National Bank of Ethiopia Risk-Based Supervision Framework

National Bank of Ethiopia
BANKING INSTITUTIONS
RISK BASED SUPERVISION FRAMEWORK
(Draft)
(Volume 6b1)
By: FISP Study Team
August 2009
National Bank of Ethiopia Risk Based Supervision Manual
Table of Contents
Page
1.0 Mission, Vision and Core Values of Banking Supervision (BS)...................................1
1.1 Mission ....................................................................................................................1
1.2 Vision ......................................................................................................................1
1.3 Objectives................................................................................................................1
1.4 Core Values .............................................................................................................1
2.0 Introduction ...................................................................................................................1
3.0 Benefits of RBS Framework .........................................................................................1
4.0 Key Principles/Policies..................................................................................................1
5.0 Coordination of Supervisory Activities.........................................................................2
5.1 Desk Officer ........................................................................................................2
5.2 Examiner-in-charge .............................................................................................3
6.0 RBS Methodology .........................................................................................................3
6.1 Understanding the Institution ..............................................................................4
6.2 Assessing the Institution’s Risk...........................................................................4
6.3 Planning and Scheduling Supervisory Activities.................................................12
6.4 Defining Examination Activities .........................................................................14
6.5 Performing On-site Activities..............................................................................15
6.6 Following up Findings and Recommendations ...................................................18
7.0 Reliance on Work of Third Parties ................................................................................19
Appendices
Appendix I: Detail Steps of Supervisory Process and Their Respective Outputs .................20
Appendix II: Guidance Notes and Institutional Overview ....................................................21
Appendix III: Guidance Notes and Corporate Profile ...........................................................25
Appendix IV: Functional Risk Mapping Chart ....................................................................27
Appendix V: Sample Supervisory Files and Review Note Formats......................................28
Appendix VI Risk Assessment Criteria.................................................................................55
Appendix VII (a): Board of Directors ...................................................................................58
Appendix VII (b): Senior Management.................................................................................62
Appendix VII (c): Risk Management ....................................................................................66
Appendix VII (d): Internal Auditors......................................................................................69
Appendix VII (e): Compliance..............................................................................................72
Appendix VII (f): Information and Communication .............................................................75
Appendix VIII: Overall Net Risk ..........................................................................................78
Appendix IX: Earnings..........................................................................................................79
Appendix X: Capital..............................................................................................................80
Appendix XI: Composite Risk Rating...................................................................................82
Appendix XII: Risk Matrix ...................................................................................................83
Appendix XIII: Risk Assessment Format..............................................................................84
Appendix XIV: CAMEL Rating & Financial Highlights......................................................85
Appendix XV: Guide to Intervention for Banks ...................................................................86
Appendix XVI: Guidance Notes to Completing Supervisory Plan .......................................89
Appendix XVII: Supervisory Plan Format............................................................................91
Appendix XVIII: A Sample Information Request Letter ......................................................92
Appendix XIX: Pre-Examination Working Tools.................................................................95
Appendix XX: Pre-Examination Checklist ...........................................................................105
Appendix XXI: Instructions for Preliminary Assessment of Risk & Financial Condition ...110
Appendix XXII: Scope Memorandum Format......................................................................114
Appendix XXIII: Scope Memorandum Sample ....................................................................115
i
Bank Supervision Directorate August 2009
Appendix XXIV: Scope Authorization Form 125

Appendix XXV: Sample Introduction/Entry Letter 126
Appendix XXVI: Examination Procedures 127
Appendix XXVII: Sample Examination Timeline 168
Appendix XXVIII: Sample Planning & Control Schedule 169
Appendix XXIX: Definition of Ratios for Risk and CAMEL Ratings 170
Appendix XXX: CAMEL Rating Guidelines 173
Appendix XXXI: Risk Rating Guidelines 181
Appendix XXXII: Report of Examination Format 194
Appendix XXXIII: Report of Examination Contents 195
ii
1.0 MISSION, VISION, OBJECTIVES & CORE VALUES OF BANKING SUPERVISION

1.1 Mission: to foster healthy banking industry in Ethiopia.
1.2 Vision: to be one of reputable bank supervisors in Africa in 2015.
1.3 Objectives: BS aims to ensure:
– Safety & soundness of banks;
– Efficiency & compliance of banks with rules & regulations; &
– Protection of depositors.
1.4 Core Values:
– Belongingness;
– Accountability;
– Pursuit of Excellence and Professionalism;
– Transparency;
– Integrity;
– Team Spirit;
– Confidentiality; and
– Dynamism.
2.0 INTRODUCTION
The roles of banking supervision involve assessing the safety and soundness of banks, providing
feedback to the banks, and using supervisory powers to intervene in a timely manner to achieve
supervisory objectives. The objective of this Supervisory Framework (Framework) is to provide a
systematic and effective process to assess the safety and soundness of banks. This is achieved by
evaluating a bank’s risk profile, risk management processes, compliance with applicable laws and
regulations, and financial condition.
Developing supervisory practices is a dynamic process. Continuing change in the banking

industry has led the NBE to review its existing supervisory practices to ensure that the practices
remain effective. The NBE strives to ensure that the Framework clearly focuses on assessment of
bank’s material risk exposures and quality of risk management. The Framework will be
continually refined from time to time based on experience and feedbacks from the users and other
stakeholders to ensure its efficiency and effectiveness.
3.0 BENEFITS OF RBS FRAMEWORK

The principal benefits of this Framework are:
 More systematic and structured risk assessment through separate assessment of inherent risks
and risk management processes;
 Greater emphasis on early identification of emerging risks; and
 Efficient use of resources through a sharper focus on risk.
4.0 KEY PRINCIPLES/POLICIES

The following key principles/policies form the basis of the Framework:
 Banking Supervision (BS) shall adopt risk-based supervision as integrated with CAMEL
system.
 BS shall implement consolidated supervision of banks.
 BS shall prepare annual supervisory plan for banking sector and each bank.
 BS shall not aim at preventing failures of individual banks; instead, at encouraging soundness
& efficiency of banking as a whole.
1
 The exercising of sound judgment in identifying and evaluating risks in a bank is central to
the effectiveness of the Framework.
 Supervisory assessment would be driven by significant activities carried out by the banks.
 Supervisory work will focus on identified material risks or areas of concern. Nevertheless,
supervisory attention will continue to be placed on critical details which may affect safety
and soundness of a bank.
 Supervisory assessment will include reviews of risk management control functions (RMCF)
such as Board Oversight, Senior Management, Risk Management, Internal Audit,
Compliance, and Information and Communication.
 Supervisory cycle of banks shall be extended up to a maximum of 24 months; but, may be
shortened depending on risk profile of each bank.
 Communication of findings and recommendations to the bank shall be carried out on timely
basis.
 Supervisory intervention shall be timely and the degree of the intervention shall
commensurate with the risk profile of the banks, in accordance with the ‘Guide to
Intervention for Financial Institutions’.
 Ratings shall be provided to banks quarterly. The ratings will be lined to the stage rating
which will determine the supervisory intervention actions in accordance with the ‘Guide to
Intervention for Banks’.
 Supervisors, where appropriate, shall use the work of the bank’s management and internal
control functions depending on the competency and reliability of the functions. The NBE
shall also rely on external auditors for fairness of the financial statements and will use their
work to determine the scope of reviews to minimize duplication of efforts.
 Examination report of banks shall be confidential, unless release of which is authorized in
writing by D/Director.
 Banks shall be entitled to submit objection to both quarterly ratings & examination reports of
FISP within a reasonable period of time.
 Degree of supervisory intervention by BS shall be in accordance with related guide &
commensurate with risk profile of banks; & costs to banks &/or their customers associated to
these measures shall be proportionate to expected benefits.
 BS shall conduct at least one bilateral prudential meeting with bank management & its
external auditor each, & tripartite meeting with bank management & its external auditor
every fiscal year; apart from continuous periodic meetings with bank throughout supervisory
cycle to obtain information &/or discuss supervisory concerns.
5.0 COORDINATION OF SUPERVISORY ACTIVITIES

Activities of banking supervision shall be coordinated by Financial Institutions Supervision
Process (FISP). A quality assurance committee shall be responsible for quality assurance of
reports of examination.
5.1 Desk Officer

A responsible desk officer shall be designated as central point of contact who may also work as
Examiner-in-charge (EIC) for each bank for a minimum period of two years. Desk officers are the
focal point for the supervision of the assigned banks and NBE’s primary contacts with those
banks. The desk officer shall:
(i) Be responsible for the preparation and updating of Institutional profile in a timely manner
as well as preparation of supervisory plan;
(ii) Be knowledgeable, on an ongoing basis, about the bank’s financial condition,
management structure, strategic plan and direction, operations and the risk profile;
2
(iii) Be knowledgeable and keep abreast with changes in the risk management policies
including those pertaining to new products and services;
(iv) Remain up-to-date and be knowledgeable regarding all supervisory activities, monitoring
and surveillance information, correspondences and various requests by banks, meetings
with management & external auditor and enforcement issues, if applicable;
(v) Ensure appropriate follow-up of supervisory concerns, corrective actions, or other matters
which come to light through ongoing communications, meetings or surveillance
including report of examination;
(vi) Participate in the examination process, as needed, to ensure consistency with the bank’s
supervisory plan and effective allocation of resources, and to facilitate requests for
information from the bank, wherever possible; and
(vii) In discharging some of the foregoing activities, the desk officer may arrange to visit the
bank under him/her upon obtaining necessary clearance from D/Director.
5.2 EIC
EIC shall be responsible for:
i. Coordinating Preliminary Review including pre-examination meeting;
ii. Preparation of scope memorandum;
iii. Leading the team of on-site examination;
iv. Preparing the report of examination; and
v. Accompanying D/Director to present report of examination to the board of the examined
bank.
6.0 RISK-BASED SUPRVISION METHODOLOGY

As descried in the table below and will be discussed in detail in the following sections, this
methodology consists of six key steps, each of which requires preparation of specific outputs.
Table 1: Steps of Risk-Based Supervision (see detail steps in Appendix I)

No. STEPS OUTPUTS
1. Understanding the Institution 1.Institutional Overview &
Corporate Profile
2. Assessing the Institution’s Risk 2. Risk Matrix
3. Risk Assessment Summary
3. Planning and Scheduling 4. Supervisory Plan
Supervisory Activities
4. Defining Examination Activities 5. Information Request Letter
6. Scope Memorandum
5. Performing Onsite Examination 7. Working Papers
8. Report of Examination
6. Following up findings 9. Updated Institutional Profile
and recommendations
3
6.1 Understanding the Institution - Step 1

The starting point for risk-based supervision is developing an understanding of the institution.
This step is critical as it enables the banking supervisors to customize the supervision program to
meet the unique characteristic of the bank. As circumstances change, he program can then be
adjusted accordingly.
Two documents are produced to facilitate the understanding of the institution, namely, the
institutional overview and corporate profile. These documents will form attachments to the
supervisory plan. The instructional overview should contain in one concise document, an
executive summary that demonstrates an understanding of the bank’s present condition, its
current and prospective risk profiles as well as key issues and past supervisory findings. In
general, information in the overview should include:
 A brief description of the overall condition, with comments on the impact of mergers,
changes in key business lines, growth areas, product lines, etc. since the last review;
 A summary of the risk assessment of the bank;
 External and internal factors affecting the bank;
 An overview of management;
 A brief analysis of the consolidated financial condition and trends;
 A description of the future prospects of the bank; and
 Key issues arising from the previous examination.
The corporate profile captures general information on the bank, such as the capital and ownership
structure, business strategies as will as composition of the board of directors and senior
management.
Formats of Institutional Overview and Corporate Profile, along with corresponding Guidance
Notes, are shown in Appendix II and Appendix III, respectively.
6.2 Assessing the Institution’s Risk – Step 2

Analysis of the bank is primary input into the risk assessment process. Desk officers are
responsible for on-going analysis and monitoring of banks which they are charged with. Analysis
is performed at least once every three months for banks rated Stage 1 or better, and on a monthly
basis for banks rated Stage 2 or worse. Analysis includes a review of the information gathered on
the bank as well as meetings with key individuals of the institution to discuss trends and emerging
issues arising from developments in the institution, industry and environment. For larger banks,
this will likely involve periodical visits. The scope of analysis will depend on the size and the risk
profile of the bank. Results of the analysis are used to update Institutional Overview and
Corporate Profile, Risk Matrix, and RAS.
Risk assessment begins with identifying significant activities carried out by an institution. The net
risk in these activities is a function of the aggregate of inherent risks offset by the aggregate
quality of risk management. This evaluation is illustrated by the following equation:
Inherent Risk mitigated by Quality of Risk Management = Net Risk
The results of risk assessment are summarized in the Risk Matrix in subsection 6.10.
4
6.2.1 Significant Activities (Horizontal Assessment – Track 1)

Significant activities (SA) are activities that could have material impact on the banks’ earnings
and capital as well as achievement of their business objectives. SA could include any line of
business, unit or process. SA are identified from various sources including the bank’s
organization charts, strategic business and IT plans, capital allocations, financial statements, and
internal/external reporting. Sound judgment is applied in determining the significance of activity
which a bank undertakes. Significance is determined in relation to the context (structure, size,
complexity) of the bank. The following are examples of criteria that may be used:
a) Assets generated by an activity in relation to total assets (both on- and off-balance sheet);
b) Risk-weighted assets generated by an activity in relation to total risk-weighted assets;
c) Revenue generated by an activity in relation to total revenue;
d) Net income before tax for an activity in relation to total net income before tax;
e) Expenditure of an activity in relation to total expenditure;
f) Internal allocation of capital to an activity in relation to total capital;
g) Capital charge for an activity in relation to total capital charge; and
h) Reserves held as a percentage of total reserves.
The supervisors need to determine and rank the materiality of the identified SA and it is to be
rated as ‘high’, ‘moderate’ or ‘low’. This is important as the supervisors would need to consider
the relative materiality of all SA in deriving at the Overall Net Risk. Lending is a compulsory SA
to be assessed. Detailed assessments of each SA shall be documented in the respective review
notes.
6.2.2 Inherent Risk

Inherent risk is risk intrinsic to a business activity and arises from exposure and uncertainty from
potential future events, or changes in business or economic conditions. Inherent risk is assessed
by considering the probability (likelihood) of the risk materializing and magnitude of adverse
impact on the bank’s earnings and capital if the risk materializes. Functional Risk Mapping Chart
is exhibited in Appendix IV for easier identification of risks associated with each function. This
should be used together with Risk Rating Guidelines in Appendix XXXI). Likewise, Sample
Supervisory Files and Review Note Formats are attached as Appendix V to assist risk assessment
process.
A thorough understanding of the environment in which a bank operates and the bank’s various
business activities, is essential to effectively identify and assess the risks inherent in those
activities. In the meantime, ‘A&L’ of CAMEL components are rated 1-5 here using CAMEL
Rating Guidelines in Appendix XXX. Inherent risks can be grouped in the following categories
for supervisory assessment purposes:
 Credit risk (asset quality);

 Market risk;
 Liquidity risk (liquidity); and
 Operational risk.
The following are definitions of the above risk categories.
a) Credit Risk
Credit risk arises from counterparty’s inability or unwillingness to meet or fully meet its on-
balance sheet and/or off-balance sheet contractual obligations. Exposure to this risk results from
financial transactions with a counterparty including borrower or guarantor.
5
b) Market Risk
Market risk is defined as the potential that changes in the market rates/prices may have an adverse
impact on the bank’s financial condition. In other words, it is the risk that the bank’s earnings or
capital position will be affected by fluctuations in interest rate and foreign exchange. Two types
of market risk factors that could be considered are:
 Interest rate risk; and

 Foreign exchange risk.
The above risks are described further below:
i) Interest Rate Risk

Interest rate risk arises from movements in interest rates. Exposure to this risk in banking book
primarily results from timing differences in the re-pricing of assets and liabilities, both on- and
off-balance sheet. In the scenario of rising interest rate, when liabilities re-price faster than assets,
interest spread would fall and hence profitability of the bank would be adversely affected.
ii) Foreign Exchange Risk

Foreign exchange risk arises from movements in foreign exchange rates. Exposure to this risk
mainly occurs during a period in which the bank has a foreign currency open position, both on-
and off-balance sheet, in spot markets. Movements in exchange rates may adversely affect the
value of a bank's foreign currency open positions.
c) Liquidity Risk
Liquidity risk arises from a bank’s inability to obtain the necessary funds, either by increasing its
liabilities or converting its assets, to meet on-balance sheet and/or off-balance sheet obligations as
they come due, without incurring unreasonable losses.
d) Operational Risk
Generally, operational risk is defined as the risk of loss resulting from inadequate or failed
internal processes, people, and systems or from external events. The definition includes:
 IT Risk;
 Legal and Regulatory Risk;
 Strategic Risk; and
 Reputational Risk.
i) Information Technology (IT) Risk

IT risk arises from any potential adverse outcome, impairment, loss, violation, failure or
disruption in the performance of business functions or processes due to the use of or reliance on
technology. Exposure to this risk can result from among others, systems flaws, software defects
and network vulnerabilities.
ii) Legal and Regulatory Risk

Legal and regulatory risk arises from a bank’s non-conformance with laws, rules, regulations,
prescribed practices, or ethical standards of any jurisdiction in which it operates.
iii) Strategic Risk
6
Strategic risk arises from a bank’s inability to implement appropriate business plans, strategies,
decision-making, resource allocation and its inability to adapt to changes in the business
environment.
iv) Reputational Risk

Reputational risk arises from negative publicity, be it true or not, regarding a bank’s business
practices.
After SAs have been identified, the level of each risk type inherent in those activities is assessed
as low, moderate or high. This assessment is made without considering the impact of risk
mitigations by the bank’s risk management processes and controls. The quality of these
mitigations is considered separately and netted-off against the inherent risk assessment to
determine the net risk of each SA. Upon determining the level of each risk type inherent in a SA,
the aggregate inherent risks for the SA is then determined, incorporating considerations of the
relative significance of each risk type to the activity.
The following are the definitions of the level of inherent risk ratings.
a) Low Inherent Risk:

Low inherent risk exists when there is a lower than average probability of an adverse impact on a
bank’s capital or earnings due to exposure and uncertainty from potential future events.
b) Moderate Inherent Risk:

Moderate inherent risk exists when there is an average probability of an adverse impact on a
bank’s capital or earnings due to exposure and uncertainty from potential future events.
c) High Inherent Risk:

High inherent risk exists when there is higher than average probability of an adverse impact on a
bank’s capital or earnings due to exposure and uncertainty from potential future events. The
broad risk assessment criteria for each risk type are described in Appendix VI.
6.2.3 Quality of Risk Management

The ‘quality of risk management’ is evaluated for each significant activity. It is an evaluation of a
bank’s Operational Management (OM) and Risk Management Control Functions (RMCF) for that
activity. The ‘quality of risk management’ is assessed as strong, acceptable, or weak.
In addition to OM, seven RMCFs that may exist in banks i.e. Board Oversight, Senior
Management, Risk Management, Internal Audit, Compliance, and Information and
Communication are identified as mitigations to inherent risks. The presence and nature of these
functions vary based on the size and complexity of banks.
After assessing the OM and each RMCF, an aggregate ‘quality of risk management’ is
determined, incorporating considerations on the relative significance of the OM and each RMCF
to the activity. The aggregate ‘quality of risk management’ assessment is then netted against the
aggregate inherent risk assessment for the given SA to derive net risk for the activity.
a) Operational Management
Operational Management (OM) for a given activity is a group of personnel who are directly
involved in planning, directing and controlling the day-to-day operations of the activity.
Examples of OM are heads of business units, e.g. Head of Corporate Banking, as well as other
management positions who report to him/her. They must ensure that policies and procedures are
7
implemented, control systems are adequate and adhered to, and resources are adequate to
effectively manage and mitigate the risks inherent in that activity. In performing their day-to-day
operations, they should focus on preventing and detecting material errors or irregularities in a
timely manner. For example, a business manager should not be only concerned with business
growth but must also ensure that adequate check and balance, and controls are in place.
OM acts to mitigate all types of inherent risk and not just operational risk. OM is not treated as
part of the RMCF due to its non-independent nature from the day-to-day operations.
The degree of assessment of OM depends on the assessment of the effectiveness of the RMCF.
For example, for a bank with ‘weak’ RMCF, supervisors would need to perform greater
supervisory work in assessing the OM. OM is assessed as strong, acceptable, or weak. There’s no
assessment criteria for OM, therefore supervisors are to exercise judgment based on the
explanations above.
b) Risk Management Control Functions

Risk management control functions (RMCFs) provide a level of review that is independent from
day-to-day operations and ensure that OM is effectively managing and controlling risk on a day-
to-day basis. RMCF have no operational responsibilities. Where banks lack some or all of the
RMCF, supervisors shall look for other functions, within or external to the bank, which carry out
the responsibilities expected of the RMCF. For example, in the absence of a dedicated
compliance function, supervisors may turn to other RMCF e.g. internal audit function for the
assessment of compliance.
Where independent RMCF are lacking and where independent reviews of OM by the RMCF have
not been carried out, supervisors will under normal circumstances, make appropriate
recommendations or direct appropriate work to be done. The following are brief descriptions of
each RMCF.
i) Board of Directors
The Board of Directors is responsible for providing stewardship and management oversight to the
bank. Its key responsibilities include:
 Ensure that management is qualified and competent;

 Review and approve organizational and procedural controls;
 Ensure that principal risks are identified and appropriately managed;
 Review and approve policies and procedures for the bank’s major activities;
 Review and approve strategic direction and business plans; and
 Conduct independent assessment of management and controls.
(ii) Senior Management

Senior management (SM) is responsible for planning, directing and controlling the strategic
direction and general operations of the bank. The key difference between SM and OM is that SM
are not involved in day-to-day operations and as such, are deemed as independent and performing
oversight roles. Examples of SM are Chief Executive Officer (CEO), Deputy CEO and Chief
Operating Officer. Their key responsibilities include:
 Ensure that organizational and procedural controls, including policies and procedures are
adequate and effective;
 Ensure compliance with approved policies and procedures;
 Develop strategies and plans to achieve approved strategic and business objectives; and
8
 Develop sound business practices, culture and ethics.
(iii) Risk Management

Risk management is an independent function responsible for planning, directing and controlling
the impact of risks arising from operations to the bank. The function is generally only found as a
separate unit in larger banks, and may carry out the following:
 Identification of risks;
 Development of systems for measurement of risks;
 Establishment of policies and procedures to manage risks;
 Development of risk tolerance limits;
 Monitoring of positions against approved risk tolerance limits; and
 Reporting of results of risk monitoring to senior management and the Board.
(iv) Internal Audit

Internal audit is an independent function within the bank that assesses adherence to and
effectiveness of operational and organizational controls. In addition, internal audit may also
assess adherence to and effectiveness of compliance and risk management policies and
procedures.
(v) Compliance
Compliance is an independent function within a bank that:
 Sets the policies and procedures to ensure adherence to regulatory requirements in all
jurisdictions where the bank operates;
 Monitors the bank’s compliance with these policies and procedures; and
 Reports on compliance matters to senior management and Board.
(vi) Information and Communication

Information and communication is the function that performs in-depth analyses of the bank’s
operational results and reports the results to senior management. Effective reporting is critical to
this function as operational results will influence the strategic and business decisions made by
management and the board. This function is generally found as a separate unit only in large
banks.
The broad assessment criteria for each RMCF are described in Appendix VII (a) to Appendix
VII (f).
6.2.4 Overall Assessment of Each RMCF (Vertical Assessment – Track 2)

Apart from being assessed at significant activity level (horizontal assessment), each RMCF is also
assessed individually (vertical assessment) to derive at their respective overall rating, i.e. strong,
acceptable, or weak. This assessment is conducted to determine the level of supervisory reliance
which could be placed upon the bank’s oversight functions, i.e. the RMCF. Assessment is also
made on the anticipated direction of each RMCF, i.e. ‘improving’, ‘stable’ or ‘deteriorating’.
Such assessment is made in the context of a defined period such as ‘in the next twelve months’,
‘in the next six months’, etc.
The broad assessment criteria for each RMCF under Track 2 are similar with the one used under
paragraph 5.2.3(b) and described in Appendix VII (a) to Appendix VII (f). ‘M’ of CAMEL
components is also rated 1-5 here (using CAMEL Rating Guidelines in Appendix XXX).
9
Detailed assessments of each RMCF shall be documented in the respective review notes.
6.2.5 Net Risk

The net risk for each significant activity is a function of the aggregate level of inherent risk offset
by the aggregate quality of risk management. The aggregate level of inherent risks is determined
based on considerations of all inherent risk ratings coupled with the relative significance of each
risk to the SA while the aggregate ‘quality of risk management’ is determined based on
considerations of all OM and RMCF ratings coupled with the relative significance of the OM and
each RMCF to the SA.
For example, the investment banking activity of a bank may be evaluated as having a high
aggregate level of inherent risk arising from a combination of high credit risk, high market risk,
and high liquidity risk. However, net risk for the activity may be rated as moderate due to
mitigation by a strong aggregate quality of risk management resulting from strong operational
management, strong internal audit, strong risk management, and strong Board oversight. Net risk
is rated as low, moderate or high as shown in the chart below:
Aggregate Aggregate Level of Inherent Risk

Quality of for Significant Activity
Risk Low Moderate High
Management
for Significant Net Risk
Activity
Strong Low Moderate Moderate/High
Acceptable Low Moderate High
Weak Low/Moderate Moderate/High High
6.2.6 Direction of Net Risk

Upon deriving the net risk rating for a given SA, the anticipated direction of the net risk is also
determined as decreasing, stable or increasing over a defined appropriate time horizon, e.g. ‘in
the next twelve months’, ‘in the next six months’ etc.
The direction of net risk will be influenced by the impact of potential changes in inherent risks,
operational management or RMCF, businesses and economic climate on significant activities, as
well as the nature and pace of planned changes within the bank. Under normal circumstances, a
time horizon of ‘in the next twelve months’ shall be used. However, the time horizon would be
shorter in the period of greater changes and volatility.
6.2.7 Overall Net Risk

Overall Net Risk (ONR) is the aggregate of the net risk of all significant activities in a bank. In
arriving at the overall rating of net risk, the relative materiality of each significant activity is
considered. This assessment ensures that an activity with low materiality but high net risk does
not skew the overall net risk rating. This is to ensure that supervisory efforts will be focused on
material high-risk activities. ONR is rated as Low, moderate, or high. The assessment criteria
are described in Appendix VIII.
6.2.8 Direction of Overall Net Risk

The anticipated direction of overall net risk is also determined as either ‘decreasing’, ‘stable’, or
‘increasing’ over a defined appropriate time horizon, e.g. in the next twelve months’, ‘in the next
six months’ etc. The direction of overall net risk will be influenced by the change in factors which
influence net risk assessment. Under normal circumstances, a time horizon of ‘in the next twelve
10
months’ shall be used. However, the time horizon would be shorter in the period of greater
changes and volatility.
6.2.9 Vertical Assessment by Risk Types (Track 3)

This assessment involves the aggregated assessment of various risks by their respective types, e.g.
credit, market, liquidity, and operational and is a function of the overall risk level offset by
overall quality of risk management for a given risk type. The assessment is to be conducted only
after assessments have been conducted on all SAs, so as to have the overall view of the aggregate
risk level and quality of risk management by various risk types bank-wide. Direction vertical net
risk is then rated as decreasing, stable or increasing.
6.2.10 Earnings and Capital

The assessment of capital includes a review of the quantity, quality and availability of externally
and internally generated capital. In reviewing an institution’s ability to generate capital internally,
profitability is considered. The assessment of earnings includes a review of the level, composition
and trends of earnings as well as future outlook. Peer group comparisons are also made. Earnings
and Capital are rated as ‘strong’, ‘acceptable’ or ‘weak’. Also, ‘C&E’ of CAMEL components
are rated 1-5 here using CAMEL Rating Guidelines in Appendix XXX. The assessment criteria
for Earnings and Capital are described in Appendix IX and Appendix X, respectively.
A determination on the expected direction of ‘Capital’ and ‘Earnings’ positions is also made as
either ‘Improving’, ‘Stable’ or ‘Deteriorating’. Such a determination is made in the context of a
defined period, e.g. ‘in the next twelve months’, ‘in the next six months’ etc. Under normal
circumstances, a time horizon of ‘in the next twelve months’ shall be used. However, the time
horizon would be shorter in the period of greater changes and volatility.
6.2.11 Composite Risk Rating

The composite risk rating (CRR) is an assessment of the overall risk profile of a bank, after
considering the impact of capital and earnings in its overall net risk. CAMEL composite is also
rated (1-5) here. These ratings reflect NBE’s overall assessment of the safety and soundness of
the bank. CRR is rated as low, moderate, or high. The assessment criteria are given in Appendix
XI.
6.2.12 Direction of Composite Risk

Direction of composite risk is also assessed as decreasing, stable, or increasing over a defined
appropriate time horizon, e.g. ‘in the next twelve months’. The direction of composite risk will be
influenced by the change in factors which influence overall net risk assessment and/or the change
in capital and earnings level.
6.2.13 Time Frame

‘Time Frame’ as appeared in the Risk Matrix refers to the time horizon within which a Desk
Officer feels that the CRR will hold before the need for another round of supervisory review and
assessment process. Time frame is determined by considering the level of Composite Risk rating
as well as the direction of the risk.
‘Time Frame’ is determined based on supervisors’ knowledge on potential changes in factors

which affect supervisory assessment, such as changes in the banks’ business plan and hence its
inherent risk profile, RMCF, capital and earnings as well as the environment and industry in
which the bank operates. The more adverse the Composite Risk rating and direction are, the
shorter is the ‘Time Frame’.
11
6.2.14 Risk Matrix

A Risk Matrix (refer Appendix XII) is used to record the ratings of inherent risks, ‘quality of risk
management’, net risk, overall net risk, earnings, capital and composite risk. It also includes the
direction of the net risk, overall net risk, composite risk and time frame to next review. While the
Risk Matrix is a convenient way to summarize the conclusions of risk assessment, it is supported
by documentation of the analysis and assessment (review notes) and the rationale for such
conclusions.
6.2.15 Risk Assessment Summary

Risk Assessment Summary (RAS) is a summary which highlights a bank’s present condition
(indicated by CRR and supervisory intervention stage rating), its prospective risk profile (based
on knowledge of business, strategic direction and future outlook), overall effectiveness of RMCF
as well as key supervisory issues and findings. The RAS is the primary document to be provided
to NBE’s senior management for information and discussion. Accordingly, it is critical that the
information be presented clearly and concisely. The length of the RAS will vary with the level of
information necessary to communicate supervisors’ assessment of a bank’s overall risk profile.
The information should be appropriately high level with details contained in the review notes.
RAS format is exhibited in Appendix XIII. CAMEL rating and financial highlights (see sample
in Appendix XIV) will be part of appendices to RAS. The RAS facilitates a sharper focus on
activities that pose the greatest risks to a bank. The RAS is used to set priorities for the year.
Information contained in RAS would be used to determine the appropriate supervisory
intervention action and formulate supervisory plan.
6.2.16 Supervisory Intervention

Supervisory intervention stage rating is reviewed after the RAS has been updated. Accordingly,
CRR of a bank is linked to its supervisory intervention stage rating in accordance with the ‘Guide
to Intervention for Banks’ shown in Appendices XV.
6.2.17 Quarterly Ratings

Disclosure of supervisory assessment results to banks would be limited to the ratings accorded as
well as supervisory issues which have contributed to the rating. The review notes, RAS and risk
matrix should not at all be divulged to the banks.
6.3 Planning and Scheduling Supervisory Activities – Step 3

A supervisory plan is prepared at the beginning of each operating year and outlines supervisory
work planned and resources required. The scope of the work planned is based on the RAS.
Supervisory focus would be placed on the SA, RMCF and various risk types which have been
identified in the RAS as significant risk areas. CAMEL components would also be considered
during planning. The RAS is used to determine priorities for the upcoming year and allocate
resources to individual institution accordingly.
The supervisory plan for each institution includes the following considerations:
 Environment and industry risks;
 Concerns or issues relating to the bank; and
 Benchmarking, peer reviews, or other special studies conducted on the bank.
The supervisory plan is subject to revisions if unforeseen events alter the risk profile of the
institution. Any changes require reassessment of priorities, not just an extension of the scope of
the supervisory efforts. Guidance Notes to Completing Supervisory Plan and Supervisory Plan
Format are shown in Appendix XVI and Appendix XVII, respectively.
6.3.1 Tools of Supervision
12
Tools of supervision that may be included in supervisory plan include:
(a) Full scope on-site examination: is one that is sufficient in scope to assess a bank’s CAMEL
components and the risk management system and make a conclusion about its safety and
soundness. Full scope onsite examination should be conducted at least once every 24 months.
(b) Targeted examination: is an onsite examination which does not cover all the CAMEL
components but rather focuses on specific product, area, or risk e.g. consumer loans, treasury
or operational risk.
(c) Planned meetings: are meetings with bank’s management to discuss its financial
performance, risk profile, strategies, the market in which it operates, and/or any other issue of
supervisory concern. These meetings should be conducted at least once during supervisory
period.
(d) Ad hoc meetings: are meetings with bank’s management either at NBE or onsite to discuss
business developments or plans and issues or concerns arising from the risk assessment
process or offsite analysis.
(e) Meetings with external auditors of the bank: are meetings with external auditors to
discuss supervisory issues and any other issue that might need attention of both the auditor
and the supervisor. If necessary, arrange with bank management to meet with the external
auditor to discuss:
 The external audit’s scope, results or significant findings, and upcoming audit plans or
activities;
 Reports, management letters, and other communications (written or oral) with the bank’s
board audit committee;
 Audit planning methodologies, risk assessments and sampling techniques, if necessary;
 How much the external auditor relies on the work of internal auditors and the extent of
external audit’s assessment and testing of financial reporting controls; and
 Assigned audit staff experience and familiarity with banking and bank auditing,
particularly in specialized areas.
(f) Off-site surveillance: this involves continuous off-site monitoring of the bank on the
performance and condition together with progress on implementation of various instructions
and/or recommendations from the supervisor.
During the supervisory period, the findings from different supervisory tools that have been
applied will provide NBE with new and more detailed information about the areas of risk or
concern identified during the risk assessment stage. This information will assist NBE to draw
conclusions, make instructions and recommendations for remedial action.
At any time during the supervisory period, NBE may need to seek remedial action from the bank
or take action itself to deal with issues of serious supervisory concern. In addition, a bank’s
circumstances may change because it is entering new markets, making an acquisition or is
affected by market developments. NBE will address first those areas which it considers to be
higher risk or concern. If such events occur, the supervisory plan may need to be revised.
Alternatively, NBE may decide that it should undertake another risk assessment as the profile of
the bank may have changed significantly.
13
All banks will be subjected to a supervisory plan. However, a bank with a low risk profile will
normally be subject to a less intensive supervisory plan. Nevertheless, a minimum level of
supervision is required across all banks to keep abreast of changes in the business. At minimum,
all banks should be subject to off-site surveillance and planned meetings.
6.3.2 Supervisory Cycle and Supervisory Period

The period between two consecutive onsite examinations is referred to as a supervisory cycle.
Where a bank has a low risk profile, its supervisory cycle may be extended to 24 months whereas
a bank with significantly high risk profile may have its supervisory cycle shortened to less than
12 months. A supervisory period is defined as a period equivalent to the 12 months which
coincide with NBE’s annual supervisory plan (from July to June).
6.4 Defining Examination Activities – Step 4

The pre-examination planning effort may be accomplished using both on- and off-site data. The
scope of onsite reviews depends on the areas of supervisory concern. EIC shall prepare a letter to
request information from the bank for the purpose of conducting preliminary review and
preparing scope memorandum. Scope memorandum identifies the key objectives and scope of on-
site examination. A letter introducing examiners to be involved in the examination exercise
should be sent to the bank.
6.4.1 Information Request Letter

The information request letter identifies the information necessary for the successful execution of
the on-site examination procedures. It is important that the information request letter be tailored
to fit the specific character and risk profile of the bank to be examined and the scope of the
activities to be performed. Thus, the effective use of request letter is highly dependent upon the
planning and scooping of a risk-based examination. To eliminate duplication and minimize the
regulatory burden on a bank, request letter should not request information that is provided on a
regular basis to or that is available within NBE, such as regulatory reports and various financial
information. Appendix XVIII provides a sample information request letter.
As specific items are selected for inclusion in the information request letter, the following
guidelines should be considered:
(a) Reflect risk-based supervision objectives and the examination scope. Items that are not
needed to support selected examination procedures should not be requested;
(b) Facilitate efficiency in the examination process and lessen the burden on banks. Minimize the
number of requested items, and avoid, to the extent possible, duplicating requests for
information already provided to NBE;
(c) Eliminate items used for audit-type procedures (e.g. verifications). Such procedures are
generally performed only when there is a reason to suspect that significant problems exist;
(d) Distinguish information to be received through mail for preliminary review to be conducted
off-site from information to be held at the bank for onsite review. Information that is not
easily reproduced should be reviewed on-site (e.g. policies, board minutes); and
(e) Allow management sufficient lead-time to prepare the requested information. The lead-time
should be at least two weeks.
6.4.2 Preliminary Review

The scope of onsite reviews depends on the areas of supervisory concern. These reviews and
interaction with the bank management also enhance supervisors’ understanding of the bank and
its risk profile. In the course of preparing the scope memorandum, EIC will coordinate
14
preliminary review, both on-site and off-site including pre-examination meeting with the senior
management of the bank. Documentation of pre-examination review is as per Appendices XIX,
XX and XXI.
During the pre-examination meeting the following issues may be discussed:
(a) Primary target market and business lines, and significant changes in bank products or
services including areas of growth since previous examination;
(b) Economic conditions within the target markets and any other external factors affecting
the primary business lines;
(c) Areas representing the greatest risk to the bank and/or markets;
(d) Changes in bank management, key personnel or operations since previous examination;
(e) Results of audit and internal controls review, any follow-up required by management;
(f) Any material changes to internal or external audit’s schedules or scope and adequacy of
audit staffing;
(g) Purchase, acquisition, merger or divestiture considerations;
(h) Changes in technology including operational systems, technology vendors/service
providers, critical software, internet banking, or plans for new products/activities that
involve new technology since previous examination;
(i) Issues regarding compliance with laws, directives and circulars governing banking
business;
(j) Other issues that may affect the risk profile; and
(k) Management concerns about the bank or NBE’s supervision including any areas the bank
would like the NBE to consider in the examination scope.
6.4.3 Scope Memorandum

The scope memorandum is an integral product in the risk-based methodology as it identifies the
key objectives and scope of the on-site examination. The focus of on-site examination activities,
identified in the scope memorandum, should be oriented to a top-down approach that includes a
review of the bank’s internal risk management systems and an appropriate level of transaction
testing. The risk-based methodology provides flexibility in the amount of on-site transaction
testing. Although the focus of the examination is on the bank’s processes, an appropriate level of
transaction testing and asset review will be necessary to verify the integrity of internal systems. If
internal systems are considered reliable, then transaction testing should be targeted to a level
sufficient to validate that the systems are effective and accurate. Conversely, if internal
management systems are deemed unreliable or ineffective, then transaction testing must be
adjusted to increase the amount of coverage.
The scope memorandum should be tailored to the size, complexity and current rating of the bank
and should define the objectives of the examination. The memorandum should generally include:
(i) Scope and objectives of the examination;

(ii) Summary of bank’s institutional overview and RAS after incorporating information from
preliminary review of both onsite and offsite information;
(iii) Summary of the pre-examination meeting;
(iv) Summary of audit review and reliance on risk management systems and internal and
external audit findings;
(v) Examination focus and procedures; and
(vi) Resource planning.
15
The scope memo should be submitted to Deputy Director for authorization. Scope memorandum
format and sample are attached as Appendix XXII and Appendix XXIII, respectively.
Authorization is granted by signing the Scope Authorization Form (Appendix XXIV).
6.4.4 Introduction/Entry Letter

EIC should prepare an introduction/entry letter indicating examination objectives and scope, staff
to be involved, commencement and completion dates. The bank should be informed at least one
week prior to commencement of examination. Appendix XXV presents Sample Introduction
Letter.
6.5 Performing On-Site Examination – Step 5

Onsite reviews are a critical part of the supervisory process. In performing on-site examination,
examiners should be guided by procedures as detailed in Appendix XXVI. Also, Examination
Time Line and Planning and Control Schedule are indicated in Appendix XXVII and Appendix
XXVIII, respectively. Examiners should tailor the procedures to the characteristics of each bank,
keeping in mind its size, complexity and risk profile. Examination procedures should focus on
developing appropriate documentation to adequately assess management’s ability to identify,
measure, monitor, and control risks. Procedures should be completed to the degree necessary to
determine whether the bank’s management understands and adequately controls the types and
levels of risks that are assumed.
In performing full scope examination, examiners will use core assessment and expanded
procedures (when necessary) to assess whether the risks within each bank are appropriately
identified and managed. The examination procedures should be tailored to fit the scope
memorandum for the examination. The examination also determines and validates the bank’s
condition. The core assessment will cover procedures to review the following areas:
(a) Capital Adequacy;

(b) Asset Quality and Credit Risk;
(c) Management & quality of risk management;
(d) Earnings;
(e) Liquidity and Liquidity risk;
(f) Market Risk; and
(g) Operational Risk.
The EIC should tailor the examination procedures to the risk rating as summarized in the risk
matrix. The core assessment procedures are divided into minimum-scope core assessment and
standard core assessment. The minimum-scope core assessment procedures are used in low-risk
areas while standard assessment procedures are used in areas identified as moderate-risk. A
combination of standard core assessment and expanded procedures (as needed) are used in high-
risk rated areas. The table below indicates the relationship between the risk rating and the
examination procedures:
Table 3: Relationship between preliminary risk rating and examination procedures

Low-risk rating Moderate-risk rating High-risk rating
Minimum-scope core Standard core assessment Standard core assessment plus
assessment expanded procedures (when
necessary)
6.5.1 Minimum Scope Core Assessment Procedures
16
The minimum-scope core assessment, which is the foundation for review in low-risk areas,
determines whether any significant changes have occurred in business activities, the risk profile,
management, or the condition of a low-risk area from the prior bank’s risk assessment. These
procedures will be used in low-risk areas to assign the appropriate CAMEL and risk ratings. If no
significant changes in the bank’s risk profile are identified after completion of the minimum
procedures, no further work will be done. However, if the assessment identifies supervisory
concerns, the EIC has the flexibility to expand the scope of the examination by completing other
procedures from the standard core assessment and/or expanded procedures.
6.5.2 Standard Core Assessment Procedures

For areas not identified as low-risk, examiners will complete other selected procedures from the
standard core assessment consistent with the bank’s complexity and level of supervisory concern.
While other procedures in the standard core assessment contain detailed procedures or clarifying
steps, examiners typically will not need to carry out every procedure.
6.5.3 Expanded Procedures

When specific area or risks are present that warrant a detailed review, examiners should widen
the scope of the supervisory activities by completing expanded procedures found in the
Examination Procedures. For example, if a bank has a higher-than-normal risk profile, NBE will
expect the bank to have more sophisticated and formalized policies and procedures to identify,
measure, monitor, and control risk. In these cases, the EIC will typically expand the examination
by using procedures from the Examination Procedures to more fully assess risk management
processes. If significant issues or areas of increasing risk are identified during the completion of
the core assessment, the EIC may also expand the examination to review areas of concern in more
depth. Expanded procedures may include additional transaction testing or a more thorough
assessment of the risk management process.
6.5.4 CAMEL Rating System

In the process of performing examination, examiners will also have to perform analysis of
CAMEL components that takes into consideration certain financial, managerial, and compliance
factors that are common to all banks. Under CAMEL analysis, the examiners endeavor to ensure
that all banks are evaluated in a comprehensive and uniform manner, and that supervisory
attention is appropriately focused on the banks exhibiting financial and operational weaknesses or
adverse trends. The CAMEL analysis also serves as a useful vehicle for identifying problem or
deteriorating banks, as well as for categorizing banks with deficiencies in particular component
areas. Further, the rating system assists banking supervision in following safety and soundness
trends and in assessing the aggregate strength and soundness of the banking industry.
Under the CAMEL, each bank is assigned a composite rating based on an evaluation and rating of
five essential components of a bank’s financial condition and operations. These component
factors address the adequacy of capital, the quality of assets, the capability of management
(quality of risk management), the quality and level of earnings, and the adequacy of liquidity.
Evaluations of the components take into consideration the bank’s size and sophistication, the
nature and complexity of its activities, and its risk profile.
Composite and component ratings are assigned based on 1 to 5 numerical scale where 1 indicates
the highest rating, implying strongest performance, risk management practices and least degree of
supervisory concern; while 5 indicates the lowest rating, implying weakest performance,
inadequate risk management practices and, therefore, the highest degree of supervisory concern.
17
The composite rating generally bears a close relationship to the component ratings. Composite
rating is not derived by computing an arithmetic average of the component ratings but rather, the
ratings are dependent on the worst rating in any of the five CAMEL components. Each
component rating is based on both quantitative and qualitative analyses of the factors comprising
that component and its interrelationship with the other components. It is important to note that
rating definitions under Composite 4 and 5 are similar with exception of two factors outlined
below which could lead a bank being rated 5 instead of 4:
(i) If the volume and severity of problems are beyond management’s ability or willingness
to control or correct; and
(ii) If immediate outside financial or other assistance is needed in order for the bank to be
viable.
Assigned composite and component ratings are disclosed to the bank’s board of directors and
senior management. Definition of Ratios for Risk and CAMEL ratings is provided in Appendix
XXIX. The composite rating definitions, and the descriptions and definitions for the five CAMEL
component ratings is attached as Appendix XXX. Similarly, Risk Rating Guidelines are attached
as Appendix XXXI to supplement risk rating process.
The ability of management to respond to changing circumstances and to address the risks that
may arise from changing business conditions, or the initiation of new activities or products, is an
important factor in evaluating a bank’s overall risk profile and the level of supervisory attention
warranted.
6.5.5 Minimum Documentation Requirements

It is important for examiners to document their overall conclusions after performing the
appropriate examination procedures. Documentation should include the procedures performed to
address the core assessment objectives, the conclusions for the area under review and the findings
that should be carried forward into the examination report or other document used to
communicate the findings to the bank’s board of directors and management.
More specifically, the supervisory file includes an updated copy of the RAS, a copy of reports,
and related correspondences, and copies of various review notes. A review note is prepared based
on standard format for each significant activity, RMCF and CAMEL component review. The
review notes are used to document assessments of SA, RMCF and CAMEL components.
Working papers necessary to support the assessment are also filed. If a significant activity or
RMCF is not reviewed during an on-site visit, the latest review notes for the SA or RMCF are
brought forward to ensure that the file contains the latest information on the institution.
6.5.6 Quality Assurance

The NBE’s quality assurance framework for on-site examination comprises quality and
consistency check on examination findings and assessment of specific portfolio, composite risk
rating and CAMEL rating assigned and areas of supervisory concerns identified, and supervisory
actions to be taken. Quality assurance process will be detailed in ‘Quality Assurance Framework’
to be developed.
6.5.7 Reporting Assessment Results to Supervised Banks

After completion of on-site examination, NBE will prepare a report for the examined bank. For
full scope on-site examination, contents of the report should clearly and concisely communicate
to the bank CAMEL ratings, risk ratings, and any supervisory issues or concerns related to the
18
bank. For targeted examination, the report should communicate findings arising from specific
areas examined. Recommendations should be specific, time bound and listed in order of
importance.
Findings and recommendations are first discussed during the exit meeting with senior
management of the bank together with its Risk Management and/or Internal Audit departments.
This is followed by management meeting with its Chief Executive Officer and board and/or board
committees. The feedbacks from the discussions will be taken into account in finalizing the
examination report. Examination reports to the bank are addressed to the Chairperson of the
board. Format and contents of report of examination are in Appendices XXXII and XXXIII,
respectively.
6.6 Following up Findings and Recommendations – Step 6

The findings and recommendations reported to the bank are followed-up on a timely basis and the
results are included in the RAS updates. The Desk Officer should maintain an on-going list of
issues to be followed up with the bank management within a specified timeframe. The results
may be incorporated in the institutional overview and corporate profile updates. Periodical reports
from the banks on the status of rectification measures are attached to the RAS.
7.0 RELIANCE ON WORK OF THIRD PARTIES

As one of the key principles of the Framework, the NBE will rely on the work of external parties
such as external auditors as input to its supervisory assessments, to facilitate risk-focused
assessments and minimize duplication of efforts. For this purpose ‘reliance letters’ would be sent
out by NBE to the external parties annually to communicate its intention to rely on their work.
The level of reliance put by NBE on the work of the external parties would depend on its
assessment of the parties’ competency and reliability.
19
APPENDIX: I
DETAIL STEPS OF SUPERVISORY PROCESS AND THEIR RESPECTIVE OUTPUTS

Supervisory Process Output
1. Know Your Institution 1. Information request
2. Understanding of business and strategies, direction of
institution
3. Understanding of institution’s inherent risk profile
4. Understanding of environment, industry and institution-
specific factors which affect institution’s risk profile
5. Institutional overview and corporate profile
2. List down all activities carried 6. Laundry list of all activities carried out by institution.
out by institution and determine 7. Relative materiality of the activities.
their relative materiality
3. Identify Significant Activities 8. List of SA to be monitored and assessed.
(SA)
4. Assign responsibility for 9. List of SA and responsible person.
assessment of SA
5. Perform assessment of each 10. Net Risk ratings and directions for each SA
SA and complete the respective 11. Completed/updated Review Notes, Risk Matrix and RAS
review notes. Derive net risk 12. Working papers/supporting documents
rating and its direction. Transfer
assessment results, i.e. inherent
risk rating, RMCF, net risk &
direction of net risk onto the Risk
Matrix
6. Derive the Overall Net Risk 13. ONR and its direction.
rating (ONR) and direction by
considering the relative
materiality of each SA and their
Net Risk ratings
7. Assess Earnings and Capital 14. Earnings and Capital ratings.
15. Completed/updated Review Notes, Risk Matrix and RAS.
20
16. Working papers/supporting documents.

