2023-02-26
The Supervisor of Banks mandates comprehensive risk management principles and governance structures for all banking corporations to ensure long-term financial stability. The directive requires institutions to establish a firm-wide risk management framework anchored by a board-approved risk appetite statement and a three-lines-of-defense model. It further obligates banks to appoint an independent Chief Risk Officer, implement robust risk identification and stress testing methodologies, and maintain continuous monitoring and reporting mechanisms aligned with strategic objectives.
Supervisor of Banks: Proper Conduct of Banking Business [3] (02/23) Risk Management Page 310-1 Risk Management Contents Chapter A General remarks
Risk Management
Chapter A: General remarks

Introduction
Definitions

3.
“Banking corporation”: As defined in the Banking (Licensing) Law, 5741-1981, excluding a banking corporation that is a joint service company but including an auxiliary corporation that is a credit card company.
“Risk management”: Processes for risk identification and assessment and measurement of risk exposures, monitoring of risk exposures and ongoing determination of appropriate capital requirements, monitoring and assessment of decisions relating to risk taking, risk mitigants, and reportage of risk exposures and capital positions to senior management and the board of directors.
“Firm Wide Risk Management”: An integrated approach to the identification, assessment, monitoring, and management of the totality of a banking corporation’s risks.
“Risk appetite”: A high-level determination of the extent of risk a banking corporation is willing to accept taking into account the risk/return attributes; it is often taken as a forward-looking view of risk acceptance.
“Risk tolerance”: A more specific determination of the level of variance that a banking corporation is willing to accept around its business goals, usually considered the amount of risk that a banking corporation is willing to accept.
“Risk profile”: An aggregate assessment of the risk inherent in a banking corporation’s exposures and business activity at a specific point in time, determined by means of various tools and means.
“Risk management framework”: A framework that includes risk management policies, procedures, limits, and controls.
“Risk concentration”: Any single exposure or group of exposures (e.g., to a single borrower or counterparty, including hedging providers, geographical area, economic industry, or other risk factors) that may inflict sufficiently large losses or material change in a banking corporation’s risk profile.
Risk management governance

4. Appropriate corporate governance for risk management is based on three lines of defense:
(a) Business line management
Business line management is responsible for the identification, assessment, management, monitoring, mitigation, and reporting of risks inherent in products, activities, processes, and systems in their purviews, and for the management of a sound environment of risk management control. Support functions such as IT management are part of the first line of defense.
(b) Independent risk management function
An independent risk management function is the second line of defense. Its job is to complement the management activities of the business line. This function has a reporting structure independent of the risk-generating business lines and is responsible for the planning, maintenance, and ongoing development of the banking corporation’s risk management framework. One of its major duties is to challenge the adequacy of the business lines’ inputs for risk management, risk measurement, the banking corporation’s reporting systems, and the adequacy of the outputs obtained. Other compliance, monitoring, and control functions such as the compliance and anti-money-laundering officer, the Chief Accounting Officer, and control of financial reportage are part of the second line of defense. A banking corporation shall define the interfaces between all functions that comprise the second line of defense to ensure coordination and cooperation.
(c) Internal audit
Internal audit provides independent review and challenges the banking corporation’s risk management controls, processes, and systems. Its duties are specified in Proper Conduct of Banking Business Directive 307, “Internal Audit Function.”
A strong risk culture and good communication among the three lines of defense are important characteristics of appropriate risk governance.

Risk management principles at a banking corporation

5. A banking corporation shall manage its risks in accordance with the following principles:
(a) Risks shall be managed from an integrated and firm-wide perspective up and down the management chain and also across business functions, using consistent methodologies and terminologies.
(b) Risks shall be identified and monitored on an ongoing basis, at both the group and the individual entity levels.
(c) Risks shall be managed from a forward-looking perspective that includes, along with regular monitoring of existing risks, identification of new or developing risks.
(d) The sophistication of the risk management and internal control systems shall be updated in response to changes in the banking corporation’s risk profile (including expansion) and in the external environment.
(e) The risk management processes shall capture all risks associated with the banking corporation, on and off the balance sheet, quantifiable and nonquantifiable, and at the group, portfolio, and business-line levels, and shall take into account the extent of overlap among risks.
Chapter B: Corporate Governance

