SREP: How Europe’s banks can adapt to the new risk-based supervisory playbook

| Article

A new approach to bank supervision is taking hold in Europe for banks within the purview of the Single Supervisory Mechanism. This year’s stress tests of the European Banking Authority (EBA) and European Central Bank (ECB) will soon be over. The results will help shape this year’s Supervisory Review and Evaluation Process (SREP), an approach that introduces three fundamentally new principles to banking supervision: a forward-looking focus on the sustainability of a bank’s business model (even under stressed conditions), an assessment system that uses industry best practices as a guide, and an expectation that all banks eventually will reach the same high standards.

Early this year, the ECB announced its five supervisory priorities for 2016: business model and profitability risk, credit risk, capital adequacy, risk governance and data quality, and liquidity.1 This article will review the lessons from last year’s process, explain the role of these priorities in this year’s SREP, and outline banks’ responses. An adequate response is crucial; banks that score poorly may face increased regulatory capital requirements and more intense supervisory scrutiny in the future.

Success—but only a trial run

The first SREP took place in 2015, and supervisors have already told banks their findings. Critically, these findings had the power of peer-to-peer comparison. Previous supervisory reviews were conducted by different national authorities, using a range of practices, which made it difficult to compare banks or to draw fair conclusions about areas such as capital adequacy. The ECB now supervises the 129 largest banking groups in the eurozone, or about 82 percent of the banking sector’s total assets, through a common supervisory approach.

The 2015 SREP assessment was a significant step forward in the creation of a level playing field for banks in the eurozone, even if disclosures on the process followed and outcomes are still limited. Bank supervisors are now able to use one yardstick to measure the capital adequacy of banks in geographies where Pillar 2 implementation lagged or where banks generally “ticked the box” rather than truly assessed their capital resilience.

Banks came through the first review with a broad range of outcomes, as expected from the first-time application of a standard assessment after years of varied supervision. The ECB reported in March that many banks did not yet have sound liquidity-management plans, and capital adequacy remains a concern. But the process also led to the creation of a cybercrime-incident database and a way for banks to report cybersecurity lapses. In general, the new process was a learning experience. Banks were required to devote more time and resources to manage extensive data and documentation requests than ever before.

Our analysis shows that some of the areas that are problematic in Europe have also been vexing US bank supervisors: inadequate corporate governance and risk-management processes and procedures, particularly as they relate to integrating a risk-appetite framework into a bank’s strategic planning and operations, and inadequately involved boards of directors with limited understanding of their risk-management responsibilities. Coming from very different starting points, it seems the regions are eventually converging toward common principles.

2016 priorities

Many banks may consider their 2015 SREP experience a success. But before they get too comfortable, they must recognize that it was limited in scope. While certain topics—particularly the risk-appetite framework, board-level governance, and cybersecurity—were in the spotlight, the initial SREP was mainly a test run to get the processes in motion. This year’s process is framed more broadly. Liquidity management and capital adequacy, sticking points from the 2015 review, will be examined in more detail. While no one yet knows the full impact of the recent Brexit vote, we are assessing potential scenarios. The constant among them is that increased market volatility will no doubt add further pressure on liquidity and capital management. Other 2016 priorities include business models and profitability, credit risk, and risk governance and data quality.

Beyond 2016, we expect the SREP to continue to evolve. As supervisors delve deeper into banks across borders, we anticipate that certain best practices will emerge that should be emulated. Banks’ key processes (such as strategic and capital planning and day-to-day decision making) will need to show a higher level of integration with risk-management processes (for example, risk-appetite definition and stress testing), and the latter will be subject to more robust use tests.

Would you like to learn more about our Risk Practice?

As their risk and business teams engage with the 2016 priorities, detailed below, bank executives and boards of directors will have to demonstrate to supervisors that they are in charge of the SREP assessment dimensions. They should aim for strategic, material improvements in risk management, rather than formal compliance. They should project a positive outlook rather than solely focusing on defense of the status quo. And they should make sure that their SREP efforts are centrally coordinated, so that strategic implications are integrated into structural decision making and investments are prioritized by their relevance to the specificities of the business model. They must also be actively involved in supervisory discussions, which will improve those relationships.

Viability of business models

Although bank profitability slightly improved in 2015 and capital positions have further strengthened, European banks continue to struggle with diminished profitability in the ultra-low (or even negative) interest-rate environment. This is forcing banks to transform their business models as they search for alternative sources of income and re-base their cost structures. In fact, the German Federal Financial Supervisory Authority said in May that banks might have to consider creating a business model in which interest income plays only a minor role. While investors tend to look solely at return on equity, supervisors want to make sure that the business model and the returns it produces are sustainable, even in an economic downturn.