8. Derive Composite Risk Rating 17. CRR and direction.
(CRR) and its 18. Updated Review Notes, Risk Matrix and RAS.
direction
9. Determine the time frame to 19. Time frame, e.g. 3 months, 6 months, etc.
next review
10. Seek feedback from Quality 20. Feedback from Quality Assurance (only for examination
Assurance reports).
11. Link CRR to Supervisory 21. Stage rating.

Intervention Action 22. Supervisory Intervention activities/report.
12. Reporting (reporting of 23. Examination reports
findings and 24. Quarterly ratings.
recommendations to the
institution)
13. Follow-up of findings and 25. Updated Review Notes, Risk Matrix and RAS
recommendations
APPENDIX: II
GUIDANCE NOTES TO COMPLETING INSTITUTIONAL OVERVIEW

(ATTACHMENT TO SUPERVISORY PLAN)
A. Overall Condition
Summarize the overall condition based on the level of supervisory concern, assessment of Risk
Management system and adequacy of management oversight over the bank. Any key
issues/concerns relating to the strategies employed should also be highlighted.
Example
Overall, supervisory concern over the bank is moderate. The bank is embarking on an expansion program
and contemplating introduction of new financial products. This new focus is characterized by increasing
level of operational, credit and liquidity risk. However, the bank employs a satisfactory risk management
system, complemented by adequate policies, procedures and internal controls. The board and management
exercise close supervision over the bank and have demonstrated their capabilities in steering the bank
through the recent financial crises. Strategies are in place to address the bank’s short and long term needs.
The financial performance of the bank remains satisfactory.
B1. Risk Assessment Summary
State the level of inherent risk, the adequacy of risk management systems, the overall composite
risk and the direction of overall composite risk.
Example
Type of Level of Adequacy of Risk Overall Direction of Overall

Risk Inherent Management Composite Risk Composite Risk
Risk* Systems**
Credit Moderate Acceptable Moderate Increasing
Liquidity Moderate Strong Low Increasing
Market Moderate Acceptable Low Decreasing
21
Operational Moderate Acceptable Moderate Increasing

*Equivalent to ‘Aggregate Inherent Risk’ in the Risk Matrix
** Equivalent to ‘Aggregate Risk Management Systems in the Risk Matrix.
B2. Individual risk narratives

B2.1. Credit Risk
B2.2. Liquidity Risk
B2.3. Market
(i). Interest rate risk
(ii). Foreign exchange risk
B2.4. Operational
C. Quality of Risk Management Overview
 Provide an overview of operational management.
 Briefly evaluate risk management control functions:
– Board Oversight,
– Senior Management,
– Risk Management,
– Internal Audit,
– Compliance,
– Information and Communication.
D. Significant Current Events
State briefly, events that may have an impact on, or influence on the bank’s operations and
condition. For example:
 Change in policies and strategic direction.

 New products/markets.
 Change in key management (particularly financial or operations personnel).
 Unusual turnover in the management.
 Recent acquisition or merger.
 Recent regulatory action imposed on bank.
 Recent major fraud.
E. Results of Last On-site Examination “ Recent Examination Results And Audit

Findings”
6.4.4 State the reference date of the on-site examination

(i) On-site Examination:
Based on last examination report, state the bank’s CAMEL ratings (individual
components and composite) and summarize key findings.
(ii) Information Systems (IS) Examination;
22
(iii) External and Internal audit findings

(iv) Off-site surveillance
F. Financial Overview
(i) Bank
Provide a brief write-up on the overall assessment of the financial performance of
the bank, based on Capital, Asset, Earnings and Liquidity.
(ii) Banking Group

Provide a financial statement on a consolidated basis (include review of parent
company and significant non-bank subsidiaries and associate companies).
G. Non-compliance to Regulatory and Administrative Requirements
List down any instance of non-compliance and corrective actions taken or to be taken by
the bank.
H. Environmental Considerations
Identify and state any external environmental factor, which may have an impact on the
operations and conditions of the bank, e.g. economic environment.
I. Accounting and Reporting Issues
Identify and state significant accounting or reporting issues that may have any impact on
the operations and condition of the bank. For example,
 Departure from standard accounting practices and the NBE guidelines on disclosure
and presentation.
 Significant transactions such as inter-company transactions and portfolio transfers.
J. Future Prospects
(i) State the result of stress test/s conducted by the NBE and the bank.
(ii) State the bank’s strategic forecasts for key performance areas, and budget
projections, and/or new markets and products
K. Other Outstanding Matters
State any pending matters which have been identified through correspondences, previous
examination reports, specific approvals/exemptions and issues to follow-up arising from
internal and external audit reports.
L. Supervisory Concerns
M. Attachments
List down the following documents as attachments (label them as appendices):
23
 Organization Chart.
 Business Plan.
 Risk Matrix.
 Annual Report.
 Relevant Extracts from internal audit reports.
 Any other relevant information.
 At least three consecutive audit financial statements that includes:
 Summary of key ratios
 Comparative income statements and balance sheet
N. Sign-off
The various parties have to sign-off (and date) the institutional overview.
(a) Desk Officer who prepared the institutional overview.
(b) Team Leader who concurred with.
(c) D/Director who approved the institutional overview.
Attachment to Supervisory Plan

INSTITUTIONAL OVERVIEW
Bank including address:
Contact Person:
Cut-off Date:
A. Overall Condition
B. Risk Assessment Summary

Type of Risk Level of Adequacy of Risk Overall Composite Direction of Risk
Inherent Risk Mgt Systems Risk Management
Credit
Liquidity
Market
Operational
C. Quality of Risk Mgt Overview (Operational Mgt and RMCF)
D. Significant Current Events
E. Results of Last Examination as at …..

CAMEL Summary of Key Findings
Capital Adequacy
Asset Quality
Management
Earnings
Liquidity
Composite Rating
F. Financial Overview as at …..

(i) Bank
Capital
Asset
Earnings
Liquidity
(ii) Banking Group
24
G. Non-compliance to Regulatory and Administrative Requirement

Compliance Corrective Actions Taken/To Be Taken
1.
2.
3.
H. Environmental Considerations
I. Accounting and Reporting Issues
J. Future Prospects
(i) Stress Test Results
(ii) Projections
K. Other Outstanding Matters
L. Attachments
M. Sign-Off
Name Signature Date Designation
Prepared by
Concurred by
Approved by
APPENDIX: III
GUIDANCE NOTES TO COMPLETING CORPORATE PROFILE

(ATTACHMENT TO SUPERVISORY PLAN)
For the Corporate profile, complete the following information:

1. State the name and address of the bank as well as contact person.
2. State the reporting date of the institutional overview.
3. Complete the following items:
CP1. Summary of the organization and formation of the bank

CP2. Summary of the business strategies of the bank
CP3. Capital structure of the bank
CP4. Total asset size and ranking in the industry
CP5. Ownership of the bank (major shareholders >2% shareholding) and the % shareholding
CP6. Senior management of the bank (names and designations)
CP7. Board of directors of the bank (names and designations)
CP8. Audit function of the bank:
(a) Audit committee (names and designations)
(b) Chief Internal Auditor (name)
(c) External Auditors (name)
CP9. Related organization of the bank
7 Subsidiary/ies (>50% shareholding)
8 Associate company/ies
CP10. Other information
(a) Number of branches of the bank
(b) Number of staff
25
4. Complete the following items in relation to customer profile (and indicate the reference date):
CP11. List of top 10 borrowers (aggregate all facilities under a single customers)
CP12. List of 10 non-performing loans (aggregate all NPLs under a single customer)
CP13. List of top 20 depositor (aggregate all facilities under a single customers)
CP14. NPLs by Economic Sectors.
Attachment to Supervisory Plan

CORPORATE PROFILE
Bank including address:
Contact person:
Cut-off Date:
CP1. Organization and Formation
CP2. Business Strategy
CP3. Capital Structure CP4. Asset Size and Industry Ranking

Birr ‘million Total Assets (Birr ‘million)
Authorized Ranking
Issued and fully paid
(No. of shares and value per share)
CP5. Major Shareholders CP6. Senior Management

% Name (qualification, experience) Designation
26
CP7. Board of Directors CP8. Audit & Legal Function

Name (qualification, experience) Position Name
Audit Committee Chairman
Chief Internal Auditor
External Auditor
Lawyer
CP9. Related Organizations CP10. Other Information

Holding (%) No. of Branches
Subsidiaries
Associates
No. of Staff
CP11. Top 10 Borrowers (Group/Individual) CP12. Top 10 NPLs (Group/Individual)

As at … As at …
O/S Balance O/S Balance
Birr’ Million Birr’ Million
Total Loans Total NPLs

% to Total Loans % to Total Loans
Sign-Off
Name Signature Date Designation
Prepared by
Concurred by
Approved by
APPENDIX: IV
FUNCTIONAL RISK MAPPING CHART
No. Functional Areas/Activities Inherent Risks
(based on the financial statements & business plan of
the bank) Credit Liquidity Market Operational
Forex Interest Rate
1 Banking operations:
-deposit liabilities other than banks X X X X
-special deposit accounts X X X
-deposits from banks and financial banks X X X X
-bankers checks and drafts issued X X
-payment orders/transfers payable X X
-borrowings X X X X
-subordinated debt X X X X
-trust and safe custody X
2 Cash management X X
3 Clearing/Payment system:
- checks and items for clearing X X
-Inter-branch float items X X
-electronic payment system e.g. ATMs, internet X
27
4 Fixed asset management:

-bank premises, furniture and equipment X
-other property and assets owned or acquired X
5 Lending/Credit:
-inter-bank loans receivable X X X X X
-loans advances and overdraft X X X X X
-commercial & other bills purchased & discounted X X X X
-customers liabilities for acceptances X X X X
-claims on the treasury X X
6 Off Balance sheet activities X X X X X
7 Placement in other banks:
-balances with NBE X X X X
-balances with other banks & financial banks X X X
8 Treasury and investments activities:
-investment in debt securities X X X X
-underwriting accounts X X
-equity investment X X
9 Foreign exchange trading X X X
10 Litigation and legal matters X X
11 Human Resource X
12 Information systems X
13 Internal controls & audit X
14 Other activities:
-other assets X
-accrued taxes & other expenses not paid X
-unearned income and other deferred credits X
-outstanding acceptances executed by or for account of
the bank X
-other liabilities X
APPENDIX: V
SAMPLE SUPERVISORY FILES AND REVIEW NOTES
SUPERVISORY FILE 1
INSTITUTION:
STATEMENT PERIOD:
SECTION: CORPORATE BANKING (modify for any significant activity)
DESCRIPTION WP REF
REVIEW NOTES
28
REVIEW NOTES 1
INSTITUTION:
STATEMENT PERIOD:
SECTION: CORPORATE BANKING
PREPARED/UPDATED BY: DATE:
REVIEWED BY: DATE:
REFERENCES:
This review note is used to provide an analysis and assessment of corporate banking activity of a bank. The purpose of
this general review note is to cover all aspects of corporate banking. This general review note should be used when it is
not appropriate or useful to further segment the activity into Corporate Real Estate, Loan Syndications, Trade Finance,
etc.
References:
1. Related Laws, NBE Directives and Guidelines
2. Commercial Bank Examination Manual, Federal Reserve Bank of U.S. Available on FRB Web site –
http://www.bog.fed.us
BACKGROUND AND ANALYSIS
Financial Risk Position/Treasury
29
Discuss and analyze the assets and liabilities (on and off balance sheet) generated by corporate banking activities on a
comparative basis over the past few years. Review unusual and/or material balances resulting from the corporate
banking activities. Assess the treasury/funding activities associated with corporate banking activities. Consider the
financial risks associated with these activities.
Strategic Importance and Key Strategies

Assess the importance of corporate banking activities to the overall success of the bank. How significant is corporate
banking relative to the rest of the institution, i.e. % of assets, deposits, non-credit fee income, earnings, and revenues?
Why does the bank engage in this type of banking? What are the competitive advantages of the corporate banking
activities for the institution? What are the key competitive strategies emphasize: cost leadership, differentiation or
market focus? What competitive threats have been identified? How successfully has management been able to
implement past strategies? Do the strategies make sense relative to its peers and general economic and market
conditions? Are the strategies congruent with overall institutional goals and objective?
Risk Policies
What are management’s risk policies regarding credit risk, market risk, etc. for corporate banking activities? Risk
averse or risk inclined? Does the institution “squeeze margins” to gain customer relationships? Does it seek market
share versus profitability? Do the risk policies adequately support the key strategies for corporate banking?
Marketing and Sources of Business

What distribution methods are used – central office, branches, electronic, etc? Is the institution dependent on any
source (partly or group) for a significant volume of business? Assess the marketing strategy and the institution’s major
corporate banking competitors. Assess any joint marketing arrangements. Discuss product pricing- how prices are set
and terms are evaluated. Does it develop its own products? Is it an industry follower or leader?
Activities, Products and Concentrations of Business

What types of corporate banking activities does the institution engage in? (large corporate, real estate, trade finance,
financial institutions, not-credit services etc.) What are the corporate banking products offered by the institution? What
is the current business mix and has it changed significantly since our last assessment? Identify any trends in portfolio
mix. Are there any significant credit concentrations? Analyze credit policies, limits, exposures, etc. Analyze the risk
profile of the book. How do the products, concentrations and risk profile reflect the key strategies and risk policies for
corporate banking activities? What bargaining leverage does the institution have with its corporate banking customers?
How price sensitive are the institution’s corporate banking products?
Financial Performance
Discuss financial performance on a comparative basis over the past few years. What factors have contributed to that
performance? Analyze margins by product, region, etc and compare to peers. Analyze loan loss experience and
compare to peers. What problems are there and what remedial action has management taken to address those problems?
Include a discussion of interim performance. Consider reviewing changes in average loan size, rates of new business
acceptance and rates of renewals. Indicate the trend in the non-interest expense ratio over the last few years. What has
contributed to the trend? How does this compare to its peer group?
Linkages and Alliances

Evaluate any linkages and alliances between corporate banking and other business units internal or external to the
institution? What is the nature of the alliances, i.e. revenue sharing, co-branding, loan syndication etc.? What impact
do these linkages and alliances have on the operations and performance of corporate banking? How do they help the
institution achieve its key corporate banking strategies? How adequately does the institution control these linkages?
30
INHERENT RISK
Consider: Economic conditions, market environment, stages of the business cycle, competitive forces, target markets
and characteristics of those markets, distribution methods, concentration of risk, portfolio growth rates, entry into new
markets or product lines, significant changes in market share, and characteristics of loan portfolios. Nature of margin
trends and sensitivity of margins to market conditions, loan loss ratios significantly different from peers in similar
business, centralized vs. decentralized operations. Degree of reliance on intermediaries and adequacy of contractual
agreement. Concentration of credit risk.
Inherent risks should be discussed using the categories identified in the Supervisory Framework: Credit, Market,
Liquidity, Operational, as applicable.) Please use sub-headings and indicate your assessment of each category).
Credit (Level: )
Market (Level: )
Liquidity (Level: )
Operational (Level: )
Notional Aggregate of Inherent Risk (Level: )
QUALITY OF RISK MANAGEMENT
Operational Management (Quality: )
Organizational and Operational Structure

Assess how well corporate banking is organized. What are the business sub-units within corporate banking? How is
lending, pricing, etc. authority structured? What are reporting lines within and between units? Who decides on new
products and marketing strategies? Are there specialist departments responsible for complex products? What is the
relationship between the front office, middle office and back office? How does the unit interact with other business
within the institution?
Resources, Staffing and Training

What is the unit’s budget for current and future years? What has been the trend in resources and staffing? How are
resources allocated? Is the group staffed with sufficient experience and expertise to deliver on its mandate? How are
staffs recruited? What amount and type of training is provided for staff?
Compensation Policies and Practices
31
Evaluate the compensation policies and practices used in corporate banking activities. Do they support the key
strategies for corporate banking? Do they encourage excessive risk taking? How are they integrated into human
resource and performance management? How do the policies and practices compare to the institution’s peers in
corporate banking?
Controls over Risk and Operational Practices

Are operations guided by well communicated, documented and up-to-date policies and procedures? Assess the
adequacy of the risk control mechanisms. How are the risk control mechanisms linked to the risk policies? How have
the risk controls been integrated into the day-to-day operational practices and procedures? Who is responsible for
assuring compliance with the controls and how are they checked? Assess the policies and procedures to ensure that
Corporate Banking operations comply with corporate standards and best practices. Consider controls over completeness
and accuracy of reporting, controls over new products, controls over entry into new markets, monitoring of risks and
performance, control over outsourcing arrangements and other third parties with significant operational impact.
Meaningful and timely reports provided to management. System capacity sufficient to cope with business volumes and
different products and their information needs. How effective is the unit in leveraging its customer relationships?
Outsourcing
Have any corporate banking products, services or operations been outsourced? If so, what products, services or
operations? Are the outsourcing arrangements managed according to NBE guidelines and circulars (to be issued)? Is
there independent third party review of the outsourcing?
Information and Communication (Quality: )

Provide an assessment of the Information & Communication oversight of the activity. Comment on the type, frequency,
quality and use of information/financial analysis used to support the institution’s corporate banking activities. Is the
reporting to an appropriately senior level?
Compliance (Quality: )
Provide an assessment of the oversight by Compliance for the activity. What role(s) does the compliance function play
in the compliance processes? How effective are they in carrying out these roles? What responsibility does the
Compliance function have for making sure corporate banking activities are in compliance with all relevant legislation
and regulations for all jurisdictions in which the institution conducts corporate banking activities? How do they carry
out these responsibilities? Have they identified and confirmed key compliance elements?
Internal Audit/Self-Assessment (Quality: )

Provide an assessment of the oversight by Internal Audit over the activity. Does the internal audit department have an
effective role for independently evaluating the corporate banking activities and processes within the institution? What s
the scope of work performed by internal audit for this activity? Is it adequately resourced to carry out this role? Is the
level of knowledge and skills of internal audit staff adequate for this activity? What other roles does internal audit have
in these processes of the institution, i.e. reliability of management information, consistency effectiveness? Is there
timely reporting and follow up of findings?
Risk Management (Quality: )

Provide an assessment of the oversight by Risk Management of the activity. How are the risks associated with
corporate banking strategies, objectives and initiatives assessed? Do corporate banking activities and decision making
include risk management considerations on a regular, structured basis? Have they identified and reported on key risks,
actual positions to limits and breaches/exceptions to limits?
32
Senior Management (Quality: )

Provide an assessment of senior management’s oversight of the activity. How effective is senior management in
planning, directing and controlling the corporate banking activities? What management tools (committees, independent
reviews, etc) are used to support senor management oversight of these processes? How well does senior management
control the implementation of corporate banking plans, objectives and initiatives? What s the knowledge and awareness
level of the senor management group regarding corporate banking activities and products?
Board/Committees (Quality: )
Provide an assessment of the effectiveness of the Board of Directors and Committees in overseeing corporate banking
activities? How open is the relationship between the Board and senior management regarding investment activities?
Does the Board actively engage in discussions, concerns and recommendations regarding corporate banking activities?
What limits/reports does the Board review and approve? What type of information does the Board receive on a regular
basis regarding corporate banking? Does the Board have a special committee for corporate banking activities?
Notional Aggregate Quality of Risk Management (Quality: )
NET RISK AND DIRECTION OF RISK

Briefly describe below your assessment of Net Risk and Direction of Risk taking into consideration the Inherent Risk
and Quality of Risk Management analysis and assessment above.
Net Risk (Level: )
Direction of Risk (Direction: )
USE OF THE WORK OF THIRD PARTIES

Support the use of the work of 3rd parties with detailed information regarding scope of review, findings and impact on
the NBE’s review. Copies of 3rd party documentation should be included to the extent considered necessary to support
use of their work.
SCOPE OF FURTHER REVIEW

Clearly identify the residual risks, if any, to be addressed and the significance of those risks and how they are proposed
to be addressed. Be specific.
PROCEDURES
Select procedures appropriate for the risks identified. If no risks remain to be addressed, not further procedures may be
necessary.
33
RESULTS AND RISK ASSESSMENT

All results and conclusions should be set out here. Include an overall assessment of the department’s business practices
and experience.
RECOMMENDATIONS
To the Institution
Disposition of recommendations should be noted after each point by indicating the action taken (e.g. included in
Examination Report, quarterly ratings, verbally discussed with institution, etc.)
For Future Reviews

Recommendations made here should be regarding items not addressed in the current reviews. Including
recommendations for enhancing the efficiency and effectiveness of our reviews in the future.
SUPERVISORY FILE 2 (IT)

ITINSTITUTION:
STATEMENT PERIOD:
APPENDIX NO:
NAME OF SA:
PREPARED/UPDATED DATE:
BY:
REVIEWED BY: DATE:
Notes Ref
34
XA: MATERIALITY ASSESSMENT

Based on the assessment criteria for inherent risk contained in the RBSF Assessment Guide for IT Risk Supervisors, as
well as analysis and assessment from the General Assessment section of IT/BC Review Notes (where applicable),
provide an assessment of Materiality for the Significant Activity
 The IT and network infrastructure that involved in the merger exercise would be complex. Merger exercise will
impact IT operation & IT infrastructure to be more complex.
 The time taken to stabilize the newly merged IT system.
 The magnitude and complexity of processing, transaction enquiries or reports produced or printed by the IT
system that are to be merged.
XB: INHERENT RISK

Based on the analysis and assessments contained in sections above, determine if it is appropriate to provide ratings with
a short rationale for any of the following inherent risks: Credit, Market, Liquidity, Operational (Please use sub-
headings).
Operational (Level: High)
The inherent operational risk is rated as High due to the followings,

 Massive data migration from old to new systems. After data migration, policy transactions must be processed in
the new system and not allow the renewal to continue in the old system. Otherwise, the parallel existence of both
systems will continue indefinitely.
 Weaknesses in DR readiness. The first disaster recovery (DR) testing after merger was conducted in June 2007.
Although there were a few shortcomings, they managed to identify the root cause and provide solution. But there
is possibility that customers could be lost to another bank that could provide more reliable system. A more
comprehensive and enhanced DR testing need to be done to ensure minimum disruption during disaster.
 Inadequate IT skilled personnel.
Information Technology (Level: High)
 The tendency and impact of data integrity and data quality issue due to merger exercise (cleanliness of the data
used for the merger, customer data, management reporting). Currently for each month-end report; the data need to
be extracted form various systems and figures to be reconciled. Time consuming.
 System limitation to set month end close. If there is need to set early month end closing, they need to change the
system date. The changing of the system-date in not acceptable from an audit point of view and proper solution
should be provided.
Strategic (Level: Moderate)
 Experienced significant glitches in ITD staff movement during the merger exercise.
35
 Need to revise business owners and IT representatives for the merged operations. This would impact the business
process.
 Need to consolidate the list of IT contracts & agreements (rationalization on contract expiry) and revisit/streamline
as part of ISO 90001 project requirements.
Notional Aggregate of Inherent Risk (Level: )
XC: QUALITY OF RISK MANAGEMENT

Provide an assessment of Operational Management, as well as the quality of oversight provided by for the following
quality of risk management functions: Board and Committees, Senior Management, Risk Management, Internal
Audit/Self Assessment, Compliance, Information & Communication pertaining to the Significant Activity (Please use
sub-headings, where necessary).
XC1: Operational Management (Quality: Acceptable )
No. Item Notes Ref

1 Provide an assessment of the activity by operational In performing day-to-day operation, adequate A1.1
management policies and procedure are formulated and
implemented.
IT merger plans are in line with business A1.4

plans.
The resources are adequate to effectively A4.5

mange and mitigate the inherent risk.
No major system downtime, network

downtime and application system security C1.1
breach.
Operation procedures (ISO 9001:2000) are in

place.
XC2: Board/Committee (Quality: Acceptable)
N Item Notes Ref

o.
1 How open is the relationship between the The information regarding information technology is A2.2
Board and senor management regarding escalated to the Board level
information technology/business
continuity plans?
2 Does the Board actively engage in Yes, the issues on IT and Business continuity were A2.2
discussions, concerns and table to the Board once in two months.
recommendations regarding the
institution’s information
technology/business continuity plans?
3 What type of information does the Board Some of the matters will be updated during Board A2.2
receive on a regular basis regarding these Meeting:
activities? -Resources i.e. staff strength/skills
- IT project updates i.e. BCM
4 Does the Board have a special committee A1.6
for information technology/business
continuity plans?
XC3: Senior Management (Quality: Acceptable)
No. Item Notes Ref
36
1 How effective is senior Senior management plays effective role in monitoring the A1.5
management in monitoring the achievement of the Board-approved IT plans, strategies and
activity? effectiveness of IT organizational structure and controls.
Among its prefix agenda for IT are IT services update and IT
systems update.
2 What management tools There are various committees to discuss on IT matter i.e. IS A1.6
(committees, independent Steering Committee (BCC), Business Continuity Committee
reviews, etc) are used to support (BCC), Information Security Committee (ISMC). The agreed
senior management oversight of frequency of meeting for :
these processes?  ISSC, BCC and ISMC- quarterly
3 How well does senior IT-related risks are adequately identified, discussed, A1.5
management control the monitored and controlled.
implementation of information Senior management also actively monitors adherence to
technology/business continuity approved policies and procedures, and compliance
plans? requirement, and ensures that timely action is taken to
remedy any deficiencies that may arise.
4 What is the knowledge and The senor management effectively oversees the execution of A1.5
awareness level of the senior approved IT strategies and effective management of overall
management group regarding IT operations. They put forward their ideas/suggestion or
these activities? concerns regarding implementation of IT/BCP during the
ITSC meeting.
XC4: Risk Management (Quality: Acceptable)
No. Item Notes Ref

1 Assess the adequacy of risk IT risk management framework is in place. A4.3
management’s oversight of the
management of information A quarterly assessment of key information security risk
technology/business continuity areas is done by Compliance Risk Management Committee
plan risks. Comment on the (CRMC).
structure and composition of the
function within the businesses There is IT security risk assessment being conducted by IT
unit, timeliness of reports and risk committee.
follow-up on findings
XC5: Internal Audit/Self Assessment (Quality: Weak)
No. Item Notes Ref

1 Does the internal audit department have an effective role Yes, the IAD has played its role XC5.1
for independency evaluating the information effectively and is deemed
technology/business continuity plans within the independent.
institution?
IAD reports directly to Audit
Committee in order to preserve the
independence.
2 What other roles does internal audit have in these To review Audit Framework if there A4.2
processes of the institution, i.e. reliability of management is any
information, consistency effectiveness?
3 Is the internal audit adequate for the size and complexity Existing staff force is 3 staff. A4.2
of the size and complexity of the institution’s IT Manpower shall be increased to 7
functions? staff in Year 2007.
There is only one IT auditor. But the
external auditors have been engaged
to perform IT audit.
No. Item Notice Ref

4 How is internal audit work planned for Proposed information system scope (general controls A4.2
IT functions? & application controls) by Regional IA.
5 Are critical new IT services/systems To be reviewed -
reviewed for security and internal
controls?
37
6 Are critical IT services/systems Yes. It is included in the audit coverage A4.2

reviewed on a regular basis?
7 Do internal audit staffs possess No, the internal IT auditor has only two years -
necessary technical competence, skills experience.
and knowledge?
8 Are internal audit reports sufficient for Yes. The appropriate actions taken are in place. A1.2
senior management to understand and
take appropriate action on findings,
conclusions and recommendations?
9 Is there timely follow-up by internal Yes. Progress report being escalated to management A1.2
audit? and NBE.
XC6: Compliance (Quality: Acceptable)
No. Item Notes Ref

1 Provide an assessment of the Compliance dept. provides independent oversight of the A1.4
oversight over the activity by management of the IT by monitoring compliance with
compliance. relevant internal/external procedures and guidelines
related to IT. A1.4
XC7: Information and Communication (Quality: Acceptable)
No. Item Notes Ref

1 Provide an assessment of the Based on information gathering process, project A1.5
oversight provided by information communication plan has effectively guided the relevant A2.4
and communication function over staff in communicating with various parties i.e. ITSC,
the activity. Project Working committee.
Senior management is being updated adequately on the

project status via ITSC.
XC8: Notional Aggregate of Quality of Risk Management (Quality: Acceptable)
XD: NET RISK AND DIRECTION OF RISK

Briefly describe below your assessment of Net Risk and Direction of Risk
XD1: Net Risk (Level: Acceptable)
The component of RMCF is strong to manage and mitigate the inherent risk. The main contributing factor is the
adequate IT merger plan with proper working committees to oversee IT merger implementation. The management
also plays and active role as to ensure the merger of IT system and Operations are successful according to the plan.
XD2: Direction of Risk (Quality: Stable)
The direction of risk is assessed as stable as the company has managed to identify the problems faced and its
solutions. In addition, the efforts to comply with GPIS 1 will definitely enhance the overall IT environment.
Furthermore, the IT risk management framework is in place and management will review the IT risk identification
and evaluation on quarterly basis. The internal audit has also taken a proactive measure in enhancing their IT audit.
External auditors are also engaged to perform IT audit.
XE: USE OF THE WORK OF THIRD PARTIES
38
Support the use of the work of 3rd parties with detailed information regarding scope of review, findings and impact
on the NBE’s review. Copies of 3rd party documentation should be included to the extent considered necessary to
support use of their work.
Notes Ref
XF: SCOPE OF FURTHER REVIEW

Clearly identify the residual risks, if any, to be addressed and the significance of those risks, (e.g., risk of significant
loss arising from unintended exposures from systems failures, poor management control, etc.) and how are they
proposed to be addressed.
Notes Ref
A1.5
1. Application review related to the SA A2.4
2. Data migration C1.3
3. Data integrity & reconciliation – management reports
4. BCM framework
5. IT IA functions and scope
XH: RESURLTS AND RISK ASSESSMENT
All results and conclusions should be set out here. Include an overall assessment of the department’s business
practices and experience.
Notes Ref
 Inability to assure mission critical business processes are available in the event of a disaster
XG: PROCEDURES
Select procedures appropriate for the risks identified. If no risks remain to be addressed, not further procedures may
be necessary.
Notes Ref
The procedures used for the assessment are based on the PRiSM work program and the questions provided
in the review notes.
XH: RESURLTS AND RISK ASSESSMENT
All results and conclusions should be set out here. Include an overall assessment of the department’s business
39
practices and experience.
Notes Ref
 Inability to assure mission critical business processes are available in the event of a disaster.
XI: RECOMMENDATIONS
XI 1: To the Institution
Examination Report, Quarterly Rating, verbally discussed with institution, etc.
Notes Ref
XI2: For Further Reviews

Recommendations made here should be regarding items not addressed in the current reviews and should include
Notes Ref
XJ: OTHERS
 This area is meant for other relevant matters with regard to the financial institution.
 Internal and external correspondences should be included in this section. The chronological order of the
correspondences is as per listing on the inner cover of this file.
SUPERVISORY FILE 3
INSTITUTION:
STATEMENT PERIOD:
SECTION: BOARD OF DIRECTORS
DESCRIPTION WP REF
REVIEW NOTES
40
REVIEW NOTES 3
INSTITUTION:
STATEMENT PERIOD:
SECTION: BOARD OF DIRECTORS
REVIEWED BY: DATE:
41
REFERENCES:
1. Corporate governance guidelines (to be issued)
2. Proclamations and related NBE directives/guidelines
BOARD COMPOSITION
Indicate the Board of Directors membership. Does the Board have proper proportion of inside and outside directors?
What is the size of the board? Is it adequate to function effectively? Are the business and financial experience of
directors appropriate in relation to the business activities and risk profile of the bank? Is the selection process for new
directors appropriate? Is it largely directed by management? Is it independent? Is there any board policy limiting the
number of years that a person can be a member of the board and specific board committees? Does the bank have
documented criteria to select Board and Board Committee members? Are policies for Conflict of Interest and
Confidential Information appropriate, effective and is adherence to them monitored?
MANDATE, ROLES AND RESPONSIBILITIES
Board Mandate
Overall is there evidence on focus on central issues, knowledge of chairman, attitudes, and skills for effective
leadership? Is there evidence that the Board explicitly assumes stewardship responsibility of the bank by taking
responsibilities on the following matters:
 Adoption of a strategic planning process;
 The identification of the principal risks of the bank’s business and ensuring the implementation of appropriate
systems to manage these risks;
 Succession planning, including appointing, training and monitoring senior management;
 A communication policy for the corporation;
 The integrity of the bank’s internal control and management information system; and
 Compliance with government legislation.
Is there a Board member’s manual that outlines the Board and its committee’s mandates, roles, responsibilities and
structures? Does the Board receive appropriate information in timely manner in order to meet their mandate, roles and
responsibilities? Does the Board provide a regular, independent assessment of senor management?
Board Committees
Evaluate the knowledge and involvements of the Board’s significant committees consider:
COMPOSITION:
 Describe the composition for significant committees.
 Do outside directors make up a majority of the committee?
 Are any members officers or employees of the bank or its subsidiary?
 Do the Committee members have meaningful qualifications?
Is there an adequate succession planning and compensation? Are there sufficient resources?
STRUCTURE:
 Does the committee have defined structures and mandates which are appropriately documented and communicated
to all involved parties (directors, management, auditors and regulators)?
MANDATE, ROLES AND RESPONSIB
 Does the committee perform the duties as set out in guidelines, as appropriate?
 Does it report to the Board after each meeting?
 Does the committee have direct and unrestricted communication channels (e.g. to external auditors, etc.) to discuss
and review specific issues, as appropriate?
 Does the committee meet with the full Board frequently enough to effectively deal with critical issues and monitor
the institution?
 Does the committee appear to come to grips with critical problems?
 Do minutes appear to appropriately document deliberations, decisions, dissent and approval?
42
 Is there evidence of accurate, adequate and timely information provided to and produced by the
Board/Committees? (agendas, minutes, committee reports):
Audit Committee
Remuneration Committee
Nominating Committee
Other Committees
Board Self-Assessment
Does the Board have a mechanism to measure its effectiveness? Is there a periodic performance review process for
Board members?
OVERALL ASSESSMENT
Assess effectiveness of the Board and its committees in overseeing and directing management’s responsibilities.
Provide justification and rational for your assessment. Insight may be gained, among other things, through the
process of analyzing the significant activities, discussions with external auditors, internal auditors, general
observations, on-going contact with the bank and/or exchange of information with other supervisors.
RATING DIRECTION
EFFECTIVENESS RATING (Strong, Acceptable, (Improving, Stable or
Marginal or Weak) Deteriorating)
BOARD OF DIRECTORS AND COMMITTEES
RECOMMENDATIONS
To the Institution
Examination Report, quarterly ratings, verbally discussed with bank, etc.)
For Future Examinations

Recommendations made here should be regarding items not addressed during the current examination and should
include recommendations for enhancing the efficiency and effectiveness of our reviews in the future.
43
SUPERVISORY FILE 4
INSTITUTION:
STATEMENT PERIOD:
SECTION: RISK MANAGEMENT
DESCRIPTION WP REF
REVIEW NOTES
44
REVIEW NOTES 4
INSTITUTION:
STATEMENT PERIOD:
SECTION: RISK MANAGEMENT
REVIEWED BY: DATE:
REFERENCES:
You may wish to use the following documents to assist you in the preparation of this review note:
1. RBS Framework.
2. BIS – Operational Risk Management paper
3. BIS- Principles for the Management of Interest Rate Risk
4. Related laws, NBE directives and guidelines/Circulars
Also here are some nifty web sites for further up to date info:
1. Global Association of Risk Professionals: http://WWW.barp.com/
2. International Association of Finance Engineers: http://www.jafe.org/
3. Management Control Concepts: http://WWW.mc2consulting.com/
4. Strategic Risk Management Group: http://WWW.srm.co.uk/
5. RISKLIST- Resources for Risk Managers: http://home.clara.net/rlowther/risklist.html
ORGANIZATION, MANDATE AND RESOURCES
Organization, Structure, and Independence

How is the risk management department organized? Does the department report to an appropriate level of management
to be free from organizational pressures that would limit their effectiveness? Are risk management staffs compensated
on an appropriate basis? Are there any restrictions on the scope of the department? Is there direct reporting to the Board
or its Audit Committee? How does the risk management organizational structure reflect the overall corporate
organization? Is the organization structure appropriate?
Mandate, Roles and Responsibilities
What corporate mandate has been established for the risk management department and/or its head? Is the department’s
scope sufficient to provide management and the Board an assessment on all material risks inherent in the institution’s
operations? How are roles and responsibilities assigned and managed in the department? How frequently is the group’s
mandate reviewed by the Board? Are risk management personnel given sufficient authority to deal with line
counterparts?
Resources, Staffing and Training
What is the department’s budget for current and future years? What has been the trend in resources and staffing? How
are resources allocated? Is the group staffed with sufficient experience and expertise to deliver on its mandate? How are
staffs recruited? What amount and type of training is provided for staff?
RISK MANAGEMENT PROCESS AND SYSTEMS
Risk Management Philosophy
What type of approach or focus does the institution use for risk management; integrated, enterprise-wide, business unit
45
or service function, individual risk, trading vs. non-trading, etc? Does the approach include assessing capital adequacy?
Compare this approach to the strategic planning framework of the institution. Assess the strengths and weakness of the
institution’s approach and its adequacy for the risks inherent in the activities of the institution.
Policies, Procedures and Limits
Assess the department’s process and framework of policies, procedures and limits? How comprehensive are they? Are
they consistent with management’s experience, the institution’s business strategies and objectives and the financial
strength of the institution? Are they adequate for identifying, measuring, monitoring and controlling the risk inherent
(new or existing) in the institution’s businesses or products (new or existing)? What is the process used to develop and
modify the policies, procedures and limits?
Methodologies and Models
Assess the risk management methodologies and models used by the institution. Does the institution use standardized
models and methodologies? How are the methodologies and models linked to the risk philosophies, policies,
procedures and limits? Do they adequately support the policies, procedures and limits? Does the institution utilize
specialists/consultants for certain areas? How are the methodologies and models independently validated? How are
methodologies and models reviewed and updated and how frequently?
Analysis and Documentation
How are the institution’s risk management policies, procedures and limits translated into its day-to-day operations?
What are the types of analysis and documentation required to support the assumption or underwriting of individual
risks? What is the role of the risk management department in this area? Is there congruence between the policies,
procedures and limits and the analysis and documentation?
Measurement
How does the institution’s risk measurement standards and systems link to its policies and procedures? Does the
institution measure and aggregate risks form trading and non-trading activities on a comprehensive institution-wide
basis? Are the risk measurement standards understood by relevant personnel throughout the institution? How “real-
time” is the measurement system? How does the institution measure and analyze stress situations as a result of probable
events or market changes? Are the risk measurement systems adequate to measure the scale, complexity and nature of
the risks inherent in the institution’s activities?
Monitoring and Control
Does the institution adequately monitor and control its risk management policies, procedures and limits? At what
organizational levels does the monitoring and controlling take place? What enforcement procedures and mechanisms
are used? How are new products monitored and controlled? Are the management information systems adequate to
quantify and monitor the risk positions of the institution?
46
Reporting
Do the institution’s management reporting systems produce accurate, informative and timely information to support the
risk management policies, procedures and limits? What are the nature, content and frequency of reports made to senior
management and the Board? Is there any assessment of the systemic impact of risk management issues on the whole
institution?
OVERSIGHT OF RISK MANAGEMENT
Role of Senior Management
How effective is senior management in planning, directing and controlling the risk management process? What
management tools (committees, independent reviews, etc) are used to support senior management oversight of the
institution’s risk management function? What is the knowledge and awareness level of the senior management group
regarding risks inherent in the institution’s businesses and products?
Role of Board of Directors
How effective is the Board of Directors and Committees in overseeing the risk management function? How open is the
relationship between the Board and risk management? Does the Board actively engage in risk management discussions,
concerns and recommendations? What type of risk management information does the Board receive on a regular basis?
Role of Internal Audit and Quality Assurance
Does the internal audit department have an effective role for independently evaluating the risk management function
within the institution? What other roles does internal audit have in the risk management processes of the institution, i.e.
limit compliance, reliability of risk management information? Is there an internal quality control review process for risk
management? Are there standards for the risk management department’s performance and documentation of work?
Relationship with External Auditors
What is the relationship between the institution’s risk management department and its external auditors? How do they
each rely on or use each other’s work? Does the external auditor perform additional work in areas of risk management
weakness?
47
OVERALL ASSESSMENT
Assessment and conclusions regarding effectiveness of risk management functions of the institution
EFFECTIVENESS RATING RATING DIRECTION

