Internal Ratings-Based (IRB) Approach to Credit Risk: Accreditation Process
16 December 2015
To: All authorised deposit-taking institutions (ADIs)
The Financial System Inquiry (FSI) suggested that APRA could consider how to make the IRB accreditation process less resource intensive1. Specifically, the FSI Final Report proposed:
To promote incentives for ADIs to develop IRB capacity, APRA could also consider how to make the accreditation process less resource intensive without compromising the (necessarily) very high standards that must be met. APRA has already indicated it is willing to explore a proposal to decouple the need to achieve internal model accreditation for both financial and non-financial risks simultaneously. That is, an ADI may be accredited for regulatory capital models for credit and market risks without having been accredited to model operational risk. The Inquiry supports exploring such initiatives2.
As noted by the FSI, APRA has been considering possibilities to modify its IRB accreditation process with a view to making it easier for ADIs to achieve accreditation without weakening the overall standards that accreditation requires. As a result of its deliberations, APRA is today announcing two important changes to the IRB accreditation process.
Staged IRB accreditation
APRA’s long-standing policy position is that ADIs seeking IRB accreditation must:
- be capable of modelling all material credit portfolios; and
- meet accreditation requirements for all such portfolios before models can be used for regulatory capital purposes3.
Staged IRB accreditation refers to a modification of condition 2 above.
Staged accreditation provides the capacity for an ADI to use accredited IRB models for regulatory capital purposes for some credit portfolios ahead of others. APRA is open to an ADI adopting a staged accreditation, subject to the following criteria:
- APRA expects the ADI to present a credible plan for all material credit portfolios to ultimately be brought under the IRB approach;
- APRA must be confident that the period from accreditation of the initial set of credit portfolios to accreditation of the remaining portfolios will be reasonably short: no more than one to two years;
- the initial accreditation should cover the larger part of the ADI’s aggregate credit exposure;
- selection of portfolios for initial accreditation should not be motivated by ‘cherry-picking’: that is, the motivation should not be to simply arbitrage between IRB and standardised regulatory capital approaches;
- a significant portion (at APRA’s discretion, but at least 50 per cent) of any expected regulatory capital benefit from accreditation would only become available after obtaining complete accreditation. APRA also reserves the right to vary this percentage during the period from initial to final accreditation to reflect the confidence, or otherwise, in the progress towards final accreditation;
- accreditation approval may be withdrawn if APRA forms the view that the anticipated period to final accreditation (see criterion (ii)) will exceed two years from the date of initial accreditation.
These criteria are designed to ensure that the overarching principle that an ADI achieve full IRB accreditation of its credit exposures continues to be adhered to, and that an ADI has incentives to ensure this occurs.
As a practical matter, staged accreditation will require that all key aspects of IRB systems should be in place at the time of initial accreditation, albeit they may be operationally immature for some portfolios. In such cases, staged accreditation would allow an applicant ADI time to bed down (and demonstrate sufficient maturity) in the relevant portfolios. In order to meet the above criteria, APRA expects an ADI seeking to take advantage of staged accreditation would be able to:
- submit a single application covering all portfolios4; and
- demonstrate at the time of initial accreditation, for any yet-to-be-accredited portfolios:
- models and risk estimates that have been accepted by APRA (i.e. are considered to meet key IRB minimum requirements relating to calibration and discrimination);
- models and risk estimates that have been implemented, which also includes a requirement that all exposures have been rated based on the latest models under IRB standard credit risk management control processes;
- a validation and control framework — consisting of policies, procedures and human capital — encompassing both quantitative and qualitative aspects of ratings and ratings processes is in place;
- at least two quarters of parallel run have been completed;
- at least one cycle of annual validation and control processes applied to the latest models and estimates have been completed; and
- clear and achievable project timelines for closing outstanding ‘gaps’ are in place.
Decoupling operational risk modelling from IRB accreditation
Paragraph 27 of Prudential Standard APS 113 Capital Adequacy: Internal Ratings-based Approach to Credit Risk requires an IRB applicant to also seek to use, for regulatory capital purposes, an advanced measurement approach (AMA) to operational risk and an internal risk measurement model for interest rate risk in the banking book (IRRBB). Decoupling refers to the removal of the link between IRB and AMA accreditation (IRRBB accreditation will continue to be a condition of IRB accreditation).
In considering this issue, APRA has been guided by the view that, whilst the accreditation process considers modelling issues, the use of models for regulatory capital purposes is more fundamentally concerned with concepts of the use of, and experience with, models, and whether or not the ADI has an ‘advanced’ approach to risk management. APRA is prepared to consider, subject to the conditions in the attachments to this letter, that an ADI be accredited to use the IRB approach for credit risk without an accredited AMA model for operational risk.
