Risk Governance
As part of the overall corporate governance framework, the Board of Directors is responsible for overseeing a strong risk governance framework. The Bank has established a solid risk governance framework, which serves as the foundation for consistent and effective risk management. The risk governance framework mainly consists of a clear risk governance structure, risk appetite, risk management policies, consistent risk management processes, and an embedded risk culture. The Board of Directors holds ultimate responsibility for bank-wide risk management and ensures that the whole risk governance framework is well communicated throughout the organization. For effective risk oversight, the Risk Oversight Committee (ROC) has been delegated by the Board of Directors to review and oversee the management of all risks across the Bank and is authorized to approve certain parts of the Bank’s risk management strategies, policies, frameworks and standards, as well as aggregate risk tolerance and risk concentration levels.
Risk Management Processes
Risk Management in the Bank consists of 5 key risk management processes:
- Risk Appetite Setting: The Bank annually sets risk appetites for various risk types (Credit, Market and Non-Financial Risk). These appetites are input for and aligned with the business planning process, are discussed in and endorsed by the relevant Sub-Committees, and ultimately approved by the Board of Directors. Actual performance is regularly measured against and reported on the basis of these risk appetites.
- Risk Identification: The Bank classifies risks arising from daily business activities into 6 key risk areas: Credit Risk, Market Risk (including but not limited to Foreign Exchange Risk and Interest Rate Risk), Liquidity Risk, Non-Financial Risk (comprising Operational Risk, IT Risk, Compliance Risk including Market Conduct Risk, and Legal Risk), Strategic Risk and Reputational Risk.
- Risk Assessment & Measurement: The Bank uses different methods and tools to measure various risk types in both quantitative and qualitative aspects. In addition, the Bank also conducts Stress Testing for material risks to measure the quality and resilience of the Bank’s portfolio and the Bank’s capacity to absorb the impact resulting from various stress event scenarios.
- Risk Monitoring and Control: The Bank regularly monitors, controls, and mitigates risks by setting key risk indicators, risk limits, as well as risk appetite at bank-wide, portfolio, product and other levels as deemed appropriate.
- Risk Reporting & Communication: The status of the various risk types, covering both financial risk and non-financial risk, together with the actions taken or to be taken, is reported to the relevant parties/committees and top management on a regular basis. The risk reports cover the product level, portfolio level, functional level, and the bank-wide level.
Three Lines of Defense
Over recent years, the Bank has invested significantly in strengthening its risk management culture by establishing three lines of defense. In this structure, the employees in the business units (the 1st line of defense) identify risks, consider their impact, report where necessary and apply appropriate risk mitigation strategies. Investments include training, tooling, processes, and policies. Risk Management units under the Chief Risk Officer perform the 2nd line of defense duties: formulating risk strategy and appetite, policies, guidelines, standards, and appropriate risk structures; providing oversight of and monitoring the 1st line of defense; and actively challenging the risk-return trade-off in the business units. Internal Audit, as the 3rd line of defense, provides independent and objective assurance on the effectiveness of controls and recommends improvements to the governance, risk and control framework.
Risk Culture
Fostering a solid risk culture throughout the Bank is a fundamental component of effective risk management. Several measures have been implemented to ensure that risk awareness is instilled from the highest level of the organization. Examples include:
- Regular provision of risk management knowledge to the Board of Directors.
- Incorporation of risk management metrics into a corporate KPI, which is cascaded down to senior management and relevant employees. Risk modifier metrics are used to ensure that senior management is accountable for the implementation of risk and control measures. The risk modifier metrics include, but are not limited to, the completion of risk and control self-assessment activities, compliance with AML/KYC/CDD, and other related regulatory requirements. Any delayed, off-target or overdue deliverables in relation to significant risks and controls are monitored in the risk oversight dashboard and shall be considered a disincentive for the senior executives.
- Mandatory e-learning on risk topics is provided to employees on an annual basis to ensure that all employees develop risk awareness in their day-to-day responsibilities. Topics include non-financial risk management, PDPA (Personal Data Protection Act), cybersecurity risk awareness, fraud risk management, anti-corruption, market conduct, anti-money laundering, and counter-terrorism and proliferation of weapons of mass destruction financing.
- ttb awards – an annual innovation competition aiming to motivate employees to propose initiatives that promote customers’ financial well-being and/or improve the Bank’s performance in six key areas, including a specific focus on data and risk management.
- Incorporation of proper risk assessment for all products and services that the Bank intends to offer to customers into the Products and Services Approval Process (PSAP). The process ensures that adequate risk assessments are performed and that effective mitigation controls are put in place to manage the inherent risks within the Bank’s appetite.