Ratings

• Weak: Risk management is regarded as a policeman, or a cost center that adds little value. Staffing and resources are insufficient.
• Adequate: The risk management department stands independent of business units and is regarded as a valued partner. It enjoys access to senior management and is staffed by quality employees. There is a demonstrated organizationwide commitment to risk management.
• Strong: The track record shows that the formal risk management department acts as a valued partner to the business units by advising them on both "local" and enterprisewide risks. Risk management is closely involved in planning and budgeting, and risk professionals rank highly within the firm. Indicators of a strong framework can include the existence of an Chief Risk Officer who reports directly to the CEO, and the existence of a Risk Management Board with nonexecutive director representation that reports to the board. There is clear evidence of board involvement in risk management issues.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in ensuring that risk management occupies an important niche in the firm.

• Weak: The company is unable to express aggregate risk tolerance. Risk management is minimally involved in evaluating the organization's risks and developing the business strategy.
• Adequate: Some kind of aggregate risk tolerance measure is available, but it is either based on insufficient data or defined relatively vaguely. Tolerance may not be defined well in both qualitative and quantitative terms.
• Strong: The risk appetite has been established following a rigorous, collective review of risk-reward trade-offs. The tolerance is well defined both qualitatively and quantitatively. Staff members are well able to express the risk appetite of the firm.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry when it comes to the articulation of risk appetite.

• Weak: Risk is monitored silo-by-silo. The entity has little ability to acquire a consolidated view of risks across the enterprise.
• Adequate: The firm monitors risk primarily by silo, but can monitor and aggregate some risks across the organization. Business lines' risk policies parallel group policies.
• Strong: The institution has a demonstrated track record of success in monitoring and aggregating risks across the organization, including smaller/remote subsidiaries. Risk management initiatives are well coordinated across the entity. Business line risk policies parallel group policies, and strategies and commercial policies are consistent with group risk appetite and objectives. Economic capital, a balanced business scorecard, or a similar approach is actively used in the day-to-day management of the business.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in ensuring that risk is managed across the entire enterprise.

• Weak: Meetings between senior management and risk staff are infrequent. Risk reporting is poor, and risk reports serve only a compliance role and are rarely perceived to have a wider business role.
• Adequate: Risk committee structures are in place, with improving metrics and report formats. Risk issues are discussed at a strategic forum. While there are regularly scheduled internal audits of the risk management function, risk reporting may be more reactive than proactive.
• Strong: The institution employs high-quality internal and external risk management reporting, with regular discussions in risk committees. The reporting framework is strong and well supported by the business units, showing visible improvements over time. The evaluation of risk issues is embedded in strategic decision making, budgeting, and planning. Risk reports are expected to contain tangible strategic applications, with a demonstrated link between risk reporting and commercial decisions. Risk issues that emerge are brought to the attention of senior executives quickly, responses are timely, and there is a track record of effective action being taken. A good balance has been struck between the measuring and modelling of risk, and the actual management of business risks.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in ensuring that senior management is kept apprised of potential enterprisewide risks.

• Weak: A lack of understanding of the firm's operational risks pervades the firm's staff.
• Adequate: Business lines are developing or have improved their definitions of operational risk.
• Strong: A clear and consistent firmwide definition avoids overlaps with credit risk and market risk, for example.

Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in ensuring that the boundaries of operational risk are defined in a clear and usable manner.

• Weak: No comprehensive data-gathering framework exists. Operational losses are sometimes disguised as credit risk or market risk losses.
• Adequate: A consistent structure for capturing loss data has been developed (this may have been slowed by acquisitions). Potential exposure is assessed through key risk indicators, and control self-assessments, for example.
• Strong: The firm coordinates its efforts across business lines to capture and track "trigger" events and risk indicator data. It maintains a consistent structure for capturing loss data, which is not undermined by recent acquisitions. A transparent methodology has been developed for classifying key risk indicators.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in the strength of its operational risk evaluation framework.

• Weak: The feedback mechanism linking loss data to operational controls is inadequate. Indeed, operational risk initiatives seem to be driven mainly by regulatory compliance.
• Adequate: The firm has shown clear responses to operational risk issues, but control improvements are mainly reactive. It is developing a process to allocate capital to the businesses for operational losses.
• Strong: A clear management focus and operational risk analysis via the use of operational risk dashboard reports drive control improvements. The firm has taken a proactive stance on operational risk issues, and a proven track record of effective responses is also evident. In the case of operational losses, a process for allocating capital to the businesses has been clearly articulated.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in integrating operational risk analysis into management decisions.

