Risk Management

Risk is a fundamental part of our business and underpins every decision we make. Our proactive approach is driven by our values, which play an integral role in enforcing the discipline needed to protect the Bank, its customers and our reputation.

We remain a systemically important Bank, and consistent, sustainable performance depends on our ability to mitigate and manage risk successfully at every level.

Guided by our values of Integrity, Care, Ambition, Respect and Discipline, every employee is expected to play an active part in our risk management.

This year we have made substantial progress in enhancing our approach to risk by strengthening our robust risk management governance structure and framework. As a result of the merger and the increase in our scale, we have established matrix reporting for the various risk functions based in our subsidiaries and overseas branches. They now report into their respective ADCB Head Office functional Heads, which ensures alignment with and consistency in processes and procedures.

ACTIVITY IN 2019
The strength of this framework was crucial in delivering the successful integration of UNB and Al Hilal Bank into the ADCB Group in 2019. Following the merger, we reviewed our entire risk management framework, updating and harmonising policies and processes to ensure every element continued to comply with international best practices and the standards and regulations set out by the UAE Central Bank.

In particular, we reviewed our risk profile and appetites, compliance, operational risk, and information security.

RISK PROFILE REVIEWED
The Bank regularly reviews its risk appetite to ensure it aligns with macro-economic scenarios, shareholder objectives, regulatory changes and best practice. As a result of the merger, we made some adjustments to our risk appetite.

Four principles are inherent in the Bank’s framework — business models, organisational capabilities and skills, financial strength, and monitoring. Our Risk Appetite Statement encompasses all of ADCB’s capabilities and uses realistically achievable parameters.

Each year we evaluate our risk appetite through a process of systematic self-assurance, bank-wide surveys and a comprehensive stress test exercise. Alongside the Basel Accord’s three lines of defence model, this provides an overview of our current status. The framework guides other metrics set by management at line, business and portfolio levels which must be consistent with the overall Group appetite.

This year, we added 10 new metrics and enhanced the measurements of a further 13 across seven of the 10 Principal Risks. These changes are better aligned with regulatory, stakeholder, and investor expectations — for example, they consider real estate concentrations, IFRS 9 stage distribution, and portfolio NPLs.

Internally developed metrics provide proxy parameters for previously unmeasured risks, such as Compliance, Conduct, Financial Crime, Technology, and Reputation. They ensure the Bank’s full enterprise risk profile is measured, monitored and aligned with our overall Group strategy.

Our risk appetite is established by identifying the amount and type of risks considered reasonable to deliver on our business strategy and to ensure that ADCB can maintain its activity in the event of unexpected circumstances. It sets our tolerance for:

  • Capital adequacy (normal and stress scenarios) and earnings volatility, including return on risk and shareholder returns
  • Compliance and regulatory risks
  • Employee conduct
  • Credit concentrations in geographies, large groups, individual entities, economic sectors, revenues, the shape of the portfolio, enterprise-wide cost of risk, delinquencies and provision levels
  • Default risk and credit losses
  • Financial crime and resolution, anti-money laundering and political exposure
  • Information and technology risks
  • Market and price valuations
  • Liquidity and funding gaps, liability concentrations, liquidity under stress conditions
  • Market risks in the Trading, Investment and Banking books covering movements in interest rates, foreign exchange, equity exposures, commodities and market volatility
  • Operational and reputational risks, including human resources
  • External and internal ratings (which affect pricing and investor appetite)

Stress testing is also an integral part of ADCB’s Risk Appetite and the Bank sets in absolute terms the minimum capital ratio in case of pre-defined stress scenarios.

ADCB’s risk profile and appetite are approved by the Board and Risk and Credit Committee and then cascaded down to every department and individual throughout the organisation.

OPERATIONAL RISK ENHANCED
In 2019, we reinforced our approach to operational risk and implemented it across the enlarged group. We reviewed and enhanced our operational risk policy and framework, aligned our business continuity management policy and tools, and agreed on crisis management protocols.

The safety of our employees and the ability to withstand a crisis are vital to the Bank. To ensure this, we enhanced our emergency response procedures and business continuity plans to enable us to continue to achieve our business objectives in the face of an unexpected disruptive event. These plans are tested regularly, and we hold an ISO 22301:2012 certification which illustrates the high standards we employ. As well as regular training to ensure widespread risk awareness, this year we implemented a new process for the escalation of operational risk events across the entire network.

Meanwhile, to help drive a more deep-rooted data culture across the Bank — where we collect, analyse, and deploy data to make better decisions — we appointed a Head of Data Management. The role is designed to help to develop further and embed the set of principles we use to govern the management of our data. This is particularly significant with the growth of digital channels both into and out of the Bank, and as we increase our use of data analytics to serve customers better.

