2020-06-22

Bank of Ghana Corporate Governance Directive 2018

The Bank of Ghana issued this directive to mandate comprehensive corporate governance standards for licensed banks, savings and loans companies, finance houses, and financial holding companies. It requires clear board oversight, separation of the chair and chief executive officer roles, strict fit-and-proper criteria for key management personnel, and robust risk management with internal controls. Institutions must implement succession planning, regulate related-party transactions on non-preferential terms, and submit annual board certifications detailing compliance and identified deficiencies to the regulator.


Ghana

Bank of Ghana


BANK OF GHANA CORPORATE GOVERNANCE DIRECTIVE 2018 For Banks, Savings and Loans Companies, Finance Houses and Financial Holding Companies DECEMBER 2018

TABLE OF CONTENTS

PART I - PRELIMINARY
  Title
  Application
  Interpretation
  Objectives
PART II— RELEVANT LEGAL REQUIREMENTS
  Disqualification of Directors, Employees and Key Management Personnel
  Intervention of the Bank of Ghana in Appointments
PART III— SOUND CORPORATE GOVERNANCE STANDARDS
  Board’s Overall Responsibility
  Annual Certification
  Business Strategy
  Duty of Care and Loyalty
  Corporate culture and values
  Related Party Transactions
  Plan for Succession
  Key Management Oversight – Board
  Separation of Powers
  Independent Director
  Board Qualifications and Composition
  Board Size and Structure
  Directors’ Appointments and Managing Director/Chief Executive Officer Tenure
  Appointment of Key Management Personnel
  Alternate Director
  Board Chairperson
  Role of Board Secretary
  Board Meetings
  Other Engagements of Directors
  Board Performance Evaluation
  Report on Board Evaluation
  Board Sub-Committees
    Audit Committee
    Risk Committee
    Other Committees
  Conflicts of Interest
  Group Structures
  Senior Management Duties
  Risk Management and Internal Controls
  Risk Management Function
  Chief Risk Officer
  Internal Controls
  Chief Internal Auditor
  Group-wide and Bank-wide Risk Management
  Risk management in Subsidiary Banks
  Internal and External Audit Functions
  Compensation System
  “Know Your Structure”
  Disclosure and Transparency
  Ethics and Professionalism
  Cooling-off Period
PART V – REMEDIAL MEASURES AND SANCTIONS
  Relevant Provisions of the Act 930
PART VI - TRANSITIONAL PROVISIONS
  Tenure of Managing Director/Chief Executive Officer
  Tenure of Board Chair
  Tenure of Non-Executive Director
  Effective Implementation Date
APPENDIX
  Risk Governance Structure

PART I - PRELIMINARY

Title
  1. This Directive may be cited as the Corporate Governance Directive, 2018.

Revocation
  2. This Directive shall supersede the Banking Business - Corporate Governance Directive 2018 issued in March 2018. The Banking Business - Corporate Governance Directive 2018 issued in March 2018 is hereby revoked.

Application
  3. This Directive is issued under the powers conferred by Sections 56 and 92(1) of the Banks & Specialised Deposit Taking Institutions Act, 2016 (Act 930) and shall apply to Banks, Savings and Loans Companies, Finance Houses and Financial Holding Companies licensed or registered under Act 930.

Interpretation
  4. In this Directive, unless the context otherwise requires,

“Act 930” means the Banks & Specialised Deposit-Taking Institutions Act, 2016 (Act 930).

“Alternate Director” means a person appointed by an existing director to act in his absence from the jurisdiction or inability for any other reason to act as a director. Such a person shall have the same powers to attend, speak and vote at meetings as the principal director would have had for a period not exceeding six (6) months.

“Board” means the board of directors of a Regulated Financial Institution.

“Corporate Governance” means the manner in which the business and affairs of a Regulated Financial Institution is governed by its Board and Senior Management, including how its strategy and objectives are set; its risk appetite/tolerance are determined; its day-to-day business is operated; interests of depositors are protected and shareholders obligations are met, taking into account the interests of other recognised stakeholders; and aligning corporate activities and behaviour with the expectation that it will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations.

“Cross Directorship” means a situation where two (2) or more directors of a Regulated Financial Institution serve on the board of another institution.

“Duty of Care” includes the duty of a director to act in utmost good faith towards a Regulated Financial Institution and to act at all times in the best interest of the Regulated Financial Institution so as to preserve its assets, further its business and promote the purposes for which it was formed.

“Duty of Loyalty” includes a director’s duty not to act in his own interest, or the interests of another person(s), so as not to conflict with the interest of the Regulated Financial Institution or the director’s fiduciary duty to the Regulated Financial Institution.

“Executive Director” means a director who has defined management responsibilities in addition to their function as director.

“Independent Director” means a non-executive director who has the ability to exercise objective, independent judgment after fair consideration of all relevant information and views without undue influence from management or from inappropriate external parties or interests. However, a non-executive director who represents the interests of shareholders or has some form of connection with the Regulated Financial Institutions will not be considered as an independent director.

“Key Management Personnel” means the chief executive officer or managing director, deputy chief executive officer, chief operating officer, chief finance officer, Board secretary, treasurer, chief internal auditor, the chief risk officer, the head of compliance, the anti-money laundering reporting officer, the head of internal control functions, the chief legal officer, the manager of a significant business unit of a Regulated Financial Institution.

“Non-Executive Director” means a director other than an executive director, who is not an employee of the Regulated Financial Institution and does not hold any other office in the institution in conjunction with his office as a director.

“Regulated Financial Institution” means a bank, savings and loans company, finance house or financial holding company regulated under Act 930.

“Related Persons” includes a spouse, son, daughter, step son, step daughter, brother, sister, father and mother, cousin, nephew, niece, aunt, uncle, step sister and step brother of a shareholder, director or Key Management Personnel.

“Related Party” in relation to business transactions means a company/entity in which
     a) The Regulated Financial Institution or any of its Directors or Key Management Personnel have equity interest of at least 5%;
     b) A director(s) of the Regulated Financial Institution also serves as a director(s) of the company/entity;
     c) A director or Key Management Personnel of the Regulated Financial Institution has influence in the company/entity.

“Senior Management” means members of the Executive Management Committee (EXCO) of a Regulated Financial Institution and any other Key Management Personnel as may be determined by the Regulated Financial Institution.

“Significant Shareholder” means a shareholder with direct or indirect holdings which represent five percent (5%) or more of the capital or of the voting rights.

“Specialised Deposit-Taking Institution” means a body corporate which engages in deposit taking business and is issued with a licence to engage in the deposit-taking business in accordance with Act 930.

Objectives
  5. The objectives of this directive are —
     a) to require Regulated Financial Institutions to adopt sound corporate governance principles and best practices to enable them undertake their licensed business in a sustainable manner.
     b) to promote the interest of depositors and other stakeholders by enhancing corporate performance and accountability of the Regulated Financial Institutions.
     c) to promote and maintain public trust and confidence in Regulated Financial Institutions by prescribing sound corporate governance standards which are critical to the proper functioning of the banking sector and the economy as a whole.