The advanced measurement approach may be an indicator of good operational risk management practices.

• Weak: Back-office structures are not always independent of the businesses. Remote locations of the company have weaker structures.
• Adequate: A clear organizational structure for the back office, independent of the business, has been established. Several risk-related training opportunities are available to staff. The company is developing disaster recovery plans and business continuity plans. It has demonstrated an ability to cope with emerging operational risk issues.
• Strong: High-quality personnel, and strong training and development structures are evident. Data-recovery processes and business continuity plans are in place and continue to show enhancements. The firm maintains well documented and frequently (and preferably randomly) tested business continuity plans.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its commitment to provide the appropriate resources to mitigate operational risk.

• Weak: New product definition is unclear and final sign-off is vested with the business.
• Adequate: A new product approval process is in place, but can occasionally be circumvented.
• Strong: The risk function, in conjunction with the other support functions, vets new products, and can provide final sign-off. Risk management also vets pricing models, including data inputs.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in empowering the risk management function to provide input on new products.

• Weak: Ineffective risk criteria. There is an apparent willingness to compromise underwriting standards to achieve short-term profit/growth targets.
• Adequate: Policies have been put in place, but may be not be sufficiently clear or subject to regular reviews. The number of exceptions to official policies may be sufficiently high to question their effectiveness.
• Strong: Clear risk and pricing policies have been established and are reviewed regularly. Effective credit scoring and delegated authorities are in evidence. Experienced and well-qualified personnel have implemented policies in a consistent manner.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in establishing underwriting criteria consistent with its risk appetite.

• Weak: The institution lacks the necessary metrics and data to monitor the evolution of its portfolio. The entity is hampered by its limited ability to extract segment data quickly.
• Adequate: The institution is improving its risk metrics, but its ability to track performance may be limited for some products/segments. Data may be stuck in silos or insufficiently flexible to respond to changing needs. Staffing may be adequate, but some concerns exist about individuals' depth of experience, and the overall availability of resources for collections/recoveries.
• Strong: Effective portfolio analytics have been developed to monitor performance by product and vintage, track watch-list credits, and transfer underperforming exposures to collections/recoveries. There is more-than-adequate staffing of collections/recoveries units with experienced personnel in charge. The institution has conducted extensive analysis into the adoption of a specific credit modelling approach, with assumptions and limitations clearly documented. It boasts a solid track record of reserves/provisions versus actual losses.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in monitoring its credit portfolio for potential risks.

• Weak: Only reactive techniques for managing exposure to particular entities or sectors are available. Few conscious decisions about the appropriate levels of risk for the company are made, and the management of risk concentrations is haphazard or insufficiently comprehensive.
• Adequate: Efforts have been made to manage the portfolio more proactively, with a conscious decision about the level of risk to be retained, but a limited range of tools or techniques are available. Risk concentrations are monitored and managed at a group level.
• Strong: The enterprise has taken a highly proactive view of the credit risks in the portfolio and methodically controls exposure to particular segments through a range of potential tools. Policies regarding hold levels and arrangements for sale of assets have been made clear, with teams' actions monitored closely. Reviews of particular portfolios are conducted using stress tests.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in the techniques it uses in managing portfolio risk.

• Weak: The feedback mechanism from credit risk metrics to commercial and strategic decisions is inadequate. The use of some credit risk metrics and models seems to be driven mainly by regulatory compliance.
• Adequate: Clear responses to credit risk issues, with a process to allocate capital to the businesses for credit risk.
• Strong: Management understands credit metrics and processes well. It demonstrates a proactive approach as well as having a solid track record of effective responses to credit risk issues. Use of more advanced Basel II approaches typically indicate that the firm has more sophisticated data and risk management techniques, if backed by demonstrated understanding by management, and clear business usage of the information.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its linking of its credit risk management into management decision making.

