Supervisory Review: CAIIB Paper 2 (Module D), Unit 4

Dear Bankers,
We all know that CAIIB exams are conducted by the Indian Institute of Banking and Finance (IIBF). CAIIB is said to be one of the more difficult courses for bankers to clear. But we assure you that with the help of our “CAIIB study material”, you will definitely clear the CAIIB exam.
CAIIB exams are conducted twice a year. Candidates should have completed JAIIB before appearing for the CAIIB Exam. Here, we will provide detailed notes of every unit of the CAIIB Exam on the latest pattern of IIBF.
So, here we are providing “Unit 4: Supervisory Review” of “Module D: Balance Sheet Management” from “Paper 2: Bank Financial Management (BFM)”.


The Capital Adequacy Framework has three components or three Pillars. The Pillar 1 is the Minimum Capital Ratio while the Pillar 2 and Pillar 3 are the Supervisory Review Process (SRP) and Market Discipline, respectively.

The objective of the SRP is to ensure that the banks have adequate capital to support all the risks in their business as also to encourage them to develop and use better risk management techniques for monitoring and managing their risks.

The main aspects to be addressed under the SRP, and therefore, under the Internal Capital Adequacy Assessment Process (ICAAP), would include:

  • The risks that are not fully captured by the minimum capital ratio prescribed under Pillar 1
  • The risks that are not at all taken into account by the Pillar 1
  • The factors external to the bank

Since the capital adequacy ratio prescribed by the RBI under the Pillar 1 of the Framework is only the regulatory minimum level, addressing only the three specified risks (viz., credit, market and operational risks), holding additional capital might be necessary for the banks, on account of (a) the possibility of some underestimation of risks under the Pillar 1 and (b) the actual risk exposure of a bank vis-a-vis the quality of its risk management architecture. Illustratively, some of the risks that the banks are generally exposed to, but which are not captured or not fully captured in the regulatory CRAR would include:

  • Interest rate risk in the banking book, which is part of market risk.
  • Credit concentration risk, which is normally part of credit risk.
  • Liquidity risk, for convenience sake included as part of market risk.
  • Settlement risk, which is also called counter-party risk and is part of credit risk.
  • Reputational risk, which is equivalent to operational risk.
  • Strategic risk, which is equivalent to operational risk.
  • Risk of under-estimation of credit risk under the Standardised approach – Credit risk.
  • “Model risk” i.e., the risk of under-estimation of credit risk under the IRB approaches – Credit risk.
  • Risk of weakness in the credit-risk mitigants – Credit risk.
  • Residual risk of securitisation, etc. – can be part of Credit and Market risk.

Pillar 2 – Supervisory Review Process

Guidelines for the SRP of the RBI and the ICAAP of the Banks

While the Basel-I framework was confined to the prescription of only minimum capital requirements for banks, the Basel-II framework expanded this approach not only to capture certain additional risks in the minimum capital ratio, but also to include two additional areas – the Supervisory Review Process and Market Discipline through increased disclosure requirements for banks. The Basel III framework has also maintained the same approach. Thus, the Basel Capital Adequacy Framework rests on the following three mutually-reinforcing pillars:

  • Pillar 1: Minimum Capital Requirements – which prescribes a risk-sensitive calculation of capital requirements that, for the first time, explicitly includes operational risk in addition to market and credit risk.
  • Pillar 2: Supervisory Review Process (SRP) – which envisages the establishment of suitable risk management systems in banks and their review by the supervisory authority.
  • Pillar 3: Market Discipline – which seeks to achieve increased transparency through expanded disclosure requirements for banks.

The Basel Committee has also laid down the following four key principles in regard to the SRP envisaged under Pillar 2:

  • Principle 1: Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.
  • Principle 2: Supervisors should review and evaluate the banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with the regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.
  • Principle 3: Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require the banks to hold capital in excess of the minimum.
  • Principle 4: Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.

