Principles for the Management of Credit Risk

Principles for the Management of Credit Risk

I. Introduction

1. While financial institutions have faced difficulties over the years for a multitude of reasons, the major cause of serious banking problems continues to be directly related to lax credit standards for borrowers and counterparties, poor portfolio risk management, or a lack of attention to changes in economic or other circumstances that can lead to a deterioration in the credit standing of a bank’s counterparties. This experience is common in both G-10 and non-G-10 countries.

2. Credit risk is most simply defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms. The goal of credit risk management is to maximise a bank’s risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banks

should also consider the relationships between credit risk and other risks. The effective management of credit risk is a critical component of a comprehensive approach to risk management and essential to the long-term success of any banking organisation.

3. For most banks, loans are the largest and most obvious source of credit risk; however, other sources of credit risk exist throughout the activities of a bank, including in the banking book and in the trading book, and both on and off the balance sheet. Banks are increasingly facing credit risk (or counterparty risk) in various financial instruments other than loans, including acceptances, interbank transactions, trade financing, foreign exchange transactions, financial futures, swaps, bonds, equities, options, and in the extension of commitments and guarantees, and the settlement of transactions.

4. Since exposure to credit risk continues to be the leading source of problems in banks world-wide, banks and their supervisors should be able to draw useful lessons from past experiences. Banks should now have a keen awareness of the need to identify, measure, monitor and control credit risk as well as to determine that they hold adequate capital against these risks and that they are adequately compensated for risks incurred. The Basel Committee is issuing this document in order to encourage banking supervisors globally to promote sound practices for managing credit risk. Although the principles contained in this paper are clearly applicable to the business of lending, they should be applied to all activities wherecredit risk is present.

5. The sound practices set out in this document specifically address the following areas: (i) establishing an appropriate credit risk environment; (ii) operating under a sound creditgranting process; (iii) maintaining an appropriate credit administration, measurement and monitoring process; and (iv) ensuring adequate controls over credit risk. Although specific credit risk management practices may differ among banks depending upon the nature and complexity of their credit activities, a comprehensive credit risk management program will address these four areas. These practices should also be applied in conjunction with sound practices related to the assessment of asset quality, the adequacy of provisions and reserves, and the disclosure of credit risk, all of which have been addressed in other recent Basel Committee documents.1

6. While the exact approach chosen by individual supervisors will depend on a host of factors, including their on-site and off-site supervisory techniques and the degree to which external auditors are also used in the supervisory function, all members of the Basel Committee agree that the principles set out in this paper should be used in evaluating a bank’s credit risk management system. Supervisory expectations for the credit risk management approach used by individual banks should be commensurate with the scope and sophistication of the bank’s activities. For smaller or less sophisticated banks, supervisors need to determine that the credit risk management approach used is sufficient for their activities and that they have instilled sufficient risk-return discipline in their credit risk management processes. The Committee stipulates in Sections II to VI of the paper, principles for banking supervisory authorities to apply in assessing bank’s credit risk management systems. In addition, the appendix provides an overview of credit problems commonly seen by supervisors.

7. A further particular instance of credit risk relates to the process of settling financial transactions. If one side of a transaction is settled but the other fails, a loss may be incurred that is equal to the principal amount of the transaction. Even if one party is simply late in settling, then the other party may incur a loss relating to missed investment opportunities. Settlement risk (i.e. the risk that the completion or settlement of a financial transaction will

fail to take place as expected) thus includes elements of liquidity, market, operational and

1 See in particular Sound Practices for Loan Accounting and Disclosure (July 1999) and Best Practices for Credit Risk

Disclosure (September 2000).

reputational risk as well as credit risk. The level of risk is determined by the particular arrangements for settlement. Factors in such arrangements that have a bearing on credit risk include: the timing of the exchange of value; payment/settlement finality; and the role of intermediaries and clearing houses.2

8. This paper was originally published for consultation in July 1999. The Committee is grateful to the central banks, supervisory authorities, banking associations, and institutions that provided comments. These comments have informed the production of this final version of the paper.

2 See in particular Supervisory Guidance for Managing Settlment Risk in Foreign Exchange Transactions (September

2000), in which the annotated bibliography (annex 3) provides a list of publications related to various settlement risks.

