Risk Management

The Bank is operating in a complex and dynamic environment and judicious management of risk is an essential component of good governance and long-term value creation. Identifying, quantifying and managing all risks as well as striking a balance between risk and return is the essence of risk management. The Bank has a professional Risk Management Framework (RMF) in place underpinned by rigorous structures, systems, procedures and practices, taking into account all the risks the Bank is exposed to, both internal and external. The RMF has been drawn up taking into account the needs of regulators and other stakeholders. It is detailed in the Risk Management Policy Guide. The Risk Management Framework is reviewed at least annually to take into account any changes in Saudi Arabian Monetary Authority (SAMA) regulations, the Bank’s risk management needs and the operating environment.

The Risk Appetite Framework (RAF) is an expression of the corporate strategy which serves as a guide for day-to-day operations. It covers both risks arising as a result of the Bank’s strategy and other risks. Regarding the former, it addresses the maximum level of risk the Bank could take without hampering its operations (risk capacity) as well as the policy on the level of risk it should take (risk appetite). It also sets out the policy on the risk-return trade-off, which is measured by the budgeted Regulatory Capital Adequacy Ratio. The Bank’s risk profile is the set of actual risk exposures, which are monitored across each category, aggregated and reported periodically to SAMA. The risk profile should be kept within the risk appetite.

The implementation of the RAF is supported by a robust risk culture that is instilled into employees at all levels. Directives from the Board are communicated as necessary to all levels and enforced stringently. The culture promotes open discussion of issues pertaining to risk, shared values and communication. Self-reporting of risk and control issues is encouraged, as is escalation of violations to higher levels. Exceptions to limits require the approval of an appropriate authority. Risk profile measurement and aggregation are adequately monitored and reported.

The different types of risk that the Bank has to take into account are described below:

Credit risk

This is the risk that counterparties do not fulfil their obligations on time and/or in full. Credit risk may arise with any type of counterparty: corporates, small businesses or individuals. Credit risk with business entities arises primarily from loans, acceptances, guarantees, derivatives and foreign exchange products. Credit risk to retail customers mainly relates to loans, mortgages and credit cards. The Bank has a Credit Policy Guide (CPG) approved by the Board of Directors, which provides strategic guidelines for managing credit risk. The CPG seeks to maximise returns while keeping risk to a practicable minimum. It mandates strict compliance with all relevant laws, rules and regulations. Risk is also minimised by avoiding concentration of risk and diversifying credit across borrowers, industries, geographic locations, banks, collateral, products etc.

Operational risk

This is the risk arising from inadequate or faulty internal processes, human failures and external events. Examples are internal or external fraud, market manipulation, damage to physical assets, and hardware and software failures. An Operational Risk Management Framework, approved by the Board of Directors, addresses the various types of operational risk and how they should be handled. An Operational Risk Appetite Matrix has also been established for the Bank as a whole. Operational losses incurred are monitored on an ongoing basis and appropriate corrective action is taken. A set of Key Risk Indicators (KRIs) has also been developed at the level of the business units to enable proactive monitoring and management of operational risks.

Market risk

This is the risk arising from changes in market variables such as interest rates, foreign exchange rates and equity prices. Management of such risks is laid down in the Treasury Policy Guide (TPG) issued by the Board of Directors.

Some of the types of market risk are:

Interest rate risk

This is the possibility that changes in interest rates affect either the future cash flows or the fair values of financial instruments. It could arise from timing differences between fixed rate and floating rate assets and liabilities. The Board strives to manage these risks by controlling mismatches by time period.

Currency risk

This is the risk of fluctuations in exchange rates affecting the values of financial instruments. The Board monitors this risk by setting limits on forward maturity gaps and by hedging strategies.

Equity price risk

Equity price risk is the risk of a decrease in the fair values of the Bank’s non-trading equities. This risk is mitigated by adhering to limits on equity investments which are set by the Board.

Investment risk

Investment risk is a combination of credit risk, interest rate risk, market risk and currency risk. There are also dependencies and correlations between these various factors. The Board monitors this type of risk by setting limits on investments in terms of size, asset class, credit class, currency and type.

Liquidity risk

This is the risk that the Bank will be seriously hampered in its ability to meet its current or future cash flow requirements without resorting to exceptional measures that may jeopardise its financial position or standing. It tends to be a combination of other risks such as credit risk and market risk. This risk is mitigated by reducing dependence on more volatile funding sources such as wholesale funding and inter-bank funding; avoiding external downgrades or other negative news; reducing unsecured borrowings from the short-term money market; minimising inter-bank credit lines; avoiding deposit flight; and limiting off-balance-sheet derivative products and committed credit lines.

Reputation risk

This is the risk arising from a loss of public confidence in the Bank, and the resulting loss of earnings and capital. In today’s communication environment, where news spreads instantaneously, it is paramount that reputation be safeguarded. Reputation risk can arise from failure to comply with regulatory requirements, unethical conduct of employees or poor standards of service.