PART II— RELEVANT LEGAL REQUIREMENTS

Disqualification of Directors, Employees and Key Management Personnel
  6. Section 58 of Act 930 prohibits a person from being appointed or elected or from accepting an appointment or election as a director, Chief Executive Officer or Key Management Personnel of a Regulated Financial Institution if that person
     a) has been adjudged to be of unsound mind or is detained as a person with a mental disorder under any relevant enactment;
     b) has been declared insolvent, has entered into any agreement with another person for payment of that person’s debt and has suspended payment of the debt;
     c) has been convicted of an offence involving fraud, dishonesty or moral turpitude;
     d) has been a director, Key Management Personnel associated with the management of an institution which is being or has been wound up by a court of competent jurisdiction on account of bankruptcy or an offence committed under an enactment;
     e) is a director or Key Management Personnel of another bank, specialised deposit taking institution or financial holding company in the country;
     f) is under the age of eighteen years (18 years);
     g) does not have the prior written approval of the Bank of Ghana; or
     h) has defaulted in the repayment of the financial exposure of that person.

Disclosure of Interest by Directors
  7. Section 59 of Act 930 requires a person, before assuming office as a director or Key Management Personnel of a Regulated Financial Institution, to declare to the Board of that Regulated Financial Institution and the Bank of Ghana;
     a) the professional interests of that person or the office that person holds as manager, director, trustee or by any other designation; and
     b) the investment or business interests of that person in a firm, company or institution as a significant shareholder, director, partner, proprietor or guarantor, with a view to prevent a conflict of interest with the duties or interests of that person as a director, or Key Management Personnel of the Regulated Financial Institution.
     c) A director or Key Management Personnel of a Regulated Financial Institution shall declare to the Board of that Regulated Financial Institution and the Bank of Ghana any material change in business interest or holding of an office when a change in (a) and (b) above occurs.
  8. Section 59 (3) of Act 930 requires a director of a Regulated Financial Institution who has an interest in a
     a) proposed credit facility to be given to a person by the Regulated Financial Institution or
     b) transaction that is proposed to be entered into with any other person
     to declare the nature and the extent of that interest to the Boards whether directly or indirectly and shall not take part in the deliberations and the decision of the Board with respect to that request.

Intervention of the Bank of Ghana in Appointments
  9. Section 60 of Act 930 prescribes, among others, the following:
     a) A Regulated Financial Institution shall seek prior written approval of the Bank of Ghana before it appoints a Chief Executive Officer or a Deputy Chief Executive Officer, each of whom shall be ordinarily resident in the country;
     b) A Regulated Financial Institution shall not appoint a Key Management Personnel without the prior written approval of the Bank of Ghana;
     c) The Bank of Ghana shall not grant approval for a person to be appointed as a Chief Executive or Deputy Chief Executive of a Regulated Financial Institution, if in the opinion of the Bank of Ghana that person is not a “fit and proper person, in accordance with Act 930” to be appointed in that capacity;
     d) Where the Bank of Ghana considers, after hearing representations made by that Regulated Financial Institution, that a director or Key Management Personnel is not a fit and proper person, to act in that capacity, the Bank of Ghana shall direct the removal of such person(s) from the Board within one (1) month from the date of the directive.

PART III— SOUND CORPORATE GOVERNANCE STANDARDS

Board’s Overall Responsibility
  10. The Boards shall have overall responsibility for the Regulated Financial Institution, including approving and overseeing the implementation of the strategic objectives, risk strategy, corporate governance and corporate values. The Board shall be responsible for appointing and providing oversight of Senior Management. These responsibilities should be set out in the formal charter of the Board.
  11. The Board shall ensure that a well-structured and rigorous selection system is in place for the appointment of Key Management Personnel of the Regulated Financial Institution.

Annual Certification
  12. a) Within 90 days after the beginning of each financial year, the Board shall provide a certification in the annual report as to the compliance of the Regulated Financial Institution or otherwise with the contents of this Directive. Additionally, the certification should state that,
         (i) The Board has independently assessed and documented whether the corporate governance process of the Regulated Financial Institution is effective and has successfully achieved its objectives or otherwise.
         (ii) Directors are aware of the responsibilities to the Regulated Financial Institution as persons charged with governance.
      b) The Board shall report any material deficiencies and weaknesses that have been identified in the course of the year, along with action plans and timetables for corrective action by the Board to the Bank of Ghana.
      c) Directors are required to obtain certification from the National Banking College or any other institution recognised by the Bank of Ghana to the effect that they have participated in a corporate governance programme and have completed a programme on directors’ responsibilities.

Business Strategy
  13. a) Pursuant to its overall responsibility, the Board shall approve and monitor the overall business strategy of the Regulated Financial Institution, taking into account long-term financial interest of the Regulated Financial Institution, its exposure to risk, and its ability to manage risk effectively.
      b) The Board shall approve and oversee the formulation and implementation of the following in relation to the Regulated Financial Institution;
         (i) overall risk strategy, including its risk tolerance/appetite;
         (ii) policies for risk, risk management and compliance, including anti-money laundering and combating the financing of terrorism (AML/CFT) risk;
         (iii) internal controls system;
         (iv) corporate governance framework, principles and corporate values including a code of conduct or comparable document; and
         (v) compensation system.

Duty of Care and Loyalty
  14. The members of the Board shall exercise a “duty of care” and a “duty of loyalty” to the Regulated Financial Institution at all times.

Corporate culture and values
  15. The Board shall establish the corporate culture and values of the Regulated Financial Institution that promote and reinforce norms for responsible and ethical behaviour in terms of the Regulated Financial Institution’s risk awareness, risk-taking and risk management.

      To promote sound corporate culture in the Regulated Financial Institution, the Board shall take the lead in establishing the “tone at the top” by;
         (i) Setting and adhering to corporate values for itself, key management and employees that create expectations that business should be conducted in a legal and ethical manner at all times
         (ii) Ensuring that appropriate steps are taken to communicate throughout the Regulated Financial Institution, the corporate values, professional standards it sets together with supporting policies and appropriate sanctions for unacceptable behaviours.

Related Party Transactions
  16. The Board shall ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (e.g., by requiring that such transactions be conducted on non-preferential terms/basis) and applicable legislation and other requirements such as those prescribed under sections 67 to 70 of Act 930 regarding exposure limits for loans to related parties and staff.

Plan for Succession
  17. The Board shall select, subject to approval by the Bank of Ghana where applicable, and replace, where necessary, Key Management Personnel and put in place an appropriate plan for succession. The succession plan shall focus on developing human resources to enable the Regulated Financial Institution to retain a pool of qualified candidates who are ready to compete for key positions and areas when they become vacant to ensure effective continuity of the deposit-taking business.