Principles for the Assessment of Banks’ Management of Credit Risk

A. Establishing an appropriate credit risk environment

Principle 1: The board of directors should have responsibility for approving and

periodically (at least annually) reviewing the credit risk strategy and significant credit

risk policies of the bank. The strategy should reflect the bank’s tolerance for risk and

the level of profitability the bank expects to achieve for incurring various credit risks.

Principle 2: Senior management should have responsibility for implementing the credit

risk strategy approved by the board of directors and for developing policies and

procedures for identifying, measuring, monitoring and controlling credit risk. Such

policies and procedures should address credit risk in all of the bank’s activities and at

both the individual credit and portfolio levels.

Principle 3: Banks should identify and manage credit risk inherent in all products and

activities. Banks should ensure that the risks of products and activities new to them are

subject to adequate risk management procedures and controls before being introduced

or undertaken, and approved in advance by the board of directors or its appropriate

committee.

B. Operating under a sound credit granting process

Principle 4: Banks must operate within sound, well-defined credit-granting criteria.

These criteria should include a clear indication of the bank’s target market and a

thorough understanding of the borrower or counterparty, as well as the purpose and

structure of the credit, and its source of repayment.

Principle 5: Banks should establish overall credit limits at the level of individual

borrowers and counterparties, and groups of connected counterparties that aggregate in

a comparable and meaningful manner different types of exposures, both in the banking

and trading book and on and off the balance sheet.

Principle 6: Banks should have a clearly-established process in place for approving new

credits as well as the amendment, renewal and re-financing of existing credits.

Principle 7: All extensions of credit must be made on an arm’s-length basis. In

particular, credits to related companies and individuals must be authorised on an

exception basis, monitored with particular care and other appropriate steps taken to

control or mitigate the risks of non-arm’s length lending.

C. Maintaining an appropriate credit administration, measurement and

monitoring process

Principle 8: Banks should have in place a system for the ongoing administration of their

various credit risk-bearing portfolios.

Principle 9: Banks must have in place a system for monitoring the condition of

individual credits, including determining the adequacy of provisions and reserves.

Principle 10: Banks are encouraged to develop and utilise an internal risk rating system

in managing credit risk. The rating system should be consistent with the nature, size and

complexity of a bank’s activities.

Principle 11: Banks must have information systems and analytical techniques that

enable management to measure the credit risk inherent in all on- and off-balance sheet

activities. The management information system should provide adequate information on

the composition of the credit portfolio, including identification of any concentrations of

risk.

Principle 12: Banks must have in place a system for monitoring the overall composition

and quality of the credit portfolio.

Principle 13: Banks should take into consideration potential future changes in economic

conditions when assessing individual credits and their credit portfolios, and should

assess their credit risk exposures under stressful conditions.

D. Ensuring adequate controls over credit risk

Principle 14: Banks must establish a system of independent, ongoing assessment of the

bank’s credit risk management processes and the results of such reviews should be

communicated directly to the board of directors and senior management.

Principle 15: Banks must ensure that the credit-granting function is being properly

managed and that credit exposures are within levels consistent with prudential

standards and internal limits. Banks should establish and enforce internal controls and

other practices to ensure that exceptions to policies, procedures and limits are reported

in a timely manner to the appropriate level of management for action.

Principle 16: Banks must have a system in place for early remedial action on

deteriorating credits, managing problem credits and similar workout situations.

E. The role of supervisors

Principle 17: Supervisors should require that banks have an effective system in place to

identify, measure, monitor and control credit risk as part of an overall approach to risk

management. Supervisors should conduct an independent evaluation of a bank’s

strategies, policies, procedures and practices related to the granting of credit and the

ongoing management of the portfolio. Supervisors should consider setting prudential

limits to restrict bank exposures to single borrowers or groups of connected

counterparties.

II. Establishing an Appropriate Credit Risk Environment

Principle 1: The board of directors should have responsibility for approving and

periodically (at least annually) reviewing the credit risk strategy and significant credit

risk policies of the bank. The strategy should reflect the bank’s tolerance for risk and

the level of profitability the bank expects to achieve for incurring various credit risks.

