Risk Management
Objective
To protect and promote the financial integrity and efficiency of the State-based financial institutions system and to ensure that depositors are adequately protected from the risks that building societies incur in the process of financial intermediation. Towards this end, to ensure that societies are aware of the risks to which they are exposed, and that these risks are adequately measured, monitored and managed.
General Background
Pooling and managing risks for both borrowers and lenders is an important element of financial intermediation. Careful management of these risks is fundamental to the successful operation of any financial institution. As noted earlier, the primary responsibility for risk management rests firmly with the management of each society; the role of the supervisory authorities is limited to protecting the interests of depositors. Depositor protection, in turn, is enhanced by ensuring that societies approach risk management in a consistent manner and that they maintain a sufficient cushion of capital to afford depositors maximum confidence in the security of their deposits.
In assessing the appropriate level of capital, SSAs will require detailed information about the risk management procedures and practices of building societies. Inadequate management practices in this area will meet with additional requirements in terms of capital or, in certain cases, with additional requirements with respect to the holding of liquid assets.
While there will be no set formula relating the need for additional capital to particular deficiencies in risk management, SSAs will look for adequate procedures for identifying and measuring risk, adequate procedures for monitoring risks, and appropriate techniques for managing risks.
Additional capital will also be required of societies in direct proportion to their overall risk rating when these ratings imply risk in excess of industry norms. SSAs will advise building societies as to their risk ratings and capital requirements.
In a number of cases, the Prudential Standards require a society to consult with its SSA before particular transactions or activities can be undertaken. Consultation in this context will focus on the society's ability and systems to manage their risks prudently; the emphasis will be on processes rather than on the quality or otherwise of the decisions involved. Such consultation should not be taken to imply that the SSA in any sense sanctions or approves the particular activity. Decisions about the appropriate balance sheet structure for a particular society are its own responsibility. The SSA's role is to ensure that risk analyses are adequate and that each society's capital base is consistent with the risks that it undertakes.
Notwithstanding this responsibility, each building society must, prior to the assumption of any major new risks (for example, borrowing in foreign currency or moving into a new area of lending) first satisfy its SSA that it has:
(a) met all current prudential standards;
(b) the expertise and systems in place to manage the new risks involved; and
(c) sufficient capital in place to meet any additional requirements imposed by the authorities - this may include additional capital requirements if the proposed lending activities alter the assessed risk rating of the society as a whole.
Limited exemptions from this requirement may be granted under the transitional arrangements outlined earlier.
Specific Risks
Building societies face a number of different types of risk in conducting their businesses.
(i) Liquidity Risk - Prime Liquid Assets (PLA) Requirement
Liquidity risk arises from the tendency for a society's deposit base to be more readily liquidated than its assets. This is partly a consequence of the longer maturity of loans relative to deposits. It is also a consequence of the fact that loans which are not in arrears are not normally callable, whereas term deposits are often callable, albeit at a penalty. Despite this asymmetry in balance sheet liquidity, the capacity to meet promptly all obligations as they fall due is fundamental to financial intermediation.
The prudential standards require societies to hold a minimum level of 7 per cent of their total liabilities (excluding capital) in the form of highly-liquid, high-quality assets. This PLA ratio is to be met at all times. In day-to-day operations, however, these assets are not available to meet the ebb and flow of funds. They are intended only to provide a cushion of liquefiable funds, available in times of extreme pressure on liquidity, and then, only with the explicit approval of the SSAs.
(ii) Operational Liquidity Risk
While PLA provides a stock of high quality assets, each society must manage its cash flows without reliance on PLA. It is the responsibility of the board to assess its society's liquidity needs and determine the amount and composition of additional liquid assets required to cover day-to-day fluctuations in its operating liquidity arising from:
· withdrawals of deposits;
· increases in demands for loans, including increased drawdown of overdraft facilities;
· drawdown of credit card facilities;
· maturity mismatch of assets and liabilities; and
· unexpected operating expenses.
Each society is expected to have in place an appropriate management information system to allow monitoring and management of liquidity risk. Each society is also required to demonstrate an understanding of its deposit base (including strengths, limitations and historic volatility), the maturity mismatch between assets and liabilities and any risks arising from off-balance sheet activities. While cash flow projections, incorporating all significant cash flows and management of forward loan commitments, should form part of any liquidity management system, the sophistication of these systems will depend on the society's activities.
