Challenges were seen in the retail, SME and MCD (Midsize Corporate Division) portfolios. Despite these challenging operating conditions, the ADCB portfolio continued to be resilient, reflecting the inherent strength of our franchise. Some of our key metrics that reflect this are:
We continue to invest in our risk management capabilities through expanded portfolio-reporting and analytics, standardised enterprise-wide stress tests, reverse stress tests, assessments of ratings migration, lessons-learned coaching, technical training, model-development capabilities, and tuning/calibration. Strict enforcement of discipline is also applied using tools such as Risk Adjusted Return on Capital (RAROC), economic capital computation, cross-selling, and portfolio-level returns.
We consistently monitor the impact of international developments and domestic challenges on our portfolio and continue to make changes as appropriate to our underwriting and policy measures. Developing work on automation and information management will improve both the quality and speed of response to regulatory reporting requirements. We are also continually upgrading the Bank’s risk infrastructure to ensure that our risk management practices remain best-in-class.
In 2017, we continued our key projects — implementation of a digitised credit application processing system that improves the credit monitoring capabilities and automates and strengthens the processes around credit monitoring. Several forums and internal reviews were conducted to identify and act on portfolios showing enhanced credit risk. These proactive steps, with timely credit policy and underwriting changes, supported the Bank in lowering its cost of risk to 0.81% under challenging macroeconomic conditions. We worked on a core banking implementation platform and undertook a significant amount of uplift to our limit monitoring platform. We reviewed and adjusted all our risk models to ensure we were well prepared for the IFRS9 regime.
We track emerging risks closely and have augmented our related IT risk infrastructure accordingly.
As part of our risk management strategy, we regularly identify and monitor “emerging risks.” These are events that could lead to a significant, unexpected negative outcome that could cause the Bank, or one of its divisions, to fail to meet a strategic objective. When we assess the potential impact of an emerging risk, we consider both financial and reputational implications.
This section describes the categories of emerging risks that could materially affect the UAE banking system and ADCB: macroeconomic conditions, geopolitical risks, the additional costs and rigours imposed by enhanced regulatory requirements, risks related to information technology and data security, and concentration risks.
Prolonged low oil prices will have an impact on the UAE economy and the GCC countries’ economies. Most analyst reports forecast a slowdown in the GDP growth rates and an associated period of lower credit growth and tighter liquidity conditions.
The UAE economy is well-diversified across non-oil sectors, which will help partially mitigate the impact of lower oil prices in the banking system. ADCB has more than 90% of its loans in the UAE and therefore expects to be a key beneficiary of this strategy compared to peer banks with more geographically diverse asset books within the MENA region. ADCB’s portfolio diversification, in terms of investment in non-GCC bonds, lending to diversified industry groups, and focus on granular and well-structured lending, is expected to help soften the impact of macroeconomic conditions.
ADCB is well-capitalised in terms of capital adequacy and regularly runs stress tests to ensure there is sufficient capital coverage at all times. We also have a proactive approach to liquidity risk, which includes monitoring of positions, regular stress testing, and buffers in excess of the Basel requirements.
This risk could stem from one of many sources unrelated to the Bank and its business. Geopolitical tension remains a persistent issue in the region.
The Bank regularly monitors geopolitical and economic situations around the world. In particular, ADCB’s Chief Economist centrally assesses the economic impact of changing geopolitical risks and provides key inputs to drive the Bank’s strategy. Where necessary, we adjust our country limits and exposures to reflect our appetite and to mitigate these risks.
Governments and regulators often develop policies that impose new requirements, the recent VAT implementation being a key example. These developments may affect our business model and profitability. Should a regulatory change reduce the Bank’s ability to respond to any of our customers’ needs or to achieve fair customer outcomes, we may experience increased costs and reputational damage. Moreover, inability to satisfy our customers would cause the Bank to fall short of strategic objectives, which could have an adverse effect on earnings, liquidity, capital and shareholder confidence. The risk of failure due to emerging unanticipated regulatory and legal changes affects all our businesses.
