14 August 2012

BaFin: The success story of the Minimum Requirements for Risk Management

One of the success stories in banking supervision is the development of the Minimum Requirements for Risk Management. They form a comprehensive framework for banks' own internal risk management that extends across different types of risk and attaches importance to the quality of risk management.

One of the major triggers for the development of the MaRisk in 2005 was the Basel Committee on Banking Supervision’s new framework for the capital adequacy of banks, which is generally referred to as “Basel II”. In addition to the quantitative rules governing capital adequacy (Pillar I), Basel II also includes a more quality-based Supervisory Review Process (Pillar II), which was also incorporated in the EU Banking Directive. Under Pillar II, institutions must establish appropriate management, monitoring and control processes (“robust governance arrangements”) as well as strategies and processes that ensure that all material risks are covered by internal capital (Internal Capital Adequacy Assessment Process – ICAAP). The quality of these processes is to be assessed at regular intervals by the supervisory authority under the Supervisory Review Process. Since then, these principles have been reflected in section 25a (1) of the German Banking Act (Kreditwesengesetz – KWG) and also in the MaRisk, which interpret the statutory standards.

The supervisory authority has succeeded in developing the MaRisk into a compact yet comprehensive framework. BaFin has thus made transparent how it will apply the rather vague legal terms of section 25a of the Banking Act in its supervisory practice. At the same time it gives institutions reliable suggestions for the appropriate structuring of their own internal risk management. The requirements are drafted in such a way that they are applicable for all institutions and are sufficiently flexible. For instance, they give institutions the necessary organisational latitude in the implementation. BaFin deliberately avoided laying down detailed set rules in the MaRisk and instead placed the emphasis on the necessity of a principles-based approach. This approach enables a risk-based organisation of the individual elements of risk management in that it takes into account the size of the institution and the nature, scale, complexity and risk content of the activities it engages in.

In order to keep the MaRisk up to date with changes in market practices over time, BaFin has also set up a specialist committee which consists of representatives of BaFin, Deutsche Bundesbank and the associations, representatives of institutions and external and internal auditors which support BaFin in the further development of the MaRisk.

Organisation and structure

The MaRisk are a principles-based approach which prescribes an action framework for the users but which also allows them extensive freedoms in the practical implementation, provided that these are compatible with the statutory goal of the appropriateness and effectiveness of risk management. The advantage of this principles-based arrangement over a rules-based arrangement is that the MaRisk can be implemented individually, according to the size of the respective institution and the nature of the business activities that it engages in and its risk structure.

The MaRisk are divided into a General Section (Allgemeiner Teil – AT) and a Special Section (Besonderer Teil - BT), while each section is composed in a modular way. The General Section contains fundamental requirements which have no special reference to the types of business and risks dealt with in the Special Section. To that extent, because of their overarching nature they take precedence and are to be observed irrespective of the types of business engaged in and risks. The Special Section contains rules for the internal control system, the requirements for the organisational and operational structure in the lending and trading business, requirements for the risk monitoring and risk control processes. It also renders more precisely the requirements for internal audit.

Revisions

In the past few years the MaRisk have been revised and updated a number of times in the light of new international standards. After slightly less than two years, on 30 October 2007, the first amended version of the MaRisk was published. The financial and economic crisis of 2008 and 2009, which among other things led to the collapse of Lehman Brothers Bank, demonstrated once again the importance of appropriate and effective risk management.

More and more regulation proposals were launched in the following years – either by the Basel Committee on Banking Supervision or by the predecessor institution of the European Banking Authority (EBA), the Committee of Banking Supervisors (CEBS). These entailed further amendments to the MaRisk.

Fourth amended version in preparation

Further versions of the MaRisk will emerge in the future as well: the 4th amended version is scheduled to be published in the autumn of 2012; it has already been the subject of a consultation process. Experience from supervisory practice, findings from the work of the EBA, EU Banking Directive (CRD IV) requirements and other EBA guidelines will all be reflected in the new MaRisk, on which BaFinQuarterly will report in a separate article.

Full article

© BaFin