India

January 2014
For private circulation only
www.deloitte.com/in
Navigating the risk based
supervision process
Foreword 03
Understanding the risk based supervision process 04
Imperatives for the bank 08
Approach towards addressing the imperatives 13
RBS readiness self-assessment 15
About Deloitte 17
The Deloitte experience 18
Contacts 19
Contents
Navigating the risk based supervision process 3
Foreword
The role of the Indian banking industry has been
transformed from credit intermediation to integrated
customer service. High growth coupled with the quest
for superior customer service has led to innovation in
banking products and channels for delivering innovation
to customers. This has led to redundancies in the
traditional compliance and transaction testing based
supervisory approach and has put signicant strain on
supervisory resources. As the focus of global supervisors
shift towards ensuring nancial stability and managing
contagion risk in an increasingly inter-connected market-
place, the approach towards supervision is expected to
become more inclusive, risk based and data centric.
The Reserve Bank of India has embarked on a process
to move towards a risk based supervision approach
from the earlier transaction-centric CAMELS and
CALCS approaches. The new approach is expected to
signicantly change the approach towards regulatory
supervision. As a result, banks will be required to
gear up to meet the requirements of the revamped
supervisory process. The key changes in the revamped
regulatory supervision process are highlighted below:
Forward looking with a focus on both present and
future risks: The regulatory supervision process will
focus on inherent risks within the banks business
model and product offerings as opposed to results
of past transactions. This is expected to facilitate an
inclusive approach towards early corrective action by
the bank and the supervisor.
Optimization of supervisory resource deployment
through off-site monitoring: The supervisory process
will signicantly focus on continuous collection of
data from banks and a robust off-site surveillance
mechanism. This is expected to enhance the
supervision bandwidth and move towards a risk
indicator based early warning system.
Focus of on-site supervision on targeted and thematic
reviews: On-site reviews will focus on high risk areas
and industry-wide challenges. The supervisory team
is also expected to be augmented with relevant
specialization to address challenges emerging
from high risk areas. This is expected to help focus
supervisory bandwidth on high risk areas while the
banks internal controls systems, compliance and
audit functions provide the requisite transactional
assurance on other areas.
Impetus on corporate governance and regular
dialogue between the bank and supervisor: The
revamped regulatory supervision process will focus
on having a single point of contact for each bank
and continuous engagement through the single point
of contact. This is expected to support inclusiveness
and facilitate ongoing assessment of the quality of
governance and management of the bank.
The move towards risk based supervision is a step in
the right direction for the banking industry. However,
challenges abound both for the supervisor and the
banks as the industry grapples with wide-ranging
issues including quality of data, scalability of regulatory
reporting processes, efcacy of risk management
systems and cost of compliance. This document
explains the revamped supervision process and provides
a perspective on the holistic approach banks can
take to integrate the supervisory process with the
internal control systems and internal capital adequacy
assessment processes.
4
Understanding the risk
based supervision process
Background
The risk based supervision process (RBS) is designed
to work as a structured process that identies the most
critical risks faced by an individual bank and systemic
risks in the nancial system. The RBS process also
covers assessment of an individual banks management
of those risks along with its nancial vulnerability to
potential adverse experiences through a focused review
by the supervisor. The RBS process is forward looking
with a focus on evaluating both present and future
risks, identifying incipient problems and facilitating
prompt intervention/ early corrective action moves.
This is a departure from the earlier compliance focused
and transaction based approach called CAMELS which
typically covered point in time assessments.
To achieve its objective of continuous supervision and
early corrective action, the risk based supervision process
focuses on the following aspects:
Continuous collection of nancial and non-nancial
data from banks with a view to enable the regulator
to independently perform analysis of raw data
through off-site surveillance
Inclusive and regular onsite examination focused
on evaluating the risk and control environment
within the bank. The inclusive examination process
is designed to enable the supervisor to form an
objective view on the probability of failure and impact
of failure based on the existing control framework of
the bank
Thematic and targeted reviews by the supervisor
with a view to evaluate, through use of specialists,
the impact of systemic risks on the bank and the
manner in which the bank is addressing potential
high-risk areas
Increased reliance on the banks audit and
compliance functions to provide transactional
assurance to the supervisor and enable allocation of
supervisory resources to high risk areas
Use of capital add-ons based on the assessment of
probability and impact of failure to encourage banks
to strengthen their control environment
Increased engagement between the supervisor and
the senior management of the bank with a view to
ensure good corporate governance, transparency and
accuracy of information used by senior management
for decision making.