Banks’ Responsibilities

  • Banks should have in place a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels (Principle 1)
  • Banks should operate above the minimum regulatory capital ratios (Principle 3)

Supervisors’ Responsibilities

  • Supervisors should review and evaluate a bank’s ICAAP. (Principle 2)
  • Supervisors should take appropriate action if they are not satisfied with the results of this process. (Principle 2)
  • Supervisors should review and evaluate a bank’s compliance with the regulatory capital ratios. (Principle 2)
  • Supervisors should have the ability to require banks to hold capital in excess of the minimum. (Principle 3)
  • Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels. (Principle 4)
  • Supervisors should require rapid remedial action if capital is not maintained or restored. (Principle 4)

Thus, the ICAAP and SRP are the two important components of Pillar 2 and could be broadly defined as follows:

The ICAAP comprises a bank’s procedures and measures designed to ensure the following:

  • An appropriate identification and measurement of risks
  • An appropriate level of internal capital in relation to the bank’s risk profile
  • Application and further development of suitable risk management systems in the bank

The SRP consists of a review and evaluation process adopted by the supervisor, which covers all the processes and measures defined in the principles listed above. Essentially, these include the review and evaluation of the bank’s ICAAP, conducting an independent assessment of the bank’s risk profile, and if necessary, taking appropriate prudential measures and other supervisory actions.

The Structural Aspects of the ICAAP

The broad parameters of the ICAAP that the banks are required to comply with in designing and implementing their ICAAP are:

  • Every bank to have an ICAAP: The ICAAP should be prepared, on a solo basis, at every tier for each banking entity within the banking group, as also at the level of the consolidated bank (i.e., a group of entities where the licensed bank is the controlling entity).

ICAAP to encompass firm wide risk profile:

(i) General firm-wide risk management principles: Senior management should understand the importance of taking an integrated, firm-wide perspective of a bank’s risk exposure, in order to support its ability to identify and react to emerging and growing risks in a timely and effective manner. The purpose of this guidance is the need to enhance firm-wide oversight, risk management and controls around banks’ capital markets activities, including securitisation, off-balance sheet exposures, structured credit and complex trading activities.

A sound risk management system should have the following key features:

  • Active board and senior management oversight;
  • Appropriate policies, procedures and limits;
  • Comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks;
  • Appropriate management information systems (MIS) at the business and firm-wide level; and
  • Comprehensive internal controls.

(ii) Board and Senior Management Oversight: The ultimate responsibility for designing and implementation of the ICAAP lies with the bank’s board of directors. The structure, design and contents of a bank’s ICAAP should be approved by the board of directors to ensure that the ICAAP forms an integral part of the management process and decision making culture of the bank. Since a sound risk management process provides the basis for ensuring that a bank maintains adequate capital, the board of directors of a bank shall:

  • set the tolerance level for risk
  • ensure that the senior management of the bank:
      • establishes a risk framework in order to assess and appropriately manage the various risk exposures of the bank
      • develops a system to monitor the bank’s risk exposures and to relate them to the bank’s capital and reserve funds
      • establishes a method to monitor the bank’s compliance with internal policies, particularly in regard to risk management and effectively communicates all relevant policies and procedures throughout the bank
  • adopt and support strong internal controls
  • ensure that the bank has appropriate written policies and procedures in place
  • ensure that the bank has an appropriate strategic plan in place, which, as a minimum, shall duly outline
      • the bank’s current and future capital needs
      • the bank’s anticipated capital expenditure
      • the bank’s desired level of capital

(iii) Policies, procedures, limits and controls: The structure, design and contents of a bank’s ICAAP should be approved by the Board of Directors to ensure that the ICAAP forms an integral part of the management process and decision making culture of the bank.

A bank’s policies, procedures and limits should:

  • Provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks posed by its lending, investing, trading, securitisation, off-balance sheet, fiduciary and other significant activities at the business line and firm-wide levels;
  • Ensure that the economic substance of a bank’s risk exposures, including reputational risk and valuation uncertainty, are fully recognised and incorporated into the bank’s risk management processes;
  • Be consistent with the bank’s stated goals and objectives, as well as its overall financial strength;
  • Clearly delineate accountability and lines of authority across the bank’s various business activities, and ensure there is a clear separation between business lines and the risk function;
  • Escalate and address breaches of internal position limits;
  • Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the bank is able to manage and control the activity prior to it being initiated; and
  • Include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate.

(iv) Identifying, measuring, monitoring and reporting of risk: A bank’s MIS should provide the board and senior management in a clear and concise manner with timely and relevant information concerning their institutions’ risk profile.

To enable proactive management of risk, the board and senior management need to ensure that MIS is capable of providing regular, accurate and timely information on the bank’s aggregate risk profile, as well as the main assumptions used for risk aggregation.

(v) Internal controls: Risk management processes should be frequently monitored and tested by independent control areas and internal, as well as external, auditors. The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception-based reporting, is undertaken effectively. The risk management function of banks must be independent of the business lines in order to ensure an adequate separation of duties and to avoid conflicts of interest.

