2011-10-25

Bank Indonesia Circular Letter No. 13/23/DPNP - Amendment to Circular Letter No. 5/21/DPNP concerning Risk Management Implementation for Commercial Banks

Bank Indonesia issued Circular Letter No. 13/23/DPNP to amend the risk management implementation guidelines for conventional commercial banks in Indonesia. The regulation mandates that banks finalize their risk management guidance by November 30, 2011, and submit it to the central bank within thirty days thereafter. It establishes comprehensive reporting requirements, including quarterly risk profile assessments covering eight specific risk categories and detailed liquidity risk reports such as weekly cash flow projections and monthly maturity profiles. These provisions officially replace conflicting previous circulars and appendices, with the new reporting formats and guidelines becoming effective on December 31, 2011.


Indonesia

Bank Indonesia


No. 13/23/DPNP

Jakarta, October 25th, 2011

CIRCULAR LETTER

Intended to ALL CONVENTIONAL COMMERCIAL BANKS IN INDONESIA

Regarding: Amendment to Circular Letter No. 5/21/DPNP concerning Risk Management Implementation for Commercial Banks.

With regard to Bank Indonesia Regulation Number 5/8/PBI/2003 concerning Application of Risk Management for Commercial Banks (Official Gazette of Republic of Indonesia Number 56 Year 2003, Additions to Official Gazette of Republic of Indonesia Number 4292), as amended by Bank Indonesia Regulation Number 11/25/PBI/2009 (Official Gazette of Republic of Indonesia Number 103 Year 2009, Additions to Official Gazette of Republic of Indonesia Number 5029), Bank Indonesia Regulation Number 13/1/PBI/2011 concerning Bank Soundness Rating Assessment (Official Gazette of Republic of Indonesia Number 1 Year 2011, Additions to Official Gazette of Republic of Indonesia Number 5184), and Bank Indonesia Regulation Number 8/6/PBI/2006 concerning Consolidated Application of Risk Management by Banks that Control Subsidiaries (Official Gazette of Republic of Indonesia Number 8 of 2006, Additions to Official Gazette of Republic of Indonesia Number 4602), and in order to increase the effectiveness of implementation and harmonization with the above provisions, it is necessary to amend Circular Letter Number 5/21/DPNP of 29th September 2003 regarding Risk Management Implementation for Commercial Banks, as follows:

1. Provision number 3 is amended as follows:

   3. Finalization of the risk management guidance as referred to in number 2 is done at the latest on 30th November 2011 and is submitted to Bank Indonesia at the latest 30 (thirty) days after the amendment has been made.

2. Provision number 4 is amended as follows:

   4. Risk Management Standard Guidance for Commercial Banks at least contains:

      a. General Application of Risk Management, which consists of active oversight by the Board of Commissioners and Directors; sufficiency of policies, procedures, and limit establishment; sufficiency of the processes of Risk identification, measurement, supervision, and control, as well as the Risk Management information system; and a comprehensive internal control system.

      b. Risk Management Implementation for Each Risk, which covers 8 (eight) Risks, namely Credit Risk, Market Risk, Liquidity Risk, Operational Risk, Legal Risk, Strategic Risk, Compliance Risk, and Reputation Risk.

      c. Risk Profile Assessment, which consists of an assessment of inherent Risk and an assessment of the quality of Risk Management implementation that reflects the risk control system, either for the Bank individually or for the Bank in consolidation. The assessment covers 8 (eight) Risks, namely Credit Risk, Market Risk, Liquidity Risk, Operational Risk, Legal Risk, Strategic Risk, Compliance Risk, and Reputation Risk. In doing the Risk profile assessment, Banks must refer to Bank Indonesia provisions that govern Commercial Bank soundness rating assessment.

3. Appendix 1, Appendix 5, Appendix 6, and Appendix 7 are amended into Appendix 1, Appendix 5, Appendix 6, and Appendix 7, which are inseparable parts of this Bank Indonesia Circular Letter.

4. Provisions in Number 9 are amended as follows:

   9. Reporting

   In the framework of Risk Management implementation, Banks must submit reports as follows:

   a. Risk Profile report

      1) Banks must submit the Risk profile report, on an individual or consolidated basis, to Bank Indonesia quarterly for March, June, September and December, presented comparatively with the previous quarter, at the latest 15 (fifteen) working days after the end of the report month.

      2) The format and content of the Risk profile report refer to Appendix 5 and Appendix 6 of this Bank Indonesia Circular Letter.

      3) The Risk profile report which is submitted by Banks to Bank Indonesia must contain the same substance as the Risk profile report which is submitted by the Risk Management unit to the President Director and the Risk Management Committee.

      The mechanism of Risk profile assessment, Risk rating establishment and Risk profile rating establishment refers to Bank Indonesia regulations which govern Commercial Bank Soundness Rating assessment.

   b. Report of New Products and Activities

      The scope, format and submission method refer to Bank Indonesia regulations which govern reporting of new products or activities.

   c. Other reports, in case there are conditions that could potentially cause significant loss to the Bank's financial condition. Such conditions can be:

      1) The Bank has been set by Bank Indonesia in a status of Bank in intensive supervision or Bank in special surveillance;

      2) The Bank has Market Risk exposure and very significant Liquidity Risk; and/or

      3) External (market) conditions are fluctuating very sharply and tend to be beyond the Bank's control.

      This report is incidental, submitted to Bank Indonesia according to the latest condition of the Bank which has certain exposure and according to the result of Bank Indonesia's assessment of the Bank.

   d. Other reports related to Risk Management implementation, such as the Risk Management report for Liquidity Risk

      1) Within the framework of liquidity monitoring, Banks must submit the Risk Management report for Liquidity Risk to Bank Indonesia, which consists of:

         a) Cash Flow Projection report within the framework of liquidity position management and daily Liquidity Risk as referred to in point II. C. 3. c. 4). c). (2) of Risk Management Standard Implementation Guidance which is Appendix 1 of this Bank Indonesia Circular Letter; and

         b) Maturity Profile report in order to measure Liquidity Risk as referred to in point II. C. 3. c. 2). d). (2) of Risk Management Implementation Standard Guidance which is Appendix 1 of this Bank Indonesia Circular Letter, either in rupiah or foreign currency.

      2) The Cash Flow Projection report as referred to in point 1). a) covers cash flow projection data for the following week, broken down daily. The report is submitted weekly every Friday according to the Bank's internal format.

         Example: the Bank must submit the Cash Flow Projection Report on Friday, 7th October 2011, which consists of the cash flow projection for Monday, 10th October 2011 until Friday, 14th October 2011. In case Friday is a holiday, the report is submitted on the working day before it.

      3) The format of the Cash Flow Projection Report as referred to in number 2) at least includes on and off balance sheet entries that have significant transactions, according to the characteristics, business activities and complexity of the Bank, and must be applied consistently. Bank Indonesia may request Banks to adjust the format of the Cash Flow Projection Report which is submitted to Bank Indonesia. In case the Bank changes the format of the Cash Flow Projection Report which is submitted to Bank Indonesia, the Bank must inform Bank Indonesia of the reason for the change.

      4) The Maturity Profile report as referred to in point 1).b) is submitted to Bank Indonesia monthly in the scope and format according to Appendix 7 of this Bank Indonesia Circular Letter. The procedure of Maturity Profile report submission to Bank Indonesia follows Bank Indonesia provisions which regulate the Commercial Bank periodic report.

      5) As long as the format of the Maturity Profile Report in the Commercial Bank Periodic Report (LBBU) does not yet conform to the format in Appendix 7 of this Bank Indonesia Circular Letter, Banks are still obliged to submit the Maturity Profile Report according to the format in the applicable Bank Indonesia provisions which regulate the Commercial Bank periodic report.

      6) The Cash Flow Projection Report and Maturity Profile Report which are submitted on-line to Bank Indonesia are:

         a) Cash Flow Projection Report through the Commercial Bank's Head Office Report (LKPBU);

         b) Maturity Profile Report through LBBU.

      7) As long as the Cash Flow Projection Report has not been submitted online through LKPBU, the report must be submitted offline by Banks to Bank Indonesia at the following address:

         a) Direktorat Pengawasan Bank, Jl. M.H. Thamrin No. 2, Jakarta 10350, for Banks whose head office is in the working area of Bank Indonesia Head Office; or

         b) Kantor Bank Indonesia, for Banks whose head office is outside the working area of Bank Indonesia head office.

      8) Other than the compulsory report submission as referred to in number 1), Bank Indonesia in certain conditions may oblige Banks to submit reports related to Risk Management implementation for Liquidity Risk outside the time that has been set and/or other reports that must be submitted periodically. Examples of other reports that must be submitted periodically are the cash flow projection report within the framework of risk measurement as referred to in point II. C. 3. c. 2). D). (3) of Standard Risk Management Implementation Manual and the stress testing report as referred to in point II. C. 3. c. 2). d). (4) of Standard Risk Management Implementation Manual which are Appendix 1 of this Bank Indonesia Circular Letter.

   e. Other reports related to product publication or certain activity implementation, such as the report of activity implementation related to mutual funds and the report of implementation of marketing cooperation with insurance companies (bancassurance). The scope, format and submission method refer to applicable Bank Indonesia provisions.

5. Closing Provision

   1. At the time this Bank Indonesia Circular Letter comes into force, Bank Indonesia Circular Letter Number 11/16/DPNP of 6th July 2009 concerning Risk Management Implementation for Liquidity Risk and other implementation provisions related to Risk Management Implementation which are contrary to the regulations in this Circular Letter are revoked and declared not valid for Conventional Commercial Banks, except for provisions on reporting as referred to at number IV in Bank Indonesia Circular Letter Number 11/16/DPNP of 6th July 2009 on Risk Management Implementation for Liquidity Risk.

   2. Provisions on reporting as referred to at number IV in Bank Indonesia Circular Letter Number 11/16/DPNP of 6th July 2009 on Risk Management Implementation for Liquidity Risk are revoked and declared not valid on 31st December 2011 for Conventional Commercial Banks.

   3. Provisions on Appendix 1, Appendix 5, Appendix 6, and Appendix 7 as referred to at number 3 and reporting provisions as referred to at number 4 in this Bank Indonesia Circular Letter come into force on 31st December 2011.

This Circular Letter of Bank Indonesia comes into force on October 25th 2011.

So that every person concerned may be informed, it is ordered that this Circular Letter of Bank Indonesia be placed in the Official Gazette of the Republic of Indonesia.

Thus for your acknowledgement.

BANK INDONESIA,

MULIAMAN D.HADAD
DEPUTY GOVERNOR

APPENDIX 5

BANK INDONESIA CIRCULAR LETTER NUMBER 13/23/DPNP DATED October 25th 2011 CONCERNING AMENDMENT ON CIRCULAR LETTER NO. 5/21/DPNP REGARDING RISK MANAGEMENT IMPLEMENTATION FOR COMMERCIAL BANKS

RISK PROFILE FOR BANK INDIVIDUALLY

Bank Name :

Position : March 31st/June 30th/September 30th/December 31st 20…

| Risk Profile | Per Position Valuation: Inherent Risk Rating | Per Position Valuation: Risk Management Quality Rating | Per Position Valuation: Risk Level Rating | Previous Position Valuation: Inherent Risk Rating | Previous Position Valuation: Risk Management Quality Rating | Previous Position Valuation: Risk Level Rating |
|---|---|---|---|---|---|---|
| Credit Risk | | | | | | |
| Market Risk | | | | | | |
| Liquidity Risk | | | | | | |
| Operational Risk | | | | | | |
| Legal Risk | | | | | | |
| Strategic Risk | | | | | | |
| Compliance Risk | | | | | | |
| Reputation Risk | | | | | | |

Composite Rating: Risk Profile Rating (Per Position Valuation); Risk Profile Rating (Previous Position Valuation)

Analysis

Description of the bank's overall risk profile, covering the assessment of inherent risk and risk management implementation quality, with the analysis focused on the bank's significant risk exposures. Where the bank owns subsidiaries that must be consolidated, the bank calculates the impact of the subsidiaries' risk on the bank's risk profile, taking into consideration the subsidiaries' significance and materiality and/or the significance of the subsidiaries' problems.

RISK PROFILE FOR BANK IN CONSOLIDATION*)

Bank name :

Position : March 31st/June 30th/September 30th/December 31st 20…

| Risk Profile | Per Position Valuation: Inherent Risk Rating | Per Position Valuation: Risk Management Quality Rating | Per Position Valuation: Risk Level Rating | Previous Position Valuation: Inherent Risk Rating | Previous Position Valuation: Risk Management Quality Rating | Previous Position Valuation: Risk Level Rating |
|---|---|---|---|---|---|---|
| Credit Risk | | | | | | |
| Market Risk | | | | | | |
| Liquidity Risk | | | | | | |
| Operational Risk | | | | | | |
| Legal Risk | | | | | | |
| Strategic Risk | | | | | | |
| Compliance Risk | | | | | | |
| Reputation Risk | | | | | | |

Composite Rating: Risk Profile Rating (Per Position Valuation); Risk Profile Rating (Previous Position Valuation)

*) Only filled by a Bank that has Subsidiaries

Analysis

Description of the bank's overall risk profile, covering the assessment of inherent risk and risk management implementation quality, with the analysis focused on the bank's significant risk exposures. Where the bank owns subsidiaries that must be consolidated, the bank calculates the impact of the subsidiaries' risk on the bank's risk profile, taking into consideration the subsidiaries' significance and materiality and/or the significance of the subsidiaries' problems.

DEPUTY GOVERNOR OF BANK INDONESIA, MULIAMAN D.HADAD

APPENDIX 6

BANK INDONESIA CIRCULAR LETTER NUMBER 13/23/DPNP DATED OCTOBER 25TH 2011 CONCERNING AMENDMENTS ON CIRCULAR LETTER NUMBER 5/21/DPNP REGARDING RISK MANAGEMENT IMPLEMENTATION FOR COMMERCIAL BANKS

RISK ANALYSIS …………………… *)

Bank name :

Period :

Analysis

Risk Rating : Final conclusion on the inherent risk rating and the risk management implementation quality rating, so that it describes the bank's risk rating.

Inherent Risk : Description of inherent risk according to the assessment factors and the quantitative as well as qualitative indicators, so that it describes the bank's inherent risk rating.

Risk Management Implementation Quality : The analysis of Risk Management Implementation Quality is a conclusion on the bank's risk management implementation, which consists of risk governance; risk management framework; risk management process, human resources, and MIS; and risk control.

*) This working paper is used to support the analysis of the risks of bank activities, including credit risk, market risk, liquidity risk, operational risk, legal risk, strategic risk, compliance risk, and reputation risk.

*) Submitted at the submission period of the Risk Profile Report for Quarter 1 and Quarter 3, whereas submission for Quarter 2 and Quarter 4 is a part of Bank Soundness Rating Assessment reporting according to the applicable provisions.

DEPUTY GOVERNOR OF BANK INDONESIA, MULIAMAN D.HADAD

APPENDIX 7

BANK INDONESIA CIRCULAR LETTER NUMBER 13/23/DPNP DATED October 25th 2011 CONCERNING AMENDMENTS OF CIRCULAR LETTER NUMBER 5/21/DPNP REGARDING RISK MANAGEMENT IMPLEMENTATION FOR COMMERCIAL BANKS

MATURITY PROFILE REPORT (RUPIAH)

(in million Rupiah)

Columns: Posts; Outstanding; Due Date*): until 1 week; 1 week to 2 weeks; 2 weeks to 1 month; 1 month to 3 months; 3 months to 6 months; 6 months to 12 months; 12 months

Rows:

I. Balance Sheet

A. Assets

1. Cash
2. Placement in Bank Indonesia
   a. SBI
   b. Demand Deposit
   c. Others
3. Placement in other banks
4. Securities**)
   a. SUN
      1) Trading
      2) Available for Sale
      3) Hold to Maturity
      4) Loans and receivables
   b. Corporate securities
      1) Trading
      2) Available for Sale
      3) Hold to Maturity
      4) Loans and receivables
   c. Others
5. Loans
   a. Undue
   b. Due***)
6. Other bills
   a. Bills on reverse repo securities
   b. Others
7. Others

Total Assets

B. Liabilities

1. Third party funds
   a. Demand Deposit
   b. Saving
   c. Term deposit
      1) On call deposit
      2) Time deposit
      3) Others
2. Liabilities to Bank Indonesia
3. Liabilities to other banks
4. Securities
   a. Bond
   b. Subordinated ****)
   c. Others
5. Received loan
   a. Subordinated loan****)
   b. Others
6. Other liabilities
   a. Liabilities over reverse repo securities
   b. Others
7. Others

Total Liabilities

Difference of Assets and Liabilities in Balance sheet

II. OFF BALANCE SHEET

A. Off Balance Sheet Receivables

1. Commitment
   a. Undisbursed loan facilities
   b. Outstanding spot and derivatives buying position
      1) Spot
      2) Derivatives
   c. Others
2. Contingency*****)

Total Off Balance Sheet Receivables

B. Off Balance Sheet Liabilities

1. Commitment
   a. Undisbursed Loan facilities
   b. Outstanding Irrevocable L/C
   c. Outstanding spot and derivatives selling position
      1) Spot
      2) Derivatives
   d. Others
2. Contingency******)

Total Off Balance Sheet Liabilities

Difference of Receivables and Liabilities in Off Balance Sheet

Difference [(IA-IB)+(IIA-IIB)]

Cumulative Difference

*) Numbers are based on the due date according to the contract for contractual items and/or on the estimated due date, using various assumptions, for non-contractual items.