The risk based supervision process focuses
heavily on off-site surveillance. It is,
therefore, extremely data intensive and it is
envisaged that banks will be able to provide
data in a seamless and automated manner to
the supervisor on a regular basis.
Navigating the risk based supervision process 5
The risk based supervision process
The key steps in the implementation of the RBS process are explained below:
The supervisor will determine the probability of failure based
on the residual risk and the available capital to absorb the
risk. Impact of failure varies for systemically important and
non-systemically important institutions. While probability
of failure and impact of failure are assessed separately, it is
important for an individual bank to strive towards reducing the
probability of failure.
Banks are expected to provide approximately 25,000 data
points through regulatory returns at multiple frequencies.
The requirements are expected to change dynamically
based on emerging risks in the industry. Data collected by
the supervisor covers both qualitative and quantitative data
and is broadly expected to cover the following aspects:
- Credit risk
- Market risk
- Operational risk
- Liquidity risk
- Pillar II risks
- Information technology
- Compliance
- Internal audit
- Management and Board
The supervisor has identied inherent risks applicable to all
banks. The data collected will form the basis for computing
risk indicators against the inherent risks identied.
Accordingly, the accuracy, completeness and timeliness
of data are critical for the determination of rating by the
supervisor.
The supervisor will determine the rating based on the risk the
bank poses to the supervisory objectives of nancial stability,
protection of depositors interests and customer protection.
The supervisory rating is therefore a function of the
probability of failure and the impact that the failure can cause
to the nancial system. Apart from objective parameters,
thematic reviews, the views of the supervisory relationship
manager assigned to the bank and the ability of the banks
to demonstrate good governance plays an important role in
determining the supervisory rating.
The supervisory stance resulting from the rating may lead
to baseline (normal) monitoring, closer monitoring or active
oversight. The bank should aspire to remain within the
baseline (normal) monitoring stance.
Based on the supervisory rating, the bank and the supervisor
are expected to agree on an action plan. The objective of the
action plan is largely expected to focus around reducing the
probability of failure. However, where banks are systemically
important, the focus is also expected to be on managing
potential contagion. Where the probability of failure is higher
or where the impact to the nancial system is high especially in
case of systemically important institutions, the supervisor may
require additional capital to be kept aside.
Assessment of probability of failure and impact
assessment
Data gathering and analysis
Supervisory stance and rating
Action plan and capital add-on
Risk and control, capital and compliance
assessment
Assessment of existing controls for inherent risks, available
capital, ability to raise capital, earnings growth to augment
capital and compliance form the basis for determining
the probability of failure. It is important for the bank to
demonstrate to the supervisor that controls are in place to
address inherent risks. The ability of the bank to demonstrate
that inherent risks are controlled appropriately as well as
the ability to demonstrate an appropriate scoring on the
risk indicators will have an impact on the determination of
the probability of failure. Further, qualitative aspects will be
assessed by the extent to which the compliance and internal
audit functions provide assurance to the supervisory staff. It
is expected that as the supervisory focus moves away from
transaction and compliance testing, the bank will augment
its transaction testing through concurrent/ internal audit and
compliance testing. Availability of excess capital judged by
existing excess capital, earnings growth and access to capital
raising sources forms a key part of the decision on probability
of failure.
