Risk management Risk management
Policy, organisation and structure of risk management
VTB Group–level risk management
The main risks that VTB Group is exposed to are credit risk, market risks (including risks associated with changes in the market prices of financial instruments, interest rates and foreign exchange rates), liquidity risk and operational risks (including legal risks), as well as individual subtypes of concentration risk (risk of credit concentration within a group of borrowers, risk of concentration of financial instruments, risk of concentration of sources of liquidity).
Risk management at the Group level includes risk identification, evaluation and monitoring; control over the size, structure and concentration of risks; identification of effective measures to optimise and minimise risks; and compiling regular risk reports.
One of VTB Group’s key principles of risk management is to take the Group’s risk appetite into account when managing its activities. Risk appetite is determined in accordance with regulatory requirements and international practice. This approach involves the identification and oversight of the Group’s overall target risk level and risk profile in accordance with its strategic objectives and the integration of risk appetite into business planning and risk management procedures.
A high-level risk appetite for the Group includes the following key provisions:
- the size of potential losses on risks accepted by the Group should not reach a level that would lead to the cessation of the Group’s operations, including under stress conditions;
- Group companies must have enough capital to secure the interests of creditors in the hypothetical (extremely unlikely) event of unexpected losses as a result of risks taken;
- the structure of the Group’s operational cash flow and liquidity reserves should ensure the timely fulfilment of obligations to clients in the short and long term;
- the structure of assets and liabilities must ensure the efficient use of resources and comply with the Group’s business model;
- the level of risk involved in the decision-making process must be assessed and monitored on an ongoing basis, and the impact of activities must also be assessed on an ongoing basis while taking risks into account;
- as part of its operations, the Group must try to avoid a high degree of concentration of credit risk in counterparties, industries and countries/regions with a high level of risk;
- sustainable development and economic efficiency in the long term;
- compliance with the regulatory requirements of the Bank of Russia, the recommendations of international bodies, as well as the requirements of local (foreign subsidiaries) or industry regulators;
- maintaining an impeccable reputation, avoiding actions that could result in harm to the Group’s reputation;
- maintaining and improving credit ratings granted by international rating agencies (without state support).
VTB Group’s high-level risk appetite is detailed through the establishment of specific quantitative and qualitative indicators, with corresponding reference values.
Quantitative indicators of risk appetite are divided into operational indicators (they may be passed down to the system of limits established for business lines, VTB Group companies and other allocation levels) and structural indicators (centrally managed at the Group level). Risk appetite indicators limit all significant risks inherent to VTB Group’s operations.
VTB Group has established a procedure for monitoring risk appetite and a procedure for actions to be taken in case of a violation of risk appetite reference values.
VTB Group’s risk appetite covers all significant risks assumed by the Group and also sets reference values for compliance with capital adequacy ratios. The Group uses its own internal assessment of capital adequacy (the ratio of the Group’s assets to its capital) to ensure that it has enough capital to FULFILL its strategic business objectives and business plan provided that its consolidated capital can cover unexpected losses from all risks assumed by the Group.
During the reporting period, the Group ensured compliance with capital adequacy targets and with regulatory standards, taking into account the established regulatory margins and measures to reduce the regulatory and oversight burden.
The key principles of the Group’s risk management system also include:
- compliance with legal and other mandatory requirements;
- transparency of risk-associated activities for shareholders, investors and other interested parties (primarily by disclosing the relevant information as required), taking into account their interests;
- analysing and managing risks on a consolidated basis, covering all of the Group’s Russian and foreign banks, as well as its key financial companies;
- optimal distribution of risks within the Group; minimising exposure and potential losses from risks in markets where the Group operates;
- developing a risk management culture within the Group’s companies, including improving employees’ skills in terms of identifying and preventing possible risks and losses in their areas of responsibility;
- providing the risk management function with sufficient resources, introducing modern methods for assessing and monitoring risks and automated risk management systems based on industry best practices.
The Group’s risk management system has a multilayered structure, which includes consolidated (Group-level) and local-level risk management, with a high degree of centralisation of the Group’s risk management function. The risk management system is built around the Group’s global business lines (Corporate-Investment Business, Medium and Small Business, Retail Business) and is based on the harmonisation of approaches to managing risk, including through the coordination of competencies exercised by the Group’s specialised risk divisions.
