Internal Control System

Transcription

1 440 Internal Control System implements internal control in every business activity as well as everyday banking operations. LEGAL REFERENCE 1. Financial Services Authority Regulation (POJK) No 18/ POJK.03/2016 dated 16 March 2016 on the Implementation of Risk Management for Commercial Bank. 2. Circulation Letter of Financial Services Authority (SEOJK) No 34/SEOJK/03/2016 dated 1 September 2016 on the Implementation of Risk Management for Commercial Bank. 3. Circulation Letter of Bank Indonesia (SEBI) No 5/22/DPNP dated 29 September 2003 on Guideline of Internal Control System for Commercial Banks. IMPLEMENTATION OF INTERNAL CONTROL SYSTEM Financial Control The process on drafting s financial report is certified by Societe Generale de Surveilance (SGS) with ISO 9001:2008 in the scope of The Process of Preparing Financial Statements, valid until 9 December The control processes to maintain the quality of transparency in line with accounting rules and prevailing provisions are as follows: ACCOUNTING AND FINANCIAL MANAGEMENT DIVISION: Prepare annual Work Plan and Revenue Budget in bottomup manner according to proposals from each working unit in the head office as the budget manager. Monitor the accomplishment of RKAP monthly to the Finance Director. Prepare financial reports derived from Data Management Information System. HEAD OFFICE BUDGET MANAGEMENT WORKING UNIT Distribute the budget to Branch Offices and monitor the expenses as well as evaluate the effectiveness of the budget expenses. FINANCE DIRECTOR AND PRESIDENT DIRECTOR: Approve and determine annual RKAP. Approve and determine financial reports. Audit Committee Appoint Public Accountant. Reviewing financial reports. All Directors and Commissioners Responsible on the validation of the content of the annual report including the financial report. Public Accountant Conduct financial report validation according to the follow ups on the previous Management Letter. Prepare Management Letter based on the findings in the financial report. Send the Management Letter report to the OJK as banking regulator. Operational Control had formulated an organization structure equipped with a supervisory function, hence supporting operational control, including: 1. 1st line of defense through monitoring by Supervision Working Units (Branch office to Kanca, KCP, KK, and its supervisory unit; Kanca to KCP, KK and its supervisory unit); Divisions which carry out coaching and monitoring function to Operational Working Units, Coaching Director who assists each Assisted Branch Office, and Department Directors on each Division. These monitoring and coaching activities are conducted periodically. 2. 2nd line of defense function through monitoring the implementation of control in each Working Unit by conducting: Risk Management Function in each Working Unit The implementation of monitoring on the control activities in each Working Unit for each risk type are presented regularly in Risk Management Committee, Credit Risk Management Committee, Market Risk Management Committee, and Operational Risk Management Committee. Compliance Function both in the Head Office and Branch Office level To ensure that the policies, provisions, systems, and procedures, as well as business activities conducted by the Bank are in line with the provisions, conducts coaching and monitoring on the implementation of APU PPT, monitoring on the decision or policies of the Board of Directors which are tested based on the prudential principal, review on internal policies, monitor the commitment to regulator, monitor the

2 441 Corporate Profile implementation of prudential provisions, monitor on external provisions, monitor on cash transaction report & suspicious transaction report, financial transaction report on fund transfer to and from overseas. The compliance function report is presented to management every semester. 3. 3rd line of defense function by SKAI which is independent of Operational Working Units. SKAI conducts assurance and consultation on the adequacy and effectiveness of the internal control system, risk management, and corporate governance regularly as stipulated on the annual Audit Plan. SKAI consists of Working Units which conduct audit activities (Audit KP/KCK/UKLN & PA, TSI Division Audit, Inspection Office, and Special Investigation Group) and Standard Development and Audit Quality. In order to provide early detection on the rising risk in Operational Working Unit, has Resident Auditor Kance and Resident Auditor Unit which carry out audit activities on Kanca, KCP, KK, and Units in day to day basis. SKAI present realization of audit activity reports in the Quarterly Report about the implementation of these audit activities to the management. Strategic Control The strategic control process begins from the preparation, control implementation strategy as well as evaluation on s strategic implementation as follows: Corporate Development and Strategy Division: Prepare the Bank s medium-term Business Plan, Longterm Business Plan (Core Plan) by using bottom-up approach based on the aspiration of each Working Unit. Prepare performance achievement analysis in working unit level which presented in Business Performance Review forum and Support Performance Review. Accounting and Financial Management Division: Translate long-term and short-term strategy into the Company s Working Budget Plan equipped with projections of the financial performance achievement. Financial Director Conduct evaluation on financial performance achievement through ALCO forum. Present the working achievement to the Board of Commissioner in quarter basis. Present the working achievement to capital market community. Board of Directors Determine RKAP, RBB and Core Plan. President Director and Financial Director Determine the Company s Budget Management Working Unit. Board of Commissioners Approve RKAP, RBB, and Core Plan and present it to OJK as the banking supervisory board. Evaluate the realization of the Company s performance achievement based on the quarterly financial reports presented by the Board of Directors. EXPLANATION ON THE COMPATIBILITY BETWEEN INTERNAL CONTROL SYSTEM