The Bank handles the possibility of reputation risk by strict compliance with laws, regulations and governance principles, updating Standard Operating and Accounting Procedures (SOAPs) and adhering to policies laid down by the Board.

Macroeconomic and business risk

This is the risk arising from macroeconomic parameters such as inflation rates and oil price fluctuations. These risks are taken into account in drawing up the annual business plans, and adherence to the plans will mitigate such risks.

Legal risk

Legal risk arises from failure to comply with statutory or regulatory obligations, uncertainty due to legal actions, uncertainty regarding application or interpretation of contracts, laws and regulations, or uncertainty about the rights and obligations of the parties the Bank is dealing with.

The Bank takes a proactive approach to managing legal risk by analysing the legal implications of all business activities. Similarly, all Bank procedures, policies and documents are reviewed periodically from a legal perspective.

Information security risks

This is the risk of unauthorised access to, disclosure of, tampering with or destruction of information. It has become a very important threat in the present context, where cyber threats have become widespread.

Information security is a part of corporate strategy. The Bank actively promotes security governance and a security culture. A clearly laid down Information Security Policy, on which is built an Information Security Management System (ISMS), is the foundation of the Bank’s security system. Comprehensive security measures are in place to safeguard IT facilities, hardware, data, and software.

Security is assured by risk-based audits conducted by internal audit, external agencies and certification bodies. The Bank deploys adequate technical safeguards to prevent breaches of security. This is complemented by training and by promoting awareness among staff and customers.

Strategic risk

Strategic risk is the impact on the Bank’s current or prospective earnings or capital arising from improper business decisions, flawed implementation of decisions or inadequate responsiveness to industry developments and the business environment. The Bank mitigates these risks by adhering to the five-year strategic plans which are prepared periodically.

Global risk

This is the risk arising from events over which the Government of the Kingdom has no control such as recessions in major economies, natural disasters and terrorist attacks. Global risks are monitored through the Asset and Liability Committee (ALCO) by monthly review meetings and corrective action.

Pre-settlement and settlement risk

Pre-settlement risk is the possibility of a counterparty to a contract not fulfilling its obligations under the contract and defaulting before the contract’s settlement date, prematurely ending the contract. This could arise, for example, if the counterparty becomes bankrupt prior to performing the contract. It will entail finding a replacement party to complete the contract and incurring the resulting costs. The pre-settlement risks for various types of transactions are covered in the Bank’s Treasury Policy Guide. The Bank measures pre-settlement risk by the likelihood of adverse market movements leading to default situations.

Settlement risk is the possibility that a counterparty to a contract does not deliver a security or an agreed cash value when the Bank has fulfilled its obligations under the contract. This could occur with futures contracts.

Risk governance

The Board of Directors bears the primary responsibility for risk governance, assisted by several other committees such as the Executive Committee, Risk Committee, Audit Committee and Compliance Committee. A number of other management committees also handle risk governance at the management level. The composition, roles and responsibilities of these committees are laid down in the Corporate Governance Policy of the Bank as well as in their respective charters. Reporting to the various committees for monitoring and control/approval is independent of normal business lines at all times.

The CEO, Business Heads, Chief Risk Officer, CFO, Head of Compliance and Head of Internal Audit are responsible for risk governance at the management level, supported by the following committees:

  • Credit Committee
  • Asset and Liability Committee
  • Enterprise Risk Management Committee
  • Operational Risk Management Committee
  • Financial Fraud Control Committee
  • Business Continuity Management Committee
  • Information Security Committee

The General Managers of various business units will manage risks pertaining to their respective units by adhering to the relevant guidelines and limits set by policies approved by the Board.

A Risk Management Group is in place to monitor and control the relevant risks and exposures of the Bank. The monitoring and controlling process is supported by Financial Planning and Control Department, Internal Audit Department and Compliance Department. The Risk Management Group is headed by a Chief Risk Officer and includes Heads of the Departments actively involved in risk management.

The Chief Risk Officer’s duties include:

  • Developing an appropriate risk appetite framework and obtaining approval for it
  • Actively monitoring the Bank’s risk profile relative to its risk appetite, risk capacity and other risk limits
  • Establishing a process for monitoring and reporting on the alignment of the risk parameters with the Bank’s risk culture
  • Ensuring the integrity of risk management systems and MIS
  • Acting in a timely manner to minimise risks, especially when there is a risk of exceeding risk limits
  • Escalating promptly to the appropriate authorities any material risk limit breach that places the Bank at risk of exceeding its risk capacity

The Bank utilises a number of qualitative and quantitative tools to identify, assess, limit and monitor risks, including:

  • Measurement of risk in commercial and consumer lending and other asset exposures, taking into account related collateral coverage
  • Quantification of the sensitivity of the market values of single positions or portfolios to changes in market variables
  • Ongoing assessment of the effectiveness of risk monitoring and reporting mechanisms

An Internal Capital Adequacy Assessment Plan (ICAAP) is prepared in accordance with SAMA guidelines. The ICAAP includes an assessment of the Bank’s risk exposures over a one-year period, along with an assessment of available and required capital.

