1. This guidance supplements
the final rule published jointly by the U.S. federal banking agencies[1] in the
Federal Register on December 7, 2007 (advanced approaches rule).[2]
The advanced approaches rule implements a
new risk-based capital framework encompassing three pillars:
- minimum risk-based capital requirements (Pillar 1),
- supervisory review (Pillar 2), and
- market discipline through enhanced public disclosures
(Pillar 3).
The minimum risk-based capital requirements
in Pillar 1 of the advanced approaches rule apply to a bank’s calculation
of minimum risk-based capital requirements for credit risk and operational
risk.[3] If the bank
is also subject to the market risk rule,[4] then the minimum risk-based capital requirements
in that rule would apply.[5]
2. This document addresses
the process for supervisory review in the advanced approaches rule.
As described in this guidance, supervisory review covers three main
areas:
- comprehensive supervisory review of capital adequacy,
- compliance with regulatory capital requirements,
and
- internal capital adequacy assessment process (ICAAP).
3. The process of supervisory review described
in this guidance reflects a continuation of the longstanding approach
employed by the agencies in their supervision of banks. However, because
implementation of the advanced approaches rule affects certain
aspects of supervisory review, this guidance highlights areas of existing
supervisory review that are being augmented or more clearly defined
to support
implementation of the advanced approaches rule by U.S. banks.
4. The supervisory review process described in this document
is intended to help ensure overall capital adequacy by
- confirming a bank’s compliance with regulatory capital
requirements;
- addressing the limitations of minimum risk-based
capital requirements as a measure of a bank’s full risk profile—including
risks not covered or not adequately addressed or quantified in Pillar
1;
- ensuring that each bank is able to assess its own
capital adequacy (beyond minimum risk-based capital requirements)
based on its risk profile and business model; and
- encouraging banks to develop and use better techniques
to identify and measure risk.
5. This guidance neither supersedes nor alters
the functioning of the existing prompt corrective action requirements.[6]
Similarly, this
guidance does not affect any other requirements for compliance with
existing regulations and supervisory standards related to risk-management
practices or other areas. The supervisory review process described
in this guidance supports the supervisors’ existing ability to
- require an individual bank to take measures to prevent
its capital from falling below the level needed to adequately support
its risks, or
- otherwise intervene to ensure that the bank’s capital
levels are adequate.
Comprehensive Supervisory Review of Capital Adequacy
6. Capital helps protect
individual banks from insolvency, thereby promoting safety and soundness
in the overall U.S. banking system. Minimum risk-based capital requirements
establish a threshold below which a sound bank’s risk-based capital
must not fall. Risk-based capital ratios permit some comparative analysis
of capital adequacy across banks because they are based on certain
common assumptions. However, supervisors must perform a more comprehensive
review of capital adequacy that considers the risks that are specific
to each individual bank, including those not incorporated in risk-based
capital requirements. In short, supervisors must ensure that a bank’s
overall capital does not fall below the level required to support
its entire risk profile.
7. Supervisors generally
expect banks to hold capital above their minimum risk-based capital
levels, commensurate with their individual risk profiles, to account
for all material risks. Going forward under the advanced approaches
rule, supervisors will continue to review the overall capital adequacy
of any bank through a comprehensive evaluation that considers all
relevant available information. In determining the extent to which
banks should hold capital in excess of risk-based capital minimums,
supervisors will consider: the combined implications of a bank’s compliance
with qualification requirements for regulatory capital standards;
the quality and results of a bank’s own process for determining whether
capital is adequate (the ICAAP); and the bank’s risk-management processes,
control structure, and other relevant information relating to the
bank’s risk profile and capital level.[7]
This review is consistent with current supervisory practice,
under which the agencies assess a bank’s overall capital adequacy
through a comprehensive evaluation of all relevant information.
8. The supervisory review process assesses whether
a bank has a satisfactory process to determine that its overall capital
is adequate and that the bank maintains adequate capital on an ongoing
basis as underlying conditions change. For example, changes in a bank’s
risk profile or in relevant capital measures are areas of particular
focus that are effectively addressed through the supervisory review
process. Generally, a bank should hold more capital for material increases
in risk that are not otherwise mitigated, unless the bank already holds capital
at a level exceeding what its internal processes and supervisors would
regard as adequate. Conversely, a bank may be able to reduce overall
capital (to a level still above regulatory minimums) if the supervisory
review supports the conclusion that the bank’s inherent risk has materially
declined or that it has been appropriately mitigated.