Organizational risk management culture

6. A banking corporation shall assimilate an organizational culture based on strong risk management that supports professional and responsible conduct and provides appropriate norms and incentives for such conduct. To attain this goal, the board of directors and senior management shall:
(a) be sufficiently knowledgeable and expert in all significant areas of activity to ensure effective policies, controls, and risk monitoring systems for said activities;
(b) encourage all personnel at the banking corporation to identify and raise risk issues without relying on the risk management or internal audit functions for this purpose.
(c) ensure clear definition of powers and accountabilities so that banking corporation personnel will understand their duties and responsibilities for risk as well as their power to act in regard to it.
(d) ensure that risk management considerations are central in strategic and ongoing decisions.
(e) encourage information sharing and communication within the organization, both horizontally (laterally) and vertically (up the management chain), in a way that abets effective decision making.
(f) ensure alignment of remuneration policies with the banking corporation’s risk appetite, long-term strategic objectives, financial goals, and overall resilience, appropriately balancing risk and reward.

Board of directors

7. As part of its responsibility for the banking corporation’s business and financial resilience and the discharge of its risk management duties as set forth in Directive 301, the board of directors shall:
(a) devise a comprehensive risk strategy, including risk appetite as specified in Section 14;
(b) review and approve periodically, but at least once annually, a risk management framework anchored in a policy document for each material risk specified in Section 15;
(c) track senior management’s activities and ensure that the risk profile is consistent with the specified risk appetite in view of developments and changes in financial markets, the external environment, risk management practices, and the banking corporation’s activities;
(d) examine and approve new products before launching, as specified in Section 16.
(e) To discharge these duties, the board of directors shall, at the very least:
  (1) ensure that the Chief Risk Officer enjoys an appropriate status and that the risk management function that she or he heads is appropriately staffed, adequately resourced, and independent and effective in the discharge of its duties;
  (2) discuss the risk report specified in Section 22 at least once per quarter;
  (3) decide which matters it wishes to submit to the board of directors risk management committee for more thorough examination.
  (4) discuss annually the credit control activity review specified in Directive 319.

Risk management committee

8. The board of directors risk management committee shall:
(a) advise the board of directors about the comprehensive risk strategy, including current and future risk appetite, and about the way senior management applies the strategy in practice;
(b) communicate regularly with the Chief Risk Officer as specified in Section 10(d);
(c) call on outside experts where necessary, particularly in regard to strategically important business proposals such as mergers and acquisitions.

Senior management

9. Senior management bears full responsibility for risk management. Within this construct, it shall:
(a) formulate, assimilate, and implement a risk management framework based on the board of directors specified risk appetite set forth in Section 14;
(b) ensure that the banking corporation’s activities are conducted by personnel who have adequate experience, technical capabilities, and access to resources and information systems;
(c) ensure that banking corporation activities are consistent with board of directors approved risk appetite and policies;
(d) implement the new product process specified in Section 16;
(e) promote, by means of the finance and funding functions, effective risk management at the firm level, not only by supporting financial controls but also by using effective internal risk pricing. The cost of a business function’s internal sources should reflect material risks that the activities of the function pose to the banking corporation.

