
Risk Management Guidelines

TABLE OF CONTENTS

1.0 INTRODUCTION

2.0 EXECUTIVE SUMMARY

3.0 STRATEGIC RISK MANAGEMENT

4.0 CREDIT RISK MANAGEMENT

5.0 LIQUIDITY RISK MANAGEMENT

6.0 INTEREST RATE RISK MANAGEMENT

7.0 PRICE RISK MANAGEMENT

8.0 FOREIGN EXCHANGE RATE RISK MANAGEMENT

9.0 OPERATIONAL RISK MANAGEMENT

10.0 REPUTATIONAL RISK MANAGEMENT

11.0 REGULATORY RISK MANAGEMENT

APPENDICES

APPENDIX 1: RISK MANAGEMENT STRUCTURE

APPENDIX II: COMPREHENSIVE RISK MANAGEMENT PROGRAMME

APPENDIX III: MAIN REFERENCES


1.0 INTRODUCTION

The Central Bank of Kenya has put forward this document for the purpose of providing guidelines
to all financial institutions on minimum requirements for risk management systems and frameworks.
The guidelines are in line with international best practices. While the types and degree of risks an
organization may be exposed to depend upon a number of factors such as its size, complexity, business
activities, volume etc., these guidelines cover the most common risks in financial institutions, namely:
Strategic Risk, Credit Risk, Liquidity Risk, Interest Rate Risk, Foreign Exchange Risk, Price Risk,
Operational Risk, Reputational Risk and Compliance/Regulatory Risks.

Risk-taking is an inherent element of banking and, indeed, profits are in part the reward for
successful risk taking in business. On the other hand, excessive, poorly managed risk can lead to
losses and thus endanger the safety of a bank’s deposits. For the purpose of these guidelines,
financial risk in a banking organization is the possibility that the outcome of an action or event
could have an adverse impact on the financial institution’s capital or earnings. Such outcomes
could either result in direct loss of earnings/capital or may result in the imposition of constraints on
the bank’s ability to meet its business objectives. These constraints pose a risk as they could hinder
a bank’s ability to conduct its ongoing business or to take advantage of opportunities to enhance
its business. As they make everyday decisions, managers of financial institutions are expected to
ensure that the risks a financial institution is taking are warranted.

Risks are warranted when they are understandable, measurable, controllable and within a financial
institution’s capacity to readily withstand adverse results. Sound risk management systems enable
managers of financial institutions to take risks knowingly, reduce risks where appropriate and strive
to prepare for a future that cannot be predicted with absolute certainty. Risk Management is a discipline
at the core of every financial institution and encompasses all activities that affect its risk profile. The
management of financial institutions should attach considerable importance to improving the ability
to identify, measure, monitor and control the overall levels of risks undertaken.

All institutions that do not currently have independent risk management structures must immediately
set up units that will concentrate fully on the risk management function. The risk management function
within an institution should report directly to the board, to ensure independence. In Appendix 1 of
this document, we have demonstrated how an independent risk management function within an
institution should be set up. At the outset, the Risk Manager and his/her team will be expected to
establish comprehensive Risk Management Programmes.


Appendix II of this document outlines the minimum coverage and elements of a comprehensive
risk management programme. The risk management programme of each financial institution should
at least contain the following elements of a sound risk management system:

• Active Board and Senior Management Oversight
• Adequate Policies, Procedures and Limits
• Adequate Risk Monitoring and Management Information Systems (MIS)
• Adequate Internal Controls

These guidelines make reference to the need for adequate MIS, to facilitate effective monitoring of
each of the different risks. It is important to note that in so doing these guidelines are not calling for
the introduction of numerous independent management information systems, but rather are requiring
institutions to ensure that their management information systems are comprehensive enough to provide
timely information on all issues relevant for effective risk management.

It is now widely acknowledged that utilization of better risk measures not only provides insights
into risks, leading to better risk mitigation, but also leads to enhanced risk-return decisions,
which improves capital deployment. Consequently, the Central Bank of Kenya expects that the
adoption of these elements of sound risk management will translate to effective identification,
measurement, control and monitoring of all risks affecting institutions. This process will further
support institutions in computing and allocating their economic capital. Economic capital is
the capital that a bank holds and allocates internally as a result of its own assessment of risk.
Economic capital methods seek to translate quantitative risk assessment of multiple types into a
single common metric, economic capital, which can be used as an indicator of risks and returns
for each business activity, as a way to determine risk pricing and/or to allocate capital among
banking activities and modify allocations over time.


2.0 EXECUTIVE SUMMARY

2.1 Introduction
This set of guidelines outlines the framework for managing nine of the most critical risks faced by
financial institutions. The highlights of the risks and the relevant minimum measures to identify,
measure, monitor and mitigate these risks are contained in the following paragraphs.

2.2 Strategic risk management


Strategic risk is the current and prospective impact on earnings or capital arising from adverse business
decisions, improper implementation of decisions, or lack of responsiveness to industry changes.

The Board of Directors retains the overall responsibility for strategic risk management of the
institution. In turn senior management have a duty to ensure that there is an effective Strategic Risk
Management process.

Policies on business strategy are critical in defining the business segments that the institution will
focus on, both in the short and long run. There should be clear guidelines on the frequency and procedure
for review of the institution’s business strategy.

In order to ensure an effective strategic risk management process, every institution should deploy a
management information system that enables management to monitor current and forecasted economic
conditions, e.g. economic growth, inflation, foreign exchange trends, etc.

Institutions also need strong internal control systems to ensure that they are not unduly exposed to
strategic risks.

2.3 Credit risk management


Credit risk is the current or prospective risk to earnings and capital arising from an obligor’s
failure to meet the terms of any contract with the bank or if an obligor otherwise fails to perform
as agreed. The largest source of credit risk is loans. However, credit risk exists throughout the
other activities of the bank both on and off the balance sheet.

An effective and sound credit risk management is critical to the stability of an institution. The board
of directors carries the ultimate responsibility of approving and reviewing the credit risk strategy and
credit risk policies of the institution. The senior management on the other hand has the responsibility
of implementing the credit strategy approved by the board of directors and developing policies
and procedures for effective management of the credit risk.

It is the responsibility of management to set up a credit administration team to ensure that once a
credit is granted it is properly maintained and administered. Procedures for measuring the institution’s
overall exposure to credit risk, as well as a stringent internal rating system, should be in place.

Effective and comprehensive procedures and information systems need to be developed to monitor
the condition of the credit portfolio in terms of individual borrowings. The monitoring system will
help establish the likelihood that the credit will be repaid and whether the classification of the loan is adequate.

Another important element of credit risk management is stress testing. This involves identification
of possible events or future changes that could have a negative impact on the bank’s credit portfolio
and the bank’s ability to withstand the changes.

Institutions should have in place an independent internal system for assessment of the credit risk
management process. This function is necessary in order to enable the board to determine independently
whether the risk management process is working effectively.

2.4 Liquidity risk management


Liquidity Risk is the current or prospective risk to earnings and capital arising from a bank’s
inability to meet its liabilities when they fall due without incurring unacceptable losses. It arises
when the cushion provided by the liquid assets is not sufficient to meet its obligations.

The prerequisites of effective liquidity risk management include an informed board, capable
management, staff having relevant expertise and efficient systems and procedures. It is the
responsibility of the board and management to ensure the institution has sufficient liquidity to meet its
obligations as they fall due. Institutions should formulate comprehensive liquidity policy statements
that take into account all on- and off-balance sheet activities.

Institutions should establish appropriate procedures and processes to implement their liquidity policies
while limits should be set which should be appropriate to the size, complexity and financial condition
of the financial institution.

An effective measurement and monitoring system is essential for adequate management of liquidity
risk. Consequently, institutions should institute systems that enable them to capture liquidity
risk ahead of time, so that appropriate remedial measures could be prompted to avoid any
significant losses.

Every financial institution must have adequate information systems that can capture significant
information for measuring, monitoring, and controlling existing as well as future liquidity risks and
reporting them to senior management.

In order to have effective implementation of policies and procedures, institutions should institute
a review process that ensures compliance with the various procedures and limits prescribed by
senior management.

2.5 Interest rate risk management


Interest rate risk is the current or prospective risk to earnings and capital arising from adverse
movements in interest rates. Excessive interest rate risk can pose a significant threat to a financial
institution’s earnings and capital base. The goal of interest rate risk management is to maintain a
financial institution’s interest rate risk exposure within self-imposed parameters over a range of
possible changes in interest rates.

The board of directors has the ultimate responsibility for understanding the nature and the level of
interest rate risk taken by the financial institution and for ensuring that management takes the steps
necessary to identify, measure, monitor and control these risks.

Financial institutions should have clearly defined policies and procedures for limiting and controlling
interest rate risk. These policies should be applied on a consolidated basis and as appropriate, at
specific affiliates or other units of the financial institution.

The risk measurement system should support a meaningful evaluation of the effect of stressful
market conditions on the financial institution. Stress testing should be designed to provide information
on the kinds of conditions under which the financial institution’s strategies or positions would be
most vulnerable and thus may be tailored to the risk characteristics of the institution.

An accurate, informative, and timely management information system is essential for managing interest
rate risk exposure, both to inform management and to support compliance with board policy. Reporting
of risk measures should be regular and should clearly compare current exposure to policy limits.


Financial institutions should have adequate internal controls to ensure the integrity of their
interest rate risk management process. These internal controls should be an integral part of the
institution’s overall system of internal control.

2.6 Price risk management


Price risk is the risk that a financial institution may experience loss due to unfavorable movements
in market prices. It arises from the volatility of positions taken in the four fundamental economic
markets: interest-sensitive debt securities, equities, currencies and commodities.

Financial institutions should have written policies governing activities in equities trading and other
investment activities. In general, policies should reflect the tolerance of the board and senior
management for the various risks arising from investment and trading activities.

Measuring price risk is critical to understanding the potential loss an institution may be exposed
to in the event of any loss. The principal goal is to provide strong assurance that losses resulting from price
changes will not substantively diminish the capital of the financial institution.

Accurate and timely information systems are critical to the management of price risk, and for ensuring
compliance with relevant risk limits. The internal audit should also ensure that management observes
the laid down policies and procedures governing price risk management and that accounting procedures
meet the necessary standards of accuracy, promptness and completeness.

2.7 Foreign exchange rate risk management


Foreign exchange rate risk is the current or prospective risk to earnings and capital arising from
adverse movements in currency exchange rates. The potential for loss arises from the process of
revaluing foreign currency positions in shilling terms.

The Board of Directors and senior management of financial institutions are ultimately responsible
for the institution’s exposure to foreign exchange risk and the level of risk assumed. They should put
in place well-articulated policies, setting forth the objectives of the financial institution’s foreign
exchange risk management strategy.

Financial institutions should have written policies. In general, the policies should reflect the tolerance
of the board and senior management for the various risks arising from foreign currency activities.