(Strong, Acceptable, or Weak) (Improving, Stable or Deteriorating)
RISK MANAGEMENT
RECOMMENDATIONS
To the Institution
Disposition or recommendations should be noted after each point by indicating the action taken (e.g. include in
Examination Report, Quarterly, verbally discussed with institution, etc)
Recommendations made here should be regarding items not addressed in the current examination and should include
recommendations for ways of enhancing the efficiency and effectiveness of our future reviews).
48
SUPERVISORY FILE 5
INSTITUTION:
STATEMENT PERIOD:
SECTION: EARNINGS
DESCRIPTION WP REF
REVIEW NOTES
49
REVIEW NOTES 5
INSTITUTION:
STATEMENT PERIOD
SECTION: EARNINGS
REVIEWED BY: DATE:
REFERENCES:
This review note is used to provide historical information and analysis regarding the institution’s total earnings record.
This information and analysis combined with supervisory work related to earnings completed in other Significant
Activities or Quality of Risk Management functions sections form the basis for establishing and supporting the earnings
rating on the Risk Matrix. To avoid duplication of effort, information considered in the earnings rating that is contained
in other review notes should be cross-referenced in this review note.
References:
1. RBS Framework.
2. Financial Statements of the bank.
3. Related laws, NBE directives, and guidelines.
BACKGROUND AND OBSERVATIONS
Components, Levels and Trends
Summarize and assess the composition of the institution’s earnings through an analysis of the major components, (i.e.
premiums, fees, interest, and expenses, and capital gains/losses). Assess the level and trends in the institution’s
earnings history, i.e. ROA, ROE, growth rates, etc. Review earnings performance against budget set by Board and
senior management. Identify provision quantum. Ensure proper accounting controls are in place for preparation of
accounts. Independently verify accounts that are susceptible to fraud such as miscellaneous accounts, or other accounts.
Highlight any concerns raised by external auditors.
Sustainability and Vulnerability
How much volatility is there in the institution’s earnings history? Does the institution have a stable level of core
earnings? How diversified are the institution’s earnings sources, i.e. market niches, geographical distribution, product
mix? Is the institution’s earnings vulnerable to easy erosion from existing or new competitors? How exposed is the
institution’s earnings to potential “shock” or “surprise” events, i.e. sudden changes in claims or loan losses? Can the
institution’s earnings levels and growth be sustained over the medium to long term? How “aggressive” or changeable is
the application of stress scenarios assumptions on the institution’s earnings?
Peer Group Comparison
Based on the analysis and assessment contained in the above sections, compare the institution’s earnings record to
the earnings record of a group of its peers.
50
OVERAL ASSESSMENT AND RATING
Provide a concluding assessment and rating regarding the quality of the earnings of the institution. The rating should
be based on the analysis and assessment contained in the other parts of this review note or in other review notes on
the institution, i.e. Strategic Directions and Future Outlook, Internal Audit, Senior Management, Board of Directors,
etc. Cross-referencing to other review notes should be provided in this review note. The Earnings rating worksheets
used under the CAMEL frameworks can be useful in establishing the Earnings rating here.
OVERALL ASSESSMENT RATING DIRECTION

EARNINGS
RECOMMENDATIONS
To the Institution
Examination Report, Quarterly Rating, verbally discussed with institution, etc.)
51
SUPERVISORY FILE 6
INSTITUTION:
STATEMENT PERIOD:
SECTION: CAPITAL
DESCRIPTION WP REF
REVIEW NOTES
52
REVIEW NOTES 6
INSTITUTION:
STATEMENT PERIOD
SECTION: CAPITAL
REVIEWED BY: DATE:
REFERENCES:
1. RBS Framework.
2. Other Related laws, NBE directives and Guidelines/Circulars.
AMOUNT AND COMPOSITION OF CAPIAL
Capital/Head Office Account
Summarize the institution’s capital amount, level and composition
 Have any capital instruments been issued or redeemed since the last examination?
 Has there been any significant change in ownership?
 To what extent does the institution rely on lower quality/quasi capital?
 Is there cross holdings of capital of other banks?
REGULATORY COMPLIANCE
Capital Adequacy
Assess the institution’s preparation of the Capital Adequacy for completeness and accuracy. Do the current types of
instruments used and the amount of capital qualify for inclusion in calculating institution’s regulatory requirements? Is
the institution’s regulatory level in excess of minimum requirements? What are the compositions of total capital? Are
the appropriate risk weights being used? How is goodwill treated? Determine the components of on and off balance
sheet items. Is the computation of RWCR accurate? Consider historical trends. How does the institution ensure that it is
in compliance with regulatory requirements on a continuous basis? Are there any issues with respect to solvency and its
willingness to support a small subsidiary?
Other Compliance Matters
Assess the institution’s compliance with other regulatory requirements
CAPITAL ADEQUACY
Capital Adequacy
Evaluate capital adequacy within the context of the overall risk profile of the institutions to determine any risk exposure
that may adversely affect the institution’s solvency and capital position. Consideration should be given to earnings
experience, the level and composition of asset, management’s tolerance/appetite for risk and the institution’s prospects
for growth, impact of off-balance sheet items or contingencies, etc. Identify how capital is allocated i.e. based on risk or
business line. Determine how capital is allocated for new products or business ventures. Is the institution adequately
capitalized on a stand-alone basis?
53
Access to Capital
Assess the institution’s ability to raise capital or increase deposit requirements. Consider such factors as: internal
capital generation capability, the financial strength of the institution or its parent, willingness of shareholders or head
office to inject additional capital when required, etc. Has the institution demonstrated solid ability to raise capital?
CAPITAL MANAGEMENT PROCESS AND SYSTEMS
Policies and Procedures
Assess the extent the institution has established and implemented i) sound and prudent policies and procedures
governing the quantity and quality of capital ii) appropriate and effective procedures to monitor, on an on-going basis,
the capital required to support the current and future business needs? Are the procedures for calculating capital/deposit
adequacy requirements independently verified for accuracy and completeness? What is the policy on dividend payouts?
Planning
Evaluate the institution’s capital plan. How is it developed? Which departments or committees are responsible for
capital management? How is it linked to the institution’s strategic plan? Is it adequate to meet regulatory requirements
and the risk profile of the institution?
Capital Management System
Assess the system used by the institution to manage the allocation of capital within the institution. How is this system
integrated into the planning, decision making and performance evaluation of business units, products and individuals
within the institution? How is stress testing of capital done? Identify the stress scenarios and frequency. Identify
options or strategies in place for undercapitalized institution.
OVERSIGHT OF CAPIAL MANAGEMENT
Role of Senior Management

Assess senior management’s involvement in developing and implementing capital management policies and procedures
to monitor the institution’s capital requirements and future needs. How effective is senior management in planning,
directing and monitoring the capital management process? What management tools (committees, independent reviews,
etc) are used to support senior management oversight of the institution’s capital management? Do the reports provided
to senior management provide timely and sufficient information to satisfy itself that the institution is complying with
capital regulatory requirements and consistent with corporate goals? What is internal audit’s view on the management
of capital by senior management?
Role of Board of Directors
Assess the Board of Director’s involvement in its oversight for the development and implementation capital
management policies and procedures to monitor the institution’s capital requirements and future needs. How effective
54
is the Board and Committees in overseeing capital management? Does the Board actively engage in capital
management discussions, concerns and recommendations? What type and quality of capital management information
does the Board receive on a regular basis? What is internal audit’s view on the management of capital by the Board?
USE OF THE WORK OF THIRD PARTIES
Review the work of third parties (i.e. external auditors, consultants, where applicable) including scope of engagement,
findings and impact on the management and adequacy of capital.
CONCLUSIONS ON CAPITAL ADEQUACY
Provide a concluding assessment and rating regarding the capital of the institution. The Capital rating worksheets used
under the CAMEL framework can be useful in establishing the Capital rating here.
OVERALL ASSESSMENT RATING DIRECTION

CAPITAL
RECOMMENDATIONS
To the Institution
Examination Report, Quarterly Rating, Verbally discussed with institution, etc.)
55
APPENDIX: VI
RISK ASSESSMENT CRITERIA FOR INHERENT RISKS CATEGORIES

(To be used together with Appendix XXXI)
The uniqueness of a bank is an important consideration in determining the criteria that are
relevant to the assessment of inherent risks. Examples of assessment criteria to determine the
level of inherent risks are as follows:
1. Credit Risk
 Changes in underwriting standards including credit score, leverage, policies, price, tenor,
collateral, guarantor support, covenants and structure;
 The borrowers’ ability to service debt based on debt service coverage, debt/income ratios and
credit history;
 The volume and extent of exceptions from credit policy;
 The bank’s credit strategy, including the target market, the portfolio and product mix,
acquisitions, diversification of repayment sources, new products, third-party originations and
concentration;
 The maintenance of an appropriate balance between risk and rewards;
 The impact of external factors including economic, industry, competitive and market
conditions, legislative and regulatory changes and technological advancement;
 The levels and trends of delinquencies, non-performing loans and problem assets, losses, risk
ratings and loan loss reserves;
 Trend in the growth and volume of lending, fee-based credit, including off-balance sheet
activities, and investments;
 Trends in the banking performance of the borrowers and counterparties;
 Trends identified in stress testing methods;
 Internal auditors’ assessment.
2. Market Risk
Interest Rate Risk
 The re-pricing mismatches of assets and liabilities over short and long-term horizon;
 The ability of funding strategy to tolerate adverse interest rate movements;
 The impact of the bank's overall business strategy on interest rate risk; and
 The ability to withstand losses arising from changes in interest rates caused by external
factors including economic and industry conditions, legislative and regulatory changes,
market competition and conditions.
Foreign Exchange Risk

 The level of capital which is subject to revaluation, in relation to currency translation
requirements;
 The potential volatility of capital ratios from translating accounts denominated in other
currencies to Birr equivalents, including analysis of recent trends and projections;
 The extent of exposure to foreign currency translation risk considering:
 The volume and stability of the portfolio;
 The level of income items denominated in foreign currencies;
 The mismatching of assets and liabilities denominated in foreign currencies;
 The types of products held in foreign currency accounts;
 The effectiveness of hedging activities to control exposures to translation risk by:
- Matching foreign asset and liability cash flows;
56
- Hedging projected income;

- The volume and tenor of foreign currency/Birr mismatches;
 The volume and tenor of cross currency mismatches;
 The impact of changes in business strategies; and
 The exposure to market volatility or other external factors such as economic conditions,
legislative changes, technological changes and competition.
3. Liquidity Risk
 The adequacy of current and projected cash flow projections in normal environments, as well
as in significantly deteriorated environments – New;
 Liquidity Framework;
 The deposit mix and tenor;
 The stability of deposits including the volume, composition, growth trends and projections of
retail and wholesale sectors;
 The concentration of deposits;
 The capacity to access additional unsecured market funding both in the current environment
and in a distressed environment;
 The presence of off-balance sheet items which could result in cash flows to or from the
balance sheet, including:
- Unused loan commitments;
- Guarantees;
- Letters of credit or other contingent liabilities.
 How external sources of liquidity view the bank’s current and projected asset quality,
earnings, capital and reputation risk;
 The impact of the parent company and affiliate's performances (if applicable);
 The impact of the external market environment, including:
 Relative cost of funds (debt spreads over comparable Treasury securities, compared with
those of competitors); and
 Economic conditions, including job growth, industry concentrations, competitions etc.
4. Operational Risk
 The volume, type and complexity of transactions, products and services offered throughout
the bank;
 Segregation of incompatible functions;
 System of checks-and-balances;
 The capacity and capability of systems and staff to cope with the volume and complexity of
transactions;
 The development of new markets, products, services, technologies and delivery systems in
order to maintain competitive position and gain strategic advantage;
 The volume and severity of operational, administrative and accounting control exceptions;
 The effectiveness of the internal audit function and the responsiveness of management to
internal audit findings;
 The volume and significance of non-compliance and non-conformance with policies and
procedures, laws, regulations, prescribed practices and ethical standards; and
 The amount and significance of litigation and customer complaints.
Information Technology Risk

 The frequency, trend or impact of the unavailability of IT systems to the bank’s operational
effectiveness;
57
 The frequency, trend or impact of slow response of IT systems to the bank’s operational
effectiveness;
 The tendency, trend or impact of data integrity or data quality issue to the bank’s operational
effectiveness;
 Potential flaws, defects, stability issues, problems or obsolescence in the operating systems,
application systems and or databases used;
 Potential security compromise, vulnerabilities, weaknesses or obsolescence in the security
systems, encryption and authentication method used;
 Potential vulnerabilities, security weaknesses or obsolescence in the IT infrastructure used;
 Potential flaws, obsolescence or support issues due to the outdated version number for all
critical software used;
 Potential weaknesses in the mode of data processing used; and
 Potential weaknesses or vulnerabilities in the type of network architecture adopted.
Strategic Risk
 The existence of a clear and viable business strategy;
 The quality of the strategic planning process, including the achievability and its implications
to the bank;
 The track record of strategy implementation;
 The level of support and technical expertise demonstrated by the Board and Senior
Management to implement strategic goals and business strategies;
 The ability to evaluate risk associated with new activities and the impact to the business
strategies;
 The adequacy of the resources deployed (in terms of communication channels, operating
systems, delivery networks and managerial capacities and capabilities); and
 The impact of external factors including economic, industry, competitive and market
conditions, legislative and regulatory changes and technological advancement.
58
APPENDIX: VII (a)

BOARD OF DIRECTORS
ASSESSMENT CRITERIA
ROLE OF BOARD OF DIRECTORS
The Board of Directors is responsible for providing stewardship and oversight of Management and
operations of the bank. Its key responsibilities include:
 Reviewing and approving organizational structure and controls;
 Ensuring that management is qualified and competent;
 Reviewing and approving business and IT objectives, strategies and plans;
 Reviewing and approving policies for major activities;
 Providing for an independent assessment of, and reporting on the effectiveness of, organizational and
procedural controls;
 Monitoring performance against business and IT objectives, strateg ies and plans;
 Reviewing and approving sound corporate and IT governance policies, and
 Obtaining reasonable assurance on a regular basis that the institution is in control.
QUALITY OF BOARD OVERSIGHT
 The following statements describe the rating categories for the assessment of the Board of Directors in
fulfilling its overall responsibilities of stewardship and oversight of management and operations of the
institution, with due consideration to its safety and soundness.
 An overall rating of the Board of Directors considers both its characteristics and the effectiveness of its
performance in carrying out its role and responsibilities in the context of the nature, scope, complexity,
and risk profile of the institution. Characteristics and examples of performance indicators that guide
supervisory judgment in determining an appropriate rating are set out below.
Ratings Definition
Strong  The composition, role and responsibilities, and practices of the Board meet or exceed
what is considered necessary, given the nature, scope, complexity, and risk profile of
the institution. The Board has consistently demonstrated highly effective performance.
Board characteristics and performance are superior to generally accepted corporate and
IT governance practices.
Acceptable  The composition, role and responsibilities, and practices of the Board meet what is
considered necessary, given the nature, scope, complexity, and risk profile of the
institution. Board performance has been effective. Board characteristics and
performance meet generally accepted corporate and IT governance practices.
Weak  The composition, role and responsibilities, and practices of the Board are not, in a
material way, what is considered necessary, given the nature, scope, complexity, and
risk profile of the institution. Board performance has demonstrated serious instances
where effectiveness needs to be improved through immediate action. Board
characteristics and/or performance often do not meet generally accepted corporate and
IT governance practices.
59
BOARD OF DIRECTORS
ASSESSMENT CRITERIA
BOARD CHARACTERISTICS
The following criteria describe the characteristics to be used in assessing the quality of Board stewardship and
oversight of management and operations of the institution, with due consideration to its safety and soundness.
The application and weighting of the individual criteria will depend on the nature, scope, complexity, and risk
profile of the institution and will be assessed collectively, together with Board performance, in rating its
overall effectiveness.
Essential Elements Criteria
1. Composition  Compliance with the provisions of enabling legislation.
 Adequacy of policies and practices to regularly determine Board size, range of
directors’ qualifications, knowledge, skills, and experience, and level of
commitment required to fulfill Board responsibilities.
 Appropriateness of Board size, range of directors’ qualifications, knowledge,
skills and experience, and level of commitment available to fulfill Board
responsibilities.
 Adequacy of policies and practices to recommend the selection, approval,
renewal, and succession of directors.
 Adequacy of policies and practices to ensure that there is sufficient unaffiliated
representation on the Board.
 Appropriateness of the unaffiliated representation on the Board.
2. Roles and  Adequacy of policies and practices to develop, approve, and periodically review
Responsibilities the role and responsibilities of the Board (including those of the Chair/Lead
Director) and to ensure that directors comply with sound corporate governance
practices.
Extent to which the Board’s responsibilities include:
i) Appointing the CEO, establishing his/her mandate, monitoring his/her performance
and approving his/her compensation;
ii) Approving the institution’s organizational structure;
iii) Approving the appointment of qualified individuals to senior management
positions, monitoring their performance and approving their compensation;
iv) Reviewing and approving, at least annually, human resources and compensation
policies and practices, including those pertaining to succession planning;
v) Approving business and IT objectives, strategies and plans, at least annually, and
regularly monitoring their execution and performance;
vi) Approving financial statements and related disclosures;
vii) Reviewing and approving, at least annually, significant risk management policies
and practices, and obtaining assurances that they are being adhered to;
viii) Reviewing and approving, at least annually, liquidity, funding and capital
management and IT policies and plans and obtaining assurances that approved
policies and plans are being adhered to;
ix) Approving the institution’s communication and disclosure policies;
x) Obtaining assurances on a regular basis that the institution’s risk management,
control environment and management information systems are appropriate and
operating effectively;
xi) Requiring implementation of a system to ensure compliance with applicable laws,
regulations and guidelines;
xii) Approving policies and practices for dealing with conflicts of interest; and
xiii) Establishing standards of ethical business conduct for the institution and
obtaining assurances that they are being adhered to.
xiv) Obtaining assurances that the institution’s IT strategic plan consistently supports
its strategic business plan;
60
xv) Reviewing and approving budget proposal for capital and non-capital IT
expenditures;
xvi) Requiring the implementation of a system to ensure the corrective measures
indicated by independent reviewer(s) are being adhered to;
xvii) Obtaining assurances on a regular basis, that the institution’s key performance
indicators and service level agreements mechanism are appropriately implemented.
 Appropriateness of policies and practices to periodically communicate Board
responsibilities to stakeholders.
3. Committees  Adequacy of policies and practices to regularly review the structure and
composition of Board committees to ensure that they provide sufficient oversight.
 Adequacy of policies and practices to establish and regularly review board
committee mandates.
 Adequacy of policies and practices to ensure that there is sufficient unaffiliated
representation on Board committees.
 Nature and extent to which Board committee mandates promote independent and
comprehensive oversight, with timely and regular reporting to the Board.
4. Practices  Adequacy of policies and practices to orient new directors, and periodically
update existing directors, on their responsibilities and on the institution’s
businesses and related risks.
 Adequacy of policies and practices to promote independent, effective, and timely
decision making, including practices related to the role of unaffiliated directors.
 Adequacy of policies and practices to establish and monitor work plans for
fulfilling Board goals and responsibilities.
 Adequacy of policies and practices to set Board agendas and priorities, arrange
and conduct meetings, and record its deliberations and decisions. Extent to which
these practices promote transparency in
 Board accountabilities.
 Adequacy of policies and practices to ensure that the directors are provided with
timely, relevant, accurate and complete information (including access to
independent advice) to enable them:
i) To determine that responsibilities delegated to Board committees and Senior
Management are being discharged effectively, and
ii)To enable directors to make informed and sound decisions.
 Extent to which the directors’ compensation program promotes prudent decision
making with due regard to the objectives of the institution.
 With respect to the oversight functions on which it relies (e.g., Internal Audit),
the extent to which the Board:
i) Approves the appointment of the function heads; and
ii)Ensures that they have adequate authority, independence and resources to carry
out their mandates;
iii) Provides appointees with unrestricted access to the Board and/or its
committees; and
 Requires periodic independent reviews of the functions.
5. Self-Assessment  Adequacy of policies and practices to regularly assess the effectiveness of the
Board, its committees, and individual directors (including the Chair) in carrying
out their responsibilities.
 Appropriateness of policies and practices to communicate Board achievements
against its responsibilities to stakeholders.
BOARD PERFORMANCE
 The quality of the Board’s performance is demonstrated by its effectiveness in providing stewardship and
oversight of management and operations of the institution to ensure the institution is in control, its risks
are appropriately mitigated and business objectives, strategies, and policies and practices are appropriate
and executed effectively.
 The assessment will consider how actively the Board embraces its responsibilities, bringing its collective
skills and experience to bear in providing objective and thoughtful insight and guidance to the institution.
61
BNM will look to indicators of effective Board performance to guide its judgment in the course of its
supervisory activities. These activities may include: conversations with directors and management to
determine the nature and extent of discussion, evaluation, and questioning of management at Board
meetings, the nature of discussions at meetings of unaffiliated directors and matters raised from those
discussions, and the extent of interaction of senior management with the Board and/or its committees;
review of how particular issues are dealt with by the Board; assessment of Board practices; review of
minutes, etc.
 Examples of indicators that could be used to guide supervisory judgment include the extent to which the
Board:
i) Performs a regular, in-depth review and evaluation of the institution’s business and IT objectives and
strategies, as well as events and transactions that could pose significant risks to the institution, with a view to
balancing both business and IT objectives with appropriate controls and governance;
ii) Is actively involved in the selection and performance evaluation of the CEO, and other Senior Management
as appropriate;
iii) Objectively assesses, on a regular basis, the appropriateness of the overall risk tolerance, major business
and IT activities and risks of the institution;
iv) Establishes thresholds for the type and significance of issues to be brought to its attention (including
adverse results, deficiencies in or breaches of limits, controls or policies, and changes in the external
environment that might require a review of the operating strategy or control environment). Responds quickly
to, and proactively follows up on, issues identified by management, internal or external audit, risk
management, appointed actuaries, BNM or other regulators, in order to satisfy itself that appropriate action
has been taken or resolution achieved;
v) Defines and periodically assesses for continued relevance, the type, comprehensiveness and frequency of
information and reporting it needs to monitor and act on a timely basis, and ensures needed changes are made
as required;
vi) Actively engages in the review of materials presented by management for information purposes or for
Board approval, appropriately weighing salient issues and alternatives, engaging in discussions, challenging
management’s underlying assumptions, and requesting additional information and/or explanation;
vii) Ensures its meetings provide an appropriately balanced focus on key issues and ongoing governance
requirements;
viii) h) Ensures there is sufficient opportunity for unaffiliated directors to meet ‘in camera’, and seriously
considers the output of such meetings;
ix) Proactively engages in reviewing the mandates, resources and scope of work of the key oversight
functions upon which it relies for risk management, control and compliance assurances, and ensuring that
Senior Management appropriately supports these functions; and
x) Performs a comprehensive self-assessment against its responsibilities and promptly addresses matters
identified.
62
APPENDIX: VII (b)

SENIOR MANAGMENT
ASSESSMENT CRITERIA
ROLE OF SENIOR MANAGMENT
Senior management is responsible for directing and overseeing the effective management of the
institution’s operations. Its key responsibilities include:
 Developing business and IT objectives, strategies, plans, organizational structure and controls, and
policies, for Board approval;
 Developing and promoting sound corporate and IT governance practices, culture and ethics (in
conjunction with the Board)
 Executing and monitoring the achievement of board-approved business and IT objectives, strategies,
and plans and the effectiveness of organizational structure and controls; and
 Ensuring that the Board is kept well informed.
QUALITY OF SENIOR MANAGEMENT OVERSIGHT
 The following statements describe the rating categories for the assessment of Senior Management’s
oversight of the institution’s activities and related risks, with due consideration to the institution’s
safety and soundness.
 An overall rating of Senior Management considers both its characteristics and the effectiveness of its
performance in executing its mandate, in the context of the nature, scope, complexity, and risk profile
of the institution. Characteristics and examples of performance indicators that guide supervisory
judgment in determining an appropriate overall rating are set out below.
Ratings Definition
Strong  The mandate, organization structure, expertise and practices of Senior Management
meet or exceed what is considered necessary, given the nature, scope, complexity, and
risk profile of the institution. Senior Management has consistently demonstrated highly
effective performance. Senior Management characteristics and performance are superior
to generally accepted management practices.
Acceptable  The mandate, organization structure, expertise and practices of Senior Management
meet what is considered necessary, given the nature, scope, complexity, and risk profile
of the institution. Senior Management performance has been effective. Senior
Management characteristics and performance meet generally accepted management
practices.
Weak  The mandate, organization structure, expertise and practices of Senior Management are
not, in a material way, what is considered necessary, given the nature, scope,
complexity, and risk profile of the institution. Senior Management performance has
demonstrated serious instances where effectiveness needs to be improved through
immediate action. Senior Management characteristics and/or performance often do not
meet generally accepted management practices.
63
SENIOR MANAGEMENT
ASSESSMENT CRITERIA
SENIOR MANAGEMENT CHARACTERISTICS
The following criteria describe the characteristics to be used in assessing the quality of Senior Management
oversight of the institution’s activities and related risks, with due consideration to the institution’s safety and
soundness. The application and weighting of the individual criteria will depend on the nature, scope, complexity,
and risk profile of the institution and will be assessed collectively, together with Senior Management performance,
in rating its overall effectiveness.
1. Mandate  Extent to which the Board has delegated to the CEO responsibility for developing
and implementing policies and practices for the effective management of the
institution’s operations. This may include, but is not limited to:
i) Strategic management;
ii) Risk management;
iii) Liquidity and funding management;
iv) Capital management;
v) Internal control environment;
vi) Information technology; and
vii) Ethical business conduct.
 Adequacy of policies and practices to delegate responsibilities from the CEO to
other members of Senior Management and to regularly review the
appropriateness of the delegation.
 Appropriateness of the mandates for Senior Management positions and the extent
to which they clearly define lines of authority, responsibility and accountability.
Extent to which these mandates are communicated across the institution.
 With respect to the oversight functions on which it relies (e.g., Internal Audit),
the extent to which Senior Management (a) approves the appointment of the
function heads; (b) ensures that they have adequate authority, independence and
resources to carry out their mandates; (c) provides appointees with unrestricted
access to Senior Management and/or its committees; and (d) requires periodic
independent reviews of the functions.
2. Organization Structure  Adequacy of policies and practices to regularly review Senior Management
organization structure.
 Appropriateness of Senior Management organization structure.
3. Committees  Extent to which Senior Management committees are used to oversee the
management of significant activities and related risks.
 Extent to which Senior Management committee mandates are clearly defined and
communicated across the institution.
4. Expertise  Adequacy of policies and practices to regularly review the range of
qualifications, knowledge, skills and experience required to fulfill Senior
Management responsibilities.
 Appropriateness of the range of qualifications, knowledge, skills and experience
available to fulfill Senior Management responsibilities.
 Adequacy of policies and practices for the selection, appointment and succession
of Senior Management.
 Extent to which management development programs are available to Senior
Management.
5. Practices  Adequacy of policies and practices to establish business and IT objectives,
strategies and plans, and to monitor the institution’s performance against them.
64
 Adequacy of policies and practices to regularly review the institution’s liquidity,

funding and capital management and IT policies, and to obtain assurances that
approved policies are being adhered to.
 Extent to which risk management policies and practices are:
i) Enterprise-wide;
ii) Co-ordinated with strategic, capital and liquidity management;
iii) Prudent in the context of the risk profile of the institution;
iv) Reviewed regularly for appropriateness; and
v) Communicated to appropriate individuals across the institution.
 Adequacy of processes, techniques and criteria used to consistently identify,
measure, monitor, control and report significant risks, and to ensure that
approved risk management policies and practices are adhered to.
 Adequacy of policies and practices to ensure regular review of the organizational
and procedural control environment.
 Adequacy of policies and practices to ensure compliance with applicable laws,
regulations and guidelines.
 Extent to which human resource policies and practices give priority to attracting,
developing and retaining high-caliber staff, and promoting good morale within
the institution.
 Extent to which compensation programs promote prudent risk taking and are
aligned with the long-term strategic objectives for the institution.
 Adequacy of policies and practices for communication and disclosure to
stakeholders.
 Extent to which management policies and practices promote sound corporate
governance and ethical business conduct.
6. Board Oversight  Extent to which Board (or a Board committee) approval is required for:
i) The institution’s organization structure and changes thereto;
ii) Senior Management organization structure and changes thereto;
iii) Senior Management appointments and mandates;
iv) Business and IT objectives, strategies and plans;
v) Liquidity, funding and capital management policies;
vi) Policies and practices for managing significant activities and related risks;
vii) Significant human resource policies and practices; and
viii) Communication and disclosure policies and practices.
 Adequacy of policies and practices to promote full, open and timely disclosure to
and discussion with the Board (or its committees) on all significant issues.
 Adequacy of policies and practices established by the Board (or a Board
committee) to regularly review Senior Management’s performance and
compensation.
BOARD PERFORMANCE
 The quality of Senior Management’s performance is demonstrated by its effectiveness in overseeing the
execution of approved strategies and effective management of the institution’s operations, with due regard to
the institution’s safety and soundness.
 The assessment will consider the ability of Senior Management to achieve the institution’s business and IT
objectives effectively while maintaining an appropriate governance and control culture. NBE will look to
indicators of effective Senior Management performance to guide its judgment in the course of its supervisory
activities. These activities may include: discussions with directors and management; assessment of Senior
Management oversight practices and how particular issues are dealt with; assessment of business and IT plans;
review of management information and audit reports; review of Senior Management minutes, etc.
 Examples of indicators that could be used to guide supervisory judgment include the extent to which Senior
Management:
i) Develops strategies and plans for the attainment of business and IT objectives that are appropriate and
prudent, in the context of the regulatory, competitive and economic environment, and regularly monitors the
execution of approved plans to ensure that objectives are achieved or strategies are appropriately adjusted to
deal with changes in business or economic conditions;
65
ii) Actively monitors adherence to approved policies, organizational and procedural controls, and compliance
requirements; ensures that appropriate and timely action is taken to remedy any deficiencies that may arise,
including issues brought to it by other control functions and regulators; and ensures that management
information systems provide timely and relevant information to support its oversight responsibilities;
iii) Is successful in attracting, developing and retaining high- calibre staff and in maintaining good morale and
ensures that direct reports clearly understand their responsibilities and holds them accountable for discharging
them;
iv) Sets an appropriate “tone from the top”, performing its duties in an ethical manner and expecting the same
from individuals across the institution; and
v) Keeps the Board and its committees fully apprised, on a timely basis, of market conditions, strategic
opportunities and concerns, operating performance and issues that could significantly affect the well-being of
the institution. This includes the quality of information provided to the Board.
66
APPENDIX: VII (c)

RISK MANAGEMENT
ASSESSMENT CRITERIA
ROLE OF RISK MANAGMENT
The Risk Management function provides independent oversight of the management of risks inherent in the
institution’s activities. The function is responsible for ensuring that effective processes are in place for:
 Identifying current and emerging risks;
 Developing risk assessment and measurement systems;
 Establishing policies, practices and other control mechanisms to manage risks;
 Developing risk tolerance limits for Senior Management and Board approval;
 Monitoring positions against approved risk tolerance limits; and
 Reporting results of risk monitoring to Senior Management and the Board.
QUALITY OF RISK MANAGEMENT OVERSIGHT
 The following statements describe the rating categories for the assessment of the Risk Management
function’s oversight of the management of risks inherent in the institution’s activities to ensure that
they are suitably mitigated.
 An overall rating of the Risk Management function considers both its characteristics and the
effectiveness of its performance in executing its mandate, in the context of the nature, scope,
complexity, and risk profile of the institution. Characteristics and examples of performance indicators
that guide supervisory judgment in determining an appropriate overall rating are set out below.
Ratings Definition
Strong  The mandate, organization structure, resources, methodologies and practices of the Risk
Management function meet or exceed what is considered necessary, given the nature,
scope, complexity, and risk profile of the institution. Risk Management has consistently
demonstrated highly effective performance. Risk Management characteristics and
performance are superior to generally accepted risk management practices.
Acceptable  The mandate, organization structure, resources, methodologies and practices of the Risk
Management function meet what is considered necessary, given the nature, scope,
complexity, and risk profile of the institution. Risk Management performance has been
effective. Risk Management characteristics and performance meet generally accepted
risk management practices.
Weak The mandate, organization structure, resources, methodologies and practices of the Risk
Management function are not, in a material way, what is considered necessary, given the
nature, scope, complexity, and risk profile of the institution. Risk Management performance
has demonstrated serious instances where effectiveness needs to be improved through
immediate action. Risk Management characteristics and/or performance often do not meet
generally accepted risk management practices.
67
RISK MANAGEMENT
ASSESSMENT CRITERIA
RISK MANAGEMENT CHARACTERISTICS
The following criteria describe the characteristics to be used in assessing the quality of the Risk Management
function’s oversight of the management of the institution’s activities and related risks, with due consideration to
the institution’s safety and soundness. The application and weighting of the individual criteria will depend on the
nature, scope, complexity, and risk profile of the institution and will be assessed collectively, together with Risk
Management performance, in rating its overall effectiveness.
1. Mandate  Extent to which the function’s mandate establishes:
i) Clear objectives and enterprise-wide authority for its activities;
ii) Authority to carry out its responsibilities independently;
iii) Right of access to the institution’s records, information and personnel;
iv) A requirement to report regularly on the effectiveness of the institution’s risk
management processes and on its aggregate exposures compared to approved
limits; and
v) Authority to follow-up on action taken by management in response to
identified issues and related recommendations.
 Extent to which the function’s mandate is communicated within the institution
2. Organization Structure  Appropriateness of the stature and authority of the function head within the
organization for the function to be effective in fulfilling its mandate.
 Extent to which the function head has direct access to the CEO and the Board (or
a Board committee).
 Appropriateness of the function’s organizational structure.
 Extent to which the function is independent of day-to-day management of risks.
3. Resources  Adequacy of the function’s processes to determine the required:
i) Level of resources necessary to carry out responsibilities;
ii) Qualifications and competencies of staff; and
iii) Continuing professional development programs to enhance staff
competencies.
 Adequacy of the function’s resources and appropriateness of its collective
qualifications and competencies for carrying out its mandate.
 Sufficiency of staff development programs.
 The effectiveness of people, processes, methodologies and technology designated
to execute selected risk management strategy.
4. Methodology and  Adequacy of process to regularly review and update risk management policies,
Practices processes and limits to take into account changes in the industry and in the risk
appetite of the institution.
 Appropriateness of risk management policies, practices, and limits given the
institution’s activities and related risks.
 Extent to which risk management policies and practices are co-ordinated with
strategic, capital and liquidity management, and IT policies and practices.
 Extent to which risk management policies, practices and limits are documented,
communicated and integrated with the institution’s day-today business activities.
 Adequacy of policies and practices to monitor positions against approved limits
and for timely follow-up on material variances.
 Adequacy of policies and practices to monitor trends and identify emerging risks,
and to respond effectively to unexpected significant events.
 Adequacy of policies and practices to model and measure the institution’s risks.
 Adequacy of management information system (MIS) to support risk management
functions.
5. Reporting  Adequacy of policies and practices to report identified issues along with
recommendations to management of business units.
 Adequacy of policies and practices to monitor and follow up on the resolution of
the identified issues.
68
 Adequacy of reporting timeliness to facilitate the decision making process.

6. Senior Management  Extent to which Board (or a Board committee) and Senior Management approval
and Board Oversight is required for:
i) The appointment and/or removal of the function head;
ii) The function’s mandate and resources; and
iii) The policies, practices and limits for managing significant risks and activities.
 Adequacy of policies and practices to report regularly to the Board (or a Board
committee) and Senior Management on the effectiveness of the institution’s risk
management processes, aggregate exposures and significant issues.
 Adequacy of policies and practices to perform periodic independent reviews of
the function, including communicating results to the Board (or a Board
committee) and Senior Management.
RISK MANAGMENT PERFORMANCE
 The quality of the Risk Management function’s performance is demonstrated by its effectiveness in overseeing
the identification and management of risks, with due regard to the institution’s safety and soundness.
 The assessment will consider the effectiveness with which the Risk Management function anticipates,
identifies and measures risks in a dynamic operating environment and oversees management of those risks
within the tolerance limits established by the Board. BNM will look to indicators of effective Risk
Management performance to guide its judgment in the course of its supervisory activities. These activities may
include: discussions with directors and management, including the Chief Risk Officer; assessment of the Risk
Management function’s oversight practices and how particular issues, such as breaches in approved limits, are
dealt with; review of risk management reports and reports of independent assessments of the function; review
of Board or risk management committee minutes, etc.
 Examples of indicators that could be used to guide supervisory judgment include the extent to which
 the Risk Management function:
i) Proactively updates its policies, practices and limits in response to changes in the industry and in the
institution’s strategy, business and IT activities as well as risk tolerances;
ii) Integrates its policies, practices and limits with day-to-day business activities and with the institution’s
strategic, capital and liquidity management policies;
iii) Models and measures inherent risks and actively participates in the development of new initiatives to
ensure processes are in place to appropriately identify and mitigate risks prior to implementation;
iv) Monitors risk positions against approved limits and ensures that material breaches are addressed on a
timely basis;
v) Uses risk measurement and monitoring tools that are sensitive enough to provide early warning indicators
of adverse trends and conditions; proactively analyzes these trends and conditions; and follows up to ensure
that they are addressed on a timely basis;
vi) Proactively and effectively addresses risk management issues identified as a result of internal or external
events, or by other control functions; and
vii) Provides regular, comprehensive, reports to the Board (or a Board committee) and Senior Management on
the effectiveness of the institution’s risk management processes and ensures that significant issues are
escalated to Senior Management and the Board on a timely basis.
69
APPENDIX: VII (d)

INTERNAL AUDIT
SESSMENT CRITERIA
ROLE OF INTERNAL AUDIT
The Internal Audit function provides independent oversight of the effectiveness of, and adherence to, the
institution’s organizational and procedural controls. It may also oversee the effectiveness of, and adherence
to, the institution’s compliance and risk management policies and practices.
QUALITY OF INTERNAL AUDIT OVERSIGHT
The following statements describe the rating categories for the assessment of the Internal Audit function’s
oversight of the effectiveness of, and adherence to, the institution’s organizational and procedural controls.
An overall rating of the Internal Audit function considers both its characteristics and the effectiveness of its
performance in executing its mandate in the context of the nature, scope, complexity, and risk profile of the
institution. Characteristics and examples of performance indicators that guide supervisory judgment in
determining an appropriate rating are set out below.
Ratings Definition
Strong  The mandate, organization structure, resources, methodologies and practices of the
Internal Audit function meet or exceed what is considered necessary, given the nature,
scope, complexity, and risk profile of the institution. Internal Audit has consistently
demonstrated highly effective performance. Internal Audit characteristics and
performance are superior to generally accepted industry practices and meet current
professional standards.
Acceptable  The mandate, organization structure, resources, methodologies and practices of the
Internal Audit function meet what is considered necessary, given the nature, scope,
complexity, and risk profile of the institution. Internal Audit performance has been
effective. Internal Audit characteristics and performance meet generally accepted
industry practices and current professional standards.
Weak  The mandate, organization structure, resources, methodology and practices of the
Internal Audit function are not, in a material way, what is considered necessary, given
the nature, scope, complexity, and risk profile of the institution. Internal Audit
performance has demonstrated serious instances where effectiveness needs to be
improved through immediate action. Internal Audit characteristics and/or performance
often do not meet generally accepted industry practices and current professional
standards.
70
INTERNAL AUDIT
ASSESSMENT CRITERIA
INTERNAL AUDIT CHARACTERISTICS
The following criteria describe the characteristics to be used in assessing the quality of the Internal Audit
function’s oversight of the effectiveness of, and adherence to, the institution’s organizational and procedural
controls. The application and weighting of the individual criteria will depend on the nature, scope, complexity, and
risk profile of the institution and will be assessed collectively, together with Internal Audit performance, in rating
its overall effectiveness.
iv) A requirement to express an opinion on the effectiveness of, and adherence
to, the institution’s organizational and procedural controls and applicable laws
and regulations; and
v) Authority to follow-up with management on action taken in response to audit
findings and recommendations.
 Extent to which the mandate is communicated within the institution.
2. Organization Structure  Appropriateness of the stature and authority of the function head within the
organization for the function to be effective in fulfilling its mandate.
 Extent to which the function head has direct access to the CEO and the Board (or
Audit Committee).
 Appropriateness of the function’s organization structure.
 Extent to which the function is independent of activities it audits and day-to-day
internal control processes.
iii) Continuing professional development programs to enhance staff
competencies.
qualifications and competencies for executing its mandate.
 Sufficiency of staff development programs and trainings.
4. Methodology and  Adequacy of policies and practices to ensure that audit methodologies conform to
Practices generally accepted industry practices and current professional standards
applicable laws and regulations.
 Adequacy of audit methodologies and practices to ensure the reliability and
integrity of the institution’s IT systems.
 Adequacy of policies and practices to provide early detection of fraud, errors,
omissions and other irregularities.
 Appropriateness of audit methodologies and practices to execute the function’s
mandate.
 Extent to which the function’s audit methodology is risk-based and responds to
changes in the institution’s risk profile.
5. Planning  Adequacy of policies and practices to review audit cycles in response to changes
in the institution’s environment and risk profile.
 Extent to which the annual audit planning process clearly identifies audit
objectives and scope of work.
6. Reporting  Adequacy of policies and practices to report audit findings and recommendations
to management and in accordance to the reporting requirement of BNM.
 Adequacy of policies and practices to follow-up on the resolution of audit
71
findings and recommendations.