If APRA accepts that an ADI may apply for IRB accreditation but may use the Standardised Approach to calculate its regulatory capital requirement for operational risk, the ADI will nevertheless be required to demonstrate advanced risk management practices across all its material risks (including operational risk). The conceptual framework for this is described in Attachment A. Attachment B expands on the characteristics of advanced risk management in general, and Attachment C outlines those characteristics with specific reference to operational risk. APRA believes this approach appropriately balances the need to preserve the high standards required for accreditation with the recognition of the different characteristics of individual ADIs.
In the context of staged IRB accreditation, APRA would expect operational risk management to be at an advanced level at the time of initial accreditation.
Potential changes to Basel operational risk framework
As has recently been reported, the Basel Committee on Banking Supervision’s (Basel Committee) review of its operational risk capital standard is well advanced. In the near future, it is expected that the Basel Committee will publish, for consultation, a proposal for a more risk-sensitive standardised approach. It will also consider the future of operational risk modelling within the regulatory framework. Given the proposals are yet to be issued, it is too early to anticipate the outcome of the Basel Committee’s deliberations. However, if internal modelling for operational risk regulatory capital is removed from the Basel framework, the decoupling approach described in this letter is likely to provide a suitable alternative for ADIs currently accredited to use AMA.
ADIs with questions on these matters should contact their APRA Responsible Supervisor.
Executive General Manager
Supervisory Support Division
Conceptual Framework for Risk and Capital Management Expectations
Baseline expectations for risk and capital management5
An APRA-regulated institution must have systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks that may affect its ability, or the ability of the group it heads, to meet its obligations to depositors and/or policyholders. The risk management framework must be appropriate to the size, business mix and complexity of the institution and be consistent with the institution’s strategic objectives and business plan.
An APRA-regulated institution must have in place an Internal Capital Adequacy Assessment Process (ICAAP) appropriate to the institution’s size, business mix and complexity of its operations and group structure. The ICAAP will include elements, such as stress testing and scenario analysis, to ensure that the institution has adequate capital.
Advanced approach to risk and capital management
An advanced approach to risk and capital management is an approach that, in addition to qualitative elements, incorporates appropriate techniques to obtain a quantitative understanding of all material risks, including an understanding of the potential for, and the variability and uncertainty of exposure to, severe losses. This quantitative understanding is then used in the ICAAP and is actively used in the institution’s ongoing decision-making and oversight processes.
Accredited internal model for regulatory capital purposes
To achieve accreditation to use an internal model for regulatory capital purposes, an APRA-regulated institution will be expected to demonstrate that its model is conceptually sound, comprehensive, sustainable, robust, and technically sufficient to produce reliable, risk-sensitive, and comparable estimates of the capital required at the predetermined soundness standards.
The model should also provide estimates at an appropriate portfolio level to facilitate an understanding of the risk exposures and risk drivers to support decision-making, performance measures and the allocation of internally estimated capital requirements. The risk and capital management frameworks, including regulatory and internally estimated capital, are completely integrated.
APRA’s preference is that accreditation will be sought for all material risks. However, should an APRA-regulated institution be allowed by APRA to seek accreditation to use an internal model for regulatory capital purposes for a subset of risks6 only, prerequisites for accreditation will be that:
- the institution meet the expectations set out above under "Advanced approach to risk and capital management" for all other material risks; and
- so as not to undermine the use of the internal capital model for the modelled subset of risks, the institution’s approach to determining and allocating internally estimated capital should appropriately capture all material risks.
Advanced approach to Risk and Capital Management
More detailed criteria, in addition to the baseline expectation, for an advanced risk and capital management framework include:
- The Board (or a Board committee) and senior management are actively involved in the oversight of the measurement approaches for each material risk. This should include oversight of effective implementation and use of the outcomes in understanding the institution’s risk profile.
- The risk management function includes sufficient independent specialist risk resources with the appropriate technical skills for each material risk.
- The institution’s risk management framework facilitates reasonable and risk sensitive quantitative estimates of the risk exposures, including the potential for severe losses.
- The institution’s business line management are able to clearly articulate the drivers of the relevant risk profile (to the extent that it relates to their responsibilities), and demonstrate how they utilise the inputs to risk measurement and related outputs to inform monitoring, management and oversight processes.
- Each material risk is considered as a distinct risk class within the ICAAP with common quantitative elements used as part of both the risk and capital management frameworks.
- So as not to undermine the use test7, the institution’s approach to internally estimating required capital should include estimates for all material risks and be capable of attributing capital for those risks to the institution and to any materially significant internal business lines.
