Risk management

Arion Bank faces various risks arising from its day-to-day operations as a financial institution. Managing risk and taking informed decisions is a crucial component of the Bank's activities and its responsibility towards society. Risk management is therefore a core activity within the Bank. The key to effective risk management is a process of ongoing identification of significant risk, quantification of risk exposure, action to limit risk and constant monitoring of risk.

The Board of Directors is ultimately responsible for the Bank’s risk management framework and ensuring that satisfactory risk policies and governance structure for controlling the Bank’s risk exposure are in place. Similarly, the risk management of subsidiaries is the responsibility of that subsidiary. For the parent company (the Bank) the Board sets the risk appetite, which is translated into exposure limits and targets monitored by the Bank’s Risk Management division.

The CEO is responsible for sustaining an effective risk management framework, processes and controls as well as maintaining a high level of risk awareness among the employees, making risk everyone’s business.

The Bank’s Risk Management division is headed by the Chief Risk Officer. It is independent and centralized and reports directly to the CEO.

Further on Risk Management

 
The Bank operates several committees to manage risk. The Board Risk Committee (BRIC) is responsible for supervising the Bank’s risk management framework, risk appetite and internal capital adequacy assessment process (ICAAP) and internal liquidity adequacy assessment process (ILAAP). The Asset and Liability Committee (ALCO), chaired by the CEO or his deputy, is responsible for managing the asset-liability mismatch, liquidity risk, market risk and interest rate risk, market risk, interest rate risk and capital management. The Underwriting and Investment Committee (UIC) decides on underwriting and investments. The role of the Data Committee (DC) is to ensure the appropriate management of data. The Security Committee (SC) is responsible for security issues, both information security and physical security.

The Bank has four credit committees: The Board Credit Committee (BCC), which decides on all major credit risk exposures; the Arion Credit Committee (ACC), which operates within limits specified as a fraction of the Bank’s capital; the Corporate Credit Committee (CCC) and the Retail Branch Committee (RBC), which operate within tighter credit granting limits. There are also five valuation committees whose role is to establish criteria for estimating collateral and also to inspect valuations of securities owned by the Bank.

The most significant risks the Bank is exposed to are credit risk, including concentration risk, liquidity risk, indexation risk and interest rate. The Bank’s Pillar 3 Risk Disclosures 2018 report discusses risk factors and risk management in detail.

Capital adequacy

The Bank’s capital is intended to meet the risk of unexpected losses in its operations. The extent of the Bank’s own funds should reflect the risk at any given time and any potential adverse future development. Risk on the Bank’s balance sheet is assessed by calculating the risk-weighted exposure value (REA). The Bank uses a standardized approach for calculating REA which is generally designed to be more conservative than methods based on internal models. Capital is calculated in accordance with the Financial Undertakings Act No. 161/2002 and Regulations on Prudential Requirements for Financial Institutions No. 233/2017, under which the European Union’s capital requirement directives, CRD IV and CRR, both based on Basel III, are being implemented in Iceland. Provisions for a capital charge supporting factor for small and medium enterprises have not, however, been implemented in Iceland.

The Bank's total own funds were ISK 175.5 billion at the end of 2018. Of this total, common equity Tier 1 capital (CET1) accounted for ISK 168.8 billion and was reduced over the year via dividend distribution and purchase of own shares. A subordinated bond was issued in the fourth quarter of 2018, giving rise to ISK 6.5 billion of Tier 2 capital at year-end 2018. In the calculation of own funds at 31 December the foreseeable distribution of dividend of ISK 10 billion is deducted, which is in accordance with the decision of the Board of Directors in February 2019. 

The Bank’s REA amounted to ISK 796.6 billion at the end of 2018, increasing by ISK 29.8 billion over the year. Calculations of the Bank's capital adequacy are based on the Group’s consolidated situation according to prudential requirements and do not take into account subsidiaries in the insurance sector, to which special solvency requirements apply. The Bank’s average risk-weighting (REA as a percentage of total assets of the Group’s consolidated situation) was 70%.

The Bank’s capital ratio at the end of 2018 was 22.0%.

In addition to measuring its minimum capital requirement under Pillar 1 in accordance with the rules on prudential requirements, the Bank also assesses its additional capital requirement by performing an Internal Capital Adequacy Assessment Process (ICAAP). ICAAP is designed to ensure that the Bank has in place sufficient risk management processes and systems to identify, manage and measure the Bank’s total risk exposure. ICAAP is designed to identify and measure the Group’s risk across all risk types, including those which are not provided for under Pillar 1, and to ensure that the Group has sufficient capital in accordance with its risk profile. The Financial Supervisory Authority (FME) supervises the Group, receives the Group’s internal estimate of capital adequacy and sets additional capital requirements for the Group following a Supervisory Review and Evaluation Process (SREP). The capital adequacy in respect of the FME's evaluation, in addition to the mandatory Pillar 1 requirement of 8% of REA, is called an additional capital requirement under Pillar 2. The Pillar 2 additional requirement, determined on the basis of the Group’s financial position as at the end of 2017, is 2.9% of REA and this figure is based on the Group consolidated situation which excludes subsidiaries in the insurance sector.