We strive to ensure that the Bank’s views are considered when UAE regulatory policy is developed. ADCB chairs, or is a key member of, several UAE Banks Federation forums. Internally, we analyse all new pipeline requirements, regulatory consultation, and draft regulations or circulars to measure their impact qualitatively and quantitatively as well as to ensure they can be implemented effectively. We also confirm that our capital and liquidity plans anticipate the potential effects of any changes. We constantly monitor and expand our capital allocation and liquidity management disciplines to incorporate future increased capital and liquidity requirements and to drive appropriate risk management and mitigating actions.
In the past few years, the Bank has launched several initiatives to reduce reputational risk to our business model. For example, our Customer Experience Committee ensures that customers enjoy a superior and consistent experience. We have well-developed policies and procedures to deal with customer complaints, and all front-office staff and officers are trained to deal with customer concerns in a timely manner.
Cyberattacks are increasing in frequency and severity across the globe. This risk affects all our businesses. A successful cyberattack could lead to fraudulent activity or the loss of customer data, leading to adverse business, financial and reputational consequences. The Bank could experience significant losses because of the need to reimburse customers, pay fines, or both. Furthermore, a significant cyberattack could cause serious damage to the Bank’s reputation.
The Bank has a constantly-evolving and expanding large-scale programme to improve controls over user access security, as well as hardware and data integrity and protection. In addition, we have implemented additional anti-virus protection and engage in regular penetration testing and unusual-activity detection, mitigation, and elimination. We are insured against data-security risk and consequential risks, and conduct ongoing user and customer education on information protection.
The principal risks faced by ADCB are presented in this section, together with a summary of the key areas of focus and how the Bank managed these risks in 2017.
Credit risk reflects the risk of loss if one or more counterparties fails to meet all or part of their obligations to the Bank. Credit risk also includes concentration risk.
Concentration risk derives from increased exposure to large client groups, sectors or geographies.
Deteriorating macroeconomic conditions can affect ADCB’s performance and credit risk profile.
ADCB’s credit portfolio can worsen due to quality of assets and increased exposure to particular economic sectors or large client groups.
Losses can vary materially across portfolios. Problems may include the risk of loss due to the concentration of credit risk related to a specific product, asset class, sector or counterparty. Credit risk has the potential to damage ADCB’s financial performance and capital.
During 2017, our collective loan-impairment allowance 1.79% of credit-risk-weighted assets remained in excess of the Central Bank of the UAE’s mandated collective impairment allowance of 1.50%. The non-performing loan ratio dropped to 2.1% (compared with 2.7% in 2016), Provision coverage improved to 162.9% (from 129.9% in 2016).
The top 20 exposures as percentage of gross loans has steadily dropped the last 3 years
Measurement — We measure the amount that could be lost if a customer or counterparty fails to make repayments.
Monitoring — The Bank monitors concentrations on a continuous basis by customer group, by industry, by geography and by credit risk profile. We strictly enforce Risk Adjusted Return on Capital when screening proposed new business to ensure that all facilities are appropriately structured and that the expected income justifies the expected risk weight of assets to be booked.
Management — ADCB attempts to mitigate this risk by diversifying our portfolio, managing concentrations and adhering to disciplined credit review and underwriting guidelines. ADCB’s risk strategy focuses on growth of granular exposures, and risk parameters are set to encourage granular growth with an improvement in average portfolio quality. The Bank’s underwriting guidelines and minimum credit acceptance criteria ensure that new bookings improve portfolio quality.
Refer to Note 43 of the audited financial statements and the Pillar 3 report for further details.
Market risk is the risk that the Bank’s income or the valuation of financial instruments will fluctuate because of changes in external market factors that affect pricing.
Changes in interest rates, credit spreads, exchange rates, commodity prices and equity prices.
The traded market risk exposure arises in transactions in financial instruments such as debt securities, loans, deposits and equities, as well as in transactions in securities financing and derivatives.