To meet supervisory expectations embedded in the SREP approach—in particular, in the pillar “analysis of the business model”—we believe banks must upgrade their capabilities on three key dimensions:

  • Strategic-planning process. Banks need to demonstrate that they can promptly adapt their strategy to material changes in the macroeconomic and competitive environment. To achieve this, the annual strategic-planning and budgeting process will need to become more dynamic. The coherence and consistency of the scenarios (baseline and stressed) used for strategic planning and budgeting must be continually tested and a new iteration needs to be triggered whenever such scenarios do not hold.

  • Models and methodologies for projections. Projections used in banks’ balance sheets and profit-and-loss statements have dramatically changed, mainly due to the Comprehensive Capital Analysis and Review exercises. The so-called pre-provision-net-revenue models (and all other macroeconometric models to project banks’ key economics) have reached such a level of maturity and detail that they should no longer be ignored when it comes to running core decision-making processes such as strategic planning. Their value goes beyond compliance: they can provide banks with superior understanding of the behavior of their business model under different scenarios, which in turn will enhance more effective decision making.

  • Validation and back-testing. While banks are accustomed to validating and back-testing models in areas such as credit underwriting, they are not used to doing so in strategic planning. We expect such validation and back-testing to become key elements in proving the effectiveness of the strategic-planning and budgeting process. As an example, banks may be asked to show that the number and materiality of deviations of results versus budget and strategic plans decreases over time, or to distinguish scenario-related deviations from those that stem from performance.

Credit risk: Profitability concerns from impaired assets

European banks also face significant challenges from their high levels of impaired assets. A weak economy has left banks in many countries with elevated levels of nonperforming exposures (NPEs). These remain a concern and a potential inhibition to lending growth and profitability. More important for individual banks, the level of NPEs is seen as a key factor in SREP. Across the European Union, NPEs are close to 6 percent of total loans and advances, and about 10 percent of exposures to nonfinancial corporations. The general trend shows that the smaller the banks, the higher the NPE ratios.

NPE levels are particularly high in Southern Europe, as well as in several Eastern European countries. High NPEs burn up bank capital, deteriorate funding costs, and reduce bank profitability, all of which serves to dry up credit supply. Reducing NPEs quickly is crucial to stimulating credit growth, especially for small and medium-size enterprises that rely heavily on bank financing. But write-off rates for European banks remain extremely low. Some national supervisors have allowed banks to deal with large NPE backlogs through business-as-usual processes. In a positive development, national stress tests in some jurisdictions, coupled with the EU-wide comprehensive-assessment exercise, led to waves of write-downs. And markets for distressed debt in Europe are slowly evolving, allowing the entry of much-needed capital and expertise.

In the future, NPE levels will remain the focus of supervisors who will want to see that banks can keep the cost of credit risk under control. In the short to midterm, banks will want to leverage both organic and inorganic strategies and review their workout processes and tools to make sure they are in line with supervisory expectations. Over the longer haul, a material upgrade of credit risk-management capabilities will require strong investments in IT and technology—and analytics, which will help banks select the most suitable portfolios to meet investors’ appetites.

Capital adequacy and liquidity risks

Banks often think of these as two sides of the same coin, and we will deal with both here. Banks must have “robust strategies, policies, processes, and systems” to identify, manage, and monitor liquidity and capital risks, according to the December 2015 draft guidelines for the Internal Capital Adequacy Assessment Process (ICAAP) and the Internal Liquidity Adequacy Assessment Process (ILAAP). Banks are expected to design their own forward-looking, risk-based ICAAP and ILAAP frameworks, based on both quantitative and qualitative factors.

We expect ICAAP and ILAAP to play an increasingly important role within SREP. New EBA stress-testing requirements clearly indicate that 2016 results will be used in SREP to challenge banks’ own capital plans. Supervisors will also use benchmarking to derive top-down indications on capital and liquidity adequacy. Ongoing discussions in Europe also show an increasing skepticism from supervisors and investors about the possibility of using Pillar 1 capital requirements to measure capital adequacy. In this context, a sturdy ICAAP and ILAAP will represent the best chance for banks to adequately measure (and report to the supervisor) their capital and liquidity risks.