WITH COSO Pursuant to the Internal Control Integrated Framework published in 2013 by the Committee of Sponsoring Organization of the Treadway Commission (COSO), the implementation of the internal control system in is conducted in an integrated manner which consists of the implementation of 5 (five) components as follows: Control Environment Control environment stipulates the values and ethics in the Company which were formed to regulate the behavior of s employees. The implementation of control environment in is conducted based on the following principals: a. Commitment on the integrity and ethic values applied in the ethic codes, working culture, anti-gratituity commitment, zero fraud tolerance commitment. b. Supervision on internal control development and performance done by SKAI through assurance activities to evaluate the adequacy and effectiveness of the internal control system. The identified weaknesses on the internal control on audit activities and the solutions are monitored and presented to the President Director and Audit Committee regularly. c. Organization structure, authority and responsible are explained in the List of Position Description (DUJ). DUJ is developed according to the business demand by considering the accountability and responsibilities of each party in the organization. d. The Book of Operational Guidelines (BPO) is prepared as the guideline of the operational working unit in conducting banking activities. BPO describes the authorities, responsibilities, mechanisms and job descriptions as well as internal control activities which are mandated in the working activities. Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

3 442 e. The commitment on the competence realized in the HR management consist of planning, recruiting and selection, HR development, compensation and benefit, disciplinary action, performance management, and lay off. f. Individual accountability is shown in the Key Performance Indicators (KPI) developed by using a Balanced Scorecard approach. Risk Assessment Risk assessment in is carried out through potential risk identification and analysis in a dynamic and sustainable manner; hence, mitigation procedures can be conducted precisely as explained in the Risk Management section in this Annual Report. Control Activities a. Operational Control implements segregation of duty principal in each of its operational activities. The segregation of duty principal is carried out through: segregating maker function, checker and signer, determination of authority limits on transactions, organizing employee access on the NET system using user ID and password. In the treasury department, the function segregation consist of: front office Working Unit, middle office Working Unit and back office Working Unit which are respectively responsible to monitor market price, determination and monitoring of market risk limit as well as conduct settlement. b. Credit Quality Control In loan departments, the segregation of functions is carried out by the implementation of the four eyes principle in which in the authority on the termination of credit has to be done by at least 2 (two) credit line officials, in which one or both has adequate authority, and which is conducted in a symmetrical or asymmetrical manner. c. Financial Control continuously conducts verification, reviews on completeness as well as gives authorization for transactions by authorized position. The verification process is designed both in the system and the transaction procedure. Through effective verification activities, monitoring activities are conducted and fraudulent activities can be prevented. d. Control On Physical Assets The control on s physical assets is stipulated on the Fixed Asset and Logistic General Management Policy (KEMAL). KEMAL stipulate s fixed assets and logistic management is done in an integrated manner which consist of planning, demand determination, funding, procurement, payment, distribution, insurance, maintenance, asset optimazion, administration and reporting as well as monitoring and evaluation. e. Control On Information Technology The implementation of risk management is conducted in every phase of information technology usage, including: system development and procurement, information technology operational activities, business continuity plan. s development on information and technology is based on the development life cycle system (SDLC) which consist of several phases as follows: planning, analysis, design, development, trial, implementation, evaluation, maintenance, and disposal. Information security is being conducted to secure privacy, integrity, and information availability from the physical risks such as theft, damage, sabotage, riot, physical access from an unauthorized party, logical risk such as: computer assisted fraud, malicious code, computer hacking, virus, and environmental, such as: fire, flood, earthquake, physical disturbance. The information security control is implemented through policies, processes, procedures supported by hardware and software which is designed, implemented, monitored and reviewed to guarantee information security. Information and Communication Systems Accounting, information and communication systems are developed as information distribution channels by prioritizing: a. Information Processing Automatization In order to guarantee fast, accurate and comprehensive data availability, develops information systems which can be used by management to monitor the implementation of internal control. has Portal Data Warehouse (DWH) and Management Information System (MIS) which display information such as: organization performance data, products, customer, and productivity. b. Effective Internal Communication The Board of Directors communicates the Company s targets and goals as well as risk mitigation procedures which have to be implemented through Strategic Forum (Forstra) meetings, ALCO meetings, Business Performance Reviews as well as Support Performance Reviews. Furthermore, the communication between the Board of Directors and Board of Commissioners is conducted regularly in Board of Directors and Board of Commissioners meetings (Radirkom).

