An evolving risk environment
The Kingdom’s banking and financial services industry continued on the path of recovery from pandemic-driven effects in 2021. Changes to the KSA banking sector’s operating environment continued to dominate risk agendas along with emerging global developments disrupting legacy banking operating models.
Top risks across the sector in 2021 apart from those inherent in financial intermediation were digitalisation and its resulting requirement for re-skilled or up-skilled employees; disruptive competition from fintechs and new entrants; evolving demographics; increased regulations specifically around consumer protection and privacy laws; cybersecurity threats and increasing consumer and regulatory focus on sustainability.
A sound risk management framework
Compliance with all regulations of the Saudi Central Bank (SAMA) remains a core tenet of Al Rajhi Bank’s risk management framework. SAMA is recognised for its strong and sound implementation of prudential regulation and standards in promoting a world-class risk management environment within the Kingdom, and continues to introduce regulatory reforms to address the fast-paced industry-transforming changes resulting from technological advancements and the current operational environment.
In line with SAMA regulations, ARB has a sound risk management framework with guidance from the Board of Directors for identifying, assessing, measuring, mitigating, monitoring and reporting risks, enabling such risks to be proactively and prudently managed.
The primary objectives of the ARB Risk Group are to:
- Operationalise the Bank’s risk management policies by establishing required systems, processes, and procedures
- Assist in decisions relating to accepting, transferring, mitigating and minimising risks and recommending ways of doing so
- Evaluate the risk profile against the approved risk appetite on an on-going basis
- Estimate potential losses that could arise from risk exposures assumed
- Periodically conduct stress testing in accordance with regulatory requirements
- Ensure that the Bank holds sufficient buffers of capital and liquidity to meet unexpected losses and honour contractual obligations
- Integrate the Bank’s risk management practice with strategy development and execution
- Institutionalise a strong risk culture within the Bank including conduct risk enforcement
Types of risk
Conventionally the Bank is exposed to a number of risks, which it manages through its robust risk management framework. Various other external and internal factors also affect the Bank’s risk profile on an ongoing basis, with the Risk Group identifying emerging risks and uncertainties with potential to increase the unpredictability of the operating environment. Aside from the conventional risks, IT security and cybercrime became the top concerns of the Risk Group during the year under review.
Credit risk remains the largest and most common risk for the Bank and the Group. Credit facilities provided to customers, cash and deposits held with other banks and off-balance sheet financial instruments such as guarantees relating to purchase and sale of foreign currencies or letters of credit, all represent sources of credit risk, with counterparties failing to meet contractual obligations to the Bank.
During the year under review, the Bank continued to mitigate credit risk to ensure it maintained a robust loan and investment portfolio through a number of remedial measures; these included evaluating customer credit worthiness using quantitative and qualitative criteria, periodic loan reviews using Early-Warning modelling that enables detection of weaknesses in the quality of corporate client portfolios, automation to streamline processes and impose effective control via a decision engine to name a few.
The Risk Group also conducted risk assessments for all systems controls to ensure the Bank was in no violation of consumer lending guidelines. The Loan Origination System (LOS) was revamped and enhanced during the year under review with new features that improved overall user experience and leveraged system capabilities. Application and Behaviour Score benchmarks were enhanced. Relationship Teams and a Special Assets Management Unit also supported the Risk Group in mitigating credit risks during 2021.
The Bank’s Treasury has been proactive in managing daily and intra-daily liquidity during the year under review. This along with support from Corporate Banking has made cash flow forecasting a smooth process, which was further supported by a series of system developments.
Despite the sizable growth of the balance sheet and assets in 2021, the Risk Group successfully managed the Bank’s liquidity, profit-rate risk and capital regulatory ratios while maintaining healthy profitability margins. The optimisation of cost of funds as well as yield earned have been key in the Bank’s prudent management of assets. The year under review saw ARB’s management of liquidity become more dynamic, sophisticated and tailored to support the Bank’s planned asset growth. Ensuring the efficiency of the funding mix has been a special consideration in relation to the adequacy of liquidity management.
The Bank diversified its sources of funding during 2021 to further mitigate risk; Treasury introduced two new Sharia-complaint funding solutions in the form of Structured Deposits and Funding Swaps, with a number of new sources scheduled to be explored in 2022.
The Group witnessed a shift in the Bank’s funding profile in 2021 towards wholesale funding such as Term Deposits to support mortgage growth, a largely untapped segment of market borrowings that will be leveraged for the Bank’s advantage. ARB also started consciously optimising its liquidity ratio management during the year under review, and intends to continue the same next year.
In 2021, The Board of Directors approved the Bank’s existing enterprise Operational Risk Management Policy with no significant changes to ensure that an adequate control environment exists across its businesses and functions to maintain an acceptable level of residual risk for the year under review. The policy encompasses the implementation of operational risk tools designed to reduce or mitigate the failure of people, processes, systems and associated operational incidents and losses.
With underlying economic factors such as interest rates, fluctuations in mutual fund products, and especially foreign exchange rates continuing to pose a risk to earnings, the Bank focused on diversifying its investments in terms of duration, credit rating as well as geographical distribution, to be less impacted by and reactive to sudden market disruptions. In 2021, the Bank’s key challenge was to reduce its Foreign Exchange Net Open Position (FX NoP), particularly for USD. The year under review saw a 1.5-fold reduction of the Bank’s FX NoP, and an impressive 5.5-fold reduction of the Treasury FX NoP achieved by entering currency swaps as well as initiating outright positions on our own book for notional investments.