Measuring foreign exchange rate risk is critical to understanding the potential loss an
institution may be exposed to in the event of any loss. Management’s principal goal is to provide
strong assurance that foreign exchange losses will not substantively diminish the total earnings
of the financial institution.

Accurate and timely information systems are critical to the management of foreign currency positions,
and for ensuring compliance with relevant risk limits. The internal control system of the financial
institution should review and assess the foreign exchange risk management process.

2.8 Operational risk management


Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes,
people and systems or from external events. It is the risk of loss arising from the potential that
inadequate information systems, technology failures, breaches in internal controls, fraud, unforeseen
catastrophes, or other operational problems may result in unexpected losses.

The Board and Senior Management should ensure that there is an effective, integrated operational
risk management framework. This should incorporate a clearly defined organizational structure, with
defined roles and responsibilities for all aspects of operational risk management/monitoring and
appropriate tools that support the identification, assessment, control and reporting of key risks.

Financial institutions should have policies, processes and procedures to control or mitigate material
operational risks. Operational risk policies and procedures that clearly define the way in which all
aspects of operational risk are managed should be documented and communicated.

The institution should identify and assess the operational risk inherent in all material products, activities,
processes and systems, and its vulnerability to these risks. International trends are moving towards allocating
capital as a cushion specifically for operational risk. The measurement approaches available for
estimating operational risk range from simple approaches to fairly sophisticated ones.

An effective monitoring process is essential for adequately managing operational risk. Regular
monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the
policies, processes and procedures for managing operational risk. To be effective, strong internal
control systems should be an integral part of the structures of a bank.


2.9 Reputational risk management


Reputational risk is the potential that negative publicity regarding an institution’s business practices,
whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.
This risk may result from a financial institution’s failure to effectively manage any or all of the other
risk types.

Ultimate accountability for reputational risk management rests with the board. The Board of directors
should address explicitly reputational risk as a distinct and controllable risk to the financial institution’s
safety and soundness. Management should fully understand all aspects of reputational risk and
exhibit a clear commitment to compliance.

Financial institutions should have policies, processes and procedures to control or mitigate material
reputational risks. Authority and accountability for compliance should be clearly defined and enforced.
Institutions’ privacy policies should fully consider legal and litigation concerns.

Risk identification is critical for the subsequent development of viable reputational risk
measurement, monitoring and control. A financial institution needs to have a clear understanding
of the main threats to its reputation. A system should exist to ensure that deficiencies identified
are promptly managed and meaningful corrective action implemented.

In some respects, reputation risk should be treated in the same way as more traditional risks. It should
be included within a company’s internal audit procedures to ensure that the procedures to avoid, detect and
respond to reputation risks are being applied and are kept up to date.

2.10 Regulatory risk management


Regulatory risk is the risk of non-compliance with regulatory guidelines. Regulatory risk is the
current and prospective risk to earnings or capital arising from violations of, or non-conformance
with, laws, rules, regulations, prescribed practice, or ethical standards issued by the regulator
from time to time. Regulatory risk also arises in situations where the laws or rules governing
certain bank products or activities of the bank’s clients may be ambiguous or untested.

Regulatory risk exposes an institution to fines, civil money penalties, payment of damages, and
the violation of contracts. It can lead to diminished reputation, reduced franchise value, limited
business opportunities, reduced expansion potential and an inability to enforce contracts.


3.0 STRATEGIC RISK MANAGEMENT

3.1 Introduction
Strategic risk is the current and prospective impact on earnings or capital arising from adverse
business decisions, improper implementation of decisions, or lack of responsiveness to industry
changes. This risk is a function of the compatibility of an organization’s strategic goals, the
business strategies developed to achieve those goals, the resources deployed against these goals,
and the quality of implementation.

The resources needed to carry out business strategies are both tangible and intangible. They include
communication channels, operating systems, delivery networks, and managerial capacities and
capabilities. In strategic management, the organization’s internal characteristics must be evaluated
against the impact of economic, technological, competitive, regulatory, and other environmental
changes.

3.2 Board & Senior Management Oversight


The Board of Directors retains the overall responsibility for strategic risk management of the
institution. In turn senior management have a duty to ensure that there is an effective Strategic Risk
Management process.

The Board and Senior Management should ensure that:


• Risk management practices are an integral part of strategic planning.
• Its Mission Statement, Strategic goals, objectives, corporate culture, and behaviour are effectively
communicated and consistently applied throughout the institution.
• The institution’s strategic/business plans make sense given the current economic and competitive
environment, and consist of reasonable and measurable targets.
• Management has successfully accomplished targets.
• Management information systems effectively support strategic direction and initiatives.
• Exposure reflects strategic goals that are not overly aggressive and are compatible with developed
business strategies.
• Initiatives are well conceived and supported by appropriate communication channels, operating
systems, and service delivery networks. The initiatives are supported by capital for the
foreseeable future and pose only nominal possible effects on earnings volatility.
• Strategic initiatives are supported by sound due diligence and strong risk management systems.
Decisions can be reversed with little difficulty and manageable costs.


3.3 Policies, Procedures & Limits


Effective management of strategic risk requires that policies, procedures and limits be established
to ensure objective evaluation of and responsiveness to a bank’s business environment.

Policies on business strategy are critical in defining the business segments that the institution
will focus on, both in the short and long run. There should be clear guidelines on the frequency and
procedure for review of the institution’s business strategy.

Procedures for defining and reviewing the institution’s business strategy are intended to ensure that
the following aspects are given adequate consideration:
• The institution’s inherent strengths
• Its identified weaknesses
• Opportunities external to the institution
• External factors that pose threats to the institution

Limits are necessary in defining:


• Exposure to different sectors
• Growth of business and staff strength
• Network expansion programmes

3.4 Measuring and Monitoring Strategic Risk


In order to ensure an effective strategic risk management process, every institution should deploy an
integrated management information system that enables management to monitor:
• Current and forecasted economic conditions, e.g. economic growth, inflation, foreign exchange
trends, etc.
• Current and forecasted industry and market conditions, such as:
    • Increasing competition by new market entrants
    • Number and size of mergers and acquisitions
    • Changing customer behaviour
    • New products/substitutes
• Exposure to different sectors, and associated sector risks

3.5 Internal Controls and Audit
Institutions need strong internal control systems to ensure that they are not unduly exposed to
strategic risks. Internal controls are required to ensure that:

• The organisation structure establishes clear lines of authority.
• The institution’s systems and structures provide for business continuity planning.
• The process of setting up and reviewing strategic plans is comprehensive and is carefully
adhered to.

4.0 CREDIT RISK MANAGEMENT

4.1 Introduction
Credit risk is the current or prospective risk to earnings and capital arising from an obligor’s
failure to meet the terms of any contract with the bank or if an obligor otherwise fails to perform
as agreed.

In general, the largest source of credit risk is loans, albeit that credit risk exists throughout the other
activities of the bank both on and off the balance sheet. These other activities include acceptances,
inter-bank transactions, trade financing, foreign exchange transactions, futures, swaps, options and
guarantees. Given the significant size of the loan portfolio in balance sheets of local banks, credit
risk remains the largest risk type in the local banking sector.

Therefore, an effective and sound credit risk management is important to the stability of any local
financial institution. Overall, the management of this risk requires the development of an appropriate
credit risk culture and environment. A sound credit extension process, maintaining appropriate credit
administration, measurement and monitoring process and ensuring adequate credit controls, enhances
this.

4.2 Board and Senior Management Oversight

4.2.1 The Board of Directors


The board of directors carries the ultimate responsibility of approving and reviewing the credit risk
strategy and credit risk policies of the bank. This role is part of the board’s ultimate responsibility of
offering overall strategic direction to the bank. The credit risk strategy should clearly set the acceptable
risk appetite and tolerance the institution is willing to engage, and the level of profitability the bank
expects to achieve for incurring the various credit risks. The credit policies should be adequate and
must cover all the activities in which credit exposure is a significant risk. The board should ensure
that:
• The credit strategy has a statement on acceptable levels of exposure to the various economic
sectors, currencies and maturities. It should also include the target markets, diversification and
concentration of the credit portfolio.
• The credit risk strategy and policies are effectively communicated throughout the institution.
• The financial results of the institution are periodically reviewed to determine if changes need
to be made to the credit risk strategy.

• The recruitment procedure ensures that the senior management team is fully capable of
managing the credit risk.
• There is an internal audit function capable of assessing compliance with the credit policies
and management of the entire credit portfolio.
• The delegation authority and approval levels are clearly defined.
• The management provides periodic reports on the insiders, provisioning and write-off on credit
loan losses and audit findings on the credit granting and monitoring processes.

4.2.2 Senior Management


The senior management has the responsibility of implementing the credit strategy approved by the
board of directors and developing policies and procedures for effective management of the credit
risk. The senior management should ensure the following:
• The credit granting activities conform to the laid down strategy.
• Written procedures have been developed, implemented and responsibilities of the various
functions are clearly defined.
• Compliance with internal exposure limits, prudential limits and regulatory requirements.
• The credit policies must be communicated throughout the institution, implemented, monitored
and revised periodically to address any changes.
• Internal audit reviews of the credit risk management system and credit portfolio are undertaken
regularly.
• Adequate research is undertaken for any new products or activities to ensure the risks are
appropriately identified and managed. These products must receive prior board approval.

4.3 Policies, Procedures and Limits

4.3.1 Policies relating to limits


Establishment of sound and well-defined policies, procedures and limits is vital in the management
of credit risk. These should be well documented, duly approved by the board and strictly implemented
by management.

An effective credit policy is the one that defines the credit concentrations, limits and exposures the
organisation is willing to assume. These limits will ensure that credit activities are adequately
diversified.


The policy on large exposures should be well documented to enable banks to take adequate
measures to ensure concentration risk is mitigated. The policy will stipulate clearly the percentage
of the bank’s capital and reserves that the institution can invest, grant loans or extend as other
credit facilities to any individual entity or related group of entities. In the exposure limit,
contingent liabilities should be included – for example guarantees, acceptances and letters of
credit. In the case of large exposures, banks must pay attention to the completeness and adequacy
of information about the debtor. Credit staff should ensure they monitor events affecting large
debtors and their performance on an on-going basis. Where external events present a cause for
concern, credit officers should request for additional information from the debtor. If there is
doubt that the debtor might have difficulties in meeting its obligations to the bank, the concerns
should be raised with the credit management and a contingency plan developed to address the
issues.

Lending to insiders or related parties typically involves an institution’s parent, major shareholders,
subsidiaries, affiliate companies and directors. The policy should require that the board approve all
loans to related or connected parties. These credits should be based on market terms and should not
be more favourable with regard to amount, maturity, rate and collateral than those provided to other
customers. The main exposure limits covered under the policies should include the following:
• Acceptable exposure to individual borrowers.
• Maximum exposure to connected groups and insider dealings.
• The total overall limit on the credit portfolio in relation to capital, assets or liabilities.
• Limits in relation to geographical location.
• Maximum exposure to individual economic sectors (for example commercial, consumer, real
estate, agricultural).
• Acceptable limits on specific products.