Key Management Oversight – Board
  18. The Board shall provide oversight of Senior Management as part of the Regulated Financial Institution checks and balances and shall;
      a) monitor and ensure the actions of Senior Management are consistent with the strategy and policies approved by the Board, including the risk tolerance/appetite and risk culture;
      b) meet regularly with Senior Management;
      c) question and review critically explanations and information provided by senior management;
      d) ensure that the knowledge and expertise of senior management remain appropriate given the nature of the business and the Regulated Financial Institution’s risk profile.
      e) Oversee the implementation of appropriate governance framework for the Regulated Financial Institution.
      f) Ensure that appropriate succession plans are in place for senior management positions.
      g) Oversee the design and operation of the Regulated Financial Institution, compensation system, monitor and review the system to ensure that it is aligned with the desired risk culture and risk appetite of the Regulated Financial Institution.
      h) Have the responsibility to approve the overall internal control framework of the Regulated Financial Institution and monitor its effectiveness.

Separation of Powers
  19. There shall be a clear division of responsibilities at the top hierarchy of the Regulated Financial Institution. The positions of the Board Chair and the Managing Director/Chief Executive Officer shall be separate. No one individual shall have unfettered powers of decision in any Regulated Financial Institution and therefore no individual shall combine the two (2) top positions in any Regulated Financial Institution at the same time. The two (2) top positions of Board Chair and Managing Director/Chief Executive Officer in a Regulated Financial Institution shall not simultaneously be occupied by foreigners. One of these positions shall be occupied by a Ghanaian national.

  20. No two (2) Related Persons shall occupy the positions of Board Chair and Managing Director/Chief Executive Officer of a Regulated Financial Institution.

Independent Director
  21. An independent director shall be non-executive and shall not;
      a) have more than five percent (5%) equity interest directly or indirectly in the Regulated Financial Institutions or in its related companies;
      b) be employed in an executive position in the Regulated Financial Institution or its related company at least two (2) years prior to his appointment date;
      c) have relatives employed by the Regulated Financial Institution or any of its related companies as Key Management Personnel in the last two (2) years;
      d) have engaged in any transaction within the last two (2) years with the Regulated Financial Institution on terms that are less favourable to the Regulated Financial Institution than those normally offered to other persons; or
      e) have served as a director in the Regulated Financial Institution continuously for more than two (2) terms unless the director can affirm that his/her independence is not impaired.
      f) be related to persons with significant shareholding in the Regulated Financial Institution or have any business or employment connections to a significant shareholder.
      g) hold cross directorship position(s) with another director(s) on the Board of other institutions
      h) be a director on the Board of an institutional shareholder with significant equity interest in the Regulated Financial Institution.

  22. Independent directors in the case of state-owned banks, are directors appointed by government of Ghana in its capacity as a shareholder who in the reasonable opinion of the Bank of Ghana, are able to exercise independent judgement in relation to their role as directors of the Regulated Financial Institution and who are neither employees of the Regulated Financial Institutions, civil or public servants or other government officials, persons with direct links with government, nor persons who are actively engaged in party politics.

Board Qualifications and Composition
  23. Board members shall be and remain qualified, including through training, for their positions. They shall have a clear understanding of their role in corporate governance and be able to exercise sound and objective judgement about the affairs of the Regulated Financial Institution. They shall possess, individually and collectively, appropriate experience, competencies and personal qualities, including professionalism and integrity.
  24. The competencies of Boards shall be diverse to facilitate effective oversight of Management and shall ideally cover a blend of the following fields: Banking, Law, Finance, Accounting, Economics, Information Technology, Business Administration, financial analysis, Entrepreneurship, Risk Management, Strategic planning and Corporate Governance and other areas that the Bank of Ghana deems fit.
  25. The Board shall collectively have a reasonable knowledge and understanding of local, regional and where appropriate, global economic market forces as well as legal and regulatory environment in which the Regulated Financial Institution and its subsidiaries operate.
  26. Ghanaian nationals, ordinarily resident in Ghana, shall constitute at least thirty percent (30%) of the Board composition of a Regulated Financial Institution.
  27. Independent Directors shall constitute at least 30% (thirty percent) of the composition of the Board of a Regulated Financial Institution.

  28. No Regulated Financial Institution shall have more than two (2) members serving on its Board that are Related Persons.

Board Size and Structure
  29. The Board shall have at least five (5) members including the Chairperson and a maximum of thirteen (13) members, the majority of which must be non-executive and ordinarily resident in Ghana. There shall be an appropriate balance of power and authority on the Board between the executive and non-executive directors such that no one individual or group shall dominate the Board’s decision-making process.
  30. Where a Regulated Financial Institution is a member of a financial holding company, NOT more than two (2) Related Persons shall be allowed to serve on the Boards of the bank and the financial holding company.

Directors’ Appointments and Managing Director/Chief Executive Officer Tenure
  31. The procedure for appointment of directors to the Board shall be formal and transparent and shall conform to the Directive issued by the Bank of Ghana on fit and proper persons.
  32. The tenure of the Managing Director/Chief Executive Officer of a Regulated Financial Institution shall be in accordance with the terms of engagement with the Regulated Financial Institution which shall be subject to a maximum of twelve (12) years. Such tenure may be split into three (3) terms not exceeding four (4) years per term.

Appointment of Key Management Personnel
  33. Every Regulated Financial Institution shall submit to the Bank of Ghana before it appoints a Key Management Personnel, a comprehensive report on the due diligence conducted on proposed nominees as Key Management Personnel. This submission shall be made in conjunction with the requirements under Section 60 of Act 930.
  34. Where a director or Key Management Personnel associated with the management of an institution whose licence has been revoked by the Bank of Ghana is to be appointed by a Regulated Financial Institution, the Bank of Ghana may exercise its discretion on whether to approve such appointment after hearing representations made by the appointee.

Alternate Director
  35. A director may in respect of any period not exceeding six (6) months in which he/she is absent from Ghana or unable for any reason to act as a director, appoint another director or any person approved by a resolution of the Boards, as an alternate director. Such a director shall not be required to hold any share qualification and shall be appointed in accordance with section 188 of the Companies Act, 1963 (Act 179).

Board Chairperson
  36. a) The Chairperson of the Board shall be an independent director and shall be ordinarily resident in Ghana unless it can be demonstrated to the Bank of Ghana that the position can be held effectively by a non-resident who is able to attune the strategic direction of the Regulated Financial Institution with the developments in Ghana. The Chairperson shall provide leadership to the Board and ensure that Board decisions are taken on a sound and well-informed basis. The Chairperson should encourage and promote critical discussion and ensure that dissenting views can be expressed and discussed within the decision-making process.
      b) The Chairperson shall encourage constructive relationship within the Board and between the Board and Management.
      c) To promote checks and balances in the governance structure of Regulated Financial Institutions, the Board chairperson shall not serve as a chair of any of its Board sub-committee.
  37. The Board Chair shall be proposed for re-election within the maximum tenure of two (2) terms consisting of three (3) years per term.

Role of Board Secretary
  38. The Board Secretary shall serve as an interface between the Board and Management and shall support the Chairperson in ensuring the smooth functioning of the Board. The Board Secretary shall advise the Board on matters relating to statutory duties of the directors under the law, disclosure obligations, and company law regulations as well as on matters of corporate governance requirements and effective Board processes. The Board Secretary shall ensure that directors are provided with complete, adequate and timely information prior to Board meetings. The Secretary shall be appointed by the directors for such term and remunerations they may think fit, and may be removed by the Board, but without prejudice to any claim for damages for breach of any contract of service with the Regulated Financial Institution.

