Enterprise Risk Management

Risk and Capital Management Framework

The Group's Risk and Capital Management Framework rests on five pillars: a) effective Board oversight, b) sound risk management strategy, c) dynamic capital management process, d) risk and capital monitoring & escalation, and e) review and validation. The Framework is illustrated in Figure 1. The Group's risk management strategy and capital management systems respond to internal and external signals manifested in its corporate vision & mission, which animate a set of strategies that aim to fulfill such vision while taking into account external indicators mostly involving current market movements and projections. Risk and capital management systems always see through bifocal lenses: the growth/business-as-usual scenario, and stress. With the foregoing as backdrop, business targets are determined along with the risks and the necessary capital, bearing in mind minimum capital adequacy regulations and internal triggers. In an ideal scenario, the process should lead to maximization of capital via robust capital allocation among the business units, and with performance assessed via risk-adjusted measures. The Group is committed to working towards this goal. The Framework and its sub-processes are all subject to review and validation, a role largely driven by the Internal Audit Group. Finally, each facet of the Framework is monitored and reported to the designated oversight bodies.

Risk and Capital Management Infrastructure and Oversight

The Framework is primarily driven by the Group's Board of Directors (Board). It sets the Group's Mission, Vision, and general strategic direction. It likewise approves the Group's risk appetite levels and the capital plan. In the interest of promoting effective and efficient corporate governance, however, the Board constitutes committees to perform oversight responsibilities. Central to the Risk and Capital Management Framework are the specific oversight functions performed by the Executive Committee (Excom), the Risk Oversight Committee (ROC), and the Audit Committee (AudCom). General oversight with respect to the Framework's implementation, however, rests with the ROC. A summary of the roles of and the relationship among the various Board Committees is illustrated in Figure 2.

Comprising the next organizational layer are the implementing arms of the various Board Committees. The Corporate Risk Management Services Group (CRISMS) is tasked with the implementation and execution of the Group's risk management framework, while the Corporate Planning Group drives the capital and strategic management function at the management level. The Controllership Group on the other hand ensures the provision of accurate financial information, while the Internal Audit Group ensures process integrity. Figure 3 summarizes the infrastructure discussed above.

The Risk Oversight Committee

The ROC is constituted by the Board, and exercises authority over all other risk committees of the various RCBC business groups and subsidiaries, with the principal purpose of assisting the Board in fulfilling its oversight responsibilities relating to:

  • Evaluation and setting of the Group's risk appetite;
  • Review and oversight of the Group's risk profile;
  • Implementation and continuous improvement of a sound framework for the identification, measurement, control, monitoring, and reporting of the principal risks faced by the Bank; and
  • Capital planning and oversight.

In the course of fulfilling its oversight responsibilities, the ROC specifically takes on the following tasks:

  • Identify the Group's risk exposures, assess the probability of each risk becoming reality, and estimate its possible effect and cost.
  • Develop a written plan defining the strategies for managing and controlling major risks; and identify practical strategies to reduce the chance of harm and failure or minimize losses if the risk becomes real.
  • Cause the implementation of the plan; and communicate the same and loss control procedures to affected parties.
  • Evaluate the risk oversight plan to ensure its continued relevance, comprehensiveness, and effectiveness. It revisits strategies, looks for emerging or changing exposures, and stays abreast of developments that affect the likelihood of harm or loss.

The Corporate Risk Management Services Group (CRISMS)

Supporting the ROC in carrying out its mandate is the Corporate Risk Management Services Group (CRISMS), headed by the Chief Risk Officer (CRO) as provided for by the Manual of Regulations for Banks (MORB) Sec X174. CRISMS' risk management function refers to all activities of identifying, assessing and/or measuring, controlling and monitoring all types of risk the Group is exposed to. The CRO is therefore tasked with ensuring that CRISMS is able to effectively execute its risk management function. CRISMS implements the risk management process in the Parent, and additionally consolidates the risk MIS from the various subsidiary risk units for a unified risk profile and eventual disposition. Functionally, CRISMS is structured along the traditional make of risk management organizations, with separate divisions dedicated to the largest financial risks: credit, market, and operations. A quantitative risk unit exists to address the quantitative nature of risk management and to assist in the building of models and other risk metrics. Risk management of the Trust business is also directly under CRISMS, as is Contingency Management / Business Continuity Management. I.T. risk management, however, is not directly under CRISMS, but the latter nonetheless exercises oversight. Figure 4 illustrates the organizational structure of CRISMS.

Credit Management Segment

The Credit Management Segment (CMS) of CRISMS is primarily tasked with the execution of the credit risk management framework adopted by the Group. It recommends credit policies for eventual approval by the Board, and mirrors the same risk management function of CRISMS. It represents CRISMS in the various credit management venues. Organizationally, CMS is the largest unit in CRISMS. Figure 5 illustrates the structure and the attendant responsibilities of CMS.

