RISK MANAGEMENT INTRODUCTORY REMARKS The traditional role of a commercial bank is to attract deposits, which it then uses to grant loans. This role implies a two-fold transformation: in transaction value and duration. In addition to this conventional business, known as "on-balance sheet" activities, commercial banks have introduced a growing number of new techniques 1 - and consequently, transactions - with the common aim of managing different types of risk (exchange, interest rate and credit risks). These transactions, known as "derivatives", are recorded "off-balance sheet", as generally no funds are exchanged upon their conclusion. The six types of risk that need to be constantly kept under control are: the credit risk, the liquidity risk, the interest rate risk, the foreign exchange risk, the operational risk, and the legal risk. The credit risk covers the risk of bankruptcy, or deterioration in the quality of a counterparty. The occurrence of such an event could generate losses in the bank's loan and bond portfolios. The liquidity risk, interest rate risk and exchange risk are usually grouped under the generic term "market risk". The operational risk is defined as the risk of loss that may occur for the bank as a result of mishandling transactions, problems with its IT tools, litigation with its customers or staff, internal and external fraud, and even loss or damage caused to its assets by the elements or criminal acts. The bank has developed specific instruments to manage all the risks associated with its activities. The management of the credit risk has been entrusted to the bank's Credit Risk Management Department, which is part of the credit policy and decision line. The Risk Management Department is responsible for the management of the market risk and the operational risk. The Legal Department manages the legal risk. CREDIT RISK MANAGEMENT Policy The task of defining the risk policy applicable to credit transactions and the management of the bank's investment portfolio lies with the Credit Policy Committee, chaired by the Managing Director responsible for risk management 2. This policy is in keeping with the general policy of ING Group. It is laid down in a credit policy handbook which is made available to all those responsible for credit decisions and monitoring. Decision-making structures The granting and monitoring of loans is subject to a strictly supervised procedure delegating powers to the bank's domestic and international subsidiaries, operations, regional offices, and branches. A similar procedure applies to operational risks relating to loan and derivatives contracts, acceptance of collateral and overdraft monitoring, as well as pre-litigation and litigation. As already stated above, legal risk assessment is the responsibility of the Legal Department. Decision-making powers are divided between two separate structures: credit committees, which decide on credit line ceilings for the purpose of the bank's commercial lending and financial market activities; securities committees, which decide on the bank's investment strategy for its own bond portfolios.the Credit Risk Management Department compiles the analyses and documents for the Central Securities Committee. The bank has developed a system, for use by its branches, to assist with the decision-making process for the granting of small loans. The system is based on customer scoring, according to specific rules. Scoring is applied to instalment loans, overdrafts, revolving credits, and debit and credit cards for private and business customers and small companies. With regard to mortgage loans, the bank generally limits these to the market value of the property, while ensuring that repayments do not exceed a reasonable portion of the borrower's or borrowers' net income. Branches have also developed a system governed by specific rules to assist the decision-making process for this type of transaction. Real estate transactions The bank makes a clear distinction between: transactions for the debtor's own account (mortgages to private customers or investment loans to companies), which are subject to the usual granting rules (as set out in this chapter); real estate promotion and investment, where the debtor is required to make a substantial capital contribution, and where the actual return on the property must match the level of debt servicing. 1 In addition to long-established forward exchange transactions / 2 See the section, "Executive Committee", in the chapter, "Corporate governance and structures". ING BELGIUM ANNUAL REPORT 2005 27
MANAGEMENT REPORT In the private and business customer and local company segments, the lending powers of branches are determined on a case-by-case basis, by the management of the regional offices, according to the latter's assessment of each party's decision-making ability. In the area of lending to corporate customers, the bank has developed an automated presentation system, which integrates assessment of potential risk and the risk-weighted return in relation to transactions and customers 1. Decisions beyond the scope of local branches require the opinion of an adviser-analyst. Depending on the size of the loan, the decision is referred to specific, decision-making structures involving two people and increasingly senior management levels. Certain transactions are referred, therefore, to ING Belgium's Executive Board or even to ING Group's Central Credit Committee. Special monitoring committees closely monitor difficult cases. When appropriate, they may demand the rapid implementation of precautionary measures. Problem cases are flagged by a series of automated warning signs. Diversification of risks In accordance with the principles applied by the statutory authorities for calculating major risks, no borrower - whether a corporate customer or a financial institution - may represent a risk greater than 25% of the bank's capital and reserves. ING Group has developed a set of "Golden Rules" for its major corporate customers, which determine the size of the