2024-01-01

Prudential Standard No. 1-2024/BSD: Risk Management

The Reserve Bank of Zimbabwe issued Prudential Standard No. 1-2024/BSD to establish minimum risk management standards for all licensed banking and non-bank financial institutions. The standard mandates comprehensive governance structures, requiring boards and senior management to implement enterprise-wide risk frameworks, define clear risk appetites, and maintain robust oversight over credit, liquidity, operational, climate, and strategic risks. By aligning domestic practices with international best practices, the revised framework ensures proportional, institution-specific risk architectures that safeguard financial soundness and overall sector stability.

Zimbabwe

Reserve Bank of Zimbabwe

Prudential Standard No. 1-2024/BSD: Risk Management

Reserve Bank of Zimbabwe, Bank Supervision Division

Document No.: 01-2024/BSD
First Issue Date: 2006
First Issue Title: Guideline No. 1-2006/BSD, Risk Management
Version: 2
Revised Version Title: Prudential Standard No. 1-2024/BSD, Risk Management
Date: May 2024

Contents

1. INTRODUCTION
   Scope
   Application
   Objectives
2. RISK MANAGEMENT FRAMEWORK
   2.1 Introduction
   2.2 Role of the Board
   2.3 Risk Committee
   2.4 Senior Management
   2.5 Risk Management Function
   2.6 Risk Culture
   2.7 Key Risk Management Policies
   2.8 Risk Appetite Framework
   2.9 Risk Appetite Statement
   2.10 Risk Limits
   2.11 Risk Management Process
   2.12 Risk Data Aggregation and Risk Concentration
   2.13 Stress Testing
   2.14 Internal Control Environment
   2.15 Policies and Procedures
   2.16 Code of Conduct
   2.17 Board and Senior Management Oversight
   2.18 Delegation of Authority
   2.19 Segregation of Duties
   2.20 Audits
   2.21 Compliance
   2.22 Other Elements of the Control Environment
   2.23 Business Process Controls
   2.24 Management Information Systems
   2.25 New Products/Business Lines/Activities/Product Enhancements
3. CREDIT RISK
   3.1 Introduction
   3.2 Board and Senior Management Oversight
   3.3 Measuring and Monitoring Credit Risk
4. LIQUIDITY RISK
   4.1 Introduction
   4.2 Sources of Liquidity Risk
   4.3 Framework for Managing Liquidity Risk
5. INTEREST RATE RISK
   5.1 Introduction
   5.2 Sources of Interest Rate Risk
   5.3 Sound Interest Rate Risk Management Practices
   5.4 Board Oversight of Interest Rate Risk
   5.5 Risk Management Policies and Procedures
   5.6 Interest Rate Risk Management Process
   5.7 Reporting
   5.8 Internal Controls
6. FOREIGN EXCHANGE RISK
   6.1 Introduction
   6.2 Risk Management Process
   6.3 Board and Senior Management Oversight
   6.4 Policies and Procedures
   6.5 Risk Identification, Measurement and Control
   6.6 Risk Reporting
7. OPERATIONAL RISK
   7.1 Introduction
   7.2 Operational Resilience
   7.3 Operational Risk Management Framework
   7.4 Board and Senior Management Oversight
   7.5 Policies and Procedures
   7.6 Operational Risk Management Process
8. MODEL RISK
9. LEGAL RISK
   9.1 Introduction
   9.2 Organisational Structure
   9.3 Policies and Procedures
10. COMPLIANCE RISK
   10.1 Introduction
   10.2 Compliance Function
   10.3 Board and Management Oversight
   10.4 Policies and Procedures
   10.5 Identification, Measurement and Monitoring of Compliance Risk
   10.6 Management Information System
   10.7 Internal Controls
11. REPUTATIONAL RISK
   11.1 Introduction
   11.2 Board and Management Oversight
   11.3 Policies and Procedures
   11.4 Reputational Risk Identification and Measurement
   11.5 Risk Monitoring and Management Information System
   11.6 Internal Controls
12. MONEY LAUNDERING, TERRORISM FINANCING AND PROLIFERATION FINANCING RISK
13. CLIMATE RISK AND ENVIRONMENTAL RELATED RISKS
14. STRATEGIC RISK
   14.1 Introduction
   14.2 Sources of Strategic Risk
   14.3 Strategic Risk Management Process
   14.4 Risk Mitigation Factors
   14.5 Board and Senior Management
   14.6 Formulation and Implementation of Strategic and Operational Plans
   14.7 Capacity Building
   14.8 Risk Management System
   14.9 Adequate Access to Information
   14.10 Strategic Risk Management Framework
   14.11 Risk Identification and Measurement
   14.12 Risk Monitoring and Reporting
   14.13 Risk Control
REFERENCES

1. INTRODUCTION

1.1 The process of financial intermediation is fraught with risks and rewards that need to be balanced through judicious and prudent risk management.

1.2 Regulated institutions are exposed to a variety of risks, including credit, liquidity, foreign exchange, interest rate, legal, compliance, reputation, operational, strategic and business model risks.

1.3 Developments in the operating landscape, including technological advancement and financial innovation, pandemics, and climate and environmental changes, have amplified some risks and given rise to new ones, including cyber and climate-related risks. These developments have led to the review of the Risk Management Guideline issued in 2006, in recognition that inadequate management of risks exposes regulated institutions to losses, failure to achieve strategic business objectives and, in the worst case, ultimate failure of the institution.

1.4 Against the background of the constantly shifting operating landscape and associated risk universe, regulated institutions need to take responsibility for carefully evaluating all types and levels of risk in their business operations and activities.

1.5 To facilitate a consistent approach to risk management and the adoption of international best practice in a dynamic operating environment, the Reserve Bank has prepared this set of guidelines, which provides minimum requirements for sound risk management practices in regulated banking and non-bank financial institutions licensed and/or supervised by the Reserve Bank of Zimbabwe.

1.6 The guidelines emphasize four key pillars of a sound risk management framework, namely adequate board and senior management oversight, sound risk management policies and procedures, adequate management information systems, strong enterprise-wide risk measurement, monitoring and control capabilities, and adequate internal controls, underpinned by an appropriate risk culture and risk appetite statements.

1.7 While the guidelines are organised by risk type, it is important to note that causal relationships exist between risk types, and that different risk types may manifest concurrently in a given situation. As such, regulated institutions should have an enterprise-wide risk management framework designed to manage the risks in an institution's activities on an aggregate basis.

1.8 In addition, regulated institutions that are part of regulated groups should adequately assess the impact on their financial condition of risks assumed by, or associated with, other entities in the group. Intra-group exposures complicate risk measurement in individual entities.

Scope

1.9 The Risk Management Prudential Standard provides guidance to regulated institutions on minimum standards for risk management. The principles recommended in the Standard, which are based on best practices, are not intended to be exhaustive or to prescribe a uniform set of risk management requirements for all institutions. A financial institution may, depending on the nature, scale and complexity of its activities, establish a more sophisticated framework than outlined in this document, in line with the principle of proportionality.

1.10 Regulated institutions are encouraged to assess their risk profile and operational context and to customize their risk management architecture and approach to attain organizational goals, while meeting the minimum standards set out in this Prudential Standard. The Prudential Standard provides for governance arrangements and risk management systems and controls to manage the major risks: credit, liquidity, foreign exchange, interest rate, legal, compliance, reputation, operational, business model and strategic risks.

Application

1.11 The Risk Management Prudential Standard applies to all regulated banking and non-bank financial institutions licensed and/or supervised by the Reserve Bank of Zimbabwe in terms of the Banking Act [Chapter 24:20] and the Microfinance Act [Chapter 24:30].

Objectives

1.12 The main aim of the Standard is to ensure that regulated institutions put in place the requisite governance, risk management systems and internal controls in respect of the major risks encountered in the financial intermediation process, underpinned by an appropriate risk culture at all levels of the institution. In particular, the Standard seeks to:

a) provide minimum standards for risk management practices and promote the adoption and implementation of sound risk management frameworks by financial institutions;
b) promote a sound risk management culture at all levels in financial institutions; and
c) improve the financial soundness of individual financial institutions and the stability of the overall financial sector.

2. RISK MANAGEMENT FRAMEWORK

2.1 Introduction

2.1.1 An effective risk governance framework plays a critical role in ensuring the sound management of financial institutions. This includes putting in place the requisite risk management systems, as well as guidance for sound, informed decision-making and effective allocation of resources.

2.1.2 Sound risk governance practices require that the board and senior management work together effectively in managing risks, as well as in driving the institution's risk culture and risk appetite in line with the institution's risk capacity.

2.2 Role of the Board

2.2.1 The board of directors of a regulated institution is expected to ensure the existence of a sound risk management culture and environment. The directors are the custodians of good corporate governance, the prerequisite for sound risk management.

2.2.2 The board of directors has overall responsibility for a bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. While the board may delegate some of its functions to board committees where appropriate, it cannot delegate its responsibilities.

2.2.3 The board should ensure that an appropriate organisational structure is put in place to facilitate effective decision-making and good governance.

2.2.4 The board should put in place the requisite board committees to facilitate effective enterprise-wide risk management.

2.2.5 In addition, the board should exercise its duty of care and loyalty to the banking institution under relevant laws and supervisory standards. Broadly, the board's roles include the following:

a) keeping abreast of the activities of the banking institution, closely following material changes in the operating environment, and ensuring that the business strategy, internal resources and capabilities, including business models, operating systems and processes, are appropriately aligned;
b) acting in a timely manner to protect the long-term interests of the bank;
c) superintending the development of the banking institution's business objectives and strategy, approving them and monitoring their implementation;
d) playing a lead role in establishing the bank's corporate and risk culture, values and behaviours, reinforced by performance appraisal methods and remuneration, and emphasizing the importance of the sustainability of the bank and its business;
e) overseeing the implementation of the banking institution's governance framework and its periodic review;
f) ensuring the establishment of a board-approved enterprise-wide risk management framework (ERM) that provides for the identification of key risks through the setting of materiality thresholds (in the context of earnings, funding, capital or other relevant factors);
g) ensuring that the ERM framework is commensurate with the complexity and risk profile of the bank;

4 h) working with senior management in the establishment of the bank’s risk appetite, after considering the competitive and regulatory environment and the bank’s long-term interests, risk exposure and ability to manage risk effectively; i) overseeing the bank’s adherence to the risk appetite statement, risk policy and risk limits; and j) approving and overseeing the implementation of key policies, including the bank’s capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system. 2.2.6 The board should ensure that transactions with related parties are conducted on arm’s length terms, reviewed to assess risk and are subject to appropriate restrictions. 2.2.7 The board and senior management should give special attention to the quality, completeness, and accuracy of the data used to make risk decisions. The risk management function should be designed to report material exceptions to the board and monitor the positions to ensure that they remain within the regulated institution’s framework of limits and controls or within exception approval. 2.3 Risk Committee 2.3.1 Every regulated institution should have a Board Risk Committee chaired by an independent non-executive director, in line with the provisions of the Banking Act [Chapter 24:20]. 
2.3.2 The Risk Committee is responsible for: a) discussing the institution-wide risk management framework, assessing the institution's capital and liquidity planning, and presenting relevant recommendations to the board of directors; b) assessing, at least annually, the institution-wide risk management framework and ensuring that necessary changes are made; c) monitoring the implementation of risk strategies and ensuring that they are in line with the defined risk tolerance and risk limits defined in the institution- wide risk management framework; and d) receiving regular reports from the Chief Risk Officer and other relevant office holders on the respective aspects of the institution-wide risk management framework and compliance with it. 2.4 Senior Management 2.4.1 Senior management is responsible for: a) operational business activities which reflect the business strategy and the targets and resolutions of the board of directors; b) managing day-to-day financial, operational and risk management, including balance sheet structure and liquidity; and c) Developing and maintaining an effective internal process, and an appropriate management information system. 2.4.2 Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in thefinancial institution’s risk analyses. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, regulated institutions are ultimately responsible for the assessment of

5 their risks. 2.5 Risk Management Function 2.5.1 Every regulated institution should establish an effective independent risk management function headed by a Chief Risk Officer (CRO)1 . The CRO should have sufficient stature, independence, resources, and access to the board. 2.5.2 The CRO’s primary responsibilities include: a) overseeing the implementation of the risk management framework across the entire group as applicable. This includes the on-going strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models, and reports as necessary to ensure that the institution’s risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities; b) supporting the board in its engagement with relevant stakeholders and oversight of the development of the regulated institution’s risk appetite statement and translating the risk appetite into risk limits; and c) managing and participating in key decision-making processes (e.g., strategic planning, capital and liquidity planning, new product and service development, compensation design and operation). d) The CRO should be independent from operational management and have duties distinct from other executive functions; e) The CRO should have unfettered access and a functional reporting line to the board or the Board Risk Committee. Interaction between the CRO and the board and/or Board Risk Committee should occur regularly, with or without executive directors being present. The reporting lines must therefore be established to appropriately reflect the importance of the role and accountability of the CRO; f) The CRO should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank’s risk models and analyses. 
This promotes better understanding of risks and exposures and facilitates timely action to address and mitigate risks; and g) To avoid actions beyond the authority of the individual, as well as place reasonable checks on managerial and employee discretion, or even fraud, effective internal controls should be established. Internal reviews should also determine the extent of a bank’s compliance with policies and procedures, as well as with legal and regulatory policies. Adequate escalation procedures area key element of the internal control system. 2.5.3 The risk function oversees risk assumption across the institution and its major activities comprise: a) detecting material individual, aggregate and emerging risks; b) evaluating risks and measuring the bank’s exposure to them; c) developing and implementing the enterprise-wide risk governance framework, which includes the bank’s risk culture, risk appetite and risk limits subject to the review and approval of the board; d) on-going monitoring of the risk taking activities and risk exposures in line with the board approved risk appetite, risk limits and corresponding capital or liquidity needs; e) putting in place an early warning or trigger system in line with the bank’s risk 1 Officer in charge of the risk function.

6 appetite or limits, as well as regulatory requirements; f) influencing and, when necessary, challenging decisions that give rise to material risk; and g) reporting to senior management and the board or risk committee on risk related issues, including but not limited to proposing appropriate risk- mitigating actions. 2.5.4 Risk managers can work closely with business units, as long as the risk management function is sufficiently independent from risk taking activities. 2.5.5 The risk management function should include well-defined organizational responsibilities for risk management that addresses the following “three lines of defence”: a) First line of defence: entailing risk taking by business units, as well as responsibility and accountability for the on-going management of such risks. This includes identifying, assessing, and reporting such exposures, taking into account the regulated institution’s risk appetite and its policies, procedures, and controls. The manner in which the business line executes its responsibilities should reflect the regulated institution’s existing risk culture. The board should promote a strong culture of adhering to limits and managingrisk exposures; b) Second line of defence: whereat risk management and compliance functions are responsible for monitoring the implementation of effective risk management practices by the first line of defence and assisting in defining thetarget risk exposure and reporting adequate risk related information throughout the organization; and c) Third line of defence: consisting of an independent and effective internal audit function responsible for, inter alia, review and objective assurance on the quality and effectiveness of the regulated institution’s internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation, and decision-making processes. 
Internal auditors must be competent and appropriately trained and not be involved in first or second line of defence activities. 2.5.6 The risk management function should be adequately resourced with qualified and experienced staff. 2.5.7 To avoid conflict of interest, individuals who operate at a decision-making level in the regulated institution’s risk management function, should not be placed or place themselves in a position of real or perceived conflict of interest with regards to accounts, or relationships for which they previously held line responsibility or participated in business decision making or the approval process. The regulated institution should establish an appropriate cooling off period within its risk management framework to address the risk. 2.5.8 Risk identification, monitoring and control should encompass all material risks on an on-going enterprise-wide basis. The sophistication of the regulated institution’s risk management and internal control infrastructure should keep pace with changes to the institution’s risk profile, as well as to the external risk landscape and industry practice. 2.6 Risk Culture 2.6.1 Risk culture is a system of shared values and norms that define appropriate

7 attitudes and behaviors for organisational members in relation to the way the organisation assumes and manages risk. In this regard, risk culture is not separateto organisational culture, but reflects the influence of organisational culture on howrisks are managed. 2.6.2 Undesirable behavior and attitudes towards risk-taking and risk management threaten the viability of the regulated institutions. 2.6.3 The common foundational elements that support a sound risk culture include effective risk governance, effective risk appetite frameworks and compensation practices that promote appropriate risk-taking behavior. 2.6.4 As part of its supervisory activities, the Reserve Bank will assess regulated institutions’ culture in managing risk. In assessing the soundness of risk culture, the Reserve Bank shall evaluate a number of factors including the following: a) Tone from the top: the board and senior management should actively promote the dissemination of the regulated institution’s core values and expectations for the risk culture. A key value that should be espoused is the expectation that staff act with integrity and promptly escalate observed non￾compliance within or outside the organisation. The board and senior management should promote, monitor, and assess the risk culture of the regulated institution; consider the impact of culture on safety and soundness;and make changes where necessary. b) Accountability: Employees at all levels should understand the core values of the institution and its approach to risk. They should be capable of performing their prescribed roles and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behavior. c) Effective risk awareness and communication: Risk awareness serves as a foundation of a strong risk culture. Risk awareness entails developing a comprehensive understanding of risks and their potential impact across the operations of the regulated entity. 
Effective risk communication is critical as it ensures that risk-related information flows across departments and hierarchically. A sound risk culture promotes an environment of transparent and open communication which facilitates informed decision making and enables proactive risk mitigation.

d) Incentives: performance and talent management encourage and reinforce maintenance of the regulated institution’s desired risk management behavior. Financial and non-financial incentives support the core values and risk culture at all levels of the institution.

2.6.5 Consideration will also be given to the extent to which a regulated institution is able to define its risk culture, document the material elements that support it and actively assess gaps and areas of concern to be addressed or enhanced. The institution's willingness to sufficiently document the elements supporting its risk culture will form part of the overall supervisory assessment.

2.7 Key Risk Management Policies

2.7.1 The regulated institution should put in place a comprehensive board-approved Enterprise-wide Risk Management Framework, risk policies and appropriate control procedures and processes, designed to ensure that risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the institution’s size, complexity and risk profile.

2.7.2 The risk management policies should outline actions to be taken when risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and notification to the Board. This should be supported by robust management information systems that facilitate timely and reliable reporting of risks, as well as the integration of information across the regulated institution.

2.7.3 The sophistication of the regulated institution’s risk management framework must keep pace with any changes in the institution’s risk profile (including its business growth and complexity) and the external risk environment.

2.8 Risk Appetite Framework

2.8.1 Regulated institutions should develop risk appetite frameworks through processes that require continuous engagement throughout the institution to attain the requisite buy-in.

2.8.2 The risk appetite framework outlines the institution’s risk profile and forms part of the process of development and implementation of the institution’s strategy and determination of the risks undertaken in relation to the institution’s risk capacity. The framework clearly defines the boundaries within which management is expected to operate when pursuing the institution’s business strategy.

2.8.3 The risk appetite framework should be aligned with the business plan, strategy development, capital planning and compensation structures of the financial institution. In order for the risk appetite framework to be effective, it should provide a common framework and comparable measures across the financial institution for senior management and the board to communicate, understand, and assess the types and level of risk that they are willing to accept.

2.8.4 To implement a comprehensive risk appetite framework, a regulated institution should have an appropriate combination of policies, processes, controls, systems, and procedures to accomplish a set of objectives. The risk appetite framework should enable risk capacity, risk appetite, risk limits, and risk profile to be considered for business lines and legal entities as relevant, and within the group context, taking also into account relationships across legal entities. An effective and efficient risk appetite framework should, therefore, be closely linked to the development of information technology and management information systems in financial institutions.

2.8.5 The risk appetite framework should:

a) establish a process for communicating the risk appetite framework across and within the regulated institution;
b) be driven by both top-down board leadership and bottom-up involvement of management at all levels, and be embedded and understood across the financial institution;
c) facilitate embedding risk appetite into the financial institution’s risk culture;
d) evaluate opportunities for appropriate risk taking and act as a defence against excessive risk-taking;
e) allow for the risk appetite statement to be used as a tool to promote robust discussions on risk and as a basis upon which the board and assurance functions can effectively and credibly debate and challenge management recommendations and decisions;
f) be adaptable to changing business and market conditions; and
g) cover activities, operations and systems of the financial institution that fall within its risk landscape but are outside its direct control, including subsidiaries and third-party outsourcing suppliers.

2.9 Risk Appetite Statement

2.9.1 A regulated institution should put in place a board-approved risk appetite statement that is easy to communicate and for all stakeholders to understand.

2.9.2 A sound risk appetite statement should:

a) be directly linked to the regulated institution’s strategy, address the institution’s material risks under both normal and stressed market and macroeconomic conditions, and set clear boundaries and expectations by establishing quantitative limits and qualitative statements;
b) outline quantitative measures of loss or negative outcomes that can be aggregated and disaggregated;
c) include key background information and assumptions that informed the regulated institution’s strategic and business plans;
d) be linked to the institution’s short and long-term strategic, capital, and financial plans, as well as compensation programs;
e) establish the amount of risk the regulated institution is prepared to accept in pursuit of its strategic objectives and business plan;
f) determine, for each material risk and overall, the maximum level of risk that the financial institution is willing to operate within, based on its overall risk appetite, risk capacity, and risk profile;
g) include quantitative measures that can be translated into risk limits applicable to business lines and legal entities as relevant, and at group level, which in turn can be aggregated and disaggregated to enable measurement of the risk profile against risk appetite and risk capacity;
h) include qualitative statements that clearly articulate the motivations for taking on or avoiding certain types of risk;
i) ensure that the strategy and risk limits of each business line and legal entity align with the institution-wide risk appetite statement as appropriate; and
j) be forward looking and, where applicable, subject to scenario and stress testing for the regulated institution to understand the types of events that might push it outside its risk appetite and/or risk capacity.

2.10 Risk Limits

2.10.1 It is critical for regulated institutions to have risk limits in place. With regard to risk appetite, risk limits are the allocation of the regulated institution’s aggregate risk appetite statement to business line, legal entity levels, specific risk categories, concentrations, and as appropriate, other levels. Risk limits should be specific and sensitive to the shape of actual portfolios, measurable, frequency based, reportable, and based on forward looking assumptions.

2.10.2 Measurable risk limits can prevent a regulated institution from unknowingly exceeding its risk capacity as market conditions change and be an effective defence against excessive risk-taking.

2.10.3 Risk limits should:

a) be set at a level to constrain risk-taking within risk appetite;
b) be established for business lines and legal entities as relevant and generally expressed relative to earnings, capital, liquidity or other relevant measures;
c) include material risk concentrations at the institution or group-wide, business line and legal entity levels as relevant;
d) while referenced to market best practices and benchmarks, not be strictly based on comparison to peers or default to regulatory limits;
e) not be overly complicated, ambiguous, or subjective; and
f) be monitored, with breaches reported to the Risk Committee regularly.

2.11 Risk Management Process

2.11.1 Regardless of a regulated institution’s risk profile, each risk management process should include the following:

a) Risk identification: the operating business environment, whether macro or micro, has associated risks for a regulated institution. Risk identification should be a continuing process and risk should be understood at both the macro and micro environment levels.
b) Risk measurement: once risks are identified within a particular activity, the next step is to measure the significance of the risks. The risks should be viewed in terms of three dimensions: size, duration, and probability of adverse occurrences. Accurate and timely measurement of risk is essential to effective risk management systems.
c) Risk control: once the risk has been identified and measured for significance, there are basically three ways to control significant risks, or at least minimise their adverse consequences: avoiding or placing limits on certain activities/risks, insurance, and/or offsetting risks. It is a primary management function to balance expected rewards against risks and the expenses associated with controlling risks. Regulated institutions should establish and communicate risk limits through policies, standards and procedures that define responsibility and authority.
d) Risk monitoring: regulated institutions need to establish a well-coordinated framework that facilitates effective monitoring of risks on an enterprise-wide basis.
e) Risk communication and escalation: risk communication ensures that relevant stakeholders are well-informed about potential hazards and uncertainties. Risk escalation serves to bring critical issues to the attention of decision-makers, enabling transparency, effective decision-making, and proactive risk handling.
f) Due regard should be given to the management of model risk, which invariably extends beyond balance-sheet items to fee-generating services, such as origination, cash management, asset management, securities underwriting, and client advisory services.

2.11.2 The risk management process should incorporate risk mitigation factors that may include altering business strategies, reducing limits or increasing capital buffers in line with the desired risk profile.

2.11.3 Banking institutions should have a strong control environment that utilises policies, processes, and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

2.11.4 Internal controls should be designed to provide reasonable assurance that a banking institution will have efficient and effective operations; safeguard its assets; produce reliable financial reports; and comply with applicable laws and regulations. A sound internal control program consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities.

2.11.5 As part of its quantitative and qualitative analysis, the financial institution should utilise stress tests and scenario analysis to better understand potential risk exposures under a variety of adverse circumstances.

2.11.6 Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The regulated institution should regularly compare actual performance against risk estimates (i.e. back-testing) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments.

2.11.7 The regulated institution should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity.

2.11.8 The regulated institution should also have review and approval processes for outsourcing its functions. The risk management function should provide input on risks as part of such processes and on the outsourcer’s ability to manage risks and comply with legal and regulatory obligations.
2.12 Risk Data Aggregation and Risk Concentration

2.12.1 Problems experienced in the global financial system in the past revealed that many regulated institutions’ agility was significantly compromised by their inability to quickly and accurately aggregate risk exposures and identify risk concentrations fully.

2.12.2 Regulated institutions should ensure that their risk management processes are designed in a manner that enables effective risk data aggregation. They should develop forward-looking reporting capabilities to provide early warnings of any potential breaches of risk limits. Risk data aggregation facilitates the determination of an integrated risk profile to enable the regulated institution to measure its performance against its risk tolerance/appetite, and therefore reduce the probability and severity of losses resulting from risk management weaknesses.

2.12.3 Risk concentration refers to any single exposure or group of similar exposures (e.g. to the same borrower or counterparty, including protection providers, geographic area, industry or other risk factors) with the potential to produce:

a) losses large enough (relative to a regulated institution’s earnings, capital, total assets or overall risk level) to threaten the regulated institution’s creditworthiness or ability to maintain its core operations; or
b) a material change in a regulated institution’s risk profile.

2.12.4 Regulated institutions should analyse risk concentrations on both a solo and a consolidated basis, taking cognisance that an unmanaged concentration at a subsidiary entity may appear immaterial at the consolidated level but may threaten the viability of the standalone subsidiary institution.

2.12.5 A regulated institution should aggregate all similar direct and indirect exposures regardless of where the exposures have been booked.

2.12.6 A regulated institution’s risk data aggregation capabilities and risk reporting practices should be:

a) fully documented and subject to high standards of validation. The primary purpose of the independent validation is to ensure that a bank's risk data aggregation and reporting processes are functioning as intended and are appropriate for the bank's risk profile. Independent validation activities should be aligned and integrated with the other independent review activities within the regulated institution's risk management program and encompass all components of the institution's risk data aggregation and reporting processes;
b) considered as part of any new initiatives, including acquisitions and/or divestitures, new product development, as well as broader process and IT change initiatives;
c) unaffected by the regulated institution’s group structure. The group structure should not hinder risk data aggregation capabilities at a consolidated level or at any relevant level within the organisation;
d) inclusive of all material risk exposures, including those that are off-balance sheet; and
e) flexible and adaptable to meet ad hoc data requests as needed, and forward-looking to assess emerging risks. Adaptability will enable a regulated institution to conduct better risk management, including forecasting information, as well as to support stress testing and scenario analyses.

2.13 Stress Testing

2.13.1 Stress testing is a critical element of risk management which alerts management about the potential impact on capital and liquidity of unexpected adverse outcomes related to a variety of risks.

2.13.2 Regulated institutions should, therefore, develop stress testing frameworks with clear objectives, which are documented and approved by the Board. An effective governance structure should be in place for stress testing, which should be well-documented with responsibilities and accountability clearly stated.
2.13.3 Regulated institutions’ stress testing frameworks should identify and assess all material and relevant risks and parameters, including on and off-balance sheet exposures, earnings vulnerabilities, operational risks, and other factors affecting a bank's solvency or liquidity position.

2.13.4 The stress test models and methodologies should be designed to fit the intended use of the test, ensuring adequate coverage and segmentation of data and risk types. Stress tests should be supported by accurate and sufficiently granular data and by robust IT systems. The scenarios used in stress tests should be comprehensive, plausible and severe enough to test a regulated institution’s resilience to shocks, and they should cover a wide range of events, including macroeconomic downturns, market shocks, and systemic risks.

2.13.5 Stress testing results should be utilised in line with the stress testing objectives and internal policies to inform regulated institutions’ strategic decisions. In this regard, the stress test results should be reported to the board and senior management on a regular basis, at relevant levels of aggregation, and should be given appropriate consideration by relevant business lines and individuals within the regulated institution.

2.13.6 Regulated institutions should have contingency plans and predefined actions in place to address vulnerabilities identified through stress tests. These can include capital raising, risk reduction, changes to risk management practices, and liquidity strategies.

2.13.7 Regulated institutions should put in place robust validation processes that ensure stress test models, assumptions, scenarios, data, and results are reliable, accurate and consistent with best practice. This includes independent review of the key components of the stress testing process, back-testing, and quality assurance of data, models, methodologies, and assumptions used in the stress tests.

Reverse Stress Testing

2.13.8 Regulated institutions are expected to conduct reverse stress testing, which is a risk management technique used to identify scenarios that could lead to an institution’s financial distress or failure beyond normal business considerations. It challenges assumptions and ensures better capital planning and risk management arrangements.

2.13.9 Unlike traditional stress testing, which assesses an institution’s resilience to adverse conditions, reverse stress testing starts with the outcome of failure and works backward to determine which events could trigger it. This approach helps regulated institutions to identify vulnerabilities, enhance preparedness and regulatory compliance, and aid in strategic planning. If the probability of scenarios is unacceptably high, risk managers must devise realistic measures to mitigate or avoid the risk of failure.

2.14 Internal Control Environment

2.14.1 A system of effective internal controls is a critical component of a regulated institution’s risk management framework.
2.14.2 Internal controls are the policies, procedures, limits and processes established by the board and senior management to provide reasonable assurance on the safety, effectiveness and efficiency of the institution’s operations, the reliability of financial and managerial reporting, and compliance with regulatory requirements.

2.14.3 An effective internal control system is a fundamental mechanism for reducing the scope of risks faced by regulated institutions.

2.14.4 Below are the key elements of a sound internal control environment.

2.15 Policies and Procedures

2.15.1 Every regulated institution should have comprehensive and sound policies, approved by the Board, for prudent management of significant risks arising from its business activities. The approved policies should be consistent with the nature, complexity, and scale of the institution’s activities. The institution should have a clear delineation of roles, responsibilities, and accountability for the implementation of consistent policies across the institution.

2.15.2 The bank should establish appropriate procedures and processes to implement its policies. These should be documented in procedure manuals. The manuals should be periodically reviewed to ensure that they reflect current practices. There should also be adequate systems to monitor compliance with established policies and procedures. Deviations from such policies and procedures should be independently investigated, reported, and addressed by the relevant parties.

2.16 Code of Conduct

2.16.1 A regulated institution should always conduct its activities with prudence and integrity. In this regard, the institution should establish a code of conduct that is commensurate with its structure and complexity of operations.

2.16.2 The code of conduct should state the ethical values of the institution and prescribe guidelines for employees to observe when discharging their duties. The code should cover areas such as acceptance of gifts and entertainment, conflicts of interest, safeguarding confidentiality of information, and disclosure of and restrictions on personal investments.

2.16.3 In addition to general guidelines, a regulated institution should prescribe specific guidelines for operations in functional areas such as treasury and accounting.

2.16.4 An institution should ensure that all personnel understand and adhere to the code of conduct. The code should come under the purview of a senior staff member or an appropriate unit. Employees should be required to acknowledge in writing that they have read, understood, and shall observe the code. Disciplinary action should be taken against those who breach the requirements.

2.16.5 The board or senior management should periodically review the code of conduct to incorporate changes in the internal and external environment.

2.17 Board and Senior Management Oversight

2.17.1 The board of directors has the ultimate responsibility for ensuring that an adequate and effective system of internal controls is established and maintained.
2.17.2 In this regard, the board’s mandate in relation to internal controls should include:

a) ensuring that senior management has developed and implemented a properly structured internal control system;
b) periodic discussions with management concerning the effectiveness of the internal control system;
c) timely reviews of evaluations of internal controls performed by management, internal auditors, and external auditors;
d) periodic checks to ensure that management has promptly followed up on recommendations and concerns expressed by auditors and supervisory authorities on internal control weaknesses; and
e) periodic reviews of the appropriateness of the bank’s strategy and risk limits.

2.17.3 On the other hand, senior management should implement the strategies and policies approved by the board and develop processes that adequately identify, measure, monitor and control risks faced by the bank.

2.17.4 Further, management should maintain an organisational structure that clearly assigns responsibility, authority and reporting relationships and ensure that delegated responsibilities are effectively carried out.

2.18 Delegation of Authority

2.18.1 Institutions should clearly define the responsibilities and levels of authority required in relation to various types of activities and exposures for accountability purposes. Approval limits assigned to personnel should be commensurate with their seniority and responsibilities.

2.18.2 The delegation of authority needs to be clearly documented and should specify, among others, the specific authority being delegated, the authority of recipients to further delegate authority, and restrictions placed on the exercise of delegated authority.

2.19 Segregation of Duties

2.19.1 Regulated institutions should ensure adequate segregation of duties to mitigate the risk of unauthorised transactions or fraudulent activities. Senior management is responsible for ensuring that staff are not assigned incompatible duties which may compromise the effectiveness of internal controls.

2.19.2 Regulated institutions should conduct periodic reviews of the responsibilities of key personnel to minimise areas of potential conflict of interest and ensure independent checks are in place.

2.20 Audits

2.20.1 Every regulated institution should be subject to an independent audit by external auditors at least annually.

2.20.2 Internal auditors should audit the risk management process and internal controls periodically and scale the audit frequency according to the level of risk.

2.20.3 Results of audits and reviews by internal auditors or other persons, and management responses or comments, should be adequately documented.

2.21 Compliance

2.21.1 Regulated institutions should take a proactive view of their compliance function by appointing senior personnel, or an appropriate unit, to oversee compliance issues. Compliance officers should be equipped with the necessary skills and expertise, the level of which should be commensurate with the complexity of the institution’s products and activities.

2.21.2 Anomalies detected, or instances of staff’s failure to address compliance issues in a responsible manner, should be promptly escalated to senior management for action.
2.22 Other Elements of the Control Environment

2.22.1 Succession planning processes that are integrated with strategic plans should be developed to ensure business continuity.

2.22.2 Personnel policies requiring staff in key areas to take mandatory block leave each year, to facilitate timely detection of unauthorised transactions and other irregularities, should be developed and approved by the board.

2.22.3 A regulated institution should have adequate procedures for centralising, recording, investigating, and monitoring complaints from customers which could be symptomatic of inadequate controls or non-compliance with existing procedures.

2.22.4 Regulated institutions should ensure that reward/compensation policies are appropriate and sufficient to attract and retain competent and experienced risk management personnel and that they do not inadvertently provide incentives for inappropriate activities.

2.22.5 Personnel should be provided with relevant and adequate training at regular intervals to equip them with knowledge of new products and of new laws, rules and regulations or amendments to them, as well as to enhance their efficiency and effectiveness.

2.23 Business Process Controls

Legal Documentation

2.23.1 Institutions should have written agreements with counterparties, where appropriate and in line with market practice, specifying the duties and responsibilities of each party. For the institution’s own protection, it should have clear guidelines and policies to ensure that the counterparty has the legal and necessary regulatory authority to enter into a transaction, prior to engaging in the transaction.

2.23.2 The regulated institution should evaluate the terms of any contract or agreement governing transactions to ensure that they are legally sound and enforceable in all relevant jurisdictions, and in the event of insolvency proceedings against the counterparty.

2.23.3 Legal protection also needs to be addressed in such documents, for instance, by ensuring that adequate remedies are available to parties and by determining the allocation of risk arising from external events.

2.24 Management Information Systems

2.24.1 Regulated institutions should have adequate management information systems (MIS) to facilitate effective risk management and control of all aspects of their operations. The sophistication of the MIS should be consistent with the complexity and diversity of the institution’s operations. Institutions should consider key elements such as timeliness, accuracy, consistency, completeness, and relevance when developing their MIS.
2.24.2 The MIS should also be sufficiently flexible to cope with various contingencies and have the capability to monitor compliance with the institution’s established policies, procedures, and limits.

2.24.3 As timely and accurate reports are critical elements of an effective MIS, institutions should, as far as possible, reduce the amount of manual intervention required to prepare management reports and take steps to minimise inaccuracies in reports. Relevant levels of management should receive reports with adequate information to facilitate effective oversight of the institution’s activities.

2.25 New Products/Business Lines/Activities/Product Enhancements

2.25.1 An institution should have a new product policy to ensure that the risks inherent in new business lines or activities are properly assessed. Proposals on new as well as enhanced products, business lines or activities should be accompanied, where appropriate, by a product document that includes:

a) an analysis of legal and regulatory requirements;
b) a description of the relevant financial product and markets, and the underlying objectives of the transactions (e.g. customer service, risk management or trading);
c) an analysis of the risks that may arise from these activities, and details of any risk management procedures and systems established for identifying, measuring, monitoring, and controlling risks;
d) an evaluation of the impact of the proposed activities on the institution’s overall financial condition and capital level, where applicable;
e) a description of the relevant accounting procedures; and
f) a recommendation on the appropriate structure and staffing for trading as well as for the key risk control functions.

2.25.2 The new product policy should contain a definition of the term “new product” and provide for the proper review and authorisation of variations to existing products. The policy may require such variations to be approved by the Board or senior management. The policy should be updated when market conditions warrant it, when major assumptions have been changed, or when there are regulatory changes.

2.25.3 As new products and enhanced products frequently require different pricing, processing, accounting and risk measurement systems, an institution should ensure that it has the necessary resources to support these activities. The new product approval process should include a sign-off by all relevant authorised personnel in areas such as risk control, operations, audit, accounting, legal and compliance, and by senior management.

2.25.4 Depending on the nature and complexity of a new or enhanced product, a post-implementation review of the product should also be conducted at an appropriate period after its introduction, accompanied by proper documentation of the issues raised. Such a review would enable all the parties concerned to discuss the issues encountered during implementation and ensure that no risk remains unidentified.

3. CREDIT RISK

3.1 Introduction

3.1.1 This section provides guidance on sound practices in credit risk management. It also articulates broad principles that should be embedded in a risk management framework covering strategy, governance structure, policy, as well as credit control processes for origination, monitoring and administration of credit transactions and the portfolio.

3.1.2 Credit risk is the risk that a borrower or counterparty will fail to meet obligations in accordance with agreed terms, resulting in a negative effect on the profitability and capital of the bank. Credit risk could stem from both on-balance sheet and off-balance sheet activities.

3.1.3 An institution is exposed to credit risk from diverse financial products and instruments such as loans, acceptances, inter-bank transactions, trade financing, foreign exchange transactions, financial derivatives, and other off-balance sheet activities. Credit risk emanates from a regulated institution’s dealings with households, small or medium-sized enterprises (SMEs), corporate clients, other banks and financial institutions, or a sovereign. Thus, sources of credit risk exist throughout the activities of a bank, both in the regulated book as well as in the trading book.

3.1.4 Credit risk often does not occur in isolation. An institution should adopt a holistic approach to assessing credit risk and ensure that credit risk management is part of an integrated approach to the management of all financial risks. Every bank should have comprehensive credit risk management systems commensurate with its type, scope, sophistication, and scale of operations. These systems should enable the bank to identify, quantify, monitor, and control credit risk and ensure that adequate capital resources are available to cover the risk assumed.
3.1.5 The effective management of credit risk is a critical component of a comprehensive approach to risk management underpinned by effective board and senior management oversight, well-defined policies and procedures, strong management information systems and adequate internal control systems.

3.2 Board and Senior Management Oversight

Board of Directors

3.2.1 The board of directors is ultimately responsible for providing overall strategic direction to the bank through approving and reviewing the credit risk strategy and credit risk policies.

3.2.2 A credit risk strategy should clearly set the acceptable risk appetite and tolerance of the institution. The credit risk strategy should adequately cover all the activities of the bank in which credit exposure is a significant risk. It should encompass the need to maintain sound credit quality, profits and business growth and allow for economic cycles and their effects on the credit portfolio during different stages of an economic cycle.

3.2.3 The board should ensure that the credit risk strategy has a credit risk appetite statement which defines the acceptable levels of exposure to the various economic sectors, currencies, and maturities. It should also include: a) the target markets, diversification, and concentration of the credit portfolio. The board should also ensure that: b) the credit risk strategy and policies are reviewed, approved, and effectively communicated throughout the institution; c) the financial results of the institution are periodically reviewed to determine if changes need to be made to the credit risk strategy; d) senior management is fully capable of managing the credit activities conducted by the bank and that such activities are done within the risk strategy, policies and procedures approved by the board; e) there is an internal audit function capable of assessing compliance with the credit policies and management of the entire credit portfolio; f) the delegation of authority and approval levels are clearly defined; g) exposures to insiders and other related parties are reviewed periodically, including the policies related thereto; and h) management provides periodic reports on insider loans, provisioning and write-offs on credit loan losses, and audit findings on the credit granting and monitoring processes.

Senior Management

3.2.4 The responsibility of senior management is to implement the strategic directions set by the board in the form of policies and procedures. Senior management has to ensure that the policies are embedded in the culture of the regulated institution. Senior management is responsible for implementing the regulated institution’s credit strategy and ensuring that procedures are put in place to effectively manage and control credit risk.
3.2.5 Senior management should ensure that: a) the credit granting activities conform to the laid-down procedures; b) written policies and procedures are developed and implemented, and the responsibilities of the various functions are clearly defined; c) the credit policies are communicated throughout the institution, implemented, monitored, and reviewed periodically to address any changes; d) compliance with internal exposure limits, prudential limits and regulatory requirements is enforced; e) appropriate reporting systems are developed and implemented with respect to the content, format and frequency of information concerning the credit portfolio; f) internal audit reviews of the credit risk management system and credit portfolio are undertaken regularly; and g) adequate research is undertaken for any new products or activities to ensure that risks are appropriately identified and managed. These products must receive prior board approval.

Risk Management Structure

3.2.6 A regulated institution should adopt a risk management structure that is commensurate with the size, complexity, and nature of its activities. The credit governance structure should facilitate effective management oversight and execution of credit risk management and control processes.

3.2.7 A credit risk management committee should be established to oversee the credit risk management framework. The framework should cover areas such as recommendation of the business and credit risk strategy and policy to the board, review of the credit portfolio and profile, delegation of credit approving authority within board-approved limits, and evaluation of the credit processes. This committee should comprise senior management from the business lines and control functions.

3.2.8 An institution should establish risk management and control functions independent of the credit originating function. Such functions include policy formulation, limit setting, exposure and exception monitoring and reporting, custody and monitoring of documentation, and input of credit limits. Staff performing sensitive functions such as custody of key documents, funds transfer and limit inputs should report to managers who are independent of business origination and the credit approving process.

3.2.9 There should be adequate measures to address potential conflicts of interest where individuals performing the loan origination function are also involved in credit reviews and analysis. While there may be separate departments responsible for credit origination and credit risk control, the credit origination department should also be mindful of credit risk in its pursuit of business opportunities.

Policies, Procedures and Limits

3.2.10 Every regulated institution should have a comprehensive credit policy, which is updated at least annually and approved by the board of directors.

3.2.11 The credit policy should incorporate a well-crafted risk appetite statement, which is approved by the board. The credit risk appetite statement should quantify the maximum expected loss the regulated institution is willing to endure across all credit products, including off-balance sheet items such as letters of credit and guarantees. It may be expressed through both quantitative and qualitative perspectives, should be stated in relation to the potential impact on profitability, capital, and liquidity, and should be consistent with the regulated institution’s strategic and business objectives.

3.2.12 The credit policy should include concentration limits and limits on lending to related parties. The exposure limits covered under the policies should include the following: a) acceptable exposure to individual borrowers; b) maximum exposure to connected parties and insider dealings; c) the overall limit on the credit portfolio in relation to capital, assets or liabilities; d) maximum exposure to individual economic sectors (e.g. commercial, consumer, real estate, agricultural); and e) acceptable limits on specific products.

3.2.13 Credit limits should be reviewed on a periodic basis to take into account changes in the counterparty’s credit strength and environmental conditions. All requests to increase credit limits should be adequately considered and substantiated.

3.2.14 The regulated institution should consider the results of stress tests in its overall limit setting and monitoring.

3.2.15 The credit policy should also provide sufficient guidance on product pricing based upon a clearly articulated methodology. Cognizance should also be taken of facility structuring, to ensure that tenure is aligned to the borrower’s business cycle.

3.2.16 Credit policies should set out the conditions and guidelines for the granting, maintenance, monitoring, and management of credit, at both the individual transaction and portfolio levels. Such policies should be documented and well-defined, consistent with prudent practices and regulatory requirements, and should be adequate for the nature and complexity of the institution’s activities.

3.2.17 The board should be the approving authority for changes and exceptions to set policies, while senior management should implement operational processes and procedures to implement the credit policies.

Credit Granting

3.2.18 Every regulated institution should have a clearly established process for approving credit facilities. This includes reviewing, renewing, and refinancing of existing credit facilities.

3.2.19 At a minimum, the policy should document the following: a) roles and responsibilities of business units and staff involved in the granting, administration, and monitoring of credit facilities; b) delegation of credit approval authority to various levels of management and staff, including authority to approve deviations and exceptions; c) credit risk acceptance criteria; d) acceptable types of collateral and security documents; e) perfection of security interests in both movable and immovable assets; f) credit reference searches before granting loans to customers; g) general terms and conditions of the facility structure, such as pricing, tenure and limit; h) standards for credit review and monitoring; and i) guidelines on management of concentration risk and stress testing.

3.2.20 Credit approvals should be made in accordance with the bank’s written guidelines and granted by the appropriate level of management. There should be an audit trail documenting the approval process and identifying the individuals and committees providing input and making the credit decision.

3.2.21 Credit analysis requires that management has a clear understanding of the borrower or counterparty and obtains adequate information to enable a comprehensive assessment of the risk profile of the customer. This will include the purpose of the loan, repayment sources, financial statements, and the integrity and reputation of the borrower or counterparty. Banking institutions should make use of the credit registry as part of their credit origination processes. The credit policies should articulate the principle of Know Your Customer even for existing clients.

3.2.22 Lending authority delegated to staff should have documented board approval, with clearly established limits. It is important to include the functions and reporting procedures of the various committees and individual lending officers.

3.2.23 In addition, banks should establish checks and balances that ensure all credit facilities are granted at arm’s length in all respects. This also applies to the extension of credit to related parties, including directors, senior management, and shareholders of the bank.

Credit Products

3.2.24 Every regulated institution should maintain adequate documentation relating to the various types of loan products and credit instruments it offers.

3.2.25 Prior approval for all new products should be obtained from the board, as well as clearance from independent control functions such as audit and risk management. All material risks arising from new products should be assessed before introduction to customers. Relevant policies should stipulate the credit risk analysis procedures and the administration of these credit instruments.

Credit Risk Mitigation

3.2.26 In controlling credit risk, a regulated institution can use a variety of mitigating techniques, which include collateral, guarantees and netting off loans against deposits of the same counterparty. While the use of these techniques will reduce or transfer credit risk, other risks may arise, including legal, operational, liquidity and market risks. A bank should, therefore, have comprehensive procedures and processes to control these risks and have them well documented in its policies.

3.2.27 Security held by a regulated institution to mitigate credit risk should satisfy the following conditions: a) there must be legal certainty: all documentation used for collateralised lending must be binding on all parties and legally enforceable; b) the legal environment must provide for the right of liquidation or right of possession in a timely manner in the event of default; c) the necessary steps must be taken for obtaining and maintaining enforceable security; for example, registration, right of set-off or transfer of title must meet all the legal requirements; d) procedures for timely liquidation of collateral should be in place; e) on-going valuations of the collateral should be undertaken to confirm that it remains realisable and adequate for the assumed risk; and f) guidance on the various acceptable forms of collateral should be documented.
3.2.28 Banks may utilise the Collateral Registry System to verify the existence and ownership of collateral assets pledged by borrowers. The Collateral Registry System will also help ensure that the collateral meets legal requirements and is eligible for use in securing loans. In line with best practice, the institution’s decision to lend should be based on the borrower’s capacity to repay and not on the adequacy of collateral.

Management of Problem Credits

3.2.29 A regulated institution’s credit policy should establish the procedures for dealing with problem credit facilities. Early recognition of weaknesses in the credit portfolio is important and allows for effective determination of loan loss potential.

3.2.30 An institution must have clearly articulated and documented policies in respect of past due credit facilities and should at a minimum have approval levels and reporting requirements in respect of granting extensions, deferrals, renewals, and additional credit facilities to existing accounts.

3.2.31 The policy should define a follow-up procedure for all loans and identify the reports to be submitted both to management and to the board of directors.

3.2.32 Appropriate remedial measures should be taken without delay, including requiring additional or increased guarantees. Rescheduling may be appropriate in certain instances. This involves changing the tenure of loans, repayment schedules, and interest rates, and is generally to be agreed when the loan is performing but the borrower’s needs have changed. Where restructuring has been used as a remedial action, it must follow a specific approval process that includes a justification for how it will improve repayment prospects.

3.2.33 Restructuring includes all aspects of rescheduling and consideration of the relationship in a completely new dimension, requiring additional documents and a fresh credit assessment. Classification of rescheduled/renegotiated facilities should comply with the appropriate provisions of the Banking Regulations, SI 205 of 2000.

Provisioning Policy

3.2.34 The credit policy must clearly outline the provisioning procedures for all credit facilities and the capital charge to be held. This should comply, at a minimum, with the International Financial Reporting Standards and regulatory and statutory requirements.

3.2.35 The credit policy should provide for adequate provisions in line with the relevant International Financial Reporting Standards and prudential regulations.

3.2.36 Regulated institutions are expected to consider a wide range of forward-looking information, including macroeconomic factors, when applying provisioning models. Information considered should be relevant to the assessment and measurement of credit risk for the particular lending exposure being assessed and should include information about past events, current conditions and forecasts of future economic conditions.
3.2.37 Banking institutions are expected to leverage and integrate the common processes used within a bank to determine the credit terms to be granted, to monitor credit risk, and to provide adequately for bad and doubtful debts.

3.2.38 Further, regulated institutions’ accounting policies should contain provisioning methodologies that include criteria for restructurings/modifications of lending exposures, and the treatment of purchased or originated credit-impaired lending exposures as defined under the applicable accounting framework.

3.3 Measuring and Monitoring Credit Risk

Measuring Credit Risk

3.3.1 Every regulated institution should have procedures for measuring its overall exposure to credit risk, including exposure to related parties, products, customers, market segments and industries, so that appropriate risk management decisions can be made.

3.3.2 A bank must have comprehensive internal systems and models that effectively measure credit risk.

3.3.3 An institution should have robust management information systems capable of providing timely, accurate and detailed reports to the board and senior management.

3.3.4 Credit risk measurement tools and techniques should take into account the nature of the credit, maturity, exposure profile, existence of collateral or guarantees, potential for default and environmental circumstances.

3.3.5 Credit risk measurement approaches should also be underpinned by appropriate financial reporting standards.

Monitoring Credit Risk

3.3.6 Every regulated institution should have an internal risk rating system that comprises methods, processes, controls, data collection and IT systems that support the quantification of default and loss estimates. The institution should have a methodology to adequately classify credit risk at institution, portfolio, and borrower level, using both quantitative and qualitative criteria.

3.3.7 Monitoring of credit risk should be performed without influence from the risk-taking units[2]. An effective monitoring system should ensure that the bank: a) understands the current financial condition of the borrower; b) monitors compliance with the existing terms and conditions; c) assesses collateral in relation to the borrower’s current condition; and d) identifies non-performing accounts and enforces proper classification and loan loss provisioning.

3.3.8 The institution should undertake a detailed credit portfolio review which covers the following: a) loans to borrowers with aggregate exposure larger than 10 percent of the institution’s capital; b) loans to shareholders and connected parties; c) loans for which interest or repayment terms have been rescheduled or otherwise altered since the granting of the loan; d) loans for which payment of interest and/or principal is more than 30, 60, 90 and 180 days past due, including those for which interest has been capitalised or rolled over; and e) loans classified as substandard, doubtful or loss.

3.3.9 The frequency of credit portfolio reviews should reflect the level of credit risk.
3.3.10 The specific objective of these reviews is to assess the likelihood that the credit will be repaid and that the classification of the loan is adequate. When the amount exceeds 10% of a bank’s capital, the analysis should also consider the borrower’s business plans for the future and the potential consequences for debt service capacity and principal repayment.

3.3.11 Credit risk information should be provided to the board and management with sufficient frequency and currency, and should be reliable, with appropriate disaggregation.

3.3.12 Reports should be generated on the on-balance sheet and off-balance sheet credit activities. The reports should show credit exposures: a) by business line such as commercial, industrial sector, real estate, construction, credit cards, mortgage and leasing; b) relating to the composition of on and off-balance sheet credit facilities by major types of counterparties, including government, foreign corporate, domestic corporate, consumer and other financial institutions; c) in relation to significant individual borrowers or counterparties, related borrowers, or groups of borrowers; d) by major asset category, showing impaired and past due amounts relating to each category; and e) restructured during a certain period, and credits for which special conditions have been granted.

[2] Front line business units involved in the direct assumption of risk in the bank.

Credit Administration

3.3.13 Every regulated institution should have a system for the on-going administration of its various portfolios containing credit risks.

3.3.14 Management should set up a credit administration team to ensure that credit portfolios are properly maintained and administered. This will include record keeping, preparation of the terms and conditions, as well as perfection and safe custody of the securities. Credit files should at a minimum contain the following information: a) credit application; b) evidence of approval; c) latest financial information; d) record and date of all credit reviews; e) record of all guarantees and securities; f) record of terms and conditions of the facility; g) evidence of the securities validation function, which should include legal validity, existence, valuation, registration of charge and safekeeping; and h) internal rating.

3.3.15 Regulated institutions should develop controls to ensure compliance with the applicable laws and regulations and internal policy. Adequate segregation of duties between the approval and administration processes should be maintained.

Stress Testing

3.3.16 A regulated institution should stress test its credit portfolio. This involves identification of possible events or future changes that could have a negative impact on the institution’s credit portfolio and the bank’s ability to withstand the changes.
3.3.17 Regulated institutions should subject their credit portfolios to changes relating to: a) economic or industry developments; b) market risk events; and c) liquidity conditions.

Internal Controls and Audit

3.3.18 Regulated institutions should have an independent internal system for assessment of the credit risk management process in order to assist the board to determine the effectiveness of the risk management process.

3.3.19 A review of the lending process should include analysis of the credit manuals and other written guidelines applied by the various departments of a bank, and the capacity and actual performance of all departments involved in the credit function. It should also cover origination, appraisal, approval, disbursement, monitoring, collection, and handling procedures for the various credit functions provided by the institution.

3.3.20 Internal audit reviews should assess compliance with the institution’s credit policies and procedures. This will require confirming the following: a) the credit granting function is carried out effectively; b) credit exposures are within the prudential and internal limits set by the board of directors; c) validation of significant changes in the risk management process; d) verification of the consistency, timeliness and reliability of data used for the internal risk rating system; e) adherence to the internal risk rating system; f) identification of areas of weakness in the credit risk management process; and g) treatment of exceptions to the policies, procedures, and limits.

3.3.21 Internal audit reviews should be conducted periodically and ideally not less than once a year. The audits should also identify weaknesses in the credit risk management process and any deficiencies in the policies and procedures.

3.3.22 Regulated institutions should establish internal control practices which ensure that deviations from policies, procedures, limits, and prudential guidelines are promptly reported to the appropriate level of management.

4. LIQUIDITY RISK

4.1 Introduction

4.1.1 Liquidity risk is the risk of financial loss to an institution arising from its inability to fund increases in assets and/or meet obligations as they fall due without incurring unacceptable costs or losses.

4.1.2 Liquidity risk is inherent in regulated institutions’ activities. Regulated institutions’ balance sheets are such that long-term assets (loans and advances) are funded by short-term liabilities such as demand and time deposits. Inadequate liquidity risk management can have a negative impact on earnings and capital and, in a worst-case scenario, cause the collapse of an otherwise solvent institution.

4.1.3 The importance of liquidity transcends the individual regulated institution, since a liquidity shortfall at a single institution can have system-wide repercussions. The analysis of liquidity requires management not only to measure the liquidity position of the regulated institution on an ongoing basis but also to examine how funding requirements are likely to evolve under various scenarios, including adverse conditions.

4.1.4 The formality and sophistication of a regulated institution’s liquidity risk management processes should reflect the nature, size, and complexity of the institution’s activities. Institutions should have a thorough understanding of the factors that could give rise to liquidity risk and put in place mitigating controls.

4.1.5 Liquidity risk and the other inherent risks faced by regulated institutions, such as credit, market, interest rate, operational, reputation and strategic risk, are not mutually exclusive and should not be considered in isolation. In fact, liquidity risk often arises as a consequence of these other risks. Any real or perceived problems associated with a regulated institution in relation to these risks may prevent the bank from accessing funds at a reasonable cost and thus increase its liquidity risk.
4.1.6 A regulated institution should understand how its exposures to other risks may affect liquidity and put in place mitigating controls.

4.1.7 Liquidity risk can be classified into four categories: a) term liquidity risk (due to mismatch of maturities); b) withdrawal/call risk (due to disinvestment before maturity); c) structural liquidity risk (when the necessary funding transactions cannot be carried out, or can only be carried out at less favourable terms); and d) market liquidity risk (arising from characteristics of the market).

4.2 Sources of Liquidity Risk

4.2.1 Liquidity risk arises from both sides of the balance sheet, as well as from off-balance sheet transactions.

4.2.2 Managing liquidity risk involves understanding the characteristics and risks of different sources of liquidity, determining the appropriate funding strategies (including the mix of funding sources) to meet liquidity needs, and deploying the strategies in a cost-effective manner.

Asset liquidity

4.2.3 The asset portfolio of a regulated institution provides liquidity through the maturity of an asset, the sale of an asset, and the use of an asset as collateral for borrowing or repurchase agreements (repos).

4.2.4 A regulated institution should maintain a portfolio of liquid assets (e.g. money market placements and marketable securities) to supplement its funding sources.

4.2.5 A regulated institution is exposed to liquidity risk where inflows from the realisation of assets (either upon maturity or at the time of sale) are less than anticipated because of default risk or price volatility.

4.2.6 In addition, significant concentrations within the asset portfolio (e.g. in relation to the distribution of exposures by counterparty, instrument type, geographical location, or economic sector) increase the level of liquidity risk.

4.2.7 In managing asset liquidity, a regulated institution should establish a clear strategy for holding liquid assets, develop procedures for assessing the value, marketability, and liquidity of the asset holdings under different market conditions, and determine the appropriate volume and mix of such holdings to avoid potential concentrations.

4.2.8 In order to minimise the scope for regulatory arbitrage, specific regulatory approval will be required for switching instruments between the trading book and the banking book following initial recognition.

Liability liquidity

4.2.9 Every regulated institution should employ liability funding strategies which are appropriate to the nature and scale of the regulated institution’s activities, including the proper mix of liabilities to avoid potential concentrations.

4.2.10 In managing liability liquidity, a regulated institution should be able to distinguish the behaviour and characteristics of different funding sources and monitor their trends separately.

4.2.11 Every regulated institution should pay particular attention to the impact of changing market conditions on its funding structure.
Off-balance sheet items

4.2.12 Off-balance sheet items, depending on the nature of the transactions, can either supply or use liquidity. Examples include standby or committed facilities given by other financial institutions and loan commitments given by regulated institutions to their customers.

4.2.13 Regulated institutions should ensure that they have the ability to assess how their involvement in off-balance sheet activities would affect cash flows and liquidity risk.

4.3 Framework for Managing Liquidity Risk

4.3.1 A regulated institution should have a robust liquidity risk management framework that ensures it maintains sufficient liquidity, including a cushion of unencumbered, high-quality liquid assets, to withstand a range of stress events, including those involving the loss or impairment of both unsecured and secured funding sources.

4.3.2 A regulated institution should adopt best practices and standards on liquidity management on an on-going basis, in line with changes in technology, product innovation, and funding dynamics, which create new challenges for liquidity management.

4.3.3 The framework for managing liquidity risk is anchored on effective board and senior management oversight, an appropriate organisational structure, formulation of a liquidity strategy, adequate policies and procedures, effective internal controls and independent reviews, as well as a sound process for identifying, measuring, monitoring, and controlling liquidity risk.

4.3.4 The liquidity strategy should set out the financial institution’s general approach to liquidity management, including various quantitative and qualitative targets.

4.3.5 The strategy should be communicated throughout the regulated institution, and all relevant business units should operate under the approved policies, procedures, and limits.

4.4 Board and Senior Management Oversight

4.4.1 Effective board of directors and senior management oversight is a critical element of a bank’s liquidity risk management process. Sound liquidity risk management requires an informed board, capable management, and appropriate staffing.

Board Oversight

4.4.2 The board of directors has ultimate responsibility for liquidity risk management and should establish the level of tolerance for liquidity risk. The level of tolerance depends on the bank’s business strategy and funding capabilities in the context of developments in the operating landscape.
4.4.3 The board of directors’ responsibilities in relation to liquidity risk management should include: a) approving significant policies that govern or influence the bank’s liquidity risk; b) establishing an appropriate structure for the management of liquidity risk and identifying lines of authority and responsibility for managing liquidity risk exposures; c) approving reviews of the liquidity risk management strategy and policies; d) monitoring the institution’s overall current and prospective liquidity risk profile on a regular basis; e) taking steps to ensure that liquidity risk is adequately identified, measured, monitored, and controlled; and f) reviewing the adequacy of the contingency plans of the regulated institution.

Senior Management Oversight

4.4.4 A regulated institution should have an appropriate senior management structure to oversee the day-to-day and long-term management of liquidity risk in line with the board-approved strategy, policies, and procedures.

4.4.5 The responsibility for managing the overall liquidity of the bank should be placed with a specific, identified group within the bank. This might be in the form of an Asset/Liability Committee comprising senior management from key functional areas.

4.4.6 The management structure should ensure that the liquidity strategy approved by the board can be effectively implemented.

4.4.7 Senior management should ensure that there is effective coordination between treasury and other functional areas.

4.4.8 Among other responsibilities, senior management should: a) establish a schedule of liquidity reviews with appropriate frequency and depth; b) translate the board’s approved strategy, objectives, and risk tolerances into operational standards; c) implement management information systems that facilitate effective liquidity management through adequate identification, measurement, monitoring, and control of liquidity risk; d) institute effective internal controls over the liquidity risk management process; and e) promptly communicate any material changes in the regulated institution’s current or prospective liquidity position to the board of directors.

Asset and Liability Management Committee (ALCO)

4.4.9 An Asset and Liability Management Committee (ALCO), comprising senior management from each functional area of the institution that assumes and/or manages liquidity risk, should be responsible for managing the overall liquidity of a banking institution.

4.4.10 ALCO meetings should be held at least monthly.

4.4.11 The effective management of assets and liabilities should, at a minimum, incorporate the following activities: a) reviewing previous results; b) assessing the current balance sheet position; c) projecting exogenous factors such as the economic outlook and the performance of counterparties; d) developing asset and liability strategies; e) simulating the strategies; f) determining the most appropriate strategy; g) setting measurable targets; h) communicating the targets to appropriate managers and staff; and i) monitoring actions regularly and reviewing performance.

Liquidity Strategy, Policies, Procedures and Limits

4.4.12 Every regulated institution should have a documented liquidity strategy, policies, procedures, and limits approved by the board of directors.
Strategy

4.4.13 The liquidity strategy should set out the general approach to liquidity management (including goals and objectives) and specific aspects of liquidity risk management, such as: a) the composition of assets and liabilities; b) the approach to managing liquidity in different currencies; c) managing access to interbank and other wholesale markets; d) the diversification and stability of liabilities; and e) the management of intra-group liquidity.

4.4.14 The strategy should also define the regulated institution’s approach to meeting potential funding needs in the short and long term, and its risk tolerance levels.

4.4.15 The liquidity strategy must be evaluated periodically to ensure that it remains relevant and effective.

Policies

4.4.16 Every regulated institution should have its own set of liquidity policies, even where, as in regional and international regulated groups, liquidity is managed on a consolidated global basis at head office level. Managing liquidity risk on a consolidated basis does not absolve the senior management of each affiliate entity from the responsibility for ensuring the safety and soundness of that institution and its compliance with local regulatory requirements.

4.4.17 While specific details vary across institutions according to the nature of their business, the key elements of any liquidity policy include: a) management’s responsibilities - an outline of the responsibilities of the liquidity risk management functions, including structural balance sheet management, pricing, marketing, contingency planning, management reporting, and lines of authority and responsibility for liquidity decisions; b) the liquidity risk management structure - systems for monitoring, reporting and reviewing liquidity; c) liquidity risk management tools - the approach for identifying, measuring, monitoring and controlling liquidity risk (including the types of liquidity limits and ratios in place and the rationale for establishing them); d) liquidity risk management in individual currencies; and e) the contingency liquidity plan - the strategy for handling liquidity crises.

4.4.18 The policy must be reviewed at board and senior management/ALCO level at least annually, or more frequently when there are material changes in the institution’s current and prospective liquidity risk profile.
Procedure Manuals

4.4.19 An institution should establish documented procedure and/or process manuals in order to implement its liquidity policies. The procedure manual should detail the operational steps and processes needed to execute the relevant liquidity risk controls.

4.4.20 Procedure manuals should be reviewed and updated periodically to take into account new activities and changes in risk management approaches and systems.

Ratios and Limits

4.4.21 The board of directors and/or senior management should establish limits on the nature and amount of liquidity risk that the institution is willing to assume. The limits should reflect the nature of the institution’s strategies and activities, its past performance, the level of earnings and capital available to absorb potential losses, and its tolerance for risk.

4.4.22 Every regulated institution should factor in the internal environment (expertise, experience, past performance) and the external environment (market conditions, peer indicators, macroeconomic performance) when setting limits and benchmarks.

4.4.23 Limits should be documented in the liquidity policies and reviewed periodically (at least annually) or whenever conditions or risk tolerances change.

4.4.24 Senior management/ALCO should have the means to review compliance with established limits. Responsibility for monitoring limits should be assigned to a function independent of the funding areas, and there should be a defined procedure for reporting limit exceptions to senior management/ALCO. While limits alone will not prevent a liquidity crisis, limit exceptions can be early indicators of excess risk or of inadequate liquidity risk management.

4.4.25 Liquidity ratios are useful for quantifying liquidity risk, and limits can be set on them. However, liquidity ratios should always be used in conjunction with more qualitative information, such as funding capacity, to reveal material liquidity trends.

4.4.26 Other ratios and limits that regulated institutions should use to monitor liquidity risk include the following: a) Cashflow Ratios and Limits - liquidity risk may arise from a regulated institution’s failure to roll over maturing liabilities or to realise anticipated cashflows from assets. Cashflow ratios and limits measure and control the volume of liabilities maturing during a specified period; b) Liability Concentration Ratios and Limits - these ratios and limits help to prevent a bank from relying on a few funding sources.
Limits should be expressed either as a percentage of liquid assets or as an absolute amount; c) Other Balance Sheet Ratios - regulated institutions should use ratios such as total loans/total deposits, total loans/total equity capital and borrowed funds/total assets, among others, to monitor current and potential funding levels; and d) Liquidity Coverage Ratio and Net Stable Funding Ratio - regulated institutions are required to comply with the Liquidity Coverage Ratio (LCR) and the Net Stable Funding Ratio (NSFR) as stipulated in the respective Standards issued by the Reserve Bank.

Liquidity Risk Measurement and Monitoring

4.4.27 Every regulated institution should establish a risk measurement system to ensure that liquidity requirements are identified and managed on an ongoing basis. The measurement system and associated procedures should be applicable under both normal and stressed liquidity conditions. A range of techniques can be used to measure liquidity risk, from simple gap calculations to sophisticated modelling.

4.4.28 An institution should track and evaluate its current and anticipated liquidity position and its capacity to fund potential gaps. A monitoring system should consist of limits, guidelines and trend analysis that enable management to monitor compliance with approved risk tolerances and to track variances.

Management Information Systems

4.4.29 Every regulated institution should have adequate management information systems (MIS) for measuring, monitoring, controlling and reporting liquidity risk under normal and stressed conditions.

4.4.30 The MIS should encompass all significant aspects of liquidity risk, including those associated with new products and business initiatives, and be capable of evaluating their effect on cashflows and liquidity ratios. In particular, the MIS should be capable of: a) calculating cashflows and maturity mismatch positions arising from the full range of a regulated institution’s assets, liabilities and off-balance sheet positions on a day-to-day basis; b) analysing cashflows and maturity mismatch positions in all currencies in which the regulated institution trades, both individually and on an aggregate basis; c) producing projected liquidity indicators as part of the risk management process; d) checking compliance with established liquidity policies and limits, and generating exception reports; and e) reporting risk measures and liquidity trends to management on a timely basis.

4.4.31 The MIS should be capable of providing, on a timely basis, accurate and relevant liquidity reports to the board, senior management/ALCO and other personnel responsible for assessing the level of liquidity risk under different operating circumstances.

Cashflow Analysis and Maturity Profile

4.4.32 Maturity mismatch analysis is a useful means of comparing cash inflows and outflows, both on a day-to-day basis and over specified time periods. This approach measures an institution’s liquidity by identifying cashflows from on- and off-balance sheet items.

4.4.33 Cashflow and maturity mismatch analysis enables regulated institutions to assess their ability to meet immediate liquidity requirements and to identify their medium- to long-term liquidity profile.

4.4.34 All cashflows (including those arising from off-balance sheet transactions) should be captured in the maturity profile. Where certain cashflows are considered immaterial, the decision to exclude them from the maturity profile should be approved by senior management/ALCO.
4.4.35 The following should be incorporated when constructing a maturity profile for maturity mismatch analysis:

Time Bands

4.4.36 The maturity profile should have adequate time bands to effectively monitor both an institution’s short-term liquidity needs and its longer-term liquidity profile. At a minimum, an institution should construct daily time bands over a period ranging from one week to one month for the purpose of managing its short-term liquidity needs.

4.4.37 Wider time bands may be used to manage long-term liquidity.

Behavioural Assumptions

4.4.38 In most instances, the actual maturities of assets and liabilities do not reflect their contractual maturities. Therefore, in preparing the maturity profile, an institution should detail the assumptions underlying the behaviour of its assets, liabilities and off-balance sheet items.

4.4.39 For liabilities with embedded optionality, such as retail deposits where the timing and amount of withdrawals are uncertain, an institution should analyse historical observations to determine their cashflow patterns and derive behavioural assumptions applicable to those cashflows.

4.4.40 An institution should also examine the potential for significant cashflows from its off-balance sheet activities. The contingent nature of most off-balance sheet instruments increases the complexity of managing the associated cashflows. Every regulated institution should therefore determine, on an ongoing basis, a “normal” level of net cashflows arising from off-balance sheet activities.

4.4.41 All behavioural assumptions and their justifications should be documented and approved by senior management/ALCO.

Granularity

4.4.42 A maturity profile should be constructed with appropriate granularity to reflect the nature of the institution’s business.

4.4.43 An appropriate breakdown of the maturity profile by account type (e.g. a breakdown of deposits by type) allows a more effective analysis to be carried out.

Limits on Net Cumulative Funding Mismatch

4.4.44 A regulated institution should specify acceptable limits on the size of the cumulative funding mismatch position for the short-term time bands.

4.4.45 The greater emphasis of mismatch analysis should be on short-term cashflows, particularly positions from sight up to one month. However, an institution’s cashflow mismatch position in the medium- to long-term time bands is important in providing early warning of potential future liquidity problems.

Cashflows Denominated in Individual Currencies

4.4.46 Every regulated institution should perform maturity mismatch analysis of all its cashflows denominated in the local currency.
For foreign currencies that represent a significant portion of the institution’s total funding and/or are not considered easily convertible, a separate maturity mismatch analysis should be performed for each such currency.

Management Reports

4.4.47 Liquidity management reports should include, at a minimum: a) a cashflow analysis highlighting short-term liquidity needs; b) the structure, level and trend of assets and liabilities; c) the level and trend of liquidity ratios; d) undrawn commitments; e) limit breaches; f) the computation of cost of funds and yield on assets; g) maturity gap analysis; h) levels of liquidity compared with established targets and the resulting variance analysis; and i) alternative funding sources and funds available, including lines of credit and stand-by facilities, and their associated costs.

Funding Capacity

4.4.48 Every regulated institution should estimate its “normal” funding capacity in both the retail and the wholesale markets. Deterioration in the institution’s funding capacity can result from the following, among other circumstances: a) an adverse change in credit rating; b) difficulty in accessing the interbank and wholesale markets; c) concentration in funding sources; d) deterioration in asset quality; e) increased competition for funds; f) worsening earnings performance; and g) negative media attention.

4.4.49 For retail markets, an institution should consider its market share, competitive pressures, economic conditions and other factors when estimating its funding capacity.

4.4.50 An institution that relies heavily on wholesale funds should continuously assess its market acceptance by counterparties so as to detect any hint of resistance in the funding market.

4.4.51 The board of directors and/or senior management must ensure that the relevant personnel are aware of any strategies or events that could affect the market’s perception of the institution.

Intra-group Liquidity

4.4.52 For institutions that are part of regulated groups, effective liquidity risk management requires a good understanding of the funding positions of all entities in the group that might affect the regulated institution’s liquidity. Intra-group liquidity analysis and monitoring require an integrated review of all relevant cashflows.

4.4.53 Regulated institutions should analyse and monitor intra-group liquidity on a continuous basis.
Stress Testing

4.4.54 A regulated institution should conduct stress tests on a regular basis by applying various scenarios to its liquidity positions, to ensure that it identifies sources of potential liquidity strain and has adequate liquidity to withstand stressed conditions. Stress testing should also incorporate group-level scenarios.

4.4.55 The board of directors and senior management should examine stress-testing results and adjust liquidity risk management strategies, policies and positions, develop effective contingency plans, and formulate appropriate strategies to address the cashflow needs revealed by the scenario analysis. For example, there may be a need to reduce liquidity risk by obtaining more long-term funding or by restructuring the composition of assets.

4.4.56 It is important for regulated institutions to construct reasonable adverse scenarios when stress testing liquidity, and to examine the resulting cashflow needs. While regulated institutions are encouraged to cover stress events of different types and levels of adversity, they should include the following scenarios in their stress testing exercise: a) an institution-specific crisis scenario; and b) a general market crisis scenario.

4.4.57 Institution-specific crisis scenarios cover situations where there are real or perceived problems at the institution, for example operational problems, solvency concerns or adverse credit rating changes. A general market crisis scenario is one in which liquidity at a large number of institutions in one or more markets is affected.

4.4.58 An institution should detail the assumptions underlying the behaviour of the cashflows of its assets, liabilities and off-balance sheet items under plausible crisis scenarios. The timing and size of the cashflows are important factors to consider.

4.4.59 The assumptions may differ quite sharply from scenario to scenario, since the timing and size of cashflows can behave differently in different situations.

4.4.60 When performing cashflow analysis under each scenario, institutions should assign an appropriate liquidity discount factor to each asset to take account of price risk. Institutions should also factor in the settlement period, i.e. the expected time needed to liquidate the asset.

4.4.61 The key assumption underlying an institution-specific crisis scenario should be that many of the institution’s liabilities cannot be rolled over or replaced, so that they must be repaid at maturity and the institution would have to wind down its books to some degree.
4.4.62 The minimum criteria for the assumptions used when stress testing liquidity risk are as follows: a) the assumptions have to be consistent and reasonable for each scenario; b) the assumptions should be verified and supported by sufficient evidence, experience and performance data rather than arbitrarily selected; c) banks should document the behavioural assumptions in their liquidity management policy statement, together with the type of analysis performed under each assumption, to facilitate periodic review; and d) senior management should ensure that key assumptions are evaluated for reasonableness at least annually.

4.4.63 In stipulating stress testing assumptions, a bank should take a conservative approach that reflects the severity of the scenario, and must consider the appropriateness of a number of relevant assumptions, such as: a) asset market illiquidity, with erosion of asset values; b) the run-off of retail funding; c) the unavailability of secured and unsecured wholesale funding sources; d) additional margin calls and collateral requirements; e) liquidity drains arising from complex products or transactions; f) access to foreign exchange markets; g) the bank’s ability to monetise assets; and h) estimates of future growth in balance sheet assets and liabilities.

4.4.64 Under a general market crisis scenario, it is assumed that a regulated institution may have less control over the level and timing of future cashflows. Characteristics of this scenario may include a liquidity squeeze, counterparty defaults, substantial discounts needed to sell assets, and wide differences in funding access among regulated institutions due to a severe tiering of their perceived credit quality (i.e. a flight to quality).

4.4.65 When performing scenario analysis, institutions may factor in the possibility of intra-group or head office support. Such support would be of particular value in a crisis affecting only local operations, but could prove ineffective if the crisis impinged on the group as a whole.

4.4.66 Institutions should perform scenario analysis on a periodic basis, and senior management/ALCO should review the results periodically. Institutions should also periodically review the behavioural assumptions used to manage cashflows under the various crisis scenarios. These assumptions are to be approved by senior management/ALCO.

4.4.67 Regulated institutions should document the following in their stress testing policy: a) the cashflow assumptions for the institution-specific and general market crisis scenarios; and b) their own estimate of the minimum number of days needed to arrange emergency funding support from other sources.

Contingency Liquidity Plan

4.4.68 Every regulated institution should have a contingency plan for handling liquidity crisis situations. A contingency liquidity plan is a projection of a bank’s future cashflows and funding sources under stressed market scenarios, including aggressive asset growth or rapid liability erosion.

4.4.69 The plan should be reviewed and updated periodically (at least annually) by senior management/ALCO to ensure that it remains robust over time and reflects the institution’s changing operating circumstances. At a minimum, the contingency plan should: a) designate the personnel responsible for identifying a crisis and for contingency management, including provisions for prompt notification of problems to the Reserve Bank.
Responsibilities should be clearly defined so that all personnel understand their roles in a crisis situation; b) specify the early warning indicators used to signal an approaching crisis event, with mechanisms for constant monitoring and reporting of these indicators; c) contain reporting procedures to ensure that all necessary information is available for senior management to make quick decisions; d) set out procedures for making up cashflow shortfalls in crisis situations, clearly spelling out the sources of funds, their expected reliability and the priority ranking of the sources; e) outline courses of action for altering the asset and liability structure, and assess the likely impact of these on the market’s perception of the institution; and f) include details for handling public relations issues and media management.

Stakeholder Management and Public Disclosure

4.4.70 Good public relations management can help a regulated institution counter rumours that could result in a significant run-off by retail depositors and institutional investors.

4.4.71 Regulated institutions should provide adequate information on an ongoing basis to the public and, in particular, to major creditors and counterparties, so that it is easier for them to manage market perceptions during crisis situations.

Internal Controls

4.4.72 Every regulated institution must have an adequate system of internal controls over its liquidity risk management process.

4.4.73 The internal controls should promote effective and efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations and institutional policies. An effective system of internal controls for liquidity risk management includes: a) an adequate process for identifying and evaluating liquidity risk; b) the establishment of control measures such as policies and procedures; c) adequate management information systems; and d) continual review of adherence to established policies and procedures.

4.4.74 An important element of a regulated institution’s system of internal control over its liquidity risk management process is regular evaluation and independent review. This includes ensuring that personnel are following established policies and procedures, and that the procedures that were established actually accomplish the intended objectives. Such reviews and evaluations should also address any significant change that may affect the effectiveness of controls.

4.4.75 Management should ensure that all such reviews and evaluations are conducted regularly by individuals who are independent of the function being reviewed. When revisions or enhancements to internal controls are warranted, these should be implemented in a timely manner.

4.4.76 Limit breaches should receive the prompt attention of appropriate management and should be resolved according to the process described in the approved policies.

4.4.77 The internal audit function should also periodically review the liquidity management process in order to identify any weaknesses or problems. In turn, these should be addressed by management in a timely and effective manner.
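The following is an added worked example and is not part of the Standard or of any institution’s MIS. It illustrates, in one script, the maturity mismatch analysis described in 4.4.32 to 4.4.45 (time bands, behavioural assumptions for deposits with embedded optionality, off-balance sheet drawdowns, net and cumulative gaps, limits on the short-term cumulative mismatch), the exception reporting an MIS is expected to produce under 4.4.30 d), and the scenario assumptions of 4.4.60 to 4.4.64 (liquidity discount factors, settlement periods, roll-over failure in an institution-specific crisis, partial roll-over in a general market crisis). The balance sheet, time bands, run-off and roll-over rates, haircuts, settlement periods and limit percentages are all constructed for illustration; a regulated institution would derive its own from historical observation as 4.4.39 requires.

```python
"""Maturity mismatch ladder under normal and stressed behavioural assumptions.

Added worked example, not part of the RBZ standard. The positions, time bands,
run-off and roll-over rates, liquidity discounts and limits are constructed.
"""
from dataclasses import dataclass

# Time bands as (label, upper bound in days); the stable core of non-maturity
# deposits is parked beyond one year (assumed banding, cf. 4.4.36-4.4.37)
BANDS = [("1d", 1), ("2-7d", 7), ("8-30d", 30), ("31-90d", 90), ("91-365d", 365), (">1y", 10**9)]
STABLE_DAY = 10**6

@dataclass(frozen=True)
class Position:
    name: str
    kind: str          # marketable | loan | retail_deposit | wholesale | commitment
    amount: float      # positive = cash inflow, negative = cash outflow
    maturity_day: int  # contractual maturity in days (demand items: day 1)

# Constructed balance sheet, amounts in millions of local currency
POSITIONS = [
    Position("treasury_bills", "marketable", 300, 60),
    Position("term_loans_short", "loan", 150, 20),
    Position("term_loans_long", "loan", 900, 700),
    Position("retail_demand_deposits", "retail_deposit", -700, 1),
    Position("interbank_borrowing", "wholesale", -250, 7),
    Position("wholesale_cd", "wholesale", -300, 90),
    Position("undrawn_credit_lines", "commitment", -200, 1),
]

# Behavioural assumptions per scenario (4.4.38-4.4.40, 4.4.60-4.4.63); constructed
SCENARIOS = {
    "normal": dict(retail_runoff=0.05, wholesale_rollover=1.0, haircut=0.00, settle_days=0, drawdown=0.05),
    "institution_specific": dict(retail_runoff=0.30, wholesale_rollover=0.0, haircut=0.15, settle_days=2, drawdown=0.40),
    "general_market": dict(retail_runoff=0.10, wholesale_rollover=0.5, haircut=0.30, settle_days=5, drawdown=0.20),
}

# Limits on the net cumulative mismatch for the short-term bands, expressed as a
# fraction of total on-balance-sheet liabilities (4.4.44); constructed values
LIMIT_PCT = {"1d": 0.05, "2-7d": 0.10, "8-30d": 0.15}

def behavioural_cashflows(positions, s):
    """Turn contractual positions into expected (day, amount) cashflows under scenario s."""
    flows = []
    for p in positions:
        if p.kind == "retail_deposit":
            # Embedded optionality: the assumed run-off leaves on day 1, the rest is stable core
            flows += [(1, p.amount * s["retail_runoff"]), (STABLE_DAY, p.amount * (1 - s["retail_runoff"]))]
        elif p.kind == "wholesale":
            # Only the portion that cannot be rolled over is an outflow at maturity (4.4.61)
            flows.append((p.maturity_day, p.amount * (1 - s["wholesale_rollover"])))
        elif p.kind == "marketable":
            # Monetised early at a liquidity discount, cash arriving after the
            # settlement period, unless the asset matures sooner anyway (4.4.60)
            sale_day = 1 + s["settle_days"]
            if sale_day < p.maturity_day:
                flows.append((sale_day, p.amount * (1 - s["haircut"])))
            else:
                flows.append((p.maturity_day, p.amount))
        elif p.kind == "commitment":
            # Off-balance-sheet drawdown assumed to occur on day 1 (4.4.40)
            flows.append((1, p.amount * s["drawdown"]))
        else:
            flows.append((p.maturity_day, p.amount))
    return flows

def ladder(flows):
    """Bucket cashflows into BANDS; return (label, net gap, cumulative gap) per band."""
    net = [0.0] * len(BANDS)
    for day, amt in flows:
        net[next(i for i, (_, ub) in enumerate(BANDS) if day <= ub)] += amt
    rows, cum = [], 0.0
    for (label, _), n in zip(BANDS, net):
        cum += n
        rows.append((label, round(n, 2), round(cum, 2)))
    return rows

def cumulative_limits(positions):
    """Negative cumulative-gap floors per short-term band, scaled to total liabilities."""
    total_liabilities = -sum(p.amount for p in positions if p.amount < 0 and p.kind != "commitment")
    return {label: -pct * total_liabilities for label, pct in LIMIT_PCT.items()}

def run_scenario(name, positions=POSITIONS):
    """Return the ladder and the limit exceptions an MIS should report (4.4.30 d)."""
    rows = ladder(behavioural_cashflows(positions, SCENARIOS[name]))
    limits = cumulative_limits(positions)
    breaches = [(label, cum, limits[label]) for label, _, cum in rows
                if label in limits and cum < limits[label]]
    return rows, breaches

if __name__ == "__main__":
    for name in SCENARIOS:
        rows, breaches = run_scenario(name)
        print(f"\n{name}: cumulative gap by band")
        for label, net, cum in rows:
            print(f"  {label:>8}  net {net:8.1f}  cumulative {cum:8.1f}")
        for label, cum, limit in breaches:
            print(f"  EXCEPTION {label}: cumulative {cum:.1f} below limit {limit:.1f}")
```

Under the constructed assumptions the normal ladder stays positive in every band, the institution-specific scenario breaches the 1-day and 2-to-7-day cumulative limits (retail run-off plus commitment drawdown on day 1, then the unrolled interbank line on day 7), and the general market scenario breaches only the 1-day limit. The point of separating `behavioural_cashflows` from `ladder` is that the scenario assumptions are data that senior management/ALCO approves (4.4.41, 4.4.66), while the bucketing and limit check are mechanical and can be audited independently of them.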
5. INTEREST RATE RISK

5.1 Introduction

5.1.1 Interest rate risk is the exposure of a regulated institution’s on- and off-balance sheet positions to adverse movements in interest rates, resulting in a loss to earnings and capital.

5.1.2 Changes in interest rates affect a regulated institution’s earnings by altering interest-sensitive income and expenses. Interest rate changes also affect the underlying value of an institution’s assets, liabilities and off-balance sheet instruments through changes in the present value of future cashflows (and, in some cases, in the cashflows themselves).

5.1.3 While interest rate risk is assumed by financial institutions as part of normal financial intermediation, excessive interest rate risk poses a significant threat to a regulated institution’s financial condition. The board and senior management should therefore design and implement sound interest rate risk management systems that minimise the bank’s vulnerability to movements in interest rates.

5.2 Sources of Interest Rate Risk

5.2.1 The primary forms of interest rate risk to which regulated institutions are exposed include: a) repricing risk, which arises from timing differences in the maturity and repricing of bank assets, liabilities and off-balance sheet positions. The impact of repricing risk depends on whether changes to the term structure of interest rates occur uniformly across the yield curve (parallel risk) or differ by period (non-parallel risk); b) basis risk, which arises from imperfect correlation in the adjustment of the rates earned and paid on different instruments with otherwise similar repricing characteristics. Basis risk affects a regulated institution’s net interest margin (NIM) by widening or narrowing the spread between interest income and interest expense. The change also affects the anticipated future cashflows from such instruments, which in turn affect the regulated institution’s underlying net economic value;
c) yield curve risk, which arises when unanticipated shifts in the yield curve have adverse effects on a bank’s income or underlying economic value. Changes in the yield curve [3] can increase a regulated institution’s interest rate risk by amplifying the effect of maturity mismatches. For instance, a regulated institution that funds long-term assets with short-term liabilities will generally experience a greater decline in NIM in a flattening yield curve environment than under a parallel shift in the yield curve; and d) option risk, which arises from the options embedded in many bank assets, liabilities and off-balance sheet portfolios. An option gives the holder the right to buy (call option) or sell (put option) a financial instrument at a specified price (strike price) over a specified period.

5.2.2 Regulated institutions’ risk management systems should incorporate methodologies for identifying, measuring, monitoring and controlling all the primary forms of interest rate risk.

[3] In the absence of a market yield curve, institutions are required to use internal models to value marketable instruments.
5.4.2 The responsibilities of the board of directors include the following: a) reviewing the overall objectives of the regulated institution with respect to interest rate risk and ensuring that clear guidance is provided on the level of interest rate risk acceptable to the bank; b) approving the bank’s broad business strategies with respect to interest rate risk and ensuring that management takes the steps necessary to identify, measure, monitor and control interest rate risk; c) setting appropriate limits on interest rate risk, including the definition of specific procedures and approvals necessary for exceptions, and ensuring compliance with those limits; d) approving policies that identify lines of authority and responsibility for managing interest rate risk exposures; and e) delegating responsibility for establishing interest rate risk policies to the Asset and Liability Committee (ALCO) or other designated structures.

5.4.3 The Board should be informed frequently (at least quarterly) of the level and direction of the bank’s interest rate risk exposures. The Board should regularly review timely information that is sufficiently detailed to allow effective assessment of management’s performance in monitoring and controlling interest rate risk in compliance with Board-approved policies. The frequency of these reviews should be in line with the bank’s interest rate risk exposures.

5.4.4 While Board members do not individually need detailed technical knowledge of complex financial instruments or of quantitative risk management techniques, they should understand the implications of the bank’s interest rate risk strategies, including the potential linkages with, and impact on, market, liquidity, credit and operational risk. Members should have sufficient knowledge to question and challenge the reports made to the Board. Board members are responsible for ensuring that senior management has the capability and skills to understand interest rate risk, and that adequate resources are devoted to interest rate risk management.

Senior Management Oversight

5.4.5 Senior management is responsible for understanding the institution’s interest rate risk exposure and for ensuring that clear guidance on acceptable risk levels is given, based on the business strategies. Senior management must identify, measure, monitor and control interest rate risk in line with the approved strategies and policies.

5.4.6 Senior management should ensure that the structure of the bank’s business and the level of interest rate risk it assumes are correctly aligned and effectively managed.

5.4.7 It is the responsibility of management to maintain: a) appropriate limits on interest rate risk, including the definition of specific procedures and approvals necessary for exceptions, and to ensure compliance with those limits; b) adequate systems for measuring interest rate risk; c) standards for measuring interest rate risk, valuing positions and assessing performance, including procedures for updating interest rate shock and stress scenarios and the key underlying assumptions driving the institution’s interest rate risk analysis; d) a comprehensive interest rate risk reporting and review process; and e) effective internal controls and management information systems (MIS).
5.4.8 In order to fulfil the above responsibilities, senior management should: a) periodically review the organisation’s interest rate risk management policies and procedures to ensure that they remain appropriate and sound; b) set aside adequate capital commensurate with the level of interest rate risk assumed by the regulated institution; c) periodically update the board of directors on interest rate risk measurement, reporting and management procedures; d) ensure that there is sufficient depth and skill in staff resources to manage interest rate risk and to accommodate the temporary absence of key personnel; e) define lines of authority and responsibility for developing and implementing strategies and for conducting the risk measurement and reporting functions of the interest rate risk management process; f) provide reasonable assurance, through the audit function, that all activities and all aspects of interest rate risk are covered by the regulated institution’s risk management process; g) ensure that there is adequate separation of duties in key elements of the interest rate risk management process, so as to avoid potential conflicts of interest; h) ensure that sufficient safeguards exist to minimise the potential for individuals initiating risk-taking positions to inappropriately influence key control functions of the risk management process, such as the development and enforcement of policies and procedures and the conduct of back-office functions; i) ensure that the nature and scope of these safeguards are in accordance with the size and structure of the bank, and commensurate with the volume and complexity of the interest rate risk it incurs and the complexity of its transactions and commitments; and j) ensure that the bank has a designated independent function responsible for the design and administration of the bank’s interest rate risk measurement, monitoring and control functions.

5.5 Risk Management Policies and Procedures

5.5.1 A bank’s interest rate risk management procedures should be clearly defined and consistent with its activities. Policies, procedures and limits should be documented, reviewed and approved by management. An accurate, informative and timely management information system is essential if senior management and business line managers are to stay informed and comply with Board policy.

5.5.2 Interest rate risk management policies and procedures should: a) specify limits for all types of instruments, portfolios and activities; b) delineate lines of responsibility and accountability for interest rate risk management decisions; c) clearly define the authorised instruments (either specifically or by their characteristics), hedging strategies and position-taking opportunities; d) delineate a clear set of institutional procedures for acquiring specific instruments, managing portfolios and controlling the bank’s aggregate interest rate risk exposure; and e) clearly define the approvals necessary for exceptions to policies, limits and authorisations.

5.5.3 Banks should be aware of the interest rate risk in new services and activities. They should also be aware of the volatility of embedded option features and should be able to adapt to changing market conditions. Banks should also consider balancing cashflows and managing interest rate risk through hedging.
Major hedging or risk management initiatives should be approved in advance by the board or a committee.

5.5.4 The procedures for undertaking new instruments or new strategies should at least contain the following features:
a) a description of the relevant product or strategy;
b) identification of the resources required to establish sound and effective interest rate risk management of the product or activity;
c) an analysis of the impact of the proposed activities on the regulated institution’s overall financial condition and capital levels; and
d) the procedures to be used to measure, monitor and control the risks of the proposed product or activity.
These procedures should be reviewed and approved by the board at least on an annual basis.

5.6 Interest Rate Risk Management Process

5.6.1 The interest rate risk management process encompasses risk measurement, monitoring and control.

Measurement

5.6.2 Banks should have interest rate risk measurement systems that capture all sources of interest rate risk and that assess the effect of interest rate changes in ways that are consistent with the scope of their activities. The assumptions underlying the risk measurement system should be clearly understood by the board and senior management.

5.6.3 Interest rate risk measurement systems should assess the effects of rate changes on both earnings and economic value.

5.6.4 The earnings perspective focuses on the impact of variation in interest rates on accrual or reported earnings. Under this approach interest rate risk is assessed by measuring the change in net interest income or net interest margin, i.e. the difference between total interest income and total interest expense.

5.6.5 The economic value perspective reflects the projected impact of fluctuations in interest rates on the economic value of a regulated institution’s assets, liabilities and off-balance sheet positions, measured as the present value of future cash flows. Economic value is therefore affected both by changes in future cash flows and by the discount rate used to determine present value. This perspective also captures the potential longer-term impact of interest rates on an institution.

5.6.6 Regulated institutions should consider the impact of past interest rate movements on future performance, as instruments that are not marked to market may already contain embedded gains or losses from past rate movements. These gains or losses are reflected in the institution’s earnings over time. For example, a long-term fixed-rate loan written when rates were low carries an embedded loss once it is funded by higher-interest liabilities, and that loss flows through earnings until the loan is settled.
5.6.7 The methodology for measuring interest rate risk should be based on adequate information on current positions, market conditions and instrument characteristics. A bank should have at least two techniques for measuring interest rate risk.

5.6.8 Several techniques are available for measuring the interest rate risk exposure of both earnings and economic value. Their complexity ranges from simple calculations, through static simulations using current holdings, to highly sophisticated dynamic modelling techniques that reflect potential future business and business decisions.

5.6.9 The techniques that can be used to measure interest rate risk include gap analysis, duration, simulation and Expected Shortfall (ES).

Gap analysis

5.6.10 To evaluate earnings exposure, interest rate-sensitive liabilities in each time band should be subtracted from the corresponding interest rate-sensitive assets to produce a repricing “gap” for that time band. This gap should be multiplied by an assumed change in interest rates to yield an approximation of the change in net interest income that would result from such an interest rate movement.

5.6.11 The size of the interest rate movement used in the analysis can be based on a variety of factors, including historical experience, simulation of potential future interest rate movements and the judgement of bank management.
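A worked implementation of the repricing gap calculation in 5.6.10 and 5.6.11, added here as an illustration and not part of the standard. The four-band repricing schedule, the assumption that positions reprice at the midpoint of their band, and the 200 basis point shock are all constructed for the example; amounts are in arbitrary currency units. The block also carries a time-weighted refinement of the 5.6.10 approximation that is common practice but is not stated in the text.

```python
"""Repricing gap analysis (added worked example; the schedule is constructed).

Per time band: gap = rate-sensitive assets - rate-sensitive liabilities.
A positive gap is asset-sensitive (NII rises with rates); a negative gap is
liability-sensitive (NII falls with rates).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeBand:
    label: str
    upper_months: int    # end of the band, in months from today
    assets: float        # rate-sensitive assets repricing in this band
    liabilities: float   # rate-sensitive liabilities repricing in this band


# Constructed repricing schedule for the example (not real data).
SCHEDULE = (
    TimeBand("0-1m", 1, 400.0, 700.0),
    TimeBand("1-3m", 3, 300.0, 350.0),
    TimeBand("3-6m", 6, 250.0, 200.0),
    TimeBand("6-12m", 12, 200.0, 100.0),
)


def repricing_gaps(schedule):
    """Return (label, gap, cumulative gap) per band, as in 5.6.10."""
    rows, cumulative = [], 0.0
    for band in schedule:
        gap = band.assets - band.liabilities
        cumulative += gap
        rows.append((band.label, gap, cumulative))
    return rows


def delta_nii_simple(schedule, rate_shift, horizon_months=12):
    """The approximation stated in 5.6.10: cumulative gap within the horizon
    multiplied by the assumed parallel rate shift (e.g. 0.02 for +200bp)."""
    gap = sum(b.assets - b.liabilities for b in schedule
              if b.upper_months <= horizon_months)
    return gap * rate_shift


def delta_nii_time_weighted(schedule, rate_shift, horizon_months=12):
    """Refinement (an assumption of this example, not from the standard):
    a position that reprices at the midpoint of its band only earns or pays
    the new rate for the remainder of the horizon, so each band's gap is
    weighted by (horizon - midpoint) / 12."""
    total, lower = 0.0, 0
    for band in schedule:
        if lower >= horizon_months:
            break
        upper = min(band.upper_months, horizon_months)
        midpoint = (lower + upper) / 2.0
        weight = (horizon_months - midpoint) / 12.0
        total += (band.assets - band.liabilities) * rate_shift * weight
        lower = band.upper_months
    return total


def gap_report(schedule, rate_shift):
    """Per-band gap table plus both NII estimates for one shock size."""
    lines = [f"{'band':>7} {'gap':>9} {'cum gap':>9}"]
    for label, gap, cum in repricing_gaps(schedule):
        lines.append(f"{label:>7} {gap:>9.1f} {cum:>9.1f}")
    lines.append(f"shift {rate_shift * 1e4:+.0f}bp: "
                 f"simple dNII = {delta_nii_simple(schedule, rate_shift):.2f}, "
                 f"time-weighted dNII = {delta_nii_time_weighted(schedule, rate_shift):.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Liability-sensitive book: a +200bp shock reduces NII under both methods.
    print(gap_report(SCHEDULE, 0.02))
```

The constructed book is liability-sensitive in the short bands, so the time-weighted estimate is more negative than the simple cumulative-gap figure: the short-dated negative gaps carry the new rate for almost the whole year, while the positive gap in the 6-12 month band only does so for the last quarter.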

Duration

5.6.12 Duration is the weighted average term to maturity of the cash flows of an asset or liability, with each cash flow weighted by its present value.

5.6.13 Duration-based weights can be used in combination with a maturity/repricing schedule to provide a rough approximation of the change in a bank’s economic value that would occur given a particular change in the level of market interest rates. Typically, such weights are based on estimates of the duration of the assets and liabilities that fall into each time band. In some cases different weights should be used for different positions within a time band, reflecting broad differences in coupon rates and maturities (for instance, one weight for assets and another for liabilities).

5.6.14 In addition, different interest rate changes are sometimes used for different time bands, generally to reflect differences in the volatility of interest rates along the yield curve. The weighted gaps are aggregated across time bands to produce an estimate of the change in the economic value of the bank that would result from the assumed changes in interest rates.

Simulation

5.6.15 Regulated institutions with complex risk profiles, or which use complex financial instruments, should employ more sophisticated interest rate risk measurement systems than those based on simple maturity/repricing schedules. Simulation techniques typically involve detailed assessments of the potential effects of changes in interest rates on earnings and economic value, by simulating the potential path of interest rates and their impact on cash flows.

Static simulation

5.6.16 When measuring interest rate risk using static simulation, only the cash flows arising from the bank’s current on- and off-balance sheet positions are assessed. To assess the exposure of earnings, simulations estimating the cash flows and resulting earnings streams over a specific period should be conducted for one or more assumed interest rate scenarios.
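The duration-weighted estimate of 5.6.13 and 5.6.14 set against the full revaluation that static simulation (5.6.16) performs, as an added example that is not part of the standard. The three-position balance sheet, the flat 5% base curve, annual compounding and the shock sizes are all constructed for illustration; shocks are expressed as a function of maturity so that a parallel shift and a curve tilt (the band-specific rate changes of 5.6.14) are handled by the same code.

```python
"""Economic value sensitivity: first-order (duration) estimate versus full
discounted cash-flow revaluation.  Added worked example; the balance sheet,
base curve and shocks are constructed, not taken from the standard.

Conventions (assumptions of this example): zero rates with annual
compounding, cash-flow times in years, curve(t) -> zero rate at t,
shock(t) -> absolute change in the zero rate at t (0.02 = +200bp).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    name: str
    sign: int          # +1 asset, -1 liability
    cashflows: tuple   # ((t_years, amount), ...)


# Constructed static balance sheet: 1000 of 5-year 6% fixed-rate loans funded
# by 800 of 1-year 3% deposits and 200 of 3-year 6% notes.
BOOK = (
    Position("5y fixed loans", +1, ((1, 60.0), (2, 60.0), (3, 60.0), (4, 60.0), (5, 1060.0))),
    Position("1y deposits", -1, ((1, 824.0),)),
    Position("3y notes", -1, ((1, 12.0), (2, 12.0), (3, 212.0))),
)


def flat(rate):
    """Flat zero curve."""
    return lambda t: rate


def parallel(delta):
    """Parallel shock of the whole curve (a 'shift' in 5.6.17)."""
    return lambda t: delta


def tilt(short_delta, long_delta, pivot=5.0):
    """Shock that varies along the curve (a 'tilt' in 5.6.17, or band-specific
    changes as in 5.6.14): linear from short_delta at t=0 to long_delta at
    t=pivot, flat beyond the pivot."""
    return lambda t: short_delta + (long_delta - short_delta) * min(t, pivot) / pivot


def shifted(curve, shock):
    return lambda t: curve(t) + shock(t)


def pv(position, curve):
    """Present value of the position's cash flows on the given curve."""
    return sum(amt * (1.0 + curve(t)) ** (-t) for t, amt in position.cashflows)


def modified_duration(position, curve):
    """Macaulay duration / (1 + r), with r taken at the final maturity
    (exact on a flat curve; used for reporting)."""
    value = pv(position, curve)
    macaulay = sum(t * amt * (1.0 + curve(t)) ** (-t) for t, amt in position.cashflows) / value
    return macaulay / (1.0 + curve(position.cashflows[-1][0]))


def economic_value(book, curve):
    """Economic value of equity: PV of assets minus PV of liabilities."""
    return sum(p.sign * pv(p, curve) for p in book)


def ev_change_duration(book, curve, shock):
    """Duration-weighted estimate (5.6.13-5.6.14).  For each cash flow,
    d PV / d r_t = -t * CF * (1 + r_t)^(-t-1); with a parallel shock on a
    flat curve this reduces to -D_mod * PV * delta for each position."""
    total = 0.0
    for p in book:
        total += p.sign * sum(-t * amt * (1.0 + curve(t)) ** (-t - 1) * shock(t)
                              for t, amt in p.cashflows)
    return total


def ev_change_exact(book, curve, shock):
    """Static simulation (5.6.16-5.6.17): revalue every cash flow on the
    shocked curve and take the difference from the base value."""
    return economic_value(book, shifted(curve, shock)) - economic_value(book, curve)


if __name__ == "__main__":
    base = flat(0.05)
    print(f"EVE at base rates: {economic_value(BOOK, base):.2f}")
    for name, shock in (("+200bp parallel", parallel(0.02)),
                        ("-200bp parallel", parallel(-0.02)),
                        ("steepener 0/+200bp", tilt(0.0, 0.02))):
        est = ev_change_duration(BOOK, base, shock)
        exact = ev_change_exact(BOOK, base, shock)
        # The difference between the two is the convexity the linear estimate misses.
        print(f"{name:>20}: duration estimate {est:8.2f}  full revaluation {exact:8.2f}")
```

For the +200bp shock the duration estimate overstates the loss relative to full revaluation by a few units (the convexity of the long fixed-rate loans), which is the sense in which 5.6.13 calls the duration approach a rough approximation; the -200bp shock shows the same effect in the other direction.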
5.6.17 These simulations should entail straightforward shifts or tilts of the yield curve and changes in the spreads between different interest rates. When the resulting cash flows are simulated over the entire expected lives of the bank’s holdings and discounted back to their present values, an estimate of the change in the bank’s economic value should be calculated.

Dynamic simulation

5.6.18 Dynamic simulation builds in more detailed assumptions about the future course of interest rates and the expected changes in a bank’s business activity over that time. These more sophisticated techniques allow for the dynamic interaction of payment streams and interest rates, and better capture the effect of embedded or explicit options.

5.6.19 The usefulness of simulation-based interest rate risk measurement techniques depends on the validity of the underlying assumptions and the accuracy of the basic methodology. The output of sophisticated simulations should be assessed largely in the light of the validity of the simulation’s assumptions about future interest rates and the behaviour of the bank and its customers.

Expected Shortfall (ES)

5.6.20 Expected Shortfall is a risk measure that is sensitive to the shape of the tail of the distribution of returns on a portfolio. It is calculated by averaging all the returns in the distribution that are worse than the value-at-risk (VaR) of the portfolio at a given confidence level.

5.6.21 Regulated institutions should design measurement methodologies that:
a) evaluate all significant interest rate risk arising from the full range of a bank’s assets, liabilities and off-balance sheet positions, both trading and non-trading;
b) utilise generally accepted financial concepts, models and risk measurement techniques;
c) have accurate and timely data (in relation to rates, maturities, repricing, embedded options and other details) on current positions;
d) have well-documented assumptions and parameters on which they are based. Any manual adjustments to underlying data and assumptions should be clearly documented, and the nature of and reasons for the adjustments should be understood;
e) cover all significant sources of interest rate risk. Regulated institutions should pay special attention to the largest concentrations and positions, as well as to instruments which might have a material effect on a bank’s overall position; and
f) assess exposures in different currencies.

5.6.22 Senior management should have an integrated view of interest rate risk across products and business lines, which ensures that all positions and cash flows, whether stemming from on- or off-balance sheet positions, are incorporated into the measurement system on a timely basis.

5.6.23 Assumptions used in assessing the interest rate sensitivity of complex instruments and of instruments with uncertain maturities should be subject to thorough documentation and review.
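An added illustration of the Expected Shortfall definition in 5.6.20, not part of the standard. The two daily P&L samples are constructed so that they share the same value-at-risk but differ in the tail, which is what 5.6.20 means by ES being sensitive to the tail shape. The historical-simulation convention of taking the k worst observations is an assumption of the example, and the normal-distribution figures are included only to show what a thin-tailed model would report for the same data.

```python
"""Expected Shortfall (ES) versus value-at-risk (VaR) on a P&L sample.
Added worked example; both samples below are constructed, not real data.

Convention (assumption of this example, historical simulation): losses are
positive numbers; for confidence c and n observations the tail is the
k = ceil(n * (1 - c)) largest losses, VaR is the smallest loss in that tail
and ES is the tail average, the discrete form of 'the average of outcomes
worse than VaR' in 5.6.20.
"""
import math
import statistics

# Twenty constructed daily P&L figures.  SAMPLE_B is SAMPLE_A with its single
# worst day made four times as bad, leaving the rest of the distribution alone.
SAMPLE_A = (3, 5, -2, 4, 1, -6, 2, 7, -1, 3, -4, 6, 0, 2, -8, 5, 1, -3, 4, -10)
SAMPLE_B = SAMPLE_A[:-1] + (-40,)


def historical_var_es(pnl, confidence):
    """Return (VaR, ES) as positive loss amounts at the given confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    losses = sorted((-x for x in pnl), reverse=True)
    # round() guards against 20 * 0.05 evaluating to 1.0000000000000009
    k = max(1, math.ceil(round(len(losses) * (1.0 - confidence), 9)))
    tail = losses[:k]
    return tail[-1], sum(tail) / len(tail)


def normal_var_es(pnl, confidence):
    """What a zero-mean normal model fitted to the same sample would report:
    VaR = sigma * z_c, ES = sigma * phi(z_c) / (1 - c).  Used here only to
    show how a thin-tailed model understates a fat tail."""
    sigma = statistics.pstdev(pnl)
    standard = statistics.NormalDist()
    z = standard.inv_cdf(confidence)
    return sigma * z, sigma * standard.pdf(z) / (1.0 - confidence)


def es_limit_check(pnl, confidence, es_limit):
    """Limit test of the kind 5.6.33(b) calls for: True if ES is within limit."""
    return historical_var_es(pnl, confidence)[1] <= es_limit


if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        var, es = historical_var_es(sample, 0.90)
        nvar, nes = normal_var_es(sample, 0.90)
        print(f"sample {name}: historical VaR {var:.1f}, ES {es:.1f}; "
              f"normal-model VaR {nvar:.1f}, ES {nes:.1f}")
    # Both samples have the same 90% VaR (8); ES rises from 9 to 24 when the
    # single worst day deteriorates, which VaR alone does not register.
```

The point to take from the output is that VaR is a quantile and is blind to anything beyond it: making the worst day four times worse leaves the 90% VaR at 8 in both samples, while ES moves from 9 to 24. A limit framework that uses only VaR (or only a normal-model ES fitted to the sample standard deviation) would not pick up that change.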
5.6.24 Regulated institutions with multi-currency exposures should include in their risk measurement process techniques to aggregate their exposures in different currencies, using assumptions about the correlation between interest rates in different currencies. A regulated institution should periodically review the stability and accuracy of the correlation assumptions and evaluate what its potential risk exposure would be in the event that such correlations break down.

Monitoring

5.6.25 Regulated institutions should establish and enforce operating limits that maintain exposures within levels consistent with their internal policies and that are in accordance with their approach to measuring interest rate risk.

5.6.26 The limit system should enable management to control interest rate risk exposures, initiate discussion about opportunities and risks, and monitor actual risk-taking against predetermined risk tolerances.

5.6.27 Policy limits should be tailored to the institution’s size, complexity, capital adequacy and risk management capabilities. The limits should align with the institution’s risk profile and may be associated with specific interest rate or term structure changes and currency fluctuations. The limits should take account of historical interest rate volatility and of the time management needs to mitigate risk exposures, reflecting the institution’s expectations and historical utilisation levels.

5.6.28 An institution’s activities and business model may call for sub-limits for individual business units, portfolios or instruments. The granularity of risk limits should reflect the institution’s holdings, including IRRBB (interest rate risk in the banking book) exposures. Institutions with significant gap or basis risk should establish appropriate risk tolerances.

5.6.29 Senior management should approve major hedging or risk-taking initiatives in advance, develop risk limits and triggers for derivatives hedging, and control mark-to-market risks in instruments. Proposals for new instrument types or strategies should be assessed for alignment with the institution’s risk appetite, and procedures should be established for identifying, measuring, monitoring and controlling their risks.

5.6.30 Limits can be absolute or can define a short-term tolerance under specific circumstances. Systems should be in place to escalate positions that exceed the hard limits defined by senior management. A clear policy should be in place for communication, exception handling and the response to exceptions.

5.6.31 Banks should have an accurate, informative and timely information system. Regular reporting of risk measures, comparing current exposures with policy limits and comparing past forecasts with actual results, can identify shortcomings in risk measurement techniques.

5.6.32 Aggregate interest rate risk limits should be approved by the board of directors and reviewed at least once a year.
These limits should be appropriate to the size, complexity and capitalisation of the bank, as well as to its ability to measure and manage its risk.

5.6.33 At a minimum, regulated institutions should have limits in the following categories:
a) change in net portfolio value;
b) Expected Shortfall (ES);
c) factor sensitivity;
d) interest rate sensitivity gap;
e) impact on earnings; and
f) impact on capital.

5.6.34 Interest rate risk limits should be linked to specific scenarios of movements in market interest rates. The specified scenarios should take account of the full range of possible sources of interest rate risk to the bank.

Stress Testing

5.6.35 A regulated institution’s risk measurement system should support a meaningful evaluation of the effect of stressful market conditions on the institution. The stress testing framework should be tailored to the institution’s nature, size, complexity, business activities and risk profile. It should include clear objectives, scenarios, well-documented assumptions and sound methodologies. The framework should assess the potential financial impact and the management actions to be taken on the basis of the stress test results. Interest rate stress tests should also aid risk communication within the institution and externally.

5.6.36 Stress scenarios to be used for interest rate risk should include:
a) historical scenarios in which sharp changes in interest rates were experienced;
b) hypothetical changes in the general level of interest rates;
c) changes in the relationships between key market rates (i.e. basis risk), e.g. a surge in term and savings deposit rates and the interbank rate with no change in the prime lending rate, or a drop in the prime lending rate with no change in term and savings deposit rates or the interbank rate;
d) changes in interest rates in individual time bands to different relative levels (i.e. yield curve risk);
e) changes in the liquidity of key financial markets or in the volatility of market rates;
f) the impact of an acquisition by the institution, and of external factors such as a changing competitive, legal or tax environment, that can lead to changes in the regulated institution’s portfolio composition;
g) new products without historical data;
h) new information;
i) new and emerging risks that are not adequately covered by historical scenarios; and
j) changes in the key business assumptions and parameters used for illiquid instruments and instruments with uncertain contractual maturities.

5.6.37 Institutions should conduct reverse stress tests to identify the interest rate scenarios that could harm their capital and earnings, as well as vulnerabilities arising from their customers’ behaviour.

5.7 Reporting

5.7.1 Reporting of interest rate risk measures to the board and senior management should be regular and should compare current exposure with policy limits. Reporting should include the results of periodic model reviews and audits, as well as comparisons of past forecasts or risk estimates with actual results, so that potential modelling shortcomings are identified on a regular basis. Portfolios that may be subject to significant mark-to-market movements should be clearly identified within the bank’s MIS and subject to oversight in line with any other portfolios exposed to market risk.
5.7.2 While the types of reports prepared for the board and senior management will vary with the bank’s portfolio composition, they should at a minimum include the following:
a) summaries of the bank’s aggregate interest rate risk exposures, with explanatory text that highlights the assets, liabilities, cash flows and strategies that are driving the level and direction of interest rate risk;
b) the bank’s compliance with policies and limits;
c) key modelling assumptions, such as non-maturity deposit characteristics, prepayments and currency aggregation;
d) results of stress tests, including an assessment of sensitivity to key assumptions and parameters;
e) the adequacy of internal controls; and
f) summaries of the reviews of interest rate risk policies, procedures and the adequacy of the measurement systems, including any findings of internal and external auditors.

5.8 Internal Controls

5.8.1 Regulated institutions should have adequate internal controls to ensure the integrity of their interest rate risk management process. The internal controls should promote effective and efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations and bank policies.

5.8.2 Banks should have their interest rate risk identification, measurement, monitoring and control processes reviewed on a regular basis by an independent auditing function (such as an internal or external auditor). The reports written by internal or external auditors or other equivalent external parties (such as consultants) should be made available to the relevant supervisory authorities.

5.8.3 An effective system of internal controls for interest rate risk should include:
a) a strong control environment;
b) an adequate process for identifying and evaluating risk;
c) the establishment of control activities such as policies, procedures and methodologies;
d) adequate management information systems; and
e) continual review of adherence to established policies and procedures.
5.8.4 A bank’s internal control systems must meet the following criteria:
a) all material interest rate risk associated with the bank’s assets, liabilities and off-balance sheet positions in the regulated book must be assessed;
b) they must accurately incorporate all of the bank’s interest rate-sensitive on- and off-balance sheet holdings;
c) they must utilise generally accepted financial concepts and risk measurement techniques;
d) they must be capable of measuring risk using both an earnings and an economic value approach;
e) data inputs should be adequately specified with regard to rates, maturities, repricing, embedded options and other details;
f) assumptions used to transform positions into cash flows should be reasonable, properly documented and stable over time;
g) material changes to assumptions must be documented, justified and approved by management; and
h) the systems must be integrated into the bank’s daily risk management practices.

6. FOREIGN EXCHANGE RISK

6.1 Introduction

6.1.1 Foreign exchange risk is the potential adverse impact on earnings and economic value due to currency rate movements. This includes settlement risk, which arises when a regulated institution incurs a financial loss on foreign exchange positions taken in both the trading and regulated books.

6.1.2 Foreign exchange positions arise from the following activities:
a) trading in foreign currencies through spot, forward and option transactions as a market maker or position taker, including the unhedged positions arising from customer-driven foreign exchange transactions;
b) holding foreign currency positions in the regulated book (e.g. in the form of loans, bonds, deposits or cross-border investments); or
c) engaging in derivative transactions (e.g. structured notes, synthetic investments and structured deposits) that are denominated in foreign currency for trading or hedging purposes.

6.1.3 The various types of foreign exchange risk include:
a) exchange rate risk, which is the risk of loss as a result of adverse movements in the exchange rate;
b) interest rate risk, which arises from maturity mismatches on foreign currency positions;
c) credit risk, which is due to counterparty default on foreign exchange loans or contracts; and
d) sovereign risk, which arises from country risk or political risk.

6.2 Risk Management Process

6.2.1 Sound foreign exchange risk management involves four basic elements in the management of on- and off-balance sheet assets and liabilities:
a) appropriate board and senior management oversight;
b) adequate risk management policies and procedures;
c) appropriate risk measurement, monitoring and control functions; and
d) comprehensive internal controls and independent audits.
6.3 Board and Senior Management Oversight

6.3.1 The board of directors and senior management have ultimate responsibility for understanding the nature and level of foreign exchange risk taken by the regulated institution and for its management.

6.3.2 Board oversight may be delegated to an appropriate subcommittee, such as the Asset and Liability Committee (ALCO) or the Risk Management Committee.

6.3.3 The responsibilities of the board and senior management include:
a) setting the foreign exchange risk management strategy and tolerance levels;
b) ensuring that effective risk management systems and internal controls are in place;
c) monitoring significant foreign exchange exposures;
d) ensuring that foreign exchange operations within the regulated institution comply with foreign exchange control regulations;
e) ensuring that foreign exchange operations are supported by adequate management information systems which complement the risk management strategy; and
f) reviewing policies, procedures and currency limits regularly in line with changes in the economic environment.

6.4 Policies and Procedures

6.4.1 Regulated institutions should have written policies and procedures for identifying, measuring and controlling foreign exchange rate risk. The policies and procedures should be consistent with the institution’s strategies, financial condition and risk tolerance levels.

6.4.2 The policies and procedures should be supplemented by ethical standards, and by observance of those standards by employees engaged in foreign exchange trading.

6.4.3 Policies and procedures should identify the foreign exchange risks inherent in services and activities, to ensure that their risk characteristics are understood and can be incorporated into the risk management process.

6.4.4 These policies and procedures should:
a) define lines of responsibility and identify the individuals or committees responsible for developing foreign exchange risk management strategies, making foreign exchange risk management decisions and conducting oversight;
b) identify authorised types of financial instruments and hedging strategies;
c) describe a set of strategies for controlling the institution’s aggregate foreign exchange rate risk exposure;
d) define quantitative limits on the acceptable level of foreign exchange risk for the institution, including individual currency limits, individual counterparty limits, dealer limits, concentration limits and stop-loss limits; and
e) define procedures and conditions for dealing with exceptions to policies, limits and authorisations.

6.5 Risk Identification, Measurement and Control

Risk identification

6.5.1 Foreign exchange risk exposures fall into structural and trading categories. Structural exposures typically arise from structural imbalances between assets and liabilities and do not normally change rapidly.
Structural exposures may arise from equity investment in overseas subsidiaries and related companies, as well as from the booking of unremitted profits or the remittance of profits from overseas branches. Exposures other than structural exposures are generally regarded as trading exposures. These may arise from business needs, from customer transactions that cannot be covered immediately, or because a view is taken on currency movements. Foreign exchange risk can be split into:
a) translation exposure, which arises from accounting-based changes in consolidated financial statements caused by changes in exchange rates;
b) transaction exposure, which occurs when exchange rates change between the time an obligation is incurred and the time it is settled, thus affecting actual cash flows; and
c) economic exposure, which reflects the change in the present value of the firm’s expected future cash flows as a result of an unexpected change in exchange rates.

Risk Measurement

6.5.2 Regulated institutions should have measurement systems that take into account all the sources of foreign exchange risk. The systems should evaluate the effect of foreign exchange rate changes on the profitability and economic value of the institution.

6.5.3 The measurement systems should:
a) evaluate all foreign exchange risks by maturity, on both a gross and a net basis, arising from the full range of the bank’s assets, liabilities and off-balance sheet positions;
b) employ accepted financial models or methods for measuring the risk of foreign exchange options;
c) be able to calculate comprehensive risk factor sensitivities in order to capture the non-linear nature of the price risk of foreign exchange positions;
d) have accurate and timely data;
e) incorporate daily mark-to-market of trading positions; and
f) enable banks to monitor their foreign exchange settlement risk in real time, in order to ensure that settlement limits will not be exceeded.

Risk Limits

6.5.4 A comprehensive framework of limits to control foreign exchange risk exposures should be established for the different levels of reporting.

6.5.5 At a minimum, regulated institutions should have the following limits for foreign exchange operations:
a) open position limits for individual currencies to which the regulated institution has material exposures, both intraday and overnight (where limits are assigned to a group of currencies, the risk measures should be aggregated on a gross basis), and open position limits on the aggregate of all currencies, both intraday and overnight;
b) open position limits for each centre in which the regulated institution operates;
c) stop-loss and/or management-action-trigger limits; and
d) limits for the settlement risk of all counterparties.

Stress Tests

6.5.6 Regulated institutions should conduct stress tests on their foreign currency positions.
The stress tests for exchange rate risk assess the impact of changes in exchange rates on the profitability and economic value of the regulated institution’s equity.

6.5.7 The effects of significant exchange rate movements in individual currencies, including sharp reductions in liquidity, should be considered when setting stress scenarios.

6.5.8 Stress testing results should be incorporated in the review of business strategies, policies and limits on foreign exchange risk.

6.5.9 The assumptions used in the stress testing model should be clearly documented and reviewed from time to time to reflect changes in the operating environment.

Risk Monitoring and Control

6.5.10 Foreign exchange risk monitoring processes should be established to evaluate the performance of the regulated institution’s risk strategies, policies and procedures in achieving its overall goals.

6.5.11 The monitoring function should be independent of the units taking risk and should report directly to senior management or the board.

6.5.12 The risk review function should be performed in relation to day-to-day activities. Being a highly specialised function, it should be staffed with people who have the relevant expertise and knowledge. Reports should be prepared for the information of senior management as well as the bank’s ALCO.

6.5.13 A reconciliation of traders’ positions should be conducted regularly to ensure that these are within assigned limits. Internal reports comparing actual positions against internal limits should be routinely prepared for management.

6.5.14 A regulated institution should review and validate each step of the foreign exchange risk measurement process. The review should be performed by internal audit. At a minimum, the audit should consider:
a) the appropriateness of the bank’s risk measurement system given the nature, scope and complexity of the bank’s activities;
b) the accuracy and integrity of the data used in the risk models;
c) the reasonableness of scenarios and assumptions; and
d) the validity of the risk measurement calculations.

6.6 Risk Reporting

6.6.1 The types of reports vary depending on the overall foreign exchange risk profile of the regulated institution. At a minimum, the reports should contain:
a) individual and aggregate foreign exchange risk exposures;
b) information on adherence to policies and limits; and
c) findings of risk reviews on foreign exchange risk policies and procedures, including any findings of internal or external auditors.

7. OPERATIONAL RISK

7.1 Introduction

7.1.1 Operational risk is defined as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.

7.1.2 Operational risk is inherent in all regulated products, activities, processes and systems; hence the effective management of operational risk is a fundamental element of every regulated institution’s risk management strategy. Sound operational risk management is a reflection of the effectiveness of the board of directors and senior management in administering their portfolio of products, activities, processes and systems.

7.1.3 Although operational risk management and operational resilience address different goals, they are closely interconnected. An effective operational risk management system and a robust level of operational resilience work together to reduce the frequency and the impact of operational risk events.

7.1.4 Developments such as the globalisation of financial markets, the increasing prevalence of outsourcing and the digitalisation of financial services, the growth of e-commerce, and mergers and acquisitions are making the activities of regulated institutions more diverse and complex, leading to higher levels of operational risk.

7.2 Operational Resilience

7.2.1 Operational resilience refers to the ability of regulated institutions to anticipate, respond to, recover from and learn from operational disruptions. Operational resilience ensures that critical operations continue even when faced with unexpected disruptions, maintaining customer protection, shareholder confidence and regulatory compliance. Operational disruptions (including those due to pandemics, cyber incidents, technology failures and natural disasters) can affect the viability of individual regulated institutions and in turn lead to financial instability.
Enhancing operational resilience therefore reinforces the ability of banks to withstand, adapt to and recover from potential hazards, and thereby mitigates potentially severe adverse impacts. This provides additional safeguards to the financial system.

7.2.2 An operationally resilient regulated institution meets the following requirements:
a) it can identify and mitigate risks that may threaten the delivery of critical operations [4];
b) it continues to deliver critical operations when disruptions occur, including under severe but plausible scenarios;
c) it resumes normal operations in a timely manner after disruptions occur; and
d) it absorbs learnings from disruptions or near misses to continually improve its ability to prevent, adapt to and recover from risks and disruptions to critical operations delivery.

7.2.3 A regulated institution should develop an operational resilience framework which enables it to satisfy the requirements detailed above.

[4] “Critical operations” are defined by the Financial Stability Board (2013) as activities performed for third parties where failure would lead to the disruption of services that are vital for the functioning of the real economy and for financial stability, due to the banking group’s size or market share, external and internal interconnectedness, complexity and cross-border activities. Examples include payments, custody, certain lending and deposit-taking activities in the commercial or retail sector, clearing and settling, limited segments of wholesale markets, market making in certain securities, and highly concentrated specialist lending sectors.

7.2.4 Regulated institutions should develop effective recovery plans that enhance their operational resilience. The recovery plan should include the banking institution’s recovery options for responding to a range of stress scenarios. These recovery options should help the banking institution to restore itself to a stable and sustainable condition. Each aspect of the plan should be underpinned by detailed analysis, as required by Prudential Standard No. 1-2018/BSD, Guidance on Recovery Planning.

7.2.5 The board and senior management are expected to participate actively in establishing, implementing and overseeing the operational resilience framework. A regulated institution should determine the most appropriate approach to developing its operational resilience framework, considering its circumstances.

7.2.6 At a minimum, a regulated institution should include the following components in its operational resilience framework:
a) a methodology for determining the operational resilience parameters, namely critical operations, tolerance for disruption and severe but plausible scenarios;
b) mapping exercises which enable the regulated institution to develop a detailed understanding of the interconnections and interdependencies that underlie the delivery of critical operations and, in turn, to identify what risks or events may affect or disrupt that delivery;
c) risk management policies and frameworks that help the regulated institution prepare for and manage the various risks to critical operations delivery in an integrated and holistic way;
d) scenario testing which enables the regulated institution to assess regularly whether it is able to continue delivering critical operations through disruption, including under severe but plausible scenarios; and
e) an incident management programme which allows the regulated institution to respond effectively to and manage disruptions to critical operations delivery.
7.2.7 Artificial Intelligence (AI) is a critical component of operational resilience management and presents both transformative opportunities and unique risks for the banking sector. In this regard, banking institutions should proactively manage potential risks, including algorithmic biases, data privacy concerns, and cybersecurity threats.

7.2.8 Effective risk management requires robust governance frameworks to ensure AI systems are transparent, ethical, and compliant with regulatory standards. Banks should also implement ongoing monitoring and testing of AI models to detect and mitigate risks promptly. By adequately addressing risk management, banking institutions can harness AI’s power to enhance decision-making, improve customer experiences, and maintain a competitive edge while safeguarding against adverse outcomes.

7.3 Operational Risk Management Framework

7.3.1 Every regulated institution is expected to develop an appropriate framework for managing operational risk, commensurate with the size and complexity of its operations.

7.3.2 The operational risk framework should incorporate cyber risk and ensure that:
a) the regulated institution proactively identifies, defends, detects, responds and is able to recover from external and inside cyber security threats, events, and incidents to maintain the confidentiality, integrity, and availability of its technology assets; and

b) current or emerging cyber threats are identified proactively using threat assessments to evaluate threats and assess security risk. This includes implementing information and cyber security threat and risk assessments, processes, and tools to cover controls at different layers of defence.

7.3.3 The operational risk management framework should consist of the following components:
a) board and senior management oversight;
b) operational risk management strategy, policies and procedures;
c) adequate management information systems; and
d) sound internal controls and reviews.

7.3.4 The operational risk management framework should be embedded across all levels of the organisation including group and business units as well as new business initiatives’ products, activities, processes, and systems. In addition, results of the bank’s operational risk assessment should be incorporated into the bank’s overall business strategy development process.

7.3.5 The operational risk management framework should be comprehensively and appropriately documented in board of directors approved policies and include definitions of operational risk and operational loss. Inadequate description and classification of operational risk and loss exposure may significantly reduce the effectiveness of a regulated institution’s operational risk management framework.

7.3.6 Banks commonly rely on three lines of defence:
a) business unit management;
b) an independent operational risk management function; and
c) independent assurance.

7.3.7 Depending on the bank’s nature, size and complexity, and the risk profile of a bank’s activities, the degree of formality of how these three lines of defence are implemented will vary.
7.3.8 Banks should ensure that each line of defence:
a) is adequately resourced in terms of budget, tools and staff;
b) has clearly defined roles and responsibilities;
c) is continuously and adequately trained;
d) promotes a sound risk management culture across the organisation; and
e) communicates with the other lines of defence to reinforce the Operational Risk Management Framework.

7.3.9 If in one business unit there are functions of both the first and second line of defence, the regulated institution should document and distinguish the responsibilities of such functions in the first and second line of defence, emphasising the independence of the second line of defence.

7.4 Board and Senior Management Oversight

Board of Directors

7.4.1 The ultimate responsibility for operational risk management rests with the board of directors.

7.4.2 The board of directors should approve and periodically review the operational risk management framework, and ensure that senior management implements the policies, processes, and systems of the operational risk management framework effectively at all decision levels.

7.4.3 The board of directors should establish a risk management culture and ensure that the bank has adequate processes for understanding the nature and scope of the operational risk inherent in the bank’s current and planned strategies and activities.

7.4.4 The board of directors should ensure that the operational risk management processes are subject to comprehensive and dynamic oversight and are fully integrated into, or coordinated with, the overall framework for managing all risks across the enterprise.

7.4.5 Banks with a strong culture of risk management and ethical business practices are less likely to experience damaging operational risk events and are better placed to effectively deal with those events that occur. The actions of the board of directors and senior management as well as the bank’s risk management policies, processes and systems provide the foundation for a sound risk management culture.

7.4.6 The board of directors should establish a code of conduct or an ethics policy to address conduct risk. This code or policy should be applicable to both staff and board members, set clear expectations for integrity and ethical values of the highest standard, identify acceptable business practices, and prohibit conflicts of interest or the inappropriate provision of financial services (whether wilful or negligent).

7.4.7 The code or policy should be regularly reviewed and approved by the board of directors. A separate code of conduct may be established for specific positions in the bank (e.g. treasury dealers, senior management).

7.4.8 The board of directors should approve and periodically review a risk appetite and tolerance statement for operational risk that articulates the nature, types, and levels of operational risk the bank is willing to assume.
7.4.9 To discharge this responsibility, the board or its delegated committee should:
a) understand the major aspects of the institution’s operational risk as a distinct category of risk that should be managed;
b) define the operational risk strategy and ensure that the strategy is aligned with the bank’s overall business objectives;
c) approve and periodically review a written bank-wide operational risk management framework;
d) approve the operational risk policies developed by senior management;
e) review periodic high-level reports on the institution’s overall operational risk profile, which identify material risks and strategic implications for the institution;
f) establish a management structure with clear lines of accountability and reporting. In addition, there must be segregated responsibilities and reporting lines between control functions and the revenue generating business lines;
g) ensure that senior management is taking necessary steps to implement appropriate policies, processes and procedures as approved by the board;
h) ensure that the operational risk management framework is subject to independent review by internal audit or other oversight functions; and
i) ensure compliance with regulatory disclosure requirements on operational risk.

Senior Management Responsibilities

7.4.10 Senior management should develop the operational risk management framework for approval by the board of directors and implement the board approved operational risk management policy.

7.4.11 Senior management should:
a) define the institution’s organisational structure and clearly assign authority, responsibility, and reporting relationships to encourage accountability. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes, and systems for managing operational risk in all of the bank’s activities consistent with the bank’s risk appetite and tolerance statement;
b) ensure that the regulated institution’s activities are conducted by qualified staff with the necessary experience and technical capabilities and that staff responsible for monitoring and enforcing the institution’s operational risk policy are independent from the business units they oversee;
c) ensure comprehensive identification and assessment of the operational risk inherent in all material products, activities, processes and systems;
d) set clear expectations and accountabilities to ensure staff understand their roles and responsibilities for risk management, as well as their authority to act;
e) ensure that an appropriate level of operational risk training is available at all levels throughout the organisation;
f) ensure that the bank’s operational risk management policy has been clearly communicated to staff at all levels;
g) ensure that compensation policies are aligned to the regulated institution’s statement of risk appetite and tolerance as well as overall safety and soundness, and appropriately balance risk and reward;
h) put in place clear reporting systems of operational risk failures and provide for their subsequent resolution. Appropriate reporting mechanisms should be in place at the board of directors, senior management, and business unit levels to support proactive management of operational risk; and
i) ensure that the operational risk management framework is subjected to independent reviews, which will provide assurance that the framework is adequate.
7.4.12 Sound operational risk governance recognises that business unit management are responsible for identifying and managing the risks inherent in the products, activities, processes, and systems for which they are accountable. Regulated institutions should have a policy that defines clear roles and responsibilities in relevant business units. The responsibilities of an effective first line of defence in promoting a sound operational risk management culture should include:
a) identifying and assessing the materiality of operational risks inherent in their respective business units through the use of operational risk management tools;
b) establishing appropriate controls to mitigate inherent operational risks, and assessing the design and effectiveness of these controls through the use of the operational risk management tools;
c) monitoring and reporting the business units’ operational risk profiles, and ensuring their adherence to the established operational risk appetite and tolerance statement; and
d) reporting residual operational risks not mitigated by controls, including operational loss events, control deficiencies, process inadequacies, and non-compliance with operational risk tolerances.

7.4.13 A functionally independent corporate operational risk framework is typically the second line of defence. The responsibilities of an effective second line of defence should include:
a) developing an independent view regarding business units’ (i) identified material operational risks, (ii) design and effectiveness of key controls, and (iii) risk tolerance;
b) challenging the relevance and consistency of the business unit’s implementation of the operational risk management tools, measurement activities and reporting systems, and providing evidence of this effective challenge;
c) developing and maintaining operational risk management and measurement policies, standards and guidelines;
d) reviewing and contributing to the monitoring and reporting of the operational risk profile; and
e) designing and providing operational risk training and instilling risk awareness.

7.4.14 The third line of defence provides independent assurance to the board of the appropriateness of the regulated institution’s operational risk management framework. This function should not be involved in the development, implementation, and operation of operational risk management processes by the other two lines of defence. The third line of defence reviews are generally conducted by the regulated institution’s internal and/or external audit but may also involve other suitably qualified independent third parties.
7.4.15 An effective independent review should:
a) review the design and implementation of the operational risk management systems and associated governance processes through the first and second lines of defence (including the independence of the second line of defence);
b) review validation processes to ensure they are independent and implemented in a manner consistent with established bank policies;
c) ensure that the quantification systems used by the bank are sufficiently robust as (i) they provide assurance of the integrity of inputs, assumptions, processes, and methodology and (ii) result in assessments of operational risk that credibly reflect the operational risk profile of the bank;
d) ensure that business units’ management promptly, accurately, and adequately responds to the issues raised, and regularly reports to the board of directors or its relevant committees on pending and closed issues; and
e) opine on the overall appropriateness and adequacy of the operational risk management framework and the associated governance processes across the bank. Beyond checking compliance with policies and procedures approved by the board of directors, the independent review should also assess whether the operational risk management framework meets organisational needs and expectations (such as respect of the corporate risk appetite and tolerance, and adjustment of the framework to changing operating circumstances) and complies with statutory and legislative provisions, contractual arrangements, internal rules, and ethical conduct.

7.5 Policies and Procedures

7.5.1 A regulated institution should have well-documented policies and procedures for managing operational risk. The policies should clearly set out the strategy, objectives, and the major elements of the operational risk management framework, including identifying, measuring, monitoring, and controlling operational risk.
7.5.2 The responsibility for defining the operational risk management strategy, and for ensuring that it is aligned with the overall business objectives, should rest with the board. In doing so, the board should provide clear guidance on the bank’s risk appetite or tolerance.

7.5.3 Operational risk management policies, processes, and procedures should be documented and communicated to staff at all levels.

7.5.4 The policies and procedures should outline all aspects of the institution’s operational risk management framework, including:
a) the organisational structure, which defines operational risk management roles, responsibilities and reporting lines of the board, committees, senior management, risk management function, business line management and other operational risk related functions;
b) a definition for operational risk, including the loss event types that will be monitored;
c) the capture and use of internal and external operational risk loss data, including large potential events (scenario analysis);
d) an outline of the reporting framework and types of data/information to be included in the risk management reports;
e) the development and incorporation of business environment and internal control factor assessments into the operational risk framework;
f) the internally derived analytical framework that quantifies the operational risk exposure of the institution;
g) qualitative factors and risk mitigants and how they are incorporated into the operational risk framework;
h) factors that affect the measurement of operational risk; and
i) provisions for the review and approval of significant policy and procedural exceptions.

7.5.5 The risk management policy should be supported by a set of principles that apply to specific components of operational risk, such as new customer approval, new product approval, new information technology systems approval, outsourcing, business continuity planning, crisis management, and anti-money laundering.
7.5.6 Operational Risk Management Framework documentation should clearly:
a) identify the governance structures used to manage operational risk, including reporting lines and accountabilities, and the mandates and membership of the operational risk governance committees;
b) reference the relevant operational risk management policies and procedures;
c) describe the tools for risk and control identification and assessment and the role and responsibilities of the three lines of defence in using them;
d) describe the bank’s accepted operational risk appetite and tolerance; the thresholds, material activity triggers or limits for inherent and residual risk; and the approved risk mitigation strategies and instruments;
e) describe the bank’s approach to ensure controls are designed, implemented, and operating effectively;
f) describe the bank’s approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
g) inventory risks and controls implemented by all business units (e.g. in a control library);
h) establish risk reporting and management information systems (MIS) producing timely and accurate data;
i) provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives across all business units. The taxonomy can distinguish operational risk exposures by event types, causes, materiality and business units where they occur; it can also flag those operational exposures that partially or entirely represent legal, conduct, model, and ICT (including cyber) risks as well as exposures in the credit or market risk boundary; provide for appropriate independent review and challenge of the outcomes of the risk management process; and
j) require the policies to be reviewed and revised as appropriate based on continued assessment of the quality of the control environment addressing internal and external environmental changes or whenever a material change in the operational risk profile of the bank occurs.

7.6 Operational Risk Management Process

Risk Identification and Assessment

7.6.1 Management should establish a process that identifies the nature and types of operational risk, its causes and impact on the regulated institution. Effective operational risk identification and assessment processes are vital for a bank to understand its risk profile and effectively focus risk management resources.

7.6.2 Risk identification should include both internal factors (such as the complexity of the bank’s structure, the nature of the bank’s activities, the quality of personnel, organisational changes, and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the bank’s objectives.

7.6.3 Banks should ensure that before new products, activities, processes, and systems are introduced or undertaken, the operational risk inherent in them is adequately assessed.

7.6.4 Every regulated institution should adopt techniques that provide meaningful information for assessing the bank’s exposure to operational risk and developing a policy to mitigate / control that risk.
A bank should use at least one of the following processes, among others, to identify and assess operational risk:
a) Self-Risk Assessment: Every business unit of a regulated institution should assess its operations and activities against a menu of potential operational risk vulnerabilities. The process should incorporate checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment.
b) Risk Mapping: Banks should have structures in place to map various business units, organisational functions or process flows by risk type in order to prioritize corrective actions.
c) Key Risk Indicators: Key risk indicators are early warning statistics and/or metrics, often financial, which may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions. A regulated institution must have key risk indicators to give an insight into its risk position. These indicators should be reviewed on a quarterly basis to alert management to changes that may be indicative of risk concerns.
d) Scorecards: A regulated institution must have techniques for:
i) translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures;
ii) allocating economic capital to business lines in relation to performance in managing and controlling various aspects of operational risk; and
iii) addressing factor inherent risks, as well as the controls to mitigate them.

e) Thresholds/limits: The bank’s operational risk framework must stipulate limits to be adhered to. Threshold levels in key risk indicators should be used to alert management on areas of potential problems when exceeded.

Measurement

7.6.5 A regulated institution should adopt a comprehensive operational risk analytical framework that provides an estimate of the institution’s operational risk exposure.

7.6.6 Management should document the assumptions underpinning the operational risk management framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements. Management should also document and justify any subsequent changes to these assumptions.

7.6.7 The institution’s operational risk analytical framework should use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis. The institution should combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The institution should choose the analytical framework that is most appropriate to its business model.

7.6.8 A bank’s operational risk analytical framework should clearly identify:
a) the different inputs that are combined and weighted to arrive at the overall operational risk exposure so that the analytical framework is transparent. The documentation should demonstrate that the analytical framework is comprehensive and internally consistent;
b) quantitative and qualitative assumptions embedded in the methodology and provide explanation for the choice of these assumptions;
c) results based purely on quantitative methods separately from results that incorporate qualitative factors. This will provide a transparent means of determining the relative importance of quantitative versus qualitative inputs;
d) a comparison of the operational risk exposure estimates generated by the analytical framework with actual loss experience over time, to assess the reasonableness of the framework’s outputs (back testing);
e) all changes to assumptions, and provide explanations for such changes; and
f) the results of an independent verification of the analytical framework.

Stress Testing

7.6.9 A regulated institution should conduct operational risk stress testing based on operational risk events which may be due to inadequate or failed internal processes, people and systems (including cyber events), or from external events, that may affect products and activities of the institution.

7.6.10 A regulated institution should use its capital adequacy ratio as the main metric. A regulated institution should consider the interactions of, and individual exposures to, idiosyncratic risk factors in determining its operational risk exposure. A regulated institution should analyse the possible interaction of operational risk losses with credit and market risks.

7.6.11 The analysis of the stress test events should involve expert judgement, to include at least low-frequency high-severity events.
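One way to implement the quarterly key risk indicator review with threshold alerts described in 7.6.4 c) and e), together with the back-testing step in 7.6.8 d), as an added example that is not part of this Standard or of any institution's framework. All loss events, business-unit names, amber/red threshold levels, exposure estimates and the 1.25 back-test tolerance are constructed assumptions.

```python
# Added example (not from the Prudential Standard): KRI monitor with threshold
# alerts (7.6.4 c, e) and a back-test of exposure estimates vs actual loss (7.6.8 d).
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class LossEvent:
    """One internal loss event, tagged by business unit and event type (7.5.6 i)."""
    occurred: date
    business_unit: str
    event_type: str    # e.g. execution_error, external_fraud, system_failure
    gross_loss: float  # constructed amount in a notional currency unit

@dataclass(frozen=True)
class Threshold:
    amber: float  # watch level: report to business-unit management
    red: float    # escalation level: report to senior management / risk committee

@dataclass(frozen=True)
class Breach:
    quarter: str
    business_unit: str
    kri: str
    value: float
    level: str  # "AMBER" or "RED"

@dataclass(frozen=True)
class BackTestResult:
    quarter: str
    business_unit: str
    estimated_loss: float
    actual_loss: float
    exception: bool  # actual loss exceeded the estimate by more than the tolerance

def quarter_of(d: date) -> str:
    """Map a date to its calendar quarter, e.g. 2024-05-19 -> '2024Q2'."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def compute_kris(events):
    """Aggregate events per (quarter, business unit) into three KRIs:
    event frequency, total gross loss and largest single loss."""
    losses = defaultdict(list)
    for ev in events:
        losses[(quarter_of(ev.occurred), ev.business_unit)].append(ev.gross_loss)
    return {key: {"event_count": float(len(vals)),
                  "total_loss": sum(vals),
                  "max_single_loss": max(vals)}
            for key, vals in losses.items()}

def evaluate_thresholds(kris, thresholds):
    """Return a Breach for every KRI above its amber or red level; a KRI with
    no configured threshold is skipped."""
    breaches = []
    for (quarter, unit), values in sorted(kris.items()):
        for kri, value in values.items():
            limit = thresholds.get(kri)
            if limit is None:
                continue
            if value > limit.red:
                breaches.append(Breach(quarter, unit, kri, value, "RED"))
            elif value > limit.amber:
                breaches.append(Breach(quarter, unit, kri, value, "AMBER"))
    return breaches

def back_test(kris, estimates, tolerance=1.25):
    """Compare the framework's estimated quarterly loss per unit with recorded
    loss. A period is an exception when actual > estimate * tolerance; repeated
    exceptions signal that the analytical framework underestimates exposure."""
    results = []
    for (quarter, unit), estimate in sorted(estimates.items()):
        actual = kris.get((quarter, unit), {}).get("total_loss", 0.0)
        results.append(BackTestResult(quarter, unit, estimate, actual,
                                      actual > estimate * tolerance))
    return results

# Constructed sample data: units, amounts, thresholds and estimates are hypothetical.
EVENTS = [
    LossEvent(date(2024, 1, 15), "treasury", "execution_error", 12_000.0),
    LossEvent(date(2024, 2, 3), "treasury", "execution_error", 8_500.0),
    LossEvent(date(2024, 3, 21), "treasury", "system_failure", 40_000.0),
    LossEvent(date(2024, 5, 5), "treasury", "execution_error", 2_000.0),
    LossEvent(date(2024, 2, 11), "retail", "external_fraud", 3_000.0),
    LossEvent(date(2024, 4, 2), "retail", "external_fraud", 5_000.0),
    LossEvent(date(2024, 5, 19), "retail", "external_fraud", 7_500.0),
    LossEvent(date(2024, 6, 30), "retail", "execution_error", 1_200.0),
]
THRESHOLDS = {"event_count": Threshold(2, 4), "total_loss": Threshold(10_000, 50_000),
              "max_single_loss": Threshold(5_000, 25_000)}
ESTIMATES = {("2024Q1", "treasury"): 30_000.0, ("2024Q1", "retail"): 5_000.0,
             ("2024Q2", "treasury"): 30_000.0, ("2024Q2", "retail"): 5_000.0}

if __name__ == "__main__":
    kris = compute_kris(EVENTS)
    for b in evaluate_thresholds(kris, THRESHOLDS):
        print(f"{b.quarter} {b.business_unit:9} {b.kri:16} {b.value:>9,.0f} {b.level}")
    for r in back_test(kris, ESTIMATES):
        print(f"{r.quarter} {r.business_unit:9} est {r.estimated_loss:>9,.0f} "
              f"actual {r.actual_loss:>9,.0f} {'EXCEPTION' if r.exception else 'ok'}")
```

With the constructed data, treasury's first quarter trips red on both loss KRIs and two of the four back-tested periods are exceptions, which is the kind of result that should send the estimate assumptions back for review under 7.6.8 e).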

Monitoring and Reporting

7.6.12 To facilitate monitoring of operational risk, results from the measurement system should be summarized in reports that can be used by the bank-wide operational risk and functional business lines to understand, manage, and control operational risk and losses. These reports should serve as a basis for assessing operational risk and related mitigation strategies and creating incentives to improve operational risk management throughout the institution.

7.6.13 The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. The internal control system should be integrated into the bank’s operations. The results of these monitoring activities should be included in management and board reports, as should compliance reviews performed by the internal audit and/or risk management functions.

7.6.14 Senior management should receive regular reports from both business units and the internal audit function. These reports should:
a) contain internal financial, operational, and compliance data, as well as external market information about events and conditions that are relevant to decision making;
b) be distributed to appropriate levels of management and to areas of the bank which may be directly affected by the events and/or conditions;
c) outline trend analysis to assess and manage operational risk exposures at the business line level and bank-wide level;
d) fully reflect operational risk loss experience of the bank by business line, event type and/or problem areas; and
e) motivate timely corrective action on outstanding issues.

7.6.15 The results of monitoring activities, findings of compliance reviews performed by internal audit and/or the risk management function, management letters issued by external auditors, and reports generated by supervisory authorities should be included in regular reports to the board and senior management to support proactive management.
7.6.16 The board of directors should receive sufficient higher-level information to enable them to understand the bank’s overall risk profile and focus on the material and strategic implications of operational risk to the business.

7.6.17 To ensure the usefulness and reliability of the reports, management should regularly verify the timeliness, accuracy, and relevance of reporting systems and internal controls.

7.6.18 A regulated institution's public disclosures should enable stakeholders to assess its operational risk management, resilience, and operational risk exposure. Disclosure should be proportionate to the bank's size, risk profile, and complexity. A formal disclosure policy should be reviewed and approved by senior management and the board of directors.

Risk Control and Mitigation

7.6.19 Regulated institutions should have a strong control environment that utilises policies, processes, and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies, as well as a robust ICT risk management program in alignment with their operational risk management framework.

7.6.20 The board and senior management should establish policies, processes, and procedures to control and/or mitigate operational risks that the bank has identified. A bank should also have a system in place for ensuring compliance with a documented set of internal policies concerning the banks’ risk management system.

7.6.21 The risk management control infrastructure should keep pace with growth or changes in business activities (e.g., new products, operations in subsidiaries and entry into new markets).

7.6.22 A critical element to the control of operational risk is the existence of a sound internal control system. When properly designed and consistently enforced, a sound internal control system will help management safeguard the institution’s resources, produce reliable financial reports, and comply with laws and regulations. Sound internal controls will also reduce the possibility of significant human errors and irregularities in internal processes and systems, and will assist in their timely detection when they do occur.

7.6.23 A regulated institution should have an effective internal control system which ensures:
a) appropriate segregation of duties and that personnel are not assigned responsibilities which may create a conflict of interest;
b) close monitoring of adherence to assigned risk limits or thresholds and investigation of breaches;
c) maintaining safeguards for access to and use of bank assets and records;
d) staff has appropriate expertise and training;
e) identifying of business lines or products where returns appear to be significantly out of line with reasonable expectations; and
f) regular verification and reconciliation of transactions and accounts.

7.6.24 A bank should utilise risk mitigation tools to reduce the exposure to, or frequency and/or severity of significant operational risks with low probabilities and potentially very large financial impact, and uncontrolled risk events.
7.6.25 The bank should use risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Careful consideration should also be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk).

7.6.26 A regulated institution should have relevant policies and procedures to control/mitigate their exposures arising from the following operational risk drivers, among others:
a) new products and activities;
b) change of IT systems, facilities and equipment;
c) e-regulated services;
d) outsourcing arrangements;
e) money laundering;
f) suitability of customers; and
g) external documentation e.g. contracts and transaction statements.

Contingency and Business Continuity Plans

7.6.27 Regulated institutions should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

7.6.28 Continuity management should incorporate business impact analysis, recovery strategies, testing, training and awareness programmes, and communication and crisis management programmes. A regulated institution should identify critical business operations, key internal and external dependencies, and appropriate resilience levels. Plausible disruptive scenarios should be assessed for their financial, operational, and reputational impact, and the resulting risk assessment should be the foundation for recovery priorities and objectives. Continuity plans should establish contingency strategies, recovery and resumption procedures, and communication plans for informing management, employees, regulatory authorities, customers, suppliers, and, where appropriate, civil authorities.

7.6.29 A regulated institution should periodically review its continuity plans to ensure contingency strategies remain consistent with current operations, risks and threats, resiliency requirements, and recovery priorities. Training and awareness programmes should be implemented to ensure that staff can effectively execute contingency plans. Plans should be tested periodically to ensure that recovery and resumption objectives and timeframes can be met. Results of formal testing activity should be reported to management and the board.

Information Communication Technology and Cyber Risk Management

7.6.30 With heightened technological innovation and digitization, the complexity of information and communication technology (ICT) and security risks has increased considerably, and the frequency of ICT and security-related incidents (including cyber incidents) has risen. These developments, coupled with the interconnectedness of financial institutions, heighten potential significant adverse systemic impacts on the financial system. Regulated institutions should develop ICT and cyber risk security frameworks that are designed to secure, maintain confidentiality, integrity, and availability of the institution’s technology assets⁵.
7.6.31 Regulated institutions should have a sufficiently robust ICT governance structure and policies in place to facilitate effective oversight of the management of ICT risks.

7.6.32 Board and senior management should ensure that regulated institutions have adequate internal governance and internal control framework in place for their ICT and security risks, taking cognizance of the nature, scale and complexity of the business operations of the institution.

7.6.33 Senior management should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity.

7.6.34 Board and senior management should ensure availability of adequate and relevant skills and other resources to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and the implementation of the institution’s ICT strategy.

7.6.35 Regulated institutions should have a well-considered and documented strategy, reviewed and approved by the Board, in place to address cyber risk. Documented cybersecurity policies and procedures should be maintained, monitored and enforced to support effective implementation of the security risk management strategy. The policies and procedures should be regularly reviewed and updated to reflect changes in the internal ICT operating environment and the external security environment.

7.6.36 Cybersecurity roles and responsibilities should be clearly defined, documented and communicated to relevant staff.

⁵ A “Technology asset” is something tangible (e.g., hardware, infrastructure) or intangible (e.g., software, data, information) that needs protection and supports the provision of technology services.

7.6.37 Regulated institutions should also develop and implement security awareness training programmes to provide information on good ICT security practices, common threat types and the policies and procedures regarding the appropriate use of applications, systems and networks.

Risk Management Process

7.6.38 Regulated institutions should put in place requisite risk identification and management systems and processes to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution’s risk appetite.

7.6.39 The roles and responsibilities in managing ICT risks, including in emergency or crisis decision-making, should be clearly defined, documented and communicated to relevant staff, and a thorough inventory of ICT assets, classified by business criticality, should be established and maintained.

7.6.40 At a minimum, cyber risk management should address:
a) the identification of threats, vulnerabilities and risks and quantification of exposure specific to the institution;
b) the prevention and detection of security events and incidents, including reducing likelihood of occurrence and potential impact when it does;
c) security incident handling; and
d) recovery planning for stabilisation and continuity of operations in the immediate aftermath of a security incident.

7.6.41 For further specific guidance on management of cyber risk, refer to the Cyber Risk Management Guideline.

8. MODEL RISK

8.1 Increasing reliance by regulated institutions on modelling for decision-making, including risk management, capital adequacy calculations, loan pricing, asset valuation, and forecasting, makes model risk management a vital element of strategic business planning and value chain management.

8.2 Model usage is associated with specific risks and costs. These include the risk of error in the process and choice of inputs, as well as in the measurement and interpretation of outputs. Inappropriate application of models may also generate financial losses due to, inter alia, incorrect business decisions which may result in regulatory breaches or bank failure, as well as reputational damage to banks if outputs from models are not fully understood, or are incorrectly applied due to a lack of understanding of the model's potential limitations or implementation errors.

8.3 To mitigate these risks, banks should establish appropriate governance and risk management frameworks as prescribed in Prudential Standard No. 02-2023/BSD Model Risk Management. These include adequate oversight, policies, procedures, management information systems and internal controls.

8.4 Senior management is responsible for implementing the board-approved model risk management framework, ensuring high governance standards, active management of model risk, availability of skilled personnel, and adequate ICT infrastructure. Senior management should ensure that internal controls promote independence between model owners, users, and reviewers.

9. LEGAL RISK

9.1 Introduction

9.1.1 Legal risk is the risk that a regulated institution will conduct activities or carry out transactions in which it is inadequately covered or is left exposed to potential litigation.

9.1.2 The legal risk management framework should provide an outline of the important issues that directors and/or executive staff of a bank may need to consider in ensuring due diligence in the operation of the bank, as well as an overview of the liability exposure faced by banks against this risk.

9.1.3 As it is impossible to adequately address all aspects of the liabilities that may be faced by a bank and the steps which need to be taken to protect against such risks, the legal risk management framework should at a minimum provide a general overview of the considerations that the board and senior management should be aware of in order to effectively identify and manage legal risk.

9.2 Organisational Structure

9.2.1 Effective legal risk management requires a proper organizational structure and reporting lines that accord the legal function adequate powers to maximize coordination and the flow of legal information to all business units of the bank.

9.2.2 The legal function should be managed in an integrated manner with compliance to promote efficiency and effectiveness.

9.3 Policies and Procedures

9.3.1 The board should approve the policies and procedures for managing legal risk. In general, the policies and procedures should provide for the following, among other considerations:
a) a framework for dealing with legal matters of varying complexity;
b) maintenance of a central inventory of key documents such as contracts, licences, policy statements and others;
c) regular review and assessment of legal risk in the regulated institution's activities, including new products;
d) adequate documentation on all significant transactions, including security administration;
e) record maintenance in line with relevant statutory requirements; and
f) maintenance of confidentiality provisions.

10. COMPLIANCE RISK

10.1 Introduction

10.1.1 Compliance risk is defined as "the risk of legal or regulatory sanctions, financial loss, or loss to reputation an organisation may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct", Basel Committee on Regulated Institution Supervision (2005).

10.1.2 Non-compliance with the legal and regulatory framework exposes an institution to penalties, reputational damage, and the violation of contracts. It can also lead to diminished reputation, reduced business value, limited business opportunities, reduced expansion potential and an inability to enforce contracts.

10.1.3 Regulated institutions operating across borders must also ensure compliance with the applicable legal and regulatory requirements in the jurisdictions where they have established operations.

10.1.4 Compliance with internal policies is also an important element of compliance risk management. Compliance risk, therefore, goes beyond what is legally binding to embrace broader standards of integrity and ethical conduct.

10.2 Compliance Function

10.2.1 Regulated institutions should put in place a Charter that establishes an independent compliance function tasked with facilitating efforts to achieve compliance.

10.2.2 A regulated institution should organise its compliance function and set priorities for the management of its compliance risk in a way that is consistent with its own risk management strategy and structures. The function should be sufficiently resourced to cover the volume, pace, and complexity of applicable regulation and to be able to respond to the multifaceted nature of the regulatory landscape, and its responsibilities should be clearly specified.

10.2.3 In order to maintain the independence of compliance as an assurance function, the head of compliance should report directly to the board or a committee of the board, with an administrative reporting line to the managing director or the chief executive officer.

10.2.4 The independence of the head of compliance and any other staff having compliance responsibilities may be undermined if they are placed in a position where there is a real or potential conflict between their compliance responsibilities and their other responsibilities. Regulated institutions are therefore expected to ensure that such conflicts of interest are avoided.

10.2.5 Compliance risk should be included in the risk assessment methodology of the institution's internal audit function, covering the adequacy and effectiveness of the institution's compliance function. This principle implies that the compliance function and the internal audit function should be separate, to ensure that the activities of the compliance function are subject to independent review.

10.3 Board and Management Oversight

10.3.1 The board of directors is responsible for ensuring a regulated institution's compliance with all relevant laws, rules, and standards. As such, the board and senior management should allocate sufficient resources for compliance programmes covering legal and compliance issues associated with the regulated institution's operations. Management should establish a compliance function that is sufficiently independent from operations.

Board Oversight

10.3.2 Effective board oversight is the cornerstone of an effective compliance risk management process. The board should understand the nature and level of compliance risk to which the regulated institution is exposed and how its risk profile fits within the overall business strategy.

10.3.3 The board should be informed of the major aspects of the institution's compliance risk as a separate risk category that should be managed. The board is responsible for the following:
a) establishing a management structure capable of implementing the institution's compliance risk management process;
b) defining the compliance risk management system and ensuring that the system is aligned to the institution's overall business activities;
c) approving the compliance risk management policy that provides management with clear guidelines and procedures for managing compliance risk;
d) periodically reviewing the institution's compliance risk management framework to ensure continued guidance for the effective management of the institution's compliance risk;
e) reviewing the extent to which the regulated institution is managing its compliance risk, including ensuring that compliance issues are resolved effectively and expeditiously; and
f) ensuring that management takes the steps necessary to identify, measure, monitor, and control compliance risk.

Senior Management Oversight

10.3.4 Senior management is responsible for the effective management of a regulated institution's compliance risk.
Senior management should, with the assistance of the compliance function:
a) implement the compliance risk management system approved by the board;
b) identify and assess the main compliance risk issues facing the regulated institution and the plans to manage any shortfalls, as well as the need for any additional policies or procedures to deal with new compliance risks;
c) ensure that the regulated institution's compliance risk management framework has clear lines of authority, reporting and communication;
d) periodically report to the board of directors or a committee of the board on the bank's management of compliance risk;
e) report promptly to the board of directors or a committee of the board on any material compliance failures (e.g. failures that may attract a significant risk of legal or regulatory sanctions, material financial loss or loss to reputation);
f) ensure that there is sufficient depth and skill in staff resources to manage legal and compliance risk;
g) conduct ongoing compliance training that covers compliance requirements for all business lines, particularly when entering new markets or offering new products;
h) periodically conduct a compliance risk assessment reviewing the organisation's compliance risk management framework to ensure that it remains appropriate and sound; and
i) provide reasonable assurance, through the audit function, that all activities and all aspects of legal and compliance risk are covered by the regulated institution's risk management process.

10.4 Policies and Procedures

10.4.1 Compliance risk management policies and procedures should be clearly defined and consistent with the nature and complexity of a regulated institution's activities. The compliance policy should address the following issues in respect of the compliance function:
a) delineation of responsibilities, ultimately ensuring that the board and senior management are fully apprised of material compliance events;
b) its relationship with other risk management functions within the bank and with the internal audit function;
c) the objectives of compliance risk management;
d) procedures for identifying, assessing, monitoring, controlling, and managing compliance risks;
e) a clear statement of the institution's accepted tolerance for compliance risk exposure;
f) compliance risk management tools to analyse compliance risk and to manage the compliance process;
g) in cases where compliance responsibilities are carried out by staff in different departments, how these responsibilities are to be allocated among the departments;
h) the compliance function's right to obtain access to information necessary to carry out its responsibilities, and the corresponding duty of bank staff to co-operate in supplying this information;
i) the function's right to conduct investigations of possible breaches of the compliance policy;
j) the function's right to freely express and disclose its findings to senior management; and
k) the function's right of direct access to the board of directors or a committee of the board.

10.5 Identification, Measurement and Monitoring of Compliance Risk

10.5.1 An effective system for measuring and monitoring compliance risk is essential for adequately managing compliance risk.

10.5.2 In order to understand a regulated institution's compliance risk profile, it is necessary to identify the sources of compliance risk to which the institution is exposed and to assess its vulnerability to these risks.

10.5.3 Every regulated institution should identify and assess the compliance risk inherent in all existing and new rules, procedures, internal processes, activities, contracts, and court cases.

10.6 Management Information System

10.6.1 Technology can be used as a tool to enhance the process of developing performance indicators by aggregating or filtering data that may be indicative of potential compliance problems.

10.6.2 For effective monitoring of compliance risk, a robust management information system (MIS) should be in place to enable the identification and measurement of compliance risk in a timely manner and the generation of data and reports for regulatory reporting and board and management oversight.

10.6.3 The institution's management information systems should therefore be capable of capturing aspects of non-compliance. In this regard, a strong control culture is key. Compliance considerations should be incorporated into product and system development and modification processes, including changes made by external service providers or vendors.

10.6.4 The MIS should be consistent with the complexity and diversity of the institution's business operations.

10.7 Internal Controls

10.7.1 Regulated institutions should have proper internal control systems that integrate compliance risk management into the overall risk management process. The audit of compliance risk management should be incorporated into the annual plan of the internal audit function.

10.7.2 The internal audit function should, within its scope of operations, cover the following aspects of compliance risk management:
a) verifying that compliance risk management policies and procedures have been implemented effectively across the institution;
b) determining that senior management takes appropriate corrective actions when compliance failures are identified;
c) ensuring that the scope and frequency of the audit plan/programme is appropriate to the risk exposures;
d) monitoring compliance risk profiles on an on-going basis; and
e) analysing the timeliness and accuracy of compliance risk reports to senior management and the board of directors.

11. REPUTATIONAL RISK

11.1 Introduction

11.1.1 Reputational risk arises when a situation, occurrence, business practice or event has the potential to materially influence the public's and stakeholders' perceived trust and confidence in a regulated institution.

11.1.2 Reputational risk can emerge at all business levels and has the following key components:
a) Corporate reputation risk: which relates to an institution's performance, strategy execution and delivery. This is closely intertwined with management's reputation risk in its ability to create shareholder value and manage capital pricing.
b) Operational or business reputation risk: where an activity, action, or stance taken by an institution, any of its affiliates or its officers will impair its image with one or more of its stakeholders, resulting in loss of business and/or a disproportionate decrease in the value of the institution.

11.1.3 Reputational risk may arise from a variety of sources, such as fraud and non-compliance with statutory or regulatory requirements or industry standards.

11.1.4 Other sources of reputational risk include failure to safeguard non-public customer information through outsourcing relationships, a high volume of customer complaints, or public regulatory sanctions.

11.1.5 Reputational risks may also arise where occurrences in other categories of risk threaten an organisation's image and stakeholder regard. As such, the task of managing reputation risk represents a critical aspect of risk management.

11.2 Board and Management Oversight

11.2.1 The ultimate accountability for reputational risk management rests with the board, which should explicitly address reputational risk as a distinct and controllable risk to the institution's safety and soundness.

11.2.2 Management should fully understand all aspects of reputational risk and exhibit a clear commitment to compliance, and this commitment should be communicated throughout the institution.

Board Oversight

11.2.3 The board should put in place a reputational risk strategy and establish a management structure capable of implementing the strategy. On a periodic basis, the board should review the strategy in order to ensure that the institution is managing its reputational risks.

11.3 Policies and Procedures

11.3.1 Regulated institutions are required to have policies and procedures under which they will:
a) adopt sound risk management practices that include the practice of building reputational capital and earning the goodwill of key stakeholders;
b) manage reputational risk through a process of anticipation, risk analysis and planning, and then attempting to manage both internal and external expectations;
c) measure trends in the regulated institution's reputation as a precursor to remedial action; and
d) identify risk events as being either specific or systemic, as this will determine the course of corrective action.

11.3.2 Regulated institutions should have policies, processes, and procedures to control or mitigate material reputational risks. Authority and accountability for compliance should be clearly defined and enforced.

11.3.3 A regulated institution's privacy policies should fully consider legal and litigation concerns. Policies, procedures, and limits should cover matters including corporate governance practices, integrity, staff competence and corporate culture.

11.4 Reputational Risk Identification and Measurement

11.4.1 Risk identification is critical for the effective development of viable reputational risk measurement, monitoring, and control measures. Threats to reputation may manifest themselves through sustained media coverage, increased customer complaints, a rapid fall in share price, and loss of customer confidence caused by the effects of activism, discrimination in the workplace, unethical trading, marketing failures, or more traditional risks such as product/service failure.

11.4.2 Once the risks have been identified, they must be prioritised in order to help managers determine where to devote effort and resources.

Reputational Risk Measurement

11.4.3 Banks should establish and implement procedures to evaluate the likelihood of a reputational risk event affecting their liquidity and capital positions, using various techniques and tools to evaluate the potential impact of identified risks.

11.4.4 The techniques may include:
a) Control assessment: this can be used by regulated institutions to evaluate the likelihood of a reputational risk by analysing its root causes, existing controls, and their effectiveness;
b) Stakeholders' impact assessment: this tool evaluates stakeholder interest and influence in relation to a reputational event, determining their critical influence on the bank and predicting potential adverse reactions if these groups react negatively; and
c) Stress-testing: this tool aids in identifying potential threats to a bank's reputation that could lead to a crisis and adversely impact its business and reputation.

11.4.5 In situations in which there is inadequate data, regulated institutions may use information from the past experience of similar institutions to assess the likelihood and impact of reputational risk.

11.4.6 Regulated institutions that are part of a group can be exposed to reputational risk events that affect other members of the group. Regulated institutions should, therefore, develop contingency plans and procedures to deal with the potential reputational risk that may emanate from such relationships.

11.5 Risk Monitoring and Management Information System

11.5.1 Every regulated institution must examine reputational risk for its likelihood and impact and assess the organization's ability to avoid the risk or respond to it if it occurs.

11.5.2 Once key risks have been mapped, the regulated institution should establish procedures to monitor early warning signals of risks occurring or increasing.

11.5.3 The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. The results of these monitoring activities should be included in management and board reports.

11.5.4 Every regulated institution must put in place a system to ensure that deficiencies are identified and meaningful corrective action is implemented.

11.6 Internal Controls

11.6.1 A regulated institution's audit and risk management committees should be responsible for reviewing the adequacy and effectiveness of internal control systems relating to reputation risk and the means through which exposures related to reputation risk are managed.

12. MONEY LAUNDERING, TERRORISM FINANCING AND PROLIFERATION FINANCING RISK

12.1 Money laundering, terrorism financing and proliferation financing (ML/TF/PF) risk is recognised as a significant component of the regulated sector risk universe, which should be effectively managed on an on-going basis to ensure the safety and soundness of the regulated sector.

12.2 A risk-based approach to the management of ML/TF/PF risk is applied, guided by the Money Laundering and Proceeds of Crime Act [Chapter 9:24], international standards, and recommendations.

12.3 Regulated institutions are required to comply with relevant statutes, regulations, and standards on AML/CFT/PF risk management, and in particular the Guidance to Financial Institutions and Designated Non-Financial Businesses and Professions on the Risk Based Approach to Implementation of Anti-Money Laundering and Combating Financing of Terrorism Obligations, January 2021, and other subsequent guidance.

13. CLIMATE RISK AND ENVIRONMENTAL RELATED RISKS

13.1 Climate change and environmental related risks have increasingly become topical, as they have the potential to pose significant financial and operational risks through macro- and micro-financial transmission channels.

13.2 Regulated institutions are, therefore, required to:
a) understand the nature of climate and environmental related risks, as well as the macroeconomic and microeconomic transmission channels through which financial and operational risks are propagated;
b) identify and quantify these risks within their overall process of ensuring capital adequacy. In their credit risk management, institutions are expected to consider climate-related and environmental risks at all stages of the credit-granting process and to monitor the risks in their portfolios;
c) integrate climate and environmental-related financial risks into internal control frameworks for effective identification, measurement, and mitigation, with clear responsibilities and reporting lines across the three lines of defence;
d) regularly assess climate and environmental-related financial risks, setting materiality thresholds and recognising all material risks with an integrated firm-wide perspective;
e) conduct stress tests to evaluate the resilience of business models to climate and environmental-related risks;
f) put in place robust internal reporting systems to monitor and manage climate and environmental-related financial risks, ensuring effective decision-making and data governance across the organization; and
g) develop climate and environmental-related disclosures aligned with risk management approaches, ensuring transparency and meaningful disclosure in published financial statements.

13.3 For the purposes of internal reporting, institutions should report aggregated risk data that reflect their exposures to climate-related and environmental risks, with a view to enabling the board and management and relevant sub-committees to make informed decisions. Climate-related and environmental risks are then incorporated as drivers of established risk categories into existing risk management frameworks, with a view to managing and monitoring these over a sufficiently long-term horizon.

13.4 Regulated institutions are expected to consider how climate and environmental-related events could have an adverse impact on business continuity, and the extent to which the nature of institutions' activities could amplify financial, operational, reputational and/or liability risks. Institutions should monitor, on an ongoing basis, the effect of climate-related and environmental factors on current market risk positions and future investments, as well as develop stress-testing scenarios that incorporate climate-related and environmental risks.

13.5 Institutions with material climate-related and environmental risks are expected to evaluate the appropriateness of their stress testing with a view to incorporating these risks into baseline and adverse scenarios. Climate-related and environmental risks should also be assessed as to whether they could cause net cash outflows or depletion of liquidity buffers and, if so, these factors should be incorporated into liquidity risk management and liquidity buffer calibration.

13.6 With regard to climate related risks, regulated institutions should comply with the provisions of Guideline No. 01-2023/BSD: Climate Risk Management in their management of climate related risks.

14. STRATEGIC RISK

14.1 Introduction

14.1.1 Strategic risk refers to the current and/or prospective impact on a bank's earnings, capital or business viability arising from adverse business decisions and the implementation of strategies which are inconsistent with internal factors and the external environment.

14.1.2 Strategic risk management acts as a tool for planning systematically about the future and facilitates the identification of opportunities and threats in light of an institution's strengths and weaknesses. It enables the mitigation of risks and protects the stability of a bank through effective utilization of capital, and can be used to turn strategic threats into growth opportunities.

14.1.3 In order to effectively manage strategic risk, the board of directors and senior management should appropriately align corporate goals and objectives, internal resources and capabilities, and business strategies in the context of developments in the operating environment. At a minimum, every regulated institution should have strategic plans which are supported by appropriate organisational and functional structures, skilled and experienced personnel, an adequate budget, management information systems, as well as risk monitoring and controlling systems.

14.1.4 Strategic risk has been amplified in the context of a dynamic operating environment that is constantly shifting on the back of emerging and amplified risks driven by, inter alia, the FINTECH revolution, climate change, as well as pandemics that may arise from time to time. The development and enhancement of dynamic capabilities by regulated institutions, to ensure that business models, operating systems and processes are appropriately reconfigured on an ongoing basis, becomes imperative.

14.1.5 In this Prudential Standard, a strategic plan is defined as a roadmap indicating the vision, mission, and the business direction of a regulated institution, generally for a period of at least one year.

14.1.6 On the other hand, an operational plan specifies the overall operational framework of a regulated institution required to support successful implementation of a strategic plan and acts as a guideline for each business unit to set an action plan. Generally, an operating plan is a short-term plan, not exceeding one year, comprising goals, budgeted profits, responsibilities, resources to be used, work timeframe, and monitoring criteria for performance.

14.2 Sources of Strategic Risk

14.2.1 Strategic risk arises from two main sources, namely, external risk factors and internal risk factors.

14.2.2 External risk factors are events over which a regulated institution has no control, and which may present threats and/or opportunities during implementation of a strategic plan. The following are some of the external factors which affect strategic planning and implementation by regulated institutions:
a) industry competition;
b) behavioural change of target customers;
c) technological changes and developments;
d) economic factors;
e) regulatory changes;
f) environmental issues;
g) political factors; and
h) legal factors.

14.2.3 Internal risk factors are those which can be controlled by a regulated institution but which can affect or deter the effective implementation of a strategic plan. Examples of internal factors include the following:
a) organisational structure;
b) work processes and procedures;
c) adequacy and quality of personnel;
d) adequacy of information for decision-making; and
e) technology.

14.3 Strategic Risk Management Process

14.3.1 Setting future business direction is the ultimate responsibility of the board of directors or a delegated committee. A critical aspect of this process is the determination of the institution's strategic position, which is essentially concerned with the impact on strategy of the external environment, internal resources and competences, and the expectations and influence of stakeholders.

14.3.2 To minimise strategic risk, therefore, the strategic planning process should be appropriately configured, with clear and realistic assumptions.

14.3.3 In this regard, every regulated institution should have an appropriate strategic planning process encompassing the following:
a) support or participation of the board, delegated committees, and senior management;
b) participation of staff from various departments;
c) adequacy of information in developing assumptions in relation to economic factors, the position of the regulated institution compared to competitors, current competitive position, future market trends and customer needs, among others;
d) consistency of the operational plans with the overall objective of a regulated institution; and
e) assessment of actual performance against strategic plans.

14.3.4 The board should approve the overall strategic plans and appropriate budget, while senior management should develop strategic and operational plans for each function by month, quarter, or year. The operational plans should be consistent with the overall organizational strategy. The regulated institution can formulate its plans through either a top-down approach or a bottom-up approach, or a mix of the two approaches.

14.3.5 The top-down approach is a strategic planning process where the board or delegated committees and senior management determine and allocate operating targets to departments. On the other hand, the bottom-up approach is a strategic planning process where the operational plans and budget from each department are consolidated into the strategic plan. A bank should adopt the approach which is best aligned to the nature, size, and complexity of its operations.

14.3.6 A regulated institution's strategic plans should complement and be integrated with other important issues such as capital adequacy, liquidity, source and use of funds, level and quality of earnings, and management efficiency.

14.3.7 An important component of both strategic and operational plans is the budget. Regulated institutions should develop budgets that are consistent with their plans. The plans should also be aligned with internal resources and capabilities, encompassing organisational structures, human and financial resource capabilities, as well as operating systems and processes. In addition, budgets should be underpinned by realistic assumptions, adequate allocation of resources for management and supporting functions, as well as monitoring of actual performance.

14.3.8 Regulated institutions should pay adequate attention to business model risk and reconfigure their models in a timely manner in light of the increasingly shifting operating terrain.

14.4 Risk Mitigation Factors

14.4.1 Regulated institutions should adopt and implement robust strategic risk mitigation measures and techniques to enhance the achievement of strategic objectives. These include engaging a qualified board and senior management, formulation of strategic and operational plans, high quality of personnel and proper training, comprehensive risk management systems and adequate access to information.

14.5 Board and senior management

14.5.1 The board and senior management should comprise members with diverse and useful knowledge and experience. Further, they should be independent, active and have a clear understanding of the market, economic and competitive conditions.

14.5.2 The bank's independent non-executive directors should diligently provide a check-and-balance mechanism on the activities of executive management.

14.6 Formulation and Implementation of strategic and operational plans

14.6.1 The board and senior management should assess the changes in internal and external factors, continuously assess how these changes may affect the regulated institution, and adjust the plans and reconfigure business models, operating systems, and processes to minimize the impact of these changes.

14.6.2 The board and senior management should also monitor compliance with laws, regulations, and shareholders' resolutions.

14.6.3 Further, the regulated institution should set timeframes for the implementation of different aspects of its strategic plans and establish performance evaluation systems.

14.7 Capacity building

14.7.1 Every regulated institution should recruit staff members with relevant knowledge, expertise, and experience in all business units. The staff members should have the dynamic capabilities to appreciate market conditions, competition and the trend of products offered to target customers in line with the regulated institution's strategic and operational plans, as well as to reconfigure business models, operating systems, and processes in line with developments.

14.7.2 In addition, staff should receive adequate training on risk management in order to promote efficient and effective implementation of the strategic and operational plans.

14.8 Risk Management System

14.8.1 A regulated institution should have an enterprise-wide risk management system. All

81 types of related risks must be taken into account during the formulation of strategic and operational plans by setting policies, procedures, and risk limits. 14.9 Adequate Access to Information 14.9.1 Regulated institutions should have adequate information on their internal and external environment in order to facilitate effective strategic risk management entailing proactive responses to developments in the operating environment, underpinned by strategic flexibility and agility. As such, every regulated institution should invest in systems and approaches that will enable it to access adequate, accurate, and timely information to understand developments in the operating environment, including industry rivalry, customer needs, technological, legal, and political factors. A bank should use various information sources, such as business experts, consultants, correspondent regulated institutions, and media platforms to build its information database. 14.10 Strategic Risk Management Framework 14.10.1 Every regulated institution should establish an integrated risk management function that is designed to enhance understanding and communication of risk issues internally, to provide clear direction and demonstrate senior management support. 14.10.2 To be effective, the risk management system needs to be aligned with an organisation’s overall objectives, corporate focus, strategic direction, operating practices, and internal culture. A regulated institution should integrate risk management within existing governance and decision-making structures both at the operational and strategic levels. 14.10.3 Each regulated institution should develop risk management systems appropriate to the size, complexity, and scope of its business. 
A system to report detailed progress of implementation of the plans and objectives should be implemented including comparison of actual performance against the operational plan and budget, and the business continuity plan for unusual circumstances to facilitate copying with unexpected changes in the environment. 14.11 Risk Identification and Measurement 14.11.1 Identification and measurement of strategic risk are the responsibility of management who should ensure that periodic reviews of strategic plans are conducted as circumstances change. 14.11.2 Every institution should design on-going methods for formal assessment of both the strategic and operational plans in relation to its business scope, complexity, external environment, and internal factors. 14.11.3 A regulated institution should utilize a range of practical tools to assess its strategic risk. The following are some examples of the techniques: a) risk maps: summary charts and diagrams that help the bank to identify, discuss, understand, and address risks by portraying sources and types of risks and functions involved; b) modelling tools: such as scenario analysis and forecasting models to show

82 the range of possibilities and to build scenarios into contingency plans, and c) qualitative techniques: such as questionnaires and self-assessment to identify and assess risks. 14.11.4 Special cognizance should be given to emergent risks such as business model risk as banks continually reconfigure their models in light of the increasingly shifting operating terrain. 14.12 Risk monitoring and reporting 14.12.1 The development of evaluation and reporting mechanisms for risk management activities provides critical feedback to management with respect to strategy implementation. Management should put in place a monitoring and evaluation system, that will enable collection, analysis, and reporting on the data and information related to strategic management indicators. The monitoring and evaluation system entails a set of processes, tools, and roles that facilitate planning, implementation, and management of monitoring and evaluation activities. The monitoring of strategic plan implementation should thus be allocated to a specific function in the bank. 14.12.2 Where appropriate, the monitoring and reporting of strategic risk should also fall to functional units responsible for review and audit. Reporting could take place through management channels such as performance reporting, ongoing monitoring, and appraisal. 14.12.3 A bank should evaluate the effectiveness of its strategy implementation on a periodic basis and make the necessary adjustments to ensure sustained progress toward the attainment of strategic objectives. 14.12.4 Effectiveness of risk monitoring depends on ability to identify and measure all the risks, which must be supported by appropriate, accurate and timely management information systems or model to help with analysis and decision making. 
14.12.5 Therefore, the board or delegated committees and senior management must develop information systems that can identify and measure the risks in an accurate, reliable, and regular manner commensurate with the complexity and diversity of the regulated institution’s business. 14.12.6 Management information systems (MIS) should provide information necessary to support implementation of the strategic plans. The information systems of regulated institutions should be able to collect internal data such as financial data, accounting data, and external data such as economic conditions, competition, technology, and regulatory requirements. 14.12.7 The bank should review its MIS regularly, as well as set policies and procedures and operational framework on MIS development, maintenance, security, repair, or upgrade in order to maintain the standard. 14.13 Risk control 14.13.1 The board and management should establish a risk management controlling system in accordance with international best practice. The risk monitoring functionshould be independent of the risk-taking functions. In addition, the board should receive a variety of reports for risk review and monitoring. 14.13.2 A regulated institution should control strategic risk through the following among other approaches:

83 a) adaptive risk management structure; b) policies, procedures, and risk limits; c) new product reviews; d) comparisons of actual performance with projections; e) quality and effective independent reviews and internal control systems; f) management succession planning and training; and g) business continuity planning. 15. EFFECTIVE DATE 15.1 The effective date of the Prudential Standard shall be 15 May 2024. Questions relating to the Standard should be addressed to the Director, Bank Supervision Division, Reserve Bank of Zimbabwe.