Risk is at the heart of banking – and so is risk management. In a regulated bank, it is crucial to take a holistic view, including economic and normative perspectives. This material gives an overview of enterprise risk management in banks; specifics by risk type – credit risk, market risk, operational risk, liquidity risk, and other relevant risks – are not discussed here.

1. Risk Management in Banks
Kristi Rohtsalu, May 2024
Overview

2. Introductory remarks
Risk is at the heart of banking – and so is risk management. In a regulated bank, it is crucial to take a holistic view:
• From economic perspective, see risk as cost of doing business, and risk management as the way to control and (possibly) lower that cost.
• From normative perspective, meet the regulatory requirements to protect the banking license.
• See economic and normative perspective as complementary to each other.
This material gives an overview of the enterprise risk management in banks; specifics by risk type – credit risk, market risk, operational risk,
liquidity risk and other relevant risks – are not discussed here. Considerations only relevant to systemically important banks are not covered; the
focus is on smaller and less complex banks. Regulatory topics refer to the regulatory frameworks as applied in the European Union, including
but not limited to Capital Requirements Directive (CRD IV) and Capital Requirements Regulation (CRR), and Bank Recovery and Resolution
Directive (BRRD).
The term ‘bank’ also refers to the banking group. ‘Institution’ is a more general term which covers banks and other institutions for which CRD
IV, CRR and BRRD apply; therefore, the term is used in the regulatory documents, guidelines and technical standards.
‘Senior management’ refers to the management body in its management function. ‘Supervisory board’ or ‘Board’ refers to the management
body in its supervisory function. These terms should be interpreted in accordance with the applicable law and organization structure.
2

3. Contents
• Risks in banking
• Risk management process and risk culture
• Risk Appetite Framework (RAF)
• Principle of proportionality and risk-based approach to risk management
• Risk governance and -organization
• Basel III and reporting frameworks
• The three pillars of Basel III
• Regulatory capital and liquidity adequacy ratios
• COREP and FINREP
• Regulatory processes
• Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Assessment Process (ILAAP)
• Supervisory Review and Evaluation Process (SREP)
• Recovery planning
• Stress testing and stress testing programs
• Inserting risk management considerations into credit pricing
• Appendices
• Abbreviations
• Links and references
3

4. Risks in banking
4

5. What is risk (in business and in banking)?
• In general terms, risk is cost of doing business.
• In financial terms, risk is the potential negative
impact to the value of business.
• For practical purposes, risk can also be defined as a
potential negative deviation from the expected
financial results. In that sense:
• Expected loss (EL) does not represent a risk,
because it is expected and therefore
provisioned.
• The risk lies in the unexpected loss (UL)
which is the negative deviation from the
expected loss.
• Risk is to be covered with adequate amounts of
capital and liquid assets such as cash.
• …And here we go again: cost of capital and
cost of liquidity factor in as costs of doing
business (besides other expenses).
5
Expected and Unexpected Loss in economic capital model

6. Risks in today’s banking (illustration)*
6
• Capital risk: Insufficient level or composition of capital to cover applicable capital requirements and support business activities under normal economic environments or stressed
conditions
• Credit risk: The risk that a counterparty fails to meet its obligations towards the bank and that the pledged collateral does not cover the claims
• Market risk, incl. interest rate risk in banking book (IRRBB): The risk to value, earnings, capital or exposure arising from movements of risk factors in financial markets
• Liquidity & funding risk: The risk of not being able to meet payment obligations and support business activities without incurring considerable additional costs for obtaining funds
or losses due to asset fire-sales
• Operational risk: The risk of losses, business process disruptions and negative reputational impact resulting from inadequate or failed internal processes, human errors and
systems, or from external events; sub-types of operational risk include (but are not limited to) the following:
• Process risk
• People risk aka personnel risk
• ICT & Information security risks
• AI risk & model risk
• Third-party / outsourcing risk
• Legal risk
• External fraud risk
• Regulatory compliance risk, incl. conduct risk and ML/TF risk: The risk of failure to fulfil and meet the external and internal regulations applicable to the licensed operations
• Strategic and business risk: Risk of losses, including in the form of foregone revenues or additional costs, due to failed business model, poor strategical planning and/or decisions,
or due to poor reputation not supporting strategic goals
• ESG risk: The risk of any current or prospective negative impact stemming from Environmental, Social or Governance (ESG) factors
• Reputation risk: Risk of losing reputation as a negative consequence resulting from the realization of one or several main risks
* This is an illustration only. Risk taxonomy may be different for different banks. One should also note interconnectedness of different risks as well as risk
concentrations.

7. Risk management process and risk culture
7

8. Risk management process
8
Identify
(‘gross
approach’)
Assess &
Measure
Manage &
Mitigate
Monitor
Report
• Business model analysis
• Evaluating specific products and services
• Evaluating internal processes and systems
• Evaluating external environment
• Stress testing to include forward-looking
perspective
Estimation of the likelihood and
potential impact:
• Qualitative analysis
• Quantitative assessment
Strategies to manage, mitigate
and/or eliminate risks, e.g.:
• Implementing control measures
• Improving processes
• Investing into technology
• Transferring risks through insurance
Monitor and review continually a)
inherent risks, and b) effectiveness
of risk mitigation strategies
Regular and ad hoc reporting (as
required) to management bodies
and other relevant stakeholders:
• Current risks
• Emerging risks
• Breaches of risk limits
• Effectiveness of risk management
framework • Risk taxonomy
• Definition of
‘material’ risk
• Risk inventory

9. Risk culture
• Risk culture is a term describing the
values, beliefs, knowledge, attitudes
and understanding about risk shared
by a group of people with a common
purpose.
• An effective risk culture is one that
enables and rewards individuals and
groups for taking the right risks in an
informed manner.
• In promoting a sound risk culture,
tone from the top plays a crucial role.
9
Risk culture
Organizational
culture
Behaviors
Personal
ethics
Personal
predisposition
to risk
Risk Culture Framework as designed by Institute of Risk Management
[WWW] https://www.theirm.org/what-we-say/thought-leadership/risk-culture/

10. Risk Appetite Framework (RAF)
10
Risk Appetite Framework is a strategic tool to reinforce strong risk culture, which in turn is critical for sound
risk management.