Under the Financial Undertakings Act No. 161/2002 the Bank must meet a combined capital buffer requirement, which is designed to ensure that the Bank maintains a minimum level of capital despite severe shocks. The FME has decided on the level of capital buffer in accordance with a proposal from the Financial Stability Council and it has defined Arion Bank as a systemically important financial institution in Iceland. The combined capital buffer requirement was 8.75% at the end of 2018. Effective capital requirements for systemic risk buffers and the countercyclical capital buffer are determined using the weighted average capital buffer in the countries where the Bank has exposure and risk-weighting is decided by the percentage of credit risk in RWA. The other capital buffers are the capital conservation buffer and the buffer for systemically important financial institutions. The combined effective capital buffer for the Bank was 8.5% at the end of the 2018. FME has announced a 0.5% increase to the countercyclical capital buffer which will raise the Group’s combined effective capital buffer to 8.9% effective as of 15 May 2019. A further increase of 0.25% comes into effect in February 2020.

 
The Group’s total own funds meet the total capital requirement in respect of Pillar 1, Pillar 2 and capital buffers. The total requirement is 19.4% of REA at year-end 2018 while the total own funds are 22.0% of REA. The Bank also sets an internal management buffer of 1.5% of REA. The FME can also set a capital target (Pillar 2G) on top of Pillar 1, Pillar 2 and capital buffers on the basis of stress test results.

Credit risk

Credit risk is defined as the current or prospective risk to earnings and capital arising from the failure of an obligor to discharge an obligation at the stipulated time or otherwise to perform as agreed. Loans to customers and credit institutions are by far the largest source of credit risk.

Strong and improving mortgage portfolio

Mortgages are a core product for Arion Bank. The mortgage portfolio represented 41% of the total loan portfolio at the end of the year, up from 12% since the end of 2010. The key to the growth of the mortgage portfolio was the acquisition of a mortgage portfolio from Kaupthing in 2011 and the acquisition of retail loan portfolios, coupled with strong organic growth via new mortgage lending. The Bank has been at the forefront of innovation on the mortgage market, offering for example, non-indexed mortgages and digital solutions for mortgage financing. At the end of 2018 non-indexed mortgage loans represented 32% of the mortgage portfolio, the remainder being CPI-linked loans.

 
The quality of the mortgage portfolio has been steadily improving with lower average loan-to-value and a reduction in default rates. The main reasons for lower default rate in recent years have been the improving economic climate and better loan collection rates.

 
At the end of 2018, 87% of the mortgages, by value, had loan-to-value below 80%, compared with 83% at the end of 2016. The great majority of mortgage property is located in the Greater Reykjavík area or 70% of the portfolio value.

Well diversified loan portfolio

Loans to customers are well diversified. Loans to individuals represent 48% of total loans to customers, of which 86% are due to mortgages. The corporate portfolio is mainly in three sectors: real estate and construction, fishing and fish processing and wholesale and retail trade, which represent 34%, 20% and 15% of the corporate portfolio respectively. Although sector diversification is good, some single name concentration remains.

Single name concentration decreasing

At the end of 2018 the Bank had no single exposure to a group of related parties that exceeded 10% of the Bank's eligible capital (so-called large exposures), the same as at the end of 2017. The sum of related exposures, excluding loans to financial institutions, exceeding 2.5% of own funds has increased from the previous year – was 144% at the end of 2018, compared with 125% at the end of 2017.

Collateral coverage of loans to customers

Mortgages over residential properties and charges over commercial real estates are the most common types of collateral obtained by the Bank, representing 77% of total collateral. Fishing vessels and other fixed and current assets, such as cash and securities, are also used to secure loans. The Bank places emphasis on collateral maintenance, valuation and central storage of collateral information. At the end of 2018 loans to customers (gross value ISK 829,015 million) are secured by collateral valued at ISK 751,449 million, giving a collateral coverage ratio of 91%, but as shown in the following diagram this ratio varies between different sectors.

Loan book quality is steadily improving

Loans in default have steadily decreased in the past few years. The Bank now defines Problem loans as loans in the third and highest risk stage according to the IFRS 9 accounting standard. At the end of 2018 the Problem loan ratio was 2.6%, compared with 3.5% at the beginning of the year, and 21% of these loans are in default without being impaired due to sufficient collateral.

Operational risk

Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, human and system error, or from external events that affect the Bank's operations. Reputational risk, IT risk and legal risk are considered subcategories of operational risk.