The Bank also carries out stress testing to gauge its robustness to withstand risks. This includes the Bank’s exposures to credit, market, liquidity, concentration, operational and other risks.

During the year under review, a number of initiatives were implemented to improve the risk management function, especially regarding increased automation. The second phase of Proactive Risk Manager (PRM), an online fraud prevention system, was successfully implemented. Major improvements in the automation of market risk and operational risk management are also in progress. Initiatives are also under way regarding the modelling of credit risk. Probability of default (PD) and loss given default (LGD) will be quantified in line with the new IFRS for loan impairments; this is a team effort involving business, finance and IT.

Developing human resource skills for credit risk management has not been neglected. During 2015, 22 Saudi graduates, including nine women, were recruited and followed an intensive 15-week programme in risk management and related topics. These graduates have now been assigned to various departments within the Risk Management Group and have been confirmed in their positions. We look forward to a valuable contribution from them to the Bank’s risk management function in the years ahead.

Business continuity plan

The Bank is cognisant of the fact that it can be vulnerable to threats, both internal and external. Such threats include natural disasters, system failures and data breaches, which can seriously disrupt or halt operations. They can also seriously tarnish the Bank’s reputation and impair stakeholder confidence. The Bank has policies and plans in place to enable the continuance of normal business operations despite a disruptive incident, and also to detect, prevent where possible and minimise the impact of such incidents. Advance preparation and planning are required to restore normal services in the event of a disruptive crisis. Since the Bank’s processes are highly automated, there is a need for backup and recovery strategies and temporary alternative processes in the event of a system crash or failure.

The business continuity function is overseen by a Business Continuity Management Committee (BCMC) headed by the Business Continuity Plan Manager. The Bank has a detailed Business Continuity Plan (BCP) to manage disruptive situations. The goal of the BCP is to enable the Bank to recover from any crisis situation and restore all critical business lines within four hours. It also aims to minimise the loss of information and assets to an acceptable level. All staff are familiarised with the BCP and their respective roles in a situation where it has to be invoked. The BCP is tested periodically in a simulated environment to ensure its applicability and effectiveness in a real situation. The BCMC will periodically review the progress of the BCP and consider necessary changes.

To reaffirm the comprehensiveness of our Business Continuity Plan, preparation for the ISO 22301:2012 surveillance audit of the Bank-wide Business Continuity Management commenced in 2017. The audit was conducted in January 2018 by TUV HELLAS and covered actions on previous surveillance observations, the Business Continuity Management structure and policies, the Business Impact Analysis (BIA) methodology and the Business Continuity Plan. The audit was successfully completed with zero non-conformities, but three potential improvements were identified that will be considered in due course. The re-certification audit, which will be more comprehensive than the current one, will take place at the end of 2018.

Risk performance

The actual performance of some key risk indicators against a benchmark (Bank target levels, regulator-approved limits or Saudi industry averages) is given in the table below:

Risk category and parameter             | Description                                   | Benchmark/Regulatory limit            | Actual position as at December 31, 2017
----------------------------------------|-----------------------------------------------|---------------------------------------|----------------------------------------
Credit risk – Quality of lending portfolio | Gross NPA ratio (%)                        | N/A                                   | 1.27
Credit risk – Quality of lending portfolio | Net NPA ratio (%)                          | N/A                                   | 1.29
Credit risk – Quality of lending portfolio | Provision cover (times)                    | N/A                                   | 1.39
Liquidity risk                          | Liquidity coverage ratio (LCR) (as of last 90 days) (%) | Minimum LCR to be maintained at 100% | 223.17
Strategic risk – Capital adequacy       | Capital adequacy – Tier I (%)                 | N/A                                   | 17.34
Strategic risk – Capital adequacy       | Capital adequacy – Total capital (%)          | N/A                                   | 20.42
Strategic risk – Capital adequacy       | Capital funds to deposits ratio (%)           | N/A                                   | 20.16
Strategic risk                          | ROE (%)                                       | N/A                                   | 10.72
Strategic risk                          | Creditworthiness – Fitch Ratings              | Investment grade rating (BBB-)        | BBB+/F2

Notable activities during 2017

An automated process was introduced for processing financial institution-related TACM approval requests. A new monthly report was also implemented for financial institutions, covering country limits and Bank exposures.

To improve retail credit risk management, scorecards for credit card and loan applications, as well as application procedures, were revised. An IFRS 9-based project was also carried out for consumer lending products. Frameworks were developed to improve operational risk management, and risk and control self-assessment workshops were conducted for 15 entities in the Bank.

New rules covering payments were implemented to give effect to proactive fraud monitoring through the Proactive Risk Management System. Business continuity process testing exercises were conducted Bank-wide, and disaster recovery testing was carried out for critical business areas such as Treasury and the Call Centre. Enhanced monitoring of Treasury-related activities was conducted to minimise market risk. Improved procedures were also introduced for tracking and managing all assets held as collateral, including land.