For ICAAP, a robust framework should allow a reconciliation of banks’ internal stress-test results with regulatory exercises (for example, based on the EBA methodology and scenarios). Top management and the board should discuss the results to derive business implications. Results should be made consistent with the inputs used for risk-appetite setting and strategic planning, even if calibrated differently. The findings should be easily disaggregated by risk type and business unit with sufficient detail (for instance, at the portfolio level). Business-unit leaders should have a proper understanding of risk drivers, as well as the opportunity to challenge the results based on the outcomes of risk-identification exercises conducted at the level of the first line of defense. Most institutions won’t be able to reach such a level of integration with management processes without first transforming data, infrastructure, models, methodologies, and their risk culture. Banks will need a credible program to enhance these skills to meet supervisory expectations.

Risk governance and data quality

Supervisors want to make sure that banks are collecting the right risk data and delivering the right reports to enable effective management and board decision making. Supervisors are expected to focus on data aggregation and quality this year, as well as to continue their ongoing thematic reviews of risk appetite and risk governance.

Large financial institutions, particularly the globally systematically important banks, have already complied with many of the requirements in the Basel Committee on Banking Supervision’s 2013 risk-data aggregation and risk-reporting guidance (BCBS 239), which were due in January 2016. Most European banks have kept their BCBS 239 teams in place, so that they can complete work on supervisors’ priorities, including infrastructure transformation, quality-control systems (data and reporting), automation, adaptability in times of stress, and regulatory-response management. These teams can also ensure compliance with new regulatory requirements (such as those arising from International Financial Reporting Standard 9 and from Basel’s new Pillar 3 requirements and its Fundamental Review of the Trading Book) and independently validate the program.

The future of bank risk management

The future of bank risk management

As the availability, timeliness, and quality of risk information have improved, top managers and boards have come to see that their banks are less skilled at anticipating risk. Complete solutions rely on new infrastructure and models, as mentioned above, though much can be done by just reengineering the current risk-identification and measurement processes. Some institutions are moving in this direction by setting up structured risk-identification and measurement exercises, conducted at the first line of defense and coordinated by risk management.

Regarding risk appetite and governance, banks must also focus on supervisory concerns from 2015 that they have not fully addressed. We see three potential areas of attention.

To start, banks should integrate the risk appetite with strategic planning and budgeting from the very start of the strategic-planning process. While many banks have taken formal steps in this direction, some still fall substantially short of compliance. Strategy and risk teams should work together to formulate potential risk-return scenarios for the contemplated strategic directions. These scenarios should produce specific combinations of risk-return targets and limits and should take account of stress tests. The scenarios should then be offered to the board for approval prior to the articulation of a specific business/risk strategy.

Second, risk-appetite policies and procedures must reach every business unit and portfolio level. This is a challenge for many institutions, mainly because they haven’t come up with the proper methodology and analytics to disaggregate risk targets and limits for each business unit and then align these with the corporate center. We suggest that banks act on several fronts, including improving risk-appetite metrics, developing key performance indicators that can link to actual business drivers, and double-checking that tools, policies, and strategies throughout the company are consistent with the framework. Banks should also review business-unit incentive systems and train line managers (and board members of subsidiaries, where relevant) on the risk-appetite process.

Finally, the risk appetite must cover all the potential risks a bank might face to avoid the possibility that an overlooked risk could poison the entire risk-mitigation effort. One of the lessons learned from the financial crisis was that the institutions that used multiple measures of risk were able to avoid significant unexpected losses more than those that focused on a limited set of key metrics. That is why it is so important for banks to instill a consistent, forward-looking, and especially multidimensional set of limits across risk types, legal entities, and business divisions.

Identifying uncovered risks and developing metrics to monitor them is an enormous task; new risk categories such as nonfinancial, strategic, and model risks are continually emerging. Banks need to balance the trade-off between comprehensiveness of the risks covered and effectiveness of the risk-appetite framework as a managerial tool to steer the bank. A long list of metrics will most likely dilute the board’s risk discussions, rather than enhance them. One possible way to manage risk metrics is to consider a two-level risk-appetite approach. Management informs the board on all the metrics for which it has defined a risk appetite; among the rest, it selects only representative metrics for board reporting and discussion. The remaining metrics may be tested each year to decide whether they should be included, or reported only when certain thresholds are breached.


Perhaps the best thing that banks can do to be ready for SREP is to develop a consistent habit of self-assessment, so that they can identify their own best practices—and weaknesses—before examiners come knocking on the door. Providing a good outlook rather than just defending the status quo requires an integrated program on how to correct deficiencies, have clear sponsorship from top management, and create a positive track record on the advancements. Banks that are able to show that such elements are in place will be able to outperform in the assessment and will eventually be recognized as such by the market.

Explore a career with us