
Risk Assessment Process

POT Methodology - Public Part

Banking Supervision Department, October 2006

This document is part of the system used by the Banking Supervision Department of the Bank of Slovenia when conducting supervision
by the Risk Assessment Process method (Proces ocenjevanja tveganj; hereinafter: POT). The Manual POT - Internal Part is also an
integral part of that system. The methodology follows European guidelines for banking supervision on the Risk Assessment System (RAS).
In preparing this document we used the following materials:

- De Nederlandsche Bank (Netherlands): Risk Analysis Manual Handbook RAST, June 2001;
- Financial Services Authority (United Kingdom): Risk based approach to supervision of banks, June 1998 and The firm risk assessment
  framework, February 2003;
- Federal Deposit Insurance Corporation (USA): Manual of Examination Policies, February 2002;
- Committee of European Banking Supervisors:
  - The Application of the Supervisory Review Process under Pillar 2, June 2005,
  - Guidelines for Implementing a Common European Framework for Supervisory Disclosure, October 2005;
- Arthur Andersen / Finansinspektionen (Sweden): Report regarding risk assessment for the Swedish financial sector, January 2002.

ver. 1.0

Page 2 of 53

Priročnik POT - javni del - ANG.doc

Legend

A. INTRODUCTION
   1. BACKGROUND AND PRINCIPLES
   2. MONITORING AND ANALYSIS
      The fixed part of the financial analysis
         Total assets and market share
         Balance sheet
         Income statement
         Profitability and performance indicators
         Cost efficiency indicators
         Credit risk indicators
         Solvency
         Liquidity
         Interest rate risk indicators
         Currency risk indicators
      Additional data and information
   3. RISK AREAS
   4. CONTROL ENVIRONMENT AREAS
   5. RISK PROFILE
      Dividing the bank into lines of business
      Determining the importance and weight of lines of business
      Selecting major risks and defining their influence
      Risk matrix
   6. ASSESSMENT
   7. REVIEW PROCEDURE
      Planning and preparation for review
      Review at the bank
      Conclusion of review
      Action following review
   8. QUALITY ASSURANCE

B. RISK AREAS
   1. CREDIT RISK
      Elements of credit risk
         Credit risk culture
         Key products and markets
         Features of the portfolio
         Concentration of the portfolio
         Trends


   2. MARKET RISK
      Elements of market risk
         Composition of financial instrument trading portfolio
         Variability of the rates of financial instruments and foreign currencies
         Currency imbalance of assets and liabilities
         Liquidity of financial instruments and foreign currencies
         Trends
   3. INTEREST RATE RISK
      Elements of interest rate risk
         Maturity mismatch of interest rate sensitive items
         Shifts in the yield curve
         Basis risk
         Embedded options
         Trends
   4. LIQUIDITY RISK
      Elements of liquidity risk
         Structure of liabilities
         Concentration of liabilities
         Access to liabilities
         Liquidity of assets
         Maturity gap between assets and liabilities
         Trends
   5. OPERATIONAL RISK
      Elements of operational risk
         People
         Processes
         Systems
         Environment
         Trends
   6. STRATEGIC RISK
      Elements of strategic risk
         Business strategy
         Business environment
         Responsiveness to changes in the environment
         Trends
   7. REPUTATION RISK
      Elements of reputation risk
         Impression on the market
         Impression of legislator
         Trends
   8. CAPITAL RISK
      Elements of capital risk
         Ownership structure
         Structure and quality of capital
         Accessibility of capital
         Assessing the capital ratio
         Trends


   9. PROFITABILITY RISK
      Elements of profitability risk
         Interest margin
         Cost efficiency
         Quality of income
         Trends

C. CONTROL ENVIRONMENT AREAS
   10. INTERNAL CONTROLS
      Elements of internal controls
         Management
         Reporting
         Procedures
         Audits
         Compliance
         Information technology
         Human resource
   11. ORGANISATION
      Elements of organisation
         Organisational structure
         Consolidation
         Segregation of responsibility and lines of reporting
         Organisation of risk management
   12. MANAGEMENT
      Elements of management
         Quality and composition of management bodies
         Decision-making process
         Strategic planning process
         Culture of risk management
         Quality of internal audit


A. Introduction
1. Background and principles
Banks[1] play an important role in the national economies of most countries in the world. At the same
time, a sound banking system is an important element of financial stability and represents a basis for
the maintenance, development and unimpeded functioning of the entire economic system. One key
activity of the banking system is of course financial intermediation services, defined as the gathering
of financial assets from those that have a surplus and the lending of such assets to those that need
them. Alongside this basic business of banking services, banks also provide a range of important
support functions, such as payments and other financial services for their clients.
Risk taking is an inseparable part of providing bank services, with inadequate awareness and
management of risk possibly leading to losses, which threatens the financial stability of the system as
well as the deposits entrusted by individuals to banks. Given the importance of the role played by
banks in national economies and the trust placed in these institutions by investors, banks must conduct
their business soundly and safely, and must maintain an appropriate level of capital as protection from
the possible risks deriving from their operations. For this reason, banks around the world are subject to
supervision and to formal and legal regulation by state-authorised institutions. In Slovenia this duty is
performed by the Bank of Slovenia.[2]
In recent times the financial industry throughout the world has undergone a series of major changes
that have also been reflected in Slovenia's banking sector. The key changes may be defined as:

- the phenomenon of globalisation,
- the linking of financial institutions,
- the development of new financial instruments,
- the growing dependence on information technology.

Among the changes in Slovenia, the following could be highlighted:

- transformation of the economic and political system,
- accession to the European Union and implementation of the European acquis communautaire,
- the inflow of foreign banking capital.

Individual factors and their interaction within Slovenia have brought about an exceptionally dynamic
process of change in the financial and narrower banking sector. This dynamic environment is expected
to mark the development of the banking sector in the future, too.
Indeed this very development demands from the Bank of Slovenia continuous change, testing and
improvement of the system of supervision, with the aim of ensuring appropriate operations by banks.
At the same time, there is an increasingly insistent need for an approach that will focus the attention of
the supervisor on the risks to which banks are exposed. Thus in supervising the operations of banks we
may indeed speak of analysis of risks that are unique to the banking sector, and at the same time about
the quality of controls and procedures through which banks avoid or manage these risks.

[1] In this document the term "bank" is used to denote banks, savings banks and other entities pursuant to the banking act.
[2] The Bank of Slovenia Act (Official Gazette of the Republic of Slovenia Nos 58/02, 85/02 and 39/06; April 2006; hereinafter
ZBS-1), Article 23 (Supervision of the operation of banks and savings banks): (1) The Bank of Slovenia shall conduct
supervision of banks, savings banks and other persons pursuant to the act governing banking, and shall design, bring into
effect and control a system of regulations to ensure the standards for safe operation of banks and savings banks.


In this sense, there is a new and different way of understanding supervision of bank operations and the
supervisory review process, in terms of the definition in Pillar 2 of the Basel II capital accords. The
purpose of Pillar 2 and supervisory review process is not simply to ensure the necessary volume of
capital to cover the risks inherent in bank operations, but mainly to encourage banks to develop and
apply procedures for managing (i.e. identifying, measuring and assessing, monitoring and controlling)
risk. Here it should be stressed that the level of capital or capital adequacy should not be the only
means of managing the risks that banks encounter in their operations. Strengthening the processes of
risk management, such as respecting internal limits, prudent creation of provisions and improvement
of internal controls, is the means that banks must further develop and apply. Capital can therefore not
compensate for inadequate controls or non-existent processes of risk management.
In the spirit of the aforementioned changes, the Basel Committee[3] reviewed the existing capital
system, and within Pillar 2 of the Basel II capital system it set new requirements both for banks and
for their supervisory bodies, and these were incorporated in their entirety into the European banking
directive.[4] The new requirements are reflected in the following principles:

- banks must have a process for assessing capital adequacy in relation to their risk profile
  and a strategy for maintaining an appropriate level of capital (internal assessment of
  capital adequacy);
- the supervisor must review and evaluate the bank's internal assessment of capital
  adequacy and its strategy, as well as the capacity of the bank to monitor and ensure the
  compliance of its operations with regulatory capital adequacy (supervisory review and
  assessment);
- the supervisor expects banks to operate above minimum capital adequacy and may
  require banks to maintain capital adequacy above the prescribed minimum;
- the supervisor must intervene at an early stage to prevent any reduction of capital below
  the minimum.

With the aim of implementing these principles, the Bank of Slovenia changed its methodology of
performing prudential supervision and in line with Directive 2000/12/EC[5] it published its methodology
of performing supervision. The Bank of Slovenia believes that publishing the definitions, rules and
tools used by the supervisor is the correct path towards a better understanding of the role of bank
supervision and of the methodologies used, and at the same time, it represents a starting point for
interaction between the internal capital adequacy assessment process and the supervisory review and
evaluation process. At the same time, the publication of the methodology can benefit banks in terms of
identifying and being aware of the existence of specific risks, managing those risks and developing
internal controlling mechanisms (particularly the function of risk management, compliance of
operations with regulations and internal auditing).
Equally, we anticipate that external auditing companies will familiarise themselves with this manual in
performing reviews of bank operations. Our guideline is that through joint collaboration between internal and
external audits and supervision of bank operations, and by adhering to a clearly set out range of
responsibilities, we can contribute further to the soundness and stability of the banking system.
In formulating the manual, we were fully aware of the fact that no bank is exactly the same as another,
whether in size, type of services, organisational structure, personnel potential, business culture and ethics,
etc. Despite this, or precisely because of it, the need emerged for a methodology based on a definition
and description of areas of risk and a control environment with precisely detailed elements forming a
common denominator, by means of which the Bank of Slovenia supervises and assesses banks'
performance and their capital adequacy.

[3] The Basel Committee on Banking Supervision.
[4] Directive 2000/12/EC relating to the taking up and pursuit of the business of credit institutions (Official Journal of the
European Community L 126, 26/05/2000 p. 0001-0059; hereinafter Directive 2000/12/EC).
[5] Directive 2000/12/EC, Article 144 (Supervisory disclosures).


2. Monitoring and analysis


One of the principal objectives of analysing a bank's risk is to determine its overall risk profile. In
order to determine the bank's overall risk profile, two questions must be answered:

- What is the degree of risk being taken on by the bank?
- What is the financial power of the bank expressed in revenues (profit) and capital?

An answer to the first question can be provided by an assessment of the risks encountered by the
individual bank and by an assessment of its control environment. An answer to the second question is
provided by a detailed financial analysis of the bank, which is produced regularly by the supervisor as
part of its supervision process. An overall risk profile for the individual bank is thereby determined by
evaluating the findings of both analyses.
Financial analysis provides an insight into the financial power of the bank, and comprises two parts:

- the fixed part of the financial analysis,
- additional information relating to the individual bank.

The fixed part of the financial analysis


The fixed part of the financial analysis is the same for all institutions under supervision, and is based
on an analysis of data provided to the Bank of Slovenia through regular reports. In line with the
Banking Act,[6] banks are obliged to report on a monthly, quarterly, half-yearly and annual basis. Based
on these reports, the Bank of Slovenia supervises the fulfilment of the standards of safe and prudent
practice (prudential limits) and monitors and analyses the operation of banks. Alongside an analysis of
balance sheet figures and of the financial statements, the basis of the financial analysis is the study of
prudential indicators, which, grouped into individual areas (credit risk, liquidity risk, interest rate risk,
currency risk, solvency, profitability, cost efficiency), enable a comparison between institutions under
supervision. In addition to a comparison with other banks, the indicators for an individual bank are
always compared with the average for the banking sector or for a group of similar banks (peer group
analysis) and a ranking of banks is made according to the values of the individual indicator. In order to
monitor the dynamics of an individual bank's operation over time, a comparison is also made of indicators
over time (trend analysis).

Total assets and market share

In this part of the analysis, the Bank of Slovenia compares the growth rate of the total assets for the
bank under observation with the growth rate of the total assets in the entire banking system (or group
of similar banks). In the same way, the growth rate of the bank's total assets in the current year is
compared with the growth rate of the total assets for that same bank in previous years. In this way, an
analysis is made of the growth of total assets relative to December of the previous year, as well as
year-on-year growth rates (growth from the same date of the previous year). Another important
finding relates to any increase/reduction in market share (measured by size of total assets or other
balance sheet items) of the bank under observation.

[6] Banking Act (Official Gazette of the Republic of Slovenia Nos 7/99 and 59/01, 55/03 and 42/04; April 2004; hereinafter
ZBan).


Balance sheet

The starting point for any financial analysis is a systematic examination of the balance sheet, where
the Bank of Slovenia focuses on:

- structure of sources of financing and investments with an indication of the average
  proportions of individual asset/liability items in the average total assets/liabilities (with
  the requirement to state which are the main sources of bank funds and where it aims for
  the most part to invest them, to make a comparison of the structure of the bank's balance
  sheet with the structure of the banking system (or group of similar banks) and to analyse
  changes in the structure of the bank's balance sheet over time);
- trends in individual balance sheet items with an indication of absolute increases and
  growth rates: growth over December of the previous year or year-on-year growth (with
  the requirement to state items that have most affected the bank's balance sheet trends in
  the observed period, and to compare the growth of these items with growth in the banking
  system (or in a group of similar banks) or over time);
- maturity structure of deposits by / loans to non-bank sectors with an indication of the
  proportions of deposits/loans of individual maturities in all deposits by / loans to
  non-bank sectors (with the requirement to make a comparison with the banking system, to
  advise of changes in the structure over time and especially to monitor the maturity
  imbalance of assets and liabilities);
- currency structure of deposits by / loans to non-bank sectors with an indication of the
  proportions of deposits/loans in foreign currency in all deposits by / loans to non-bank
  sectors (with the requirement to make a comparison with the banking system and to
  advise of changes in the structure over time and of any currency imbalance of assets and
  liabilities).

Income statement

The Bank of Slovenia compares the cumulative performance (profit/loss) of the bank under
observation in the current year with the bank's performance in the same period of the previous year,
and compares the growth rate with the growth of profits in the banking system. The bank's
performance depends therefore on individual sources of bank income (net interest, net fees and
commissions, net financial transactions, net other income) that make up the bank's gross income, as
well as on the spending of gross income on operating costs and provisioning.
In further analysing the income statement of the bank under observation, the Bank of Slovenia focuses
on:

- sources of bank income that contributed most to increasing/reducing gross income in the
  observed period relative to the same period of the previous year (with the requirement to
  state the main sources of increase/reduction in the bank's gross income and a statement of
  absolute increases and growth rates, and to compare this with the banking system or
  similar group of banks);
- composition of gross income with an indication of the proportions of sources of bank
  income in gross income (with the requirement to make a comparison with the
  composition of gross income in the banking system and to advise of changes in the
  structure over time);
- spending of gross income with an indication of structural proportions, absolute increases
  and growth rates of operating costs and net provisions (with the requirement to compare
  this with the banking system and over time).


Profitability and performance indicators

The Bank of Slovenia compares the performance indicators of the bank under observation (total profit
or loss / average total assets: ROA; total profit or loss / average capital: ROE; net interest / average
gross interest-bearing assets: net interest margin; interest rate spread as the difference between
average lending and deposit interest rates for deposits by and loans to non-bank sectors) with the value
of these indicators for the banking system and over time.

Cost efficiency indicators

The Bank of Slovenia compares the cost efficiency indicators of the bank under observation (operating
costs/average total assets, operating costs/gross income, labour costs/average total assets and net
non-interest income/operating costs) with the values of these indicators for the banking system and over
time. In interpreting the trends of these indicators, account is taken of year-on-year growth of average
assets, gross income and operating costs.

Credit risk indicators

As part of its analysis of credit risk, the Bank of Slovenia studies the scope and quality of the bank's
credit portfolio and monitors the concentration of the credit portfolio (to an individual person, a group
of related persons, an individual sector, geographical region, individual foreign country etc.). The
analysis of credit risk therefore covers at least:

an indication of the bank's credit exposure (total exposure and amount of classified items)
with the number of borrowers and average credit exposure (with the requirement to
compare this with December of the previous year or with the same period of the previous
year, and to compare the growth rates with the growth rates of the banking system or
similar group of banks);

an overview of the credit rating structure of the credit portfolio with an indication of the
proportions of individual credit rating categories in all classified items and a calculation
of the average risk of the bank's claims (with the requirement to compare this with the
banking system and to advise of changes in the credit rating structure or of average risk of
claims over time; for instance, increased proportions of non-performing items or
reclassification into groups with lower percentages of impairment or losses);

an indication of the value of indicators of non-performing items/total classified items,
impairment of financial assets by amortised cost/gross assets and impairment of financial
assets by amortised cost and provisions for off-balance-sheet items/total classified items
(with the requirement to compare the value of these indicators with indicators for the
banking system and over time);

monitoring the limit on the maximum permissible exposure to individual categories of
persons (individual persons or groups of connected persons, persons in special
relationships with the bank) and the amounts of large exposures relative to capital; in the
latter there is also a need to compare it with the banking system and to monitor it over
time;

an overview of the bank's exposure to individual sectors with an indication of structural
proportions of exposure to an individual sector in overall exposure and a presentation of
the average risk of the individual sector (with the requirement to compare this with the
banking system, to monitor changes in the structure over time and to advise of any
excessively large exposure to higher-risk sectors);

in the event of large exposure to foreign persons also an indication of structural
proportions of exposure to individual geographical regions or groups of countries (with
the requirement to compare this with the banking system, to monitor changes in structural
proportions over time and to advise of any excessively large exposure to individual
higher-risk groups of countries).

Solvency

Banks must always have adequate capital relative to the volume and type of transactions they
perform and the risks inherent in them. The capital adequacy ratio, which is the ratio of the bank's
own funds to total risk-adjusted assets and other risk-adjusted items, must always amount to at least
8%, unless the Bank of Slovenia issues an official decision setting a higher capital adequacy ratio.
As part of the analysis of solvency the Bank of Slovenia:

monitors the capital adequacy ratio trend over time and in comparison with the banking
system, and interprets this in relation to the capital trend or total risk-adjusted assets;

analyses changes in the amount of own funds or total risk-adjusted assets;

monitors changes in the structure of own funds (Tier 1 / Tier 2 capital) or in the structure
of total risk-adjusted assets (credit-, market- and currency-risk-adjusted items);

assesses whether the surplus of own funds over the regulatory minimum is sufficient to
cover other bank risks (without the prescribed capital requirement).

Liquidity

As a part of the assessment of liquidity the Bank of Slovenia:

monitors fulfilment of the prescribed level of liquidity ratios for individual categories
(with the requirement to compare the values of these ratios with the banking system
coefficients and in the course of time);

analyses the level of liquid assets of the bank and the proportion of liquid assets in total
assets (with the requirement to compare this with the proportion of the entire system and
to advise of changes in the level of secondary liquidity over time);

monitors the position on the interbank market (net creditor/net debtor) and the average
monthly amount of lending/borrowing (with the requirement to advise about the changes
in interbank market position over time or of any excessive increase in borrowing on the
interbank market);

monitors liquidity flows planned by the bank for the current and following working day
(by type of inflow and outflow) and the final balance in the settlement account and in
cash (with the requirement to compare the plan with actual business conducted, to
analyse any variances and to advise of major forecasted inflows/outflows);

analyses the concentration of liabilities by origin (investors, type of deposit, market,
currency etc.) and maturity of deposits (with the requirement to compare this with the
concentration in the system and to advise of any change in concentration over time).

Interest rate risk indicators

The Bank of Slovenia monitors the exposure of banks to interest rate risk on the basis of data collected
using the gap model. On this basis, analysis is focused on:

monitoring the gaps between interest-rate sensitive asset and liability items allocated at
13 different intervals (within which the interest rate changes),

monitoring the average period of interest rate change on the assets and liabilities sides
and monitoring the divergence between them (with the requirement to compare this with
data for the banking system and to advise of any increase in the time difference between
the changed interest rate in the assets and liabilities of the bank's balance sheet);

monitoring exposure to interest rate risk by means of the standardised "interest rate
shock"[7] method (parallel shift in the yield curve by 200 basis points) and in
comparison with the bank's capital.

Currency risk indicators

The Bank of Slovenia monitors the bank's exposure to the risk of changes in foreign currency rates
based on data on the open foreign exchange position as a percentage of capital. There is a requirement
to perform both a comparison with the open foreign exchange position of the banking system and an
analysis of the open foreign exchange position trend over time.

Additional data and information

In addition to the aforementioned fixed part of the financial analysis, which is based on data and
information that are common to all banks, the supervisor can also include in the analysis additional
information that is specific only to the bank under observation, and which is not a part of regular
reporting but which the supervisor obtains from other sources (daily newspapers, conversations with
the bank etc.).

3. Risk areas
The nature of the banking business brings several types of risk, which differ in substance and scope.
Banks cannot avoid them. Relative to their line of business, size, type of organisation, business culture
etc. we distinguish between the differing extents to which banks take risk. For example: in their
tendency to take credit risk, two banks might differ to the extent that one has a high credit risk
assessment and the other a low. On the outside this manifests in the method of operating in the market
(aggressiveness, innovation), in the concentration of the lending portfolio, the variety of products,
types of collateral etc. Both approaches are legitimate, or rather both risk taking methods could be
right for the individual bank in a given environment.
In this sense, we can speak of inherent risk, which stems therefore from banking operations and from
the situation in which the bank can find itself in a given moment. Risk represents the probability of
events in the future affecting the operations and stability of the bank, and more specifically its
earnings and capital. The task of the Bank of Slovenia is to make an appropriate assessment and
evaluation of such risk and through its mandate to take appropriate action.
The Bank of Slovenia has opted for the division of risk set out below,[8] which it believes to be
appropriate for assessment; the differentiation makes sense because it gives a better understanding
of how banks assume risk. At the same time, this structure makes comparison between banks, both
peer-to-peer and over time, easier and better.

Credit risk means the risk of loss[9] resulting from an obligor's failure for whatever
reason to meet his financial or contractual obligations in full. This risk includes the risk of
concentration, credit risk in securitisation and country risk, as well as its special form of
cross-border or transfer risk.

[7] This method is defined in Principles for the Management and Supervision of Interest Rate Risk, The Basel Committee on
Banking Supervision; July 2004.
[8] Of the important models for division, we used The Application of the Supervisory Review Process under Pillar 2
(Committee of European Banking Supervisors CEBS CP03; June 2005).
[9] In defining all risk areas, we can define the risk of loss more precisely as the current or prospective risk of negative effects
on earnings and capital.

Market risk means the risk of loss arising from adverse movements in bond prices,
security or commodity prices or foreign exchange rates in the trading book. This risk can
arise from market-making, dealing, and position-taking in bonds, securities, currencies,
commodities, or derivatives. This risk includes foreign exchange risk, which arises from
adverse movements in currency exchange rates in the banking book.

Interest rate risk means the risk of loss arising from adverse changes in interest rates in
the banking book.

Liquidity risk means the risk arising from an institution's inability to meet its liabilities
when they come due, without having exposed itself to any undesirable loss.

Operational risk means the risk of loss arising from the inadequate or failed
implementation of internal processes, actions by people, functioning of systems or from
the influence of external events. Operational risk also includes so-called IT risk, which is
the risk of loss resulting from inadequate information technology and processing in terms
of manageability, accessibility, integrity, controllability and continuity. It also includes
legal risk, which is the risk of loss arising from violations or non-compliance with laws,
rules, regulations, recommendations, agreements, good banking practices or ethical
standards.

Strategic risk means the risk of loss arising from changes in the business environment
of the institution and from adverse business decisions, improper implementation of
adopted decisions and insufficient responsiveness to changes in the business environment.

Reputation risk means the risk of loss arising from a negative image held regarding the
bank by its customers, business partners, owners/investors or regulators.

Capital risk relates to the inappropriate composition of capital for the scope and method
of operating, or to difficulties faced by the bank in obtaining fresh capital, especially with
the need for a rapid increase or in unfavourable conditions in the business environment.

Profitability risk relates to the inappropriate composition or spread of earnings or to the
inability of the bank to ensure an adequate and continuous level of profitability (for example
owing to an inappropriate costs to earnings ratio).

Each risk area is divided into risk elements. Elements of the risk area represent conceptual components
of the risk that can be used to define and assess it more precisely.
Each risk area comprises the element of expected trends. In this subchapter, the Bank of Slovenia uses
past and present indices, criteria and circumstances to determine and assess future trends and the
anticipated exposure to risk in the future. This assessment relates to all other risk elements and has,
especially from the aspect of the process of planning supervisory activities, a greater weight than
others.

4. Control environment areas


The preceding chapter set out the risk areas as understood and defined by the Bank of Slovenia. A
bank can reduce the level of risk or manage it with the best possible control environment. Weaknesses
in the bank's control environment can cause undesirable effects on earnings and capital. The Bank of
Slovenia believes that the following classifications of the control environment areas are appropriate
for high-quality banking supervision:

Internal controls means mitigating risk from the aspect of risk management, reporting,
processes and business procedures, audits, compliance with regulations, information
technology and human resources;

Organisation covers the organisational structure, relationships between subjects in the
group, lines of reporting, the structure of responsibility and the organisation of risk
management;

Management covers the quality and composition of the management bodies, the
decision-making process, the process of strategic planning, the culture of risk control and
the quality of internal audit.

As with the different risk areas, each control environment area is divided into elements that represent
conceptual components of the control environment that can be used to define and assess it more
precisely.
The area of internal controls always corresponds to the individual risk area, and its elements are taken
into consideration and evaluated as appropriate with regard to the corresponding risk. Whenever a
specific risk area is being assessed qualitatively, the internal controls are also assessed. The
assessment of internal controls at the individual bank level is the weighted sum of these assessments.
In contrast to the area of internal controls, the areas of organisation and management are evaluated
qualitatively only once for the entire bank.

5. Risk profile
The bank's risk profile represents the combined result of all the knowledge about the bank in terms of
the POT (Risk Assessment Process) methodology. It is the focal point of the continuous supervision
process, which incorporates information from the surrounding environment, findings from reviews at
banks, the results of financial analysis etc. It comprises a risk matrix[10] as the basic tool for managing
the supervision process and documents intended to describe it.
This assists the supervisor in:

defining important points or the scope of a review at an individual bank,

communicating better with the bank,

timetabling reviews,

assessing banks.

Dividing the bank into lines of business


The risk and control environment areas described in previous chapters represent from the aspect of
banking supervision the lowest common denominator of the banking sector. Banking supervision
through this system ensures comparability both between individual banks and between different
periods. At the same time, this division also ensures external comparability to other relevant banking
supervision bodies in Europe.
Yet since each bank has a specific composition of business, there is also a need for a more individual
and manageable view of the bank. In order to ease the identification and assessment of risk and quality of control environment, the bank is divided up into its elementary or significant lines of
business.
Division of the bank into lines of business is performed using several factors:

business performed by the bank pursuant to the ZBan[11] or Directive 2000/12/EC[12], that is,
all or individual banking and other financial services;

the static organisation of the bank and the size and importance of individual
organizational units;

[10] Table A-1: Risk matrix on page 17.
[11] Item 1, paragraph 1, Article 3 of the ZBan and for other financial services paragraph 1, Article 6 of the ZBan.
[12] Annex I (List of activities subject to mutual recognition) to Directive 2000/12/EC.

the procedural organisation of the bank and the scope and importance of individual
business processes;

the distinctiveness and identity of the risk characteristics apparent at the bank;

the distinctiveness and identity of the control environment areas at the bank;

the manageability of the division;

the influences of related persons, corporate governance and group connections.

The line of business may therefore be a group or an individual business process, department, area,
division or subsidiary. The main motive of the division is to ensure a manageable and comprehensive
overview of the bank in terms of the identification of risk and its control.
Of course, the bank under observation will change over time. For this reason, dividing the bank into
lines of business is a continuous process that is independent of individual reviews or other activities.
For the sake of comparability over time, however, there is a tendency to make the least number of
changes possible to the established division.

Determining the importance and weight of lines of business

The next step in dividing the bank is determining the importance of the defined lines of business. This
is understood to mean the significance of the impact that an individual line of business has in terms of
defining and managing risk on the overall assessment of the bank. The importance of an individual
line of business is determined on the basis of the theoretical principles of banking industry operation,
the macroeconomic environment and the current situation in banking, specific quantitative criteria and
expert interpretation of the individual bank's operation.
The Bank of Slovenia defines each line of business by its importance expressed using a three-level
scale: great importance, medium importance and low importance. It is not possible to define only
quantitative criteria for defining the importance of a line of business. Nevertheless, it is possible to
make conditional use and observation of:

the proportion of earnings contributed by the line of business,

its share of the bank's profits,

its influence on capital adequacy through its proportion of risk-weighted assets,

the growth rate of the identified line of business.

Merging the assessments requires the conversion of the aforementioned qualitative assessments into
numerical values. In order for important lines of business to have greater weight, a progressive scale is
used: 4 for great importance, 2 for medium, 1 for low. In determining the weighting, account is taken of all
the aforementioned factors and criteria, while the ultimate deciding factor is the inspector's expert
understanding of the functioning of the bank. All lines of business that have the same qualitative
importance have the same numerical weight.

Selecting major risks and defining their influence

In each line of business, the bank is exposed to several risks, where some are more significant than
others. For the sake of manageability and transparency, the selection of risk areas envisaged for
assessment is restricted to a maximum of four most important risks from the range of nine risk areas
that characterise the individual line of business. For each selected risk, the relevant internal controls
are examined and assessed. Owing to the differing importance, a weight is set for each selected
intersection of risk and line of business. Determining the weight is carried out in the same way as
described in the previous chapter. We use a three-level qualitative scale: great importance, medium
importance and low importance, with the progressive numerical weighting of: 4, 2 and 1. Within the
entire control environment, the review and assessment of the line of business always takes account of
the area of internal controls, so it is allocated an appropriate weighting for each line of business.

We distinguish between strong and weak weights. A strong weight[13] essentially means that the
relevant assessment must have not just a numerical score but also an explanation or findings by
individual risk elements. In other words, a strong weight means that the assessment is quantitative and
qualitative. For each strong weight in the risk area, a quantitative and qualitative assessment is also
made of the relevant internal controls. A weak weight requires only a numerical assessment. Here
internal controls are specifically not assessed.
The weight at the intersection of the individual risk area and the line of business affects both the total
assessment of the line of business and the total assessment of the risk and control environment area.
Using the assessments of the risk and control environment area we make up an overall assessment of
the bank, which is described in the next chapter. Independently of the individual bank, the Bank of
Slovenia determines whether for various reasons the effect of one risk area in the banking sector is
greater than the others. This effect is called the specific weight of risk and is taken into account in
making up the overall assessment of the bank. It is expressed in percentage points.

Risk matrix

Owing to the continuous changing of the individual bank, banking business and the macroeconomic
environment, the above procedure must be constantly evaluated and the target risk matrix must be
altered in line with the actual state of affairs. By dividing banks into lines of business, determining
their importance, selecting major risks and defining their influence we obtain in tabular form a defined
profile of risk or a risk matrix for the bank.[14] This is one of the most important tools for objectively
determining the scope, depth, type and frequency of reviews performed by the Bank of Slovenia at
banks.

[13] In Table A-1: Risk matrix on page 17 strong weights are shown in bold and underlined.
[14] Lines of business, weights of lines of business and weights of risk and the control environment areas are only and
exclusively representational in nature and do not represent the situation at a specific bank.

Table A-1: Risk matrix

Columns: Weight of line of business, followed by the risk and control environment areas:
1. CREDIT RISK, 2. MARKET RISK, 3. INTEREST RATE RISK, 4. LIQUIDITY RISK, 5. OPERATIONAL RISK,
6. STRATEGIC RISK, 7. REPUTATION RISK, 8. CAPITAL RISK, 9. PROFITABILITY RISK,
10. INTERNAL CONTROLS, 11. ORGANISATION, 12. MANAGEMENT

Rows (lines of business): Commercial banking - loans and guarantees; Commercial banking - deposits;
Commercial banking - financial derivatives; Retail banking - lending; Retail banking - saving;
Retail banking - other services; Treasury - trading; Treasury - asset management; Other - payments;
Other - consultancy; Other - custodian services; Other - leasing; Other - funds;
Common functions - management; Common functions - back office

Final row: specific weight of risk (in per cent)

[Table cells: weights of 4, 2 or 1 at the intersections of lines of business and areas, and percentage specific weights of risk.]


6. Assessment
The concept of assessment comprises a qualitative and quantitative part. The qualitative part is of key
importance and represents the findings and opinions of inspectors and analysts on the individual risk
or control environment element. The findings of inspectors and analysts form the basis for the
numerical assessment, which signifies the quantitative end of the assessment. Assessment is a
continuous process of the Bank of Slovenia's work. Reviews of banks are just a part of this process.
Other sources for assessing banks are the financial analysis of reports, regular contacts with the
management body, internal auditing and information from the bank's environment. The overall
assessment of a bank, which is the final result of assessment, comprises assessments for individual risk
and/or control environment elements for the individual line of business, adjusted in line with the
weights in the bank's risk matrix.
The Bank of Slovenia makes a critical review and verification of each component of a bank's
assessment at least in a one-year cycle. The Bank of Slovenia also determines the frequency, depth and
area of reviews on the basis of the risk profile for the individual bank. Irrespective of the other sources
for assessment and independently of the importance of the individual line of business or risk and
control environment area, all components of the bank's assessment are refreshed at least in a three-year
cycle through reviews and analyses.
The basic component of the risk assessment for the bank is the element of the risk and control
environment area. Inspectors therefore qualitatively (with an explanation) and quantitatively (with a
score) define each element. Inspectors formulate their explanations and findings by elements of the
risk and control environment areas in line with the instructions and rules that comprise the internal
manual of the Bank of Slovenia for performing banking supervision. The instructions and rules with
pertaining notes represent the procedural part of the manual and incorporate the principles and
procedures of good banking practice in the individual areas of banking business, and the references to
banking legislation, secondary regulations and recommendations. In addition to precisely defining the
substance, depth and scope of reviews, the internal manual defines the basic criteria for determining an
assessment of the individual element. The inspector must provide a finding for the reviewed element
irrespective of its importance, scope or other criteria. In their findings, inspectors back up their
quantitative assessment of the risk or control environment element.
To assess the elements of the risk and control environment areas the following scores are used for:

risk: 1 - low, 2 - acceptable, 3 - significant, 4 - high;
which means descriptively that the probability of events that might adversely affect bank
earnings or capital owing to current or prospective risk is low/acceptable/significant/high;

control environment: 1 - good, 2 - acceptable, 3 - deficient, 4 - poor;
which means descriptively that the quality of the bank's control environment, which
facilitates the overall reduction of risk and is well adapted to business requirements, is
good/acceptable/deficient/poor.

The four-level scale has been set up deliberately. In a three or five-level scale there is a middle, neutral
score, which is in practice used most commonly, while at the same time for that reason its interpretive
value is lowest. We wished to avoid this. In certain cases, it is possible that a certain risk or control
environment element for a given line of business at the bank is not appropriate or does not lend itself
to assessment. Any lacking assessment is taken into account appropriately in the calculation.
The inspector's decision to assess some element is followed by a process of aggregation or merging of
assessments, which is diagrammatically and descriptively presented below.

Figure A-1: Diagram of assessment merging

assessment of element
-> merging for the risk and control environment area for the line of business
-> merging by line of business / merging by risk and control environment area
-> merging into the risk assessment for the bank

The assessments of elements are first merged in the individual risk and control environment area for
the line of business. Here account is taken of the weights that determine the weighting of the element
within the risk and control environment area. In merging assessment scores the Bank of Slovenia
observes the logic of the Herfindahl-Hirschman index[15] exclusively so that those scores representing
greater risk or a poorer control environment (numerically higher score) have greater importance in the
overall assessment.
Equation A-1: Calculation of the overall assessment of the risk or control environment area

$$\text{assessment}_s = \frac{\sum_{i=1}^{n} \text{weight}_i \cdot \text{score}_i^2}{\sum_{i=1}^{n} \text{weight}_i}$$, where

assessment_s - overall assessment of the risk or control environment area
weight_i - weight of element i
score_i - score of element i
n - number of elements within the risk or control environment area
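
Equation A-1 in code, as an added example that is not part of the Bank of Slovenia methodology: it merges element scores with the squared weighting and sets the result beside a plain weighted mean to show how squaring lets the worse (higher) scores dominate. The element weights and scores are constructed, and two steps are assumptions of this example: unassessed elements are skipped together with their weight, and a square root maps the merged value back onto the 1 to 4 scale.

```python
from math import sqrt


def _assessed(elements):
    """Keep only assessed elements and validate them.

    elements: iterable of (weight, score) pairs. score is an integer 1..4
    (the four-level scale), or None when the element was not assessed.
    Assumption of this example: an unassessed element is dropped together
    with its weight, so it neither raises nor lowers the merged result.
    """
    kept = []
    for weight, score in elements:
        if score is None:
            continue
        if score not in (1, 2, 3, 4):
            raise ValueError(f"score must be 1..4, got {score!r}")
        if weight <= 0:
            raise ValueError(f"weight must be positive, got {weight!r}")
        kept.append((weight, score))
    return kept


def merge_squared(elements):
    """Equation A-1: sum(weight_i * score_i**2) / sum(weight_i).

    Returns None when no element was assessed.
    """
    kept = _assessed(elements)
    if not kept:
        return None
    total_weight = sum(w for w, _ in kept)
    return sum(w * s * s for w, s in kept) / total_weight


def merge_linear(elements):
    """Plain weighted mean of the scores, for comparison only."""
    kept = _assessed(elements)
    if not kept:
        return None
    total_weight = sum(w for w, _ in kept)
    return sum(w * s for w, s in kept) / total_weight


def on_score_scale(squared_value):
    """Assumption of this example: take the square root so that the merged
    value can be read on the same 1..4 scale as the element scores."""
    return None if squared_value is None else sqrt(squared_value)


# Constructed sample for one risk area in one line of business:
# two heavily weighted elements scored 2 (acceptable), one lightly
# weighted element scored 4 (high), one element not assessed.
SAMPLE = [(4, 2), (2, 2), (1, 4), (1, None)]

if __name__ == "__main__":
    squared = merge_squared(SAMPLE)
    print("Equation A-1 value:      ", round(squared, 3))
    print("read on the 1..4 scale:  ", round(on_score_scale(squared), 3))
    print("plain weighted mean:     ", round(merge_linear(SAMPLE), 3))
```

When every assessed element has the same score, the two methods agree; the gap between them grows with the spread of the scores.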

The assessments are placed in an assessment matrix that has the same form as the risk matrix: lines
of business at the side of the table and risk and control environment areas at the head. In this way, we
obtain a transparent and structured view of the bank with regard to:

critical points (greater risk and/or poorer control environment),

relationships between lines of business,

relationships between risk and the control environment areas.

[15] In economic theory, the Herfindahl-Hirschman index (HHI) is the generally recognised method of measuring concentration
in the market. It is calculated by squaring the market shares of companies operating in the market and summing the result.
The HHI therefore takes into account the relative size and number of companies operating in the market. The more
companies there are and the more they are equal in size, the lower the index. By reducing the number of companies and
increasing the difference between them, the index rises. In the practice and legislation of some countries, it is used to assess
the monopoly position of companies in the market.

On this level of assessment, there is a merging of assessments for the individual line of business and
for the individual risk and control environment areas. Here account is taken of the weights as defined
in the risk matrix.
The exception to this is the area of internal controls, which is special in the sense that this column
brings together the assessments of internal controls made at all intersections with strong weights. If a
line of business has no strong weight for the risk area, internal controls are assessed directly for the
entire line of business.
In the assessment matrix at the intersections of lines of business and risk and control environment
areas, we thereby obtain assessments where the weights are entered in the risk matrix. The calculated
assessments are weighted and merged by line of business and by risk or control environment areas.
The overall assessment is calculated separately for inherent risk and for the control environment.
Specific weights of risk are taken into account. The overall assessment of the bank takes into account
the assessments for inherent risk and for the control environment in a ratio of 60:40. This assessment
in essence represents the remaining risk at which we arrive by also taking into account the quality of
management (in other words the control environment) of inherent risk.
The assessment matrix represents a basic tool for planning bank reviews. It is a useful aid for
identifying the need for increased Bank of Slovenia activities aimed at reducing or improving the
management of individual risk areas. At the same time, it is used in analysing and monitoring bank
operations in connection with indicators obtained in the financial analysis of the bank.
Despite the relatively simple, understandable and well structured method of merging and calculating
quantitative assessments, the personal and subjective judgement of the inspector is essential and
required. The inspector is expected to make a critical appraisal of all the aggregated assessments
(merging both by line of business and by risk area and control environment) and appropriate
corrections where necessary. Inspectors must individually back up any voided assessment obtained
from the automatic process of aggregation.
In appraising the merged assessments, inspectors pay special attention in the following cases:

the influence of an element, line of business, risk or control environment area is so
decisive for the entire bank that to a major extent it determines the overall assessment;

there are too few assessments from which the overall assessment is formulated;

certain assessments that have an important effect on the overall assessment are too far
removed in time or are no longer relevant owing to rapid changes within the bank or
within its operating environment.

7. Review procedure
The main purpose of supervising banks is to determine the level of risks encountered by banks and the
quality of managing these risks. Supervision is performed through monitoring, collecting and checking
bank reports and notices, performing reviews of bank operations and through the issuing of
supervisory measures. The basic approaches are:

analysis of banking operations through systematic and continuous monitoring of a bank's
operations by means of reports and other information at the Bank of Slovenia (off-site),
and

reviews of the bank's operations (on-site).

The two approaches complement each other. The aim is to effect a timely identification and
elimination of deficiencies in risk management and other objectionable action by banks. Reviews at
banks are performed using the Risk Assessment Process (POT) method adopted and confirmed by the
Governing Board of the Bank of Slovenia.

Another component and important part of the supervisory process is continuous cooperation with bank
management boards in the form of regular annual meetings, occasional discussions, exchanges of
opinion and other forms of mutual cooperation. Continuous exchange of information facilitates the
ongoing monitoring of the bank and increases the effectiveness of supervision.
The review procedure is divided into:

preparation for review,

review at the bank,

conclusion of review,

action following review.

Figure A-2: Stages of review

Planning and preparation for review


In line with the Banking Supervision Department's strategic plan, reviews are carried out as a rule
according to an annual plan of reviews. The basis for planning is the results of risk analysis deriving
primarily from the risk profile, financial analyses, macroeconomic influences and based on other
information and requirements for the individual bank. This in turn has a decisive influence on the
frequency of reviews for individual areas of business at the bank.
Good preparation for review is a precondition for high quality, effective, proper and timely reviews.
Each review therefore requires planning and preparation. The aim of preparing for reviews is that even
before they start their work at the bank, the inspectors who will participate in the review will be
closely familiarised with the requirements of the review process and its objectives, and based on
available documentation they can analyse risk at the bank.
Preparation for review covers primarily the following elements:

Determining the aims, scope and substance of the review

The aims, scope and substance of the review are determined through a review plan generally in
accordance with the risk profile, the annual plan of reviews and other important information on the
bank. Directly before setting out for the review, a special information meeting is held at the Bank of
Slovenia, which is used to present the detailed substance of the review and to determine possible
supplementary action, especially regarding the scope and substance.

Composition of team

Regular review teams are formed generally in the stage of drawing up the annual plan of reviews.
Depending on the objective of the review, the team will comprise inspectors specialised in specific
fields. Except in extraordinary cases, teams are headed by a senior inspector. This person is
responsible for allocating tasks for preparation and implementation of the review, for the unimpeded
progress (coordination) of work in the field, for communication with the bank, for exchanging
information with the Bank of Slovenia and for preparing all concluding activities and materials.

Document preparation

The documents that must be prepared prior to each review are drawn up with regard to the aim, scope
and substance of the review and are defined in the internal RAP manual. The review leader and the
analyst who monitors the bank are responsible for preparing the material.

Analysis of bank operations with emphasis on risk identification

Based on reports submitted by the bank to the Bank of Slovenia, regular contacts with the bank and
information from its operating environment, as well as on the basis of continuous monitoring and
analysis of trends in the bank's operations,16 prior to each review a detailed analysis is made of the
bank's operations with an emphasis on identifying high risks, data values that stand out and
unfavourable trends, and with a comparison of indicators for the bank with indicators for a group of
banks and the banking system as a whole.

Notification of review

The review leader is responsible for contacts with the management body and with the internal audit
department at the bank in which the review will be performed. In line with the provisions of the ZBan,
notification of the review is given in writing, setting out the appropriate request for a review and the
authorisation of the inspectors to perform the review. The request for a review contains a list of
documents that must be prepared by the start of the review, and the envisaged duration of the review.
If necessary, an inspector will conduct what is called a preliminary review at the bank, which is aimed
at coordination with the bank with regard to document preparation.
Review at the bank
The review at the bank is performed based on a review plan. Depending on the purpose and objective,
we distinguish between the following types of review:

regular review in line with the annual plan of reviews,

extraordinary review performed on the basis of extraordinary events at the bank or at
the request of the Bank of Slovenia management,

or

full scope review covers all key areas of the bank's operations,

target review focused on one or more areas of the bank's operations.

The review at the bank begins with an introductory meeting with representatives of the bank's
management and a coordination meeting with the internal audit department. At this meeting, the
review leader familiarises the bank's management with the purpose, aims, procedures and other
procedural requirements of the review. An agreement is made with the internal audit department on
the logistics of the review. A preliminary visit is sometimes needed to establish this agreement.

16 Here the Monitoring and Early Warning System methods are used.

The review is conducted in line with the RAP internal manual, which sets out in detail the substance,
criteria and procedures of reviewing individual areas of the bank's operations. Inspectors obtain the
information needed to assess risk by examining the financial books, computer records and commercial
documentation, and in conversation with bank representatives. During the review, working notes are
made, and these are a component part of the final material following the review.
Conclusion of review
On the conclusion of the review, a discussion is held with the bank's management body on the findings
of the review and possible supervisory measures that the review team will propose at the Bank of
Slovenia. The review leader and inspectors present the substance of their findings and
recommendations, while the discussion is also a chance for the inspectors once again to verify their
findings and to obtain feedback from the bank's management body.
Action following review
Once the review is completed, the relevant documentation is drawn up (report, order, findings and
recommendations in a letter to the bank etc.), which is then submitted to the Bank of Slovenia Council
together with the proposed measures for a decision. Under the provisions of the ZBan, the Bank of
Slovenia has at its disposal a range of graduated supervisory measures whereby it can require the bank
to eliminate established violations and to establish the conditions for safe and sound operation. The
Bank of Slovenia follows up the decreed measures until they are fulfilled. All documentation is filed
in written and/or electronic form in line with the Bank of Slovenia's internal rules.
The various actions following the review include a final meeting between the bank's management and
the Banking Supervision Department heads and representatives of the team of inspectors that carried
out the review. The purpose of this meeting is to disclose possible measures against the bank and to
exchange other topical information.
Where a review has not yielded any violations of regulations, a decision terminating the supervisory
procedure terminates the review. In the event that a review has been followed by an order to eliminate
violations, once the violations have been actually eliminated, a decision is issued ruling that such
violations have been eliminated.

8. Quality assurance
The precondition for high-quality supervision of banks is the continuous ensuring of quality in the
personnel that perform this supervision. This is reflected primarily in the appropriate level of
professional qualification and in the adherence to ethical standards by anyone that participates in any
way in bank supervision. Other important factors in ensuring quality are an adequate legal and
regulatory framework, which must observe national and European standards of safe and sound
operation, and an internal base of knowledge about the method of carrying out bank supervision.
Ultimately, it is essential to emphasise the four eyes principle, which at banks is the foundation for
safe and sound operation, and in supervision, it is the basis for ensuring quality.
The main elements of quality assurance are:

Professional training of supervisors and due professional diligence

Professional training of supervisors ranks as one of the most important elements of quality assurance.
Supervisors are expected to have and acquire the knowledge, experience and other abilities necessary
for carrying out their assignments. In their work, supervisors must act conscientiously and with the
diligence of an incisive and capable supervisor.

Continuous education and training of supervisors

Another component part of a supervisor's duties is the commitment to continuous education.
Supervisors develop their knowledge and other abilities through continuous professional enhancement.
It is therefore every supervisor's duty to gain education in their job and during reviews at banks,
organised in the form of internal workshops within the Banking Supervision Department, at seminars
in Slovenia and abroad, and also through the assistance of domestic and/or foreign advisers for
individual areas of bank supervision.

Professional ethics of supervisors

Supervisors must adhere to and act according to The code of practice for banking supervision
employees, which binds staff in the Banking Supervision Department to maintain a high level of
professionalism through continuous enhancement of theoretical knowledge and skills, to perform their
work professionally in line with valid legislation and regulations, and to have a highly professional
attitude in communicating. The document entitled "Rules on the protection of confidential data at the
Bank of Slovenia" further sets out the types, criteria, procedures, authorisations and protection of
confidential data. Through a specific declaration, each inspector is bound and legally responsible to
respect the confidential nature of the information with which he or she is familiarised in his or her work.

Independence of supervisors

The independence of bank supervisors means that they perform supervision assignments in line with
professional ethics without any kind of outside pressure or influence. Supervisors may request from
banks reports and other information as well as access to documents on all matters that are important in
terms of the purpose of the individual supervision process. Supervisors are independent in assessing
data they obtain from banks in performing supervision, and equally, they are independent in assessing
data obtained from the reports of external auditors. Supervisors perform reviews at banks on the basis
of authorisation from the governor, who may for the purpose of performing certain supervisory tasks
also authorise a licensed auditor or other professionally qualified person, who are governed by the
same criteria regarding independence in supervision that apply to other authorised staff of the Banking
Supervision Department.

Legal and regulatory framework

The Banking Act and secondary regulations adopted on its basis represent the bottom line for the safe
and sound operation of banks. Thus, the ZBan and its derived secondary regulations to the greatest
possible extent include international supervisory rules and standards, which serve to ensure the
adjustment of Slovenia's banking system to the international banking and financial environment.
An appropriate legal and regulatory framework with constant monitoring and adjustment to European
legislation therefore represents an important element of quality assurance.

Supervision procedures

The working procedures and methods for implementing activities for supervising bank operations are
set out in the POT manual and in other internal documents of the Bank of Slovenia. They represent the
base of knowledge that ensures the maintenance and continual improvement of quality in supervisory
operations. The defined procedures under which supervisors operate also allow monitoring of the
correctness and success of their actions.

Verifying results

The quality of a supervisory body's work is reflected in its professionalism, transparency, consistency
and accuracy. With the aim of ensuring these principles, the following mechanisms for verifying
results have been established internally at the Bank of Slovenia:

discussions with the bank's management,


management supervision of the work of inspectors (in the stage of preparation for
review, and during and after the actual review),

annual checking and assessment of the work of inspectors through an analysis of
reviews performed,

reporting by inspectors and analysts on the findings of a review and in regular
monitoring of the bank.

Transparency of work

The concept of transparency of work and supervisory disclosure is defined17 as an understandable and
open policy that makes available to those with an interest all relevant information in connection with
the functioning of bank supervision, and helps them to understand its role and method of operation.
The legal framework clearly defines this. Alongside the principles of impartiality, confidentiality,
neutrality and verifiability, the principle of transparency is undoubtedly an important lever
contributing to the higher quality of supervision and at the same time increasing its effectiveness,
credibility and reputation.

Support for supervision

The quality of the supervision process is also enhanced by all the other departments of the Bank of
Slovenia, which work to ensure the maintaining of data, the drafting of legislation, legal and
accounting advice, information technology etc.

17 Directive 2000/12/EC, Article 144 (Supervisory disclosure) and the Guidelines for Implementing a Common European
Framework for Supervisory Disclosure (CEBS CP05; October 2005)

B. Risk areas
1. Credit risk
Credit risk means the risk of losses arising from a debtor's failure to meet his financial or contractual
obligations in full.
Credit risk is encountered by banks in all areas of banking operations involving risk-bearing balance
sheet asset items, which comprise all due and undue short-term and long-term lending, investments in
securities and long-term investments in capital, discounted bills of exchange, claims from financial
leasing, claims from derivatives, investments in investment real estate, accrued interest, compensation,
fees and commissions, and claims for warranties paid, avals and other contingencies and commitments
including off-balance sheet items, deposits at banks and other items that can be allocated to a
particular debtor and are measured using the present value of the future cash flows or purchase price
or at fair value.
It also exists in areas involving the risk-bearing off-balance-sheet bank items, comprising issued
financial guarantees, avals, non-covered letters of credit and transactions with similar risk, on the basis
of which a bank may become liable for payment.18
The concept of credit risk includes a range of sub-categories that are frequently set out separately in
professional literature. It is important to mention the risk of concentration, which means the risk of
losses arising in the event of excessive exposure to an individual person or group of related persons or
in the event of excessive exposure to borrowers with similar economic characteristics. Credit risk in
securitisation means that a financial instrument representing a securitisation claim has the same risk
as the claim itself. Country risk arises in the case of international lending and is tied to the economic,
social and political environment of the debtor country, and a special form of this is transfer risk, which
exists when a debtor's liability is not denominated in the local currency.
Elements of credit risk

Credit risk culture

The method of taking on and managing credit risk is one of the basic components of prudential and
safe bank management, especially in terms of seeking the optimum ratio of yield to risk in an
individual investment, in a group, in the type of investment and in the investment portfolio as a whole.
Since for the majority of banks, credit risk represents the largest proportion of risk in their operations,
its identification, measuring, monitoring and supervision are important signs of the financial diligence
and quality of the bank in all areas.
The credit risk culture is reflected in the principles, objectives and strategies of the bank. This in turn
determines the attitude of the management and employees to credit risk, and the level of authorisation,
objectivity and consistency in exchanging information, dealing with customers etc.
The Bank of Slovenia assesses the method of taking risk (conservativeness, diligence, aggression,
innovation), the concordance of the entire credit function with the bank's adopted strategy and the
attitude of the management and employees to risk.

Key products and markets

The greater the variety of products involving credit risk and the greater the variety of markets (clients)
in which the bank operates, the more complex the management of credit risk becomes.

18 Decision on the Assessment of Credit Risk Losses of the Banks and Savings Banks (Official Gazette of the Republic of
Slovenia No 67/05; July 2005).

Here the Bank of Slovenia assesses the product structure of the credit portfolio, the quantitative and
qualitative management of products and the level of exposure to individual markets (parts of a
market).

Features of the portfolio

The Bank of Slovenia assesses the features of the portfolio in terms of the probability of deterioration
in the quality of the portfolio and in terms of the method and rate of recovering defaulted payments.
The concentration or diversification of the credit portfolio is discussed under the next risk element.
The probability of deterioration in the quality of the portfolio and thereby a higher probability of
default on payment is reflected in the following factors:

the use and quality of systems for assessing clients,

the methods of acquiring clients in the sense of the method of personal dealings with
clients, the use of intermediaries and the use of other sales channels (e.g. internet,
telephone),

the use of credit ratings by external institutions,

the quality and regularity of return trends analysis on different levels of the portfolio,

identification, monitoring and reaction to outside influences, such as the economic,
market and sector conditions of operation and legislative and technological changes,

analysing and examining cash flow and especially historical data on late payments, partial
payments etc.

The Bank of Slovenia assesses the method and success of recovering defaulted payments by the use of
credit enhancements or methods of risk mitigation: the type, quality, adequacy and level of collateral,
financial commitments, guarantees, credit derivatives etc. Regular reviews of collateral whose value
depends on market trends (such as real estate and securities) are essential.
Impairments owing to credit risk and their trends are important indicators of the quality of the credit
portfolio, although they are not a determinant of credit risk but just the result of accounting policies. A
precondition for monitoring impairments in a sequence of time is the fair assessment of the credit
portfolio quality and the consistent use of assessment methodology.

Concentration of the portfolio

A concentration is apparent when the bank's portfolio contains an excessive quantity of:

loan transactions with one individual client, group of related persons, individual sector or
line of business, geographical region, individual country or group of similar countries,

one type of loan transaction,

loan transactions with one type of collateral,

loan transactions with a maturity in a narrow time corridor.

Excessive concentration increases the sensitivity of the bank to unfavourable changes in the area
where its loan business is concentrated and to deterioration in its collateral. Diligent and prudent
management of the credit portfolio includes minimising risk concentration by developing and applying
policies and procedures for ensuring its diversification.
The Bank of Slovenia assesses risk stemming from concentration with regard to the actually achieved
value of concentration in the credit portfolio and with regard to restrictions defined in the credit
portfolio diversification policies, which must determine the exposure to individual clients, groups of
related persons, sectors, geographical regions, new or existing products and types of collateral.
Wherever for instance a bank's credit portfolio is focused on one geographical region, the bank can
achieve a diversification by approving loans to those categories of client that react differently to
economic cycles, or through different product lines.

Trends

Estimating future trends based on past indicators is an important element of the overall picture of the
level of credit risk at a bank. The Bank of Slovenia makes trend forecasts for each of the
aforementioned elements.

2. Market risk
Market risk19 is the risk of change in market variables (prices, exchange rates). Market risk
encompasses position risk and currency risk. Market risk arises where a bank performs the role of
market-maker, and where it trades or holds a position in bonds, shares, foreign exchange, goods or
derivatives.
Position risk is the risk of loss arising from changes to the market rates for bonds, shares, goods or
derivatives. The level of position risk is affected by the variability of financial instrument rates, the
composition of the financial instruments portfolio at the bank and the liquidity of the financial
instruments that the bank has in its portfolio. In its strategy, the bank determines how much position
risk it is prepared to accept, and in line with this, it sets limits regarding the credit rating of the security
issuer, the type of security and the liquidity of the security. In assessing the liquidity of the security the
bank must take into account the type of quotation (stock market listing, OTC market), the possibility
of closing the position (with regard to the number of market-makers, the depth of the market, the
buy/sell spread etc.) and the variability of security rates.
Currency risk is the risk of losses arising from changes in exchange rates. The level of currency risk is
affected by the level of the open foreign exchange position, the variability of the individual rate of the
foreign currency and the liquidity of markets for the individual currency. In its strategy the bank sets
out how high a currency risk is acceptable for it and in line with this, it sets an appropriate system of
limits. In setting limits, the bank must take into account the liquidity of markets for each individual
currency (depth of market, volume of daily trading, buy/sell spread) and the variability of exchange
rates for each individual currency.
Elements of market risk

Composition of financial instrument trading portfolio

The composition of the financial instruments portfolio has a major effect on the level of market risk to
which the bank is exposed. It is generally true that investments in bonds carry less market risk than
investments in shares or derivatives. Equally, it is a general rule that a portfolio composed of a small
number of different financial instruments carries greater risk than a portfolio comprising a large
number of different financial instruments (greater spread).
The bank determines the composition of the financial instruments portfolio in line with the level of
risk it wishes to take. In order to reduce market risk the bank must compose its portfolio of financial
instruments in such a way that it will be as diverse as possible in terms of the types of financial
instrument, the markets where these financial instruments are traded, the sectors from which these
instruments originate and the clients that issued these instruments.

19 This chapter for identification and management of market risk is aimed at checking both the management of the position
risk of items in the trading book and also the currency risk of items in the trading and banking books. Managing interest rate
risk in the banking book is presented in a separate chapter, so it will not be specially addressed under market risk.

The Bank of Slovenia assesses the risk deriving from the composition of the financial instruments
trading portfolio based on the diversity and features of the financial instruments (risk, returns) that
make up the portfolio.

Variability of the rates of financial instruments and foreign currencies

The rate levels of the financial instrument and foreign currency are determined on the one hand by
supply and on the other hand by demand for the instrument or currency. Changes in the supply or
demand rate for the financial instrument are spurred by various factors, such as performance of the
company, changes in the economic or financial position of the country in which the company operates,
anticipated trends etc. The monetary policy of the individual country also plays a major part in
changing the exchange rate of the foreign currency.
The greater the anticipated variability of the financial instrument or foreign currency rate, the greater
is the position risk to which the bank is exposed.
The Bank of Slovenia assesses the anticipated variability of the rate based on the variability of the rate
in the past, where it also takes into account already known information that would tend to contribute to
changes in the rate in the future.

Currency imbalance of assets and liabilities

The level of the open position by individual currency (currency imbalance of assets and liabilities)
affects the level of the currency risk taken at the bank. If the currency positions of the bank are entirely
closed, the bank is not exposed to currency risk. In practice this is very hard, if not impossible, to
ensure. Not only is it impossible for the bank to hedge each transaction at the same instant
through a counter transaction, but the structure of asset and liability items may itself be very
different despite the closed position (for instance an imbalance in the remaining maturity of asset and
liability items, the impossibility of reinvesting in instruments with such features that would represent
effective protection of liability positions and vice versa). The bank decides how much currency risk
it is prepared to accept and in line with this it sets limits for individual positions in foreign currencies.
The Bank of Slovenia assesses the currency imbalance of assets and liabilities based on a review of the
significance of the level of the open foreign exchange position in the individual currency, in
connection with the variability of its exchange rate.

Liquidity of financial instruments and foreign currencies

The liquidity of a financial instrument or foreign currency means the possibility of immediate sale of
the financial instrument or foreign currency with minimal loss.
The greater the liquidity of financial instruments or foreign currencies held by the bank, the lower the
liquidity risk to which the bank is exposed.
The Bank of Slovenia assesses the liquidity of financial instruments and foreign currencies based on
reviewing:

the market in which the financial instrument or foreign currency is traded (depth of
market, volume of daily trading, buy/sell spread),

the level of encumbrance on the financial instruments (e.g. mortgages and repos),

possible changes in the liquidity of the market in future owing to changes in tax or other
legislation.

Trends

Anticipated events in the future have a major influence on the decisions that a bank will take today. It
is extremely important for the bank's operation that it is familiar with and takes into account the trends
evolving in world markets and in the markets where the bank operates.

Based on familiarity with the circumstances at the bank and with the economic environment at home
and in the rest of the world the Bank of Slovenia makes projections of possible events in the future and
of the readiness of the bank to make an appropriate response.

3. Interest rate risk


Interest rate risk20 is risk to which a bank is exposed owing to adverse changes in interest rates.
Interest rate changes have a major impact on bank income and expenses.21
In order to evaluate interest rate risk correctly, the bank must apply its assumptions, which must
adhere to the bank's business policy and be adjusted to the size and complexity of bank business.
Elements of interest rate risk

Maturity mismatch of interest rate sensitive items

Risk owing to the repricing of interest rates arises through maturity mismatches (in fixed interest rates)
or through a mismatch in the period in which interest rates are repriced (in variable interest rates) of the
bank's interest rate sensitive assets and liabilities. Such mismatches are a feature of banking and derive
from the transformation of short term sources of financing into long term assets. Because of the
maturity mismatch of interest rate sensitive items, a change in interest rates influences the
level of interest revenues/expenses and the economic value of capital. If the bank has sources of financing
in the form of short-term deposits, for which interest rates (bank expenses) change rapidly, and assets
are tied up in longer-term investments, meaning that interest rates change only after longer periods, the
bank will pay increasingly more for its sources of financing (increase in expenses) when
interest rates increase, while the bank's income does not simultaneously rise. A rise in expenses without
a concomitant increase in income means a decline in net income for the bank and consequently a
reduction in profits or even a loss, which can ultimately lead to a reduction in capital or even to
insolvency of the bank.
The Bank of Slovenia assesses the size of the gap between interest sensitive asset and liability items
under various maturities and the expected movements of gaps under various maturities in the future.

Shifts in the yield curve

Owing to the mismatch in the period of interest rate repricing for asset and liability items, the bank is
exposed to changes in the yield curve. Both a parallel movement and a change in the shape of the yield
curve influence the level of interest income and the economic value of capital. The economic value of a
10-year financial investment hedged through a short position in a five-year security can fall if the
angle of the yield curve increases, although the position is hedged against parallel shifts in the curve.
The Bank of Slovenia assesses the possibility of shifts and changes in the slope of the yield curve
based on a review of current expectations regarding the trend and past movements in interest rates.

Basis risk

Basis risk arises owing to an imperfect correlation in movements of different types of variable interest
rates that are earned or paid on various instruments, although they have similar interest rate repricing
periods. Put another way, basis risk arises owing to changes in interest rate relationships between
different yield curves and different markets. When interest rates change, these changes can contribute
to changes in cash flow and income from interest sensitive assets and liabilities of similar maturity or
similar periods of interest rate repricing.
The Bank of Slovenia assesses the correlation of interest rate movements of different types of variable
interest rates used by the bank and the possibility of changes in these relationships based on past
trends.

[20] This chapter addresses the area of interest rate risk in the banking book, although interest rate risk also appears in the
trading book. Owing to the nature of trading items, interest rate risk in the trading book is covered in the chapter on market
risk.
[21] For the requirements of the definition, bank income and expenses relate to ascribed and actual interest set out in the
financial statements.

Embedded options

An increasingly important interest rate risk derives from the embedded options held by interest
sensitive assets and liabilities. Options give the owner the right to alter the financial flows, or the maturity
of the financial flows, from financial instruments. In principle, clients use this option when this is good for
them and bad for the bank. The most widely used embedded options are the option to repay a loan before
maturity and the option to withdraw a deposit before maturity. Embedded options in financial
instruments increase the sensitivity of items to interest rate changes, which translates into an additional
effort for the bank in managing the risk of interest rate changes. Banks must correctly evaluate the risk
stemming from embedded options.
The Bank of Slovenia assesses the effect of embedded options in contracts on the bank's future
financial flows.

Trends

Based on established facts the Bank of Slovenia decides on the current and expected exposure to
interest rate risk and on the future preparedness and capacity of the bank to manage interest rate risk.

4. Liquidity risk
Liquidity risk arises when a bank is not able to meet its obligations upon their maturity, without
having exposed itself to any undesirable losses. Liquidity is the ability of the bank to sustain
withdrawal of deposits, to settle due liabilities and to increase assets.
Liquidity risk is closely linked to other risks in the bank (e.g. credit risk, interest rate risk and currency
risk) and is usually the result of the transformation function performed by the bank when it places
collected deposits with short maturity into long-term assets. Liquidity is an essential component of the
operation of all banks, since it offsets expected and unexpected movements in the balance sheet and
ensures growth.
A bank is liquid when it can within a reasonable time and at a reasonable price obtain the necessary
sources of financing (either through increasing liabilities or through selling investments). The price of
liquidity is a function of general market conditions and the risk exposure of the bank as recognized by
the market.
A greater need for liquidity usually arises with:

withdrawal of a major investor,

a large proportion of short-term deposits,

a large portion of bad loans (when there is no cash flow),

the likelihood of a large portion of unused approved credit lines being used,

a concentration of loans in a sector of the economy that has financial problems.

A bank can improve liquidity in the following ways:

increases highly liquid assets,

increases short-term borrowing,

reduces longer-term assets,

increases longer-term liabilities,

increases capital.

Maintaining assets in liquid form in order to ensure liquidity usually represents a loss of
earnings relative to other investment possibilities, so seeking the optimal ratio between liquidity and
profitability is one of the basic criteria for liquidity management in the bank.

Elements of liquidity risk

Structure of liabilities

The structure of liabilities is a key aspect of liquidity and usually represents a starting point for
assessing liquidity risk. A bank with a stable, high-volume and well-dispersed source base will probably
have fewer liquidity problems than a bank that does not have such a base. Assessing the structure of
sources requires analysis of:

the structure of deposits by product, type of investor and maturity

In addition to the number of accounts and their balances, there is also a need to analyse the structure of
deposit products and the type of investors. Investors are usually separated into households, companies
and government. Separate analysis is necessary owing to the different pattern of behaviour
demonstrated by each group of investors.

stability of liabilities

With regard to the stability of liabilities, the following general rules apply:

deposits with longer maturity are more stable than deposits with shorter maturity,
since longer-term deposits are only exceptionally cancelled prior to their due date,
while the bank does not know whether short-term deposits will be extended after
their due date or not;

deposits from households are more stable than those from companies and the
government - indeed company deposits are more sensitive to interest rate changes
and other market factors, while government deposits involve other criteria such as
political interests;

small deposits are more stable than large ones, since with the possible transfer of a
large deposit from one to another bank the investor is in a better negotiating
position and can obtain a higher interest rate.

The stability of liabilities is also affected by the firmness of the established business relationship with
investors. Deposits from investors with a long history of cooperation and a well-developed overall business
relationship will generally be more stable. In other words, cooperation is also established in the
area of asset business (investments). Banks cultivate business relationships with investors through
regular personal contact and the mutual exchange of information and promotional material.
The Bank of Slovenia assesses the structure of deposits by product, type of investor and maturity, as
well as the stability of the individual type of deposit.

Concentration of liabilities

An important element of liquidity risk is the concentration of liabilities. Concentration of liabilities
exposes the bank to potential liquidity risk from unexpected withdrawal of deposits. The general
liquidity problems of an individual investor or sector illiquidity can seriously impair the bank's
liquidity in the event of a high concentration of deposits. The bank is especially exposed to liquidity
risk if a large number of deposits fall due in a short period. The bank must ensure diversification of
deposits in terms of origin (by individual investor, type of deposit, individual market and individual
currency), amount and maturity.

The Bank of Slovenia assesses diversification of deposits with regard to origin, volume and maturity.

Access to liabilities

Banks acquire liabilities in various ways: by collecting deposits, borrowing on the money market,
borrowing on the capital market or by issuing shares. The bank's borrowing potential is hard to assess,
since it depends on the capital position of the bank, the bank's credit rating, its reputation and current
market conditions. In a period of uncertain market conditions, major investors will not favour small
banks since by their judgement such banks would carry too much risk. A similar pattern of behaviour
can be traced among large banks when they have solvency problems. In the case of a banking group,
we must consider also possible liquidity support of the parent bank or other legal persons in the group.
The bank must regularly monitor the possibilities for obtaining different types of liabilities
and track the development of various forms of financing on the market.
The Bank of Slovenia assesses the access of the bank to sources of financing, their reliability, stability
and diversification.

Liquidity of assets

Since the bank has relatively little influence on the scope of liabilities, it must also ensure liquidity
through liquid assets. The volume of liquid assets needed is a function of the stability of liabilities and
the potential growth of assets. Where the structure of liabilities is favourable and stable and the growth
of assets predictable, the need for liquidity reserves is relatively low. Greater liquidity reserves are
needed when:

a competitive environment offers alternative investment products,

a significant reduction in large deposits arises,

a major proportion of liabilities has a short maturity and changeable structure,

the proportion of bad credit portfolio is significant,

it is expected that in the future a larger amount of approved credit lines or other off-balance-sheet assets will be used.

Depending on the structure of liabilities and potential growth of assets, the Bank of Slovenia assesses
the appropriateness of the type and volume of liquid investments and the possibility of their
conversion into cash.

Maturity gap between assets and liabilities

A maturity gap between assets and liabilities arises owing to the basic function of the bank, that is the
transformation of short-term deposits into longer-term assets. Banks cannot avoid this divergence, but
they can manage it effectively. The gap between the maturity of assets and liabilities is a frequent
method of assessing exposure to liquidity risk, where greater importance is assigned to short-term
discrepancies.
The Bank of Slovenia assesses the extent and trend of the maturity gap between assets and liabilities.

Trends

A prediction of future trends indicates the potential direction of liquidity risk and points to possible
liquidity problems at the bank.
The Bank of Slovenia makes trend forecasts for each of the above-mentioned elements.

5. Operational risk
Operational risk means the risk of loss resulting from inadequate or failed internal processes, people
and systems or from external events and includes legal risk. Operational risk also includes IT risk,
which is the risk of losses resulting from inadequate information technology and processing, especially
from the aspect of manageability, access, integrity, supervision and business continuity. Legal risk is
the risk of losses arising from the violation of laws and secondary regulations, and non-adherence to
contracts, recommendations, good banking practices or ethical standards. [22]
Following on from the above definition of operational risk, the main categories that affect it are:

people: culture, ethics, motivation, knowledge, skills etc.;

processes: design, performance, transparency, adequacy of processes and controls, settled goals, communication;

systems: appropriateness, safety, availability etc.;

environment: undesirable or unexpected changes, crime, disasters, extraordinary events.

Globalisation of financial services, together with the growing sophistication of financial technology,
is making the activities of banks and thus their risk profiles more complex. The development of
technology and methods of communication, numerous mergers and acquisitions, the extraordinary
increase in the volume of services and products, the outsourcing of certain business functions and the
increased use of financial techniques that on the one hand reduce credit and market risk, but on the
other hand increase operational risk, indicate that operational risk should be given greater importance
than was the case in the past. Despite the fact that the concept of operational risk and the associated
activities to identify, measure, assess, monitor, control, accept, transfer, reduce and avoid it have been
performed for a very long time, it is only in the last few years that the banking industry has succeeded,
through a unified approach, in defining operational risk and dedicating appropriate priority to it.
The specific approach to operational risk management depends on factors such as the size and
sophistication of the bank and the nature and complexity of its businesses. For this reason the Bank of
Slovenia understands and expects different levels of operational risk management. Regardless of these
differences, however, the following are of key importance in providing an effective framework for
managing operational risk at any bank:

a clear strategy,

awareness among management of the importance of managing operational risk,

supervision of the management body and senior executives,

a strong culture of managing operational risk,

implemented policies and processes to evaluate and manage the exposure to operational
risk, including to low-frequency high-severity events,

an internal definition of operational risk which illustrates in a clear way what constitutes
operational risk for the purposes of policies and processes referred to in the preceding
indent,

an implemented process for identification, assessment and measurement of operational risk,

an implemented process of monitoring operational risk and internal reporting,

an implemented process for mitigation (acceptance, transfer, reduction and avoidance) of operational risk,

appropriate business continuity and contingency plans, to ensure a bank's ability to operate on an ongoing basis and limit losses in the event of severe business disruption,

making public disclosures regarding their approach to managing operational risk.

The Bank of Slovenia expects banks to produce a comprehensive picture of their exposure to
operational risk, based on the frequency and severity of identified, assessed and monitored operational
risk types.

[22] Under this definition, operational risk does not cover strategic and reputation risk. These forms of risk are covered in
special chapters.

Elements of operational risk

People

Behind the success of every organisation stand its employees. For this reason the personnel function or
human resource management represents an extremely important element of risk management.
The Bank of Slovenia assesses to what extent a bank can realize its business strategy through its
existing employee structure at every level. Here it takes into account the size, complexity and
transparency of the organisation, the complexity and diversity of its products and the complexity of the
systems that it uses in its operations.
Other relevant personnel matters (addressed on three levels: management board, senior management
and employees) are:

occupancy of systematically organised jobs,

the availability of skilled personnel in the labour market,

qualitative indicators (motivation, loyalty, experience, educational level),

staff turnover,

education,

succession and promotion plan,

the level of salaries, remuneration and other benefits relative to the sector.

Here the Bank of Slovenia also addresses the provisions for handling confidential information.

Processes

From the procedural aspect the bank's operations can be divided into:

basic banking processes (e.g. housing loans, interest rate swaps, annuity savings),

management processes (e.g. the development and changes of reports, reporting to management board, external reporting),

support processes (e.g. implementing changes in IT equipment, user access assignment) and

improving processes (e.g. handling complaints, project leadership).

Their number is determined by the size and organisation of the bank, the number and complexity of
products/services and the methodology of process management.
The Bank of Slovenia analyses processes at the bank by means of the following criteria:
comprehensiveness, standardisation, integrity, documentation, compliance (with other processes or
legislation in force), management, accuracy, timeliness, technical support and control. Special
mention should be made of milestones in the process, where the potential risk is greatest. [23]

[23] Milestones are a special group of activities in the business process that: mark the end of a specific group of activities;
signify skipping an activity or transferring information from one department to another. Usually they also serve to
check the quality of the group of activities and to check the achievement of the desired tasks or objectives.

Systems

In this element the main emphasis is on IT systems and the associated infrastructure. The following
areas of managing IT systems can be highlighted:

Strategy: the cohesion or harmonisation with the bank's business strategy from the aspect
of support for existing and future operations. An appropriate management attitude
regarding this issue is important.

Manageability: it is in the bank's interest to have the best maintained, most adaptable and
most compatible systems possible. The more heterogeneous the systems (hardware, software,
infrastructural IT equipment) are, the worse their manageability.

Accessibility: here we stress the quality of management and the organisation of user
access, the system of authorisations (rights) and links with outside subjects (attempts to
break into the system, the use of encryption, firewalls etc.).

Integrity: important indicators for assessment are the state of the data model (consistency,
completeness, being up to date and upgraded), the conformity of data/information to
legislation and internal provisions and the timeliness of information.

System supervision: this is addressed from two aspects: prior to implementation (of
systems or changes thereof), where we speak about the quality of testing, the organisation
of internal development processes and contacts with outside suppliers, and after
implementation, when we discuss the introduction of check points, documentation and the
responsiveness of internal and external personnel to errors.

Business continuity: the frequency of interruptions to operations, the time needed to set
the system back up, the method of data protection, relations with outside suppliers,
organisation (duty rosters, crisis teams etc.), the suitability and quality of, and familiarity with, the
plan of uninterrupted operation, and implementation of stress tests.

Usability: what is important here is the comparability of operational systems and the level
and types of products/services offered by the bank, then the support (replacing manual
with automatic procedures), knowledge and the level of use by end users, and user-friendliness
in terms of the quality of software and IT support from experts (internal
and/or external).

Environment

The bank usually does not itself contribute to changes and/or events in its environment. It is important that
the bank on the one hand knows to the greatest possible extent how to foresee them, and on the other hand
prepares for them through adequate organisation.
There are many different factors that influence the risk level of the bank. The Bank of Slovenia
addresses the following:

financial, economic and political stability of the markets in which the bank operates;

legal safety in the business environment;

the probability of natural disasters;

the possibility of criminal activities.

Trends

Changes in elements of operational risk are extremely dynamic. The reasons for this are of an internal
nature, yet often enough they are external, stemming directly and continuously from the business
environment. The Bank of Slovenia therefore assesses the trend orientation and the development of the
bank in this area.

6. Strategic risk
Strategic risk means the risk of loss arising from incorrect business decisions, inappropriate
implementation of adopted decisions or insufficient responsiveness to changes in the business
environment.
This risk depends on the harmonisation of the bank's established strategic objectives and the business
strategy for achieving these objectives, the commitment of funds for achieving these objectives and on
the quality of implementation. The assets for pursuing business objectives are both tangible and
intangible. The latter comprise communication channels, business systems and managerial abilities
and possibilities. Internal organisational features need to be evaluated from the aspect of the possible
impact of economic, technological, competitive, regulatory and other changes in the environment.

Elements of strategic risk

Business strategy

In determining the level of strategic risk, in addition to the actual quality of the strategy we need to
evaluate its aggressiveness, responsiveness to changes in the environment and errors in its
implementation. The adopted business strategy needs to be assessed primarily from the aspect of target
customers, markets and products.
The lowest risk is provided by a clear and conservative strategy supported by the responsiveness of the
management bodies to changes taking place in the industry. It is important that the strategy is
adequately supported with the necessary capital, management personnel and other appropriate
resources. Even an aggressive business strategy needs to be judged in the light of how far it
corresponds to the responsiveness of the bank to changes in the environment and the availability of
capital and other necessary assets.
The Bank of Slovenia assesses the business strategy from the aspect of the definition of the
institution's mission and its objectives, the internal culture and corporate values, the willingness to
accept risk etc.
In any event, an aggressive business strategy with poorly established objectives and poor
responsiveness to changes stemming from the environment represents a major risk.
The high-quality implementation of the business strategy must be supported such that the strategic
objectives are coordinated with the personnel and technological capacities and are adequately
communicated within the organisation.

Business environment

Certain changes in the environment are of course predictable for the bank, so it is important that these
are taken into account in operations. The influences of the environment on the business strategy differ
in both time and space. The most important influences from the environment are of course changes in
market and economic conditions, in the behaviour of clients, the introduction of new products,
political stability, current legislation and technological support for operations.
The lowest risk for a bank is where it operates in a stable and predictable economic, political and
market environment, while the biggest risk is where it operates in a highly unstable and unpredictable
environment that is economically undeveloped and politically unstable.
The Bank of Slovenia evaluates the stability of the environment in which the bank operates, including
both the domestic and international markets.

Responsiveness to changes in the environment

Based on the strategic orientation of the owners and the business strategy, the bank must conduct its
business in line with the adopted operational plans, which cover all areas of the bank's operation, so it
is important that the bank monitors realization of the plan and takes action in the event of variances in
actual operations from the established objectives.
The Bank of Slovenia evaluates how the bank's decisions respond to business changes in the market
(e.g. changes in interest rates, the appearance of new banking services), to regulatory changes
(adherence to valid legislation), to new technology (new methods of data processing in the IT field, the
introduction of new banking channels) and to other changes in the environment.

Trends

Strategic risk is continuously present in banks and the management bodies must constantly refresh
their awareness of it. They must verify the results of their decisions in practice, since internal bank
decisions encounter constantly changing conditions in the environment. The Bank of Slovenia assesses
the likelihood of future trends for each of the aforementioned elements.

7. Reputation risk
Reputation risk is the risk of loss arising from a negative image held regarding the bank by its
customers, business partners, owners and regulators. This image affects the establishing of new
business relationships and services as well as the maintenance of existing ones. This risk can lead the
bank into legal disputes, to financial loss and can cause a reduction in the number of customers.
Reputation risk relates to all parts of the institution and incorporates responsibility for the greatest
possible attention in working with clients and in contacts with supervisory institutions and other
circles.

Elements of reputation risk

Impression on the market

The image of a bank that its customers and competitors will obtain in the market depends on the
method of dealing with customers, the maintenance of confidentiality within the institution, adherence
to contractual relations, conformity to the prescribed practices and ethical standards of the
environment and the proper behaviour of the institution in competition with others.
The factors that contribute to a decline in the reputation of a bank in the eyes of its customers can
vary: the imposition of procedures and payments that other banks do not exercise (the small print of
contracts that is not read by customers), non-observance of data confidentiality, non-cooperation of the
management board with the unions and legislators, frequent changes in the management board,
involvement in insider trading, money laundering, financing of terrorism, breaking embargos and
other orders and involvement in other dubious transactions whose purpose is to get around the law or
to impair third parties.
The general impression of a bank is also affected by complaints from customers, the behaviour of
staff, involvement in legal disputes, newspaper articles and letters to the editor relating to the bank, the
quality of the bank's public communication, rumours, possible deceptions, the value of shares on the
stock exchange, financial statements, the level of dividends, the proper and timely realization of
contracts etc.
In assessing a bank's reputation, the Bank of Slovenia evaluates the influence of all the aforementioned
factors.

Impression of legislator

Supervisory institutions (primarily the central bank, the securities market agency, the tax authorities)
will assess the bank in terms of its performance within the framework of prescribed standards, its
regular and accurate reporting and its readiness to respond in the event of extraordinary requests.
The reputation of a bank reduces conflict with supervisory institutions and the payment of fines and
costs.

Trends

Reputation risk relates to the image of the bank in public and signifies for the bank's management
bodies an extremely sensitive area that can have long-term consequences for the bank in terms of
losing customers. The management must ensure through a special strategy that all employees work
towards the best image of the bank.

8. Capital risk
Capital risk relates to the inappropriate composition of capital for the scope and method of operating,
or to difficulties faced by the bank in obtaining fresh capital, especially with the need for a rapid
increase or in unfavourable conditions in the business environment.
Capital represents the first measure for assessing the solvency of the bank. The bank must constantly
have at its disposal an appropriate level of capital for the purpose of insuring the assets of its investors. An
adequate capital basis represents a safety reserve for various types of risk to which the bank is exposed
in its operations. Banks must have a level of capital adequate to their level of riskiness and business
strategy.
The job of the bank's management is to ensure an adequate capital structure and capital ratio, along
with appropriate capital management that generates confidence in the safety and stability of the bank,
while at the same time ensuring adequate capital returns for shareholders.
The bank's capital adequacy is measured by the capital adequacy ratio, which is defined as the ratio of
capital to risk-adjusted assets and other risk-adjusted items. The minimum capital requirements, the
forms and method of calculating capital and the method of calculating the amount of risk-adjusted
assets and other risk-adjusted items are defined by the ZBan and the regulations on the capital
adequacy of banks and savings banks. [24]
In line with the regulations, the bank must ensure capital for credit, market and operational risk. Since
the bank's operations expose it to other risks, however, such as interest rate risk, liquidity risk,
strategic risk and reputation risk, the Bank of Slovenia expects banks to maintain capital adequacy
above the regulatory minimum. This applies especially to banks exposed to major risks in their
operations.
A reserve in capital or in capital adequacy is in fact often desired by a bank, either for competitive or
operational reasons. A bank that has a reserve in capital usually earns a better score from rating
agencies, allowing it access to cheaper sources in the capital market. Usually oscillation in the volume
of business results in oscillations in the capital adequacy ratio, whereby a decline in capital adequacy
below the regulatory minimum can lead to undesirable action from the supervisor and business
partners. However, in unfavourable market conditions a capital reserve can temporarily postpone the
need for recapitalisation and rescue the bank from possibly expensive commercial moves.

[24] Regulation on the capital adequacy of banks and savings banks (Official Gazette of the Republic of Slovenia No 24/02,
85/02, 22/03, 36/04, 68/04, 103/04, 124/04, 62/05 and 67/05; July 2005)

Elements of capital risk

Ownership structure

The ownership structure of the bank is important primarily in terms of ensuring the bank's stability.
The majority owner of the bank should be financially powerful, and in the event of capital problems
capable of injecting new capital into the bank. It is important that the owner has a clear strategy
regarding the purpose of capital investment in the bank and a responsible dividend policy.
The Bank of Slovenia assesses the ownership structure from the aspect of financial power of
shareholders and ensuring the bank's stability.

Structure and quality of capital

The components of capital, as set out by the regulation on the capital adequacy of banks and savings
banks, can take various forms, maturities and levels of risk. Usually the components of capital have all
or a combination of three major features: permanence, availability to cover bank losses and legal
subordination to the rights of investors and other creditors.
The Bank of Slovenia assesses the structure, permanence, quality and causes of change in individual
components of capital.

Accessibility of capital

A stable and growing bank should regularly increase its capital basis through retained earnings.
Retained earnings enable growth and maintain the bank's competitive position. Internal
recapitalisation, however, is not always sufficient for the planned growth of the bank. Large, capital-strong banks can obtain fresh capital injections on the capital market, be it debt or equity, while
smaller banks usually depend for capital on parent banks, if any, or majority shareholders, where the
question is whether existing owners have any interest at all in increasing their equity holding. Banks
must make a realistic assessment of the availability of sources for possible recapitalisation, and pursue
a business strategy in line with this.
The Bank of Slovenia assesses the possibility for recapitalisation from existing shareholders, the
market conditions for possible new share issues and the possibility for increasing capital through
subordinated debt and hybrid instruments.

Assessing the capital ratio

Ensuring a capital adequacy ratio above 8% is just the starting point for assessing capital adequacy. A
high capital ratio still does not ensure full capital adequacy, since this needs to be assessed relative to
the risks taken on by the bank, its risk management practices, the existing and planned scope and type
of business pursued by the bank, profits, the dividend policy, the quality of management and the
characteristics of the bank's business environment.
The Bank of Slovenia makes a qualitative assessment of all the key variables of operation that directly
or indirectly affect the bank's capital.

Trends

The capital adequacy ratio changes owing to changes in the level of capital and/or in risk-adjusted
assets and other risk-adjusted items.
Based on an assessment of the trend for individual components of capital, the planned volume of
business (strategic plans, annual plans), an assessment of assumptions on which the plans are based
and of the anticipated broader operating conditions, the Bank of Slovenia forms an assessment of the
capital adequacy trend.

9. Profitability risk
Profitability risk relates to the inappropriate composition or diversification of income or to the
inability of the bank to ensure an adequate and continuous level of profitability (for example owing to
inappropriate costs to earnings ratio).
The development and continuing operation of the bank depend on achieving adequate returns on assets
and bank capital. Profits enable the bank to grow, they maintain or increase its competitive position
and they strengthen the bank's capital basis. Losses threaten capital and liquidity, and can undermine
public confidence. Yet the bank's profitability is defined not simply by the profit as set out in the
income statement, but also by the quality and stability of income and the moderate level and structure of
costs.
Profitability is an important indicator of the bank's financial standing and often also an early indicator
of problems at the bank. Internal and external factors affect the bank's profitability. The internal
factors are those that the bank can control and manage, while the external ones are all the others, over which
the bank has no influence. The bank can influence the structure of business activities, the realization of
income (interest margin, non-interest income, gains from trading) and the quality of investments and
costs. Among the external factors, we can count the general level of interest rates, general economic
conditions and changes in the competitive environment in which the bank operates. The bank really
does have no influence on external factors, but it can assess them and foresee them and through the
adequate adaptability of operational plans, it can respond rapidly to possible changes in the
environment.
In analysing profitability, account needs to be taken of at least the following types of risk: credit risk,
liquidity risk, interest rate risk, operational risk and the risk of reduction in capital.
Credit risk is linked to the quality of investments and is directly reflected in the level of bank income
and expenses.
From the aspect of profitability the bank's liquidity is important, or rather the assessment of the bank's
ability to cover short-term liabilities with liquid short-term investments.
Imbalance between interest rates on investments and sources of financing can also have a major
impact on the bank's profitability. The vulnerability of profitability depends on the level of the interest
rate imbalance and the direction and level of the interest rate trend.
The bank's profitability is the first protection from risks to which the bank is exposed, and represents
the first line of defence against a reduction in capital owing to a reduction in the value of investments.
The general principle is that profit must be used primarily to cover losses and to create the necessary
reserves, and that the dividends should be paid out only after covering these requirements.

Elements of profitability risk

Interest margin

Net interest, which is the difference between interest income and interest expenses, is usually the most
important source of total income. An important indicator of net interest is the interest margin (net
interest/average gross interest-bearing assets), which is affected by the volume of interest-bearing
assets and interest-bearing liabilities and by the interest rate spread between them. The potential
vulnerability of the interest margin therefore depends on exposure to an individual type of investment
and sources, the sensitivity of the bank to interest rate changes, deterioration in the quality of
investments and potential liquidity pressures.
The Bank of Slovenia analyses the structure and trends of the interest margin, and assesses its stability.

Cost efficiency

In addition to provisions, operating costs are the factor exerting the biggest influence on the bank's
costs. At the same time, operating costs are the most controllable component of profitability.
Operating costs are usually associated with the bank's efficiency. Efficient management of operating
costs requires a search for the optimum relationship between the strategy of minimum costs and the
strategy of investing, especially in personnel and banking technology, which is important to maintain
or increase the bank's competitive position. Operating costs are assessed in terms of overall
profitability of the bank and the lines of business pursued (for instance managing a credit portfolio is
more expensive than managing a securities portfolio). Cost efficiency is measured by various
indicators, such as:

operating costs/average total assets,

operating costs/gross income,

labour costs/gross income,

operating costs/interest income.

The Bank of Slovenia assesses the level, structure and trends of operating costs and the cost efficiency
of the bank in comparison with other comparable banks.

Quality of income

An important element of profitability is the quality of income, that is, the ability of the bank to maintain
its existing level of earnings and profitability in the future. The bank can record high income and
profitability, but in doing so exposes itself to above-average risk. A high return on assets is frequently
an indicator of the high risk of investments. By making high credit risk investments, short-term
revenues will very probably grow, but in the long term, their level will be questionable.
An important part of analysing risk is evaluating the sensitivity of income and profitability to changes
in the operating conditions, such as changes in interest rates, the interest margin and the size and
quality of the credit portfolio. An important tool in evaluating this sensitivity is stress tests.
Assessing the quality of income requires an analysis of the bank's balance sheet structure, since the
quality of income is determined by the structure of the bank's investments and its sources of financing,
where both the structure of the volume of individual items and the structure of sources of financing
and investments in terms of maturity are important.
Good quality of income is usually the consequence of a varying combination of the following
elements of operation: good return on investments, low costs of financing, a significant level of net
non-interest income, low losses on investments and/or low operating costs. On the other hand, poor
quality of revenues is frequently the consequence of a combination of elements of operation such as
low-return investments, high costs of financing, low net non-interest income, high losses from
investments, high operating costs and/or erroneous handling of tax liabilities.
Based on an analysis of the individual type of income, the structure of the bank's investments and its
sources of financing, as well as the risk of investments, the Bank of Slovenia assesses the ability of the
bank to ensure an adequate level of income and profitability in the future.

Trends

Based on the stability, quality and trend of individual components of the bank's income and expenses
and of profitability indicators, the Bank of Slovenia assesses the future trend of the bank's
profitability.

C. Control environment areas


10. Internal controls
The nature of the banking business carries with it several types of risk, and these differ in substance
and scope. This in itself is nothing negative or problematic; even extremely high risk can be
acceptable. What is crucial is that the bank appropriately manages the risk.
Risk management entails timely and proper identification, measurement and assessment, monitoring
and control. The basic objective of internal controls is of course to reduce the inherent risk to an
acceptable level.
An extremely important additional component of managing risk is the arrangement of the bank's own
business processes from the aspect of:

their description and instructions,

controls at various levels,

the quality of the employees involved in them,

conflicts of interest that arise in them and

the presentation of results.

Through elements of the control environment that to a greater or lesser extent relate to each risk area,
the Bank of Slovenia assesses the quality of risk management. In each assessment of risk inherent in a
line of business, therefore, the Bank of Slovenia also evaluates the area of its internal controls.
Assessments obtained in this way are merged into the overall assessment of internal controls.
Internal controls include:

the framework of risk management;

internal and external reporting;

operating procedures in business processes, working instructions and rules;

internal and external audit reviews;

compliance controls;

IT support and its use in the business process;

human resource controls.

Elements of internal controls

Management

A comprehensive examination of risk management defines the methods, policies and procedures for
identification, measurement and assessment, monitoring and control of existing and potential risk.
For each type of risk the bank must have in place an effective and adequate system of management. It
is important that the management board and senior executives maintain a good overview of the entire
framework of risk management. Individuals, too, must be aware of their duties and responsibilities in
managing risk and of the importance of fulfilling their role in management adequately and
appropriately.
A good process of identification as part of risk management covers the comprehensive and early
recognition both of the causes of risk and of the various forms in which it can appear. Responsibility
for identifying risk must be clearly specified. An appropriate methodology for identification must be
established, while identification should not be a one-off event but a repeating process based on the
policy adopted for each type of risk.
The system for measuring and assessing exposure to risk must be based on identifying risk and must
be capable of assessing its potential effects in line with the scope and complexity of the bank's
business. In view of this the bank establishes appropriate models and techniques for assessing
exposure to risk, which are reflected in qualitative and quantitative assessments. Quantitative
assessments are obtained from various models for measuring exposure to risk based on data time
sequences. Depending on the complexity of the lines of business the bank has gap models, models
which measure the effect on the economic value of capital, simulation models etc. It is very important
to have a precise description of assumptions and parameters on which the system for measuring risk
exposure is based. The primary objective of the system for risk assessment is to determine the
direction and size of exposure and not to determine the precise level of risk. The system must have
relevant criteria for measuring the current and future levels of exposure to risk and must be capable of
determining excessive exposure that might arise in the future. The entire system, including
assumptions and parameters, must be clear to all employees involved in the process and to the bank's
management. This applies especially in the use of more sophisticated models, so that the models
themselves do not become "black boxes" that assess and measure risk, while no one is familiar with
their essential components.
In organising the monitoring of risk, alongside the determining of responsibility and the frequency of
monitoring, the time sequence of the data being monitored must be defined. The following elements
are important for the effective monitoring of risk:

defining the content of reports on risk,

determining lines of reporting,

collecting data,

ensuring high-quality information support.

Controlling risk covers methods of accepting, transferring, reducing or avoiding risk. Based on an
identification and assessment of risks, the bank addresses the risks for which it must take decisions or
action. Depending on the decision regarding the manner and level of risk acceptance, there are various
technical possibilities for controlling the risk such as the use of insurance, hedging through a counter
transaction, outsourcing, determining a limit system, reducing or terminating a line of business,
segregation of duties etc.
In connection with the segregation of duties, the bank must provide a precise description of the
authorisation of persons and committees in managing risk. The bank must ensure adequate segregation
of duties for all elements in the process of risk management, in order to avoid possible conflicts of
interest. The bank must ensure that through a precise description of duties the functions of
identification, measuring and monitoring risk are separated from those parts of the bank that deal with
controlling risk in terms of reducing or avoiding it. Reporting that derives from processes of risk
management must be aimed directly at the management board and/or another managerial level at the
bank.
The results deriving from the system of risk management comprise:

exposure to risk, to a possible risk trend in the future, meaning the forecast of exposure
with scenarios determined in advance;

the adequacy or conformity of risk management to specific internal policies and limits,
where a note must be made of all exceptions made and how they were approved;

major assumptions and exceptional events in operations;

the results of stress tests with an analysis of key variables and parameters;

summaries of the findings of reviews of policies, procedures and the appropriateness of
the system of risk management.

The Bank of Slovenia assesses the framework for risk management according to the above-described
processes of identification, measurement and assessment, monitoring and control that the bank has
developed by individual risk areas. Special emphasis is placed on the role of the management board
and on the segregation of duties, responsibilities and authorisation in risk management processes.

Reporting

An important part of internal controls is an effective system of reporting at the bank. High-quality
reports are those that present the current situation and the prospects for the bank and/or its individual
parts in a balanced, accurate and timely manner. The Bank of Slovenia pays greater attention to reports
that allow the bank's management to assess the scope and trend of risk and its effect on capital.
The quality of reporting both inside the bank (by levels up to the management board) and in the
external environment (emphasis on reporting to the Bank of Slovenia) is judged in the following
components:

correctness, accuracy and timeliness and the methods used by the bank to provide it,

effectiveness in terms of the manner of distribution,

the rationale in the scope of regular reports and the appearance of ad-hoc reports in
extraordinary circumstances,

comprehensiveness, equal treatment of all subsidiaries, organisational units and/or lines
of business.

The descriptive or explanatory component of reporting is especially important.


Within this framework, the Bank of Slovenia also assesses the provision of the necessary information
for the operation of the bank in substantive terms: determining the actual results and situation,
realization of plans and key indicators of risk.

Procedures

Established procedures for pursuing lines of business, descriptions of business processes, rules and
working instructions significantly reduce the bank's inherent risk. They must become a strategic
element of risk management and a working tool for all employees. The most important thing here is to
achieve their consistent implementation, so that they are not an end in themselves, since the non-fulfilment of internal regulations exposes the bank to additional risk or consequently leads to
unexpected losses.
Procedures and documents are aimed at the proper conducting of business and at limiting and
controlling risk deriving from such business. They must determine in a painstaking and understandable
way the segregation of competence and responsibility at all levels of decision-making, they must
describe the entire process from contact with the client to recording the transaction throughout its
lifecycle, define permissible financial instruments, insurance, hedging through counter transactions,
managing positions etc.
High-quality procedures and documents have key points built in where controls are carried out. They
incorporate the principle of four eyes. In the majority of cases, the Bank of Slovenia anticipates the
quantitatively determined extent to which a bank conducts some individual transaction or to which the
bank is prepared to expose itself to risk. Procedures and documents must be periodically reviewed
depending on changes in the external environment (the behaviour of clients and competitors,
technological innovations, legislation) and within the bank (changes to personnel, organisation,
owners) and adjusted appropriately where the need arises.
A special example of this is activities pursued by the bank in introducing new products or prior to
appearing and operating in new markets. The bank must formulate adequate procedures and
documents that set out the method of implementation and the trial period. This must include all
departments that will be involved later.

The Bank of Slovenia assesses the quality, adequacy, coherence and validity of the above-described
procedures and documents. It also verifies the familiarity of employees with them and the consistency
of their application.

Audits

Independent internal audit is an essential element of monitoring and assessing the comprehensiveness
of internal controls and the system of internal supervision. Each bank must have an established
independent internal audit system that enhances the adequacy and effectiveness of carrying out
organisational and procedural controls. The bank's management board must ensure the independence
of regular auditing reviews and assessments.
In order for internal audit to be effective, it must at the least:

have an appropriate mandate setting out its duties and aims;

be independent of the areas and internal controls it is reviewing;

have adequate resources for the quality implementation of its mandate;

operate on the basis of a professional auditing programme;

regularly inform the bank's management board and supervisory board of the findings of
audits in appropriate reports.

The results of audits must also be available to the Bank of Slovenia for its requirements.
The internal audit department must review and assess business processes, the internal controls built
into them and the methodology applied. Such reviews must trace the understanding, testing and
documentation of the current business process, the identification, measuring, assessment and
monitoring of risk, assess accuracy and propose solutions for established weaknesses.
The Bank of Slovenia assesses the regularity, independence, quality and effectiveness of internal
audits. In its assessments, it also takes into account the findings of external audits and other
supervisory bodies.

Compliance

Controls on compliance with regulations are important for managing compliance risk, which can be
described as the risk of legal or regulatory measures, financial losses or loss of reputation arising from
non-compliance with valid legislation, secondary regulations and best banking practice. For effective
management of compliance it is important for the bank to develop at all levels a culture and standards
of high ethical behaviour. Primarily it is the management board and senior bank executives that are
responsible for compliance with legislation, secondary regulations and standards of good banking
practice.
The Bank of Slovenia checks the compliance of the bank's operations with valid legislation, secondary
regulations and best banking practice, and assesses the established controls designed to ensure such
compliance. Equally, the Bank of Slovenia assesses the past actions of the bank's management upon
the discovery of a violation.

Information technology

Nowadays IT tools support the majority of bank operations. Their quality has a significant effect on a
bank's performance.
The Bank of Slovenia assesses IT support and its use in the business process through its:

effectiveness,

adaptation to the specific requirements of the business process,

integrity, correctness and timeliness,

adaptability.

Here it checks whether the bank is abiding by good practices and recommendations in all components
of its IT support: the IT strategy, organisation and management of the IT area, IT security, hardware
and software and in ensuring that support is operational.
The assessment of the quality of the information technology strategy looks at the harmonisation of IT
support with the business processes, the quality of project planning, the adequacy of preparations for
formulating the strategy primarily in terms of collaboration with the widest possible circle of users,
familiarity of the bank's management with its substance and adequacy of the staff team in terms of
internal needs and outside competition.
In carrying out duties of managing the area of IT support special attention needs to be paid to
planning, adequate organisation of the IT support area, the method of financing and an environment
that will favour constant improvements.
Information technology security relates to the security policy and logical and physical controls on
access to IT systems.
Checking the quality of application software involves determining its adequacy, degree of
implementation and its use in business processes, in other words does the application meet the needs
of users, are the test and production environment separate and has the bank ensured separation of the
functions of development, maintenance and use of software. Moreover, there is also a need to check
the effectiveness of project leadership, the maintenance of existing applications, the management of
change, caretaking of databases and the operation of the quality assurance system.
Hardware, operating and network systems, program tools and systems for storing and protecting data,
which represent the technical support for the selected line of business or risk area, must meet the
requirements of the business process, internal and external technical standards, and in addition they
must be assured of constant maintenance. The department responsible for support must ensure that it is
operational; it must plan and monitor the level of equipment use, and must ensure its rational set-up
and configuration. Since in this area in practice there is frequent cooperation with outside suppliers, in
this case a contractual assurance of the desired level of services is expected.
Support operability is achieved through adequate organisation and effective leadership of the team
responsible for it. Achieving this objective is helped by measures such as: determining and noting
working procedures, especially procedures for introducing changes and those for solving problems,
planning the uninterrupted functioning of the system and drawing up a recovery plan.

Human resources

The quality of employees is vitally important for banks.


In order for the personnel function from its point of view to ensure an adequate control environment,
the personnel policy must follow the bank's strategy and be adequately organised and systemised.
In assessing the adequacy of the personnel situation for the selected line of business or risk area, the
following criteria are especially important:

occupancy of jobs,

knowledge and expertise,

education,

wage policy and bonuses,

succession and promotion plan,

the number of temporary employees or those on fixed-term contracts,

supervision of temporary employees.

11. Organisation
Organisation25 covers the organisational structure, relationships between subjects in the group, lines of
reporting, the structure of responsibility and the organisation of risk management. The primary
purpose of establishing an organisational structure is the best possible pursuit of lines of business.
Organisation can contribute to reducing all risks at the bank:

through transparent organisational structure, and clear relationships between business
activities, administrative units and group functions,

through adequate reporting at all levels and

through adequate structures of responsibility and authorisation.

Elements of organisation

Organisational structure

The transparency and appropriateness of the established organisational structure are very important for
the operation of the bank. A transparent and understandable organisational structure at the bank is
supported by appropriate documentation and an organisational scheme. Any changes are carefully
weighed up by the bank's management and are always simply the consequence of causes deriving from
the requirements of the bank's actual operations.
An appropriate organisational structure is harmonised with the size and complexity of the bank and at
the same time is harmonised with the management structure. The actual organisational structure of the
bank must be harmonised with the adopted rules of organisation. The rules must also set out the
organisational structure of the bank group, if one exists. They must define the role of the individual
organisation within the bank group from both the business and geographical aspects.
A high-quality organisational structure at the bank in terms of risk management facilitates firm
supervision and the balancing of inherent risk, and is very well coordinated with the commercial
requirements and processes at the bank. The legal organisation of the individual company within a
bank group must also be transparent and appropriate, as defined by the laws of the particular country
in which the company or member of the bank group operates. The legal organisation of the individual
company must also be adequately documented, including all the permits and licences required for its
operation. Any kinds of change must be documented.
The Bank of Slovenia assesses primarily whether the organisational structure of the bank is
sufficiently clear and understandable (both to bank employees and to supervisors) to support and
demonstrate effective and prudential management of the bank on the solo and consolidated levels.

Consolidation

In a group of related parties, the clarity of commercial connections is especially important, and this is
reflected in the centralisation of functions within the group, in the links between individual lines of
business and in the basic commercial connections. Within the group, there must be a clear method of
control conducted by the directly or indirectly superior company in the group and forming the basis for
conducting the business of individual subsidiaries in the group.
A group of companies that are linked in ownership such that the superordinate company can exercise
its commercial, managerial and supervisory (controlling) influence over the members of the group
draws up consolidated financial statements. These are compiled based on the original financial
statements with appropriate consolidation adjustments.

25 This chapter takes into account the general principles of bank management and similar financial institutions from the
document The Application of the Supervisory Review Process under Pillar 2 (CEBS; June 2005).

The controlling bank in the group is bound to supervise the risk of the group such that it can exert
immediate influence on any potential increase in risk that might frequently or occasionally arise in the
group's operations, since the consolidated bank group includes both banks and other financial
companies, as well as companies that deal with real estate, data processing and other similar services
that are regarded as ancillary bank services.
Banks must devote special attention to consolidation, since on the consolidated basis a bank must also
fulfil the requirements regarding the minimum amount of capital, with at least the minimum
prescribed capital adequacy being ensured, and it must adhere to the limits regarding exposure of the
entire group to individual persons or groups of related persons etc.

Segregation of responsibility and lines of reporting

The structure and segregation of responsibility on individual organisational levels as well as lines of
reporting are closely connected to the organisational structure.
A segregation of responsibility that can be regarded as adequate is characterised by its effectiveness, a
high-quality leadership structure, clearly defined competence and clear instructions for action. A clear
and effective segregation of responsibility requires the reciprocal operation of both the commercial
and support sections of the bank, as well as of internal audits and risk management employees. A
balance in the responsibility and competence of the commercial and support sections of the bank is
essential for high-quality risk management.
Equally, there must be a clear segregation of responsibility in the bank's leadership structure
(management board, other executive level etc.). In any event, the four eyes principle must be ensured
for decisions at the highest level (the management board).
Lines of reporting depend on the organisational structure and segregation of responsibility, and must
be suited to the nature, structure and scope of operations of the bank and of course to its management
structure. Lines of reporting must provide the bank's managers with timely and accurate data and
information as a basis for taking correct and rapid action.
Adequately established lines of reporting are also important for the correct and timely reporting to
bank supervisors.
The Bank of Slovenia assesses primarily whether the lines of reporting and the segregation of
responsibility at the bank are understandable, precisely defined, clear, uninterrupted and adhered to in
practice.

Organisation of risk management

Risk management is one of the key organisational features, so it must be effectively organised for the
implementation of adopted risk policies and for risk management. The function of risk management
can be organised centrally, and in bigger banks in a decentralised system or separated by line of
business. It is important that the bank gives this organisational section appropriate independence
and weight in decision-making at various levels.
The Bank of Slovenia assesses whether risk management is organised in a way that supports the
implementation of the adopted policies of risk and risk management at the bank.

12. Management
Management26 covers the quality and composition of management bodies, the decision-making
process, the process of strategic planning, the culture of risk control and the quality of internal audits.

26 This chapter takes into account the general principles of managing banks and similar financial institutions from the
document The Application of the Supervisory Review Process under Pillar 2 (CEBS; June 2005).

Management bodies can make a decisive contribution to risk management through the appropriate
composition and organisation of a management team suited to the scope and complexity of business,
through a clear and understandable segregation of responsibility, adequate management supervision
and control, through the development of an appropriate culture of risk management and by
establishing high-quality internal auditing.
By monitoring the bank through reports, direct reviews and in conversations with the bank, the Bank
of Slovenia assesses individual elements of administration as set out below, and the quality of
administration as a whole, and monitors trends in the development of administration at the individual
bank.

Elements of management

Quality and composition of management bodies

The term management bodies covers the supervisory and management boards of the bank, which are
the most important bodies in terms of management. The supervisory board is responsible for
supervising the work of the management board and the operation of the entire bank. It performs this
function primarily by reviewing the reports from the management board and internal audits, but may
also request a review of the books of account and other documentation. The main tasks and
responsibility of the management board are conducting business and representing the company.
The guarantee for successful bank management is the selection of a high-quality management team
that enjoys constructive mutual cooperation and works primarily to ensure that the adopted strategy is
implemented. Equally, it is important that lower management levels have a good system of supervision
established over the implementation of adopted decisions. A major motivating factor for other bank
employees is their satisfaction with the work of the management team.
The qualifications and experience of the other management level, and where necessary of operational
managers at lower levels, are assessed by the Bank of Slovenia generally as part of reviewing an
individual area of bank operations for which individual managers are responsible.
In carrying out reviews of operations, the Bank of Slovenia first familiarises itself with the work of the
bank's management bodies. In the process of assessing the quality and composition of the management
bodies, the Bank of Slovenia assesses whether the members of the management and supervisory
boards are appropriately qualified and have the characteristics and experience necessary for managing
the bank's business. Here it assesses the numerical adequacy, it checks professional references, the
working experience of individual members, their knowledge of the bank's strategy, the influence of an
individual body and individual person from the management team on implementation of the strategy,
and determines whether the mutual demarcation of tasks in the management bodies is suited to the
scope, substance and complexity of the bank's business and to what extent the management team
manages or controls the working process.
The Bank of Slovenia also determines the level of satisfaction among other employees with the work
of the management bodies and what attention is paid to the ethical treatment of employees and
customers. Special attention is paid to preventing exposure to "conflicts of interest", which might lead
to abuse of the bank on the part of workers who might exploit inside information (so-called insiders).
In assessing the quality of management bodies, the Bank of Slovenia also examines and assesses
whether the supervisory and management boards, each within the sphere of their responsibility:

have taken all key decisions necessary for the healthy operation of the bank and whether
they have determined the main commercial goals, strategies and risk profile for the bank,
whether they have adopted a written policy for achieving the selected commercial goals
and whether the internal acts of the bank (articles of association, rules of procedure)
clearly set out the responsibilities of the two bank bodies,

have ensured that the strategy and adopted policies are communicated and explained to
employees at the bank (at least down to the level of staff responsible for the working
process),

have ensured the systematic and regular overhaul of adopted risk management policies,

have ensured the establishment and functioning of a quality system of internal controls,
including the function of risk management, internal audit and supervision of compliance
with legislation,

in developing the system of internal controls have demarcated tasks in order to prevent
any conflicts of interests,

through investment strategies and policies have ensured the use of the bank's own assets,
i.e. share capital in line with risks,

have supervised and periodically (at least once a year) assessed the effectiveness of the
system of management and adopted any necessary changes,

have fostered ethical and professional standards and an internal controls culture,

have ensured that the bank aims for the highest standards of honest disclosure of its
operations,

have ensured that the bank discloses its current standing and future potential in a
balanced, accurate and regular manner.

Decision-making process

The business decisions made by the bank's management board and executive directors represent the
guidelines for the work of bank staff. An effective process of decision-making presumes clear
segregation of responsibility for decisions, a dependence on "key players" in decision-making within
acceptable limits, a well-developed system of responsibility and an effective system for eliminating
errors. The management team must be especially attentive to cases of commercial decisions taken with
the exclusion of bank bodies. It is also essential to have a constant and open dialogue between the
supervisory board and management board, since this reduces potential conflicts regarding business
decisions.
The Bank of Slovenia assesses whether the process of decision-making is suitable and sufficiently
effective. Here special attention is paid to understanding the role of the management board and
employees in the process of decision-making and to understanding the control mechanisms that ensure
supervision of the implementation of adopted decisions. Equally, it examines the level of definition
(formalisation) of the decision-making process in policies and controls, the dependence of the
decision-making process on "key players", the allocation of responsibility and the elimination of errors
in the event of variances in practices from the adopted policies and limits.
In assessing the decision-making process, the Bank of Slovenia examines whether the management
and supervisory boards:

make decisions actively and independently,

can explain adopted decisions to the Bank of Slovenia and to interested parties,

adopt policies for selecting, substituting, supervising and planning (the existence of
succession plans) replacement personnel for key positions.

Strategic planning process

Planning is an organised and continuous process that ensures that the envisaged future economic
environment will have an effect today on the current business decisions of the bank. Planning is
roughly divided into long-term (strategic) and short-term (operational).
High-quality strategic planning:

has an established and supervised process of planning that includes all relevant managers
and experts,

relies on comprehensive and reliable data and its results are clearly set out commercial
goals,

includes the periodical monitoring of its realization and action in the event of deviations.

The objective pursued by the Bank of Slovenia in assessing the quality of the strategic planning
process is to determine whether the planning process is sufficiently broad and clear. In order to
achieve this objective the Bank of Slovenia devotes special attention to understanding the involvement
of the management board and employees in planning, and it checks the frequency of planning and the
adequacy of information for planning. It is especially important to determine which controls in the
planning process provide the bank with quality input data and quality output reports. The clarity of
projections is also a subject of assessment.

Culture of risk management

A component part of assessing the environment in the management of the bank is assessing the
tendency of the management team to accept risk and an identification of the attitude it has to
constructing a system of prudential controls (internal and prescribed) and methods of risk
management. This style of management behaviour is denoted by the common expression culture of
risk management.
The desired culture of risk management assumes that the management adjusts the assumption of risk
to the economic power and quality of the bank, while at the same time the management supports and
directs the setting up of the internal controls system. A high culture of risk management also involves
a constructive and open attitude on the part of the management bodies to supervisory institutions
and adherence to their own adopted accounting orientations and tax policies.
In assessing the culture of risk management, the Bank of Slovenia assesses the kind of emphasis
placed by the management board and other executives responsible for risk on the assuming of such
risk. Here it is important whether the team understands the risks and has received adequate reports on
the risks, whether risk analysis has been performed prior to the introduction of a new type of business
and prior to entry into new markets, whether the team is able and ready to introduce adequate controls
over risks and whether any strategic incentives have been envisaged for acquiring new markets and
products representing a realization of the adopted strategy.
An important element in assessing the system of internal controls is the willingness of the
management to facilitate adequate sources for establishing these controls, to recruit staff with the
knowledge and experience demanded by the assumed risks, to encourage training in risk management,
and to ensure the construction of internal controls suited to the assumed risks.
Major importance in judging the attitude of the management to supervisors and those issuing
regulations is given to compliance of the bank's operations with valid legislation, implementation of
regulatory requirements and the bank's willingness to provide supervisors with accurate and timely
information and to inform them immediately of significant current matters and issues.
The Bank of Slovenia expects:

the bank to have an organised system of internal controls with three mutually independent
functions separated from the business functions: risk management, compliance control
and internal audit,

the function of risk management to be performed such that it ensures compliance with the
adopted risk policies,

the department responsible for checking compliance with regulations to discover and
assess the risk of the bank operating contrary to regulations,

the internal audit department to operate as a tool of the supervisory and management
boards, ensuring the adequacy of internal controls,

the bank to have an established and effective system of internal controls and a reliable
information system covering all the main activities of the bank,

the bank to have established appropriate procedures for accepting and dealing with
comments and complaints made by employees in connection with the managing of the
bank.

Quality of internal audit

Internal audit is an independent part of the organisation that is directly subordinated to the bank's
management board and is functionally and organisationally separate from the other organisational
sections of the bank.
The tasks of the internal audit department are defined by law. The internal audit department performs
constant and comprehensive supervision of the bank's operations, with the aim of reviewing and
assessing the appropriateness and effectiveness of internal control systems, assessing the
implementation and effectiveness of procedures for risk management and methodologies of assessing
risk, evaluating the system of assessing the bank's capital with regard to its estimate of risk, assessing
the reliability of the IT system, checking the completeness, reliability and timeliness of reporting in
line with regulations and checking the compliance of the bank's actions with regulations.
The Bank of Slovenia assesses the composition and work of the internal audit department with the aim
of determining whether the function of internal auditing is of sufficient independence, quality and
effectiveness. Independence must be assured for internal auditing in the organisational and functional
sense (internal audit staff should not perform any other duties), and reporting on findings must be
performed without the influence of the audited persons. The quality of internal auditing is judged
according to the professional references and auditing experience of the internal audit staff, the
comprehensive nature of the annual programme of work and the detailed auditing plan, and in terms of
the quality of reports and working papers on audits conducted. Of key importance for the effectiveness
of internal auditing is independent reporting to the management and supervisory boards and support
from the management board for the internal audit findings, so that identified deficiencies are
eliminated, and also following up recommendations to ensure their realisation.
The Bank of Slovenia expects the bank's management board to set up an entirely independent internal
audit department, which employs high-quality programmes of checking and reports on its findings
directly to the management board, to a possible review panel and to the bank's supervisory board.