4 443 Corporate Profile provides special communication channels such as the whistle blowing report facility. The whistle blowing system (WBS) was established to increase the detection and prevention of fraud. All report conveyed through the WBS are being followed up by Working Units or authorized officials. provides a report facility for operational problems faced by s operational working unit Selindo through Remedial System application. The reporting application is managed and monitored by Service Division and Contact Center so that the operational problems are followed up in a fast and sufficient manner. Monitoring Activities and Improvement On Internal Control To ensure the adequacy and effectiveness of the implementation of the internal control system, conducts the following activities: a. Continous evaluation conducted through monitoring and operational coaching activities by the branch offices and Contact Center and Services Division. b. Improvement on internal control weaknesses is the responsibility of the head of pperational working units according to operational monitoring assistance results, SKAI audit results, and external auditor results, or Bank supervisory bodies. Management Discussion and Analysis c. Effective External Communication Access on product information, services as well as customer complaints to can be done through multi channels as explained in the Customer Responsibility section in CSR Chapter in this Annual Report. To support s communication activities to external parties, established the Investor Relation Desk which is responsible to conduct communication with investors, analysts, rating agencies, Self Regulatory Organizations (SRO) as well as others in financial communities. EXPLANATION ON SYSTEM EFFECTIVITY EVALUATION ON INTERNAL CONTROL The evaluation of s internal control system is conducted based on the COSO framework as follows: Environment control Risk assessment or identification, analysis, assessment and risk mitigation Control Activities and function segregation Information and Communication system Monitoring as well as internal control improvement. Follow-up of Internal Fraud Cases 2016 According to COSO component evaluations, s internal control system remains in adequate on identifying risks, as shown in s efficiency level which is maintained in the range of 43% to 45%, good financial performance accomplishment, reliable financial report, as well as compliance on the prevailing provisions. Corporate Social Responsibility No. Follow-up Status Management Permanent Employees Non Permanent Employees 1 Has been followed or Completed In process Not yet followed Total Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

5 428 Risk Management System s integrated risk management system is translated into the following: Pillar 1 Active Supervision from the Board of Commissioners and Board of Directors The Board of Commissioners and Board of Directors are in charge of the effectiveness of risk management implementation at. To ensure the effectiveness of management of activities and risks by the Board of Directors, the Board of Commissioners through RMOC evaluates the policy and implementation of risk management by the Board of Directors. RMC assisted the Board of Directors in determining the direction of risk management policies and strategies and its comprehensive implementation. The Board of Directors ensures that all material risks and the impact has been followed up, and the corrective measures for problems or irregularities in business activity are implemented. Culture of risk management, including risk awareness at all levels of the organization are also of the Board of Directors concern. Pillar 2 Adequacy of Policies, Procedures, and Limit Risk management policy at is set forth in General Policy of Risk Management (KUMR ). KUMR stipulates the basics of risk management policies and is the highest provision of risk management at, serving as reference for policies, procedures, and guidelines for risk management in accordance with prevailing regulations. KUMR set forth in detail the Guidelines for the Application of Risk Management (P3MR), which includes several stages of process of risk management, among others: risk identification, risk measurement, risk monitoring and risk control. P3MR consists of Guidelines for the Application of Credit Risk Management (P3MRK), Guidelines for the Application of Operational Risk Management (P3MRO), Guidelines for the Application of Market Risk Management (P3MRP), Guidelines for the Application of Liquidity Risk Management (P3MRL) and Guidelines for the Application of Enterprise Risk Management (P3ERM). Management procedures and limits for each type of risk should be managed in all products and business activities of, according to the risk appetite, taking into account experience of managing the risk in question. Limit is reviewed periodically in order to adjust it in accordance with the changing conditions. s Board of Directors has the authority to establish risk limits, tolerance levels for each type of risk, and risk exposure, by taking into account the experience, capital ability, capability of systems and risk management tools, available resources, as well as the applicable regulations. Risk Management Process and Risk Management Information System Identification identifies risk by analyzing all types and characteristics of risks inherent in the business of the Financial Conglomerate. Risk identification is proactive, covers all business activities of the Financial Conglomerate and is carried out in order to analyze the source and possible risks and impacts. Risk identification, among others is based on the loss that occurred in the past. Identification of risk issues for Operational Risk and Other Risks are conducted by the Head Office, Regional Offices and Branch Offices throughout Indonesia by using risk management tools. In this stage, determination and updating of risk issues were brought about. Measurement Risk measurement is conducted periodically for all business activities of the Financial Conglomerate. The use of risk measurement models is tailored to the needs, size, and complexity of business activities, as well as the benefits. Risk measurement is implemented to measure risk exposure, as a reference for control. Risk assessment is conducted periodically both for product and portfolio, as well as for all business activities of. The approach and methodology of measurement may be quantitative, qualitative, or a combination of both. Risk measurement system is evaluated and refined periodically, or at any time if deemed necessary to ensure the suitability of assumptions, data sources, as well as the procedures used to measure risk. Stress testing is carried out to complement the risk measurement system by estimating any potential loss to the Financial Conglomerate under crisis, using stress scenarios specific for the Financial Conglomerate and stress scenarios of the market.