The Head of Data Management will also help in the development of APIs and open banking. In addition, he will ensure we are fully compliant with the new regulations around general data protection to mirror the GDPR requirements brought in by the EU in May 2018.

INFORMATION SECURITY UPGRADED
We enhanced our information security risk framework, providing improved detection, protection and response times. We focused on improving security operations efficiency, while incorporating security resilience across the Bank, upgrading our threat hunting capabilities, and enhancing our reporting processes.

We take a proactive approach to cybersecurity, using advanced analytics and machine learning to detect potential breaches before they happen.

As part of this programme, we integrated Security Automation and Orchestration (SOAR) into our systems for better protection. SOAR, a machine-driven technology, enables us to collect security threat data and alerts from different sources, then analyse them immediately to define, prioritise and act on them.

At the same time, we established a Managed Detection and Response (MDR) network monitoring capability across all internet gateways, including scans of email traffic, which is also capable of detecting threats that have passed other traditional perimeter security tools. We also reviewed payments systems access and carried out an extensive physical security review of all 72 branches.

Fraud continues to be a concern as the number of attacks grows and their sophistication increases. This year we introduced several new measures across the group to strengthen our protection and to raise awareness amongst our employees and our customers.

We look forward to the results of the Financial Action Task Force’s (FATF) mutual evaluation process carried out in the UAE in July. FATF carried out interviews across ministries, financial sector bodies and a range of non-financial businesses to examine the strength of the country’s anti-money laundering (AML) and combating the financing of terrorism (CFT) laws and their effectiveness in practice. This report is due in early 2020 and the Bank will respond to support any actions required by the Central Bank of the UAE.

This year we also engaged a team of independent external consultants to validate our compliance with the UAE Information Assurance Standard issued by the Central Bank in September 2018. Our compliance levels were confirmed to be 97% — with detailed action plans and delivery dates in place for full compliance by early 2020.

RISK CULTURE STRENGTHENED
ADCB benefits from a strong risk culture where a high level of awareness amongst employees helps to reduce risk across the organisation. All staff are responsible for highlighting and managing potential hazards in the course of their work. We foster individual accountability through a focus on the Three Lines of Defence model.

In the organisational health survey in which more than 80% of staff took part, the scores for risk management were some of the highest in the Group. The survey placed ADCB Group Risk Management in the top decile of global companies.

These scores demonstrate the strength of our leadership and the importance of culture in risk. Our employees believe they are supported and encouraged to take responsibility through clear operational discipline.

ETHICAL BANKING DEVELOPED
Driven by our commitment to customer excellence, we attach great importance to protecting consumers and ensuring there are minimal levels of complaint. This year we increased our efforts to provide customers with greater clarity about what we offer, including the descriptions of our various products and more transparency about our terms and conditions, fees and charges.

We also believe that by promoting better education and developing greater awareness of money management, we help to reduce financial risk.

  1. First Line of Defence
    Business line management is responsible for the identification and control of risks in the first instance.
  2. Second Line of Defence
    The Bank’s risk control and compliance oversight functions make up the second line of defence.
  3. Third Line of Defence
    Independent assurance, through our internal audit team, is the third line of defence.

Roles & Responsibilities (Risk Governance)

  • Board: Establish & ensure strong control environment
  • Management Executive Committee: Oversight & Implement
  • Risk Management function: Governance & Compliance
  • Business Line Management responsibility: Ownership
  • Internal Audit: Assurance

CAPITAL PLANNING PROCESS
Regulators view the systemic risk of bank failures very seriously. The loss they can cause to depositors and the costs of bailouts by the government can be substantial, and as a result, the capital structure of banks is subject to rigorous regulation. The Basel Accords focus on risk management in banks and link the business profile of banks to their risk profiles and subsequently to regulatory capital. Hence, the Bank places a high emphasis on capital structure, capital planning and capital allocation as part of strategic decision-making.

CAPITAL PLANNING IN ACTION
In practical terms, the role of capital in any bank is to provide creditor protection. Capital acts as a buffer against potential losses, thereby protecting depositors and other creditors. Provisions offer a cushion against expected losses. For a more detailed study of our Risk management, please see our separate Basel III — Pillar III report.

EXTERNAL RISK SCENARIOS
We regularly identify and monitor specific external risks. These are events that could lead to a significant, unexpected adverse outcome with the potential to cause ADCB, or one of its divisions, to fail to meet its strategic objectives.