3
1
2
4
5
6
Implementation of the risk based supervision process
SNo Implementation of
the RBS process
Inputs used by the
supervisor
Sources of data Expectations of the supervisor from
the bank
1 Data gathering and
analysis
Financial statement data
Internal capital adequacy
assessment process
Data relating to market,
credit, liquidity and
operational risk
Core banking systems
General ledger systems
Risk management systems
Treasury systems
Accuracy of data
Timeliness in providing data
Minimum manual intervention while
extracting data and providing to the
supervisor
Availability of data from source
systems
2 Risk and control,
capital and compliance
assessment
On-site assessment by the
designated supervisory
relationship manager and
thematic reviews
Off-site assessment through
OSMOS and other RBS data
collected
Internal audit
Concurrent audit
Operational risk framework
Compliance testing
Limited testing by supervisor
Various systems of the bank
Efcacy of the internal audit and
concurrent audit function
Compliance testing by the bank
Use of specialists by the bank to
perform as well as review critical
operations
Strong operational risk framework
Strong IT control framework
Enabling supervisor to access and
analyse data directly from source
systems
3 Assessment of
probability of failure
and impact assessment
Inherent risks in the business
segments in which the bank
operates
Internal controls to mitigate
those risks
Risk quantication and
aggregation
Available capital
Size and inter-connectedness
Size and complexity of
operations
Risk management systems
Capital computation systems
Demonstrating the existence of
controls to mitigate inherent risks
Accuracy and adequacy of
methodologies used to quantify risk
Adequacy of capital
4 Supervisory stance and
rating
Impact to the nancial system
Complexity of operations
Quality of management
Feedback from the supervisory
relationship manager
Feedback from auditors
Audit reports
Interactions and discussions
with the management
Results of thematic and
targeted reviews
Senior management being aligned and
involved with day to day operations
Efcacy of reviews by auditors and
other experts
Action plans to deal with
contingencies, potential contagion and
manage inter-connectedness
5 Action plan and capital
add-on
Capital planning as part of
ICAAP
Earnings growth
Dividend distribution and
retention of earnings
Ability and past history of
raising capital
ICAAP documents
ALM and ALCO reports
Efcacy of the ICAAP document
Demonstrable use of risk management
and results of risk quantication in
decision making
Capital planning and funding plans
including contingency plans
Navigating the risk based supervision process 7
For a bank to navigate
the risk based supervision
process effectively, the
following aspects become
critical
Quality of data
provided to the
supervisor and used by
the bank for internal
decision making
Demonstration
of high quality of
governance and
control framework
Demonstrable
integration of the
risk and business
decision making
processes
Effective capital
planning and
contingency planning
Efcacy of IT systems
from an internal control
and availability of data
stand-point
Ability to quantify
and aggregate risks
especially Pillar II risks
Efcacy and
quality of internal
audit, concurrent
audit, reviews and
compliance testing
Quality of risk
management systems
8
Imperatives for the bank
The risk based supervision process puts signicant onus
on the bank to improve various aspects of operations.
Certain aspects may be improved sequentially whereas
others may be required to be improved concurrently.
Further, the bank may slowly migrate to the desired
state depending upon the complexity of operations
and value-added by the RBS process to governance and
decision making. The fact that the supervisor is also
evolving the RBS process, models and calibration of
ratings on an ongoing basis will play a very important
role in determining the extent to which bank makes
investments in enhancing the RBS infrastructure.
Ongoing evolution in RBS will mainly affect the type
of data the regulator seeks for off-site monitoring. The
imperatives for the bank to align with the RBS process
are depicted below:
Data
Consistency in data
denitions
Mapping of data elds to
source systems
Process of validation of data
provided to supervisor
Reconciliation of RBS data
with nancial reporting and
other regulatory reports
Automation of data ows
from source systems to
supervisor and integration
with ADF
Needs to be addressed
immediately from a
compliance stand-point
Compliance framework and
compliance testing unit
Specialist reviews for
high-risk areas and
monitoring regulatory
action plan
Re-engineering the internal
and concurrent audit plans
and expectations
Assurance over efcacy of
internal and concurrent
audit
Embedding operational
controls in IT systems and
as part of audit testing
Imperatives that are
likely to improve the
RBS rating
ICAAP document aligned
with SREP expectations
Enterprise wide risk
quantication and
aggregation
Capital and liquidity
planning and allocation incl.