6 429 Corporate Profile Risk measurement is reflected in the Consolidated Risk Profile Quarterly Report, Monthly Risk Profile Dashboard, Risk Profile Monthly Report from Regional Offices, consolidated RCSA quarterly report stress testing analyzing quarterly report, market risk potential loss weekly report, cash ratio monitoring monthly report, and quarterly Top Risk issue Book. Monitoring has adopted monitoring systems and procedures that include the monitoring of the magnitude of risk exposure, risk tolerance, adherence to internal limit, and the results of stress testing as well as the consistent implementation of policies, procedures, and limits. Risk monitoring activities are conducted by evaluating risk exposure inherent in the Financial Conglomerate business activities, as well as the effectiveness of integrated risk management processes. One form of monitoring is conducted by regularly hold Integrated Risk Management Committee to evaluate Risk Management process and provide recommendations/proposals related to implementation of Risk Management to members of the Financial Conglomerate. The results of risk monitoring can be used to enhance existing risk management processes. The evaluation of the risk exposure is conducted by monitoring and reporting of risks that are significant or affecting the capital of the Financial Conglomerate. Control Risk control process is carried out with due regard to the internal control system prepared in accordance with the applicable regulations and aims to manage certain risks that can jeopardize the business continuity of the Financial Conglomerate. The framework for risk management process is based on results from risk exposure evaluation in the business of the Financial Conglomerate. The main priority in the risk mitigation is against the risks that have high impacting losses or high frequency of occurrence. ensures that the members of the Financial Conglomerate have applied risk control methods against risks that can jeopardize the business continuity of the Financial Conglomerate, among others, by hedging, risk mitigation methods, and additional capital to absorb potential losses. Internal Control Systems A thorough internal control has been implemented through: a) Determination of organization structure with a clear segregation of functions between operational units (business units) and operating units that manage risk control functions (risk management unit). b) Determination of risk management unit, namely an independent operating unit that creates the risk management policies, risk measurement methodologies and performs risk limit setting and data/model validation. c) Each transaction and functional activity with exposure to risk is reviewed and monitored as required by each business unit. d) Data validation is conducted by executives and independent units of the operational units. Data validation is conducted at least once a month for all risks. e) Regular audits are conducted by the Internal Auditors, to audit the implementation of risk management processes and system in any functional activity with risk exposures. f) Implementation of the segregation of duties by applying the concepts of Maker, Checker, Signer (MCS) in all of s operational activities. g) Implementation of risk management information system, to facilitate the risks identification, measuring, monitoring, and controlling process. The risk management information system includes Operational Risk Assessor (OPRA), Loan Approval System (LAS), and Treasury and Market Risk System (GUAVA). EFFECTIVENESS OF THE EVALUATION OF RISK MANAGEMENT SYSTEM The evaluation of the quality of implementation of Risk Management on the four pillars of risk management system mentioned above is conducted in an integrated manner through Self Assessment which include the following: Evaluation on Risk Governance Evaluation on Risk Governance includes: Formulation of Risk Levels The formulation of risk appetite and risk tolerance is adequate. Such formulation is aligned with the strategic objectives and the bank s business as a whole. The parameter for corporate level risk limit is documented in the internal regulation regarding Circular Letter on the Guidelines for Risk Based Bank Rating of PT Bank Rakyat Indonesia (Persero) Tbk. Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

7 430 Adequacy of Active supervision by the Board of Commissioners and Board of Directors Adequacy of active supervision by the Board of Commissioners and Board of Directors, including the implementation of the authority and responsibilities of the Board of Commissioners and Board of Directors is considered adequate. BoC has established Risk Management Monitoring Committee set out in the Risk Management Monitoring Committee Charter, among others: 1. Evaluate and analyze the adequacy of risk management policies on regular basis. 2. Evaluate and analyze the risk profile report on quarterly basis. 3. Supervise and evaluate the implementation of Risk Management Committee and Risk Management Division duties. Risk Management Monitoring Committee regularly convenes meeting and provides recommendation for improvement that were documented and the follow-up are monitored. Meeting to discuss risk profile and risk management was conducted 4 (four) times on February 16, 2016, March 29, 2016, August 9, 2016 and October 25, In addition to the implementation of RMC, in general, the implementation of duties of BoC and BoD is considered adequate with the establishment of BoD Committees, such as ALCO, Business Performance Review (BPR), and the Strategic Forum (Forstra). Evaluation on the Framework for Risk Management Evaluation on the Risk Management Framework includes: Risk Management Strategy Risk Management Strategy which was considered adequate and in line with risk appetite and risk tolerance of the business strategy is stipulated in the corporate plan, RBB, and RKAP. The strategy has included discussion on the risk management strategy formulated in line with the risk appetite. Risk Management Organization Tool a) The organization tool that supports the effective implementation of Risk Management is considered adequate with clearly defined authority and responsibility in every business activities. In managing credit risk there was a separation of loan officers, between Relationship Management and Credit Risk Management. Delegation of authority is set forth in the internal regulations on Circular of Credit Committee (KK) and Decision of Loan Authority Delegation, and evaluated regularly by the authorized official. b) In the market risk management, the function of market risk management consist of front office work units (Treasury Division), back office (Operation Center Division), and middle office (Risk Management Division) as explained further in the Market Risk management in this Annual Report. c) In the management of operational risk there is separation of duties and authority of maker, checker, signer (segregation of duty and dual control) on the implementation of all operational activities in the work unit. Delegation of authority in the operational processes at work units is running well as reflected in the review of cost fiat of employee which conducted dynamically according to the competence and experience of the employees/officials. Policies, Procedures and Limit Determination Policies, procedures and limits determination are considered adequate. has placed policies and procedures in any risk management, and the policy is regularly refined in accordance with the latest provisions from the regulator. Monitoring of latest regulations is the responsibility of Compliance Unit. EVALUATION ON RISK MANAGEMENT PROCESS, HUMAN RESOURCE ADEQUACY AND RISK MANAGEMENT PROCESS INFORMATION SYSTEM ADEQUACY Risk Management process Risk Management process is adequate in identifying, measuring, monitoring and controlling risks in accordance with results from discussion in RMC forum held on a quarterly basis throughout The description of risk control process for each type of risk are described further in the risk management efforts in this Annual Report. Human Resources The Human Resource appointed to manage risks have sufficient competence and appropriate education according to the job level. Each employee is required to attend training at least once a year. In addition, in order to have effective and efficient human resource development, fulfillment of formation is tailored to the needs and determination of formation.