A society can pursue a range of strategies to manage liquidity risk including:
· holding adequate cash and readily liquefiable assets in addition to PLA;
· maintaining stand-by and overdraft facilities with banks, SSPs or other counterparties acceptable to AFIC;
· developing and maintaining a stable core of deposits;
· matching maturity structures of assets and liabilities, securitising assets and sourcing long-term funding; and
· developing sophisticated cash flow projections including improving asset and liability management.
In relation to the first point, each society is expected to hold 2 per cent of total liabilities (excluding capital) in one or more of the following: excess PLA, cash, funds securing settlement accounts and liquidity deposits with SSPs.
In determining liquidity needs, a society's board should aim at maintaining access to funds for the purpose of meeting operational demands at 6 per cent of total liabilities (less capital). Access to funds may be through off-balance sheet facilities and generally, each society is expected to look beyond its immediate deposit base to alternative sources of liquidity. These alternative sources include stand-by lines of credit or overdraft facilities with other financial institutions, including SSPs. Evidence that these arrangements have been firmly established and are available for immediate use will be required by SSAs.
To ensure that each SSA is aware of any weakening of a society's liquidity position, each society must advise its SSA if on-balance sheet liquid assets held to meet operating requirements fall below 2 per cent of total liabilities (excluding capital). Deviations below this liquidity trigger may occur from time to time and are not necessarily a source of concern.
Liquidity risk is also associated with large exposures to a single source of funds. Each society must include in its approach to liquidity management, a policy in respect of large liquidity exposures. Further, each society must report exposures in excess of 5 per cent of the society's total liabilities and, before a society accepts an exposure in excess of 10 per cent of total liabilities, it must consult with its SSA.
In reviewing a society's approach to liquidity management, the SSA may consider that the large liability exposure, or exposures in aggregate, create the potential risk for a society's liquidity to be strained or may consider that systems are otherwise inadequate. Under these circumstances, the SSA may require the society to hold higher levels of PLA or operational liquidity, report more frequently, or impose other requirements.
(iii) Market Risk
Market risk arises from the fluctuations that occur in the market values of assets and liabilities in the normal course of business. The primary source of such fluctuations is movements in interest rates. When interest rates change, the market values of loans, securities and deposits change to different extents. Whenever the interest rates paid on a financial institution's liabilities do not adjust in line with the rates earned on assets, the institution is exposed to market risk. The net effect of these valuation changes alters the institution's earnings and its net worth.
Financial innovations have provided building societies with a range of techniques for managing this risk. To the extent that deposits and loans are matched, either as variable interest instruments or, in the case of fixed-interest loans and deposits, by duration, the risk may be relatively small. Where a society's book is not naturally matched in the above sense or not readily adjustable, the market provides instruments for managing the mismatch, while still meeting customer preferences on the terms of loans and deposits. Interest rate futures, options and swaps are now widely used in the finance industry to manage market risk. Sections 120 and 121 of the FI Code outline the scope for societies to trade in these instruments for the purpose of managing market risk.
SSAs will seek detailed information about each society's methods for measuring and monitoring market exposures. In particular, where assets do not satisfy either the primary objects or the liquid asset tests, SSAs will look for evidence that societies are employing appropriate risk management techniques, including regular market value assessments and appropriate provisioning for risks (see Prudential Note 3.3 on Accounting and Disclosure).
Where a society proposes to engage in the raising of funds denominated in foreign currency, its SSA will require, in advance, details of the proposed methodology for hedging the exposure.
(iv) Credit Risk
A primary source of risk for any financial institution is the risk of default. Undue concentration of loans can expose a society to excessive credit risk. Sensible diversification of a society's loan book by geographical area, type of borrower and to some extent by type of loan can reduce the risk of the overall loan portfolio.
SSAs will seek detailed information about each society's practices with respect to credit scoring, loan monitoring and the overall assessment of credit risk. Societies should be able to demonstrate an understanding of the inter-relationships between the various credit risks they are carrying. SSAs will pay special attention to credit risk policies relating to assets which lie outside the definitions of primary objects and liquid assets.
In particular, societies inevitably carry a substantial fixed asset exposure to property through their branch network systems. In the normal course of business this exposure should not exceed the size of the society's capital base. Exposure beyond this level will require prior consultation with its SSA.
A particular source of credit risk is large credit exposures to single borrowers. Large exposures can accumulate indirectly through lending to associated borrowers even though the exposure to any one member of the group may appear reasonable. While "associate" has been defined under Part 4 of the FI Code, the existence of these relationships may not represent any aggregation of risk (for example, where loans to associated family members are separately collateralised). It is recognised that a number of these relationships cannot be identified from data collected in the normal course of opening and operating accounts. Therefore, building societies will not be expected to monitor large exposures to groups of associated family members who have independent retail relationships with the building society. In the case of commercial lending, borrowers will be assumed to be associated where they collectively control the source of credit risk to the society.
