ANNUAL REPORT 2016

MANAGEMENT DISCUSSION AND ANALYSIS

6.0 RISK MANAGEMENT

Sound risk management remained a top strategic priority at Bank Audi in 2016, and during this year, the Bank continued enhancing its risk management framework by leveraging on the strategic plan common for Risk and Finance, that was laid out the year before.

The Bank maintained close risk oversight for its various entities, especially for its exposures in Egypt and Turkey in anticipation of the devaluation in their respective local currencies and in light of the challenging political and economic environments in these two countries. The Bank aims to ensure that its risk profile remains within the overall risk appetite framework, as approved by the Group’s Board of Directors.

6.1. STRENGTHENING THE RISK MANAGEMENT FRAMEWORK

In 2016, Bank Audi continued to improve and harmonise its risk and finance management infrastructure and processes, in conformity with its commitment to constantly protect the interest of its stakeholders and ensure optimal risk and reward, and in line with the Bank’s risk appetite.

RISK APPETITE

Bank Audi, initiated, during 2015, a project to revamp its existing risk appetite framework based on a top-down approach linking risk appetite directly to the Bank’s strategy. During 2016, the Bank made significant progress in that area and intends to submit, early 2017, the first version of the new risk appetite framework at a consolidated level to the Group’s Executive Committee and Board of Directors for approval. Following its approval, the Bank intends to start cascading down the new risk appetite framework to legal entities and business lines.

The new risk appetite framework is set to include both qualitative statements and quantitative indicators, along various dimensions including solvency, profitability, liquidity and franchise value. This new framework will allow Senior Management and the Board of Directors to ensure that all material risks resulting from the Bank’s strategy are properly and easily monitored and controlled. The Bank will continue to use the existing bottom-up framework that includes numerous key risk indicators, along the various types of risks to monitor the risk profile at the most granular levels.

RECOVERY AND RESOLUTION PLANS

During 2016 and in line with best practices, Bank Audi prepared the recovery plans for our three major subsidiaries in Lebanon, Turkey and Egypt. The purpose of the Recovery Plan is to draw recovery actions that can be triggered, when needed, to enhance the financial position of the Bank. In order to identify the recovery actions trigger points, the Bank has set quantitative indicators related to solvency, liquidity, profitability, and asset quality that are closely linked to the Bank’s risk appetite. The plan also includes identifications of core business lines and critical functions around which the recovery actions and quantitative indicators were set. In line with global regulatory requirements, the Bank also prepared resolution plans for these three subsidiaries. The purpose of these plans is to facilitate an orderly and timely reorganisation of these subsidiaries in the event of a severe stress event in order to minimise any consequent impact on the financial sector and its critical functions. During 2017, the Bank will be working on strengthening the governance aspect around these plans.

INTEGRATED MIS

During 2016, Bank Audi maintained its efforts towards integrating its risk and finance system to ensure one sole source of information for accurate, uniform and timely decision-making. The Bank went forward with the implementation of the Integrated Finance and Risk Management System (IFRMS) for Bank Audi’s three major entities in Lebanon, Egypt and Turkey.

In 2016, the IFRMS project did a major progress in Turkey where our subsidiary is planning to go live during 2017 for Asset-Liability Management (ALM), Liquidity Risk Management (LRM), Fund Transfer Pricing (FTP) and Profitability. In Lebanon, FTP and Profitability implementation is expected to be completed in 2017.

STRESS TESTING

Bank Audi continued to improve and upgrade its stress testing framework. Stress testing is used by Bank Audi to measure the Bank’s vulnerability to severe and plausible events and its impact on solvency, profitability, liquidity and franchise.

In 2016, the Bank worked on standardising the stress testing framework across entities by ensuring a consistent approach in terms of selection of scenarios, reporting of results and other components.

The selection of stress testing scenarios is the result of the discussion between Risk, Finance and business lines, in consultation with the Research Department. The results, which are reported to the Group’s Executive Committee, the Board Group Risk Committee and the Group’s Board of Directors, are increasingly becoming an integral part of Management’s decision-making process.