8 431 Corporate Profile To develop competencies in Risk Management, it is mandatory for the Board of Commissioners, Board of Directors, as well as officials to four levels below the Board of Directors to attend certification training in Risk Management. In addition, refreshment to the Human Resources also conducted regularly. Information System Implementation of Risk Management is supported by various information systems, among others: Credit initiatives process is carried out in the LAS system that has been integrated with the Debtor Information System (SID), Credit Risk Scoring Module (CRS) and Credit Risk Rating (CRR) to take into account the risk level of the borrowers. Credit portfolio management process is supported by Data Warehouse reporting information systems and Management Information System (MIS) The support of information system for the operational process is embodied in the unification of authority delegation upon approval of transactions in the Core Banking information system. Process monitoring against the Operational Risk is supported by the Operational Risk Assessor (OPRA) information system in capturing and identifying the occurrence of new risks, Key Risk Indicators (IRU) to monitor the movement of risk parameters and Incident Management (MI) to document the risk occurrence and its impact, as well as monitoring of the follow up on the risk occurrence. Strategic Risk Monitoring is supported by MIS capable of generating reports on the development of business performance on a regular basis. Reputation Risk Monitoring is equipped with Complaint Handling System (CHS) information systems equipped with provision on the escalation of customer complaints report to the Head Office level. EVALUATION ON THE ADEQUACY OF RISK CONTROL SYSTEMS Risk control systems is adequate since it has conducted evaluation on the adequacy of Internal Control System by Risk Management Unit (SKMR), Internal Audit Unit and External Auditor. The evaluation conducted by SKMR includes the methods, assumptions and variables used to measure and set limit of risk, while the review conducted by Internal Audit Unit and External Auditor includes the reliability of Risk Management framework and implementation of Risk Management by business unit and/or supporting unit. EXPLANATION ON RISKS FACED BY THE COMPANY 10 types of risks that should be managed by the Financial Conglomerate are: Credit Risk Credit Risk is any risk arising from failure by borrowers and/ or other parties to meet their obligations to Bank. Credit risk can be sourced from a variety of business activities of the Bank. Market Risk Risks arising from movements in market variables (adverse movement) from the Bank s portfolio, which may be detrimental to the Bank. Market variables in this point are the interest rate and exchange rate. Liquidity Risk Among others, risks arising from the failure of the Bank in meeting its overdue obligations. Operational risk Among others, risks arising from the inadequacy or failure of internal processes, human error, system failure, or external problems affecting the operations of the Bank Legal Risks Risks arising from the weakness of the judicial aspect. The weakness of judicial aspect among others due to lawsuits, the absence of supporting legislation or weakness of contract, such as the failure to fulfill the requirement for a valid contract and imperfect commitment. Strategic Risk Among others, risks arising from the failure of the Bank to determine or implement the right strategy, making wrong business decision of failed to respond the external changes. Reputation Risk Risks arising from negative publicity related to the business activities of the Bank or negative perceptions towards the Bank. Compliance Risk Risks that are resulted from failure to comply with or to implement legislation and other prevailing regulations. Compliance risk management is conducted through the consistent implementation of internal control systems Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

9 432 Intra-Group Transaction Risk The risk of reliance to an entity either directly or indirectly in a financial conglomerate in order to fulfill its written or unwritten contractual obligation agreements either followed and/or not followed by transfer of funds. The risk of intra-group transactions, among others, may arise from Cross ownership between LJK in Financial conglomerate Centralized management of short-term liquidity Guarantees, loans, and commitments given to or obtained from an LJK to another in financial conglomerate Exposure to controlling shareholders, including the exposure of loans and off-balance sheet items such as guarantees and commitments Purchase or sale of asset to another LJK within Financial conglomerate Transfer of risk through reinsurance; and/or Transaction to transfer third-party risk exposure among LJK in the financial conglomerate Risk Insurance Risks due to failure of the insurance company to meet obligations to policyholders as a result of the inadequacy of underwriting (risk selection) process, setting premiums (pricing), use of reinsurance, and/or the handling of claims EFFORTS TO MANAGE RISK has conducted risk management based on four pillars as follows: Credit Risk PILLAR 1 The process of credit decision above a certain nominal limit requires approval from BoD s Credit Committee and consultation with the Board of Commissioners Follow-up/action must be monitored by the Board of Commissioners and Directors if risk limit is exceeded Implementation of quarterly RMC forum that discusses strategic issues related to enterprise risk management Reporting monthly risk profile by Risk Management Unit to Board of Directors Pillar 2 Regulation on target markets Determination of risk limits at the corporate level (risk appetite statement) regarding the NPL and NPL Coverage Regulations on tiered credit authorization/pdwk Identification of credit risk is carried out using a system of Credit Risk Rating (CRR) and Credit Risk Scoring (CRS) since Internal Rating (Credit Risk Rating/Credit Risk Scoring) used at currently is based on empirical data/historical data of existing