4.3.2 Policies relating to credit products


The various types of loan products and credit instruments the institution intends to offer should be
documented. Management must have a good understanding of all the products on offer and a careful
review of the existing and potential risks must be undertaken. The products should also have a
maturity profile and the pricing of these products should be included and periodically reviewed. Any
new products should be fully researched and prior board approval obtained before introduction to
the customers.

Credit exposure for all off balance sheet commitments should be well documented. These main off
balance sheet items include letters of credit, guarantees, futures, options, swaps etc. The policy will
stipulate the credit risk analysis procedures and the administration of these credit instruments.
The key objective of the review is to assess the ability of the client to meet particular financial
commitments in a timely manner.

4.3.3 Policies relating to credit assessment and approval levels


There must be a clear understanding of the borrower or counter-party and adequate information
must be obtained to enable a comprehensive assessment of the risk profile of the customer. This will
include the purpose and repayment sources, financial statements, integrity and reputation of the
borrower or counter-party. Lack of adequate data and information in respect of a borrower would
normally lead to poor lending decisions.

Lending authority delegated to staff, with clearly established limits, should also be documented. It is
important to include the functions and reporting procedures of the various committees and individual
lending officers.

In addition, it is important to have checks and balances in place that ensure credit is granted on an
arm’s-length basis. Extensions of credit to directors, senior management and other influential parties, for
example shareholders, should not override the established credit granting and monitoring processes
of the bank.

4.3.4 Credit risk mitigation techniques


Institutions use various techniques of mitigating credit risk. The most common are collateral,
guarantees and netting off of loans against deposits of the same counter-party. While the use of
these techniques will reduce or transfer credit risk, other risks may arise which include legal, operational,
liquidity and market risks. Therefore there is a need for a bank to have stringent procedures and
processes to control these risks and have them well documented in the policies. At present, in this
jurisdiction, the common credit risk mitigation technique used is collateral.

A collateralised transaction is one in which institutions have a credit exposure or potential credit
exposure and the exposure is reduced in whole or in part. The following is essential:
• There must be legal certainty. All documentation used for collateralised lending must be binding
to all parties and also be legally enforceable.
• The legal environment must provide for right of liquidation or right of possession in a timely
manner in the event of default.
• Necessary steps must be taken for obtaining and maintaining an enforceable security, for example
registration, right of set-off or transfer of title must meet all the legal requirements.
• Procedures for timely liquidation of collateral should be in place.
• Ongoing valuations of the collateral should be undertaken to confirm that it remains
realisable.
• Guidance on the various acceptable forms of collateral should be documented.

The institution should primarily assess the borrower’s capacity to repay and should not use collateral
to compensate for insufficient information.

4.3.5 Management of problem credits


The credit policy should establish the procedures for dealing with deteriorating credits and managing
problem credits. Early recognition of weaknesses in the credit portfolio is important, as it allows
alternative action and an effective determination of loan loss potential.

An institution must have clearly articulated and documented policies in respect of the counting of
days past due, in particular in relation to granting extensions, deferrals, renewals and additional credits
to existing accounts. At a minimum it must have approval levels and reporting requirements in respect
of the above.

The policy should define a follow-up procedure for all loans and the various reports to be submitted
both to management and board of directors. It should also include the internal rating for loan
classification and provisioning.

4.3.6 Provisioning policy


The credit policy must clearly outline the provisioning procedures for all credits and the capital
charge to be held. This should comply, at a minimum, with the International Accounting Standards,
regulatory requirements and provisioning guidelines already issued by the Central Bank of Kenya.

The elements to be taken as indication of unlikeliness to pay include:


• The institution suspends or extends a zero rate interest on the obligation
• The institution sets aside a specific provision for the obligation
• The institution consents to a distressed restructuring of the credit obligation where this is
likely to result in a diminished financial obligation caused by material forgiveness, or
postponement, of principal, interest or, where relevant, fees.
• The institution has filed for bankruptcy or a similar order in respect of the obligor’s credit
obligation.
• The obligor has sought or has been placed in bankruptcy or similar protection where this
would avoid or delay repayment.

Once default has taken place the institution must make adequate provisions for these credits.

4.4 Measuring and Monitoring Credit Risk

4.4.1 Measuring Credit risk


An institution should have procedures for measuring its overall exposure to credit risk as well as
exposure to connected groups, products, customers, market segments and industries for appropriate
risk management decisions to be made.

Internationally, the direction has been for institutions to put in place stringent internal systems and
models, which allow them to effectively measure credit risk. This risk measurement system assists
institutions to make provisions for credit risk and assign adequate capital. The effectiveness of the
institution’s credit risk measurement process is dependent on the quality of management information
systems and the underlying assumptions supporting the models. The quality, detail and timeliness of
the information is of paramount importance in determining the effectiveness of the credit risk
management.

The measurement of the risk should take into account the nature of the credit, maturity, exposure
profile, existence of collateral or guarantees and potential for default. The institution should also
undertake an analysis of the whole economy or in particular sectors to ensure contingency plans are
taken on higher than expected levels of delinquencies and defaults.

4.4.2 Monitoring Credit Risk


For effective credit risk monitoring, it is important to have an internal risk rating system. This comprises
all the methods, processes, controls, data collection and IT systems that support the assessment of
credit risk ratings, and the quantification of default and loss estimates. An institution can utilise
multiple rating methodologies/systems for each class of asset. For example an institution may have
customised rating systems for specific industries or market segments (e.g. middle market and large
corporate). If an institution decides to use multiple systems, the rationale for assigning a borrower to a
rating system must be documented and applied in a manner that best reflects the level of risk of a
borrower. An institution must not allocate borrowers to rating systems inappropriately to minimise
regulatory capital requirements.

Internal rating systems are therefore an important tool in monitoring and controlling credit risk.
They ensure early identification of potential or actual deterioration in credit risk. It is also
important for the board and senior management to receive periodic reports on the condition of
the portfolios based on the internal ratings.
An effective monitoring system will ensure that the bank:
• Understands the current financial condition of the borrower.
• Monitors compliance with the existing terms and conditions.
• Assesses collateral in relation to the borrower’s current condition.
• Identifies non-performing accounts and enforces proper classification and loan loss provisioning.

The bank should also assign specific individuals for monitoring the credit portfolio including ensuring
information is disseminated to those responsible for taking corrective action and assigning adequate
reserves for loan losses.

In addition to the above, the institution should undertake a detailed credit portfolio review to include
the following:

• All loans to borrowers with aggregate exposure larger than 10 percent of the institution’s capital.
• All loans to shareholders and connected parties.
• All loans for which interest or repayment terms have been rescheduled or otherwise altered
since the granting of the loan.
• All loans for which cash payment of interest and / or principal is more than 30, 60, 90 and 180
days past due, including those for which interest has been capitalized or rolled over.
• All loans classified as substandard, doubtful or loss.

The specific objective of these reviews is to assess the likelihood that the credit will be repaid and
whether the classification of the loan is adequate. When the amount exceeds 10% of a bank’s capital, the
analysis should also consider the borrower’s business plans for the future and the potential consequences
for debt service capacity and principal repayment.

4.4.3 Credit administration


Credit administration is critical in ensuring the soundness of the credit portfolio. It is the responsibility
of management to set up a credit administration team to ensure that once a credit is granted it is
properly maintained and administered. This will include record keeping, preparation of the terms
and conditions as well as perfection and safe custody of the securities. Credit files of institutions
should contain the following information:
• Credit application
• Evidence of approval
• Latest financial information
• Record and date of all credit reviews
• Record of all guarantees and securities
• Record of terms and conditions of facility
• Evidence of a securities validation function that should include legal validity, existence, valuation,
registration of charge and safekeeping.
• Internal rating

While developing the credit administration process the institutions should develop controls to ensure
compliance with the applicable laws and regulations and internal policy. Adequate segregation of
duties between approval and administration process should be maintained.

4.4.4 Stress testing


Another important element of credit risk management is stress testing. This involves identification
of possible events or future changes that could have a negative impact on the institution’s credit
portfolio and the bank’s ability to withstand the changes. The areas to examine critically are:
• Economic or industry changes
• Market-risk events
• Liquidity conditions

Financial institutions must be in a position to analyse the various situations in the economy or
certain sectors to determine the events that could lead to substantial losses or liquidity problems.

Whatever methods are used for stress testing, the output of these should be reviewed periodically
and appropriate action taken by senior management in cases where results exceed agreed tolerance.

4.4.5 Inter bank transactions


Inter-bank transactions also portend significant credit risk. These transactions are essentially for
facilitation of fund transfers, settlement of securities transactions or because certain services are
more economically performed by other banks due to their size or geographical location. A review of
the inter bank lending typically focuses on the following:
• The establishment and observation of counter party credit limits.
• Any inter-bank for which specific provisions should be made.
• The method and accuracy of reconciliation of the nostro and vostro accounts.
• Any inter-bank credit with terms of pricing that are not the market norm.
• The concentration of inter-bank exposure with a detailed listing of banks and amounts
outstanding as well as lending limits.

4.4.6 Credit exposure and risk reporting


Credit risk information should be provided to board and management with sufficient frequency
and timeliness, and should be reliable. Reports should be generated on the credit activities both on and off
balance sheet, for example:
• Credit exposures by business line such as commercial, industrial sector, real estate, construction,
credit cards, mortgage and leasing.
• Credit exposures relating to the composition of on and off balance sheet credits by major types
of counterparties, including government, foreign corporate, domestic corporate, consumer and
other financial institutions.
• Significant credit exposure in relation to individual borrowers or counterparties, related borrowers
or groups of borrowers
• Credit exposures by major asset category showing impaired and past due amounts relating to
each category.
• Credit exposures restructured during a certain period and credits for which special conditions
have been granted.

4.5 Internal controls and audit


Institutions should have in place an independent internal system for assessment of the credit risk
management process. This function is necessary in order to enable the board to determine independently
whether the risk management process is working effectively. The results of these audits should be
communicated promptly to the directors and senior management. The review should provide sufficient
information to the board and management to enable them to evaluate accurately the performance and
condition of the portfolio. The credit review function should report directly to the board of directors
or a board’s audit committee.

A review of the lending process should include analysis of the credit manuals and other written
guidelines applied by various departments of a bank, and the capacity and actual performance of all
departments involved in the credit function. It should also cover origination, appraisal, approval,
disbursement, monitoring, collection and handling procedures for the various credit functions
provided by the institution.

The internal audit review team should ensure compliance with the institution’s credit policies
and procedures. This will require confirming the following:
• The credit granting function is carried out effectively.
• The credit exposures are within the prudential and internal limits set by the board of directors.
• Validation of significant change in the risk management process.
• Verification of the consistency, timeliness and reliability of data used for internal risk rating
system.
• Adherence to internal risk rating system.
• Identification of areas of weaknesses in the credit risk management process.
• Exceptions to the policies, procedures and limits.

