Going into 2022, Al Rajhi Bank Risk Group’s primary focus was on the Fundamental Review of the Trading Book (FRTB), the Basel Committee’s market risk framework, where the Bank ran its revisions with a target for the revised framework to go live in 2023. The reporting period saw the Group implemented the Basel III reforms, which had been formulated in the wake of the 2008 financial crisis to enhance prudential regulatory standards, supervision and risk management of banks.
This implementation cut across three streams, namely Credit, Market and Operational Risk, and the Bank conducted gap analyses taking into account the regulatory guidelines, data requirements and system implementations including methodology validation.
The overall risk management framework was largely unaffected by these enhancements, though certain new policy and procedure changes around ”Trading Book” portfolio classification are expected to come into effect in January 2023. These include clear demarcation between Trading and Banking book boundaries. The Bank also introduced a separate Trading Book policy during the year under review as required by regulation with similar revisions to its Market Risk policy.
Types of risk
The Bank is exposed to a number of risks conventionally, which it manages through its robust risk management framework. Various other external and internal factors also affect the Bank’s risk profile on an ongoing basis, with the Risk Group identifying emerging risks and uncertainties with potential to increase the unpredictability of the operating environment. Aside from the conventional risks, IT security and cybercrime became the top concerns of the Risk Group during the year under review.
Top 10 Risk Ranked using Dimensional Scorecard
Being primarily a Retail bank with credit facilities provided to customers on-balance sheet and off-balance sheet, credit risk remained the largest and most common risk source for the Bank. However, given the solid nature of Al Rajhi Bank’s portfolio, which has a bigger concentration of Public Sector customers with salary assignment, the credit risk also remained lowest among its peers during the reporting period.
Due to the potential a retail portfolio comprising a large number of individual customers with small loans has to hurt the Bank when in collective default, Al Rajhi Bank continued to conduct regular data integrity and portfolio monitoring, providing fair evaluation of the individual borrower, and analysing their financial standing which reflects their capacity to repay the Bank.
A change in the Retail portfolio mix initiated in December 2021 saw a shift toward big-ticket loans such as mortgages, which posed a higher risk concentration per customer. Regular portfolio monitoring was conducted to build feedback loops and aid the Retail business and Risk Group to implement effective mitigants and controls to minimise impacts.
This also led to a re-evaluation of the Bank’s target markets, with the Risk Group shifting focus from high-risk segments where defaults and delinquency rates are higher than the Bank’s risk appetite, and redirected the focus towards low risk segments by targeting the higher income, salary aligned segment with stable employers.
The business verticals along with Risk and Compliance Groups worked together throughout the reporting period to ensure prompt compliance of all new and altered regulations and governing rules during the year.
Accelerated digital banking posed credit risk from a customer acquisition perspective during the reporting period, which the Bank addressed by adopting a phased approach to manage the credit risk at origination level, and ensure compliance based on the approved risk acceptance criteria. Stakeholders were consulted in the conceptualisation and implementation of the digitisation process.
For the growing Corporate Business, Al Rajhi Bank’s Loan Origination System (LOS) was revamped to automate the evaluation of customer credit worthiness using unique quantitative and qualitative criteria, and alerting the Bank of any changes in the counterparty’s credit risk profile. An Early Warning Signals (EWS) model geared to detect any weaknesses in the quality of portfolios was utilised to enable the Bank to proactively engage appropriate remedial measures through relationship teams or the Special Assets Management Unit to rectify any credit risk issues.
These actions resulted in a reduction in non-performing loans (NPL) of the non-Retail portfolio by over 20%. Regular monitoring of portfolios to determine delinquencies also helped Corporate Banking reduce the number of past due obligations and Expired Credit Applications (CA) well below expected risk appetite thresholds.
Different strategies were executed to ensure lower inflows going to late buckets, and address issues related to systems and logics to assess genuine defaults and find solutions. The bank also introduced a full ecosystem to manage any potential default in the Retail book, supported by a newly established Task Force to oversee all related legal cases.
2022 saw a significantly reduced error rate and improved turnaround time through continued automation as well as policy and control function enhancements. With all credit decisions that will be executed via the Bank’s credit decision engine, the error rate is expected to be further reduced towards an ambitious zero error rate once the phased implementation is completed by 2023.
During the year under review, the Risk Group proactively managed its liquidity risk by constantly monitoring liquidity ratios vis-à-vis Liquidity Coverage Ratio (LCR), Net Stable Funding Ratio (NSFR), Liquid-Asset-Ratio (LAR) and Loan-to-Deposit Ratio (LDR). Through continuous monitoring, the Bank ensured that these ratios were comfortably maintained above regulatory minimum with a healthy buffer. While these liquidity indicators are continuously monitored by Treasury and Risk Groups within the Bank, they are also reported to the Asset-Liability Committee (ALCO) and Board Committees on a regular basis.
An increased volume of term deposits, call account deposits and Tier 1 Sukuk issuances in 2022 improved the funding diversification of the Bank during the year to further mitigate risk. The Bank also continued to consciously optimise its liquidity ratio management during the reporting period, a process that has been ongoing for the past two years.
The Bank’s Operational Risk Management Policy underwent a comprehensive update in 2022 to adhere to the new Basel and SAMA requirements, alongside the automation of a number of operational risk tools and activities with its upgraded Enterprise Operational Risk Management System. These included the automation of Risk Control Self Assessment (RCSA), reporting and monitoring of Key Risk Indicators (KRI), incident logging and Root Cause Analysis (RCA), action plans logging and monitoring, risk register maintenance as well as risk reporting, maintaining the Bank’s benchmarks while in compliance with SAMA requirements.