(vi) Submission of the outcome of the ICAAP to the Board and the RBI: As the ICAAP is an ongoing process, a written record on the outcome of the ICAAP should be periodically submitted by banks to their board of directors. Based on the outcome of the ICAAP as submitted to and approved by the Board, the ICAAP Document should be submitted to RBI in the prescribed format.

Review of the ICAAP Outcomes: The board of directors shall, at least once a year, assess and document whether the processes relating to the ICAAP implemented by the bank successfully achieve the objectives envisaged by the board. In the light of such an assessment, appropriate changes in the ICAAP should be instituted to ensure that underlying objectives are effectively achieved.

ICAAP to be an Integral part of the management and decision-making culture: This integration could range from using the ICAAP to internally allocate capital to various business units, to having it play a role in the individual credit decision process and pricing of products or more general business decisions such as expansion plans and budgets.

The Principle of Proportionality: The implementation of ICAAP should be guided by the principle of proportionality. Though the banks are encouraged to migrate to and adopt progressively sophisticated approaches in designing their ICAAP, the RBI would expect the degree of sophistication adopted in the ICAAP in regard to risk measurement and management to be commensurate with the nature, scope, scale and the degree of complexity in the bank’s business operations.

In relation to a bank that defines its activities and risk management practices as simple, in carrying out its ICAAP, that bank could:

  (a) Identify and consider that bank’s largest losses over the last 3-5 years and whether those losses are likely to recur;
  (b) Prepare a short list of the most significant risks to which that bank is exposed;
  (c) Consider how that bank would act, and the amount of capital that would be absorbed in the event that each of the risks identified were to materialize;
  (d) Consider how that bank’s capital requirement might alter under the scenarios in (c) and how its capital requirement might alter in line with its business plans for the next 3 to 5 years;
  (e) Document the ranges of capital required in the scenarios identified above and form an overall view on the amount and quality of capital which that bank should hold, ensuring that its senior management is involved in arriving at that view.

In relation to a bank that defines its activities and risk management practices as moderately complex, in carrying out its ICAAP, that bank could:

  (a) having consulted the operational management in each major business line, prepare a comprehensive list of the major risks to which the business is exposed;
  (b) estimate, with the aid of historical data, where available, the range and distribution of possible losses which might arise from each of those risks and consider using shock stress tests to provide risk estimates;
  (c) consider the extent to which that bank’s capital requirement adequately captures the risks identified in (a) and (b);
  (d) for areas in which the capital requirements are either inadequate or do not address a risk, estimate the additional capital needed to protect that bank and its customers, in addition to any other risk mitigation action that the bank plans to take;
  (e) consider the risk that the bank’s own analyses of capital adequacy may be inaccurate and that it may suffer from management weaknesses, which affect the effectiveness of its risk management and mitigation;
  (f) project that bank’s business activities forward in detail for one year and in less detail for the next 3-5 years, and estimate how that bank’s capital and capital requirement would alter, assuming that business develops as expected;
  (g) assume that business does not develop as expected and consider how that bank’s capital and capital requirement would alter and what that bank’s reaction to a range of adverse economic scenarios might be;
  (h) document the results obtained from the analyses in (b), (d), (f), and (g) above in a detailed report for that bank’s top management/board of directors, and
  (i) ensure that systems and processes are in place to review the accuracy of the estimates made in (b), (d), (f) and (g) (i.e., systems for back testing) vis-à-vis the performance/actual.

Regular Independent review and validation

The ICAAP should be subject to regular and independent review through an internal or external audit process, to ensure that the ICAAP is comprehensive and proportionate to the nature, scope, scale and level of complexity of the bank’s activities so that it accurately reflects the major sources of risk that the bank is exposed to. As a minimum, a bank shall conduct periodic reviews of its risk management processes, which should ensure:

  • The integrity, accuracy and reasonableness of the processes
  • the appropriateness of the bank’s capital assessment process based on the nature, scope, scale and complexity of the bank’s activities
  • the timely identification of any concentration risk
  • the accuracy and completeness of any data inputs into the bank’s capital assessment process
  • the reasonableness and validity of any assumptions and scenarios used in the capital assessment process
  • that the bank conducts appropriate stress testing.

ICAAP to Be A Forward-Looking Process

The ICAAP should be forward looking in nature, and thus, should take into account the expected/estimated future developments such as strategic plans, macro economic factors, etc., including the likely future constraints in the availability and use of capital. As a minimum, the management of a bank shall develop and maintain an appropriate strategy that would ensure that the bank maintains adequate capital commensurate with the nature, scope, scale, complexity and risks inherent in the bank’s on-balance-sheet and off-balance-sheet activities, and should demonstrate as to how the strategy dovetails with the macro-economic factors.