Each society will be required to provide its SSA with a copy of its policy in respect of large exposures and to report exposures to individual borrowers or groups of associated borrowers in excess of 5 per cent of the society's capital base. These exposures are to be measured in terms of exposures to the consolidated group where relevant. Exposures beyond 10 per cent of a society's capital base will require prior consultation with its SSA. Certain exemptions may be permitted with respect to lending within primary objects. Further exemptions and general approvals may be granted by SSAs in the light of experience.
(v) Data Risk
A risk to any building society relates to the security and integrity of its data bases, both automated and non-automated. Detailed records of all financial transactions and balance sheet data should be kept in more than one location. Where records are computerised, back-up and storage procedures should be documented by the society and audited, as should procedures for preventing data corruption. Adequate disaster recovery procedures should be in place.
A particular risk to a society's data exists due to the potential for damage to or misuse of date-related data, caused by the use of computer programs or code that fail to calculate correctly or record dates after a particular date. This is commonly referred to as the "Year 2000 problem" because many computer and other electronic systems cannot deal with dates after 31 December 1999. However, the problem is not confined to the year 2000 and could arise through a range of other critical dates that might be embedded in computer systems. For convenience, AFIC is referring to this matter as the "Year 2000 problem".
To ensure the security and integrity of a society's data, the Directors of a society should ensure that a full review and assessment of the risks associated with the Year 2000 problem is undertaken. Those systems affected that are critical to using or storing the society's data must be corrected. Directors must:
- ensure that appropriate tests are carried out to ascertain that any critical computerised systems using or storing the society's data are not affected by the Year 2000 problem; and
- obtain sufficient assurance that the society's systems and dates will not be significantly affected by inaccurate data or failure of services by its suppliers.
It may not be possible for every internal and external system to be corrected in the short time available before the year 2000, or any other critical date, arrives. Therefore, in anticipation of possible failures, each society must have a comprehensive written statement dealing with the risks and events that may arise due to either the society or an external service provider suffering disruptions that may, in turn, disrupt the society's normal business operations. These policies and procedures should form part of a society's Disaster Recovery Plan in respect of managing both data risk and operations risk.
(vi) Operations Risk
Building societies carry a range of operations risk in carrying out their day-to-day business. Many of these risks are insurable, others are not. Of particular importance in the latter category are societies' administrative systems and the consequences of breaches of legislation. In smaller societies, overdependence on a small number of key personnel can constitute a substantial risk to their operations. Other risks arise from litigation associated with a wide variety of possible events and actions, including discrimination, negligent advice and invasion of privacy. Whether or not these risks are insured or even insurable, societies must demonstrate an understanding of the risks involved and the capacity to measure, monitor and control them.
A particular risk to a society's operations exists due to the Year 2000 problem. Societies are faced with the potential for impairment of normal business operations through the failure of systems dependent on computer microchips, such as communications, security, and fire protection systems.
To ensure the society's operations risk is minimised, the Directors of a society should ensure that a full review and assessment of the risks associated with the Year 2000 problem is undertaken. Those systems affected that are critical to the society's normal business operations must be corrected. Directors must ensure that appropriate tests are carried out to ascertain that any critical computerised systems and devices required for the society's day-to-day operations are not affected by the Year 2000 problem.
A society must keep its insurance contracts under review to ascertain whether it is covered for interruptions to business and possible litigation, due to non-performance or disruption to business, as a result of the Year 2000 problem.
The costs and resource requirements to address the Year 2000 problem may be beyond the scope of some societies. Where directors are of the opinion that the society will be unable to address the Year 2000 problems adequately, with regard to its critical systems, the society should immediately notify its SSA. The SSA, together with the society, will then consider the appropriate action to be taken to ensure that the interests of the society's members are not adversely affected by the society's inability to manage Year 2000 problems adequately.
An important source of insurable operations risk arises from potential damage to the physical assets of the society through accident or fire. While compulsory worker's compensation covers potential loss through accidents involving staff, there is a similar risk to members of the public that is not automatically insured. Other operational risks arise from the potential for legal action against the society or its directors.