entire group and the lending limits per consolidated borrower, expressed as notional amounts and economic capital. Counterparty risks linked to derivatives transactions The bank's counterparties are mainly financial institutions with a professional approach to such transactions. Moreover, the bank signs framework agreements with these institutions, based on the model provided by the International Swaps and Derivatives Association (ISDA). In the leading developed countries, these contracts allow the debit and credit positions of a defaulting counterparty to be offset, which in many cases considerably reduces the risk. Certain contracts also require the deposit of a guarantee (collateralisation) if the net position exceeds a pre-determined amount. The bank applies a rigorous policy for monitoring the counterparty risk linked to such transactions: each derivative contract is associated with a real credit risk ("present value") and a potential credit risk ("potential future exposure", or "PFE"); assessment of outstandings per counterparty takes account of existing setoff and collateralisation agreements; each counterparty must have an adequate credit line, granted by the appropriate decision-making level, and managed globally in real time for all dealing rooms; the bank will not finance purely speculative transactions 2. A computerised application monitors, in real time, the risks on the bank's main counterparties, and constantly updates the consolidated position of the use of credit lines in all the dealing rooms. This application is backed up by a legal database which enables automatic, real-time recognition of new transactions which could be legally set off against other transactions originating in other dealing rooms. With this new instrument, it is possible to efficiently calculate risk netting, and thus make more productive use of credit lines. RAROC tool (Risk Adjusted Return on Capital) The bank compiles an internal rating and evaluates sureties received in respect of each corporate file. The RAROC tool is used to calculate an average risk premium and a maximum theoretical risk 3. On this basis, it defines a "risk adjusted return" for each operation. The same procedure is applied to the overall relationship with a corporate customer and, even more broadly, with a portfolio of customers. Completing this procedure, pro-active management of the credits portfolio has been implemented using derivatives and securitisation instruments, in order to optimise the use of the bank's shareholders' funds. Minimum capital adequacy requirements - Basle II The bank, in conjunction with ING Group, will be able to comply with the Basle II capital adequacy requirements on credit risk modelling using the Internal Based Advanced Approach. It is also developing all the necessary documentation to comply with the new requirements of the Basle II rules relating to operational risk. 1 See below, "RAROC tool" / 2 This does not exclude transactions which contribute to dynamic fund management / 3 Weighted for the probability of default, calculated on a historical basis for the kind of company in question. 28 ANNUAL REPORT 2005 ING BELGIUM
MARKET RISK MANAGEMENT Decision-making structures and monitoring bodies Each month, the Executive Board, assisted by the relevant heads of departments, meets in the Assets and Liabilities Management Committee (ALMAC) 1 to analyse the major gapping items relating to assets and liabilities (on- and off-balance sheet). A replicating model is used to set the theoretical maturities in respect of assets and liabilities for which maturities are not contractually known. The ALMAC oversees capital ratios (Capital Adequacy Directive - CAD) and makes strategic decisions relating to interest rate risks, and therefore to Earnings at Risk. Dealing room operations are managed by a weekly Financial Markets Committee 1 headed by the member of the Executive Board in charge of all financial market operations. The Market Risk Management Department coordinates the daily monitoring of market risks, on a consolidated basis. It also compiles the analyses and documentation required for the smooth running of the ALMAC and the Financial Markets Committee. Value at Risk Potential risks relating to exchange and interest rate fluctuations must be kept under control. Dealing room transactions are recorded, per strategic category, in dealer books, which are, in turn, grouped into market books according to the type of activity. Accounting rules are applied at the level of market books. These are classified as banking or trading books, pursuant to CAD. Market book positions are monitored daily by the Market Risk Management Department. A two-tier system is used: an open position risk limit is fixed on the basis of Value at Risk (VaR); Stop loss and Trigger point limits are applied to the overall result per market book since the beginning of the year. This requires the use of very large databases to measure the volatility of several segments of interest rate curves in different currencies, and to identify correlations between the various curve segments for a particular currency, as well as between all the currencies used. The bank uses a consistent approach to all risks. In addition, operators in the dealing rooms are provided with risk management information relating to their individual positions. The bank also regularly estimates the possible repercussions of extraordinary market trends on VaR and on results ("stress testing"). These estimates supplement daily VaR and backtesting calculations. During 2005, the VaR of trading activities (the total of exchange risk, interest rate risk and equity risk) was on average EUR 16.7 million. The highest VaR was EUR 19.3 million and the lowest EUR 13.7 million. Liquidity risk management Liquidity management must avoid the risk of capital loss on asset disposals. It requires: detailed monitoring of daily gaps between the closest asset and liabilities' maturities; access to diversified funding sources; the holding of top-rate assets, which can easily be sold on the repurchase agreements (repos) market, or demanded as collateral to eliminate the risk for a lending counterparty. The holding of large quantities of government treasury bills and bonds puts the bank in a privileged position with regard to obtaining collateralised financing. The rapid development of the repos market calls for highly specialised monitoring of the market value of securities, in addition to constant surveillance of fund movements and "paper" deliveries linked to these transactions, which are usually in the very short term. Precise requirements have been laid down as regards reporting to the Financial Markets Committee. In this respect, the bank applies best market practices, by calculating its consolidated VaR daily. 