contingency planning
Ongoing validation of risk
models to derive assurance
over risk quantication
Integrated stress testing and
impact assessment
Investment in
automation that may
be rationalized with
evolution in the RBS
process
Multi-level management
dashboard of risk, data,
indicators and interpretation
Demonstrable use of risk
models in the business
decision making process
Quality of governance and
oversight incl. managing
conicts of interest
Continuous monitoring
of qualitative factors and
demonstrable risk culture
Demonstrating that capital
after projected growth and
earnings covers enterprise-
wide risk
Investments to help
align business practices
with the supervisory
thought process
Legend
Control framework Risk management
Governance and business
application
Navigating the risk based supervision process 9
Addressing the imperatives
Data
SNo Imperative Current state of Indian banks Desired state
1 Consistency in data
denitions
First set of data provided to the supervisor based on
raw data available
Data denitions inconsistent between banks and
between various reports provided to the supervisor
Availability of data from source systems is a challenge
Creation of a single data dictionary across businesses
Review and validation of data denitions with the
supervisory relationship manager
Updation of source systems to collect, record or
compute data required by the supervisor
2 Mapping of data
elds to source
systems
Most data is extracted manually as and when required
Data from multiple systems is collated and aggregated
in spreadsheets to arrive at the data point required by
the supervisor
In certain cases, existence of data in source systems
not mapped
Map data and interim computations as dened in
the data dictionary with the source systems/ G/L
consolidation systems
Updation of source systems to store and compute
data required by supervisors or that may be required
for analysis by the management
3 Process of validation
of data provided to
supervisor
Currently, limited sense checks are carried out to
evaluate accuracy of data
Formal process of pre-audit or data validation not in
place
Direct system data-ows not established
Validation rules and tolerance limits used while
collating data in spreadsheets
Validation of data and pre-audit prior to population
in template sent to supervisor
In case of automation, validate data ows between
systems and IT controls over data ows
4 Reconciliation of
RBS data with
nancial reporting
and other regulatory
reports
Limited or no reconciliation of data with other
regulatory returns submitted over OSMOS and
non-DBS submissions
Map overlapping data requirements with existing
regulatory returns (OSMOS as well as non-DBS
returns)
Align sources of data for overlapping data
requirements
Create a reconciliation report for RBS and non-RBS
data submitted to supervisor
5 Automation of
data ows from
source systems
to supervisor and
integration with ADF
Multiple points of regulatory reporting including
source systems, reporting tools, spreadsheets and
other forms of semi-automatic data collation
RBS data is largely collected manually from source
systems
No integration between multiple systems providing
similar or overlapping data points
Extraction of all regulatory data requirements into
a single server/ staging area. All data requirements
to cover routine regulatory returns, DBS returns
including those on OSMOS, ADF requirements and
RBS requirements
Generate reports in the regulatory prescribed formats
through a reporting tool on the data-mart
Flexible reporting platform to accommodate future
data requirements/ changes in regulatory reports in a
cost effective manner
Initial supervisory focus is expected to be on the quality and consistency of data
provided. As the process for providing data stabilizes, regulatory focus will shift
towards analysing the inherent risk based on data provided. It is important for banks
to move quickly towards ensuring data consistency. It is also important for banks to
put in place internal systems to analyse inherent risk in a manner that is consistent
with the supervisory process.
10
SNo Imperative Current state of Indian banks Desired state
1 Compliance
framework and
compliance
testing unit
Fragmented compliance monitoring between business
units and central compliance teams
Compliance typically plays the role of an advisory
function
Lack of single repository of bank-wide compliances in
most banks
Central repository of all compliances updated
regularly
Compliance to play the role of advisory and
monitoring function
Formal compliance testing program to be put in
place which should be covered by a compliance
testing unit and concurrent auditors
Compliance self-assessments to be integrated with
risk-control self-assessment programs
2 Specialist reviews
for high-risk areas
and monitoring
regulatory
action plan
Limited use of specialists and targeted reviews
Regulatory action plans emerging from AFIs pending
for long periods of time
Limited use of formal process to determine high risk
areas based on macro or market trends
Integrate identication of high risk areas with internal
audit program and also based on macro and market
trends
Pre-thematic reviews for high risk areas like treasury,
risk management, KYC / AML, trade, remittances and
FEMA compliance
Formal program to centrally monitor implementation
of issues identied during regular audits and
pre-thematic reviews
3 Re-engineering
the internal
and concurrent
audit plans and
expectations
Internal and concurrent audit programs are typically
not comprehensive
Mapping of risk perception of supervisors and senior
management not aligned with internal/ concurrent
auditors
Aligning internal audit testing with Tranche III
requirements of the supervisor
Embedding the compliance and control review
elements within internal and concurrent audit plans.
