The regulations on the guidelines for Integrated Risk Management, approved by the Dominican Republic’s Monetary Policy Board on 16th March 2017, which came into effect on 18th May 2017, set out the minimum criteria and guidelines that financial intermediaries (FIs) must apply, that is, commercial banks, savings & loan banks, credit corporations, savings & loan associations, and public and mixed institutions, to implement and stick to an appropriate integrated risk management framework, in line with each institution’s type, size, complexity, risk profile and systemic importance, setting up good practices in integrated risk management.

Integrated Risk Management Framework

The regulation lays down that every institution must have a formal, integrated and permanent risk management framework:

• Formal: containing the policies, procedures and standards that describe the risk function and practices for measuring, mitigating and monitoring risk exposure.
• Integrated: providing a global vision of all types of risk being taken on;
• Permanent: forming part of the entity’s corporate strategy.

The Board of Directors and the institution’s senior management will be responsible for assessing the effectiveness of the Risk Management Framework on a regular basis, in addition to the mandatory review conducted by the internal audit function.

Risk management structure

FIs must have an integrated risk management structure, adapted to their activity, size, complexity and risk profile, and consisting of an Integrated Risk Management committee, an integrated risk management unit and a specialist risk management unit.

• Integrated Risk Management Committee: in charge of ensuring that the financial intermediation entity’s transactions are aligned with approved targets, policies, strategies, procedures and risk threshold & appetite levels, reporting to the Board and fulfilling the responsibilities set out in the Corporate Governance Regulations. It is made up of members of the Board and chaired by an independent external member, with the participation, as a member of the committee, of the Head of the integrated risk management unit and any other officer designated by the Board.

• Integrated Risk Management Unit: in charge of overseeing that the FI’s integrated risk management function is implemented and working appropriately according to the policies set by the Board. Depending on the entity’s level of complexity, the Head of the Unit may delegate specific risk tasks in the specialist risk management units; this structure will be reviewed regularly to verify that it is fit for purpose and independent from the business and operational areas.

The unit head will have a seat on the Integrated Risk Management Committee, and will be given the authority and powers necessary to comply with their responsibilities, reporting on administrative matters to the FI's CEO and on functional issues to the committee.

• Specialist Risk Management Unit: this unit works on policy and procedural design, through the body responsible for integrated risk management, and alerts the committee of exposures that may require additional layers of control. Staff in this unit must have the academic, practical and technology skillsets necessary to carry out their functions properly, and the unit will be overseen by the head of the Integrated Risk Management Unit.

The role of the Board of Directors

The Board of Directors is in charge of ensuring compliance with appropriate control and monitoring over the integrated management of the risk to which the FI is exposed.

Every year, in the 60 (sixty) day period following the submission of audited financial statements, the FI should send the banking authority a certified statement from the Board, signed by the Chair and the Company Secretary, to the effect that:

• The firm’s integrated risk management complies with the minimum regulatory criteria and requirements.
• The Board is cognisant that the information submitted by senior management, the reports by the audit and integrated risk management committees and the external assessment of the integrated risk management process, as well as the corrective measures taken are all recorded in the minutes.

Likewise, as an appendix to the certified statement above, the FI must submit a certified copy of the minutes of the Annual General Meeting of shareholders or associated depositors; these minutes should state that the FI’s integrated risk management report was presented at the AGM.

In the case of branches or subsidiaries of foreign banks, the parent company’s head of risk management must validate this certificate.

Methodologies, information and capital assessment

FIs may decide on the levels of risk exposure they assume by using the regulatory guidelines and requirements for different types of risk. Thus, depending on their nature, size, complexity, risk profile and systemic importance, they may use internal tools, methodologies and models in order to identify, quantify, assess, oversee, monitor or mitigate and report on risk exposures, as well as any of the methodologies established by the banking authority.

• Stress tests: these allow the FIs to analyse the impact of different scenarios on the types of risk to which they are exposed. These tests must be carried out regularly on the different types of risk, which will enable the identification of sources of potential tension and ensure that the existing exposures of each risk taken on are proportionate to the established risk threshold, using the results to adjust risk strategies, policies and positions, as well as to develop and enhance contingency planning.

• Business Continuity and Contingency Management Planning: FIs must have Business Continuity and Continuity Management plans in place in order to guarantee their ability to operate and minimise losses in the event of an emergency which interrupts the normal flow of business. There must be continuity plans for those processes identified as highly critical, while for the remainder it will be sufficient to have designed contingency plans; these plans and their updates should be sent to the banking authority. If the contingency plans are activated, the authorities should be notified immediately, and must be kept abreast of their progress and of when they are halted.

FIs must be capable of providing their Board and involved areas with the information necessary to take informed and appropriate decisions on managing the risks to which they are exposed.

FIs are required under this regulation to have an integrated and overarching internal process for assessing their capital depending on their risk profile and appetite, and a strategy that allows them to maintain their capital levels over time. The Board will view capital planning as a fundamental requirement in achieving its strategic aims and will determine its capital level according to its risk profile and the fitness of its risk management process and its internal control mechanisms, bearing in mind both external factors and the effects of the economic cycle and the current economic situation.

The outcomes of policy applications and of developing processes to assess capital adequacy must be recorded in an annual Capital Self-assessment Report, which will be approved by the Board and submitted to the banking authority by 30th April every year, with information to 31st December of the previous year and containing an estimation of the capital planning figures for the following 2 (two) years.

Adaptation

In the event of regulatory non-compliance by the FI, such administrative sanctions as provided for by the law and its regulation may be applied.

FIs will have 180 days, starting from the date the regulation was published, to make the necessary changes to comply with its provisions.