The internal audit should be conducted on a periodic basis and ideally not less than once a year. The
audits should also identify weaknesses in the credit risk management process and any deficiencies
with the policies and procedures.

5.0 LIQUIDITY RISK MANAGEMENT

5.1 Introduction
Liquidity Risk is the current or prospective risk to earnings and capital arising from a bank’s inability
to meet its liabilities when they fall due without incurring unacceptable losses. Liquidity risk cannot
be seen in isolation, because it is often triggered by the consequences of other financial risks such as
credit risk, market risk etc. Similarly, liquidity problems may have significant implications for the
whole financial system.

Liquidity is the ability of an institution to generate sufficient cash or its equivalent in a timely
manner at a reasonable price to meet its commitments as they fall due. This guideline indicates some
of the elements that will be considered in assessing the strength of an institution’s liquidity management
framework and describes some of the information used to assess liquidity.

Liquidity risk management systems involve not only analyzing a bank’s on- and off-balance sheet
positions to forecast future cash flows but also how the funding requirements could be met. The
latter involves identifying the funding market to which the bank has access, understanding the nature
of those markets, evaluating the bank’s current and future use of the market and monitoring signs of
confidence erosion.

5.2 Board and Senior Management Oversight


The prerequisites of an effective liquidity risk management include an informed board, capable
management, staff with relevant expertise and efficient systems and procedures. It is the responsibility
of an institution’s board and management to ensure that the institution has sufficient liquidity to meet
its obligations as they fall due. It is primarily the duty of the board of directors to understand the
liquidity risk profile of the institution and the tools used to manage liquidity risk. The board has to
ensure that the institution has necessary liquidity risk management framework and that the institution
is capable of confronting uneven liquidity scenarios. Generally the board should:
• Approve the institution’s strategic direction and tolerance level for liquidity risk;
• Appoint senior managers who have the ability to manage liquidity risk and delegate to them
the required authority to accomplish the job;
• Continuously monitor the institution’s performance and overall liquidity risk profile; and
• Ensure that liquidity risk is identified, measured, monitored and controlled.

Senior management is responsible for the implementation of sound policies and procedures
keeping in mind the strategic direction and risk appetite specified by the board. To effectively
oversee the daily and long term management of liquidity risk, senior managers should:
• Develop and implement procedures and practices that translate the board’s goals, objectives
and risk tolerance into operating standards that are well understood by the bank personnel;
• Adhere to the lines of authority and responsibility that the board has established for managing
liquidity risk;
• Oversee the implementation and maintenance of management information and other systems
that identify, measure, monitor, and control the bank’s liquidity risk;
• Establish effective internal controls over the liquidity risk management process; and
• Ensure and review the contingency plans of the financial institution for handling disruptions
to its ability to fund some or all of its activities in a timely manner and at a reasonable cost.

The responsibility for managing daily liquidity assessment resides with the treasurer. However, the
balance sheet liquidity management resides with ALCO, which should comprise senior management
from key areas of the institution that identify/manage liquidity risk. It is important that these members
have clear authority over the units responsible for executing liquidity-related transactions so that
ALCO directives reach these line units unimpeded. The ALCO should meet monthly, if not more
frequently.

A sound framework for managing liquidity risk has three dimensions:


• maintaining a stock of liquid assets that is appropriate to the institution’s cash flow profile and
that can be readily converted into cash without incurring undue capital losses;
• measuring, controlling and scenario testing of funding requirements; and
• managing access to funding sources.

5.3. Policies, Procedures and Limits

5.3.1 Policies
Institutions should formulate a comprehensive liquidity policy statement that takes into account all
on- and off-balance sheet activities and should be recommended by senior management and approved
by the board of directors (or Head Office). While specific details vary across institutions according
to the nature of their business, the key elements of any liquidity policy should include:
• General liquidity strategy (short- and long term), specific goals and objectives in relation to
liquidity risk management, process for strategy formulation and the level of approval within
the institution;
• Roles and responsibilities of individuals performing liquidity risk management functions,
including structural balance sheet management, pricing, marketing, contingency planning,
management reporting, lines of authority and responsibility for liquidity decisions;
• Liquidity risk management structure for monitoring, reporting and reviewing liquidity;
• Liquidity risk management tools for identifying, measuring, monitoring and controlling liquidity
risk (including the types of liquidity limits and ratios in place and rationale for establishing
limits and ratios);
• Where an institution is actively involved in multiple currencies and/ or where positions in
specific foreign currencies are significant to its business, its liquidity policy should address the
measurement and management of liquidity in these individual currencies which should include
a back-up liquidity strategy for circumstances in which its normal access to funding in individual
foreign currencies is disrupted; and
• Contingency plan for handling liquidity crisis.

To be effective the liquidity policy must be communicated down the line throughout the
organization. It is important that the board and senior management review these policies at least
annually and when there are any material changes in the institution’s current and prospective liquidity
risk profile.

5.3.2 Procedures
Institutions should establish appropriate procedures and processes to implement their liquidity policies
and include the following features:
• A procedures manual which should explicitly narrate the necessary operational steps and
processes to execute the relevant liquidity risk controls;
• Periodic review and updating of the manual to take into account new activities, changes in
risk management approaches and systems;
• Management should be able to accurately identify and quantify the primary sources of a financial
institution’s liquidity risk in a timely manner;
• To properly identify the sources, management should understand both existing as well as future
risk that the institution can be exposed to; and
• Management should always be alert for new sources of liquidity risk at both the transaction
and portfolio levels.

5.3.3 Limits
Limits should be set which should be appropriate to the size, complexity and financial condition of
the financial institution. The limits should be periodically reviewed and adjusted when conditions or
risk tolerances change. When limiting risk exposure, senior management should consider the
nature of the institution’s strategies and activities, its past performance, the level of earnings,
capital available to absorb potential losses, and the board’s tolerance for risk. Financial institutions
may use a variety of ratios to quantify liquidity and create limits for liquidity management.1

In addition, balance sheet complexity will determine how much and what types of limits a bank
should establish over daily and long-term horizons. While limits will not prevent liquidity crisis, limit
exceptions can be early indicators of excessive risk or inadequate liquidity risk management.

5.4. Measuring and Monitoring Liquidity Risk


An effective measurement and monitoring system is essential for adequate management of liquidity
risk. Consequently, institutions should institute systems that enable them to capture liquidity risk
ahead of time, so that appropriate remedial measures could be prompted to avoid any significant
losses. An effective liquidity risk measurement and monitoring system not only helps in managing
liquidity in times of crisis but also optimizes returns through efficient utilization of available funds.
Key elements of an effective risk management process include an efficient Management Information
System (MIS) and systems to measure, monitor and control risks.

Every financial institution’s MIS should be integrated into the overall management information systems
of the institution, and thus link various units related to treasury activities, i.e. the dealing, the treasury
operation and risk management department. A strong management information system that is flexible
enough to deal with various contingencies that may arise is central to making sound decisions related
to liquidity.

At the core of a financial institution’s liquidity management systems there should be a monitoring of:
• The maturity profile of cash flows under varying scenarios;
• The stock of liquid assets available to the institution and their market values;
• The ability of an institution to execute asset sales in various markets (notably under adverse
conditions) and to borrow in markets;
• Potential sources of volatility in assets and liabilities (and claims and obligations arising from
off-balance sheet business);
• The impact of adverse trends in asset quality on future cash flows and market confidence in
the bank;
• Credit standing and capacity of providers of standby facilities to meet their obligations;
• The impact of market disruptions on cash flows and on customers;
• Intra-group cash flows and the accessibility of intra-group funding; and
• The type of new deposits being obtained, as well as its source, maturity, and price.

Maturity Profile
Analyzing funding requirements involves the construction of a maturity profile. A cash flow
projection estimates a bank’s inflows and outflows and thus establishes the net deficit or surplus (GAP)
over a time horizon. It takes into account the institution’s funding requirement arising out of distinct
sources on different time frames. Maturity profiles will depend heavily on assumptions regarding
future cash flows associated with assets, liabilities and off-balance sheet business.

Financial institutions should review the assumptions utilized in managing liquidity frequently to
determine that they continue to be valid, since a financial institution’s future liquidity position will
be affected by factors that cannot always be forecast with precision.

Contingency Planning
In order to develop a comprehensive liquidity risk management framework, institutions should have
way out plans for stress scenarios. A Contingency Funding Plan (CFP) is a set of policies and procedures
that serves as a blueprint for a bank to meet its funding needs in a timely manner and at a reasonable
cost. It is a projection of the future cash flow sources of a bank under market scenarios including
aggressive asset growth or rapid liability erosion. To be effective it is important that a CFP represent
management’s best estimate of balance sheet changes that may result from a liquidity or credit event.
Effective CFP should consist of several components:
• Provide specific procedures to ensure timely and uninterrupted information flows to senior
management
• Clear division of responsibility within management in a crisis
• Action plans for altering asset and liability behaviors (i.e., market assets more aggressively, sell
assets intended to hold, raise interest rates on deposits)
• An indication of the priority of alternative sources of funds (i.e., designating primary and
secondary sources of liquidity)
• A classification of borrowers and trading customers according to their importance to the
institution in order to maintain customer relationships; and
• Plans and procedures for communicating with the media. Astute public relations management
can help a bank to avoid the spread of rumours that could result in a significant run-off of
funds.

5.5. Internal Controls and Audit


In order to have effective implementation of policies and procedures, institutions should institute
a review process that ensures compliance with the various procedures and limits prescribed by
senior management. Institutions should have an adequate system of internal controls over their liquidity
risk management process. There should be regular, independent reviews and evaluations of the
effectiveness of the system. The fundamental components of the internal control system should include:
• A strong control environment
• An adequate process for identifying and evaluating liquidity risk
• The establishment of control activities such as policies and procedures and adequate information
systems with regular independent reviews and evaluations of the effectiveness of the system;
and
• Ensuring that appropriate revisions or enhancements to internal controls are made.

Financial institutions should ensure that all aspects of the internal control systems are effective,
including those that are not directly part of the risk management process. Periodic reviews should be
conducted to verify the level of liquidity risk and management’s compliance with limits and operating
procedures. Any exception to that should be reported immediately to senior management/board and
necessary actions should be taken.

6.0 INTEREST RATE RISK MANAGEMENT

6.1 Introduction
Interest rate risk is the current or prospective risk to earnings and capital arising from adverse movements
in interest rates. Excessive interest rate risk can pose a significant threat to a financial institution’s
earnings and capital base. Changes in interest rates affect a financial institution’s earnings by changing
its net interest income and the level of other interest-sensitive income and operating expenses. Changes
in interest rates thus can have adverse effects both on a financial institution’s earnings, capital and its
economic value.

The goal of interest rate risk management is to maintain a financial institution’s interest rate risk
exposure within self-imposed parameters over a range of possible changes in interest rates.

Sound interest rate risk management involves the application of four basic elements in the management
of assets, liabilities and off-balance-sheet instruments:
• Appropriate board and senior management oversight;
• Adequate risk management policies, procedures and limits;
• Appropriate risk measurement and monitoring functions; and
• Comprehensive internal controls and independent audits.