7. Quality Assurance  Adequacy of policies and practices and code of ethics for monitoring of audit
staff to ensure that they comply with standards of professional practice and
utilize approved methodology in executing their reviews.
8. Senior Management  Extent to which Board (or Audit Committee) and Senior Management approval is
and Board Oversight required for:
i) The appointment and/or removal of the function head;
ii) The function’s mandate and resources; and
iii) The function’s annual work plan.
 Adequacy of policies and practices to report periodically to the Board (or Audit
Committee) and Senior Management on audit findings, recommendations and
progress in meeting annual audit plan (including the impact of any resource
limitations).
 Adequacy of policies and practices to perform regular independent reviews of the
function (including feedback received from the institution’s external auditor) and
to communicate the results to the Board (or Audit Committee) and Senior
Management.
 Adequacy of regular review on the effectiveness of the internal audit function
and other control review activities.
 Extent to which the institution’s Audit Committee members are comprise of non-
executive directors.
INTERNAL AUDIT PERFORMANCE
 The quality of the Internal Audit function’s performance is demonstrated by its overall effectiveness in
independently overseeing the effectiveness of, and adherence to, the institution’s organizational and
procedural controls.
 The assessment will consider how well the Internal Audit function promotes a sound control environment that
mitigates risks, ensures that control weaknesses are appropriately dealt with, and provides the Board and
Senior Management with reasonable assurance of the effectiveness of, and adherence to, organizational and
procedural controls. NBE will look to indicators of effective performance to guide its judgment in the course
of its supervisory activities. These activities may include: discussions with directors, management, including
the Chief Internal Auditor, and external auditors; review of how significant findings and management’s
responses to them are addressed with the Audit Committee; assessment of Internal Audit practices and
reporting; review of audit plans and working paper files, etc.
Internal Audit:
i) Is viewed by the Audit Committee and Senior Management as being effective in executing its mandate;
ii) Regularly engages the Audit Committee on the continued appropriateness of Internal Audit resources and
plan;
iii) Proactively communicates to the Audit Committee significant and persistent findings and management’s
action related to them;
iv) Reviews objectives, strategies, events, initiatives and transactions for changes that could materially impact
the institution in order to ensure risk management and control practices continue to be appropriate and
effective;
v) Actively seeks information from risk management, appointed actuary, compliance officers, external
auditors, BNM, parent company auditors or other relevant sources to corroborate or enhance its risk
assessment and to ensure that areas of weakness are appropriately considered in its audit plan;
vi) Proactively follows-up and reports on significant issues to ensure timely resolution. Demonstrates it can
cause necessary changes in the operations of the institution in response to material weaknesses identified;
vii) Appropriately considers the pervasiveness and significance of its findings, both at the individual activity
level, as well as in aggregate across the institution; and
viii) Appropriately differentiates between audit findings affecting safety and soundness from those affecting
operating efficiency, and the manner in which these are communicated and followed up.
72
APPENDIX: VII (e)

COMPLIANCE
SESSMENT CRITERIA
ROLE OF COMPLIANCE
The Compliance function provides independent oversight of the management of the institution’s
compliance with laws, regulations, circulars and guidelines relevant to the activities of the institution in the
jurisdictions in which it operates.
QUALITY OF COMPLIANCE OVERSIGHT
 The following statements describe the rating categories for the assessment of the Compliance
function’s oversight of the institution’s compliance with applicable laws, regulations, circulars and
guidelines.
 An overall rating of the Compliance function considers both its characteristics and the effectiveness of
its performance in executing its mandate. Characteristics and examples of performance indicators that
guide supervisory judgment in determining an appropriate rating in the context of the nature, scope,
complexity and risk profile of an institution are set out below.
Ratings Definition
Compliance function meet or exceed what is considered necessary, given the nature,
scope, complexity, and risk profile of the institution. Compliance has consistently
demonstrated highly effective performance. Compliance characteristics and
performance are superior to generally accepted industry practices.
Acceptable  The mandate, organization structure, resources, methodologies and practices of the
Compliance function meet what is considered necessary, given the nature, scope,
complexity, and risk profile of the institution. Compliance performance has been
effective. Compliance characteristics and performance meet generally accepted industry
practices.
Weak  The mandate, organization structure, resources, methodologies and practices of the
Compliance function are not, in a material way, what is considered necessary, given the
nature, scope, complexity, and risk profile of the institution. Compliance performance
has demonstrated serious instances where effectiveness needs to be improved through
immediate action. Compliance characteristics and/or performance often do not meet
generally accepted industry practices.
73
COMPLIANCE
ASSESSMENT CRITERIA
COMPLIANCE CHARACTERISTICS
The following criteria describe the characteristics to be used in assessing the quality of the Compliance
function’s oversight of the management of the institution’s compliance with applicable laws, regulations and
guidelines. The application and weighting of the individual criteria will depend on the nature, scope,
complexity and risk profile of the institution and will be assessed collectively, together with the Compliance
function’s performance, in rating its overall effectiveness.
iv) A requirement to express an opinion on the adequacy and effectiveness of the
compliance processes and status of compliance; and
v) Authority to follow-up with management on issues identified and
recommendations made related to compliance.
2.  Appropriateness of the stature and authority of the function head within the
Organization
Structure organization for the function to be effective in fulfilling its mandate.
 Extent to which the function head has direct access to the CEO and the Board (or a
Board Committee).
 Appropriateness of the function’s organizational structure.
 Extent to which the function is independent of the institution’s business activities and
day-to-day compliance processes.
iii) Continuing professional development programs to enhance staff competencies.
4. Methodology and Adequacy of policies and practices to ensure that the function’s approach and
Practices practices are in line with industry and regulatory compliance practices and are
appropriate for executing its mandate.
 Adequacy of policies and practices to keep abreast of new and changing legislation
and changes in the institution’s risk profile.
 Adequacy of policies and practices to promptly develop or amend the institution’s
compliance policies as legislation is introduced or amended or as new or changing
business activities impose different legislative requirements on the institution.
 Adequacy of policies and practices to document new or amended compliance policies
and communicate them across the institution on a timely basis.
 Adequacy of policies and practices to assist management in identifying, addressing
and integrating significant legislative or regulatory requirements into their business
and IT activities through appropriate procedural controls.
 Adequacy of policies and practices to monitor adherence to applicable laws,
regulations, circulars and guidelines across the institution in order to ensure that
significant issues are identified and brought to Senior Management’s attention for
timely resolution, as well as to support Senior Management’s opinion on the status of
compliance.
 Adequacy of policies to review compliance practices regularly for continued
effectiveness.
5.  Extent to which Board (or a Board committee) and Senior Management approval is
Senior
Management required for:
74
and Board Oversight i) The appointment and/or removal of the function head; and
ii) The function’s mandate and resources.
 Adequacy of policies and practices to report periodically to the Board (or a Board
committee) and Senior Management on compliance issues, recommendations and
status of compliance.
 Adequacy of policies and practices to perform periodic, independent reviews of the
function, and to communicate results to the Board (or a Board committee) and Senior
Management.
COMPLIANCE PERFORMANCE
 The quality of the Compliance function’s performance is demonstrated by its effectiveness in overseeing
management of the institution’s compliance with applicable laws, regulations, circulars and guidelines.
 The assessment will consider the effectiveness with which the Compliance function actively promotes
compliance with applicable laws, regulations and guidelines throughout the institution, ensuring that breaches
are identified and resolved on a timely basis. BNM will look to indicators of effective performance to guide
its judgment in the course of its supervisory activities. These activities may include: discussions with directors
and management, including the Chief Compliance Officer; review of practices to detect and dispose of
breaches of compliance; review of reports of independent assessments of the function; the institution’s
regulatory correspondence file; etc.
Compliance:
i) Develops, documents and actively communicates new and amended compliance policies or requirements to
all impacted areas of the institution;
ii) Proactively assists management in identifying, addressing and integrating significant legislative or
regulatory compliance requirements into its business and IT activities;
iii) Actively monitors adherence to applicable laws, regulations, circulars and guidelines across the
institution;
iv) Escalates significant breaches of compliance requirements to Senior Management and the Board;
v) Proactively follows up to ensure that significant issues are addressed on a timely basis; and
vi) Periodically reviews compliance practices for continuing effectiveness.
75
APPENDIX: VII (f)

INFORMATION AND COMMUNCIATION
ASESSMENT CRITERIA
ROLE OF INFORMATION AND COMMUNCIATION
The Information and Communication function performs in-depth analysis of the institution’s financial and
operating results independently of the business units and prepares management reports for Senior
Management and the Board. This function is generally found as a separate unit only in larger institutions.
QUALITY OF INFORMATION AND COMMUNCIATION
 The following statements describe the rating categories for the assessment of the Information and
Communication function’s independent analysis and reporting of the institution’s financial and operating
results for Senior Management and the Board.
 An overall rating of the Information and Communication function considers both its characteristics and the
effectiveness of its performance in executing its mandate. Characteristics and examples of performance
indicators that guide supervisory judgment in determining an appropriate rating in the context of the nature,
scope, complexity, and risk profile of the institution are set out below.
Ratings Definition
Information and Communication function meet or exceed what is considered necessary,
given the nature, scope, complexity, and risk profile of the institution. Information and
Communication has consistently demonstrated highly effective performance. Information
and Communication characteristics and performance are superior to generally accepted
industry practices.
Acceptable The mandate, organization structure, resources, methodologies and practices of the
Information and Communication function meet what is considered necessary, given the
nature, scope, complexity, and risk profile of the institution. Information and
Communication performance has been effective. Information and Communication
characteristics and performance meet generally accepted industry practices.
Weak  The mandate, organization structure, resources, methodologies and practices of the
Information and Communication function are not, in a material way, what is considered
necessary, given the nature, scope, complexity, and risk profile of the institution.
Information and Communication performance has demonstrated serious instances where
effectiveness needs to be improved through immediate action. Information and
Communication characteristics and/or performance often do not meet generally accepted
industry practices.
76
INFORMATION AND COMMUNCIATION

ASSESSMENT CRITERIA
INFORMATION AND COMMUNCIATION CHARACTERISTICS
The following criteria describe the characteristics to be used in assessing the quality of the Information and
Communication function’s independent analysis and reporting of the institution’s financial and operating results
for Senior Management and the Board. The application and weighting of the individual criteria will depend on the
nature, scope, complexity, and risk profile of the institution and will be assessed collectively, together with the
Information and Communication function’s performance, in rating its overall effectiveness.
ii) Authority to carry out its responsibilities independently of the business units;
iii) Right of access to the institution’s records, information and personnel; and
iv) A requirement to provide recommendations on strategic and/or business
opportunities, as well as on management information system changes needed to
enhance decision-making.
2. Organization Structure Appropriateness of the stature and authority of the function head within the
organization to enable the function to be effective in fulfilling its mandate.
 Extent to which the function head has direct access to Senior Management.
 Appropriateness of the function’s organization structure.
 Extent to which the function is independent of the operating units.
iii) Continuing professional development programs to enhance staff competencies.
4. Methodology and  Adequacy of the function’s methodologies, practices and techniques, for collecting,
Practices analyzing and producing operating and financial information.
 Extent to which the reports, produced for the Board and Senior Management, are
accurate, timely, presented using understandable formats, and include an appropriate
level of key performance indicators.
 Adequacy of the function’s capacity for preparing ad hoc reports for the Board and/or
Senior Management on a timely basis.
 Adequacy of policies to review the function’s methodology, practices, reports and key
performance indicators regularly to ensure that they continue to meet the needs of the
institution.
5. Senior Management  Extent to which Senior Management approval is required for:
and Board Oversight i) The appointment and/or removal of the function head; and
ii) The function’s mandate, resources, methodologies and practices.
 Adequacy of policies and practices to perform periodic, independent reviews of the
function, and to communicate the results to Senior Management.
INFORMATION AND COMMUNCIATION PERFORMANCE
 The quality of the Information and Communication function’s performance is demonstrated by its effectiveness in
providing independent analysis and reporting of the institution’s financial and operating results to Senior
Management and the Board.
 The assessment will consider the effectiveness with which the Information and Communication function provides
timely, accurate and insightful information, that supports effective decision-making, to Senior Management and the
Board. BNM will look to indicators of effective performance to guide its judgment in the course of its supervisory
activities. These activities may include: discussions with directors and management; discussions with external
auditors and appointed actuaries; review of the information provided to Senior Management and the Board; etc.
 Examples of indicators that could be used to guide supervisory judgment include the extent to which Information
77
and Communication:
i) Produces reports, independently of the business areas being reported on, for Senior Management and the Board
that are accurate, timely and understandable, and that include an appropriate analysis of key performance
indicators, and highlights matters requiring Senior Management and Board attention;
ii) Proactively provides insightful recommendations on strategic and/or business opportunities;
iii) Responds quickly to requests for ad hoc reports;
iv) Actively engages the CEO and Board Chair or lead director in discussion to confirm that its reports and
presentations continue to meet the needs of Senior Management and the Board; and
v) Proactively reconsiders, on a regular basis, the adequacy of management information systems to provide
effective and timely decision-making.
78
APPENDIX: VIII
OVERALL NET RISK RATING

ASSESSMENT CRITERIA
DEFINITION OF OVERALL NET RISK RATING
Introduction
 Overall Net Risk is the aggregate of the Net Risks for all Significant Activities within an institution
that considers the relative materiality of each activity. This assessment recognizes that an activity with
low materiality but high net risk may not contribute sufficiently to Overall Net Risk to affect the rating.
 Net Risk for each Significant Activity is a function of the level of Inherent Risks in the activity offset
by the Quality of Risk Management for the activity as a whole.
 Risk Management includes Operational Management as well as applicable oversight functions of the
institution. These oversight functions would include Board of Directors, Senior Management, Risk
Management, Internal Audit, Compliance and Information & Communication as appropriate to the
institution.
Ratings Definition
Low  The institution has risk management that substantially mitigates risks inherent in its
significant activities down to levels that collectively have lower-than-average
probability of a material adverse impact on its capital and earnings in the foreseeable
future.
 Normally, institutions in this category will have a predominance of significant activities

rated as low net risk. Other combinations may be possible depending on the
circumstances of the institution.
Moderate  The institution has risk management that sufficiently mitigates risks inherent in its
significant activities down to levels that collectively have an average probability of a
material adverse impact on its capital and earnings in the foreseeable future.
 Normally, institutions in this category will have a significant number of their activities
rated as moderate net risk, or a few of their significant activities rated as high net risk
with others rated as low net risk. Other combinations may be possible depending on the
High  The institution has weaknesses in its risk management that may pose a serious threat to
its financial viability or solvency and give rise to high net risk in a number of its
significant activities. As a result, net risks in its significant activities collectively have a
high probability of a material adverse impact on its capital and earnings in the
foreseeable future.
 Normally, institutions in this category will have the majority of their significant
activities rated as high net risk, or will have rated as high net risk one or more
significant activities that have a pervasive impact on its operations. Other combinations
may be possible depending on the circumstances of the institution. The weaknesses in
risk management lead to considerable doubt about the institution’s capability and/or
willingness to apply prompt and effective corrective measures to sufficiently mitigate
high net risks in its significant activities.
79
APPENDIX: IX
EARNINGS
ASSESSMENT CRITERIA
(The Assessment Criteria should be read in conjunction with Appendix XXX)
ROLE OF EARNINGS
Earnings absorb normal and expected losses in a given period and provide a source of financial support by
contributing to the institution’s internal generation of capital and its ability to access capital externally.
EARNINGS PERFORMANCE
The following statements describe the rating categories used in assessing an institution’s earnings and its
ability to continue to generate earnings required to ensure its long-term viability. The adequacy of an
institution’s earnings will be evaluated in the context of the nature, scope, complexity, and risk profile of
the institution. This evaluation considers quality, quantity and volatility of earnings.
Ratings Definition
Strong  The institution has consistent earnings performance, producing returns that significantly
contribute to its long term viability, and there is no undue reliance on non-recurring
sources of income to enhance earnings. The earnings outlook for the next 12 months
continues to be positive.
Acceptable  The institution has satisfactory earnings performance, producing returns needed to
ensure its long term viability, and there is no undue reliance on non-recurring sources of
income to enhance earnings. Although there is some exposure to earnings volatility, the
outlook for the next 12 months remains positive.
Weak  The institution has consistently recorded operating losses or earnings that are
insufficient to ensure its long term viability. It may be heavily dependent on
nonrecurring sources of income to show a profit. The earnings outlook for the next 12
months is expected to remain negative.
EARNINGS
ASSESSMENT CRITERIA
EARNINGS CRITERIA
The following statements describe the criteria for assessing an institution’s earnings performance. The application and
weighting of the individual criteria will depend on the nature, scope, complexity, and risk profile of the institution,
and will be assessed collectively in evaluating its ability to generate earnings required for long-term viability.
Essential elements Criteria
1. Historical trends, Level and  Adequacy of earnings relative to the risk profile of the institution.
Composition  Earnings contributions from volatile and non-volatile sources of income.
 Trend and volatility of earnings.
 Level of, and reasons for, earnings variances to plan.
 Extent to which sources of income are diversified.
 Extent to which the institution relies on interpretations of accounting and/or
actuarial principles to enhance earnings.
 Extent to which earnings are from non-recurring sources of income.
2. Peer Group Comparison  Profitability and earnings trends compared to its peers.
3. Future Outlook  Vulnerability of earnings to competition.
 Extent to which the institution’s earnings may be affected by an economic
downturn or market event.
 Extent to which the institution’s earnings ensure its long-term viability.
80
APPENDIX X
CAPITAL
ASSESSMENT CRITERIA
(The Assessment Criteria should be read in conjunction with Appendix XXX)
ROLE OF CAPITAL
Capital is a source of financial support to protect an institution against unexpected losses, and is,
therefore, a key contributor to its safety and soundness. Capital management is the on-going process of
raising and maintaining capital at levels sufficient to support planned operations. For complex institutions,
it also involves allocation of capital to recognize the level of risk in its various activities. The assessment
is made in the context of the nature, scope, complexity, and risk profile of an institution.
ADEQUACY OF CAPITAL
The following statements describe the rating categories used in assessing capital adequacy and capital
management policies and practices of an institution. Capital adequacy includes both the level and quality
of capital. The assessment is made in the context of the nature, scope, complexity, and risk profile of an
institution.
Ratings Definition
Strong  Capital adequacy is strong for the nature, scope, complexity, and risk profile of the
institution, and meets the NBE’s target levels. The trend in capital adequacy over the
next 12 months is expected to remain positive. Capital management policies and
practices are superior to generally accepted industry practices.
Acceptable  Capital adequacy is appropriate for the nature, scope, complexity, and risk profile of
the institution and meets the NBE’s target levels. The trend in capital adequacy over
the next 12 months is expected to remain positive. Capital management policies and
practices meet generally accepted industry practices.
Weak  Capital adequacy is inappropriate for the nature, scope, complexity, and risk profile of
the institution and does not meet, or marginally meets, minimum regulatory
requirements. The trend in capital adequacy over the next 12 months is expected to
remain negative. Capital management policies and practices do not meet generally
accepted industry practices.
CAPITAL
ASSESSMENT CRITERIA
CAPITAL CRITERIA
The following statements describe the criteria for assessing an institution’s capital adequacy and capital
management policies and practices. The application and weighting of the individual criteria will depend
on the nature, scope, complexity, and risk profile of an institution.
1. Capital Adequacy  Adequacy of the level of capital in relation to regulatory minimum and
target requirements, the institution’s risk profile, and internal targets.
 Appropriateness of the types and mix of capital instruments, and the level
of high quality capital.
 Extent of regulatory arbitrage in managing capital adequacy.
 Adequacy of the level of capital to support planned business activities.
 Willingness and ability of the shareholder(s) or head office to assist the
institution in maintaining regulatory capital or vesting requirements and/or
ability of the institution to raise capital externally.
2. Capital Management  Extent to which capital management policies and practices are enterprise-
Policies and Practices wide and supported by sufficient authority and resources.
 Appropriateness of the process for developing capital management
policies and practices.
 Appropriateness of capital management policies and practices.
81
 Extent to which the capital planning process is integrated with the

institution’s strategic and business plans and provides for regular
monitoring to ensure that it continues to meet regulatory minimum and
target capital requirements.
 Extent to which the capital management process provides for an
appropriate level of stress testing under different scenarios, including
possible events or changes in environmental conditions that could
adversely impact the institution.
 Adequacy of the capital plan.
3. Senior Management  Extent to which Senior Management and Board approval is required for:
and Board Oversight  Capital management mandate and resources;
 Capital management policies and practices; and
 Annual capital plan.
 Adequacy of policies and practices to provide complete, accurate and
timely reports on the institution’s capital management to enable Senior
Management and the Board (or a Board committee) to assess compliance
with:
 The institution’s capital plan, including the results of scenario
testing; and
 Regulatory capital requirements.
 Adequacy of policies and practices to perform regular independent
reviews to ensure that capital management complies with approved
policies and practices, and regulatory requirements.
82
APPENDIX: XI
COMPOSITE RISK RATING
ASSESSMENT CRITERIA
Definition of Composite Risk
 The Composite Risk Rating is an assessment of the institution’s overall risk profile, after considering
the impact of capital and earnings on its Overall Net Risk. It reflects the NBE’s assessment of the
safety and soundness of the institution.
 An institution’s Composite Risk Rating is assessed as low, moderate, above average, or high, with the
direction of change assessed as decreasing, stable or increasing for a specified time frame, depending
on the institution’s circumstances, and the business and economic environment.
QUALITY OF INFORMATION AND COMMUNCIATION
Ratings Definition
Low  A strong, well-managed institution. The combination of its overall net risk and its
capital and earnings makes the institution resilient to most adverse business and
economic conditions without materially affecting its risk profile. Its performance has
been consistently good, with most key indicators in excess of industry norms, allowing
it ready access to additional capital. Any supervisory concerns have a minor effect on
its risk profile and can be addressed in a routine manner.
 Normally, an institution in this category would have a low overall net risk coupled with
acceptable capital and earnings, or a moderate overall net risk coupled with strong
capital and earnings. Other combinations may be possible depending on the
Moderate  A sound, generally well-managed institution. The combination of its overall net risk and
its capital and earnings makes the institution resilient to normal adverse business and
economic conditions without materially affecting its risk profile. The institution’s
performance is satisfactory, with key indicators generally comparable to industry
norms, allowing it reasonable access to additional capital. Supervisory concerns are
within the institution’s ability to address.
 Normally, an institution in this category would have moderate overall net risk coupled
with acceptable capital and earnings, or low overall net risk coupled with capital and
earnings that need improvement. Other combinations may be possible depending on the
High  Poorly managed institution. The institution has serious safety and soundness concerns.
One or more of the following conditions are present. The combination of its overall net
risk and its capital and earnings is such that the institution is vulnerable to most adverse
business and economic conditions, posing a serious threat to its financial viability or
solvency unless effective corrective action is implemented promptly. Its performance is
poor, with most key indicators below industry norms, seriously impairing its ability to
access additional capital.
 Normally, an institution in this category would have high overall net risk, which is not
sufficiently mitigated by capital and earnings, or above average overall net risk coupled
with capital and earnings that need improvement. Other combinations may be possible
depending on the circumstances of the institution.
83
APPENDIX: XII
XYZ BANK S.C. RISK MATRIX As At (Date)
Quality of Risk Management
Inherent Risk OM RMCF
Information & Communication

Significant Activities Materiality
Operational Management
Direction of Net Risk

Senior Management
Risk Management
Board Oversight
Internal Audit
Compliance
Operational
Aggregate
Aggregate
Liquidity
Net Risk
Market
Credit
TRACK 1
Activity 1
Activity 2, etc
Overall Net Risk
TRACK 2
Vertical RMCF
TRACK 3
Vertical Risk
Overall Vertical Risk Mgt
Net Vertical Risk
Direction of NVR
Earnings Capital Composite Risk Rating

Direction Supervisory Intervention Stage
of CRR Time Frame
84
APPENDIX: XIII
RISK ASSESSMENT SUMMARY FORMAT
Bank : _______________________________________________
Cut-off Date : _______________________________________________
1. CRR and its direction; and supervisory intervention stage;
i) Composite risk rating

ii) Supervisory intervention stage
2. Summary of SAs and related risks identified;
i) Summary of significant activities identified

ii) Risks related to significant activities identified
3. An assessment of the effectiveness of the Quality of Risk Management;
i) Effectiveness of Operational Management

ii) Effectiveness of RMCFs
(a) Board of directors

(b) Senior management
(c) Risk management
(d) Internal audit
(e) Compliance
(f) Information and communication
4. An assessment of the adequacy of capital and the profitability of the bank;
i) Assessment of capital
ii) Assessment of earnings
5. Significant issues and concerns identified.
6. Sign-off
The various parties have to sign-off (and date) the risk assessment summary.
i) Person who prepared the risk assessment summary (the desk officer)
ii) Person who concurred with the risk assessment summary (the team leader)
iii) Person who approved the risk assessment summary (deputy director of BS)
Appendices
i) Risk Matrix;
ii) A listing of significant events that occurred during the past 3 months;
iii) CAMEL rating, including previous two ratings, and financial highlights on
capital position, asset quality, earnings performance and liquidity (stress test
result incorporated);
iv) Status of rectification measures by the bank;
v) Supervisory plan; and
vi) Intervention activities and status reports.
85
APPENDIX: XIV
CAMEL RATING AND FINANCIAL HIGHLIGHTS

Current and previous two onsite examinations overall CAMEL ratings:
Ratings Previous Previous Current
(Composite) Examination Examination Examination
CAMEL Satisfactory Satisfactory Satisfactory
a) Capital
The bank’s capital is rated satisfactory. As at 30th May, 2006, the bank’s paid-up capital was Birr
300 million which was above the legal requirement of Birr 75 million. Ratio of total capital to
total risk-weighted assets plus off-balance sheet exposure was 11 percent which was above legal
requirement of 8 percent, though below peer average. The bank has strong ability to grow capital
through earnings retention although it does not have a formal capital build-up plan.
b) Asset Quality
Asset quality of the bank is satisfactory. However, high growth in loans was observed, the bank
has low NPLs to total capital ratio of 2 percent, which was below peer average. Credit
concentration was noted to be high as large exposures accounted for 333% of total capital and 17
big borrowers made up 46% of the loan portfolio. Off balance sheet activities were moderate.
c) Earnings
Earnings were rated satisfactory. For the year ended June 30, 2009, the bank made a profit before
tax of Birr 18,004.00 million as compared to Birr 10,951.00 million made in the year 2004, an
increase of 64.40%. The bank recorded a return on assets of 3.40% and return on equity of
37.80%, which were both above the peer average. For the period up to 30th June, 2006, the bank
made a profit before tax of Birr 18,121.85 million. Return on average assets was 0.50%, and net
interest income to average earnings assets was 4.86%. Ratio of non-interest expenses to gross
income was 43% as compared to 56.45% recorded in the previous examination. Major sources of
income were interest income from loans and advances which contributed 40% of total income,
interest income from investment in debt securities (24%) commissions, fees and charged (18%)
and foreign exchange trading (11.40%).
d) Liquidity
Liquidity of the bank was rated strong. The liquid asset ratio was 55.2% which was above the
regulatory requirement of 25% and peer average. The ratio of loans to deposit was 53.95% which
was lower than industry average of 60%. The bank’s major sources of funding include Current
account deposits (57.11%); Savings deposits (20.03%); Time deposits (14.22%); Bankers Checks
and Drafts Issued (1.62%); Other Liabilities (4.63%); indicating stable sources of funding. The
bank also enjoys good market perception and access to inter-bank funding. Top ten depositors
accounted for 24% of total deposits, depicting moderate funding concentration.
86
APPENDIX: XV
GUIDE TO INTERVENTION FOR BANKS
CRR Intervention Stage
Low  Stage 0 - Low Priority. Banks are well managed
and in good financial condition
Moderate  Stage 1 – Early Warning. Deficiencies in policies

or procedures or existence of conditions that could
lead to Stage 2 conditions.
 Stage 2 – Risk to Volatility/Solvency. Existence
of problems or situations that may deteriorate if not
addressed promptly, but do not pose immediate
High threat to solvency or viability
Stage 3 – Viability/Solvency in Serious Doubt. In
the absence of mitigating actions, and unless
effective corrective measures are taken promptly,
future viability is under serious threat
Stage 4 – Non-Viability/Insolvency Imminent.
Absence of credible restructuring/recapitalization
plan to avoid imminent insolvency or failure to
meet minimum capital requirement
Stage 0 – Low Priority

 Banks are well managed and in good financial condition. Only require routine supervisory and
regulatory activities pursuant to mandates of the NBE
Intervention Actions
 Ongoing monitoring of banks based on information obtained from statutory filings, financial reports
and other sources:
o Assess financial condition and operating performance; and
o Verify compliance with statutory and other regulatory requirements.
 Periodic on-site examination of banks as required by statutes
o Inform management and board of directors of findings
o Require that concerns be addressed by bank
o Monitor measures if required
 Unless circumstances require otherwise, the use of informal enforcement tools (e.g. supervisory
letter, letter of undertaking and board resolution) is appropriate.
Stage 1 – Early Warning

 Deficiency in policies and procedures or the existence of other practices, conditions and
circumstances that could lead to the development of problems described in Stage 2.
 Situations are such that they can be remedied before they deteriorate into Stage 2 problems. Bank
would be subject to the NBE’s customary monitoring procedures.
In addition to any Stage 0 intervention action:
 Bank notified of concerns and requested to take measures to rectify situation.
 Monitoring of bank is enhanced
 Monitoring of remedial actions may involve requests of additional information and/or follow-up
examinations. Scope and frequency may be enlarged or increased.
 The NBE may require that bank’s external auditor enlarge scope of examination of bank’s financial
87
statement or that external auditor perform other procedures, and prepare a report thereon. The NBE
may assign cost of external auditor’s work to bank
 Unless circumstances require otherwise, the use of informal enforcement tools (e.g. supervisory
letter, letter of undertaking and board resolution) is appropriate
Stage 2 – Risk to Viability/Solvency

 Situation or problems that, although not serious enough to present an immediate threat to financial
viability or solvency, could deteriorate problems if not addresses promptly.
 The bank is put on a regulatory “watch list”, the intensity of supervisory oversight is and
intrusiveness of supervisory actions are increased. The use of formal enforcement action tool is
warranted.
In addition to any Stage 0 or Stage 1 intervention action:
 Senior NBE officials meet with management, board of directors and external auditor of bank to
outline concerns and discuss remedial actions.
 Bank must provide an acceptable Remedial Plan to the NBE that reflects appropriate measures that
will rectify problems within a specified time frame.
 Monitoring of bank is enhanced as to frequency of reporting requirements and/or the level of detail
of information submitted.
 Progress of remedial measures is monitored via reporting requirements and/or follow-up
examinations. Scope of on-site examination and/or frequency of on-site examinations may be
increased.
 The NBE may engage external experts to review specific areas of concerns, and thereon direct bank
to perform certain actions. The NBE may assign cost of external experts’ work to bank*
 Business restrictions appropriate to circumstances may be imposed on bank, covering such matters
as: payments of dividends or management fees, lending, investment, level of indebtedness, business
acquisitions or other restrictions tailored to circumstances.
 Bank is placed on regulatory ‘watch list;
o Bank’s management and board of directors are formally notified.
 The NBE conducts viability assessment and commences contingency planning.
 The NBE conducts an assessment of the competency of the bank’s directors and senior officers and,
if appropriate, recommends to the bank’s board and nomination committee that they be removed
from office.
 Unless circumstances require otherwise, the use of formal enforcement tools (i.e. Directions of
Compliance) is appropriate
* To develop policies and procedures for appointing third party contractors for intervention actions.
Stage 3- Viability/Solvency in Serious Doubt

 Situations or problems described at Stage 2 are at a level where, unless effective corrective measures
are applied promptly, pose a material threat to future financial viability or solvency.
 Banks would be subject to a more intense and focus surveillance procedures, and notified of the
possible use of more severe regulatory actions.
 Under appropriate circumstances, the use of resolution powers pursuant to Article 31 of the Banking
Business Proclamation No. 592/2008 may be warranted.
 In addition to any Stage 0, Stage 1 or Stage 2 intervention action:
 Frequency of engagement is increased, and pressure to rectify situation is exerted on management,
and BoD.
 Remedial Plan must reflect appropriate measures to rectify problems within a set time frame to
avoid triggering impaired viability or solvency procedures (see Stage 4).
 Monitoring of company may be further enhanced as to frequency of reporting requirements and/or
the level of detail of information submitted to monitor progress of remedial measures.
 Follow-up examinations may be carried out as required.
 The NBE may direct bank to increase its capital or assets.
 Enhanced examinations may be carried out focusing on particular areas of concern e.g. asset and/or
liabilities valuation.
88
 Depending on situation, NBE examination staff may be posted at bank to monitor situation on an
ongoing basis.
 A special audit may be required from an auditor other than the bank’s own external auditor if the
NBE is of the opinion that it is required. The NBE may assign cost of external auditor’s work to
bank*
 Depending on circumstances, business restrictions may be enhanced or additional ones imposed on
bank
 Pressure may be exerted on bank’s management and board to restructure the bank, or to seek out an
appropriate merger partner or prospective purchaser.
 The NBE develops contingency plan for taking rapid control of the assets of the bank if changes in
circumstances so warrant. This may include the appointment of external experts* to value the
business, assets and/or liabilities of the bank, the cost of which may be assigned to the bank.
 The NBE updates its assessment of the competency of the bank’s directors and senior officers and,
if appropriate, removes such directors or officers from office, by way of an order pursuant to Article
31 of Banking Business Proclamation No. 592/2008.
 The use of Directions of Compliance is appropriate. Depending on the circumstances, the use of an
order pursuant to Article 31 of Banking Business Proclamation No. 592/2008 may be warranted.
* To develop policies and procedures for appointing third party contractors for intervention actions.
Stage 4- Non Viability/Insolvency Imminent

 The bank is in severe financial difficulties resulting in:
o Statutory conditions for taking control being met, or
o Failure to meet the statutory capital and solvency requirement, in conjunction with inability
to rectify the situation within a short period of time, or
o Failure to develop and implement an acceptable recapitalization and rehabilitation plan,
thus making either of the two preceding circumstances inevitable within a short period of
time.
 The NBE formally notifies the bank’s board and management of its intended intervention measures.
 Unless circumstances require otherwise, the use of resolution powers pursuant to Article 31 of
Banking Business Proclamation No. 592/2008 is most appropriate.
89
APPENDIX: XVI
GUIDANCE NOTES TO COMPLETING SUPERVISORY PLAN
Bank : _______________________________________________________________
Cut-off Date : _______________________________________________________________
Completing the following items:
A. Supervisory Concerns
Identify supervisory concerns by reviewing the following:

 Risk assessment summary
 CAMEL assessment
 Other available information (e.g. examination, internal and external audit reports,
liaison with various parties)
 Other significant events (e.g. merger, acquisitions)
B. Supervisory Strategies and Activities
Identify strategies to address the supervisory concerns as well as specific activities to be

conducted (on bank, or subsidiaries)
 Off-site Monitoring
Provide information on proposed off-site activities, taking into considerations the

objectives, scope and specific supervisory concerns.
Example:
The bank is subject to continuous off-site surveillance through monthly reporting on key financial
indicators, quarterly CAMEL assessment and evaluation of stress test results. In addition,
interactions with the following parties to gather information and gain a better understanding of
the bank have been scheduled.
No. Activity Objective Period Remarks

1. Meeting with To obtain an overview of 1st Qtr 2010 Last done-Dec 2008
management the bank’s financial
performance and future
prospects
2. Meeting with To discuss recent fraud 2nd Qtr 2010 -
90
Internal Auditors trends and latest modus

operandi
3. Meeting with To discuss the adequacy of 3rd Qtr 2010 Last done-June 2009
External Auditors provisions and merger
integration issues prior to
the bank’s financial year-
end.
 On-site Examination
Provide information on proposed on-site examination activities, taking into consideration the
objectives, scope, date of last onsite examination and specific supervisory concerns.
Example:
To enable the supervisory concerns to be adequately addressed, full and limited scope on-site
examinations should be performed throughout the year on the Head Office, main branch, and
subsidiary X. Each examination should encompass a review of significant financial and
managerial issues, processes and reporting system. The proposed on-site examination program for
the bank is as follows:
No. Activity Objective/Scope of Period Remarks

Examination
1. Head Office Full Scope –to follow-up 1st Qtr 2010 Last
on previous year’s examined-
examination findings and Dec 2008
to focus on enhancing risk
management practices
2. Branch A Limited Scope-Review of 2nd Qtr 2010 Last examined
Asset Quality to focus on (full scope)-
credit risk March 2008
3. Subsidiary X Limited Scope – Review to 3rd Qtr 2010 Last examined
margin financing portfolio (full scope)-
since previous year’s full- June 2009
scope examination resulted
in satisfactory evaluations
4.
5.
6.
C. Sign-Off
The various parties have to sign-off (and date) the supervisory plan.
a) Person/s who prepared the supervisory plan (the desk officer)

b) Person who concurred with the supervisory plan (the team leader)
c) Person who approved the supervisory plan (the deputy director of BS)
91
APPENDIX: XVII
SUPERVISORY PLAN FORMAT

Bank:
Cut-off Date:
A. Supervisory Concerns
Supervisory Strategies and Activities to be Conducted
Offsite Monitoring
Comments:
No. Activity Objective/Scope Period Remarks

On-site Examination
Comments:
No. Activity Objective/Scope Period Remarks
92
Name Signature Dated Designation

Prepared by Desk Officer
Reviewed and
concurred by Teal Leader
Approved by Deputy Director of BS
APPENDIX : XVIII
SAMPLE INFORMATION REQUEST LETTER

5th July 2009
BSV/E.30/2//vol.II
President,
XYZ Bank S.C.
P.O. Box 186
Addis Ababa.
Dear Sir,
RE: REQUEST FOR INFORMATION
As authorized under Article 5(7) of the NBE Establishment Proclamation No. 591/08, and Article
29(1) of the Banking Business Proclamation No. 592/08, the Banking Supervision is planning to
conduct a full scope examination of your bank. The examination cut-off date will be June 30th,
2009 and is scheduled to begin on August 14th, 2009.
To increase the effectiveness of the examination, and to minimize the disruption to your bank, we
will conduct a preliminary review of the bank beginning on July 10, 2009, which will be
conducted both offsite at the NBE and on-site at your head office. The purpose of the review is to
gain an understanding of your operations so that the subsequent examination may be more
appropriately targeted to those areas of higher concern and/or risk. As part of the preliminary
review, examiners will have a meeting with senior management of the bank at your office on July
13, 2009.
The following examiners will participate in the preliminary review:
1) Ato Taye Sime Team Leader

2) W/ Roza Teka Assistant Team Leader
3) Ato Bayu Nuru Member
4) W/ Lily Reda Member
5) Ato Mola Bezu Member
Attached to this letter is a list of information that will be required for the preliminary review. List
A contains information to be submitted to the NBE not later that July 12, 2009, List B contains
information to be available onsite at your office from August 14, 2009 while List C contains
some of the issues to be discussed during the pre-examination meeting with the senior
management of your bank.
In case of any question, please contact the Team Leader, Ato Taye Sime at phone number 011
551 7430.
93
Yours faithfully,
Getu Belay
Deputy Director
Banking Supervision
List A: Information to be submitted to NBE by July 12, 2009. (All information as at June 30 th 2009)
(i) Trial Balance/General Ledger;
(ii) Branch by branch deposits, advances and profits/losses;
(iii) An organization chart listing reporting lines for all major functions and individuals. In
addition, please provide a listing of all branch offices and business locations. Highlight any
branches or locations that have opened/closed since the previous on-site examination;
(iv) Provide a listing of investments in corporate entities, including the name of the entity, the
nature of the entity’s business, the date of investment, the number of shares held and the
level (percentage) of ownership;
(v) A list of Board and Management committees and their members;
(vi) Internal audit plan for the current year and a summary of compliance with the audit plan;
(vii) A list of loans and advances to insiders and employees and their related interests. Please
provide details regarding the name and position of the insider, the purpose of the advance,
the amount of the advance (total committed and current balance), the term of the advance,
the rate charged and a description and value of the collateral;
(viii) Loan review reports indicating borrower’s rating and classification;
(ix) List of classified assets (other than loans);
(x) List of off-balance sheet items;
(xi) List of assets written off indicating amount sanctioned, expiry date, amount written off, and
date written off;
(xii) List of foreclosed assets indicating the name of the debt satisfied, value of debt satisfied,
types and values of foreclosed assets;
(xiii) A list of investment securities held; list the type of security, amount, and date purchased;
(xiv) List of litigations where the bank is the defendant detailing the plaintiff’s name, amount of
claim, and brief synopsis of the claim; and
(xv) Provide information on Directors and members of Senior Management as per the format
below (list Directors first, then members of Senior Management):
Name, Title Date of Birth and Compensation % of Qualification, Primary

and Place of date appointed to (salary, bonus, sitting Shares Occupation and position
Residence Board fees, travel etc) held in other financial banks
94
List B: Information to be Made Available at Your Office for Our

Review (from August 14, 2006)
(i) The board of directors’ minutes and papers and Annual General Meeting minutes for each
meeting since the prior on-site examination;
(ii) The board audit committee minutes for each meeting since the prior on-site examination;
(iii) The strategic business plan, the current year budget and a comparison of actual performance
relative to the budget;
(iv) Internal audit reports completed since the previous on-site examination;
(v) The external audit reports, management letter with management response completed since
the previous on-site examination;
(vi) A copy of all available policies including credit policy, asset/liability management policy,
liquidity policy, etc.; provide dates of approval or up dates;
(vii) The records of shareholdings and a current shareholders list with the following information;
shareholder name, place of shareholder residence, number of shares held, percentage
ownership, disclosure of any agreement to purchase or sell shares in the future, and
disclosure of any voting rights. If any shares are held in corporate name, please list the
individuals who are authorized to vote, and the individuals who actually vote.
List C: Agenda Items for a Pre-Examination Meeting (to be Conducted at Your Premises on July 13,
2009)
The following issues will be discussed during the pre-examination meeting with the senior management of
your bank:
(i) Primary target market and business lines, and significant changes in bank products or
services including areas of growth;
(ii) Economic conditions within the target markets and any other external factors affecting the
primary business lines;
(iii) Areas representing the greatest risk to the bank and/or market;
(iv) Changes in bank management, key personnel or operations since previous examination;
(v) Results of audit and internal controls review, any follow-up required by management;
(vi) Any material changes to internal or external audit’s schedules or scope and adequacy of
audit staffing;
(vii) Purchase, acquisition, merger or divestiture considerations;
95
(viii) Changes in technology including operational systems, technology vendors/service

providers, critical software, internet banking, or plans for new products/activities that
involve new technology since previous examination;
(ix) Issues regarding compliance with laws, directives and circulars governing banking
business;
(x) Other issues that may affect the risk profile; and
(xi) Management concerns about the bank or NBE’s supervision including any areas the bank
APPENDIX: XIX
PRE-EXAMINATION WORKING TOOLS

(To be used together with Appendix XIX)
Bank:
Examination Date:
EIC:
Reviewed by:
1) Review the structure and financial condition of related affiliates/groups.
When a bank is part of a larger conglomerate (group), events such as financial distress in one or more of the
related companies can potentially spread to the healthier part of the group directly or indirectly through:
 Attempts of senior management of the group to support or strengthen the weaker affiliate by
transferring cash or capital out of the bank thus weakening the ability of the bank to support its current
risk profile.
 Increased cash dividends payments, which typically lead to lower capital ratios. Even if the capital
ratios continue to meet the minimum regulatory guidelines, the reduced level of capital may be
insufficient to meet the changing risk profile of the bank. Therefore, capital ratios should be
maintained well above the minimum guidelines.
 Other times the bank may be called upon to support the weak affiliate by providing loans at non-arms
length implying that capital of the bank is under-employed.
 Distress can spread throughout the group due to the market perceptions.
These insights can be gained through review of the consolidated financial statements, published third party
analysis and credit ratings. If possible the examiner should attempt to obtain, separate entity financial
statements for the significant entities within the group.
Parent or Group Name

Address of Headquarters
Consolidated Total
Assets as of the last
financial year-end
Total revenue as of the
last financial year
List related entities,
affiliates or subsidiaries
of the bank
96
Name Location Type of % of % of Total Risk to Bank

Business consolidated/ Revenue Low Mod High
total Assets
 List any related entities (affiliates/subsidiaries) that operate in sectors known to be experiencing
economic stress.
Affiliates/Subsidiary Sector/comments:
Name
2) Review the previous two on-site examination reports. Note significant and recurring deficiencies.
Comment on compliance with recommendations from prior examinations.
The examiner should review the previous two on-site examination reports to gain understanding of the
existing issues and outstanding areas of concern and check compliance with the previous recommendations.
 CAMEL Rating;
 Risk Management Practices and Ratings;
 Summarize major findings;
 Comment Compliance with previous Recommendations; and
 Identity issues that need follow up.
After each comment note the risk that may be attested and the level of risk associated with the deficiency.
Comments: Type of Risk Affected; Risk Level
Credit, market,
liquidity, operational.
Examination Reference Date: (Year 1) L M H
Comments on CAMEL Ratings
Risk Management Practices and Ratings
Comment on major findings.
Comment on compliance with recommendations
Examination Reference Date: (Year 2)

Comments on CAMEL Ratings.
97
Risk Management Practices and Ratings.
Comment on major findings.
Comment on compliance with recommendations.
Key Changes since the previous NBE Examination
3) Review the prudential returns
 Check for accuracy and consistency e.g. between Form Type of Risk Affected Risk Level
SD1and its schedules, Form SD2 and corresponding
reports
 Note any significant errors
Returns Comments on accuracy and significant errors L M H
Operational
Comments:
4) Review Off-Site Reports.
The examiner should review key ratios over four quarters and contrast the banks performance to the peer
and/or industry average. The examiner should follow actual market events to identify new issues affecting
the industry as well as potential effects of these changes. Note and comment on:
 Recurring deficiencies;
 Areas of increased risk;
 Unusual Ratios and those that differ significantly from the peer and/or industry average;
 Rapid growth;
98
 Declining performance;
 The level and trend of key ratios relative to the industry; and
 Rate of change versus the industry average.
Type of Risk Level

Illustrate Significant Balance Sheet Trends: (figures in ‘000’) Risk
Affected
Quarter Ended – 4 quarter up to the most recent L M H
e.g.
31/3/06 31/12/05 30/09/05 31/06/05
Key Accounts:
Debt securities
Loans and Advances
Due from local banks
Due from bans
abroad
Total Assets
Deposits
Borrowings
Due to local banks
Due to banks abroad
Total Capital
Total Liabilities &
Capital
Growth Rate
Comments:
Type of Risk Level

Summarize the Income Statement: Risk
Affected
e.g.
31/3/06 31/12/05 30/09/05 31/06/05
Key Accounts
Net Interest Income

Provision for Losses
Non-Interest Income
Non-Interest Expense
Net Income Before
Tax
31/3/2006 31/12/2005 30/09/2005 31/06/2005
99
Bank Peer Ind. Bank Peer Ind. Bank Peer Ind. Bank Peer Ind.
Avg. Avg. Avg. Avg.
Return
on
Average
Assets
Return
on
Average
Equity
Net
Interest
Margin
Cost to
Income
Comments:
Type of Risk
Preliminary Capital Adequacy Rating: Risk Level
Rating at the Previous Examination: Affected
e.g.
31/3/2006 31/12/2005 30/09/2005 31/06/2005
Total Capital
Total RW Assets
31/3/2006 31/12/2005 30/09/2005 31/06/2005

Ban Peer Ind. Bank Peer Ind. Bank Peer Ind. Bank Peer Ind.
k Avg Avg. Avg. Avg
. .
Total Capital Ratio
Total Capital/Total
Assets
Total Capital/Total
Deposits
Asset Growth Rate
Comments:
Preliminary Asset Quality Rating: Type of Risk Risk Level

Rating at the Previous Examination: Affected
* Format as above for all.
100
L M H
Quarter Ended
Bank Ind. Bank Ind. Bank Ind. Bank Ind.
Avg. Avg. Avg. Avg.
NPAs/Total
Assets
NPLs/Gross
Loans
NPAs net of
provision
/Total Capital
Accumulated
Loan Loss
Provision/
NPL
Insider Loans/
Total Capital
Large
exposures/Tot
al Advances
Large
exposures/Tot
al Capital
List of large exposure (10% or more of Total Capital), indicating name of borrower, outstanding balances, and percentage
to Total Capital
Comments:
Preliminary Liquidity Rating: Type of Risk Level

Rating at the Previous Examination: Risk
Affected
Quarter Ended-4 quarter up to the most recent L M H
e.g.
31/3/2006 31/12/2005 30/09/2005 31/06/2005
Loans &
Advances
Deposits
Borrowings
(includes the
NBE loans).
Bank Ind. Bank Ind. Bank Ind. Bank Ind.