Each business unit within the Bank is responsible for taking and managing its own operational risk. The Bank’s Operational Risk department is responsible for developing and maintaining tools for identifying, measuring, monitoring and controlling operational risk.

The primary tools used by the Bank to analyze and measure operational risk are:

• Business process management (BPM)
  
  
• Risk and control self-assessment
  
  
• Internal controls
  
  
• Deviation analysis
  
  
• Change management

Employees must report any deviations in operations. Deviations refer to things that go wrong during operations and which are connected to services to customers, the products offered by the Bank, how we perform our tasks or our business practices. Deviations can cause the Bank direct financial damage (loss data) but may also cause indirect damage or damage the Bank's reputation. Information on deviations is used as a basis for taking corrective action and improving the operation.

The Bank performs a risk and control self-assessment (RCSA) in order to identify risks, both inherent and residual, and the results are used to make operational improvements which fit the Bank’s risk guidelines. The Operational Risk department follows up on the planned actions.

Key risk indicators are regularly monitored and these can indicate when risk is increasing and exceeding the risk appetite. Reporting to the senior management is based on factors such as loss data, the results of RCSA and key risk indicators.

The management of IT and data security is the responsibility of the Security Officer. With the number of channels to interact with customers greater than ever before and rapid technological developments, the potential for risk relating to data and IT security has increased. In order to respond to these changes the Bank has strengthened its efforts in managing data and IT security. IT security is a method of ensuring the confidentiality, integrity or availability of data.

Market risk

Market risk is defined as the risk that market price changes and interest rate changes will affect the value and cash flow from the Bank’s financial instruments with a negative effect on the Bank's earnings and capital. The main risk factors are interest rate risk, indexation risk, equity price risk and foreign exchange risk.

Interest rate risk is primarily related to the fact that in part of the balance sheet there is a mismatch between maturities and interest-fixing periods of interest-bearing assets and liabilities. At year-end 2018 the Bank had a long net position in nominal krona interest rates, which means that the average duration of fixed rates for the Bank’s assets exceeds that of its liabilities. Higher nominal rates would therefore result in depreciation of the net fair value of interest bearing assets and liabilities. The relationship between inflation and interest rates should be considered in this context, as higher inflation increases the Bank’s net interest earnings as the Bank’s indexed assets exceed its indexed liabilities, see below. For the Bank’s indexed assets and liabilities, lower rates would result in negative effect on the Bank’s earnings as the fixed rate duration of liabilities exceeds that of assets. The Bank’s sensitivity to changes to foreign interest rates is limited.

The aforementioned long and short net positions in terms of interest rate fixing have increased in the past years, increasing the Bank’s sensitivity to interest rate changes. Prepayments and refinancing of loans have been considerable due to favorable repricing conditions in the market. The increase of non-indexed mortgages, e.g. with five-year fixing terms, has exceeded that of the Bank’s matching liabilities. Pre-payments and refinancing of fixed rate indexed mortgages have been sizable, changing the interest fixing profile of the Bank. The Bank’s prepayments of its structured covered bonds in the past years is a reaction to this change, partly mitigating the risk. The risk is somewhat reduced because of diversification effects.

The Bank’s calculations of interest rate sensitivity take prepayment risk into account.

 
The Bank has managed to substantially reduce equity price risk through a structured sale timetable in the last few years. At the beginning of 2016 the Bank’s holding in Bakkavör Group Ltd. was sold, bringing the Bank’s position in associate companies to a negligible level. In 2018, the Bank divested its shares in the beverage manufacturer Refresco. The Bank’s position in other listed equity has also decreased significantly in recent years following further asset divestment.

The Bank’s position in equities in the proprietary trading book and in respect of securities margin lending was relatively stable in the last year. Risk Management closely monitors the associated risk and ensures that positions are kept within limits and that collateral is in place.

 
Foreign exchange risk is the risk that movements in the exchange rate of the Icelandic króna could have a negative impact on the Bank's earnings. The Group’s currency imbalance at the end of 2018 was ISK 3.6 billion. The Bank uses derivatives to hedge against foreign exchange risk.

The net position of the Bank’s indexed assets and liabilities at the end of 2018 was ISK 100.5 billion, decreasing by ISK 32.4 billion from the previous year. The decrease is explained by prepayments of indexed loans, issuance of indexed covered bonds and new derivatives positions.

Liquidity risk

Liquidity risk is defined as the risk that the Group, though solvent, either does not have sufficient financial resources available to meet its liabilities when they fall due or can secure them only at excessive cost.

The Bank also carries out an Internal Liquidity Adequacy Assessment Process, or ILAAP. This process is designed to ensure that the Bank has sufficient liquidity and that appropriate plans, policies, methods and systems are in place to analyze, manage and monitor liquidity risk.

The FME and the Central Bank of Iceland monitor the Bank’s compliance with requirements and obligations in respect of liquidity risk.

Further on Liquidity and liquidity risk