The majority of the non-traded market risk exposure arises from retail and commercial banking activities in all franchises from assets and liabilities that are not classified as held-for-trading.
Metrics as at 31 December 2017 (AED)
Measurement — Our Market Risk function implements valuation and risk policies for all Level 1 and Level 2 financial instruments in the trading book. All valuation models are independently vetted and approved for mathematical integrity and suitability. We use these models to measure market risk within a 99% confidence level through VaR, SVaR, Expected Shortfall, and First Order Greeks (Delta and Vega). VaR and SVaR are used to estimate potential valuation losses on risk positions due to movements in market rates and prices over a specified time horizon and to a given level of confidence, augmented with stress/sensitivity testing to evaluate the potential impact on valuations of more extreme, though plausible, events or movements in a set of financial variables (non-statistical measures).
Monitoring — We apply the sensitivity of net interest income and the sensitivity of structural foreign exchange to the market risk positions within each risk type using measures including the valuation of interest rate, foreign exchange rate, fixed income and commodity derivatives.
Management — Using risk limits approved by the Management Risk Credit Committee (MRCC), all limit breaches are reported according to their materiality to appropriate levels of authorities.
Refer to Note 47 of the audited financial statements for further details.
Liquidity risk is the risk that the Bank will be unable to meet its payment obligations when financial liabilities fall due or is unable to replace funds when they are withdrawn. Funding risk is the risk that the Bank will be unable to achieve its business plans due to its capital position, liquidity position or structural position.
Liquidity risk arises from mismatches in the timing of cash flows, such as when the cash needed to fund lending commitments exceeds deposits and other available liquid assets.
Funding risk arises when the Bank cannot obtain the funds needed to meet current and future cash flow and collateral requirements at the expected terms and when required.
Liquidity and funding risk varies based on company-specific factors such as maturity profile, the composition of sources and uses of funding, and the quality and size of the liquid asset buffer. Broader market factors, such as wholesale market conditions and depositor and investor behaviour, also play a role. This type of risk can cause the Bank to fail to meet regulatory liquidity requirements, become unable to support normal banking activity or, at worst, cease to be a going concern.
The Bank manages its LCR at levels higher than mandated by the Basel Committee. LCR as at 31 December 2017 is 135%.
Measurement — This risk is measured using metrics related to Basel III liquidity ratios and survival horizons under liquidity stress tests and contingency funding plans. Liquidity stress tests are carried out using contractual, behavioural and stressed conditions coupled with contingency funding facilities.
Monitoring — The Asset and Liability Management Committee (ALCO) and the MRCC oversee the Bank’s liquidity and funding risk, stress-test-management process and corrective actions.
Management — Funding is diversified and raised through both retail and wholesale operations. In addition, businesses are required to self-fund all new operations. We strive to maintain a large portion of our funding as sticky deposits. Our Treasury department ensures access to diverse sources of funding, ranging from local customer deposits (from both retail and corporate customers) to long-term funding, such as debt securities and subordinated liabilities. Further, the Bank has borrowing facilities from the Central Bank of the UAE to manage liquidity risk during critical times.
Refer to Note 45 of the audited financial statements for further details.
Operational risk is the risk of loss arising from inadequate or failed internal processes, people and systems, or from external events. It excludes strategic and reputational risks.
Operational Risk could have many possible repercussions, including damage to the Bank’s reputation, legal or regulatory implications, and financial losses.
Day-to-day operations, potentially in any aspect of the Bank’s business.
Losses may be financial in nature (characterised by either frequent small losses or infrequent material losses), or may lead to direct customer or reputational impact (for example, a major breach of customer data leading to use of information for fraudulent activity). Operational risk has the potential to affect the Bank’s profitability and capital requirements directly and to impair stakeholder confidence.
There were no material operational losses in 2017.
Identification & Assessment — Operational risk is identified using both the risk analysis and the risk & control assessment process. These tests/reviews/measures assess the level of exposure to risk and the effectiveness of controls.