Board Meetings
  39. A Regulated Financial Institution shall hold at least four (4) Board meetings per financial year. For convenience Board meetings can also be arranged and conducted via teleconference.
  40. A director has a duty to attend Board meetings regularly and to effectively participate in the conduct of the business of the Board. A Regulated Financial Institution shall have a policy that requires the Board to meet at least once every quarter.
  41. A member of the Board shall attend at least 50% (fifty percent) of the Board meetings of the Regulated Financial Institution in any financial year. This is to ensure that every Board member discharges his or her duties and responsibilities effectively and to qualify for re-election. In the event that a member of the Board does not attend the meetings regularly in a financial year, the Board Chairperson shall recommend the removal of such persons from the Board based on non-performance subject to shareholders approval.
  42. A Director is deemed to have attended a Board meeting if that Director participates in the meeting via teleconference for the entire duration of the meeting.

43. The Board shall disclose in the corporate governance section of its annual report, the total number of Board meetings held in the financial year and the attendance by each director.

44. The Board shall discuss the business affairs of the Regulated Financial Institution through reports as submitted by management in writing. The reports should include among others:

a) a summary of financial statements and performance review against the approved budget, business plan, peers and industry;

b) the extent to which the bank is exposed to various risks such as credit, liquidity, interest rate, foreign exchange, operational and other risks;

c) review of non-performing loans, related party transactions and credit concentration;

d) activities of the Regulated Financial Institution in the financial market and in its “nostro” accounts;

e) effectiveness of internal control systems and human resource issues;

f) outstanding litigations and contingent liabilities;

g) Compliance with Anti-Money Laundering/ Counter Financing of Terrorism (AML/CFT) policies, laws and regulations;

h) List of related party exposures and their classification.

Other Engagements of Directors

45. To ensure that directors give greater time commitment to their oversight function in the Regulated Financial Institution, no director shall

a) hold more than five (5) directorship positions at a time in both financial and non-financial companies (including off-shore engagements) subject to the restriction against concurrent directorships in banks under section 58(1)(e) of Act 930. Directors’ other engagements shall be disclosed in the annual accounts of the Regulated Financial Institution.

Board Performance Evaluation

46. The Board shall carry out regular evaluation or self-assessment of its performance as a whole, including its sub-committees, and of individual Board members in order to review the effectiveness of its own governance practices and procedures including on Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) issues, to determine where improvements may be needed and make any necessary changes.

47. The Board shall in addition to the above, undertake a formal and rigorous evaluation of its performance with external facilitation of the process every two (2) years.

Report on Board Evaluation

48. An in-house performance evaluation of the Board shall be conducted annually and a copy of the results shall be submitted to the Bank of Ghana not later than 30th June of each year.

a) A separate in-house performance evaluation of the Board on AML/CFT issues shall be submitted to the Bank of Ghana and the Financial Intelligence Centre for June and December each year before the end of the quarter following the evaluation period.

b) A statement on the external evaluation of the Board shall be included as a separate section of the annual report of Regulated Financial Institution and a detailed copy of the report submitted to the Bank of Ghana.

Board Sub-Committees

49. The Board shall establish certain specialized Board sub-committees, the number and nature of which depends on the size and complexity of the Regulated Financial Institution and its Board and risk profile.

50. At a minimum, a Regulated Financial Institution shall have two (2) Board sub-committees, namely: an Audit Committee and a Risk Committee both of which shall be chaired by independent directors.

51. Other Board sub-committees may be established on optional basis per size, complexity, business lines and risk profile of the Regulated Financial Institution. Such committee(s) shall be chaired by a non-executive director(s) with the requisite qualification and experience in the specific functions of the committee.

52. The Board Chairperson shall not head or chair any of the Board sub-committees and is only permitted to serve on one (1) Board sub-committee as a member other than the risk and audit sub-committees.

53. The Board shall issue in writing the terms of reference for each sub-committee which shall be contained in a charter which sets out the committee’s mandate, scope and procedures. A copy of the charter shall be submitted to the Bank of Ghana.

Audit Committee

54. The audit committee of the Board shall consist solely of non-executive directors, the majority of which shall be Independent Directors. Members of the committee must be competent in accounting, auditing and finance and the committee shall have oversight of the Regulated Financial Institution’s internal and external audit functions, among others as may be prescribed by the Board. The chairperson of the committee shall be an independent director and shall not be the chair of the Board or any other committee.

Risk Committee

55. The Risk Committee should be responsible for advising the Board on the Regulated Financial Institution’s overall current and future risk tolerance/appetite and strategy of the Regulated Financial Institution for various risks including AML/CFT risk and for overseeing Senior Management’s implementation of the risk strategy. The committee shall be chaired by an experienced independent director who is knowledgeable in risk management, finance, accounting, economics and other business skills. The Bank of Ghana’s minimum requirement for risk governance structure is set out in Appendix 1.

56. Each of the two (2) sub-committees shall have at least thirty percent (30%) of its members being Ghanaians who are ordinarily resident in Ghana.

57. The Chief Risk Officer and the Chief Internal Auditor shall report directly to the MD/CEO and Audit Sub-Committee of the Board respectively.

Other Committees

58. The Board may establish on an optional basis other committee such as the:

a) Remuneration committee to oversee the design and operation of the compensation system, and ensures that compensation is appropriate and consistent with the culture, long-term business interest and risk strategy of the Regulated Financial Institution.

b) Nominations/human resources/governance committee to recommend new members of the Board or Senior Management and to undertake assessment of Board and Senior Management.

c) Ethics/compliance committee to ensure that the Regulated Financial Institution has the appropriate means for promoting proper decision making and compliance with laws, regulations and internal rules.

Conflicts of Interest

59. The Board should have formal written conflicts of interest policy and an objective compliance process for implementing the policy. The policy should at the minimum include:

a) the duty of the director to avoid possible activities that could create conflicts of interest;

b) a review or approval process for directors to follow before they engage in certain activity so as to ensure that such activity will not create a conflict of interest;

c) the duty of the director to disclose in addition to section 59 of the Act, any matter that may result, or has already resulted in a conflict of interest;

d) the responsibility of the director to abstain from voting as prescribed under section 59 of the Act and on any matter where the director may have conflict of interest;

e) adequate procedures for transactions with related parties to be made on a non-preferential basis; and

f) the way in which the Board will deal with any non-compliance with the policy.

60. The Board shall ensure that appropriate public disclosure is made in the annual reports and information relating to the policies of the Regulated Financial Institution on conflict of interest and potential material conflicts of interest as provided to the Bank of Ghana on quarterly basis.

61. The Board shall maintain an up-to-date register for documenting and managing conflict of interest situations in the Regulated Financial Institution.

Group Structures

62. The Board of a financial holding company shall have the ultimate responsibility for the adequate corporate governance across the group. The Board shall ensure that there are governance policies and mechanisms appropriate to the structure, business and risk of the group and its entities.

