy through stress-tests and scenario analyses. The AI should conduct stress tests that take into account the risks of the environment and the prevailing stage of the economic cycle in which it is operating, to assess

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

the impact of possible adverse events or scenarios on its capital. The AI should analyse what impact new legislation or competitors’ actions may have on its performance, in order to ascertain what changes in the environment it could sustain. The requirements and scenarios for stress-testing should be proportionate to the nature, size, risk profile and complexity of the AI’s business activities. Most importantly, the AI should aim at attaining a capital level that can withstand the stressed conditions in all the relevant stress tests (e.g. the supervisor-driven stress tests and other relevant stress tests conducted by the AI, and supervisory top-down solvency stress tests conducted by the MA, as applicable).

 the AI should evaluate whether its long-run capital targets might differ from its short-run goals, based on current and planned changes in its risk profile and the lead time for raising new capital;

 it is not necessary for the AI to use formal economic capital models for setting capital goals and targets and assessing its capital adequacy, although it is expected that more sophisticated AIs will elect to do so (in which case the additional criteria set out in subsection 4.4 have to be satisfied);

 the capital goals and targets should be reviewed and approved by the Board or designated committee of the Board regularly (at least annually) to ensure their appropriateness; and

 appropriate adjustments to the CAAP should be promptly initiated if changes in the business, strategy or operational environment suggest that the CAAP is no longer adequate.

4.3.15 AIs should recognise that the §97F minimum CAR imposed on an AI represents a regulatory floor

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

requirement below which the AI’s overall capital level must not fall, even if the AI’s management believes that a lower capital level is justified.

4.3.16 AIs should ensure that adequate capital is held against all material risks not just at a point in time, but over time, to account for changes in their strategic direction, evolving economic conditions and volatility in the financial environment.

Design of CAAP

4.3.17 AIs may design their CAAP in different ways to cater for their individual needs and circumstances. The following are some options that AIs may have reference to:

 using the BCR minimum CAR as a starting point and adding considerations which are not captured, or not adequately captured, by the BCR minimum CAR.

For many small and less complex AIs, a relatively simple CAAP is entirely acceptable. One possibility might be to base their CAAP primarily on the methodology set out in the Banking (Capital) Rules, supplemented as necessary for any other generic factors which have a particular bearing on their risk profile (e.g. in terms of size, sector or products). For example, to obtain a capital goal, an AI may simply take the BCR minimum CAR and adjust it with a self-determined “capital surcharge” ²¹ which is calibrated from elements outside the consideration of the BCR minimum CAR and from other forward-looking elements (including the effect of stressed conditions). The AI should be able to demonstrate that it has adequately analysed all material risks

21 The term “capital surcharge” referred to in para. 4.3.17 covers the situation in which an AI determines the additional capital it should maintain on top of the BCR minimum CAR based on its own internal capital assessment.

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

outside the BCR minimum CAR and found that all such risks were covered by the “capital surcharge”;

 using different methodologies for different risk types (including all risks captured by the BCR minimum CAR and the self-determined “capital surcharge”) and then calculating a simple sum of the resulting capital “needs”;

 using a more sophisticated and complex system, e.g. “bottom-up” transaction-based approaches with integrated correlations; or

 using a combination of the above.

4.3.18 AIs should ensure that decisions regarding the design and operation of the CAAP should not be unduly influenced by competing business objectives.

4.3.19 AIs should enhance and refine their CAAP over time, taking into account changes in their risk profile and activities as well as advances in risk measurement and management practices.

Documentation of CAAP

4.3.20 AIs should have complete documentation covering the CAAP. Such documentation should at least include:

 a description of the overall process;

 all related policies and management guidelines;

 all committees and individuals involved in the CAAP, including their responsibilities;

 the methodologies, assumptions and procedures used in the CAAP, covering all aspects ordinarily expected for the sound use of quantitative methods, including model selection, limitations, data selection and maintenance, controls and validation;

Supervisory Policy Manual

CA-G-5 Supervisory Review Process

V.54 – 08.04.2016 Consultation

 the frequency of CAAP-related reporting; and

 the procedures for the periodic evaluation of the appropriateness and adequacy of the CAAP.

4.3.21 The documentation of the CAAP should be subject to

4.3.21 The documentation of the CAAP should be subject to

在文檔中 Supervisory Policy Manual (頁 66-79)