11. Key definitions of RAF
Risk appetite: The aggregate level and types of risk a financial institution is willing to assume within its risk capacity to achieve its strategic
objectives and business plan.
Risk Appetite
Framework
(RAF):
The overall approach, including policies, processes, controls, and systems through which risk appetite is established,
communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities
of those overseeing the implementation and monitoring of the RAF.
Risk Appetite
Statement:
The articulation in written form of the aggregate level and types of risk that a financial institution is willing to accept, or to
avoid, in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed
relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate.
Risk capacity: The maximum level of risk a financial institution is able to assume given its capital base, its risk management and control
capabilities, and its regulatory constraints.
Risk limits: Quantitative measures based on forward looking assumptions that allocate the financial institution’s aggregate risk appetite
statement (e.g. measure of loss or negative events) to business lines, legal entities, specific risk categories, concentrations, and
as appropriate, other levels.
Risk profile: Point in time assessment of the financial institution’s gross and, as appropriate, net risk exposures (after taking into account
mitigants) aggregated within and across each relevant risk category based on forward looking assumptions.
Risk tolerance: The types of risks and levels of those risks that the financial institution does not intentionally expose itself to, but
accepts/tolerates.
11

12. Key definitions of RAF, illustration
12
Risk appetite
Risk tolerance
Risk capacity
Actual risk profile is
within risk appetite
Actual risk profile
exceeds risk appetite,
yet is acceptable (i.e.:
remains below risk
tolerance level)
Actual risk profile
exceeds risk
tolerance, yet is
tolerable (i.e.:
remains below risk
capacity level)
Actual risk profile
exceeds risk capacity:
recovery or the end of
story

13. Why do banks have to have a formalized Risk Appetite Framework?
“Children sometimes eat too much. Their eyes can be bigger than their stomachs. The result can be quite
unpleasant. For banks, it’s much the same. They sometimes take on more risk than they can stomach. The
results, however, can be worse than just a bellyache. Banks that take on too much risk can get into financial
trouble and fail, and, in some cases, they might even damage other banks and the economy.”
– Quote from speech by Danièle Nouy, Chair of the Supervisory Board of the ECB, International Conference on Banks’ Risk
Appetite Frameworks, Ljubljana, 10 April 2018
13
As compared to ‘normal’ private companies, banks are different: even banks in private ownership are kind of
quasi-private. This is because if a bank fails, this may easily become a problem in wider economy; fragility is
built into today’s financial system and requires careful balancing.

14. Designing RAF in five steps (one iteration*)
14
Step 1:
Identify all
material
risks.
Step 2: In the
Risk Appetite
Statement, spell
out how much
risk, and what
kind, you are
willing to take
on.
Step 3: Determine
risk capacity. How
much risk you can
actually stomach?
Step 4: Set risk
appetite limits by
business lines,
legal entity levels,
specific risk
categories, etc.
Step 5: Set up
policies,
processes,
controls and
systems for
implementation
and monitoring of
the RAF
Risk appetite may need
adjustment, given the
risk capacity.
* The development and establishment of an effective RAF is an iterative and evolutionary process that requires ongoing dialogue throughout the bank to attain
buy-in across the organization.

15. RAF – How to make it work?*
15
1. Effective governance and
tone from the top
- Establishment and
oversight by the Board
- Developed by the CRO, in
collaboration of the CEO,
CFO and relevant
stakeholders
- Board members and senior
management acting as role
models for the risk culture
3. Effective communication
- Risk Appetite Statement is
easy to communicate and
easy to understand
- Clear communication,
including communication of
roles and responsibilities of
all parties
5. Monitoring and
reporting
- The RAF should establish
the process for monitoring
and reporting, as well as
procedures for escalation
and cascading of limits.
- Tool: Risk Appetite
Dashboard
4. Alignment with
remuneration schemes
For example: if the
(intentional) action of an
employee leads to a breach
of risk limits, this might also
impact his or her
remuneration.
6. Stable over time, yet
agile and dynamic
The RAF should facilitate
timely management action
to respond to emerging risks
in the business and
externally.
2. Linkages to strategy and
structural processes, incl.
financial planning, capital
and liquidity planning,
contingency and business
continuity planning,
recovery planning, …
* Inspired by KPMG, “Insights: Leading practices for
Risk Appetite Frameworks” (October 2023)

16. Principle of proportionality and risk-based
approach to risk management
16

17. Principle of proportionality
• Banking regulations and regulatory guidelines are meant to be applied in a manner that is appropriate, taking into
account bank’s size and internal organization and the nature, scope and complexity of its activities.
• In banking supervision, banks are categorized into four SREP categories:
17
“The principle of proportionality is the idea that an action should not be more severe than is necessary.”
– Collins Dictionary
Put simply, when applied to risk management, principle of proportionality means focusing on what is of high risk rather than low
risk.
Category Description
1 Large institutions pursuant to Article 4(1), point (146) of Regulation (EU) No 575/2013, and other systemically important institutions if decided so
by the supervisor
2 Large institutions that are not classified under category ‘1’
Medium institutions with sizable cross-border activities and/or several business lines
Institutions with significant market shares in their lines of business
3 Small to medium institutions other than those in categories ‘1’, ‘2’ and ‘4’
4 Small and non-complex institutions pursuant to Article 4(1), point (145) of Regulation (EU) No 575/2013, and other small non-complex institutions
with limited scope and non-significant market share

18. Risk-based approach to risk management
• For risk-based approach to risk
management, all business functions,
supporting processes and information
assts should be classified in terms of
criticality and importance.
18
* Note that in Bank Recovery and Resolution Directive (BRRD), the
definition of ‘critical function’ is different than the one given here for
bank risk management purposes.
…secure
financial
performance
… secure
continuity of
banking
activities
A function is
critical*
and/or
important if
it is to…
… protect
banking
license

