Credit Risk Policy

From Open Risk Manual


Credit Risk Policy is the set of formal instructions, typically documented and approved by internal governing bodies, that define in sufficient operational detail an organization's perception of and attitude towards the range of credit risks it faces and desires to manage.

The Credit Risk Policy is a key part of an organization's Risk Framework.

EBA Guidelines

EBA Guidelines on Loan Origination and Monitoring specify:[1]

Institutions should set out, in their credit risk policies and procedures:

  • the criteria for identifying, assessing, approving, monitoring, reporting and mitigating credit risk, and
  • the criteria for measuring allowances for both accounting and capital adequacy purposes.

Institutions should document the framework and update it regularly.

The objective followed in credit risk policies and procedures should be to promote a proactive approach to monitoring credit quality, identifying deteriorating credit early and managing the overall credit quality and associated risk profile of the portfolio, including through new credit-granting activities.

Credit risk policies and procedures should cover all lending activities, asset classes, client segments, products and specific credit facilities, credit risk management practices, and associated responsibilities and controls.

Credit risk policies and procedures should include specific lending policies and procedures, with sufficient granularity to capture the specific business lines of the institution, for different sectors, in line with their varying complexities and sizes, and risks of different market segments related to the credit facility.

Credit risk policies and procedures should specify:

  • policies and procedures and rules for the approval of credit granting and decision-making, including appropriate authorisation levels set in accordance with the credit risk appetite and limits;
  • credit-granting criteria, taking into account the items referred to in Annex 1;
  • requirements for the handling of information and data needed for the creditworthiness assessment, as set out in Section 5.1;
  • requirements for the creditworthiness assessment, including a sensitivity analysis, as referred to in Section 5.2;
  • requirements for exposure aggregation and credit risk limits and the management of credit risk concentrations;
  • requirements and procedures regarding the acceptance and use of collateral and credit risk mitigation measures, to determine their effectiveness in minimising the inherent risk of a credit facility — such requirements and procedures should be asset class-specific and product type-specific and should duly consider the type, size and complexity of the credit facilities being granted;
  • conditions for the application of automated decision-making in the credit-granting process, including identifying products, segments and limits for which automated decision-making is allowed;
  • a risk-based approach, addressing possible deviations from standard credit policies and procedures and credit-granting criteria, including:
    • conditions defining the approval process for deviations and exceptions and the specific documentation requirements, including the audit trail;
    • criteria for rejections and criteria for the escalation of deviations/exceptions to higher levels of the decision-making authority (including overrides, overrules, exposures possibly approved as an exception to general lending standards and other non-standard business under a special process with different approval authorities);
    • requirements for the monitoring of circumstances and conditions for an exceptional credit-granting decision, including requirements for their review by the relevant functions during the regular review of the application and compliance with policies and limits;
  • requirements relating to what is to be documented and recorded as part of the credit-granting process, including for sampling and audit purposes — this should include, at a minimum, the requirements for the completion of credit applications, the qualitative and quantitative rationale/analysis, and all supportive documentation that served as a basis for approving or declining the credit facility;
  • requirements for monitoring credit-granting activities — the internal control framework should ensure that it covers all phases after the granting of credit;
  • where applicable, the criteria as set out in Sections 4.3.2, 4.3.3, 4.3.4, 4.3.5 and 4.3.6;
  • criteria as set out in Sections 4.3.1 and 4.3.7.

Within their credit risk policies and procedures and building on the credit risk strategy, institutions should also take into account principles of responsible lending. In particular:

  • they should consider the specific situation of a borrower, such as the fair treatment of borrowers that are in economic difficulties;
  • they should design credit products that are offered to consumers in a responsible way.

For the credit products that are offered to consumers, institutions should ensure that the credit-granting criteria are not inducing undue hardship and over-indebtedness for the borrowers and their households.

In their credit risk policies and procedures dealing with credit decision-making as referred to in paragraph 38(a) and creditworthiness assessments as referred to in paragraph 38(d), institutions should also specify the use of any automated models in the creditworthiness assessment and credit decision-making processes in a way that is appropriate to the size, nature and complexity of the credit facility and the types of borrowers. In particular, institutions should set out appropriate governance arrangements for the design and use of such models and the management of the associated model risk, taking into account the criteria set out in Section 4.3.4, and for model risk-related aspects of the EBA Guidelines on the supervisory review and evaluation process.

Institutions should ensure that the credit risk policies and procedures are designed to minimise the risk of internal or external fraud in the credit-granting process.

Institutions should have adequate processes in place to monitor any suspicious or fraudulent behaviour.

Institutions should review the credit risk policies and procedures on a regular basis, and for this purpose should clearly identify the functions and staff members tasked with maintaining specific policies and procedures up to date and their roles and responsibilities in this regard.

See Also


  1. EBA, Guidelines on loan origination and monitoring EBA/GL/2020/06

Contributors to this article

» Wiki admin