MaRisk

AT 4.3 Internal control system

1 Depending on the nature, scale, complexity and riskiness of the business
activities conducted, every institution shall
(a) set up rules governing the organisational and operational structure,
(b) establish risk management and risk control processes, and
(c) implement a risk control function and a compliance function.

AT 4.3.1 Organisational and operational structure

When designing the organisational and operational structure it shall be ensured that activities that are not compatible with each other are performed by different staff members
and that conflicts of interest are avoided also when staff members change posts. If staff of
trading or front office units move to back office units and control units, appropriate cooling-off periods shall be applied to activities that violate the ban on self-audit and self-review.

Back office units and control units
Back office units and control units within the meaning of this number are:

  • risk control function,
  • compliance function,
  • back office,
  • settlement and control.

If the cooling-off periods would lead to a disproportionate delay in operating procedures, smaller, less complex institutions may establish alternative, appropriate control
mechanisms.

Processes as well as the related tasks, competencies, responsibilities, controls and reporting channels shall be clearly defined and coordinated. Rights and competencies shall be
assigned on a need-to-know basis and shall be swiftly adjusted, where necessary. This shall
include regular and ad hoc reviews of IT access rights, authorities to sign and other competencies that have been assigned within appropriate periods of time. The periods of time
shall depend on the significance of the processes and, in the case of IT access rights, on
the protection requirements of the processed data. The same shall apply to interfaces to
material outsourced activities and processes.

Reviewing rights and competencies
Access rights in connection with transaction accounts and material IT access rights shall
be reviewed at least annually, and all others at least every three years. Especially critical
IT access rights, such as those held by administrators, shall be reviewed at least every
six months.
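The review periods above translate directly into a recertification check that an identity or access-governance team can run over its entitlement inventory. The following is an added example, not part of the MaRisk text; the category labels, the entitlement records and the reference date are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Maximum review intervals in months, taken from the explanatory note
# "Reviewing rights and competencies" (AT 4.3.1). The category keys are our
# own labels for the classes of rights the note distinguishes (assumption).
MAX_REVIEW_INTERVAL_MONTHS = {
    "transaction_account": 12,  # access rights on transaction accounts: at least annually
    "material_it": 12,          # material IT access rights: at least annually
    "critical_it": 6,           # especially critical IT access rights (e.g. administrators)
    "other": 36,                # all other rights and competencies: at least every three years
}


@dataclass(frozen=True)
class Entitlement:
    user: str
    right: str
    category: str       # one of the keys of MAX_REVIEW_INTERVAL_MONTHS
    last_reviewed: date


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_review_due(e: Entitlement) -> date:
    """Latest date by which the entitlement must have been reviewed again."""
    if e.category not in MAX_REVIEW_INTERVAL_MONTHS:
        # Unknown classification is itself a finding: refuse rather than guess.
        raise ValueError(f"unclassified entitlement {e.user}/{e.right}")
    return add_months(e.last_reviewed, MAX_REVIEW_INTERVAL_MONTHS[e.category])


def overdue(entitlements, today: date):
    """Entitlements whose review deadline has already passed, most overdue first."""
    late = [e for e in entitlements if next_review_due(e) < today]
    return sorted(late, key=next_review_due)


# Constructed sample inventory (hypothetical users, systems and dates).
SAMPLE = [
    Entitlement("alice", "core-banking administrator", "critical_it", date(2023, 12, 1)),
    Entitlement("bob", "payments: transaction account access", "transaction_account", date(2023, 9, 15)),
    Entitlement("carol", "HR portal read-only", "other", date(2021, 3, 31)),
    Entitlement("dave", "trading-book risk system", "material_it", date(2024, 1, 10)),
]

if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed reference date
    for e in overdue(SAMPLE, today):
        print(f"OVERDUE {e.user:6} {e.right:40} due {next_review_due(e)} ({e.category})")
```

Run against the sample inventory with the reference date 2024-06-30, the check reports carol (three-year deadline passed on 2024-03-31) and alice (six-month deadline for an administrator right passed on 2024-06-01); bob and dave are still within their annual window. The review interval is driven by the classification of the right, so the inventory's category field is the control point: an entitlement that is not classified is reported as an error rather than silently given the longest interval.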

AT 4.3.2 Risk management and risk control processes

1 Each institution shall establish appropriate risk management and risk control processes in order to ensure that the material risks and associated risk
concentrations are
(a) identified,
(b) assessed,
(c) managed,
(d) monitored and reported.
These processes shall be factored into an integrated performance and
risk management (Gesamtbanksteuerung). Suitable measures shall be
taken to ensure that the risks and associated risk concentrations are effectively limited and monitored, taking internal capital adequacy and risk
appetite into account.

Limiting and monitoring of risks and associated risk concentrations
Suitable measures to limit risks and associated risk concentrations can include quantitative instruments (eg limit systems, traffic-light systems) and
qualitative instruments (eg regular risk analyses).
Risks included in the internal capital adequacy approach are generally,
where this is meaningful, limited and monitored on the basis of an effective
limit system. Where risks cannot be meaningfully limited and monitored by
a limit system, other, primarily qualitative instruments may be used.

Intra-group claims
Intra-group claims shall be duly taken into account in the risk management
and risk control processes.

Maintaining data on exposures and associated collateral
The institution should maintain the data needed for appropriate risk assessment, management and monitoring, and for the provision of information.
This includes in particular data on collateral and on the relationship between
collateral and the underlying transactions.

2 The risk management and risk control processes shall ensure that the material risks – including risks resulting from outsourced activities and processes – can be identified early, fully captured and adequately presented.
To this end, the institution shall derive suitable indicators for the early
identification both of risks and of potential consequences across different
types of risk, which are based on quantitative and/or qualitative risk features depending on the nature of the risk type concerned.
3 Risk reports on the risk situation, including existing risk concentrations, shall be submitted to the management board at appropriate intervals. Moreover, the management board shall inform the supervisory board about the risk situation, including existing risk concentrations, at least quarterly in an appropriate written form. Details on
reporting risks to the management board and the supervisory board are set forth in
BT 3.

4 Material risk-related ad hoc information shall be promptly passed on to the management board, the responsible officers and, where appropriate, to the internal audit
function, so that suitable measures or audit activities can be initiated at an early stage.
A suitable procedure shall be established for this purpose.

Duty to inform the internal audit function
The internal audit function shall be informed whenever, in the opinion of the organisational units concerned, relevant risk-related shortcomings are identified, major loss or
damage has been incurred, or there is a concrete suspicion that irregularities have occurred.

5 The risk management and risk control processes, as well as the methods
and procedures used to quantify risks, shall be reviewed regularly, and in
the event of changing conditions their appropriateness shall be reviewed
and adjusted if necessary. This applies in particular to plausibility checks
of the outcomes and of the underlying data. AT 4.1 number 9 shall apply accordingly.

AT 4.3.3 Stress tests

1 Appropriate regular and ad hoc stress tests shall be carried out in respect of the
material risks, which shall reflect the nature, scale, complexity and riskiness of the
business activities. To this end, the material risk factors pertaining to the respective
risks shall be identified. The stress tests shall additionally cover the assumed risk
concentrations and diversification effects within and between risk types. The stress
tests shall also take account of risks resulting from off-balance-sheet entities and
securitisation transactions.

Stress tests
In the following, the term “stress tests” is used as a generic term for the various methods via which institutions examine the individual potential risk they face with regard,
inter alia, to exceptional but plausible events at each relevant level of the institution
(eg at portfolio level, at the firm-wide level, at business unit level). The stress test programme includes sensitivity analyses (in which generally only one risk factor is varied)
and scenario analyses (in which several or all risk factors are changed simultaneously
in order to simulate a predefined event).

2 Regular and, where appropriate, ad hoc stress tests shall also be carried out in respect
of the institution’s overall risk profile. Based on the nature, scale, complexity and
riskiness of the institution’s business activities, suitable overarching scenarios shall
be defined which reflect both institution-specific (idiosyncratic) and market-wide
causes. Their combined potential impact on the material risk types shall be captured
in a way that takes account of interaction between the risk types.

3 The stress tests shall also reflect exceptional but plausible events. Appropriate historical and hypothetical scenarios shall be defined. Additionally, the stress tests shall
be used to analyse the impact of a severe economic downturn on the firm-wide level
of the institution. The institution’s strategic orientation and its economic environment are likewise to be taken into consideration when defining the scenarios.

4 In addition, the institution shall carry out reverse stress tests. Their content and implementation shall depend on the nature, scale, complexity and riskiness of the business activities and may be of a qualitative or quantitative nature.

Reverse stress tests
Reverse stress tests are carried out to examine what events could jeopardise the institution’s viability. Its viability may be assumed to be jeopardised if the original business
model proves to be no longer feasible or sustainable.
Reverse stress tests serve to complement other stress tests. Given their approach, reverse stress tests focus on a critical evaluation of the results. The results generally do
not need to be taken into account when assessing internal capital adequacy.

5 The appropriateness of the stress tests and their underlying assumptions shall be
periodically reviewed, at least once a year.

6 The results of the stress tests shall be critically evaluated. Institutions shall determine
whether and, if so, what action is required. The results of the stress tests shall also
be duly taken into account when assessing internal capital adequacy. Particular attention shall be paid to the impact of a severe economic downturn.

Need for action
An identified need for action does not automatically necessitate backing the identified
risks with available financial resources (risk coverage potential). Alternative measures
may be suitable, such as intensifying risk monitoring, modifying the limits or adjusting
the objectives of the business strategy orientation. The identified risks have to be covered by available financial resources (risk coverage potential) in cases where the stress
tests are consciously used to quantify internal capital requirements.

AT 4.3.4 Data management, data quality and aggregation of risk data

1 The requirements set forth in this module are addressed to significant institutions
and apply both at group level and at the solo level of each material legal entity of a
group. The institution shall define institution-wide and group-wide principles for data
management, data quality and the aggregation of risk data that shall be approved
and put into force by the management board.

Implementation of the principle of proportionality
The requirements of this module shall be implemented in an appropriate manner that
reflects the nature, scale, complexity and riskiness of the institution’s business activities.

Aggregation of risk data
The term “aggregation of risk data” refers to the end-to-end process chain beginning
with the collection and recording of data, then its processing, and ending with its evaluation based on certain criteria and the reporting of risk data.

2 The data structure and data hierarchy shall ensure that data can be identified unequivocally, compiled and evaluated, and that they are available in a timely manner.
Where possible, uniform naming conventions and identifiers for data shall be defined
and communicated within the institution. Where different naming conventions and
data identifiers are in use, the institution shall ensure that data are automatically reconcilable.

3 The institution shall ensure that risk data are accurate and complete. The data must
be evaluable according to different criteria and should, where possible and meaningful, be aggregated automatically. The use and scope of manual processes and interventions shall be substantiated and documented, and shall be limited to the level
necessary. The quality and completeness of the data shall be monitored on the basis
of suitable criteria. To this end, the institution shall formulate internal requirements
relating to the accuracy and completeness of data.

Evaluability according to different criteria
Evaluability covers not only risk categories and risk sub-categories but also, inter alia,
the categories business area, legal entity, type of asset, sector and region; further categories may be necessary depending on the risk in question. It must also be possible
to carry out multi-dimensional evaluations according to combined categories in an
appropriate manner.

4 The risk data shall be reconciled with other information available at the institution
and subjected to plausibility checks. Procedures and processes shall be set up to reconcile the risk data with the data in the risk reports to allow data errors and weaknesses in data quality to be identified.

Other information available at the institution
The reconciliation and the plausibility checks of the risk data shall be carried out, for
example, against data from accounting and, where appropriate, supervisory reporting.
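Numbers 3 and 4 together describe a data-quality control: aggregate the risk data along a chosen category, run plausibility checks on the records, and reconcile the aggregates against the accounting view so that breaks surface as findings. The block below is an added example, not part of the MaRisk text or of any institution's system; the record layout, the legal-entity and counterparty identifiers, the amounts and the tolerance are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one exposure record per transaction as delivered by the
# risk data warehouse (hypothetical identifiers and amounts).
RISK_DATA = [
    {"legal_entity": "BANK_DE", "counterparty": "CP-001", "exposure": 1_500_000.0},
    {"legal_entity": "BANK_DE", "counterparty": "CP-002", "exposure": 750_000.0},
    {"legal_entity": "BANK_LU", "counterparty": "CP-003", "exposure": 400_000.0},
    {"legal_entity": "BANK_LU", "counterparty": "", "exposure": 120_000.0},      # identifier missing
    {"legal_entity": "BANK_UK", "counterparty": "CP-004", "exposure": -50_000.0},  # implausible sign
]

# Constructed sample: exposure totals per legal entity as carried in accounting.
ACCOUNTING_TOTALS = {"BANK_DE": 2_250_000.0, "BANK_LU": 560_000.0, "BANK_UK": 0.0}


def aggregate(records, key):
    """Sum exposure along one category (legal entity, counterparty, sector, ...)."""
    totals = defaultdict(float)
    for r in records:
        totals[r[key]] += r["exposure"]
    return dict(totals)


def plausibility_checks(records):
    """Record-level checks run before aggregation; returns (index, reason) pairs."""
    findings = []
    for i, r in enumerate(records):
        if not r.get("counterparty"):
            findings.append((i, "missing counterparty identifier"))
        if r["exposure"] < 0:
            findings.append((i, "negative exposure"))
    return findings


def reconcile(risk_totals, accounting_totals, tolerance=0.001):
    """Compare risk-data aggregates with accounting totals per legal entity.

    A break is reported when the difference exceeds the tolerance (relative to
    the accounting figure, with a floor of 1.0 so that a zero accounting total
    still yields a break for any non-zero risk figure). Entities present on
    only one side are compared against zero, so they cannot drop out unnoticed.
    """
    breaks = []
    for entity in sorted(set(risk_totals) | set(accounting_totals)):
        risk = risk_totals.get(entity, 0.0)
        acct = accounting_totals.get(entity, 0.0)
        diff = risk - acct
        if abs(diff) > tolerance * max(abs(acct), 1.0):
            breaks.append({"legal_entity": entity, "risk": risk,
                           "accounting": acct, "difference": diff})
    return breaks


if __name__ == "__main__":
    for idx, reason in plausibility_checks(RISK_DATA):
        print(f"record {idx}: {reason}")
    for b in reconcile(aggregate(RISK_DATA, "legal_entity"), ACCOUNTING_TOTALS):
        print(f"break {b['legal_entity']}: risk {b['risk']:,.0f} vs accounting "
              f"{b['accounting']:,.0f} (diff {b['difference']:,.0f})")
```

On the sample, the plausibility step flags the record without a counterparty identifier and the negative exposure, and the reconciliation reports BANK_LU (risk data 40,000 below accounting) and BANK_UK (a risk figure where accounting carries none); BANK_DE agrees. Because `aggregate` takes the category as a parameter, the same records can be rolled up by counterparty, sector or region for the multi-dimensional evaluations number 3 asks for.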

5 The data aggregation capacities shall ensure that aggregated risk data are available
in a timely manner, both under normal circumstances and in times of stress. The institution shall define the timeframe within which the aggregated risk data must be
available taking into account the frequency of risk reports.

Risk data in times of stress
The data which must also be available in a timely manner in times of stress include:

  • counterparty and credit risk at firm-wide/group level,
  • aggregated exposure to large corporate borrowers,
  • counterparty risk (resulting also from derivatives) – aggregated and allocated to
    individual counterparties,
  • market risk, trading positions and operational limits and limit utilisation levels including possible concentrations,
  • indicators of possible liquidity risk/shortfalls,
  • time-critical indicators of operational risk.


6 The data aggregation capacities must be sufficiently flexible such that ad hoc information can be shown and analysed according to different categories. This includes
the possibility to show and analyse risk positions at a wide range of levels (business
areas, portfolios, where appropriate individual transactions).

Ad hoc information according to different criteria
The capability to generate and analyse the risk positions by country, sector, business
area etc must likewise be ensured for ad hoc information requirements. To the extent
possible and reasonable, it should be possible to break the main categories down to
the individual transaction level.

7 Responsibilities shall be defined for all steps in the risk data aggregation process and
appropriate process-related controls put in place. In addition, regular reviews shall
be carried out to determine whether staff are complying with the internal rules, procedures, methods and processes. These reviews shall be carried out by a unit that is
independent of organisational units that initiate and/or conclude transactions.

Review by an independent unit
The staff tasked with the review should, as far as possible, have sufficient knowledge
of the IT systems and the reporting system.

https://www.bafin.de/SharedDocs/Downloads/EN/Rundschreiben/rs_1021_marisk_ba_en.html