Alignment of high risk areas with supervisory thought
process, management views and audits
4 Assurance over
efcacy of internal
and concurrent
audit
Lack of independent monitoring over concurrent
auditors
Concurrent audit programs not always comprehensive
Quality of concurrent audit not consistent
between banks
Annual evaluation of performance of concurrent
auditors
Independent compliance re-testing
5 Embedding
operational controls
in IT systems and as
part of audit testing
Operational risk controls may be automated or
manual depending on many factors typically the
quality of system implementation
Inadequate documentation of operational controls to
support automation
High cost of automation in certain cases leads to a
weak control environment
Monitoring automation index for operational
controls
Continuous identication of automation potential for
operational risk controls including compliance
related controls
Continuous updation program for operational risk
and risk control self-assessment templates
Operational risk controls to be covered by the
internal and concurrent audit
The onus of transactional and compliance testing is expected to move from the
supervisory staff to banks. It will become increasingly important for banks to
demonstrate the efcacy of internal control and internal audit processes to the
supervisor.
Control framework
Navigating the risk based supervision process 11
SNo Imperative Current state of Indian banks Desired state
1 ICAAP document
aligned with SREP
expectations
ICAAP is typically a theoretical document that
captures risks and mitigation plans only
Models for quantication of non-Pillar I risks may not
exist or may not be validated or accurate
Risk quantication and aggregation thought process
of bank not aligned with risk aggregation and
quantication process of the supervisor
ICAAP projections and actuals vary signicantly both
from an earnings and capital stand-point
ICAAP projections form the basis for business
planning, earnings and capital management
Risk quantication or scoring models for Pillar II risks
Regular validation of Pillar II risk models by external
auditors
Creation of risk aggregation and quantication model
and continuous tuning and calibration of parameters
to align with RBS thought process
2 Enterprise wide risk
quantication and
aggregation
Inadequate aggregation process/ methodology for
Pillar I and Pillar II risks
Most banks have not implemented enterprise-wise
risk aggregation
Enterprise-wide (including group entities) risk
aggregation and consequent capital allocation
3 Capital and liquidity
planning and
allocation including
contingency
planning
Separate contingency plans covering liquidity and
funding
Capital allocation across business units, products and
customer accounts not undertaken based on ROCE/
ROE which may lead to sub-optimal use of capital or
lower return on equity
Single integrated risk aggregation and capital
allocation model aligned with regulatory risk weights
Implementation of RAROCE as a measure to manage
capital allocation across business units
Integration of FTP mechanism with RAROCE models
Integrated contingency plans with integrated stress
testing framework
4 Ongoing
validation of risk
models to derive
assurance over risk
quantication
Risk models validated on an ad-hoc basis
Existing risk models not always validated or
back-tested
Internal and market data used in risk models which
forms the basis for quantication not always accurate
Integration of risk models and capital computation is
generally inadequate
Formal program for ongoing validation (annual or
more often) of all risk models including Pillar II risk
models
Formal program for data validation
Integration of risk aggregation and capital
computation systems
Supervisory focus is expected to increasingly move from Pillar I to Pillar II risks.
The use of risk models in business decision making, efcacy of risk models
and the impact of Pillar II risks on capital are expected to play a large role in
determining the probability of failure of the bank.
Risk management
12
SNo Imperative Current state of Indian banks Desired state
1 Multi-level
management
dashboard of risk,
data, indicators and
their interpretation
Fragmented data, business information and risk
indicators for management decision support
Limited use of high-performance data analytics to
support performance management
Risk indicators used by banks not aligned with
regulatory thought process
Implementation of 2-3 layered dashboard to
integrate senior management governance and
decision making with on-ground operations
Simultaneous view of risk and business (earnings and
growth) parameters
Alignment of data interpretation by senior
management and supervisor
2 Demonstrable use
of risk models in the
business decision
making process
Limited use of risk models in business decision making
except in case of ALM and credit risk
Lack of consistent interpretation of output from risk
models for business decision making
Output from risk models mapped with nancial
reporting parameters to trace back impact of risks to
nancial statements
Structured process of reporting on risk parameters as
part of internal management reporting
3 Quality of
governance and
oversight including
managing conicts
of interest
Governance framework typically aligned with
regulatory requirements
Conicts of interest typically arise with respect to
ring-fencing of data, localization of models and
segregation of duties
Demonstrating to the supervisor that conicts
of interest are avoided or managed within the
organization setup
4 Continuous
monitoring of
qualitative factors
and demonstrable
risk culture
Qualitative factors rarely considered for performance
management and risk evaluation
Alignment of qualitative factors with RBS
thought process
Embedding qualitative factors in people performance
management to create an inclusive and consistent
risk culture
5 Demonstrating
that capital after
projected growth
and earnings covers
enterprise-wide risk
Lack of accurate business and capital projections
including impact of BASEL 3 phase
ICAAP capital adequacy rarely assessed in addition to
Pillar I capital
Integrated capital adequacy assessment covering
Pillar I and Pillar II risks
Projected capital adequacy assessments covering
impact of risks (earnings at risk), projected growth
and earnings retention in a BASEL 3 environment
Draw up capital raising plans based on ICAAP
projections
Embedding risk indicators within the business processes of the bank is critical
for long-term sustainability of risk based supervision and integration of the SREP
and ICAAP process.
