Bank of Japan Head Office
Releases 1998

Checklist for Risk Management

I. Management and Internal Controls


A. Management Policy

1. Soundness and clarity of management policy
Check points Specific sample questions
a. Soundness, rationality, and integrity of management policy
Has the management established a sound and rational policy (short- and long-term strategies) with full consideration given to current and future management conditions?
  • When drawing up management policy, does the management take into consideration soundness, rationality, and feasibility?
  • Is the management policy integrated?
b. Clarity and permeability of management policy
Is the management policy clear and well understood, and does it function well?
  • Is the management policy clear with respect to criteria for action by each department?
  • Is the policy well understood throughout the entire organization, and does it function well?
  • Does the bank compile a medium- and long-term business plan (e.g., every 3-5 years)?
  • Does the bank compile a business plan (annually or semiannually)?
  • Does the department in charge of management planning regularly monitor the level of accomplishment and make necessary adjustments?


2. Permeability of risk management policy
Check points Specific sample questions
a. Understanding of risk management
Does the management accurately recognize the types of risk and risk exposure inherent in the bank's portfolio and understand the method of risk management, and has it encouraged the bank to establish full awareness of the importance of risk control throughout the bank?
  • Does the management have high professional moral standards and make efforts to establish awareness of the importance of internal controls among employees?
  • Does the management recognize internal and external factors constituting potential risks to the bank, and is the management aware of the different types and degrees of risk and risk exposure inherent in these factors?
  • Does the management recognize different risk management methods according to the types of risk and risk exposure?
  • Does the management set limits to the acceptable amount or degree of risks inherent in the bank and adequately instruct relevant sections?
b. Basic strategy for risk management
Is the management actively involved in drawing up strategies and establishing the framework for risk management giving due consideration to the balance between various risks to the bank's capital and also the strategic importance of its risk-taking?
  • Is the management clearly aware of its responsibility for drawing up appropriate and adequate risk management policy?
  • Does the board of directors decide basic policy vis-a-vis risk-taking and risk control giving due consideration to the balance between various risks to the bank's capital as well as each business operation?
  • Does the management regularly check the effectiveness of its risk management system?
  • Does the management possess the necessary framework, system, and procedures for identifying, monitoring, and controlling various risks?
  • Does the management aim to build a comprehensive risk management system on an institution-wide basis?
c. Diversification of risks
Does the bank diversify risks in the operation of its various businesses?
  • Is the bank aware of the necessity of diversifying fund-raising sources and investment vehicles?
  • Does the bank have in place an organization and operational framework that further emphasizes the importance of risk management rules and regulations, such as limits on exposure to a single borrower?
  • Does the bank avoid excessive dependency on a specific counterparty in its business operation?
  • Is it possible to monitor risks so as to detect any undue concentration?
d. Countermeasures against payment failure of other banks
Does the management understand the effects of payment failure by other banks and resulting instability of the financial system, and have in place appropriate countermeasures?
  • Does the management clearly understand the loss-burden rule applying to payment and settlement systems such as the Zengin Data Telecommunications System (Zengin System), Foreign Exchange Yen Settlement System, and CD on-line tie-up, and implement appropriate countermeasures against inherent risks?
  • Does the bank have in place countermeasures against payment failure by other banks or resulting financial system instability?