9. As a result of its comprehensive supervisory review,
a bank’s primary federal supervisor may take action if it is not satisfied
that capital is adequate. The primary federal supervisor may require
the bank to take actions to address identified supervisory concerns,
which may include requiring the bank to hold additional capital to
bring capital to levels that the supervisor deems commensurate with
the bank’s risk profile. In addition, the primary federal supervisor
may, under its enforcement authority, require a bank to modify or
enhance risk-management and internal-control processes, reduce its
exposure to risk, or take any action deemed necessary to address identified
supervisory concerns.
Compliance with Regulatory Capital Requirements
10. In order to use the advanced approaches rule to calculate minimum
risk-based capital requirements, a bank must meet certain process
and systems requirements. As part of the supervisory review process,
the agencies will ensure that each bank meets these requirements.
The advanced approaches rule provides an explanation of these qualification
requirements for any systems and processes used.
11. A bank using the advanced approaches rule must comply with the
rule’s qualification requirements for both initial and ongoing qualification.
A bank that falls out of compliance with the qualification requirements
would be required to establish a plan to return to compliance that
satisfies its primary federal supervisor.
12. Supervisors will ensure that each bank using the advanced approaches
rule complies with the qualification requirements both at the consolidated
level and at any subsidiary bank that uses the advanced approaches
rule. Thus, each bank that applies the advanced approaches rule must
have appropriate risk-measurement and risk-management processes and
systems that meet the rule’s qualification requirements.
The ICAAP
13. The qualification
requirements in the advanced approaches rule state that “a bank must
have a rigorous process for assessing its overall capital adequacy
in relation to its risk profile and a comprehensive strategy for maintaining
an appropriate level of capital.”[8]
Because minimum risk-based capital requirements are based on certain
assumptions and address only a subset of risks faced by an individual
bank, each bank must conduct an internal assessment of whether its
capital is adequate, given its risk profile. A bank must conduct this
assessment, using the ICAAP, in addition to its calculation of minimum
risk-based capital requirements.[9]
Accordingly, a bank’s capital should exceed the level
required by its minimum risk-based capital requirements, and also
should be adequate according to its own ICAAP.
14. The fundamental objectives of a sound ICAAP are
- identifying and measuring material risks,
- setting and assessing internal capital adequacy goals
that relate directly to risk, and
- ensuring the integrity of internal capital adequacy
assessments.
15. Assessing overall capital adequacy through
the ICAAP requires thorough identification of all material risks,
measurement of those that can be reliably quantified, and systematic assessment
for the limitations of minimum risk-based capital requirements. The
ICAAP should address the capital implications arising from both on-
and off-balance-sheet positions, as well as from provisions of explicit
or implicit support. Material risks include those that in isolation
do not appear to be material at first, but when combined with other
risks could lead to material losses. In this manner, the ICAAP should
contribute broadly to the development of better risk management within
the organization at both the individual entity and consolidated levels.
16. Each bank implementing the advanced approaches
rule should have an ICAAP that is appropriate for its unique risk
characteristics and should not rely solely upon the assessment of
capital adequacy at the parent company level. This does not preclude
the use of a consolidated ICAAP as an important input to a subsidiary
bank’s own ICAAP, provided that each entity’s board and senior management
ensure that the ICAAP is appropriately modified to address the unique
structural and operating characteristics and risks of the subsidiary
bank.
17. In general, the ICAAP will likely go
beyond the assumptions built into minimum risk-based capital requirements.
However, in certain instances, a bank’s ICAAP—when supported by proper
justification and evidence—may build upon and utilize the methods,
practices, and results it uses to determine minimum risk-based capital
requirements. For example, in developing the ICAAP, a bank may choose
to use data, ratings, or estimates from internal ratings-based approaches
for credit risk; or a bank may choose to use the advanced measurement
approaches as the basis for its internal assessment of operational
risk. Furthermore, although the ICAAP should be a distinct and comprehensive
process that produces its own capital measures, in some cases a bank
may be able to demonstrate that minimum risk-based capital measures
appropriately reflect certain aspects of a bank’s risk profile and
thus are appropriate for use in its ICAAP.