The specific manner in which a financial institution applies these elements in managing its interest
rate risk will depend upon the complexity and nature of its holdings and activities as well as on the
level of interest rate risk exposure. What constitutes adequate interest rate risk management practices
can therefore vary considerably. For example, less complex financial institutions whose senior managers
are actively involved in the details of day-to-day operations may be able to rely on relatively basic
interest rate risk management processes.

However, other institutions that have more complex and wide-ranging activities are likely to require
more elaborate and formal interest rate risk management processes, to address their broad range of
financial activities and to provide senior management with the information they need to monitor and
direct day-to-day activities.

Moreover, the more complex interest rate risk management processes employed at such financial
institutions require adequate internal controls that include audits or other appropriate oversight
mechanisms to ensure the integrity and accuracy of the information used by senior management in
overseeing compliance with policies and limits.

6.2 Board and Senior Management Oversight


The board of directors has the ultimate responsibility for understanding the nature and the level of
interest rate risk taken by the financial institution. The board therefore has the following principal
responsibilities:
• To formulate and approve broad business strategies and policies that govern or influence the
interest rate risk of the financial institution. Accordingly, the board of directors is responsible
for approving the overall policies with respect to interest rate risk and for ensuring that
management takes the steps necessary to identify, measure, monitor and control these risks.

• It should also review the overall objectives of the financial institution with respect to interest
rate risk and should ensure the provision of clear guidance regarding the level of interest rate
risk acceptable to the financial institution.

• To approve policies that identify lines of authority and responsibility for managing interest
rate risk exposures. As such management is responsible for ensuring that the financial institution
has adequate policies and procedures for managing interest rate risk on both a long-term and
day-to-day basis and that it maintains clear lines of authority and responsibility for managing
and controlling this risk.

• To periodically review information that is sufficient in detail and timeliness to allow it to
understand and assess the performance of senior management in monitoring and controlling
these risks in compliance with the financial institution’s board-approved policies.

Management should be mandated by the board to be responsible for maintaining:


• Appropriate limits on risk taking;
• Adequate systems and standards for measuring risk;
• Standards for valuing positions and measuring performance;
• A comprehensive interest rate risk reporting and interest rate risk management review process;
and
• Effective internal controls.

6.3 Policies, Procedures and Limits


Financial institutions should have clearly defined policies and procedures for limiting and controlling
interest rate risk on both on- and off- balance sheet positions. These policies should be applied on a
consolidated basis and as appropriate, at specific affiliates or other units of the financial institution.
Such policies and procedures should:

• Delineate lines of responsibility and accountability over interest rate risk management
decisions and clearly define authorised instruments, hedging strategies and position-taking
opportunities;
• Identify the types of instruments and activities that the financial institution may employ or
conduct, thus acting as a means through which the board can communicate their tolerance of
risk on a consolidated basis and at different legal entities;
• Identify quantitative parameters that define the level of interest rate risk acceptable for the
financial institution and where appropriate, such limits should be further specified for certain
types of instruments, portfolios and activities;
• Be reviewed periodically and revised as needed, so as to define the specific procedures and
approvals necessary for exceptions to policies, limits and authorisations; and
• Delineate a clear set of institutional procedures for acquiring specific instruments, managing
portfolios and controlling the financial institution’s aggregate interest rate risk exposure.

Prior to introducing a new product, hedging, or position-taking strategy, management should ensure
that adequate operational procedures and risk control systems are in place. The board or its appropriate
delegated committee should also approve major hedging or risk management initiatives in advance
of their implementation. Proposals to undertake new instruments or new strategies should contain
these features:
• A description of the relevant product or strategy;
• An identification of the resources required to establish sound and effective interest rate risk
management of the product or activity;
• An analysis of the reasonableness of the proposed activities in relation to the financial condition
and capital levels; and
• The procedures to be used to measure, monitor and control the risks of the proposed product
or activity.

Limits
An appropriate limit system should:
• Enable management to control interest rate risk exposures, initiate discussion about
opportunities and risks and monitor actual risk taking against predetermined risk tolerances;
• Ensure that positions that exceed certain predetermined levels receive prompt management
attention;
• Be consistent with the overall approach to measuring interest rate risk;
• Be approved by the board of directors and re-evaluated periodically;

• Be appropriate to the size, complexity and capital adequacy of the financial institution as
well as its ability to measure and manage its risk; and
• Be identifiable with individual business units, portfolios, instrument types or specific instruments.

Financial institutions must have adequate information systems for measuring, monitoring, controlling
and reporting interest rate exposures. Reports must be provided on a timely basis to the board of
directors, senior management and, where appropriate, individual business line managers.

The following are some of the board reports that should be provided:
• Violation of approved responsibilities by managers when taking interest rate risk exposures
or investing in unapproved instruments;
• Excesses over approved interest rate limits;
• Any exceptions highlighted by the internal auditor.

6.4 Measuring and Monitoring Interest Rate Risk


In general, but depending on the complexity and range of its activities, a financial institution should
have interest rate risk measurement and monitoring systems that:
• Assess the effects of rate changes on both earnings and economic value of the institution;
• Provide meaningful measures of the financial institution’s current levels of interest rate risk
exposure;
• Are capable of identifying any excessive exposures that might arise;
• Are capable of assessing all material interest rate risks associated with a financial institution’s
assets, liabilities and off-balance-sheet positions;
• Utilize generally accepted financial concepts and risk measurement techniques; and
• Have well documented assumptions and parameters.

Measurement
The risk measurement system should support a meaningful evaluation of the effect of stressful
market conditions on the financial institution. Stress testing should be designed to provide
information on the kinds of conditions under which the financial institution’s strategies or
positions would be most vulnerable and thus may be tailored to the risk characteristics of the
institution. Possible stress scenarios might include abrupt changes in the general level of interest
rates, changes in the relationships among key market rates (i.e., basis risk), changes in the slope
and the shape of the yield curve (i.e., yield curve risk), changes in the liquidity of key financial
markets or changes in the volatility of market rates. In addition, stress scenarios should include
conditions under which key business assumptions and parameters break down. The stress
testing of assumptions used for illiquid instruments and instruments with uncertain contractual
maturities is particularly critical to achieving an understanding of the financial institution’s risk
profile. In conducting stress tests, special consideration should be given to instruments or markets
where concentrations exist as such positions may be more difficult to liquidate or offset in
stressful situations. Financial institutions should consider “worst case” scenarios in addition to
more probable events. Management and the board of directors should periodically review both
the design and the results of such stress tests, and ensure that appropriate contingency plans are
in place.

The simplest techniques for measuring a financial institution’s interest rate risk exposure begin with
a maturity/repricing schedule that distributes interest-sensitive assets, liabilities and off-balance-
sheet positions into “time bands” according to their maturity (if fixed rate) or time remaining to their
next repricing (if floating rate). These schedules can be used to generate simple indicators of the
interest rate risk sensitivity of both earnings and economic value to changing interest rates. When
this approach is used to assess the interest rate risk of current earnings, it is typically referred to as
gap analysis. The size of the gap for a given time band – that is, assets minus liabilities plus off-
balance-sheet exposures that reprice or mature within that time band – gives an indication of the
financial institution’s repricing risk exposure.

A maturity/repricing schedule can also be used to evaluate the effects of changing interest rates on
a financial institution’s economic value by applying sensitivity weights to each time band. Typically,
such weights are based on estimates of the duration of the assets and liabilities that fall into each
time band, where duration is a measure of the percent change in the economic value of a position that will occur given
a small change in the level of interest rates. Duration-based weights can be used in combination with
a maturity/repricing schedule to provide a rough approximation of the change in a financial institution’s
economic value that would occur given a particular set of changes in market interest rates.

Financial institutions may employ more sophisticated interest rate risk measurement systems than
those based on simple maturity/repricing schedules, such as simulation techniques, which typically
involve detailed assessments of the potential effects of changes in interest rates on earnings and
economic value by simulating the future path of interest rates and their impact on cash flows. In
static simulations, the cash flows arising solely from the current on-and off-balance sheet positions
are assessed. In a dynamic simulation approach, the simulation builds in more detailed assumptions
about the future course of interest rates and expected changes in a financial institution’s business
activity over that time.


These more sophisticated techniques allow for dynamic interaction of payment streams and
interest rates, and better capture the effect of embedded or explicit options. Regardless of the
measurement system, the usefulness of each technique depends on the validity of the underlying
assumptions and the accuracy of the basic methodologies used to model interest rate risk exposure.

In designing interest rate risk measurement systems, financial institutions should ensure that the
degree of detail about the nature of their interest-sensitive positions is commensurate with the
complexity and risk inherent in those positions. For instance, using gap analysis, the precision of
interest rate risk measurement depends in part on the number of time bands into which positions are
aggregated. Clearly, aggregation of positions/cash flows into broad time bands implies some loss of
precision. In practice, the financial institution must assess the significance of the potential loss of
precision in determining the extent of aggregation and simplification to be built into the measurement
approach.

When measuring interest rate risk exposure, two further aspects call for more specific comment: the
treatment of those positions where behavioural maturity differs from contractual maturity and the
treatment of positions denominated in different currencies. Positions such as savings and time deposits
may have contractual maturities or may be open-ended, but in either case, depositors generally have
the option to make withdrawals at any time. In addition, financial institutions often choose not to
move rates paid on these deposits in line with changes in market rates. These factors complicate the
measurement of interest rate risk change when interest rates vary.

Financial institutions with positions denominated in different currencies can expose themselves to
interest rate risk in each of these currencies. Since yield curves vary from currency to currency,
financial institutions generally need to assess exposures in each. Financial institutions with the
necessary skill and sophistication and with material multi-currency exposures, may choose to include
in their risk measurement process methods to aggregate their exposures in different currencies using
assumptions about the correlation between interest rates in different currencies. A financial institution
that uses correlation assumptions to aggregate its risk exposures should periodically review the stability
and accuracy of those assumptions. The financial institution should also evaluate what its potential
risk exposure would be in the event that such correlations break down.

6.5 Management Information System


An accurate, informative, and timely management information system is essential for managing
interest rate risk exposure, both to inform management and to support compliance with board
policy. Reporting of risk measures should be regular and should clearly compare current exposure
to policy limits. In addition, past forecasts or risk estimates should be compared with actual
results to identify any modeling shortcomings.

The board should regularly review reports detailing the interest rate risk exposure of the
financial institution. While the types of reports prepared for the board and for various levels of
management will vary based on the financial institution’s interest rate risk profile, they should, at a
minimum, include the following:
• Summaries of the financial institution’s aggregate exposures;
• Reports demonstrating the financial institution’s compliance with policies and limits;
• Results of stress tests including those assessing breakdown in key assumptions and parameters;
and
• Summaries of the findings of reviews of interest rate risk policies, procedures, and the adequacy
of the interest rate risk measurement systems, including any findings of internal and external
auditors and retained consultants.