Advanced approach to Risk and Capital Management - Operational Risk
An ADI seeking IRB accreditation without an AMA model would still need to demonstrate an advanced approach to risk and capital management in relation to operational risk. Specifically for operational risk, the additional criteria for an advanced risk and capital management framework include:
1. Oversight - the Board (or a Board committee) and senior management are expected to be actively involved in the oversight of the measurement approaches for each material risk. This should include oversight of effective implementation and use of the outcomes in understanding the institution’s risk profile, including:
- an appropriate understanding of the measurement approach so as to be able to interpret and assess the outcomes;
- a risk appetite statement which expressly includes consideration of the operational risk exposures8 as informed by the measurement approach; and
- active oversight of the scenario and measurement outcomes as part of the relevant decision processes (e.g. as part of the strategic and business planning process).
2. Independent specialist risk resources – the institution should have an independent specialist operational risk management function with sufficient personnel with appropriate skills and experience to support the:
- development of an integrated operational risk measurement and management approach; and
- independent review and challenge of the business inputs and reasonableness of the outputs of the operational risk measurement and management approach.
3. Risk management framework - the institution must, as part of the risk management framework, have an integrated operational risk measurement and management approach, as a distinct risk type. This approach will be suitably rigorous and consistent with the complexity of the institution’s business, and facilitate reasonable and risk sensitive quantitative estimates of the operational risk exposures. This would include specific requirements on the use of elements such as:
- incident management and loss event data tracking;
- scenario analysis process;
- organisational change management; and
- analysis of relevant information on the business environment (e.g. external loss events and business environment factors).
4. Risk profiling9- the institution will be expected to provide its management and the Board with information on operational risk exposures at a level which supports their decision-making and oversight responsibilities. Each business should be able to clearly articulate the drivers of its operational risk profile and demonstrate how it utilises the inputs and outputs of the operational risk measurement and management framework to inform the monitoring, management and oversight processes.
The operational risk profiling will include at least two key points as part of the overall risk exposure:
- expected loss (or residual risk) - anticipated losses, based on the assessed (perceived) effectiveness of the control environment, generally aligned to performance measures (day-to-day operations), can be influenced through changes or improvements to the controls – often referred to as ‘traditional’ operational risk management assessments; and
- unexpected loss (or potential severe loss) - more aligned to the overall operational risk exposure using the assumption that the controls have not operated as anticipated, or other factors have resulted in losses being materially in excess of the expected loss, based on the nature and complexity of the business, products and systems.
5. ICAAP - operational risk should be considered as a distinct risk class with the relevant elements of the operational risk measurement approach, in particular scenario analysis, being appropriately incorporated into the process.
6. Internal capital estimate – so as not to undermine the use test, the institution’s approach to internally estimating required capital should include an estimate for operational risk and must be capable of attributing capital for operational risk to the institution and to any material internal business lines.
1 Detailed requirements regarding the use of internal models for regulatory capital purposes are set out in Prudential Standard APS 113 Capital Adequacy: Internal Ratings-based Approach to Credit Risk, Prudential Standard APS 115 Capital Adequacy: Advanced Measurement Approaches to Operational Risk, Prudential Standard APS 116 Capital Adequacy: Market Risk, and Prudential Standard APS 117 Capital Adequacy: Interest Rate Risk in the Banking Book (Advanced ADIs).
2 Financial System Inquiry, Final Report, November 2014, p66: http://fsi.gov.au/publications/final-report/.
3 APRA has been open to some carve-outs from this principle, for immaterial portfolios. Such portfolios remain on the Standardised Approach. Also, as a matter of pragmatism, temporary exceptions for newly-acquired material subsidiaries/portfolios have been considered acceptable with the understanding that these would be accredited for IRB purposes within a reasonably short period of time.
4 An ADI seeking staged accreditation would be expected to identify more gaps requiring closure for those portfolios where a later stage accreditation is targeted.
5 Detailed requirements regarding risk management are set out in Prudential Standard CPS 220 Risk Management. Detailed requirements regarding capital management are set out in Prudential Standard APS 110 Capital Adequacy.
6 In practice, this principle would typically apply to the case where an ADI does not seek accreditation for internal modelling of operational risk capital.
7 The use test pertains to the use by an ADI of a model and/or model components for internal risk management purposes. It is designed to ensure that models have not been built purely for regulatory purposes, but rather an integral component of an ADI’s risk management framework.
8 Operational risk exposure includes the quantified potential for loss that might occur as a result of an operational risk event (or a number of related events). The exposure should include consideration of the range of potential impacts and related probabilities (e.g. both the expected and unexpected/severe losses), and a qualitative statement for those potential impacts that cannot be quantified.
9 The operational risk profile refers to the total operational risk exposure of the APRA-regulated institution based on the nature of its business and activities. This includes actual and potential operational risk events, taking into consideration the range of potential financial and (relevant) non-financial impacts that could arise.