The standard organisational structure of the Group’s banks and financial companies includes an independent risk assessment and control division that corresponds to the appropriate risk profile, specific features and scale of the business, as well as a senior manager responsible for comprehensive risk management.
The organisational structure of risk management within VTB Group includes the following:
- collective bodies responsible for coordination within the Group;
- collective bodies within VTB Bank as the parent bank of the banking group;
- headquarters (the Group’s chief risk manager and the Group’s specialised risk divisions);
- management bodies at the local level, collective working bodies (committees), structural divisions / authorised officers within Group companies.
Control over the organisation of risk management and the risk management policy within the Group’s companies is carried out on a systematic basis, primarily through corporate governance (including through the representation of VTB Bank on subsidiaries’ supervisory councils / boards of directors), as well as through the Group’s specialised risk divisions. Key internal regulations of subsidiaries related to risk management are approved by governing bodies, taking into account the contribution of the specialised risk divisions.
As part of the development of internal procedures for assessing capital adequacy, the following results have been achieved:
- steady compliance with regulatory capital requirements established by the Bank of Russia – compliance with capital adequacy ratios, taking into account risk appetite beyond the reference values in light of the established regulatory margins;
- compliance with capital requirements to cover the risks assumed with a margin sufficient for the implementation of strategic business development measures;
- compliance with the planned targets in terms of capital structure and capital adequacy, capital distribution by types of significant risks and areas of business;
- establishment of a system of control of material risks that ensures the required level of monitoring of the amount of risk in different areas of business and early warning when reference values are within reach;
- increased attention to data integrity and quality as a means of increasing the efficiency of internal procedures for assessing capital adequacy;
- capital planning and monitoring of capital adequacy are carried out in light of business development plans and the results of integrated stress testing.
VTB Bank–level risk management
The Bank’s main internal documents specifying key principles of and approaches to the organisation and development of its risk management system (including subsidiaries included in the Group’s consolidated risk management) are the following:
- the Regulation on the VTB Bank Risk Management System designed in line with the Procedures endorsed by the Russian Government and approved by the Supervisory Council on 5 November 2020;
- VTB Bank’s Strategy for Managing Risk and Capital and the Procedure for Managing VTB Bank’s Most Significant Risks developed in accordance with the regulatory requirements of the Bank of Russia and subject to revision at least once a year to update its provisions.
In 2020, new versions of VTB Bank’s Strategy for Managing Risk and Capital and the Procedure for Managing VTB Bank’s Most Significant Risks were approved by a decision of the Bank’s Supervisory Council on 5 November 2020.
The main strategic objective in risk management is to minimise potential financial losses from exposure to the risks faced by the Bank’s operations, ensuring financial strength and long-term sustainable growth for the Bank in accordance with the strategic objectives specified by the Supervisory Council. VTB Bank’s Development Strategy aims to create an integrated risk management system that corresponds to the nature and scale of the Bank’s operations and risk profile, and that enables further business development in line with economic conditions and the Bank’s needs.
The Bank’s risk management is developed and improved in accordance with legal regulations and recommendations of the Bank of Russia, as well as generally accepted international standards and banking best practices.
VTB Bank’s risk management system comprises the Supervisory Council and the Bank’s executive bodies, credit committees, the Retail Risk Committee, the Finance Committee, the Credit and Market Risk Management Committee and other special committees and structural units involved in risk management processes.
Credit risk is the risk that the Bank (Group) will incur losses as a result of a counterparty’s non-performance (improper performance) of its obligations to the Bank (Group companies).
VTB Group–level credit risk management
Credit risk at VTB Group is managed simultaneously at the local level with VTB Group companies and at the Group (consolidated) level.
Within the framework of the local credit risk management system, VTB Group companies assume and manage credit risks independently (including through insurance and hedging of risks), within the scope of their authority and limits with regard to risk indicators, and in accordance with national regulations. VTB Group’s companies are responsible for the results of their lending activities and the quality of their loan portfolios and also for monitoring and controlling the credit risks associated with their portfolios.