The duties of the individuals involved in the risk measurement, monitoring and control functions
must be sufficiently separate and independent from the business decision makers and position takers
to ensure the avoidance of conflicts of interest.

6.6 Internal Controls and Audit


Financial institutions should have adequate internal controls to ensure the integrity of their interest
rate risk management process. These internal controls should be an integral part of the institution’s
overall system of internal control. They should promote effective and efficient operations, reliable
financial and regulatory reporting, and compliance with Central Bank of Kenya’s prudential and
regulatory requirements. An effective system of internal control for interest rate risk includes:
• A strong control environment. This should include appropriate approval processes, exposure
limits, reconciliation, reviews and other mechanisms designed to provide a reasonable assurance
that the institution’s interest rate risk management objectives are achieved;
• An adequate process for identifying and evaluating risk;
• The establishment of control activities such as policies, procedures and methodologies;
• Adequate information systems; and
• Continual review of adherence to established policies and procedures. This is an important
element of a financial institution’s internal control system over its interest rate risk management
process. Such reviews and evaluations should be conducted regularly by internal auditors or
other individuals who are independent of the function they are assigned to review.


In those instances where internal auditors conduct the independent review, financial institutions
are encouraged to have the risk measurement, monitoring and control functions periodically
reviewed by external auditors.


7.0 PRICE RISK MANAGEMENT

7.1 Introduction
Price risk is the risk that a bank may experience loss due to unfavorable movements in market prices.
It arises from the volatility of positions taken in the four fundamental economic markets: interest-
sensitive debt securities, equities, currencies and commodities. The volatility of each of these markets
exposes banks to fluctuations in the price or value of on- and off- balance sheet marketable financial
instruments.

Price risk results from changes in the prices of equity instruments, commodities and other instruments.
The potential for loss arises from the process of revaluing equity or investment positions in shilling
terms.

Therefore the regulators require all financial institutions to formulate a sound price risk management
framework that must encompass the following critical areas: Board and Management Oversight;
Policies, Procedures and Limits; Risk Identification and Measurement, Monitoring and Management
Information Systems; and Internal Controls.

7.2 Board and Senior Management Oversight


• The Board of Directors and senior management of financial institutions are ultimately
responsible for the institution’s exposure to price risk and the level of risk assumed.
• They should put in place well-articulated policies, setting forth the objectives of the financial
institution’s risk management strategy on commodity dealing/financing with respect to price
risk.
• The board of directors should review and approve the price risk management policies and
procedures based on recommendations by senior management of the institution.
• The board of directors should also review and approve the procedures to measure, manage and
control price risk within which foreign exchange transactions shall be conducted.
• The parameters and limits within which this strategy is to be controlled should be clearly spelt
out.
• The board should periodically review and approve price risk limits to conform to any changes
in the institution’s strategies, address new products, and react to changes in market conditions.
• The board and senior management should therefore identify and have a clear understanding
and working knowledge of the price risks inherent in the institution’s investment portfolio and
make appropriate efforts to remain informed about these risks as financial markets, risk
management practices, and the institution’s activities evolve.
• Management should be sufficiently competent and able to respond to price risks that may
arise from changes in the competitive environment or from innovations in markets in
which the organization is active.

7.3 Policies, Procedures and Limits


Financial institutions should have written policies governing equities trading and other
investment activities, including off-balance sheet items, that communicate the expectations of the
board of directors to the management and staff. Policies and procedures should have the following
attributes:
• In general, policies should reflect the tolerance of the board and senior management for the
various risks arising from investment and trading activities.
• There should be set limits governing price risk exposure that include company limit, sectoral
exposure and limits.
• Limits for more volatile and less liquid equities and other investments can be lower than those
for stable and liquid investments.
• The mechanisms by which positions are established by the investment manager/committee
should be clearly defined in the policy document.
• The policies should also spell out the frequency with which positions are revalued and reported
to both management and the board.
• Overall, the board and senior management should ensure that the policies and guidelines
clearly identify procedures to be followed, type of services offered, definition of jobs and
responsibilities for all those entrusted with the responsibility of making investment decisions.

7.4 Measuring and Monitoring Price Risk


As measuring risk is critical to understanding the potential loss an institution may be exposed to, the
most common approaches to measuring and limiting price risk are enumerated below:
• To limit the size and concentration of investment that is price sensitive, based on percentage
of either total investment or total assets of the institution;
• Adherence to the prudential regulations and the limits on investments imposed by the
Banking Act;
• Determine the size of the loss that would be incurred should the prices of shares and other
investments move against the position the financial institution has taken; and
• The principal goal should be to provide strong assurance that losses resulting from price changes
involving both on- and off-balance sheet items will not substantively diminish the capital of
the financial institution.


Management Information System


Accurate and timely information systems are critical to the management of price risk, and for ensuring
compliance with relevant risk limits. Financial institutions should:
• Devote the resources necessary to generating information on compliance with relevant risk
limits; and
• Design standardised reports to communicate the information regarding risk concentration,
current position, country/sectoral exposures etc.

At the minimum, reports available should include:


• total value of outstanding investments, and current market values;
• profit and loss, totals and comparison to previous mark to market;
• aggregate investment limits;
• limit or sectoral excesses; and
• valuation of option contracts, if any.

7.5 Internal Control and Audit


The internal audit function of the financial institution should review and assess the price risk
management process. The internal audit should ensure that management observes the laid-down policies
and procedures governing price risk management and that accounting procedures meet the necessary
standards of accuracy, promptness and completeness.

The Audit Committee should, among other duties, review periodically the entire price risk management
process. The Audit Committee can greatly enhance the quality of reports and the reasonableness of
management information supplied to the board, the management and the Central Bank of Kenya.


8.0 FOREIGN EXCHANGE RATE RISK MANAGEMENT

8.1 Introduction
Foreign exchange rate risk is the current or prospective risk to earnings and capital arising from
adverse movements in currency exchange rates. The potential for loss arises from the process of
revaluing foreign currency positions on both on- and off- balance sheet items, in shilling terms.

All financial institutions should formulate a sound foreign exchange risk management framework
that must encompass the following critical areas: Board and Management Oversight; Policies,
Procedures and Limits; Risk Identification and Measurement, Monitoring and Management
Information Systems; and Internal Controls.

8.2 Board and Senior Management Oversight


• The Board of Directors and senior management of financial institutions are ultimately
responsible for the institution’s exposure to foreign exchange risk and the level of risk assumed.
• They should put in place well-articulated policies, setting forth the objectives of the financial
institution’s foreign exchange risk management strategy.
• The parameters and limits within which this strategy is to be controlled should be clearly spelt
out.
• The board of directors should review and approve the foreign exchange risk management policies
and procedures based on recommendations by senior management of the institution.
• The board of directors should also review and approve the procedures to measure, manage and
control foreign exchange risk within which foreign exchange transactions shall be conducted.

8.3 Policies, Procedures and Limits


• Financial institutions should have written policies governing on- and off-balance sheet activities
in foreign currencies that communicate the expectations of the board of directors to the
management and staff.
• In general, policies should reflect the tolerance of the board and senior management for the
various risks arising from foreign currency activities.
• There should be set limits governing foreign exchange operations that include, but are not limited
to, overnight open position limits, currency by currency, and for all currencies combined.
• Limits for more volatile and less liquid currencies should be lower than those for stable and
liquid currencies.
• There should also be set limits governing intra-day foreign exchange activities. Limits generally
should be based on estimates of loss potential.
• The mechanisms by which counterparty credit, settlement limits and country limits are
established and allocated to the foreign department should be clearly defined in the policy
document.
• In addition to an aggregate credit limit for each counterparty, a settlement risk sub-limit should
be established for the size of a transaction (or transactions) that can be settled on any given
day.
• The policies should also include the frequency with which such revaluations should be
performed for both management and accounting purposes - management revaluation being the
more frequent.
• Overall, the board and senior management should ensure that the policies and guidelines
clearly identify the types of products and services offered, definition of jobs and responsibilities for
dealing and operational functions, code of conduct for the foreign exchange personnel,
operational controls, reporting requirements, and profitability expectations and tolerance for
losses.
• Policies should be reviewed regularly to suit the volumes and risk as the environment changes.

8.4 Measurement, Monitoring and Control


Measuring risk is critical to understanding the potential loss to which an institution may be
exposed. Common approaches to measuring and limiting exchange rate risk are:
• Limit the size of the open positions in each currency as of the close of business each day.
Limits are established for either the nominal size of the position or the size of the percentage.
• Adherence to the regulatory requirements that pertain to the net open positions.
• Determine, on a continuous basis, the size of the loss that would be incurred should the
exchange rate move against the financial institution’s open position.
• Provide strong assurance that foreign exchange losses will not substantively diminish the total
earnings of the financial institution.
• Ensure adequate training of personnel and segregation of duties between the front and the
back office.

8.5 Management Information System


Accurate and timely information systems are critical to the management of foreign currency positions,
and for ensuring compliance with relevant risk limits. Financial institutions should:
• Devote the resources necessary to generating information on compliance with relevant risk
limits.
• Design standardised reports to communicate the information regarding open foreign exchange
positions, forward interest rate positions, liquidity positions, counterparty and country exposures.
• Ensure that positions and exposures are reported on a consolidated basis. Such reports
should be prepared and verified by persons not responsible for transacting foreign currency
business.

At a minimum, reports available should include:


• Net overnight positions by currency;
• Maturity distribution by currency of the assets and liabilities for both on and off balance sheet
items;
• Outstanding contracts by settlement date and currency;
• Total value of outstanding contracts, spot and forward;
• Gains and losses, totals and comparison to previous day’s;
• Market value of off-balance sheet products;
• Aggregate dealing limits;
• Exceptional reports, e.g. limit or line excesses; and
• Valuation of option contracts, if any.

8.6 Internal Controls and Audit


Internal audit should review and assess the foreign exchange risk management process subsequent to
the quantification of foreign exchange risk. It should also ensure that foreign exchange traders/
dealers observe their instructions and the code of behaviour required of them and that accounting
procedures meet the necessary standards of accuracy, promptness and completeness. It will also be
necessary for management to establish and implement procedures governing the conduct and practices
of foreign exchange traders/dealers.

Periodically, the Audit Committee should review the foreign exchange risk management process so as to
enhance the quality of reports and the reasonableness of foreign exchange risk management information
supplied to the board, the management and the Central Bank of Kenya.

9.0 OPERATIONAL RISK MANAGEMENT

9.1 Introduction
Operational risk is associated with human error, system failures and inadequate procedures and
controls. It is the risk of loss arising from the potential that inadequate information systems, technology
failures, breaches in internal controls, fraud, unforeseen catastrophes, or other operational problems
may result in unexpected losses. Operational risk exists in all products and business activities.

The focus on operational risk has gained momentum in the recent past as a result of various
developments that have influenced the manner in which banking operations are conducted. Some of
these developments include the use of sophisticated technologies, the growth of e-commerce, mergers
and acquisitions, financial institutions’ increasing reliance on large-scale service providers and
the use of financial techniques that reduce credit and market risk but increase operational risk. The
recognition of its importance has led to international trends favouring the inclusion of capital charges
for operational risk, in order to provide a cushion of capital to cover this risk.