Avg. Avg. Avg. Avg.
Loan Growth
Rate
Deposit
Growth Rate
Advances/De
posits
Liquid
Assets/
Total Current
Liabilities
Liquid
101
Assets/ Total
Assets
Gross Loans/
Total
Deposits
One year
Cumulative
Gap/Total
Capital
Comments:
5) Review correspondence and list significant items.
These provide feedback on operation of the bank in various areas. Note and Comment on significant issues
including:
 Changes in business strategy;

 Requests to introduce new activities/products;
 Responses to examinations; and
 Supervisory letters raised for breach of prudential guidelines.
Date of Subject Summarize Type of Risk Affected Risk Level

Correspondence L M H
6) Review the organizational Chart.
Examiners should obtain the current organizational chart prior to the beginning of the on-site examination.
Changes in the structure and management represent areas of primary importance. Note and comment on:
 Significant changes in structure;

 Improper reporting channels;
 Significant changes in personnel or reporting lines;
 Vacancies;
 Incompatible duties;
102
 Compromises of independence;
 Lack of experience; and
 Determine the primary risks affected and the level of impact.
Type of Deficiency Describe Type of Risk Risk Level

Affected L M H
Reporting Lines:
Vacant position
Lack of relevant
experience/qualification
Other:
Comments:
6) Review the strategic plan and performance relative to budget for the previous year, and year
to-date.
The strategic plan serves as a roadmap for where the bank wants to go. The budget provides the details of
who is required to do what, by when and the level of resources committed to achieve specific
goals/objectives.
 List the Primary Goals of the Strategic Plan and their reasonableness;
 Assess budge performance;
 Discuss any significant changes in corporate direction, organization or culture;
 Determine if the bank is a market leader or market follower;
 Review and record the organization’s progress in meeting the goals; and
 Identify goals which the bank has not been able to meet.
A. Synopsis of Strategic Plan

Year 1 Year 2 Year 3 Year 4 Year 5
Total Assets
Loans, Advances and Overdrafts
Deposits
Borrowings
Capital
103
Net Income
B: Based on the above table (or otherwise) comment on banks business strategies (i.e. Products, Markets,
Processes, and Expansion):
C. Budget review
Line Item Previous Year-End 2005 YTD Type of Risk Level
May 2006 Risk Affected
Actual Budget Variance Actual Budget Variance L M H
Total Assets
Loans,
Advances,
Overdrafts
and
Discounts
Deposits
Borrowings
Capital
Net Interest
Income
Non-Interest
Income
Non-Interest
Expense
Net Income
Comments:
Review board minutes. Note and comment on significant issues including:

(a) The number and composition of directors;
(b) Whether the Chairman is a non-executive director;
(c) Whether new directors have been approved by NBE;
(d) Attendance of meetings for each director;
(e) Agenda Items;
(f) Any resolution or discussion covering development of new product/service or entry to a new
geographical area;
(g) Approvals of exceptions to policy;
(h) Internal Audit reports;
(i) Risk Management and Performance report;
(j) Actions taken to follow up deficiencies noted by internal audit;
(k) Periodic reviews and approval of policies and operating guidelines;
(l) Discussions on salary and compensation decisions;
(m) Whether actions taken by standing committees are reviewed and ratified by the full board; and
(n) Matters affecting insiders are discussed in their absence and that the interested party abstains from
subsequent voting on the matter.
Review AGMs (shareholders meetings) and comment on significant issues including:

(a) Nomination of directors;
(b) Approval of share issuance;
104
(c) Voting records;

(d) Appointment of independent auditor including approval by NBE;
(e) Engagement letter and any other correspondence with the external auditors; and
(f) Resignation of external auditor during the period under review.
Comments:
7) Review published annual reports including external audit reports.

Note and Comment on:
(a) disclosures of unusual/questionable accounting practices;
(b) risk management assessment by external auditors;
(c) most recent audited financial statements;
(d) two previous management letters;
(e) compliance with International Financial Reporting Standards;
Does the audit contain comments on compliance with NBE Establishment Proclamation No.
591/08, and Banking Business Proclamation No. 592/08?
8) Review the structure and capacity of internal audit department, a sample of audit reports
and determine whether internal audit reviews risk management function.
The primary function of the internal audit department is to provide an on-going assessment of the bank’s
internal control system. The primary purpose is to determine the level of reliance that can be placed on the
organization’s self-assessment function. This is an additional validation of the control environment and
could lead to reduction or increase in the level of transaction testing. Examiners resources can be more
efficiently targeted at weaknesses/deficiencies pointed out by a reliable internal audit function. The
examiner must be convinced that: the function is independent of line management and is properly staffed,
deficiencies are promptly identified corrective actions have time frames for implementation, and follow up
is preformed.
Review
(a) Audit Committee Minutes;
(b) Frequency and attendance to the meetings and issues discussed by the committee;
(c) Mandate of the Audit committee;
(d) Composition of Audit Committee members;
(e) Organization Chart of the audit department;
(f) Staff and Qualifications of the audit department;
(g) Audit plan and supporting budget;
(h) Audit reports completed since the previous examination;
(i) Audit exceptions follow up log; and
(j) Unresolved audit deficiencies and note:
(i) Deficiencies in internal control structure;
(ii) Evidence of repeat deficiencies;
(iii) Unresolved reconciling differences; and
(iv) Instances of similar deficiencies across functional or departmental lines
Comments:
9) Shareholders Register
 Check whether individuals or related group own more than 5% of share capital;
 Note changes in shareholding since the previous examination; and
 Check for any transfers of shares/ownership.
Shareholder Name Current Examination Prior Examination Transfers > 5
Shares % Ownership Shares % Ownership Y/N Date of NBE
Approval
105
10) If applicable, review media reports and news articles.
Media (newspapers, trade publication, TV, radio) can be a useful source of information.
Review and note in media significant news/articles, e.g.

(i) Actions of competitors or announcements (e.g. introduction of new products/technology plans to
reduce expenses, opening/closure of branches, reduction of prices, etc);
(ii) Changes in business strategy; and
(iii) Sector-wide concentration.
Comments:
106
APPENDIX: XX
PRE-EXAMINATION CHECKLIST
Introduction
The starting point of risk-focused supervision is developing an understanding of the bank. This step is
critical in tailoring the supervision program. It focuses the supervisory activities on the areas of greatest
risk to the bank. The examiner should perform a preliminary risk assessment, basically a review of the
strengths and vulnerabilities (weaknesses) of the bank.
The purpose of the pre-examination stage is to develop a basic understanding of what the bank does and
how well it does it. This information is used to develop the preliminary risk assessment and subsequently
the scope of the examination.
1. The Financial and Operating Conditions of the Group and Related Entities
(Inter Group Companies)
When a bank is part of al larger conglomerate (group), events such as financial distress in one or
more of the affiliated companies can potentially spread to the healthier part of the group directly or
indirectly through:
 Attempts of senior management of the group to support or strengthen the weak affiliate by
transferring cash or capital out of the bank thus weakening the ability of the bank to support
its current risk profile.
 Increased cash dividends payments, which typically lead to lower capital ratios. Even if the
capital ratios continue to meet the minimum regulatory guidelines, the reduced level of capital
may be insufficient to meet the changing risk profile to the bank. Therefore, capital ratios
should be maintained well above the minimum guidelines.
 Other times the bank may be called upon to support the weak affiliate by providing loans at
non-arms length implying that capital of the bank is under-employed.
 Distress can spread throughout the group due to the market perceptions.
These insights can be gained through review of the consolidated financial statements, published
third party analysis and credit ratings. If possible the examiner should attempt to obtain, separate
entity financial statements for the significant entities within the group.
2. Prior Examination Reports
The examiners should review the previous two on-site examination reports to gain understanding
of the existing issues and outstanding areas of concern and check compliance with the previous
recommendations.
 Summarize the financial condition; and

 Identify issues that need follow up.
After each comment note the risk that may be affected and the level of risk associated with the
deficiency.
3. Quarterly Off-site Reports
The Off-site analysis provides early warning signals.
 The examiners should identify significant changes;
107
 Recurring deficiencies;
 Areas of increased risk;
 Unusual ratios;
 Rapid growth; and
 Declining performance.
After each comment, note the primary risk area that may be affected and the level of risk
associated with the deficiency.
4. Prudential Returns
Examiner should confirm the accuracy and validity of the prudential returns. In addition,
analytical review of changes in trends and patterns should be done quarterly over a one-year
period.
Balance Sheet
 List key accounts of the balance sheet over the past four quarters;
 Review balance sheet growth ratios; and
 Describe significant growth trends and changes in the balance sheet composition.
Earnings and Profitability

 List key income statement accounts over the past four quarters;
 Compute key ratios at quarter ends; and
 Identify the primary sources of income.
5. Off-site Monitoring Reports
The examiners should review key ratios over 4 quarters and contrast the banks performance to the
industry average.
 Discuss ratios that differ significantly from the industry average;

 Note the level and trend of key ratios relative to the industry; and
 Note rate of change verses the industry average.
The examiner should follow actual market events to identity new issues affecting the industry as
well as potential effects of these changes.
6. Correspondences
These provide feedback on changes in business strategy or the introduction of new banking
products and it is a source for the assessment of the strength of the organizations response to
suggestions and recommendations contained in the examination reports. Note:
 Requests to initiate new activities/products;

 Responses to examinations;
 Supervisory letters raised for breach of prudential directives;
 Document significant correspondences by type and date; and
7. Organizational Chart
Examiners should obtain the current organizational chart prior to the beginning of the on-site
examination. Changes in the structure and management represent areas of primary importance.
Note:
108
 Significant changes in structure;

 Significant changes in personnel or reporting lines;
 Vacancies;
 Incompatible duties;
 Compromises of independence;
 Lack of experience; and
8. Strategic Plan and Budget
The strategic plan serves as a road map for where the bank wants to go. The budget provides the
details of who is required to do what, by when and the level of resources committed to achieve
specific goals/objectives.
 Record the banks’ goal and assess their reasonableness;

 Discuss any significant changes in corporate direction, organization or culture;
 Determine if the bank is market leader or market follower;
 Review and record the organization’s progress in meeting the goals;
 Identify goals which the bank has not been able to meet; and
 Review supporting budget, list actual, budge and variance, previous year and YTD.
9. Board Minutes
The review of the corporate minutes will help the examiner gain insight into who dominates the
decision making process and the future direction of the organization. The large part of the
assessment of corporate governance/strategic risk will be based on the appropriateness of the
strategic plan and budget as well as the consistency of management’s efforts to achieve the plan.
Note any shifts in plans and plans should be supported by analysis of benefits and potential risks.
Risk management systems should be put in place to support new products and services prior to
product launch.
 Record attendance of meetings for each director;

 Review the agenda items;
 Record any resolution or discussion covering development of new product/service or entry to
a new geographical area;
 Note approvals of exceptions to policy;
 Record review of Internal Audit reports;
 Record review of credit reports;
 Document actions taken to follow up deficiencies noted by internal audit;
 Record periodic reviews and approval of policies and operating guidelines;
 Record discussions on salary and compensation decisions;
 Check whether actions taken by standing committees are reviewed and ratified by the full
board; and
 Check that matters affecting insiders are discussed in their absence and that the interested
party abstains form subsequent voting on the matter.
Review AGMs (shareholders meetings)
 Note nominations of directors;

 Note approval of share issuance; and
 Note the voting records.
10. Published Financial Statements and External Audit Reports
109
Note disclosures of unusual/questionable accounting practices. Review the summary on risk

management practices, risk appetite and business strategy. Review the management letter to assess
the internal control environment and procedures. Note the external auditor’s assessment on
separations between risk taking functions and risk monitoring and control functions. This
information is important in determining the level of transaction testing. A clean audit opinion
would imply less on-site transaction testing while unclean audit opinion would call for a higher
level of transaction testing to independently validate the organizations financial statements and the
reported condition. Note any comments on growth, ratios, dividends etc.
 Review most recent audited financial statements;

 Review the previous two management letters (most recent and previous);
 Review engagement letter and any other correspondence with the external auditors; and
 Note any non-compliance with International Accounting Standards.
11. Internal Audit Reports
The primary function of the internal audit department is to provide an on-going assessment of the
bank’s internal control system. The primary purpose is to determine the level of reliance that can
be placed on the organizations self assessment function.
 This is an additional validation of the control environment and could lead to reduction or
increase in the level of transaction testing; and
 Examiners resources can be more efficiently targeted at weaknesses/deficiencies pointed out

by a reliable internal audit function.
The examiner must be convinced that:
 The function is independent of line management and is properly staffed;

 Deficiencies are promptly identified;
 Corrective actions have time frames for implementation; and
 Follow up is performed.
Obtain
 Audit Committee Minutes;

 List Audit Committee members;
 Obtain Organization Chart of the audit department;
 List Staff and Qualifications of the audit department;
 Obtain audit plan and supporting budget;
 Review audit reports completed since the previous examination;
 Check for audit exceptions follow up log; and
 Summarize unresolved audit deficiencies and Note:
- Deficiencies in internal control structure;
- Evidence of repeat deficiencies;
- Unresolved reconciling deficiencies; and
- Instances of similar deficiencies across functional or departmental lines.
The aim is to ascertain the level and reliability of self- assessment.
12. Internal Risk Management Reports

Obtain an internal credit risk assessment document to validate the credit granting processes. Check
for compliance with underwriting guidelines and policy parameters, on-going credit monitoring
and administration and accuracy of internal loan grading. Effective internal credit assessment can:
 Reduce the level of transactions testing (loan review); and
110
 Highlight areas of weakness to be targeted by the examiner.
Obtain the following documents
 Minutes of the internal credit committees and a list of committee members;

 Organizational chart of the department;
 List of staff and their qualifications;
 Loan review plan and supporting documents;
 Loan review reports; and
 Exceptions follow up log.
Summarize unresolved credit deficiencies and note:
 Non-compliance with authorization channels;

 Non-compliance with underwriting guidelines;
 Weak loan administration; and
 Compliance with Asset Classification and Provisioning Directives.
Assess accuracy of the banks credit risk self assessment
13. Shareholders List

Note:
 Check whether individuals or related group own more than 5% of share capital;
 Note changes in shareholding since the previous examination; and
 Check for any transfers of shares/ownership.
14. Media Reports and News Articles
Media (newspapers, trade publications, TV, radio) can be a useful source of information. Actions
of competitors, announcements (e.g. introduction of new products, plans to reduce expenses, close
branches, reduce pricing, targeted sectors).
Note:
 The introduction of new products/services;

 The introduction of new technology;
 Changes in business strategy;
 Changes in Management;
 Aggressive competitions; and
 Sector-wide concentration.
111
APPENDIX: XXI
INSTRUCTIONS FOR PRELIMINARY ASSESSMENT OF RISK AND FINANCIAL CONDITION
Bank: XYZ S.C.

EIC:
Review by:
Overall Conclusions:
This section is summary for your overall conclusions. Complete it last. Record previous exam rating and
current proposed rating. Note the level of exposure posed by the group
I.
CAMEL
Previous Examination Date 31/05/2005 Rating 22222/2
Date of Risk Assessment 31/05/2005 Proposed Rating
Risk Exposure from the Group or Low Moderate High
related entities
II. Main Issues – Group and Related Entities

Summarize your preliminary conclusions on group and related entities
III. Main Issues – Financial Factors: 1 = Strong, 2 = Satisfactory, 3 = Marginal,

4 = Unsatisfactory, 5 = Critical
Note: In completing this section, examiner should summarize conclusions drawn from pre-examination
working tool in Appendix XVIII as well as from CAMEL Rating Guidelines
Capital rating (1, 2, 3, 4, or 5)________________________________________________

Summarize conclusions._____
__________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
Refer to NBE Directives No. SBB/9/95. Also note the nature and extent of risks to the organization, the
level and quality of capital, the nature, trend, and volume of problem assets and the adequacy of the
allowance for loan losses, risk exposures presented by off-balance-sheet activities, the quality and strength
of earnings, market risk, concentration risk, reasonableness of dividends, and other appropriate sources of
financial assistance, and ability of management to address emerging needs for additional capital.
______________________________________________________________________________________
________________________________________________________________________
Asset Quality 1___2___ 3 4___ 5__________________________________________
Summarize conclusions in bullet points and tick as appropriate.
*
*
*
*
* ______
* ______
112
Note the level, distribution, severity, and trend of problem, classified, delinquent, non-accrual, non-
performing, and restricted assets, Both on-and off-balance-sheet, adequacy of provisions,
demonstrated ability to identify, administer, and collect problem asset; the diversification and quality
of loan and investment portfolios; the adequacy of loan and investment policies, procedures, and
practices; the extent of securities underwriting activities and exposure to counter-parties in trading
activities, asset concentration, underwriting standards, risk-identification practices, controls, and
management information systems.
______________________________________________________________________________________
________________________________________________________________________
Management 1___2 _ 3 4___ 5_____
______
Summarize conclusions.
* ______
* ______
* ______
* ______
* ______
* ______
The Board of Directors and Management are evaluated against all factors necessary to operate the bank in
a safe and sound manner and their ability to identify, measure, monitor, and control the risks of the bank’s
activities. This combines strategic risk management and corporate governance. Consideration is given to
the level and quality of oversight and support provided by the board and management; compliance with
regulations and statutes; the ability to plan for and respond to risks that may arise from changing business
conditions or initiation of new products or services; the accuracy, timeliness, and effectiveness of
management information and risk-monitoring systems; the adequacy of and compliance with internal
policies and controls; the adequacy of audit and internal control systems; the responsiveness to
recommendations form auditors and supervisory authorities; the reasonableness of compensation policies
and avoidance of self-dealing; a demonstrated understanding and willingness to serve the legitimate
banking need of the community; management depth and succession; the extent that management is affected
by or susceptible to dominant influence or concentration of authority, and the overall performance of the
bank and its risk profile.
______________________________________________________________________________________
Earnings 1___2____3 4___ 5_____
Summarize conclusions in bullet points and tick as appropriate. ______
*
*
*
*
*
Quality and quantity of earnings are evaluated in relation to the ability to provide for adequate capital
through retained earnings; level, trend, and stability of earnings, quality and sources of earnings;
level of expenses in relation to operations; vulnerability of earnings to market-risk exposures;
adequacy of provisions to the allowance for loan losses; reliance on unusual or nonrecurring gains or
losses; contribution of extraordinary items, and tax effects to net income; and adequacy of budgeting
systems, forecasting processes, and management information system.
Liquidity 1___2___3 4__ 5____

Summarize conclusions in bullet points and tick as appropriate. ____________
113
*
*
*
*
*
*
Refer to NBE Directives No. SBB/44/08. Liquidity and asset/liability management is evaluated in
relation to the trend and stability of deposits; degree and reliance on short-term, volatile sources of
funds, including any undue reliance on borrowings or brokered deposits to fund longer-term assets;
availability of assets readily convertible to cash without undue loss. Access to money markets and
other sources of funding; adequacy of liquidity sources and ability to meet liquidity needs;
effectiveness of liquidity policies and practices, funds-management strategies, management
information systems, and contingency funding plans; capability of management to properly identify,
measure, monitor, and control liquidity, and level of diversification of funding sources, both on-and
off-balance sheet.
IV. Main Issues – Risk Management Matrix
Note: In completing this section, the examiner should summarize conclusions drawn from pre-examination
working tool in Appendix XVI as well as from Risk Rating Guidelines
Quantity Quality of Risk Composite Direction of

of Risk Management Risk Risk
Credit Risk
Liquidity Risk
Market Risk
Operational Risk
Overall Risk
Briefly support the conclusions you presented in the risk matrix above.
Explain why quantity of risk is high, moderate or low in bullet form. Your comments should cover risks
presented by the external environment over which the bank has little control (e.g. Trends in the economy
and sector exposures for credit risk) and internal changes and practices (e.g. Underwriting Standards,
Staffing, MIS, launching of new products, level, distribution and trend of classified assets, insider lending,
non-accruals, restructured loans.
Next explain why risk management is weak, acceptable or strong, e.g. appropriateness of the organization
structure, reporting lines and board oversight, policies, procedures and limits, risk monitoring reports,
adequacy of MIS and internal control systems.
Finally assess the aggregate level and direction of risk. Aggregate risk is a function of the level of inherent
risk and how well you think management controls that risk. High inherent risk can be offset by strong risk
management, leading to a low or moderate aggregate risk. Conversely, moderate inherent risk can
increase to high if the risk management systems are week.
The direction of risk is a function of change, internal or external. For example is the organization
initiating more and more complex activities or products or is it streamlining operations into a few,
repetitive operations? Is the external environment changing while the bank is still? The direction can be
assessed over the next 12 months.
Credit Risk
*
*
*
114
*
*
*
*
*
Liquidity Risk
*
*
*
*
*
Market Risk
*
*
*
*
*
Operational Risk
*
*
*
*
*
V. Issues from current review:
*
*
*
*
*
*
*
*
*
*
*
*
115
APPENDIX: XXII
SCOPE MEMORANDUM FORMAT

Particulars:
Name of the bank:
Exam Date:
1. Scope and objectives
 Whether it is full or targeted

 Objectives of the examination
2. Summary of bank’s profile
 Financial condition
 Risk assessment
 Other issues of concern
3. Summary of the Pre-Examination Meeting
Make a summary of the pre-examination meeting highlighting on the major issues that may need a
further follow up.
4. Summary of Audit and Internal Risk Management Systems
Determine adequacy of the audit both external and internal and internal risk management systems to
establish level of reliance.
5. Examination Focus and Procedures
EIC should highlight areas of concentration during examination as indicated in Scope Memo Sample.
6. Resource Planning
Prepare and assign tasks by Risk/CAMEL and indicate required days for each examiner. Also indicate
a team leader for each Risk/CAMEL to be reviewed on-site.
7. Sign-off
Prepared by: _____________ ___________

(Desk Officer) (Date)
Reviewed and Concurred by: ___________ ___________

(Team Leader) (Date)
Approved by: _____________ ___________
(Desk Officer) (Date)
116
APPENDIX: XXIII
SCOPE MEMORANDUM SAMPLE

Particulars:
Bank: XYZ Bank S.C.
Exam Date: June 30, 2009
EIC: Ato Taye Sime
Composite Ratings CAMEL Risk

Previous Exam 22222/2 Moderate
Preliminary 22221/2 Moderate
1.0 Scope and objectives of the examination
A full scope examination of XYZ Bank S.C. (XYZ) is scheduled to commence on July 24, 2009, with a cut
off date of June 30, 2009. The objectives of the examination are:
1. To determine the overall financial condition of the bank with regard to CAMEL;
2. To evaluate the risk management systems with emphasis on credit and operational risks;
3. To determine the bank’s compliance with laws, directives and circulars;
4. To review the internal control systems, self assessments systems and risk controls for the high tech
products (VISA, ATMs and Internet Banking)
5. To review scope, independence and effectiveness of the internal audit function.
2.0 Summary of Institutional Profile
2.1 Financial Condition
The composite CAMEL rating of the bank was considered satisfactory. Capital was rated satisfactory.
Total capital to risk weighed assets ratio was 12.28%, which was above the regulatory requirements of 8%.
Asset quality was rated satisfactory. NPLs ratio net of provision to total loans was 2.44%, indicating low
exposure. Ratio of large exposures to capital was 281.20% while 17 top borrowers accounted for 46% of
the loan portfolio posing high risk.
Management was rated satisfactory on account of adequate Board and Senior Management oversight and
satisfactory financial performance. The bank has three board committees namely Audit, Risk and
Compliance Committee, Lending Committee and Remuneration Committee. The bank has been in long
outstanding labor dispute; however, agreement to resolve the same has been executed and filed with the
court.
Earnings were rated satisfactory. Net interest income accounted for 63% of total income while foreign
exchange trading contributed 11%.
Liquidity was rated strong with liquid asset ratio of 55.2% which was above the regulatory requirement of
25%. The loan to deposit ratio was 53.95% which was within the industry average of 60%.
Sensitivity to Market risk was considered moderate due to moderate foreign exchange risk and interest rate
risk.
2.2 Risk Assessment
117
The bank’s risk management system was considered satisfactory; the board of directors assumes the
ultimate responsibility for managing bank’s risks. The bank has Risk Officer who reports to the Board
Audit, Risk and Compliance Committee. However, each business unit is responsible for managing risks
inherent in their activities. The bank has put in place Management Risk Committee to oversee risk
management practices. The bank has adopted bank-wide Risk Management approach so as to manage
bank’s risk in an integrated manner. Policies and procedures approved by the board are in place and are
being reviewed annually. However, credit policy has not been reviewed since 2003 and foreign exchange
policy is still in the draft form. The bank has put in place Risk Management Programs which spell out its
risk management framework.
The overall risk of the bank is considered moderate and increasing due to high business growth, and
introduction of new products. The bank’s significant exposures arise from operational and credit risks. The
risk matrix is summarized below:
Quantity of Risk Quality of Risk Composite Risk Direction

Management
Credit Risk Moderate Acceptable Moderate Increasing
Liquidity Risk Low Acceptable Low Stable
Market Risk Moderate Acceptable Moderate Stable
Interest Rate Risk Moderate Acceptable Moderate Stable
Forex Risk Moderate Acceptable Moderate Stable
Operational Risk Moderate Acceptable High Increasing
Overall Risk Moderate Acceptable Moderate Stable
2.3 Other Issues of Concerns
During the period under review, the Chairperson of the bard, Ato Zeru resigned following appointment to a
post in IMF. Other two directors resigned due to expiry of their terms in office but one W/ Gete was re-
appointed. However, Ato Zeru was appointed an Acting Chairman.
BBC Bank acquired 60% of BIG Group which is a major shareholder of XYZ Bank S.C. BBC being a
major shareholder is yet to put in place new business strategies toward XYZ Bank S.C. The bank
introduced a new managerial post of Risk Officer. During the period under review the bank opened new
branch in Merkato area.
3. Summary of Pre-Examination Meeting
The meeting was held on 11th July 2009. The focus of the meeting was on issues enumerated in the
preliminary review section of the methodology. During the meeting the following issues came up:
(i) Financial Performance
Management reported that finance performance of the bank was satisfactory and compared to its peers.
Also, it was reported that, the bank surpassed the budget. Assets, loans and deposits grew between
30% and 45%. Growth for 2010 was projected at 40%. New products include group loans guaranteed
by employers, and the focus remained on Corporate and SMEs and trading.
(ii) Purchase, Acquisition, Mergers and Divestiture
On whether BBC Bank’s strategies toward XYZ Bank S.C. will change following its acquisition of
BIG Group, management reported that nothing has been decided yet. However, communication with
NBE on the matter has started.
(iii) Internal Audit Function
118
Internal audit function and independence was observed to be impaired due to limitation in scope of
audit as internal auditors do not audit some Head offices functions. However, the management argued
that, this was due to lack of capacity and requisite skills on the part of Internal Auditors in particular
inability to apply BIG Group’s Audit Methodology. Head Office operations are, however, audited by
Group’s Auditor.
(iv) Challenges and Perceived High Risk Area
Management indicated challenges of acquisition of BIG Group by BBC Bank, such as compliance with
Money Laundering risks and labor issues.
(v) Management Information System
Management reported that they do not anticipate any major changes in their core banking application
i.e. Flexcube and the system was robust enough to accommodate any new products.
(vi) Budget Performance
Examiners observed that the budgets have been achieved by far in nearly all areas of operations. They
queried the underlying assumptions. Management responded that the assumptions were realistic and
promised to avail copies; the same will be analyzed during onsite examination.
(vii) Board of Directors Composition and Quorum
Examiners observed that the Board Audit, Risk and Compliance Committee had no quorum for two
consecutive meetings thus rendering it ineffective. Management responded that they had gaps in the
board following appointment of the board chairman to a post of IMF. Other two directors resigned due
to expiry of their term in office but one W/ Gete was re-appointed. Ato Zeru was appointed an Acting
Chairman.
(viii) Capital Formation Plan
Examiners observed the need to align capital to growth in business. Management clarified that the
bank had divided policy which recognizes capital compliance issues
(ix) Provisioning
Management informed that detailed working paper on provisioning will be provided.
4.0 Summary of Audit and Risk Management Systems
The internal audit was considered adequate except for the limitation in scope where some Head Office
functions are not audited by the bank’s internal auditors but audited by the Group’s auditors. Risk
management system of the bank is considered adequate. The bank has adopted a bank-wide risk
management system and has established a set-up that is responsible for management of the overall risk.
However, some lapses have been observed such as lack of foreign exchange policy, failure to review and
update its credit policy, lack of investment and liquidity limits, failure to perform stress tests and failure to
put in place liquidity contingent plan.
5.0 Focus of the Examination
Summarized below are the examination focus areas and snap procedures to be applied for this examination
(N.B. These procedures are not intended to replace the procedures enlisted in this document under
Appendix X. These procedures are specific for this examination of XYZ bank. Each EIC will have to tailor
different procedures for each examination).
(a) Asset Quality and Credit Risk
119
Credit Risk is rated moderate and increasing. Standard core assessment procedures and expanded
procedures (if necessary) will be applied. The examiner will perform the following procedures:
1. At the beginning of the examination hold a discussion with the head of credit to ascertain Board and
Senior Management oversight (e.g. Existence of committees), existence of Policies, Procedures and
Limits, MIS for credit risk and ICS in the credit administration and management and control.
2. Determine the quantity of inherent credit risk
 Review the top 17 large exposures 10%+ of Capital;

 Review Sectoral Credit Concentration;
 Review all advances classified Doubtful and Substandard;
 Review 10 watch accounts for independent assessment;
 Review all restructured loans; and
 Obtain a break down of all write-off loans.
3. Determine the quantity of credit risk associated with other assets
 Placements with banks abroad;

 Inter-bank placements;
 Sundry Debtors; and
 Other assets with material balances.
4. Determine the adequacy of provisions
 Obtain and NPL and provisioning reports

 Validate the provisions in the balance Sheet and bookings to income statement
5. Determine the quality of credit risk management systems
 Review the credit policy/manual;

 Review credit underwriting standards (Appraisal, discretionary limits, authorization, placement of
limits, perfection of securities and documentation check list);
 Review credit administration and control;
 Review staffing size, experience and compensation systems; and
 Review internal controls and MIS pertaining to asset quality.
6. Assess Compliance with Prudential Requirements
 Confirm insider lending;

 Review reporting of large exposures; and
 Review compliance with classifications and provisioning requirements.
7. Determine whether to expand the procedures
 Consider whether there is a need for expanded procedures for the areas of concern
8. Conclude the Asset Quality and Credit Risk Review

 Provide and discuss with management a list of credit and collateral exceptions, policy exceptions,
loans with structural weaknesses and classified assets;
 Assign a rating for the level/quantity of inherent risk;
 Assign quality of risk management;
 Determine aggregate level of credit risk and direction;
 Assign asset quality rating; and
 List instructions and/or recommendations.
120
(b) Liquidity and Liquidity Risk
Liquidity risk is rated Low and Stable, minimum scope core assessment procedures and standard core
assessment procedures (if necessary) will be applied. The Examiner (s) will perform the following
procedures:
1. At the beginning of the examination, hold discussions with management covering actual or planned:
(a) Changes in liquidity risk management;

(b) Changes in liquidity planning or funding sources and needs;
(c) Changes in investment strategy; and
(d) Changes in the liquidity policy or contingency funding plan.
1. Follow up on significant liquidity audit issues identified during pre-examination review. Specifically,
examiner will be requite to review the following:
(a) Deposits structure and growth;

(b) Liquid assets composition and growth; and
(c) Trend in lending ratio.
2. Obtain and review the following information and documents, as appropriate:
(a) The bank’s liquidity reports including the most recent Maturity Gap Report; and
(b) ALCO minutes and reports since the last onsite examination.
3. Assess the bank’s compliance with prudential requirements regarding liquidity and liquidity risk.
Findings should be communicated to the examiner reviewing Management.
4. If the bank’s activities, risk profile, or risk controls have changed significantly, or if review of the
above information raises substantive issues, the examiner should expand the activity’s scope to include
additional objectives or procedures, as appropriate. If this review does not result in any significant
changes or issues, conclude the liquidity review.
5. Conclude the liquidity review.
a. Provide the examiner evaluating credit risk with a list of classified investments, and communicate
findings to other examiners, as appropriate;
b. In consultation with the EIC and other examiners, identify and communicate to other examiners as
appropriate any conclusions and findings from the liquidity review that are relevant to other areas
being reviewed; and
c. In discussion with the EIC, provide preliminary conclusions about:

(i) The quantity of liquidity risk;
(ii) The quantity of liquidity risk management;
(iii) The composite risk and direction;
(iv) The liquidity rating;
(v) Potential or actual impact of liquidity risk on earnings and capital; and
(vi) Instructions and/or recommendations, if any.
(c) Market Risk
(a) Foreign Exchange Risk
Foreign exchange risk is rated moderate and stable. Standard core assessment procedures and expanded
assessment procedures (if necessary) will be applied. The examiner will perform the following procedures:
121
1. Determine the scope of the foreign exchange risk review
At the beginning of the examination, hold discussions with management covering actual or planned:
(i) Changes to the foreign exchange operation policy (i.e. limit structure, risk measurement etc);
(ii) Changes in the foreign exchange risk management process;
(iii) Material changes in the bank’s foreign currency denominated asset and liability structure; and
(iv) Obtain and review the regulatory reports (e.g. Form 16.4 (a) and (b) and the most recent bank-
prepared reports used to monitor and manage foreign exchange risk.
2. Determine the quantity of foreign exchange risk.
Determine the quantity of foreign exchange risk by considering the following:

(a) Net open position in relation to capital;
(b) Income from foreign exchange operations to total income;
(c) Expenses denominated in foreign currencies to total expenses;
(d) Extent of foreign exchange fluctuation;
(e) Mismatch of assets and liabilities denominated in foreign currencies including cash flow
mismatch;
(f) Growth in foreign currency asserts/liabilities and off-balance sheet exposure;
(g) The types of products held in foreign currency accounts (e.g. loans, deposits, securities, etc); and
(h) The exposure to market volatility or other external factors such as economic conditions, legislative
changes, technological changes, and competition.
3. Determine the quality of risk management for foreign exchange risk.
(a) Review minutes of any committees responsible for overseeing foreign exchange risk;
(b) Determine whether the board has approved policies relating to foreign exchange risk and whether
the policies:
 Establish responsibility for the management of foreign exchange risk;

 Communicate risk tolerance; and
 Provide sound guidelines for the management of foreign exchange risk.
(c) Assess the effectiveness of management and the board in overseeing foreign exchange risk.
Consider:
(i) The existence and reasonableness of board-approved limits for foreign exchange risk;
(ii) Compliance with established risk limits;
(iii) The adequacy of controls over the foreign exchange risk management process;
(iv) Management’s level of understanding of foreign exchange risk and ability to anticipate and
respond appropriately to changes in foreign exchange rates or economic conditions including
competition in the market; and
(v) The quality of personnel and their responsibilities.
(d) Assess the timeliness, completeness, accuracy, and relevance of MIS;

(e) Determine whether a competent, independent review process periodically evaluates the
effectiveness of the foreign exchange risk management system; and
(f) Assess the adequacy of the system of internal control over foreign exchange risk.
4. Assess the bank’s compliance with prudential requirements on foreign exchange operations. Findings
should be communicated to the examiner reviewing management.
5. Expanded procedures are available in the Examination Procedures. The extent to which examiners will
expand procedures will be decided on a case-by-case basis.
122
6. Conclude the foreign exchange risk review.
(i) In consultation with the EIC and other examiners, identify and communicate to other
examiners as appropriate any conclusions and findings from the foreign exchange risk review
that are relevant to other areas being reviewed.
(ii) Provide preliminary conclusions about:
(a) The quantity of foreign exchange risk;

(b) The quality of foreign exchange risk management;
(c) The composite risk and direction of foreign exchange risk;
(d) Potential or actual impact of foreign exchange risk on earnings and capital; and
(e) Instructions and/or recommendations, if any.
(b) Interest rate risk
Interest rare risk is rated moderate and stable. Standard core assessment procedures and expanded
assessment procedures (if necessary) will be applied. The examiner will perform the following procedures:
1. At the beginning of the examination, hold discussions with management covering actual or planned:
(a) Changes to the IRR policy and Management structures (i.e. Committees, limits, risk measurement
methods, etc);
(b) Material changes in the bank’s interest bearing asset and sensitive liability structure;
(c) Changes in the investment portfolio and its impact on IRR (stress testing);
2. Obtain and review the most recent reports used to monitor and manage IRR, including ALCO reports.
Determine the appropriateness and effectiveness of the risk management practices over IRR.
3. Determine the quantity of interest risk.

(i) The composition and maturities of interest bearing assets and liabilities (interest Gap
Analysis);
(ii) The Volatility of the net interest margin over time;
(iii) The level and impact of basis risk, yield curve risk, options risk, and repricing risk;
(iv) The support provided by low-cost, stable non-maturity deposits (savings and current);
(v) Review the level and trend of earnings-at-risk as indicated by the bank’s risk measurement
system, if any;
(vi) Review the exposure to the bank’s capital.
4. Determine the quality of risk management for interest rate risk.
(i) Determine whether the board has approve policies establishing responsibility for the
management of IRR, communicating risk tolerance limits, and providing sound guidelines for
the management of IRR;
(ii) Check compliance with established risk limits;
(iii) Review minutes of ALCO;
(iv) Consider annual review of investment strategies and policies and whether significant risks in
the bank’s investment activities are understood and properly reported;
(v) Consider whether the bank performs and documents the results of stress testing;
(vi) Periodic evaluations of aggregate risk exposure and the overall performance of the investment
portfolio;
(vii) The pricing of Assets and the average cost of funds;
123
(viii) The ability to respond to competitive pressures in financial and local markets; and
(ix) Whether staff skills are appropriate for the level of complexity and risk.
5. Conclude the interest rare risk review.
a. In consultation with the EIC and other examiners, identify and communicate to other
examiners as appropriate any conclusions and findings from the interest rate risk review that
are relevant to other areas being reviewed;
b. In discussion with the EIC, provide preliminary conclusions about:

1. The quantity of interest rare risk;
2. The quality of interest rate risk management;
3. The net risk and direction of interest rate risk;
4. Potential or actual impact of interest rate risk on earnings and capital; and
5. Instructions and/or recommendations, if any
(d) Operational risk
Operational risk is rated high and increasing. Standard core assessment procedures and expanded
assessment procedures will be applied (when necessary). The examiner will perform the following
procedures:
At the beginning of the examination hold a discussion with the line manager to ascertain, Board and Senior
management oversight (operational Risk Committee), awareness of operational risk triggers relevant to the
bank’s current and planned activities, existence of checklists and minimum operations procedures and
manuals and implementation of dual controls, physical security and access rights, IT changes and KYC
processes.
(i) Assess the quality of operational risk management;

(ii) Review effectiveness of the Management and Board Audit Committees;
(iii) Review effectiveness of Compliance Unit;
(iv) Review the reporting lines of Compliance officer, Business Risk Officer vs. internal auditor;
(v) Ascertain independence, staffing, quality of staff, coverage and focus of internal audit
department;
(vi) Review effectiveness of internal controls at the branches and the level of compliance with
internal audit recommendations;
(vii) Assess the bank’s compliance with laws and other and prudential regulations including
accuracy of Returns submitted to NBE;
(viii) Review the effectiveness of the fraud management process;
(ix) Review account opening procedures for KYC compliance;
(x) Review adequacy of branch supervision;
(xi) Review frauds since last inspection and point out specific lapses in internal controls;
(xii) Assess adequacy of the bank’s IT and computerization process;
(xiii) Assess accuracy, security and reliability of information generated by the IT systems;
(xiv) Ascertain if the bank has a Disaster Recovery Plan;
(xv) Verify other assets and other liabilities;
(xvi) Verify items in transit and reconciliations, bills payable, cash management and adequacy of
insurance;
(xvii) Review procurement, custody and utilization of the bank’s assets and outsourcing; and
(xviii) Review contingent assets and liabilities e.g. pending litigations against the bank.
(e) Board Oversight and Management
(i) Arrange meetings with the different functional line managers;
124
(ii) Review board minutes and board committee minutes and ascertain the effectiveness of the
board and the newly constituted board committees for ALCO, Audit and Enterprise Risk
Management;
(iii) Review the branch expansion strategy and development of new products;
(iv) Review the quality of the strategic planning given the high inherent risks in most areas of
operations and assess internal and external threats to the bank;
(v) Review the budgeting process and budget performance reviews;
(vi) Review human resources management and staff incentives and compensation issues;
(vii) Review management succession and depth;
(viii) Review effectiveness of management committees;
(ix) Review the shareholding structure and capitalization plan;
(x) Review affiliate relationships and associated risks;
(xi) Review existence and implementation of policies, procedures and risk management limits;
(xii) Establish the extent of integration of the IT strategy to the business strategy; and
(xiii) Ascertain the level of inherent risk, quality of risk management systems, aggregate level and
direction of strategic risk.
(f) Earnings:
(i) Validate ROA, ROE, and other earnings ratio;

(ii) Review budgetary process, budgetary controls and compliance;
(iii) Ascertain the reason and implications of the earnings trends;
(iv) Ascertain quantity and quality of earnings with particular attention to:
a. Interest accrual policies;

b. Recognition of bad debts;
c. Level and trend of profits;
d. Reliance on non-financial income, including grants; and
e. Financial expenses and non-financial expenses.
(g) Capital Adequacy
(i) Review capital structure, and compliance with regulatory requirements;

(ii) Assess the capital position in relation to industry i.e. current level vs. industry average,
trend vs. industry trends;
(iii) Determine adequacy of contingency plans including shareholder ability to inject fresh
capital;
(iv) Assess the earnings retention, dividend policy and capital formation plans;
(v) Validate capital ratios; and
(vi) Assess major risks to capital/sustainability of capital.
Resources Planning
 Conducting the Examination 4 weeks

 Report writing and submission of drafts the EIC 7 days
 Preparation of consolidated draft report 7 days
 Exit meting 1 day
Summary of Activities
Risk/Activity Assigned Planned Actual Variances
Examiner (s) Days Days
Credit Risk and Asset Quality W/ Roza & Ato Bayu 8
Liquidity and Liquidity risk Ato Mola 3
Interest Rate Risk Ato Mamo 3
Foreign Exchange Risk Ato Mamo 3
Operational Risk W/ Lily 8
Capital Adequacy Ato Lulu 3
Board, Management & Corporate Ato Taye 8
125
Governance
Internal Audit W/ Kiya 3
Risk Management Framework W/Kiky 2
Earnings Ato Lulu 3
Sensitivity to Risk Ato Mamo 2
Branch examination
Based on the preliminary risk assessment, 25 branches will be examined with emphasis on the following:
(i) Physical security controls at the branches;

(ii) Viability of the branch operations (volume and quality of earnings);
(iii) Cash management, reconciliations and balancing;
(iv) Review internal audit reports of each branch;
(v) Check internal controls and schedule of duties of staff;
(vi) Review communication with head office and compliance with head office instructions;
(vii) Examine items in transit and the reconciliation of long outstanding items;
(viii) Review sundry accounts;
(ix) Review dormant account management;
(x) Check compliance with approved expenditure and authorization limits;
(xi) Review profit and loss statement and balance sheets and verification of all items on balance sheet;
(xii) Examine frauds and forgeries;
(xiii) Examine the adequacy of MIS at branch level, back up arrangement and computer access rights;
(xiv) Review fixed assets registers and controlled stationary; and
(xv) Review staff indebtedness.
126
APPENDIX: XXIV
SCOPE AUTHORIZATION FORM
Name of Bank: XYZ Bank S.C.

Examiner-In-Charge: Ato Taye Sime
Examination Cut-off Date: 30th June 2009
Start Date: 24th July 2009
Ending Date: 1st September 2009
th
Date Report Required: 6 October 2009.
Team Members:
1. Ato Taye Sime Team Leader

2. W/ Roza Teka Assistant Team Leader
3. Ato Bayu Nuru Member
4. W/ Lily Reda Member
5. Ato Mola Bezu Member
6. Ato Mamo Guya Member
7. W/ Kiya Lomi Member
8. Ato Lulu Bati Member
9. W/ Kiky Yayu Member
Required Authorization Level: All levels

Authority Signature
Examiner-in-Charge
D/Director, Banking Supervision
127
APPENDIX: XXV
SAMPLE INTRODUCTION/ENTRY LETTER
BSV/File ref… 4th September, 2009
Ato Birru Guya,

President,
XYZ Bank S.C.,
P. O. Box 186
Addis Ababa.
Dear Ato Birru,
RE: EXAMINATION OF XYZ BANK S.C.
In accordance with Article 5(7) of the NBE Establishment Proclamation No. 591/08, and Article 29(1) of
the Banking Business Proclamation No. 592/08, the Banking Supervision will conduct an examination of
your bank from 11th September to 20th October 2009.
The examination will be full in scope, and will cover the bank’s Head Office and branches.
The examination team will comprise the following examiners:
1) Ato Taye Sime Team Leader

2) W/ Roza Teka Assistant Team Leader
3) Ato Bayu Nuru Member
4) W/ Lily Reda Member
5) Ato Mola Bezu Member
6) Ato Mamo Guya Member
7) W/ Kiya Lomi Member
8) Ato Lulu Bati Member
9) W/ Kiky Yayu Member
Kindly accord the team your maximum co-operation so that the exercise can be a success.
Yours sincerely,
Getu Belay
Deputy Director
Banking Supervision
128
APPENDIX: XXVI
RBS EXAMINATION PROCEDURES
EXAMINATION PLANNING PROCEDURES
EIC will be responsible for performing these procedures. For procedure 4, other examination team
members will also be involved.
OBJECTIVE 1: Determine preliminary scope and objectives of examination.