The key elements of the Group’s consolidated credit risk management are as follows:
- harmonisation of credit policies (credit risk management policies) of the Group’s companies;
- development and adoption of common standards concerning credit procedures, decision-making processes, models and methods for managing credit risk to be used throughout the entire Group (including the methodology for assessing counterparties, pricing credit operations, collateral, monitoring, backup and stress testing);
- establishing consolidated limits and other restrictions within the Group (including limits on counterparties / groups of related counterparties, large transactions, countries, industry sectors);
- assessing the capital necessary to cover the Group’s credit risks;
- maintaining a centralised database of the Group’s borrowers, including those requiring particular attention;
- preparing regular consolidated financial statements regarding the Group’s credit risk and submitting them to the Group’s governing bodies for review.
Consolidated risk management covers all essential assets and off-balance-sheet operations of the Group’s companies that bear credit risk and that require control over their concentration within the Group as a whole. Within the context of consolidated control and reporting, the scope and range of such operations is determined by the Group’s coordinating bodies.
In 2020, specialised units within VTB Bank, including the Non-Core and Bad Assets Department and the Retail Debt Collection Department, dealt with identifying, monitoring and resolving issues of bad debt at the Group level.
In 2020, the corporate credit risks of subsidiary banks were managed by the Corporate Credit Risk Department. As the Group’s specialised risk division for corporate credit risks, the Corporate Credit Risk Department is responsible for developing common approaches and methods for managing corporate credit risks, for evaluating them on a centralised and systematic basis and for developing the optimal structure of corporate credit risk accepted by the Group, including its compliance with the Group’s risk appetite.
In 2020, the centralised management of retail risks at VTB Bank’s subsidiary banks was carried out by the Retail Credit Risk Department. Monitoring of the credit procedure in the expert decision-making area and control of limits on non-standard transactions was carried out by the Retail Credit Risk Department in conjunction with the Underwriting Department. As the Group’s specialised risk division dealing with credit risks, the Retail Credit Risk Department is responsible for developing common approaches and methods for managing retail risks, for evaluating them on a centralised and systematic basis and for developing the optimal structure of retail risk accepted by the Group, including its compliance with the Group’s risk appetite.
VTB Bank–level credit risk management
VTB Bank manages credit risk by:
- restricting credit risk through the Bank’s existing system of limits, which comply with the Bank of Russia’s mandatory regulations and other requirements. They are reviewed regularly by the Corporate Credit Risk Department and the Integrated Risk Management Department and approved by the authorised collective body;
- accepting collateral and insurance to cover credit risks, charging adequate fees for the credit risk and establishing provisions for possible loan losses;
- assessing the level of credit risk assumed by the Bank for each counterparty, as well as regularly monitoring the credit portfolio, individual customers, transactions and collateral (including by ranking borrowers);
- minimising credit risk at the loan application review stage and taking prompt measures as soon as credit risk factors have been identified through monitoring.
The Bank applies the following main methods of credit risk assessment:
- determining a customer’s level of creditworthiness by analysing financial and non-financial indicators and conducting an expert assessment (in compliance with the Bank’s internal procedures for ranking); the level at which a customer (or a group of related customers) is ranked is taken into account when determining the cost levels of loan transactions; assessing retail credit risks by means of scoring models and automated credit-related decision-making procedures, as well as verifying/assessing client data (the client’s financial position, social variables, credit history);
- analysing the level of concentration of the Bank’s credit risk for individual borrowers (or a group of related borrowers), industries, countries, customer segments, types of credit products;
- estimating possible losses from credit risk in the process of calculating and creating provisions for possible losses (in compliance with the requirements of the Bank of Russia and IFRS);
- assessing capital adequacy and the scale of credit risk when calculating the required ratios established by the Bank of Russia;
- determining internal capital needs (capital calculation) for credit risk, taking into account the actual quality of the loan portfolio (as required by the Bank of Russia and the standards set by the Basel Committee on Banking Supervision) ;
- conducting stress testing of loan portfolio losses, taking into account different macroeconomic scenarios.
The main tool for credit risk monitoring and mitigation is the system of established credit limits.
The key types of credit risk limits are:
- limits on the aggregate level of credit risk for the loan portfolio overall and for individual segments;
- limits restricting the level of risk for a particular customer (or a group of related customers); these limits include limits for operations with a customer (or a group of related customers), including sub-limits for various types of operations with a credit risk / designated purpose (credit limits, documentary limits, limits on trading activities, limits on transactions with debt securities, etc.);
- limits on the concentration of credit risk (by industry, country, credit products);
- credit and deposit limits are established for credit organisations (including overdraft sub-limits, nostro accounts, provision of funds), limits on trading operations, limits on transactions with debt securities, and limits on contingent liabilities;
- limits in accordance with the requirements (mandatory regulations) of the Bank of Russia.