18. The design and operation of any systems used to meet the ICAAP requirements
will likely differ, depending on the complexity of each bank’s operations
and risk profile. Many banks employ “economic capital” measures for
some elements of risk management, such as limit setting, or for evaluating
performance or determining aggregate capital needs.[10]
In some cases, economic
capital measures may relate directly to a bank’s assessment of capital
adequacy under the ICAAP; however, in other cases, a bank may be using
economic capital measures that are not intended for capital adequacy
assessments. In the latter case, a bank does not necessarily need
to change its existing process or systems, but it may need to build
upon or adjust its economic capital measures for use in the ICAAP,
and the bank would have to demonstrate clearly how it does so. Notably,
economic capital is not the only means to meet the ICAAP requirement.
Regardless of the specific implementation method(s) chosen, the bank’s
ICAAP should address the three ICAAP objectives listed in paragraph.
Identifying and Measuring Material Risks
19. The first objective of the
ICAAP is to identify all material risks. Risks that can be reliably
measured and quantified should be treated as rigorously as data and
methods allow. The appropriate means and methods to measure and quantify
those material risks are likely to vary across banks. The key point
is for a bank to be able to identify all material risks and measure
those that can be reliably quantified in order to determine how those
risks affect the bank’s overall capital adequacy.
20. Some of the risks to which a bank may be exposed include credit
risk, market risk, operational risk, interest-rate risk in the banking
book, and liquidity risk (as outlined below).[11]
Other risks, such as reputational risk, business
or strategic risk, and country risk, may also be material for a bank
and, in such cases, should be given equal consideration to the more
formally defined risk types.[12]
Additionally,
if a bank employs risk-mitigation techniques, it should understand
the risk to be mitigated and the potential effects of that mitigation
(including enforceability and effectiveness).
Credit risk: A bank should have the
ability to assess credit risk at the portfolio level in addition to
the exposure or counterparty level. In making this assessment, the
bank should be particularly attentive to identifying any credit risk
concentrations and ensuring that their effects are adequately assessed.
The bank should consider the various types of dependence among exposures,
and the credit-risk effects of extreme outcomes, stress events, and
shocks to assumptions about portfolio and exposure behavior. The bank
should also carefully assess concentrations in counterparty credit
exposures, including those that result from trading in less liquid
markets, and determine the effect that these exposures might have
on capital adequacy.
Market risk: A bank should be able to identify risks in trading
and capital markets activities resulting from a movement in market
prices and rates. This determination should consider factors such
as illiquidity of instruments, leverage, concentrated positions, one-way
markets, non-linear or deep out-of-the money option positions as well
as embedded optionality, and the potential for significant shifts
in correlations or other types of dependence structures. Assessments
that incorporate extreme events, idiosyncratic variations, credit
migrations or changes in credit spreads, defaults, and shocks should
also be tailored to capture key portfolio vulnerabilities.
Operational risk: A bank
should be able to assess the potential risks resulting from inadequate
or failed internal processes, people, and systems, as well as from
events external to the bank.[13]
This assessment should include
the effects of extreme events and shocks relating to operational risk.
Extreme events could include a substantial or sudden increase in failed
processes across business units or a significant incidence of failed
internal controls.
Interest-rate risk in the banking book: A bank should incorporate interest-rate
risk in the banking book into its assessment of capital adequacy.
In making this assessment, the bank should identify the risks associated
with changes in interest rates that impact both on- and off-balance-sheet
exposures in the banking book from a short- and long-term perspective.
This might include the impact of changes due to parallel yield curve
shocks, yield curve twists, yield curve inversions, changes in the
adjustment of rates earned and paid on different financial instruments
with otherwise similar repricing characteristics (basis risk), and
other relevant scenarios, including some that incorporate stress events,
extreme outcomes, and shocks to assumptions. The bank should be able
to support any assumptions it has made with respect to the behavioral
characteristics of servicing rights, non-maturity deposits, positions
subject to prepayment risk, and other assets and liabilities, especially
for those exposures characterized by embedded optionality.