**) Including reverse repo securities

***) Filled with the estimated payment received on credit that has reached its contractual due date

****) Including those calculated in KPMM and submitted to LBU on the Loan Capital post

*****) That is estimated to affect cash flow (via receivables)

******) That is estimated to affect cash flow (via liabilities)

MATURITY PROFILE REPORT (FOREIGN EXCHANGE)

Columns: Posts; Outstanding; Due Date*): until 1 week; 1 week to 2 weeks; 2 weeks to 1 month; 1 month to 3 months; 3 months to 6 months; 6 months to 12 months; 12 months

Rows:

I. Balance Sheet

A. Assets

1. Cash
2. Placement in Bank Indonesia
3. Placement in other banks
4. Securities**)
   a. Corporate securities
      1) Trading
      2) Available for Sale
      3) Hold to Maturity
      4) Loans and receivables
   b. Others
5. Loans
   a. Undue
   b. Due ***)
6. Other bills
   a. Bills on reverse repo securities
   b. Others
7. Others

Total Assets

B. Liabilities

1. Third Party Funds
   a. Demand Deposit
   b. Saving
   c. Term deposit
      1) On call deposit
      2) Time deposit
      3) Others
2. Liabilities to Bank Indonesia
3. Liabilities to other banks
4. Securities Issued
   a. Bond
   b. Subordinated ****)
   c. Others
5. Received Loan
   a. Subordinated loan****)
   b. Others
6. Other liabilities
   a. Liabilities on reverse repo securities
   b. Others
7. Others

Total Liabilities

Difference of Assets and Liabilities in Balance sheet

II. OFF BALANCE SHEET

A. Off Balance Sheet Receivables

1. Commitment
   a. Undisbursed loan facilities
   b. Outstanding spot and derivatives buying position
      1) Spot
      2) Derivatives
   c. Others
2. Contingency *****)

Total Off Balance Sheet Receivables

B. Off Balance Sheet Liabilities

1. Commitment
   a. Undisbursed loan facilities
   b. Outstanding Irrevocable L/C
   c. Outstanding spot and derivative selling position
      1) Spot
      2) Derivatives
   d. Others
2. Contingency******)

Total Off Balance Sheet Liabilities

Difference of Receivables and Liabilities in Off Balance Sheet

Difference [(IA-IB)+(IIA-IIB)]

Cumulative Difference

*) Numbers based on due date according to contract for the contractual and/or estimated due date using various assumptions for the non-contractual due date.

**) Including reverse repo security

***) Filled with estimation of received payment on contractual due date credit

****) Including calculated in KPMM and submitted to LBU on Loan Capital post

*****) That is estimated that will affect cash flow (via receivables)

******) That is estimated that will affect cash flow (via liabilities)

DEPUTY GOVERNOR OF BANK INDONESIA,

MULIAMAN D.HADAD

MATURITY PROFILE REPORT FILLING GUIDANCE

GENERAL

A. The Maturity Profile Report presents assets, liabilities, and off balance sheet posts categorized by time scale. Mapping is done according to the remaining time until the due date according to the contract, for balance sheet and off balance sheet posts that have a contractual due date, and/or estimated using various assumptions, for balance sheet and off balance sheet posts that have no contractual due date (non maturity items).

B. The Maturity Profile Report aims to identify the occurrence of a liquidity gap in a certain time scale. The liquidity gap (difference) can be a positive gap (difference) or a negative gap (difference).

C. The Maturity Profile Report is compiled monthly for the end-of-month position and consists of the Maturity Profile Report in rupiah and the Maturity Profile Report in foreign currency. The Maturity Profile Report in rupiah is filled in millions of rupiah, while the Maturity Profile Report in foreign currency is filled in the equivalent of thousands of USD. For foreign currency denominations other than USD, conversion to USD uses the rate of exchange on the report date.

D. Time scale mapping is as follows:

   1. For due date until the next 1 (one) week;
   2. For due date more than next 1 (one) week until 2 (two) weeks;
   3. For due date more than next 2 (two) weeks until 1 (one) month;
   4. For due date more than next 1 (one) month until 3 (three) months;
   5. For due date more than next 3 (three) months until 6 (six) months;
   6. For due date more than next 6 (six) months until 12 (twelve) months;
   7. For due date more than next 12 (twelve) months.

E. Balance sheet posts which are put in the Maturity Profile Report are only posts with cash inflow and/or cash outflow characteristics, so not all balance sheet posts are put in the Maturity Profile Report. Examples of balance sheet posts which are not put in the Maturity Profile Report are fixed assets, foreclosed collateral (AYDA), abandoned property, equity participation, and capital.

F. For every balance sheet post (assets and liabilities), the balance column must equal the total of all the time scale columns and agree with the total which is reported in the Commercial Bank Monthly Report.

G. Off balance sheet posts which are put in the Maturity Profile Report are only the parts of certain posts which are predicted to affect cash flow (becoming receivables or liabilities).

H. For every off balance sheet post, the balance column must equal the total of the time scale columns.

REPORT POSTS IN RUPIAH

I. Details of balance sheet posts according to the enclosed report format are as follows:

A. Assets

1. Cash
2. Placement in Bank Indonesia
   a. SBI
   b. Demand Deposit
   c. Others
      What is put in this post is Placement in Bank Indonesia which cannot be put or grouped in either point a or b.
3. Placement in other banks
4. Securities
   Securities which are sold with a condition to be bought back (Repo) are also included in the Securities post.
   a. SUN
      1) Trading
      2) Available for Sale
      3) Hold to Maturity
      4) Loans and receivables
   b. Corporate securities
      1) Trading
      2) Available for Sale
      3) Hold to Maturity
      4) Loans and credit
   c. Others
      What are put in this post are securities which cannot be put or grouped in either point a or b.
5. Loans
   a. Undue is filled according to the total of undue credits according to the contract.
   b. Due is filled according to the estimation of received credit settlement based on due contracts.
6. Other bills
   a. Bills on reverse repo securities
   b. Others
      What are put in this post are Other Bills which cannot be put or grouped in point a.
7. Others
   What are put in this post are assets which cannot be put or grouped into post 1 until post 6.

B. Liabilities

1. Third Party Funds
   a. Demand Deposit
   b. Saving
   c. Term deposit
      1) On call deposit
      2) Time deposit
      3) Others
         What are put in this post are Term Deposits which cannot be put or grouped in either number 1) or number 2).
2. Liabilities to Bank Indonesia
3. Liabilities to other banks
4. Securities
   a. Bond
   b. Subordinated
      What is included in this post is subordinated Securities which are calculated in KPMM and reported in LBU on the Loan Capital post.
   c. Others
      What are put in this post are Securities Issued which cannot be put or grouped in either point a or point b.
5. Received Loan
   a. Subordinated Loan
      What is included in this post is Subordinated Loans which are calculated in KPMM and reported in LBU on the Loan Capital post.
   b. Others
      What is put in this post is Received Loans which cannot be put or grouped in point a.
6. Other Liabilities
   a. Liabilities on reverse repo securities
   b. Others
      What are put in this post are Other Liabilities which cannot be put or grouped in point a.
7. Others
   What are put in this post are liabilities which cannot be put or grouped into post 1 until post 6.

Posts that are not explained specifically in this filling guidance refer to the Commercial Bank Monthly Report.

II. Details of off balance sheet posts according to the enclosed report format are as follows:

A. Off Balance Sheet Receivables

1. Commitment
   a. Undisbursed loan facilities
   b. Outstanding spot and derivatives buying position
      1) Spot
      2) Derivatives
         The Derivatives post consists of forward, future, swap, option.
   c. Others
      What are put in this post are commitment receivables which cannot be put or grouped in either point a and point b.
2. Contingency
   All contingency receivables which are predicted to affect cash flow (become receivables).

B. Off Balance Sheet Liabilities

1. Commitment
   a. Undisbursed loan facilities
      Undisbursed loan facilities include facilities for customers and other banks. The facilities also cover committed and uncommitted facilities.
   b. Outstanding Irrevocable L/C
      Outstanding Irrevocable L/C consists of foreign L/C and local L/C.
   c. Outstanding spot and derivatives position
      1) Spot
      2) Derivatives
         The Derivatives post consists of forward, future, swap, option.
   d. Others
      What is put in this post is commitment liabilities which cannot be put or grouped in either point a and point b.
2. Contingency
   All contingency liabilities which are predicted to affect cash flow (become Liabilities).

Posts that are not explained specifically in this guidance refer to the Commercial Bank Monthly Report.

REPORT POSTS IN FOREIGN EXCHANGE

I. Details of balance sheet posts according to the enclosed report format are as follows:

A. Asset

1. Cash
2. Placement in Bank Indonesia
3. Placement in other banks
4. Securities
   Securities which are sold with a condition to be bought back (Repo) are included in the Securities post.
   a. Corporate securities
      1) Trading
      2) Available for Sale
      3) Hold to Maturity
      4) Loans and receivables
   b. Others
      What is put in this post is securities which cannot be put or grouped in either point a or b.
5. Loans
   a. Undue is filled with credits that have not reached their due date.
   b. Due is filled according to the estimated payment on credit received, based on due contracts.
6. Other bills
   a. Bills on securities that are bought with a promise to be sold again (Reverse Repo).
   b. Others
      What is put in this post is other bills which cannot be put or grouped in point a.
7. Others
   What are put in this post are assets which cannot be put or grouped into post 1 until post 6.

B. Liabilities

1. Third Party Funds
   a. Demand Deposit
   b. Saving
   c. Term deposit
      1) On call deposit
      2) Time deposit
      3) Others
         What are put in this post are term deposits which cannot be put or grouped in either number 1) or number 2).
2. Liabilities to Bank Indonesia
3. Liabilities to other banks
4. Securities Issued
   a. Bond
   b. Subordinated
      What is included in this post are subordinated Securities which are calculated in KPMM and reported in LBU on Loan Capital.
   c. Others
      What are put in this post are term deposits which cannot be put or grouped in either point a or point b.
5. Received Loans
   a. Subordinated loans
      What is included in this post are Subordinated loans which are calculated in KPMM and reported in LBU on the Loan Capital post.
   b. Others
      What are put in this post are received loans which cannot be put or grouped in point a.
6. Other Liabilities
   a. Liabilities on reverse repo securities
   b. Others
      What are put in this post are Other Liabilities which cannot be put or grouped in point a.
7. Others
   What are put in this post are Liabilities which cannot be put or grouped into post 1 until post 6.

Posts that are not explained specifically in this guidance refer to the Commercial Bank Monthly Report.

II. Details of off balance sheet posts according to the enclosed report format are as follows:

A. Off Balance Sheet Bills

1. Commitment
   a. Undisbursed loan facilities
   b. Outstanding spot and derivatives buying position
      1) Spot
      2) Derivatives
         The Derivatives post consists of forward, future, swap, option.
   c. Others
      What are put in this post are commitment receivables which cannot be put or grouped in either point a and point b.
2. Contingency
   All contingency receivables which are predicted to affect cash flow (become receivables).

B. Off Balance Sheet Liabilities

1. Commitment
   a. Undisbursed loan facilities
      Undisbursed loan facilities include facilities for customers and other banks. The facilities consist of committed and uncommitted facilities.
   b. Outstanding Irrevocable L/C
      Outstanding Irrevocable L/C consists of foreign L/C and local L/C.
   c. Outstanding spot and derivatives sell position
      1) Spot
      2) Derivatives
         The Derivatives post consists of forward, future, swap, option.
   d. Others
      What is put in this post is commitment liabilities which cannot be put or grouped in either point a and point b.
2. Contingency
   All contingency liabilities which are predicted to affect cash flow (become Liabilities).

Posts that are not explained specifically in this guidance refer to the Commercial Bank Monthly Report.

DEPUTY GOVERNOR OF BANK INDONESIA,

MULIAMAN D.HADAD

APPENDIX 1

BANK INDONESIA CIRCULAR LETTER NUMBER 13/23/DPNP DATE OCTOBER 25, 2011 CONCERNING THE AMENDMENT OF CIRCULAR LETTER NO. 5/21/DPNP CONCERNING RISK MANAGEMENT IMPLEMENTATION FOR COMMERCIAL BANKS

STANDARD GUIDELINES OF RISK MANAGEMENT IMPLEMENTATION FOR COMMERCIAL BANKS

DIRECTORATE OF BANKING RESEARCH AND REGULATION

TABLE OF CONTENTS

I. GENERAL GUIDELINES FOR THE IMPLEMENTATION OF RISK MANAGEMENT

A. Active Oversight from The Board of Commissioners and Directors
   1. Authority and Responsibility of the Board of Commissioners and Directors
   2. Human Resources
   3. Risk Management Organization

B. Policy, Procedure, and Limit Establishment
   1. Risk Management Strategy
   2. Risk Appetite and Risk Tolerance
   3. Policies and Procedures
   4. Limit

C. Process of Risk Identification, Measurement, Supervision, and Risk Control as well as Risk Management Information System
   1. Risk Identification
   2. Risk Measurement
   3. Risk Supervision
   4. Risk Control
   5. Risk Management Information System

D. Internal Control System

II. GUIDELINES FOR THE IMPLEMENTATION OF RISK MANAGEMENT FOR EACH RISK

A. Credit Risk
B. Market Risk
C. Liquidity Risk
D. Operational Risk
E. Legal Risk
F. Strategic Risk
G. Compliance Risk
H. Reputation Risk

III. GUIDELINES FOR THE ASSESSMENT OF RISK PROFILE

I. GENERAL GUIDELINES FOR THE IMPLEMENTATION OF RISK MANAGEMENT As stipulated in Article 2 of Bank Indonesia Regulation Number 5/8/PBI/2003 as amended by Bank Indonesia Regulation Number 11/25/PBI/2009 concerning The Risk Management Implementation For Commercial Banks, Banks are obliged to implement Risk Management effectively, whether for Banks individually or for Banks in consolidation with their Subsidiaries, which at the least includes 4 (four) pillars as follows:

  1. Active oversight from the Board of Commissioners and Directors;

  2. Sufficiency of policy, procedure, and limit establishment;

  3. Sufficiency of identification process, measurement, surveillance, and Risk control, as well as Risk Management information system; and

  4. Comprehensive internal control system.

Risk Management Principles from each pillar are described as follows:

A. Active Oversight from The Board of Commissioners and Directors

The Board of Commissioners and Directors are responsible for the effectiveness of the implementation of Risk Management in the Bank. Therefore, the Board of Commissioners and Directors shall understand the Risks faced by the Bank and shall give clear directions, conduct surveillance and active mitigation, and develop the Risk Management culture in the Bank. In addition, the Board of Commissioners and Directors shall also ensure an adequate organization structure, set clear tasks and responsibilities for each unit, and ensure an adequate quantity and quality of human resources in order to support the effective implementation of Risk Management.

Things that need to be considered in the implementation of active oversight from the Board of Commissioners and Directors include but are not limited to the following:

1. Authority and Responsibility of the Board of Commissioners and Directors
  a. The Board of Commissioners and Directors are responsible for ensuring that the implementation of Risk Management is adequate according to the characteristics, complexities, and Risk profile of the Bank.
  b. The Board of Commissioners and Directors have to understand well the type and rating of Risk attached to Bank’s business activities.
  c. The authority and responsibility of the Board of Commissioners shall at least include:
    1) approving the policy of Risk Management including the strategy and the Risk Management framework set according to the Risk that will be taken (Risk Appetite) and Risk Tolerance of the Bank;
    2) evaluating the policy of Risk Management and Risk Management Strategy at least once a year, or more frequently in the event of a change in factors that significantly influence Bank’s business activities;
    3) evaluating the accountability of the Directors and periodically giving directions for improvement in implementing Risk Management policies. The evaluation is done in order to ensure that the Directors are managing Bank’s activities and Risks effectively.
  d. The authority and responsibility of the Directors shall at least include:
    1) arranging policies, strategies, and the Risk Management framework in written form and comprehensively, including the Risk limit overall and per type of Risk, by paying attention to the level of Risk which will be taken and Risk tolerance according to Bank’s condition as well as taking into account the impact of the Risk on capital adequacy. After receiving the approval from the Board of Commissioners, Directors shall set the referred policies, strategies, and Risk Management framework;
    2) arranging, establishing, and updating procedures and means to identify, measure, monitor, and control the Risks;
    3) arranging and establishing the mechanism of transaction approval, including those that are over the limit and authority for every level of position;
    4) evaluating and/or renewing policies, strategies, and the Risk Management framework at least once a year, or more frequently in the event of a change in factors which significantly influences Bank’s business activities, Risk exposure, and/or Risk profile;
    5) establishing the organization structure including a clear authority and responsibility for every level of position related to the implementation of Risk Management;
    6) being responsible for the implementation of the policies, strategies, and Risk Management framework which have been approved by the Board of Commissioners as well as evaluating and giving directions according to the reports given by the Risk Management Unit including the report on Risk Profile;
    7) ensuring that all of the Material Risks and the impact posed by the referred Risks have been followed up, and submitting an accountability report to the Board of Commissioners periodically. The report shall include the report of development and the problems related to the Material Risk and the remedial measures which have been conducted, are being conducted, and will be conducted;
    8) ensuring the implementation of the remedial measures on the problems or the deviations in Bank’s business activities which are found by the Internal Audit Unit;
    9) developing the Risk Management culture including Risk awareness at every organization level, such as adequate communication to every organization level concerning the importance of an effective internal control;
    10) ensuring the adequacy of financial support and infrastructure to manage and control the Risk;
    11) ensuring that the function of Risk Management is set independently, which is reflected by such things as the separation between the functions of the Risk Management Unit, which does the identification, measurement, monitoring, and controlling of the Risk, and the work unit which does and finalizes the transaction.
2. Human Resources (SDM)

In carrying out its responsibility for the implementation of Risk Management as it relates to SDM, the Board of Directors shall:
  a. establish clear SDM qualifications for every level of position related to the implementation of Risk Management;
  b. ensure the adequacy of the quantity and the quality of SDM available at the Bank and ensure that the referred SDM understand their tasks and responsibilities, whether for the business unit, Risk Management Work Unit, or supporting unit that are responsible for the implementation of Risk Management;
  c. develop a system of employee recruitment, development, and employee training including managerial succession plans as well as adequate remuneration to ensure the availability of competent employees in the field of Risk Management;
  d. ensure the improvement of competence and integrity of the leaders and the members of the business unit, Risk Management Unit and Internal Audit Unit, by considering factors such as knowledge, experience/track records and sufficient ability in the field of Risk Management through a sustainable education and training program, to guarantee the effectiveness of the Risk Management process;
  e. place competent officers and staff in each work unit according to the characteristics, amount, and complexity of the Bank’s business activities;
  f. ensure that the officers and staff placed in each work unit have the following:
    1) comprehension of the Risk attached to every Bank product/activity;
    2) comprehension of the relevant Risk factors and the market conditions which influence Bank’s product/activity, and the ability to estimate the impact of changes in these factors on Bank’s business continuity;
    3) ability to communicate the implications of the Bank’s Risk exposure to the Directors and the Risk Management committee in a timely manner.
  g. ensure that all SDM understand the strategies, the Risk appetite which will be taken and Risk tolerance, and the Risk Management framework which have been set by the Directors and approved by the Board of Commissioners, and implement them consistently in the activities handled.
3. Risk Management Organization