• Weak: The market risk function has a narrow remit, limited controls, and loose or inconsistent coverage. It relies on over-simplistic measurement techniques. Management has a limited understanding of the market risk reports.
• Adequate: Expanding coverage of market risk across the group is evident. Some areas may still be excluded. Management generally has an acceptable understanding of the market risk reports.
• Strong: The market risk framework captures risks borne by subsidiaries, including nonbanking subsidiaries. Market risks associated with pensions and other employee benefits are also captured, if relevant. Regular usable reports are issued at a group level to assess the groupwide position.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in ensuring that its market risk function has a broad reach.

• Weak: These risks are not measured or managed effectively. There is no defined remit. Limits or controls are loose and there are over-simplistic measurement techniques.
• Adequate: The firm has improved its measurement of structural interest rate risk (or foreign exchange or equity risk, as relevant), but it may still be only partial. Risk reports may give less effective guidance to management, and the firm's tools are not sophisticated enough when compared with evolving industry standards. Metrics should be appropriate for the risk type.
• Strong: The institution has designed a risk-adjusted approach to produce profits within risk parameters that have been agreed by the board and senior management. Structural interest rate risk is measured comprehensively, with regular reporting and value-added metrics (typically with scenario analysis that is considered usable by the business).
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in managing structural interest rate risk.

• Weak: The firm uses unrealistic assumptions that heavily influence the reported exposures.
• Adequate: Clear assumptions are made, but with more limited back-testing or use of stress testing.
• Strong: The firm uses assumptions that are back tested, stressed, and clearly articulated. The firm evaluates multiple scenarios, and takes into account behavioral characteristics rather than contractual characteristics only.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry when it comes to incorporating assumptions into its asset-liability management framework in a rigorous and robust manner.

• Weak: The business units have excessive authority. The usefulness of stress testing is limited by a view that stress tests are for regulatory compliance, not for adding value. Senior management neither understands nor appreciates stress tests.
• Adequate: There is a clear process for assigning limits, and unambiguous (but restricted) procedures for the granting of exceptions. All excesses and breaches of limits are reported quickly to the appropriate executive level. Stress tests are used, but may have insufficient granularity and only a small role in decision making.
• Strong: Close cooperation has been established between the business units and risk functions. Only risk management can approve excesses over key limits. Dual limit structures may be used. Regular stress testing of macro, historical, and hypothetical scenarios is conducted. A range of stress tests is used, but are all considered relevant. Stress tests and scenario analyses are run and revised at an appropriate level of granularity for the business profile.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in conducting stress tests and using limit frameworks to support its businesses.

• Weak: The institution is overly focused on minimizing the cost of funds and possesses a limited understanding of liquidity risks. It also demonstrates difficulty or unwillingness to diversify the funding profile.
• Adequate: The institution has diversified its funding mix, but with a more reactive--rather than proactive--policy. Its views on the appropriate levels of funding concentration may not be rigorously formed.
• Strong: The institution maintains a diverse funding profile, without over-reliance on any single source. The firm has a proactive view toward its funding mix. It has clearly defined views about the optimal funding mix, with appropriate limits and guidelines.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in creating the right mix of funding concentrations and managing its funding base proactively.

• Weak: Underprepared for a liquidity crunch, this company uses insufficiently severe stress tests that do not prompt follow-up actions. Risk management techniques are slow to respond to growth in more sensitive funding sources.
• Adequate: Contingency plans are used, but are either not very detailed or are not rolled out at the appropriate levels across the group (for example, by subsidiary or country). Exposure to a potential downgrade may only be monitored in times of stress. Risk management techniques may still be adjusting to recent growth in the use of some more sensitive funding sources.
• Strong: The firm undertakes detailed stress tests and liquidity continuity scenario planning. Demonstrated links between these tests and management actions have been established. With a clear-eyed view of the potential effects of a downgrade, the entity has developed a plan to manage this exposure. The group's risk management framework takes account of its reliance on sensitive funds.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in establishing contingency plans for a liquidity crunch.

• Weak: Inadequate emergency liquidity sources mean that the firm is overly reliant on committed bank lines and/or questionable liquidity sources.
• Adequate: Sufficient emergency liquidity sources have been earmarked, but they may be relatively concentrated.
• Strong: The firm holds sufficient unencumbered liquid assets, as well as central bank lines and/or other sources of emergency liquidity to meet stress outflows.
• Excellent: The organization exhibits all "strong" characteristics, and is an acknowledged leader in its industry in maintaining sufficient emergency liquidity capacity.