In addition to compulsory worker's compensation, all building societies should carry effective insurance with a reputable insurance company to protect their personnel, operations and physical assets. At a minimum, each society should carry the following insurance policies:
(a) fidelity guarantee;
(b) asset protection, including fire and malicious damage;
(c) directors' and officers' liability;
(d) public liability;
(e) professional indemnity; and
(f) loss of profits associated with specified events.
Insurance should cover the society and all subsidiaries (if any). SSAs will seek details of insurance policies and each society's approach to insurance.
Prudential Standards
3.1.1 Prime Liquid Assets Requirement
3.1.1.a Each building society is to maintain at all times a minimum proportion of its balance sheet in specified prime liquid assets. The required PLA ratio is to be 7 per cent of total liabilities excluding capital as defined in Prudential Note 3.2 (Capital Adequacy).
3.1.1.b The PLA ratio is to be met at all times. If a society finds itself in danger of breaching the minimum ratio, it must advise its SSA immediately and, in consultation with the SSA, take prompt action to correct the situation.
3.1.1.c To be eligible for inclusion in the PLA ratio, assets must be held in the society's own name, must be unencumbered by any pledge or restriction (other than restrictions arising from the emergency liquidity support facility) and must be readily negotiable.
3.1.1.d Assets deemed acceptable by AFIC for inclusion in the PLA ratio may change from time to time as circumstances and asset quality change. Until notice of alteration, PLA will include the following:
(i) Treasury notes;
(ii) other Commonwealth Government securities;
(iii) bank deposits and bank accepted and endorsed bills;
(iv) loans to authorised money market dealers against the security of Commonwealth Government securities;
(v) State or Territory Government issued or guaranteed securities; and
(vi) PLA deposits with special services providers (see Book 1).
3.1.1.e Given the potential for the liquidation value of some PLA to vary with market conditions, assets will be valued at market value for the purpose of calculating the PLA ratio.
3.1.1.f Societies must hold half of their required PLA assets in a manner that can be immediately accessed under the emergency liquidity support facility outlined in Part 6 of the AFIC Code (see also Prudential Standard 3.4.6).
3.1.2 Operational Liquidity
3.1.2.a Each society is to provide its SSA, on request, with a written description of its systems to measure, monitor and manage liquidity risk. These systems are to be audited annually by the society's external auditors and their operation in practice will be subject to review during on-site inspections by the SSA.
3.1.2.b It is the responsibility of each board to determine the liquidity needs and normal liquidity operating range of its society, and the associated composition and liquidity of assets to be held. Notwithstanding, each society should aim to maintain access to funds to meet operational demands at 6 per cent or more of total liabilities (less capital) with a minimum component of on-balance sheet assets of 2 per cent of total liabilities (less capital). As part of its liquidity management, each society must also satisfy its SSA that it has access to appropriate levels of funding through off-balance sheet facilities, provided by banks, SSPs or other entities advised by AFIC.
3.1.2.c Unless otherwise advised by Standard or Guidance Note, assets that may be included in on-balance sheet operational liquidity are:
(i) cash on hand;
(ii) PLA in excess of the required minimum;
(iii) funds securing settlement accounts; and
(iv) liquidity deposits with Special Services Providers.
3.1.2.d A society must advise its SSA if the level of on-balance sheet operational liquidity falls below 2 per cent of total liabilities (less capital).
3.1.2.e As part of its liquidity management system, each society must include a policy in respect of large liability exposures to individual lenders or a group of associated lenders. Each society must report quarterly liability exposures in excess of 5 per cent and must consult with its SSA prior to acceptance of a liability greater than 10 per cent of the society's total liabilities. The onus will be on the society to establish that the liability exposure does not constitute an excessive risk to the society.
3.1.2.f A society that fails to satisfy its SSA that it adequately manages its cash flows and operational liquidity may be directed to hold higher levels of liquid assets, maintain higher levels of capital, report more frequently or otherwise as determined by the SSA.
3.1.3 Managing Market Risk
3.1.3.a Each society is to provide its SSA, on request, with a written description of its systems to measure, monitor and control market risk. These systems are to be audited annually by the society's external auditors. Their operation in practice is subject to review during on-site inspections by the SSA.
3.1.3.b Failure by a society to satisfy its SSA that its practices are adequate to the risks involved may lead to its being required to maintain a capital adequacy ratio above the 8 per cent minimum.
3.1.3.c It is a requirement of the FI Code (Section 121) that any funds raised in foreign currency must be hedged so as to minimise the risk of loss. Before a society raises liabilities in foreign currency, it must first satisfy its SSA that it has the capacity to hedge the currency exposure.