9. As with all other areas of a bank’s activities, the board of directors3 has a critical role

to play in overseeing the credit-granting and credit risk management functions of the bank.

3 This paper refers to a management structure composed of a board of directors and senior management. The Committee is

aware that there are significant differences in legislative and regulatory frameworks across countries as regards the

functions of the board of directors and senior management. In some countries, the board has the main, if not exclusive,

function of supervising the executive body (senior management, general management) so as to ensure that the latter

fulfils its tasks. For this reason, in some cases, it is known as a supervisory board. This means that the board has no

executive functions. In other countries, by contrast, the board has a broader competence in that it lays down the general

framework for the management of the bank. Owing to these differences, the notions of the board of directors and senior

management are used in this paper not to identify legal constructs but rather to label two decision-making functions

within a bank.

Each bank should develop a credit risk strategy or plan that establishes the objectives guiding

the bank’s credit-granting activities and adopt the necessary policies and procedures for

conducting such activities. The credit risk strategy, as well as significant credit risk policies,

should be approved and periodically (at least annually) reviewed by the board of directors.

The board needs to recognise that the strategy and policies must cover the many activities of

the bank in which credit exposure is a significant risk.

10. The strategy should include a statement of the bank’s willingness to grant credit

based on exposure type (for example, commercial, consumer, real estate), economic sector,

geographical location, currency, maturity and anticipated profitability. This might also include

the identification of target markets and the overall characteristics that the bank would want to

achieve in its credit portfolio (including levels of diversification and concentration

tolerances).

11. The credit risk strategy should give recognition to the goals of credit quality,

earnings and growth. Every bank, regardless of size, is in business to be profitable and,

consequently, must determine the acceptable risk/reward trade-off for its activities, factoring

in the cost of capital. A bank’s board of directors should approve the bank’s strategy for

selecting risks and maximising profits. The board should periodically review the financial

results of the bank and, based on these results, determine if changes need to be made to the

strategy. The board must also determine that the bank’s capital level is adequate for the risks

assumed throughout the entire organisation.

12. The credit risk strategy of any bank should provide continuity in approach.

Therefore, the strategy will need to take into account the cyclical aspects of any economy and

the resulting shifts in the composition and quality of the overall credit portfolio. Although the

strategy should be periodically assessed and amended, it should be viable in the long-run and

through various economic cycles.

13. The credit risk strategy and policies should be effectively communicated throughout

the banking organisation. All relevant personnel should clearly understand the bank’s

approach to granting and managing credit and should be held accountable for complying with

established policies and procedures.

14. The board should ensure that senior management is fully capable of managing the

credit activities conducted by the bank and that such activities are done within the risk

strategy, policies and tolerances approved by the board. The board should also regularly (i.e.

at least annually), either within the credit risk strategy or within a statement of credit policy,

approve the bank’s overall credit granting criteria (including general terms and conditions). In

addition, it should approve the manner in which the bank will organise its credit-granting

functions, including independent review of the credit granting and management function and

the overall portfolio.

15. While members of the board of directors, particularly outside directors, can be

important sources of new business for the bank, once a potential credit is introduced, the

bank’s established processes should determine how much and at what terms credit is granted.

In order to avoid conflicts of interest, it is important that board members not override the

credit-granting and monitoring processes of the bank.

16. The board of directors should ensure that the bank’s remuneration policies do not

contradict its credit risk strategy. Remuneration policies that reward unacceptable behaviour

such as generating short-term profits while deviating from credit policies or exceeding

established limits, weaken the bank’s credit processes.

Principle 2: Senior management should have responsibility for implementing the credit

risk strategy approved by the board of directors and for developing policies and

procedures for identifying, measuring, monitoring and controlling credit risk. Such

policies and procedures should address credit risk in all of the bank’s activities and at

both the individual credit and portfolio levels.