Senior Management Duties

63. Under the direction of the Board, Senior Management shall:

a) ensure that the regulated activities of the Regulated Financial Institution is consistent with the business strategy, risk tolerance/appetite and policies approved by the Board;

b) establish a management structure that promotes accountability and transparency; and

c) Implement appropriate systems for managing risks – both financial and non-financial - to which the Regulated Financial Institution is exposed.

d) Engage skilled and competent staff and provide training and development opportunities to sustain the delivery of short and long-term business objectives, the risk management framework and protect the reputation of the Regulated Financial Institution.

Risk Management and Internal Controls

64. The Board shall ensure that the Regulated Financial Institution has effective internal controls systems and a risk management function (including Chief Risk Officer or equivalent) with sufficient authority, stature, independence, resources and access to the Board.

Risk Management Function

65. The Board shall establish the risk management function as set out in Appendix 1 which shall be responsible for: identifying key risks to the Regulated Financial Institution; assessing those risks and the Regulated Financial Institution’s exposure to the identified risks; monitoring the risk exposures and determining the corresponding capital needs on an on-going basis; monitoring and assessing decisions to accept particular risks, risk mitigation measures and whether risk decisions are in line with the Board approved risk tolerance/appetite and risk policy; and submitting risk management reports to Senior Management and the Board.

Chief Risk Officer

66. A bank shall have a Chief Risk Officer (CRO) as set out in Appendix who shall be an independent Key Management Personnel (who has no involvement in the operations of the bank) with distinct responsibility for the risk management function and the comprehensive risk management framework of the bank across the entire organization. The independence of the CRO is paramount and the role shall be distinct from other executive functions and business line responsibilities. The CRO shall report to the Chief Executive Officer with an unfettered reporting access to Board and its risk committee. Interaction between the Board and the CRO shall be regular and comprehensively documented.

Internal Controls

67. Internal controls shall be designed to ensure that each key risk has a policy, process or other measure, as well as a control to ensure that such policy, process or other measure is being applied and works as intended. Internal controls shall help provide comfort that financial and management information is reliable, timely and complete and that the Regulated Financial Institution is in compliance with its various obligations, including applicable laws and regulations.

Chief Internal Auditor

68. Every Regulated Financial Institution shall have a Chief Internal Auditor (CIA) as set out in Appendix 1 who shall be an independent Key Management Personnel who has no involvement in the audited activities and business line responsibilities of the Regulated Financial Institution. The CIA shall be competent to examine all areas in which the Regulated Financial Institution operates and shall;

a) have the professional competence to collect and analyze financial information as well as evaluate audit evidence and to communicate with the stakeholders of the internal audit function;

b) possess sufficient knowledge of auditing techniques and methodologies;

c) be a member of a relevant recognized professional body;

The CIA shall report directly to the Board sub-committee on audit or the full Board (depending on size and complexity) and shall have direct access to the Board and its audit committee. Interaction between the Board and the CIA must be regular and comprehensively documented.

Group-wide and Bank-wide Risk Management

69. Risks shall be identified and monitored on an on-going group-wide and bank-wide basis, and the sophistication of the risk management and internal control infrastructure - including, in particular, a sufficiently robust information technology infrastructure shall keep pace with developments such as balance sheet and revenue growth, increasing complexity of the deposit-taking business or operating structure and introduction of new business lines.

Risk management in Subsidiary Banks

70. The Board and Senior Management of parent banks or financial holding companies shall conduct strategic, group-wide risk management and prescribe group risk policies. The Board and Senior Management of subsidiary Regulated Financial Institution shall have appropriate input into the group-wide risk management policies and assessments of local risks. Adequate stress-testing of subsidiary portfolios shall be done based on both the economic and operating environment of the subsidiary and on potential stress of the parent bank or Financial Holding Company. The results of stress tests and other risk management reports shall be communicated to the Board and Senior Management.

Internal and External Audit Functions

71. The Board and Senior Management shall effectively utilize the work conducted by the internal audit functions, external auditors and internal control functions. The Board should recognize and acknowledge that independent, competent and qualified internal and external auditors, as well as other internal control functions, are vital to the corporate governance process and shall engage the auditors to judge the effectiveness of the risk management function and the compliance function.

Compensation System

72. In terms of compensation:

a) The Board shall actively oversee the design and operation of the compensation system. The Board shall monitor and review the compensation system to ensure that it is effectively aligned with prudent risk taking;

b) Levels of remuneration shall be sufficient to attract, retain and motivate executive officers of the bank and this shall be balanced against the interest of the bank in not paying excessive remuneration;

c) Where remuneration is tied to performance, it shall be designed in such a way as to prevent excessive risk taking;

d) A committee of independent directors shall determine the remuneration of executive directors;

e) Executive directors shall not be entitled to sitting allowances and directors’ fees;

f) Non-executive directors’ remuneration shall be limited to directors’ fees, sitting allowances for Board and committee meetings and shall not be performance-related.

g) Where share options are adopted as part of executive remuneration or compensation, it shall be tied to performance and subject to shareholders’ approval at an annual general meeting (AGM).

h) Banks shall disclose in the annual reports, details of shares held by directors and related parties.

“Know Your Structure”

73. The Board and Senior Management shall understand the structure and the organization of the group including the aims of its different units/entities and the formal and informal links and relationships among the entities and with the parent company. This includes understanding the legal and operational risks and constraints of the various types of intra-group exposures and transactions and how they affect funding, capital and risk profile under normal and adverse circumstances of the group.

Disclosure and Transparency

74. A Regulated Financial Institution shall submit a list of its significant shareholders, directors and Key Management personnel as at 31st of December of every year to the Bank of Ghana by 15th January of the following year. The governance of the bank shall also be adequately transparent to its shareholders, depositors, other relevant stakeholders and shall be disclosed in its annual report. The disclosure shall include, but not be limited to, material information on the organizational and governance structures and policies, (in particular the content of any corporate governance code or policy and the process by which it is implemented), major share ownership and voting rights and related parties transactions of the Regulated Financial Institution.

Ethics and Professionalism

75. Regulated Financial Institutions shall establish a code of conduct which shall be made available to all persons to whom it applies. The code shall be reviewed regularly when necessary and shall contain among others:

a) practices necessary to maintain confidence in the integrity of the Regulated Financial Institution;

b) commit the Regulated Financial Institution, its employees, management and Board to the highest standards of professional behaviour, business conduct and sustainable business practices; and

c) establish a policy to govern trading in the shares of the Regulated Financial Institution by directors, Key Management Personnel and employees.

d) Sign off by directors and employees that they understand the Code and sanctions for breaching the policy;

Cooling-off Period

76. Former Bank of Ghana officers, directors or senior executives shall not be eligible for appointment as a director of a Regulated Financial Institution until after a period of two (2) years following the expiration or termination of their contract of employment or service from the Bank of Ghana.

77. A practicing audit professional or partner who is rendering services or had rendered auditing services in the banking industry shall not be appointed as a director of a bank until one (1) year has elapsed since last engagement with any Regulated Financial Institution by that person.