Operational risk includes legal risks, but not regulatory risk. Legal risk is the current and prospective
risk to earnings or capital arising from non-conformance with laws, rules, prescribed practice, internal
policies and procedures, or ethical standards. Legal risk exposes the institution to fines, civil money
penalties, payment of damages, and the violation of contracts.

The objectives of operational risk management are to:

• Find out the extent of the financial institution’s operational risk exposure;
• Understand what drives it;
• Allocate capital against it; and
• Identify and employ tools, both internally and externally, that would help in risk mitigation.

9.2 Board and Senior Management Oversight


Ultimate accountability for operational risk management rests with the institution’s board of directors.
Consequently, the level of risk that the organization accepts, together with the basis for managing
those risks, is driven from the top down by those charged with overall responsibility for running the
business.

The board and senior management should ensure that there is an effective, integrated operational
risk management framework. This should incorporate a clearly defined organizational structure, with
defined roles and responsibilities for all aspects of operational risk management/monitoring
and appropriate tools that support the identification, assessment, control and reporting of key
risks.

Senior management should implement the strategic direction given by the board through the institution’s
operational risk management policy. Although the board may delegate the management of this process,
it must ensure that its requirements are being executed. The policy should include:
• The strategy given by the board of the bank;
• The systems and procedures to institute an effective operational risk management framework;
• The structure of operational risk management function; and
• The roles and responsibilities of individuals involved.

A separate independent function should be established for effective management of operational risk.
The function should assess, monitor and report operational risk as a whole and ensure that the
management of operational risk in the institution is carried out as per strategy and policy.

9.3 Policies and Procedures


Financial institutions should have policies, processes and procedures to control or mitigate material
operational risks. Operational risk policies and procedures that clearly define the way in which all
aspects of operational risk are managed should be documented and communicated. These operational
risk management policies and procedures should be aligned to the overall business strategy and
should support the continuous improvement of risk management.

The policy should establish a process to ensure that any new or changed activity, such as new products
or systems, will be evaluated for operational risk prior to going online. It should be approved by the
board and documented. Management should ensure that it is communicated and understood
throughout the institution. There is also a need for management to put in place proper monitoring and
control processes in order to have effective implementation of the policy. The policy should be
regularly reviewed and updated, to ensure it continues to reflect the environment within which the
institution operates.

Advances in information technology and communications have led to a global system in which money
can move anywhere in the world with speed and ease. Financial institutions should establish adequate
financial transaction reporting systems, customer identification and comprehensive record keeping
procedures that enable detection of money laundering schemes.


9.4 Measuring operational risk


The institution should identify and assess the operational risk inherent in all material products, activities,
processes and systems and vulnerability to these risks. Institutions should also ensure that before
new products, activities, processes and systems are introduced or undertaken, the operational risk
inherent in them is subjected to adequate assessment procedures. The institution needs to
systematically track and record frequency, severity and other information on individual loss events.
Such data could provide meaningful information for assessing the institution’s exposure to operational
risk and developing a policy to mitigate/control that risk. The tracking of these data will provide
input for the models that the institution may adopt in order to measure the operational risk to which
the institution is exposed.

Methods of Measuring Operational risk.


The approach for risk management chosen by an institution will depend on a range of factors including
its size and sophistication and the nature and complexity of its activities.

International trends are moving towards allocating capital as a cushion specifically for operational
risk. The measurement approaches available for estimating operational risk range from simple
approaches to fairly sophisticated ones.

Financial institutions should consider moving along the spectrum of available approaches as
they develop more sophisticated operational risk measurement systems and practices.

9.5 Monitoring Operational risk.


An effective monitoring process is essential for adequately managing operational risk. Regular
monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in
the policies, processes and procedures for managing operational risk. Promptly detecting and
addressing these deficiencies can substantially reduce the potential frequency and/or severity of
a loss. There should be regular reporting of pertinent information to senior management and
the board of directors that supports the proactive management of operational risk.

Management should ensure that information is received by the appropriate people, on a timely
basis, in a form and format that will aid in the monitoring and control of the business. The
reporting process should include information such as:
• The critical operational risks facing the institution;
• Risk events and issues together with intended remedial actions;
• The effectiveness of actions taken;
• Details of plans formulated to address any exposures where appropriate;
• Areas of stress where crystallization of operational risks is imminent; and
• The status of steps taken to address operational risk.

Contingency Planning: Financial institutions should have in place contingency and business continuity
plans to ensure their ability to operate as going concerns and minimise losses in the event of severe
business disruptions.

9.6 Internal Control and Audit


Although a framework of formal, written policies and procedures is critical, it needs to be reinforced
through a strong control culture that promotes sound risk management practices. In our financial
system, weak and/or ineffective internal controls have led to failure of some of our financial
institutions. To be effective, strong internal control systems should be an integral part of the structures
of an institution.
The business units should establish risk management and internal control procedures to address
operational risks. While the extent and nature of the controls adopted by each institution will
be different, very often such measures encompass areas such as code of conduct, delegation of
authority, segregation of duties, audit coverage, compliance, succession planning, mandatory
leave, staff compensation, recruitment and training, dealing with customers, complaint handling,
record keeping, MIS, physical controls, etc.


10.0 REPUTATIONAL RISK MANAGEMENT

10.1 Introduction
Reputational risk is the potential that negative publicity regarding an institution’s business
practices, whether true or not, will cause a decline in the customer base, costly litigation, or
revenue reductions. This risk may result from a financial institution’s failure to effectively manage
any or all of the other risk types.

Reputational risk also involves external perception. Thus reputational risk is where the actions
of a business damage its reputation, to the extent that it may lose sales or customers, or where
the actions of a financial institution damage its reputation to the extent that they lose business
or offer to bear or share losses suffered by their customers. Many management teams have been
criticized for the way they handled a crisis – not because their strategy was ill conceived or
clumsily implemented, but because they failed to tell the outside world what the strategy was.

Managing reputational risk is an important feature of sound risk management practice in any
financial institution. The exact approach chosen by an individual financial institution will depend
on a range of factors, including its size and sophistication and the nature and complexity of its
activities.

The way a financial institution handles a crisis is not only dependent on the quality and timeliness
of its decision making but also on how its stakeholders perceive it. This is based on a blend of
perceptions, which may pre-date the crisis. If a financial institution has a reputation for putting
profit before principle, it will face a tougher battle to protect its reputation.

A versatile risk management framework for reputational risk must include: Board and
Management Oversight, Policies, Procedures and Limits, Risk Measurement, Monitoring and
Management Information Systems and Internal Controls.

10.2 Board and Management Oversight


Ultimate accountability for reputational risk management rests with the board. The Board of
directors should address explicitly reputational risk as a distinct and controllable risk to the
financial institution’s safety and soundness.

Management should fully understand all aspects of reputational risk and exhibit a clear
commitment to compliance. The commitment should be communicated throughout the
institution. Responsibility for corporate reputation typically resides with the chief executive
or the corporate communications department. Reputation risk falls between the two, cutting
across many aspects of the business. It requires a small, cross-functional team to create and
implement a protection strategy. This would typically comprise a representative from corporate
communications, customer relations, the health and safety department, investor relations, the
legal department, operations, public affairs, and risk management, with input from the chief
executive or chairman.

The board should approve a reputational risk strategy and establish a management structure capable
of implementing that strategy. The board should review the strategy regularly to ensure that the
financial institution is managing the reputational risks. This review process should also aim to
incorporate industry innovations (such as the internet) in reputational risk management into the
financial institution’s systems and processes.

10.3 Policies, Procedures and Limits


Management must translate the reputational risk management strategy established by the board of
directors into policies, processes and procedures that can be implemented and verified. While each
level of management is responsible for the appropriateness and effectiveness of policies, processes,
procedures and controls within its purview, senior management must clearly assign authority,
responsibility and reporting relationships to encourage this accountability. This responsibility includes
ensuring that the necessary resources are available to manage reputational risk effectively.

Financial institutions should have policies, processes and procedures to control or mitigate material
reputational risks. Authority and accountability for compliance should be clearly defined and enforced.
Institutions’ privacy policies should fully consider legal and litigation concerns.

10.4 Reputational Risk Identification and Measurement


Risk identification is critical for the subsequent development of viable reputational risk measurement,
monitoring and control. A financial institution needs to have a clear understanding of the main
threats to its reputation. These might manifest themselves through sustained media coverage, rapid
fall in share price, and loss of customer confidence. They can be caused by factors such as the effects
of activism, discrimination in the workplace, unethical trading, marketing failures, or more traditional
risks such as product/service failure.

Once the risks have been identified, they need to be prioritised in order to help managers determine
where to devote effort and resources. This prioritisation process should be linked to the financial
institution’s existing risk management strategies. The institution might evaluate the reputation
risk ranking. For instance, an institution might feel that the likelihood of an earthquake on a key
operation might be relatively low, but if it were to happen such an event would be catastrophic
– the risk is therefore defined as small but significant.

10.5 Risk Monitoring and Management Information System


Examining reputational risks for their likelihood and impact shows only one side of the coin. The
other side requires an assessment of the organization’s ability to avoid the risk or respond to it if it
occurs.

Having mapped important risks, the organization should establish procedures to monitor early warning
signs of them occurring or increasing. One of the important listening posts in a financial institution
is the customer services department. This department will often be able to establish early warning
signals of a trend occurring before the issue spills over to the public domain. The frequency of
monitoring should reflect the risks involved and the frequency and nature of changes in the operating
environment. The results of these monitoring activities should be included in management and
board reports.

A system should exist to ensure that deficiencies identified are promptly managed and meaningful
corrective action implemented. Training programs should be effective, and the necessary resources
provided to ensure compliance.

Using the website proactively enables a company to provide regular updates to all its important
stakeholders. This need not only apply to external audiences but can apply internally through the
corporate intranet. “Crisis centres” might make information available in real time, assisting those
attempting to manage the situation. It can ensure that a single, current position statement is used by
representatives in every market in which the company operates, reducing inaccuracy and inconsistency.
It can also provide low-cost training and a central facility to capture the lessons learned from past
crises.

10.6 Internal Controls and Audit


No financial institution will be able to avoid or pre-empt all of the risks it faces – neither should it
seek to do so. However, it does need to establish a defensive armoury to protect its corporate
reputation against the unforeseeable. Such an armoury would cover procedures, training, materials,
and relationships.

In some respects, reputation risk should be treated in the same way as more traditional risks. It
should be included within a company’s internal audit procedures to ensure that the procedures to avoid,
detect and respond to reputation risks are being applied and are kept up to date. The Y2K
millennium bug illustrates this well. Although in the event most companies survived relatively
unscathed, for many the issue only appeared on the reputation radar screen in 1999, despite
being a reputational risk for a number of years before that.