Thus, the banks shall have an explicit, Board-approved capital plan which should spell out the institution’s objectives in regard to level of capital, the time horizon for achieving those objectives, and in broad terms, the capital planning process and the allocated responsibilities for that process. The plan shall outline:

  • The bank’s capital needs
  • The bank’s anticipated capital utilisation
  • The bank’s desired level of capital
  • limits related to capital
  • a general contingency plan for dealing with divergences and unexpected events.

ICAAP to be a Risk-based Process

The adequacy of a bank’s capital is a function of its risk profile. Banks shall, therefore set their capital targets, which are consistent with their risk profile and operating environment. At a minimum, a bank shall have in place a sound ICAAP, which shall include all material risk exposures incurred by the bank. There are some types of risks (such as reputation risk and strategic risk) which are less readily quantifiable; for such risks, the focus of the ICAAP should be more on qualitative assessment, risk management and mitigation than on quantification of such risks.

ICAAP to Include Stress Tests and Scenario Analyses

As part of the ICAAP, the management of a bank shall, as a minimum, conduct relevant stress tests periodically, particularly in respect of the bank’s material risk exposures, in order to evaluate the potential vulnerability of the bank to some unlikely but plausible events or movements in the market conditions that could have an adverse impact on the bank. The use of stress testing framework can provide a bank’s management a better understanding of the bank’s likely exposure in extreme circumstances.

Select Operational Aspects of the ICAAP

This Section outlines in somewhat greater detail the scope of the risk universe that is expected to be normally captured by the banks in their ICAAP.

Identifying and Measuring Material Risks in ICAAP: The first objective of an ICAAP is to identify all material risks, such as Credit risk, Market risk, Operational risk, Interest rate risk in the banking book (IRRBB), Credit concentration risk, Liquidity risk. Risks that can be reliably measured and quantified should be treated as rigorously as possible with the support of data and methods. The appropriate means and methods to measure and quantify those material risks are likely to vary across banks.

Quantitative and Qualitative Approaches in ICAAP

  • All measurements of risk should incorporate both quantitative and qualitative elements, but to the extent possible, a quantitative approach should form the foundation of a bank’s measurement framework. In general, an increase in uncertainty related to modelling and business complexity should result in a larger capital cushion.
  • Quantitative approaches that focus on most likely outcomes for budgeting, forecasting, or performance measurement purposes may not be fully applicable for capital adequacy because the ICAAP should also take less likely events into account.

Risk Aggregation and Diversification Effects: An effective ICAAP should assess the risks across the entire bank. A bank choosing to conduct risk aggregation among various risk types or business lines should understand the challenges in such aggregation.

What is an ICAAP document?

The ICAAP Document would be a comprehensive paper furnishing detailed information on the ongoing assessment of the bank’s entire spectrum of risks, how the bank intends to mitigate those risks and how much current and future capital is necessary for the bank, reckoning other mitigating factors. The purpose of the ICAAP document is to apprise the Board of the bank on these aspects as also to explain to the RBI the bank’s internal capital adequacy assessment process and the banks’ approach to capital management. The ICAAP could also be based on the existing internal documentation of the bank.

ICAAP Document should contain the following sections:

  • Executive Summary
  • Background
  • Summary of current and projected financial and capital positions
  • Capital Adequacy
  • Firm-wide risk oversight and specific aspects of risk management
  • Key sensitivities and future scenarios
  • Aggregation and diversification
  • Testing and adoption of the ICAAP
  • Use of the ICAAP within the bank

Executive Summary

The purpose of the Executive Summary is to present an overview of the ICAAP methodology and results. This overview would typically include:

(a) the purpose of the report and the regulated entities within a banking group that are covered by the ICAAP;

(b) the main findings of the ICAAP analysis:

  • how much and what composition of internal capital the bank considers it should hold as compared with the minimum CRAR requirement (CRAR) under ‘Pillar 1’ calculation, and
  • the adequacy of the bank’s risk management processes;

(c) a summary of the financial position of the bank, including the strategic position of the bank, its balance sheet strength, and future profitability;

(d) brief descriptions of the capital raising and dividend plan including how the bank intends to manage its capital in the days ahead and for what purposes;

(e) commentary on the most material risks to which the bank is exposed, why the level of risk is considered acceptable or, if it is not, what mitigating actions are planned;

(f) commentary on major issues where further analysis and decisions are required; and

(g) who has carried out the assessment, how it has been challenged/validated/stress tested, and who has approved it.