PART V – REMEDIAL MEASURES AND SANCTIONS

Relevant Provisions of the Act 930

78. The following remedial measures and sanctions under Act 930 shall apply in addition to any other corrective measures and specific directives that the Bank of Ghana may require:

a) Under section 58 of Act 930 where a person is disqualified to be elected or appointed as a director, Chief Executive Officer or employee of a Regulated Financial Institution, that person shall immediately cease to hold office and the Regulated Financial Institution shall immediately terminate the appointment of that person, otherwise the Regulated Financial Institution or that person shall be subject to fine or imprisonment as provided for in Act 930;

b) Under section 59 of Act 930, a person who contravenes the required disclosure of interest shall cease to be a director of the bank;

c) Any non-compliance by a Regulated Financial Institution with the requirements under section 60 of Act 930 shall make that Regulated Financial Institution liable to a payment of a fine of One Thousand (1,000) penalty units to the Bank of Ghana;

d) A Regulated Financial Institution which fails to comply with the Bank of Ghana directives is liable to pay to the Bank of Ghana under section 92(8) of Act 930, an administrative fine of not less than two thousand (2,000) penalty units and not more than ten thousand (10,000) penalty units; and

e) Under section 102(3) of Act 930, the Bank of Ghana may, amongst others, suspend or remove from office the Chief Executive of that Regulated Financial Institution or restrict the powers of the Chief Executive, or recommend the removal from any or all of the directors on the Board of the Regulated Financial Institution or restrict their powers if it is satisfied that Regulated Financial Institution has, failed to comply with a provision of the Act or rules or directives issued under Act 930, or if a Regulated Financial Institution has been conducting its affairs in a manner detrimental to the interests of its depositors and creditors, or if a Regulated Financial Institution no longer possesses sufficient net own funds or is unlikely to fulfil its obligations towards its depositors and creditors.

PART VI - TRANSITIONAL PROVISIONS

For the purpose of compliance with this Directive, the following transitional provisions are to be followed:

79. A Regulated Financial Institution in existence before the coming into force of this Directive that does not meet the required standard, shall have a grace period up till 31st March, 2019 to ensure full compliance with the provisions of the Directive in relation to the following:

a) Business strategy;

b) Board qualification and composition;

c) Board size and structure;

d) Directors’ independence;

e) Board Secretary;

f) Separation of powers;

g) Other engagement of directors; and

h) Board sub-committees.

Tenure of Managing Director/Chief Executive Officer

80. a) The term of office of a Managing Director or Chief Executive Officer (MD/CEO) of a Regulated Financial Institution shall not be more than four (4) years and may be renewed for additional two (2) terms only in that Regulated Financial Institution.

b) Despite sub paragraph 80(a), the term of office for a MD/CEO of a Regulated Financial Institution indicated in the contract of employment executed with the Regulated Financial Institution before the coming into force of this Directive may run in full and shall not be renewed where that MD/CEO has cumulatively served for more than twelve (12) years in that Regulated Financial Institution.

c) A renewal or extension of a contract under sub paragraph 80(b) shall be subject to the renewal guidelines under sub paragraph 80(a) and shall not be for any additional term that brings the cumulated years of service of the MD/CEO in that Regulated Financial Institution and in that capacity, to more than twelve (12) years.

d) Where the existing contract of the MD/CEO of a Regulated Financial Institution as of the date of coming into force of this Directive does not stipulate a fixed term of office for the MD/CEO, and the MD/CEO has served for twelve years, or more in that Regulated Financial Institution, the Regulated Financial Institution shall by 31st January 2019 submit to the Bank of Ghana for consideration, a succession plan for the appointment of a new MD/CEO. The appointment of the new MD/CEO must be made by 31st December, 2019.

e) Where the existing MD/CEO does not have a fixed term contract as of the time of coming into force of this Directive and the MD/CEO has served a term less than twelve (12) years cumulatively in that Regulated Financial Institution, the Regulated Financial Institution shall by 31st January, 2019 furnish the Bank of Ghana with a written contract stipulating a fixed term of office for the MD/CEO.

Tenure of Board Chair

81. a) The term of office of a Board Chairperson of a Regulated Financial Institution shall not be more than three (3) years and may be renewed for one (1) additional term only in that Regulated Financial Institution.

b) Despite paragraph 81(a) a Board Chairperson of a Regulated Financial Institution who has been in office for more than six (6) years prior to the coming into force of this Directive shall not be eligible for another term upon the expiration of the current term of his/her appointment in that Regulated Financial Institution.

c) Where the existing appointment of the Board Chairperson of a Regulated Financial Institution as of the date of coming into force of this Directive does not stipulate a fixed term and the Board Chairperson has served for a period of more than six (6) years in that Regulated Financial Institution, the Regulated Financial Institution shall by 31st January, 2019 submit to the Bank of Ghana for consideration, a succession plan for the appointment of a new Board Chairperson. The appointment of the new MD/CEO must be made by 31st December, 2019.

d) Where the existing Board Chairperson does not have a fixed term contract as of the time of coming into force of this Directive and the Board Chairperson has served a term less than six (6) years cumulatively in that Regulated Financial Institution, the Regulated Financial Institution shall by 31st January, 2019 furnish the Bank of Ghana with a written contract stipulating a fixed term of office for the Board Chairperson.

e) Where the existing Board Chairperson of a Regulated Financial Institution is not an independent Director as of the date of coming into force of this directive, the Board shall take steps to appoint an independent Chairperson by 31st December, 2019.

Tenure of Non-Executive Director

82. a) The tenure of office of a non-executive director of a regulated financial institution shall not be more than three (3) years and may be renewed for not more than two (2) additional terms in that Regulated Financial Institution.

b) Despite sub paragraphs 82(a) a non-executive director of a Regulated Financial Institution who prior to the coming into force of this Directive had served in that capacity for nine (9) years or more shall not be eligible for another term upon the expiration of the current term in that Regulated Financial Institution.

c) Where the existing appointment of the non-executive director of a Regulated Financial Institution as of the date of coming into force of this Directive does not stipulate a fixed term, and the non-executive director has served for a period of more than nine (9) years in that Regulated Financial Institution, the Regulated Financial Institution shall by 31st January, 2019 submit to the Bank of Ghana for consideration, a succession plan for the appointment of a new non-executive director. The appointment of the new non-executive director must be made by 31st December, 2019.

d) Where the existing non-executive director does not have a fixed term contract as of the time of coming into force of this Directive and the non-executive director has served a term less than nine (9) years cumulatively in that Regulated Financial Institution, the Regulated Financial Institution shall by 31st January, 2019 furnish the Bank of Ghana with a written contract stipulating a fixed term for the non-executive director.

e) Sections 82(a) to (d) by extension are applicable to Independent Directors of the Regulated Financial Institutions.

Effective Implementation Date

83. The effective date for the implementation of all other sections of the Corporate Governance Directive not mentioned in the transitional provisions is effective 31st March, 2019.