debtors with statistical methodology. Based on this internal ranking, periodic review of the accuracy of models and assumptions used to project is conducted to forecast failure, and adjustments of assumption should be made if there is a change of regulations, both in external (regulatory) and internal. In order to overcome weaknesses that may arise from the use of internal models of the rating, an independent working unit has been working to validate the working unit who applies the model. The validation process or review of the credit risk measurement models is carried out by back testing method. Measurement of credit risk is done by using standard method of calculating the probability of default and loss given default for each business segment based on the shifting of each segment s credit collectibility. Currently, is still developing its Internal Rating Based Approach (IRBA). In addition, a series of stress test is also performed to measure the maximum potential loss in the event of stress conditions. Stress test is done based on some hypotheses and assumptions, such as: economic growth, inflation, world oil prices and the rupiah exchange rate fluctuations. Monitoring credit risk is done through a process of monitoring loan portfolio which is the responsibility of credit administration units at the headquarters. Monitoring loan portfolio is based on credit quality, economic sector, use of credit, geographic factor of initiator unit, and so forth. Monitoring is also undertaken to limit credit risk, among others: NPL, SML, composition of the Loan at Risk, Credit Cost, NPL Coverage ratio, PH, Recovery income and Recovery Rate. Control of credit risk is through: - Credit Decision should take into account collateral analysis, which must comply with the provision of minimum loan to value or minimum coverage against the loan - Procedure of credit quality improvements through restructuring

10 433 Corporate Profile - Procedures to minimize the loss of credit risk through credit settlement and collection/billing optimization - Write-off procedures of problem loans 4 eyes principles: separate functions of credit initiators and credit decision makers Separation unit between credit initiator (business) and a working unit of credit risk analysis for Corporate segment Use of Loan Approval System (LAS) application, which includes the identification of credit risks through the calculation of CRR and CRS as well as loan decision in accordance with the provisions of tiered PDWK. Determination of CKPN is automatically based on an internal model to calculate the reserve adequacy of credit risk based on credit portfolio per segment. Integration between surpassing the limit of credit risk and performance assessment of business and individual working units, including loan composition in Collectability category 2 and NPL. Market Risk Pillar 1 Follow-up monitoring by Board of Commissioners and Directors if risk limit is surpassed Implementation of quarterly RMC forum that discusses strategic issues related to the Company s risk management Reporting of monthly risk profile by Risk Management Unit to Board of Directors Pillar 2 Policies, procedures, and market risk limit has been compiled and stipulated in the Treasury Policy and Market Risk Management Policy (KUMR and P3MRP). Market Risk Limits listed in the policy, among other things are: open position limits for trading, dealer transaction limit, limit of cut loss and stop loss, uncommitted credit line limit, counterparty limits, as well as limit Value at Risk (VaR). Identification Calculation of Interest Rate Risk by standard methods is carried out against the position of all financial instruments which are classified in Trading Book as exposed by Interest Rate Risk and Calculation of Foreign Exchange risk by standard methods is carried out on s foreign exchange positions in the Trading Book and in the Banking Book which is exposed to Foreign Exchange Risk, Risk factors which are considered in interest rate risk in the standard method are: - Specific Risks of any securities or financial instruments, regardless of a long or a short position. Thus the process of offsetting is not possible unless those positions are identical; - General Market Risk of the overall portfolio, where a long position or a short position of different securities or instruments can offset each other. The market value of securities used in the calculation of Specific Risk and General Risk is the dirty price, i.e the market value of securities (clean price) plus the present value of the interest income to be received (accrued interest). The calculation of the present value of accrued interest can not be done if it is based on the coupon payment term where the present value does not cause material differences. Foreign Exchange Risk calculations is performed for all positions, both Trading Book and Banking Book in foreign currencies, including gold, with reference to the calculation of the Net Open Position (NOP). The position of an instrument that denominated in foreign currency, in addition to Foreign Exchange Risk exposed, can also lead to Interest Rate Risk (e.g for crosscurrency swaps instrument). In this case, the Interest Rate Risk exposures should also be taken into account. Scope of portfolio accounted for in the Capital Adequacy Ratio (CAR), among others are Position held for resale in the short term. Position held for the purpose of obtaining short-term profits from actual and/or potential price movements. Position held for the purpose of maintaining the advantages of arbitration (locking in arbitrage profit). Derivative instruments related to securities or interest rates, such as Bond Forward, Bond Options, Interest Rate Swaps, Cross Currency Swaps, Forward Foreign Exchange, Interest Rate Options and Forward Rate Agreements/Fras. All debt securities with a fixed or floating interest rates, and all financial instruments that have similar characteristics, including Negotiable Certificates of Deposits and securities sold by on condition of repurchase (Repo/Securities lending). foreign exchange position in the trading book and the banking book which is exposed to foreign exchange risk Measurement Calculation of Interest Rate Risk by standard methods is carried out against the position of all financial instruments classified in Trading Book as exposed to Interest Rate Risk and Foreign Exchange Risk Calculation by standard methods is carried out on s foreign exchange positions in the Trading Book and the Banking Book, which is exposed to Foreign Exchange Risk, Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