Within the framework of implementing effective Risk Management, the Bank’s Directors establish the organization structure by considering the following:
  a. General
    1) The organization structure that is compiled shall include the clarity of duties and responsibilities, in general or related to the implementation of Risk Management, for all work units, adjusted to the purposes and business policies, measurement and complexity of Bank’s business activity.
    2) The organization structure must be designed to ensure that the work unit doing the internal control function (internal audit unit) and the Risk Management Unit are independent from Bank’s business work unit.
    3) Bank is obliged to own an independent Risk Management Committee and Risk Management Unit.
    4) The adequacy framework of authority delegation must be adjusted to the characteristic and complexity of the product, the Risk appetite which will be taken by the Bank, as well as the experience and the expertise of the personnel concerned. The delegated authority must be reviewed periodically to ensure that the authority is compatible with the recent condition and performance level of the related officials.
  b. Risk Management Committee
    1) The membership of the Risk Management Committee is generally permanent but may be supplemented by non-permanent members based on Bank’s need.
    2) The membership of the Risk Management Committee at least includes the majority of related Directors and Executive Officials, by considering the following:
      a) For Banks owning 3 (three) members of Directors as the minimum requirement stipulated in the applicable provisions, the definition of the majority of Directors is at least 2 (two) Directors.
      b) Banks shall appoint the Director in charge of the Risk Management and Compliance function as a permanent member of the Risk Management Committee and the Director in charge of the implementation of Risk Management for Banks which appoint their own Directors.
      c) The related Executive Officials are the officials one level below the Director who lead the business work unit, the officials leading the Risk Management Unit and the officials leading the Internal Audit Unit.
      d) The membership of the Executive Officials in the Risk Management Committee is adjusted to the problem discussed in the Risk Management Committee such as Treasury and Investments, Credits and Operational, according to Bank’s need.
    3) The authority and responsibility of the Risk Management Committee is to conduct an evaluation and to give recommendations to the President Director related to the Risk Management which at least includes:
      a) arranging the policy of the Risk Management and the changes including the strategy of the Risk Management, Risk appetite and Risk tolerance, Risk Management framework and the contingency plans to anticipate any abnormal conditions;
      b) enhancing the process of Risk Management periodically or incidentally as the result of the external and internal condition changes of the Bank which influences the sufficiency of the capital, Bank’s Risk profile, and the ineffectiveness of the implementation of the Risk Management based on the evaluation result;
      c) establishing the policy and/or business decision which deviates from the normal procedure, such as business expansion significantly exceeding the Bank’s established business plan or the taking of a Risk position/exposure which exceeds the established limit.
  c. Risk Management Unit

    1) The organization structure of the Risk Management Work Unit is adjusted to the size and complexity of Bank’s business activities and Bank’s Risk.
    2) The leader of the Risk Management Work Unit is responsible directly to the President Director or the Director who is specifically assigned as the Director in charge of the Risk Management and Compliance function.
    3) Risk Management Unit must be independent from business work unit such as treasury and investments, credits, funding, accounting, and from the internal audit unit (SKAI).
    4) The authority and responsibility of the Risk Management Unit include:
      a) providing inputs to the Board of Directors in compiling the policy, strategy, and Risk Management framework;
      b) developing the procedures and means for identification, measurement, monitoring, and Risk control;
      c) designing and applying the means needed in the implementation of Risk Management;
      d) monitoring the implementation of the policy, strategy, and Risk Management framework recommended by the Risk Management Committee and approved by the Board of Directors;
      e) monitoring the position/exposure of the Risk overall, or per Risk, including monitoring the compliance with Risk tolerance and the established limit;
      f) conducting stress testing in order to know the impact of the policy implementation and Risk Management strategy on Bank’s overall portfolio or performance;
      g) reviewing activity and/or new product suggestions which are developed by a certain unit of the Bank. The review is mainly focused on the Bank’s ability to manage the activity and/or new product, including the completeness of the system and procedures used and the impact on Bank’s overall Risk exposure;
      h) providing recommendations to the business work unit and/or to the Risk Management Committee in relation to the implementation of the Risk Management, such as concerning the magnitude or maximum exposure of the Risk which may be maintained by the Bank;
      i) evaluating the accuracy and validity of the data used by the Bank to measure the Risk, for Banks which use a model for internal need;
      j) arranging and submitting the Risk profile report to the Chief Executive, Risk Management and Compliance Director, and the Risk Management Committee periodically or at least quarterly. The frequency of the report must be increased if the condition of the market changes rapidly;
      k) executing a periodic review with the frequency adjusted to the Bank’s need, in order to ensure:
        (1) the adequacy of the Risk Management framework;
        (2) the accuracy of the Risk evaluation methodology; and
        (3) the adequacy of the Risk Management information system.
    5) Business unit is obliged to submit the report or information concerning Risk exposure managed by the related unit to the Risk Management Unit periodically.

B. Policy, Procedure, and Limit Establishment

The effective implementation of Risk Management must be supported by the framework which covers the policy and procedure of the Risk Management as well as the Risk limit which is set clearly according to Bank’s vision, mission, and business strategy. The compilation of the policy and procedure of the Risk Management is conducted in accordance with the Risk appetite and the regulation stipulated by the authority and/or the sound banking practice. In addition, the implementation of the Bank’s Risk Management policy and procedure must be supported by the adequacy of capital and Human Resources quality.

Within the framework of controlling Risk effectively, Bank’s policies and procedures must be based on the Risk Management strategy and completed by Risk tolerance and Risk limit. The establishment of the Risk tolerance and Risk limit is done by considering the Risk appetite and Bank’s overall strategy.

Things that need to be considered in determining the Risk Management framework, including the policy, procedure, and limit, are as follows:

1. Risk Management Strategy
  a. Bank formulates the Risk Management strategy according to the overall business strategy by considering Risk appetite as well as Risk tolerance.
  b. Risk Management Strategy is compiled to ensure that Bank’s Risk exposure is managed in line with the policies, Bank’s internal procedures, and other applicable regulations and stipulations.
  c. Risk Management Strategy is compiled according to the general principles as follows:
    1) Risk Management Strategy must be long-term oriented to ensure Bank’s business continuity by considering economy condition/cycle;
    2) Risk Management Strategy comprehensively controls and manages Bank’s Risk and its Subsidiaries; and
    3) Achieving the expected capital adequacy along with the sufficient resources allocation.
  d. Risk Management Strategy is compiled by considering the following factors:
    1) Economy and industry development and their impacts on Bank’s Risk;
    2) Bank’s Organization including the sufficiency of human resources and supporting infrastructures;
    3) Bank’s financial conditions including the ability to make profits, and Bank’s ability to manage Risk which occurs as the result of external and internal factor changes;
    4) The mixture and diversification of Bank’s portfolio.
  e. The Board of Directors shall communicate the referred Risk Management strategy effectively to all business units, managers, and relevant staff so that it is clearly comprehended.
  f. The Board of Directors shall review the referred Risk Management strategy periodically, including its impact on Bank’s financial performance, to determine whether or not any changes to Bank’s Risk Management strategy are needed.
2. Risk Appetite and Risk Tolerance
  a. Risk appetite is the level and type of Risk which the Bank is willing to take in order to achieve Bank’s target. The Risk appetite is reflected in Bank’s business strategy and target.
  b. Risk tolerance is the maximum level and type of Risk set by the Bank. Risk tolerance is the description of the Risk level which will be taken.
  c. In arranging Risk Management Strategy, the Board of Directors must provide a clear direction concerning Bank’s Risk appetite and Risk tolerance.
  d. The Risk Appetite and the Risk tolerance must be considered in arranging the Risk Management policy, including in limit determination.
  e. In determining Risk tolerance, Bank needs to consider the strategy and the goal of Bank’s business as well as Bank’s risk bearing capacity.

3. Policies and Procedures
  a. Risk Management policy is a written direction in implementing the Risk Management; it must be in accordance with Bank’s vision, mission, and business strategy, and its compilation must be coordinated with the related function or business unit.
  b. The policy and procedures must be designed and implemented by observing the characteristic and complexity of the business activity, the Risk appetite and Risk tolerance, Risk profile and the regulations set by the authority and/or sound banking practice.
  c. Bank must have the procedure and process to set Risk Management policy. The procedure and process are described in the implementation guideline which must be reviewed and updated periodically in order to accommodate the changes that have occurred.
  d. Risk Management policy shall at least include:
    1) the determination of the Risk which is related to the banking products and transactions based on the result of Bank’s analysis of the Risk attached to every banking product and transaction which are and will be done according to Bank’s business activity characteristics and complexities;
    2) the determination of methods for the identification, measurement, monitoring, and Risk control as well as Risk Management information system in order to assess precisely the Risk exposure in every banking product and transaction as well as Bank’s business activity;
    3) the determination of the data that must be reported, the format of the report, and the type of information that should be included in the Risk Management report in order to reflect the Risk exposure which becomes a consideration in making business decisions in line with the prudential principles;
    4) the determination of authorities and limit level in stages including the transaction limit which needs approval from Board of Directors, and the determination of Risk tolerance which is the potential loss limit that can be absorbed by Bank’s capital ability, and the monitoring method towards Bank’s Risk exposure;
    5) the establishment of Risk profile rating as the basis for the Bank to determine improvement steps towards products, banking transactions, and certain Bank’s business activity area as well as to assess Risk Management’s policy and strategy implementation result;
    6) a clear organizational structure which formulates the role and responsibility of the Board of Commissioners, Board of Directors, committees, Risk Management Unit, operational unit, Internal Audit Unit, and other supporting units;
    7) the implementation of internal control system in the implementation of Risk Management in order to ensure the compliance with the relevant external and internal regulations, the effectiveness and efficiency of Bank’s operational activities, the effectiveness of the Risk culture at every level of the Bank’s organizational structure, and the availability of accurate, appropriate, and timely financial and management information;
    8) the business continuity plan or business continuity management policy on the possibility of the worst external and internal condition, so that Bank’s business activity can be maintained, including the disaster recovery plan and contingency plan. Business continuity plan shall fulfill the following:
      a) Involving various work units;
      b) Flexible in responding to the variety of interference scenarios which are unexpected and specific, by giving descriptions of certain conditions and the actions which are immediately needed;
      c) Testing and evaluating business continuity plan periodically;
      d) The Board of Directors are obliged to assess, review, and update the business continuity plan periodically to ensure the effectiveness of the compiled business continuity plan.
  e. The policy and procedure of the Risk Management must be documented properly and communicated to every employee.

4. Limit
  a. Bank must own a Risk limit which is in line with the Risk level that will be taken, Risk tolerance, and overall Bank strategies by observing Bank capital adequacy to be able to absorb Risk exposure or loss that occurs, historical loss experience, human resource skills, and compliance with the applicable external provisions.
  b. Procedures and Risk limit establishment at least cover:

    1) clear accountability and authority delegation level;
    2) adequate documentation of procedures and limit establishment to facilitate the implementation of review and audit trace;
    3) periodic review of procedures and limit establishment, at least once a year or more frequently, according to the type of Risk, necessity and development of the Bank; and
    4) limit establishment is done comprehensively on all related aspects, covering the overall limit, limit per Risk, and limit per Bank business activity that owns Risk exposure.
  c. The limit must be understood by every related party and communicated properly, including if changes occur.
  d. Within the framework of Risk controlling, the limit is used as a threshold to decide the intensity level of Risk mitigation that will be done by management.
  e. Bank must have an approval mechanism if over limit occurs.
  f. The limit level is proposed by the related operational unit, then recommended to the Risk Management Unit to gain approval from the Board of Directors or Board of Commissioners through the Risk Management Committee, or the Board of Directors according to their authority that is governed in Bank’s internal policy.

C. Process of Risk Identification, Measurement, Monitoring, and Control, as well as Risk Management Information System

Risk identification, measurement, monitoring, and control are the main part of Risk Management implementation. Risk identification is proactive, covering all Bank business activities, and is done in order to analyze the source and possibility of Risk occurrence as well as its impacts. In addition, Banks shall do Risk measurement according to the characteristic and complexities of the business activity. In monitoring the Risk measurement result, Banks shall stipulate a unit independent from parties that do transactions to supervise the level and trend as well as to analyze Risk direction. Other than that, the effective implementation of Risk Management shall be supported by Risk control by considering the Risk measurement and monitoring result. In order to support the process of Risk identification, measurement, monitoring, and control, Banks shall also develop a management information system that is adjusted to the characteristic, activities, and complexities of Bank’s business activities.

Things that need to be considered in implementing the identification, measurement, monitoring, control, and management information system are as follows:

1. Risk Identification
  a. Banks must do identification of all Risk periodically.
  b. Banks must have methods or a system to do Risk identification for all Bank products and activities.
  c. Risk identification process is done by analyzing all Risk sources, at least covering Risk from Bank products and activities, as well as ensuring that Risk from a new product and activity has gone through a feasible Risk Management process before they are introduced or executed.

2. Risk Measurement
  a. Risk measurement system is used to measure Bank’s Risk exposure as a reference to do controlling. Risk measurement must be done periodically for Bank’s products and portfolio as well as all business activities.
  b. The system concerned at least must be able to measure:
    1) product/activity sensitivity to changes in the factors that affect it, either in normal or not normal condition;
    2) tendency of the referred factors to change according to fluctuation that occurred in the past and its correlation;
    3) Risk factors individually;
    4) Risk exposure overall or per Risk, by considering linkage between Risks;
    5) All Risks that are attached to all transactions as well as banking products, including new product and activity, and can be integrated in Bank management information system.
  c. Risk measurement can be done quantitatively and/or qualitatively. The measurement method concerned can be a method that is stipulated by Bank Indonesia within the framework of Risk assessment and calculation of capital as well as a method developed by the Bank itself.
  d. Selection of measurement method is adjusted to characteristic and complexities of business activities.
  e. Banks using an alternative method and internal model in measuring Credit Risk, Market Risk, and Operational Risk should at least consider the following:

    1) Requirements of internal model use:
      a) the content and quality of the data made or maintained must be in accordance with the applicable general standard so that it allows a reliable statistic result;
      b) the availability of the management information system that allows the system concerned to take data and information that are feasible and accurate at the right time;
      c) the availability of a system that can produce Risk data on all Bank positions;
      d) the availability of documentation from the data source used for the purposes of the Risk measurement process;
      e) database and data storage process must be part of system design in order to prevent dissolution of statistic data.
    2) If Banks are doing back-testing of internal models such as Credit Scoring Tools, Value at Risk (VaR), and stress testing for exposures that contain certain Risk, Banks must use historical data/a series of parameters and assumptions that are compiled by the Bank itself and/or assumptions required by Bank Indonesia.
    3) If the internal model is applied, the related data needs must be adjusted to the data reporting system obliged by Bank Indonesia.
    4) In order to overcome the weakness that may occur due to the usage of a certain Risk measurement model, the Bank must validate the model, with the validation done by an internal party which is independent from the business unit that applies the model. If necessary, the validation is done or completed with the review result of an external party that is competent and skillful in the development of Risk measurement models.
    5) Model validation is a process of:
      a) evaluation of the internal logic of a certain model by verifying the mathematical accuracy;
      b) comparing the model prediction with the occurrence after certain date position (subsequent events);
      c) comparing one model to another available model, either internal or external.
    6) Validation should also be done for new models, whether self-developed by the Bank or bought from a vendor. The model used by the Bank must be evaluated periodically or timely, especially in the case of a significant change in market conditions.
    7) Risk measurement process must clearly include the validation process, validation frequency, requirement of data documentation and information, and requirement of evaluation of the assumptions used, before the model is applied by the Bank.
    8) Risk measurement method must be clearly comprehended by the related employees in Risk control, among others the treasury managers, chief dealer, Risk Management Committee, Risk Management Unit, and the related field Directors.
  f. Risk measurement system must be evaluated and perfected periodically or timely when needed to ensure the suitability of the assumptions, accuracy, fairness and integrity of the data, as well as the procedures used to measure the Risk.
  g. Stress test is done to complement the Risk measurement system by estimating the Bank’s loss potential in a not normal market condition by using certain scenarios in order to see Bank’s performance sensitivity to the changes of Risk factors and identifying the influence that has significant impacts on Bank’s portfolio.
  h. Banks must do the stress testing periodically, review the result of the stress testing, and take the right steps when the estimated condition that will occur exceeds the acceptable tolerance level. The result shall be used as an input at the time of stipulation or change of the policy and limit.

3. Risk Monitoring
  a. Banks must own a system and procedures which include the oversight on the amount of Risk exposure, Risk tolerance, internal limit compliance and the result of stress testing or the consistency of the implementation with the stipulated policy and procedure.
  b. The supervision is done whether by the executing unit or Risk Management Unit.

  c. The result of the monitoring is disclosed in a periodic report which is submitted to the Management within the framework of mitigation of Risk and the needed action.
  d. Banks must prepare a back-up system and effective procedures to prevent occurrence of interference in the process of Risk monitoring, and do the checking and re-assessing of the back-up system periodically.

4. Risk Control
  a. Banks must own a sufficient Risk control system by referring to the stipulated policies and procedures.
  b. The process of Risk control set by the Bank must be adjusted to the Risk exposure or the Risk appetite and Risk tolerance. Risk control may be done by the Bank, such as by the hedging mechanism, and other Risk mitigation methods such as guarantee issuance, asset securitization, and credit derivatives, also by the addition of Bank’s capital to absorb loss potential.

