Notice No. 4/GBM/2013, of September 18 - Establishes the Risk Management Guidelines, abbreviated as DGR

REPUBLIC GAZETTE OFFICIAL PUBLICATION OF THE REPUBLIC OF MOZAMBIQUE SUMMARY N O T I C E The matter to be published in the «Republika Gazette» must be submitted as a duly authenticated copy, one per subject, containing, in addition to the necessary indications for this purpose, the following endorsement, signed and authenticated: For publication in the «Republika Gazette». NATIONAL PRESS OF MOZAMBIQUE, E.P. Bank of Mozambique: Notice No. 4/GBM/2013: Establishes the Risk Management Guidelines, abbreviated as DGR. Notice No. 5/GBM/2013: Approves the Regulation of the Market Operations System. Notice No. 6/GBM/2013: Approves the Regulation on Operations with Agreements for Repurchase and Resale of Fixed Income Securities. Notice No. 7/GBM/2013: Approves the Regulation of the Interbank Money Market. Notice No. 8/GBM/2013: Approves the Regulation on the Issuance and Trading of Treasury Bills. Notice No. 9/GBM/2013: Appoints José Frederico da Cruz Viola Cabral as President of the Executive Committee of the Deposit Guarantee Fund. Wednesday, September 18, 2013 I SERIES — Number 75 BANK OF MOZAMBIQUE Notice No. 4/GBM/2013 of September 18 Credit institutions, in the development of their activities, assume risks that may cause negative impacts on expected returns. Thus, the existence of a management structure capable of optimizing the relationship between return maximization and risk minimization constitutes an essential prerequisite for the solidity of these institutions. With a view to improving the existing risk management practices in credit institutions, as well as harmonizing their terminology, the Bank of Mozambique has decided to issue a set of guidelines, based on internationally accepted best practices. The issuance of these guidelines is also in line with the Bank of Mozambique's intention to make its supervisory activity, both on-site and off-site, increasingly risk-focused, in response to the growing number of supervised institutions and the constant innovation in financial services provision by these entities. In these terms, the Bank of Mozambique, in the exercise of the competence conferred upon it by paragraph d) of paragraph 2 of Article 37 of Law No. 1/92, of January 3 – Organic Law of the Bank of Mozambique, determines: Article 1 (Object) This Notice establishes the Risk Management Guidelines, abbreviated as DGR, attached to this Notice and forming an integral part thereof: a) Annex I - Risk Management Guidelines; and b) Annex II - Risk Management Guidelines – Information Technology Risk. Article 2 (Scope of Application) This Notice applies to all credit institutions with headquarters in Mozambican territory and to branches in Mozambique of credit institutions with headquarters abroad. Article 3 (Deadline for Submission of Risk Management Programs)

1. Credit institutions must submit their Risk Management Programs (RMPs) to the Bank of Mozambique within thirty days, counted from the date of publication of this Notice, and subsequently, until March 31 of each year.
2. Whenever the RMPs are not in compliance with the DGR or appear misaligned with the nature and complexity of the institution's activity, the Bank of Mozambique shall set a deadline for the appropriate adjustment. Article 4 (Clarification of Doubts) Doubts arising from the interpretation and application of this Notice shall be clarified by the Banking Supervision Department of the Bank of Mozambique.

608 I SERIES — NUMBER 75 Article 5 (Entry into Force) This Notice enters into force on the date of its publication. Bank of Mozambique, in Maputo, May 24, 2013. – The Governor, Ernesto Gouveia Gove.