1 For further details on the composition of these committees, see the chapter, "Corporate governance and structures". ING BELGIUM ANNUAL REPORT 2005 29
MANAGEMENT REPORT Interest rate risk management The interest rate (or mismatching) risk results from gaps between maturing assets and liabilities (final maturities or rate review maturities), both on- and off-balance sheet. Depending on their nature and the trend in rates, they may have a positive or negative impact on the interest margin: if the bank is regularly a net daily borrower in times of falling rates, this will benefit its interest margin; should rates rise before the bank reverses its position, the opposite will occur. As it is not possible to correctly forecast the trend in rates at all times, the interest rate risk must be managed through absolute authorised amounts of gaps for pre-defined periods in the future. At this level, there is a direct link between the volume and the remaining duration of the positions. All this is taken into account in calculating the VaR. The bank constantly monitors its maturity profiles, interest rate sensitivity and VaR per dealer book. The use of internal models for calculating VaR is encouraged by the regulatory authorities. They accept their use for calculating equity requirements in relation to market risks, provided that the model used meets the following stringent requirements of the Basle Committee: a time horizon of 10 working days; a confidence interval of 99%; "back testing" (verification that VaR - as calculated by the model - is actually in line for 99 out of 100 successive days); "stress testing" (estimation of Net Asset Value fluctuation in the event of anomalies in certain statistical rate distributions); multiplication, by a minimum of three, of the highest result obtained using the two following methods: - VaR calculated daily; - average VaR over the last 60 working days; approval of the model by the regulatory authorities, prior to its use for calculating equity requirements in relation to market risks. OPERATIONAL RISK MANAGEMENT The Operational Risk Management team, which forms part of the Risk Management Department, is responsible for managing this risk for all the entities included in ING Belgium's consolidation scope. It relays the policy and procedures laid down by ING Group to these entities. It checks that they have been completely understood and implemented. Operational risk management has always been of the utmost importance for the bank's income statement. Against the background of Basle II, this risk also surfaces in the calculation of capital adequacy. The increasing significance given to its management has resulted in the implementation of three specific structures: the Security & Operational Risk Steering Committee meets every month under the authority of two ING Belgium managing directors and the general managers of the bank's main business lines, including insurance and asset management 1 ; this committee draws up general measures aimed at managing the operational risk; the Operational Risk Forum also meets monthly under the supervision of the Operational Risk Management team manager and the key Operational Risk Managers of the Belgian entities; an Operational Risk Committee functions in each of the entities coming under ING Belgium's consolidation scope and also in the main departments of key entities. Identifying risks Each entity and department carries out a regular risk & control self-assessment overseen by the Operational Risk Management team. This procedure involves: pinpointing potential risks, gauging their frequency, and estimating the maximum financial impact; taking stock of existing controls and checking their efficiency; analysing the economic soundness 2 of implementing new controls aimed at minimising risks deemed to be unacceptable. 1 See the chapter, "Corporate governance and structures" / 2 In terms of the cost/benefit ratio. 30 ANNUAL REPORT 2005 ING BELGIUM
Measuring risks This involves taking stock of all the operational incidents that occur and in each case determining the type and cause of risk, in addition to the business line concerned. The Operational Risk Management team learns lessons from incidents with a view to increasing awareness among the other entities and departments. When responding to a major incident, it requests the implementation of preventive and remedial measures. Monitoring risks Carrying out the above-mentioned risk & control self-assessment generally leads to identifying the key risks that have to be monitored as a precaution, in order to prevent them from developing into losses. Each entity or department senior manager builds up his own vital statistics, allowing him to manage his operational risks and to gauge whether they have improved or worsened using appropriate indicators. Minimising risks The recommendations formulated by the regulatory authorities and internal and external auditors must be implemented as quickly as possible. This also applies to reports prepared by the senior managers themselves (see previous point). Implementing these recommendations is instrumental in reducing the potential sources of operational losses, inasmuch as this results in control weaknesses being corrected. ING BELGIUM ANNUAL REPORT 2005 31