17. Senior management of a bank is responsible for implementing the credit risk strategy

approved by the board of directors. This includes ensuring that the bank’s credit-granting

activities conform to the established strategy, that written procedures are developed and

implemented, and that loan approval and review responsibilities are clearly and properly

assigned. Senior management must also ensure that there is a periodic independent internal

assessment of the bank’s credit-granting and management functions.4

18. A cornerstone of safe and sound banking is the design and implementation of written

policies and procedures related to identifying, measuring, monitoring and controlling credit

risk. Credit policies establish the framework for lending and guide the credit-granting

activities of the bank. Credit policies should address such topics as target markets, portfolio

mix, price and non-price terms, the structure of limits, approval authorities, exception

procesing/reporting, etc. Such policies should be clearly defined, consistent with prudent

banking practices and relevant regulatory requirements, and adequate for the nature and

4 This may be difficult for very small banks; however, there should be adequate checks and balances in place to promote

sound credit decisions.

complexity of the bank’s activities. The policies should be designed and implemented within

the context of internal and external factors such as the bank’s market position, trade area, staff

capabilities and technology. Policies and procedures that are properly developed and

implemented enable the bank to: (i) maintain sound credit-granting standards; (ii) monitor and

control credit risk; (iii) properly evaluate new business opportunities; and (iv) identify and

administer problem credits.

19. As discussed further in paragraphs 30 and 37 through 41 below, banks should

develop and implement policies and procedures to ensure that the credit portfolio is

adequately diversified given the bank’s target markets and overall credit strategy. In

particular, such policies should establish targets for portfolio mix as well as set exposure

limits on single counterparties and groups of connected counterparties, particular industries or

economic sectors, geographic regions and specific products. Banks should ensure that their

own internal exposure limits comply with any prudential limits or restrictions set by the

banking supervisors.

20. In order to be effective, credit policies must be communicated throughout the

organisation, implemented through appropriate procedures, monitored and periodically

revised to take into account changing internal and external circumstances. They should be

applied, where appropriate, on a consolidated bank basis and at the level of individual

affiliates. In addition, the policies should address equally the important functions of reviewing

credits on an individual basis and ensuring appropriate diversification at the portfolio level.

21. When banks engage in granting credit internationally, they undertake, in addition to

standard credit risk, risk associated with conditions in the home country of a foreign borrower

or counterparty. Country or sovereign risk encompasses the entire spectrum of risks arising

from the economic, political and social environments of a foreign country that may have

potential consequences for foreigners’ debt and equity investments in that country. Transfer

risk focuses more specifically on a borrower’s capacity to obtain the foreign exchange

necessary to service its cross-border debt and other contractual obligations. In all instances of

international transactions, banks need to understand the globalisation of financial markets and

the potential for spillover effects from one country to another or contagion effects for an

entire region.

22. Banks that engage in granting credit internationally must therefore have adequate

policies and procedures for identifying, measuring, monitoring and controlling country risk

and transfer risk in their international lending and investment activities. The monitoring of

country risk factors should incorporate (i) the potential default of foreign private sector

counterparties arising from country-specific economic factors and (ii) the enforceability of

loan agreements and the timing and ability to realise collateral under the national legal

framework. This function is often the responsibility of a specialist team familiar with the

particular issues.

Principle 3: Banks should identify and manage credit risk inherent in all products and

activities. Banks should ensure that the risks of products and activities new to them are

subject to adequate risk management procedures and controls before being introduced

or undertaken, and approved in advance by the board of directors or its appropriate

committee.

23. The basis for an effective credit risk management process is the identification and

analysis of existing and potential risks inherent in any product or activity. Consequently, it is

important that banks identify all credit risk inherent in the products they offer and the

activities in which they engage. Such identification stems from a careful review of the

existing and potential credit risk characteristics of the product or activity.

24. Banks must develop a clear understanding of the credit risks involved in more

complex credit-granting activities (for example, loans to certain industry sectors, asset

securitisation, customer-written options, credit derivatives, credit-linked notes). This is

particularly important because the credit risk involved, while not new to banking, may be less

obvious and require more analysis than the risk of more traditional credit-granting activities.

Although more complex credit-granting activities may require tailored procedures and

controls, the basic principles of credit risk management will still apply.

25. New ventures require significant planning and careful oversight to ensure the risks

are appropriately identified and managed. Banks should ensure that the risks of new products

and activities are subject to adequate procedures and controls before being introduced or

undertaken. Any major new activity should be approved in advance by the board of directors

or its appropriate delegated committee.

26. It is critical that senior management determine that the staff involved in any activity

where there is borrower or counterparty credit risk, whether established or new, basic or more