B. Internal Controls

1. Organization, delegation of authority, and reporting system
Check points Specific sample questions
a. Organization
Is the bank adapting its organization so as to strengthen the risk management system and to implement flexible countermeasures to meet changes in the financial environment?
  • Is the bank adapting its organization and staff allocation so as to strengthen the risk management system?
  • Is the burden of responsibility regarding business operations and risk management clearly defined?
  • Does the bank have in place a system that can control risk exposure while responding to economic change by utilizing research department data?
  • Does the bank have in place an internal control system capable of swiftly and adequately dealing with newly recognized risks arising from changes in the environment, etc.?
  • Is the bank aware of the necessity for organizational reform in line with changes in the environment, etc., and is there a department responsible for planning and implementing measures in response to such changes?
  • Does the institution-wide risk management section regularly assess the effectiveness of the bank's overall risk control system?
b. Separation of responsibilities
Are the framework and procedures for decision-making clarified? Are delegation of authority and allocation of responsibilities conducted appropriately from the standpoint of securing a double-checking system and avoiding conflict of interest? Are these procedures clearly stipulated in the internal rules for delegation of authority?
  • Are internal rules for the delegation of authority rational from the standpoint of securing double-checking of operations and risk control in line with business expansion?
  • Has the bank confirmed that there is no excessive concentration of authority nor extreme delegation of authority to subordinates?
  • Does the bank have in place a framework where monitoring and evaluation of major risks are conducted by a specializing section independent from the business promotion department?
  • Are risk management responsibilities clearly defined among the board of directors, ALM committee, directors in charge, and department heads?
  • Does the department head keep to the unavoidable minimum the range of duties where a sufficient double-checking system cannot be applied, and does the bank have in place a system for close monitoring?
c. Reporting of business information
Does the bank have in place an appropriate reporting system by which the management can receive valuable information on business operations and risk management? Are decisions made by the management clearly understood by the entire organization?
  • Does the bank have in place an appropriate reporting system by which directors in charge and the board of directors receive information on business operations and risk management without undue delay?
  • Does the bank have a consistent reporting format, giving due consideration to easy comprehension and coherency of contents?
  • Are decisions made by directors in charge and the board of directors adequately communicated to, and understood by, concerned sections (including domestic and overseas branches)?
  • Does the bank have in place a regular reporting system to senior officers and management regarding risk management?

2. Staff recruitment and training
Check points Specific sample questions
a. Staff recruitment
Does the bank recruit staff with appropriate experience, skill levels, and degree of expertise to undertake specialized business operations?
  • Does the bank recruit staff with appropriate experience, skill levels, and degree of expertise to undertake specialized business operations, in particular, those relating to risk management?
  • Do staff members actively take part in business operations in line with their position and responsibilities?
  • Does the bank recruit staff based on an employment plan?
b. Training
Does the management have a clear policy on staff training?
  • Does the on-the-job training (OJT) program function adequately?
  • Does the bank have training programs according to qualifications and job description?
  • Does the bank revise training programs in accordance with changes in business operation and sophistication of risk management?

3. Internal audit
Check points Specific sample questions
a. Audit system
Does the bank conduct effective internal audits (headquarters audit and in-house audit) to enhance its risk management system and check the thoroughness of internal rules?
  • Are the frequency, check points, and scope of internal audits adequate?
  • Does the internal audit section/department have auditors with expertise in each business area, and are they able to effectively audit the bank's overall operation?
  • Does the internal audit section/department have access to all relevant documents and vouchers?
  • Does the bank conduct regular internal audits of all departments, including headquarters, and of all operations other than those customarily exempted from auditing?
  • Is the internal audit section/department completely independent from other sections/departments, and does it directly report to the management?
b. Follow-up of audit
Does the management give prompt and adequate attention to audit results, and take appropriate measures if problems are detected?
  • Are internal audit results reported to the management promptly and accurately?
  • Is information useful for improvement of operations regularly passed on to concerned departments such as the operations planning department?
  • Does the internal audit section/department take the initiative in directing improvement measures such as the revision of internal rules in order to prevent the reoccurrence of problems?
  • Does the management appropriately monitor whether improvement measures directed to sections/departments are carried out?



