Risk Governance Framework and Capital Management Framework
The Group's Risk Governance Framework (RGF) and Capital Management Framework rest on five pillars: a) effective Board oversight, b) sound risk management strategy, c) dynamic capital management process, d) risk and capital monitoring and escalation, and e) review and validation. The Group's risk management strategy and capital management systems respond to internal and external signals. Internal signals are manifested in its corporate Mission & Vision, which animate a set of strategies that aim to fulfill such vision while taking into account external indicators mostly involving current market movements and projections. Always, the RGF and Capital Management Framework see through bi-focal lenses - growth/business-as-usual scenario, and stress. With the foregoing as backdrop, business targets are determined along with the risks and the necessary capital, bearing in mind minimum capital adequacy regulations and internal triggers. In an ideal scenario, the process should lead to maximization of capital via robust capital allocation among the business units, and with performance assessed via risk-adjusted measures. The Group is committed to working towards this goal. The Frameworks and corresponding sub-processes are all subject to review and validation, a role largely driven by the Internal Audit Group. Finally, each facet of the Frameworks is monitored and reported to the designated oversight bodies.
Risk Governance Framework
The Risk Governance Framework of the Group follows a top-down approach, whereby the Board of Directors (BOD) takes ultimate accountability for: the risks taken, setting the tolerance level for these risks, business strategies, operating budget, policies, and overall risk philosophy. In the interest of promoting efficient corporate governance, the BOD constitutes committees to perform oversight responsibilities. These committees perform oversight functions in the area of risk policy formulation, decision-making, and risk portfolio management.
Board of Directors
The BOD ensures that the Group‘s corporate objectives are supported by a sound risk strategy and an effective risk governance framework that is appropriate to the nature, scale, and complexity of its activities. The BOD provides effective oversight of senior management‘s actions to ensure consistency with the risk strategy and policies, including the risk appetite framework. The BOD:
- Sets policies, strategies and objectives and oversees the executive function
- Sets the risk appetite and ensures that it is reflected in the business strategy and cascaded throughout the organization
- Establishes and oversees an effective risk governance and organizational structure
The Risk Oversight Committee
The ROC supports the BOD with respect to oversight and management of risk exposures of the RCBC parent bank and subsidiaries (the Group). In this regard, the ROC exercises authority over all other risk committees of the Group, with the principal purpose of assisting the BOD in fulfilling its risk oversight responsibilities. The ROC oversees:
- The risk governance framework
- Adherence to risk appetite
- The risk management function
- Capital planning and management
- Recovery plans
The Risk Management Groups
Supporting the ROC in carrying out its mandate are the Risk Management Group (RMG), and the Credit Management Group (CMG), headed by the Chief Risk Officer (CRO) and the Chief Credit Officer, respectively.
Administratively and functionally, enterprise risk management follows the ―centralized risk monitoring – decentralized risk management approach. The risk units in the subsidiaries implement the risk management process individually, and report to their respective risk committees.
The Parent Bank‘s risk management groups implement the risk management process in the parent and consolidate the risk MIS from the various subsidiary risk units for a unified risk profile that is presented to the ROC.
The risk management groups are responsible for overseeing the risk-taking activities across the Group, as well as in evaluating whether these remain consistent with the Bank‘s risk appetite and strategic direction. It shall ensure that the Risk Governance Framework remains appropriate relative to the complexity of the Bank‘s risk-taking activities. The risk management groups shall be responsible for identifying, measuring, monitoring, and reporting risk on an enterprise-wide basis. It shall directly report to the ROC. Personnel in the risk management groups should collectively have knowledge and technical skills commensurate with the Bank‘s business activities and risk exposures.
The Risk Management Group (RMG)
The following are the major risk management divisions and departments under RMG:
Enterprise Risk Division: The Enterprise Risk Division (ERD) is responsible for the Internal Capital Adequacy Assessment Process (ICAAP), Basel compliance, credit risk analytics, and the credit portfolio risk function. A quantitative risk unit is responsible for quantitative analysis, back-testing and validation of risk models, and the building of other risk metrics.
Portfolio Quality Division: The Portfolio Quality Division (PQD) was created to conduct an independent credit review and ensure compliance with the requirements of BSP Circular 855 on credit review process. PQD contributes to Risk Portfolio Management as governed by the ROC through the assessment of the overall portfolio quality of the Bank in terms of credit risk mitigation, environmental and social impact, and adherence to environmental and social risk due diligence. The Independent Credit Review function covers an evaluation of credit review procedures, policy formulation, and action plan monitoring. Observations are reported periodically to the ROC, following discussions with accountable groups in line with the requirements of BSP Circular 855. The functions pertaining to Sustainable Finance and ESMS provide oversight on the implementation of RCBC‘s Sustainable Finance Framework and ESMS policy, in support of the Bank‘s commitment to uphold social and environmental responsibility in all its business activities. Environmental and social risk and sustainable finance related updates are regularly reported to the ROC.
Market and Liquidity Risk Management Division: The Market and Liquidity Risk Management Division (MLRMD) is primarily tasked with the development and implementation of market and liquidity risk policies and measurement methodologies, recommending and monitoring compliance to risk limits, and reporting the same to the appropriate bodies. It is also the primary unit in the Group responsible for the formal management of interest rate risk in the banking book (IRRBB). It regularly reports to the ROC and the Asset & Liability Committee (ALCO) activities relevant to market, liquidity, and interest rate risk in the banking book management of the Group.