The Bank employs collateral to reduce credit risk.
In the context of strategic initiatives undertaken in the reporting period, changes in the procedures and methodology for credit risk management were implemented.
The regulatory framework was updated as follows:
- the corporate ratings models were aligned with the retail segments of Group companies on the PDProbability of default. master scale;
- the previously unified business planning procedure for the retail loan portfolio in terms of the risk components set at subsidiary banks and in the Retail Business global business line was updated (separate qualitative planning for the new and old portfolios, planning additional risk metrics [arrears and repayment from 90+; amortisation and depreciation, early repayments, write-offs 90+]; the detailed breakdown of the actual and planned portfolios by credit deterioration buckets increased to 180+ days);
- models were developed for the segments cash loan refinancing, gold-secured loans (VTB Bank [Armenia]) and pre-approved credit cards (VTB Bank [Belarus]);
- the financial model (EROA assessment) was improved, including the unified methodology for calculating risk metrics.
Liquidity risk means the risk that the Group or a Group company will be unable to finance its activities, i.e., to ensure asset growth and settle liabilities as they become due without incurring losses in an amount that would threaten the financial stability of the Group and/or a Group company.
VTB Group–level liquidity risk management
Liquidity risk management involves a set of measures used to manage the Group’s assets and liabilities with the aim of maintaining the Group’s ability to meet its obligations while ensuring an optimal balance between the level of liquidity risk and profitability of the Group’s operations.
The VTB Group Management Committee, VTB Bank’s Finance Committee, VTB Bank’s Treasury Department and the Market Risk Division of the Integrated Risk Management Department all play a role in the Group’s liquidity risk management process.
The VTB Group Management Committee determines the Group’s general policy in the area of liquidity risk management, sets limits and triggers for VTB Group’s liquidity risk appetite, and also reviews reports on the status of VTB Group’s liquidity risk as part of reports on Group’s risks.
The Bank’s Finance Committee approves the Regulation on the Procedure for Managing Liquidity Risk in the Group, approves the Group’s liquidity risk assessment methodology, monitors the Group’s liquidity, and makes decisions on measures related to the management of the Group’s assets and liabilities with the aim of ensuring the required level of liquidity and growth of the Group’s assets.
Liquidity management is applied at the Group level based on bylaws approved by the Group’s Management Committee and is based on the following principles:
- each bank/company within the Group manages its own liquidity on a separate basis to meet its obligations and comply with the requirements of the national regulator and the recommendations of VTB Bank;
- VTB Bank manages the Group’s liquidity by centrally controlling and managing the key measures taken by the Group.
Methods for controlling and reducing the Group’s liquidity risk include monitoring compliance with the established appetite for liquidity risk and with the regulatory limit and the net stable funding ratio set by the Bank of Russia for the short-term liquidity of a banking group, as well as calculating the amount of capital needed to cover liquidity risk.
VTB Bank–level liquidity risk management
Liquidity risk management involves a set of measures used to manage the Bank’s assets and liabilities with the aim of maintaining the Bank’s ability to meet its obligations while ensuring an optimal balance between the level of liquidity risk and profitability of the Bank’s operations.
The Bank has current and forecast liquidity risk management in place.
Managing current liquidity entails short-term forecasting and management of cash flows in respect of currencies and terms (time frames) so that the Bank can ensure that it will meet its obligations, complete settlements on behalf of its customers and fund ongoing operations.
Current liquidity management is carried out by the Treasury Department based on a real-time (intraday) determination of the Bank’s current payment position and forecast future payment position, taking into account the payments schedule and other scenarios.
The objective in forecast liquidity management is to develop and implement instruments to manage assets and liabilities to support the Bank’s instant funding capability, and to plan increases in its asset portfolio by optimising the ratio of liquid assets and profitability.
The Bank achieves this by making liquidity forecasts on the basis of resource and business plans, and also by managing liquidity forecasts in light of the liquidity accounting standards established by the Bank of Russia.
