Regular Compliance

The existence of risk is not necessarily reason for concern. Likewise, the existence of high risk in any area is not necessarily a concern, so long as management exhibits the ability to effectively manage that level of risk. Under this approach, the Bangko Sentral ng Pilipinas (BSP) will not necessarily attempt to restrict risk-taking but rather to ensure that FIs identify, understand and control the risks they assume. As an organization grows more diverse and complex, the FI’s risk management processes must keep pace. When risk is not properly managed, BSP will direct FI management to take corrective action such as reducing exposures, increasing capital, strengthening risk management processes or a combination of these actions. In all cases, the primary concern of the BSP is that the FI operates in a safe and sound manner and maintains capital commensurate with its risk. Further guidance on risk management issues will be addressed in subsequent issuances that are part of the overall risk assessment program. 

For purposes of the discussion of risk, the BSP will evaluate banking risk relative to its impact on capital and earnings. From a supervisory perspective, risk is the potential that events, expected or unanticipated, may have an adverse impact on the FI’s capital or earnings. The BSP-Supervision and Examination Sector has defined eight categories of risk for FI supervision purposes. These risks are: credit, market, interest rate, liquidity, operational, compliance, strategic and reputation. These categories are not mutually exclusive; any product or service may expose the FI to multiple risks. In addition, they can be interdependent. Increased risk in one category can increase risk in other categories. 

As market conditions and company structures vary, this risk management program was designed to guide not only the risk and compliance unit but the management as well to evaluate level of risk and mitigation measures to lessen the impact across banking operations. 

1. Identify risk: To properly identify risks, the bank shall recognize and understand existing risks or risks that may arise from new business initiatives, including risks that originate in non-bank subsidiaries and affiliates. This risk identification process shall be on a continuing process. 

2. Measure risk: Accurate and timely measurement of risk is essential to effective risk management systems. Risk measurement system shall be established to control or monitor the risk levels. Periodic testing shall be conducted to make sure that the measurement tools are accurate. Due to complexity of the bank’s transactions, assessment of impact of increased transaction volume across all risk categories shall be done. 

3. Monitor Risk – Monitoring of risks level to ensure timely review of risk positions and exceptions shall be done. Monitoring reports should be frequent, timely, accurate, and informative and should be distributed to appropriate individuals to ensure action, when needed. 

4. Control Risk – Communication of risks limits through policies, procedures, and standards shall be established. These policies, procedures and standards shall define responsibility and authority. These control limits should be valid tools that management should be able to adjust when conditions or risk tolerances change. Strategic direction and risk tolerance shall be established by the board. As such, policies that set operational standard and risk limit shall be approved by the board. With this, the board can hold management accountable for operating within established tolerances. Capable management and appropriate staffing are also essential to effective risk management. The bank management is responsible for the implementation, integrity, and maintenance of risk management systems. Management also must keep the board adequately informed. Management must be responsible in the following: 

a. Implementation of the strategy. 

b. Develop policies that define the risk tolerance and ensure compatibility with strategic goals. 

c. Ensure that strategic direction and risk tolerances are effectively communicated and adhered to throughout the bank. 

d. Oversee the development and maintenance of management information systems to ensure that information is timely, accurate and pertinent. 

The compliance risk management system of the bank is designed to specifically identify and mitigate risks that may erode the franchise value of the bank such as risks of legal or regulatory sanctions, material financial loss, or loss to reputation, that bank may suffer as a result of its failure to comply with laws, rules, related self-regulatory organization standards, and codes of conduct applicable to its activities. 

This compliance risk management will also mitigate risk arising from failure to manage conflict of interest, treat customers fairly, or effectively manage risks arising from money laundering and terrorist financing activities. 

Compliance risk management is not solely the responsibility of the compliance unit, but instead the responsibility and shared accountability of all personnel, officers and Board of Directors. This has been an integral part of the culture and risk governance of the institution.