We consider the financial and reputational implications of each risk. Below, we identify the types of external threats that could materially affect the UAE banking system and ADCB itself. These include macroeconomic conditions, geopolitical risks, the additional costs and rigours imposed by enhanced regulatory requirements, risks related to information technology and data security, and concentration risks.

Our risk performance

KPI 2019

Capital
  • Common equity Tier 1 (CET1) ratio: 13.53%

Liquidity
  • Liquidity coverage ratio (LCR): 127.3%
  • Deposit concentration (Top 10 depositors): 26%

Credit
  • Investment-grade exposures as a % of total exposures (excluding unrated): 59%
  • Loan-to-value ratio of retail mortgages: 76.2%
  • 20 most significant customer loan exposures as a % of gross loans: 27.58%
  • Non-performing loan (NPL) ratio: 3.16% [1]
  • Provision coverage ratio: 123.2% [2]
  • Cost of risk: 0.80%

[1] 4.53% NPL ratio including POCI, net.
[2] Includes fair value adjustments on loans and advances of AED 3.2 billion for computing coverage ratio.

External risk scenarios

Macroeconomic conditions in the operating markets

Definition and potential impact:

Prolonged volatility in the price of oil will affect the UAE economy and those of other GCC countries.

Forecasts are for GDP growth rates to remain low with limited credit growth.

Mitigation strategy:

The Bank will refine its Risk Appetite to the variety of industries with which it deals and will continue to adhere to the credit risk metrics already in place that address various portfolio dimensions.

Geopolitical risk

Definition and potential impact:

This risk could stem from one of many sources unrelated to the Bank and its business. Geopolitical tension remains a persistent issue in the region.

Mitigation strategy:

We regularly monitor geopolitical and economic situations around the world.

As part of our Asset and Liability Committee (ALCO) deliberations, we factor in geopolitical risks as part of overall liquidity considerations. ADCB’s Chief Economist assesses the economic impact of changing geopolitical risks and provides vital inputs to drive our strategy. Where necessary, we adjust our country limits and exposures to reflect our appetite and to mitigate these risks.

Regulatory and legal risks to our business model

Definition and potential impact:

New regulatory requirements may affect our business model and profitability. Should a regulatory change reduce our ability to meet any of our customers’ needs or to achieve fair customer outcomes, we may experience increased costs and reputational damage.

Moreover, the inability to satisfy our customers would cause the Bank to fall short of its strategic objectives, which could hurt earnings, liquidity, capital and shareholder confidence.

The risk of failure due to external unanticipated regulatory and legal changes affects all our businesses.

Mitigation strategy:

We strive to ensure that the Bank’s views are considered when UAE regulatory policy is developed. ADCB chairs, or is a member of, several UAE Banks Federation forums. Internally, we analyse all new draft regulations or circulars to measure their impact as well as to ensure they can be implemented effectively.

We also confirm that our capital and liquidity plans anticipate the potential effects of any changes.

We continuously monitor and expand our capital allocation and liquidity management disciplines to incorporate future increased capital and liquidity requirements and to drive appropriate risk management and mitigating actions.

In the past few years, the Bank has launched several initiatives to reduce reputational risk to our business model. For example, our Customer Experience Committee ensures that customers enjoy a superior and consistent experience. We have well-developed policies and procedures to deal with customer complaints, and all front-office staff and officers are trained to deal with customer concerns promptly.

Integration Risk

Definition and potential impact:

The impact of our merger with UNB and the acquisition of Al Hilal Bank could result in lack of oversight, process lapses or inadequate policy/portfolio amalgamation.

Mitigation strategy:

The impact of the merger and integration process is reviewed and assessed each week by a steering committee chaired by the Group Chief Executive Officer. Each area has a working group, with a documented action plan and an operational readiness plan to ensure seamless integration. The Bank has identified and adopted target operating models for all risk areas, rolled out enterprise-wide risk appetite, harmonised its risk models and portfolio monitoring reports, and adopted a unified approach to ECL and risk practices. The teams are fully integrated and cross-trained on the new policies and procedures. ADCB’s Group risk policies are based on the core tenet of responsible growth within a pre-defined risk appetite.

Principal risks

PRINCIPAL RISK TYPE, DEFINITION, APPROACH, OVERSIGHT

Capital Risk

Strategic Pillar Impacted 1,4

Potential for: (i) insufficient level or composition of capital to support normal activities or stressed conditions; and (ii) risk of loss arising from the Group failing to maintain the level of capital required by prudential regulators and other key stakeholders to support operations and risk appetite.

We maintain a healthy and active approach to capital management, including the maintenance of buffers sufficient to support our strategic aims and maintenance of an investment-grade rating.