Procedures:
1. Prepare the examination timeline as per Appendix XXVI
2. Obtain and review the information below

(a) Institutional Profile;
(b) Two previous reports of examination;
(c) Previous examination work papers;
(d) Off-site reports, e.g. Early Warning System report;
(e) Prudential returns;
(f) Audit reports including management letters;
(g) Annual report;
(h) Correspondence files;
(i) Organization Chart;
(j) Media reports and articles; and
(k) Any other information that may be relevant.
3. Send information request letter to the bank at least 35 days before the beginning of examination.
4. Conduct preliminary onsite review at least three weeks before the beginning of examination. The
review will be conducted in two stages, pre-examination meeting and review of information;
(a) Pre-examination meeting with senior management of the bank covering discussion of the
following:
(a) Primary target market and business lines, and significant changes in bank products or services
including areas of growth;
(b) Economic conditions within the target markets and any other external factors affecting your
primary business lines;
(c) Areas representing the greatest risk to the bank and/or markets;
(d) Changes in bank management, key personnel or operations;
(e) Results of audit and internal controls review, any follow-up required by management;
(f) Any material changes to internal or external audit’s schedules or scope and adequacy of audit
staffing;
(g) Purchase, acquisition, merger or divestiture considerations;
(h) Changes in technology including operational systems, technology vendors/service providers,
critical software, internet banking, or plans for new products/activities that involve net
technology;
(i) Issues regarding compliance with laws, directives and circulars governing banking business;
(j) Other issues that may affect the risk profile; and
(k) Management concerns about the bank or NBE’s supervision including any areas the bank
(b) Review the following information:
(i) The board of directors’ minutes and papers and AGM minutes for each meeting since the
prior on-site examination;
(ii) The board audit committee minutes for each meeting since the prior on-site examination;
129
(iii) The strategic business plan, the current year budget and a comparison of actual performance
relative to the budget;
(iv) Structure and financial conditions of related affiliates/groups;
(v) The records of shareholdings and a current shareholders list with the following information;
shareholder name, place of shareholder residence, number of shares held, percentage
ownership, disclosure of any agreement to purchase or sell shares in the future, and disclosure
of any voting rights. If any shares are held in corporate name, please list the individuals who
are authorized to vote, and the individuals who actually vote the shares;
(vi) Internal audit reports completed since the previous on-site examination;
(vii) Structure and capacity of internal audit function;
(viii) The external audit reports, management letter with management response completed since the
previous on-site examination;
(ix) A copy of all available policies including credit policy; and asset/liability management policy,
liquidity policy, etc. provide dates of approval of up dates.
5. Using the information obtained from the above procedures, prepare a scope memorandum for
management approval. The memorandum should include:
(a) Scope and objectives of the examination;

(b) Summary of bank’s profile after incorporating information from preliminary review of both onsite
and offsite information;
(c) Summary of the pre-examination meeting;
(d) Summary of audit review;
(e) Examination focus and snap examination procedures; appropriately customized to suit the risk
profile of the bank; and
(f) Resource planning.
6. Prepare and send a letter of authority signed by the management to the bank.
7. Allocate assignments for examination team members according to planning and control schedule
(Appendix XXVII) and communicate the same to every team member.
8. Conduct a briefing session on the forthcoming examination with all team members. Some of the issues
to discuss include:
(a) Issues raised in the scope memorandum;
(b) Examination focus;
(c) Review and consolidate issues to be discussed at the beginning of examination (i.e. first
procedure in all areas to be reviewed);
(d) Work days; and
(e) Administrative issues.
ASSET QUALITY AND CREDIT RISK EXAMINATION PROCEDURES
Conclusion:
Asset quality is rated (1, 2, 3, 4, or 5)
Credit Risk is rated (Low, Moderate, or High)
Direction of Credit Risk (Decreasing, Stable or Increasing)
Complete this section’s objectives to assign the asset quality and credit risk ratings. In assigning the ratings,
examiner should consult with the EIC and other appropriate examiners. When assigning the asset quality
and credit risk ratings, examiners should take into consideration rating factors outlined in the CAMEL
Rating Guidelines (Appendix XXVIII) and Risk Rating Guidelines (Appendix XXIX), respectively.
CORE ASSESSMENT
MINIMUM SCOPE CORE ASSESSMENT

Objective: determine the asset quality component rating, the adequacy of the allowance for probable
130
losses, the quantity of credit risk, and the quality of credit risk management.
Procedures:
1. At the beginning of the examination, hold discussions with appropriate management covering
actual or planned:
(a) Changes in the lending policies and loan administration;

(b) Changes in the lending area’s management or staff;
(c) Changes in loan products, marketing and loan growth;
(d) Changes in the loan review process or loan grading system; and
(e) Other changes in external or internal factors that could affect loan quality.
2. Follow up on significant asset quality and credit risk audit issues identified by the examiner
reviewing Audit and Internal Control Section.
3. If not previously provided, obtain and review the following information and documents, as
appropriate:
(a) Credit policy and procedures;

(b) The most recent loan review reports by the bank;
(c) List of renewed or restructured credit facilities;
(d) Past-due and non-performing assets reports;
(e) Internal credit scoring or loan grading reports;
(f) Problem and “watch” loan lists;
(g) List of loans to insiders including employees;
(h) Loans to politically connected borrowers
(i) Concentration of credit reports;
(j) The detail of any “other asset” accounts that are material to the financial statements;
(k) List of off balance sheet items; and
(l) Any other report that may be useful for the review of this area.
4. Review an appropriate sample of loans. The sample should generally include:
(a) Newly advanced credits, including loan commitments;

(b) Insider loans;
(c) Large loans (10% or more of capital);
(d) Past-due and non-performing loans;
(e) Previously criticized loans and loans from the bank’s problem and “watch” loan lists; and
(f) Off-balance sheet commitments.
The size of the sample should be based on the trends and overall risk posed by those segments
of the loan portfolio and should at least cover 40%. The purpose of the review is to determine
whether the loans evidence any changes in the bank’s risk selection, the bank’s underwriting
practices, its credit administration, its risk-rating criteria, or any other aspect of its credit risk
management. Examiner should ensure that the review covers all the criteria used for assessing
and rating the quality of credit risk management as pointed out in the risk matrix. This may be
accomplished by reviewing credit files, approval documents, and loan committee minutes.
Documentation of credit file reviews can normally be limited to summary comments detailing
the loan classification and the facts supporting it.
5. Assess the bank’s compliance with prudential requirements. Findings should be communicated
to the examiner reviewing Management.
6. If the bank’s activities, risk profile, or risk controls have changed significantly, or if review of
the above information raises substantive issues, the examiner should expand the scope to
131
include additional objectives or procedures, as appropriate. If this review does not result in any
significant changes or issues, conclude the asset quality and credit risk review.
STANDARD CORE ASSESSMENT
NOTE: Examiners should select the appropriate objectives and procedures necessary to assess the
bank’s condition and risks.
Objective 1: Determine the scope of the asset quality and credit risk review
Procedures:
actual or planned:
(a) Changes in the lending policies and loan administration;

(b) Changes in the lending area’s management or staff;
(c) Changes in loan products, marketing and loan growth;
(d) Changes in the loan review process or loan grading system; and
(e) Other changes in external or internal factors that could affect loan quality.
2. Review the previous examination report and other supervisory information to identify any
problems in this area that require follow-up.
3. Discuss with the examiner responsible for completing the “Audit and Internal Control” section
of the core assessment whether there are any significant audit findings that require follow-up or
whether a review of audit work papers is required.
4. If not previously provided, obtain and review the following information an documents, as
appropriate:
(a) Credit Policy and Procedures and any changes made since the last examination;
(b) The most recent loan review report by the bank;
(c) List of renewed or restructured credit facilities;
(d) Past-due and non-performing assets reports;
(e) Internal loan grading report;
(f) Problem and “watch” loan lists;
(g) List of loans to insiders including employees;
(h) Loans to politically connected borrowers
(i) Concentration of credit reports;
(j) The detail of any “other asset” accounts that are material to the financial statements; and
(k) Any other report that may be useful for the review of this area.
5. Review regulatory reports and other information provided by the bank to assess the size,
composition, and trends in the loan portfolio and any off-balance-sheet exposures. Consider:
(a) Current and planned loan growth in relation to bank capital and risk limits;
(b) Areas of high growth;
(c) Internal portfolio management reports (loan policy exceptions, concentrations of credit,
etc.);
(d) Unfunded and/or un-drawn loan commitments and other off-balance sheet items;
(e) Deteriorating trends in asset quality indicators; and
(f) Any other information related to the risk characteristics of the loan portfolio, including:
 Economic indicators;
 Industry trend; and
 New products planned or already initiated.
132
6. Obtain asset quality and credit risk-related information from the examiner assigned to review
board minutes. If necessary, repeat the review of the credit committee minutes to review the
bank’s lending practices.
7. Use bank reports to select an appropriate sample to loans from the bank’s loan portfolio
(commercial, retail, etc). Consult with the EIC when selecting the sample. Consider:
(a) Large loans (10% or more of core capital);

(b) Significant credit concentrations;
(c) New loans in new loan products and/or portfolios experiencing rapid growth;
(d) Insider loans and loans to affiliates;
(e) Loans to politically connected borrowers;
(f) Loans previously identified as having structural weaknesses, loans that are exceptions to
lending policies, risk selection, and underwriting standards;
(g) Loans or lending concentrations to businesses or industries exhibiting signs of weakness or
higher risk; and
(h) Off-balance sheet commitments.
Since credit risk typically poses the largest single risk to a bank’s earnings and capital, and
loans are the largest asset concentration in most banks, loan portfolio forms a significant
percentage of assets to be reviewed.
The size and composition of the loan sample should be commensurate with the quantity of
credit risk, the adequacy of risk management, the bank’s condition, and the objectives of the
asset quality and credit risk review. The sample size for moderate and high risk level should at
least be 60% and 80%, respectively.
The types of loans in the sample are as important as how much of the portfolio is reviewed. The
sample should be skewed toward the predominant risks in the portfolio. The higher the risk
posed to the bank, the more comprehensive the coverage and testing.
In a stable, well-managed bank exhibiting few signs of change, examiners should sample a
smaller number of new and pass-rated credits for the purpose of determining the continued
adequacy of loan quality and credit risk management.
If the number of exceptions to sound underwriting practices or risk selection practices is

significant, or if a bank’s risk identification or credit administration is suspect or deficient, the
examiner should expand the sample to determine the problems’ cause, their seriousness, and
their effect on credit quality. Additional samples may also be required, for example, when
banks have significant growth, the loan or product mix changes, credit or economic conditions
deteriorate, strategic direction or key personnel change, or loan portfolio management is suspect
or deficient. The additional sample should target lending areas that prompted the expanded loan
coverage.
Objective 2: Determine the quantity of credit risk inherent in the loan portfolio.
1. Analyze credits and discuss loans sufficiently to determine a risk rating and classification for
each loan reviewed;
2. Document and support the reasons for each loan rating and classification;
3. Maintain a list of loans identified as having structural weaknesses during the examiner‘s
analysis of the individual credits;
4. Maintain a list of loans with insufficient information on credit or collateral. Consider:
(a) Patterns or root causes of exceptions; and

(b) Relation of exceptions to credit processes.
5. For retail loans, perform a portfolio analysis. Consider:
133
(a) Size of the portfolio and rate of growth;

(b) Changes in products, marketing channels, underwriting standards, operations, and
technology;
(c) Level and trends in delinquencies and losses; and
(d) Levels and trends in restructuring and renewals.
6. Based on the results of the portfolio analysis of retail loans, select a sample of loans to
determine the bank’s underwriting and account management practices.
7. Determine the credit risk inherent in the loan portfolio as a whole, considering the risk-rating
profile, underwriting and risk selection practices, concentrations, loan policy exceptions, credit
and collateral exceptions, pricing, collateral coverage, adequacy or analysis and credit
administration practices, economic indicators, etc
Objective 3: Determine the quantity of credit risk associated with assets other than loans:
1. As appropriate, obtain and review a list of the following items:
(a) Placements with other banks;

(b) Inter-bank loan receivables;
(c) Commercial bills;
(d) Sundry debtors;
(e) Security investments; and
(f) Other asset accounts with material balances.
2. Obtain a list of classified investments and other appropriate findings regarding the quality and
composition of investments from the examiner evaluating the investment portfolio.
3. In discussion with bank management and based on the review of assets listed above, determine
which items should be classified or charged off.
Objective 4: Determine the adequacy of the allowance for probable losses.
1. Evaluate the method used to determine the allowance for probable losses balance. Consider:
(a) The reasonableness of management’s process;

(b) The quality and adequacy of the supporting documentation; and
(c) Findings from the asset quality and credit risk review.
2. If the allowance for probable losses methodology is considered flawed, consult with the EIC to
independently determine the adequacy of the allowance for probable losses balance. If it is
determined to be inadequate:
(a) Calculate the necessary provision to restore the allowance for probable losses to an
adequate level;
(b) Direct bank management to make any necessary adjustments to the bank’s books of
accounts and regulatory reports; and
(c) As appropriate, share these findings with other examiners.
Objective 5: Determine the quality of credit risk management systems.
1. Determine whether the number and nature of credit, collateral, and policy exceptions; risk rating
changes; or other loan review findings raise concerns about the quality of the credit administration
function.
2. Determine whether loan management and personnel are adequate to effectively manage the level of
credit risk inherent in the loan portfolio. Consider:
(a) Staffing size;

(b) Staffing expertise; and
(c) Compensation systems.
134
3. Assess the timeliness, completeness, accuracy, and relevance of MIS for credit risk. Consider the
sources of reports, controls over the preparation of reports, and whether the reports’ accuracy is
independently validated. Risk management reports should cover major sources of credit risk
identified in objectives 2 and 3 above. This review should be coordinated with the examiners
responsible for all areas of the examination, including internal control, to avoid duplication of effort.
Findings should be communicated to the examiner reviewing operational risk.
4. Using the findings from achieving the previous objectives consult with the EIC and other
appropriate examiners to make preliminary judgments on the adequacy of portfolio risk
management systems. Consider whether:
(a) Board and Management recognize and understand existing and emerging risks;
(b) Management measures risk in an accurate and timely manner;
(c) The board establishes, communicates, and controls risk limits; and
(d) Management accurately and appropriately monitors established risk levels.
5. Assess the bank’s system of internal control over the credit function. Examiners should take into
consideration the relevant controls listed in objective 5 of the “Audit and Internal Control” section
of the core assessment. Examiners should also take into consideration other controls pertinent to the
credit function.
6. In addition to the above procedures, examiners should consider all criteria specified in the Risk
Rating Guidelines for credit risk (Appendix XVIII)
Objective 6: Assess the bank’s compliance with prudential requirements.
Objective 7: Determine whether to expand the procedures

Consider whether there is a need for expanded procedures for the areas of concerns. Expanded
procedures are available in the Examination Procedures. The extent to which examiners will expand
procedures will be decided on a case-by-case basis.
Objective 8: Conclude the asset quality and credit risk review
1. Provide and discuss with management a list of credit and collateral exceptions, policy exceptions,
loans with structural weaknesses, and classified assets.
2. In consultation with the EIC and other examiners, identify and communicate to other examiners as
appropriate any conclusions and findings from the asset quality and credit risk review that are
relevant to other areas being reviewed.
3. Use the results of the foregoing procedures and any other applicable examination findings to
compose comments on asset quality and credit risk management for the report of examination.
4. In discussion with the EIC, provide preliminary conclusions about:
(a) The quantity of credit risk;

(b) The quality of credit risk management;
(c) The composite risk and direction of credit risk; (as appropriate, update the Risk Matrix);
(d) The Asset quality rating;
(e) Instructions and/or recommendations, if any.
LIQUIDITY AND LIQUIDITY RISK EXMINATION PROCEDURES
135
Conclusion:
Liquidity is rated (1,2,3,4, or 5)
Liquidity risk is rated (Low, Moderate, or High)
Direction of liquidity risk (Decreasing, stable or increasing)
Complete this section’s objectives to assign the liquidity and liquidity risk ratings. In assigning the ratings,
examiner should consult with the EIC and other appropriate examiners. When assigning the liquidity and
liquidity risk ratings, examiners should take into consideration rating factors outlined in the CAMEL
Rating Guidelines (Appendix XI) and Risk Rating Guidelines (Appendix XVIII) respectively.
CORE ASSESSMENT

Objective: Determine the liquidity rating, the quantity of liquidity risk, and quality of liquidity risk
management.
Procedures:
1. At the beginning of the examination, hold discussions with appropriate management covering actual
or planned:

2. Follow up on significant liquidity audit issues identified by the examiner reviewing the bank’s Audit
and Internal Control section.
(a) The bank’s liquidity reports including the most recent Maturity Gap Report; and
(b) ALCO minutes and reports since the last onsite examination.
4. Assess the bank’s compliance with prudential requirements. Findings should be communicated to
the examiners reviewing Management.
above information raises substantive issues, the examiner should expand the activity’s scope to
include additional objectives or procedures as appropriate. If this review does not result in any
significant changes or issues, conclude the liquidity review.
Objective 1: Determine the scope of the liquidity review.

Procedures:
actual or planned:
2. Review the previous examination report and other supervisory information to identity any
problems that require follow-up in this area.
136
3. Discuss with the examiner responsible for completing the “Audit and Internal Control” section
of the core assessment whether there are any significant audit findings that require follow –up.
4. Obtain and review the following items:

(a) Most recent liquidity reports;
(b) Contingency funding plan;
(c) List of investment; and
(d) Any other information reports management uses (ALCO reports and minutes, etc).
5. Discuss current investment, liquidity, and funds management strategies with appropriate
management.
Objective 2: Determine the adequacy of liquidity and the quantity of liquidity risk risk.
Procedures:
1. Identify volume and rends in funding by reviewing:
(a) Sources of funding, e.g. retail vs. wholesale;
(b) Projected funding needs vs. available sources;
(c) Wholesale funding that may be credit sensitive;
(d) Funding concentrations;
(e) Use and reliance on liabilities with short-term maturities;
(f) Liquid assets levels and trends;
(g) Off-balance-sheet commitments; and
(h) Proportion of long term assets financed by short term liabilities.
2. Evaluate the nature and magnitude of demands on the bank’s liquidity. Consider the following:
(a) Existence of ample sources of liquidity to ensure timely payment of all debt obligations;
(b) Magnitude of any anticipated increase in loan demand/volume. Consider continuing quality of
the loan portfolio including collateral sufficiency to support additional debt;
(c) The volume of outstanding loan commitments, giving consideration to the amount of
commitments likely to be drawn upon in light of seasonal loan volume fluctuations and
projected peak loan demand;
(d) Frequency and materiality of litigation issues;
(e) Other potential contingent liabilities;
(f) Significance of planned near-term capital expenditures;
(g) Liquidity needed to cover timing differences and/or any shortfall between operating income
and expense; and
(h) Significance of any anticipated cash dividends and/or cash redemption of shares/stock.
3. Evaluate the adequacy of sources of funds to meet anticipated or potential needs. Consider:
(a) Money market assets relative to short-term liquidity needs;

(b) Other currently available asset liquidity relative to overall liquidity needs e.g. free
(unencumbered) securities;
(c) Other potential sources of asset liquidity (cash flow from loans, investments, and off-balance-
sheet contracts, etc.);
(d) Estimated capacity to borrow from inter-bank market;
(e) The bank’s capacity to increase deposits through pricing and direct-marketing campaigns to
meet medium-and long-term liquidity needs;
(f) The bank’s capacity to borrow under the NBE collateralized program or other similar
collateralized borrowing facilities;
(g) The capacity to issue longer-term liabilities and capital instruments to meet medium-and long-
term funding liquidity needs. Options may include:
(i) Deposit mobilization;

(ii) Subordinated debts; and
137
(iii) Stocks/shares.
(h) The capacity to borrow from the NBE’s discount window.
4. Evaluate the quality of the investment portfolio as a potential source of liquidity. Consider the
following:
(a) Percentage and quality of investment portfolio that is un-pledged;
(b) Level and impact of portfolio depreciation;
(c) Maturity distribution of the investment portfolio;
(d) Distribution of securities designated held-to-maturity and available-for-sale;
(e) Trends in monthly cash flow from the investment portfolio; and
(f) Potential impact of embedded options on the cash flow patterns.
5. Determine how much the bank relies on wholesale/corporate funding sources.
6. Discuss wholesale/corporate funding with bank management to determine:
(a) How wholesale funding fits in the overall asset/liability strategy;

(b) What types of mismatches exist?; and
(c) Whether the wholesale funding strategy is meeting profit expectations.
7. If the bank relies significantly on wholesale/corporate funding, review factors that influence
wholesale/corporate funds providers. Consider the following:
(a) Current asset quality and potential for deterioration;

(b) Earnings performance and expectations;
(c) Changes in senior bank management;
(d) Negative media attention; and
(e) Legal restrictions.
8. Considering the foregoing and the relevant risk assessment factors, consult with EIC and other
appropriate examiners to determine the quantity of liquidity risk.
Objective 3: Determine the quality of liquidity risk management.

Procedures:
1. Obtain liquidity-related information from the examiner assigned to review board minutes. Review,
as appropriate, minutes of any committees responsible for overseeing liquidity risk.
2. Determine whether the board has clearly articulated policies and guidelines outlining lines of
authority/responsibility for the management of liquidity and its tolerance for liquidity risk. Consider:
(a) Has a measurement system that captures and quantifies risk been established?
(b) Are limits/guidelines defined and communicated to management and other relevant staff?
(c) Are the limits/guidelines reasonable?
(d) Do the planning, budgeting, and new product areas consider liquidity when making decisions?
3. Determine whether management has planned for adequate sources of liquidity to meet current and
potential funding needs.
4. Review the contingency funding plan and determine whether it adequately details management
responsibilities, quantifies potential funding needs/sources under multiple scenarios, and prioritizes
management action to respond to funding needs. Ensure that the plan is appropriate given the
complexity of the bank’s circumstances.
5. Determine whether strategies used to achieve the desired mix and maturities of assets and liabilities
are adequate. Consider:
138
(a) Discussing with management the bank’s liquidity risk strategies;

(b) Competitive pressures in the bank’s market, considering all funding sources (e.g. branch
network, wholesale funding, etc.);
(c) Maturity matching;
(d) Asset purchases or sales or borrowings and subordinate debts;
(e) Pricing of loans and deposits;
(f) Existence of off-balance-sheet items, such as credit lines and other commitments.
6. Assess the timeliness, completeness, accuracy, and relevance of MIS for liquidity. Consider the
sources of reports, controls or the preparation of reports, and whether the reports’ accuracy is
independently validated. This review should be coordinated with the examiners responsible for all
areas of the examination to avoid duplication of effort. Findings should be communicated to the
examiner reviewing operational risk. Consider whether MIS monitors:
(a) Compliance with risk limits;

(b) Sources and uses of funds;
(c) Funding concentrations;
(d) Funding costs;
(e) Availability under wholesale funding lines; and
(f) Projected funding needs.
7. Assess the system of internal control over liquidity. Examiners should take into consideration the
relevant controls listed in objective 5 of the “Audit and Internal Control” section of the core
assessment. Examiners should also take into consideration other controls pertinent to liquidity.
8. Using the findings from the foregoing, consult with the EIC and other appropriate examiners to
determine the quality of liquidity risk management. Examiners should consider all criteria specified
in the Risk Rating Guidelines for liquidity risk.
Objective 4: Determine the composition and quality of the investment porftfolio.

Procedures:
1. Review the NBE reports and the bank’s MIS reports to evaluate:
(a) Investment yields and market values; and

(b) Impact on earnings and capital adequacy caused by impairment of the investment portfolio.
2. From discussions with management and by reviewing internal reports, determine whether there is an
appropriate due diligence process to ensure that all securities acquired conform to lending policies
for credit analysis, underwriting, and approval.
3. From discussions with management and by reviewing internal reports, assess the trend in credit
quality of the investment portfolio between examinations. Determine whether there has been a
significant change in the credit risk profile and whether that change has been appropriately
managed.
4. From discussions with management and by reviewing internal reports, determine whether there are
any issues in the portfolio that are ineligible, in default, or below investment grade and distribute
findings, as appropriate, to the examiners reviewing credit risk, earnings, and capital adequacy.
Objective 5: Determine whether to expand the procedures:

Consider whether there is a need for expanded procedures for the areas of concern. Expanded procedures
are available in the Examination Procedures. The extent to which examiners will expand procedures will
be decided on a case-by-case basis.
139
Objective 6: Assess the bank’s compliance with prudential requirements on liquidity.

Objective 7: Conclude the liquidity review.
(a) Provide the examiner evaluating credit risk with a list of classified investments, and
communicate findings to other examiners, as appropriate.
(b) In consultation with the EIC and other examiners, identify and communicate to other examiners
as appropriate any conclusions and findings from the liquidity review that are relevant to other
areas being reviewed.
(c) In discussion with the EIC, provide preliminary conclusions about:
(i) The quantity of liquidity risk;

(ii) The quality of liquidity risk management;
(iii) The composite risk and direction;
(iv) The liquidity rating;
(v) Potential or actual impact of liquidity risk on earnings and capital; and
(vi) Instructions and/or recommendations, if any.
MARKET RISK EXAMIANTION PROCEDURES

Conclusion:
Market Risk Assessment (Low, Moderate, or High)
Direction of Market Risk (Decreasing, Stable or Increasing
I. FOREIGN EXCHANGE RISK EXAMINATION PROCEDURES

Conclusion:
Foreign Exchange Risk assessment (Low, Moderate, Above Average or High)
Direction of Foreign Exchange Risk (Decreasing, Stable or Increasing
Complete this section’s objectives to assign the foreign exchange risk rating. In assigning the rating,
examiner should consult with the EIC and other appropriate examiners. When assigning the foreign
exchange risk rating, examiners should take into consideration rating factors outlined in the Risk Rating
(Appendix XXIX).
CORE ASSESSMENT
Minimum objective: Determine the quantity of risk and the quality of risk management for foreign
exchange risk.
Procedures:
or planned:
(a) Changes to the foreign exchange operation policy (i.e. limits, structures, risk measurement,
etc);
(b) Changes in the foreign exchange risk management process; and
(c) Material changes in the bank’s foreign currency denominated asset and liability structure.
2. Follow up on significant foreign exchange risk audit issues identified by the examiner reviewing the
bank’s Audit and Internal Control section.
140
3. Obtain and review bank’s foreign exchange risk reports.
the examiner reviewing Management.
significant changes or issues, conclude the foreign exchange risk review.
Objective 1: Determine the scope of the foreign exchange risk review.

Procedures:
1. At the beginning of the examination, hold discussion with appropriate management covering actual
or planned:
(a) Changes to the foreign exchange operation policy (i.e. limits, structures, risk measurement etc);
(b) Changes in the foreign exchange risk management process; and
(c) Material changes in the bank’s foreign currency denominated asset and liability structure.
2. Review previous examination report/any supervisory information to identify any problems that
require follow-up in this area.
3. Discuss with the examiner responsible for completing the “Audit and Internal Control” section of
the core assessment whether there are any significant audit findings that require follow-up.
4. Obtain and review NBE reports and the most recent bank-prepared reports used to monitor and
manage foreign exchange risk.
Objective 2: Determine the quantity of foreign exchange risk.

Procedures:
1. Determine the quantity of foreign exchange risk by considering the following:
(a) Net open position relation to capital;
(b) Income from foreign exchange operations to total income;
(c) Expenses denominated in foreign currencies to total expenses;
(d) Foreign currency denominated assets to total assets;
(e) Foreign currency denominated liabilities to total liabilities;
(f) Extent of foreign exchange fluctuation;
(g) Mismatch of assets and liabilities denominated in foreign currencies including cash flow
mismatch;
(h) Growth in foreign currency assets/liabilities and off-balance sheet exposure;
(i) The types of products held in foreign currency accounts (e.g., loans, deposits, securities, etc.);
and
(j) The exposure to market volatility or other external factors such as economic conditions,
legislative changes, technological changes, and competition.
2. Using the findings from the above procedure and considering the relevant factors, consult with the
EIC and other appropriate examiners to determine the quantity of foreign exchange risk.
Objective 3: Determine the quality of risk management for foreign exchange risk.
Procedures
141
1. Obtain foreign exchange risk-related information from the examiner assigned to review board
minutes. Review, as appropriate, minutes of any committees responsible for overseeing foreign
exchange risk.
2. Determine whether the board has approved policies relating to foreign exchange risk that establishes
responsibility for the management of foreign exchange risk, communicating risk tolerance, and
providing sound guidelines for the management of foreign exchange risk.
3. Assess the effectiveness of management and the board in overseeing foreign exchange risk.
Consider:
(a) The existence and reasonableness of board-approved limits for foreign exchange risk;
(b) Compliance with established risk limits;
(c) The adequacy of controls over the foreign exchange risk management process;
(d) Management’s level of understanding of foreign exchange risk and ability to anticipate and
respond appropriately to changes in foreign exchange rates or economic conditions including
competition in the market; and
(e) The quality of personnel and their responsibilities.
4. Determine whether the risk management system used to measure foreign exchange risk is
appropriate for the level and complexity of the bank’s exposure. Determine whether the major
assumptions used to measure the risk are reasonable.
5. Determine whether assumptions used in the risk measurement system are documented with
sufficient detail so as to allow verification of their reasonableness and accuracy.
6. Assess the timeliness, completeness, accuracy, and relevance of MIS. Consider the sources of
reports, controls over report preparation, and whether reports’ accuracy is independently validated.
This review should be coordinated with the examiners responsible for all functional areas of the
examination, including internal control, to avoid duplication of effort. Findings should be
communicated to the examiner reviewing Operational risk.
7. Determine whether a competent, independent review process periodically evaluates the

effectiveness of the foreign exchange risk management system. Examiner should determine whether
the independent reviewer assesses the reasonableness of the assumptions used.
8. Assess the adequacy of the system of internal control over foreign exchange risk. Examiners should
take into consideration the relevant controls listed in objective 5 of the “Audit and Internal Control”
section of the core assessment. Examiners should also take into consideration other controls
pertinent to foreign exchange risk.
9. Using the findings under this objective, determine whether the risk management system to identify,
measure, monitor, and control foreign exchange risk is effective. Examiners should consider all
criteria specified in the Risk Rating Guidelines on foreign exchange risk.
Objective 4: Assess the bank’s compliance with prudential requirements on foreign exchange
operations.

Objective 6: Conclude the foreign exchange risk review.
142
1. In consultation with the EIC and other examiners, identify and communicate to other examiners, as
appropriate, any conclusions and findings from the foreign exchange risk review that are relevant to
other areas being reviewed.
(a) The quantity of foreign exchange risk;

(b) The quality of foreign exchange risk management;
(c) The composite risk and direction of foreign exchange risk;
(d) Potential or actual impact of foreign exchange risk on earnings and capital; and
(e) Instructions/recommendations, if any.
II. INTEREST RATE RISK EXAMINATION PROCEDURES
Conclusion:
Interest rate risk assessment (Low, Moderate, or High)
Direction of IRR (Decreasing, Stable or Increasing)
Complete this section’s objective to assign the interest rate risk rating. In assigning the ratings, examiner
should consult with the EIC and other appropriate examiners. When assigning the interest rate risk rating,
examiners should take into consideration rating factors outlined in the Risk Matrix.
CORE ASSESSMENT
Objective: Determine the quantity of risk and the quality of risk management for interest rate risk (IRR).
Procedures:
or planned:
(a) Changes to the IRR policy (i.e.., limit, structures, risk measurement etc);
(b) Changes in the IRR management process;
(c) Material changes in the bank’s asset and liability structure; and
(d) Changes in the investment portfolio and its impact on IRR.
2. Follow up on significant interest rate risk audit issues identified by the examiner reviewing Audit and
Internal Control section.
3. Obtain and review bank’s IRR reports, including ALCO reports.
4. Assess the bank’s compliance with prudential requirements. Findings should be communicated to the
examiner reviewing Management.
If the bank’s activities, risk profile, or risk controls have changed significantly, or if review of the above
information raises substantive issues, the examiner should expand the activity’s scope to include
additional objectives or procedures, as appropriate. If this review does not result in any significant
changes or issues, conclude the interest risk review.
Objective 1: Determine the scope of the interest rate risk review.

Procedures:
or planned:
143
(a) Changes to the IRR policy (i.e.., limit, structures, risk measurement etc);
(b) Changes in the IRR management process;
(c) Material changes in the bank’s asset and liability structure; and
(d) Changes in the investment portfolio and its impact on IRR.
2. Review the previous examination reports/any supervisory information to identify any previous
problems that require follow-up in this area.
3. Discuss with the examiner responsible for completing the “Audit and Internal Control” section of the
core assessment whether there are any significant audit findings that require follow-up, or whether a
review of audit work papers is required.
4. Obtain and review the most recent reports prepared by the bank used to monitor and manage IRR,
including ALCO reports.
Objective 2: Determine the appropriateness and effectiveness of the risk management practices over
investments portfolio.
Procedures:
1. Evaluate board and senior management oversight. Consider:
(a) Annual review of investment strategies and policies;

(b) The establishment of risk limits and procedures to ensure compliance; and
(c) How well board members and management who are not involved directly or daily in investment
activities understand those activities.
2. Review pre-purchase analyses of recent investments, and determine whether the analyses provide
adequate information to understand the price sensitivity of the security.
3. Determine whether the limits established by management are reasonable and serve as an appropriate
subset of bank-wide IRR limits, given the bank’s capital, earnings and management’s expertise.
4. Determine how well management monitors the investment portfolio. Consider:
(a) Whether significant risks in the bank’s investment activities are understood and properly
reported;
(b) Whether the bank performs and documents the results of stress testing; and
(c) Periodic evaluations of aggregate risk exposure and the overall performance of the investment
portfolio.
Objective 3: Determine the quantity of interest rate risk.

Procedures:
1. Review exposure to on-and off-balance-sheet positions. Consider:
(a) The composition and maturities of assets and liabilities (GAP Analysis);
(b) The volatility of the net interest margin over time;
(c) The support provided by low-cost, stable non-maturity deposits (Savings and current).
2. Review the level and trend of earnings-at-risk as indicated by the bank’s risk measurement system, if
any.
144
3. Using the findings from performing the above procedures and considering the relevant factors,
consult with the EIC and other appropriate examiners to determine the quantity of interest rate risk.
Objective 4: Determine the quality of risk management for interest rate risk.
Procedures
1. Obtain interest rate risk-related information from the examiner assigned to review board minutes.
Review, as appropriate, minutes of ALCO or any committee responsible for overseeing IRR.
2. Determine whether the board has approved policies establishing responsibility for the management of
IRR, communicating risk tolerance, and providing sound guidelines for the management of IRR.
3. Assess the effectiveness of management and the board in overseeing IRR. Consider:
(a) The existence and reasonableness of board-approved limits for exposure to IRR; and.
(b) Compliance with established risk limits.
4. Determine whether the risk management system used to measure the effect of interest rate changes to
earnings is appropriate for the level and complexity of the bank’s exposure and whether the major
assumptions used are reasonable.
5. Determine whether the risk management system used to measure the effect of interest rate changes to
economic value is appropriate for the level and complexity of the bank’s exposure and whether the
major assumptions used are reasonable.
6. Determine whether assumptions used in the risk measurement system are documented with sufficient
detail so as to allow verification of their reasonableness and accuracy.
7. Evaluate management’s ability and effectiveness in managing IRR. Consider:
(a) The level of understanding of the dynamics of IRR;

(b) The ability to respond to competitive pressures in financial and local markets;
(c) Whether a balanced presentation of risk and return are appropriately considered in asset/liability
strategies;
(d) The ability to anticipate and respond to adverse or changing economic conditions and interest
rates; and
(e) Whether staff skills are appropriate for the level of complexity and risk.
8. Assess the timeliness, completeness, accuracy, and relevance of MIS. Consider the sources of report,
controls over report preparation, and whether reports’ accuracy is independently validated. Findings
should be communicated to the examiner reviewing operational risk.
9. Determine whether a competent, independent review process periodically evaluates the effectiveness
of the IRR management system. In reviewing measurement tools, evaluators should determine
whether the assumptions used are reasonable and whether the range of interest rate scenarios
considered are appropriate.
10. Assess the adequacy of the system of internal control over IRR. Examiners should take into
consideration the relevant controls listed in objective 5 of the “Audit and Internal Control” section of
the core assessment. Examiners should also take into consideration other controls pertinent to IRR.
11. Using the findings from the above procedures, determine whether the risk management system to
identify, measure, monitor, and control IRR is effective. Examiners should consider all criteria
specified in the Risk Management Guidelines for interest rate Risk.
145
Objective 4: Assess the bank’s compliance with prudential requirements on interest rate.

Consider whether there is a need for expanded procedures for the areas of concerns. Expanded procedures
be decided on a case-by case basis.
Objective 6: Conclude the interest rate risk review.
appropriate any conclusions and findings from the interest rate risk review that are relevant to other
areas being reviewed.
(a) The quantity of interest rate risk;

(b) The quality of interest rate risk management;
(c) The composite risk and direction of interest rate risk;
(d) Potential or actual impact of interest rate risk on earnings and capital; and
(e) Instructions/recommendations, if any.
OPERATIONAL RISK EXAMINATION PROCEDURES

Conclusion:
Operational risk is rated (Low, Moderate or High).
Direction of Operation risk (Decreasing, Stable or Increasing)
Complete this section’s objectives to assign the operational risk rating. In assigning the rating, examiner
should consult with the EIC and other appropriate examiners. When assigning the operational risk rating,
examiners should take in to consideration rating factors outlined in the Risk Rating Guidelines (Appendix
XXIX).
CORE ASSESSMENT
Objective: Determine the quantity of risk and quality of operational risk management.
Procedures:
1. At the beginning of the examination, hold discussions with appropriate management covering:
(a) Actual system failures, service interruptions and frauds since previous examination;
(b) Actual or planned changes to the current or new business initiatives;
(c) Changes to the policies ad procedures to accommodate new activities or products;
(d) Changes in the financial condition of, or quality of service provided by, IT vendors and/or other
service providers;
(e) Actual or planned changes in IT vendors and/or other service providers’ systems, applications,
distribution channels, or personnel;
(f) Changes in the information security or contingency planning processes;
(g) Changes in the processes or reports management uses to monitor operational risk; and
(h) Impact of the changes noted above on the bank’s operational risk.
2. Follow up on significant audit issues related to operational risk identified by the examiner reviewing
the Audit and Internal Controls Section.
146
(a) Report on compliance with internal policies and procedures, legal and regulatory requirements;
(b) Report on customer complaints;
(c) The extent and impact of staff turnover;
(d) Report on actual or potential litigations against the bank;
(e) Report on external market information about events and conditions that may have an impact on
the bank’s operations;
(f) Results of tests of the bank’s IT security and management’s response;
(g) Results of tests of the bank’s contingency plan and management’s response;
(h) Reports on operational risk profile of the bank submitted to the board;
(i) Recent MIS reports on frauds, business disruption, system failures, and processing errors and
losses; and
(j) Documentation for major IT initiatives.
4. Assessment on compliance with laws and other prudential requirements should include the
following:
(a) NBE Establishment Proclamation No. 591/08 and Banking Business Proclamation No. 592/08
on issues not specifically covered in other areas of liquidity, asset quality, capital, market risk,
audit and internal control;
(b) NBE Directives No. SBB: 3-4/95; 9-10/95; 12-13/96; 19/96; 21/96; 24/99; 26-27/01; 29-31/02;
35-37/04; 38-40/06; 43/08; 44/08; 45/08;
(c) Other relevant laws like those related to labor, tax, etc.
information raises substantive issues, the examiner should expand the activity’s scope to include addition
objectives or procedures, as appropriate. If this review does not result in any significant changes or
issues, conclude the operational risk management review.
Objective 1: Determine the scope of the operational risk review.