5. Risk Management Information System
  a. The Risk Management information system is a part of the management information system which must be owned and developed according to Bank’s necessities within the framework of effective Risk Management implementation.
  b. As part of the Risk Management process, Bank’s Risk Management information system is used to support the implementation of Risk identification process, measurement, monitoring, and control.
  c. Risk Management information system must be able to ensure:
    1) the availability of accurate, complete, informative, timely, and reliable information which can be used by the Board of Commissioners, Board of Directors, and the related work unit in the implementation of Risk management to assess, monitor, and mitigate the Risk faced by the Bank whether overall/composite Risk or per Risk and/or within the framework of the decision-making process by the Board of Directors;
    2) the effectiveness of Risk Management implementation covers the policies, procedures, and Risk limit establishment;
    3) the availability of the information about the result (realization) of Risk Management implementation compared to the target stipulated by the Bank according to the policy and strategy of Risk Management implementation.
  d. The Risk Management information system and the information produced must be adjusted to the characteristics and complexities of Bank’s business activities and adaptive towards changes.
  e. The adequacy of information coverage resulting from the Risk Management information system must be reviewed periodically to ensure that the coverage has been sufficient according to the development of business activity complexity level.
  f. As part of the Risk Management information system, the Risk profile report is compiled periodically by the Risk Management Unit which is independent from the unit that does business activities. The frequency of report submission to the related Board of Directors and Risk Management Committee should be increased according to the need, especially when the market condition changes rapidly.
  g. Risk Management information system must support the reporting implementation to Bank Indonesia.
  h. In developing information system technology and new software, the Bank should ensure that the application of the new information system and technology will not interfere with the continuity of Bank’s information system.
  i. If Banks decide to assign an outsourcing unit in the development of the software and system improvement, Banks must ensure that the decision of assigning the third party is done objectively and independently. The outsourcing agreement/contract must include the clause concerning the maintenance and updating as well as the anticipation stages in order to prevent the possibility of interferences occurring during the operational.
  j. Before implementing the new management information system, Banks must do a trial to ensure that the process and the output produced have undergone the process of development, testing, and re-assessment accurately and effectively, and Banks must ensure that the historic accounting and management data can be accessed well by the new system/software.
  k. Banks have to manage and update the documentation system, which includes hardware, software, database, parameter, process stages, assumptions used, data source, and output produced in order to facilitate the embedded control and the implementation of audit traces.

D. Internal Control System

The process of effective Risk Management implementation must be completed by a reliable internal control system. The effective implementation of the internal control system may help Bank’s officers to guard Bank’s assets, guarantee the availability of trustworthy financial and managerial reporting, increase Bank’s compliance with the applicable provisions and regulations, as well as reduce the Risk of loss, deviations and violations of the prudential aspects. The implementation of the reliable and effective internal control system of the Bank is the responsibility of all the operational units and the supporting units as well as the Internal Audit Unit.

Things that need to be considered in the implementation of the internal control system are as follows:

  1. Banks are obliged to execute the internal control system effectively in the implementation of Bank’s Risk Management by referring to the policies and procedures established. The implementation of the principle of segregation of duties (four eyes principle) must be adequate and is executed consistently.

  2. The internal control system in the implementation of Risk Management shall at least include:
     a. the suitability between the internal control system and the level and rating of the Risk attached to the Bank’s business activities;
     b. the establishment of the authority and responsibility for the monitoring of policy, procedure, and limit compliance;
     c. the establishment of clear reporting lines and the segregation of duties between the operational unit and the unit which performs the controlling function;
     d. an organizational structure which describes clearly the tasks and responsibilities of each unit and individual;
     e. accurate and timely financial and operational activity reports;
     f. the adequacy of procedures to ensure the Bank’s compliance with the applicable provisions and legislation;
     g. an effective, independent, and objective review of the policies, framework, and operational procedures of the Bank;
     h. sufficient testing and review of the management information system;
     i. complete and sufficient documentation of coverage, operational procedures, audit findings, and the responses of the Bank’s officers based on the audit result;
     j. periodic and continuous verification and review of the handling of the Bank’s material weaknesses and of the actions of the Bank’s employees to fix the deviations that occurred.

  3. The review of the Risk Management implementation shall at least include the following:
     a. the review and evaluation are done periodically, at least once a year, by the Risk Management Unit (SKMR) and the Internal Audit Unit (SKAI);
     b. the coverage and frequency/intensity of the review and evaluation may be increased based on the development of the Bank’s Risk exposure, market changes, measurement methods, and Risk management;
     c. the review and evaluation of Risk measurement by the SKMR, in particular, shall at least include the following:

  1. the suitability of the Risk Management framework, which covers the policy, organizational structure, allocation of resources, Risk Management design process, information system, and reporting of Bank Risk with the necessity of Bank’s business, and the development of rules and best practice related to Risk management;

  2. the methods, assumptions, and variables used for measuring the Risk and to set the Risk exposure limit;

  3. the comparison between the result of the Risk measurement methods which is using the simulation or projection in the future with the actual result;

  4. the comparison between the assumptions used in the referred method with the actual condition;

  5. the comparison between the limit set with the real/actual exposure;

  6. the suitability of the measurement and the Risk exposure limit with the past performance and the Bank’s recent capital position.

d. the review by an independent party such as SKAI covers:

  1. the reliability of the Risk Management framework, which covers the policies, organizational structure, resources allocation, Risk Management design process, information system, and the Bank’s Risk reporting;

  2. the implementation of Risk Management by the business unit/supporting activity, including the review of the monitoring implementation by SKMR.

  4. The review result by SKMR is submitted to the Board of Commissioners, Internal Audit Unit (SKAI), Compliance Director, Audit Committee (if any), and other related directors as an input in improving the framework and process of Risk Management.
  5. The remedial action based on the internal or external audit findings must be monitored by SKAI. Audit findings which have not been followed up must be reported by SKAI to the Board of Directors so that the necessary steps are taken.
  6. The Bank’s level of responsiveness to weaknesses and/or deviations that occurred with respect to the applicable internal and external provisions.

II. GUIDELINES FOR THE IMPLEMENTATION OF RISK MANAGEMENT FOR EACH RISK

A. CREDIT RISK

  1. Definition
     a. Credit Risk is the Risk caused by the failure of a debtor and/or other parties in fulfilling their obligations to the Bank.
     b. Credit Risk can be caused by various Bank business activities. In most Banks, lending is the biggest source of Credit Risk. Besides credit, the Bank also faces Credit Risk from various financial instruments such as securities, acceptances, transactions between Banks, trade funding transactions, exchange and derivatives transactions, as well as liabilities from contingencies and commitments.
     c. Credit Risk may arise due to the concentrated provision of funds, such as between debtors, geographical areas, products, type of

funding, or certain business field. This Risk is normally called Credit Concentration Risk. 2. Purpose The main purpose of Risk Management for Credit Risk is to ensure that the Bank’s provision of fund is not exposed to the Credit Risk which can cause disadvantages to the Bank. In general Credit Risk exposure is one of the main Risk exposures therefore Bank’s ability to identify, measure, monitor, and control the Credit Risk as well as to provide an adequate capital to the Risk is highly important. 3. The Implementation of The Risk Management Risk Management for Credit Risk, including Credit Concentration Risk management, for Bank individually or in consolidation with its Subsidiaries, should at least include: a. Active oversight from the Board of Commissioners and Directors In implementing Risk Management through the active oversight from the Board of Commissioners and Directors for Credit Risk, beside implementing an active oversight as referred to in point I.A, Banks need to implement several things in each aspect of active oversight from the Board of Commissioners and Board of Directors, as follows:

  1. Authority and Responsibility of the Board of Commissioners and Directors a) The Board of Commissioners monitors the provision of funds including reviewing the provision of fund in a large amount or which is given to the related parties. b) The Board of Directors are responsible so that every provision of fund activity is done in accordance to the Credit Risk strategy and policy approved by the Board of Commissioners.

c) The Board of Directors have to ensure that the implementation of the Risk Management is done effectively in the provision of fund activities, by monitoring the development and problem in Bank’s business activities which is related to Credit Risk, including the problematic credit settlement. 2) Human Resources The adequacy of human resources for Credit Risk refers to the general implementation coverage as referred to in point I.A.2. 3) Credit Risk Management Organization Within the framework of Risk Management implementation for Credit Risk, there are some related units as the following: (i) business unit which implements lending activities or provision of funds; (ii) credit recovery unit which do non performing credit handling; (iii) Risk Management unit, especially the one which assesses and monitors Credit Risk. In addition, a Credit Committee which is responsible especially to decide a lending in a certain amount according to each Bank’s policies. The membership of Credit Committee is not limited to the Business Unit only but also from other units which relate to the management of Credit Risk, such as the credit recovery unit. b. Policy, Procedure, and Limit Establishment In executing the policy, procedure, and limit establishment for Credit Risk, therefore beside executing the policy, procedure, and limit establishment as referred to in point I.B, Banks must add the implementation of several things in each aspect of policy, procedure, and limit establishment, as follows:

  1. Risk Management Strategy a) Risk Management Strategy for Credit Risk must cover the strategy for all activities that have significant Credit Risk

exposure. That strategy must include a clear direction of fund provisions which will be done, among others are based on the type of credit, business field, geographical area, currency, time period, and target market. b) Risk Management Strategy for Credit Risk must be in accordance with Bank’s purposes to maintain credit quality, profit, and business growth. 2) Risk Appetite and Risk Tolerance The establishment of Risk appetite and Risk tolerance for Credit Risk refers to the general coverage as referred to in point I.B.2 3) Policies and Procedures a) In Credit Risk policy which includes the implementation of Risk Management for Credit Risk for all Bank’s business activities, it is deemed necessary to establish the provision of fund framework and the sound fund provision policy including the policy and procedure within the framework of Credit Concentration Risk control. Banks must have the clear established procedures for the approval of fund provision, including changing, updating, and refinancing. b) Banks must have the policy and procedures to ensure that all fund provisions are done in control (arm’s length basis). If the Bank owns the policy which makes it possible to do fund provisioning beyond normal policy in certain conditions, therefore the policy must include clearly the criteria, conditions, and procedures including the steps to control or mitigate the Risk from the referred fund provision. c) Bank must have the policy and procedures to identify Credit Concentration Risk.

d) Bank must develop and implement the right policy and procedures to be able to: (1) support a sound provisions of funds; (2) monitor and control Credit Risk, including Credit Concentration Risk; (3) do a proper evaluation in the exploitation of new business opportunities; and (4) identify and handle the non performing credit. e) Bank’s policy must include the information needed in the sound credit lending, among others include: the purpose of the credit and the payment resources, debtor’s Risk profile and the mitigation as well as the sensitiveness level to the development of economy and market conditions, the ability to pay back, business ability and debtor’s business field condition and the debtor’s position in the certain industry, the proposed credit condition including the agreement designed to anticipate debtor’s Risk exposure changes in the future. f) Bank’s policy also include the factors which need to be considered in credit approval process, such as: (1) profitability level, which is by doing analysis of fund estimation and comprehensive income, including the estimated fee in the case of default, as well as the capital need calculation. (2) consistency of price setting, which is done by taking into account the Risk level, especially debtor’s condition in overall and the quality and the convenience level of the collateral disbursement. g) Banks must own procedures to do analysis, approval, and credit administration, which includes:

(1) The delegation of authority in the decision-making procedures for the provision of funds, which must be clearly formalized.
(2) The separation of functions between those doing the analysis, approval, and credit administration in the working framework or the mechanism of delegation in the decision-making procedure for the provision of funds.
(3) The work unit doing a periodic review in order to establish or update the quality of provisions of funds that are exposed to Credit Risk.
(4) The development of a credit administration system, which includes:
    (a) the efficiency and effectiveness of the credit operational administration, including monitoring of the documentation, terms and conditions of contracts, loan agreements, and collateral binding;
    (b) the accuracy and timeliness of the management information system;
    (c) the sufficient separation of functions/tasks;
    (d) the proper control of all back office procedures; and
    (e) the compliance with the written internal policies and procedures and the applicable provisions.
(5) Banks must manage, document, and update all qualitative and quantitative information and the material evidence in the loan archive which is used for evaluation and review.

4) Limit
   a) Banks must set the overall limit on the provision of funds for all of the Bank’s business activities which contain Credit Risk, both for related and non-related parties, and for individual debtors or groups of debtors.
   b) Banks need to set the Risk tolerance for Credit Risk.
   c) The limit for Credit Risk is used to reduce the Risk posed, including the occurrence of concentration of credit distribution.
   d) The establishment of the Credit Risk limit must be documented in written form and must be complete to ease the audit trail for internal and external auditors.

c. The Process of Risk Identification, Measurement, Monitoring, and Risk Control, as well as Credit Risk Management Information System

In implementing Risk Management through the process of Risk identification, measurement, monitoring, and control, as well as the Risk Management information system for Credit Risk, besides carrying out the process as mentioned in point I.C, Banks need to add the implementation of several things in each referred process, as follows:

  1) Credit Risk Identification

  a) The system for Credit Risk identification, including Credit Concentration Risk identification, must be able to provide sufficient information, which is about the credit portfolio composition.

  b) In identifying Credit Risk, whether individually or as a portfolio, the factors which can affect the Credit Risk level in the future need to be considered, such as possible changes in economic conditions and the assessment of Credit Risk exposure in a stressed condition.

  c) In identifying Credit Risk, the credit quality assessment based on the analysis of the business prospects, financial performance, and ability to pay of the debtors needs to be considered.

  d) In identifying Credit Risk for treasury and investment activities, the Credit Risk assessment shall also pay attention to the type of transactions, characteristics of instruments, and market liquidity, as well as other factors which can influence Credit Risk.

  e) Especially for Credit Concentration Risk, Banks must also identify the causes of the Credit Concentration Risk due to idiosyncratic factors (factors that are specifically related to each debtor) and systematic factors (economic factors and financial factors which may influence the performance and/or the market condition).

  2) Credit Risk Measurement
     a) Banks must have written systems and procedures for Risk measurement which make possible: (1) the centralization of the on-balance-sheet and off-balance-sheet exposures which contain Credit Risk from each debtor or per debtor group and/or certain counterparty, with reference to the single obligor concept;

(2) the assessment of a different Credit Risk rating category between debtors/counterparty by using the qualitative and quantitative aspect and selection of certain criteria; (3) the distribution of the Risk measurement result information for the monitoring purposes by the related work unit. b) The measurement system of the Credit Risk shall at least consider: (1) the characteristic of each Credit Risk exposed transaction; (2) the financial condition of debtor/counterparty’s and requirements in the credit agreement such as the interest rate; (3) credit tenure is linked to the potential changes which happen in the market; (4) security aspect, collateral, and/or guarantee; (5) probability of default, either based on the assessment result of the standard approaches or assessment result of internal rating process ; (6) Bank’s ability to absorb the failure potential. c) Banks which use Risk measurement technique using the internal rating approach must do the data updating periodically. d) The measuring method must be able to measure the quantified inherent Risk exposures, which are the asset portfolio composition which includes the type and feature of the exposure and the concentration level, and the

quality of provision of funds which includes the non performing assets level and foreclosed collateral.
e) To measure the Credit Risk related to counterparty credit risk, such as over the counter (OTC) derivative transactions, Banks must use the market value, which is determined periodically.
f) Banks which develop and use an internal rating system in their Credit Risk management must adjust the system concerned to the portfolio characteristics, size, and complexity of the Bank’s business activities.
g) The main principles of the internal rating system are as follows:
   (1) The procedure for using the internal rating system shall be formalized and documented.
   (2) The internal rating system should be able to identify early the Risk profile changes which are caused by the potential or actual decrease in Credit Risk.
   (3) The internal rating system must be evaluated periodically by a work unit that is independent from the work unit which applies the internal rating.
   (4) If the Bank uses the internal rating in order to determine the asset quality and the amount of reserve, there must be a formal procedure which ensures that the establishment of asset quality and reserve by the internal rating is more prudent than or similar to the related applicable regulation.
   (5) The reports produced by the internal rating, such as the credit portfolio condition report, must be submitted periodically to the Board of Directors.

h) One of the models which can be used by the Bank is the statistical/probabilistic method to measure the Risk which is related to a certain type of Credit Risk transaction, for example credit scoring tools.
i) In using the system, the Bank is obliged to:
   (1) do a periodic review of the model accuracy and the assumptions used to project failure;
   (2) adjust the assumptions to the changes that occurred in the internal and external conditions.
j) When there is a great Risk exposure or a relatively complex transaction, the Credit Risk decision-making process is not based only on that system, so it needs to be supported by other Credit Risk measuring methods.
k) Banks must document the assumptions, data, and other information used in that system, including the changes, and the documentation must be updated periodically in the future.
l) The implementation of the system must:
   (1) support the decision-making process and ensure the compliance with the authority delegation regulation;
   (2) be free, through reliable and effective security procedures, from the possibility of manipulation that would influence the result;
   (3) be reviewed by a work unit or party that is independent from the work unit which applies the system.

3) Credit Risk Monitoring
   a) Banks must develop and implement a comprehensive information system and procedures to monitor the composition and condition of each debtor or the

counterparty to all Bank Credit portfolios. The system must be in accordance to Bank’s portfolio characteristic, size, and complexity. b) The monitoring procedures must be able to identify non performing asset or other transactions to make sure that the non performing assets receive more attention, including the recovery action and the forming of the sufficient reserve. c) The effective credit monitoring system shall make it possible for Bank to: (1) Comprehend Credit Risk exposure totally or per certain aspects to anticipate the Credit Concentration Risk, among others per type of counterparty, business field, industrial sector, or per geographical area. (2) Comprehend the recent financial condition of the debtor or counterparty including gaining the information about the debtor’s asset composition and its growth trend . (3) Monitor the compliance to the term in the credit agreement or any other transaction contracts. (4) Assess the collateral adequacy periodically comparing to the liability of the debtors or the counterparty. (5) Accurately identify the problem including inaccuracies of settlement and classify the potentially non performing loan on time for the recovery action. (6) Quickly handle credit problems.