19. Risk governance and -organization
19

20. Tone from the top
• Risk management is not ‘contained’ in the unit(s) responsible for risk management and internal controls; it is everyone’s
responsibility. Yet it does not work without the tone from the top. Management body, including the Board and senior
management, retains overall responsibility for risks.
• The Board ensures that the institution-wide risk management framework is established. It defines and communicates
overall risk strategy and risk appetite as well as provides the foundation of a strong and sound risk culture and risk
awareness throughout the organization. It also, on a continuous basis, reviews and evaluates the effectiveness of the first
and second lines of defense risk management functions and assesses whether there are sufficient resources allocated in
that area.
• Board committees, first of all Risk Committee and/or Audit Committee are there to support and advise the Board.
• Senior management implements the risk strategy and risk appetite through internal rules and risk limit framework that
consists of limits, escalation triggers and key risk indicators.
• The head of the risk management function (CRO) ensures that all material risk are identified, measured and properly
reported. It delivers a complete view of the whole range of risks faced by the institution. CRO is actively involved in
elaborating the risk strategy and all material risk management decisions.
• The CRO shall not be removed without prior approval of the Board. The CRO shall be able to have direct access to the
Board where necessary. (Article 76, point (5) of Directive 2013/36/EU)
20

21. Risk organization and the three lines of defense
21
Risks
Supervisory board
Senior management
1st of defense:
Risk takers
Operative controls: Every
business unit is responsible for
identifying and managing the
risks inherent in the products,
activities, processes and systems
for which it is accountable.
Risk Ownership
2nd line of defense:
Risk management & Compliance
Ownership of the risk
management framework and
management of compliance risks:
• Risk policies, standards and
guidelines
• Stress testing and regulatory
processes
• Risk reporting
• Independent view regarding the
effectiveness of 1st line of defense
Risk Control
3rd line of defense:
Internal audit
Independent assurance to the
Board, supervisory authorities
and other interested parties of
the appropriateness of the
institution’s risk management
Auditors
Risk Assurance
Enforcement:
ECB
and
NCAs
Internal control
functions

22. Basel III and reporting frameworks
22

23. The three pillars of Basel III on capital and liquidity adequacy*
23
Basel III as imposed by CRD & CRR
Internal assessments on capital and
liquidity (ICAAP and ILAAP)
Supervisory Review and Evaluation
Process (SREP)
Pillar 2 requirements and guidance:
• Pillar 2 requirements on capital and/or
leverage (binding)
• Pillar 2 guidance on capital and/or
leverage (supervisory expectation)
• Pillar 2 liquidity requirements (e.g.:
buffer add-ons, cap on cash outflows,
supervisory minimum survival period)
Pillar 2:
Bank specific requirements
and guidance
Disclosure requirement (Pillar 3
report)
• Transparency for market
participants, concerning the banks
risk position (risk management,
detailed information on own
funds, etc.)
• Enhanced comparability among
banks
Pillar 3:
Market Discipline
Capital requirements:
• Base capital requirements: CET1,
Tier 1, Total Capital ratio
• Buffer requirements
• Base leverage ratio requirement
Liquidity requirements:
• Liquidity Coverage Ratio (LCR)
• Net Stable Funding Ratio (NSFR)
Pillar 1:
General minimum
requirements
* Requirements only applicable to systemically important banks are not included here.

24. Capital adequacy ratios
Total risk exposure amount (TREA) here refers to the risk-weighted exposure amount as defined in Article 92 of Regulation
(EU) No 575/2013. In other documents, TREA is also referred to as Risk-weighted Assets (RWA).
24
𝐶𝑜𝑚𝑚𝑜𝑛 𝐸𝑞𝑢𝑖𝑡𝑦 𝑇𝑖𝑒𝑟 1 𝑟𝑎𝑡𝑖𝑜 =
𝐶𝑜𝑚𝑚𝑜𝑛 𝐸𝑞𝑢𝑖𝑡𝑦 𝑇𝑖𝑒𝑟 1 (𝐶𝐸𝑇1)
𝑇𝑜𝑡𝑎𝑙 𝑅𝑖𝑠𝑘 𝐸𝑥𝑝𝑜𝑠𝑢𝑟𝑒 𝐴𝑚𝑜𝑢𝑛𝑡 (𝑇𝑅𝐸𝐴)
𝑇𝑖𝑒𝑟 1 𝑟𝑎𝑡𝑖𝑜 =
𝐶𝑜𝑚𝑚𝑜𝑛 𝐸𝑞𝑢𝑖𝑡𝑦 𝑇𝑖𝑒𝑟 1 𝐶𝐸𝑇1 + 𝐴𝑑𝑑𝑖𝑡𝑖𝑜𝑛𝑎𝑙 𝑇𝑖𝑒𝑟 1 𝑐𝑎𝑝𝑖𝑡𝑎𝑙 (𝐴𝑇1)
𝑇𝑜𝑡𝑎𝑙 𝑅𝑖𝑠𝑘 𝐸𝑥𝑝𝑜𝑠𝑢𝑟𝑒 𝐴𝑚𝑜𝑢𝑛𝑡 (𝑇𝑅𝐸𝐴)
𝑇𝑜𝑡𝑎𝑙 𝑐𝑎𝑝𝑖𝑡𝑎𝑙 𝑟𝑎𝑡𝑖𝑜 =
𝐶𝑜𝑚𝑚𝑜𝑛 𝐸𝑞𝑢𝑖𝑡𝑦 𝑇𝑖𝑒𝑟 1 𝐶𝐸𝑇1 + 𝐴𝑑𝑑𝑖𝑡𝑖𝑜𝑛𝑎𝑙 𝑇𝑖𝑒𝑟 1 𝑐𝑎𝑝𝑖𝑡𝑎𝑙 𝐴𝑇1 + 𝑇𝑖𝑒𝑟 2 𝑐𝑎𝑝𝑖𝑡𝑎𝑙 (𝑇2)
𝑇𝑜𝑡𝑎𝑙 𝑅𝑖𝑠𝑘 𝐸𝑥𝑝𝑜𝑠𝑢𝑟𝑒 𝐴𝑚𝑜𝑢𝑛𝑡 (𝑇𝑅𝐸𝐴)

25. Banking ‘stuff’: Capital adequacy ratios (example)*
25
* Buffers and other requirements only applicable to systemically important banks are not included in this example. Specific numbers, except the base capital
requirement, are for illustration purposes only as they depend on specific circumstances.
CET 1 capital ratio Tier 1 capital ratio Total capital ratio
To be met at all
times
Base capital requirement 4.50% 6.00% 8.00%
Pillar 2 capital charge 3.60% 3.60% 4.60%
Total SREP capital requirement 8.10% 9.60% 12.60%
Combined buffer
requirement
Capital conservation buffer 2.50% 2.50% 2.50%
Systemic risk buffer 0.00% 0.00% 0.00%
Countercyclical buffer 1.50% 1.50% 1.50%
Overall capital requirement 12.10% 13.60% 16.60%
Pillar 2 guidance 1.50% 1.50% 1.50%
Total supervisory expectation 13.60% 15.10% 18.10%
Management buffer (if any) 0.40% 0.90% 0.90%
Internal capital target 14.00% 16.00% 19.00%