Each forecast includes receivables and payments according to the contractual terms for operations, while also taking into account planned transactions, possible extension of clients’ funds (deposits and promissory notes) and possible outflows of unstable on-demand funding (clients’ settlement and current accounts, as well as loro accounts). In addition, the Integrated Risk Management Department conducts stress testing to assess risk factors that can have an impact on the Bank’s liquidity forecast. Liquidity gaps are closed through new borrowings and the renewal of existing deposits. The Group’s medium-term liquidity is managed by attracting interbank loans and customer deposits, repo transactions and secured loans from the Bank of Russia. The currency structure of liquidity is managed by conducting conversion swap transactions.
A significant proportion of VTB Group’s liabilities is represented by customer deposits (deposits, promissory notes, current accounts of corporate and retail customers), resources from the Bank of Russia and interbank deposits.
Although a considerable portion of customer liabilities are short-term deposits and on-demand accounts, the diversification of these liabilities and VTB’s past experience indicate that these liabilities are consistently refinanced by customers, and they are, for the most part, a stable source of funding. The stable element of short-term customer liabilities is determined for various currencies using a statistical trend analysis of the cumulative balances of these accounts over time. Money-market instruments (interbank loans and deposits, repurchase agreements) are used to control short-term liquidity and are not considered as a source of funding for long-term assets.
Methods for controlling and reducing liquidity risk include:
- monitoring compliance with established internal limits and regulations, including appetite for liquidity risk;
- analysing liquidity risk using a set of quantitative and qualitative indicators;
- implementing forecasting, situational modelling and stress testing of the Bank’s liquidity;
- calculating the amount of capital needed to cover liquidity risk;
- monitoring calculated gaps taking into account the scenario analysis of the Bank’s liquidity for various time periods to identify disparities between receivables and payables;
- identifying and analysing the impact of internal and external factors on the Bank’s liquidity, and the forecast for changes;
- adopting and implementing solutions for management of the Bank’s assets and/or liabilities to maintain liquidity risk at a level that complies with internal and regulatory liquidity ratios;
- developing a detailed plan of action for mobilisation of liquid assets by the Bank in the event of insufficient liquidity;
- ensuring compliance with the Bank of Russia’s mandatory liquidity ratios by monitoring actual and forecast values of intrabank maximum permissible indicators for mandatory ratios.
Market risk is the risk of downward pressure on the Group’s financial results or its capital base due to adverse changes in the value of the Group’s assets/liabilities (claims/obligations) as a result of market conditions, i.e., risk factors.
VTB Group has a standing collective body within the Group Management Committee as part of its system for managing the Group’s consolidated assets and liabilities: the VTB Bank Finance Committee and the Credit and Market Risk Management Committee.
The main objectives of the Finance Committee in terms of managing the Group’s risks are as follows:
- improving the risk and capital management system;
- capital management;
- managing the currency risk of a structurally open currency position, the interest rate risk of the bank book, the market risk of the treasury debt securities portfolio and liquidity risk (including the risk of liquidity sources concentration);
- determining policies in terms of internal and external pricing and establishing principles for the system for funding operations.
The main objectives of the Credit and Market Risk Management Committee in terms of the Group’s risk management are:
- improving the system for managing core risks;
- managing the market risk of the trading book;
- managing credit risk;
- managing concentration risks (excluding the risk of the concentration of sources of liquidity).
The Regulation on the Procedure for Managing Market Risks (approved by VTB Group’s Market Risk Management Committee, Minutes No. 31 dated 7 December 2018) within VTB Group establishes procedures for identifying and monitoring market risks, the structure and hierarchy of market risk limits from the level of VTB Group to the level of Group companies and individual divisions, procedures for monitoring compliance with limits and restrictions and for responding in case they are exceeded, and it also specifies the procedure for preparing reports on the Group’s market risk.
According to this Regulation, market risk is assessed and managed in the context of the following types of books:
- a trading book consisting of operations carried out in order to extract profits through their revaluation or hedging of other elements of the trading book;
- a portfolio of treasury debt securities consisting of transactions conducted by the Treasury Department and revalued at fair value;
- a bank book consisting of interest-sensitive instruments that are revalued at amortised cost or instruments used to hedge elements of the bank book; loans that do not pass the SPPI test are counted in the bank book.