C. Profit/Loss Management and Risk Management of Affiliated Companies

1. Profit/loss management
Check points Specific sample questions
a. Monitoring of profit/loss
Do the management and individual departments within the organization monitor profit/loss while considering the balance between risk and return?
  • Does a specialized department (e.g., the financial department) monitor profit/loss from various viewpoints such as profit by customer and branch, and on a consolidated basis?
  • Does each department manage profit/loss bearing in mind the allocation of indirect costs?
  • Is due consideration given to risk profiles when assessing and determining profit/loss conditions?
  • Is there a computerized support system for profit/loss management (e.g., cost accounting of deposits and lending)?
b. Distribution of management resources taking into account risk and return
Is due consideration given to the balance between risk and return, and between risk and the bank's capital when distributing management resources to each department?
  • Does the bank thoroughly assess capital and other resources before embarking on a new business?
  • Does the management appropriately decide the resources distribution policy based on regular profit/loss reports?
  • Are limits on risk exposure set for each department taking into consideration the bank's capital?
c. Rational pricing
Is pricing of deposit and lending rates rational in view of operational/profit planning, market conditions, and risks?
  • Is the differential between actual market rates and pricing of deposit, lending, and derivatives rates within a rational range?
  • Is delegation of authority relating to pricing clearly defined?
  • In pricing, is consideration given not only to operations, profit, and market conditions, but also to operating cost, credit spread, and the premium for embedded options such as premature cancellation?

2. Risk management of affiliated companies
Check points Specific sample questions
a. Monitoring of profit/loss on a consolidated basis including affiliated companies
Is financial performance monitored appropriately on a consolidated basis or on the basis of including affiliated companies not subject to consolidated accounting?
  • Is financial performance monitored on a consolidated basis with full understanding of the business performance of companies subject to consolidated accounting?
  • Is financial performance monitored appropriately on the basis of including affiliated companies not subject to consolidated accounting taking into consideration degree of business affiliation?
b. Risk management of affiliated companies
Does the head office fully recognize the risks inherent in domestic and overseas affiliated companies, and monitor them appropriately?
  • Is there a section responsible for monitoring the business operations of affiliated companies (including non-bank financial institutions)?
  • Is the bank capable of checking unusual activities such as large fund transfers among affiliated companies?
  • Does the head office fully recognize the risk profiles inherent in overseas affiliated companies?
  • Does the bank regularly monitor risks to which domestic and overseas affiliated companies are exposed in order to ensure that they are within a rational range in proportion to their financial strength such as capital?



D. Compliance and Disclosure

1. Establishment of a framework for compliance
Check points Specific sample questions
a. Management understanding of legal compliance and action to achieve it
Does the management fully recognize the importance of complying with laws and regulations, market rules, and internal rules? Are they taking the initiative in raising compliance awareness?
  • Does the management fully understand that insufficient compliance can impair the management base?
  • Is the top management making efforts to ensure that recognition of the importance of compliance penetrates throughout the bank?
  • Is the management fully aware which bank operations are most likely to cause problems in terms of compliance?
  • When starting a new type of operation, does the management take into consideration the newly arising compliance risks?
b. Establishment and implementation of a framework for compliance
Has the bank established a framework and concrete procedures (a compliance program) to ensure consistent compliance? Are they appropriately implemented?
  • Are responsibilities with respect to compliance made clear by appointing an executive director and setting up a coordination department in charge? Are matters related to the bank's compliance such as planning, proposals, and monitoring under centralized control?
  • Does the bank have in place concrete procedures (i.e., planning of education and training programs, compiling codes of conduct and compliance manuals, drawing up internal rules, etc.) which effectively initiate compliance?
  • Do banks with overseas branches have a compliance officer for each country who regularly collects information about changes in local legislation?
  • Has the bank appropriately placed a person in charge of compliance in relevant departments and clearly stipulated their job descriptions in the allocation of duties? Have these positions been effectively put into practice (i.e., implementation of training programs and educational activities, consultation, investigation of any suspected rule violations, and swift reporting to the coordinating department)?
  • In the development and sales of new products, does the coordinating department confirm the legal compliance of its content and policy of customer explanation in advance?
  • Does the bank maintain close contact with its lawyers with a view to forestalling trouble and dealing with any incident appropriately and swiftly?
c. Monitoring and reporting to management
In addition to monitoring, does a department independent of operations sections conduct checks on compliance? Are lawsuits and problems that could harm the bank's reputation appropriately reported to the management?
  • Is the state of compliance in each type of bank business monitored by compliance officers and in-house audits on a daily basis?
  • Does the compliance officer promptly and appropriately report the state of compliance and any problems in each operations section to the coordinating department?
  • Does a department (i.e., the internal audit department) independent from the operations sections and the coordinating department regularly examine the state of compliance?
  • Does the coordinating or internal audit department promptly and appropriately report the state of compliance and any problems to the management and auditors (or auditors committee)?
  • Are incidents and accidents swiftly reported to the supervisory authorities? Is the credibility of the content of reports sent to other authorities assured?
  • Are summaries of customer complaints or lawsuits sent to branches in order to forestall problems?