11 434 Measurement of market risk are conducted regularly (daily, weekly and monthly), among others by calculating market risk using standardized measurement approach and internal measurement models (VaR) through the application of GUAVA, conducting NII simulation everytime there is a change in market interest rates and managing maturity profile of securities, Valuation of trading book and banking book portfolio is done by using market prices quotes of the instruments that are actively traded (mark to market). The market prices reflect the actual and routine transactions which are reasonably conducted. The result of the valuation based on market value (mark to market) is validated periodically to ensure consistency and fairness of the market price used in the process. If market prices are not available because the instruments are not actively traded, the determination of fair value will use price simulation approach (mark-to-model). Monitoring and Control In carrying out market risk management, the Board of Directors regularly evaluates market risk through daily reports on net open position, Asset & Liability Committee (ALCO) forums, and report of market risk exposure in the market risk profile. In addition, also organizes Market Risk Management Committee forum on a quarterly basis. Separation of Front, Middle and Back office Functions s market risk management functions consist of front office work units (Treasury Division), middle office (Risk Management Division) and back office (Operations Center Division) with each division has different authority. Front office division is authorized to conduct financial instruments transaction and is responsible for monitoring the movement of the market price. Middle office sets and monitors market risk limit as well as regularly ensure market data (market price) used to mark-to-market (MTM). Back office division conducts treasury transaction settlement and sets daily market price (MTM) at the end of the day. Implementation of delegation of authority is realized through setting tiered transaction limits in accordance with the competency and experiences. Market Risk Control Systems Integrated with Front Office Functions has implemented treasury and market risk application systems (Guava), which is an integrated system that is used by the front office, middle office and back office functions. Through this application, can perform integrated market risk measurement in its daily transactions process. In addition to monitoring the risk exposure of the instruments, also monitors market risk limit and transactions limits including transactions dealer nominal limits, open position limit, uncommitted Credit Line Limit (UCL), cut loss limits and stop loss limits. Monitoring is conducted daily to accelerate the provision of current information that supports decisionmaking by line officials and management on a timely basis, especially for the instruments included in the trading classification. Integration Between Surpassing Market Risk Limits and Performance Assessment of Work Business Unit Liquidity Risk Pilar 1 Implementation of ad-hoc ALCO mini meetings and weekly Board of Directors Meeting when market of liquidity conditions is quite tight. Follow-up/action plan monitoring by the Board of Commissioners and Directors if risk limit is surpassed Implementation of quarterly RMC forum that discusses strategic issues related to the Company s risk management Reporting monthly risk profile by Risk Management Unit to Board of Directors Pilar 2 Determination of minimum Secondary Reserves limit to the minimum reserve requirement (risk appetite statement) Risk Identification, Measurement and Monitoring through dashboard of daily liquidity Risk Control through liquidity contingency plan Protocol Monitoring system of daily liquidity position Integration between surpassing liquidity risk limit and performance evaluation

12 435 Corporate Profile Operational Risk Pilar 1 Follow-up monitoring by the Board of Commissioners and Directors if risk limit is surpassed Implementation of quarterly RMC forum that discusses strategic issues related to the Company s risk management Reporting monthly risk profile by Risk Management Unit to Board of Directors Pilar 2 Tiered approval limit for a given transaction Identification of operational risk is done through the RCSA covering seven functional activity of banks, namely: Activity of credit, Treasury and Investment, Operational and services, trade financing, funding and debt instruments, information technology and management information systems, and human resource management. Measurement of operational risk is carried out using Basic Indicator Approach (BIA). Currently, is gradually preparing the calculation method using Standardized Approach (SA), which will be followed by the Advanced Measurement Approach (AMA). MONITORING of risk profile is conducted with Key Risk Indicators (IRU), based on assessment results of risk profile and operational loss data is managed through the Incident Management (MI). Controlling OF risk through: - Assessment Procedures for New Products and Activities for any new products or services, where any such product must go through a review by the Risk Management Unit and Compliance and Legal Unit (if necessary) before it is registered to a regulator - Business Continuity Management protocol for events that are catastrophic. In this case, has a Crisis Management Team (CMT), which plays an important role during disturbances or disaster and is responsible to step in including reputation risk management. TMK structure is established in all working units ie CMT Headquarters, CMT Regional Offices, Branch