Based on an analysis of VTB Group’s portfolio, the following areas of market risk can be identified:
- interest rate risk of the bank book;
- currency risk of a structural open currency position;
- depending on the nature of the operations bearing currency risk, the Group’s entire currency position is attributed to either the trading book or the bank book;
- market risk for the trading book and the treasury debt securities portfolio.
Interest rate risk of the bank book
Interest rate risk management is based on VTB Group’s bylaws and includes:
- setting standard interest rates for deposits and internal rates for financing, taking into account current market conditions;
- calculating interest rate risk indicators;
- setting capital limits for covering the interest rate risk for the Group and individual banks;
- establishing an indicator for the bank book’s appetite for interest rate risk – the indicative value of the sensitivity of net interest income to a change in interest rates.
The main parameters used to assess interest rate risk are:
- the capital to cover interest rate risk, measured by assessing reductions in the net current value of the Bank’s interest rate position in the event of likely unfavourable interest rate movements;
- net present value (NPV) of assets/liabilities exposed to interest rate risk;
- sensitivity of NPV to a 100 b.p. change (ΔNPV + 100 b.p.);
- sensitivity of net interest income (ΔNII + 100 b.p. and ΔNII stress).
Currency risk of a structural open currency position
The Group uses internal regulations adopted by the Group’s Management Committee to manage its currency risk. It also ensures that the currency of its assets matches that of its liabilities and maintains an open currency position (OCP) in each of the Group’s banks within established limits, including internal OCP limits and the capital limit to cover the currency risk of structural OCP, as well as regulatory OCP limits.
Approved stress scenarios are used to calculate the capital required to cover VTB Bank’s currency risk stemming from structural OCP.
The following are the main parameters for assessing the currency risk of the Group’s structural OCP:
- calculation of open currency positions in the context of individual currencies and VTB Group companies;
- calculation of the OCP sensitivity to changes in foreign currency exchange rates of 1 RUB and by 1%;
- calculation of the OCP sensitivity to changes in foreign currency exchange rates against the rouble using the VaR approach (one day, 95%);
- capital to cover the currency risk of a structural OCP.
Market risk of trading operations
VTB Group is exposed to market risk through its trading book and its treasury debt securities portfolio associated with a negative revaluation of instruments due to changes in the values of various risk factors, including bond prices, stocks, commodity instruments, exchange rates, interest rates, credit spreads, risk volatility factors and correlations between them.
Although the treasury bond portfolio is separate from the trading book due to the different objectives in conducting transactions involving these portfolios, market risk management for treasury debt instruments is managed in the same way as for the trading book.
To limit market risk within VTB Group, a set of limits is used. All limits can be divided into the following two groups: portfolio limits (VaR limits, stop-loss limits and stress limits) and operational limits that limit the concentration of individual indicators or types of assets in the portfolio.
The Integrated Risk Management Department performs the following market risk management functions for trading operations:
- evaluates and reports on the Group’s market risk profile, reviews the structure of limits and prepares proposals for reducing and managing market risk for the trading book and the treasury debt securities portfolio;
- monitors on a daily basis compliance with the Group’s market risk limits; local market risk limits are monitored by the risk divisions of subsidiary banks also on a daily basis;
- informs business units on a daily basis about compliance with the Group’s limit discipline.
The results of stress testing are used to assess the market risk of the trading book and the treasury securities portfolio. The methodology used to assess these risk metrics is submitted to the Credit and Market Risk Management Committee for consideration and communicated to VTB Group companies.
The result of the revaluation of the Group’s trading book and treasury debt securities portfolio is modelled on the basis of historical changes in risk factor values (observed under conditions of significant changes in macroeconomic indicators), as well as hypothetical changes in risk factors.
A scenario analysis showed that, in 2020, the greatest impact on market risk would have corresponded with a significant increase in risk-free, rouble-denominated interest rates and the widening of credit spreads.
VaR is calculated based on the following parameters:
- historical period: two years;
- forecasting horizon: one trading day;
- confidence interval: 95%;
- the method used: historical modelling.
Operational risk is the risk of direct and indirect losses as a result of a failure or faulty internal processes at the Bank; the actions of personnel and other individuals; failures and shortcomings in terms of information, technological and other systems; or as a result of external events. Operational risk covers legal risks, information security risks (including cyber-risks) and information system risks.