APPENDIX

Risk Governance Structure

The risk management governance structure of an institution shall comprise the following:

a) Board

b) Board Risk Committee;

c) Board Audit Committee;

d) Senior/Executive Management;

e) Chief Risk Officer;

f) Chief Internal Auditor;

g) Compliance Officer; and

h) Operational Management.

i) Company Secretary or Head of Legal (Legal & Reputational risk)

A. Boards’ Oversight Responsibilities

  1. The Board shall show concern for and set the tone for risk management in the institution. The overall responsibility for risk management including that of AML/CFT risk within the institution shall rest with the Boards.
  2. The Board shall approve all significant policies relating to the management of risks including AML/CFT risk throughout the institution, as well as discuss and approve the organizational arrangement for managing and controlling the overall exposure to risks of the institution. The risk management policies shall be consistent with broader business strategies, capital strength, management expertise and the overall willingness to take risk or risk appetite of the institution.
  3. The Board shall regularly re-evaluate its approved policies and procedures with special emphasis on those that define the risk tolerance limits of the institution including AML/CFT for significant activities.
  4. The Boards shall discuss and grade the risks, and set acceptable limits for exposures in the various activity segments after considering the quality of the existing tools for managing and controlling every type of risk in each significant activity of the institution.

  5. The Board shall receive and review reports on risk exposures in respect of:
     a) the nature and level of the exposure as against the approved limit;
     b) controls and mitigation actions for the exposure (s);
     c) deviations, reasons for deviations and action taken;
     d) results of scenario analysis and stress tests and the responses of management to the results; and
     e) any other information that the Board may from time to time determine.
  6. The Board shall ensure that it approves every new activity of the institution (e.g. new products that are significantly different from existing ones, creation of new types of exposure, new markets, etc.) after it has:
     a) considered all the risks involved in the new activity;
     b) checked the mechanisms which the institution will use to measure and control the risks;
     c) set quantitative limits required as a result of the risks inherent in the activity; and
     d) ascertain that the institution has the necessary manpower, sources of finance, and the technological infrastructure to ensure the proper absorption and management of the activity and its consistency with the business strategy of the institution.
  7. The Board shall also conduct and encourage discussions between its members and Senior Management, as well as between Senior Management and others in the institution, in respect of risk management process and risk exposures of the institution.

B. Board Risk Committee

  8. The Board Risk Committee shall be responsible for advising the Board on the overall current and future risk tolerance/appetite of the institution and strategy including on AML/CFT and for overseeing implementation of that strategy by Senior Management. The objective of the Board Risk Committee shall be to provide an independent review and critique of:
     a) the risk management policies and procedures of the Regulated Financial Institution;
     b) the composition of the risk portfolios and concentrations;
     c) the risk-taking decisions of the institution covering all aspects of risk exposures including credit, market, liquidity, operational and country risks; and
     d) perform any other assignments relating to the management of risk in the institution as may be delegated by the Board.
  9. The Board Risk Committee shall be chaired by an experienced independent director who is knowledgeable in risk management, finance, accounting and economics. The members of the Board Risk Committee shall comprise of all categories of directors and shall exclude the Chairman of the Board.
  10. Appointment to the Board Risk Committee shall be for a period of up to three (3) years, which may be extended by not more than two (2) additional years.
  11. The Chairman of the Board Risk Committee shall be appointed by the Board. In the absence of the Risk Committee Chairman and/or an appointed deputy, the remaining members present shall elect one of themselves to chair the meeting.
  12. The Board Risk Committee shall operate under a charter.
  13. The Board Risk Committee shall meet at least quarterly and their meeting shall be attended by the head of finance, chief risk officer, chief internal auditor, head of credit or corporate banking and head of business promotion.

  14. The chairman of the Board, chief executive officer, and heads of departments or their representatives may also be invited to attend all or part of any meeting as and when appropriate.
  15. The Board Risk Committee shall at minimum, on annual basis or more frequently as deemed fit, review, establish and recommend to the Board the risk appetite as well as assess the appropriateness of the corporate plan in the context of the risk appetite of the Regulated Financial Institution.
  16. The Board Risk Committee shall annually or more frequently as deemed appropriate, review and make recommendations on the risk management of the Regulated Financial Institution (i.e. policies, processes, models and limits) to manage and mitigate risk within the approved strategy and risk appetite to the Board for approval.
  17. The Board Risk Committee shall also:
     a) challenge the assessment and measurement of key risks of the institution;
     b) provide advice, oversight and the encouragement necessary to embed and maintain a supportive risk culture throughout the institution;
     c) provide high level oversight and critique of the day-to-day risk management and oversight arrangements of Senior Management;
     d) provide high level oversight and critique of the design and execution of the scenario analysis and stress-testing of the institution;
     e) review the internal capital adequacy assessment and internal liquidity adequacy assessment of the institution;
     f) review the external risk information disclosures including annual report and accounts and quarterly disclosures of the institution; and
     g) provide oversight and critique of due diligence on risk issues relating to material transactions and strategic proposals that are subject to approval by the Board.

18. The Board Risk Committee shall also monitor the risk exposures of the Regulated Financial Institution through the:
a) review of the risk profile of the institution (i.e. performance indicators) against the risk appetite, approved limits and risk trends;
b) review of management report on the nature and extent of risk exposures of the institution;
c) review of key performance indicators on risk, controls and compliance; and
d) review of current risk exposures and future risk strategy, considering the macro-economic environment.
e) Review the litigation portfolio of the institution.

C. Board Audit Committee

19. The Board Audit Committee is responsible for overseeing the financial reporting process including the establishment of accounting policies and practices by the Regulated Financial Institution, providing oversight of the internal and external audit functions, the appointment, compensation and removal of auditors, reviewing and approving the audit scope and frequency, receiving key audit reports and ensuring that Senior Management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations and other problems identified by auditors as well as any other relevant matter referred to the committee by the Board.

D. Senior Management

20. Senior Management shall have the responsibility of transforming the strategic direction set by the Board into policies and procedures and to institute an effective structure to execute those policies. Senior Management is also responsible for oversight of the day-to-day management of risk.

21. Senior Management must ensure that policies relating to risk management are clear and communicated down the line and that these policies are embedded in the culture of the institution.

22. Risk tolerance levels for quantifiable risks shall be communicated as limits to operational management, while those relating to qualitative risk may be communicated as guidelines.

23. Senior Management shall have appropriate committees which shall review among others, reports on market and liquidity risks, credit risk, operational risk, country risk and legal/regulatory risk.

24. Senior Management shall be responsible for ensuring that there are adequate policies and procedures for carrying out the significant activities of the institution on both long-term and day-to-day basis. This responsibility includes ensuring that there are:
a) clear lines of responsibility for managing risk;
b) adequate systems for measuring risk;
c) appropriately planned limits on risk-taking;
d) effective internal controls; and
e) comprehensive risk-reporting process.

25. Senior Management shall regularly evaluate the procedures in place to manage risk to ensure that those procedures are appropriate and sound. Senior management shall also foster and participate in active discussions with the Board and with staff of the risk management functions regarding procedures for measuring and managing risk.

26. Senior Management shall also ensure that the significant activities of the institution are allocated sufficient resources and staff to manage and control inherent risks.