(7) Identify Credit Risk level as a whole or per certain asset type. (8) Compliance to the limit and other stipulation which are related to fund provision, including Credit Concentration Risk limit. (9) The exception taken to the certain fund provision. d) In the implementation of the Credit Risk exposure system monitoring, the Risk Management Unit must compile the report concerning the Credit Risk improvement periodically, including the causing factors and submit it to the Risk Management Committee and Directors. 4) Credit Risk Control a) In order to control the Credit Risk, Banks must ensure that the credit work unit and other work units which do the Credit Risk exposed transactions have functioned adequately and the Credit Risk exposures are maintained to stay consistent to the established limit as well as fulfilling the prudential standard. b) Credit Risk control can be done through several ways, which are Risk mitigation, active management of position and Risk portfolio, target settlement of the concentration Risk limit in Bank’s annual plan, the settlement of authorization level in the fund provision approval process, and the concentration analysis periodically at least 1 (one) time a year. c) Banks must own an effective system to detect non performing credit. Aside from that, Banks must also separate the non performing credit settlement function with the function which terminates lending. Every strategy and result of the non performing loan handling

are managed and later used as inputs for the work unit which functions to distribute or restructure loans.

5) Credit Risk Management Information System
   a) The Risk Management information system for Credit Risk must be able to provide accurate, complete, informative, timely, and reliable data concerning the amount of all individual lending and counterparty exposures, the loan portfolio, and the report of Credit Risk limit exceptions, so that it can be used by the Board of Directors to identify Credit Concentration Risk.
   b) The information system must be able to accommodate the Credit Risk mitigation strategy through various methods or policies, such as limit establishment, hedging, assets securitization, insurance, collateral, on-balance-sheet netting agreements, and others.

d. Internal Control System

In implementing Risk Management through the implementation of the internal control system for Credit Risk, aside from implementing the internal control as referred to in point I.D, the Bank also needs to implement these things:

  1. The independent and continuous review system to the effectiveness of the Risk Management implementation for the Credit Risk which at the least include the credit administration evaluation process, internal ranking implementation accuracy evaluation or the work unit implementation or the officer who does credit quality monitoring.

  2. Internal review system by the individual who is independent from the business unit in order to help the credit evaluation process in overall, to determine the accuracy of internal rating, and to evaluate whether the account officer monitors the credit individually and appropriately.

  3. The efficient and effective report system to provide sufficient information to the Board of Commissioners, Board of Directors, and audit committee.

  4. Internal audit process on the Credit Risk is done periodically, which covers the identification whether:
     a) the activity of the fund provision is in line with the established policy and procedure.
     b) all authorizations are done in accordance with the guidelines.
     c) individual credit quality and portfolio composition have been reported accurately to the Directors.
     d) there are weaknesses in the Risk Management process for Credit Risk, policy and procedure, including the exceptions for the policy, procedure, and limit.

B. MARKET RISK

  1. Definition a. Market Risk is the Risk on the balance sheet and off balance sheet position including the derivative transactions due to the overall changes of the market condition, including the option price Risk changes. b. Market Risk includes interest rate Risk, exchange rate Risk, equity Risk, and commodity Risk. Interest rate Risk, exchange rate Risk and commodity Risk may arise from both trading book and banking book position. Meanwhile, the equity Risk arises from the trading book position. c. The implementation of Risk Management for the equity and commodity Risk should only be implemented by Banks which consolidate with their Subsidiaries.

d. The coverage of banking book and trading book position refers to Bank Indonesia regulations concerning minimum capital adequacy requirement. 2. Purpose The main purpose of the Risk Management for the Market Risk is to minimize the possibility of negative impact due to the market condition changes on Bank’s asset and capitalization. 3. Risk Management Implementation Risk Management Implementation for Market Risk for individual Banks and for Banks in consolidation with Subsidiaries at least covers: a. Active Oversight of Board of Commissioners and Board of Director In doing Risk Management Implementation through active oversight of Board of Commissioners and Board of Director, then other than doing active oversight as referred to in point I.A, Banks need to add implementation of several things in each aspect of Board of Commissioners and Director’s active oversight, as follows:

  1) Authorities and Responsibilities of Board of Commissioners and Board of Directors
     a) Authorities and responsibilities of Directors, at least covers:
        (1) ensuring that the policies and procedures on Risk Management for Market Risk cover trading activities, whether daily, medium term, or long term. These responsibilities include ensuring the clarity of rights and responsibilities in managing Market Risk, the sufficiency of the system for measuring Market Risk, a sufficient limit structure for Risk taking, effective internal control, and a comprehensive, periodic, and timely reporting system.
        (2) ensuring that the policies and procedures on Risk Management for the banking book position become an integral part of the Bank’s overall Assets and Liabilities Management policies, according to the business preference taken by the Bank.

  2) Human Resources
     a) The quality of the executive employees related to Market Risk must be sufficient, so that they at least understand: (1) the Risk taking philosophy; (2) the factors that may affect Market Risk.
     b) The quality of the executive employees in the Risk Management Unit should be equal to the quality of the executive employees related to Market Risk. Specialized and more experienced executive employees are needed when the Bank offers structured products or products that have more complex features.

  3) Market Risk Management Organization
     a) The establishment of the organization structure, devices, and completeness of the units/functions related to Risk Management Implementation for Market Risk must be adjusted to the characteristics and complexity of the Bank’s activities.
     b) Within the framework of complementing the Risk Management Committee, especially in relation to managing Market Risk, Banks can have an Assets and Liabilities Management Committee (ALCO) that also does Bank liquidity management.

b. Policies, Procedures, and Limit Establishment In doing policies, procedures, and limit Establishment for Market Risk, then besides doing policies and, procedures, and limit Establishment as referred to in point I.B, Banks need to add implementation of several things in each aspect of policies, procedures, and limit Establishment, as follows:

  1. Risk Management Strategy In determining Risk Management strategy for Market Risk must also consider things such as: Bank’s trading strategy, Bank’s market position, Bank’s instruments/products composition, and Bank’s customers category.
  2. Risk Appetite and Risk Tolerance Establishment of Risk appetite and Risk tolerance for Market Risk referring to implementation coverage in general as referred to in point I.B.2.
  3. Policies and Procedures
     a) The policy must clearly include:
        (1) the criteria of financial instruments which may be stipulated as trading book and banking book and the mechanism to ensure that those criteria are applied consistently;
        (2) the purpose of having the trading book and banking book position;
        (3) the policy of the trading book and banking book portfolio management;
        (4) the establishment of the valuation methodology towards the financial instrument in trading book, by

using the daily fair value based on the market price or valuation model/technique; (5) Market Risk measurement method used by the Bank whether for the periodic Risk monitoring purposes or the capital adequacy calculation such as: sensitivity analysis, earnings at risk, value at risk, and economic value of equity; (6) the establishment of the independent party to do testing and validation of Risk measurement model and pricing model periodically; (7) the mechanism of the establishing and documenting every trading strategy based on the position or trading book portfolio; (8) especially for the interest rate Risk management in banking book, the policy must also include the treatment policy for the non-maturity instrument, which is the financial instrument which has no maturity or the adjustment of interest rates contractually. b) The policy and the process of defining the differences between the reference interest rates or the market interest rates to determine pricing transaction which is done by considering the financial condition as a whole and the prudential principles. c) The procedures established by Banks must be able to do the consolidation towards the open position at every position and must be able to allow to do an accurate calculation concerning the open position at any time or daily. 4) Limit

a) Banks must ensure the consistency among various different limit. b) Limit establishment may be set in stages for every level of Bank organization, in example the overall limit, portfolio limit and dealer limit. c) Bank may set limit as an internal trigger to anticipate the maximum limit achievement, such as establishing the Net Open Position (PDN) internal limit in order to prevent the exceeding limit set by the applicable stipulation especially in the case of all internal limits established have been used. c. Process of Risk Identification, Measurement, Monitoring, and Risk Control, as well as the Market Risk Information System In implementing Risk Management through identification process, measurement, monitoring, and Risk control, as well as the Risk Management Information system for Market Risk, thus aside from executing the processes as referred to in point I.C, Banks need to add several implementation of things in each mentioned processes, as the following:

1) Market Risk Identification

Banks must have a Risk identification process that is adjusted to the Market Risk attached to the Bank’s business activities, which includes interest rates, exchange rates, equity, and commodities. Specifically for Interest Rate Risk in the Banking Book (IRRBB), the identification process covers identifying the sources of IRRBB, such as repricing risk, yield curve risk, basis risk, or optionality risk, that can affect the Bank’s interest income and the economic value of the Bank’s financial position, as well as the Bank’s capital.

2) Market Risk Measurement

a) Banks must have a system or Market Risk measurement model to measure the positions and sensitivities attached to Market Risk, whether in normal or stressed conditions.

b) The Market Risk measurement system must at least:

(1) provide information on outstanding positions and the potential profit or loss daily, including information about the position of each client;

(2) cover all current and potential Market Risk exposures, and be able to perform marking to market;

(3) be able to accommodate increases in exposure volume, changes in normal value evaluation techniques, changes in methodology, and new products;

(4) calculate the Market Risk exposure related to options, whether explicit or embedded options;

(5) have assumptions and parameters that are documented and evaluated periodically;

(6) be supported by sufficient data compilation;

(7) be complemented by scenario analysis and stress testing;

(8) be integrated routinely with Risk Management, whether in terms of decision-making, governance structure, or the internal capital allocation process.

c) The measuring tools should be able to measure quantifiable inherent Risk exposures, such as portfolio volume and composition, which include Market Risk in the trading book, Fair Value Option (FVO), and the banking book, especially the Bank’s susceptibility to interest rate Risk in the banking book.

d) In relation to the measurement of interest rate Risk in banking book positions, Banks should at least:

(1) Have an interest rate Risk measurement system for the banking book which at least uses the gap report measurement model. The gap report presents the interest rate sensitive asset, liability, and off balance sheet items, mapped into certain time scales. The mapping is based on the remaining time to maturity for fixed interest rate instruments, and on the remaining period up to the next rate adjustment for floating interest rate instruments.

(2) Understand the weaknesses of the applied method, and calculate and mitigate the impact of those weaknesses.

e) The data used must be in accordance with the measurement purposes (for example, trading activity should use marked to market data), reflect the Bank’s condition, be accurate, complete (including data on balance sheet and off balance sheet transactions), and up to date, be obtained independently from the operational unit, and be used consistently.

f) Banks must document the data properly and be aware of problems related to the data, such as incompleteness and insufficient information regarding positions in off balance sheet transactions and embedded options.

g) For instruments whose market value or proxy is difficult to obtain, Banks must use a valuation model which has been validated periodically by an independent unit, and if a problem occurs with the model, the adjustment of the valuation model must be reported to and approved by the management.

h) The review or validation of the Market Risk measurement model is done periodically by an independent party, such as through back testing, including making improvements when necessary.

i) In measuring Risk at the portfolio level, Banks should calculate the correlation between markets and between Risk categories when evaluating the Market Risk position comprehensively, for example by including that correlation as one of the stress testing scenarios.

j) In scenario analysis and stress testing, Banks can use scenarios based on historical data analysis, hypothetical analysis, or scenarios set by Bank Indonesia.

3) Market Risk Monitoring

a) Banks must monitor limit compliance daily and follow up on limit excesses, which shall then be reported daily to the interested parties as regulated in the Bank’s internal policy.

b) For monitoring interest rate Risk in the banking book, the IRRBB monitoring report must cover the important assumptions used, such as non-maturity deposit behavior and prepayment information or economic data.

4) Market Risk Control

a) Management must take steps to control the Risk, including preventing greater Market Risk losses.

b) The responsibility for Market Risk control in the executing unit shall at least include:

(1) reconciliation of the positions managed and recorded in the management information system;

(2) control of the accuracy of profit and loss and of compliance with the stipulations, including the relevant accounting standards.

c) Banks which own securities and bonds must periodically review the issuer’s condition, credibility, and ability to settle the securities and bonds. The review must be documented and done at least every six months.

d) In the case where the Bank owns securities and bonds registered or traded in the capital market and, based on that review, there is a possibility of increased issuer default, Banks must exercise control, such as tightly monitoring the credit spread of the securities and bonds, and take the actions needed to reduce the loss, such as forming a reserve.

e) For transactions with a hedging purpose, Banks must set clear responsibility for Risk control, which has the purpose to:

(1) ensure that the recording does not deviate from the accounting standards and/or generate deviations in revenue recognition;

(2) ensure that the transaction has been done in accordance with the instruction or recommendation of the management/ALCO and that the transaction can mitigate Market Risk exposure;

(3) re-evaluate periodically that the hedging has been effective, especially in the hedging ratio calculation and the comparison of that ratio over time;

(4) ensure that the transaction contract is maintained until the due date and will not be converted to a trading position;

(5) re-evaluate the counterparty’s credibility and prevent concentrated allocation.

5) Market Risk Management Information System

a) The Market Risk information system shall at least be able to quantify Risk exposure and monitor changes in market factors (interest rates, exchange rates, equity prices, and commodity prices) on a daily and real time basis, and may be used to predict potential future losses. For interest rate Risk in the banking book, the quantification of Risk exposure shall be done at least monthly.

b) The Risk Management information system must be able to facilitate stress testing, especially to identify Risk immediately so that recovery action can be taken immediately, including as a response to changes in market factors which can have negative impacts on the Bank’s earnings and capital.

d. Internal Control System

In implementing Risk Management through the application of the internal control system for Market Risk, aside from carrying out the internal control mentioned in point I.D, Banks also need to add several things to each aspect of internal control, as follows:

1) Banks must have a sufficient internal control system to ensure that transactions and processes related to market risk taking are carried out by referring to the established policies, procedures, and limits.

2) The implementation of segregation of duties must be sufficient and executed consistently.

3) Banks must have a function/unit which performs trading position valuation and a function/unit which validates the Market Risk measurement model.

4) The function or unit which performs the valuation must be independent of the function or unit which takes the Risk, and the function/unit which performs the validation must be independent of the one improving the Market Risk measurement model.

C. LIQUIDITY RISK
1. Definition

a. Liquidity Risk is the Risk caused by the Bank’s inability to meet its obligations from cash flow funding sources and/or from high quality liquid assets which can be pledged, without disturbing the activities and financial condition of the Bank.

b. The inability to obtain cash flow funding sources, which gives rise to Liquidity Risk, may be caused by:

1) inability to generate cash flow derived from earning assets or from the sale of assets, including liquid assets; and/or

2) inability to generate cash flow derived from fund raising, interbank transactions, and accepted loans.

2. Purpose

The main purpose of Risk Management for Liquidity Risk is to minimize the possibility of the Bank’s inability to obtain cash flow funding sources.

3. Risk Management Implementation

Risk Management implementation for Liquidity Risk, for the Bank individually or for the Bank in consolidation with its Subsidiaries, shall at least include:

a. Active oversight of the Board of Commissioners and Board of Directors

In implementing Risk Management through active oversight by the Board of Commissioners and Board of Directors for Liquidity Risk, aside from carrying out the active oversight referred to in point I.A, it is necessary to add several things to each aspect of the active oversight by the Board of Commissioners and Board of Directors, as follows:
1) The Authority and Responsibility of the Board of Commissioners and Board of Directors

a) The Board of Commissioners and Board of Directors are responsible for ensuring that the implementation of Risk Management for Liquidity Risk is compatible with the strategic targets, scale, business characteristics, and Liquidity Risk profile of the Bank, including ensuring the integration of the Risk Management implementation for Liquidity Risk with the other Risks which may impact the Bank’s liquidity position.

b) The authority and responsibility of the Board of Commissioners in the implementation of Risk Management for Liquidity Risk include, among others, periodically approving and evaluating the policy and strategy of Risk Management for Liquidity Risk, including the emergency funding plan. The periodic evaluation is done at least once a year, or more frequently in the case of changes in factors which significantly influence the Bank’s business activities.

c) The authority and responsibility of the Directors shall at least include:

(1) monitoring the liquidity position and Liquidity Risk periodically, in normal situations or in unfavorable market situations;

(2) evaluating the Bank’s liquidity position and Liquidity Risk at least once a month;

(3) immediately evaluating the Bank’s liquidity position and Risk profile when a significant change occurs, such as an increase in fund raising costs and/or an increase in the liquidity gap;

(4) adjusting the policy and strategy of Risk Management for Liquidity Risk based on the evaluation of the liquidity position and Liquidity Risk;

(5) submitting reports to the Board of Commissioners regarding the liquidity position, the Liquidity Risk profile, and the implementation of the Risk Management policy and procedure for Liquidity Risk, which covers the evaluation of the policy, strategy, procedure, and liquidity procedure, periodically or when a significant change occurs.

2) Human Resources

Directors have to ensure that each function/unit responsible for Liquidity Risk management, such as ALCO, treasury, and the dealing room, has competent human resources.

3) Liquidity Risk Management Organization

Banks are obliged to have a liquidity management committee which is responsible for the Bank’s liquidity management, such as ALCO.

b. Policy, Procedure, and Limit Establishment

In implementing the policy, procedure, and limit establishment for Liquidity Risk, aside from implementing the policy, procedure, and limit establishment referred to in point I.B, Banks need to add several things to each aspect of policy, procedure, and limit establishment, as follows:

1) Risk Management Strategy

The formulation of the strategy for Liquidity Risk refers to the coverage referred to in point I.B.1.

2) Risk Appetite and Risk Tolerance

a) The Bank’s Risk Appetite is reflected by the asset and liability composition as well as the Bank’s gapping strategy.

b) Risk Tolerance for Liquidity Risk must describe the level of Liquidity Risk which will be taken by the Bank, which is determined by the composition of liquid instruments and funding sources owned by the Bank to support the Bank’s current and future strategy.