11.0 REGULATORY RISK MANAGEMENT


Regulatory risk is the risk of non-compliance with regulatory guidelines. Regulatory risk is the
current and prospective risk to earnings or capital arising from violations of, or non-conformance
with, laws, rules, regulations, prescribed practice, or ethical standards issued by the regulator
from time to time. Regulatory risk also arises in situations where the laws or rules governing
certain bank products or activities of the bank’s clients may be ambiguous or untested.

Regulatory risk exposes an institution to fines, civil money penalties, payment of damages, and the
violation of contracts. It can lead to diminished reputation, reduced franchise value, limited business
opportunities, reduced expansion potential and an inability to enforce contracts.

The ultimate accountability for Regulatory risk management rests with the board. Management should
fully understand all aspects of Regulatory risk and exhibit a clear commitment to compliance. The
commitment should be communicated throughout the institution. The board and senior management
should ensure that there is an effective, integrated Regulatory risk management framework.

Banks should have policies, processes and procedures to control or mitigate material Regulatory
risks. Authority and accountability for compliance should be clearly defined and enforced. Violations
or non-compliance issues should be measured by number or seriousness. Every institution should have a
record of its compliance.

A system should exist to ensure that deficiencies identified are promptly managed and meaningful
corrective action implemented. Training programs should be effective, and the necessary resources
provided to ensure compliance. Management should show preparedness towards anticipation of
Regulatory risk and be able to respond well to changes of a market, technological or regulatory
nature.

Compliance management process and information systems should be sound and the institution should
have a strong control culture. Compliance considerations should be incorporated into product and
system development and modification processes, including changes made by outside service providers
or vendors.

The institution should have a strong control structure that has proven effective. Compliance
management systems should be sound and minimize the likelihood of excessive or serious future
violations or non-compliance. Appropriate controls and systems should be implemented
to identify compliance problems and assess performance.

APPENDIX 1: RISK MANAGEMENT STRUCTURE

The primary responsibility of understanding the risks run by a financial institution and ensuring that
the risks are appropriately managed should clearly be vested with the board of directors. The board
should set limits by assessing the financial institution’s risk and risk-bearing capacity. At the
organizational level, overall risk management should be assigned to a Risk Management Committee
or an independent Risk Manager that reports directly to the board. The Risk Manager must be
sufficiently independent of the business lines in order to ensure an adequate separation of duties and the
avoidance of conflicts of interest.

The Risk Management Committee or the Risk Manager shall take full responsibility for evaluating
the overall risks faced by the financial institution and determining the level of risks that will be in the
best interest of the financial institution. The functions of the Risk Management Committee or Risk
Manager should essentially be to identify, measure, monitor and control the risks undertaken
by a financial institution.


APPENDIX II: COMPREHENSIVE RISK MANAGEMENT PROGRAMME


No single risk management system works for all financial institutions. For this reason, the
Central Bank of Kenya requires each financial institution to develop its own comprehensive
Risk Management Programme (RMP) tailored to its needs and circumstances. This Risk
Management Programme, however, should at least cover the most common risks, as follows:
• Strategic Risk
• Credit Risk
• Liquidity Risk
• Interest Rate Risk
• Foreign Exchange Risk
• Price Risk
• Operational Risk
• Regulatory Risk

Regardless of the Risk Management Programme design, each programme should include:

Risk Identification: In order to manage risks, risks must first be identified. Almost every product
and service offered by financial institutions has a unique risk profile composed of multiple risks. For
example, at least four types of risks are usually present in most loans: credit risk, interest rate risk,
liquidity risk and operational risk. Risk identification should be a continuing process and risk should
be understood at both the transaction and portfolio levels.

Risk Measurement: Once the risks associated with a particular activity have been identified, the
next step is to measure the significance of each risk. Each risk should be viewed in terms of its three
dimensions: size, duration and probability of adverse occurrences. Accurate and timely measurement
of risk is essential to effective risk management systems.

Risk Control: Once risks have been identified and measured for significance, there are basically
three ways to control significant risks, or at least minimize their adverse consequences: avoiding or
placing limits on certain activities/risks, mitigating risks and/or offsetting risks. It is a primary
management function to balance expected rewards against risks and the expenses associated with
controlling risks. Financial institutions should establish and communicate risk limits through policies,
standards and procedures that define responsibility and authority.

Risk Monitoring: Financial institutions need to establish an MIS that accurately identifies and
measures risks at the inception of transactions and activities. It is equally important for
management to establish an MIS to monitor significant changes in risk profiles. A loan payment
delinquency report reflecting loans that are not paying as agreed is one report that indicates
possible changes in perceived risk profiles. Since many financial institutions depend heavily on
their net interest margins for survival, an MIS that reflects the impact of changes in interest rate
risk is very important. In general, monitoring risks means developing reporting systems that
identify adverse changes in the risk profiles of significant products, services and activities and
monitoring changes in controls that have been put in place to minimize adverse consequences.

BASIC ELEMENTS OF A SOUND RISK MANAGEMENT SYSTEM

The risk management program of each financial institution should at least contain the following
elements of a sound risk management system:

Active Board and Senior Management Oversight


Boards of directors have ultimate responsibility for the level of risk taken by their institutions.
Accordingly, they should approve the overall business strategies and significant policies of their
organizations, including those related to managing and taking risks and should ensure that senior
management is fully capable of managing the activities that their institutions conduct. All boards of
directors are responsible for understanding the nature of the risks significant to their organizations
and for ensuring that the management is taking the steps necessary to identify, measure, monitor and
control these risks.

The level of technical knowledge required of directors may vary depending on the particular
circumstances at the institution. Consequently, what is most important is for directors to have a clear
understanding of the types of risks to which their institutions are exposed and to receive regular
reports that identify the size and significance of the risks in terms that are meaningful to them.
Directors could take steps to develop an appropriate understanding of the risks their institutions face,
possibly through briefings from auditors and experts. Using this knowledge and information, directors
should provide clear guidance regarding the level of exposures acceptable to their institutions and
have the responsibility to ensure that senior management implements the procedures and controls
necessary to comply with adopted policies.

Senior management is responsible for implementing strategies in a manner that limits risks
associated with each strategy. Management should therefore be fully involved in the activities of
their institutions and possess sufficient knowledge of all major business lines to ensure that
appropriate policies, controls and risk monitoring systems are in place and that accountability
and lines of authority are clearly delineated. Senior management is also responsible for establishing
and communicating a strong awareness of and need for effective internal controls and high
ethical standards. Meeting these responsibilities requires senior managers of a financial institution
to demonstrate a thorough understanding of developments in the financial sector and a detailed
knowledge of the activities their institution conducts, including the nature of the internal controls
necessary to limit the related risks.

Adequate Policies, Procedures and Limits


The board of directors and senior management should tailor their risk management policies and
procedures to the types of risks that arise from the activities the institution conducts. Once the risks
are properly identified, the institution’s policies and procedures should provide detailed guidance for
the day-to-day implementation of broad business strategies and should include limits designed to
shield the organization from excessive and imprudent risks. While all financial institutions should
have policies and procedures that address their significant activities and risks, the coverage and level
of detail embodied in these documents will vary among institutions. Management is expected to
ensure that policies and procedures address the material areas of risk to an institution and that they
are modified when necessary to respond to significant changes in the financial institution’s activities
or business conditions.

Adequate Risk Monitoring and Management Information Systems (MIS)


Effective risk monitoring requires institutions to identify and measure all material risk exposures.
Consequently, risk-monitoring activities must be supported by information systems that provide
senior managers and directors with timely reports on the financial condition, operating performance
and risk exposure of the consolidated organization.
The sophistication of risk monitoring and MIS should be consistent with the complexity and diversity
of the institution’s operations. Every financial institution shall require a set of management and
board reports to support risk-monitoring activities. These reports may include daily or weekly balance
sheets and income statements, a watch list for potentially troubled loans, a report of overdue loans,
simple interest rate risk report and other relevant reports. Financial institutions are expected to have
risk monitoring and management information systems in place that provide directors and senior
management with a clear understanding of the financial institution’s risk exposures.

Adequate Internal Controls


An institution’s internal control structure is critical to the safe and sound functioning of the
organization, in general and to its risk management, in particular. Establishing and maintaining
an effective system of controls, including the enforcement of official lines of authority and the
appropriate separation of duties is one of management’s more important responsibilities. Indeed,
appropriately segregating duties is a fundamental and essential element of a sound risk management
and internal control system. Failure to implement and maintain an adequate separation of duties
can constitute an unsafe and unsound practice and possibly lead to serious losses or otherwise
compromise the financial integrity of the institution. Serious lapses or deficiencies in internal
controls including inadequate segregation of duties may warrant supervisory action, including
formal enforcement action.

When properly structured, a system of internal controls promotes effective operations and reliable
financial and regulatory reporting, safeguards assets and helps to ensure compliance with relevant
laws, regulations and institutional policies. Internal controls should be tested by an independent and
suitably qualified internal auditor who reports directly to the board’s Audit Committee. Given the
importance of appropriate internal controls to financial institutions, the results of audits or reviews,
conducted by an internal auditor or other persons, should be adequately documented, as should
management’s responses to them. In addition, communication channels should exist that allow negative
or sensitive findings to be reported directly to the board’s Audit Committee.

A good risk management system shall at the minimum embrace the above aspects. The financial
institution shall on a regular basis review its risk management programme to assess its adequacy in
coping with developments in the industry. It should be appreciated that understanding the risk
profiles of products and services, and balancing them with actions taken to reduce the adverse
consequences of risk-taking, allows an institution to optimize revenues and maximize the use of
capital.


APPENDIX III

MAIN REFERENCES

1 Basel Committee on Banking Supervision

• Principles for the Management of Credit Risk (September 2000)

• Sound Practices for Managing Liquidity in Banking Organizations (February 2000)

• Principles for the Management and Supervision of Interest Rate Risk (January 2001)

• Sound Practices for the Management and Supervision of Operational Risk (December 2001)

2 World Bank’s Bank Supervision Guidelines

• Foreign Exchange Management

• Credit Portfolio Evaluation

3 Canadian Deposit and Insurance Corporation (CDIC) Standards of Sound Business and Financial Practices

4 Office of the Comptroller’s Handbook (USA)

5 Federal Reserve System’s Commercial Bank Examination Manual

6 Australian Prudential Regulatory Authority

• Risk Management Systems in Banks

7 Fundamentals of Risk Management in a Financial Environment (Thomas Fitzgerald)

8 Risk Management Systems in Banks – Guidelines Reserve Bank of India (October 1999)

9 Risk Management Guidelines, Bank of Uganda

10 The Financial Risk Manual, A Systematic Guide to Identifying and Managing Financial Risk (by John Holliwell)

11 Analysing and Managing Banking Risk (Second Edition), by H van Greuning & S B Bratonavic

12 Risk Management Guidelines for Commercial Banks and DFIs, State Bank of Pakistan

13 Prudential Regulations for Banking Institutions, Central Bank of Kenya