The Bank’s geographical diversity and the loyal patronage of its varied customer base – which spans industries, countries, and wallet-size – mitigates concentration risk by providing greater stability in the face of external impacts. The Bank faced no major concentration risks during the year under review.
The Risk Group initiated a number of major developments to mitigate cybersecurity risk during the year under review by rolling out the ARB Information Security Management (ISM) programme. Maintaining complete compliance with SAMA as well as the National Cybersecurity Authority (NCA), the ISM programme adheres to globally adopted standards and systems for cybersecurity management such as ISO 27001, the Payment Card Industry Data Security Standard (PCI-DSS) and electronic interbank fund transfer systems such as SWIFT and SARIE.
During the year under review, the ISM programme developed and introduced strategies, policies and internal controls to further enhance the efficiency, confidentiality and integrity of the Bank’s IT operations and monitoring capabilities, strengthening the confidence of customers and regulators on the quality of ARB’s cybersecurity, as well as its ability to manage confidential data and IT assets. The ISM programme has enabled the Risk Group to govern the Bank’s cybersecurity infrastructure, and scale and enforce security measures across the Bank’s growing operating verticals.
Risk management practices
The Risk Group is headed by the Chief Risk Officer, and functions within the Bank’s risk framework and policies approved by the Board of Directors to manage risk across the entirety of the Bank’s operations. The Group’s reports to the Board and related committees span credit risks and portfolio asset quality, operational risks, liquidity risks, market risks, reputational risks, technology and cybersecurity risks among others. The Risk Group continued to establish risk thresholds derived from the Bank’s risk appetite, accurately identifying risks and their impact on the Bank’s value creation process, and managing such risks with prudence and pragmatism in order to remain profitable and provide shareholders with sustainable returns.
Al Rajhi’s Board Risk Management Committee (BRMC) supports the Board of Directors in their role of overseeing the Bank’s performance in line with its risk appetite. The BRMC Charter was updated to comply with SAMA’s new Corporate Governance regulations during the year under review.
The Bank’s risk management framework is covered by the Bank’s Internal Capital Adequacy Assessment Process (ICAAP), and details the Bank’s risk appetite, risk management approach and primary risk controls. The ICAAP is submitted to SAMA on an annual basis following its review by the BRMC and approval by the Board. The BRMC then reviews and provides recommendations to the Board on the Internal Liquidity Adequacy Assessment Plan (ILAAP), which is also submitted to SAMA on an annual basis. The BRMC also reviews the Credit and Provisioning Policy, Operational Risk Policies, Risk Appetite Statements, Market and Liquidity Risk Policies and Information Security Policy of the Bank, submitting recommendations for the Board’s approval.
The Asset and Liability Committee (ALCO) evolved from its role as a delegate to the Board of Directors that identifies, measures and manages the Bank’s liquidity risks, into a steering committee for the Primary Dealership Committee (PDC) and Valuation Accounting Committee (VALCOM) in 2021. In its new role, ALCO will provide oversight on related activities, decisions and recommendations of PDC/VALCOM.
Al Rajhi has strengthened its reputation over the years by receiving stable to positive credit ratings from international rating agencies despite challenging economic and geopolitical environments. The credit ratings for the year under review:
|Upgraded in 2021
|Upgraded in 2021
|Upgraded in 2021
|Upgraded in 2022
Following the pervasive technological advances that powered past the pandemic-driven macroeconomic shocks of 2021, banks will continue to encounter widening and deepening regulations, giving added importance to the Bank’s Risk Group, governance and risk management functions. The Bank will continue to closely monitor its portfolios, especially those under the SAMA Payment Deferment Programme, while recalibrating its underlying policies, frameworks and tools in its effort to meet shareholder expectations.
For the coming year, focus will be on the Fundamental Review of the Trading Book (FRTB), The Basel Committee’s market risk framework, where the Bank will run its revisions in parallel with a target for the revised framework to go live in 2023. Since the Treasury Group initiated positions on derivatives and structured products, ensuring market, static and valuation data would be critical for assessment of the Bank’s capital reserves on a forward basis.
With a clear shift towards Non-Salary Transfers (NST), a market trend that is heavily dependent on consumer behaviour, the Bank will be observant of frequent changes in regulations, especially with regard to consumer lending guidelines and provisioning in 2022.
From social engineering attacks that manipulate people to give up confidential information, to ransomware attacks where the threat of publishing or blocking personal data is held against a ransom demand, cybersecurity threats will continue to grow in the coming year. The Bank will continue to proactively enhance the ARB Information Security Management programme against emerging threats in 2022 to ensure cybersecurity risks are mitigated.
Furthermore, the Bank will invest in advancing its Enterprise Operational Risk Management system in the coming year, optimising its effectiveness to ensure the Bank maintains adequate Governance, Oversight and Reporting benchmarks in risk management, most specifically in compliance with SAMA’s recently introduced guidelines on the ‘Calculation of Capital and Operational Risk’.
The Bank’s underlying policies and procedures will continue to be updated annually to bolster the risk management function, as per best practices as well as to ensure compliance with internal and regulatory policies.