Chief Risk Officer

10. Management of a banking corporation shall appoint a Chief Risk Officer (CRO) and hold him or her explicitly responsible for the risk management function and the firm-wide comprehensive risk management framework. The CRO shall have the following status, independence, and responsibilities:
(a) The CRO shall be a member of senior management.
(b) The CRO shall be independent and shall have no additional responsibilities in the following respects:
  (1) executive or financial responsibility for business lines or income-generating functions;
  (2) responsibility for additional staff or control duties (e.g., Chief Accounting Officer, internal auditor, IT manager, etc.).
(c) The Supervisor of Banks may exempt certain banking corporations from the requirements in Sections (a) and (b) above.
(d) The CRO shall report directly and regularly to the CEO and the board of directors and shall call their attention, with emphasis, to risk management issues including risk concentrations and potential overshootings of the risk appetite that has been set. Beyond periodic reporting, the CRO shall communicate with these officers concerning key risk issues including developments inconsistent with the banking corporation’s risk appetite and strategy.
(e) The CRO shall have an appropriate status and power in the banking corporation, reflected in his or her ability to influence decisions that have implications for the banking corporation’s risk exposure.
(f) The interactions specified in Subsection (d) and the CRO’s actions in the field of risk management must not endanger the CRO’s independence.
(g) The dismissal of the CRO for any reason whatsoever shall take place per prior approval of the board of directors.
(h) The Supervisor of Banks shall be advised in advance about the appointment of the CRO and the termination of his or her service. In the case of termination of service, the circumstances of the CRO’s departure shall also be reported.

Risk management function

11. The risk management function shall operate in the following way:

Responsibilities
(a) The risk management function shall ensure that all risks to which a banking corporation is exposed are properly managed by the relevant functions and are shown to the board of directors from a holistic perspective. The function shall be responsible for adjusting the risk profile to the risk appetite that the board has established.
Even though the risk management function is central in leading and coordinating risk-related actions, prime responsibility for ongoing risk management belongs to business line management.
(b) The risk management function shall assess possible ways of managing risk exposures and shall, to the extent necessary, recommend ways to mitigate or hedge risk in order to limit exposure.
(c) The risk management function shall encourage senior management and business lines to identify and assess risks in a critical way that is not based on overly optimistic assumptions.
(d) The risk management function shall be involved in the following processes at the very least:
  (1) planning risk strategy, including formulation of the risk appetite;
  (2) constructing and updating the banking corporation’s comprehensive risk management framework, as specified in Section 15;
  (3) assessing capital and liquidity adequacy (the ICAAP process);
  (4) approving new products, as specified in Section 16;
  (5) estimating potential risks in mergers and acquisitions;
  (6) approving and validating risk measurement and assessment systems, including models and stress tests.
  (7) material organizational changes at the banking corporation;
  (8) approving material transactions with related parties;
  (9) identifying risks originating in complex legal structures;
  (10) approving material credit exposures, as specified in Directive 311.

Status and independence
(e) The risk management function shall be sufficiently independent of the business lines whose activities and exposures it examines.
(f) Notwithstanding the contents of Subsection (e), the risk management function shall have enough access to business lines to understand the business and shall have access to vital information.
(g) The board of directors, senior management, and business lines shall ensure that the risk management function’s views figure importantly in the considerations behind business decisions.
(h) Remuneration for the risk management function shall be based mainly on the attainment of the function’s goals and shall not prejudice its independence. (For example, remuneration must not be materially linked to business lines’ income.)

Resources
(i) A banking corporation shall verify, by means of its planning and budgeting processes, that the risk management function has enough resources (in qualitative and quantitative terms) to discharge its duties and exercise its powers, including the need for adequate risk assessment and, specifically, human resources and access to Management Information Systems, system development resources, and internal information.
(j) Risk management function staff shall be sufficiently knowledgeable, experienced, and trained, including proficiency in risks, to challenge business lines in all aspects of risk that stem from their activities. For this purpose, banking corporations shall:
  (1) offer extra remuneration and incentives so that the function can recruit and retain appropriately qualified personnel;
  (2) encourage business lines’ officers to accept a role in the risk management function as part of their compulsory career development path;
  (3) develop a professional training and development program that will help function personnel to maintain and enhance their professional capabilities.
(k) The risk management function shall be entitled, at its discretion, to free and direct access to banking corporation records, information, and information systems throughout the group in Israel and abroad, subject to the law.
Internal audit

12. Internal audit and the risk management function shall interrelate in the manner specified in Proper Conduct of Banking Business Directive 307, “Internal Audit.”

Group-wide risk management

13. Banking corporations shall have in place a group-wide risk management system, as set forth below:

Parent company
(a) Parent companies shall maintain a group-wide risk strategy perspective and establish a group-wide risk policy.
(b) Parent companies shall ensure that subsidiaries receive appropriate tools and powers for group-wide risk management and that subsidiaries understand the reporting requirements that they must satisfy vis-à-vis the parent company.