The operational risk management system distinguishes individual types of operational risk and outlines the management procedures carried out by specialised divisions concerning such risk types.
One type of operational risk is information security risk: the risk of information security threats caused by deficiencies in information security processes, including technological and other measures, shortcomings in the software used for automated systems and applications, as well as a lack of conformity between these processes and the Bank’s operations. The Bank implements a set of measures aimed at ensuring information security and monitors their impact.
VTB Bank’s operational risk management system is designed to minimise incidents of operational risk, including reducing the likelihood of business process failures, the inability to provide high-quality services to the Bank’s clients caused by staff errors, deliberate actions by staff and/or third parties in relation to the Bank/customers, system and equipment failures, and violations of the rights of customers and counterparties; the operational risk management system is also designed to limit losses from the realisation of said risk.
In managing operational risk, the Bank adheres to the Bank of Russia’s regulations as well as the recommendations of the Basel Committee on Banking Supervision. To implement its operational risk strategy, VTB carries out regular procedures to identify, assess, monitor, control and respond to operational risk. All significant deficiencies from a risk perspective that are identified within the internal control system are subjected to detailed analysis. Based on this analysis, measures are taken in order to eliminate the causes and sources of the risk.
To manage operational risk, the Bank has implemented the following unified mechanisms to identify, assess and monitor the level of operational risk: a centralised process to collect information on incidents of operational risk and resulting losses, monitoring of key operational risk indicators, including control indicators of the level of operational risk, an operational risk self-assessment and scenario analysis. All changes concerning Bank processes, products (services) and systems at the development stage are subject to mandatory analysis in order to identify operational risks in a timely manner.
The application of the above mechanisms makes it possible to carry out a quantitative and qualitative assessment of the level of operational risk, including in the context of certain types of events and areas of the Bank’s operations, types of operational risk, sources of risk and other elements of classification. Based on the results of the assessment, mitigating actions are developed and taken, and management reports are prepared.
The Bank uses the following methods to respond to operational risks:
- taking mitigating actions: developing and implementing the necessary corrective measures to minimise operational risk with the aim of reducing the negative impact of operational risk on the quality of processes and the total amount of losses from the realisation of said risk;
- accepting risk: the Bank’s readiness to accept possible losses (issues of risk acceptance are subject to consideration by the Bank’s authorised bodies if the implementation of measures to minimise risk does not appear to be economically justified);
- avoiding risk: refusal to provide particular types of services or operations due to a high level of operational risk (used if the implementation of risk minimisation measures is not economically justified);
- transferring risk (risk insurance): the Bank’s operational risks are insured; the risk is transferred to another party – a counterparty and/or customer (used if the Bank is unable to manage the operational risk independently).
The Bank uses the following principal measures to reduce the negative impact of operational risk:
- changing processes;
- establishing additional forms (methods) of control;
- training employees, including those involved in processes;
- using automated solutions.
The main measures aimed at limiting the amount of losses from the realisation of operational risk events include, among other things:
- setting thresholds for decision-making authority and establishing limits;
- developing plans to ensure the continuity and/or recovery of critical processes and the functioning of information systems, as well as plans to ensure the security and integrity of information systems and information;
- insuring operational risks.
The insurance programmes covering risks related to the Bank’s professional activities in 2020 were provided by insurance against crime under the Financial Institution’s Blanket Bond scheme (including electronic and computer crimes), liability insurance for directors and officers of the Group’s companies, insurance for funds and valuables while in storage and during transit. In addition, the Bank provides insurance against risks related to business activities (including buildings, equipment and vehicles) and civil liability.
In 2020, the Group took the following steps to develop its system for managing operational risk:
- development of mechanisms to monitor the level of operational risk at the level of the Bank and the Group’s companies as part of the management of risk appetite;
- unification of methodological approaches in order to bring the operational risk management system in line with new regulatory requirements;
- determination of priorities for the creation of a detailed development plan to ensure the continuity and restoration of operations, and the establishment of recommended approaches to determine the most critical activities;
- improvement of regular reporting on the Group’s operational risks.
Operational risk did not have a significant impact on the Bank’s performance in 2020.
