Arion Bank faces various risks arising from its day-to-day operations as a financial institution. Managing risk and taking informed decisions is a crucial component of the Bank's activities and its responsibility towards society. Risk management is therefore a core activity within the Bank. The key to effective risk management is a process of ongoing identification of significant risk, quantification of risk exposure, action to limit risk and constant monitoring of risk.
The Board of Directors is ultimately responsible for the Bank’s risk management framework and ensuring that satisfactory risk policies and governance structure for controlling the Bank’s risk exposure are in place. Similarly, the risk management of subsidiaries is the responsibility of that subsidiary. For the parent company (the Bank) the Board sets the risk appetite, which is translated into exposure limits and targets monitored by the Bank’s Risk Management division.
The CEO is responsible for sustaining an effective risk management framework, processes and controls as well as maintaining a high level of risk awareness among the employees, making risk everyone’s business.
The Bank’s Risk Management division is headed by the Chief Risk Officer. It is independent and centralized and reports directly to the CEO. Further information on Risk Management.
The Bank operates several committees to manage risk. The Board Risk Committee (BRIC) is responsible for supervising the Bank’s risk management framework, risk appetite and internal capital adequacy assessment process (ICAAP) and internal liquidity adequacy assessment process (ILAAP). The Asset and Liability Committee (ALCO), chaired by the CEO or his deputy, is responsible for managing the asset-liability mismatch, liquidity risk, market risk and interest rate risk, market risk, interest rate risk and capital management. The Underwriting and Investment Committee (UIC) decides on underwriting and investments. The role of the Data Committee (DC) is to ensure the appropriate management of data. The Security Committee (SC) is responsible for security issues, both information security and physical security.
The Bank has four credit committees: The Board Credit Committee (BCC) which decides on all major credit risk exposures; the Arion Credit Committee (ACC) which operates within limits specified as a fraction of the Bank’s capital; the Corporate Credit Committee (CCC) and the Retail Branch Committee (RBC) which operate within tighter credit granting limits. There are also five valuation committees whose role is to establish criteria for estimating collateral and also to inspect valuations of securities owned by the Bank.
The most significant risks the Bank is exposed to are credit risk, including concentration risk, liquidity risk, indexation risk and interest rate risk. The Bank’s Pillar 3 Risk Disclosures 2017 report discusses risk factors and risk management in detail.
The Bank’s capital is intended to meet the risk of unexpected loss in its operations. The size of the Bank’s own funds should reflect the risk at any given time and any potential adverse future development. Risk on the Bank’s balance sheet is assessed by calculating risk-weighted assets (RWA). The Bank uses a standardized approach for calculating RWA which is generally designed to be more conservative than methods based on internal models. Capital is calculated in accordance with the Financial Undertakings Act No. 161/2002 and Regulations on Prudential Requirements for Financial Institutions No. 233/2017, under which the European Union’s capital requirement directives, CRD IV and CRR, both based on Basel III, are being implemented in Iceland. Provisions for lower capital requirements for SMEs were not, however, implemented in Iceland.
The Bank’s total own funds were ISK 184.0 billion at the end of 2017. Common equity Tier 1 capital (CET1) accounted for ISK 180.6 billion of this total. The total own funds were reduced by the foreseeable dividend distribution and purchase of own shares, which were authorized at a shareholders' meeting on 12 February 2018. The Bank’s risk-weighted assets amounted to ISK 766.8 billion at the end of 2017, increasing by ISK 21.1 billion over the year. Calculations of the Bank's capital adequacy are based on the Group’s consolidated situation according to prudential requirements and do not take into account subsidiaries in the insurance sector, to which special solvency requirements apply. The Bank’s average risk-weighting (RWA as a percentage of total assets) has decreased from 72% to 68% during the year which can partly be explained by the divestment of shareholdings, decreasing defaults and reassessment of the value of collateral.
The Bank’s capital ratio at the end of 2017 was 24.0% taking into account the foreseeable equity reduction.
In addition to measuring its capital requirement in accordance with the rules on prudential requirements, Pillar 1, the Bank also assesses its additional capital requirement by performing an Internal Capital Adequacy Assessment Process, ICAAP. ICAAP is designed to ensure that the Bank has in place sufficient risk management processes and systems to identify, manage and measure the Bank’s total risk exposure. ICAAP is designed to identify and measure the Group’s risk across all risk types, including those which are not provided for under Pillar 1, and to ensure that the Group has sufficient capital in accordance with its risk profile. The Financial Supervisory Authority (FME) supervises the Group, receives the Group’s internal estimate of capital adequacy and sets additional capital requirements for the Group as a whole following a Supervisory Review and Evaluation Process (SREP). The capital adequacy in respect of the FME's internal evaluation in addition to the mandatory 8% requirement under Pillar 1 is called an additional capital requirement under Pillar 2. The additional requirement under Pillar 2 at the end of 2016 was 3.4% of RWA and this figure is based on the Group consolidated situation which excludes subsidiaries in the insurance sector.