IFRS 9: EXPECTED CREDIT LOSS

The Banking Control Commission of Lebanon (BCC) issued, on 13 August 2015, a memo on the application of the IFRS 9 standard by Lebanese banks, whereby it requested from banks to start preparing for the implementation of this standard which will become fully effective at a consolidated basis starting 1 January 2018.

During 2016, Bank Audi has developed and rolled out its new IFRS 9 framework across the Group, and has conducted two impact studies on a consolidated basis: one for internal purpose and the other for regulatory purpose. This year was marked by a major transition in the approach the Bank allocates to provisions, first by widening the scope of the assets subject to provisioning requirements, from the loan portfolio during 2015 to all major credit asset classes during 2016, and second by introducing a forward looking component in the provisions calculation methodology.

In 2016, the Bank took additional provisions in comparison to the amount effectively required as per existing standard, in preparation for the IFRS 9 impairment adoption, as well as in order to comply with provisioning requirements of the Central Bank of Lebanon, as stipulated in Intermediary Circular No. 439. This excess provision was subject to a qualified opinion by the external auditor as the IFRS 9 impairment treatment is not applicable yet. Going forward and in 2017, Bank Audi intends to calculate the ECL on a consolidated and quarterly basis, in preparation for the full adoption of the standard beginning January 2018.

In support of the IFRS 9 initiative, Bank Audi further enhanced its risk-rating system and methodologies for Probability of Default and Loss Given Default for the various countries of operations, that will be used in the final ECL calculation.

ICAAP

During 2016, the Internal Capital Adequacy Assessment Process (ICAAP) was further integrated in the budgeting and capital planning process, and institutionalised stress testing as part of this process. ICAAP, which is performed on a yearly basis, complements Pillar 1 regulatory capital calculations and allows Management and the Board of Directors to assess the capital adequacy of the Group by taking into account all material risks that the Bank is facing under normal, but also severe, stress scenarios. It also enables the use and reporting of economic capital which reflects the Bank’s own views of capital requirements. The ICAAP exercise is conducted annually on a consolidated basis, and also at the level of our subsidiaries in Turkey, Egypt, Saudi Arabia, as well as the Jordanian branch network.

DATA GOVERNANCE

Along with the implementation of the Integrated Finance and Risk Management System (IFRMS) solution, the Bank continued to put significant efforts on data governance.

During 2016, the Risk function focused on addressing the completeness of IFRS 9 data given the importance of ensuring accurate Expected Credit Loss calculations. This effort was rolled out in various entities of the Group, in close coordination with related stakeholders for Risk, Finance, IT and the business lines. This effort will continue in 2017, and would include Basel 3 and other requirements.

PILLAR 3 PREPARATION

Even though the Bank’s regulators have not yet issued requirements on Pillar 3 compliance, the Bank is working on meeting the specific expectations set by the Basel Committee in its Pillar 3 disclosure standard, as part of an internal initiative and in anticipation of a future regulatory requirement. Over the next few years, we will therefore gradually bring our disclosure in line with the spirit and the requirements of Basel Pillar 3.

INTEREST RISK IN THE BANKING BOOK

The Bank has started calculating the Interest Rate Risk in the Banking Book (IRRBB) capital charge using the new Basel III approach, replacing by this the earlier version of Basel methodology. Going forward, the Bank will start incorporating this assessment and resulting capital charge in the ICAAP as part of Pillar 2, as well as in the new risk appetite framework.

RISK INTELLIGENCE

Bank Audi maintained its efforts on enhancing its reporting and early detection initiative at group level. The Bank has established a Risk Intelligence function within Group Risk in order to centrally build and maintain automated risk reports, streamline the monitoring of the risk profile and key risk indicators, as well as notify the appropriate stakeholder of an emerging risk when it occurs.

CREDIT INSPECTION

During 2016, the Bank established a new Credit Inspection function whose mission is to provide an independent evaluation of the quality of the credit portfolios and the effectiveness of the credit process being used to manage these portfolios.

This function has been scheduling and conducting on-site reviews of the commercial and corporate functions at the entities of the Group.