Market and Liquidity Risk Division

The Market and Liquidity Risk Division (MRD) is primarily tasked with the development and implementation of market and liquidity risk policies and measurement methodologies, recommending and monitoring compliance with risk limits, and reporting the same to the appropriate bodies. It is also the primary unit in the Group responsible for the measurement, monitoring, and reporting of interest rate risk (IRRBB). It regularly reports activities relevant to market, liquidity, and interest rate risk management of the Group to the ROC and the Asset & Liability Committee (ALCO). Figure 6 illustrates the structure of MRD.

Operational Risk Management Department

The Operational Risk Management Department (ORMD) is tasked with the design and implementation of operational risk management (ORM) tools in the Group. It is expected to provide a regular and forward-looking analysis of the Group's operational risk profile, and aid in ensuring that risk mitigants are in place. To facilitate implementation of ORM tools in the various business lines of both the Parent Bank and its subsidiaries, various officers are deputized and serve as embedded Deputy Operational Risk Officers (DORO). A DORO therefore functions as ORMD's liaison to and implementation arm in the various business units. Figure 7 illustrates the structure of ORMD.

Complementary CRISMS Functions

Complementing these established units are two other functions under CRISMS. The Basel & Group Risk Oversight function is aimed at: a) furthering the Group's initiatives in relation to risk management practices espoused by the Basel Committee and the Bangko Sentral ng Pilipinas (BSP), and b) ensuring that a single risk framework is applied across the entire RCBC Group, and facilitating the Internal Capital Adequacy Assessment Process (ICAAP). The Risk Management Systems function exists to oversee the assessment, implementation, and management of existing and prospective risk systems. The said function is also responsible for CRISMS' oversight of I.T. Risk and Information Security.

Outlined below are the risks that the Group currently assesses to be relevant and the various strategies it employs to manage them.

Credit Risk

It is the risk that a borrower, issuer or counterparty in a transaction may default and cause a potential loss to the Group. It arises from lending, trade finance, treasury, derivatives and other activities undertaken by the Group. As a matter of general strategy, the Group manages this risk through a system of policies, metrics, and authorities that govern the processes and practices of all credit-originating and borrowing relationship management units, as well as other units involved in the credit cycle.

Credit Concentration Risk

It is the current and prospective negative impact to earnings and capital arising from over-exposure to specific industries or borrowers / counterparties. The Group manages this risk via adherence to processes relating to industry and counterparty assessments, observance of regulatory ceilings, and setting of internal limits.

Liquidity Risk

It is the risk to earnings or capital arising from the Group's inability to meet its obligations when they become due without incurring unacceptable losses. The Group's strategy for managing this risk is generally via limiting the maturity mismatch between assets and liabilities, and by holding sufficient liquid assets of appropriate quality and marketability.

Market Risk

It is the risk resulting from adverse movements in the general level of or volatility of market rates or commodity/equity prices possibly affecting the Group's financial condition. The Group manages this risk via a process of identifying, analyzing, measuring and controlling relevant market risk factors, and establishing appropriate limits for the various exposures.

Interest Rate Risk in the Banking Book

It is the current and prospective negative impact to earnings and capital arising from movements or shifts in interest rates. The risk becomes inherent in the current and prospective interest gapping of the Group's balance sheet. The Group follows a set of policies on managing its assets and liabilities so as to ensure that exposure to fluctuations in interest rates is kept within acceptable limits.

Operational Risk

It is the risk arising from the potential that inadequate information systems, operations or transactional problems (related to service or product delivery), breaches in internal controls, fraud or unforeseen catastrophes will result in unexpected loss. The Group manages this risk via a Framework involving various tools that promote a strong control environment, escalation, monitoring and reporting of risk events, and adequate mitigation of assessed risks.

Reputation Risk

It is the current and prospective adverse impact to earnings and capital arising from negative public opinion. The Group manages this risk primarily via processes observed and activities performed by a designated body tasked with ensuring a healthy public image of the Group.

Compliance, Regulatory, and Legal Risk

It is the current and prospective negative impact to earnings and capital arising from violation of laws, regulations, ethical standards, and the like. The Group has a Compliance office and a designated Compliance Officer charged with overseeing the implementation of an approved Compliance Program, including anti-money laundering processes and controls.

Strategic Business Risk

It is the downside potential arising from adverse business decisions, improper implementation of decisions, and lack of responsiveness to industry changes. The Group's strategy in managing this risk is to embed the same in the various business functions as espoused in its strategic and business planning processes.

IT Risk

It is the current and prospective negative impact to earnings arising from failure of IT systems, including information security. The Group's strategy in managing this risk is embodied in a comprehensive information technology security policy that encompasses IT risk assessment, vulnerability testing, monitoring, controls, and mitigation.

The foregoing risks notwithstanding, the Group maintains that the assessment of materiality is an evolving process. Any significant change in either the actual risk profile, or the perception of threats, therefore triggers a corresponding action in terms of the management of such threats, and the assessment as to whether the Group is in a position to continue to be exposed to the same.