Subsidiaries
(c) A subsidiary’s board of directors and management shall be responsible for effective risk management processes at the subsidiary.
(d) Subsidiaries shall operate on the basis of the group-wide strategy and policy, to which they shall make adjustments and risk assessments in accordance with local circumstances. Said adjustments and assessments shall be brought to the knowledge of the parent company.
(e) The subsidiary’s management, with oversight from the subsidiary’s board of directors, shall assess and ensure that the group-wide risk management assessments and processes are suited to the nature of the subsidiary’s activity. The outcomes of the assessment shall be brought to the knowledge of the parent company.
(f) A subsidiary’s stress tests shall be devised in accordance with the group-wide methodology and their outcomes shall be brought to the knowledge of the parent company so that the parent company may examine their potential implications for itself.
Chapter C: Risk appetite and risk management framework

Risk appetite

14. A banking corporation shall prepare a comprehensive risk appetite document at the firm level, as follows:
(a) A banking corporation’s risk appetite shall be consistent with its business strategy (including an assessment of business opportunities), its liquidity and funding sources plan, and its capital plan.
(b) In defining the risk appetite, banking corporations shall take all risks into account: material, quantifiable and non-quantifiable, contingent, off-balance-sheet, and non-contractual.
(c) The risk appetite statement shall include quantitative and qualitative elements that are mutually consistent and that shall aim to allow the board of directors and senior management to determine whether the actual risk level is consistent with the specified risk appetite, including:
  (1) a well-defined range of quantitative indicators that capture all requisite information for understanding the risk appetite, including methodologies, assumptions, and additional critical information;
  (2) qualitative elements, including strategic directions and limits of the desired business focus, undesired activities, and guidance and direction for senior management on underlying principles of the risk management framework at the firm-wide level and for each risk.
(d) In determining the risk appetite, account shall be taken of capital and funding source constraints and the banking corporation’s obligations (e.g., regulatory requirements and limits) as well as the effect of potential stress events (e.g., acute deterioration in market conditions).
(e) The risk appetite shall be enunciated in language that is clear and understandable to the board of directors and shall serve as a basis for the setting of risk policies and limitations. Limitations shall be determined on a cascade-down basis, from the firm-wide level to the business function taking the risk. They shall be neither so strict as to allow no possibility of breach nor so lenient as to make breaches routine. Utilization of risk appetite shall be measured on a consolidated basis and shall be subject to regular monitoring against the limits.
(f) The document shall be ratified by the board of directors at least once per year on the basis of up-to-date risk information and indicators. Any change in risk appetite shall be subject to orderly and documented approval and the reasons for the change shall be specified.

Risk management framework

15. The risk management framework shall be consistent with the risk appetite and shall be anchored in a policy document that specifies the overall risk management policy, the internal exposure limits, and the way each material risk shall be managed.
(a) The policy document shall include the following topics at the very least:
  (1) standard definitions of operational risk terms to ensure consistency of risk identification, exposure rating, and risk management objectives;
  (2) description of the risk management governance structures, including lines of reportage, accountabilities, and clear separation among the three lines of defense specified in Section 4;
  (3) description of the methodologies and tools used to identify, measure, assess, and monitor risks, as set forth in Chapter D below, and of how they are to be used;
  (4) description of the banking corporation’s approach to establishing and monitoring risk exposure limits;
  (5) description of risk exposure limits and strategies and approved risk mitigation instruments;
  (6) risk reporting rules, including rules for the treatment of overshooting of limits, and a Management Information System (MIS) as specified in Chapter E.
(b) The policy document shall be reviewed at least once a year and updated in view of developments and changes in the external activity environment and in the banking corporation’s strategy, products, activities, and systems.
(c) The risk management framework shall be based on an appropriate internal control environment and shall be anchored in clear procedures that will assure the existence of risk management processes that:
  (1) are managed efficiently and effectively;
  (2) ensure reliability, completeness, and timeliness of financial and management information;
  (3) verify compliance with the banking corporation’s obligations—statutory, regulatory, etc.

