As firms start to consider in earnest how to approach their Individual Capital Adequacy Assessment Process ("ICAAP") and the appropriate documentation of that process, which needs to be in place in final form by 1 January 2008 at latest, there are a number of practical issues which need to be addressed.
For a number of small and medium sized firms, the use of internal models or economic capital models will not be a realistic option for ICAAP purposes. They will therefore go down a "Pillar 1 plus" route; ie, taking the assessment of capital requirements from their Pillar 1 calculation of capital requirements and assessing the incremental level of capital required to capture both the risks not met by the Pillar 1 calculation for market, credit and operational risk, and the additional Pillar 2 requirements not addressed by the Pillar 1 calculation. This second list will need to be tailored to the firm’s view of the major risks it faces. It is likely to include operational risk for those firms which do not assess it fully or at all at Pillar 1, interest rate risk (which is likely to be relevant to every firm), concentration risk, business risk, residual risk (which collateral does not cover the full risk of counterparty balances), etc.
This is where it becomes clear that the ICAAP is not a formulaic or pre-programmed exercise, but rather a requirement for firms to demonstrate full responsibility for their own capital planning and to set out their own logical vision of their "risk appetite" for the various elements of the business risks they face.
The risk appetite of the firm will manifest itself in various different ways, for example from the level of principal positions it is willing to take to the effectiveness of the firm’s infrastructure. There is nothing necessarily wrong with firms setting a "Mini" rather than a "Rolls Royce" level of operational processing, but there is a potential capital implication of that decision if it leads to operational errors, etc. This part of the process must be undertaken at the highest level within the business, and should be informed by senior management’s understanding of the risk profile of the business itself (e.g. is it under particular commercial pressures?), and the issues which have been raised in the firm’s FSA ARROW risk assessment or internal or external audit and other reporting.
How then should businesses go about the ICAAP itself? It is a balanced assessment of the current state of the business and of the likely future performance. For the current state assessment, firms will need to catalogue the risks they face across the business, the mitigating controls and the likely probability of particular risks being encountered and their likely impact. This will give a form and shape to the likely capital required to be taken against individual risk categories, based on the assessment of their impact and probability and the quality of internal controls in place against them. Some elements of this assessment can be "scientific", i.e. based on particular loss event data, but for many firms there will not be a track record of losses in some risk categories. They will also not use complex models to assess risk in their business.
This is where the assessment of risk becomes more judgmental and more reliant on senior management’s deep insight into the firm’s business model and operational infrastructure. The current state assessment, which should be refreshed at least annually as part of the review of the ICAAP methodology and results, should also be used to drive control improvements in the business, using the risk and controls matrices to set a rectification programme for the identified control gaps.
In terms of the assessment of the future performance of the business, the firm should set budgets going out at least five years, and should apply appropriate stress and scenario testing to those budgets, which most closely model the macro economic risks to which the firm is subject. The FSA has stated the need for this forward look to be based on budgets set over at least a five year timescale, with appropriate stress and scenario testing, including testing which emulates a once in 25 year risk event. This is again not an easy requirement for firms to achieve, particularly where they have not previously extensively used scenario analysis in the business. What is important to remember is that the risk measures chosen should be appropriate, proportionate and focussed on the relevant risks of the business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