1. General Provisions 1.1. Objectives 1.1.1. These guidelines aim to contribute to the establishment of a uniform language between credit institutions and the supervisor in matters of risk management, which, in turn, will contribute to the harmonization of risk management practices in the banking industry, with reference to international best practices in this field. 1.2 Risk Categories 1.2.1. These Risk Management Guidelines (DGR) encompass the nine most relevant risk categories in the banking activity in the Country, namely: a) Credit risk; b) Liquidity risk; c) Interest rate risk; d) Exchange rate risk; e) Operational risk; f) Strategic risk; g) Reputational risk; h) Compliance risk; and i) Information Technology (IT) risk1. 1.3 Risk Management Programs 1.3.1. Institutions must develop a detailed Risk Management Program (RMP), adjusted to the size and complexity of their activities. RMPs must be reviewed at least annually, and are expected to cover, at a minimum, the nine risks contained in these guidelines. 1.4 Risk Management Process 1.4.1. Risk management is a fundamental discipline in all institutions and comprises activities that affect their risk profile. Risk management, as commonly understood, does not mean risk minimization; on the contrary, its objective is to optimize the risk-return relationship with which institutions are confronted. This objective can be achieved by institutionalizing a conceptual framework for risk management to capture and appropriately manage all risks to which an institution is exposed. 1.4.2. Risk management involves four (4) key processes: 1.4.2.1. Identification – to properly manage risks, an institution must be able to identify existing or potential risks, both from existing business initiatives and new initiatives, for example, risks inherent to lending activity, which include credit, liquidity, interest rate, and operational risks. Risk identification must be a continuous process and must occur at both the individual and global levels (i.e., in each transaction and in the portfolio as a whole). 1.4.2.2. Measurement – once identified, risks must be measured to determine their impact on the institution's results or capital. This can be done using various techniques, from the simplest to the most sophisticated models. Timely and accurate risk measurement is an essential condition for risk management systems to be effective. An institution that does not have a risk measurement system has limited capacity to control or monitor the levels of risk to which it is exposed. At a minimum, an institution must periodically conduct tests to ensure that the measurement instruments used are reliable. A good risk measurement system evaluates both individual transaction risks and overall portfolio risks. 1.4.2.3. Control – after measuring risk, the institution must establish and communicate risk limits, through policies, standards, and procedures that define responsibilities and lines of authority. These limits must serve as control elements for exposures to the various risks associated with the institution's activities. Institutions may also employ various mitigation tools to minimize their exposure to risks. Furthermore, they must have a process to authorize exceptions or changes to limits, when justified. 1.4.2.4. Monitoring – institutions must establish an effective Management Information System (MIS) to monitor risk levels and facilitate the timely review of risk positions and exceptions. Monitoring reports must be frequent, timely, accurate, and informative, and must be distributed to the persons responsible for ensuring that actions are taken, if necessary. 1.5 Risk Management Conceptual Framework 1.5.1. A risk management conceptual framework comprises the scope of risks to be managed, the processes, systems, and procedures to manage such risks, as well as the duties and responsibilities of individuals involved in their management. The conceptual framework must be comprehensive enough to capture all risks to which an institution is exposed and flexible enough to accommodate any changes in the institution's activities. 1.5.2. The key elements of an effective risk management conceptual framework are: a) Active oversight by the top administrative and management body; b) Appropriate policies, procedures, and limits; c) Adequate measurement, monitoring, and management information systems; and d) Comprehensive internal controls. 1.5.3. Oversight by the Administrative2 and Top Management3 Body: 1.5.3.1. Administrative bodies ultimately bear responsibility for the level of risks assumed in the institution. Consequently, they must approve overall business strategies and policies, including those related to risk taking and management, and must also ensure that top management is fully capable of managing the activities developed by the institution. While all administrative bodies are required to be responsible for understanding the nature 1 Matter treated in a specific document. 2 It is the Board of Directors, Management Board, Directorate Board, or another body with analogous functions, according to paragraph 11 of Article 2 of Notice 8/GBM/2007. 3 They are persons who have authority and responsibility for the planning, direction, and control of activities, directly or indirectly, including any administrator (executive or otherwise).