Liquidity risk: A bank
should incorporate liquidity risk into the assessment of its capital
adequacy. A bank should evaluate whether capital is adequate given
its own funding liquidity profile and given the liquidity of the markets
in which it operates. This assessment should incorporate various types
of liquidity environments and include an evaluation of the potential for
a material disruption in the sources of liquidity typically relied
on by the bank as a result of bank-specific as well as systemic events.
A bank should consider the capital adequacy implications of lacking
a well-diversified funding base, relying predominantly on wholesale
credit markets for its funding, or relying heavily on volatile funding
sources. A bank involved in securitization activities should consider
the capital adequacy implications of relying on market liquidity to
distribute warehoused assets, including the potential for disruptions
that would cause a bank to bring certain items onto its balance sheet.
In its assessment of the impact of liquidity risk on capital adequacy,
the bank should also challenge assumptions built into its definition
of liquid products.
The risk factors discussed above are not an exhaustive
list of those affecting any given bank. A well-developed ICAAP should
include an assessment of all relevant factors that present a material
source of risk to capital and should account for concentrations within
each risk type.
21. A bank should assess whether
its capital is sufficient to absorb any losses that may arise from
activities that expose the bank to multiple risks within and across
business lines or create concentrations across risk types.[14]
A bank should
recognize that losses could arise in several risk dimensions at the
same time, stemming from the same event or a common set of factors.
For example, a localized natural disaster could generate losses from
credit, market, and operational risks. Additionally, the ICAAP should
focus on any complex activities that give rise to multiple risks,
and to their interaction. These activities can involve instruments
that may be complex, illiquid, or difficult to value. For example,
securitization activities expose a bank to a variety of risks that
can affect capital adequacy at the same time, including credit, market,
liquidity, and reputational risks; structured products can have multiple
embedded risks that interact in complex ways and can present losses
in multiple risk areas across different business lines at the same
time. In general, the ICAAP should include an assessment of the potential
effects of convergence of risks within and across business lines and
their combined impact on capital adequacy.
22. The ICAAP should take into consideration the linkage between capital
adequacy and damage or potential damage to a bank’s reputation. A
bank might incur losses affecting capital adequacy because of damage
to its reputation, or the bank might incur losses trying to prevent
or mitigate damage to its reputation. In assessing the linkage between
reputational risk and capital adequacy, a bank should assess risks
associated with both on-balance-sheet and off-balance-sheet exposures
and activities, as well as risks associated with affiliates, subsidiaries,
counterparties, clients, or other third parties. The assessment should
include activities for which the bank acts as a sponsor or advisor
and cases in which the bank provides explicit or implicit support.
A bank should also assess the risk of having to assume the losses
of a third party to prevent or mitigate damage to the bank’s reputation.
23. The bank’s ICAAP should assess risks associated
with new products, markets, and activities. In making this assessment,
the bank should account for any uncertainty in the valuation of new
products, whether by the bank or a third party, which could be more
challenging if the new products are particularly complex or do not
have liquid markets. The ICAAP should take into consideration changing
dynamics in markets for new products and uncertainty as to how new
markets might respond to stress conditions. The ICAAP should also
assess the challenges presented by new business lines or strategic
acquisitions in terms of their impact on capital adequacy.
24. All measurements of risk should incorporate both
quantitative and qualitative elements. Generally, a quantitative approach
should form the foundation of a bank’s measurement framework.
Quantitative approaches that focus on most likely outcomes for budgeting,
forecasting, or performance measurement purposes may not be fully
applicable for assessing capital adequacy, which also should take
less likely outcomes into account.
25. In some
cases, quantitative tools can include the use of large historical
databases. These databases are most applicable when they are fully
reflective of all relevant risk characteristics, incorporate appropriate
variability, and have adequate granularity and history; for example,
they should include data based not just on benign but also more-stressful
economic periods or operating environments. When internal data are
not available or do not reflect a bank’s risk profile, a bank may
rely on external data for risk measurements but should ensure that
external data have applicability to the bank’s own activities and
risk profile.