Governance and business application
Navigating the risk based supervision process 13
Approach towards
addressing the imperatives
Effective implementation of risk based supervision is
expected to be a long-drawn and continuous process
with improvements in various facets being brought
about gradually. RBS is also expected to touch upon
various functions within the bank. Accordingly, we
have developed a customized approach to enable a
non-disruptive and continuous improvement program.
The key features of the Deloitte approach include:
Immediate focus and attention to data to meet
regulatory needs
Continuous engagement with the bank to address
all facets of RBS over a period of time
Integrated approach covering both IT and
non-IT aspects
Focus on alignment of internal risk management
and capital adequacy process with RBS and SREP
thought process
Integrated approach towards risk management,
internal audit, thematic reviews and compliance with
a view to reduce probability of failure
Integrated approach towards risk and capital
management and business decision making
Focus on optimizing cost of governance and control
through a single-point integrated supervision and
surveillance approach.
14
Deloitte approach towards navigating RBS is depicted below:
S
t
e
p

1
S
t
e
p

4
S
t
e
p

2
S
t
e
p

5
S
t
e
p

3
S
t
e
p

6
1.1 3.1 5.1 2.1 4.1 6.1
1.2 3.2 5.2 2.2 4.2 6.2
1.3 3.3 5.3 2.3 4.3 6.3
1.4 3.4 5.4 2.4 4.4 6.4
1.5 3.5 5.5 2.5
RBS and internal
reporting data
dictionary
Data
management
and
integration
Risk and
capital
management
Integration
with
business
decision
making
Integrated
compliance,
audit and
operational
risk
management
assistance
Supplementing
supervisory
review, rating
and action
plans
Automation
Risk quantication
through models
and scorecards
Embedding risk
indicators in
performance
management
Integrated
compliance
framework and
testing
Risk assessment
based on macros
& market
conditions
Implementation
of integrated
data systems for
regulatory reporting
Data management
architecture
Risk aggregation
& integrated stress
testing
Integrated risk &
performance dash
boarding
Enhancing quality
and efcacy of
audit
Pre-thematic
reviews
Data analytics
Data mapping and
extraction
Internal
probability of
failure assessment
Risk adjusted fund
transfer pricing
Aligning internal
control framework
with supervisory
assessment
Post supervisory
reviews &
monitoring
Source system
data capture
enhancements
Data validation
and recon
framework
ICAAP and SREP
integration
RAROCE
framework
Optimizing cost of
compliance and
control
Validation of
risk and capital
computation
models
Source system
IT control
enhancements
Consolidated
regulatory
reporting
Capital planning
and projections
Capital allocation
models
Business and risk
indicators
Navigating the risk based supervision process 15
RBS readiness self-assessment
This section contains a self-assessment questionnaire
where can score your readiness for new supervisory
review process in the form of risk based supervision by
the regulator. Each option for a question represents a
score. The nal score can be obtained by aggregating
scores on individual questions.
Option which will most closely resemble your current situation Score
Question 1: What is the current state of RBS data collation?
RBS data is collated on an ad-hoc basis as and when required by the supervisor 0
Collection of RBS data is templatized. However, data denitions are not yet been validated with the supervisory relationship manager. 3
Consistent RBS data denitions and standardized collection templates in place. However, reconciliation not yet undertaken between
RBS data and other regulatory submissions
6
The bank has put in place an integrated data store which is leveraged to generate RBS reports, other regulatory reports and internal
risk management reports.