Procedures:
(a) How management administers and controls IT activities throughout the organization;
(b) Actual system failures, service interruptions and frauds since previous examination;
(c) Actual or planned changes to the current or new business initiatives;
(d) Changes to the policies and procedures to accommodate new activities or products;
(e) How management monitors the quality and reliability of outsourced services and support
functions;
(f) Changes in the financial condition of, or quality of service provided by, IT vendors and/or other
service providers;
(g) Actual or planned changes in IT vendors and/or other service providers’ system, applications,
distribution channels, or personnel;
(h) Changes in the information security or contingency planning processes;
(i) Changes in the processes or reports management uses to monitor operational risk; and
(j) Impact of the changes noted above on the bank’s operational risk.
2. Review previous examination reports to identify any problems that require follow-up in this area.
3. Discuss with the examiner responsible for completing the “Audit and Internal Control” section of
the core assessment whether there are any significant audit findings that require follow-up, or
whether a review of audit work papers is required.
147
4. If not previously provided, obtain and review lists describing the complexity of the bank’s
processing environment and reports management uses to monitor operational risk, including but not
limited to:
(a) A list of vendors or other service providers, description of the products or services provided,
and bank’s analysis of vendors’ and/or other service providers’ financial condition;
(b) A list of computer systems and networks;
(c) A list of software and applications that support financial information processing or the risk
management process;
(d) Reports used to monitor computer activity, network performance, system capacity, security
violations, and network intrusion attempts:
(e) Report on compliance with internal policies and procedures, legal and regulatory requirements;
(f) Report on external market information about events and conditions that may have an impact on
the bank’s operations;
(g) Results of tests of the bank’s IT security and management’s response;
(h) Results of tests of the bank’s contingency plan and management’s response;
(i) Recent MIS reports on frauds, business disruption, system failures, and processing errors and
losses;
(j) Insurance policies;
(k) Documentation for major IT initiatives;
(l) Reports on operational risk profile of the bank submitted to the board;
5. Using the information obtained above, determine which processes or systems represent the most
significant risks to the bank to review during this examination.
Examiner should also consider:
(a) New regulatory guidance;
(b) Actual or planned organizational changes;
(c) The significance of the system or application in supporting bank products and services;
(d) The volume or average size of transactions processed;
(e) The overall complexity of the bank’s It environment;
(f) Management reliance on the application or its output; and
(g) Recent audit coverage provided internally or externally.
6. If an area of higher risk is identified, expand the review as necessary to assess the additional risks
inherent in such activities using procedures from the Examination Procedures.
Objective 2: Determine the quantity of operational risk.
Procedures:
(a) Reports on actual or attempted internal and external frauds, noting frequency and volumes of
losses;
(b) Levels of staff turnover and their impact on the bank’s operations;
(c) Number and frequency of customer complaints noting nature, seriousness of the complaints and
management’s responses;
(d) Number of actual and potential litigations against the bank determining the amount involved;
(e) Number and frequency of processing errors and losses, establishing nature and seriousness of
the errors; and
(f) Frequency of systems failures, establishing nature and impact on the bank’s operations.
Objective 3: Assess the quality of operational risk management.
Procedures:
148
1. Obtain information regarding operational risk from the examiner assigned to review board
minutes. Review, as appropriate, minutes of any committee responsible for overseeing
operational risk.
2. Analyze applicable internal and external audit reports as they relate to operational risks.
3. Determine quality of board and senior management oversight. Consider:
(a) Whether the board has clearly articulated and communicated policies and guidelines
outlining lines of authority/responsibility for the management of operational risk;
(b) If systems to evaluate operational risks involved in all products, and processes;
(c) Whether policies and operational manuals are reviewed frequently; and
(d) Whether Management addresses deficiencies revealed from Audit, examinations timely.
4. Review organizational charts, job descriptions, compensation, staff turnover, and training
programs to ensure that the bank has a sufficient number of personnel with the expertise the
bank requires.
5. Review the effectiveness of the bank’s management and monitoring of vendor and other service
providers by evaluating the following:
(a) Vendor/service provider selection process;

(b) Contract provisions, including customer privacy protections;
(c) Monitoring of vendor or service provider performance under the contract, including
availability of financial information and access to operations and security audits of the
service provider; and
(d) As applicable, availability of, or access to, application source code and documentation for
programs not developed or maintained by the bank.
6. Determine the adequacy of and compliance with IT security policy. Consider the following:
(a) Whether the policy has been approved and overseen by the board;
(b) Whether it is adjusted, as appropriate, for changes in the bank’s (or service provider’s)
processing environment or systems; and
(c) Whether it prescribes reports to the board (or committee) on the overall status of the IT
security and the bank’s compliance with the policy.
7. Review MIS reports for significant IT systems and activities to ensure that risk identification,
measurement, control, and monitoring are commensurate with the complexity of the bank’s
technology and operating environment. MIS should be timely, accurate, complete, and
relevant. Consider:
(a) Systems capacity, including peak processing volumes;

(b) Up-time performance (within time) and processing interruptions;
(c) Network monitoring including penetration attempts and intruder detection;
(d) Activity logs and security reports for operations, program and parameter changes, terminals
use, etc; and
(e) Volume and trends of losses from errors, fraud, and un-reconciled items, etc.
8. Review insurance policies to determine whether they are current and provide adequate
coverage.
9. Determine whether the volume and nature of fraud and processing losses, network and
processing interruptions, customer-reported processing errors, or audit criticisms lower the
quality of automated activities and services.
10. Determine whether the bank’s risk assessment process for customer information and its test of
149
key controls, systems, and procedures in the bank’s system security are commensurate with the
sensitivity of the information and the complexity and scope of the bank’s activities.
11. Assess the timeliness, completeness, accuracy, and relevance of MIS for operational risk.
Consider the source of reports, controls over report preparation, and independent validation of
report accuracy. Risk management reports should cover major sources of operational risk
identified above.
12. Using the findings from the above procedures, combined with the information from the EIC and
other appropriate examiners, make preliminary judgments on the quality of operational risk
(b) The board establishes and communicates policies for operational risk management;
(c) Management measures risk in an accurate and timely manner; and
(d) Management accurately and appropriately monitors established risk limits.
Objective 4: Assess the adequacy of controls to assure the integrity of data and the resulting MIS
reports.
Note: The review should be coordinated with the examiners responsible for the review of other risks and
the internal control portion of the examination to avoid duplication of effort.
Procedures:
150
1. Evaluate the separation of duties and responsibilities in the operation and data processing areas.
Check if the following duties are segregated:
(a) Input preparation;

(b) Data entry;
(c) Operation of the computer system;
(d) Processing of rejects (unacceptable information) and un-posted transactions;
(e) Verification of transactions; and
(f) Statement and report preparation and distribution.
2. Review controls and audit trails over master file change requests (such as address changes, due
dates, loan payment extensions or renewals, loan or deposit interest rates, and the service charge
indicator). Consider:
(a) Individuals authorized to make changes and potential conflicting job responsibilities;
(b) Documentation/audit trail of authorized changes; and
(c) Procedures used to verify the accuracy of master file changes.
3. Assess adequacy of controls over changes to systems, programs, data files, and personal-computer-
based applications. Consider:
(a) Procedures for implementing program updates, releases, and changes;

(b) Controls to restrict and monitor use of data-altering utilities;
(c) Process management uses to select system and program security settings (i.e., whether the
settings were made based on sound technical advice or were simply default settings);
(d) Controls to prevent unauthorized changes to system and programs security settings; and
(e) Process and authorizations to change application parameters.
4. Determine whether employees’ level of online access (blocked, read-only, update, override, etc.)
match current job responsibilities.
5. Evaluate the effectiveness of password administration for employee and customer passwords
considering the complexity of the processing environment and type of information accessed.
Consider:
(a) Whether passwords are confidential (known only to the employee/customer);

(b) Whether the procedures to reset passwords ensure that confidentiality is maintained;
(c) Frequency of required changes in passwords;
(d) Password design (number and type of characters);
(e) Security of passwords while stored in computer files, during transmission, and on printed
activity logs and reports.
6. Determine whether the bank has removed/reset default profiles and passwords from new systems an
equipment and determine whether access to system administrator level is adequately controlled.
Objective 5: Evaluate the effectiveness of controls to protect data confidentiality, i.e. to prevent the
inadvertent disclosure of confidential information.
Procedures:
1. Evaluate systems used to monitor access and detect unauthorized internal or external attempts to
access the bank’s systems (i.e. intruder detection).
2. Evaluate control and security for data transmitted to or from remote location. Consider:
(a) Type of data transmitted;

(b) Use of encryption or other security techniques (e.g. Firewalls); and
(c) Access to network components (servers, routers, phone lines, etc.) that support data
151
transmission.
3. Evaluate controls over remote access (by modem or internet link) to ensure use/access by authorized
users only.
Objective 6: Assess the adequacy of the bank’s policies and procedures to ensure the availability of
automated information and ongoing support for IT-based products and services.
Procedures:
1. Review the written business resumption contingency plan. Consider whether:
(a) The plan gives alternative mechanisms for resuming service in the event of an outage;
(b) The plan adequately addresses all mission-critical activities or services; and
(c) The board of directors or a board committee annually reviews the plan.
2. Review the annual validation of the contingency plan, including backup/alternate site test findings.
Determine whether the board and senior management were apprised of the scope and results of the
backup test.
3. If third-party service providers provide mission-critical activities or systems, ensure that the bank’s
recovery plan is compatible with the business recovery plans of the service providers.
4. Evaluate planning for event management activities. Consider:
(a) Emergency procedures and evacuation plans;

(b) Response to network attack or penetration; and
(c) Reporting to appropriate regulatory or law enforcement agencies.
5. Assess processes and procedures to prevent destruction of electronic files and other storage media.
Consider:
(a) Frequency of file backup;

(b) Access to backup files and storage media (disks, tapes, etc.);
(c) Location of off-site files storage; and
(d) Virus protection for networks and PCs.
6. Determine whether only authorized personnel have access to the computer area, electronic media,
supplies of negotiable items, and whether equipment and networks supporting mission-critical
services are appropriately secured. Consider physical security as well as environmental controls.
Objective 7: Assess the bank’s processes for managing operational risk
Procedures:
152
1. Analyze applicable internal and external audit reports as they relate to operational risks.
2. Determine whether the volume and nature of fraud and processing losses, network and processing
interruptions, customer-reported processing errors, or audit criticisms lower the quality of automated
activities and services.
3. Determine whether the bank’s risk assessment process for customer information and its test of key
controls, systems, and procedures in the bank’s system security are commensurate with the
sensitivity of the information and the complexity and scope of the bank’s activities.
4. Assess the timeliness, completeness, accuracy, and relevance of MIS for operational risk. Consider
the source of reports, controls over report preparation, and independent validation of report
accuracy. Risk management reports should cover major sources of operational risk identified above.
5. Using the findings from the above procedures, combined with the information from the EIC and
other appropriate examiners, make preliminary judgments on the quality of operational risk
(b) The board establishes and communicates policies for operational risk management;
(c) Management measures risk in an accurate and timely manner; and
(d) Management accurately and appropriately monitors established risk limits.
Objective 8: Assess the bank’s compliance with laws and other prudential requirements.
Assessment on compliance with laws and other prudential requirements should include the following:
1. NBE Establishment Proclamation No. 591/08 and Banking Business Proclamation No. 592/08
on issues not specifically covered in other areas of liquidity, asset quality, capital, market risk,
audit and internal control;
2. NBE Directives No. SBB: 3-4/95; 9-10/95; 12-13/96; 19/96; 21/96; 24/99; 26-27/01; 29-31/02;
35-37/04; 38-40/06; 43/08; 44/08; 45/08; and
3. Other relevant laws like those related to labor, tax, etc.

153
Objective 10: Conclude the review of operational risk.

1. Provide management with a list of deficiencies for consideration.
2. Communicate to other examiners as appropriate any conclusions and findings from the
operational risk review that are relevant to other areas being reviewed;
3. Use the results of the foregoing procedure and any other applicable examination findings to
compose comments on operational risk for the report of examination;
4. Examiner should incorporate findings from review of Audit and Internal Controls in arriving at
the rating of operational risk;
a. The quantity of operational risk;

b. The quality of risk management;
c. The composite risk and direction of operational risk;
d. Impact of the actual or potential exposure to operational risk on earnings and capital;
and
e. Instructions/recommendations, if any.
CAPITAL ADEQUACY EXAMINATION PROCEDURES
Conclusion:
Capital is rated (1, 2, 3, 4, or 5)
Complete this section’s objectives to assign the capital adequacy rating. In assigning the rating, examiner
should consult with the EIC and other appropriate examiners. When assigning the capital adequacy rating,
examiners should take into consideration rating factors outlined in the CAMEL Rating Guidelines
(Appendix XXVIII).
CORE ASSESSMENT
Objective: Determine the capital rating and any potential impact on the bank’s risk assessment.
Procedures:
a. The bank’s present condition and future plans (e.g. dividends, growth of operations,
new products, and strategic initiatives, including any plans to raise and deploy
significant new injections of capitals); and
b. Actual or planned changes in controlling ownership.
2. Follow up on significant capital audit issues identified by the examiner reviewing the bank’s
Audit and Internal Control Section.

a. The bank’s current risk-based capital computation (regulatory capital); and
b. Results from other areas of examination that may affect capital adequacy (e.g. earnings,
asset quality, etc).
154
After consultation with examiners reviewing other areas, the examiner should consider if the bank’s
activities, risk profile, or risk controls have changed significantly, or if review of the above information
raises substantive issues, the examiner should expand the activity’s scope to include additional objectives
or procedures, as appropriate. If this review does not result in any significant changes or issues, conclude
the capital review.
STANDARD CORE ASSESSMENT:
Objective 1: Determine the scope of the capital review.

Procedures:
(a) The bank’s present condition and future plans (e.g. dividends, growth of operations, new
products, and strategic initiatives, including any plans to raise and deploy significant new
injections of capital); and
(b) Actual or planned changes in controlling ownership.
2. Review the previous examination reports/any supervisory information to identify any problems that
3. Discuss with the examiner responsible for completing the Audit and Internal Control section of the
core assessment whether there are any significant audit findings that require follow-up, or whether a
review of audit work papers is required.
4. If not previously provided, obtain and review the following:
(a) The bank’s current risk-based capital computation; and

(b) A list of shareholders that own 5 percent or more, and their percentages of ownership.
5. If necessary, update information about controlling ownership.
Objective 2: Determine the adequacy and quality of capital.

Procedures:
1. Review applicable information to identify trends. Consider:
(a) Results from monitoring activities by NBE e.g. offsite analysis;

(b) Reports used by bank management to monitor and project capital requirements;
(c) Compare the bank’s ratios with those of peer banks; and
(d) The bank’s present condition and future plans.
2. Obtain capital-related information from the examiner assigned to review board minutes.
3. Consider the impact of the following on current or future capital adequacy:
(a) Dividends;
(b) Earnings;
(c) Asset quality and adequacy of allowance for probable losses;
(d) Historical and planned growth;
(e) On-and off-balance-sheet activities;
(f) Strategic initiatives, including any plans to raise and deploy significant new injections of
capital;
(g) Financial plans and budgets, including replacement costs for fixed assets and technology;
(h) New products, services, or distribution channels; and
(i) Related organizations (parent, subsidiary, associate, etc).
4. Evaluate the sources of capital. Consider:
155
(a) Earnings retention, including policy and practices;

(b) Shareholders capacity- condition of principal shareholders, parents, or subsidiaries; and
(c) History of public or private offerings.
Objective 3: Determine the risk to capital posed by the level (composite risk) or direction of any
applicable risks.
In consultation with the EIC and other examiners, decide whether the composite risk or direction of any
risk has an adverse impact on current or future capital adequacy.
Objective 4: Determine the quality of risk management systems through discussions with management
and analysis of applicable information.
Procedures:
1. Assess the bank’s system of internal controls over the capital accounts. Take into considerations the
relevant controls listed in objective 5 of the Audit and Internal Control section of the core assessment.
Also take into consideration other controls pertinent to capital.
2. Assess the timelines, completeness, accuracy, and relevance of MIS for capital. Consider the sources
of reports, controls over the preparation of reports, and whether the reports’ accuracy is
independently validated. This review should be coordinated with the examiners responsible for all
functional areas of the examination, including internal controls, to avoid duplication of effort,
findings should be communicated to the examiner reviewing operational risk.

be decided on a case-by-case basis.
Objective 7: Conclude the capital review.
(a) Adjust the bank’s reported capital computation to reflect the results of the examination and
communicate them to appropriate examiners.
Consider:
1. Examiner-directed additions to the allowance for probable losses;

2. Errors in financial reporting; and
3. Direct asset charge-offs, if nay.
(b) In consultation with the EIC and other examiners, identify and communicate to other examiners as
appropriate any conclusions and findings from the capital review that are relevant to other areas being
reviewed.
(c) Use the results of the foregoing procedures and any other applicable examination findings to make a
summary for the report of examination.
(d) In discussion with the EIC, provide preliminary conclusions about:

(i) The capital rating;
(ii) Instructions and/or recommendations, if any.
EARNINGS EXAMINATION PROCEDURES
Conclusion:
156
Earnings is rated (1, 2, 3, 4 and 5)
Complete this section’s objectives to assign the earnings rating. In assigning the ratings, examiners
should consult with the EIC and other appropriate examiners. When assigning the earnings rating,
(Appendix XXVIII).
CORE ASSESSMENT
Objective: Determine the earnings component rating and any potential impact on the bank’s risk
assessment.
Procedures:
(a) Actual or planned changes in the bank’s budget or budgeting process;

(b) The bank’s present condition and future plans; and
(c) Earnings trends and variances.
2. Follow up on significant earnings audit issues identified by the examiner reviewing the bank’s Audit
and Internal Control section.
(a) Business plan;

(b) Budget; and
(c) Variance reports.
4. Assess the bank’s compliance with prudential requirements. Findings should be communicated to the
examiner reviewing Management.
5. After consultation with examiners reviewing other areas, the examiner should consider if the bank’s
activities, risk profile, or risk controls have changed significantly, or if review of the above information
raises substantive issues, the examiner should expand the activity’s scope to include additional
objectives or procedures, as appropriate. If this review does not result in any significant changes or
issues, conclude the earnings review.
STANDARD CORE ASSESSMENTS:
Objective 1:Determine the scope of the earnings review

Procedures:
1. Review the previous examination reports/any supervisory information to identify any problems that
2. Discuss with the examiner responsible for completing the Audit and Internal Controls section of the
core assessment whether there are any significant audit findings that require follow-up.
3. If not previously provided, obtain and review the following:
(a) Most current balance sheet and income statement;

(b) Most recent budget, variance reports, and related reports;
(c) Policies and procedures on suspension of interest on non-performing assets; and
(d) Any other reports relating to earnings.
Objective 2: Determine the quality and composition of earnings
Procedures:
1. Review applicable information to identify trends. Consider:
157
(a) Results from NBE monitoring activities;

(b) Bank’s reports used to monitor and project earnings;
(c) Compare bank’s profitability ratios with those of peer banks;
(d) Potential impact on future earnings; and
(e) The bank’s present condition and future plans.
2. Obtain earnings-related information from the examiner assigned to review board minutes.
3. As necessary, discuss earnings trends and variances with management. Coordinate discussions with
examiners examining other areas.
4. Analyze earnings composition. Focus on:
(a) Major sources of earnings;

(b) Net interest margins;
(c) Non-interest income and expenses;
(d) Loan loss provisions;
(e) Off-balance-sheet compositions;
(f) Changes in balance sheet composition;
(g) Loan and deposit pricing;
(h) Earnings from affiliates; and
(i) Earnings from high-risk lines of business.
5. Determine the root causes of any significant trends and the impact of non-recurring items. Consider:
(a) Whether earning trends are improving, stable, or declining;

(b) Bank earnings compared with budget and peer group;
(c) Adequacy of bank earnings in relation to dividend-paying capacity. If appropriate (and in
conjunction with the examiner reviewing capital), review and discuss with management the
bank’s dividend plans.
6. As appropriate, adjust the bank’s reported earnings to reflect the results of the examination and project
the current year’s net income. Distribute adjustments to appropriate examiners.
Objective 3: Determine the adequacy of the bank’s budgeting process.

Procedures:
1. Review and determine the reasonableness of the bank’s budget. Consider:
(a) Economic, market, and other assumptions;

(b) Bank’s business plan and strategies; and
(c) Variance reports and other supplemental budgeting reports.
Objective 4: Determine the risk to bank earnings posed by the level (composite risk) or direction of any
applicable risks.
In consultation with the EIC and other examiners, decide whether the level or direction of any risk has an
adverse impact on the bank’s current or future earnings.
Objective 5: Determine the quality of risk management systems through discussions with management and
analysis of applicable internal and external audit reports, and any other relevant reports.
Procedures:
1. Assess the bank’s system of internal controls over income and expense accounts, examiners should take
into consideration the relevant controls listed in objective 5 of the Audit and Internal Control section of
the core assessment. Examiners should also take into consideration other controls pertinent to earnings.
2. Assess the timelines, completeness, accuracy, and relevance of MIS for earnings. Consider the source
158
of reports, controls over the preparation of reports, and whether the reports’ accuracy is independently
validated. This review should be coordinated with the examiners responsible for all functional areas of
the examination, including internal controls, to avoid duplication of efforts; findings should be
communicated to the examiner reviewing operational risk.
Objective 7: Determine whether to expand the procedures.
are available in the Examination Procedures. The extent to which examiners will expand procedures will be
decided on a case-by-case basis.
Objective 8: Conclude the earnings review.
(a) Use the results of the foregoing procedures and any other applicable examination findings to compose
appropriate comments for the report of examination.
(b) In consultation with the EIC and other examiners, identify and communicate to other examiners as
appropriate any conclusions and findings from the earnings review that are relevant to other areas being
reviewed.
(c) In discussion with the EIC, provide preliminary conclusions about:
(i) The earnings rating; and

(ii) Instructions and/or recommendations, if any.
AUDIT AND INTERNAL CONTROL EXAMINATION PROCEDURES
Conclusion: The quality of audit is (Weak, Acceptable or Strong)
The system of internal control is (Weak, Acceptable or Strong)
Complete this section’s objectives to assess the quality of the bank’s overall audit and system of internal
controls. In completing these assessments, the examiner should consult the EIC and other appropriate
examiners. Consider the following factors when assessing the quality of audit and internal controls:
 Board and management oversight;

 Systems and processes;
 Reporting; and
 Staffing.
CORE ASSESSMENT

Objective: Determine the quality of audit and internal control systems, and consider the potential impact
of these findings on the bank’s risk assessment.
Procedures:
1. At the beginning of examination, hold discussions with appropriate management covering the
following:
(a) Actual or planned changes in the audit or control system;

(b) Changes to policies and/or procedures relating to audit and controls since previous examination;
159
(c) Changes in board audit committee, audit department’s structure, management and staffing; and
(d) Actual or planned changes to audit plan and compliance to the plans.
(a) Board/audit committee minutes and related internal/external audit packages and information
submitted to the board/audit committee; and
(b) A small sample of internal audit work papers. The sample should focus on high-growth or high-
risk areas, and any new products or services offered by the bank. Communicate any significant
weaknesses identified by audit to the examiners assigned to review other functional areas for
follow-up as appropriate.
3. Assessment on compliance with laws and other prudential requirements. Findings should be
communicated to the examiners reviewing Management.
significant changes or issues, conclude the audit and internal controls review.
Objective 1: Determine the scope of the audit review
The examination will include a sample of internal audit work papers, representing a cross-section of the
bank’s functions, activities and bank-assigned internal audit ratings. The sample should focus on high-
growth, substantive, or high-risk areas, and any new products or services offered by the bank.
Procedures:
1. At the beginning of examination, hold discussions with appropriate management covering the
following:
(a) Actual or planned changes in the audit or control systems;

(b) Changes to policies and/or procedures relating to audit and controls since previous examination;
(c) Changes in audit department’s structure, management and staffing; and
(d) Actual or planned changes to audit plan and compliance to the plans.
2. If not previously provided, obtain and review the following, as applicable:
(a) Most recent external audit engagement letter and other written communications between the bank
and the external auditor;
(b) Internal and external audit reports issued since the last examination including management
letters;
(c) Current year internal and external audit plan/schedule and status reports;
(d) Management’s responses to internal and external audit reports issued since the last examination;
(e) Detailed listing of duties/responsibilities of internal auditor;
(f) Resumes of audit staff including educational and work background professional certifications,
and recent developmental training;
(g) Audit committee minutes or excerpts of board minutes applicable to audits since the last
examination and audit packages and information submitted to the audit committee or board;
(h) In the event the bank has been allowed by NBE to outsource internal audit services, obtain and
review outsourcing contracts/agreements/reports, etc.
3. Discuss with the examiners responsible for completing other areas any significant audit findings that
require follow-up.
4. In consultation with the EIC and examiners assigned other areas, identify and select an appropriate
160
sample of internal audit work papers for validation purposes. Consider having other examiners review
the internal audit work papers associated with those activities.
Note: in most situations, a work paper review of the procedures and testing performed by the internal
auditor should be sufficient in scope to substantiate conclusions about the quality and reliability of the
audit work. Audit procedures should not be re-performed.
Objective 2: Determine the quality of audit committee oversight of the bank’s audit programs
1. Obtain audit-related information from the examiner assigned to review board minutes. Review and
discuss with management, as appropriate, audit committee minutes or summaries and audit
information packages to determine whether:
a. Internal and external audit plans, policies, and programs, including any changes/updates and
selection/termination of external auditors or outsourced internal audit vendors, are
periodically reviewed and approved by the board of directors or its audit committee;
b. The board audit committee meets regularly with internal auditor, receives sufficient
information and reports to effectively monitor the audit and ensure that internal and external
auditors are independent and objective in their findings;
c. The board audit committee monitors, tracks, and, when necessary, provides discipline to
ensure that management properly addresses control weaknesses noted by internal or external
auditors and examiners;
d. Audit findings and management’s responses are reported directly to the board audit
committee;
e. The board audit committee retains auditors who are fully qualified to audit the kinds of
activities in which the bank is engaged. They work with internal and external auditors to
ensure that the bank has comprehensive audit coverage to meet the risks and demands posed
by its current and planned activities;
f. The board audit committee periodically evaluates the operations of the internal audit
function, including outsourced internal audit activities (if any), and has significant input into
the performance evaluation of the internal auditor or outsourced internal audit vendor; and
g. Majority of the audit committee’s members are non-executive directors.
Objective 3: Determine the adequacy of the bank’s internal audit function

1. Assess the quality of internal audit activities by considering:
a. The bank’s size, complexity, and risk profile;

b. The quality and effectiveness of internal control assessments, including those for financial
reporting;
c. Whether the audit is focused on appropriate areas, given the bank’s risk profile;
d. The quality of audit reports and findings;
e. The quality and timeliness of management responses to audit findings and whether audit
follows up on significant findings in a timely manner to assess the effectiveness of
management’s responses;
f. Reporting line to the board audit committee;
g. The quality and depth of audit coverage and audit procedures, including regular testing of
internal control and MIS;
h. Whether audit provides constructive business advice or consulting on evaluating safeguards
and controls in the acquisition and implementation of new products, services, and delivery
channels, and what its role is in merger, acquisition, and transition activities;
161
i. Whether audit plans address goals, schedules, staffing, and reporting;

j. Progress made toward completing annual audit plans or schedules;
k. Whether audit scope is adjusted for any significant changes in the bank’s environment,
structure, activities, risk exposures, systems, or new products or services; and
l. The use of audit software and other computer-assisted audit techniques.
2. Determine the competence and independence of the internal audit staff. Consider:
a. Audit staff experience and training;

b. Audit staff tenure, turnover, and vacancies;
c. Any incompatible duties performed by the audit staff;
d. Lines of reporting, operational duties assigned to the auditor, or other restrictions or
relationships; and
e. Staff’s ability to meet the audit schedule.
3. In case where internal audit services have been outsourced, review outsourcing arrangement contracts
or engagement letter and determine whether they adequately address the roles and responsibilities of
the bank and the internal audit outsourcing vendor. Determine whether:
4. The arrangement maintains or enhances the quality of internal audit and internal control.
5. Key bank employees and the vendor clearly understands the lines of communication and how the
bank will address internal control or other problems noted by the vendor;
6. The board and management perform sufficient due diligence to verify the vendor’s competence and
objectivity before entering into the outsourcing arrangement. The bank has an adequate process for
periodically reviewing the vendor’s performance effectively throughout the life of the arrangement.
7. Determine the adequacy of internal audit review of anti-money laundering issues.

Objective 4: Determine whether the bank has implemented an appropriate external audit function.
1. Determine what services are provided by external auditors: Consider:
a. Statutory audit; and

b. Special audits such as IT, internal control, credit, or compliance, etc.
2. If a statutory audit was performed, determine what type of opinion was issued (unqualified or
qualified).
3. Determine whether the external audit program is appropriate given the bank’s size, the nature and
extent of its activities and operations, and its risk profile.
4. Review the engagement letter and assess its adequacy. Consider:
a. The purpose and scope of the audit;

b. The period of time to be covered by the audit;
c. The reports expected to be rendered;
d. Any limitations placed on the auditor’s scope or work; and
e. Determine whether the board of directors or its audit committee and the external auditors
have discussed and resolved any financial, employment, business, or non-audit service
relationships that compromise or appear to compromise the external auditor’s independence.
Objective 5: Using the findings from the audit review and other areas under examination, assess the
bank’s internal control system.
1. Assess the bank’s control environment. As appropriate, consider:
a. The organizational structure of the bank (e.g. centralized or decentralized authorities and
responsibilities, and reporting relationships);
162
b. Management’s philosophy and operating style (e.g. formal or informal, conservative or

aggressive);
c. External influences affecting operations and practices (e.g. parent company influence,
independent external audits); and
d. The goals, objectives, attention, and direction provided by the board of directors and its
committees, especially the audit or risk management committees.
2. Evaluate the bank’s internal risk assessment system. As appropriate, consider:
a. The effectiveness of the system to identify, measure, monitor, and control the risks;
b. The responsiveness of the system to changing risk conditions; and
c. The competency, knowledge, and skills of personnel.
3. Assess the bank’s control activities. As appropriate, consider:
a. Quality of policies, procedures, and audit;

b. Quality and timeliness of management and staff training;
c. Timeliness of risk analysis and control processes;
d. Approvals and authorization for transactions and activities;
e. Supervision and oversight of payments against uncollected funds (potential for kiting);
f. Segregation of duties to ensure that the same employee does not originate a transaction,
process it, and then reconcile the general ledger account;
g. Vacation requirements or periodic unannounced rotation of duties for personnel in sensitive
positions;
h. Safeguards for access to and use of sensitive assets and records, including wire transfer
activities;
i. Internal review of employee accounts;
j. Dual control or joint custody over access to assets (e.g. cash, cash collateral, official checks,
and consigned items);
k. Independent checks or verifications on function (e.g. lending and wire transfer) performance
and reconciliation of balances;
l. Timely account reconciliation and resolution or clearing of outstanding items; and
m. Accountability for the actions taken by banks staff and the responsibilities/authorities given
to them.
4. Assess the bank’s accounting, information, and communication systems. As appropriate, determine
whether:
a. MIS identifies and captures relevant internal and external information in a timely manner;
b. Systems ensure accountability for assets and liabilities;
c. Information systems ensure effective communication of positions and activities; and
d. Business resumption and contingency planning for information systems are adequate.
5. Evaluate the bank’s self-assessments and monitoring systems. As appropriate, consider:
a. Periodic evaluations, self-assessments, or audits of internal controls;

b. Whether the system ensures timely and accurate reporting of deficiencies; and
c. Processes to ensue timely modification of policies and procedures, as needed.
Objective 6: Assess the bank’s compliance prudential requirements. Findings should be communicated to
Objective 7: Determine whether expanding the scope of the examination is warranted.

1. If the review of audit or internal controls, including the work paper review, discloses significant audit
or control discrepancies or weaknesses that are not mitigated by a satisfactory or strong risk
management program, consider whether expanded examination procedures should be performed to
163
identify the extent of problems and determine their effect on bank operations. Consider expanding
procedures if any of the following issues are identified:
(a) Concerns about the competency or independence of internal or external audit;

(b) Unexplained or unexpected changes in internal or external auditors or significant changes in
the audit program;
(c) Inadequate scope of the overall audit program, or in key risk areas;
(d) Audit work papers in key risk areas that are deficient or do not support audit conclusions;
(e) High growth areas without adequate audit or internal control; and
(f) Inappropriate actions by insiders to influence the findings or scope of audits.
Objective 8: Conclude the audit and internal control review.

1. Determine quality of audit (strong, satisfactory or weak) and internal controls (strong,
satisfactory or weak).
2. If warranted, develop action plans to address audit or control deficiencies before conducting
the exit meeting. Consider management’s ability to correct the bank’s fundamental
problems.
3. Use the results of the foregoing procedures and any other applicable examination findings to
compose appropriate comments for inclusion in the report of examination.
4. Incorporate the results of the above assessments into the relevant risk ratings. Emphasis
should specifically be made on operational risk ratings.
5. In consultation with the EIC and other examiners, identify and communicate to other
examiners as appropriate any conclusions and findings from the audit and internal controls
review that are relevant to other areas being reviewed.
6. Communicate conclusions regarding the quality of audit and the system of internal controls
to the EIC or examiner responsible for consolidating conclusions from the “Management”
Section.
MANAGEMENT EXAMINATION PROCEDURES
Conclusions: Management is rated (1, 2, 3, 4, or 5)
Complete this section’s objectives to assign the management raring. In assigning the rating, examiner
should consult with the EIC and other appropriate examiners. When assigning the management rating,
(Appendix XXVIII)
CORE ASSESSMENT
Objective: Determine the management component rating, and consider the potential impact of these
findings on the bank’s risk assessment.
Procedures:
1. At the beginning of the examination, hold discussions with appropriate management covering actual or
planned changes in:
a. Senior management or the board and its committees; and

b. The strategic plan or planning function.
164
2. Follow up on significant management audit issues identified by the examiner reviewing the bank’s
Audit and Internal Control section.
a. Results from supervisory activities; and

b. Board minutes and reports since the last examination.
4. Communicate with examiners reviewing other areas to assess level of compliance with the following:
(a) NBE Establishment Proclamation No. 591/08 and Banking Business Proclamation No. 592/08 on
issues not specifically covered in other areas of liquidity, asset quality, capital, market risk, audit
and internal control;
(b) NBE Directives No. SBB: 3-4/95; 9-10/95; 12-13/96; 19/96; 21/96; 24/99; 26-27/01; 29-31/02;
35-37/04; 38-40/06; 43/08; 44/08; 45/08; and
information raises substantive issues, the examiner should expand the activity’s scope to include additional
objectives or procedures, as appropriate. If this review does not result in any significant changes or issues,
conclude the management review.
Objective 1. Determine the scope of the management review

Procedures:
1. At the beginning of the examination, hold discussions with appropriate management covering actual or
planned changes in:
a. Major risks (current or planned) and management’s strategies to control them;

b. Changes, or planned changes, in senior management or the board since the last examination;
c. The board and board committee structure; and
d. Plans for growth or acquisition. Consider:
i. Board-approved strategic plan;

ii. Financial and operational plan;
iii. Changes in products, services, delivery channels, service providers, etc; and
iv. Resources and staffing necessary to accomplish strategic goals.
e. The potential impact of management succession plans.
2. Review the supervisory information to identify any problems that require follow-up in this area.
3. Discuss with the examiner responsible for completing the audit and internal control section of the core
assessment whether there are any significant audit findings that require follow-up.
4. As appropriate, obtain and review the following:
a. Board and committee minutes since the last examination;

b. Current organizational chart;
c. Findings from monitoring activities;
d. List of directors and their backgrounds;
e. Recent representative packet of board meeting materials;
f. List of significant pending litigation, including a description of the circumstances;
g. List of related organizations (e.g. parent holding company, affiliates, operating subsidiaries,
165
chain and parallel-owned banking organizations); and

h. Summary of transactions with bank related organizations.
5. Update the list of directors and executive officers in work papers, as appropriate.
Objective 2: Determine the adequacy of management and board oversight
1. At the beginning of the examination, discuss with senior management and other members of
management, as appropriate:
a. Major risks (current or planned) and management’s strategies to control them;

b. Changes, or planned changes, in senior management or the board since the last examination;
c. The board and board committee structure;
d. Plans for growth or acquisition. Consider:
i. Board-approved strategic plan;

ii. Financial and operational plan;
iii. Changes in products, services, delivery channels, service providers, etc; and
iv. Resources and staffing necessary to accomplish strategic goals.
e. The potential impact of management succession plans.
2. Review, as appropriate, the minutes of board and committee meetings held since the last examination.
Identify:
a. Areas of significant risk in the bank that are not being reported appropriately to the board or
its committees;
b. Potential or actual violations of law, regulations or policies. Report any violations of laws,
regulations, and policies to the EIC;
c. Actual or planned changes in bank operations or strategy and whether these were approved as
part of the bank’s strategic planning process;
d. Individuals or factions exercising control over the bank;
e. Directors who are involved in the management of the bank, and the degree of their
involvement;
f. Changes in the bylaws or articles of association;
g. Directors who do not regularly attend board or committee meetings. Determine:
i. Why they do not attend; and

ii. Whether these individuals are fulfilling their fiduciary responsibilities.
3. After reviewing board minutes, provide examiners of other areas with any significant information
obtained about those areas. Consider having the examiner responsible for other areas review minutes
of any committee that oversee it.
4. Review how the board and management select and retain competent staff. Consider as appropriate:
a. Requirements for annual performance reviews of senior management and other staff;
b. Length of vacancies in key positions;
c. Reasonableness of employment contracts;
d. Compensation programs; and
e. Recruitment methods.
5. Review the bank’s vulnerability to self-dealing and the level of compliance with established laws,
regulations, and policies regarding insider transactions and activities.
6. Review pending or threatened litigation with management to determine whether litigation has a
166
potentially significant impact on the financial condition of the bank.
7. Review the relationship (financial or operational) between the bank and its related organizations.
Determine whether the transitions between the bank and its related organizations are legal and conform
to proper accounting standards and regulatory requirements. Consider the impact on Earnings and
Capital.
8. Review how management plans for new products and services. Consider whether the bank performs
feasibility analysis covering:
a. Financial projections;
b. Risk analysis; and
c. Legal opinions.
Objective 3: Determine the quality of risk management systems
1. After completing the above procedures, consult with other appropriate examiners to make preliminary
judgments on the adequacy of risk management systems. Consider whether:
a. Board and Management recognize weaknesses and understand existing or emerging risks;
b. The board establishes, communicates, and controls risk limits through policies;
c. Management measures risk in an accurate and timely manner; and
d. Management accurately and appropriately monitors established risk levels.
2. In consultation with other examiners, determine whether findings from other areas (e.g. quantity of
risk, quality of risk management practices, direction of risk, or composite risk) affect the management
conclusion. Comment as necessary.
Objective 4: Determine the level of compliance with legal and regulatory requirements.
Communicate with examiners reviewing other areas to assess level of compliance with the following:
(a) NBE Establishment Proclamation No. 591/08 and Banking Business Proclamation No. 592/08 on
issues not specifically covered in other areas of liquidity, asset quality, capital, market risk, audit and
internal control;
(b) NBE Directives No. SBB: 3-4/95; 9-10/95; 12-13/96; 19/96; 21/96; 24/99; 26-27/01; 29-31/02; 35-
37/04; 38-40/06; 43/08; 44/08; 45/08; and
Objective 5: Conclude the management review
appropriate any conclusions and findings from the management review that are relevant to other areas
being reviewed.
2. Use the results of the foregoing procedure, the conclusions on the quality of audit and the system of
internal controls, bank’s risk profile, other CAMEL components and any other applicable examination
findings to compose appropriate comments for the report of examination.
3. In discussion with all examiners, draw preliminary conclusions about:
a. The Management rating; and

b. Instructions/recommendations, if any.
CONCLUSION OF EXAMINATION
Conclusion:
The bank is rated (1, 2, 3, 4, 5).
167
The bank’s overall risk profile is (low, moderate, high).
To conclude the supervisory cycle, examiners will meet all objectives under this section, regardless of the
bank’s risk designation.
Objective 1: Conclude on the bank’s risk profile.

1. Draw and record conclusions about quantity of risk, quality of risk management, composite risk, and
the direction of composite risk for each of the four risk categories.
2. Using the assessments made on the four individual risks, the EIC should establish the bank’s overall
risk rating.
Objective 2: Determine and update the bank’s CAMEL ratings.
1. Draw and record conclusions on each CAMEL component rating.
2. Using conclusions made in each of the CAMEL component, determine the bank’s composite rating.
Objective 3: Finalize the examination.
1. Prepare the draft Report of Examination (ROE) as per format prescribed in Appendix XXX.
2. Perform a final technical check to make sure that the report is accurate and acceptable. The check
should ensure that:
 The report meets established guideline;

 Comments support all regulatory ratings, as applicable;
 Any numerical totals are accurate;
 Any numerical data in the report and other supervisory comments are consistent with the bank’s
records; and
 Violations of law are cited accurately.
3. EIC should ensure that team leaders for each risk categories members submit their findings in a
standard template as per RBS ROE.
4. Discuss the draft ROE with other team members.
5. If there is any critical issue which needs immediate supervisory attention, the EIC should inform
banking supervision management before the exit meeting to develop a strategy for addressing the
problem.
6. Hold an on-site exit meeting with bank’s management to discuss examination findings:
(a) Inform management of areas of strengths as well as weaknesses;

(b) Solicit management’s commitment to correct material weaknesses; and
(c) Discuss the bank’s risk profile including conclusions from the risk assessment review.
7. Update the draft report and send it to quality assurance committee for quality assurance.
8. Incorporate the quality assurance comments and get comments of banking supervision management on
the draft report.
9. Finalize the draft and prepare a report transmittal letter.
10. Forward the final report with the transmittal letter to management for signatures.
11. Distribute the report to the Chairperson of the bank, with copies to the bank’s Chief Executive Officer,
the Governor and banking supervision management or process management, as the case may be.
Objective 4: Presentation of the ROE to the board of directors.
1. Prepare for the board meeting by:
168
 Preparing materials such as power point summaries, graphs, etc for the meeting; and
 Drafting responses to expected questions and comments.
2. Deputy Director is to present to the board of the bank report of examination. However, presentation
may be delegated to EIC if necessary.
3. Issues to be covered in the presentation should include:
(a) Objectives of the examination;

(b) Major concerns or issues, including significant risks facing the bank;
(c) The bank’s failure in correcting previously identified deficiencies and the potential impact of
failing to correct such deficiencies;
(d) What NBE expects the bank to do and when (i.e. instructions and recommendations);
(e) What the bank is doing well;
(f) Industry issues affecting the bank.
4. Document details of the meeting by including the following information:
 The date and location of the meeting and the names of attendees;
 Major items discussed; and
 A brief summary of the directors’ reactions to NBE presentation.
Objective 3: Follow up and monitoring.
1. After completion of an examination including presentation of the report to the board or directors, the
Desk Officer of that bank should make follow-up on implementation of examination instructions and
recommendations.
2. The Desk Officer should maintain an on-going list of issues to be followed up with bank’s
management within a specified timeframe including ensuring that the bank submits the progress report
every quarter. The results should be incorporated in the institutional profile.
169
APPENDIX: XXVII
SAMPLE EXAMINATION TIMELINE

DATE TASK TO BE DONE BY
PRE-EXAMINATION
1/6/09 Send information request letter and schedule pre-examination EIC
visit
12/6/09 Receive information from bank for the review EIC
15-19/6/09 Analyze the information and hold pre-examination meeting with EIC & Team
bank’s Senior Management and review information provided
under section 2
22/6/09 Submit the preliminary Risk Assessment and scope memo EIC
(including entry letter) to D/Director
23/6/09 Approve Preliminary Risk Assessment and scope memo, and D/Director
sign entry letter
24/6/09  Send entry letter to the Bank D/Director
 Hold entrance meeting EIC & Examiners
25/6/09 First day of examination EIC & Examiners
7/7/09 Last day of examination EIC & Examiners
POST EXAMINATION
8-9/7/09 Prepare sectional reports and include initial feedback EIC & Examiners
10-17/7/09 Prepare draft examination report EIC
17/7/09 Send first draft report to senior management of examined bank D/Director
by signing prepared letter
23/7/09 Write response to report Examined Bank
24/7/09 Incorporate comments of senior management EIC & Examiners
27/7/09 Provide the report to quality assurance team and D/Director for EIC
their feedback
27/7/09 Incorporate comments of quality assurance team and D/Director EIC & Examiners
28/7/09 Hold exit meeting with senior management of examined bank EIC & Examiners
and incorporate their comments
29/7/09 Send report to board of examined bank by signing prepared D/Director
letter
3/8/09 Present findings to board of examined bank D/Director & EIC
4/8/09 Include comments of board EIC
5/8/09 Approve report D/Director/Directo
r/Governor, as the
case may be
5/8/09 Release final report D/Director
170
NB: Between information request letter and on-site examination there should be at least 24 days out of which:
(i) 2 weeks will be used by banks to submit information

(ii) 8 working days for EIC to analyze submitted information, conduct preliminary onsite review and prepare
scope memo.
(iii) 1 working day for management to review and approve the scope memo.
APPENDIX: XXVIII
SAMPLE PLANNING AND CONTROL SCHEDULE

Risk/Activity Assigned Examiner (s) Planned Days
Preliminary discussions with line managers EIC and all examiners 2
Credit Risk and Asset Quality W/ Roza & Ato Bayu 8
Liquidity and Liquidity risk W/Kiky 3
Interest Rate Risk Ato Mamo 3
Foreign Exchange Risk Ato Mamo 3
Operational Risk W/ Lily 8
Capital Adequacy Ato Lulu 3
Board, Management & Corporate Governance Ato Taye 8
Audit Function and Internal Controls W/ Kiya 8
Risk Management Framework Ato Lulu 2
Earnings Ato Lulu 3
171
APPENDIX: XXIX
DEFINITION OF RATIOS FOR RISK AND CAMEL RATINGS

(1) RISK RATING RATIOS
A: CREDIT RISK
RATIO FORMULA INTERPRETATION
Loans to total assets This ratio is defined as gross loans Measures proportion of loan portfolio
divided by gross total assets to total assets and helps to determine
the inherent credit risk
Aggregate large This ratio is calculated by taking the This is intended to identify
exposure to total sum of all loans with outstanding vulnerabilities arising from the
capital balances of 10% or more of the bank’s concentration of credit risk. Large
total capital divided by total capital exposure refers to one or more credit
exposures to the same individual or
group that exceed 10% of total
capital
Non-performing loans This ratio is calculated by taking the This is intended to identify problems
to gross loans value of non performing loans (all with asset quality in the loan
loans classified as substandard or portfolio. An increasing ratio may
worse) as the numerator and the total signal deterioration in the quality of
value of loan portfolio, (including credit portfolio hence increase in
NPLs and before the deduction of credit risk
specific loans provisions) as the
denominator)
Growth rate of loans The rate of growth of loans portfolio Measures the growth rate of loan
(annual) for a period of twelve months to the portfolio
examination cut off date. The
percentage is determined by subtracting
loan portfolio balance as the
corresponding reporting period in the
previous year from the current period
loan portfolio balance and dividing the
result by the previous year loan
portfolio balance
Off-balance sheet This ratio is calculated by taking the The extent to which bank is exposed
exposures to total sum of all off-balance sheet exposures to credit risk as a result of holding
capital divided by the bank’s total capital off-balance sheet items
172
B: LIQUIDITY RISK
Liquid assets to current This ratio is calculated by taking the This is intended to capture the
liabilities (liquid asset sum of all assets maturing within one liquidity mismatch of assets and
ratio) year divided by all liabilities with the liabilities, and provides an indication
same maturity period of the extend to which banks could
meet short term withdrawal of funds
without facing liquidity problems
Excess short term This ratio is calculated by taking the Measures the extent to which long
liabilities to long term short term liabilities minus short term term assets have been financed by
assets assets (excess short term liabilities) short term liabilities
divided by long term assets i.e. assets
with maturity of more than one year
Gross loans to total This is calculated by taking gross loans Measure the extent to which deposits
deposits divided by total deposits have financed loan portfolio which
are considered illiquid assets
C: MARKET RISK
I: FOREIGN EXCHANGE RISK

Net open position to This ratio is calculated by taking the This is intended to identify the
total capital sum of open position of all currencies bank’s exchange rate risk exposures
translated into Birr divided by total compared to total capital. It measures
capital the mismatch (open position) of
foreign currency asset and liability
positions to assess the potential
vulnerability of the bank’s capital
position to exchange rate movements
Income form foreign This ratio is calculated by taking This is intended to measure
exchange trading and income from foreign exchange trading vulnerability of bank’s income and
revaluation to total and revaluation divided by total hence capital from movement in
income income, If the numerator is negative, exchange rates
ignore this ratio
II: INTEREST RATE RISK