SEPTEMBER 18, 2013 609 of risks to which the institution is exposed and ensuring that management carries out the necessary diligence to identify, measure, control, and monitor such risks, the level of technical knowledge required from members of the administrative body may vary, depending on the particular circumstances of the institution. 1.5.3.2. Members of the administrative body must have a clear understanding of the risks to which the institution is exposed and must receive reports that identify the size and materiality of these risks. Additionally, they must take actions aimed at providing them with an adequate understanding of risks through meetings with auditors and external experts to the institution. Using this knowledge and information, members of the administrative body must provide clear guidance regarding acceptable exposure levels for the institution and ensure that top management implements the necessary procedures and controls for compliance with adopted policies. 1.5.3.3. Top management is responsible for implementing strategies that limit risks associated with each specific strategy and ensure permanent compliance with laws and regulations, both short-term and long-term. Likewise, management must be fully involved in the institution's activities and possess sufficient knowledge of all main business lines to ensure that appropriate policies, controls, and management systems are implemented and that accountability and lines of authority are clearly delineated. Top management is also responsible for establishing and communicating a strong sense of awareness regarding the need for effective internal controls and high ethical standards. 1.5.3.4. To achieve these objectives, it is necessary that top management has a broad understanding of banking activities and financial markets, as well as detailed knowledge of the activities the institution performs, including the nature of internal controls necessary to limit related risks. 1.5.4. Policies, Procedures, and Limits: 1.5.4.1. Members of the administrative body and top management of an institution must design risk management policies and procedures adjusted to the risks emerging from the activities they develop. Once such risks have been adequately identified, policies and procedures must provide detailed guidelines for the day-to-day implementation of overall business strategies, and must include limits designed to protect the institution from excessive risks, as well as those not taken based on the best criteria. Management must also ensure their updating whenever necessary, in order to respond to significant changes in the institution's activities or business conditions. 1.5.4.2. For an institution's policies, procedures, and limits to be adequate, they must, at a minimum: (i) Ensure identification, measurement, control, and monitoring of risks arising from the institution's activities; (ii) Be consistent with the complexity and size of the business, the objectives, targets, and financial robustness of the institution; (iii) Delineate clear lines of authority and accountability at the level of the institution's activities; and (iv) Facilitate the review of activities that are new in the institution, in order to ensure that the necessary infrastructure to identify, control, and monitor risks associated with a given activity is created before it begins. 1.5.5. Measurement, Monitoring, and Risk Management Information Systems: 1.5.5.1. Effective risk monitoring requires that institutions identify and measure all material risk exposures. Consequently, risk monitoring activities must be supported by information systems that provide top management and members of the administrative body with timely reports on financial situation, operational performance, and risk exposure, as well as regular and sufficiently detailed reports for line managers involved in the daily management of the institution's activities. 1.5.5.2. Institutions must possess risk monitoring and management systems that provide administrators and top management with a clear understanding of risk exposures. 1.5.5.3. To ensure effective risk measurement and monitoring and management information systems, the following must be observed: (i) The institution's risk monitoring practices and reports must reflect all its material risks; (ii) Key assumptions, data sources, and procedures used in risk measurement and monitoring must be appropriate, adequately documented, and their reliability verified on a continuous basis; (iii) Reports and other forms of communication must be consistent with the institution's activities and structured to monitor exposures and compliance with established limits, targets, or objectives, as well as, to the extent necessary, compare current performance with expected performance; and (iv) Reports to the management or administration of the institution must be accurate and timely and contain sufficient information for decision-makers to identify any adverse trends and adequately assess the level of risk assumed by the institution. 1.5.6. Internal Controls: 1.5.6.1. The internal control structure is crucial for the safe and robust functioning of an institution, in general, and for the risk management system, in particular. One of the most important responsibilities of management is to create and maintain an effective control system, including the enforcement of formal lines of authority and appropriate segregation of functions such as trading, custody, and back-office. 1.5.6.2. Indeed, appropriate segregation of functions is an essential element of a solid risk management and internal control system. Failure to implement and maintain an adequate segregation of functions system may lead to substantial losses or otherwise compromise the financial integrity of the institution. 1.5.6.3. When appropriately structured, the internal control system promotes effective operations, reliable financial and prudential reports, safeguards assets, and assists compliance with relevant laws, regulations, and institutional policies. To ensure the adequacy of audit procedures and internal controls, the following must be observed: a) The internal control system must be appropriate to the type and level of risks arising from the nature and scope of the institution's activities; b) Internal controls must be tested by an independent auditor who reports directly to the institution's administrative body or Audit Committee;