Measurement — Operational risk is measured using the standardised approach prescribed by the Central Bank of the UAE. Reports are submitted to the Central Bank as per its reporting timelines.
Monitoring — The Bank uses key indicators, risk thresholds, expected loss and other internal control activities to monitor operational risk.
Management — ADCB’s operational risk-management process prescribes the escalation of issues and events, leading to greater risk transparency across the organisation. All employees are responsible for identifying and assessing risks, implementing controls to manage them, and monitoring the effectiveness of those controls using the operational risk-management framework.
Refer to the Pillar 3 disclosures for further details.
Regulatory risk refers to risk the Bank will be exposed to in the event of regulatory sanctions or fines due to a failure to comply with regulatory guidelines or with laws.
Changes in the regulatory environment in which ADCB functions and our response to new requirements.
Regulatory defaults or non-compliance can have an adverse effect on the Bank’s customers, strategy, business, financial condition or reputation, primarily due to the threat of regulatory enforcement or other interventions.
There were no material incidents of regulatory non-compliance in 2017.
Monitoring — We closely watch and actively try to influence key regulatory developments. In particular, ADCB participates in regulatory consultative meetings and is an active member of various forums, such as the UAE Banks Federation. Regulatory compliance is closely monitored by the Risk and Audit areas under the oversight of the Board-level Committees.
Management — We allocate capital to cover any unforeseen sanctions or fines that may arise from changes in the Bank’s internal and external regulatory environment. Based on the peer group experience, and considering our own complexity, the Bank sets aside capital commensurate with regulatory risk as part of its Internal Capital Adequacy Assessment Process (ICAAP).
Reputational risk refers to the potential adverse effects that can arise if the Bank’s reputation is damaged due to factors such as unethical practices, breach of law or regulation, customer dissatisfaction and complaints, or adverse publicity.
Reputational risk could arise from the failure of the Bank to effectively mitigate the risks described above in any of our businesses.
Damage to ADCB’s reputation could cause existing clients to reduce or eliminate their business with us and discourage prospective clients from forming business relationships with ADCB.
There were no material-reported incidents in 2017 that could lead to reputational risk.
Identification & Assessment — All employees are responsible for identifying and managing reputational risk in their daily activities. These responsibilities form part of ADCB’s Code of Conduct and are further embedded through values-based performance assessments.
Monitoring — Reputational risk management is aligned with our focus on creating the most valuable bank in the UAE, our strategic objectives and our risk-appetite goal of maintaining shareholder confidence.
Management — ADCB’s Risk Management function addresses the reputational risk associated with the Bank’s businesses. It sets policy and provides guidance to avoid reputational risk relating to business engagements with, and lending to, clients in sensitive industry sectors.
Training and Awareness — ADCB ensures induction training for all new employees and regular refresher programmes for all existing employees to ensure the Bank’s policies and procedures are implemented and adhered.
Information security risk is the risk of loss of confidential information or the disruption of business processes because IT systems are not available for normal operations, and the risk that this loss or disruption may cause financial, reputational or regulatory damage.
Information security risk arises from information leakage, loss or theft.
Information security risk gives rise to potential financial loss and reputational damage, which could adversely affect customer and investor confidence. Loss of customer data also constitutes a regulatory violation that could result in the imposition of fines and penalties.
There was no material loss of confidential data or disruption of processes due to the unavailability of our IT system reported in 2017.
Identification & Assessment — ADCB proactively identifies top organisational information security risks by continuously evaluating threats and by benchmarking information security controls against leading industry standards.
Monitoring — We maintain and continually update an information-risk heat map that plots the Bank’s protection mechanisms against ever-evolving cyber threats. We use knowledge from a variety of sources, such as published research, security forums, threat intelligence and regional events, to keep these mechanisms relevant.
Management — The Bank’s comprehensive security risk-management programme covers classification of assets, identification of vulnerabilities and assessment of the risks of all internal assets and key third parties, which enables management to prioritise and mitigate information security risks. All critical systems and applications undergo regular security testing (including external third party testing) to ensure effectiveness.