These reviews are forward-looking and provide Management with an independent assessment of the future prospects of the credit portfolio managed by the business. This helps ensure that the Bank’s credit portfolio is m anaged i n a ccordance w ith t he c ore p rinciples o f t he B ank a nd i n compliance with the approved credit policies, procedures and appetite.

6.2. PRIORITIES FOR 2017

The Bank, in its continuous effort to be the leader in risk management, is always looking for ways to improve its risk management framework.

Priorities for 2017 are as follows:
  • Continue preparing for the IFRS 9 adoption by focusing on the automation of the ECL calculation process and enhancements of the related data quality.
  • Ensure optimal capital allocation.
  • Widen the scope of utilisation of the return on capital measures to include more businesses and entities to ensure proper risk-reward balance.
  • Maintain and strengthen the Group’s risk culture.
  • Continue to enhance the Bank’s stress testing framework.
  • Move towards further standardisation of risk management processes across the Group.
  • Increase the integration of capital planning and risk management.
  • Constantly reinforce the Bank’s security posture, increase the efficiency of the business continuity plan, and keep it abreast of upcoming changes.
  • Prepare for the Pillar 3 disclosure as an internal initiative.
  • Cascade the new risk appetite framework across geographies.

6.3. CREDIT RISK

CORPORATE CREDIT

Consolidated net loan portfolio decreased by 4.0% in 2016, from USD 17.9 billion as at end-December 2015 to USD 17.2 billion as at end-December 2016, mainly due to the devaluations of EGP and TRY versus the US Dollar. Excluding these devaluations, the consolidated portfolio would have displayed an 8.0% annual growth during 2016. Asset quality on the whole remains healthy, with all key related risk indicators broadly within their respective internal risk limits (see section on Loan Quality on Page 40).

Cross-border Country Risk

Country risk credit exposure is mainly concentrated in markets where Bank Audi holds material local operations, mainly Lebanon, Turkey, Egypt and Jordan. Bank Audi also places part of its foreign currency liquidity with banks, mainly in G10 and highly rated GCC countries. This generates additional cross-border exposure.

Outside of aforementioned markets, there is a limited amount of cross-border credit exposure captured as part of transactions conducted with customers. Such exposures are not normally significant and are in general spread across several countries. Exposures in countries that are considered high risk, excluding countries of presence of Bank Audi (sub-investment grade) are not material (reaching USD 440 million) and represent a manageable size as compared to the size of consolidated shareholders’ equity, standing at USD 3.8 billion as at end-December 2016. Note that this exposure is diversified and hence, would be relatively easy to absorb in a major stress scenario in one or potentially several correlated countries.

The table below sets the breakdown of cross border credit exposures by region/market as at end-December 2016, excluding collateral held in the various countries, considered as a mitigating factor:

BREAKDOWN OF CROSS-BORDER CREDIT EXPOSURE BY REGION/MARKET OF OPERATION (USD MILLION)

BREAKDOWN OF CROSS-BORDER CREDIT EXPOSURE BY REGION/MARKET OF OPERATION (USD MILLION)

The above table shows the well diversified portfolio of cross-border exposures spread mainly across highly rated countries (G10, GCC and investment grade), and countries of strategic importance for Group Audi, representing the bulk of the exposure (over 90%).

RETAIL CREDIT RISK

The development and deployment of application scorecards continued throughout 2016 in various entities of the Group. With this development, Bank Audi has largely completed the transition of credit decision platforms to reliable consistent ones which enhance the predictability of risk. Building on enhanced and proactive risk management, the Bank has initiated the process for building behaviour scorecards to upgrade the management of portfolios.

In addition to scorecards, the Bank has completed the development IFRS 9 compliant retail impairment models which have been rolled out in the entities for impact assessment. These models will be used during the 2017 parallel-run to calculate provisioning requirements, in preparation for the full adoption of the standard expected beginning January 2018.