610 I SERIES — NUMBER 75 c) Audit or review results, whether conducted by an internal auditor or other personnel, must be adequately documented, as must management's response to these results. d) The institution's organizational structure must establish clear lines of authority and responsibility to monitor adherence to policies, procedures, and limits; e) Reporting lines must ensure the independence of control areas from business lines (such as trading, custody, back-office), thereby ensuring adequate segregation of functions at the institutional level; f) Institutional structures must reflect effective operational practices; g) Financial, operational, and prudential reports must be accurate, reliable, and timely. Where applicable, exceptions must be noted and promptly investigated; h) Adequate procedures must exist to ensure compliance with standards and regulations; i) Internal audit or other internal review functions must ensure independence and objectivity; j) Internal controls and information systems must be adequately tested and reviewed; the scope, procedures, findings, and responses to audit and review test results must be adequately documented; identified material weaknesses must receive appropriate and timely attention at the highest level. Likewise, management's actions to address material weaknesses must be objectively reviewed; and k) The Audit Committee or the institution's administrative body must review the effectiveness of internal audits (and other internal control review activities) on a regular basis. 1.5.7. Risk Management Function: 1.5.7.1. Institutions must establish a functional area responsible for overseeing the management of risks inherent in their operations. This unit may take the form of a committee, department, or risk manager, depending on the size and complexity of the institution. Personnel assigned to the comprehensive risk management function must be independent from those who take or accept risks on behalf of the institution. 1.5.7.2. The risk management function is responsible for ensuring the existence of effective processes for: a) Identifying present and future risks; b) Developing risk measurement and evaluation systems; c) Establishing policies, procedures, practices, and other mechanisms for risk management; d) Developing risk tolerance limits for approval by the administrative body; e) Monitoring taken positions, based on approved tolerance limits; and f) Reporting risk monitoring results to the administrative body and top management. 1.5.7.3. However, risk management is not restricted to individuals assigned to the comprehensive risk management function. Business areas are equally responsible for the risks they assume, and any lack of responsibility can cause problems. Personnel in these areas, more than anyone else, must understand the business risks. 1.5.8. Independent Review: 1.5.8.1. Institutions must have independent reviewers to assess the effectiveness and compliance with risk management policies and procedures. Reviewers may be internal auditors, external auditors, or any other entities independent of risk-taking areas and must report directly to the administrative body or committee designated by it. 1.5.8.2. To be effective, independent reviewers must have sufficient authority, proficiency, and appropriate corporate status to identify and report findings without any impediments. 1.5.8.3. The independent reviewer must, among other aspects, assess whether: a) The risk management system is appropriate for the nature, scope, and complexity of the institution and its activities; b) The administrative body and top management are actively involved in the risk management process; c) Risk management policies, procedures, and controls are adequately documented and strictly observed; d) The assumptions of the risk measurement system are valid and properly documented; e) Data aggregation and processing are accurate, appropriate, and reliable; and f) The institution has adequate personnel to carry out a solid risk management process. 1.5.9. Integration of Risk Management: 1.5.9.1. Risks must be considered and evaluated in an integrated manner, because a transaction underlies multiple risks and because one type of risk can trigger others. Since the interaction of various risks can result in a decrease or increase in the risk profile, the risk management process must recognize and reflect, to the appropriate extent, the interactions of risks in all activities. 1.5.9.2. When assessing and managing risks, management must have a holistic view of the risks to which the institution is exposed. This requires the existence or establishment of a structure that allows capturing the interrelationships existing between different types of risks across the entire institution. 1.5.10. Contingency Plan: 1.5.10.1. Institutions must possess mechanisms to proactively identify stress situations regarding all types of risks and contingency plans4 to deal with these situations in a timely and effective manner. These plans must be reviewed regularly to ensure they cover reasonably probable events that could produce adverse impacts on the institution. 1.5.10.2. Plans must be tested for the plausibility of responses, escalation, and communication channels and their impact on other areas of the institution.

2. Risk Management Guidelines for Credit Risk 2.1. Introduction 2.1.1. Credit risk is the possibility of occurrence of negative impacts on results or capital, due to the inability of a counterparty to fulfill its financial commitments to the institution, including possible restrictions on the transfer of payments from abroad. Credit risk exists, primarily, in credit exposures (including titled), credit lines, guarantees, and derivatives. This risk emerges from the institution's relationship with individuals, companies, financial institutions, and sovereigns

4 Contingency planning activities include, for example, disaster recovery planning, public relations damage control, litigation strategy, responses to regulatory recommendations, liquidity crisis, etc.