Under the Financial Undertakings Act No. 161/2002 the Bank must meet a combined capital buffer requirement, which is designed to ensure that the Bank maintains a minimum level of capital despite severe shocks. The FME has decided on the level of capital buffer in accordance with a proposal from the Financial Stability Council and it has defined Arion Bank as a systemically important financial institution in Iceland. The combined capital buffer requirement was 8.75% at the end of 2017. Effective capital requirements for systemic risk buffers and the countercyclical capital buffer are determined using the weighted average capital buffer in the countries where the Bank has exposure and risk-weighting is decided by the percentage of credit risk in RWA. The other capital buffers are the capital conservation buffer and the buffer for systemically important financial institutions. The combined effective capital buffer for the Bank was 8.4% at the end of the 2017.
The Group’s total own funds meet the total capital requirement in respect of Pillar 1, Pillar 2 and capital buffers. The total requirement is 19.8% of RWA and the total own funds are 24.0% of RWA. The Bank also sets an internal management buffer of 1.5% of RWA. The FME can also set a capital target (Pillar 2G) on top of Pillar 1, Pillar 2 and capital buffers on the basis of the results of stress tests.
Credit risk is defined as the current or prospective risk to earnings and capital arising from the failure of an obligor to discharge an obligation at the stipulated time or otherwise to perform as agreed. Loans to customers and credit institutions are by far the largest source of credit risk.
Mortgages are a core product for Arion Bank. The mortgage portfolio represented 39% of the total loan portfolio at the end of the year, up from 12% since the end of 2010. The key to the growth of the mortgage portfolio was the acquisition of a mortgage portfolio from Kaupthing in 2011 and the acquisition of retail loan portfolios, coupled with strong organic growth via new mortgage lending. The Bank has been at the forefront of innovation on the mortgage market, offering for example, non-indexed mortgages and digital solutions for mortgage financing. At the end of 2017 non-indexed mortgage loans represented 29% of the mortgage portfolio, the remainder being CPI-linked loans.
Strong and improving mortgage portfolio
The quality of the mortgage portfolio has been steadily improving with lower average loan-to-value and a reduction in default rates. The main reasons for lower default rate in recent years have been the improving economic climate and better loan collection rates.
At the end of 2017, 83% of the mortgages, by value, had loan-to-value below 80%, compared with 76% at the end of 2016. The great majority of mortgage property is located in the Greater Reykjavík area or 71% of the portfolio value.
Well diversified loan portfolio
Loans to customers are well diversified. Loans to individuals represent 48% of total loans to customers, of which 85% are due to mortgages. The corporate portfolio is mainly in three sectors: real estate and construction, fishing and fish processing and wholesale and retail trade, which represent 32%, 20% and 14% of the corporate portfolio respectively. Although sector diversification is good, some single name concentration remains.
Single name concentration
At the end of 2017 the Bank had no single exposure to a group of related parties that exceeded 10% of the Bank's eligible capital (so-called large exposures), the same as at the end of 2016. As seen in the following diagram, the sum of large exposures has fallen sharply since 2011 when it was 87% of eligible capital. The sum of related exposures, excluding loans to financial institutions, exceeding 2.5% of own funds has increased from the previous year – was 125% at the end of 2017, compared with 92% at the end of 2016.
Collateral coverage of loans to customers
Mortgages over residential properties and charges over commercial real estates are the most common types of collateral obtained by the Bank, representing 79% of total collateral. Fishing vessels and other fixed and current assets, such as cash and securities, are also used to secure loans. The Bank places emphasis on collateral maintenance, valuation and central storage of collateral information. At the end of 2017 loans to customers (gross value ISK 765,101 million) are secured by collateral valued at ISK 630,500 million, giving a collateral coverage ratio of 85%, but as shown in the following diagram this ratio varies between different sectors.
Loan book quality is steadily improving
The Bank defines Problem loans as loans that are more than 90 days past due and loans that are past due but individually impaired. The ratio of problem loans has steadily decreased since its peak in 2010 mostly due to the progress made in problem loan restructuring and the resolution of the legal uncertainty surrounding FX loans. Approximately 65% of problem loans are 90 days past due but are not impaired due to sufficient collateral.
Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, human and system error, or from external events that affect the Bank's operations. Reputational risk, IT risk and legal risk are considered subcategories of operational risk.
Each business unit within the Bank is responsible for taking and managing its own operational risk. The Bank’s Operational Risk department is responsible for developing and maintaining tools for identifying, measuring, monitoring and controlling operational risk .
The primary tools used by the Bank to analyze and measure operational risk are:
- Business process management (BPM)
- Risk and control self-assessment
- Internal controls
- Loss data
- Change management
The Bank’s main tasks are mapped with processes which describe the key actions, controls and division of responsibility. Controls are defined to meet the risks estimated to be present in each process. Regular assessments are made of the main risks in the Bank’s processes and the quality of the controls being used.
Employees must report any deviations in operations. Deviations refer to things that go wrong during operations and which are connected to services to customers, the products offered by the Bank, how we perform our tasks or our business practices. Deviations can cause the Bank direct financial damage (loss data) but may also cause indirect damage or damage the Bank's reputation. Information on deviations is used to assess the Bank’s additional capital requirement for operational risk and as a basis for taking corrective action.
*From 2016 the parent company has adopted the approach of estimating the loss of reported events when the final results are not known. Among the incidents that are subject to this change are three incidents of alleged internal fraud that were investigated in 2016. One of these incidents is alleged to have occurred in an entity that merged with the parent company in the year of 2015.
Information from the risk assessment and loss data is used to make operational improvements which fit the Bank’s risk guidelines. The Operational Risk department follows up on the planned actions.
The Bank uses the standardized approach to calculate the capital requirement for operational risk. The capital requirement for operational risk in 2017 was ISK 6,881 million.
Market risk is the risk that price changes and interest rate changes will affect the value and cash flow from the Bank’s financial instruments and have a negative effect the Bank's earnings and capital. The main types of market risk are interest rate risk, equity price risk and foreign exchange risk.
Interest rate risk is primarily related to the fact that in part of the balance sheet there is a mismatch between interest-bearing assets and liabilities and a gap in interest-fixing periods. The majority of risk stems from the portfolio of CPI-indexed mortgages at fixed interest which were originally issued between 2004 and 2006. The risk is largely hedged because the portfolio is partly funded by structured covered bonds at fixed interest. The Bank has reduced this risk by issuing new covered bonds and by offering its customers loans with variable interest rates.
Interest rates have changed in Iceland recently, as both nominal interest rates and real interest rates have decreased. Due to favourable refinancing terms, prepayments and refinancing of loans by customers of the Bank have been substantial. The Bank’s prepayment risk is mitigated by prepayment fees and its own prepayment options for a proportion of the Bank's borrowings. The Bank’s prepayment of structured covered bonds over the last couple of years are a response to prepayments of mortgages. The Bank faces the risk that interest expenses on the Bank’s liabilities at fixed interest rates remain unchanged, while interest income from loans to customers decreases owing to falling base interest rates. The Bank’s calculations of interest rate sensitivity take prepayment risk into account.
The Bank has managed to substantially reduce equity price risk through a structured sale timetable in the last few years. At the beginning of 2016 the Bank’s holding in Bakkavör Group Ltd. was sold, bringing the Bank’s position in associate companies to a negligible level. The Bank’s position in other listed equity has also decreased significantly in recent years following further asset divestment.
The position in equities in the proprietary trading book and in respect of securities margin lending decreased last year. Risk Management closely monitors the associated risk and ensures that positions are kept within limits and that collateral is in place.
Foreign exchange risk is the risk that movements in the exchange rate of the Icelandic króna could have a negative impact on the Bank's earnings. The Group’s currency imbalance at the end of 2017 was ISK 0.2 billion and it has steadily decreased in recent years. The Bank uses derivatives to hedge against foreign exchange risk.
The net position of the Bank’s indexed assets and liabilities at the end of 2017 was ISK 133 billion, an increase of ISK 27 billion from the previous year. The increase is explained by the higher growth of indexed loans compared with indexed liabilities.
Liquidity risk is defined as the risk that the Group, though solvent, either does not have sufficient financial resources available to meet its liabilities when they fall due or can secure them only at excessive cost.
The Bank also carries out an Internal Liquidity Adequacy Assessment Process, or ILAAP. This process is designed to ensure that the Bank has sufficient liquidity and that appropriate plans, policies, methods and systems are in place to analyze, manage and monitor liquidity risk.
The FME and the Central Bank of Iceland monitor the Bank’s compliance with requirements and obligations in respect of liquidity risk.
Liquidity and liquidity risk are discussed in more detail here.