Office CMT. Strategic aspects that must be considered in the management of reputation risk at times of crisis is to maintain customers, shareholders, and the public confidence on good reputation. Segregation of duties among Maker-Checker-Signer in the operational activities of banking, where most of the approval process has been embedded in Core Banking, Asset Management and HR MIS systems Procedures of Complaint Handling with a specific SLA Implementation of SOP (Standard Operating Procedure) related to APU and PPT to protect from money laundering and terrorism-related crimes. As well as a system of AML (Anti Money Laundering) exists to monitor suspicious transactions (CTR and STR). Integration between the surpassing limit of operational, legal, strategic and compliance risks and performance assessment of either individual and/or business units Compliance Risk Pillar 1 Discussion on compliance risk profile and its management as well as the follow-up are discussed in the RMC, and RMOC Meetings Pillar 2 The compliance risk management process is described in both DUJ and/or BPO of Compliance Work Unit. Establishment of Special Working Unit at both branch offices and Headquarters is to coordinate the management of compliance risk which mainly related to APU and PPT program Management of compliance risks becomes part of the duties and responsibilities of the Risk Management function, which coordinates the implementation of Risk Management for eight types of risk including compliance risk. Identification of compliance risks is done through compliance risk profile reports submitted by each work unit to Compliance Division Each transaction process as well as new products and activities that have potential compliance risks must initially be reviewed by Compliance Division. Compliance monitoring with the latest regulations is the responsibility of Compliance Work Unit. Each regulatory changes, including legislation, regulation, POJK, and PBI are reviewed by Compliance Division and had its impacts assessed for the company. Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

13 436 Compliance Risk Management Process is supported by an adequate information system to identify and monitor the claim for money laundering and terrorism-related funding. The systems includes Anti-Money Laundering system and Cash Transaction Reporting System and Suspicious Transaction Report inherent in Core Banking. Compliance Division is actively disseminating the new regulatory impact on the business and operations of the company. Reputation Risk Pillar 1 The discussion on reputation risk profile and management as well as the follow-up are discussed in RMC, and RMOC Meetings Pillar 2 In order to control reputation risk, SKP Division has been appointed to handle any negative information. Reputation risk management process is described in DUJ and BPO of the Corporate Secretary Division. The identification of risk reputation is done regularly by the SKP Division to see the amount of negative coverage of, the number of customer complaints in both printed and electronic media, call center and company rating. Measurement of reputation risks aims at estimating the level of vulnerabilities of in facing reputational risks. After identification process, there will be measurement against risk of reputation to assess reputation risk categories by using several parameters correspond to the limit stated in the reputation risk profile report. Monitoring of risk undertaken by SKP Division is to conduct regular monitoring of the number of complaints and negative publicity in the media and to report in the reputation risk profile. Monitoring of reputation risk in the Regional Office carried out by OJL Section Service Subsection at each Regional Office is to conduct periodic monitoring of the quality of service in main branch offices, branch offices and each of Assistance Units, where quarterly report compiles report on handling of customer complaints on Headquarter Report of Commercial Banks/LKPBU for every year. reputation risk is controlled, among others, with the presence of SE policy and Management Information Services, while at the same time, SKP Division coordinates with Service Division and relevant work units to resolve negative press and complaints from customers in accordance with predefined SLA. Compliance Division is actively disseminating the new regulatory impact on the business and operations of the company. Strategic Risk Pilar 1 Discussion on strategic planning, target achievement monitoring and evaluation of strategies are deliberated in the Joint Meeting of Commissioners and Directors (Radirkom) during the discussion on RBB approval, approval of work and budget plan of the Company/CBP, and the discussion of the quarterly results. Material in strategic forum (Forstra) which is held each year to support the strategy formulation process are also discussed in the meeting of the Board of Directors. In addition, Board of Directors Committee meetings such as ALCO Committee Meeting also discusses performance achievements and financial performance. Pilar 2 The process of planning, monitoring and evaluation of the strategy set out in BPO and DUJ of Corporate Development and Strategy Division and of Accounting and Financial Management Division. Implementation of Joint Planning Session during the preparation of RBB to discuss business strategy along with the work plan of each Work Unit at the Divisions in Headquarters Organizing the Workshop on Alignment of Inter-Unit Strategic Work Program Plan in the Headquarters office in order to achieve the targets in the CBP and RBB. Implementation of Performance Management with the Balanced Scorecard approach, through the establishment of Key Performance Indicator (KPI) with the principle of vertical and horizontal synergies. Monitoring the Company s strategic initiatives by Change Management Work Unit. The Strategic Initiatives is nonroutine work programs that are very strategic and critical, which should be carried out in order to achieve targets of work unit. Establishment of Corporate Plan Team to prepare Long-Term Plan for the Period of