In connection with the Bank’s transition to the use of internal ratings for the purpose of calculating capital adequacy ratios, model risk was one of the Bank’s significant sustainability risks in 2020. Model risk is understood as the risk of errors in the processes of developing, verifying, adapting, accepting and applying the methods used in quantitative and qualitative models for assessing assets, risks and other indicators used in making management decisions. Model risk is a subtype of operational risk.
In order to ensure effective management of model risk in line with the requirements of national regulators and international supervisory bodies, the model risk management function is set apart in a separate, independent unit, the Model Risk and Validation Department, which regularly validates and analyses the effectiveness of models. In addition, it determines, together with the Integrated Risk Management Department, the level of model risk, which is taken into account when determining the Bank’s capital adequacy in the context of internal procedures for assessing capital adequacy.
Model risk management procedures are governed by the Regulation on the Model Risk Management Procedure of VTB Bank, enacted by Order No. 1670 dated 3 September 2020, which establishes the classification and life cycle of models, basic principles of model risk management, and the stages of and participants in the model risk management process.
In conducting model risk management, the Bank is guided by the principles of regularity, completeness, confidentiality, the distribution of responsibilities, the functioning of three lines of defence, as well as the principle of conservatism. Of the stages of the model life cycle, the stage of evaluating (validating) the effectiveness of models is separate from the others. The Bank carries out regular (at least once a year) validation of significant models.
To ensure the identification of model risk, a consolidated register of models has been created and is updated on a regular basis, while the Bank’s authorised body regularly considers issues related to recognising models as significant on the basis of the data in the register as well as other available information.
A quantitative assessment of model risk is carried out both in the context of operational risk management procedures and by the Model Risk and Validation Department in the context of each significant model, including during regular model validation procedures. Model and process risk ratios are aggregated in order to calculate the capital needed to cover the Bank’s model risk; this is carried out annually in accordance with the Methodological Guidelines for the Calculation of Capital for Model Risk.
The standard methods for responding to model risk are complemented by a regulated procedure for making recommendations and instructions to the model owners/developers based on the results of a performance assessment, including those aimed at making changes to the model in order to improve its quality; improving the processes associated with the implementation and application of the model; improving IT systems; improving the quality, availability and completeness of data; and adding a conservative approach to the model (model results) to cover the model risk.
Regarding oversight of the functioning of the model risk management system, regular audits of the Bank’s activities are carried out by an independent structural unit, the Internal Audit Department, in accordance with the requirements of the Bank of Russia and the procedures established by the Bank’s internal regulations and directives.
Other sustainability risks
In the context of sustainable development and taking into account the complex interrelationships between risks, the Bank pays attention to ESG (environmental, social, governance) risks associated with risk factors such as environmental impact and social and managerial issues that affect the Company’s value (taken into account when making responsible investments) and that are realised within the framework of the Bank’s identified risks.
ESG risk management is carried out in the context of comprehensive management of credit risk, concentration risk and reputational risk as well as operational and strategic risks.
The following types of ESG risks may affect financial stability:
- physical risk: the risk of financial and economic losses as a result of emergencies or acts of nature (floods, earthquakes, increases in average temperature);
- transition risk: the risk of financial losses as a result of political, legal and technological changes in connection with the transition to a low-carbon economy. This category of risks is associated with the financial implications of measures aimed at limiting the negative impacts of climate change or adapting to climate change.
Transitional risk is assessed by the Bank in terms of credit risk when considering the possibility of issuing a loan and assigning a credit rating to the borrower.
The Bank performs a physical risk assessment primarily as part of an operational risk assessment; the Bank may also conduct a scenario analysis, including an assessment of the consequences of possible adverse conditions, as well as a self-assessment of the actual losses incurred from operational risk, including in connection with emergencies. In addition, in the context of collateral assessment, an analysis is conducted of the risks associated with the possibility of emergency situations.
In its sectoral analysis, the Bank takes into account political, legal and technological changes in the sector, thus carrying out an additional assessment of the transition risk.
As part of the assessment of credit risk premiums, the borrower’s credit rating is taken into account, which in turn includes an assessment of the probability of losses from investment risks stemming from transition risk as well as from physical risk.
In the context of its approach to ESG risk management, the Bank verifies a customer’s compliance with legal requirements, and also analyses the impact of pledged real estate and property assets on the environment.