New product

16. A banking corporation shall have new product approval policies that regulate the review and approval of each new product before it is launched:
(a) For the purposes of this Section, a “new product” shall include, apart from a new product, a new activity, significant changes in existing products or activities, and entering new markets.
(b) The new product approval process shall:
  (1) include an assessment of the risks inherent in the new product and their effect on the risk profile, including in all that relates to customers’ issues regarding the new product;
  (2) examine how well equipped the relevant functions are, in terms of tools and expertise, to identify, measure, monitor, control, and report on the risks inherent in the new product.
  (3) determine that the product complies with the legal requirements and relevant regulations.
(c) All relevant functions shall take part in the new product approval process, including risk management, legal adviser, compliance officer, Chief Accounting Officer, IT manager, information security manager, business line, and internal audit players. A banking corporation shall delay the approval of a new product until these functions confirm that the banking corporation has appropriate risk management resources, infrastructures, and processes in place.
(d) The risk management function:
  (1) may determine that changes in an existing product or service shall trigger the new-product approval process.
  (2) shall provide, as part of the new-product approval process, a full and candid risk assessment in a range of scenarios as well as an assessment of potential risk management and internal control weaknesses that may impair the banking corporation’s ability to manage these risks effectively.
(e) A banking corporation shall have in place a process for the assessment of the risk and performance level of approved new products relative to the preliminary assessment and shall adjust risk management processes accordingly.
(f) A banking corporation shall apply in writing to the Supervisor of Banks before it begins to produce the following new products:
  (1) a transaction in an nth-to-default credit derivative;
  (2) a securitization transaction in which it is a non-investing party (i.e., an originator or a third party that hedges a securitization exposure by providing credit enhancement or a liquidity instrument).
  (3) execute activity related to crypto assets. In this regard: “crypto asset”—any digital asset implemented via cryptographic technology.
(g) An application to the Supervisor of Banks as noted in Section (f) above shall include a detailed description of the new product, including an analysis of the risks inherent in the product or activity. The Supervisor of Banks may provide notice within 21 days regarding the Supervisor’s intention to examine the application. If the Supervisor provided notice that he intends to examine the application, the Supervisor shall send his stance regarding it no later than 90 days from the date of receiving all the information required for the examination.
Chapter D: Risk identification, measurement, and assessment

Risk identification, measurement, and assessment methodologies

17. A banking corporation shall develop risk identification, measurement, and assessment methods and tools that are consistent with the principles specified in Section 5. These methods and tools shall be based, inter alia, on the following guidelines:
(a) Risk analysis shall include quantitative and qualitative elements.
(b) A banking corporation shall avoid overreliance on any specific risk measurement method and shall, to the extent possible, employ a range of measurement tools or methods to test exposures from different angles of observation.
(c) A banking corporation shall acknowledge and understand the intrinsic assumptions and limits of its measurement methods.
(d) Risk measurement shall cover a range of scenarios and shall not be based on overoptimistic assumptions about dependencies and correlations.
(e) A banking corporation shall avoid overreliance on external risk assessments.
(f) A banking corporation shall regularly review performance retroactively against risk estimates (backtesting). The outcomes of the tests shall be used to estimate the accuracy and effectiveness of the risk management process and to adjust the measurement methods and models as necessary.
(g) A banking corporation shall act to identify and analyze risk concentrations that originate in similar exposures in different parts of the organization (one risk factor or a set of risk factors that have a common denominator or a correlation). For this purpose, the banking corporation shall total similar exposures, including those in different business lines, across legal entities, types of assets, areas of risk, and geographical regions.
Models

18. The use of models, including those purchased from an outside supplier, shall be subjected to preliminary and ongoing verification as specified in “Model Verification Guidance,” October 17, 2010.