Background

This section would cover the relevant organisational and historical financial data for the bank, e.g., group structure (legal and operational), operating profit, profit before tax, profit after tax, dividends, shareholders’ funds, capital funds held vis-à-vis the regulatory requirements, customer deposits, deposits by banks, total assets, and any conclusions that can be drawn from trends in the data which may have implications for the bank’s future.

Summary of current and projected financial and capital positions

This section would explain the present financial position of the bank and expected changes to the current business profile, the environment in which it expects to operate, its projected business plans (by appropriate lines of business), projected financial position, and future planned sources of capital.

The starting balance sheet used as reference and date as of which the assessment is carried out should be indicated.

Capital Adequacy

This section might start with a description of the bank’s risk appetite, in quantitative terms, as approved by the bank’s Board and used in the ICAAP. It would be necessary to clearly spell out in the document whether what is being presented represents the bank’s view of the amount of capital required to meet minimum regulatory needs or whether it represents the amount of capital that a bank believes it would need to meet its business plans.


  • The effective date of the ICAAP calculations together with details of any events between this date and the date of submission to the Board/RBI which would materially impact the ICAAP calculations together with their effects; and
  • Details of, and rationale for, the time period selected for which capital requirement has been assessed.

Risks Analysed

An identification of the major risks faced by the bank in each of the following categories:

(a) credit risk

(b) market risk

(c) operational risk

(d) liquidity risk

(e) concentration risk

(f) interest rate risk in the banking book

(g) residual risk of securitisation

(h) strategic risk

(i) business risk

(j) reputation risk

(k) pension obligation risk

(l) other residual risk; and

(m) any other risks that might have been identified

for each of these risks, an explanation of how the risk has been assessed and to the extent possible, the quantitative results of that assessment;

Capital Transferability

In case of banks with conglomerate structure, details of any restrictions on the management’s ability to transfer capital into or out of the banking business(es) arising from, for example, contractual, commercial, regulatory or statutory constraints that apply, should be furnished. Any restrictions applicable and flexibilities available for distribution of dividend by the entities in the Group could also be enumerated. In case of overseas banking subsidiaries of the banks, the regulatory restrictions would include the minimum regulatory capital level acceptable to the host-country regulator of the subsidiary, after declaration of dividend.

Firm-wide risk oversight and specific aspects of risk management

V.1 Risk Management System in the bank

This section would describe the risk management infrastructure within the bank along the following lines:

  • The oversight of board and senior management
  • Policies, Procedures and Limits
  • identification, measurement, mitigation, controlling and reporting of risks
  • MIS at the firm wide level
  • Internal controls

V.2 Off-balance Sheet Exposures with a focus on Securitisation

V.3 Assessment of Reputational Risk and Implicit Support

V.4 Assessment of valuation and Liquidity Risk

V.5 Stress Testing practices

V.6 Sound compensation practices

Key sensitivities and future scenarios

Aggregation and Diversification

This section would describe how the results of the various separate risk assessments are brought together and an overall view taken on capital adequacy. At a technical level, this would, therefore, require some method to be used to combine the various risks using some appropriate quantitative techniques. At the broader level, the overall reasonableness of the detailed quantification approaches might be compared with the results of an analysis of capital planning and a view taken by senior management as to the overall level of capital that is considered appropriate.

In enumerating the process of technical aggregation, the following aspects could be covered:

  • any allowance made for diversification, including any assumed correlations within risks and between risks and how such correlations have been assessed, including in stressed conditions;
  • The justification for any credit taken for diversification benefits between legal entities, and the justification for the free movement of capital, if any assumed, between them in times of financial stress;

Testing and Adoption of the ICAAP

This section would describe the extent of challenging and testing that the ICAAP has been subjected to. It would thus include the testing and control processes applied to the ICAAP models and calculations. It should also describe the process of review of the test results by the senior management or the Board and the approval of the results by them. A copy of any relevant report placed before the senior management or the Board of the bank in this regard, along with their response, could be attached to the ICAAP Document sent to the RBI.

Use of the ICAAP within the bank

This section would contain information to demonstrate the extent to which the concept of capital management is embedded within the bank, including the extent and use of capital modelling or scenario analyses and stress testing within the bank’s capital management policy. For instance, use of ICAAP in setting pricing and charges and the level and nature of future business, could be an indicator in this regard.