26. Leverage ratio
Leverage ratio Pillar 1 requirement (LR):
26
𝐿𝑒𝑣𝑒𝑟𝑎𝑔𝑒 𝑟𝑎𝑡𝑖𝑜 =
𝑇𝑖𝑒𝑟 1 𝑐𝑎𝑝𝑖𝑡𝑎𝑙
𝑇𝑜𝑡𝑎𝑙 𝑙𝑒𝑣𝑒𝑟𝑎𝑔𝑒 𝑟𝑎𝑡𝑖𝑜 𝑒𝑥𝑝𝑜𝑠𝑢𝑟𝑒
≥ 3%
Total leverage ratio exposure includes assets and off-balance sheet items, irrespective of how
risky they are. I.e.: leverage ratio is not risk-based but serves as a simple backstop to risk-
weighted capital requirements.
[For banks with an elevated risk of leverage] Leverage ratio Pillar 2 requirement (P2R-LR) on
top of the Pillar 1 requirement (legally binding, determined as part of SREP):
Intended to capture contingent leverage risk originating from a bank extensively using off-
balance-sheet items, derivatives etc. as well as engaging in regulatory arbitrage and providing
step-in support.
[Bank-specific recommendation] Leverage ratio Pillar 2 guidance (P2G-LR) on top of the Pillar
2 requirement (not legally binding but reflects supervisory expectations, determined as part of
SREP):
Set for some banks, considering the depletion of the leverage ratio in the stress test.
Leverage ratio Pillar 2
Guidance (P2G-LR)
Leverage ratio Pillar 2
Requirement (P2R-LR)
Leverage ratio Pillar 1
Requirement (LR)

27. Liquidity Coverage Ratio (LCR) base requirement
27
𝐿𝐶𝑅 =
𝑆𝑡𝑜𝑐𝑘 𝑜𝑓 𝐻𝑖𝑔ℎ 𝑞𝑢𝑎𝑙𝑖𝑡𝑦 𝑙𝑖𝑞𝑢𝑖𝑑 𝑎𝑠𝑠𝑒𝑡𝑠 (𝐻𝑄𝐿𝐴)
𝑇𝑜𝑡𝑎𝑙 𝑛𝑒𝑡 𝑐𝑎𝑠ℎ 𝑜𝑢𝑡𝑓𝑙𝑜𝑤𝑠 𝑜𝑣𝑒𝑟 𝑡ℎ𝑒 𝑛𝑒𝑥𝑡 30 𝑐𝑎𝑙𝑒𝑛𝑑𝑎𝑟𝑑 𝑑𝑎𝑦𝑠
=
=
𝑆𝑡𝑜𝑐𝑘 𝑜𝑓 𝐻𝑖𝑔ℎ 𝑞𝑢𝑎𝑙𝑖𝑡𝑦 𝑙𝑖𝑞𝑢𝑖𝑑 𝑎𝑠𝑠𝑒𝑡𝑠 (𝐻𝑄𝐿𝐴)
𝐶𝑎𝑠ℎ 𝑂𝑢𝑡𝑓𝑙𝑜𝑤𝑠 (30 𝑑𝑎𝑦𝑠) − 𝐶𝑎𝑠ℎ 𝐼𝑛𝑓𝑙𝑜𝑤𝑠(30 𝑑𝑎𝑦𝑠)
≥ 100%
High-quality liquid assets (HQLA) are
cash and assets that can be easily and
immediately converted into cash
without significantly affecting their
market value, e.g.:
• Cash and balances with central
banks
• Highly-rated government bonds
Cash – Outflows, example: Cash – Inflows, example:
Outflow Outflow rate
(weight)
Outflow – Stable deposits 5%
Outflow – Less stable deposits 10%
Undrawn credit facilities 5%
Other contractual cash outflows 100%
Inflow Inflow rate
(weight)
Inflows from fully performing
exposures
50%
Other contractual cash inflows Varying rates
LCR aims to ensure that banks survive a period of significant liquidity stress lasting 30 calendar days. The LCR is not designed to
cover all tail events involving deposit outflows, such as bank runs; instead, it should ensure that banks can withstand a certain
liquidity stress scenario.

28. Net Stable Funding Ratio (NSFR) base requirement
28
𝑁𝑆𝐹𝑅 =
𝐴𝑣𝑎𝑖𝑙𝑎𝑏𝑙𝑒 𝑎𝑚𝑜𝑢𝑛𝑡 𝑜𝑓 𝑠𝑡𝑎𝑏𝑙𝑒 𝑓𝑢𝑛𝑑𝑖𝑛𝑔 (𝐴𝑆𝐹)
𝑅𝑒𝑞𝑢𝑖𝑟𝑒𝑑 𝑎𝑚𝑜𝑢𝑛𝑡 𝑜𝑓 𝑠𝑡𝑎𝑏𝑙𝑒 𝑓𝑢𝑛𝑑𝑖𝑛𝑔 (𝑅𝑆𝐹)
≥ 100%
NSFR seeks to ensure that banks maintain stable funding structure. It is the ratio of the available amount of stable funding to
the required amount of stable funding over the time horizon of one year.
NSFR, illustration based on simplified balance sheet:
Assets
Cash and balances with central
bank
Performing exposures
Illiquid assets, incl. non-
performing exposures
Category
Highly
liquid
Fairly
liquid
Illiquid
RSF weight
0%
50-85%
100%
Short term borrowing
Liabilities and Equity
Retail deposits
Long term borrowing &
Own funds
Category
Less
stable
Non stable
Stable
ASF weight
90-95%
0-50%
100%