3) Policies and Procedures

a) The policy regarding Risk Management for Liquidity Risk, including the implementation of the Risk Management strategy and limits, must be in accordance with the vision, mission, business strategy, and Risk appetite. In addition, the policy must be supported by adequate capital and human resource capability, and must pay attention to the Bank’s overall funding capacity by considering external and internal changes.

b) The policy and procedure of Risk Management for Liquidity Risk, besides including the things referred to in point I.B.3.d, also include the following:

(1) the Risk Management organization for Liquidity Risk, including the tasks, authority, and responsibilities of each unit or function involved, namely the Board of Commissioners, Directors, Internal Audit, Risk Management Unit, ALCO, treasury/dealing room, etc.;

(2) the policy concerning ALCO, including membership, member qualifications, tasks and responsibilities, and meeting frequency;

(3) the policy and procedure of liquidity management, which at least cover:

(a) the composition of assets and liabilities;

(b) the level of liquid assets which should be maintained by the Bank;

(c) the determination of the type and allocation of assets classified as high quality liquid assets;

(d) the diversification and stability of funding sources;

(e) liquidity management for every funding source (according to market, counterparty, location, type of currency, etc.);

(f) daily liquidity management, including intraday liquidity management and inter-group liquidity management (liquidity of the business group);

(g) the Liquidity Risk limits.

(4) The establishment of early warning indicators for Liquidity Risk as a tool for problem identification and for determining Liquidity Risk mitigation. The early warning indicators include internal and external indicators. The internal indicators include decreasing asset quality, increasing concentration in specific assets and funding sources, increasing currency mismatches, repeated limit excesses, an increase in the overall cost of funds, and/or a decreasing cash flow position as a result of increasing maturity mismatches, especially in short time scales. The external indicators include negative publicity about the Bank, a rating downgrade by a rating institution, a continuous decline in the Bank’s stock price, a decrease in the credit line facilities given by the Bank’s correspondents, an increase in deposit withdrawals before the maturity date, and/or limited access to long term funding.

(5) The Liquidity Risk measurement method and Liquidity Risk stress testing have to be adjusted to the Bank’s fund management strategy in order to describe the Bank’s Liquidity Risk profile well.

(6) The Risk Management information system and other systems needed to sufficiently identify, measure, monitor, and control Liquidity Risk, including liquidity reporting.

(7) The emergency funding plan, which explains the approaches and strategies for facing crises that have an impact on the Bank’s liquidity position. The policy concerning the emergency funding plan at least includes the Bank’s management action plan during a liquidity crisis and the methods used to obtain funding in that crisis situation. The Directors and/or ALCO must review and update the emergency funding plan periodically to ensure the effectiveness of that funding plan.

4) Limit

a) Liquidity Risk limits must be consistent and relevant with the Bank’s business, the complexity of its business activities, Risk tolerance, product characteristics, currencies, the markets in which the Bank actively transacts, historical data, profitability level, and available capital.

b) The policy concerning limits must be applied consistently in order to manage Liquidity Risk, such as to limit the funding gap in various time periods and/or to limit the concentration of funding sources, instruments, or certain market segments.

c) Liquidity Risk limits may include cash flow mismatch limits in the short term or long term, including cash flow derived from off balance sheet positions, concentration limits on assets and liabilities, overnight loans, and other liquidity ratios. Limit establishment is not only used for managing daily liquidity in normal conditions but also covers limits that allow the Bank to keep operating during a crisis.

c. Process of Risk Identification, Measurement, Monitoring, and Risk Control as well as Liquidity Risk Management Information System

In implementing Risk Management through Risk identification, measurement, monitoring, and control, as well as the Liquidity Risk Management information system, besides carrying out the processes referred to in point I.C, Banks also need to add several things to each of those processes, as follows:

1) Liquidity Risk Identification

a) In order to identify Liquidity Risk, Banks must analyze every source of Liquidity Risk. The sources of Liquidity Risk include:

(1) banking products and activities which can influence the sources and uses of funds, whether in asset and liability positions or off balance sheet positions; and

(2) other Risks which may increase Liquidity Risk, for example Credit Risk, Market Risk, and Operational Risk.

b) The analysis is done to identify the amount and trend of liquidity needs as well as the funding sources available to meet those needs.

c) Banks must analyze the other Risk exposures which may increase Liquidity Risk, such as interest rate Risk, Credit Risk, Operational Risk, and Legal Risk. In general, Liquidity Risk is more likely to be caused by weaknesses or problems derived from other Risks; therefore the Risk identification must also include the relation between Liquidity Risk and the other Risks.

2) Liquidity Risk Measurement

a) Banks are obliged to have a measuring tool which can quantify Liquidity Risk in a timely and comprehensive manner.

b) The measuring tool referred to in point a) should be able to measure the Liquidity Risk caused by assets, liabilities, and off balance sheet items.

c) The measuring tool should be able to measure inherent risk exposures such as the composition of assets, liabilities, and off balance sheet transactions; the concentration of assets and liabilities; and vulnerability to funding needs.

d) The measuring tool at least includes:

(1) liquidity ratios, which are financial ratios that describe liquidity indicators and/or measure the Bank’s ability to fulfill short term liabilities;

(2) the maturity profile, which is the mapping of asset, liability, and off balance sheet positions into certain time scales based on the remaining time to maturity;

(3) the cash flow projection, which is the projection of every cash inflow and outflow, including the funding needed to fulfill commitments and contingencies in off balance sheet transactions; and

(4) stress testing, which is a test of the Bank’s ability to fulfill liquidity needs in crisis conditions using stress scenarios specific to the Bank or market stress scenarios.

e) The complexity of the Liquidity Risk measurement approach used by Banks must be adjusted to the composition of the Bank’s assets, liabilities, and off balance sheet items. Banks with more complex business activities must use simulation-type measurement that is more dynamic and supported by various relevant assumptions.

f) The liquidity ratios used in measuring Liquidity Risk must be adjusted to the business strategy, Risk tolerance, and past performance. The measurement results obtained using the ratios must be analyzed by considering the relevant qualitative information.

g) The maturity profile must present the asset, liability, and off balance sheet items classified by time scale based on the remaining time to maturity according to the contract and/or based on assumptions, especially for balance sheet and off balance sheet items which have no contractual maturity date. The factors considered in determining the assumptions used to estimate balance sheet and off balance sheet items which have no contractual residual maturity are product characteristics, counterparty and/or client behavior, and market conditions and historical experience. The purpose of compiling the maturity profile is to identify the liquidity gap in certain time scales. The maturity profile must be prepared at least every month in Rupiah or foreign currency. Banks may classify the maturity profile by foreign currency for internal purposes.

h) The cash flow projection presents the cash flows derived from assets, liabilities, and off balance sheet items as well as other business activities, mapped into certain time scales. The cash flow projection is compiled not only based on contractual maturity, but also on assumptions about client behavior relevant to the Bank’s liquidity condition. The assumptions used by Banks must be reasonably acceptable, well documented, and reviewed periodically to assess their suitability to the Bank’s liquidity condition. The cash flow projection must be prepared at least every month according to the Bank’s needs, by considering the structure of the Bank’s assets, liabilities, and off balance sheet items.

i) Measurement using the stress test referred to in point d) (4) is done with the following stipulations:

(1) The stress test must be able to describe the Bank’s ability to fulfill liquidity needs in a crisis based on several scenarios.

(2) The coverage and frequency of the stress test must be adjusted to the Bank’s size, business activity complexity, and Liquidity Risk exposure, under these conditions:

a) The stress test must be done using a stress scenario specific to the Bank and a market stress scenario.

b) The stress test with the Bank-specific scenario should be done at least once every 3 (three) months, while the stress test with the market scenario should be done at least once every 1 (one) year. The stress test may be done at shorter intervals if the Bank considers that the crisis condition which has occurred may cause the Bank to be exposed to intolerable Liquidity Risk and/or as requested by Bank Indonesia.

c) Bank-specific stress scenarios which may be used are: a downgrade of the Bank’s rating by a rating institution; a large fund withdrawal; and a disturbance/failure of the systems which support the Bank’s operations.

d) Market stress scenarios which may be used are: changes in economic indicators and changes in market conditions, locally or globally.

e) When doing the stress test, Banks use historical and/or hypothetical scenarios and other scenarios, by considering the Bank’s business activities and vulnerabilities.

f) The stress test must calculate the implications of the scenarios over various time durations, including daily.

j) Banks must develop stress test assumptions for the Bank-specific scenarios or the market scenarios, such as:

(1) assumptions regarding the behavior of counterparties and/or clients in crisis conditions which may influence cash flow; and

(2) assumptions regarding other market behaviors in response to crisis conditions in the market.

k) The assumptions used in Liquidity Risk measurement must be reasonably acceptable, adjusted to the liquidity characteristics of assets, liabilities, and off balance sheet transactions, and updated according to market conditions and volatility.

l) When doing the stress test for Liquidity Risk, Banks need to consider the results of assessments done on other Risk types (such as Market Risk, Credit Risk, Reputation Risk) and analyze the possible interactions with those Risk types.

m) Banks need to follow up on the stress test, such as by: (i) adjusting the policy and strategy of Risk Management for Liquidity Risk, (ii) adjusting the asset liquidity composition, (iii) developing or refining the emergency funding plan, and/or (iv) reviewing the established limits. The results of the stress test and the follow up of the stress test must be reported to and evaluated by the Board of Directors.

3) Liquidity Risk Monitoring

a) Liquidity Risk monitoring done by the Bank should pay attention to the early warning indicators in order to detect potential increases in the Bank’s Liquidity Risk.

b) The early warning indicators consist of internal indicators and external indicators.

(1) Internal indicators cover the Bank’s funding and asset growth strategy, increasing concentration on the asset side or the liability side, increasing foreign exchange mismatches, positions which are repeatedly close to or over the internal limit or the regulatory limit, and increases in the Bank’s cost of funds.

(2) External indicators may come from third parties, analysts, or market participants. In general those indicators are related to the Bank’s credit capacity. Examples of indicators which come from third parties are: rumors in the market concerning the Bank’s issues, a downgrade of the credit rating by a rating institution, a decrease in the Bank’s stock price, a decrease in transaction volume, or a decrease in lines of credit.

4) Liquidity Risk Control

a) Liquidity Risk control is done through the funding strategy, the management of the daily liquidity position and Liquidity Risk, the management of the intragroup liquidity position and Liquidity Risk, the management of high quality liquid assets, and the emergency funding plan.

b) Funding strategy

(1) The funding strategy covers the strategy for diversifying funding sources and funding duration, related to the Bank’s characteristics and business activities.

(2) Banks must identify and monitor the main factors which influence their ability to obtain funds, including identifying and monitoring alternative sources of funds and market access which can strengthen their capacity to survive in crisis conditions.

c) The Management of the Daily Liquidity Position and Liquidity Risk

(1) Active management of the daily liquidity position and Liquidity Risk has the purpose of fulfilling intraday liabilities in a timely manner, whether in normal or crisis conditions, by prioritizing critical liabilities.

(2) Banks must analyze the changes in liquidity position which happen because of intraday settlements and/or fund receipts. The analysis of the liquidity position is based on the cash flow position, which needs to be compiled daily in Rupiah or foreign currency, at least covers the projection for the coming week, and is presented daily. The cash flow projection is prepared by the unit which performs treasury activities.

d) The Management of the Intragroup Liquidity Position and Liquidity Risk

In managing the intragroup liquidity position and Liquidity Risk, Banks must calculate and analyze:

(1) the funding needs of companies in the Bank’s business group which can influence the Bank’s liquidity condition; and

(2) the obstacles to accessing intragroup liquidity, as well as ensuring that the impacts have been taken into account in the Liquidity Risk measurement.

e) High Quality Liquid Assets Management

(1) Banks must own sufficient high quality liquid assets, with a composition adjusted to the business characteristics and Liquidity Risk profile, in order to fulfill intraday, short term, and long term liquidity needs.

(2) Banks must evaluate and monitor all positions and the composition of high quality liquid assets, including those which have been pledged and/or are available as collateral.

(3) The availability of an active market, and the time duration needed for collateral process.

f) Emergency Funding Plan

(1) Banks must have an emergency funding plan to handle liquidity problems in various crisis conditions, adjusted to the Risk profile level, stress test results, complexity of business activities, business coverage, organizational structure, and the Bank’s role in the financial system.

(2) The emergency funding plan includes the policy, strategy, procedure, and action plan to ensure the Bank’s ability to obtain the right funding sources on time and at a proper price, which at least include:

(a) the establishment of indicators and/or events used for identifying the occurrence of a crisis;

(b) the mechanism for periodic monitoring and internal reporting by the Bank concerning the indicators referred to in letter (a);

(c) the strategy for facing various crisis conditions and the decision-making procedure for taking action on changes in behavior and cash flow patterns which cause a cash flow deficit;

(d) the strategy for obtaining funding support in crisis conditions by considering the cost and its impact on capital and other important aspects;

(e) managerial coordination, which at least includes:

i. the designation of the parties authorized and responsible for carrying out the identification, executing the emergency funding plan, and forming a special team during crisis conditions; and

ii. the implementation of a good communication strategy and procedure for internal parties.

(f) the internal reporting procedure for the management’s decision-making process;

(g) the procedure for implementing relationship priorities with clients to overcome liquidity problems in crisis conditions.

(3) The emergency funding plan must be documented, evaluated, updated, and tested periodically to ensure its reliability.

5) Liquidity Risk Management Information System

a) Banks must have a sufficient and reliable Risk Management information system to support the implementation of the identification, measurement, monitoring, and control processes, as well as Liquidity Risk reporting in normal and crisis conditions, in a manner that is coherent, accurate, up to date, complete, and continuous.

b) The Risk Management information system must be able to provide information at least concerning:

(1) the cash flow and maturity profile of assets, liabilities, and off balance sheet items;

(2) compliance with the policies, strategies, and procedures of Risk Management for Liquidity Risk, including limits and liquidity ratios;

(3) the Risk profile report and liquidity trends, in a timely manner, for the interest of the management;

(4) the information used for stress testing purposes; and

(5) other information related to Liquidity Risk, such as the position and valuation of the high quality liquid asset portfolio, the concentration of funding sources, and assets and liabilities as well as off balance sheet receivables and liabilities which are not stable.

d. Internal Control System

In implementing Risk Management through the implementation of internal control for Liquidity Risk, aside from implementing the internal control mentioned in point I.D, Banks need to add several things to each aspect of internal control, as follows:

  1. Banks need to implement the sufficient internal control and independent review to the implementation of the Risk Management for Liquidity Risk which is done by Internal Audit Unit (SKAI) or the Risk Management Unit (SKMR).
  2. The internal control to the implementation process of the Risk Management for the Liquidity Risk which is done by SKAI includes:

a) the adequacy of Liquidity Risk management, including active oversight from the Board of Commissioners and Board of Directors; b) the adequacy of the Risk Management framework for Liquidity Risk; c) the adequacy of the Liquidity Risk limit; d) the adequacy of the process and Risk Management system and the human resources in the function or unit which applies Risk Management for Liquidity Risk. 3) The Independent review done by SKMR includes: a) The compliance to the policies and procedures of the Risk Management for the Liquidity Risk including the management of the liquidity position and Liquidity Risk, the composition of asset and liabilities, the high quality liquid assets, and limit compliance; b) The adequacy of methods, assumptions, and indicators of the Liquidity Risk measurement including stress testing; c) The performance of the Liquidity Risk measurement model, which is based on the comparison between Liquidity Risk measurement result and the actual value. 4) The identified weakness in the internal control and independent review must be reported to the authorized parties to be followed up. D. OPERATIONAL RISK

  1. Definition a. Operational Risk is the Risk which is caused by the inadequacy and/or non-functioning internal process, human error, system failure, and/or external events which influence Bank’s operations.

b. Operational Risk may come from several sources such as the Human Resources (SDM), internal process, system and infrastructure, and external events. c. Those Risk sources may cause negative impact events to the Bank’s operations; therefore the occurrence of the types of Operational Risk is one of the measures of the success or failure of the Risk Management for the Operational Risk. The type of Operational Risk can be categorized into several event types such as internal fraud, external fraud, the practice of employment and work environment safety, customer, products and business practice, physical asset damages, business activity interferences and system failure, and the error of process and execution. 2. Purpose The main purpose of the Risk Management for the Operational Risk is to minimize the possibility of negative impact from the malfunctioning internal process, human error, system failure, and/or external events. 3. Risk Management Implementation The implementation of the Risk Management for the Operational Risk for the Banks as individuals or Banks in consolidation with the Subsidiaries covers: a. Active Oversight from the Board of Commissioners and Board of Directors In implementing Risk Management through the active oversight from the Board of Commissioners and Board of Directors for Operational Risk, other than doing an active oversight as mentioned in point I.A, Banks need to add some implementations in each aspect of active surveillance from the Board of Commissioners and Board of Directors, as follows:

  1. The Authority and Responsibility of the Board of Commissioners and Board of Directors a) The Board of Commissioners and Board of Directors are responsible to develop a standard organization culture to the Operational Risk and grow the commitment in managing Operational Risk according to business strategy of the Bank. b) The Board of Commissioners ensures that the remuneration policy of the Bank is compatible with the business strategy of the Bank. c) The Board of Directors of the Bank create the disclosure culture objectively on the Operational Risk to all of the organization elements so that the Operational Risk can be immediately identified and mitigated correctly. d) The Board of Directors set the reward policy including the effective remuneration and punishment which is integrated in the performance evaluation system in order to support the implementation of the optimal Risk Management.
  2. Human Resources a) Banks must have code of conduct applicable to every employee in every organizational level. b) Banks must apply the sanction consistently to the officers and employees which proven to have done deviations and violations.
  3. Operational Risk Management Organization a) Business unit management or the supporting unit is the risk owner responsible to the Risk Management for daily Operational Risk process and report the problems and

Operational Risk specifically in the unit according to the relevant report level. b) In the Risk Management Unit, Bank may form an independent unit or assign the official who is in charge of implementing the Risk Management for the Operational Risk function coherently. The unit or officer is working to help the Board of Directors in managing Operational Risk and to ensure the policy of the Risk Management for the Operational Risk runs in every organization level, which covers: (1) Assisting the Board of Directors in arranging the policy of the Risk management for the whole Operational Risk; (2) Designing and implementing tools to evaluate the Operational Risk and for reporting purpose; (3) Doing the activity coordination of the Risk Management for the Operational Risk across every work unit; (4) Arranging Operational Risk profile report which will be submitted to the Chief Executive or assigned Directors and the Risk Management Committee; (5) Doing assistance to the business unit regarding the Risk Management for the Operational Risk issue and Risk Management training for the Operational Risk. c) To facilitate the process of the Risk Management for the Operational Risk in the business unit or supporting unit and to ensure the consistency of the policy implementation of the Risk Management for the Operational Risk, bank can appoint a dedicated

operational risk officer who has double reporting lines which are directly to the chief of business unit or to the Risk Management Unit. The responsibility of the dedicated operational risk officer covers the development of the specific Risk indicator of the business unit or the supporting unit, setting the escalation border, and arranging the report of Risk Management regarding Operational Risk. b. Policy, Procedure, and Limit Establishment In implementing the policy, procedure, and limit establishment for the Operational Risk, aside from executing the policy, procedure, and limit establishment as mentioned in point I.B, Bank needs to add some implementations in each aspect of the policy, procedure, and limit establishment, as follows:

