2016-11-16

Instruction No. 28/2016 of November 16 on Operational Risk Governance

The National Bank of Angola issued Instruction No. 28/2016 to mandate financial institutions to implement comprehensive operational risk governance frameworks encompassing identification, assessment, monitoring, control, and reporting. The directive requires institutions to adopt objective classification criteria for risk events, utilize diverse assessment tools, align internal pricing and performance metrics with risk appetite, and maintain robust internal controls and compliance monitoring policies. Additionally, it obligates institutions to develop and test business continuity plans, adhere to the "three lines of defense" model, and provide regular internal and external reports detailing risk exposures, losses, capital requirements, and mitigation strategies.


Angola

Banco Nacional de Angola


INSTRUCTION NO. 28/16 of November 16 SUBJECT: Operational Risk Governance

Considering the provisions established in Notice No. 07/2016 of June 22 on Risk Governance, financial institutions must adopt functions, policies, and risk management processes for the identification, assessment, monitoring, control, and reporting of operational risk;

Under these terms, and under the combined provisions of letters d) and f) of Article 21 and letter d) of paragraph 1 of Article 51, both of Law No. 16/10 of July 15 – Law of the National Bank of Angola, and Article 90 of Law No. 12/15 of June 17 – Law of the Bases of Financial Institutions.

I DETERMINE:

1. Definitions

Without prejudice to the definitions established in the Law of the Bases of Financial Institutions, for the purposes of this Instruction, the following shall be understood:

1.1 Risk factor: aspect or characteristic that influences risk. In risk assessment, the characteristics of financial products and markets, borrowers, and processes in force within Institutions are relevant, namely:

1.2 Risk position: exposure relative to an asset, an off-balance sheet item, or a financial derivative instrument, plus profits of any nature not yet received that are reflected accounting-wise as amounts receivable, regardless of whether they are due or overdue, in accordance with the criteria of the Financial Institutions Accounting Plan Manual.

CONTINUATION OF INSTRUCTION NO. 28/2016 Page 2 of 11

2. Identification

2.1 Institutions must understand the relevant aspects of operational risk regarding their business activities, and it is necessary to ensure the classification of operational risk events through a set of objective criteria, duly documented, as established in Annex I, which is an integral part of this Instruction, namely:
a) internal fraud;
b) external fraud;
c) employment practices and workplace safety;
d) clients, products, and commercial practices;
e) damage to physical assets;
f) business disruption and system failures;
g) execution, delivery, and process management.

2.2 Institutions must consider internal and external factors, including macroeconomic and market conditions, which may have a negative, actual, or potential impact on their business activities.

2.3 Institutions must consider the possibility that operational risk sources and concentration are related to the characteristics of activities or organizational structure.

3. Assessment

3.1 Staff responsible for operational risk must be involved in the assessment of operational risk and its concentration, and, where applicable, must involve other internal control functions, with loss history forming part of that assessment.

3.2 Institutions must have operational risk assessment tools available, namely:
a) audit observations;
b) collection and analysis of internal loss data;
c) collection and analysis of external data, namely loss values, dates, recoveries, and information on associated causes;
d) risk assessment, considering the operational risk categories referred to in Annex I, which is an integral part of this Instruction;
e) mapping of business processes to identify procedures, activities, and organizational functions, determining key risk focal points;
f) risk and performance indicators, metrics, and/or statistics, which provide an internal view of risk, particularly information regarding vulnerabilities, failures, and potential losses;
g) scenario analysis on business processes to identify potential operational risk events and assess their potential outcome;
h) comparison of results from various assessment tools to provide a more comprehensive view of the Institution's operational risk profile.


4. General monitoring and control requirements

4.1 For the monitoring and control of operational risk, Institutions must consider relevant risk factors, risk-bearing capacity, risk appetite, financial condition, and strategy.

4.2 Institutions must ensure that internal pricing and performance evaluation methods take operational risk into account, so as to be aligned with risk appetite and risk-bearing capacity.

4.3 Institutions must develop compliance monitoring policies that include, namely:
a) tracking progress of activities taking into account objectives set by the governing body;
b) verification of compliance with management controls;
c) review of the handling and resolution of non-compliance situations;
d) evaluation of approval processes to ensure accountability at an appropriate management level;
e) monitoring of exception and policy deviation reports.

4.4 Monitoring and control processes and procedures must include a system to ensure compliance with the policies mentioned in the previous point.

4.5 Institutions must ensure the functioning and effectiveness of internal controls intended to mitigate operational risk, namely:
a) approval processes;
b) monitoring of adherence to imposed limits;
c) protection of access to Institution information and its use;
d) continuous process for identifying business lines and products where a misalignment between actual and expected returns is verified;
e) verification and reconciliation rules for transactions and accounts;
f) policy ensuring continuity of staff functions during absence periods.

4.6 Without prejudice to the previous point, Institutions must consider risk mitigation mechanisms as complementary to, and not as substitutes for, complete and effective internal control of operational risk, verifying whether they actually reduce risk, transfer it to another sector or business area, or create a new risk.