29. Reporting frameworks
The EBA has developed two reporting
frameworks being:
• COmmon REPorting Standards
(COREP) that specify the capital
and liquidity information required,
applies to all credit institutions and
investment firms operating in the
EEA.
• FINancial REPorting Standards
(FINREP) that specify the financial
information required and apply to
all credit institutions that
consolidate their financial reports
based on IFRS.
29
COREP FINREP
• Liquidity Adequacy:
LCR and NSFR
• Capital Adequacy:
credit risk, market risk,
operational risk
• Leverage
• …
• Primary statements:
balance sheet, income
statement, comprehensive
income, cash flows, equity
• Disclosures of financial
assets and liabilities, off
balance sheet activities, ..
• Forbearance and non-
performance
• …

30. Regulatory processes:
ICAAP and ILAAP, and SREP
30

31. Internal Capital Adequacy Assessment Process (ICAAP) & Internal
Liquidity Assessment Process (ILAAP)
Regulatory aim: Making banks more resilient and avoiding adverse situations by encouraging banks
to reflect on their capital and liquidity risks in a structured way.
ICAAP/ILAAP principles as set out by the ECB:
Principle 1 – The management body is responsible for the sound governance of ICAAP/ILAAP.
Principle 2 – The ICAAP/ILAAP is an integral part of the overall management framework.
Principle 3 – The ICAAP/ILAAP contributes fundamentally to the continuity of the institution by ensuring
capital/liquidity adequacy from different perspectives.
Principle 4 – All material risks are identified and taken into account in ICAAP/ILAAP.
Principle 5 – The internal capital / liquidity buffers are of high quality and clearly defined; the stable sources of
funding are clearly defined.
Principle 6 – ICAAP/ILAAP risk quantification methodologies are adequate, consistent and independently
validated.
Principle 7 – Regular stress testing is aimed at ensuring capital/liquidity adequacy in adverse circumstances.
31

32. Two complementary pillars of ICAAP & ILAAP: the economic and the
normative perspective
32
• The economic perspective covers the full universe of risks that may have material impact to
capital and liquidity position. The perspective is not based on regulatory provisions; instead, it is
based on the economic value considerations and economic capital. The bank should remain
economically viable and follow its strategy.
• The normative perspective is a multi-year assessment of the institution’s ability to fulfil all of its
liquidity-related and capital-related (quantitative) regulatory and supervisory requirements and
demands, and to cope with other external financial constraints, on an ongoing basis.
• Economic and normative perspective should mutually inform each other:
• Projections under economic perspective are expected to feed into the projections under normative perspective.
• Conversely, outcomes of the normative perspective ought to inform economic perspective risk quantifications and
adjust or complement the later.

33. ICAAP example: capital requirements under normative internal
perspective
33
• In baseline scenario, both Pillar 1 and Pillar 2 requirements and guidance shall be met over the planning period. In adverse
scenario, total SREP capital requirement shall be met at all times. (See the figures below.)
• Projections of the future capital position under the normative perspective should be informed by the economic perspective
assessments: to which extent the risks identified and quantified under the economic perspective may impact own funds and
exposure amounts in future?
• The impact of upcoming changes in legal, regulatory and accounting frameworks is expected to be considered as well.

34. ICAAP example: Management considerations under economic
perspective
• Under the economic perspective, economic risks and losses affect internal capital immediately and to their full extent. (Think, for example:
interest rate changes affecting the net value of bank’s cash flows immediately.) Hence, the economic perspective gives a very
comprehensive view of risks.
• When a significant downward trend is identified in the economic capital position, actions to reverse the trend, and review strategy and risk
appetite are ought to be taken. When the bank falls below the internal capital adequacy threshold, it should take necessary measures to
restore and ensure capital adequacy over medium term (3 years).
34
* The graph should not be understood as a projection of point-in-time economic situation. It depicts the deterioration of economic capital levels that may occur over time
beyond normal business cycle developments.

35. ICAAP example: Quantification of internal capital requirement
35
t=0
Capital
ratio
Internal target
ICAAP minimum
Economic minimum
Internal
point-in-
time
economic
capital
requirement
Combined
buffer
requirem
ent
P2G
Pillar
1
requirement
P2R
t=1
t=0 t=2 t=3 t=4 t=5
Internal
minimum
required
capital
ratio
incl.
scenario
buffer
Manage
ment
buffer
SREP
add-on
Time
Projected actual capital
ratio, base scenario
Projected actual capital
ratio, adverse scenario
Goal-seek capital ratio
based on adverse scenario,
normative perspective
Goal-seek capital ratio
based on adverse scenario,
economic perspective
Goal-seek: At the lowest point of the adverse scenario,
projected capital ratio ‘touches’ certain threshold (internal
point-in-time requirement for the economic perspective, or
the SREP capital requirement for the normative perspective).
SREP add-on (the difference between the SREP capital
requirement and the internal point-in-time estimate) ought to
be minimized; this through improving risk management,
transparency and communication with the supervisors

36. Approval of ICAAP & ILAAP,
and updated liquidity &
funding and capital plans
ICAAP & ILAAP: Illustrative process timeline
36
• Led by Finance
• Led by Risk Management
• Approval needed from Risk Committee (Management Body)
Key modelling assumptions
(business volumes etc.) and
calculation inputs in Risk
Committee
• Revision of risk inventory
• Scenario development (base and
adverse)
• High level / top-down analysis
Time
Oct-31 Nov-30 Dec-31 Jan-31 Feb-28 Mar-31
• Gathering inputs from risk takers
• Defining modelling assumptions
• Updating ICAAP & ILAAP
methodologies
• Gathering 31.12 start
data
• Performing stress test
analyses
• Point-in-time economic capital
calculations & analyses
• Updating Risk Appetite
Framework (RAF)
• ICAAP & ILAAP
documentation
• Financial plan
(base scenario)
• Reviewing/Updating
capital, and liquidity &
funding plans based on
ICAAP & ILAAP outcomes
ICAAP & ILAAP
scenarios in Risk
Committee
ICAAP & ILAAP results in
Risk Committee
ICAAP & ILAAP
submission to the
supervisory authority