Stress testing

19. A banking corporation shall complement its risk management approaches by using forward-looking stress tests based on complex quantitative models, as specified below.
(a) Stress tests shall help a banking corporation in the following processes:
  (1) capital and liquidity planning;
  (2) testing the banking corporation’s risk appetite;
  (3) identifying existing or potential risk concentrations;
  (4) developing risk mitigation tools or business continuity plans.
(b) The board of directors and senior management shall be involved in setting stress test goals, defining scenarios, discussing stress test results, assessing potential actions, and making decisions. Senior management shall oversee the development and implementation of the stress tests.
(c) Stress test results shall be forwarded to relevant business lines and cited in their considerations. The results shall contribute to strategic decision-making and encourage internal discussion of assumptions relating to the cost, risk, and speed of capital raising and hedging or selling a position.
Chapter E: Risk monitoring and reporting

Management Information System

20. Risk monitoring and reporting shall be based on automated Management Information Systems (MIS) that will provide the board of directors and senior management with clear, accurate, relevant, and timely information about the banking corporation’s risk profile.
(a) The MIS shall:
  (1) allow the totaling of risk positions and indicators across business lines (e.g., geographically and by types of risk);
  (2) aid in identifying risk concentrations of relevance to the banking corporation and evolving risks;
  (3) identify and forewarn about breaches of limits;
  (4) allow forward-looking scenario analyses;
  (5) reflect hedging and risk-mitigation transactions.
(b) The MIS shall be flexible enough to adjust to changes in underlying risk assumptions and to present a risk exposure from different angles of observation.

Risk reporting system

21. A banking corporation shall maintain effective communication, both horizontal (across the organization) and vertical (up the management chain), to help avert decisions that are not consistent with the exposure to change. Such communication shall be based on the reporting array specified below:
(a) Reporting frequency and structure shall correspond to what is considered appropriate for the type of risk and requirements presented by the board of directors and management.
(b) Information shall be presented to the board of directors and management in a way that is timely, complete, comprehensible, and accurate, so that these organs will have tools for intelligent decision-making.
(c) Management and those responsible for control functions shall present information that does not conceal charged issues or weaknesses that carry risk potential, and shall refrain from submitting irrelevant information in quantities that impair reporting effectiveness.
(d) Risk monitoring and reporting shall be both disaggregated and upward-aggregated in order to elicit a firm-wide or consolidated picture of risk exposures.
(e) The reporting system shall present clearly any deficiencies or limitations in risk estimates and any significant underlying assumptions on which the estimates are based.
(f) A banking corporation shall create mechanisms for effective information-sharing among its functions.
(g) A banking corporation shall introduce periodic reviews of the quantity and quality of information that the board of directors receives or should receive, in order to ensure succinctness and clarity in the presentation of risk information.

Risk report

22. The risk report shall provide a concise and clear presentation of the risk profile so that the board of directors may monitor management actions and ensure their consistency with its approved risk appetite and risk management framework.
(a) The risk report shall include at least the following information:
  (1) a description of developments in the banking corporation’s risk profile and risk factors relative to the risk appetite and exposure limits established, as of the statement date and over time. This description shall relate to the full range of material risks and include an analysis of external and internal factors that have a material bearing on the banking corporation’s current or future risk profile;
  (2) an itemized account of deviations from the banking corporation’s risk appetite and exposure limits in the reporting period and a description of management’s actions to deal with them;
  (3) stress test results and forward-looking scenario analyses that help to examine the banking corporation’s ability to stay within the established risk appetite under a range of problematic circumstances;
  (4) an itemized account of main weaknesses and deficiencies identified in infrastructures, systems, and working processes and their impact on the effectiveness of risk management and control, including reference to how these weaknesses and deficiencies were treated.
(b) The risk report shall be discussed at least once per quarter by the board of directors risk management committee and by the board plenum, and shall be included in any discussion of material changes in the risk profile.
(c) Responsibility for coordinating the report and presenting it to the board of directors shall belong to the CRO.
(d) The risk report shall call special attention to risks that deserve further analysis, including information about risk concentrations, and shall encourage appropriate discussion of matters such as current and potential exposures, risk/return ratios, risk appetite, etc.

Updates

Circular 06 no.   Version   Details             Date
2356              1         Original circular   Dec. 27, 2012
2669              2         Update              September 30, 2021
2741              3         Update              February 26, 2023