3.1.4 Managing Credit Risk and Large Exposures
3.1.4.a Each society is to provide its SSA, on request, with a written description of its systems to measure, monitor and control credit risk. These systems are to be audited annually by the society's external auditors. Their operation in practice is subject to review during on-site inspections by its SSA.
3.1.4.b Each society is to include in this description a written statement of its policy with respect to acquiring assets not defined within primary objects or liquid assets.
3.1.4.c In the normal course of business, a society's exposure to its own fixed assets should not exceed the size of the society's capital base. Exposure beyond this level will require prior consultation with its SSA.
3.1.4.d Each society is to provide its SSA, on request, with a written statement of its policy in respect of exposures to individual members or groups of associated members. Associated members are defined on the basis of control.
3.1.4.e Each society must provide quarterly a return of all exposures of the consolidated group to individual borrowers and/or associated borrowers greater than 5 per cent of its capital base (as defined in Prudential Note 3.2). The intention of this Prudential Standard is to identify concentration of risks. SSAs will declare borrowers to be 'associated' if there is any suggestion of intent to disguise concentration.
3.1.4.f Before entering into any such exposure greater than 10 per cent of a society's capital base (or, in the case of a group, 10 per cent of the group's capital base), the society must first consult with its SSA. The onus will be on the society to establish that the exposure does not constitute an excessive risk. Lending within primary objects may be exempted from this process if, after examining the society's residential lending policies, the SSA is satisfied that they do not introduce excessive risk.
3.1.4.g Failure by a society to satisfy its SSA that its practices are adequate to the risks involved may lead to its being required to maintain a capital ratio above the 8 per cent minimum.
3.1.5 Data Risk
3.1.5.a Each society is to provide its SSA, on request, with a written statement of its policy in respect of managing data risk. Detailed records of all financial transactions and balance sheet data should be kept in more than one location. Where records are computerised, back-up and storage procedures should be documented by the society and inspected by the relevant SSA, as should procedures for preventing data corruption.
3.1.5.b The Directors of a society should ensure that a full review and assessment of the risks associated with the Year 2000 problem is undertaken. Those systems affected that are critical to using or storing the society's data must be corrected. Directors must:
- ensure that full testing is carried out to ascertain that any critical systems for using or storing the society's data are not affected by the Year 2000 problem; and
- obtain sufficient assurance that the society's systems and dates will not be significantly affected by inaccurate data or failure of services by its suppliers.
3.1.5.c Each society must have a comprehensive written statement dealing with the risks and events that may arise due to either the society or an external service provider suffering disruptions that may, in turn, disrupt the society's normal business operations. These policies and procedures should form part of a society's Disaster Recovery Plan in respect of managing both data risk and operations risk.
3.1.6 Operations Risks
3.1.6.a Each society is to provide its SSA annually with a written statement of its policy in respect of disaster recovery planning and insurance including details of its individual insurance policies. SSAs will monitor the adequacy and currency of these policies. At a minimum, societies should take out the following insurance cover:
(i) Fidelity/Bond Insurance
(ii) Fire and Specified Perils
Physical loss or damage to tangible property due to fire and specified perils including:
· storm and tempest;
· earthquake;
· explosion;
· impact;
· water damage;
· malicious damage;
· riots; and
· strikes.
(iii) Directors' and Officers' Liability
(iv) Public Liability
To cover the society's legal liability for bodily injury or damage to property anywhere in Australia or on society business overseas.
(v) Professional Indemnity
To cover legal liability to members and third parties through a breach of professional duty in the conduct of the society's business, by reason of any negligence, including:
· libel and slander;
· amendment of dishonesty clause;
· retroactive cover;
· automatic reinstatement; and
· breaches of Trade Practices/Fair Trading Acts.
(vi) Business Interruption
To cover loss of income or increased cost of working due to interrupted business operations as a result of an insured peril.
3.1.6.b Directors of a society should ensure that a full review and assessment of the risks associated with the Year 2000 problem is undertaken. Those systems affected that are critical to the society's normal business operations must be corrected. Directors must ensure that full testing is carried out to ascertain that any critical computerised systems and devices required for the society's day-to-day operations are not affected by the Year 2000 problem.
3.1.6.c A society must keep its insurance contracts under review to ascertain whether it is covered for interruptions to business and possible litigation, due to non-performance or disruption to business, as a result of the Year 2000 problem.
3.1.6.d Where directors are of the opinion that the society will be unable to address the Year 2000 problems adequately, with regard to its critical systems, the society should immediately notify its SSA.