Supervision release 31 October 2023 – 57/2023

Thematic review: Need for development in risk reporting to the boards of directors of credit institutions under direct FIN-FSA Supervision

In May–October 2023, the Financial Supervisory Authority (FIN-FSA) conducted a thematic review examining measures taken by credit institutions based on the recommendations of a thematic review conducted in 2019 concerning risk reporting to credit institutions’ boards of directors.

General findings

It was discovered in the thematic review that all supervised entities had developed risk reporting after the review of 2019. Either limited or some development was found to have taken place, and in three supervised entities, there had even been significant development. However, there was considerable variation across different risk areas and supervised entities.

Clear improvement had taken place, for example, through the addition of new risk components in various risk areas, which puts the members of the board in a better position to form a view of the essence of the risk and of the significance of the components underlying the risk position. Written analysis in the reports had also been increased.

The risk areas and their development trends are also subject to more forward-looking assessment than before through scenario and stress-test analyses. In particular, the inclusion of IT risks, including cyber risks, and the monitoring of IT and other significant development projects in operational risk reporting reflects a request voiced by the boards of directors in the thematic review of 2019.

The risk positions and their developments are also described increasingly by various visual illustrations. For example, traffic light models, sign marks indicating development direction as well as different grading scales for significance are being used more often.

However, the FIN-FSA found that material submitted to the board of directors may be hundreds of pages in total, and the degree to which members delve into the risk-specific material on a given risk area depends on their own initiative. Some of the supervised entities’ reporting continued to be focused on tables and figures, lacking written explanations. Therefore, risk area-specific summaries with a clear written description of the risk exposure (position) and the most significant expectations concerning the risk are prerequisites for effective board work.

Key findings and recommendations concerning credit risks

The thematic review found that credit risks are usually reported to the board of directors on a monthly basis, and in some banks, on a quarterly basis. The FIN-FSA recommends that at least a concise risk report is discussed by the board of directors on a monthly basis or in each board meeting if the board meets less frequently than monthly.

The risk report, and its summary in particular, should provide the board of directors with both a quantitative view from the perspective of limits and a written summary of the risk position. The report should indicate significant factors affecting the risk position at present as well as any actions planned to either stabilise or improve the situation.

The FIN-FSA recommends that a representative of the second line of defence (chief risk officer or equivalent) is responsible for presenting the risk report to the board of directors.

Credit risks

The most significant risk area for credit institutions is credit risks, constituting the largest share of prudential requirements for banks. Therefore, it is paramount that the members of the board of directors receive up-to-date and diverse information on both the past development of the credit risk position and the current credit risk position. In addition, the board of directors should have a proactive view of the development of the bank’s credit risks in various future scenarios.

The FIN-FSA recommends that risk reporting on credit risks includes information relevant to the risk management policy, such as:

  • outcomes of risk indicators for risk appetite
  • development of the distribution of the entire credit portfolio by exposure class
  • sectoral and geographical concentration risks (also within Finland)
  • large customer exposures
  • development of non-performing exposures in the most significant credit portfolios
  • development of past due exposures in the most significant credit portfolios
  • development of forborne exposures in the most significant credit portfolios
  • outcomes of credit-portfolio specific quality, yield and growth targets included in the credit risk strategy
  • results of comparisons between the credit risk profile and the targets set in the institution’s credit risk strategy as well as credit risk appetite
  • information on any exceptions in credit policies
  • results of the stress test for credit risk
  • information and recommendations by the risk management function on any corrective actions regarding the risk appetite or breaches of risk limits  
  • developments regarding IFRS 9 impairment stages in the most significant credit portfolios
  • development of expected credit losses by IFRS 9 impairment stage in the most significant credit portfolios
  • use of expert adjustments in determining IFRS 9 impairment (amount + justifications)
  • as regards IRBA banks:
    • risk profiles of each credit rating grade
    • migrations across grades
    • estimates of relevant parameters per grade and a comparison of realised default rates, realised LGDs and CCFs against expectations and stress-test results, to the extent that own LGD and CCF estimates are used.

Key findings on the development of risk reports and their correspondence to ICAAP and ILAAP documents

The board of directors decides on the credit institution’s risk appetite and is responsible for the liquidity and allocation of capital covering risks that are taken intentionally and those that may occur. It is crucial that the board of directors is able to monitor the impacts of these decisions. The FIN-FSA finds it important that the board of directors also receives up-to-date reports on exposures to various risks and on development trends of these risks also in the periods between new decisions. The content of the reports should correspond as comprehensively as possible to the risks and their components, based on which the risk appetite, capital allocation and liquidity are determined.

It was discovered in the review that some supervised entities’ risk reports do not correspond at all, or correspond only partly, to the definitions of the risk areas in the ICAAP/ILAAP documents. The FIN-FSA recommends that the board of directors and the second line of defence review the correspondence of the risk reports and the ICAAP/ILAAP documents. All supervised entities had some inconsistencies in this regard. With respect to some risks, such as operational and compliance risks, exceptions from the ICAAP document were found acceptable. For example, the coverage of the regular risk report may be more comprehensive when including various event summaries.

The FIN-FSA will revert to the supervised entity-specific findings for each risk area in the course of its supervision.

Background of the thematic review

The assessments are based on a thematic review conducted by the FIN-FSA in May–October 2023. The thematic review examined measures taken by credit institutions based on the recommendations of the thematic review conducted in 2019 concerning risk reporting to credit institutions’ boards of directors. The recommendations were published on 5 November 2019 in supervision release 57/2019 (in Finnish). In addition, a report on the thematic review of risk reporting to credit institutions’ boards of directors (in Finnish) was attached to the supervision release. The present thematic review was concerned with following up on recommendations 1 (a)–(d) and 2.

Credit risks were selected as a particular focus risk area for the thematic review. The review comprised an assessment of changes that had taken place and, in particular, an assessment of the quality of reports. Other risk areas included in the review were liquidity, business, interest rate, operational and compliance risks. In addition, the review looked into the work of the board of directors, the content of risk reports and internal documents assessing the adequacy of capital and liquidity (so-called ICAAP and ILAAP documents) in comparison to the risk reports. 

The thematic review was carried out through a survey of risk reporting sent to the second line of defence in fourteen credit institutions under direct FIN-FSA supervision. In addition to the response template, the participants were requested to submit the most recent risk reports by risk area, as well as the ICAAP and ILAAP reports.

For further information, please contact

Erika Penttilä, Chief Specialist, telephone +358 9 183 5270 or erika.penttila(at)