In parallel, reviews of portfolios’ quality, a core process within the risk management framework, were particularly critical throughout 2016 due to the economic and regulatory challenges faced in Egypt and the political developments and subsequent economic implications in Turkey. While pressure on retail asset quality has increased in these two countries, performance remains well within the Bank’s risk appetite. In fact, the retail portfolio has demonstrated strong resilience to the economic challenges across major entities, which together with the proactive risk management measures taken, translated in improvements in risk indicators of key portfolios. In addition to addressing performance, the Bank worked on improving governance and policies in the entities.

6.4. OPERATIONAL RISK

Operational risk is the risk of loss that exists in the natural course of the Bank’s activities. This risk can result from inadequate or failed internal processes, people, systems and external events.

The mitigation of operational risk entails, at a minimum, applying good business practices and ensuring a continuous improvement of internal controls. This can be achieved through a Group Operational Risk Framework that sets a robust governance, as well as the standards and guidelines mandated by the Board of Directors to manage operational risks, while ensuring compliance with laws, regulations and best practices.

At Bank Audi, the effective management of operational risk is not restricted to a specific function; rather it is decentralised based on a three-line-of-defence approach. The first responsibility of operational risk management relies on the business lines Managers which act as a first line of defence. The second line of defence is assumed by several support functions that include: Operational Risk, Corporate Information Security and Business Continuity, Compliance, Regulatory Compliance and Internal Control. Internal Audit, which is the third line of defence, provides an independent assurance on whether the operational risk framework is effective, implemented as intended, and whether the associated governance across the Group is adequate. The operational risk framework is audited yearly as per the local regulatory requirements and standard industry practices.

Operational risks are identified, assessed, monitored and controlled through risk and control assessments, Key Risk Indicators, incident reporting, and through risk sign-offs on new projects and major changes pertaining to products, services, processes, activities and systems. All these activities are conducted in accordance with the Board-approved Group Operational Risk framework. To support operational risk management activities while ensuring an efficient and standardised group-wide implementation, the Bank has acquired and implemented an operational risk solution across entities.

As an additional layer of mitigation against operational risk events, the Bank purchases adequate insurance coverage from highly rated reinsurers to cover specific risks such as computer crime, infidelity, professional indemnity, property, political violence, external fraud on credit cards, etc.

The Bank also ensures that operational risk inherent to outsourced activities is subject to adequate assessment procedures to maintain a consistent and sound risk management across all activities in the organisation.

BUSINESS CONTINUITY AND INFORMATION SECURITY RISK

Bank Audi is constantly committed to protect the interest of its stakeholders and to maintain a high quality of service to its customers with minimum disruption. Several initiatives were implemented during the past year to enhance the Bank’s Information Security posture and to improve crisis management and handling of security incidents. Several initiatives were also implemented to ensure the continuity of business operations.

Information Security

The Bank is adopting a proactive risk management approach to protect its information assets, prevent data loss, reduce its vulnerability to cyberattacks, and improve the security of its systems, networks and underlying IT infrastructure. Accordingly, risk and vulnerability assessments are conducted on regular basis to identify threats and vulnerabilities to information assets, and appropriate measures are implemented to reduce identified risks to an acceptable level. Necessary measures are also taken on a continuous basis to raise the awareness level of staff and Management, enhance the governance framework, and improve the monitoring of critical activities, as well as the effectiveness of information security controls, especially those pertaining to cybersecurity, data leak prevention, change management, and logical and physical access.

Cyber Resilience

Bank Audi is aware of the increasing effects of cybercrime globally, especially on the banking sector. It has therefore taken several technical and non-technical measures to minimise the risk of a cyberattack and to strengthen its cyber resilience posture. External expert support is sought on a continuous basis to stay abreast of the latest cyber security trends, threats, countermeasures, technologies and tools.