Operational Risk Management Department; The Operational Risk Management Department (ORMD) was created to ensure that operational risks are managed at an enterprise level, the systems and processes used to manage these risks are effectively implemented, and that management of these risks is embedded in the Group‘s processes. ORMD is tasked to ensure implementation of the Operational Risk Management (ORM) Framework across the Group; and to develop an appropriate operational risk management environment where operational risks are identified, assessed, reported, monitored, and controlled/mitigated. It is also expected to identify and recommend mitigants for emerging risk types, and to promote and maintain quality operational risk programs and infrastructure. ORMD is also responsible for ensuring the Bank‘s capability to plan and respond to incidents and business disruptions and enable the continuity of key business operations at predefined acceptable levels. The department also provides the processes and methodologies designed to protect the clients by implementation of the Consumer Protection Program.
To facilitate implementation of ORM tools in the various business lines of both the parent bank and its subsidiaries, various officers are deputized and serve as embedded Deputy Operational Risk Officers (DORO) and Consumer Assistance Officers (CAO). A DORO or CAO functions as ORMD‘s liaison to and implementation arm in the various business units for Operational Risk and Consumer Protection, respectively.
Enterprise Fraud Risk Department: The Enterprise Fraud Risk Department (EFRD) is tasked to ensure proper observance of the fraud management program (i.e., prevention, detection, investigation and escalation, containment and recovery, analysis and recommendation), and provide a high-level Enterprise-wide Fraud Risk Management Framework and its corresponding policies and standards. This serves as the basis upon which the Business, Operations and Support units will develop their own specific procedures and guidelines that will operationalize the controls to mitigate fraud risks that are inherent in their day-to-day activities. EFRD also conducts periodic analysis of all fraud incidents and losses, creates rules/parameters for monitoring, investigates fraud cases, and determines current and emerging fraud risk trends which are reported to the BOD, through the ROC, and to the Management, thereby assisting them to make well-informed fraud risk management decisions.
Information Security Governance Department: The Information Security Governance Department (ISGD) deals with all aspects of information whether spoken, written, printed, electronic, or relegated to any other medium regardless of whether it is being created, viewed, transported, stored, or destroyed. This covers all business units, branches/offices, and subsidiaries, both domestic and overseas, third party institutions, and individuals.
The ISGD is tasked to ensure compliance with regulatory requirements set forth by the regulating bodies and laws in the areas of information security and electronic banking services. The department monitors and ensures that policies, procedures, and standards in managing information security and technology risk are observed across the Group. It also oversees and is part of the process for detecting, analyzing, and responding to any information security incident. ISGD also keeps the senior management and BOD apprised on information security risks. ISGD executes an Information Security Strategic Plan (ISSP) and Information Security Program (ISPr) aligned with the business objectives of the Group. The department also establishes governance specific policies, standards, and procedures for information security risk management, conducts trainings and issues advisories to increase information security awareness, and performs the Information Security Risk Assessment (ISRA) and Information Security Annual Certification (ISAC) for the whole RCBC Group to manage, identify, and address information security risks.
ISGD executes an Information Security Strategic Plan (ISSP) and Information Security Program (ISPr) aligned with the business objectives of the Group. The department also establishes governance-specific policies, standards, and procedures for information security risk management, conducts trainings and issues advisories to increase information security awareness, and performs the Information Security Risk Assessment (ISRA) and Information Security Annual Certification (ISAC) for the whole Group to manage, identify, and address information security risks.
The Credit Management Group (CMG)
The Credit Management Group (CMG) focuses on the operational and front-end aspect of the credit cycle.
Major responsibilities of CMG include:
- Provides inputs on the credit quality of accounts to ascertain that all credit issues are disclosed and discussed thoroughly, so that approving authorities can render decisions based on adequate information
- Prepares financial analysis and spreadsheets to provide input for credit risk assessment and credit packaging; issues and reviews credit risk ratings
- Strengthens loan portfolio quality; guides business units and determines which accounts are weak or are potential problem loans
- Subjects the portfolio to stress testing to determine the potential effect on the loan portfolio of possible stress scenarios, in order to assist management in formulating contingency plans for the portion of the portfolio that is vulnerable
- Provides property valuation to ensure adequate collateral security as a second way out of the bank's lending activities
- Formulate and amends credit policies through benchmarking, industry research, keeping updated with regulatory requirements and international risk standards, and ensuring compliance with all BSP requirements
- Reviews policies formulated by various business units/groups within the Bank, and of subsidiaries such as RSB and Bankard to ensure that their policies are generally aligned with the parent bank‘s policies
- Reviews/revises annually credit concentration limits such as industry, country and counterparty limits for CBG and Treasury by consulting the Corporate Planning Group, CBG, and Treasury on business requirements and risks
- Prepares various regulatory and management reports to provide the needed inputs for audited financial reporting, compliance with regulatory requirements, and as a tool for managing the loan portfolio and for credit decision-making
Capital Management Framework
The Capital Management Framework of the Group incorporates the planning process, the Capital Plan, and the continuing review and reporting of results.
Strategic and Business Planning
In the Strategic and Business Planning Process of the UniBank, the overall risk appetite is developed as part of the business plans.
The process involves the development of strategic and business objectives, anchored on the Mission & Vision, as interpreted and articulated by Senior Management. This is an iterative process involving both internal and external analyses and risk assessment.
The planning process then results in a business plan, the annual budget, medium-term forecast/projections, which all incorporate identified risks. It includes a regular review of the business plan (monthly, quarterly) based on key performance indicators.
The other component of the Framework is the development of the Capital Plan that incorporates the current business plan and additional projections and stress testing.
This component highlights the use of medium to long-term forecasts and stress scenarios in the management of capital. The results of the forecasts are always reviewed against the internal minimum capital ratios, inclusive of Pillar 2 charges, and the regulatory minimum.
More details on the Group’s RGF and Capital Management Framework can be found in the published Annual and Sustainability Report (https://www.rcbc.com/annual-reports).