10
Your score for this question
Question 2: How is data quality ensured for RBS submissions?
No process currently in place to ensure quality of RBS submissions 0
Sense checks are performed on key gures prior to submission 3
Pre-submission audits are undertaken for RBS data 6
Systems support straight through data ow. One time validation of data ows and systems controls undertaken. 10
Your score for this question
Question 3: Does the current banks risk architecture support integrated compliance, risk and regulatory reporting?
Disparate systems and spreadsheets used for compliance, risk and regulatory reporting. 0
Centralized data store in place. Reports generated from a mix of source systems and a central data store. 3
Existing risk architecture facilitates single point of collation of risk, compliance and regulatory reporting data. Integrated risk
infrastructure is extensively leveraged for risk and regulatory compliances.
6
Bank has an integrated risk-return management infrastructure covering compliance monitoring, risk reporting, regulatory reporting,
capital computation, capital allocation and early warning risk indicators.
10
Your score for this question
Question 4: What is the degree of condence the bank can place on internal control and internal/ concurrent audit
processes to support risk based supervision?

Internal/ concurrent audit processes are focused on transaction testing 0
Internal/ concurrent audit processes are risk based with a view to evaluate coverage. However, actual execution of audits is
transaction based.
3
Internal/ concurrent audit processes also cover regulatory compliance assessment and leverage specialists where required 6
Internal/ concurrent audit processes are closely aligned with supervisory focus areas, compliance testing requirements and help create
a central testing repository that can leveraged across functions
10
Your score for this question
Question 5: Are the banks existing risk processes adequately geared towards identifying and evaluating systemic risk and the
impact of macro-economic factors?
Risk management processes are only focused on the banks portfolio 0
Scenarios used for stress testing cover potential adverse market conditions 3
The bank has put in place risk indicators to identify system risk and potential contagion 6
The bank has put in place an internal model to continuously identify probability of failure which incorporates systemic risk elements in
the evaluation
10
Your score for this question
16
Question 6: Are the banks internal risk management processes aligned with the risk based supervision approach
The banks internal risk management systems focus on Pillar 1 risks and their implications on regulatory capital. It is assumed that
excess capital is sufcient to cover Pillar 2 risks.
0
The bank has put in place qualitative assessment models for Pillar 2 risks in addition to a robust Pillar 1 risk assessment mechanism 3
Risk indicators have been identied by the bank that is consistent with the risk indicators evaluated by the supervisor. These are
regularly monitored.
6
The bank has put in place and adequately validated models to assess/ quantify Pillar 2 risks and the enterprise-wise impact of all risks
on the probability of failure of the bank
10
Your score for this question
Question 7: Is the capital planning process aligned with the supervisory view on probability of failure, impact of failure and
capital add-ons to manage potential failure?
Capital planning exercise is not undertaken or is undertaken on an ad-hoc basis 0
Capital planning exercise undertaken is largely theoretical and mainly used for the purpose of ICAAP documentation 3
Capital planning factors in both potential future business growth and impact of all risk quantication on projected capital adequacy 6
The bank performs an internal assessment of probability of failure and has a dynamic capital provisioning model in place to augment
capital on an ongoing basis
10
Your score for this question
Question 8: To what extent are risk processes integrated into business decision making?
Risk functions in isolation and is used largely as a post-facto assessment 0
Risk assessments and quantication are presented to business units and are considered for business decision making. However, a
structured and consistent process is not followed for integration of risk evaluations and business decisions.
3
Risk based pricing is adopted wherever feasible to ensure that risk is adequately priced in 6
Risk quantication forms the basis for capital allocation to business units and portfolios 10
Your score for this question
Question 9: Is the management oversight and decision making process adequately supported through the same data
used for risk based supervision?
Risk based supervision data is not presented to senior management to support decision making 0
Risk and business information presented to senior management is disparate from the risk based supervision data 3
Management dashboards are put in place for risk based supervision data and relevant risk indicators. However, these are not
integrated with business and nancial data.
6
Management dashboards provide simultaneous information on risk and business parameters. Risk parameters are consistent with the
supervisory view and assessment of risk
10
Your score for this question
Question 10: Can adequate supervisory comfort be derived from the governance and risk culture?