26. The confidence a bank places
in the results of its ICAAP should depend on the quality and robustness
of the associated risk assessments. When measuring risks, a bank should
understand that estimation and measurement errors are common and,
in many cases, are themselves difficult to quantify. In general, the
bank’s ICAAP should reflect an appropriate level of conservatism to
account for uncertainty in risk identification, risk mitigation or
control, and risk quantification. In most cases, appropriate conservatism
will result in greater capital needs.
27. In many
cases, risk assessments may rely to a significant degree on models
that use both qualitative and quantitative inputs. The use of models
can enhance the ICAAP, but it can also introduce challenges. Specifically,
models may fail to work as intended or expected, or they may be used
inappropriately for purposes not considered in their initial design.
These concerns apply to models purchased from third-party vendors
as well as to models that are internally developed. A bank using models
as part of the ICAAP should recognize these possibilities and ensure
that appropriate controls, such as rigorous initial and ongoing validation
and independent review, are in place to mitigate and manage any risks
related to model use. A bank should apply appropriate conservatism
to compensate for any risks associated with models. Additional conservatism
may be necessary to account for any uncertainties in the use of models
to value on- or off-balance-sheet exposures or for imperfections and
volatility in market-based valuations.
Additional conservatism may be necessary to compensate
for increased risk, for example, when models or applications are more
complex, or when they have a more significant influence on the ICAAP’s
results.
28. To gain a fuller understanding of
the risks beyond more-typical quantitative measures—such as those
based on certain parameter behavior or distributional assumptions—a
bank should also rely on other types of quantitative exercises. For
example, stress testing, including scenario analysis and sensitivity
analysis, is an additional quantitative exercise that a bank should
regularly apply to complement more-typical quantitative measures.
A bank may need to rely more heavily on such exercises when internal
or demonstrably relevant external data are scarce. These exercises
can help gauge the consequences of outcomes that are unlikely, but
would have a considerable impact on safety and soundness.
29. In addition to quantitative approaches for assessing
risk, a bank should also employ qualitative approaches that incorporate
management experience and judgment. Qualitative measures should be
employed not only for those cases in which scarce data or unproven
quantitative methods limit a full assessment of risk, but also more
generally to complement even sophisticated quantitative estimates
based on extensive and high-quality data.
30. A bank should be cognizant that both quantitative and qualitative
approaches have their own inherent biases and assumptions that affect
risk assessment. Accordingly, a bank should recognize the biases and
assumptions embedded in, and the limitations of, the approaches used.
31. An effective ICAAP is comprehensive, assessing material
risks across the entire bank. Each bank should have systems capable
of aggregating across risk types. A bank should understand the challenges
presented by risk aggregation and the inherent uncertainty in quantitative
estimates used to aggregate risks (including the difficulty in estimating
concentrations across risk types as noted in paragraph 21). For example,
a bank is encouraged to consider the various interdependencies among
risk types, the different techniques used to identify such interdependencies,
and the channels through which those interdependencies might arise—across
risk types, within the same business line, and across different business
lines. Consistent with paragraph 26, any associated uncertainty in
aggregating capital estimates across risk types and business lines
should translate into greater capital needs.
32. Management should be systematic and rigorous in considering possible
effects of diversification. Assumptions about diversification should
be identified at each level where diversification is recognized, supported
by analysis and evidence, and remain robust over time and under different
market environments, including stressed market conditions. For example,
a bank calculating the dependence structure within or among risk types
should consider data quality and consistency, such as the volatility
of correlations over time and during periods of market stress. In
general, a bank should consider a wide range of possible adverse outcomes
that have the potential to affect multiple risks at the same time
and to limit expected diversification benefits. Consistent with paragraph
26, uncertainty in diversification estimates should translate into
greater capital needs.
Setting and Assessing Capital Adequacy Goals that Relate to Risk
33. The second objective of the ICAAP is to set and
assess capital adequacy goals in relation to all material risks. Under
this objective, a bank should have a well-defined process to translate
estimates of risk into an assessment of capital adequacy. In practice,
capital adequacy goals may be reflected in various ways. A bank may
choose to hold capital in excess of the level internal processes would
regard as adequate for any number of business or strategic reasons.