  1. Risk Management Strategy The strategy arrangement for the Operational Risk refers to the general coverage of the implementation as referred to in point I.B.1.
  2. Risk Appetite and Risk Tolerance The establishment of Risk Appetite and Risk tolerance for the Operational Risk refers to the general coverage of the implementation in point I.B.2.
  3. Policies and Procedures a) Banks must set the Risk management for the Operational Risk policy which should be internalized to the business process of all of the business lines and supporting activities of the Bank, including the Operational Risk policy which is unique according to the needs of the business lines and supporting activities.

b) Banks must have procedures which are the derivations of the Risk Management for the Operational Risk policy. Those procedures may be in the form of: (1) general control, which is the general operational control to all of the business lines and the supporting activities of the Bank, for example the function separation or the necessity to take leaves, and (2) specific control, which is the specific operational control to every business lines and supporting activities of the Bank, for example the reconciliation transaction in the trading activity or the debtor’s credit document management. c) Banks must have Business Continuity Management (BCM) which is the process of integrated and complete management (protocol) to ensure Bank’s operational continuity in running the business and servicing customers. In the BCM, Banks must own the policy which at the least covers: (1) Business Impact Analysis (BIA); (2) Operational Risk evaluation which may happen because of the interferences in Bank’s operations; (3) Recovery strategy which is conducted by the Bank for every interference; (4) Documentation, such as the disaster recovery plan and contingency plan; (5) Periodic testing to ensure that the BCM approach used can be effectively operated during the occurrence of interference.

d) To mitigate the Operational Risk derived from the internal process complexity, Banks must own the policy which at the least includes: (1) the restrain to prevent operational Risk to happen whether for all of the internal process or the ones directly related to the customers; (2) The completion procedure of the internal process in which to ensure the effectiveness of the transaction settlement process; (3) The accounting implementation procedure to ensure the accurate accounting record, which are the validity of the accounting method used, the process of the executed accounting, and the supporting document management; (4) The procedures of asset and custodian storage, which are asset documentation and custodian, the control needed for asset physical security, and periodic checking concerning the asset condition; (5) The procedures of the execution of product and other activity provisions which is done by the Bank, such as outsourcing, private banking/wealth management; (6) The prevention and fraud termination procedures. e) To reduce the possibility of the Operational Risk occurrence which comes from the Human Resources, Bank’s Risk Management policy should at least include the policy about recruitment and allocation according to the organization’s needs, remuneration and the competitive incentive structure, training and developing, periodic rotation, the policy of career planning and

succession, and issue handling related with lay off and labor union. f) To reduce the possibility of Operational Risk occurrence which derived from the infrastructure system, Bank’s Risk Management policy must be supported by the access procedures to the management information system, accounting information system, Risk management system, dealing room security, and data processing room. g) To reduce the possibility of Operational Risk occurrence which derived from the external event, Bank’s Risk Management policy must be supported by the insurance protection to Bank’s physical assets, backup system, and the guarantee of safety working for certain high risked working field. h) To reduce the possibility of Operational Risk occurrence which derived from the profile of the customer and the future customer, Bank’s Risk Management policy must include Bank’s obligation to do Customer Due Diligence (CDD) or Enhanced Due Diligence (EDD) periodically and consistently according to the exposure of the Operational Risk. The implementation of CDD/EDD must refer to all of the conditions and guidelines as ruled in the applicable stipulation concerning Anti Money Laundering and Prevention of Terrorism Funding Program. CDD/EDD must be supported by the effective internal control system, especially Bank’s efforts to prevent internal fraud. 4) Limit Limit establishment for the Operational Risk refers to the general coverage of the implementation as referred to in point I.B.4.

c. Process of Risk Identification, Measurement, Monitoring, and Risk Control, as well as Operational Risk Management Information System In implementing the Risk Management through the identification process, Measurement, Monitoring, and Risk Control, as well as Operational Risk Management Information System for the operational risk, aside from executing the process of identification, measurement, monitoring, and risk control, as well as Risk management information system for Operational Risk as mentioned in point I.C, Bank needs to add some implementations in each aspect of the processes, as follows:

  1. Identification and Measurement of the Operational Risk a) Banks must do the identification and measurement to the parameters influencing Operational Risk exposure, which are the frequency and impact of: (1) system failure and error; (2) administration system weaknesses; (3) failure of customer relationship; (4) accounting error; (5) delay and error of payment settlement; (6) fraud; (7) accounting manipulation. b) Banks develop a database concerning: (1) the type and impact of the loss, which is caused by the Operational Risk based on the Risk identification, in the form of loss data which possibilities of occurrence are predictable or the ones which are unpredictable;

(2) the violation of the control system; and/or (3) other operational issues which may cause loss in the future. c) Banks must consider various internal and external factors when identifying and measuring the Operational Risk, which are: (1) Bank’s organizational structure, Risk culture, human resources management, organizational changes, and employee turnover; (2) Bank’s customer’s characteristic, products and activities, and the complexity of business activities and transaction volume; (3) Design and implementation of the system and process used; (4) External environment, industry trend, market structure including social and politic condition. d) The method which can be used by the Bank to do identification and measurement of the Operational Risk, are such as: Risk Control Self Assessment (RCSA), risk mapping, Key Risk Indicators (KRI), scorecards, event analysis, frequency matrix, quantitative and qualitative methodology. e) For Banks which have not developed specific method to do the identification and Operational Risk measurement, the main information source of the Operational Risk is the Internal Audit findings which are related to the Operational Risk. 2) Operational Risk Monitoring

a) Banks must do Operational Risk monitoring continuously towards all Operational Risk exposures and the loss which may be caused by Bank’s main activity, such as by implementing the internal control system and providing the periodic report concerning the loss caused by Operational Risk. b) Banks must do the review periodically towards all factors which cause the occurrence of Operational Risk and their loss impact. 3) Operational Risk Control a) Risk Control is done consistently according to the Risk appetite, the result of identification, and measurement of the Operational Risk. b) In the implementation of the Operational Risk prevention, Banks can develop a program to mitigate the Operational Risk such as security of the information technology process, insurance, and outsourcing to some of the Bank’s operational activities. c) In the case that the Bank develops the security for information technology process, the Bank must ensure the security level of the electronic data processing. d) The control of the information system must ensure: (1) the existence of a periodic assessment towards the information system security, which is followed by the corrective action when necessary; (2) the availability of the back-up procedure and contingency plan to guarantee the flow of Bank’s operational activities and prevent the significant interferences to happen, which is tested periodically;

(3) the existence of information submission to the Board of Directors regarding the problems in letter (1) and (2); (4) the availability of the storage of the information and document which are related to the analysis, programming, and the data processing execution. e) Banks must own a supporting system, which at least includes: (1) early identification of errors; (2) efficient, accurate, and timely processing and settlement of all transactions; and (3) confidentiality, validity, and security of the transaction. f) Banks must do a periodic review to the procedures, documentation, data processing system, contingency plans, and other operational practices in order to reduce the possibility of human error. 4) Operational Risk Management Information System a) The management information system must be able to produce a complete and accurate report in order to detect and correct the deviation in time. b) Banks must own the reporting mechanism towards the Operational Risk which can give information according to the user’s needs, as follows: (1) Operational Risk profile and the loss it causes; (2) The result of various methods of Operational Risk measurement and the trend, and/or the summary of the internal audit findings;

(3) Status report and the effectiveness of the action plan implementation of the operational risk issues; (4) Report of procedure deviation; (5) Report of fraud event; (6) Recommendation from the Risk Management unit for the Operational Risk, external auditor recommendation letter (especially the Bank operational control aspects), and Bank Indonesia instruction letter. d. Internal Control System In the implementation of the Risk management through the execution of internal control system for the Operational Risk, aside from doing the internal control as referred in point I.D, Banks need to own a routine rotation system to avoid the potential of self-dealing, conspiracy or the concealment of improper documentation or transaction. E. LEGAL RISK

  1. Definition a. Legal Risk is Risk that happens because of legal claim and/or weakness of jurisdiction aspect. b. Legal Risk can come from, among others, the weakness of jurisdiction law which is caused by the weakness in legal agreement that is done by the Bank, absence and/or amendment of law regulation which causes a transaction that has been done by Bank to be not suitable with the regulation that will exist, and litigation process which arises either from suit of third party to Bank or Bank to the third party.
  2. Purpose

Risk Management main purpose for Legal Risk is to ensure that Risk Management can minimize the negative effect from the weakness of jurisdiction aspect, the non-existence and/or amendment of legislation regulation, and litigation process. 3. Risk Management Implementation Risk Management Implementation for Legal Risk for individual Bank as well as for Bank in consolidation with Subsidiaries more or less covers: a. Active Oversight of the Board of Commissioners and Board of Directors In doing Risk Management implementation through active oversight of the Board of Commissioners and Board of Directors for Legal Risk, other than doing active oversight as referred to in point I.A, Banks must add application of some points in every aspect of active oversight of the Board of Commissioners and Board of Directors, as follows:

  1. Authority and Responsibilities of Board of Commissioners and Board of Directors a) The Board of Directors must decide an effective communication mechanism, which includes involving Bank’s official and employee, on law problem which is faced with law part or related work unit in order that the Legal Risk can be prevented and controlled. b) The Board of Directors and Board of Commissioners must implement legal governance which is a management system to form, execute, and interpret legislations and internal provisions including standard agreement used. c) The Board of Directors must ensure the existence of legal consistency on every business activity which is the existence of concordance between activity or business activity which is done with applicable legislations and does not cause ambiguity to occur in an agreement that is made by the Bank.

d) The Board of Directors must ensure the existence of legal completeness, so everything that is regulated by legislation either nationally or internationally can be implemented well by the Bank, including restriction in applicable regulations and legislations which are compiled clearly in Bank’s internal policy. 2) Human Resource Banks must apply sanction consistently to officials and employees which is proven doing deviation and violation to external and internal provision as well as Bank’s internal code of conduct. 3) Legal Risk Management Organization a) Banks must have work unit or function which has a role as legal watch that provides law analysis/advice to every employee in every level of organization. b) Banks must have independent work unit/function that assess and supervise the Risk Management implementation for Legal Risk continually. Generally this can be done by Risk Management unit or work unit/function which supervises legal field which is responsible directly to Bank’s Chief Executive. Other than that, the work unit/function is also responsible to develop and evaluate strategy, policy, and procedure of Risk Management for Legal Risk as well as to give inputs to the Board of Commissioners and Board of Directors. Involvement of work unit/function which supervises legal field is also important in every business activity of Bank which is exposed to Legal Risk including amongst in terms of Bank will issue new activity and product. c) Work unit/function which supervises legal field, Risk Management Unit, and operational work unit must assess together the effect of certain provision and regulation amendment towards Legal Risk exposure.

b. Policy, Procedure and Limit Establishment In implementing policy, procedure and limit Establishment for Legal Risk, then other than doing policy, procedure and limit Establishment as referred to in point I.B, Banks need to add implementation to some points in every policy, procedure and limit Establishment aspects, as follows:

  1. Risk Management Strategy Risk Management Strategy for Legal Risk is an inseparable integral part from Bank’s Risk Management as a whole as referred to in point I. B. 1.
  2. Risk Appetite and Risk Tolerance Establishment of Risk appetite and Risk tolerance for Legal Risk refer to the implementation scope generally as referred to in point I.B.2.
  3. Policy Procedure and Limit Establishment a) Banks must have and execute law aspect analysis procedure towards new product and activity. b) Bank must do evaluation and updating of Legal Risk policy and procedure periodically, according to Bank external and internal development, such as amendment of applicable provisions and regulations. c. Process of Risk Identification, Measurement, Monitoring, and Risk Control, as well as Information Management System for Legal Risk In doing Risk Management implementation via identification, measurement, monitoring and risk control process, as well as Risk Management information system for Legal Risk, so other than executing process as referred to in point I.C, Banks must add application to some points in every process referred to, as follows:
  1. Legal Risk Identification

Identification implementation for Legal Risk refers to general application as referred to in point I.C.1. 2) Legal Risk Measurement a) Banks must have Risk measurement method for adequate and integrated Legal Risk with Bank’s Risk Management framework, either using quantitative or qualitative approach. b) In measuring Legal Risk, the following can be used as indicator/parameter, such as loss potential because of litigation, annulment of agreement because of agreement weakness, the occurrence of legislation amendment which causes Bank products to become not in line with the existing provisions. 3) Legal Risk Monitoring Monitoring execution for Legal Risk refers to implementation coverage in general in point I.C.3. 4) Legal Risk Control a) Work unit/function which supervises legal field must do review periodically towards the contract and agreement between Bank and other parties, such as by doing re-assessment to the effectiveness enforceability process in order to check validity of rights in the contract and agreement concerned. b) In terms of Bank published guarantee such as netting agreement, collateral pledges and margin calls then it must be supported by enforceable and effective legal document. 5) Legal Risk Information Management System Banks must record and manage every event, including litigation process that is related to Legal Risk including the amount of loss potential which is caused by the event concerned. The recording and managing of the data concerned

is compiled in a statistic data which can be used for projecting Bank business activity potential loss at certain period. d. Internal Control System Internal Control System Implementation for Legal Risk refers to the general implementation scope as referred to in point I.D. F. STRATEGIC RISK

  1. Definition a. Strategic Risk is Risk because of imprecision in taking and/or executing a strategic decision as well as failure in anticipating business environment change. b. Strategic Risk can be from the following source such as weakness in strategic formulation process and imprecision in strategic formulation, insufficient information management system, inadequate internal and external environment analysis result, over aggressive strategic aim establishment, imprecision in strategy implementation, and failure in anticipating changes in business environment.
  2. Purpose Main purpose of Risk Management for Strategic Risk is to ensure that Risk Management process can minimize the possibility of negative effect from imprecision of strategic decision making and failure in anticipating changes in business environment.
  3. Risk Management Implementation Risk Management Implementation for Strategic Risk for individual Bank as well as for Bank in consolidation with Subsidiaries, at least includes:

a. Board of Commissioners and Director Active Oversight In doing Risk Management implementation through active oversight of the Board of Commissioners and Board of Directors for Strategic Risk, so other than executing active monitoring as referred to in point I.A, Banks need to add implementation on some points in every aspect of active oversight of the Board of Commissioners and Board of Directors, as follows:

  1. Authority and Responsibility of the Board of Commissioners and Board of Director a) The Board of Commissioners and Board of Directors must arrange and endorse on strategic plan and business plan which consists of things as stipulated in applicable provisions and to communicate it to the officials and/or bank employees in every level of organization. b) The Board of Directors is responsible in Risk Management implementation for Strategic Risk which consists of:
(1) to guarantee that the defined strategic aim has been in line with mission and vision, culture, business direction and Bank Risk tolerance.
(2) to give agreement to strategic plan and each of its changes, as well as doing periodic review (at least once in 1 year) towards the strategic plan in order to ensure its suitability.
(3) to ensure that the structure, culture, infrastructure, financial condition, workforce, and managerial competency including executive official, as well as the existing system and control in Bank is appropriate and adequate to support defined strategy implementation. c) The Board of Directors must control the internal condition (Bank’s weakness and strength) and external

factor/condition development that directly or indirectly affects the defined Bank business strategy. d) The Board of Directors must decide work unit/function which has the authority and responsibility that supports strategic execution control and formulation, including strategic plan and business plan. e) The Board of Directors is responsible to ensure that Risk Management for Strategic Risk has been applied effectively and consistently in all related operational level. In case of Director delegates part of responsibility to executive official and related management, said delegation won’t erase Director responsibility as main party that must be responsible. 2) Human Resource Adequacy of human resource for Strategic Risk refers to general implementation scope as referred to in point I.A.2. 3) Strategic Risk Management Organization a) All business unit and supporting unit are responsible to help the Board of Directors compile strategic planning, and implement the strategy effectively. b) Business unit and supporting unit are responsible to ensure that:

  1. Risk Management practice for Strategic Risk and control in business unit has been consistent with overall Risk Management framework for Strategic Risk;
  2. Business unit and supporting unit have authority, procedure and resource to support the effectivity of Risk Management framework for Strategic Risk. c) The Board of Directors leads change management program which is needed in order to implement strategy which has been defined.

d) Work Unit for Strategic Planning is responsible to help Board of Directors in managing Strategic Risk and facilitate change management program in order to develop the company continuously. e) Other than that, Risk Management Work Unit is also responsible for Strategic Risk especially in aspects as follows: (1) Coordinating with all business units in strategic plan establishment process. (2) Supervising and evaluating strategic plan implementation development, as well as giving suggestion relating to opportunity and alternatives for development and repairing strategic continuously. (3) Making sure that all strategic issues and effects toward strategic aim accomplishment has been followed up on time. b. Authority, Procedure and Limit Establishment In performing authority, procedure, and limit establishment for Strategic Risk, then other than performing authority, procedure and limit Establishment as referred to in point I.B, Bank needs to add implementation to some points in every authority, procedure, and limit Establishment aspect, as follows:

  1. Risk Management Strategy a) In compiling strategy, the Bank must evaluate Bank’s competitive positioning in the industry. In this case the Bank needs to: (1) understand business, economy and banking industry environment condition including how the environment changes affect business, product, technology and Bank’s office network.