Corporate governance guidelines are not completely adhered to 0
Minimum guidelines are corporate governance issued by regulators are adhered to 3
Ability to demonstrate to the regulator that management is adequately involved in managing risks identied in the supervisory
process
6
Management performance and remuneration linked to risk adjusted returns and not just absolute returns 10
Your score for this question
Self-Assessment score /100
Navigating the risk based supervision process 17
About Deloitte
Deloitte is one of the worlds largest and most
diversied professional services organization, providing
assurance and advisory, tax, management consulting,
and enterprise risk management services with revenue
to the tune of $31.3 billion (FY12). In overall terms,
Deloitte member rms serve over 80% of Fortune Global
500 companies.
Deloittes headcount is in the region of 200,000 globally
and a presence in 153 countries. Our organization
includes the worlds largest private consultancy, and
a unique portfolio of competencies integrated in one
industry-leading organization.
We bring a unique combination of business, functional,
and technical knowledge that allow our clients to
better align their business objectives and strategies with
the need of todays competitive market. We serve Indian
business houses, multinational corporations and the
public sector and provide assistance to global
clients seeking to develop local businesses and expand
into emerging markets such as India. Our edge lies in
our ability to draw upon a well-equipped global
network and teaming this with customized services of a
local ofce.
Deloitte is the multi-
dimensional
professional services
organization with
integrated global
capabilities across
Consulting, Tax,
Enterprise Risk
Services and Financial
Advisory
Deloitte is the largest Management & Advisory
Consultancy in the world (includes S&O, HR, IT, Risk,
FA, Audit, and Tax advisory capabilities).
Deloitte is a leader in management consulting,
having extensive capabilities and depth in strategy,
OM and HR, as well as BAS and IT consulting.
Asia Pacic
113 ofces in 26 countries
Key Ofces: Pakistan,
Singapore, Thailand,
Vietnam, Indonesia
India
13 ofces
Key Ofces: Mumbai, Delhi,
Hyderabad, Bangalore
Africa & Middle East
46 ofces in 35 countries
Key Ofces: Johannesburg,
Cape Town, Kenya, Tel Aviv
South America
69 ofces in 28 countries
Key Ofces: Sao Paulo, Mexico
City, Buenos Aires, Santiago,
Caracas
North America
131 ofces 2 countries
Key Ofces: New York,
San Francisco, Los Angeles,
Denver, Toronto, Montreal
Europe
297 ofces in 47 countries
Key Ofces: London, Frankfurt,
Paris, Rome, Dusseldorf, Madrid,
Moscow, Prague
18
The Deloitte experience
Deloittes unique value proposition stems from the
diverse expertise and the advantages of having worked
with regulators across the world on the subject of
supervision. Above all is the relentless focus on project
execution, and of meeting, if not exceeding clients
expectations by delivering on all that is proposed and
promised. Our differentiators include:
Dedicated multi-locational Financial Services Team of over 700 professionals and
Subject matter specialists on governance, risk, compliance, IT systems and
supervision
Involved in multiple risk management, concurrent audit, ICAAP assessment, IT
transformations and capital management projects
Wide array of functional expertise and domain exposures in the eld of risk
management, concurrent audit, ICAAP assessment, IT transformations and capital
management.
Dominant risk management and advisory practice in India
Experience of having worked with multiple global regulatory bodies in designing
the supervision framework
Experience of having undertaken risk management transformation engagement for
the largest public sector, private sector and multi-national banks in India
Involvement of multidisciplinary teams on multifaceted projects
Utilization of our global experience and thorough understanding to deliver right
solutions to clients
Focus on working together with the banks team to meet the RBS imperatives
Focus on an integrated approach that covers supervision, compliance, audit and risk
management
Optimizing cost of compliance and control
Assistance throughout and across all aspects of the RBS journey
Our team
Our experience
and
specialization
Our Integrated
and inclusive
approach
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member rms,
each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of
Deloitte Touche Tohmatsu Limited and its member rms.
This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide
general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). None of DTTIPL, Deloitte Touche
Tohmatsu Limited, its member rms, or their related entities (collectively, the Deloitte Network) is, by means of this material, rendering
professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your
business. Before making any decision or taking any action that might affect your personal nances or business, you should consult a qualied
professional adviser.
No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material.
2014 Deloitte Touche Tohmatsu India Private Limited. Member of Deloitte Touche Tohmatsu Limited