37. Supervisory Review and Evaluation Process – SREP
• SREP is the core element of the FSA
regularly assessing and measuring
risks for each bank.
• Thereby, FSA assesses the bank’s
business model, strategy, internal
governance and controls, risks to
capital and liquidity, and capital and
liquidity adequacy. This is done in
dialogue with the bank.
• SREP outcome: SREP score on scale 1-
4 (and F, if failing or likely to fail)
• In the SREP decision, FSA sets capital
and liquidity targets, and sets key
objectives and deadlines to address
the identified issues (if any).
37
1 2 3 4 F
Overall SREP Score
Business
model
analysis
score
Internal
governance
and controls
score
Capital
adequacy
score
Liquidity
adequacy
score
Scores for
material
risks to
capital
Scores for
liquidity and
funding risks
Viability
score
Risk
score

38. Regulatory processes:
Recovery planning
38

39. Recovery planning in the context of Bank Recovery and Resolution Directive (BRRD)
• Recovery plans are intended to ensure that banks are prepared to restore their viability in a timely manner
even in periods of severe financial stress.
• The bank (banking group) shall be able to demonstrate to the satisfaction of the competent authority that
the Recovery Plan is reasonably likely to be implemented without causing any adverse effect on the financial
system.
• Recovery planning is designed to be an ongoing process that does not end once the bank’s management
body has approved the plan.
• A bank (banking group) may apply for preparation of recovery plan in simplified form:
1) a reduction in the contents of the Recovery Plan
2) a reduction in the frequency for updating the Recovery Plan
39

40. Recovery planning: Recovery Plan
• Structure & key elements:
1. Summary of the key elements of the Recovery Plan and of overall recovery capacity (ORC), and material changes since the
most recently filed Recovery Plan
2. Governance, incl.:
a. Recovery Plan development, and policies and procedures governing approval of Recovery Plan
b. The Plan’s consistency with the general management and risk management
c. The conditions and procedures to ensure timely implementation of recovery options
d. Recovery Plan indicators on capital, liquidity, profitability and asset quality, and (as applicable) market-based and macroeconomic indicators
3. Strategic analysis, incl.:
a. The description of the entity or entities covered by the Recovery Plan, incl. business and risk strategy, critical functions and core business lines
b. Recovery options, incl. options to restore capital and liquidity, and measures to reduce risk and leverage
c. Actions, arrangements and measures under recovery options; impact & feasibility assessment of the recovery options; continuity of operations
when recovery options are implemented; scenario analysis to test the effectiveness of recovery options and the adequacy of the Recovery Plan
indicators
d. Assessment to the overall recovery capacity
4. Communication and disclosure plan, incl.:
a. Internal communication
b. External communication
c. Effective proposals for managing any potential negative market reactions
a. Preparatory measures to facilitate the implementation of the Recovery Plan or to improve its effectiveness
40

41. Recovery planning: Recovery indicators (example for a small and non-
complex bank)*
41
Category Indicator name Early warning threshold
(Corresponds to ‘risk tolerance’
level from RAF)
Threshold to trigger recovery
actions (Corresponds to ‘risk
capacity’ level from RAF)
Near-default threshold
(Corresponds to regulatory
requirement, if applicable)
1. Capital indicators CET1 ratio [To be calibrated] [To be calibrated] [To be calibrated]
Total Capital ratio [To be calibrated] [To be calibrated] [To be calibrated]
Leverage ratio [To be calibrated] [To be calibrated] [To be calibrated]
2. Liquidity indicators Liquidity position [To be calibrated] [To be calibrated] n/a
LSR [To be calibrated] [To be calibrated] [To be calibrated]
NSFR [To be calibrated] [To be calibrated] [To be calibrated]
3. Profitability
indicators
Return on equity [To be calibrated] N/A N/A
Significant operational loss [To be calibrated] N/A N/A
4. Asset quality
indicators
Default rate [To be calibrated] N/A N/A
Coverage ratio [provisions / total
non-performing loans]
[To be calibrated] N/A N/A
(Gross non-performing loans) /
total loans
[To be calibrated] N/A N/A
* Adjusted from the lists in Annex II of the EBA/GL/2021/11.

42. Recovery planning: Recovery options and ORC range (illustration)
42
Identification of credible and feasible
recovery options
• Capital raising
• Restructuring of liabilities
• Cost reductions
• Sale of assets / loan portfolios
• Liquidity improvement
recovery options (e.g.: use of
central bank facilities)
• Disposal recovery options
(e.g.: sale of business lines,
sale of subsidiaries)
• Various management actions
(e.g.: reduce lending, margin
increases, increasing fee
income)
Testing recovery options in a range
of scenarios of severe
macroeconomic and financial stress
Define scenarios:
1. Systemic scenario(s)
2. Idiosyncratic scenario(s)
3. Combined scenario(s)
Choose and adjust recovery
options for constraining factors
related to the simultaneous or
sequential implementation of
recovery options
Calculate ‘scenario-specific
recovery capacities’ expressed
in ‘relevant RP indicators’:
• CET1 (18 months)
• Total capital ratio (18 months)
• Leverage ratio (18 months)
• LCR (timeframe: 6 months)
• NSFR (timeframe: 6 months)
Determination of the Overall Recovery Capacity (ORC) range
Difference between the highest and lowest ‘scenario-specific recovery
capacity’ of relevant scenarios, this in terms of:
a) Capital including leverage (capital ORC), and
b) Liquidity (liquidity ORC)
Capital ORC determination, example
Liquidity ORC determination, example
Relevant scenario CET1 ratio TC ratio LR
Scenario 1 - Systemic +4.50% +5.00% +2.50%
Scenario 3 - Combined +3.60% +4.00% +1.80%
Capital OCR 360-450 bps 400-500 bps 180-250 bps
Relevant scenario LCR NSFR
Scenario 2 – Idiosyncratic +70% +6.00%
Scenario 3 – Combined +40% +3.50%
Liquidity OCR 40%-70% 3.50%-6.00%