4.7 Institutions must establish testing mechanisms and robust problem-solving processes for identified issues.

4.8 Institutions must ensure that the "three lines of defense" approach, set out in Annex II, which is an integral part of this Instruction, is operational, and, when requested, explain the actions of the governing body and management staff in pursuing this objective.


5. Monitoring and control - business continuity plans

5.1 Institutions must develop and, if necessary, execute business continuity plans to ensure the capacity to operate on a continuous basis and limit losses in extreme cases and different vulnerability scenarios.

5.2 Institutions must identify critical operations and dependencies, internal and external, as well as their capacity to overcome adverse effects arising therefrom.

5.3 Business continuity plans must contain the following elements:
a) contingency strategies;
b) procedures for recovery and resumption of activities;
c) communication plans to inform staff, regulatory authorities, clients, suppliers, and, when appropriate, civil authorities;
d) recovery priorities.

5.4 Institutions must conduct a disaster recovery and business continuity test, with results reported to management staff and the governing body, so that they can be taken into account in the preparation and adjustment of business continuity plans.

5.5 Institutions must periodically review their business continuity plans to ensure that their contingency strategy remains aligned with operations, risks, and threats, and with the capacity to face adverse effects.


6. Reporting

6.1 Institutions must define, formalize, implement, and periodically review policies and processes for reporting, which must be appropriate to their nature, size, complexity, and risk profile.

6.2 In internal reporting, Institutions must provide the main results of the identification, assessment, monitoring, and control stages of operational risk and its concentration to the governing body and management staff, which must include, at a minimum:
a) summaries of aggregated risk positions of the Institution;
b) compliance with operational risk policies, processes, and limits, as well as situations where limits were exceeded, identifying the reasons and the staff responsible for approval;
c) details of recent internal operational risk events and associated losses;
d) relevant external events and any potential impact on the Institution or its regulatory capital;
e) developments in new products or business initiatives;
f) stress test results;
g) qualitative and, when appropriate, quantitative information on inter- and intra-risk concentrations.


6.3 In external reporting, Institutions must define, formalize, and implement policies and processes to transmit comprehensive information to stakeholders, which must include, at a minimum:
a) qualitative information on:
i. investment strategies and respective processes;
ii. structure and organization of the operational risk management function;
iii. tools used for operational risk identification and assessment;
iv. scope and nature of reporting and risk assessment systems;
v. strategies and processes to monitor the ongoing effectiveness of hedging or mitigation positions;
vi. explanation of the "three lines of defense" approach.
b) quantitative information on:
i. overall gross exposure and average gross exposure during the period in question, breaking down the main types of risk positions;
ii. operational risk events and their respective consequences on the Institution's results;
iii. capital requirement for operational risk, in accordance with the Notice on regulatory capital requirements for operational risk.

6.4 The frequency of reporting must reflect the materiality and nature of operational risk sources, especially regarding their volatility, and be duly set out in the policies and processes provided for in point 8.1 of this paragraph.

6.5 Reports prepared on an ad hoc basis cannot be used as substitutes for regular reporting.


7. Sanctions

Non-compliance with the mandatory standards established in this Instruction constitutes an offense punishable under the Law of the Bases of Financial Institutions.

8. Transitional Provision

Institutions must comply with the provisions of this Instruction in accordance with the transitional provisions of Notice No. 07/2016 of June 22 on Risk Governance.

9. Doubts and Omissions

Doubts and omissions resulting from the interpretation and application of this Instruction are resolved by the National Bank of Angola.

10. Entry into Force

This Instruction enters into force on the date of its publication.

PUBLISH
Luanda, November 16, 2016
THE GOVERNOR
VALTER FILIPE DUARTE DA SILVA


ANNEX I - Operational Risk Categories

Operational Risk Category (Level 1) | Operational Risk Event Categories (Level 2) | Examples (Level 3)
Fraud / Credit Fraud / Deposit Fraud | Robbery / Extortion / Embezzlement | Misappropriation of assets, Malicious destruction of assets, Forgery, Smuggling, Account takeover / Impersonation / etc., Tax evasion, Bribery / Corruption, Insider trading
Hacking damage, Information theft with material losses, General liability
Staff health and safety rules, Staff compensation, Diversity and discrimination | All types of discrimination
Breach of fiduciary duty / violation of guidelines, Suitability / disclosure issues, Retail client disclosure violation, Privacy violation, Aggressive sales practices, Misuse of client accounts, Improper use of confidential information
Lender responsibilities, Product failure | Defects in products
Selection, sponsorship and exposure | Errors in models
Consulting activities | Disputes regarding the execution of consulting activities
Damage to physical assets | Losses resulting from damage or prejudice caused to physical assets by natural disasters or other events
Disasters and other events | Losses associated with natural disasters
Failure to provide mandatory information, Inaccuracy of external reporting, Lack of customer permissions, Lack or incompleteness of legal documents
Service providers and suppliers | Intentional unreported transactions, Unauthorized transactions with material losses, Intentional failure to take positions
Hardware, Software, Telecommunications
Energy disruptions, Antitrust
Improper trading / market practices, Insider trading on behalf of the institution, Unlicensed activity, Money laundering
Communication failures, Data processing, maintenance and upload error, Deadline or responsibility breaches, Model / system failures