Interest bearing assets This ratio is calculated by taking the This is intended to measure the
to interest bearing sum of all interest bearing assets (both extent of the mismatch between
liabilities: local and foreign currencies) divided by interest bearing assets and interest
the sum of all interest bearing liabilities bearing liabilities
(both local and foreign currencies)
- when liabilities are
more than assets
- when assets are
more than liabilities
Interest income to total This ratio is calculated by taking total This is intended to measure
income interest income divided by total income vulnerability of bank’s income and
of the bank i.e. interest income plus hence capital from movement in
non interest income interest rate
(II): CAMEL RATIOS
A: CAPITAL ADEQUACY
Total Capital/TRWA+ This ratio is calculated by taking total This is intended to measure capital
173
OBSE capital divided by the sum of risk adequacy of a bank relative to risk
weighted assets and risk weighted off profile of a bank
balance sheet exposures
Absolute Total Capital This is available total capital of a bank This is intended to compare available
Amount total capital against the minimum
legal requirement
B: ASSET QUALITY
NPLs to Gross Loans This ratio is calculated by taking the This is intended to identify problems
value of non performing loans (all with asset quality in the loan
loans classified as substandard or portfolio. An increasing ratio may
worse) as the numerator and the total signal deterioration in the quality of
value of loan portfolio, (including credit portfolio hence increase in
NPLs and before the deduction of credit risk
specific loan loss provisions) as the
denominator
Large Exposures to This ratio is calculated by taking the This is intended to identify
Total Capital sum of all loans with outstanding vulnerabilities arising from the
balances of 10% or more of the bank’s concentration of credit risk. Large
total capital divided by total capital exposure refers to one or more credit
exposures to the same individual or
group that exceeded 10% of total
capital.
NPLs Net of This is calculated by taking the value of This is intended to compare the
Provisions to Total non performing loans less the value of potential impact on capital of Non-
Capital specific loan loss provisions as the performing Loans, net of provisions.
numerator and total capital as the It can provide an indication of the
denominator capacity of bank capital to withstand
NPL-related losses
C: EARNINGS
Return on Average This ratio is calculated by dividing net This is intended to measure bank
Assets income by the average value of total efficiency in using its assets
assets over the same period
Net Interest Income to This is calculated by taking total This is intended to measure bank
Average Interest interest income less total interest efficiency in using its interest bearing
Bearing Assets expense divided by the average of the assets
interest bearing assets
Non-Interest Expense This is calculated by operating This is intended to measure the size
to Gross Income expenses as the numerator, and gross of administrative expenses to gross
income as the denominator income
D: LIQUIDITY
Liquid Assets to This ratio is calculated by taking the This is intended to capture the
Current Liabilities sum of all assets maturing within one liquidity mismatch of assets and
year divided by all liabilities with the liabilities, and provides and
same maturity period indication of the extend to which
banks could meet short term
withdrawal of funds without facing
liquidity problems
Gross Loans to Total This is calculated by taking gross loans Measure the extent to which despots
Deposits divided by total deposits have financed loan portfolio which
are considered illiquid assets
174
APPENDIX: XXX
CAMEL RATING GUIDELINES
Final CAMEL ratings are arrived at after assessment of both quantitative factors (detailed in A below) and
qualitative factors for each component (detailed under in B below). Initial ratings provided by the
quantitative factors are adjusted upwards or downwards as appropriate after considering the relevant
qualitative factors. Composite CAMEL rating is then assigned considering the definitions detailed in C
below.
A: QUANTITATIVE CAMEL RATING CRITERIA
1. CAPITAL ADEQUACY RATING CRITERIA
RATINGS Total Capital to RWA+OBS

1 Above 14%
2 12%-14%
3 10%-12%
4 08%-10%
5 Below 08%
2. ASSETS QUALITY RATING CRITERIA
NPLs to Gross Loans Large exposures to Total Capital NPLs net of Provisions
to Total Capital
40% 20% 40%
RATINGS NPLs to Gross Loans Large Exposure NPLs Net of Provisions

to Total Capital to Total Capital
1 Below 5% Below 150% Below 20%
2 5%-10% 150%-250% 20%-30%
3 10%-15% 250%-350% 30%-40%
4 15%-20% 350%-400% 40%-50%
175
5 Above 20% Above 400% Above 50%
3. EARNINGS RATING CRITERIA
Return on Net Interest Income to Average Non-Interest Expenses

Average Assets Earning Assets to Gross Income
40% 20% 40%
RATINGS Return on Net Interest Income to Non-Interest Expenses to

Average Assets Average Earning Assets Gross Income
1 Above 3% Above 5% Below 55%
2 2%-3% 3%-5% 55%-70%
3 1%-2% 1%-3% 70%-85%
4 0%-1% 0%-1% 85%-100%
5 Below 0% Below 0% Above 100%
4. LIQUIDITY RATING CRITERIA
Liquid Assets to Current Liabilities Gross Loans to Total Deposits

80% 20%
RATINGS Liquid Assets to Gross Loans to

Current Liabilities Total Deposits
1 Above 40% Below 70%
2 30%-40% 70%-75%
3 20%-30% 75%-80%
4 15%-20% 80%-85%
5 Below 15% Above 85%
B: QUALITATIVE CAMEL RATING CRITERIA
COMPONENT RATINGS
Early warning ratings will be used as preliminary ratings when assessing each CAMEL
component. Final rating for each component will be determined after taking into account other
evaluation factors as listed under each component.
Each of the component rating descriptions is divided into two sections: a list of the principal
evaluation factors that relate to that component; and a brief description of each numerical rating
for that component. Some of the evaluation factors are reiterated under one or more of the other
components to reinforce the interrelationship between components. The listing of evaluation
factors for each component rating is in no particular order of importance.
3.1 Capital Adequacy
The capital adequacy of a bank is rated based upon, but not limited to, an assessment of the
following evaluation factors:
(a) The level and quality of capital and the overall financial condition of the bank;
(b) The ability of management to address emerging needs for additional capital;
176
(c) The nature, trend, and volume of problem assets, and the adequacy of allowances for probable
losses and other valuation reserves;
(d) Balance sheet composition, including the nature and amount of intangible assets,
concentration risk, and risks associated with non-traditional activities;
(e) Risk exposure represented by off-balance sheet activities;

(f) The quality and strength of earnings, and the reasonableness of dividends;
(g) Prospects and plans for growth, as well as past experience in managing growth; and
(h) Access to other sources of capital, including support provided by shareholders.
A brief description of each numerical rating for capital adequacy is as follows:
Rating 1: Indicates a strong capital level relative to the bank’s risk profile.
Rating 2: Indicates a satisfactory capital level relative to the bank’s risk profile.
Rating 3: The rating indicates level of capital that does not fully support the bank’s risk
profile and therefore a need for improvement, even if the bank’s capital level
exceeds minimum regulatory and statutory requirements.
Rating 4: Indicates a deficient level of capital. In light of the bank’s risk profile, viability
of the bank may be threatened. Assistance from shareholders or other external
sources of financial support may be required.
Rating 5: Indicates a critically deficient level of capital such that the bank’s viability is
threatened. Immediate assistance from shareholders or other external sources of
financial support is required.
3.2 Asset Quality
The asset quality of a bank is rated based upon, but not limited to, an assessment of the following
evaluation factors:
(a) The adequacy of underwriting standards, soundness of credit administration practices, and
appropriateness of risk identification practices;
(b) The level, distribution, severity, and trend of problem, classified, non-accrual, restructured,
delinquent, and non-performing assets for both on and off-balance sheet transactions;
(c) The adequacy of the allowance for probable losses and other asset valuation reserves;
(d) The credit risk arising from or reduced by off-balance sheet transactions, such as unfounded
commitments, commercial and standby letters of credit;
(e) The diversification and quality of the loan and investment portfolios;
(f) The existence of asset concentrations;
(g) The adequacy of loan and investment policies, procedures, and practices;
(h) The ability of management to properly administer its assets, including the timely
identification and collection of problem assets;
(i) The adequacy of internal controls and management information systems; and
177
(j) The volume and nature of credit documentation exceptions.
Ratings
A brief description of each numerical rating for asset quality component is as follows:
Rating 1: Indicates strong asset quality and credit administration practices. Identified
weaknesses are minor in nature and risk exposure is modest in relation to capital
protection and management’s abilities. Asset quality in such banks is of minimal
supervisory concern.
Rating 2: Indicates satisfactory asset quality and credit administration practices. The level
and severity of classifications and other weaknesses warrant a limited level of
supervisory attention. Risk exposure is commensurate with capital protection
and management’s abilities.
Rating 3: Indicates that asset quality or credit administration practices are less than
satisfactory. Trends may be stable or indicate deterioration in asset quality or an
increase in risk exposure. The level and severity of classified assets, other
weaknesses, and risks require an elevated level of supervisory concern. There is
generally a need to improve credit administration and risk management
practices.
.
Rating 4: Is assigned to banks with deficient asset quality or credit administration
practices. The levels of risk and problem assets are significant, inadequately
controlled, and subject the bank to potential losses that, if left unchecked, may
threaten its viability.
Rating 5: Represents critically deficient asset quality or credit administration practices that
present an imminent threat to the bank’s viability.
3.3 Management
The capability and performance of management and the board of directors is rated based upon, but
not limited to, an assessment of the following evaluation factors:
(a) The level and quality of oversight and support of all bank activities by the board of directors
and management;
(b) The ability of the board of directors and management, in their respective roles, to plan for, and
respond to, risks that may arise from changing business conditions or the initiation of new
activities or products;
(c) The adequacy of, and conformance with, appropriate internal policies and controls addressing
the operations and risks of significant activities;
(d) The accuracy, timeliness, and effectiveness of management information and risk monitoring
systems appropriate for the bank’s size, complexity, and risk profile;
(e) The adequacy of audits and internal controls to: promote effective operations and reliable
financial and regulatory reporting; safeguard assets; and ensure compliance with laws,
regulations, and internal policies;
(f) Compliance with laws and regulations;
(g) Responsiveness to recommendations from auditors and supervisory authorities;
178
(h) Management succession;
(i) The extent that the board of directors and management are affected by, or susceptible to,
dominant influence or concentration of authority;
(j) Reasonableness of compensation policies and avoidance of self-dealing;
(k) Demonstrated willingness to serve the banking needs of the community;
(l) The overall performance of the bank and its risk profile.
Ratings
A brief description of each numerical rating for management component is as follows:
Rating 1: Indicates strong performance by management and the board of directors and
strong risk management practices relative to the bank’s size, complexity, and
risk profile. All significant risks are consistently and effectively identified,
measured, monitored, and controlled. Management and the board have
demonstrated the ability to promptly and successfully address existing and
potential problems and risks.
Rating 2: Indicates satisfactory management and board performance and risk management
practices relative to the bank’s size, complexity, and risk profile. Minor
weaknesses may exist, but are not material to the safety and soundness of the
bank and are being addressed. In general, significant risks and problems are
effectively identified, measured, monitored, and controlled.
Rating 3: Indicates management and board performance that need improvement or risk
management practices that are less than satisfactory given the nature of the
bank’s activities. The capabilities of management or the board of directors may
be insufficient for the type, size or condition of the bank. Problems and
significant risks may be inadequately identified, measured, monitored, or
controlled.
.
Rating 4: Indicates deficient management and board performance or risk management
practices that are inadequate considering the nature of a bank’s activities. The
level of problems and risk exposure is excessive. Problems and significant risks
are inadequately identified, measured, monitored, or controlled and require
immediate action by the board and management to preserve the soundness of the
bank. Replacing or strengthening management or the board may be necessary.
Rating 5: Indicates critically deficient management and board performance or risk

management practices. Management and the board of directors have not
demonstrated the ability to correct problems and implement appropriate risk
management practices. Problems and significant risks are inadequately
identified, measured, monitored, or controlled and now threaten the continued
viability of the bank. Replacing or strengthening management or the board of
directors is necessary.
3.4 Earnings
The rating of a bank’s earnings is based upon, but not limited to, an assessment of the following
evaluation factors:
(a) The level of earnings, including trends and stability;
179
(b) The ability to provide for adequate capital through retained earnings;
(c) The quality and sources of earnings;
(d) The level of expenses in relation to operations;
(e) The adequacy of the budgeting systems, forecasting processes, and management information
systems in general;
(f) The adequacy of provisions to maintain the allowance for probable losses; and
(g) The earnings exposure to market risk such as interest rate and foreign exchange.
Ratings
A brief description of each numerical rating for earnings component is as follows:
Rating 1: Indicates earnings that are strong. Earnings are more than sufficient to support
operations and maintain adequate capital and allowance levels after
consideration is given to asset quality, growth, and other factors affecting the
quality quantity, and trend of earnings.
Rating 2: Indicates earnings that are satisfactory. Earnings are sufficient to support
operations and maintain adequate capital and allowance levels after
consideration is given to asset quality, growth, and other factors affecting the
quality, quantity, and trend of earnings. Earnings that are relatively static, or
even experiencing a slight decline, may receive a 2 rating provided the bank’s
level of earnings is adequate in view of the assessment factors listed above.
Rating 3: Indicates earnings that need to be improved. Earnings may not fully support
operations and provide for the accumulation of capital and allowance levels in
relation to the bank’s overall condition, growth, and other factors affecting the
quality, quantity, and trend of earnings.
.
Rating 4: Indicates earnings that are deficient. Earnings are insufficient to support
operations and maintain appropriate capital and allowance levels. Banks so rated
may be characterized by erratic fluctuations in net income or net interest margin,
the development of significant negative trends, nominal or unsustainable
earnings, intermittent losses, or a substantive drop in earnings from the previous
years.
Rating 5: Indicates earnings that are critically deficient. A bank with earnings rated 5 is
experiencing losses that represent a distinct threat to its viability through the
erosion of capital.
3.5 Liquidity
Liquidity is rated based upon, but not limited to, an assessment of the following evaluation factors:
(a) The adequacy of liquidity sources compared to present and future needs and the ability of the
bank to meet liquidity needs without adversely affecting its operations or condition;
(b) The availability of assets readily convertible to cash without undue loss;
(c) Access to money markets and other sources of funding;
180
(d) The level of diversification of funding sources, both, on-and off-balance sheet;
(e) The degree of reliance on short-term, volatile sources of funds, including borrowings and time
deposits, to fund longer term assets;
(f) The trend and stability of deposits; and
(g) The capability of management to properly identify, measure monitor, and control the bank’s
liquidity position, including the effectiveness of funds management strategies, liquidity
policies, management information systems, and contingency funding plans.
Ratings
A brief description of each numerical rating for liquidity component is as follows:
Rating 1: Indicates strong liquidity levels and well-developed funds management

practices. The bank has reliable access to sufficient sources of funds on
favorable terms to meet present and anticipated liquidity needs.
Rating 2: Indicates satisfactory liquidity levels and funds management practices. The bank
has access to sufficient sources of funds on acceptable terms to meet present and
anticipated liquidity needs. Modest weaknesses may be evident in funds
management practices.
Rating 3: Indicates liquidity levels or funds management practices in need of

improvement. Banks rated 3 may lack ready access to funds on reasonable terms
or may evidence significant weaknesses in funds management practices.
.
Rating 4: Indicates deficient liquidity levels or inadequate funds management practices.
Banks rated 4 may not have or be able to obtain a sufficient volume of funds on
reasonable terms to meet liquidity needs.
Rating 5: Indicates liquidity levels or funds management practices so critically deficient

that the continued viability of the bank is threatened. Banks rated 5 require
immediate external financial assistance to meet maturing obligations or other
liquidity needs.
C. COMPOSITE RATINGS
Composite ratings are based on a careful evaluation of a bank’s managerial, operational, financial,
and compliance performance. The five key components used to assess a bank’s financial condition
and operations are: Capital adequacy, Asset quality, Management capability, Earnings quantity
and quality and the Adequacy of liquidity. The rating scale ranges from 1 to 5 as defined below:
Composite 1
Banks in this group are sound in every respect and generally have components rated 1 or 2. Any
weaknesses are minor and can be handled in a routine manner by the board of directors and
management. These banks are the most capable of withstanding the vagaries of business
conditions and are resistant to outside influences such as economic instability in their trade area.
These banks are in substantial compliance with laws and regulations. As a result, these banks
exhibit the strongest performance and risk management practices relative to the bank’s size
complexity, and risk profile, and give no cause of supervisory concern.
Composite 2
181
Banks in this group are fundamentally sound. For a bank to receive this rating, generally no
component rating should be more severe than 3. Only moderate weaknesses are present and are
well within the board of directors’ and management’s capabilities and willingness to correct.
These banks are stable and are capable of withstanding business fluctuations. These banks are in
substantial compliance with laws and regulations. Overall risk management practices are
satisfactory relative to the bank’s size, complexity, and risk profile. There are no material
supervisory concerns and, as a result, the supervisory response is informal and limited.
Composite 3
Banks in this group exhibit some degree of supervisory concern in one or more of the component
areas. These banks exhibit a combination of weaknesses that may range form moderate to severe;
however, the magnitude of the deficiencies generally will not cause a component to be rated more
severely than 4. Management may lack the ability or willingness to effectively address weaknesses
within appropriate time frames. Banks in this group generally are less capable of withstanding
business fluctuations and are more vulnerable to outside influences than those banks rated a
composite 1 or 2. Additionally, these banks may be in significant noncompliance with laws and
regulations. Risk management practices may be less than satisfactory relative to the bank’s size,
complexity, and risk profile. These banks require more than normal supervision, which may
include formal or informal enforcement actions. However, failure appears unlikely, given the
overall strength and financial capacity of these banks.
Composite 4
Banks in this group generally exhibit unsafe and unsound practices or conditions. Banks have one
or more of their components rated 5. There are serious financial or managerial deficiencies that
result in unsatisfactory performance. The problems range from severe to critically deficient. The
weaknesses and problems are not being satisfactorily addressed or resolved by the board of
directors and management. Banks in this group generally are not capable of withstanding business
fluctuations. There may be significant noncompliance with laws and regulations. Risk
management practices are generally unacceptable relative to the bank’s size, complexity, and risk
profile. Close supervisory attention is required, which means, in most cases, formal enforcement
action is necessary to address the problems. Failure is a distinct possibility if the problems and
weaknesses are not satisfactorily addressed and resolved.
Composite 5
Banks in this group exhibit extremely unsafe and unsound practices or conditions; exhibit a
critically deficient performance; often contain inadequate risk management practices relative to
the bank’s size, complexity, and risk profile; and are of the greatest supervisory concern. The
volume and severity of problems are beyond management’s ability or willingness to control or
correct. Immediate outside financial or other assistance is needed in order for the bank to be
viable. Ongoing supervisory attention is necessary. Banks in this group pose a significant risk and
failure is highly probable.
182
APPENDIX: XXXI
RISK RATING GUIDELINES

1. CREDIT RISK
QUANTITY OF RISK (QR) QUALITY OF RISK MANAGEMENT (QRM)
FACTORS Low Moderate High SCORE FACTORS SCORE
Loans to total assets Below 20%-50% Above 3 Board & Senior Management Oversight: 2
20% 50%
Aggregate large exposure (10% or more) to total Below 150%- Above 2 Board approval of credit risk strategy, policies 2
capital 150% 300% 300% including policy exceptions
Non-performing loans to gross loans Below 5%-10% Above 1 Lending authority structure and sanctioning 1
5% 10% limits approved by the board are in place
Growth rate of loans (annual) Below 20%-40% Above 3 Review of strategy and policies at least 2
20% 40% annually
Off BS exposures to total capital Below 160%- Above 3
60% 180% 180%
Others: JUDGEMENTAL 2 Top management and individuals responsible 2
for credit risk management possess sound
expertise and knowledge to accomplish the risk
management function
Degree of Concentration (sectoral, geographical, 2 Review of exposure to insiders and their 2
maturity, etc) related parties
Change in portfolio and/or product mix, target 1 Board reviews trends in portfolio quality & 2
market, new products & service delivery adequacy of provision for credit losses
channels
Change in external factors (exchanges rate, 2 Board outlines content and frequency of 2
natural calamities, interest rate, inflation, legal, reports
competition and market condition, technology)
Size of off balance sheet items 1 Managers develops procedures and practices in 3
line with policies approved by the board and
implements effectively
Growth of off-balance sheet items 1 Timely dissemination of policies, procedures 2
and other information to staff involved
The levels and trends of classified, non- 2 Management monitors quality of credit 3
performing and problem assets portfolio and ensuring that adequate provisions
are made.
183
Exposure to placements with other banks (local 2 The appropriateness of management’s response 2
and foreign) to deficiencies identified in policies,
procedures, personnel and control systems.
Policies, procedures and limits: 2
The consistency of the policies with the bank’s 2
overall strategic direction and tolerance limits
Policies should provide guidance on all aspects 2
of risk management function
The appropriateness of policies that establish 1
risk limits or positions and whether the bank
requires periodic review.
Policies address target market, level of 1
diversification, acceptable collateral
Criteria for granting credit facilities. e.g. 1
Purpose of credit, repayment history, etc
Credit evaluation process, administration, and 2
documentation
Approval limits including authority for 2
approving exceptions
Concentration limits on single 2
borrowers/counterparty, group of connected
borrowers/counterparty, products, industry, etc
Strategy on credit pricing is in place 2
Roles and responsibilities of staff in 2
origination and management of credit
Guidance on management of problem loans 2
Guidance on internal rating system 2
Adequacy and appropriateness of credit 2
policies, procedures and limits
Risk Measurement, Monitoring and MIS 3
Adequate and reliable credit analysis including 2
syndicated loans
A system of identifying related borrowers 2
Clear audit trail documenting approval process 2
Criteria for renewing and/or change of terms 2
and conditions of existing credits
184
Adequate documentation including updated 3

information
Reliable MIS to assist board and management 3
in their respective oversight roles i.e.
Production of timely, accurate, complete and
relevant reports.
MIS checks for compliance with policies, 3
procedures, limits, laws and regulations
Adequacy and quality of mitigating tools e.g. 2
Type of collateral (new)
Credit monitoring-site visits, review of 3
collateral, identification of credit deterioration
Rating of borrowers or portfolio, review be 3
done at least quarterly
Adequate system for identifying problem loans 2
and mange them effectively.
Internal Controls 3
Adequacy of internal controls including 3
segregation of duties and dual control
The scope, frequency and independence of risk 2
review, quality assurance, external/internal
audit functions
The effectiveness of risk review, quality 3
assurance, and external/internal audit functions
in identifying deficiencies.
QUANTITY OF RISK AVERAGE SCORE 2 QUALUTY OF RISK MANAGEMTN AVERAGE 3
SCORE
QUANTITY OF RISK RATING Moderate QUALITY OF RISK MANAGEMENT RATING Weak
NET RISK: High
KEY: High risk = 3, Moderate risk = 2, Low risk =1 KEY: Strong QRM = 1, Acceptable QRM = 2, Weak QRM = 1
185
2. LIQUIDITY RISK
Liquid assets to current liabilities (liquid asset ratio) Above 20%-40% Below 1 Board & Management Oversight:
40% 20%
Excess short term liabilities to long term assets Below 0%-20% Above 3 Board approval of liquidity risk strategy and
0% 20% policies
Gross loans to total deposits Below 70%-80% Above 1 Review of strategy and policies at least
70% 80% annually
Quality of personnel and their responsibilities
Others: JUDGEMENTAL 2 Monitoring liquidity risk profile through
reviewing various reports
Level of maturity gap Board outlines content & frequency of reports
Asset & OBSE growth funded by volatile large deposits Management effectively implements
strategies and policies through developing
procedures and practices
The capacity to access additional unsecured market funding (in a normal and in a distressed Establishment of internal controls-lines of
environment) accountability and authority
Any borrowing form NBE (discount window) Timely dissemination of policies, procedures
and other information to individuals involved
The presence of off-balance-sheet items which could result in cash flows to or from the Oversee implementation and maintenance of
balance sheet MIS & other systems for managing the risk
Change in interest rate (refer to interest rate risk factors) Identification and approval of policy
exceptions by the board
Relationship of volume and trends in liquid assets compared with volume and trends of Policies, Procedures and Limits:
liabilities
The loyalty and stability of the customer base Policies should address strategies on
composition of assets and liabilities,
diversification of funding sources how to
manage liquidity in different currencies,
dealing with liquidity disruptions, etc.
Status in the inter-bank market (net borrower or net lender) The consistency of the liquidity policy with
the bank’s overall strategic direction and
tolerance limits
186
How external sources of liquidity view the bank’s current and projected: Asset quality, Whether the policy establishes appropriate
earnings, and capital and reputation risk, or other credit-sensitive factors that could influence responsibilities and accountability at every
customer behavior level
Impact of the parent company’s and affiliate’s current and projected: asset quality, earnings, Adequacy of procedures for communicating
capital, & liquidity; reputation risk, strategic risk, or other factors that could influence policies and expectations to appropriate
customer behavior. personnel (starting with the asset-liability
committee (ALCO) or similar committee)
The impact of the external market environment including : relative cost of funds, economic Appropriateness of Liquidity risk
conditions, including job growth, migration, industry concentrations, competition, etc. management tools including limits and the
appropriateness of liquidity guidelines that
establish risk limits or positions and whether
periodic review is required.
Contingency plan for handling liquidity crises
under normal and abnormal circumstances
Policies should provide guidance on all
aspects of risk management function
Risk Measurement, Monitoring and MIS 0.75
Liquidity risk measurement through

assessment of bank’s cash inflows against its
outflows including funding needs for OBSE
(maturity ladder), maturity gap limits and
adherence to limits
Monitoring of economic and market trends
affecting liquidity
Making assumptions about future funding
needs & review them from time to time
Bank maintains a margin of excess liquidity
MIS checks for compliance with policies,
procedures, limits, laws, directives
Bank manages its liquidity position in
individual and aggregate major currencies
Bank’s effort to establish and maintain
market access
187
Reliable MIS for day-to-day liquidity

management
Bank performs stress testing and produces

reports for senior management review.
Internal Controls:
Scope, frequency, effectiveness, and

independence of the risk review, quality
assurance, and internal/external audit
functions.
The effectiveness of control systems to

identify and prevent internal control
deficiencies
Results of review be reported to the board &

management to respond to the
recommendations
QUANTITY OF RISK AVERAGE SCORE 2 QUALITY OF RISK MANAGEMTN AVERAGE
SCORE
QUANTITY OF RISK RATING Moderate QUALITY OF RISK MANAGEMTN RATING Weak
COMPOSITE RISK: High
KEY: High risk = 3, Moderate risk = 2, Low risk =1 KEY: Strong QRM = 1, Acceptable QRM = 2, Weak QRM = 1
188
3. Market Risk
3.1 FOREIGN EXCHANGE RISK


Net open position to total capital Below+/- +/-10%-20% Above 3 Board & Management Oversight: 2
10% +/- 20%
Income from foreign exchange trading and revaluation Below 10%-20% Above 2 Board & Management awareness, effectiveness
to total income [if the numerator is negative, ignore 10% 20% and expertise in managing the risk
this ratio] Board approval of foreign exchange risk strategy
and significant policies
Others: JUDGEMENTAL 2 Review of strategy and significant policies at least
annually
Quality of personnel and their responsibilities
Extent and trend of foreign exchange rate fluctuation in Monitoring foreign exchange risk profile through
major currencies against the Birr reviewing various reports
The mismatch of assets and liabilities denominated in a Board outlines content and frequency of reports
foreign currency including cash flow mismatch (refer
liquidity risk factors)
Growth in foreign currency assets/liabilities and Off Management effectively implements strategies and
Balance Sheet Exposures (OBSE) policies through developing procedures and
practices
Level and trend of income and expense items Establishment of internal controls-lines of
denominated in foreign currencies accountability and authority
The types of products held in foreign currency Timely dissemination of policies, procedures and
accounts (e.g. loans, deposits, securities, etc) other information to individuals involved
The exposure to market volatility or other external Oversee implementation and maintenance of MIS
factors such as economic conditions, legislative & other systems for managing the risk
changes, technological changes, and competition
Identification and approval of policy exceptions by
the board
Policies, Procedures & Limits: 2
Policies should include a statement of risk
principles and objectives governing the extend to
which the bank is willing to assume risk
189
Policies should provide for prudent limits on

exposure to foreign exchange risk and review of
the same
Policies should provide for clearly defined levels
of delegation of trading authorities
Policies should provide for the review of new
activities to ensure that infrastructures are in place
to manage the risk
Policies should provide guidance on all aspects of
risk management function
The appropriateness of the approval process for
policy exceptions
The adequacy of the internal control for hedging
operations (front-and back office) including
segregation of duties, dual controls, and authority
commensurate with duties, etc
The capabilities of the front-and back-office
systems to support current and projected foreign-
currency-denominated activities.
Bank measures exposure to foreign exchange risk

e.g. Using net open position
Use of hedging instruments
Monitoring of economic and market trends
affecting foreign exchange activities
Making assumptions about future foreign
exchange needs & rates, & review them from time
to time
procedures, limits, laws and regulations
Reliable MIS that produce timely, accurate,
complete, and relevant management information,
including OBSE
Bank performs stress testing and produces reports
for senior management review.
190
Internal Controls 2
Responsiveness of control systems to prevent and

respond to internal control deficiencies
Scope, frequency, effectiveness, and independence
of the risk review, quality assurance, and
internal/external audit functions.
The independence of risk-monitoring and control
functions from the risk-i.e. segregation of duties
and
delegation of authority
taking functions(s)
QUANTITY OF RISK AVERAGE SCORE 2 QUALITY OF RISK MANAGEMTN AVERAGE SCORE 2
QUANTITY OF RISK RATING Moderate QUALITY OF RISK MANAGEMTN RATING Acceptable
COMPOSITE RISK: Moderate
KEY: High risk = 3, Moderate risk = 2, Low risk = 1 KEY: Strong QRM = 1, Acceptable QRM = 2, Weak QRM = 3
191
3.2 INTEREST RATE RISK

FACTORS Low Moderate High SCORE FACTORS SCOR
E
Interest bearing assets to interest bearing liabilities: 3 Board & management oversight: 2
- when liabilities are more than assets 75%- 50%-75% Below Board & Management awareness, effectiveness
100% 50% and expertise in managing the risk
- when assets are more than liabilities 100%- 125%-150% Above Board approval of interest rate risk strategy and
125% 150% significant policies
Interest income to total income Below 50%-70% Above 3 Review of strategy and significant policies at least
50% 70% annually
Others: JUDGEMENTAL 2 Quality of personnel and their responsibilities
Re-pricing mismatch of assets and liabilities over the Monitoring interest rate risk profile through
short-term and long term reviewing various reports
The vulnerability of earnings and capital to large Board outlines content and frequency of reports
interest rate changes/fluctuations.
Use of different indices to price assets and liabilities Management effectively implements strategies and
(e.g. T-bill rate, inter-bank rate etc) that may change at policies through developing procedures and
different times or by different amounts practices
Exposure of on-and off-balance-sheet positions to Establishment of internal controls- lines of
changes in the yield levels and shape accountability and authority
The ability of the funding strategy to tolerate adverse Timely dissemination of policies, procedures and
interest rate movements other information to individuals involved
The impact of the bank’s overall business strategy on Oversee implementation and maintenance of MIS
interest rate risk (e.g. entering into new business & other systems for managing the risk
activities, speculating on the direction and volatility of
interest rates, investing in supporting technology)
Reliance on Treasury Bills (which are considered to Identification and approval of policy exceptions by
have low returns) the board
Overexposure to low yield nostro accounts 3.0 Policies, Procedures & Limits: 2
Policies should provide for prudent limits on
exposure to interest rate risk and review of the
same
Policies should provide for clear lines of
responsibility and accountability in managing the
risk
192
Policies should provide for the review of new

products & activities to ensure that infrastructures
are in place to manage the risk
Policies should provide guidance on all aspects of
risk management function
Bank measures exposure to interest rate risk e.g.

gap analysis
Perform stress testing to determine bank’s
vulnerability to change in market condition
Making assumptions about interest rates, maturity,
etc & review them from time to time
procedures, & limits
Reliable MIS that produce timely, accuracy,
complete, and relevant management reports for
monitoring, and control functions
Internal Control 3
The scope, frequency, effectiveness, and
independence of the risk review, quality assurance,
and internal/external audit functions
The effectiveness of control systems to identify
and prevent internal control deficiencies including
segregation of duties and delegation of authority
The independence of risk-monitoring and control
functions form the risk-taking function(s)
The independence and validation of models and
other measurement tools and the validity of
assumptions
QUANTITY OF RISK AVERAGE SCORE 3 QULAITY OF RISK MANAGEMTN AVERAGE SCORE 3
QUANTITY OF RISK RATING High QUALITY OF RISK MANAGEMTN RATING Weak
NET RISK: High
KEY: High risk = 3, Moderate risk = 2, Low risk = 1 KEY: Strong QRM = 1, Acceptable QRM = 2, Weak
QRM = 3
193
4. OPERATIONAL RISK
QUANTITY OF RISK QUALITY OF RISK MANAGEMTN (QRM)

JUDGEMENTAL 3 Board & Senor Management Oversight: 3
Staff turnover Board & management awareness, effectiveness and expertise in
managing the risk
Volume and frequency of Frauds (actual losses and Board provides clear guidance and direction to management and
attempts) approves policies
Burglaries and robberies (actual losses and Clear definition as to what constitutes operational risk
attempts)
System failures Board & management establish clear lines of management
responsibility, accountability and reporting
Customer complaints Key processes are in place to mange the risk
Frequency of data processing errors Board review policies regularly to accommodate changes in the
market and for new products.
Level of complexity of products Bank has qualified staff with necessary experience, technical
capabilities and access to resources e.g. training, computers, etc
Compliance Policies are communicated to all staff, and remuneration policies
are consistent with bank’s risk appetite
Litigations against the bank Policies, Procedures & Limits: 3
Business strategies Policies provide structure of operational risk management
function and roles and responsibilities of individuals involved
Policies establish a process to evaluate operational risk involved
in new products or systems before launch/use
Policies provide for the review of new products & activities to
ensure that infrastructures are in place to mange the risk
Policies provide for guidance on managing risks associated with
outsourcing activities
Disaster recovery and business continuity plans are in place, and
periodically reviewed.
Risk identification system is in place
Bank assesses its vulnerability to identified risks
Review and monitoring activities of 3rd party service providers
194
Bank has an effective monitoring process to ensure compliance

with laws, directives, internal policies and procedures.
Frequency reporting to board and management on compliance
with laws, directives, internal policies and procedures
Reports on frauds and losses-amounts involved, trends and
frequency.
Internal Controls 2
Board and management review of bank’s progress towards the
stated objectives e.g. performance review vs. budget
A system of documented approvals and authorizations to ensure
accountability
Segregation of duties and that personnel are not assigned
responsibilities which create conflict of interest
Internal audit is independent from operational risk management
process
Adequate internal coverage to verify that operating policies and
procedures are effectively implemented
QUANTITY OF RISK AVERAGE SCORE 2 QULAITY OF RISK MANAGEMTN AVERAGE SCORE 3
QUANTITY OF RISK RATING Moderate QUALITY OF RISK MANAGEMENT RATING Weak
Composite Risk High
KEY: High risk = 3, Moderate risk = 2, Low risk = 1 KEY: Strong QRM=1, Acceptable QRM = 2, Weak QRM =3
195
APPENDIX: XXXII
REPORT OF EXAMINATION FORMAT

Table of Contents
1.0 Background Information

1.1 Institutional Overview
1.2 Scope of Examination
1.3 Exit Meeting
2.0 Executive Summary

2.1 Examination Conclusions
2.1.1 Risk Rating
2.1.2 CAMEL Rating
2.2 Recommendations
3.0 Assessments
3.1 Risk Assessment
3.1.1 Significant Activities and Related Risks
3.1.2 Effectiveness of the RMCF
3.1.3 Adequacy of Capital and Profitability
3.1.4 Composite Risk Rating
3.2 CAMEL Analysis

3.2.1 Capital Adequacy
3.2.2 Asset Quality
3.2.3 Management
(a) Operational Management
(b) Risk Management Control Functions
(i) Board Oversight
(ii) Senior Management
(iii) Risk Management
(iv) Internal Audit
(v) Compliance
(vi) Information and Communication
3.2.4 Earnings
3.2.5 Liquidity
3.2.6 Overall CAMEL Rating
4.0 Other Supervisory Matters
5.0 Appendices
196
APPENDIX: XXXIII
REPORT OF EXAMINATION CONTENTS
This Report of Examination consists of five major sections as indicated below:
1.0 Background Information

2.0 Executive Summary
3.0 Assessments
4.0 Other Supervisory Matters
5.0 Appendices
Brief description of each section of the report is as follows:
1.0 Background Information: The Background Information section contains the Institutional
Overview, Scope of Examination and Exit Meeting sub-sections.
2.0 Executive Summary: The Executive Summary section contains Examination Conclusions
regarding Risk and CAMEL Ratings, Supervisory Concerns and Recommendations.
3.0 Assessments: Assessments Section contains Risk Assessment, and CAMEL analysis.
4.0 Other Supervisory Matters: This section includes analysis of those issues that were not
discussed in the previous sections such as introduction of new products, branch expansion,
mergers and acquisitions, etc.
5.0 Appendices: Appendices section contains various information to support examination

observations and conclusions. The information includes comparative balance sheets, comparative
income statements, capital analysis, asset classification, credit concentration, assets with
documentation exceptions and any other relevant information.
Section I: Background Information
1.1 Institutional Overview
This sub-section should include the following: Ownership, status of the bank, branch network,
date of license and incorporation, major changes in the bank since previous examination.
1.2 Scope of Examination
This sub-section is used to provide statement of reliance placed on the work of internal and
external auditors and other relevant parties, list areas reviewed during the examination and briefly
describe the extent of those reviews. At minimum, the following should be addressed: date of
examination (commencement and conclusion), the type of examination (full-scope, targeted), and
areas of focus based on the results of risk assessment.
1.3 Exit meeting

This sub-section should include a confirmation that examination results were discussed with the
bank and a list of those attending the meeting. The date of exit meeting should also be indicated.
Section II: Executive Summary
Examination Conclusions
(A) Summary of ratings
197
Examiner should report the overall risk and CAMEL rating in a tabular form for current and two
previous examinations.
(B) Risk Rating
Examiner should briefly comment on the overall quantity of risks and the quality of risk
management and overall composite risk rating and the direction of risks over the next 12 months.
Examiner should also comment on the highest risk for the bank, its rating and the reasons thereof.
(C) CAMEL Rating
Examiner should briefly comment on the composite CAMEL rating and provide ratings of
individual CAMEL components. Examiner should also comment on the components which have
received unsatisfactory ratings and reasons thereof.
Supervisory Concerns and Recommendations
In this section, examiner should list major supervisory concerns and recommendations to address
all weaknesses observed. Recommendations should be specific, time bound and listed in order of
importance.
Section III: Assessments
3.1 Risk Assessment
(A) Summary of risk rating
Examiner should report the overall risk rating and individual risk ratings in a tabular form (Risk
Matrix)
(B) Results of assessment
Examiner should provide summary of significant activities and related risks identified; an
assessment of the effectiveness of the RMCF; an assessment of adequacy of capital and the
profitability of the bank; and composite risk rating for the next 12 months. Examiner should also
provide reasons for his/her conclusions regarding the quantity of each type of risk, the quality of
risk management and the direction of a particular risk. Significant issues or concerns are also
indicated here.
3.2 CAMEL Analysis
(A) Summary of Rating
Examiner should report the rating of CAMEL components in a tabular form for current and two
previous examinations.
(B) Examiner should comment on the individual CAMEL components ratings and reasons thereof. At
minimum, examiners should provide the following information in each component report:
3.2.1 Capital Adequacy
Under this section, conclusion of the following information should be reported:
(a) Whether the capital meets the minimum regulatory requirements;

(b) Adequacy of a bank’s capital including the impact of asset quality, off-balance-sheet items and
earnings;
198
(c) Trends of changes in the capital level and structure;

(d) Comparison of growth of capital and assets;
(e) Adequacy of allowances for probable losses and their effect on the capital when they are inadequate;
(f) Dividend policies and their impact on the capital;
(g) Management and shareholder ability/willingness to maintain an adequate level of capital; and
(h) Any additional capital required to meet the regulatory requirements.
3.2.2 Asset Quality
(a) Adequacy of underwriting standards, soundness of credit administration practices, and appropriateness
of risk identification practices;
(b) The level, distribution, severity, and trend of problem, classified, non-accrual, restructured, delinquent,
and non-performing assets for both on and off-balance sheet transactions;
(c) The adequacy of the allowance for probable losses and other asset valuation reserves;
(d) The credit risk arising from or reduced by off-balance sheet transactions, such as unfounded
commitments, commercial and standby letters of credit;
(e) The diversification and quality of the loan and investment portfolios;
(f) The existence of asset concentrations;
(g) The adequacy of loan and investment policies, procedures, and practices;
(h) The ability of management to properly administer its assets, including the timely identification and
collection of problem assets;
(i) The adequacy of internal controls and management information systems; and
(j) The volume and nature of credit documentation exceptions.
3.2.3 Management
(a) Operational Management (OM); and

(b) Risk Management Control Functions (RMCF) including:
i) Board Oversight;
ii) Senior Management;
iii) Risk Management;
iv) Internal Audit;
v) Compliance; and
vi) Information and Communication.
3.2.4 Earnings
(a) Level of earnings, including trends;
(b) Quality and structure of earnings, adequacy of provisions for probable losses;
(c) Major types of income/expense sizes and trends;
(d) Vulnerability to outstanding items, types of activities with high risks, and unconventional sources of
income;
199
(e) Control over income and expenses including variance analysis of budget vs. actual;
(f) Vulnerability to expensive funds;
(g) Timely adjustments to the balance-sheet to ensure accurate booking of income and expense;
(h) Impact of possible claims to the bank arising from litigations; and
(i) Income/expense items that should be adjusted in accordance with the results of the examination.
3.2.5 Liquidity
(a) Trends, levels and sources of liquid assets (i.e. those assets that can be easily converted to cash);
(b) Money markets and other sources of funding;
(c) Diversity of funding sources of balance-sheet and off-balance-sheet items;
(d) Stability of attracted funds with regard to the bank’s level of vulnerability to expensive and unstable
funding sources (inter-bank funds, etc);
(e) Management’s ability and competence to adequately determine, measure, monitor and control the
bank’s liquidity position;
(f) Adequacy of management information systems, contingency planning and compliance with liquidity
requirements including timely and adequate decision making in the funds management areas; and
(g) Possible impact of other risks on liquidity.
Section IV: Other Supervisory Matters
This section includes analysis of those issues that were not discussed in the previous sections such as:
(a) Introduction of new products;

(b) Branch expansion;
(c) Mergers and acquisitions, reorganizations, restructuring;
(d) The bank’s relationships and/or dependence on its related practices; and
(e) Other issues.
Section V: Appendices
Appendices section contains various information to support examination observations and conclusions. The
information include comparative balance sheets, comparative income statements, capital analysis, asset
classification, credit concentration, assets with documentation exceptions, list of shareholders, board of
directors and senior management and any other relevant information.
200

National Bank of Ethiopia Risk-Based Supervision Framework

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

National Bank of Ethiopia Risk-Based Supervision Framework

Uploaded by

Copyright:

Available Formats

National Bank of Ethiopia

By: FISP Study Team

Appendix XXIV: Scope Authorization Form 125

1.0 MISSION, VISION, OBJECTIVES & CORE VALUES OF BANKING SUPERVISION

Developing supervisory practices is a dynamic process. Continuing change in the banking

3.0 BENEFITS OF RBS FRAMEWORK

4.0 KEY PRINCIPLES/POLICIES

5.0 COORDINATION OF SUPERVISORY ACTIVITIES

5.1 Desk Officer

6.0 RISK-BASED SUPRVISION METHODOLOGY

Table 1: Steps of Risk-Based Supervision (see detail steps in Appendix I)

6.1 Understanding the Institution - Step 1

6.2 Assessing the Institution’s Risk – Step 2

Inherent Risk mitigated by Quality of Risk Management = Net Risk

6.2.1 Significant Activities (Horizontal Assessment – Track 1)

6.2.2 Inherent Risk

 Credit risk (asset quality);

The following are definitions of the above risk categories.

 Interest rate risk; and

The above risks are described further below:

i) Interest Rate Risk

ii) Foreign Exchange Risk

i) Information Technology (IT) Risk

ii) Legal and Regulatory Risk

iii) Strategic Risk

iv) Reputational Risk

a) Low Inherent Risk:

b) Moderate Inherent Risk:

c) High Inherent Risk:

6.2.3 Quality of Risk Management

b) Risk Management Control Functions

 Ensure that management is qualified and competent;

(ii) Senior Management

 Develop sound business practices, culture and ethics.

(iii) Risk Management

(iv) Internal Audit

(vi) Information and Communication

6.2.4 Overall Assessment of Each RMCF (Vertical Assessment – Track 2)

6.2.5 Net Risk

Aggregate Aggregate Level of Inherent Risk

6.2.6 Direction of Net Risk

6.2.7 Overall Net Risk

6.2.8 Direction of Overall Net Risk

6.2.9 Vertical Assessment by Risk Types (Track 3)

6.2.10 Earnings and Capital

6.2.11 Composite Risk Rating

6.2.12 Direction of Composite Risk

6.2.13 Time Frame

‘Time Frame’ is determined based on supervisors’ knowledge on potential changes in factors

6.2.14 Risk Matrix

6.2.15 Risk Assessment Summary

6.2.16 Supervisory Intervention

6.2.17 Quarterly Ratings

6.3 Planning and Scheduling Supervisory Activities – Step 3

6.3.1 Tools of Supervision

Tools of supervision that may be included in supervisory plan include:

6.3.2 Supervisory Cycle and Supervisory Period

6.4 Defining Examination Activities – Step 4

6.4.1 Information Request Letter

6.4.2 Preliminary Review

During the pre-examination meeting the following issues may be discussed:

6.4.3 Scope Memorandum

(i) Scope and objectives of the examination;