43. Competent Authorities’ Assessment of Recovery Plan and the ORC score
43
Assessment of the
‘scenario-specific
recovery capacity’
• Are scenarios severe enough?
• Are the selected recovery options credible and feasible, including the
timeframe, the impacts and any constraining factors?
Assessment of the
ORC – ‘adjusted ORC’
• Is the ORC calculated by the bank as the range between the lowest and the
highest ‘scenario-specific recovery capacity’ both in terms of capital (including
leverage) and liquidity ‘relevant RP indicators’?
• Overall quantitative and qualitative assessment of the ORC & determining the
‘adjusted ORC’ both in terms of capital and liquidity
• ‘Adjusted ORC’ <= ORC determined by the institution
Assigning ORC score
• Indicative ORC score, given the ‘adjusted ORC’ & considering the ‘relevant RP
indicators’: ‘satisfactory’, ‘adequate with potential room for improvement’ or
‘weak’
• Plus qualitative considerations, not already reflected in the ‘adjusted ORC’
(e.g.: difference between the institution’s ORC and the ‘adjusted ORC’)
• Lead to final ORC score: ‘satisfactory’, ‘adequate with potential room for
improvement’ or ‘weak’
Assessment criteria:
• Completeness of the Plan
• Quality of the Plan
• Level of integration and consistency of the Plan
with the general corporate governance,
internal processes and risk management
framework
• Sufficient number of plausible and viable
recovery options
• Overall Recovery Capacity (ORC) of the
institution ↓ →
ORC
score
Satisfactory
Adequate
Weak

44. Connecting BAU mode, continuity plans, ICAAP & ILAAP, and RP
• Business continuity plans, ICAAP & ILAAP, capital and liquidity contingency plans,
and Recovery Plan are parts of the same risk management continuum:
• Business continuity plans, ICAAP & ILAAP, and capital and liquidity contingency
plans are aimed at maintaining continuity of the bank.
• Recovery plans set out measures (incl. extraordinary measures) to restore its
financial position following a significant deterioration.
• Calibration of the indicators for continuity/contingency plans and the Recovery Plan
should be consistent with each other, and with the overall Risk Appetite Framework:
• Recovery Plan indicators present a subset of all indicators in Risk Appetite
Framework
• Recovery Plan capital/liquidity indicators should be integrated into the
ICAAP/ILAAP
• In Business as Usual (BAU) mode, Overall Recovery Capacity (ORC) is generally
expected to be improved over time.
44
Business As Usual Some stress
High stress / Business
continuity situation
Focus of continuity plans
and ICAAP & ILAAP
Emergency / Financial
Recovery situation
Focus of Recovery Plan
Recovery Plan
indicators
Risk indicators in Risk
Appetite Framework
Risk indicators to
trigger business
continuity, and capital
and liquidity
contingency plans

45. Recovery planning: Further thoughts
• Recovery planning can be an interesting and beneficial thought experiment, especially for more complex
institutions. It basically means breaking the monolith into pieces (entities, business lines etc.), identifying
critical functions and core business lines, and then putting the pieces back together while leaving only what
is important.
• Recovery planning has implications to the organization set-up. A resilient set-up ought to be such that in
the financial recovery situation, disposal of less significant business lines and subsidiaries can be considered
as a feasible recovery option.
• List of recovery options is like a menu to choose from when things get tough.
45

46. Regulatory processes: Stress testing and
stress testing programs
46

47. Stress testing
• Stress testing is a central risk
management tool to take forward-
looking view in risk management,
strategy planning, capital planning
and liquidity planning.
• Stress testing program includes:
• Sensitivity analyses
• Scenario analyses
• Reverse stress testing
• Stress testing may be performed
top-down and bottom-up.
47
Stress
testing
Data infra-
structure
Risk
appetite
Strategic
planning &
budgeting
Capital
planning &
ICAAP
Liquidity
planning &
ILAAP
Recovery
planning

48. Stress testing program: Minimum set (example for a small and non-
complex bank)
48
Analysis type Description Why? Coverage Frequency (unless higher frequency is
requested by the management body
and/or there are significant new
developments)
Sensitivity
analyses
Sensitivities to various risk factors To identify material risks As appropriate As needed
Sensitivities of ECLs and IFRS9
impairment provisions to various inputs
IFRS9 disclosures Credit risk in the banking book Once a year
Sensitivities to various interest rate
scenarios
Risk reporting and risk
management disclosures
Interest rate risk in the banking book Quarterly
Scenario analyses Base scenario, upside scenario and
downside scenario for credit losses
IFRS9 expected credit loss
modelling
Credit risk in the banking book Scenario development: once a year
ECL calculations: once a month
Solvency stress test based on unlikely
but possible adverse economic scenario
covering at least 3 years
ICAAP All material risks to capital;
banking group and connected
entities
Full process: once a year; quarterly
updates to the management body
Liquidity stress test based on unlikely but
possible liquidity risk scenario that
includes market-wide and idiosyncratic
schock(s)
ILAAP All material risks to liquidity and
funding;
banking group and connected
entities
Full process: once a year; quarterly
updates to the management body
Reverse stress
testing
Identification of ‘near-default’ / close to
failure scenario(s); stress testing based
on the identified scenario(s)
Recovery planning;
Assessing the severity of the
ICAAP and ILAAP scenarios
All material risks;
banking group and connected
entities
Once a year (unless a lower frequency is
agreed with the FSA)

49. Stress testing program: Elements
• Types of stress testing and their main objectives and applications
• The frequency of the different stress testing exercises
• The internal governance arrangements: lines of responsibility and procedures
• Coverage: entities, risk types and portfolios included
• Relevant data infrastructure
• Methodology and models
• Assumptions, incl. business and managerial
49

50. Inserting risk management considerations
into credit pricing
50

51. Guidelines from European Banking Authority (Chapter 6 of
EBA/GL/2020/06)
• Pricing frameworks should reflect credit risk appetite and business strategy, including profitability and risk perspective.
Loan pricing should also be linked to the characteristics of the loan product and consider competition and prevailing
market conditions. Institutions should also define their approach to pricing by borrower type and credit quality, and
riskiness of the borrower. […]
• According to the guidelines, costs to be reflected in loan pricing should include the following:
• The cost of capital (both regulatory and economic capital)
• The cost of funding which should match the key features of the loan, e.g. the expected duration of the loan
• Operating and administrative costs resulting from cost allocation
• Credit risk cost
• Any other real costs associated with the loan in question
• Competition and prevailing market conditions, in particular lending segments and for particular loan products
• For the purposes of pricing and measuring of profitability, risk-adjusted profitability measures such as economic value
added (EVA), return on risk-adjusted capital (RORAC) and risk-adjusted, return on capital (RAROC), return on risk-weighted
assets (RORWA) and other relevant measures should be considered.
• There should be ex ante transaction tools as well as tools for regular ex post monitoring in place.
51