2. Disclosure and accounting process
Check points Specific sample questions
a. Active disclosure of financial information and restraints on management
From the standpoint of fulfilling accountability to customers and shareholders, does the management actively and fairly disclose financial information? Is the management sufficiently monitored internally and externally in order to secure business operations?
  • Are the bank's management policy and strategies made widely known through disclosure magazines and other means?
  • Are major indicators of the bank's performance accurately disclosed?
  • Do the board of directors and auditors (or auditors committee) function appropriately to secure proper execution of business by the management? When required, does the bank appoint external board members and set up a compliance committee?
  • Does the management take due notice of the opinions of external auditors (letters of advice on improvement of internal control, i.e., management letters)? Does the management examine and implement appropriate improvement measures?
  • Does the bank actively initiate relations with investors, by for example, conducting briefings about its business performance for investors?
b. Appropriate accounting procedures
Is the bank's processing of daily accounts and annual financial statements sound?
  • Is the processing of daily accounts carried out properly?
  • Are annual financial statements produced in accordance with accounting principles?
  • Is there any unsound manipulation of the accounts (i.e., the figures that feed the financial statements and disclosures), such as deferring losses that should be recognized?
  • Are the write-offs and provisions required by self-assessment reflected in the financial statements?
  • Are soundness of accounting principles and reliability of financial statements secured through adequate auditing?



E. Contingency Plan

1. Compilation and understanding of a contingency plan
Check points Specific sample questions
a. Compilation of a contingency plan
Has the bank drawn up a countermeasure (contingency plan) against disasters and accidents?
  • Has the bank drawn up a comprehensive plan for the head office and all branches, and is there a manual for it?
  • Is there a section responsible for drawing up and coordinating the plan?
b. Understanding of the plan
Are the management and the staff aware of the contingency plan, and do they fully understand it?
  • Is the management aware of the plan, and do they fully understand it?
  • Are the staff aware of the plan, and do they fully understand it?
  • Is the plan approved by the board of directors?
c. Content of the plan
Does the contingency plan enable the bank to continue its operations in case of emergency?
(1) Managerial factors
  • Does the plan give due consideration to the safety of customers and employees in case of an emergency?
  • Does the plan clearly designate an emergency headquarters to be in charge of dealing with a crisis?
  • Does the plan assess the degree of impact an emergency will have on operations?
  • Does the plan clearly designate the priority level of each operation, delegation of authority, and arrangements for obtaining the necessary staff in case of an emergency?
  • Does the plan clearly state the order and method of contacting management and staff in case of an emergency?
  • Does the bank have a means of communication with entities operating payment systems and supervisory authorities, etc., in case of an emergency?
  • Does the bank have in place a public relations network (including the use of mass communications) directed at customers in case of an emergency?
(2) Material factors
  • Does the plan take into consideration electricity, water, and food supply?
  • Does the plan clearly designate the action necessary to protect assets, such as securing a warehouse for storage and deciding the procedure for evaluating damaged property?
  • Has the bank secured backup data in a vault and/or distant location?
  • Does the bank have in place a backup center or a backup contract with trustworthy subcontractors or other banks?
  • Has the bank secured multiple communications methods using private lines between the head office and branches, and between the computer center and branches?
  • Has the bank secured countermeasures (i.e., alternative office space, etc.) in the event of an emergency (in particular, for overseas branches)?
d. Review and on-site drilling of the plan
Does the bank have a system for reviewing the contingency plan when appropriate, and are on-site drills conducted regularly?
  • Does the bank have a system to review the plan when necessary?
  • Are on-site drills conducted regularly at the head office against possible shutdown of the system?
  • Are on-site drills conducted regularly at both the head office and branches?
  • Are results of on-site drills reported to management after appropriate assessment, and utilized in reviewing the plan?