ADCB is well-capitalised and regularly runs stress tests to ensure sufficient capital coverage at all times.

We manage capital utilisation and business growth within the risk-weighted asset (RWA) target ranges reflected in our business plans. Such plans also target stability of earnings. We grow our business by targeting recurring economic profit commensurate with risks being taken and returns expected.

Accountable Executives:

Group Chief Financial Officer, Group Chief Risk Officer

Accountable Committees:

PMC, BACC, BRCC, Board

Compliance/Regulatory Risk

Strategic Pillar Impacted 1,2,3,4

Potential for impact and exposure to regulatory sanctions, or loss from a failure to comply with regulatory requirements, laws or industry standards.

We are committed to upholding compliance standards, laws, regulations and industry standards, as well as internal policies and sound corporate governance principles. Identified breaches are remedied as soon as practicable. The Bank has no appetite for deliberate or negligent non-compliance.

Accountable Executives:

Group Chief Compliance Officer, Group Chief Risk Officer

Accountable Committees:

MEC, BACC, Board

Conduct Risk

Strategic Pillar Impacted 1,3,4

Potential for detriment to retail customers, corporate clients or market integrity from the inappropriate supply of financial services, or from a failure on our part to abide by the Group’s Code of Conduct Policy and/or applicable laws or regulations, including insider trading and anti-bribery risk.

We maintain the standards in our code of conduct and core values and ensure we always “Do the Right Thing” in the way we conduct business.

The Bank expects employees to conduct themselves with a high degree of integrity and to strive for excellence in the work they perform and the outcomes they achieve.

The appetite for behaviours which do not meet these standards is very low. ADCB takes any breaches of its Code of Conduct very seriously.

We have clearly defined policies on anti-bribery and corruption, anti-money laundering and insider trading. We are committed to creating a safe working environment for all of our staff, where they are protected from physical and psychological harm. We have zero tolerance for practices or behaviours that could be expected to lead to staff being harmed while at work.

We are also committed to treating our customers fairly by operating with transparency and providing clear information on products and services, managing conflicts of interest related to these services, avoiding misselling and having a rigorous process to ensure products and services we sell are suitable to customers.

Accountable Executives:

Management Executive Committee members

Accountable Committees:

MEC, NCHRG, BACC, Board

Credit Risk

Strategic Pillar Impacted 1,4

Potential for financial loss due to the failure of a customer to meet the agreed obligations to pay the Bank. It also includes concentration risk (increased exposure to large client groups, sectors or geographies) and decreases in credit quality.

We manage our credit exposures by having a sound analytical framework, focusing on analysis of cashflows and considering the legal framework in which the Bank and borrower operate. We apply a set of criteria and policies to lending that means we only deal with clients with good creditworthiness. This ensures facilities are appropriately secured, wherever feasible.

ADCB Group submitted a special ICAAP and stress test report post-merger to the UAE CB. The results were above the regulatory thresholds.

We have a greater appetite for risk in industries we better understand and have the insights, capability and capacity to manage and monitor.

We remain a relationship-driven business rather than pursuing opportunistic transactions. Wherever possible, collateral is taken to reduce unsecured lending.

Accountable Executives:

Group Chief Credit Officer, Business Heads for Consumer & Wholesale Banking, Group Chief Risk Officer

Accountable Committees:

MRCC, BACC, SBRCC, Board

Financial Crime Risk

Strategic Pillar Impacted 1,2,3,4

Potential for legal or regulatory penalties, material financial loss or reputational damage resulting from the failure to comply with applicable laws and regulations relating, but not limited to, international sanctions, anti-money laundering and anti-bribery and corruption.

We have no tolerance for breaches in laws and regulations related to financial crime, recognising that while incidents are unwanted, they cannot be entirely avoided. The Bank has no appetite for any fraud or corruption perpetrated by its staff. Any and all allegations of suspected fraud or corruption are taken seriously as set out in the Code of Conduct.

Accountable Executives:

Chief Compliance Officer, Group Chief Risk Officer, Head of Fraud & Investigations

Accountable Committees:

MEC, BACC, Board

Information Security and Technology Risk

Strategic Pillar Impacted 1,2,3,4,5

Potential for loss from a breach of confidentiality, integrity or availability of the Group’s information systems and assets through cyber-attack, insider activity, error or control failure; this includes the risk of loss of confidential information plus the management and quality of data held within systems which may lead to financial losses.

We have a minimal appetite for risk concerning the availability of critical business systems.

Service availability requirements have been identified and agreed within each business area.

We have no appetite for damage to our assets from threats arising from malicious attacks. To address this risk, we have strong internal processes and robust technology controls.