52. Components of effective interest rate* in risk-based loan offer
generation (example)
52
Derived based on the projected
loan cash flows, given borrower-
and transaction specific credit risk
parameters as inputs
Cost of own funds
Cost of deposits and
other liabilities
Allocated operating and
administrative costs, and
other real costs
Expected credit losses
Economic profit margin
Targeted internal rate of
return in the calculation of
cost-based credit price
Ceiling to the cost of credit for
the borrower (as applicable,
given e.g. the responsible
lending considerations)
Space for pricing
optimization, given prevailing
market conditions
Offered credit price
(effective interest rate)
Cost-based credit price
(incl. opportunity cost
reflected in the
shareholders’ expected
returns)
* The term ‘effective interest rate’ is used to reflect different pricing structures, i.e.: different possible splits between the loan interest rate, loan contract fee and
other fees charged in connection with the loan.
Links between credit pricing, and ICAAP, ILAAP
and SREP:
• Cost of own funds depends on the
amount/proportion of capital that is required
to cover for the risks to capital, as estimated
in the course of ICAAP and SREP.
• Weighted average cost of capital (WACC),
incl. cost of own funds, cost of deposits and
cost of other liabilities, should reflect cash
drag, i.e.: the proportion of funds that cannot
be lent out but has the be kept in high-quality
liquid assets (HQLA) with (normally) very low
or non-existent returns. Required proportion
of HQLA is an output of the ILAAP and SREP.
Further, the required composition of liabilities
and thus, the cost of liabilities, also depend
on the outcomes of ILAAP and SREP.

53. Appendices
53

54. Abbreviations
AI – Artificial Intelligence
AML/CFT – Anti-money Laundering and Counter-
terrorism Financing
ASF – Available Stable Funding
AT1 – Additional Tier 1 capital
BAU – Business as Usual
BRRD – Bank Recovery and Resolution Directive
(Directive 2014/59/EU)
bps – basis points
CAS – Capital Adequacy Statement
CEO – Chief Executive Officer
CET1 – Common Equity Tier 1 capital
CFO – Chief Financial Officer
COREP – COmmon REPorting Standard
CRD – Capital Requirements Directive (Directive
2013/36/EU)
CRR – Capital Requirements Regulation
(Regulation (EU) No 575/2013)
CRO – Chief Risk Officer
EBA – European Banking Authority
ECB – European Central Bank
ECL – Expected Credit Loss (under IFRS9
framework)
EEA – European Economic Area
EL – Expected Loss
ESG – Environmental, Social and Governance
EVA – Economic Value Added
FINREAP – FINancial REPorting Standards
FSA – Financial Supervisory Authority
HQLA – High Quality Liquid Assets
ICAAP – Internal Capital Adequacy Process
ICT – Information and communication
technology
IFRS – International Financial Reporting Standard
ILAAP – Internal Liquidity Assessment Process
IRRBB – Interest Rate Risk in the Banking Book
LAS – Liquidity Adequacy Statement
LCR – Liquidity Coverage Ratio
LR – Leverage Ratio
MDA – Maximum Distributable Amount
ML/TF – Money Laundering / Terrorism Financing
N/A – Not Applicable
NCA – National Competent Authority
NPAP – New Product Approval Policy and Process
NSFR – Net Stable Funding Ratio
ORC – Overall Recovery Capacity
P2G – Pillar 2 guidance
P2R – Pillar 2 requirement
P2G-LR – Pillar 2 leverage ratio guidance
P2R-LR – Pillar 2 leverage ratio requirement
RMF – Risk Management Function
RAF – Risk Appetite Framework
RAROC – Risk-adjusted Return on Capital
RORAC – Return on Risk-adjusted Capital
RORWA – Return on Risk-weighted Assets
RP – Recovery Plan
RSF – Required Stable Funding
RTS – Regulatory Technical Standards
RWA – Risk-weighted Assets
SREP – Supervisory Review and Evaluation Process
T2 – Tier 2 capital
TC – Total Capital
TREA – Total Risk Exposure Amount
TSLRR – Total SREP Leverage Ratio Requirement
UL – Unexpected Loss
WACC – Weighted Average Cost of Capital
54

55. Links and references
• EBA Interactive Single Rulebook (BRRD, CRD, CRR, …): https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook
• EBA Guidelines on internal governance under CRD: https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-
internal-governance
• Risk Appetite Framework:
• Principles for An Effective Risk Appetite Framework by Financial Stability Board: https://www.fsb.org/wp-content/uploads/r_131118.pdf
• Speech by Danièle Nouy, Chair of the Supervisory Board of the ECB, International Conference on Banks’ Risk Appetite Frameworks, Ljubljana, 10 April 2018:
https://www.bankingsupervision.europa.eu/press/speeches/date/2018/html/ssm.sp180410.en.html
• Resources on ICAAP, ILAAP and SREP:
• ECB guidelines to ICAAP and ILAAP: https://www.bankingsupervision.europa.eu/press/publications/newsletter/2019/html/ssm.nl190213_3.en.html
• Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing under
Directive 2013/36/EU (EBA/GL/2022/03): https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/supervisory-review-and-evaluation-
process-srep-4
• Resources for recovery planning (in addition to BRRD):
• EBA Guidelines on the overall recovery capacity in recovery planning: https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/recovery-
resolution-and-dgs/guidelines-overall?version=2023#activity-versions
• Regulatory Technical Standards on the content of recovery plans: https://eur-lex.europa.eu/legal-
content/EN/TXT/?qid=1468424758476&uri=CELEX%3A32016R1075
• EBA Guidelines on recovery plans indicators (EBA/GL/2021/11): https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/recovery-
resolution-and-dgs/guidelines-recovery
• EBA/GL/2014/06 on the range of scenarios to be used in recovery plans: https://www.eba.europa.eu/documents/10180/760136/05cc62a3-661c-4eee-
ad07-d051f3eeda07/EBA-GL-2014-06%20Guidelines%20on%20Recovery%20Plan%20Scenarios.pdf
• ECB webpage on recovery plans: https://www.bankingsupervision.europa.eu/banking/tasks/recoveryplans/html/index.en.html
• EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06): https://www.eba.europa.eu/legacy/regulation-and-policy/regulatory-activities/credit-
risk/guidelines-loan-origination-and
55