Excess capital may fluctuate over time. Each bank should recognize
that minimum risk-based capital requirements represent a floor below
which the bank’s overall capital level must not fall, even if bank
management believes that there is justification to maintain less capital.
34. A bank may establish its risk-tolerance level
to reflect a desired level of risk coverage and/or a certain degree
of creditworthiness, such as an explicit solvency standard. Accordingly,
assessments of risk and capital adequacy should reflect the chosen
risk tolerance of the bank. Because risk profiles and choices of risk
tolerance may differ across banks, capital targets may also differ.
However, if for internal capital adequacy purposes a bank were to
choose to apply a level of risk coverage or a solvency standard that
is less than that implied by minimum risk-based capital requirements,
the bank would have to be able to: identify and support the rationale
for a lower solvency standard; demonstrate clearly that its ICAAP
adequately addresses low-probability, high-severity events; and ensure
that there is sufficient capital to absorb losses associated with
such extreme events. Regardless of the solvency standard used, supervisors
expect banks to hold capital at a level above that established by
minimum risk-based capital requirements.
35. A
bank should consider external conditions and other factors that influence
its overall capital adequacy, including the potential impact of contingent
exposures and changing economic and financial environments. The ICAAP
should address the potential impact of broader market or systemic
events, which could cause risk to increase beyond the bank’s chosen
risk-tolerance level, and have appropriate contingency plans for such
outcomes. Such exercises may include stress testing, such as scenario
and sensitivity analysis; however, in all cases they should incorporate both
quantitative and qualitative methods.[15]
36. Through the ICAAP,
a bank should ensure that adequate capital is held against all material
risks and that capital remains adequate not just at a point in time,
but over time, to account for changes in a bank’s strategic direction,
evolving economic conditions, and volatility in the financial environment.
A bank should be cognizant of the impact of market-driven valuations
on the volatility of capital. Moreover, recognizing the sensitivity
of capital to economic and financial cycles should be a critical component
of a bank’s planning for current and future capital needs. For example,
a bank should consider the potential effects of a sudden, sustained
economic downturn. The level of capital deemed adequate by a bank
given its ICAAP might also be influenced by the bank’s intention to
hold additional capital to mitigate the impact of volatility in capital
requirements, its need to support acquisition plans, or its decision
to accommodate market perceptions of capital adequacy and their impact
on funding costs.
37. In analyzing capital adequacy,
a bank should evaluate the capacity of its capital to absorb losses.
Because various definitions of capital are used within the banking
industry, each bank should state clearly the definition of capital
used in any aspect of its ICAAP. Since components of capital are not
necessarily alike and have varying capacities to absorb losses, a
bank should be able to demonstrate the relationship between its internal
capital definition and its assessment of capital adequacy. If a bank’s
definition of capital differs from the regulatory definition, the
bank should reconcile such differences and provide an analysis to
support the inclusion of any capital instruments that are not recognized
under the regulatory definition. Although common equity is generally
the predominant component of a bank’s capital structure, a bank may
be able to support the inclusion of other capital instruments in its
internal definition of capital if it can demonstrate a similar capacity
to absorb losses. The bank should document any changes in its internal
definition of capital, and the reason for those changes.
38. An effective capital plan recognizes a bank’s short-
and long-term capital needs and objectives. Accordingly, a bank should
evaluate whether long-run capital targets are consistent with short-run
goals, based on current and planned changes in risk profiles. In developing
its capital plan, the bank also should recognize that accommodating
additional capital needs can require significant lead time, can be
costly, or can be quite difficult, especially during downturns or
other times of stress. A bank should have contingency plans to address
unexpected capital needs.
Ensuring Integrity of Internal Capital Adequacy Assessments
39. A satisfactory ICAAP comprises a complete process
with proper oversight and controls, and not just an ability to carry
out certain capital calculations. The various elements of a bank’s
ICAAP should complement and reinforce one another to achieve the overall
objective of assessing capital adequacy, taking into account the bank’s
risk profile.
40. A bank should maintain adequate
internal controls to ensure the integrity, objectivity, and consistent
application of the ICAAP. Decisions regarding the design and operation
of the ICAAP should reflect sound risk management and should not be
unduly influenced by competing business objectives. A bank should
identify any deficiencies in its ICAAP and plan and take remedial
actions to address the deficiencies in a timely manner. The principles
underlying a bank’s ICAAP should be incorporated into policies that
are reviewed and approved at appropriate levels within the organization.