Business Continuity

Bank Audi’s Business Continuity framework has been designed to ensure the continuity of critical business activities in the event of an unforeseen event that may disrupt the operations of the Bank. Therefore, the Bank has established a world-class business continuity site, along with a disaster recovery site that was awarded the Tier 4 – Fault Tolerant Certification of Design Documents and Constructed Facility. Additionally, a Business Continuity Plan (BCP) was developed and implemented to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption. This plan identifies business continuity teams and the role of each, calling trees, emergency procedures, vital records, assembly points among other items. The BCP is updated on an annual basis and upon major changes. Several tests are conducted on yearly basis to evaluate the effectiveness of the Bank’s Business Continuity readiness. In addition, the Bank is updating the evacuation procedures and conducting fire drills for its headquarters’ locations on a regular basis to ensure the safety of its personnel in the event of fire or other emergencies.

6.5. LIQUIDITY RISK MANAGEMENT

Liquidity risk is the risk that the Group will be unable to meet its payment obligations when they fall due under normal and stress circumstances.

Liquidity risk can manifest in the following two forms:
  • Funding liquidity risk is the risk that the Bank’s financial condition is adversely affected as a result of its inability to meet both expected and unexpected current and future cash flow and collateral needs in a timely and cost efficient manner.
  • Market liquidity risk is the risk that the Bank cannot easily offset or eliminate a position at the market price because of inadequate market depth or market disruption ultimately leading to loss.

The Bank addresses these risks in two distinct environments:
  • Normal conditions where the Bank must satisfy daily liquidity needs (flows) and the liquidity risk associated with those needs (e.g. in conjunction with expanding product or business mix, settlement, deposit/loan growth, etc.).
  • Stressed conditions where the Bank is facing liquidity strains due to idiosyncratic or systemic conditions and may invoke the Contingency Funding Plan (CFP) and Recovery Plan as a result.

LIQUIDITY ADEQUACY

Management considers the Bank’s liquidity position to remain strong, based on its liquidity metrics as at end-December 2016, and believes that the Bank’s funding capacity is sufficient to meet its on and off-balance sheet obligations.

The Bank’s funding strategy is intended to ensure sufficient liquidity and diversity of funding sources to meet actual and contingent liabilities through both normal and stress periods.

The Bank continues to source funds by relying on a stable customers’ deposit base constituting 81% of its funding (liabilities + equity). The Bank maintains its franchise in Retail/Personal Banking at 69% of deposits, while about 30% are corporate/SME. The large Retail/Personal Banking base highlights the Bank’s reliance on sources of funding that are considered to be the most stable.

All entities where LCR has come into effect are compliant with their jurisdictional minimum. There is no regulatory requirement for LCR in Lebanon, neither at entity standalone nor consolidated levels. Internal assessments show that should it be implemented, the Bank would probably be in a healthy situation.

The Bank’s consolidated short-term liquidity ratios (defined as current accounts and maturing placements with central banks, plus banks and financial institutions relative to maturing deposits over 1-month and 3-month horizons) are at healthy levels. For example, the 1-month ratio is 31%.

The Bank maintains pools of liquid unencumbered securities and short-term placements with highly rated bank counterparts or the central bank in the relevant jurisdiction, and engages in short-term reverse repo agreements whose underlying securities’ risk-weighting is equal to or better than those of their domestic sovereign. The Bank also actively monitors the availability of funding across various geographic regions and in various currencies. Its ability to generate funding from a range of sources in a variety of geographic locations and in a range of tenors is intended to enhance financial flexibility and limit funding concentration risk. As mentioned later under Liquidity Management, the Bank’s liquidity management strategy promotes self-sufficiency of legal entities, most especially across borders.

The Bank monitors its liquidity position daily. Its fund-raising ability in Turkey has been tested and found reliable in several instances during unsettled periods, including the failed coup attempt of July.

GOVERNANCE

The Bank’s governance process is designed to ensure that its liquidity position remains strong at both entity and parent levels. The Asset-Liability Committee (ALCO) formulates and oversees execution of the Bank’s liquidity policy at the level of each entity (which essentially lays down the Bank’s liquidity management strategy). The liquidity risk policy for identifying, measuring, monitoring, and reporting of liquidity risk, and the contingency funding plan are recommended by Risk Management, reviewed by ALCO, approved by the Group’s Executive Committee, and finally ratified by the Board of Directors. Measurement, monitoring and reporting are performed for the most part by either Treasury or Risk Management, each of which informs and may escalate to ALCO based on key risk indicators and both regulatory and internal limits.