E. Management Committees

27. Senior Management shall have the following committees for the management of the risk exposures of the institution:

a) Credit Committee - The credit committee shall have clearly defined mandate, membership and delegated authority which shall be reviewed at least annually. The responsibilities of the credit committee shall include:
i. exercising credit governance oversight;
ii. recommending credit risk appetite;
iii. establishing credit counterparty and portfolio risk limits;
iv. setting concentration limits relating to industry, market, product, customer segment, and maturity;
v. approving and overseeing credit risk mitigation; and
vi. reviewing and taking action on watch list and non-performing accounts.

b) Assets-Liability Management Committee (ALCO) - The ALCO shall be responsible for managing and overseeing the asset/liability management procedures of the institution.

c) Management Risk Committee - The management (or executive) risk committee shall be responsible for:
i. reviewing amongst others, summaries of market and liquidity, credit, operational, country and regulatory risks; and
ii. reviewing the appropriateness and effectiveness of mitigation actions taken.

d) Business Strategy Committee - The business strategy committee shall have the responsibility to:
i. control implementation of the strategic plan;
ii. initiate timely corrective actions in case of deviation from the plan in order to address the situation;
iii. report detailed progress of implementation of the plans and objectives, including comparison of actual performance against the business plan and budget; and
iv. constantly review internal and external conditions with the view to designing alternative strategies for unusual circumstances and to respond appropriately to unexpected changes in the environment.

e) Executive Management Committee (EXCO) – The EXCO Committee will support the CEO/MD to guide and steer the direction of the institution and to facilitate the flow of information between the Boards and its Senior Management staff.

F. Independent Risk Management Oversight Function (RMOF)

28. An important aspect of the risk management philosophy is the concept of independent oversight review, i.e., those who take or accept risk shall not be the people to measure, monitor, and evaluate the risks and report to management and Board.

29. The RMOF which collectively renders independent oversight reviews comprises risk management oversight, internal audit, compliance and financial analysis.

30. For effectiveness, the risk management oversight reviews shall have sufficient authority, expertise and management status so that their functions and reporting of their findings will be accomplished without any hindrance. The findings of their reviews shall be reported to business units, Senior Management and where appropriate, the Board.

31. To the extent warranted by the size and scope of activities of the institution, risk management oversight shall be done independently of individuals conducting the activities up to the Senior Management level of the institution and shall include an independent system for reporting exposures to both Senior Management and Boards.

32. Where the size of the institution does not support a separate structure to carry out this independent risk management oversight function, Senior Management shall be responsible for the performance of this function.

33. The personnel of the independent risk management oversight functions shall have a thorough understanding of the risks associated with all the significant activities.

G. Chief Risk Officer

34. The independent risk management oversight function shall be headed by a Chief Risk Officer (CRO) who is an independent senior executive with distinct responsibility for the risk management function and the comprehensive risk management framework across the entire organization. The independence of the CRO is paramount and his/her role shall be distinct from other executive functions and business line responsibilities, and there generally shall be no “dual hatting”, i.e., the chief operating officer, chief internal auditor or other Senior Management should not serve as CRO.

35. The Board shall appoint the CRO and the CRO shall report directly to CEO and be assessed by the Board Risk Committee.

36. The CRO shall advise Board and Senior Management on the control and measurement of risks, develop and implement best practices in the management of risks. He may also advise Board and management on issues relating to risk exposures, prior to decision making.

37. The independent risk management oversight function shall:
a) Oversee and direct the enterprise-wide management of risk exposures;
b) Formulate policies and measurement models for the various units involved in carrying out the significant activities that create exposures in the various activity segments in the institution;
c) Make recommendations to the Boards and Senior Management on the type and level of exposures in each activity segment permitted by policy;
d) Advise and recommend to the Boards and Senior Management on all matters relating to risk exposure management;

e) Regulate, monitor, review control procedures and report on matters relating to exposures management and report deviations from set limits and exception to policy to the Board and Senior Management for their appropriate actions;
f) Perform monthly stress-tests on risk portfolios and at least on a quarterly basis, review and approve the appropriateness of the stresses applied at the business levels;
g) Incorporate the results of the stress-tests (which will inform management of the expected risk tendency of the portfolio as against the approved risk appetite of the institution) into the risk governance structure of the institution;
h) Be empowered where appropriate, to initiate management action to contain the potential risk levels within the approved risk appetite to ensure discipline in the risk management process of the institution; and
i) In addition to the monthly stress tests, perform semi-annual reverse stress-testing to examine the impact of selected scenarios from a ‘bottom up’ perspective.

H. Internal Audit

38. A Regulated Financial Institution shall have an internal audit function which shall be headed by a person of the status of a member of the Senior Management of the Regulated Financial Institution appointed and assessed by the Board Audit Committee, and who reports directly to such committee.

39. The Internal Audit shall operate under a charter approved by the Board and in compliance with International Standards for the Professional Practice of Internal Audit.

40. Internal audit shall incorporate in its annual work program an assessment of the overall procedures that the institution follows in the management of its risk exposures.

41. Internal Audit shall examine and review:
a) the extent to which policies of the Boards are carried out;
b) the extent to which Board decisions and instructions regarding the management, estimation and control of risks are implemented;
c) the extent to which the units comply with the limits imposed;
d) the adequacy and reliability of management information, financial and operational reports to the Boards and senior management; and
e) the adequacy of risk management activities at the operational levels and the scope and effectiveness of the independent risk management oversight function in terms of its mandate and their responsibilities.

I. Compliance Function

42. A Regulated Financial Institution shall appoint a Compliance Officer who is competent, experienced, and knowledgeable enough to discharge his/her duties and responsibilities.

43. The Compliance Officer must be of the status of a member of the Senior Management of the institution or directly subordinate to such a member, appointed by the CEO subject to the approval of the Boards or Board audit committee.

44. The Compliance Officer shall be responsible for monitoring and reporting on the adherence or otherwise to various obligations incumbent upon the institution in its business relations with customers.

45. The Compliance Officer shall assist management and the Board in meeting the responsibilities of the institution with regard to:
a) the requirements of the law and other regulatory and ethical demands in respect of customer relations and anti-money laundering;

b) reducing the likelihood of violations of the laws and regulations;
c) reducing the exposure of the institution and its management to claims, including those pertaining to the obligation to exercise caution; and
d) preventing any breach of confidence by office-holders to prevent financial losses to the institution.

J. Operational Management

46. Regulated Financial Institutions shall have in place the following components of sound operational management processes which are fundamental to all significant activities:
a) a comprehensive risk measurement approach;
b) a detailed structure of limits;
c) a set of Guidelines or operating manuals and other parameters to govern risk-taking relating to each activity; and
d) a strong management information system for controlling, monitoring and reporting risks.

47. The risk management activities for each significant activity shall be documented in a work manual and integrated into the overall risk management system of the institution, to enable the institution to manage its risk exposures more effectively, since the various individual risks involved in an activity are often interconnected and transcend specific activities.

48. The management of business units shall by policy have the responsibility of ensuring that the requirements of risk governance standards, policies and procedures are implemented within the business units and independently monitored by the designated risk management teams of the unit.

49. Business units shall have in place a system to self-assess their compliance with the risk standards and policies of the institution at least annually.