41. A bank should maintain thorough documentation
of its ICAAP to ensure transparency. At a minimum, this should include
a description of the bank’s overall capital management process, including
the committees and individuals responsible for the ICAAP; the frequency
and distribution of ICAAP-related reporting; and the procedures for
the periodic evaluation of the appropriateness and adequacy of the
ICAAP. In addition, where applicable, ICAAP documentation should demonstrate
the bank’s sound use of quantitative methods (including model selection
and limitations) and data-selection techniques, as well as appropriate
maintenance, controls, and validation. A bank should document and
explain the role of third-party and vendor products, services, and
information—including methodologies, model inputs, systems, data,
and ratings—and the extent to which they are used within the ICAAP.
A bank should have a process to regularly evaluate the performance
of third-party and vendor products, services, and information. As
part of the ICAAP documentation, a bank should document the assumptions,
methods, data, information, and judgment used in its quantitative
and qualitative approaches.
42. The ICAAP should
be enhanced and refined over time, with learning and experience (both
quantitative and qualitative) contributing to its improvement. The
ICAAP should evolve with changes in the risk profile and activities
of the bank, as well as with advances in risk-measurement and -management
practices. For example, a bank should incorporate in its ICAAP the
introduction of new products and business lines and activities to
ensure that the bank’s capital plan is responsive to changes in the
operational and/or business environment.
43. The
board of directors and senior management have certain responsibilities
in developing, implementing, and overseeing the ICAAP. The board should
approve the ICAAP and its components. The board or its appropriately
delegated agent should review the ICAAP and its components on a regular
basis and approve any revisions. That review should encompass the
effectiveness of the ICAAP, the appropriateness of risk tolerance
levels and capital planning, and the strength of control infrastructures.
Senior management should continually ensure that the ICAAP is functioning
effectively and as intended, under a formal review policy that is
explicit and well documented. Additionally, a bank’s internal audit
function should play a key role in reviewing the controls and governance
surrounding the ICAAP on an ongoing basis.
44. Each bank should ensure that the components of its ICAAP, including
any models and their inputs, are subject to the bank’s validation
policies and procedures. Validation should be independent of the development,
implementation, and operation of the ICAAP components, or the validation
process should be subject to an independent review of its adequacy
and effectiveness. Validation is generally defined as an ongoing process
that includes, but is not limited to, the collection and review of
developmental evidence, process verification, benchmarking, outcomes
analysis, and monitoring activities used to confirm that processes
are operating as designed. Validation policies and procedures should
reflect the bank’s business, structure, and sophistication, as well
as the relative importance of each component of the ICAAP. Accordingly,
a bank is encouraged to consult the agencies’ existing guidance on
validation.
45. A bank’s ICAAP should be aligned
with and be a part of the bank’s wider internal governance structure
and overall risk-management processes. The ICAAP should not be viewed
as simply a compliance exercise. Rather, it is a dynamic and evolving
process that is used by a bank to provide internal assurance that
capital is adequate given the bank’s risk profile. Management is responsible
for ensuring that the ICAAP is fully consistent with the overall risk-management
framework of the bank. Information derived through the ICAAP process
should influence decision making at both the consolidated and individual
business-line levels, and be used to inform other management processes
related to risk assessment, business planning and forecasting, pricing
strategies, and performance measurement.
46. As part
of the ICAAP, the board or its delegated agent, as well as appropriate
senior management, should periodically review the resulting assessment
of overall capital adequacy. This review, which should occur at least
annually, should include an analysis of how measures of internal capital
adequacy compare with other capital measures (such as regulatory,
accounting-based or market-determined). Upon completion of this review,
the board or its delegated agent should determine that, consistent
with safety and soundness, the bank’s capital takes into account all
material risks and is appropriate for its risk profile. However, in
the event a capital deficiency is uncovered (that is, if capital is
not consistent with the bank’s risk profile or risk tolerance), management
should consult and adhere to formal procedures to correct the capital
deficiency.