Treasury is responsible for executing the Bank’s liquidity policy, as well as maintaining the Bank’s liquidity risk profile according to ALCO directives, all within the risk appetite set by the Group’s Board of Directors.

The parent bank’s Treasury and Capital Markets Division communicates with the entities’ Treasury Departments to ensure adequate liquidity conditions at the group level.

LIQUIDITY MONITORING AND RISK APPETITE

Monitoring and setting of risk appetite for liquidity occur independently for each entity. Given the Bank’s operating environment, the Bank monitors liquidity adequacy in each currency separately, especially for significant currency positions.

of the Bank’s reliance on short-term unsecured funding as a percentage of total liabilities, as well as analyses of the relationship of short-term unsecured funding to highly liquid assets, the loans-to-deposits ratio and other balance sheet measures). The Bank also uses methods like Basel’s Liquidity Coverage Ratio to measure and monitor liquidity under different conditions, which is not confined to the regulatory weighting, but reflects Management’s own view under different scenarios in the relevant jurisdiction.

The Bank performs liquidity stress tests as part of its liquidity monitoring. The purpose is to ensure sufficient liquidity for the Bank under both idiosyncratic and systemic market stress conditions. They are produced for the parent and major bank subsidiaries.

LIQUIDITY MANAGEMENT

Liquidity management at the parent level takes into account regulatory restrictions that limit the extent to which bank subsidiaries may extend credit to the parent and vice-versa, and to other non-bank subsidiaries. The Bank’s liquidity management strategy promotes self-sufficiency of legal entities, most especially across borders.

Although considered as a source of available liquidity, the Bank does not view borrowing capacity at central bank discount windows in the jurisdictions it operates in as a primary source of funding, but rather as a secondary one. In addition, the Bank holds high quality, marketable securities available to raise liquidity, such as corporate and sovereign debt securities.

6.6 MARKET RISK MANAGEMENT

Market risk is defined as the potential loss in both on and off-balance sheet positions resulting from movements in market risk factors, such as foreign exchange rates, interest rates and equity prices.

The Bank maintains low appetite to market risk stemming from changes in equity prices and foreign exchange rates. However, operations in Turkey open revenue-generating opportunities from trading activities in FX and interest rates which the Bank is willing to make use of, albeit with a relatively low appetite.

The Bank’s main exposure, on a parent level, to changes in FX rates at year-end 2016 stems mainly from its structural FX positions resulting from its equity investments in banking subsidiaries in non-hard currencies that cannot be hedged against, except for the Turkish Lira where derivatives can be used.

IRRBB

Interest Rate Risk in the Banking Book arises out of the Bank’s interest-sensitive asset, liability and derivative positions. The mismatch in the repricing dates of these positions creates interest rate risk for the Bank, which is inherent in its banking activities.

The sensitivity of net interest income to major currencies is listed below at the consolidated group level.

INTEREST RATE SENSITIVITY - 2016

INTEREST RATE SENSITIVITY - 2016

It is important to note that interest rates on liabilities are not fully correlated with asset rates. The stickiness of customers’ deposit rates, an observed phenomenon in the Lebanese market, has been incorporated in the above table. It has been quantified for the Lebanese USD customers’ deposit market whereby a relationship between changes in deposit rates has proven statistically reliable and reflects historical behaviour. This relationship is applied for customers’ deposits in Lebanese entities only, whereas other entities are calculated on purely contractual terms. It is worth noting that the relationship also incorporates the lag in the response of deposit rate changes to changes in market rates. These relationships are reviewed annually to ensure they still hold.

The interest rate risk profile of the Bank from a net interest income perspective is within acceptable bounds. The impact of a change in rates in any currency reduces less than 1% of net interest income. LBP impact reversed compared to year-end 2015 given that the Group has a much higher amount of LBP short-term placements at year-end 2016.

The interest rate shocks shown in the table do not reflect any particular view Management is assuming on rates, and are not indicative of historical or assumed correlation between them.