The Bank also revamped the end-to-end process of its new products and services development framework, enhancing request forms to capture essential requirements, and strengthening stakeholder involvement by ensuring that key control and support functions are engaged. The approval process of the new products and services development framework was automated using the Jira platform.
During the year under review, given the natural growth of the Bank’s asset portfolio, there was increased reliance to fund the Bank’s balance sheet growth from Term Deposits, given the insufficient incremental growth of Demand Deposits for the same. Despite liquidity and funding pressures witnessed in a market environment of interest rate hikes in 2022, the Bank successfully grew its asset book with corresponding positive growth in its bottom-line.
The Bank’s geographical diversity and the loyal patronage of its varied customer base mitigates concentration risk by providing greater stability in the face of external impacts. For the year under review, Corporate Banking enjoyed the advantage of a well-diversified portfolio across different business segments, industries and wallet sizes, despite rising interest rates that may have impacted customer debt servicing capabilities. The Bank reviewed certain predefined financial parameters across its entire portfolio in order to assess rate hike impacts, and adopted a detailed action plan to resolve such a situation.
The Retail portfolio, too, remained highly diversified. The bank proactively created an ecosystem to support low-income segments whose disposable income may be affected by higher inflation, providing multiple options especially across its growing mortgage portfolio, which the Risk Group continued to monitor closely.
With the fast-paced adoption of digitalization, the threat of cybersecurity risk is growing spurred by an expanding landscape. The Bank currently employs multiple dynamic defences via a number of countermeasures for prevention, detection, and response in an effort to proactively address the current cybersecurity challenges. In order to ensure the efficiency of the Bank’s overall cybersecurity posture, the Bank has also implemented a number of security measures using the defence-in-depth and multilayer security principles. By applying the best cybersecurity standards recommended by the national cybersecurity and financial sector regulators, the Bank has reinforced its current cybersecurity governance procedures and ensured the confidentiality, integrity, privacy, and availability of all business and technological processes. The Bank continuously improves its cybersecurity culture by implementing a variety of training and awareness initiatives that are directed at both customers and employees. To ensure that all of its business services are trustworthy and secure, the Bank continuously conducts cybersecurity assurance assessments on its systems, apps, and networks. Additionally, the Bank regularly engages its recognized vendors in independent internal and external audits to confirm the efficiency of installed cybersecurity controls and compliance with national and international standards including the Payment Card Industry Data Security Standard (PCI DSS), SAMA, SWIFT, SARIE, and the Saudi National Cybersecurity Authority (NCA). The Bank has a Security Operation Center that is operational around-the-clock, 365 days a year, continuously monitoring and promptly addressing cybersecurity threats and attacks. The Bank has shown resilience against cyberattacks as a result of the implementation of cybersecurity measures, with no cybersecurity-related outage or operational impact thus far.
Apart from the conventional risks inherent in financial intermediation, a number of emerging risks were identified during the reporting period based on internal assessments and external market trends.
|Emerging Risk type
|Cyber Risk and Financial Crime
| Business digitalization risk
and change management
Risk management practices
The Risk Group is headed by the Chief Risk Officer, and functions within the Bank’s risk framework and policies approved by the Board of Directors to manage risk across the entirety of the Bank’s operations. The Group’s reports to the Board and related committees span credit risks and portfolio asset quality, operational risks, liquidity risks, market risks, reputational risks, technology and cybersecurity risks among others.
In 2022, the Risk Group continued to establish risk thresholds derived from the Bank’s risk appetite, accurately identifying risks and their impact on the Bank’s value creation process, and managing such risks with prudence and pragmatism in order to remain profitable and provide shareholders with sustainable returns.
Al Rajhi Bank’s Board Risk Management Committee (BRMC) supports the Board of Directors in their role of overseeing the Bank’s performance in line with its risk appetite. The BRMC Charter was updated to comply with SAMA’s new Corporate Governance regulations during the year under review.
The Bank’s risk management framework is covered by the Bank’s Internal Capital Adequacy Assessment Process (ICAAP), and details the Bank’s risk appetite, risk management approach and primary risk controls. The ICAAP is submitted to SAMA on an annual basis following its review by the BRMC and approval by the Board. The BRMC then reviews and provides recommendations to the Board on the Internal Liquidity Adequacy Assessment Plan (ILAAP), which is also submitted to SAMA on an annual basis. The BRMC also reviews the Credit and Provisioning Policy, Operational Risk Policies, Risk Appetite Statements, Market and Liquidity Risk Policies and Information Security Policy of the Bank, submitting recommendations for the Board’s approval.
The Asset and Liability Committee (ALCO) evolved from its role as a delegate to the Board of Directors that identifies, measures and manages the Bank’s liquidity risks, into a steering committee for the Primary Dealership Committee (PDC) and Valuation Accounting Committee (VALCOM) during the previous reporting year, and ALCO continues to provide oversight on related activities, decisions and recommendations of PDC/VALCOM in its new role.
Al Rajhi Bank continued to strengthen its repute among international rating agencies by receiving stable to positive credit ratings for the year under review:
|Rating (Long Term)
In light of recent growth and diversification in the Bank’s Treasury portfolio, some of the risk management initiatives in 2023 will focus on developing a robust framework for measuring, monitoring and reporting the Standardised Approach for Counterparty Credit Risk (SA-CCR) and Credit Valuation Adjustment (CVA) risk.
In the coming year, the Bank will take a closer look at its pricing and valuation models that impact the risk sensitivities, and in-turn the capital charge. Enhancements will be undertaken to ensure the desired changes for regulatory and MIS reporting.
In 2023, the Bank will also work towards developing a Recovery and Resolution plan in line with the Systemically Important Financial Institutions (SIFIs) Law issued in the region.