Our appetite remains low for IT system-related incidents which are generated by improper project management practices, excluding the unknowns before any ‘go live’.

ADCB provides a secure environment for its people and assets by ensuring its physical measures meet high standards.

We have no appetite for the failure of physical security measures. We are committed to ensuring that information is authentic, appropriately classified, properly conserved and managed in accordance with legislative and business requirements.

We have no appetite for the deliberate misuse of information. Nor do we have any appetite for compromise of processes or data integrity issues that may cause limited or erroneous data to adversely affect our ability to make correct business decisions or jeopardise the integrity of management and regulatory reporting, which may also lead to financial loss.

We will mitigate these risks at all times, balancing the cost of maintaining a controlled environment against the impact and likelihood assessment of a risk occurring.

Accountable Executives:

Head of Information and Physical Security Governance, Head of Data & Governance, Head of Technology Services and Group Chief Risk Officer

Accountable Committees:

MEC, BRCC, Board

Liquidity and Funding Risk

Strategic Pillar Impacted 1,2,4

Potential that the Bank will be unable to meet its payment obligations associated with its financial liabilities when they fall due and to replenish funds when they are withdrawn.

Funding risk is the risk that ADCB will be unable to achieve its business plans due to its capital position, liquidity position or structural position.

We actively manage our liquidity and funding base to ensure that we always have sufficient liquidity to meet our liabilities when due, under both normal and stressed conditions, without incurring unacceptable losses or risking damage to the Group’s reputation.

We do not have any appetite for the loss of our investment-grade rating and are mindful of managing liquidity and funding within the constraints of Basel III, regulator obligations and the desire to be the last bank standing.

Accountable Executives:

Treasurer, Head of Market Risk, Group Chief Risk Officer

Accountable Committees:

ALCO, BRCC, Board

Market Risk

Strategic Pillar Impacted 1,2,4

Potential that changes in market prices, such as interest rates, equity prices, foreign exchange rates, commodity prices and credit spreads (not related to credit standing) will affect the Group’s income, assets/liabilities or the value of its holdings of financial instruments.

We control our trading portfolio and activities to ensure that market risk losses (financial or reputational) do not cause material damage to the Bank. Our appetite across six key categories is laid out within the market risk appetite framework covering: interest rate risk; foreign exchange risk; equity exposure risk; commodity risk; volatility risk; and liquidity risk. Specific limits are established based on trading book, investment book and banking book activities.

Accountable Executives:

Treasurer, Head of Market Risk, Group Chief Risk Officer

Accountable Committees:

ALCO, BRCC, Board

Operational Risk

Strategic Pillar Impacted 1,2,3,4,5

Potential for loss resulting from inadequate or failed internal processes, people and systems, or the impact of external events. This includes fraud, technology, outsourcing and legal risk.

Operational risk is a fundamental element of the Bank’s approach to risk and impacts its banking products, activities, processes and systems. Our framework ensures a consistent approach and supports business objectives, reinforces a proactive risk management culture, and continuously improves ADCB’s control environment.

We manage operational risk by ensuring accountability and ownership across the Bank. We employ tools to reduce the probability of the occurrence of operational risk events that could threaten the Bank’s reputation, the quality of our services and products, and the efficiency of our processes.

We monitor the stability of our systems, the effectiveness of business continuity planning and disaster recovery to ensure the level of service we offer our customers and the expectations of regulators are never compromised.

We have adopted five levels of operational risk severity ratings: Minor, Low, Moderate, Major and Extreme, whereby Minor and Low risks would lie within the Bank’s risk appetite and Extreme constitutes a threat to the Bank’s ability to continue its operations.

The Bank mitigates these risks at all times, balancing the cost of maintaining a controlled environment against the impact and likelihood of a risk happening.

Accountable Executives:

Business Heads, Head of Operational Risk, Head of Fraud & Investigations, Group Chief Risk Officer

Accountable Committees:

Operational Risk Working Group, MEC, BACC, BRCC, Board

Reputational Risk

Strategic Pillar Impacted 1,2,3,4,5

Potential adverse effects that can arise if the Bank’s reputation is damaged due to factors such as unethical practices, breach of law, regulation, customer dissatisfaction and complaints or adverse publicity.

We protect the Bank from material damage to its reputation by ensuring that any business activity is satisfactorily assessed and managed by the appropriate level of management and governance oversight. We have a very low appetite for material legal cases against the Group and where appropriate, will adequately make provisions for the same in a timely manner.

Accountable Executives:

Management Executive Committee members

Accountable Committees:

BACC, Board