(2) measure strength and weakness of Bank related to competitiveness position, Bank’s positioning in banking industry, and financial performance, organization structure and Risk Management, infrastructure for current and future business needs, managerial ability, as well as availability and limited Bank resource. (3) analyze all available alternative strategy after considering strategic purpose as well as Bank Risk tolerance. Analysis depth and scope must be in line with Bank’s business activity scale and complexity. b) Banks must decide written strategic plan and business plan and execute the policy concerned. c) The strategic plan and business plan concerned must be evaluated and can be adjusted if there is any deviation from aimed target because of significant external and internal change. d) In case the Bank is planning to implement long term and continuous strategy, Bank must have enough succession managerial plan to support the effectiveness of continuous strategy implementation. e) Bank must have adequate financial source to support strategic plan implementation. 2) Risk Appetite and Risk Tolerance Risk appetite and Risk tolerance for Strategic Risk refers to general implementation scope as referred to in point I.B.2. 3) Policies and Procedures a) Banks must have policy and procedure to arrange and approve strategic plan. b) Banks must have adequate procedure to be able to identify and respond to changes in business environment.

c) Banks must have procedure to measure achievement of business plan realization and performance according to the set schedule. 4) Limit General Strategic Risk limit is the following related to deviation limit from the set strategic plan, such as deviation budget limit and deviation completion time target limit. c. Identification, Measuring, Monitoring and Risk Control Process, as well as Information System for Strategic Risk In performing Risk Management via identification process, measurement, monitoring and Risk control, as well as Risk Management information system for Strategic Risk, so other than executing process as referred to in point I.C, Bank needs to pay attention to the things as follows:

  1. Strategic Risk Identification a) Banks must identify and manage deviations resulting from unrealized or ineffective execution of the strategy or the set business plan, especially those which have a significant effect on the Bank’s finances. b) Banks must perform Risk analysis, especially of strategies that need a lot of resources and/or are high risk, such as a strategy to enter a new market, an acquisition strategy, or a diversification strategy in the form of products and services.
  2. Strategic Risk Measurement a) In measuring Strategic Risk, indicators/parameters that can be used include the complexity of the Bank’s business strategy, the Bank’s positioning in the banking industry, and the achievement of the business plan. b) Banks can perform stress tests on strategy implementation in order to (i) identify every event or change in the business environment which has a negative effect on the fulfillment of the initial assumptions of the strategic plan, and (ii) measure the potential negative effect of the said event on the Bank’s

business performance, either financially or non-financially. c) Stress testing results must provide feedback to the strategy planning process. d) Where the stress testing result produces a Risk rating higher than the Bank’s ability to absorb said Risk (Risk tolerance), the Bank must develop a contingency plan or strategy to mitigate the risk. 3) Strategic Risk Monitoring a) Banks must have a process to supervise and control the progress of strategy implementation continuously. Monitoring can be done by observing past loss experience that was caused by Strategic Risk or by deviation in the execution of the strategic plan. b) Strategic issues arising from changes in operations and the business environment which have a negative effect on the Bank’s business and financial condition must be reported to the Director in a timely manner, along with an analysis of their effect on Strategic Risk as well as the remedial action that should be taken. 4) Strategic Risk Control Banks must have a system and controls to monitor performance, including financial performance, by comparing the ‘actual result’ with the ‘expected result’ to ensure that the Risk taken is still within the tolerance limit, and must report significant deviations to the Board of Directors. The risk control system concerned must be agreed and reviewed periodically by the Board of Directors to ensure its suitability. 5) Strategic Risk Information Management System a) Banks must ensure that the information management system is adequate to support the planning process and strategic decision making, and that it is reviewed continuously.

b) The work unit/function which performs Risk Management for Strategic Risk is responsible for ensuring that all material Risk caused by business environment changes and strategy implementation is reported to the Board of Directors in a timely manner. d. Internal Control System An adequate internal control system in Risk Management implementation for Strategic Risk refers to the general implementation in point I.D.

G. COMPLIANCE RISK

  1. Definition a. Compliance Risk is the Risk that arises when a Bank does not comply with and/or implement the relevant rules and regulations. b. Compliance Risk may arise from legal behavior, which is the Bank’s behavior/activity that deviates from or violates the applicable stipulations or legislation, and from organizational behavior, which is the Bank’s behavior/activity that deviates from or is against generally accepted standards.
  2. Purpose The main purpose of Risk Management for Compliance Risk is to ensure that the Risk management process can minimize the possibility of negative impact from Bank behavior which deviates from or violates general standards, stipulations and/or the relevant legislation.
  3. The Risk Management Implementation The implementation of Risk Management for Compliance Risk for an individual Bank or for a Bank in consolidation with its Subsidiaries includes at least:

a. Active Oversight from the Board of Commissioners and Board of Directors In implementing Risk Management through the active oversight of the Board of Commissioners and Directors for Compliance Risk, in addition to implementing the active oversight as referred to in point I.A, Banks need to add several implementations in each aspect of the active oversight of the Board of Commissioners and Board of Directors, as follows: (1) The Authority and Responsibility of the Board of Commissioners and Board of Directors a) The Board of Commissioners and Board of Directors have to ensure that Risk Management for Compliance Risk is conducted in integration with other Risk Management which can have an impact on the Bank’s Compliance Risk profile. b) The Board of Commissioners and Board of Directors have to ensure that every compliance issue can be settled effectively by the related work unit and that the recovery action is monitored by the compliance work unit. c) The Board of Directors in charge of the Compliance Function has a significant role in Risk Management for Compliance Risk, with the responsibilities governed in the relevant regulation concerning the implementation of the Commercial Bank’s function, which are: (1) creating strategies to encourage the creation of a compliance culture; (2) proposing the compliance policy or the compliance principles which will be established by the Board of Directors;

(3) establishing the compliance system and procedures which will be used in establishing the Bank’s internal stipulations and guidelines; (4) ensuring that all policies, stipulations, systems, and procedures, as well as the Bank’s business activities, are in accordance with the relevant legislation; (5) minimizing the Compliance Risk of the Bank; (6) taking preventive action so that the policies and/or decisions made by the Directors of the Bank or the chief of a Foreign Bank’s Branch Office do not deviate from Bank Indonesia regulations and the applicable legislation; (7) performing other functions related to the Compliance Function. d) The Director in charge of the Compliance Function must be independent and submit job execution reports to Bank Indonesia according to the relevant Bank Indonesia stipulations concerning the Implementation of Commercial Bank’s Compliance and other related stipulations. (2) Human Resources Officers and staff in the Compliance work unit are not allowed to be assigned to positions that have a conflict of interest in implementing the responsibilities of the Compliance Function. (3) Compliance Risk Management Organization a) Banks must have an adequate Risk Management function for Compliance Risk, with clear authority and responsibility for each work unit that executes the Risk Management function for Compliance Risk.

b) Banks must have an independent compliance work unit which has tasks, authority, and responsibilities at least as governed in the applicable stipulation concerning the implementation of the compliance function of commercial Banks, as follows: (1) Create steps to support the establishment of a compliance culture in every Bank activity at each organizational level. (2) Have a written work program and carry out the identification, measurement, monitoring, and control related to Risk Management for Compliance Risk. (3) Evaluate the effectiveness, adequacy, and compatibility of the Bank’s policies, systems, and procedures with the applicable legislation. (4) Review and/or recommend updates and improvements to the Bank’s policies, stipulations, systems, or procedures so that they are compatible with Bank Indonesia stipulations and the applicable legislation. (5) Ensure that the policies, stipulations, systems, and procedures, as well as the Bank’s business activities, are in accordance with Bank Indonesia stipulations and the applicable legislation. (6) Execute other tasks related to the compliance function. b. Policy, Procedure and Limit Establishment In implementing the policy, procedure, and limit establishment for Compliance Risk, in addition to implementing the policy, procedure, and

limit establishment as referred to in point I.B, Banks need to add some implementations in each aspect of policy, procedure, and limit establishment, as follows: (1) Risk Management Strategy The arrangement of the strategy for Compliance Risk refers to the general implementation coverage as referred to in point I.B.1. (2) Risk Appetite and Risk Tolerance In principle, Banks must adhere to the applicable legislation, both the letter and the spirit of the stipulation. Accordingly, Banks have no tolerance for Compliance Risk and take immediate and appropriate steps to handle the Risk when it happens. (3) Policies and Procedures a) Banks must have a proper compliance work plan. b) Banks must ensure the effectiveness of the implementation of Risk Management for Compliance Risk, especially in arranging policies and procedures in accordance with general standards, stipulations, and/or the applicable legislation, among others those related to: (1) the proper establishment of limits; (2) the policy to exclude the execution of transactions which exceed the limit; (3) the implementation of the policy of checking compliance through periodic procedures; (4) the promptness in communicating the policy to all employees at every organizational level;

(5) the sufficiency of control over new product development; (6) the sufficiency of the reporting and data system, especially in order to control data accuracy, data comprehensiveness, and data integrity. (4) Limit The implementation of limits for Compliance Risk refers to the general coverage as referred to in point I.B.4. c. Process of Risk Identification, Measurement, Monitoring, and Control, as well as the Compliance Risk Management System In implementing Risk Management through the process of Risk identification, measurement, monitoring, and control, as well as the Risk Management information system for Compliance Risk, in addition to carrying out the processes as referred to in point I.C, Banks need to add some implementations in each of those processes, as follows:

  1. Compliance Risk Identification Banks must identify and analyze factors which may increase Compliance Risk exposure, such as: a) the type and complexity of the Bank’s business activity, including new products and activities. b) the volume and materiality of the Bank’s violations of internal policies and procedures, the relevant stipulations and regulations, and sound business ethics practices and standards.
  2. Compliance Risk Measurement Compliance Risk can be measured by using indicators/parameters in the form of the type, significance, and frequency of violations of the applicable stipulations or the Bank’s compliance track record, the behavior which causes

violations, and violations of generally applicable standards. 3) Compliance Risk Monitoring The work unit which performs the Risk Management function for Compliance Risk is obliged to monitor and report the occurrence of Compliance Risk to the Board of Directors, whether at the time the Compliance Risk occurs or periodically. 4) Compliance Risk Control Where a Bank has branches abroad, the Bank must ensure that it has an adequate level of compliance with the relevant legislation in the country where the branch office is located. 5) Compliance Risk Information System The implementation of the management information system for Compliance Risk refers to the general implementation coverage as referred to in point I.C.5. d. Internal Control System In implementing Risk Management for Compliance Risk, in addition to carrying out the internal control as referred to in point I.D, Banks need to have an internal control system for Compliance Risk to ensure the Bank’s level of responsiveness to deviations from generally accepted standards, stipulations, and/or relevant legislation.

H. REPUTATION RISK

  1. Definition a. Reputation Risk is the Risk which is caused by the decrease of the stakeholder trust level that is caused by negative perception towards the Bank.

b. Reputation Risk may derive from various Bank business activities, as follows:

  1. events which damage Bank’s reputation, such as negative news from the mass media, business ethic violation, and customer complaints; or
  2. other things which can cause the reputation Risk, for example the management weaknesses, corporate culture, and bank business practice.
  2. Purpose The main purpose of Risk Management for Reputation Risk is to anticipate and minimize the loss impact from the Reputation Risk of the Bank.
  3. The Implementation of the Risk Management The implementation of Risk Management for Reputation Risk for individual Banks or for Banks in consolidation with their Subsidiaries shall at least include: a. Active Oversight from the Board of Commissioners and Board of Directors In implementing Risk Management through the active oversight of the Board of Commissioners and Directors for Reputation Risk, in addition to carrying out the active oversight as mentioned in point I.A, Banks need to add several implementations in each aspect of the active oversight of the Board of Commissioners and Directors, as follows:
  1. The Authority and Responsibility of The Board of Commissioners and Board of Directors a) Board of Commissioners and Board of Directors must give attention to the implementation of the Risk Management for the Reputation Risk by the related units

(Corporate Secretary, Public Relation, and related business unit). b) The Board of Commissioners and Board of Directors must behave professionally and maintain business ethics in order to set an example for all elements of the Bank’s organization in building and maintaining the reputation. c) The Board of Directors must designate the work unit/function which has the authority and responsibility to give information related to the Bank’s business activity to the customers and stakeholders of the Bank in order to control Reputation Risk. 2) Human Resources The sufficiency of human resources for Reputation Risk refers to the general coverage of the implementation as referred to in point I.A.2. 3) Risk Reputation Management Organization a) All employees, including business unit management and the Bank’s supporting activities, must be part of the structure for executing Risk Management for Reputation Risk, considering that reputation is the result of all of the Bank’s business activities. The role of Business Unit Management is to identify the Reputation Risk which occurs in the business or the unit’s activity, and to act as the front line in building reputation and preventing Reputation Risk, especially regarding customer relationships. b) The work units which execute Risk Management for Reputation Risk, such as the Corporate Secretary, Public Relation, and Investor Relation, have the responsibility to:

(1) Run the public relation function and respond to negative announcements or other events which can cause costs to the Bank. (2) Communicate the information needed by stakeholders, investors, customers, creditors, associations, and society. b. Policy, Procedure and Limit Establishment In implementing the policy, procedure, and limit establishment for the Compliance Risk, in addition to implementing the policy, procedure, and limit establishment as referred to in point I.B, Banks need to add some implementations in each aspect of policy, procedure, and limit establishment, as follows:

  1. Risk Management Strategy The arrangement of Risk Management Strategy for Reputation Risk refers to the general implementation coverage as referred to in point I.B.1
  2. Risk Appetite and Risk Tolerance The implementation of Risk Appetite and Risk Tolerance for Reputation Risk refers to the general implementation coverage as referred to in point I.B.2
  3. Policies and Procedures a) Banks must have written policies and procedures which fulfill transparency principles in order to improve service quality to customers and other stakeholders so as to control Reputation Risk. The policy shall also be compatible with the applicable regulation concerning consumer protection. b) Banks must have and implement an appropriate communication policy in order to face negative news/publications or to prevent counterproductive

information, among others by implementing an effective media usage strategy to counter negative news. c) Banks shall have a special protocol for reputation management during a crisis in order to quickly anticipate an increase in Reputation Risk during the crisis. The evaluation of this factor concerns (a) the Crisis Management Structure, and (b) the Crisis Management Manual Procedure. 4) Limit The Reputation Risk limit in general is not a financially quantified limit. Examples are the time limit for responding to customer complaints and the time limit for waiting in a queue to receive services. c. Process of Risk Identification, Measurement, Monitoring, and Control, as well as the Information Management System for Reputation Risk In implementing Risk Management through the process of Risk identification, measurement, monitoring, and control, as well as the Risk Management information system for Reputation Risk, in addition to carrying out the processes as referred to in point I.C, Banks need to add some implementations in each of those processes, as follows:

  1. Identification and Reputation Risk Measurement a) Banks are obliged to record and administer every activity related to Reputation Risk, including the aggregate potential loss caused by those activities, in a data administration. The recorded and administered data are compiled into statistical data which can be used to reflect the potential loss for a given period and for a certain Bank activity. b) Banks may use several information sources to identify and measure the effects of Reputation Risk, among others: mass media news; the Bank’s sites and social media analysis;

customer complaints through customer service; and customer satisfaction questionnaires. 2) Reputation Risk Monitoring The implementation of Reputation Risk monitoring refers to the general implementation coverage as referred to in point I.C.3. 3) Reputation Risk Control a) Banks must immediately follow up and resolve any customer complaints and lawsuits which could increase Reputation Risk exposure. b) Banks must develop a reliable mechanism for performing effective Reputation Risk control. In general, Reputation Risk Control shall be done in 2 (two) ways: (1) By preventing events which can result in Reputation Risk, which is generally done through a series of activities as follows: (a) Corporate Social Responsibility, which is a series of activities done by Banks to empower society in the form of economic/social activities which are expected to create a positive reputation for the Bank concerned. (b) Routine communication with/education of stakeholders in order to form a positive reputation among the stakeholders. (2) Recovery of the Bank’s reputation after an event which causes Reputation Risk, which covers all of the Bank’s responses to recover its reputation and to prevent deterioration of the Bank’s reputation. c) Mitigation of Reputation Risk, or of any event which may cause Reputation Risk, is carried out in consideration of the materiality of the problem and the funds. However, Reputation

Risk may be acceptable as long as it is still compatible with the Risk Appetite. d) In order to control a greater Reputation Risk in the future, preventive action and Reputation Risk recovery shall be followed by improvement of the weaknesses in controls and procedures which can trigger Reputation Risk. 4) Reputation Risk Management Information System a) Banks are obliged to have a regular procedure and mechanism for reporting Reputation Risk or occurrences which result in Reputation Risk, whether in writing or through an electronic system, including discussions in board/management meetings. b) Banks are obliged to have an early warning mechanism in order to give signals to management to carry out the response and mitigation needed. d. Internal Control System The implementation of internal control for Reputation Risk refers to the general implementation coverage as referred to in point I.D.

III. RISK PROFILE ASSESSMENT GUIDELINES

In compiling the Risk profile report, which is one of the outputs of the Risk Management information system, Banks evaluate the Risk of all of the Bank’s business activities, both main business activities and supporting activities, covering 8 (eight) Risks, which are Credit Risk, Market Risk, Operational Risk, Liquidity Risk, Strategic Risk, Compliance Risk, Legal Risk, and Reputation Risk. The assessment is done for an individual Bank or for a Bank in consolidation with its Subsidiaries, based on a comprehensive and structured analysis of: a. the Risk which is attached to the Bank’s business activities (inherent risk); and

b. the quality of the Risk Management implementation, which reflects the assessment of the sufficiency of the Risk control system as referred to in the elucidation of Article 30 PBI No.5/8/PBI/2003 concerning the Risk Management Implementation for Commercial Banks. Based on the assessment concerned, the Risk profile is produced, which includes the Risk rating for each Risk and the Bank’s Risk profile. The Risk rating for each Risk and the Risk profile are categorized into 5 (five) ratings, which are 1 (Low), 2 (Low to Moderate), 3 (Moderate), 4 (Moderate to High), and 5 (High). The assessment mechanism for the Risk profile and the determination of the Risk rating as well as the Risk profile rating refer to the assessment of the Risk profile as governed in the Bank Indonesia regulation concerning the assessment of Soundness Bank Rating Guideline for Commercial Bank.

GOVERNOR OF BANK INDONESIA, MULIAMAN D. HADAD